When you browse Instagram and find Tony Abbott's passport number (mango.pdf.zone)
Sarcastic PDFs never stop being amusing to me.
At least in Australia, a passport can be used as your primary ID for a lot of stuff such as renting houses, buying mobile phones, connecting services to your home, booking flights, renting cars, etc etc etc.
It shouldn’t work like that.
rofl. Great writer.
Different people are different.
"Update: I have been arrested." did leave me slightly confused for a while though, probably due to the verbosity making me want to scan read.
I ended up thinking that Instagram was actively removing pictures of boarding passes because I could only find a surprisingly low amount of pictures containing valid Lastname/BookingRef. As for the few pictures available, the references were often either too old, or partially covered.
I'm still wondering if Instagram does remove such photos.
Possibly the best line in an article full of really fantastic lines.
This can be reversed as well, if you do black things out this way: please make sure you're using 100% opacity black. I've managed to retrieve data from plenty of "blacked-out" documents simply by playing with contrast and exposure filters in Photoshop because the opacity wasn't set correctly.
That being said it was a really good blog!
YMMV based on nation that issues yours.
> Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.
> How it works: The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
It's amazing that we have all those security protocols (HTTPS, e2e encryption, secure log-in, etc.) but in the end most of the "hacks" are just people being stupid or manipulated through social engineering.
[0] https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-...
[1] https://www.abc.net.au/radio/melbourne/programs/drive/alex-h...
Exactly for the reason shown in the article.
I believe right now it is still too difficult to do this in any framework. That's why developers take shortcuts and just expose all entity data or just make a mistake and forget about it.
Does anyone know if such a framework already exists? So per field rights, not per entity rights.
I know postgrest uses it.
While I have no idea how the SSN of a long-dead rock star could ever be useful, I'm certain I still have a copy saved around here somewhere...
No need to do funky Inspect Element magic. Works wonders for reverse engineering how your fancy UI talks to the fancy API to do the fancy things.
If you can't figure out ZAP with HUD, you can alternatively use the Network tab on Chrome and switch to AJAX (if it's something that happens without the page loading)
Are you sure you're on the right website?
A friend of mine posted on Instagram a picture of a U.S. visa (or something similar; it was probably five years ago) to announce her trip to the U.S., and she took care to blur out sensitive information such as her passport number. But a Gaussian blur is easy to reverse and I successfully unblurred it and told her my discovery. I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.
I personally recommend blacking out (add a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.
> I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.
is one of the most HN comments I've come across recently :)
>"Well, it should be obvious to even the most dimwitted individual, who holds an advanced degree in hyperbolic topology..."
That gave me a laugh. I don't have any experience with Mathematica, but everytime I see it mentioned (usually on HN) I'm amazed at the sheer breadth the system is capable of. The amount of use cases and possibilities blows my mind.
We had a similar issue in Australia as well.
Politicians' phone bills are published on the government website in summary form.
Someone in 2017 decided to blank out their phone numbers by changing the phone number text colour to white (same as background).
End result - hundreds of politicians and former prime ministers had their phone numbers leaked.
https://www.abc.net.au/news/2017-03-20/phone-numbers-of-fede...
People used to be able to get the personal information of police officers if they were involved, intentionally or not, in a traffic accident with a police car. They would request the traffic accident report, and that included the personal information (including home address) of the police officers in the car. I was in QA and I tested the change when it was fixed. It now includes the address of Police HQ when a police officer is involved in a traffic incident.
You can dictionary attack pixelated photos.
With Gaussian kernels, besides deconvolution you can sometimes also dictionary attack them if you have the original font and if the kernel is a properly normalized kernel (i.e. most Gaussian blurs).
Although I haven't tried, I think there may even be neural network based techniques that can perform even more effectively than a dictionary attack.
Separately, if the image editing tools added sufficient random noise to their mosaic filters they might be able to thwart most of these attacks, or at least make them significantly harder.
It's a total cheat but it is funny how close that can get you to something that might be actually useful.
You'd be surprised at how many times this happens on Government documents with redaction.
:S
Both MS Word and PDF have leaked redacted/removed information in the past. Wasting paper given the severity of some of these leaks is minimal cost.
Firstly because it's a nice mix of analog and digital, and secondly because it's short enough to fit in a tweet - yet extremely secure.
Ministry of Defence redaction policy, https://assets.publishing.service.gov.uk/government/uploads/...
I've seen people use image editors on mobile and they'll "scribble" out sensitive information, but one of the problems is that if you pick the wrong pen it'll blend your strokes so it's not 100% opacity (but on a casual glance it's close enough). You can zoom in and change the contrast of a photo that has been redacted this way and recover information.
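The 100%-opacity point made earlier in the thread and the blended-pen problem here both come down to one check a publisher can run before posting. Added example, not code from any commenter: it models an image as (gray, alpha) pixels, constructs a small sample page, and reports whether a redaction box is truly opaque black, which also catches the "cut to transparent but colour values kept" case raised later in the thread.

```python
"""Verify that a blacked-out region of an image is really opaque black.

A box painted at less than 100% opacity leaves a dimmed copy of the pixels
under it, and an area merely cut to transparent keeps its colour values under
an alpha of zero; both fail this check. Pixels are (gray, alpha) pairs so the
two failure modes can be told apart in the report.
"""
from typing import Dict, List, Tuple

Pixel = Tuple[int, int]            # (gray 0..255, alpha 0..255)
Image = List[List[Pixel]]
Box = Tuple[int, int, int, int]    # (top, left, height, width)

WIDTH, HEIGHT = 24, 8
BOX: Box = (1, 2, 6, 20)           # region that is supposed to be redacted


def make_document() -> Image:
    """Constructed sample page: white background with a block of dark 'glyph' pixels."""
    img: Image = [[(255, 255)] * WIDTH for _ in range(HEIGHT)]
    for y in range(2, 6):
        for x in range(4, 20):
            if (x + y) % 3 == 0:
                img[y][x] = (0, 255)
    return img


def black_box(img: Image, box: Box, opacity_percent: int) -> Image:
    """Paint a black rectangle over the box at the given opacity (100 = fully opaque)."""
    top, left, h, w = box
    out = [row[:] for row in img]
    for y in range(top, top + h):
        for x in range(left, left + w):
            gray, alpha = out[y][x]
            # Alpha-blend black over the existing value; anything below 100%
            # keeps a scaled copy of the original gray level.
            out[y][x] = (round((100 - opacity_percent) * gray / 100), alpha)
    return out


def cut_out(img: Image, box: Box) -> Image:
    """Make the box transparent but leave the underlying gray values in place."""
    top, left, h, w = box
    out = [row[:] for row in img]
    for y in range(top, top + h):
        for x in range(left, left + w):
            out[y][x] = (out[y][x][0], 0)
    return out


def redaction_report(img: Image, box: Box) -> Dict[str, int]:
    """Summarise the box; any pixel other than gray 0 with alpha 255 is a leak."""
    top, left, h, w = box
    pixels = [img[y][x] for y in range(top, top + h) for x in range(left, left + w)]
    grays = [g for g, _ in pixels]
    return {
        "max_gray": max(grays),
        "gray_spread": max(grays) - min(grays),   # >0 means structure survives under the box
        "min_alpha": min(a for _, a in pixels),
        "not_opaque_black": sum(1 for g, a in pixels if g != 0 or a != 255),
    }


def redaction_is_opaque(img: Image, box: Box) -> bool:
    """True only if every pixel under the box is fully opaque, pure black."""
    return redaction_report(img, box)["not_opaque_black"] == 0
```

Run the same report over the exported file rather than the editor's canvas, since some editors flatten only on export.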
Real life document workflows can be really tricky. What if one is required to print or photocopy the obscured document? Devastating for printer's toner or cartridge lifetime... In some cases an opaque grayish rectangle does the job.
Which could result in thousands of dollars of loss over decades. Is that really a significant concern? Charge the client for it.
However, I agree that it requires some quick hand in image manipulation software.
That's the most surprising thing I've read today. I assumed it was destructive.
Black/delete (and flatten/rebroadcast) is the only way.
I have this at work, with engineering drawings. With mobile equipment often we're not dealing with engineering companies per se, and they won't or don't know how to get us CAD models of their equipment. And we often don't have the equipment on hand at the time we need to make drawings.
But if you have a PDF with vector drawings, often a manual, and one or two good dimensions you can make a reasonably accurate model. AutoCAD even makes this easy with the PDFIMPORT function.
More often than I would expect, there's a whole other drawing view either covered by a white box or off-page. Once it looked like it had been drawn over with a white paintbrush tool, and of course the path of that was also visible.
There was a scandal around 2003 when a TV host took a topless photo, cropped it and shared the cropped photo online. Unfortunately, the software (Photoshop—I think CS3) she used to crop the photo stored the original photo as metadata if you didn't change the original filename. The original (uncropped) photo could be seen in the "Open File" preview dialog when opening the cropped version.
Not cutting it so that it becomes transparent since this may still preserve the color component of the RGBA-pixels, even if it is invisible and blended with a black background.
> The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.
> For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.
> Harold Holt was another former Prime Minister and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke.
His skills at hacking are only matched by his wit at writing.
So, either Amadeus didn't fix the issue until it was disclosed here (very very bad) or Qantas didn't update their booking system for a security patch (also very bad).
[0] https://techcrunch.com/2019/01/15/amadeus-airline-booking-vu...
> I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.
> My mum always said when I was growing up that:
> There were “too many buttons”
> She was afraid to press the buttons, because she didn’t know what they did
> I can understand that, since grown-ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.
> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
> Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”.
BTW, on a side note, when you try and visit the blog's homepage[0] and scroll down to the bottom, you find a link to an actual (password protected) PDF file called Mango.pdf[1]. The author 'Alex' says the password for the PDF has been embedded in the page and it didn't take me a lot of time to figure the password out from the HTML source[2].
But when I opened the PDF, I was hit with this random string of characters:
cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o=
I tried to decode this using every available decoder, but it only throws up random results. Was wondering if any of you smart people here had any idea about this code.
[1] https://mango.pdf.zone/mango.pdf
[2] view-source:https://mango.pdf.zone/
EDIT: SOLVED IT!
As the commenters who replied to me mentioned, this puzzle is double-encoded. I think the trick is to figure out which decoder to use first.
I'm pretty sure all the developer did was:
echo json_encode($queryResult);
I saw how much I was getting paid vs how much they were charging clients. I quickly changed my prices after that.
[1]: https://idiallo.com/blog/how-much-do-you-charge-for-your-wor...
And so I applied for one. And when I received the confirmation document I received the entire batch file. It included passport number, expiry date and other PII of ten random people which would be super valuable in the hands of criminals and such.
And conversely ten random people know my PII.
I immediately factory reset the phone. My point being sensitive data leaks all over the place in many ways in today's world.
So well done.
I mean not to call him out but this did happen and he didn't navigate his way out (although that says nothing about his confidence).
https://www.smh.com.au/national/tony-abbott-lost-in-the-outb...
EDIT: To be fair, it's been a decade. Maybe he's worked on his orienteering skills since having that experience?
They are written in a similar style, I really love them.
Update: I have been arrested.
Is that just an obvious mistake? Or is there a news flash that we would like to hear more on?
I mean in this particular case, they could have Abbott create an account on their website first, but then, someone else booked the ticket for him so that makes things more complicated (because they don't have an e-mail address), and then there's tickets being booked all over the world, and then loads of people don't have computers or e-mail.
It escalates quickly.
and salty hacker news comments (his words) https://news.ycombinator.com/item?id=14919845
Careless or unwitting information disclosure from APIs—sometimes sensitive, sometimes not—is a real problem.
Q: Should (merely) the number from your passport really be considered a secret?
Ireland got a postcode system in 2015 (the last time they considered implementing postcodes to improve autosorting, they were so late to the party that "an post" (Irish postal service) had OCR machines good enough to just read the whole address) which assigns each residence in the country a 7-digit alphanumerical code, called an "Eircode" [1]. It is purported to be a solution to packages getting lost or delayed, and an unambiguous way of giving someone a building's address.
An Eircode can be resolved into a full postal address, and GPS co-ordinates for the address.
e.g., here are some Eircodes:
Facebook's headquarters: D02 Y098
President's house: D08 E1W3
Data protection commission: D02 RD28
To get the info for any of these, check out: https://finder.eircode.ie/
Personal note: I'm not too jazzed on the specifics of the implementation, but it sure is handy when you're shitfaced and can trivially explain exactly where you live to a food-delivery driver over the phone.
[1]: https://en.wikipedia.org/wiki/Postal_addresses_in_the_Republ...
I really like the bit about learn "the IT", there's no book or anything to be good at computers you just gotta fuck around and find out a bunch.
> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
I mean the IT books section of the charity shops is a good example of this, there's so many there for older versions of Office, operating systems, etc.
That said, I had a school book (Structured Computer Organization by Tanenbaum) that explains a lot of the basics of computers. Sure, it's about the Pentium architecture and early JVM and doesn't cover multi-core architecture or using GPUs to crunch numbers, but it goes through a lot of the basics.
Teams of media advisors and a very favorable alliance with the Murdoch press have paled in comparison to this one blog post that didn't even have that as an aim.
[0]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place' - Eric Schmidt
I guess they will learn the hard way given that they aren't really 'tech savvy' or internet wise these days.
It's more the airline's fault for making this info so easy to access with what looks like non-sensitive info.
I could probably have gotten in a lot of trouble.
Nailed it.
Thinking in perspective now, I regret not going out with it because that ancient application probably cost millions of euro from taxes.
However, for me, I found it absolutely hilarious and very intelligent despite being obviously extremely... I'm not sure the right description. Young? Modern internet colloquial? Either way, it worked for me.
Also visited his page. Does not disappoint: https://mango.pdf.zone/
It is an excellent stylistic choice for documenting interactions with commonwealth bureaucracy, of course.
It's very tiresome to read, with _way_ too many digressions and jokes.
Some airlines just use a single "god mode" account for their whole e-commerce platform because it's cheaper / more convenient for their developers / vendors.
In this case, the "hacker" logged in to a customer-facing portal; this is probably not even a user account in the strict sense of the word.
I am asking as I fail to see how it is not a development issue. If they returned only the data that was needed on the page, it wouldn't expose internal comments or passport IDs.
0: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
It would be great if anyone can find it, I am certain I got it from HN.
My uncle (a sheep farmer) and I discovered that:
1. I was afraid to touch anything in a car engine, but happy to muddle through unfamiliar computer issues
2. He was afraid to click unknown buttons on a computer screen, but comfortable pulling apart and rebuilding an unfamiliar car engine.
In both cases, we were confident because we knew whatever mistake we made we'd be able to reverse it. And in both cases, we were afraid of making a mistake that we couldn't reverse.
1. He was terrified of breaking it, so I told him that there was nothing he could possibly do to it that I couldn't fix. I made sure to sound overly confident -- almost like I was challenging him to break it. That gave him the confidence to do whatever.
2. Every time there was a problem with it, I would Google the answer in front of him, and he'd watch me figure it out in real time. Eventually, he got the confidence to start Googling things himself. The tech support calls dropped off pretty steeply after that.
When I was doing upgrades, I would make the person in question replace a few parts themselves. Usually I would pull out one SIMM chip or PCI card, explain what it did and how it was retained, and then ask them to pull out and replace a similar part themselves.
I found that getting their elbows dirty went a long way toward perceiving computers as things that could be figured out.
“Nobody gives the baby a knife. You give them a spoon” - Mum, when I showed her this.
(which is also insightful, because the 'Mums' I've dealt with are mostly worried that pushing the wrong button will permanently break something, as if they used to sell blenders without safety features or something back in the day)
I can't remember how many times I've heard "I can't log in, the machine is locked", when there is literally 1 button Switch User, and clicking that 1 button does it. "Oh, I didn't think to try that, it said it was locked.."
Entering newlines in a textbox? It's.. shift-enter, or alt-enter, alt-shift-something. Multicursor? It's.. shift-up? Alt-up? You just try 'em. Cat-like
[0] https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false...
tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
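The double-encoded PDF text discussed earlier in the thread, CyberChef's Magic recipe and the tr rot13 one-liner above all come down to the same job: work out which layer to strip first. Added example, not code from any commenter or from CyberChef; it peels the quoted string in Python, applying a layer only when the result is measurably better than the input, which is what decides the order (base64's alphabet is closed under rot13, so rot13-first still looks like base64 but decodes to junk).

```python
"""Peel layered encodings off a string, choosing the order by inspecting each result.

Each step is accepted only if it improves the text: base64 must yield printable
UTF-8, rot13 must raise a crude English score. Otherwise the loop stops.
"""
import base64
import codecs
import string
from typing import List, Optional, Tuple

# The string quoted in the comment above, including the stray spaces from line wrapping.
PUZZLE = (
    "cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci "
    "BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo "
    "ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o="
)

COMMON_WORDS = {"the", "a", "to", "of", "and", "you", "your", "my", "me", "on",
                "with", "not", "is", "it", "so", "very", "good", "in", "for", "get"}


def rot13(text: str) -> str:
    """Same mapping as tr '[A-Za-z]' '[N-ZA-Mn-za-m]'; non-letters pass through."""
    return codecs.decode(text, "rot13")


def try_base64(text: str) -> Optional[str]:
    """Decode as base64 only if it is strictly valid and yields printable UTF-8 text."""
    compact = "".join(text.split())            # drop whitespace introduced by wrapping
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except ValueError:                          # covers binascii.Error and UnicodeDecodeError
        return None
    if not decoded or not all(c.isprintable() or c.isspace() for c in decoded):
        return None
    return decoded


def english_score(text: str) -> int:
    """Count of very common English words; enough to rank rot13 output against its input."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)


def peel(value: str, max_layers: int = 4) -> Tuple[List[str], str]:
    """Strip layers until neither decoder improves the text; returns (layers, result)."""
    layers: List[str] = []
    current = value
    for _ in range(max_layers):
        decoded = try_base64(current)
        if decoded is not None:
            layers.append("base64")
            current = decoded
            continue
        rotated = rot13(current)
        if english_score(rotated) > english_score(current):
            layers.append("rot13")
            current = rotated
            continue
        break
    return layers, current
```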
BTW, are there any more of such 'puzzle hunt' websites where you could play around and sharpen your decoding skills? Thanks!
Abbott was Australia's Trump. Thankfully he lasted in office an even shorter time than the people he replaced.
Killing our nascent Fibre-to-the-Home rollout which had just begun after years of planning by the previous government. We now use a problematic mishmash of slow copper instead of fibre (Murdoch wanted this so Tony gave it up for him).
Killing the mining tax for his donors. This would have returned billions for our country. We could have begun a sovereign wealth fund like Norway who have over $1 Trillion in theirs. Australia also makes minimal profit from gas exports. Qatar exports less than us but their country profits 2600% more per year than Australia.
Domestic buyers on the east coast of Australia now pay one of the highest prices in the world for gas. Double the price our exporters are buying it for (and they have liquefaction and transport costs included).
Abbott was more our McConnell, happy to tear down political norms and standard parliamentary practice while claiming to defend it. He was a "good" opposition leader in that he basically was in opposition to everything proposed by the government, not for good reason, just because.
He didn't last long as an actual leader, because that requires positive actions, not just oppositional or destructive ones.
He won't be missed from our political domain.
His policies were regressive even for the liberal party's right, he was needlessly belligerent as PM, and I didn't like him or vote for his party. However, he wasn't an uneducated or stupid man, and he wasn't an inexperienced political outsider like Trump.
Document history was turned on and anyone who hit ctrl+z got the full class marks.
(The same lecturer initially failed me because they forgot to add my final exam score to my assignments score, and then took four months to fix it. They weren't very competent.)
"But look, you found the notice, didn’t you?" "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."
I did chuckle out loud when I read "For security reasons, we try to change our Prime Minister every six months".
More exactly, they separate each sentence. Each has a tiny bit of funny in it (in the words, in the way they say it, because they stay in character, whatever) and they let audience lol. Rinse and repeat.
Look I just googled "up and coming standupers" and picked the first video (new laptop, not connected to Gaccount) https://www.youtube.com/watch?v=s6uW1odtjPc
Check the 36 first seconds.
Humour changed without you (us) realizing ¯\_(ツ)_/¯
"Uhh... how many layers deep is this going to g-- oh, ok. Nice :D"
Vim used to have a (terrible) encryption capability, but lately I've been fairly happy with `pass` (passwordstore.org) for basic local encryption.
Teach a man how to google, and he'll never go a day in his life without being obsessed with conspiracy theories.
It's not all bad, though. He invites his friends over and shows them how you can find all sorts of cool stuff online. One of them the other day was apparently trying to stump YouTube with increasingly obscure woodworking joints.
I think most people would be surprised how many people are still out there who have no idea what the internet is or what it does. Imagine discovering that there's a machine that can show you how to do anything, or play any song you've ever listened to, and you had no idea something like that even existed.
[0]: https://pdfs.semanticscholar.org/20c2/b82eef0809df80a402f125...
Mind blown. Wow, that is very impressive.
Eg knowing that the input was black text on white background or a natural image (instead of eg white noise) helps a lot.
Machine learning can also do a surprising good job of it, especially if you know what the target is (e.g. a face) https://www.vox.com/future-perfect/2019/9/4/20848008/ai-mach...
Sample code: https://gist.github.com/JonathanFly/80b669a72bf624d17b56a1cf...
Yes. Though that's just a corollary of doing better when you know something about the probability distribution of inputs.
(But a very useful and practical corollary. My formulation didn't give any hint how you might make use of that knowledge of the distribution.)
Now show me the thread where Steve Jobs gave a shoutout to CmdrTaco :)
Amadeus filters the booking record depending on the level of access that the user accessing it has (the user being the backend in this case). In a previous life for another airline, I have experienced this problem before when a vendor tried to get something through to production which was returning credit card numbers and expiry dates to the frontend (but not the CV3). This was all because the vendor tried to use the highest privilege API key rather than the one with access to the specific info they needed. It never got past UAT thanks to thorough security review in this case.
These lines are filtered / redacted depending on your role. You have to remember that this is a legacy system which has remained pretty much unchanged for 40-50 years. It's hard to change because hundreds of airlines have their own legacy systems which rely on bookings being structured this way. And when you book a multi-carrier itinerary, the airlines often all access this same record directly on Amadeus.
There has been some movement in recent years in a platform called NDC[0] (new distribution capability) but most airlines still rely on the PNR at the moment.
[0]: https://www.iata.org/en/programs/airline-distribution/ndc/
Something like "GET /reservation/<id>" would rarely require you to specify the 50 fields that you would like included in the response. Many offer fields to explicitly filter for specific things, but the default is almost always to return the full object as much as the caller is allowed to see.
On the one hand, it's perfectly built to spec and satisfied all requirements given by the customer.
On the other hand, you know it's incredibly fragile, and that the customer actually wants something different.
Developing a different getUser API for 20 different caller types does not scale.
Of course, the real solution here is that the airline software should not just pass along everything it received from Amadeus but rather that they should convert it and return only the relevant subset. This would avoid these types of issues.
This is frequently called property level authorization or field level authorization.
https://stackoverflow.com/questions/30002351/enforcing-prope...
https://help.salesforce.com/articleView?id=security_data_acc...
You're just wording it in an indirect way to make it seem like something different. It's not "Using API key to determine what kind of information is returned", it's "hiding sensitive fields based on permissions".
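The "return only the relevant subset" and "hide sensitive fields based on permissions" points in the comments above are one mechanism: an allow-list projection per caller role, applied before anything reaches the frontend. Added example, not code from any commenter, airline or Amadeus; the booking record, field names and roles are constructed for illustration.

```python
"""Project an upstream booking record onto the fields a caller's role may see.

The allow-list is the only thing that admits a field, so anything the upstream
system adds later (a new remark type, another document number) stays hidden
until someone deliberately grants it. Unknown roles get nothing.
"""
import copy
from typing import Any, Dict, Set

# Constructed sample of what a booking system might hand back; no real data.
UPSTREAM_BOOKING: Dict[str, Any] = {
    "booking_ref": "EXAMPL",
    "passenger": {"surname": "EXAMPLE", "given_names": "ALEX"},
    "itinerary": [
        {"flight": "XX123", "origin": "SYD", "destination": "MEL", "date": "2020-01-01"},
    ],
    "contact": {"phone": "+61 0 0000 0000", "email": "alex@example.invalid"},
    "travel_document": {"type": "P", "number": "N0000000", "expiry": "2030-01-01"},
    "remarks": ["staff-only note about the booking"],
}

# Dotted paths. A bare name grants a whole subtree; "a.b" grants only that branch of "a".
ROLE_FIELDS: Dict[str, Set[str]] = {
    "web_customer": {"booking_ref", "passenger", "itinerary.flight",
                     "itinerary.origin", "itinerary.destination", "itinerary.date"},
    "call_centre_agent": {"booking_ref", "passenger", "itinerary", "contact",
                          "travel_document.type", "travel_document.expiry"},
}


def project(value: Any, allowed: Set[str], path: str = "") -> Any:
    """Keep only granted paths; everything not named is dropped (default deny)."""
    if isinstance(value, dict):
        out: Dict[str, Any] = {}
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if child_path in allowed:
                out[key] = copy.deepcopy(child)              # whole subtree granted
            elif isinstance(child, (dict, list)) and any(
                p.startswith(child_path + ".") for p in allowed
            ):
                out[key] = project(child, allowed, child_path)  # descend, keep granted leaves
        return out
    if isinstance(value, list):
        # List items share the parent's path; scalar items need the whole list granted.
        return [project(item, allowed, path) for item in value if isinstance(item, (dict, list))]
    return value


def booking_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """The response body a caller of this role may receive."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no field policy for role {role!r}")
    return project(record, ROLE_FIELDS[role])


def leaf_paths(value: Any, path: str = "") -> Set[str]:
    """All dotted leaf paths in a record, for reviewing what a role does not see."""
    if isinstance(value, dict):
        return set().union(*(leaf_paths(v, f"{path}.{k}" if path else k) for k, v in value.items()))
    if isinstance(value, list):
        return set().union(*(leaf_paths(v, path) for v in value))
    return {path}


def hidden_from(record: Dict[str, Any], role: str) -> Set[str]:
    """Fields present upstream that this role never receives; useful in a security review."""
    return leaf_paths(record) - leaf_paths(booking_for_role(record, role))
```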
Use ImageInstanceQ[image, object], where image is the image and object is "caprine animal". [0] [1]
[0] https://reference.wolfram.com/language/ref/ImageInstanceQ.ht...
[1] https://codegolf.stackexchange.com/questions/71631/upgoat-or...
With software you either need vetted and approved, very expensive software, or you have to accept a much higher error rate, because the operator cannot verify the results of the process with certainty.
An election doesn't need to be tamper-proof we just need to be able to detect tampering well enough to make tampering a loser's game.
[0] https://www.atlasobscura.com/articles/pointing-and-calling-j...
So, not only do you have the energy-investment thing noted in the/a sibling comment, you have the issue that there's no giant "THIS IS AN IMAGE" or "THIS HAS TEXT IN IT" that you can just Look At and know that yeah the document is okay. There's no lowest-common-denominator provability thing. You have to hyperspecifically know what to look for (render to image) then know how to verify whether it's an image or not.
And... how do you verify if it's an image? I don't have any PDF authoring/editing software on this machine, so the only thing I can think of is checking the Undo menu for "convert to image" or similar.
Under the hood, you create a new document, rasterize the original document page by page as JPEG, and insert the JPEGs into the new document.
You can even create a fake "printer" that outputs a PDF with rasterized images as pages, so you don't have to teach the office clerks to do anything extra.
To me, it seems to be indistinguishable from printing and scanning.
PS: It's pretty easy to verify programmatically whether the page contains nothing but an image, especially if you also wrote the software that rasterizes it in the first place.
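The verification step described above (a rasterized page should place an image and nothing else) can be scripted against the file itself. Added example, not code from the commenter or any PDF tool; it constructs two tiny PDFs inline, one with live text and one with a single image, and scans their content streams for text operators. It handles FlateDecode streams but only counts object streams (/ObjStm), so a non-zero count there means "inconclusive", not "clean".

```python
"""Decide whether a PDF's pages are pure raster images or still carry text.

A page that was really printed to an image has a content stream that only draws
image XObjects (the Do operator). Any BT/Tj/TJ operator means selectable text
survived. Heuristic scanner: classic objects and FlateDecode streams only.
"""
import re
import zlib
from typing import Dict, List

STREAM_RE = re.compile(rb"^(.*?)stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length values only


def inspect_pdf(data: bytes) -> Dict[str, int]:
    """Count text operators, image draws, image XObjects and unopened object streams."""
    counts = {"text_ops": 0, "image_draws": 0, "image_xobjects": 0, "object_streams": 0}
    for obj in data.split(b"endobj"):
        match = STREAM_RE.search(obj)
        if not match:
            continue                                   # no stream in this object
        header = match.group(1)
        length = LENGTH_RE.search(header)
        body = (obj[match.start(2):match.start(2) + int(length.group(1))]
                if length else match.group(2))
        if re.search(rb"/Type\s*/ObjStm", header):
            counts["object_streams"] += 1              # compressed object container, not opened
            continue
        if re.search(rb"/Subtype\s*/Image", header):
            counts["image_xobjects"] += 1              # pixel data, carries no operators
            continue
        if re.search(rb"/Filter\s*/FlateDecode", header):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        counts["text_ops"] += len(re.findall(rb"\b(?:BT|Tj|TJ)\b", body))
        counts["image_draws"] += len(re.findall(rb"\bDo\b", body))
    return counts


def looks_rasterized(data: bytes) -> bool:
    """True when the scan found images being drawn and nothing that could be text."""
    c = inspect_pdf(data)
    return (c["text_ops"] == 0 and c["object_streams"] == 0
            and c["image_xobjects"] > 0 and c["image_draws"] > 0)


# ---- constructed sample PDFs (not real documents) ---------------------------

def stream_obj(entries: bytes, payload: bytes, compress: bool) -> bytes:
    """A stream object; compress=True wraps the payload in FlateDecode."""
    if compress:
        payload = zlib.compress(payload)
        entries += b" /Filter /FlateDecode"
    return b"<<%s /Length %d >>\nstream\n%s\nendstream" % (entries, len(payload), payload)


def build_pdf(objects: List[bytes]) -> bytes:
    """Number the objects and append a cross-reference table (minimal but valid)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


CATALOG = b"<< /Type /Catalog /Pages 2 0 R >>"
PAGES = b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"

TEXT_PDF = build_pdf([                      # "redacted" by drawing over text: text is still there
    CATALOG, PAGES,
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R"
    b" /Resources << /Font << /F1 5 0 R >> >> >>",
    stream_obj(b"", b"BT /F1 12 Tf 20 50 Td (passport no. SAMPLE-VALUE) Tj ET", True),
    b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
])

IMAGE_PDF = build_pdf([                     # the rasterized version: one image per page
    CATALOG, PAGES,
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R"
    b" /Resources << /XObject << /Im1 5 0 R >> >> >>",
    stream_obj(b"", b"q 200 0 0 100 0 0 cm /Im1 Do Q", True),
    stream_obj(b"/Type /XObject /Subtype /Image /Width 2 /Height 2"
               b" /ColorSpace /DeviceGray /BitsPerComponent 8", bytes([0, 255, 255, 0]), False),
])
```

Also check that the output has no /Annots, embedded files or metadata carried over from the source, which this scanner does not look at.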
https://www.theglobeandmail.com/canada/toronto/article-autom...
It's pretty easy for a computer to verify any of this, the point is making it idiot proof. You don't have to be much of an idiot, if you process hundreds of documents a year where there's no way to visually verify the difference between a badly redacted document and a well redacted document, to screw up once. Especially when the difference between them is that you remembered to push the "redact correctly button", and if you forgot that, remembered to push the "verify if is redacted correctly programmatically" button before hitting send.
What you do is create a ritual where you have to walk across the room and use a physical machine. You'll remember doing that. And if you don't, since the output will look a bit crap, you can confirm it trivially.
Creating a process that has to be done perfectly every time or it fails catastrophically, and has few indications of failure during the process, is worse than having no process at all.
When I was working on an archive project for the ABC, "tony eating onion" or some variation was the most common thing people searched for in the system when they first started using it.
More bizarre was that time he froze and didn't speak for 30 seconds when asked a difficult question by a reporter about his "shit happens" comment. Justin Trudeau did the same thing recently when asked a question regarding Trump.
… as a stunt? On a dare? Why?
Sounds like a sociopath.
The problem with randomly hand-counting a few boxes of ballots is that you then need to convince people that the random selection was uniform and fair and actually random.
There are methods to do that, but they are at least as complicated and full of cryptographic finesse, that they ain't simpler than vetting an electronic voting system in the first place.
Having said that: human counting isn't fool proof and is still open to abuse and tampering.
It's mainly that any village idiot can in-theory audit the human-run system, and that it would take a conspiracy with lots of people to engage in wide spread tampering.
The more people involved, the harder it is to prevent leaks.
What they can't trivially do with any system including paper ballots is remove ballots, compared to digital voting machines where you can add e.g. -100 votes to candidate A, 100 votes to candidate B, thus ensuring that the total-votes field is correct while advantaging candidate B -- this was actually demonstrated by a security researcher on a Diebold touch-screen machine.