Hacker News Comments on
Showing a Craigslist scammer who's boss using Python

Engineer Man · Youtube · 95 HN points · 0 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Engineer Man's video "Showing a Craigslist scammer who's boss using Python".
Youtube Summary
Some silly Craigslist scammer thinks he's gonna pull a fast one on me? I don't think so. Time to waste his time and for you to learn something with this new Python video.

Hope you enjoyed the video!

Want some Engineer Man stickers? Pick them up here:
https://emkc.org/stickers

Check out this code here:
https://github.com/ebrian/engineerman/tree/master/033

Join my Discord server to chat with me:
https://discord.gg/k5VcqDP

Check out some code on my GitHub:
https://github.com/ebrian/engineerman

Tweet me something funny on Twitter:
https://twitter.com/_EngineerMan

Say hi over at Facebook:
https://www.facebook.com/engineermanyt

Sincerely,
Engineer Man
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Nov 17, 2019 · 1 points, 0 comments · submitted by JJseiko
Jul 30, 2018 · 94 points, 53 comments · submitted by pavel_lishin
mrweasel
It makes me a little sad to see him write Python 2 code. There's only 18 months of Python 2 left.
starbugs
That's what all of us oldies do. We can't get used to the hip new stuff so quickly ;)
welder
Most of the time you're writing Python3 code and you don't even know it... try changing

    #!/usr/bin/env python

to

    #!/usr/bin/env python3

I bet your Python2 script will run on Python3.

ageofwant
And then there is 2to3, which has not failed me once.
matmann2001
It might be interesting as a learning exercise but there's a lot of gotchas in running 2 as 3.

Besides the obvious things like print, which will just cause an error, there are behavioral changes, like with division and range, that may introduce more insidious bugs.

Better to read up on the difference first and use a tool.

flyingfences
The "hip new stuff" is, in this case, already ten years old, though.
js2
I know you're being sarcastic but anyway: I'm an oldie I guess as I started with Python 1.5.2 and I've been using 2.7 now as long as I can remember. But I had a new project last month so I used Python 3. There was basically nothing to learn. I mean, print is a function and classes don't need to inherit from object and you're like 99% of the way there. Learn and adopt new 3 functionality at your leisure. I'm honestly having no trouble switching between 2 and 3 and I've converted all my 2 code to be syntactically compatible with 3.
alain_gilbert
Uh-oh, and well, integer division now gives float

    $ python3
    >>> 1/2
    0.5
vs.

    $ python2.7
    >>> 1/2
    0
which can cause a great load of bugs if you're just porting some existing code.
aldanor
And strings are now strings, surprisingly, and not bytes...
js2
Why do you say surprisingly?

I've been aware of the bytes/string split for a long time since it's probably Python 3's most prominent change, so I certainly wasn't surprised by it. The surprising part for me (after having read complaints about this change over the years) is that I haven't had any trouble with it.

aldanor
Apologies, it was a (failed) attempt at sarcasm :)
js2
True, but I can’t recall a single time I wanted the integer division behavior of Python 2.
1024core
In most C-like languages, int/int gives int. The fact that 3 returns float is a little troubling.
earenndil
Python is not a c-like language, though.
zaarn
You can use // instead of / to request an integer division with an integer result.

int//int=int instead of int/int=float.

yeukhon
The sad thing is he didn’t use open in context manager....
Phrodo_00
He should've also used load instead of loads, although in this case it is not such a big problem (if he closed the file) because everything is getting loaded in memory anyway.
yeukhon
Right. My problem is he was trying to show off his skill (he emphasized "engineer" at the beginning of his video) so he could troll the scammer. In that case, at least know how to write proper code. Even intro to Python writes with "with".
donohoe
If I were that scammer I'd quickly see I can likely filter out all accounts added within such a short burst of time following the convention of <name><number>@yahoo.com

Also, my guess is most users don't have that pattern of password...

legohead
I thought the form fields were suspicious. The scammer may already have something in place that generates random user/pass form fields, and even random endpoints by the look of the url.

The "engineer" didn't check this, which he could have easily done by simply refreshing the page. But if the scammer did have any sort of protection, the engineer would have had a lot more work in it for him, having to scrape the page.. so maybe he purposely ignored this red flag.

eat_veggies
I checked out the page myself, and the endpoints and form fields are the exact same for me.

Also, there's some funny exposed PHP code sent along:

    <?php
    session_start();
    ?>
And some packed javascript that does nothing because it's "commented out" with <!-- ... --> inside the <script> tags, meaning it has syntax errors.
pavel_lishin
There's no need to put engineer in quotes. This video wasn't an in-depth how-to; it was just a quick proof-of-concept.
legohead
It wasn't meant as an attack. I don't know his name, but his channel is called engineer-something, so I meant it as "engineer-something".

Although I do think, for a learning video, that he missed out on a lot of opportunity to explain such things as I mentioned.

jamra
I think he did check it and the video we saw was the fast version of this process for the sake of the viewer.

But that’s just what my instincts tell me based on the time spent investigating, the amount of useful snippets, and the lack of typos and errors while coding.

Dolores12
Filtered by IP and User-Agent.
iforgotpassword
Also seems some kind of ID is encoded in the URL he got redirected to after visiting the initial link, as well as the field names.
rad_gruchalski
It would be probably another 5 minutes to add: random delay and a thread pool, a file with Xk most common passwords, random user agent from another file, bunch of email domains, select at random, append numbers to local part when ... [bunch of conditions].

Another half an hour to deal with the IP address stuff.

But, I think the purpose of the video was to show how to use the requests library.

DKnoll
How would you deal with the 'IP address stuff'? If you plan on harvesting SOCKS proxies or using existing lists, your adversary can just check IPs against DroneBL.
rad_gruchalski
Hey, I’m sure that video does not show how to build an anti-scammer solution. The scam stuff seems to be a nice back story for showing some python stuff. OTOH, any time a scammer is required to go and look at the data, write filters and what not, it’s a win!
DKnoll
True.

It's interesting to look at from the other perspective though, normally we're on the side trying to prevent malicious users and in this thread we're thinking as the 'malicious' user.

elif
The terrible thing here is that:

'very common name' + 1 digit @yahoo.com generates a list almost completely of real email addresses...

Spammers don't care about cleaning their lists... So he just helped the spammer do his job, involving a few hundred unrelated victims.

pavel_lishin
This is likely not made to harvest email addresses for spam, but rather for email:password combos.
certifiedloud
If all the scammer wanted was email addresses, they could have written a random yahoo email address generator on their own. They want legitimate email + password combos.
laurentl
Given that world + dog has the entire Yahoo DB by now, I wonder if a list of yahoo username + password still has any value on the market... Well, I can only hope so, or else the scammer will just drop all the yahoo addresses from his take rather than try to clean up the data.
ryanlol
If you can somehow find the yahoo DB, I will pay you $5000 in bitcoin for it :)
vmarshall23
Seems a little dodgy to redirect output from an apparent scammers website to an apparent root shell.
Zimahl
What's the scam here? The scammer gets access to someone's Craigslist account... and then what? They take down or change their posts?
ryanlol
It’s probably targeted against dealer accounts if they aren’t asking for cc info.

Other posters talking about password reuse are really confused, there’s essentially no chance someone would waste sms spam on such a silly venture.

Willson50
They try the username + password on other sites.
Sohcahtoa82
Relevant XKCD: https://xkcd.com/792/
pavel_lishin
Due to password reuse being very common, getting access to a craigslist account means you've got access to their email account as well.
lxe
What if the URL and the form fields are randomly generated? I would just use the Chrome console to keep submitting the form or something low-effort like that.
newshorts
Put a time delay in there and let it run over a couple days. Otherwise it’s too easy to just delete all the names from that 5 minute window of entries.
zb3
Usually entering credentials causes an email to be sent containing at least user IP address and a User-Agent string. In this case, the UA string reveals it all
ourmandave
For educational purposes only. <wink>

#2600

ccnafr
Yeah. Let's not the cover-all disclaimer
albowicz
My hero!
techVentureStar
this dude should do this on multi thread and distributed in cloud. this is so vanilla, also the hacker can just filter with an easy regex. lame
pavel_lishin
I agree that in all likelihood, a technically clever scammer can trivially exclude the ~500 entries this guy put in, but it _does_ create some extra work for them, and we have no idea how skilled the person harvesting these things is. (Plus, a committed troublemaker could likely make these things much harder to detect, and much more work for the scammer.)
starbugs
Definitely not skilled enough to install a TLS certificate :)
ryanlol
These guys clearly aren't very good, but there's a chance they might be deliberately not getting a TLS cert to avoid getting flagged by safebrowsing via CT logs.
andrewstuart2
How would it create extra work for him, unless he's manually entering emails and password into the usual email sites?

In all likelihood he tries every single entry he gets against the top 100 juiciest sites (banking, email, etc), and records all successful hits.

greenhatman
All you have to do is check which ip address is over represented in the logins table and delete those.
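The signals this thread proposes for telling the scripted entries from real ones (donohoe's name+digit Yahoo pattern, Dolores12's IP and User-Agent, newshorts' five-minute window, greenhatman's over-represented IP) are the same signals a site operator uses to spot a scripted burst of submissions against its own login or signup form. What follows is an added example, not code from the video or from anyone in the thread; the log format, the IP addresses and every sample line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, one per credential submission, in the format
# "timestamp|client ip|user agent|e-mail" (not from the video or the thread).
# The 203.0.113.9 lines are what a scripted burst would leave behind.
SAMPLE_LOG = """\
2018-07-29T10:00:01|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64)|jane.doe@example.com
2018-07-29T10:00:05|203.0.113.9|python-requests/2.19.1|michael4@yahoo.com
2018-07-29T10:00:06|203.0.113.9|python-requests/2.19.1|jennifer7@yahoo.com
2018-07-29T10:00:06|203.0.113.9|python-requests/2.19.1|david2@yahoo.com
2018-07-29T10:00:07|203.0.113.9|python-requests/2.19.1|sarah9@yahoo.com
2018-07-29T10:00:08|203.0.113.9|python-requests/2.19.1|john3@yahoo.com
2018-07-29T10:03:00|192.0.2.44|Mozilla/5.0 (Windows NT 10.0)|real.person@gmail.com
2018-07-29T12:30:00|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64)|jane.doe@example.com
"""
# Signals named in the thread: bare name plus one or two digits at yahoo.com,
# a scripting library's User-Agent, and many hits from one IP in a short window.
SYNTHETIC_EMAIL = re.compile(r"^[a-z]+\d{1,2}@yahoo\.com$")
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/", "Wget/")

def parse_log(text):
    """Parse the constructed '|'-separated format into (ts, ip, ua, email) rows."""
    rows = []
    for line in text.splitlines():
        ts, ip, ua, email = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), ip, ua, email))
    return rows

def flag_scripted_entries(rows, window=timedelta(minutes=5), burst_threshold=3):
    """Map each suspicious e-mail to the signals that fired; 'burst' means at least
    burst_threshold rows from the same IP within +/- window of this row."""
    timestamps_by_ip = defaultdict(list)
    for ts, ip, _ua, _email in rows:
        timestamps_by_ip[ip].append(ts)
    flagged = {}
    for ts, ip, ua, email in rows:
        reasons = []
        nearby = [t for t in timestamps_by_ip[ip] if abs(t - ts) <= window]
        if len(nearby) >= burst_threshold:
            reasons.append("burst")
        if ua.startswith(SCRIPTED_UA_PREFIXES):
            reasons.append("scripted-ua")
        if SYNTHETIC_EMAIL.match(email):
            reasons.append("synthetic-email")
        if reasons:
            flagged[email] = reasons
    return flagged
```

The same IP showing up hours apart (jane.doe here) is not flagged, which is the point of windowing rather than counting per IP over the whole table.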
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.