In 2004 a group of people were handing out free chocolate to anyone who would give them their passwords. It turned out that 70 % would reveal their password for a candy bar, or perhaps that people are willing to lie to strangers in order to get free chocolate. Though these were some interesting statistics, they weren’t very useful to me. What I wanted was a username to go with the password and the name of the company where the person was working. However, I didn’t want to stand alone in the subway handing out Snickers bars to people who didn’t deserve them. I’ll keep my candy treats for myself, thank you very much! Besides, I wanted something which was a tad more discreet.
Mambo server to the rescue! Well I’ve switched to Joomla after the split. Joomla is an excellent CMS system which I’ve used to create my site laugh-and-a-half.com. It’s a site where people go for a laugh; it’s crammed with funny stories, silly pictures and videos with crappy quality. Out of the goodness of my heart I provide all these services free of charge as long as people register. Some teasers are available without logging in, but most of the site members come from recommendations by their friends (at least that’s what the polls tell me) and they don’t mind registering. I don’t ask for much; Alias/Username, Real Name, Email, Password, Gender, Age and Occupation.
Some people just enter gibberish, and that’s fine (that’s what I would do); others are proud of their titles and neatly enter the correct information in every field: “Sales Executive”, “Purchase Manager”, “Corporate Slave”. I’d like to ask for a phone number too, but I don’t feel that bold. The information would be great to have in social engineering terms, but I don’t want to make people too suspicious, plus I want valid information. Most members provide exactly that, and password reuse is practiced by most people who log in to the site. It’s not really their fault, they haven’t been taught better.
When the users log in I also keep records of their connecting IP addresses; from nine to five these can usually be translated to companies.
During the time when I was starting up the site there was a lot of work involved with collecting jokes and wrestling myself up in the search engines. But I can tell you the ROI has been substantial; nowadays the site has grown and more or less has a life of its own. 95 % of the content is now submitted by users. Everyone likes sharing a joke right?
No one knows that I run the site. That is, no one on IRC knows; they probably haven’t even heard of the site and I’m sure as hell not going to tell them. Why should I? The site is registered to some bloke named Peter. Yep, that’s me IRL. The people I do business with only know about tr0y and it would be most unfortunate if anyone connected tr0y to Peter.
While Peter runs an innocent site called laugh-and-a-half, tr0y is in it for the information. There is some work involved with sorting out bad data from good, but over time my Perl scripts have gotten quite refined.
I get a thrill when a new company finds the site. It starts with one user, then he or she sends an email to his or her colleagues which they in turn forward. Some days I’ve gotten 20 users from the same company!
So what do I do with this information? Most of the time I trade it; if it’s from an interesting company I might be able to sell it. Otherwise I have great fun using it myself. Sometimes I’m able to just VPN in to a company based on the information I’ve been given from my members. To some extent I guess I just like the mining.
Lately I’ve added some more features to laugh-and-a-half. First I’ve got the face recognition software, the idea is that people upload their pictures and I tell them who they look like. Boy do people love to look like celebrities;
“Susan you look like Madonna, please tell your friends.”
Of course the software itself isn’t working very well, but the upload module works excellently.
Then there’s the horoscope where the members enter more information about themselves. This is a mix of “worthless stuff” and things I wanted to know but didn’t dare ask during their registration. Members fill out a form; where they live, interests, favorite food, what they earn, what their boss is called, favorite animal etc. Based on their input I provide them with a randomized horoscope.
Another popular feature of laugh-and-a-half.com is the weekly newsletter. Every Monday the site sends out a newsletter with the jokes which have received the best votes during the previous week. Mind you it’s easy to unsubscribe. Heavens I don’t want to get accused of spamming! The newsletter is a good way to remind people of the site. But then there’s a little something called out of office replies.
“Hi this is Brent, I’m out of the office visiting customers this week…”
“Laura is on vacation this week; if you need anything call Mark at this number…”
“Hi this is Jonathan I am on vacation until 13/7…”
“Hello, Sarah will be back on Wednesday…”
“Neil is on vacation…”
These can be good to have for a bunch of reasons, but today I think I’ll ping devin…
– tr0y – you there?
– devin – hey buddy long time no see, sup?
– tr0y – know anyone in kent?
– devin – why?
– tr0y – business
– devin – business business?
– tr0y – yep business business
– devin – shoot
– tr0y – a guy named jonathan will be on vacation in Greece
– devin – the deal?
– tr0y – 6 %
– devin – I’ll get back to you
– tr0y – I’ll send you what you need when you do
– devin – how do you know about this anyway?
– tr0y – I ask politely
Please note this is a purely fictional story; any names found here are made up. I’ve written this because I like writing; if someone reads it and enjoys it, great. If they get more conscious about security, that’s a bonus too.
Related Links:
Passwords revealed by sweet deal
– http://news.bbc.co.uk/1/hi/technology/3639679.stm
Would you trade your password for chocolate?
– http://www.theregister.co.uk/2004/05/28/password_advice/
Urban Legends Reference Pages: Crime (Grand Theft Auto Reply)
– http://www.snopes.com/crime/intent/reply.htm
Password Safe – a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows.
– http://passwordsafe.sourceforge.net/
Simple Formula for Strong Passwords (SFSP) Tutorial
– http://www.sans.org/rr/whitepapers/authentication/1636.php