Ask HN: What is this? 158268a350000000
Found this twitter account https://twitter.com/googuns_prod posting these weird encrypted tweets. The locations are all over the globe. You can find them using this site http://onemilliontweetmap.com/. Anyone know what it is?
70 comments
[ 3.5 ms ] story [ 157 ms ] threadEDIT: I wonder if it does some sort of transform on the number to get an IP addr? perhaps its part of a IPv6 Addr?
Perhaps its a distributed brute-force on a password or checksum being carried out by a botnet? Its interesting distributed this is, too bad we dont have IP addrs associated with the posts
see: https://twitter.com/googuns_staging/status/22294385659595980...
https://maps.google.com/maps?q=-20.73906235%2C-145.82847672&...
Each client has his/her own UUID(the tweet) and the geolocation is where the client is located.
It seems as though the googuns_staging was the trial, all fake/useless location and googun_prod(as the name suggests) is the actual "in-the-wild" run of locating all of its clients
Also interesting is at the moment there are many tweets ending in either a350000000 or baf200000000 but that may just be coincidence based on some counter thats incrementing
17 73 f2 7b a0 00 00 00
23 115 242 123 160 00 00 00
On staging, all posts end in ba0000000. On prod, all posts end in 200000000 or 350000000. Since these sequences are repeated, it seems likely they could be disregarded.
hex:10 37 ba f2 00 00 00 00 dec:16 55 186 242 0 0 0 0
they do indeed look like IP addresses. The extra number is the port(maybe). what's weird is that it's sometimes zero.
IRC traffic is commonly blocked, but HTTP traffic directed to Twitter is generic enough to get through most locked down networks. I doubt whoever is behind this cares if it's public data and that people see what's being posted. Public access just means any newly compromised computer can access it without anything more than a single HTTP request.
If we had access to the IP(s) posting the tweets, it'd be pretty easy to get an idea if they were malicious or not. But where's the fun in that
These tweets appear to originate from Russia.
Now, common uses of 16bit (and 32bit) encryption keys are for WEP keys, traditionally used in router password protection, which can be provided either in a full ASCII spectrum or in merely hexadecimal format.
Taking these points together I can conclude that these could possibly be the encrypted WEP keys of a Russian router.
Or I could be totally wrong, but I really wasn't given much to work with :)
Also there is an (inactive) GooGuns_Staging: https://twitter.com/googuns_staging
As a note, the last nine digits just alternate between 200000000 and 350000000. On staging they're simply ba0000000.
Random number radio stations.
http://en.wikipedia.org/wiki/Numbers_station
Now, if you take a look at any random tweet, you will notice that the location that it was tweeted from changes every time (often in the middle of the Sea). This could also be a hidden chunk of information that encodes/hides other relevant data.It is certainly not by accident that the lat/lngs change on each Tweet. If I had the time as an experiment, I'd probably try and find patterns between the lng/lats to see if the decimal equivalent means anything? How hilariously awesome would it be if when mapped on a globe, it builds up a large picture. (Fair warning.. this runs WebGL and will most likely nuke your browser for a few seconds http://data-arts.appspot.com/globe-search/ )
Just listen to the buzzing sound clip... Sends chills down my spine. Then after years of 24/7/365 buzzing, a Russian voice reads a bizarre encoded message. Spooky.
[1] http://priyom.org/number-stations/slavic/s28.aspx
http://www.priyom.org/number-stations.aspx
'Priyom' is Russian for copy/over.
[1] http://en.wikipedia.org/wiki/The_Conet_Project
[2] http://archive.org/details/ird059
I think it is less spooky: My bet is on it being an iPhone app from years ago, maybe long pulled from the store. Its dev was using the Twitter account as a logging system. Maybe for something silly as highscores from around the world. "_dev" and "_prod" seem far too innocent names for an account that is trying to fly under the radar.
EDIT: Perhaps it is used for indexation benchmarks? Deploy a tweet with a unique string and location, and check how long it takes before it shows up in the index or notification inbox?
http://websdr.ewi.utwente.nl:8901/
(Requires Java plugin)
http://www.googun.com/
<meta name="keywords" content="googun googun googun googun googun googun googun googun gay gay gay gay gay gay gay gay seattle seattle seattle seattle hot hot hot hot hot hot hot hot hot Tshirts t shirt t shirt t shirt t shirt t-shirt t-shirt t-shirt coffee coffee coffee coffee coffee">
<a href="http://www.google.com/ rel="nofollow">Google</a>
I would guess googuns_prod is the output from two of whatever googuns_staging is, running at a 1-minute offset, with each thing identifying itself with the last nine digits: 200000000 and 350000000 for the production thing, ba0000000 for the staging thing.
Maybe it's just announcing a continuous deploy script saying that a particular build made it to prod/staging?
The maximum is 200, but you can move down the line by using since_id or max_id optional parameters. 'xml' can be replaced with 'json' or 'rss' if you'd prefer a different format.
Looking over the data briefly reveals the additonal fact that the 'source' field is populated with a link to Google. That, combined with the other accounts including one that outright says it's associated with google on its profile. So this is either google maybe doing some sort of recruiting thing, or somebody that wants us to think it's google for whatever reason. One guess is that the account name could mean Google User Notification Service.
Additionally, the tweets are published at a (more or less, this is the web) regular interval. Always around the HH:M9:30, HH:M0:00, and HH:M4:30 and HH:M5:00 marks. As stbullard speculated (https://news.ycombinator.com/item?id=4697813), there could be two instances of whatever this is running, publishing every 5 minutes independently, with one instance having the code baf200000000 associated with it and another having the id of 2350000000. Note that the length of these two are different- the former is 12 while the latter is 10. This could mean a variety of things regarding the format in which the data is published, or variance in the data itself.
It might be worth looking at the unique parts of the 235 ones as color.
If anyone can pull these tweets down into a single file and share them that would be amazing.
each shot is defined by one unique hash and a geo location.. waiting to see a tweet about "hit" or perhaps "miss" but those wouldnt need to be ACKed
Yeah, I'm looking at you DonnyV.
See: Portal
http://www.sendspace.com/file/7huqe8
Left one for the data ending with "f200000000", right one with "50000000". For these I just assumed the numbers were 64-bit little endian integers.
Here is a chart of the 00s (plotted against tweet number):
http://i48.tinypic.com/svl4jm.png
and of the 50s:
http://i46.tinypic.com/2mn1wg7.png
It's rather strange that the data isn't perfectly monotonic.
I'll look into the tweet coordinates next.