I noticed this when registering. Residential IPs are treated differently. You don't get shadow-banned at all with plain old vanilla IPs. In-fact you can make your first post under a residential IP, and it will show up in /newest and you don't have to wait in purgatory for about 5 days for it to show up.
One other option is to use a really obscure VPN service that not many people use and has a greater chance of not being on a blacklist, but that is rare. It's also rare to get a SOCKS5 proxy that isn't flagged as suspicious in some spam database.
Then there's the shady practice of using hacked residential routers to make your posts, but who does that?
> "the post, that after some hours vanished from the top page of Hacker News"
This doesn't sound any different than any other post on HN. I'm not sure the author really did anything?! They didn't say the post vanished completely, for example.
> lowering the author’s credibility in the eyes of the algorithm.
This is one of the known flaws of Hackernews
It has a way of earning greater weight to users but if you fall out of that there is no way back in. It is easier to fall out when the account is new, a short string of negative karma or flags and that account is burned. Browser session as well. IP not as much but the mods do watch when an IP address eventually gets linked to a malbehaved user to apply greater scrutiny.
From their perspective this is fine, because people aren't that persistent. They don't have a way to quantify what an improved system looks like that allows for re-earning good standing, so to them there’s no rationale to develop that, as long as people just move on or stay shadowbanned talking to themselves forever.
"I'm bored, have dubious ethics and absolutely no restraint whatsoever, so, unsolicited, I'm going to help your site security without notice of my attack! Look what I did! Pay attention to me!"
Looks like Hacker News owes this generous soul a massive debt of gratitude for all his hard work while they get familiar with U.S. Code Title 18 Section 1030, "Fraud and related activity in connection with computers."[1]
Spot the paranoid or the gullible is a lot easier since Defcon isn't remotely on the radar of any federal agency, and the notion was only invented to increase interest and credibility. You seriously believe FBI Special Agents would attend Defcon? They have jobs.
edit: the 2015 FOIA request proved this. An FBI researcher pulled info off the web in 2001, no agents contacted the Vegas field office (which means no agents attended), the Vegas field office requested the case be closed, and it was. Read to me like someone in DC was playing a joke on the Vegas field office.
See any credentials? Maybe, and I mean maybe they weren't full of shit, but even so they certainly were not there in any official capacity, and it is just as likely as not they were entertainment paid to be there by Defcon organizers. Don't believe anything you read or hear, and only half of what you see.
It is a hacker convention after all. Social engineering is the name of the game (along with rooting ATMs and elevators). Whether the NSA booth on the convention floor is just for show or actually legit, I can't say, but it certainly gets the crowd going. The crowd who's hero is Kevin Mitnick. I'm sure later on it was all just a show to sell conference tickets, but they were real scared of computer hackers back in the 90's and there've been some truely impressive hacks shown there. Many of the speakers have FOIA'd FBI files so the feds are certainly consciously aware that it exists. Even then, printing out an official looking badge isn't proof of anything because that could easily be faked.
No offense intended, but this is a biased and exceptionally naive viewpoint. If you had an equal amount of awareness of the mission and mandates of FBI and the things the Bureau is already overwhelmed with, such as national security, terrorism and counterterrorism, espionage and counterintelligence, organized crime, illegal drugs, illegal guns and other weapons, racketeering, transnational criminal enterprises, white collar crime, violent crime, human trafficking, significant cyber crime, public corruption at all government levels, and how difficult and time consuming even simple investigations can be, and that FBI does not investigate innocent civilians without reasonable suspicion, probable cause and due process, you'd realize they literally would have no concern about Defcon even after one of their own agent researchers prepared a report showing they were mocked. We really do not want to know what horrible things FBI is working against because it would cause significant psychological damage to any not already in law enforcement.
NSA will be even less interested because their mission excludes domestic activities, and they are probably tapping every foreign telephone and monitoring and recording massive amounts of foreign Internet traffic, upwards of 2B emails a day, as well as radio and television broadcasts, and printed media. The amount of data NSA sifts through on a daily basis is mind-boggling. It would be astoundingly irresponsible if they wasted any resources whatsoever on Defcon, even a single employee to sit in a booth for a day. It is far more likely to be arranged by Defcon organizers rather than there being any interest whatsoever in a commercial convention and its participants, who are more than welcome to fill out and submit job applications on their own if the interest exists. NSA attracts so much talent as it is, they would never need to poach hackers from Defcon. The conventions these agencies attend you never hear about and would never admit the happy go lucky public participants of Defcon. I am not suggesting there isn't talent attracted to Defcon, only that the fact that these individuals even attended make them inappropriate candidates for recruitment by NSA, which is a spy agency. Spies do not show off their tradecraft in public or walk around with their mouths agape overwhelmed by the flashy commercialism of public conventions. By and large they are extremely patriotic and take their jobs deadly seriously, and Defcon could never be described as serious by design. Defcon is for fun, it is commercialized entertainment.
That said, federal agents are as free as anyone to moonlight even for entertainment purposes so long as they don't violate off-duty conduct codes of their agency and DoJ. But the agencies themselves could never have interest in Defcon in any official capacity unless there was actually a valid reason, and a bunch of hackers having a good time is not a valid reason. There would need to be a threat to national security or reasonable suspicion of federal crime. Defcon isn't like that.
>as not they were entertainment paid to be there by Defcon organizers
You sound worryingly paranoid. I've become friends with several of them and I assure you they are real people and not some paid actors. As if DC, which relies on volunteers to load and unload workshop equipment, could afford such nonsense. Also met a couple ex-Dark Matter employees who told me crazy stories about the crash and burn lifestyle they afforded ex-NSA guys in the UAE.
Bullshit. NSA recruits talent from exclusive universities not hacker conventions. Gen. Alexander would not have attended and spoken unless he was hired to do so.[1] He'll say what he is paid to say. Time to grow up, children. Play time is over, and this is reality.
If you ignore all the arrogant remarks from the post the take away is: relatively unsophisticated attacker can tank posts, harm users reputations and alter the state of the HN home page. It's not good, given the influence of HN in the community.
It has been flagged and still is. Not sure what kind of reputation damage it might have done if it was not caught, and the author, obviously has not been trying to hide too hard.
We don't know why it is flagged, but we can probably guess accurately it was due to the blogger's activity in somewhat of a self-fulfilling prophesy. I suspect he can now enjoy his black hole.
> if it was not caught,
It was caught by the first HN member to comment, which isn't all that surprising. We'll have to wait while up to a few of the several dozens of HN employees get around to completing an incident postmortem, and I suspect we'll never hear anything. It's very Art of War to let the attacker continue to believe they've succeeded.
Neither the legitimacy of the article nor that of the users' flags is in question. The flags merely draw attention to the fact that the voting was obviously illegitimate. IOW, the attacker drew attention to the attack only, and the article is flagged because of the attack, but the flagging itself is proper. So the attack caused the proper response of flagging. Not all that impressive. Preventing an illegitimate article composed entirely of Lorem Ipsum from being flagged off the front page would be impressive.
> I was surprised to learn that they actually had a decent algorithm for detecting possibly fraudolent and/or irrelevant content, as well as a weighted voting system, where the vote of a couple users with lots of karma are more important than hundreds of votes from low karma users.
> votes of suspicious users are still displayed normally, even though they do not count as much as a normal user’s vote, if not at all.
That's interesting.
There are a few notable groups of bad actors on HN but obviously the really good ones you wouldn't know about, which is a bit of a teapot.
The lack of a downvote button on posts does stop a lot of attacks.
Interesting write-up. I don't think the final exploit leads the way to a useable hack, but the journey says a lot.
I'm not sure how comfortable I am with this strain of research. I'm reminded of the University of Minnesota researchers who tried to see if they could get bad commits into Linux. I agree with encouraging us to widen our view of security to include gaming the system.
27 comments
[ 3.5 ms ] story [ 67.9 ms ] threadWere they able to run each experiment with the same botnet? Or is a fresh one required every time?
> The IP comes from a known VPN provider
> The IP comes from previously flagged locations
I noticed this when registering. Residential IPs are treated differently. You don't get shadow-banned at all with plain old vanilla IPs. In-fact you can make your first post under a residential IP, and it will show up in /newest and you don't have to wait in purgatory for about 5 days for it to show up.
One other option is to use a really obscure VPN service that not many people use and has a greater chance of not being on a blacklist, but that is rare. It's also rare to get a SOCKS5 proxy that isn't flagged as suspicious in some spam database.
Then there's the shady practice of using hacked residential routers to make your posts, but who does that?
> "the post, that after some hours vanished from the top page of Hacker News"
This doesn't sound any different than any other post on HN. I'm not sure the author really did anything?! They didn't say the post vanished completely, for example.
This is one of the known flaws of Hackernews
It has a way of earning greater weight to users but if you fall out of that there is no way back in. It is easier to fall out when the account is new, a short string of negative karma or flags and that account is burned. Browser session as well. IP not as much but the mods do watch when an IP address eventually gets linked to a malbehaved user to apply greater scrutiny.
From their perspective this is fine, because people aren't that persistent. They don't have a way to quantify what an improved system looks like that allows for re-earning good standing, so to them there’s no rationale to develop that, as long as people just move on or stay shadowbanned talking to themselves forever.
Looks like Hacker News owes this generous soul a massive debt of gratitude for all his hard work while they get familiar with U.S. Code Title 18 Section 1030, "Fraud and related activity in connection with computers."[1]
[1] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
https://www.vice.com/en/article/ypw4wb/when-the-fbi-found-ou...
edit: the 2015 FOIA request proved this. An FBI researcher pulled info off the web in 2001, no agents contacted the Vegas field office (which means no agents attended), the Vegas field office requested the case be closed, and it was. Read to me like someone in DC was playing a joke on the Vegas field office.
NSA will be even less interested because their mission excludes domestic activities, and they are probably tapping every foreign telephone and monitoring and recording massive amounts of foreign Internet traffic, upwards of 2B emails a day, as well as radio and television broadcasts, and printed media. The amount of data NSA sifts through on a daily basis is mind-boggling. It would be astoundingly irresponsible if they wasted any resources whatsoever on Defcon, even a single employee to sit in a booth for a day. It is far more likely to be arranged by Defcon organizers rather than there being any interest whatsoever in a commercial convention and its participants, who are more than welcome to fill out and submit job applications on their own if the interest exists. NSA attracts so much talent as it is, they would never need to poach hackers from Defcon. The conventions these agencies attend you never hear about and would never admit the happy go lucky public participants of Defcon. I am not suggesting there isn't talent attracted to Defcon, only that the fact that these individuals even attended make them inappropriate candidates for recruitment by NSA, which is a spy agency. Spies do not show off their tradecraft in public or walk around with their mouths agape overwhelmed by the flashy commercialism of public conventions. By and large they are extremely patriotic and take their jobs deadly seriously, and Defcon could never be described as serious by design. Defcon is for fun, it is commercialized entertainment.
That said, federal agents are as free as anyone to moonlight even for entertainment purposes so long as they don't violate off-duty conduct codes of their agency and DoJ. But the agencies themselves could never have interest in Defcon in any official capacity unless there was actually a valid reason, and a bunch of hackers having a good time is not a valid reason. There would need to be a threat to national security or reasonable suspicion of federal crime. Defcon isn't like that.
You sound worryingly paranoid. I've become friends with several of them and I assure you they are real people and not some paid actors. As if DC, which relies on volunteers to load and unload workshop equipment, could afford such nonsense. Also met a couple ex-Dark Matter employees who told me crazy stories about the crash and burn lifestyle they afforded ex-NSA guys in the UAE.
https://www.theverge.com/2012/8/1/3199153/nsa-recruitment-co...
[1] https://www.speakerbookingagency.com/talent/keith-alexander
We don't know why it is flagged, but we can probably guess accurately it was due to the blogger's activity in somewhat of a self-fulfilling prophesy. I suspect he can now enjoy his black hole.
> if it was not caught,
It was caught by the first HN member to comment, which isn't all that surprising. We'll have to wait while up to a few of the several dozens of HN employees get around to completing an incident postmortem, and I suspect we'll never hear anything. It's very Art of War to let the attacker continue to believe they've succeeded.
And this is what his attack was: making legitimate users flag a legitimate article.
> votes of suspicious users are still displayed normally, even though they do not count as much as a normal user’s vote, if not at all.
That's interesting.
There are a few notable groups of bad actors on HN but obviously the really good ones you wouldn't know about, which is a bit of a teapot.
The lack of a downvote button on posts does stop a lot of attacks.
Interesting write-up. I don't think the final exploit leads the way to a useable hack, but the journey says a lot.