Tell HN: There is a Scammer Amongst Us
Starting in the evening of January 30th, posts began to appear on complaint forums with my name. These posts claim that I am a pedophile and that I have stolen money. These posts are false and I find it unsurprising that they began to appear after I provided information about the possible identity of jiganti's scammer. My name and phone number are easily Google-able, however, I provide it here in case anyone wishes to call me: Louis Marascio, 512-964-4569.
I'm posting this because although jiganti's post fell off the front page, this story is not over. Other HN'ers and I dug up some information about the possible scammer in the original thread. Also, I believe jiganti might not be the only person who's been taken by this guy. Please read the post and thread in full. This sub-thread specifically discusses our findings: http://news.ycombinator.com/item?id=2158590
Our most promising evidence is this: the responsible party is a single user that has at least three handles here on HN: pinksoda, sinkfloat, and BrianHolt. This has not been proven nor has it been denied, and I repeat the last sentence of my findings: I encourage the owner(s) of the HN accounts pinksoda, sinkfloat, and BrianHolt to speak up--and if I'm wrong I apologize.
I re-urge you to read the post, the subsequent conversation, and the other linked-to Hacker News posts and make up your own mind. Hacker News is a tight-knit community, and if there is an unsavory character here who's using it as a way to find and exploit young entrepreneurs, then I feel we need to all be made aware of this. If a scammer does exist amongst us, let's all hope a little light will cause him to slither back into the hole he came from.
It is important to note that 'mahmud' is mentioned in the first paragraph of the original post. mahmud IS NOT THE SCAMMER. The original poster lost his ability to edit the post before he could clear up what he meant. This is specifically discussed in this sub-thread on the post: http://news.ycombinator.com/item?id=2157602
85 comments
[ 5.8 ms ] story [ 166 ms ] threadhttp://news.ycombinator.com/item?id=2157281 http://news.ycombinator.com/item?id=2158590 http://news.ycombinator.com/item?id=2157602
Or maybe that's what LinkedIn was supposed to be before it turned into something that to me feels much more impersonal and spammy.
Passwords and cookies in clear HTTP are no good. Anyone here (should) knows it. Firesheep proves it. GMail and Zuckerberg suffered it.
Just buy or get a free SSL certificate, and let nginx or stunnel handles SSL and proxies HTTP to/from Arc. Total cost, being pessimistic: 150$ for the certificate verification, and 2 hours to set-up the certs & nginx.
I know, it's awesome, it's a custom Arc webserver and all, and good practices are for PHBs only, but still. For a "hacker" website, news.ycombinator.com is a shame regarding to privacy/security (see also: passwords stored as shasums (without even a salt), funny things like <img src="http://news.ycombinator.com/logout>, outdated versions of software used [http://news.ycombinator.com/item?id=516122], etc.)
http://www.startssl.com/?app=1
Use something like Perspectives instead of CAs:
http://www.techrepublic.com/blog/security/perspectives-bette...
We need SSL certificates for encryption. With the certificate you get a private key that is used for secure communication between your browser and HN (both ways).
If it didn't cause every browser to show a big, scary, your-computer-will-instantly-explode-and-your-children's-social-security-numbers-will-be-stolen-if-you-continue, using self-signed certificates (ie. certificates that anyone can just generate) wouldn't be that big of a deal. It could open you up to a man-in-the-middle attack, but it's still way better than sending everything in the clear.
How do you know that? That's the whole point of SSL - knowing that you've traded private keys with the right party.
SSL for "encryption only" only works to defend against attackers that can listen to your network, but cannot write to it. So, sure, it defends against some passive collection system, and perhaps against some tools that are designed to just listen.
But, if browsers stopped displaying warnings, so that using a "bad" certificate worked just fine, then I'd bet the tools would just switch to allow cert injection and we'd all be worse off.
(Hint: https should have been implemented the same way. CAs are fundamentally broken.)
That's the way it's supposed to work. You know the first time you logon to a server and it asks if you trust it? You're supposed to call up the server admin and get them to read off the fingerprint, or have them email it to you, or get it from some other out-of-band channel.
And no-one, nowhere actually verifies host fingerprints. Even security conscious people. And what do people do when they get that warning about a modified fingerprint? Just delete the entry from authorized_hosts and re-connect.
So ssh actually does a really shitty job handling key exchange.
Anyway, the closest thing to a real alternative to https and CAs is monkeysphere (OpenPGP WoT for servers), but no-one uses that.
While 'security conscious people' might not verify the fingerprint out-of-band when adding it the first time, I'm sure most of them wouldn't just remove the authorized_hosts entry...
That doesn't make any sense to me. There are even free services that can perform the validation for you based on a "crowdsourced" approach to verification, like Perspectives:
http://www.techrepublic.com/blog/security/perspectives-provi...
She was apparently someone who should have known better, but instead was willing to believe that FireFox was just warning her spuriously about valid HTTPS certs -- yes, someone had hacked her computer, and was collecting every bank, credit card, and online shopping password as she fell for an MITM attack over and over.
In this case, though, we don't need a CA. PG could publish the key in an essay and we'd just carry it through manually.
http://news.ycombinator.com/item?id=499851
I do care about identity usurpation.
SSL is a giant waste of time for Hacker News, modulo the fact that people might be crazy enough to use a shared password here.
It's a fallacious argument in my book. Like comparing apples and oranges.
Say I run a bakery. What I care the most about is the quality of my bread. So much, I spend all my time working on that and only that. So much, I didn't ever bother to have a lock at the door. But it's not even a big deal if someone comes in and poisons one of the bread, as long as the overall quality is increasing!
> SSL is a giant waste of time for Hacker News
Yes, if by "giant" you mean that it takes like 2 hours to set-up, and a small payload for each negociation. But concerning the payload, Arc is not especially fast, so there is room for improvements there to compensate, if needed.
> modulo the fact that people might be crazy enough to use a shared password here.
Not the point, the point is HTTP sniffing.
And anyway, people could use a shared password, making it easier for them (don't overestimate human memory), if HN used (HTTPS and) a "real" password encryption scheme (bcrypt or the like). Why put the burden on the user when you can put it on the computer?
Waste of time in what sense? The time it takes to set up SSL?
If this was a real product, this would clearly not be my advice. But it's not. It's just HN. The worst case to an attack here is not all that bad.
There's some goofy YC stuff that happens through this site. If asked, my advice regarding security and YC would not be "make HN more secure so the YC stuff is safer". It would be "get the YC stuff the hell off HN."
</really really dumb question>
Thanks in advance.
This is not to say that I agree with him - the worst-case scenario isn't that bad, but setting up SSL is easy and the right thing - but he's not babbling nonsense or anything.
Not surprised. Just trying to verify if he had the subject matter expertise I thought he had or not so I can better understand the discussion. Since I am a member here, security of the site does matter to me as it potentially directly impacts me. But I lack your depth of knowledge of the subject. So the credentials of different speakers matters to my understanding. For someone like me, whether he is being downvoted because he has no clue what he is talking about or for some other reason entirely makes a significant impact on my understanding of the situation.
Thank you for your helpful reply.
Fifty bucks worth of work, once, which pays a dividend each and every time a security conscious user visits the site. That's not a waste of time, that's a no-brainer.
He took a lot of flack for, what was surely just a 2 minute job editing some html template, but I can kind of see that logic now.
When you add the link, it signals that you deem "Searching Archives" as an important feature of the site and then it's suddenly no longer just a simple href= entry in a text file somewhere.
Dealing with SSL could be in the same boat. By adding it, you're implicitly saying that 'this site is serious enough to warrant proper security measures' and then that's another rabbit hole that's difficult to get out of.
Granted, that scenario may seem far-fetched, but it's not unreasonable to suppose that some unscrupulous person might have motive to do something of the sort. Rather than deal with the fallout if it does occur, why not simply allow people the option of having a secure login? If they choose not to use it, that's their prerogative.
HN is not the small and unfamous news site it was 2 years ago anymore.
As evidence for my point of view (and, you can say "you're welcome" if my brinkmanship with this sentence is paid off by Graham promptly enabling SSL, which he could easily do in the process of fixing the far-more-important bug of this site not being served through a front-end proxy), note that next week SSL will in all likelihood not have SSL enabled. That request --- provide SSL --- has been outstanding forever. Does Graham also share my cavalier attitude towards the site?
But remember that this is also the YC application system. A lot of alumni help read apps, probably just by getting a permission added to their account. So a lucky firesheep-er can probably read every application to YC. And mess up people's applications (if they get the account of an applicant before the deadline). And may reject people/delete apps if they were to get, say, pg's or harj's account.
And possibly other stuff. I don't know what all YC uses it for, but I get the impression that they continue to use it for various things (signing up for office hours?), some of which may be sensitive, once teams are accepted.
Plus it's never optimal, even for a bs written-in-a-weekend app, to send passwords in the clear, given how many people use the same password on multiple sites. And even though HN isn't that important, we'd certainly prefer to avoid the headache that would result from someone getting a mod's account, banning a bunch of high-karma people, deleting a ton of stuff, etc.
So SSL is a good solution because a) It could be deployed today. b) It's preferable anyway. But I agree that if they decoupled HN from all the other YC stuff, I'd be a lot less concerned.
jiganti was helped by mahmud
yesterday, lrm242 investigated X and turned up addresses (Chinese) etc. from DNS
lrm242 is now being libelled on complaints forums, as of yesterday
X appears to have several HN accounts: pinksoda, sinkfloat, and BrianHolt
Vaguely interestingly, Totiboti (now auto-dead - you need to turn on showdead to see his posts) was warning about the guy repeatedly: http://news.ycombinator.com/threads?id=Totiboti
I know that I wound up on a shitlist simply for not supporting some of the voting mafias on this increasingly noisy site. That said, we can't reasonably expect a fix. It's not in pg's interest to improve the place so long as it's generating leads for YC, and while many of us might have nostalgia for smaller times, increased traffic means pg's fishing out of a bigger pie these days.
I'm happy to be corrected, and I am sorry that this has happened to you, but we must realize that there is a huge difference between a scam and a private business transaction that was conducted without proper due diligence that ended in one person feeling cheated.
Which of these two has occurred here is difficult to tell with the facts being presented, and without us playing amateur detective.
As raganwald said, "While anyone who invests money and gets nothing in return has my sympathy, I don't see the relevance of a private business transaction to HN." [1]
I hope this gets sorted out for you, and please correct me if I'm wrong.
[1] http://news.ycombinator.com/item?id=2163675
While anyone who invests money and gets nothing in return has my sympathy, I don't see the relevance of a private business transaction to HN.
You will sometimes find someone plastering notices all over the city. These notices have a picture of someone and the warning not to date them because they are a lying, cheating low-life. Is this a public service intended to save other people from an unhappy fate? Or is it someone trying to get revenge by naming, blaming, and shaming someone else?
Unless the "scamming" in question is happening on HN, such as someone spamming HN with fraudulent posts, I have trouble thinking this kind of thing meets the HN guidelines.
Services for vetting people in business already exist, starting with LinkedIn and going on to other sites, many of which are specifically designed for web programmers to showcase their work and show off their reputation.
The situation is unfortunate, but I still don't see it as HN business if one HN user decides to do business with another HN user and things don't work out well. HN is not responsible, we're a "common carrier" so-to-speak.
p.s. JM2C, of course, carry on, I'll be over here coding...
With respect to people going off together and starting companies based on "meeting" each other on HN, I'm not cynical about that either, I just have no opinion of it one way or another. It's as if you told me that two people met at a bus stop, fell in love, got married, but one had an affair and now they are in a bitter custody dispute. I feel very sorry things didn't work out for them, but as far as the bus stop is concerned, my interest is in when the next bus arrives, and I think the interior of the shelter should be devoted to the schedule, not to their story.
All I am saying is that there are established places for entrepreneurs to meet each other for the purpose of doing business, and such places have mechanisms for resolving and/or publicizing such disputes.
p.s. That being said... Perhaps this is a one-time thing and will blow over. Unless the front page starts picking up a few stories like this a day, HN is not in any danger of losing its focus, so I don't have anything really to worry about. Carry on!
If someone can help lrm242 great, but I don't think anyone else has delusions that HN is anything but an open forum on the web and therefore entails the most basic precautions.
There are thousands of other bad-actors waiting even if you manage to round up a posse to track this guy down.
So lrm242 has my sympathies but this is definitely a personal problem because making any assumptions based on the fact that someone entered news.ycombinator.com into their address bar (which is the only barrier to membership) is frankly, stupid.
HN doesn't purport to be a programmer/money matching service, in this case it's pretty unclear what the original payments were for, and what either party expected from it.
In all reality, you're better off with dedicated outsourcing sites rather than informal relationships created between usernames found on this site.
So the warning stands, but it's pretty irrelevant as someone who has seen fit to create multiple identities would have no problem creating another clean identity to work with. However, I think this post (and the others) are a bad precedent. I'd hate to see an avalanche of 'so and so did me wrong' type posts.
The only thing that people should get from this is that you can't trust anyone you 'meet' over the internet until you have gotten to know them better. Trust no-one, verify everything. Don't do business on the basis of IM conversations. Make it clear and understand what you're delivering. A contract doesn't have to be written by a lawyer (although lawyers make better contracts) but any contract should at least state the terms of the agreement. You make x for y$ and ownership belongs to me. Anything else is just he-said she-said complaining.
I do realize that maybe it will be difficult to believe in a new user with these claims, but I do assure you that I'm here only to help, your linkedin profile list a domain, send me a mail from this domain (with the correct headers from the correct IP, I know that you use Google Apps in your domain) and I will answer with the links that I found, I do not kow if they will be of any help, but I think they provide trails for you, some of them are right here on HN, and these ones I think there's no problem in post here:
http://news.ycombinator.com/item?id=1299501
With BrianHolt saying about a past website of him, I do not know if he said the truth.
http://news.ycombinator.com/item?id=1320560
I did not confirm this, but searching his name in Google will bring some of the links that I found, although not in the front page.
The e-mail: XXX@gmail.com
EDIT: I will try to give the links as early as possible.
EDIT2: I gave the links and some trails for Louis, although I'm not sure if they will be useful, I will not use this account again and will only answer Louis in the e-mail.
EDIT3: Smarter to remove the e-mail... a long day programming.