• kccqzy 4 days ago

    Nice. Here's a similar personal story with a PSA that sometimes blurring is NOT sufficient.

    A friend of mine posted on Instagram a picture of a U.S. visa (or something similar; it was probably five years ago) to announce her trip to the U.S., and she took care to blur out sensitive information such as her passport number. But a Gaussian blur is easy to reverse and I successfully unblurred it and told her my discovery. I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.

    I personally recommend blacking out (add a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.

    • function_seven 4 days ago

      Your advice is good, and I agree that you didn't use specialized software to reverse the blur, but this

      > I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.

      is one of the most HN comments I've come across recently :)

      • zwayhowder 4 days ago

        Reminds me of the Simpsons' 3D episode. Professor Frink's:

        >"Well, it should be obvious to even the most dimwitted individual, who holds an advanced degree in hyperbolic topology..."

        • gropius 4 days ago

          Professor Frink, Professor Frink. He'll make you laugh, he'll make you think. He likes to run and then the thing with the.. person...

          • jgwil2 2 days ago

            That monkey is going to pay...

          • fnord123 4 days ago

            Such an underrated character. Thank god for Futurama.

            • cconcepts 4 days ago

              "Gleevin gliven"

            • 1f60c 4 days ago

              That reminds me of this legendary comment: https://news.ycombinator.com/item?id=9224

            • mroche 4 days ago

              > is one of the most HN comments I've come across recently :)

              That gave me a laugh. I don't have any experience with Mathematica, but every time I see it mentioned (usually on HN) I'm amazed at the sheer breadth the system is capable of. The amount of use cases and possibilities blows my mind.

            • astrec 3 days ago

              Whatever knocks this exchange off the top spot will be really special: https://news.ycombinator.com/item?id=35079

              • gus_massa 4 days ago

                If it is in the installable version now, it will be in Wolfram Alpha in 5 years if you can guess the right command, and in 10 years Wolfram Alpha will just automatically select the blurred part and make a fake unblurred version of the jpg.

                • batsigner 4 days ago

                  Yet another example of someone mistaking the quality of a single person for the quality of a platform

                • lysp 4 days ago

                  > I personally recommend blacking out (add a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.

                  We had a similar issue in Australia as well.

                  Politicians' phone bills are published on the government website in summary form.

                  Someone in 2017 decided to blank out their phone numbers by changing the phone number text colour to white (same as background).

                  End result - hundreds of politicians and former prime ministers had their phone numbers leaked.


                  • mickotron 3 days ago

                    I used to work in IT for a state-based police force in Australia. Traffic reports can be requested by those involved in traffic accidents, which includes parties to the accident and their details.

                    People used to be able to get the personal information of police officers if they were involved, intentionally or not, in a traffic accident with a police car. They would request the traffic accident report, and that included the personal information (including home address) of the police officers in the car. I was in QA and I tested the change when it was fixed. It now includes the address of Police HQ when a police officer is involved in a traffic incident.

                  • dheera 4 days ago

                    Yup. I wrote a blog post about this a long time ago in 2007, and it was republished in Gizmodo in 2014: https://gizmodo.com/why-you-should-never-use-pixelation-to-h...

                    You can dictionary attack pixelated photos.

                    With Gaussian kernels, besides deconvolution you can sometimes also dictionary attack them if you have the original font and if the kernel is properly normalized (i.e. most gaussian blurs).

                    Although I haven't tried, I think there may even be neural network based techniques that can perform even more effectively than a dictionary attack.

                    Separately, if the image editing tools added sufficient random noise to their mosaic filters they might be able to thwart most of these attacks, or at least make them significantly harder.

                    • jacquesm 4 days ago

                      Interesting, thank you for the link. I had a hunch this should be possible but I wasn't aware that it was already proven. I used a similar trick on image recognition: turn images into a single 32 bit word by heavy pixelation and then look up a matching description. It's interesting how often that will work once you feed it with enough data. After all, that gives you 4 billion inputs mapped onto 4 billion descriptions, and plenty of those will contain the Eiffel tower with various cloudy backgrounds apparently recognized perfectly.

                      It's a total cheat but it is funny how close that can get you to something that might be actually useful.

                      • Jugurtha 4 days ago

                        I wonder if you could use adaptive optimal kernels, AOK[0]? I had used this for work on multiphase flow recognition from an electrical capacitance tomography, ECT, as a proxy for void fraction. We wanted to tinker with time-frequency representations.

                        [0]: https://pdfs.semanticscholar.org/20c2/b82eef0809df80a402f125...

                        • jacquesm 4 days ago

                          > electrical capacitance tomography

                          Mind blown. Wow, that is very impressive.

                          • Jugurtha 3 days ago

                            Yes, that is cool. I had just come back from an internship in Wireline at Schlumberger where I was exposed to tools like one that did nuclear magnetic resonance, NMR, thousands of metres below. Pretty sweet tech. Transitioned to ECT for that project, then ECG for anomaly detection on anonymized hospital patient data. I never will underestimate the effect hair and sweat have on data. That was a cool year with lessons that served well later.

                    • dylan604 4 days ago

                      I once had to provide my employer copies of court documents proving something or other in order to qualify for the benefits plan I was attempting to enroll. The part of the document that contained the info they required also contained other information I did not want them to have, and I was more than irked at having to do this in the first place. I used Photoshop to draw a 99% black box as the redaction, but then using a 100% black font color typed in a nasty little message. Nobody was ever going to see it, but just knowing that if they did it would be a shock. I qualified for the package.

                      • Namidairo 4 days ago

                        > and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.

                        You'd be surprised at how many times this happens on Government documents with redaction.


                        • Someone1234 4 days ago

                          That's why some departments even now have policies of printing and re-scanning redacted documents. It is dumb, yet pretty hard to get wrong.

                          Both MS Word and PDF have leaked redacted/removed information in the past. Wasting paper, given the severity of some of these leaks, is a minimal cost.

                          • Freak_NL 4 days ago

                            If it is hard to get wrong, is it still dumb? Being able to verify with your own eyes that the redacted parts are indeed redacted is a pretty strong benefit to that process. You'll need to train staff to properly black out stuff (no idea what they do, heavy cardboard cut-outs or cutting out the censored content and using a black background for the scan?), but once that process is in place, it works.

                            With software you either need vetted and approved, very expensive software, or you have to accept a much higher error rate, because the operator cannot verify the results of the process with certainty.

                            • eru 4 days ago

                              Incidentally, you just wrote a pretty good argument for (political) voting on paper instead of via machines.

                              • Freak_NL 4 days ago

                                Absolutely. A system you can see and understand garners a lot more trust than a black-box (even if the box runs vetted and open software).

                                • aidenn0 3 days ago

                                  I think the correct solution is a machine that prints out both a human- and machine-readable representation of the vote. The voter can confirm that the human-readable representation is correct, and you can randomly hand-count a few boxes of ballots to check that the hand-count matches the machine-count.

                                  An election doesn't need to be tamper-proof we just need to be able to detect tampering well enough to make tampering a loser's game.

                                  • eru 2 days ago

                                    You could do such a hybrid system, but honestly purely paper based systems seem to work well enough in practice. Eg Germany uses paper and human counting, and the results are usually available fairly quickly.

                                    The problem with randomly hand-counting a few boxes of ballots is that you then need to convince people that the random selection was uniform and fair and actually random.

                                    There are methods to do that, but they are at least as complicated and full of cryptographic finesse, so they ain't simpler than vetting an electronic voting system in the first place.

                                    Having said that: human counting isn't fool proof and is still open to abuse and tampering.

                                    It's mainly that any village idiot can in theory audit the human-run system, and that it would take a conspiracy with lots of people to engage in widespread tampering.

                                    The more people involved, the harder it is to prevent leaks.

                                    • cesarb 3 days ago

                                      It's not just tampering one needs to worry about with elections. There's also secrecy (to prevent voter coercion).

                                      • aidenn0 3 days ago

                                        Right, otherwise the problem would be trivial. If it wasn't clear, the plan was the printed ballot would anonymously go in a box to be machine counted.

                                        • eru 2 days ago

                                          Someone could stuff the box with extra ballots?

                                          • aidenn0 1 day ago

                                            Yup, but they can do so with old-fashioned paper ballots too. Any security measures for paper ballots will also work with my idea, and the machine could also do fancier things like printing out a timestamp and signature of the timestamp. I really want things to be simple though: if the system of voting is too complex, then it will be distrusted, and distrust in the voting system is toxic to democracy.

                                            What they can't trivially do with any system including paper ballots is remove ballots, compared to digital voting machines where you can add e.g. -100 votes to candidate A, 100 votes to candidate B, thus ensuring that the total-votes field is correct while advantaging candidate B -- this was actually demonstrated by a security researcher on a Diebold touch-screen machine.

                                  • moftz 4 days ago

                                    FOIA reports usually have a small textbox over the redacted information with a reference to the reason for redaction, likely made in Adobe PDF. Then the docs are either printed and scanned or just converted to an image only PDF.

                                  • techdragon 4 days ago

                                    Then they use the big multifunction networked printer’s built in scanner, which saves a copy to the “little” hard drive they all tend to have in them now, and forget to ensure these things get wiped/destroyed... years later they sell the printer once the lease ends and the surprise inside is months to years of raw scanned documents the new owner gets access to with very little effort.

                                    • powersnail 4 days ago

                                      Why don't they convert the PDF to image and convert back? This approach seems to be a lot more efficient, and less prone to other types of human error (e.g. missing page). Is there still an attack vector?

                                      • mhh__ 4 days ago

                                        It's a bit like point and speak checklists on aircraft - it takes a certain amount of energy to do so you can't skip it without doing it deliberately.

                                      • exikyut 4 days ago

                                        If you do that, look at the document, hit CTRL+Z, then look at the document again, it will likely look identical, thanks to the fact that rendering a PDF to a JPEG with 70-90% quality... at ~600DPI... then scaling it back out to a 75-150DPI screen... is going to look visually lossless.

                                        So, not only do you have the energy-investment thing noted in the/a sibling comment, you have the issue that there's no giant "THIS IS AN IMAGE" or "THIS HAS TEXT IN IT" that you can just Look At and know that yeah the document is okay. There's no lowest-common-denominator provability thing. You have to hyperspecifically know what to look for (render to image) then know how to verify whether it's an image or not.

                                        And... how do you verify if it's an image? I don't have any PDF authoring/editing software on this machine, so the only thing I can think of is checking the Undo menu for "convert to image" or similar.

                                        • powersnail 4 days ago

                                          There will be no CTRL + Z, as it can only be used to save to a new document (just like scanning).

                                          Under the hood, you create a new document, rasterize the original document page by page as JPEGs, and insert the JPEGs into the new document.

                                          You can even create a fake "printer" that outputs a PDF with rasterized images as pages, so you don't have to teach the office clerks to do anything extra.

                                          To me, it seems to be indistinguishable from printing and scanning.

                                          PS: It's pretty easy to verify if the page contains nothing but an image, programmatically, especially if you also wrote the software that rasterizes it in the first place.
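An added check for the failure mode kccqzy's PSA and powersnail's comment describe (example code, not from anyone in the thread): it inflates each stream in a PDF and looks for the text-showing operators, which survive a black rectangle drawn on top and also survive white-on-white text like the phone-bill case. It parses neither object streams nor cross-reference streams, so it is a heuristic rather than a full PDF parser; the two sample PDFs are constructed inline for the demo.

```python
"""Audit a 'redacted' PDF for text-showing operators left in the file."""
import re
import zlib

# One stream object: its dictionary (one level of nesting allowed) and
# the raw bytes between the 'stream' and 'endstream' keywords.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# Text-showing operators Tj, TJ, ' and ", each preceded by its string or
# array operand so a stray 'Tj' inside binary data is unlikely to match.
TEXT_OP_RE = re.compile(rb"(?:\)|>|\])\s*(?:Tj|TJ|'|\")(?![A-Za-z])")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def decoded_streams(pdf):
    """Yield (dictionary, payload) per stream, inflating FlateDecode ones.

    Heuristic: object streams (/ObjStm) and xref streams are not unpacked.
    """
    for match in STREAM_RE.finditer(pdf):
        dictionary, payload = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                pass  # damaged stream: inspect the raw bytes instead
        yield dictionary, payload


def audit_redaction(pdf):
    """Count text-showing operators and image XObjects in a PDF.

    A page rasterized after redaction shows images only. Any text operator
    means the 'redacted' text is still in the file, whatever colour it is
    drawn in and whatever rectangle was painted over it afterwards.
    """
    text_ops = images = 0
    for dictionary, payload in decoded_streams(pdf):
        if IMAGE_RE.search(dictionary):
            images += 1          # image sample data, not a content stream
            continue
        text_ops += len(TEXT_OP_RE.findall(payload))
    return {"text_ops": text_ops, "images": images,
            "residual_text": text_ops > 0}


def build_pdf(objects):
    """Assemble objects 1..n into a minimal valid PDF (object 1 = catalog)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref))
    return bytes(out)


def sample_pdfs():
    """Two constructed one-page PDFs, not real documents.

    'boxed': the number is drawn as text, then a black rectangle is painted
    over it (what a non-destructive PDF editor does).
    'rasterized': the page is a single image XObject and nothing else.
    """
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (PASSPORT NO 000000000) Tj ET\n"
        b"0 g 70 695 160 16 re f\n")           # black box over the text
    boxed = build_pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ])
    draw = b"q 612 0 0 792 0 0 cm /Im0 Do Q"  # paint the scan full-page
    pixel = b"\xff"                          # 1x1 white stand-in for a scan
    rasterized = build_pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /XObject << /Im0 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(draw) + draw + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\nstream\n"
        + pixel + b"\nendstream",
    ])
    return boxed, rasterized
```

Running `audit_redaction` over the two samples flags the boxed document (one text operator, no images) and passes the rasterized one (no text operators, one image).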

                                          • pessimizer 4 days ago

                                            > It's pretty easy to verify if the page contains nothing but an image, programmatically, especially if you also wrote the software that rasterizes it in the first place.

                                            It's pretty easy for a computer to verify any of this, the point is making it idiot proof. You don't have to be much of an idiot, if you process hundreds of documents a year where there's no way to visually verify the difference between a badly redacted document and a well redacted document, to screw up once. Especially when the difference between them is that you remembered to push the "redact correctly button", and if you forgot that, remembered to push the "verify if is redacted correctly programmatically" button before hitting send.

                                            What you do is create a ritual where you have to walk across the room and use a physical machine. You'll remember doing that. And if you don't, since the output will look a bit crap, you can confirm it trivially.

                                            Creating a process that has to be done perfectly every time or it fails catastrophically, and has few indications of failure during the process, is worse than having no process at all.

                                            • jooize 4 days ago

                                              It is probably still easier to screw up on a computer than by looking at physical documents to verify them and then scanning them.

                                      • banana_giraffe 4 days ago

                                        Even when the black box is done right, sometimes there are quasi side-channel leaks of the size. The box covering a name, for instance, may be discoverable if there are only a few names possible, and it's a small box, meaning it's the shortest name.

                                        • Agentlien 4 days ago

                                          A friend of mine once had to review some (Swedish) court document with redacted witness names. It was a Word document with history intact. Just undoing a few steps was all it took.

                                          • taneq 4 days ago

                                            One of my lecturers did that back at university - they generated an Excel spreadsheet containing everyone's marks, then for each student, deleted all but that student and saved as a different file.

                                            Document history was turned on and anyone who hit ctrl+z got the full class marks.

                                            (The same lecturer initially failed me because they forgot to add my final exam score to my assignments score, and then took four months to fix it. They weren't very competent.)

                                        • nikanj 4 days ago

                                          My all-time favourite recommendation is "print, cut out the sensitive parts with an exacto knife, rescan".

                                          Firstly because it's a nice mix of analog and digital, and secondly because it's short enough to fit in a tweet - yet extremely secure.

                                          • michaelt 4 days ago

                                            "Information to be withheld should be black highlighted using a tool such as the word highlighter tool like this ⬛⬛⬛⬛⬛ and then printed off. This print out should then be scanned in and saved as a PDF."

                                            Ministry of Defence redaction policy, https://assets.publishing.service.gov.uk/government/uploads/...

                                            • cgriswald 4 days ago

                                              ...shred cut out parts, burn remains, mix with water, encase in cement, explode, divide rubble into four parts, disperse one part each in Lake Superior, Pacific Ocean, Atlantic Ocean, and the Great Salt Lake; assume an alias, move to Alaska...

                                              • ponker 4 days ago

                                                This is how military redactions have been done forever. If a soldier writes home to his family and includes classified details (“I watched the sun rise over Mt Vesuvius yesterday but today we are moving west”) the censors just cut out the text with a knife.

                                                • irrational 4 days ago

                                                  Wouldn’t that mean they were marching into the gulf of Naples?

                                                  • nkrisc 3 days ago

                                                    Obviously they wouldn't want the enemy to know their troops are amphibious.

                                              • bentcorner 4 days ago

                                                > I personally recommend blacking out (add a black rectangle) instead of blurring

                                                I've seen people use image editors on mobile and they'll "scribble" out sensitive information, but one of the problems is that if you pick the wrong pen it'll blend your strokes so it's not 100% opacity (but on a casual glance it's close enough). You can zoom in and change the contrast of a photo that has been redacted this way and recover information.

                                                • saagarjha 3 days ago

                                                  It's unfortunate because that's the "thicker" brush so people tend to choose it first…

                                                • TwoBit 4 days ago

                                                  A pedophile ringleader was once caught by reversing a graphical swirl he used to try to hide his face in a picture.

                                                • undebuggable 4 days ago

                                                  > I personally recommend blacking out (add a black rectangle) instead of blurring

                                                  Real life document workflows can be really tricky. What if one is required to print or photocopy the obscured document? Devastating for printer's toner or cartridge lifetime... In some cases an opaque grayish rectangle does the job.

                                                  • userbinator 4 days ago

                                                    White (with a black border) is fine too. Black is popular, but the goal is to make it an image with no residual data.

                                                    • pessimizer 4 days ago

                                                      > Devastating for printer's toner or cartridge lifetime

                                                      Which could result in thousands of dollars of loss over decades. Is that really a significant concern? Charge the client for it.

                                                      • bayindirh 4 days ago

                                                        I generally edit the sensitive part out and match it to the background of the document; it looks much cleaner IMHO.

                                                        However, I agree that it requires some quick hand in image manipulation software.

                                                      • j_walter 3 days ago

                                                        I found many years ago that my pay statements suffered from the last item you mentioned. My personal info had a black box over things like the SSN...but if I just moved the window around the black box followed slower than the document so everything was visible. ADP never acknowledged the problem when I brought it to their attention, but they did eventually fix it.

                                                        • ErikAugust 4 days ago

                                                          Sure. I would go a step further - just don’t post any photos of these sorts of documents ever. The risk and reward ratio is too skewed.

                                                          • irrational 4 days ago

                                                            That is my argument against using any social media in a nutshell - the risk and reward ratio is too skewed.

                                                          • bjornorn 4 days ago

                                                            Did the blog author actually un-blur the booking reference though? He states he tried to un-blur the barcode, was unsuccessful and then realized the booking reference was right there in the picture. Nothing about un-blurring it.

                                                            • howlgarnish 4 days ago

                                                              The original image was not blurred, he simply read off the plaintext booking reference. (After first trying and failing to scan the also unblurred bar code.)

                                                            • stjohnswarts 1 day ago

                                                              Why not use a randomized blur so people who like to do such things can waste time trying to figure it out when it's actually nothing but random numbers and has none of the original info?

                                                              • >a Gaussian blur is easy to reverse

                                                                That's the most surprising thing I've read today. I assumed it was destructive.

                                                                • jacquesm 4 days ago

                                                                  It's lossy, but not destructive, and a 'sharpen' operation is technically the same as blur but in reverse. So you won't end up pixel-perfect after doing an 'unblur' but you will be able to make out more than you could before.

                                                                  • eru 4 days ago

                                                                    If you know anything about the probability distribution of likely inputs, it's even easier to reverse with minimal loss.

                                                                    Eg knowing that the input was black text on white background or a natural image (instead of eg white noise) helps a lot.

                                                                    • zerd 3 days ago

                                                                      Also, having multiple pixelated/blurry images helps; you can reconstruct it more easily, e.g. if different newspapers print pixelated pictures of the "suspect" you can reconstruct it pretty accurately.

                                                                      Machine learning can also do a surprisingly good job of it, especially if you know what the target is (e.g. a face) https://www.vox.com/future-perfect/2019/9/4/20848008/ai-mach...

                                                                      Sample code: https://gist.github.com/JonathanFly/80b669a72bf624d17b56a1cf...

                                                                      • eru 2 days ago

                                                                        > Machine learning can also do a surprising good job of it, especially if you know what the target is (e.g. a face)

                                                                        Yes. Though that's just a corollary of doing better when you know something about the probability distribution of inputs.

                                                                        (But a very useful and practical corollary. My formulation didn't give any hint how you might make use of that knowledge of the distribution.)

                                                                • Sysosmaster 4 days ago

                                                                  The thing to remember here is that the only way to hide (real world) data in an image is to reduce the amount of data in the picture... a blur or swirl leaves most if not all data just in the picture (although distorted). Any filter that removes data (such as pixelate or blacking out / whiting out) can be used to safely hide this data... Just remember to also strip out any unwanted metadata (Exif-data) and do not use layers but a 'flattened' version of the picture.

                                                                  • kortex 4 days ago

                                                                    Pixelation is also attackable. Generate input (e.g. GAN) and apply pixelation until it converges. Probably won't be super accurate but enough to probably ID someone.

                                                                    Black/delete (and flatten/rebroadcast) is the only way.

                                                                    • freeone3000 3 days ago

                                                                      I'd worry about hallucinations when applying a GAN to a pixellated image. You'll get out a face, but who's to say that it's the correct face? Lots of people look similar.

                                                                  • plorg 4 days ago

                                                                    "I personally recommend blacking out (add a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath."

                                                                    I have this at work, with engineering drawings. With mobile equipment often we're not dealing with engineering companies per se, and they won't or don't know how to get us CAD models of their equipment. And we often don't have the equipment on hand at the time we need to make drawings.

                                                                    But if you have a PDF with vector drawings, often a manual, and one or two good dimensions you can make a reasonably accurate model. AutoCAD even makes this easy with the PDFIMPORT function.

                                                                    More often than I would expect, there's a whole other drawing view either covered by a white box or off-page. Once it looked like it had been drawn over with a white paintbrush tool, and of course the path of that too was also visible.

                                                                    • sjs382 4 days ago

                                                                      Sometimes a black bar or even cropping isn't sufficient. You still have to trust the editing software.

                                                                      There was a scandal around 2003 when a TV host took a topless photo, cropped it and shared the cropped photo online. Unfortunately, the software (Photoshop—I think CS3) she used to crop the photo stored the original photo as metadata if you didn't change the original filename. The original (uncropped) photo could be seen in the "Open File" preview dialog when opening the cropped version.

                                                                      • qwertox 3 days ago

                                                                        Blacking out is the correct thing to do.

                                                                        Not cutting it so that it becomes transparent since this may still preserve the color component of the RGBA-pixels, even if it is invisible and blended with a black background.
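The point made above, as an added example that is not part of the comment and not taken from any image editor: a pure-Python RGBA pixel grid (no imaging library, so it runs offline) showing that "cutting" a region to transparency leaves the colour channels intact, that blacking out overwrites them, and an audit function that counts invisible pixels which still carry colour. Image dimensions and colours are constructed.

```python
# Added illustration, not code from the comment or from any editor.
# An image is a list of rows; each pixel is an (r, g, b, a) tuple, 0-255.
import copy


def make_image(width, height, rgb):
    """Constructed sample image: every pixel is the given opaque colour."""
    return [[(*rgb, 255) for _ in range(width)] for _ in range(height)]


def cut_to_transparent(img, box):
    """The weak edit: alpha goes to 0, RGB is left untouched.

    This mimics 'erase'/'cut' tools that only change transparency.
    box = (x0, y0, x1, y1), exclusive upper bounds.
    """
    out = copy.deepcopy(img)
    x0, y0, x1, y1 = box
    for y in range(y0, y1):
        for x in range(x0, x1):
            r, g, b, _ = out[y][x]
            out[y][x] = (r, g, b, 0)
    return out


def black_out(img, box):
    """The strong edit: overwrite every channel, so nothing is left to recover."""
    out = copy.deepcopy(img)
    x0, y0, x1, y1 = box
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = (0, 0, 0, 255)
    return out


def composite_over_black(img):
    """What a viewer shows on a black background: colour scaled by alpha.

    Both edits look identical here, which is why the weak one is deceptive.
    """
    return [[(r * a // 255, g * a // 255, b * a // 255) for (r, g, b, a) in row]
            for row in img]


def hidden_colour_pixels(img):
    """Audit check: pixels that are invisible (alpha 0) but still carry colour.

    A redacted image should return 0 here before it is published.
    """
    return sum(1 for row in img for (r, g, b, a) in row
               if a == 0 and (r, g, b) != (0, 0, 0))


def ignore_alpha(img):
    """What any tool that discards the alpha channel would display."""
    return [[(r, g, b, 255) for (r, g, b, _) in row] for row in img]


if __name__ == "__main__":
    original = make_image(4, 2, (200, 30, 30))
    cut = cut_to_transparent(original, (0, 0, 2, 2))
    blacked = black_out(original, (0, 0, 2, 2))
    print("viewer sees (cut):    ", composite_over_black(cut)[0][0])
    print("viewer sees (blacked):", composite_over_black(blacked)[0][0])
    print("hidden pixels in cut:    ", hidden_colour_pixels(cut))
    print("hidden pixels in blacked:", hidden_colour_pixels(blacked))
    print("alpha ignored (cut):  ", ignore_alpha(cut)[0][0])
```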

                                                                        • greenmana 4 days ago

                                                                          If using for example Word you can conveniently just change the background text color to black. /s

                                                                        • POiNTx 4 days ago

                                                                          Apart from the really interesting content, this is an extremely good read, strikes me as the right kind of balance of information and keeping you entertained. I really enjoyed this writing style!

                                                                          • warent 4 days ago

                                                                            Interesting, I liked the story but got the opposite impression you did. At first the humor was amusing but I felt like the relentless, extremely heavy sarcasm dripping off every sentence quickly turned it into a slog and even started to make me wonder which parts were genuine vs. joking. Not great.

                                                                            • mikeappell 4 days ago

                                                                              I had a feeling it might be a very off putting style for some people.

                                                                              However, for me, I found it absolutely hilarious and very intelligent despite being obviously extremely... I'm not sure the right description. Young? Modern internet colloquial? Either way, it worked for me.

                                                                              • giarc 4 days ago

                                                                                I agree... when you listen to a great comedian, it's not 1 joke/sentence. This article was too much. I still read it all since the overall topic was entertaining but the attempt at humour was overkill.

                                                                                • poutrathor 3 days ago

                                                                                  Have you actually listened to today's comedians? It _is_ one joke/sentence nowadays (at least in my country).

                                                                                  More exactly, they separate each sentence. Each has a tiny bit of funny in it (in the words, in the way they say it, because they stay in character, whatever) and they let the audience lol. Rinse and repeat.

                                                                                  Look, I just googled "up and coming standupers" and picked the first video (new laptop, not connected to Gaccount) https://www.youtube.com/watch?v=s6uW1odtjPc

                                                                                  Check the first 36 seconds.

                                                                                  Humour changed without you (us) realizing ¯\_(ツ)_/¯

                                                                                • dvirsky 3 days ago

                                                                                  For me it was funny at first, then it was too much, but then it became funny again, like a joke repeated enough times.

                                                                                  • oh_sigh 3 days ago

                                                                                    It seemed like a lot of words to say "His reservation code is visible on his ticket and I typed that into the website and saw the data they sent me". I do like how you got to see all the false starts though, which is more realistic than just knowing what to do immediately (i.e. trying to scan the barcode and then finding the data just printed in ASCII).

                                                                                  • anon9001 4 days ago

                                                                                    This was really a delight to read. I wonder if the author was raised on 2600. Fantastic stuff.

                                                                                    Also visited his page. Does not disappoint: https://mango.pdf.zone/

                                                                                    • CPLX 4 days ago

                                                                                      I was pretty sure after a few paragraphs he was getting his style inspiration from Douglas Adams, but when I got to his line saying “this is widely regarded as a bad move” I became certain.

                                                                                      It is an excellent stylistic choice for documenting interactions with commonwealth bureaucracy, of course.

                                                                                      • dwd 4 days ago

                                                                                        Something Adams incorporated a lot into his stories:

                                                                                        "But look, you found the notice, didn’t you?" "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

                                                                                        I did chuckle out loud when I read "For security reasons, we try to change our Prime Minister every six months".

                                                                                      • NamTaf 4 days ago

                                                                                        Ah, he was the guy who wrote the Facebook sleep time stalker script! It hits the same style of prose very closely.

                                                                                        • SamBam 4 days ago

                                                                                          Figured the least I could do after reading the article was crack the puzzle, and felt good that I did since I usually fail at these kinds of things.

                                                                                          • exikyut 4 days ago

                                                                                            Oh, that was indeed fun.

                                                                                            "Uhh... how many layers deep is this going to g-- oh, ok. Nice :D"

                                                                                          • airstrike 4 days ago

                                                                                            Hard mode is an absolute delight

                                                                                          • maest 4 days ago

                                                                                            Since we're sharing views on the writing style - I found it off-putting enough that I had to quit halfway through.

                                                                                            It's very tiresome to read, with _way_ too many digressions and jokes.

                                                                                            • coldpie 4 days ago

                                                                                              Yeah, same. "Ok, this paragraph is nonsense, skip it.. so is this one... and this one... why am I still reading this?"

                                                                                            • chriswwweb 4 days ago

                                                                                              I liked the humor in this piece a lot, I would not have read it until the end if it wasn't for the funny bits

                                                                                              • jrochkind1 4 days ago

                                                                                                Yes. I want to subscribe to his newsletter for sure.

                                                                                              • sorum 4 days ago

                                                                                                Some Grade A zingers in there:

                                                                                                > The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.

                                                                                                > For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.

                                                                                                > Harold Holt was another former Prime Minister and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke.

                                                                                                • danieltrembath 4 days ago

                                                                                                  "...I called up and was all like “yeah bloody g’day, day for it ay, hot enough for ya?”. Once the formalities were out of the way..."

                                                                                                  • ralphael 4 days ago

                                                                                                    I couldn't stop laughing.

                                                                                                    His skills at hacking are only matched by his wit at writing.

                                                                                                  • fergie 4 days ago

                                                                                                    "(Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads)."

                                                                                                    • Dragonai 2 days ago

                                                                                                      This was the line that made me audibly laugh. Couldn't not finish the article after that. Great read.

                                                                                                  • fphhotchips 4 days ago

                                                                                                    I feel like this buries the lede massively: Qantas' system was run by Amadeus, who also run the booking system for some 200 other airlines [0]. If you could do this with Qantas and get all those notes, you could probably do it to any other airline and get them too. That would be bad enough, but it also appears that this issue (or one very much like it) has been reported widely at least back in early 2019.

                                                                                                    So, either Amadeus didn't fix the issue until it was disclosed here (very very bad) or Qantas didn't update their booking system for a security patch (also very bad).

                                                                                                    [0] https://techcrunch.com/2019/01/15/amadeus-airline-booking-vu...

                                                                                                    • robjan 4 days ago

                                                                                                      The issue isn't Amadeus, it's that some airlines don't bother to use accounts with lower levels of privileges for operations which don't need full access. There are a number of different levels which are intended to be used for different purposes: for example, the credit card numbers are not visible to booking agents but can be accessed by the anti-fraud department.

                                                                                                      Some airlines just use a single "god mode" account for their whole e-commerce platform because it's cheaper / more convenient for their developers / vendors.

                                                                                                      • saberdancer 4 days ago

                                                                                                        Could you explain how returning all data to the frontend is connected with "god mode" usage? Is the Amadeus system such that it created/masks different fields in the data depending on the access level you have?

                                                                                                        In this case, the "hacker" logged in to a customer-facing portal; this is probably not even a user account in the strict sense of the word.

                                                                                                        I am asking as I fail to see how it is not a development issue. If they returned only the data that was needed on the page, it wouldn't expose internal comments or passport IDs.

                                                                                                        • robjan 4 days ago

                                                                                                          There are of course two errors that the developer of the backend made. The first is not filtering what came back from the Amadeus API, but the second one - the one I am referring to - is using an Amadeus API key with too much access.

                                                                                                          Amadeus filters the booking record depending on the level of access that the user accessing it has (the user being the backend in this case). In a previous life for another airline, I have experienced this problem before when a vendor tried to get something through to production which was returning credit card numbers and expiry dates to the frontend (but not the CV3). This was all because the vendor tried to use the highest privilege API key rather than the one with access to the specific info they needed. It never got past UAT thanks to thorough security review in this case.

                                                                                                          • underwater 4 days ago

                                                                                                            The API key shouldn't change what type of data an API call returns. The developer should explicitly request data and that either succeeds or fails based on authorisation. Making assumptions about the use case from the key will of course lead to this kind of error.

                                                                                                            • robjan 4 days ago

                                                                                                              The PNR (passenger name record) is the data record which represents your booking on Amadeus. It's basically a semi-structured flat text file. Each line is an entry which may represent a leg of your journey, your name, the payment method used to make the booking or various remarks (which themselves are arbitrarily structured).

                                                                                                              These lines are filtered / redacted depending on your role. You have to remember that this is a legacy system which has remained pretty much unchanged for 40-50 years. It's hard to change because hundreds of airlines have their own legacy systems which rely on bookings being structured this way. And when you book a multi-carrier itinerary, the airlines often all access this same record directly on Amadeus.

                                                                                                              There has been some movement in recent years in a platform called NDC[0] (new distribution capability) but most airlines still rely on the PNR at the moment.

                                                                                                              [0]: https://www.iata.org/en/programs/airline-distribution/ndc/

                                                                                                              • pathseeker 4 days ago

                                                                                                                This is pretty standard when fetching entire complex objects from many backends. You get the full object with all of the fields the authorization layer allows you to see.

                                                                                                                Something like "GET /reservation/<id>" would rarely require you to specify the 50 fields that you would like included in the response. Many offer fields to explicitly filter for specific things, but the default is almost always to return the full object as much as the caller is allowed to see.

                                                                                                                • Aeolun 3 days ago

                                                                                                                  You shouldn’t arbitrarily include or exclude information. The response to a given input should always be the same output, and not depend on what API key you are calling with.

                                                                                                                  • saberdancer 3 days ago

                                                                                                                    I agree. Using an API key to determine what kind of information is returned is a strange solution. It would effectively mean that if the airline is developing an application that has multiple levels of users (airline employees, customers, admins) it would need to store and use multiple API keys to retrieve the data.

                                                                                                                    Of course, the real solution here is that the airline software should not just pass along everything it received from Amadeus but rather that it should convert it and return only the relevant subset. This would avoid these types of issues.
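The two failure modes discussed in this sub-thread (robjan's over-privileged API key filtering the PNR by role, pathseeker's "full object as far as the caller may see", and saberdancer's "return only the relevant subset"), as an added example that is not code from Amadeus, Qantas or the article. The line-oriented record, the entry tags, the role names and all passenger data are constructed for illustration and do not reproduce the real PNR format.

```python
# Added illustration, not code from the thread or from any booking system.
from dataclasses import dataclass

# Constructed PNR-like record: one entry per line, a two-to-four letter tag
# followed by the entry body. Tags and data are invented sample values.
SAMPLE_PNR = """\
NM 1SMITH/JANE MS
SS QF001 Y 15SEP SYDLHR HK1
FP CC VI 4111111111111111/0925
RM ESCALATE: PAX IS VIP, CONTACT MOBILE +61 4XX XXX XXX
DOCS P/AUS/PA1234567/AUS/01JAN60/F/01JAN30/SMITH/JANE
"""

# Which entry tags each role may see (the "levels of access" above).
# The airline backend is itself a user of the booking system, so the key it
# calls with decides how much comes back.
ROLE_ALLOWED_TAGS = {
    "customer_portal": {"NM", "SS"},
    "booking_agent": {"NM", "SS", "RM", "DOCS"},
    "anti_fraud": {"NM", "SS", "FP", "RM", "DOCS"},
}


@dataclass
class Entry:
    tag: str
    body: str


def parse_pnr(text):
    """Split the flat record into tagged entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, _, body = line.partition(" ")
        entries.append(Entry(tag, body.strip()))
    return entries


def fetch_pnr(role, text=SAMPLE_PNR):
    """Simulated booking-system API: returns every entry the role may see.

    Like the 'GET /reservation/<id>' pattern, it does not ask the caller
    which fields it wants; it returns the whole object minus what the role
    is not allowed to see.
    """
    allowed = ROLE_ALLOWED_TAGS[role]   # unknown role -> KeyError, fail closed
    return [e for e in parse_pnr(text) if e.tag in allowed]


def leaky_view(entries):
    """Mistake 1 from the thread: forward whatever the API returned.

    With a least-privilege key this leaks nothing; with a 'god mode' key it
    ships remarks, payment data and passport numbers to the browser.
    """
    return [{"tag": e.tag, "body": e.body} for e in entries]


CUSTOMER_FIELDS = frozenset({"passenger_name", "segments"})


def customer_view(entries):
    """Defence in depth: map the record onto an explicit allowlist of fields.

    Even if the upstream key is over-privileged, only NM and SS entries can
    influence the response; every other tag is dropped, not copied.
    """
    view = {"passenger_name": None, "segments": []}
    for e in entries:
        if e.tag == "NM":
            # Strip the leading passenger count ("1SMITH/JANE MS").
            view["passenger_name"] = e.body.lstrip("0123456789")
        elif e.tag == "SS":
            flight, _cls, date, route, _status = e.body.split()
            view["segments"].append({"flight": flight, "date": date, "route": route})
    assert set(view) == CUSTOMER_FIELDS, "response schema drifted"
    return view


def find_leaked_tags(view_rows, public_tags=("NM", "SS")):
    """Review check: which entry tags in a forwarded response are not public."""
    return sorted({row["tag"] for row in view_rows if row["tag"] not in public_tags})


if __name__ == "__main__":
    god_mode = fetch_pnr("anti_fraud")
    print("leaky, god-mode key leaks:", find_leaked_tags(leaky_view(god_mode)))
    print("leaky, portal key leaks:  ", find_leaked_tags(leaky_view(fetch_pnr("customer_portal"))))
    print("allowlisted view:         ", customer_view(god_mode))
```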

                                                                                                              • saberdancer 3 days ago

                                                                                                                OK, thank you for the explanation. I was not aware that Amadeus is some type of backend system that airline software integrates with.

                                                                                                          • bostik 4 days ago

                                                                                                            The underlying issues have been known for quite a while. There was a fantastic talk at CCC in 2016 about the airline booking systems and the various bits of information you can glean from them.[0]

                                                                                                            0: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

                                                                                                            • namdnay 4 days ago

                                                                                                              The underlying issue is that PNR+Last Name has always been the "security" to access a booking, and no airline or travel agency wants to enforce stronger measures unilaterally, for fear of increasing friction for their customers.

                                                                                                              • bonzini 3 days ago

                                                                                                                There was another great talk by a (former?) ITAsoftware engineer, unfortunately I can't find it. Among various things he shares is that there's provision for the passenger being a child at arrival but not on departure. Which obviously can happen if you cross the date line backwards.

                                                                                                                It would be great if anyone can find it, I am certain I got it from HN.

                                                                                                            • tomerico 4 days ago

                                                                                                              I found his advice to Tony on how to get better with computers remarkably insightful:

                                                                                                              > I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.

                                                                                                              > My mum always said when I was growing up that:

                                                                                              > 1. There were “too many buttons”
                                                                                              >
                                                                                              > 2. She was afraid to press the buttons, because she didn’t know what they did
                                                                                              >
                                                                                              > I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.

                                                                                                              > Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.

                                                                                                              > Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”.

                                                                                                              • jhealy 4 days ago

                                                                                                                A similar anecdote from my family.

                                                                                                                My uncle (a sheep farmer) and I discovered that:

                                                                                                                1. I was afraid to touch anything in a car engine, but happy to muddle through unfamiliar computer issues

                                                                                                                2. He was afraid to click unknown buttons on a computer screen, but comfortable pulling apart and rebuilding an unfamiliar car engine.

                                                                                                                In both cases, we were confident because we knew whatever mistake we made we'd be able to reverse it. And in both cases, we were afraid of making a mistake that we couldn't reverse.

                                                                                                                • dorkwood 4 days ago

                                                                                                                  That's basically how I taught my father to use a computer. It came down to two things:

                                                                                                                  1. He was terrified of breaking it, so I told him that there was nothing he could possibly do to it that I couldn't fix. I made sure to sound overly confident -- almost like I was challenging him to break it. That gave him the confidence to do whatever.

                                                                                                                  2. Every time there was a problem with it, I would Google the answer in front of him, and he'd watch me figure it out in real time. Eventually, he got the confidence to start Googling things himself. The tech support calls dropped off pretty steeply after that.

                                                                                                                  • toyg 4 days ago

                                                                                                                    Give a man a fish, and he'll eat for a day.

                                                                                                                    Teach a man how to google, and he'll never go a day in his life without being obsessed with conspiracy theories.

                                                                                                                    • dorkwood 3 days ago

                                                                                                                      You're not far off, to be honest. Just replace 'conspiracy theories' with 'extreme political YouTube channels'.

                                                                                                                      It's not all bad, though. He invites his friends over and shows them how you can find all sorts of cool stuff online. One of them the other day was apparently trying to stump YouTube with increasingly obscure woodworking joints.

                                                                                                                      I think most people would be surprised how many people are still out there who have no idea what the internet is or what it does. Imagine discovering that there's a machine that can show you how to do anything, or play any song you've ever listened to, and you had no idea something like that even existed.

                                                                                                                    • znpy 4 days ago

                                                                                                                      Yeah, it's nice and everything, but don't tell that to your boss or bosses in general, otherwise most of us will be unemployed in a few years /s

                                                                                                                    • Eric_WVGG 4 days ago

                                                                                                                      This reminds me of a trick I would do when I was the teenage “computer guy” for my family and neighbors back in the nineties.

                                                                                                                      When I was doing upgrades, I would make the person in question replace a few parts themselves. Usually I would pull out one SIMM chip or PCI card, explain what it did and how it was retained, and then ask them to pull out and replace a similar part themselves.

                                                                                                                      I found that getting their elbows dirty went a long way toward perceiving computers as things that could be figured out.

                                                                                                                    • stubish 4 days ago

                                                                                                                      You missed the corresponding footnote:

                                                                                                                      “Nobody gives the baby a knife. You give them a spoon” - Mum, when I showed her this.

                                                                                                                      (which is also insightful, because the 'Mums' I've dealt with are mostly worried that pushing the wrong button will permanently break something, as if they used to sell blenders without safety features or something back in the day)

                                                                                                                      • arh68 4 days ago

                                                                                                                        Yes! I call it cat-like thinking, after watching our cat walk all over the keyboard. She wouldn't look at the keys or the screen.

                                                                                                                        I can't remember how many times I've heard "I can't log in, the machine is locked", when there is literally 1 button Switch User, and clicking that 1 button does it. "Oh, I didn't think to try that, it said it was locked.."

                                                                                                                        Entering newlines in a textbox? It's.. shift-enter, or alt-enter, alt-shift-something. Multicursor? It's.. shift-up? Alt-up? You just try 'em. Cat-like

                                                                                                                        • dTal 3 days ago

                                                                                                                          In fairness, the "Switch User" button is a terrible interface on many levels. Apart from the complete lack of feedback on the actual situation (an active desktop session), it conveys a muddled mental model in which someone who has logged out and walked away from the computer is still considered to be "The User". A better interface would simply have the normal login prompt, along with some information about any active desktop sessions. The computer is no more "locked" than it is on first boot.

                                                                                                                      • abhiminator 4 days ago

                                                                                                                        Great post, thoroughly enjoyed reading it.

                                                                                                                        BTW, on a side note, when you try and visit the blog's homepage[0] and scroll down to the bottom, you find a link to an actual (password protected) PDF file called Mango.pdf[1]. The author 'Alex' says the password for the PDF has been embedded in the page and it didn't take me a lot of time to figure the password out from the HTML source[2].

                                                                                                                        But when I opened the PDF, I was hit with this random string of characters:

                                                                                                                        cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o=

I tried to decode this using every available decoder, but it only throws up random results. Was wondering if any of you smart people here had any idea about this code.

                                                                                                                        [0] https://mango.pdf.zone/

                                                                                                                        [1] https://mango.pdf.zone/mango.pdf

                                                                                                                        [2] view-source:https://mango.pdf.zone/

                                                                                                                        EDIT: SOLVED IT!

                                                                                                                        As the commenters who replied to me mentioned, this puzzle is double-encoded. I think the trick is to figure out which decoder to use first.

                                                                                                                        • cimi_ 4 days ago

                                                                                                                          CyberChef[0] has a 'magic' decoder that tries out different encodings for you.

                                                                                                                          [0] https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false...

                                                                                                                          • carlmr 4 days ago

                                                                                                                            There are two layers to that encoding. When you see a random string of characters and numbers ending with one or two equals signs, think of base64. Then when you see something that seems like word groups with spaces, think of rot* (* = 13 being the most common version) encoding.

                                                                                                                            • abhiminator 4 days ago

                                                                                                                              Thank you. I solved it. My decoding sequence was wrong before (I was trying to decode in reverse), but your pointers helped me.

                                                                                                                            • losvedir 4 days ago

                                                                                                                              I decoded it probably in the same way you tried, but I wouldn't call the result "random" in the space of possibilities. A random result of that kind of decoding would likely involve binary data that can't map cleanly to letters the way this did. You've just gotta go deeper!

                                                                                                                              • nbgl 4 days ago

                                                                                                                                Hint: try ROT13.

                                                                                                                                • barbs 4 days ago

                                                                                                                                  Quick posix shell rot13 tip: pipe it into:

                                                                                                                                  tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
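As an added example (not code from the thread or from the puzzle's author), here is carlmr's two-layer reasoning and barbs' `tr` one-liner turned into a small decoder in the spirit of CyberChef's Magic: strip a base64 layer only if the decoded bytes are printable text (losvedir's point that a wrong decode looks like binary), then apply ROT13 only if the result scores better against a short English wordlist. The wordlist and the layer limit are assumptions of this example; the puzzle string is the one abhiminator posted, with the line-wrap spaces removed before decoding.

```python
import base64
import binascii
import re
import string

# The string abhiminator posted; the spaces inside it are line-wrapping
# artifacts, so every whitespace character is dropped before decoding.
PUZZLE = (
    "cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci"
    "BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo"
    "ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ"
    "o="
)

# Tiny plausibility model (an assumption of this example; CyberChef's Magic
# uses a much richer one). A layer is peeled only if this score improves.
COMMON_WORDS = {"the", "you", "your", "and", "to", "my", "it", "is", "not",
                "a", "with", "on", "me", "of", "for", "in", "that", "this"}

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Same mapping as:  tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
_UP, _LO = string.ascii_uppercase, string.ascii_lowercase
_ROT13 = str.maketrans(_UP + _LO, _UP[13:] + _UP[:13] + _LO[13:] + _LO[:13])


def rot13(text: str) -> str:
    return text.translate(_ROT13)


def english_score(text: str) -> int:
    tokens = re.findall(r"[a-z']+", text.lower())
    return sum(tok in COMMON_WORDS for tok in tokens)


def try_base64(text: str):
    """Return the decoded text if `text` is base64 for printable UTF-8, else None."""
    compact = "".join(text.split())
    if not BASE64_RE.match(compact) or len(compact) % 4:
        return None
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A wrong guess almost always yields control bytes or non-UTF-8 garbage.
    if not all(ch.isprintable() or ch.isspace() for ch in decoded):
        return None
    return decoded


def peel(text: str, max_layers: int = 5):
    """Strip base64 / ROT13 layers while each step looks like progress.

    Returns a list of (layer_name, text_after_layer) in the order applied.
    """
    layers, current = [], text
    for _ in range(max_layers):
        unwrapped = try_base64(current)
        if unwrapped is not None:
            layers.append(("base64", unwrapped))
            current = unwrapped
            continue
        rotated = rot13(current)
        if english_score(rotated) > english_score(current):
            layers.append(("rot13", rotated))
            current = rotated
            continue
        break  # nothing we know how to peel made the text more English-like
    return layers


if __name__ == "__main__":
    for name, text in peel(PUZZLE):
        print(f"[{name}] {text.strip()}")
```

Decoding order matters, as abhiminator found: ROT13 first leaves the base64 alphabet intact but scrambled, so the base64 step then yields garbage and the printability check rejects it. The heuristic is deliberately conservative; a short all-letter word whose length is a multiple of four can pass the base64 regex, which is why the decoded bytes are checked too.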

                                                                                                                                  • ramses0 4 days ago

                                                                                                                                    Also sometimes useful is vim: `g?` ... it's useful to have "scrambled" lines in notes for protection against casual disclosure.

                                                                                                                                    Vim used to have a (terrible) encryption capability, but lately I've been fairly happy with `pass` (passwordstore.org) for basic local encryption.

                                                                                                                                    • efreak 4 days ago

                                                                                                                                      There's a rot13 command in the bsdgames package on Ubuntu. Or you could just create an alias. Not sure if the command takes file input.

                                                                                                                                    • abhiminator 4 days ago

                                                                                                                                      Thank you. Tried that as well, still throws up a string of letters and numbers. But the frequency this time seemed a bit more consistent, so the trick is to apply some sort of frequency analysis, I guess. Still on it.

                                                                                                                                      BTW, are there any more of such 'puzzle hunt' websites where you could play around and sharpen your decoding skills? Thanks!

                                                                                                                                • ibudiallo 4 days ago

The power of Inspect Element. This is exactly how I found out I was underpaid[1]. A company I worked for used software called erecruit to manage my contracts. When you click on a client's name, it makes an ajax request to fetch the data. Being a web developer, I inspected the data returned.

                                                                                                                                  I'm pretty sure all the developer did was:

                                                                                                                                      echo json_encode($queryResult);
                                                                                                                                  I saw how much I was getting paid vs how much they were charging clients. I quickly changed my prices after that.

                                                                                                                                  [1]: https://idiallo.com/blog/how-much-do-you-charge-for-your-wor...

                                                                                                                                  • dylan604 4 days ago

                                                                                                                                    I think this is a lesson lots of early AJAX/client-side coders should be forced to learn. When you do a `SELECT * FROM` and return the entire result, that data is visible on the client end in full detail (if you're familiar with how to use the browser's dev tools that is). Maybe you only make some of that data visible to the user in the UI, but the data you didn't use is still part of that AJAX return. Only send to the browser the data you actually need!
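An added example (not ibudiallo's employer's code, and not PHP as in the thread) showing the pattern both comments describe and its fix, on an in-memory SQLite table constructed for the purpose: `leaky_contract_json` does `SELECT *` and serialises the whole row, so the bill rate and the client contact ride along to the browser even if the UI never displays them; `contract_json` selects only the columns the caller's role is allowed to see, from a fixed per-role tuple that never comes from the request. `leaked_fields` is the kind of check you can run over captured responses to find exactly this class of over-exposure. The table, roles and column names are assumptions of the example.

```python
import json
import sqlite3

# Per-role column allowlists. These are server-side constants; the column
# list interpolated into the SQL below comes only from here, never from input.
CONTRACT_VIEW_FIELDS = {
    "contractor": ("id", "client", "start_date", "end_date", "pay_rate"),
    "account_manager": ("id", "contractor", "client", "start_date", "end_date",
                        "pay_rate", "bill_rate", "client_contact_email"),
}


def make_db():
    """Constructed sample data: one staffing contract with both rates."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("""
        CREATE TABLE contracts (
            id INTEGER PRIMARY KEY,
            contractor TEXT,
            client TEXT,
            start_date TEXT,
            end_date TEXT,
            pay_rate REAL,             -- what the contractor is paid per hour
            bill_rate REAL,            -- what the client is charged per hour
            client_contact_email TEXT
        )""")
    conn.execute(
        "INSERT INTO contracts VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (1, "alice", "Acme Corp", "2020-01-06", "2020-06-30",
         55.0, 140.0, "cfo@acme.example"),
    )
    return conn


def leaky_contract_json(conn, contract_id):
    """The anti-pattern from the thread: SELECT * and dump the whole row."""
    row = conn.execute(
        "SELECT * FROM contracts WHERE id = ?", (contract_id,)
    ).fetchone()
    return json.dumps(dict(row))


def contract_json(conn, contract_id, role):
    """Project to the role's allowlist before the data ever leaves the DB."""
    fields = CONTRACT_VIEW_FIELDS[role]          # KeyError for unknown roles
    cols = ", ".join(fields)                      # constant, not user input
    row = conn.execute(
        f"SELECT {cols} FROM contracts WHERE id = ?", (contract_id,)
    ).fetchone()
    return json.dumps(dict(zip(fields, row)))


def leaked_fields(response_json, role):
    """Keys present in a response that the given role should never receive."""
    allowed = set(CONTRACT_VIEW_FIELDS[role])
    return sorted(set(json.loads(response_json)) - allowed)


if __name__ == "__main__":
    db = make_db()
    print("leaky   :", leaky_contract_json(db, 1))
    print("leaks   :", leaked_fields(leaky_contract_json(db, 1), "contractor"))
    print("hardened:", contract_json(db, 1, "contractor"))
```

Projecting in the query rather than filtering the serialised object is the safer habit: a later `ALTER TABLE ... ADD COLUMN` cannot silently widen what a `SELECT *` endpoint returns.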

                                                                                                                                    • bagacrap 4 days ago

                                                                                                                                      Every consulting firm pays their employees way less than the hourly rate they bill clients. That's how the firm exists. Good for you that you were in a situation to dictate your compensation.

                                                                                                                                    • vishnugupta 4 days ago

I accidentally discovered a way to get hold of passport details of random people by applying for Visa on arrival to Vietnam. There are these online portals which do some document pre-processing which is legit. And on landing in Vietnam we are expected to show that we have already applied for Visa. It so happens that these portals do batch processing. Which means my application is processed along with a half a dozen or so other random applicants.

                                                                                                                                      And so I applied for one. And when I received the confirmation document I received the entire batch file. It included passport number, expiry date and other PII of ten random people which would be super valuable in the hands of criminals and such.

And conversely ten random people know my PII.

                                                                                                                                      • hdi8534 4 days ago

The same when you apply to give up Vietnamese citizenship: all your info is public on the government website (PDF files with name, birthday, current address...).

                                                                                                                                        • rntksi 4 days ago

With the way the government over there works, even if you have that information... there's really not much you can do with it.

                                                                                                                                          • mannykannot 4 days ago

                                                                                                                                            If you are applying to give up Vietnamese citizenship, I would guess that you are no longer living in Viet Nam, so this information might serve as a starter kit for someone to steal your identity?

                                                                                                                                        • jwong_ 3 days ago

                                                                                                                                          Foreign visitors to China staying in non-hotels are required to register at the local police station. The police in the city I visit use their personal cellphones to take pictures of your passport, use their personal WeChat accounts to send them who-knows-where, and then store them in paper form on the top of their desks. Anyone who walks in to register can see what kinds of foreigners are staying, where they're staying, their jobs, passport numbers, etc.

                                                                                                                                          • city41 3 days ago

I recently bought a used phone on ebay. When I turned it on it had the previous owner's data intact and no passcode. I opened Gmail and was in their account.

                                                                                                                                            I immediately factory reset the phone. My point being sensitive data leaks all over the place in many ways in today's world.

                                                                                                                                          • tschwimmer 4 days ago

This is one of the funniest things I've read in recent memory. He made an Instagram post and a 30-second check of Chrome's dev tools into a narrative I couldn't stop reading. Thanks for brightening my day author!

                                                                                                                                            • zamfi 4 days ago

                                                                                                                                              I am very impressed by this piece. Something about how “Alex” manages to blend the kind of humor not typically associated with compassion or competence, with a story that is most spectacular because of the very compassionate and competent actions of its protagonist...I literally couldn’t stop reading.

                                                                                                                                              So well done.

                                                                                                                                              • aahortwwy 4 days ago

                                                                                                                                                > “You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”

                                                                                                                                                I mean not to call him out but this did happen and he didn't navigate his way out (although that says nothing about his confidence).


                                                                                                                                                EDIT: To be fair, it's been a decade. Maybe he's worked on his orienteering skills since having that experience?

                                                                                                                                                • chris_wot 4 days ago

                                                                                                                                                  Sure, this is the guy who knighted a prince and ate a raw onion. What did you expect?

                                                                                                                                                  Abbott was Australia's Trump. Thankfully he lasted in office an even shorter time than the people he replaced.

                                                                                                                                                  • mmerlin 3 days ago

                                                                                                                                                    Abbott's worst two decisions while PM were, IMHO:

Killing our nascent Fibre-to-the-Home rollout which had just begun after years of planning by the previous government. We now use a problematic mishmash of slow copper instead of fibre (Murdoch wanted this so Tony gave it up for him).

Killing the mining tax for his donors. This would have returned billions for our country. We could have begun a sovereign wealth fund like Norway's, which holds over $1 trillion. Australia also makes minimal profit from gas exports. Qatar exports less than us but their country profits 2600% more per year than Australia.

                                                                                                                                                    Domestic buyers on the east coast of Australia now pay one of the highest prices in the world for gas. Double the price our exporters are buying it for (and they have liquefaction and transport costs included).

                                                                                                                                                    • joppy 3 days ago

                                                                                                                                                      Don't forget scrapping basically every environmental initiative that the Rudd and Gillard governments put in place, pretty much on his own personal conviction that climate change is not human-caused.

                                                                                                                                                    • tonyedgecombe 4 days ago

                                                                                                                                                      Since hired as a UK trade advisor:


                                                                                                                                                      • taejo 4 days ago

                                                                                                                                                        I had assumed the Tony Abbott in recent UK news was a different person to the former Australian PM. Thanks for the correction!

                                                                                                                                                      • rswail 4 days ago

                                                                                                                                                        I wouldn't say he was our Trump. Our Trump is Clive Palmer, down to the grifting and ripping off subcontractors and employees and suing people.

                                                                                                                                                        Abbott was more our McConnell, happy to tear down political norms and standard parliamentary practice while claiming to defend it. He was a "good" opposition leader in that he basically was in opposition to everything proposed by the government, not for good reason, just because.

                                                                                                                                                        He didn't last long as an actual leader, because that requires positive actions, not just oppositional or destructive ones.

                                                                                                                                                        He won't be missed from our political domain.

                                                                                                                                                        • prawn 4 days ago

                                                                                                                                                          I think your Trump-Palmer comparison is decent, but not sure about McConnell. Something that seemed key to Abbott was his focus on very repetitive and simple statements - the three word slogans (stop the boats, axe the tax; hardly discouraged "ditch the witch"). Not saying there hasn't been similar before, but he was particularly effective with it. Trump has used similar tactics (build the wall, lock her up, etc), which might've encouraged OP's point.

                                                                                                                                                          • mmerlin 3 days ago

                                                                                                                                                            He triumphantly claimed several times that a particular issue or legislation was now "Dead, buried, cremated"

                                                                                                                                                            • dbt00 4 days ago

                                                                                                                                                              Sounds like GW Bush.

                                                                                                                                                          • bmarquez 4 days ago

                                                                                                                                                            I don't get it, is there something noteworthy about eating a raw onion?

                                                                                                                                                            • boyter 4 days ago

Yes and no. It was the pinnacle in a series of bizarre behaviour from Tony while he was the Prime Minister. Certainly it's the one people most remember of him. Keep in mind he ate it with the skin on as well. I think it's also something people look out for, with the previous PM Kevin Rudd being somewhat infamous for eating his own ear wax on live TV.

                                                                                                                                                              When I was working on an archive project for the ABC, "tony eating onion" or some variation was the most common thing people searched for in the system when they first started using it.

                                                                                                                                                              • dwd 4 days ago

                                                                                                                                                                He doubled down and did it again another time.

                                                                                                                                                                More bizarre was that time he froze and didn't speak for 30 seconds when asked a difficult question by a reporter about his "shit happens" comment. Justin Trudeau did the same thing recently when asked a question regarding Trump.

                                                                                                                                                                • JadeNB 4 days ago

                                                                                                                                                                  > I think its also something people look out for, with the previous PM Kevin Rudd being somewhat infamous for eating his own ear wax on live TV.

                                                                                                                                                                  … as a stunt? On a dare? Why?

                                                                                                                                                                • coagmano 4 days ago

                                                                                                                                                                  The earwax thing was during a long boring session in parliament, so not exactly Live TV

                                                                                                                                                                  • taneq 4 days ago

                                                                                                                                                                    Oh, well that explains it, then. Perfectly legitimate behaviour. /s

                                                                                                                                                                • eskaytwo 4 days ago

                                                                                                                                                                  The context: he was on a PR tour of a farm (or factory or something), and grabbed it from a pile and just started eating it like it was an apple, whilst continuing the tour. It caught the public attention at how normal he made eating a raw onion look.

                                                                                                                                                                  • triceratops 4 days ago

                                                                                                                                                                    > grabbed it from a pile and just started eating it like it was an apple,

                                                                                                                                                                    Sounds like a sociopath.

                                                                                                                                                                    • grp000 4 days ago

                                                                                                                                                                      Time to put out an alert on raw onion-eaters

                                                                                                                                                                  • nicwilson 4 days ago

                                                                                                                                                                    When you use it to hide the breath of an alcoholic, yes.

                                                                                                                                                                    • akent 4 days ago

                                                                                                                                                                      He ate it with the skin on, too.

                                                                                                                                                                    • searchableguy 4 days ago

                                                                                                                                                                      Yeah same. It's pretty common for restaurants and households to have raw onion in the salad (at least in north India). Unusual for someone to eat them with the skin though.

                                                                                                                                                                      • bobthepanda 4 days ago

                                                                                                                                                                        But that would be chopped or otherwise separated onion right? Not eating an onion the way one would eat an apple.

                                                                                                                                                                        • Biganon 4 days ago

                                                                                                                                                                          My fiancée has been to the Azores and told me she's seen old people eat onions like apples there

                                                                                                                                                                    • strken 4 days ago

                                                                                                                                                                      Prior to becoming prime minister, he was a Rhodes Scholar and then a Master of Arts at Oxford, a journalist for multiple papers, and a fairly effective lobbyist and politician.

His policies were regressive even for the Liberal Party's right, he was needlessly belligerent as PM, and I didn't like him or vote for his party. However, he wasn't an uneducated or stupid man, and he wasn't an inexperienced political outsider like Trump.

                                                                                                                                                                      • qdiencdxqd 4 days ago

                                                                                                                                                                        He was a Rhodes Scholar, so he's probably pretty smart.

                                                                                                                                                                        • chris_wot 2 days ago

I’m not saying he is stupid. But he was fundamentally unsuited to being a Prime Minister. He left the government in absolute chaos.

                                                                                                                                                                    • sellyme 4 days ago

                                                                                                                                                                      The contact form on Abbott's website 403ing is impressively on-brand.

                                                                                                                                                                      • coagmano 4 days ago

                                                                                                                                                                        I wouldn't be surprised if the staff deliberately sabotaged it. I've worked for a party before and the emails are horrendous

                                                                                                                                                                        • There are so many websites that will automate spamming every politician's contact form with prewritten content about an issue, so I'd be surprised if those contact forms route anywhere other than /dev/null.

                                                                                                                                                                          • iso947 4 days ago

                                                                                                                                                                            My MP had several death threats last year - including in the post to her home address inside an otherwise normal looking birthday card.

                                                                                                                                                                        • p49k 4 days ago

                                                                                                                                                                          I would encourage anyone interested in this article to read it thoroughly to the end. This is one of the most satisfying articles I’ve read recently and I really enjoy the author’s unique sense of humor.

                                                                                                                                                                        • philliphaydon 4 days ago

                                                                                                                                                                          I still find it strange you can manage a booking with just a reference and name. About 5 years ago someone I follow on Twitter posted their boarding pass and I replied to them with a screenshot asking if I should cancel the booking. They removed their post and I removed mine. But all it took was the reference on the boarding pass and their last name...
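
The comment above says all it took was the reference on the boarding pass plus a surname. As an added example (not code from this thread or from the article it discusses), here is a parser for the fixed-width mandatory block of an IATA BCBP boarding-pass barcode, which is where that reference and the passenger name sit in plain text. The 60-character field order is the IATA Resolution 792 layout as assumed here, and the sample payload is constructed with a fictitious passenger, PNR, flight and seat.

```python
"""Parse the mandatory part of an IATA BCBP (Bar Coded Boarding Pass) string.

Added example, not code from the thread or the article. The 60-character
mandatory layout below is the IATA Resolution 792 field order as assumed here;
the sample string is constructed, not a real boarding pass.
"""

# (field name, width) in on-wire order for a single-leg pass
BCBP_MANDATORY_FIELDS = [
    ("format_code", 1),          # "M" = multi-leg capable format
    ("number_of_legs", 1),
    ("passenger_name", 20),      # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),    # "E"
    ("pnr", 7),                  # the booking reference "manage booking" accepts
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),          # day of year of the flight
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("variable_field_size", 2),  # hex length of the optional block that follows
]

MANDATORY_LENGTH = sum(width for _, width in BCBP_MANDATORY_FIELDS)  # 60


def parse_bcbp(raw: str) -> dict:
    """Slice the fixed-width mandatory fields out of a BCBP payload."""
    if len(raw) < MANDATORY_LENGTH:
        raise ValueError(f"BCBP payload too short: {len(raw)} < {MANDATORY_LENGTH}")
    if raw[0] != "M":
        raise ValueError(f"unexpected format code {raw[0]!r}")
    fields, pos = {}, 0
    for name, width in BCBP_MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    return fields


def manage_booking_credentials(raw: str) -> tuple:
    """Return the (surname, booking reference) pair that an airline
    'manage booking' page typically accepts as the whole login."""
    fields = parse_bcbp(raw)
    surname = fields["passenger_name"].split("/", 1)[0]
    return surname, fields["pnr"]


# Constructed sample: fictitious passenger, PNR, flight and seat.
SAMPLE_BCBP = (
    "M1"
    + "DOE/JANE".ljust(20)
    + "E"
    + "ABC123".ljust(7)
    + "SYD" + "MEL" + "QF "
    + "0401".ljust(5)
    + "263"   # day 263 = 20 September in a non-leap year
    + "Y"
    + "012A"
    + "0012".ljust(5)
    + "1"
    + "00"
)

if __name__ == "__main__":
    print(manage_booking_credentials(SAMPLE_BCBP))
```

Everything a "manage booking" form asks for is recoverable from the barcode with string slicing, which is why the usual advice is to treat the whole pass, not just the printed reference, as sensitive.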

                                                                                                                                                                          • Cthulhu_ 4 days ago

                                                                                                                                                                            What I've gathered left and right wrt the airline industry is that it was one of the earliest industries that went digital, and / but they have a lot of legacy going on.

                                                                                                                                                                            I mean in this particular case, they could have Abbott create an account on their website first, but then, someone else booked the ticket for him so that makes things more complicated (because they don't have an e-mail address), and then there's tickets being booked all over the world, and then loads of people don't have computers or e-mail.

                                                                                                                                                                            It escalates quickly.

                                                                                                                                                                            • howlgarnish 4 days ago

                                                                                                                                                                              The amount of pain still caused by things like somebody back in the sixties deciding that two characters is plenty to encode every single airline ever is still felt to this day. Witness the majesty of the "controlled duplicate": https://en.wikipedia.org/wiki/Airline_codes

                                                                                                                                                                            • astura 4 days ago

                                                                                                                                                                              I understand why... A lot of business travelers have a third party book their flights, so there isn't always a username/password. Airlines and travel agencies don't make it clear that it's sensitive information though.

                                                                                                                                                                            • btilly 4 days ago

                                                                                                                                                                              The following line confuses me, because it contradicts a lot in the post.

                                                                                                                                                                              Update: I have been arrested.

                                                                                                                                                                              Is that just an obvious mistake? Or is there a news flash that we would like to hear more on?

                                                                                                                                                                              • akent 4 days ago

                                                                                                                                                                                Looks like that was yet another joke.

                                                                                                                                                                                • vincnetas 4 days ago

                                                                                                                                                                                  Yes, if you read the previous sentence, it ends abruptly:

                                                                                                                                                                                    "I mean you’re reading the blog post right now so obviousl"

                                                                                                                                                                                • The_Amp_Walrus 4 days ago

                                                                                                                                                                                  The hacker known as "Alex" also gave a really fun talk at PyCon AU in 2018: https://www.youtube.com/watch?v=ZlNkIFipKZ4

                                                                                                                                                                                • dayjobpork 4 days ago

                                                                                                                                                                                  It's nice to live in a country where not only do various parts of the government actively try to help someone with a really bizarre issue, but no one got arrested (or shot) for bullshit trumped-up hacking charges. I can't think of many other countries responding well to 'hi I'm some random person and I used the PM's boarding pass and found out all this secret stuff'

                                                                                                                                                                                  • chrismorgan 4 days ago

                                                                                                                                                                                    A few years back when I was looking to buy a house, I was interested in how long the property had been on the market. (I was looking in country towns and their outskirts, where six months is a typical time for a property to be on the market; I even saw one or two blocks of land that seemed to have been for sale for at least five or six years.) Few real estate agents tell you this on their websites (though if you ask, they may), and aggregators like domain.com.au and realestate.com.au don’t either. Except sometimes they do, in the markup. My vague recollection (I don’t have the scraping scripts I wrote handy right now, they’re just on my old laptop and backups) is that I found a JSON blob in the realestate.com.au mobile website containing two dates, and that the domain.com.au desktop website fetched a JSON response from an API which happened to contain one date. I ended up deciding that REA’s dates were when the listing was first seen and last updated, and the Domain one was one of those. Neither of these sites were actually displaying this date, but the data was there for me to take and feed into my research.

                                                                                                                                                                                    Careless or unwitting information disclosure from APIs—sometimes sensitive, sometimes not—is a real problem.
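
The comment above describes an API response carrying dates the page itself never rendered. As an added example (not code from the comment or from either site it names), here is a check that flattens a JSON response into dotted paths, reports the ones no UI element displays, flags any whose key names look like metadata or PII, and then shows the server-side fix of rebuilding the response from an allowlist. The listing payload and the rendered-path list are constructed assumptions chosen to mirror the "two dates in a JSON blob" situation.

```python
"""Find fields an API response carries that the page never renders.

Added example, not code from the comment above or either site it names.
The listing payload below is constructed; the field names are assumptions,
chosen only to mirror the "two dates in a JSON blob" situation described.
"""
import re

# Constructed response: what the UI shows, plus two dates and a phone number
# that it never displays.
LISTING_RESPONSE = {
    "id": 123456,
    "address": {"street": "1 Example St", "suburb": "Exampleton", "state": "VIC"},
    "price_display": "Contact agent",
    "agent": {"name": "A. Agent", "mobile": "0400 000 000"},
    "listed_date": "2020-03-14",
    "last_updated": "2020-08-30",
}

# Dotted paths the front end actually renders (assumed).
RENDERED_PATHS = {"id", "address.street", "address.suburb", "address.state",
                  "price_display", "agent.name"}

# Key names that warrant a second look when they are not meant for display.
SENSITIVE_KEY_RE = re.compile(r"(date|updated|created|mobile|phone|email|dob)", re.I)


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def unrendered_fields(response, rendered_paths):
    """Paths present in the response that no UI element displays."""
    return sorted(p for p, _ in flatten(response) if p not in rendered_paths)


def suspicious_fields(response, rendered_paths):
    """Subset of unrendered paths whose leaf key looks like PII or metadata."""
    return [p for p in unrendered_fields(response, rendered_paths)
            if SENSITIVE_KEY_RE.search(p.rsplit(".", 1)[-1])]


def project(response, rendered_paths):
    """Server-side fix: rebuild the response from an allowlist of paths so
    anything not on the list is never serialised. Dict-only rebuild: list
    indices in a path would come back as string keys."""
    out = {}
    for path, value in flatten(response):
        if path not in rendered_paths:
            continue
        node = out
        *parents, leaf = path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out
```

Run `unrendered_fields` against a captured response during review to see what the client is being handed; the durable fix is `project` (or its equivalent in the serialiser), because a field that is never emitted cannot be scraped.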

                                                                                                                                                                                    • strange_aeons 4 days ago

                                                                                                                                                                                      That's interesting. The time on market is always listed on Danish real estate websites. And the aggregator sites also have previous listings.

                                                                                                                                                                                    • logifail 4 days ago

                                                                                                                                                                                      In some countries, identity documents are in relatively frequent use. The number of authorised strangers who would have access to one's identity document might be significantly higher in these jurisdictions than, say, the number who would be able to view Tony Abbott's passport number. I'm thinking of - for instance - the 'personnummer' in Sweden (I've heard friends recite theirs in public when asked for them).

                                                                                                                                                                                      Q: Should (merely) the number from your passport really be considered a secret?

                                                                                                                                                                                      • toyg 4 days ago

                                                                                                                                                                                        In theory no, but in practice yes. It's the same for a lot of metadata about our lives that routinely doubles up as authentication factor, e.g. "to verify your identity, can you please confirm the first line of your address and your postcode?"... Most of my neighbours know that!

                                                                                                                                                                                        • extraduder_ire 3 days ago

                                                                                                                                                                                          As an example of metadata revealing a lot about you:

                                                                                                                                                                          Ireland got a postcode system in 2015 (the last time they considered implementing postcodes to improve autosorting, they were so late to the party that An Post (the Irish postal service) had OCR machines good enough to just read the whole address) which assigns each residence in the country a 7-digit alphanumeric code, called an "Eircode" [1]. It is purported to be a solution to packages getting lost or delayed, and an unambiguous way of giving someone a building's address.

                                                                                                                                                                                          An Eircode can be resolved into a full postal address, and GPS co-ordinates for the address.

                                                                                                                                                                          e.g., here are some Eircodes:

                                                                                                                                                                                          Facebook's headquarters: D02 Y098

                                                                                                                                                                                          President's house: D08 E1W3

                                                                                                                                                                                          Data protection commission: D02 RD28

                                                                                                                                                                                          To get the info for any of these, check out: https://finder.eircode.ie/

                                                                                                                                                                                          Personal note: I'm not too jazzed on the specifics of the implementation, but it sure is handy when you're shitfaced and can trivially explain exactly where you live to a food-delivery driver over the phone.

                                                                                                                                                                                          [1]: https://en.wikipedia.org/wiki/Postal_addresses_in_the_Republ...

                                                                                                                                                                                      • AFlyingBoom 3 days ago

                                                                                                                                                                        I find it incredible that Abbott being openly vulnerable about his lack of competency with computers has been more effective in making me like him than anything he has ever done in his political career.

                                                                                                                                                                        Teams of media advisors and a very favorable alliance with the Murdoch press have paled in comparison to this one blog post that didn't even have that as an aim.

                                                                                                                                                                                        • pretendgeneer 4 days ago

                                                                                                                                                                                          Great read.

                                                                                                                                                                          I really like the bit about learning "the IT": there's no book or anything to be good at computers, you just gotta fuck around and find out a bunch.

                                                                                                                                                                                          > Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.

                                                                                                                                                                                          • Cthulhu_ 4 days ago

                                                                                                                                                                                            The problem is that there are a LOT of books, but what is relevant just changes every couple years.

                                                                                                                                                                                            I mean the IT books section of the charity shops is a good example of this, there's so many there for older versions of Office, operating systems, etc.

                                                                                                                                                                            That said, I had a school book (Structured Computer Organization by Tanenbaum) that explains a lot of the basics of computers. Sure, it's about the Pentium architecture and the early JVM and doesn't cover multi-core architectures or using GPUs to crunch numbers, but it goes through a lot of the basics.

                                                                                                                                                                                          • sygma 4 days ago

                                                                                                                                                                                            Great talk [0] given during the 2016 congress touching on the Amadeus flight booking system and the danger of posting your boarding pass on social media

                                                                                                                                                                                            [0]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

                                                                                                                                                                                            • aneutron 4 days ago

                                                                                                                                                                                              This was an amazing watch. Thank you very much for the link.

                                                                                                                                                                                            • seesawtron 4 days ago

                                                                                                                                                                                              >> Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads).

                                                                                                                                                                                              Nailed it.

                                                                                                                                                                                              • mrg2k8 4 days ago

                                                                                                                                                                                                Imagine doing something similar to a government application of an EU country and in 15 minutes finding a way to expose all citizen requests for an EORI number ever (some tens of thousands), with all personal details there for you to take. This was last year and in the meantime they updated their application from an ancient 2003 Oracle one to one that's more modern.

                                                                                                                                                                                                Thinking in perspective now, I regret not going out with it because that ancient application probably cost millions of euro from taxes.

                                                                                                                                                                                                • rvz 4 days ago

                                                                                                                                                                                  We blame these social networks for collecting vast amounts of our private data (yes we should), yet these folk have no problem posting already sensitive information under a hashtag, creating an Aladdin's cave of identities waiting to be stolen for fraud, as this blog post has demonstrated.

                                                                                                                                                                                                  'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place' - Eric Schmidt

                                                                                                                                                                                                  I guess they will learn the hard way given that they aren't really 'tech savvy' or internet wise these days.

                                                                                                                                                                                                  • The problem is people have no idea what is sensitive. Until just now I would have thought a boarding pass was safe to share.

                                                                                                                                                                                    It's more the airlines' fault for making this info so easy to access with what looks like non-sensitive info.

                                                                                                                                                                                                    • bjoli 4 days ago

                                                                                                                                                                                      I have told people at airports to not friggin post their boarding passes or documents containing their booking reference on Instagram. Back when I was 20 I did a lot of stupid things. One was to change tiny obnoxious details about their reservations. When they were in the air (and presumably had their phones off) I sent them a text message: "Never put booking information on social media".

                                                                                                                                                                                                      I could probably have gotten in a lot of trouble.

                                                                                                                                                                                                    • ClumsyPilot 4 days ago

                                                                                                                                                                                      A boarding pass clearly should not allow this level of access to your personal information; it has one job, boarding a plane.

                                                                                                                                                                                                      • cobookman 4 days ago

                                                                                                                                                                                                        It's also used in the customs process.

                                                                                                                                                                                                    • orisho 4 days ago

                                                                                                                                                                                      This post was very amusing! It always bordered on silly meme-style writing, but never did too much of it at once, which I find annoying. The story itself was also very interesting!

                                                                                                                                                                                                      • 0xy 4 days ago

                                                                                                                                                                                                        Surprisingly good experience, and even a call from the man himself. I'm actually impressed, I expected way more incompetence and fumbling from a government.

                                                                                                                                                                                                      • fahrradflucht 4 days ago

                                                                                                                                                                                        Great read. If somebody is interested in another great talk about boarding pass data security, there is this one from 33c3: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

                                                                                                                                                                                                        • maxden 1 day ago

                                                                                                                                                                                                          This got picked up by the news in Australia [0], they also interviewed the author [1].

                                                                                                                                                                                                          [0] https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-...

                                                                                                                                                                                                          [1] https://www.abc.net.au/radio/melbourne/programs/drive/alex-h...

                                                                                                                                                                                                          • Nextgrid 4 days ago

                                                                                                                                                                                                            I don’t know if it’s just me or it’s the fact that I’m reading this on mobile on a small screen but I couldn’t stand the writing style. Curious to know if anyone else felt that way.

                                                                                                                                                                                                            • h0l0cube 4 days ago

                                                                                                                                                                                                              The writing style was irreverent, colloquial, and replete with cultural references, but also dense with information. I felt a constant tension of wanting to skim-read and actually parsing the content, but found it really entertaining all the while.

                                                                                                                                                                                                              • CosmicShadow 4 days ago

                                                                                                                                                                                                                I loved it, it helped me keep reading the whole way through an extremely long, yet engaging article. Different people like different writing styles and humour obviously.

                                                                                                                                                                                                                • mindfulhack 4 days ago

                                                                                                                                                                                                                  Yeah I thought the person to be quite young. But I understood, as I've been that young and written in almost exactly that writing style before. :) I skimmed through it feeling fondness for my youth.

                                                                                                                                                                                                                  • fireattack 4 days ago

                                                                                                                                                                                                    I hate it. But I know I've never been a fan of this kind of overly joking style (the same reason I can't stand the famous YouTube channel "Half as Interesting", despite loving his main channel).

                                                                                                                                                                                                                    • steveklabnik 4 days ago

                                                                                                                                                                                                                      I read it on my phone and I love the writing style.

                                                                                                                                                                                                                      Different people are different.

                                                                                                                                                                                                                      • codetrotter 4 days ago

                                                                                                                                                                                                                        I think it was funny and I liked it. Still didn’t read the whole thing though – maybe later, am not in shape right now. But did read quite a bit of it.

                                                                                                                                                                                                                        • gonzo41 4 days ago

                                                                                                                                                                                                                          It reads like a travel diary. Which I really like because you get the things that are done and the thoughts and feelings along the way.

                                                                                                                                                                                                                          • stordoff 4 days ago

                                                                                                                                                                                                                            I found myself rolling my eyes a few times, but the core content was good so I didn't find it all that off-putting.

                                                                                                                                                                                                                            "Update: I have been arrested." did leave me slightly confused for a while though, probably due to the verbosity making me want to scan read.

                                                                                                                                                                                                                            • mulmen 4 days ago

                                                                                                                                                                                                                              If you were scanning that would be an easy joke to miss. The giveaway is the previous paragraph ending mid-word like the authorities just busted in and hauled the author off to a CIA black site.

                                                                                                                                                                                                                            • C19is20 4 days ago

                                                                                                                                                                                                                              Humour, with a 'u'.

                                                                                                                                                                                                                              • ezluckyfree 4 days ago

                                                                                                                                                                                                                                I agree, kind of. I had to skim it, some of the jokes were funny, it just took up too much space.

                                                                                                                                                                                                                                • Camas 4 days ago

                                                                                                                                                                                                                                  Feels like I accidentally opened discord

                                                                                                                                                                                                                                  • traverseda 4 days ago

                                                                                                                                                                                                                                    Yeah, it was a bit yikes.

                                                                                                                                                                                                                                    • kayson 4 days ago

                                                                                                                                                                                                                                      I couldn't either. It was absolutely terrible. I think you can achieve the style and voice he was going for without being completely over the top, which he very much was.

                                                                                                                                                                                                                                      • starpilot 4 days ago

                                                                                                                                                                                                                                        Same. Sounds like the author thinks he's way funnier than he is.

                                                                                                                                                                                                                                        • mulmen 4 days ago

                                                                                                                                                                                                                                          I laughed out loud multiple times reading this and sent it to some friends whose senses of humor I respect and the consensus is this is funny.

                                                                                                                                                                                                                                          • maest 4 days ago

                                                                                                                                                                                                                                            I shared this with some of my friends, and we all agreed it was obnoxious.

                                                                                                                                                                                                                                            So, where do we go from here?

                                                                                                                                                                                                                                            • oefnak 3 days ago

                                                                                                                                                                                                                                              It was literally the first HN article I sent to my friends?

                                                                                                                                                                                                                                        • netsharc 4 days ago

                                                                                                                                                                                                                                          Couldn't stand it either, since I (probably like most of us here) know about the "scan the 2d barcode to get the booking number, use that and passenger last name to see their flight details" trick. The kid draws out that first bit for too long. Although he did get clever and used the developer tools (again here he goes into boring details) to find the actual passport number as some hidden JSON, and some other internal airline info...

                                                                                                                                                                                                                                        • mulmen 4 days ago

                                                                                                                                                                                                                                          This was a great read but I'm a bit disappointed there are no easter eggs in the page source. Or maybe I'm just not finding them.

                                                                                                                                                                                                                                          • hayyyyydos 4 days ago

                                                                                                                                                                                                                                            There is one, but it's on the homepage - take a look under the "about" heading at the bottom and go from there.... (assuming that's the puzzle that ASD figured out)

                                                                                                                                                                                                                                          • iamshs 4 days ago

                                                                                                                                                                                                                                            I loved the writing style. That "hard mode" effect had me wheezing though.

                                                                                                                                                                                                                                            • mikeappell 4 days ago

                                                                                                                                                                                                                                              > If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested.

                                                                                                                                                                                                                                              Possibly the best line in an article full of really fantastic lines.

                                                                                                                                                                                                                                              • gouggoug 4 days ago

                                                                                                                                                                                                                                                Out of curiosity a few months back I spent a few hours looking at this exact hashtag (#boardingpass) and other travel related hashtags.

                                                                                                                                                                                                                                                I ended up thinking that Instagram was actively removing pictures of boarding passes because I could only find a surprisingly small number of pictures containing a valid Lastname/BookingRef. As for the few pictures available, the references were often either too old or partially covered.

                                                                                                                                                                                                                                                I'm still wondering if Instagram does remove such photos.

                                                                                                                                                                                                                                              • beervirus 4 days ago

                                                                                                                                                                                                                                                Well now I feel compelled to read everything this person has ever written.

                                                                                                                                                                                                                                                • gregjw 4 days ago

                                                                                                                                                                                                                                                  Most entertaining post-mortem I've ever read, Australian through and through.

                                                                                                                                                                                                                                                  • Zealotux 4 days ago

                                                                                                                                                                                                                                                    >I personally recommend blacking out (add a black rectangle) instead of blurring

                                                                                                                                                                                                                                                    This can be reversed as well, if you do black things out this way: please make sure you're using 100% opacity black. I've managed to retrieve data from plenty of "blacked-out" documents simply by playing with contrast and exposure filters in Photoshop because the opacity wasn't set correctly.

                                                                                                                                                                                                                                                    • cricalix 4 days ago

                                                                                                                                                                                                                                                      Black it out, print it to paper, scan it back in, embed the image in a Word document, and print to PDF. Wait, that's just how "most" people do it anyway..

                                                                                                                                                                                                                                                    • aha amazing read, quality content.

                                                                                                                                                                                                                                                      • kabacha 4 days ago

                                                                                                                                                                                                                                                        Real question here is: should the passport number have any expectations of privacy? It seems like such an easy thing to expose as you literally put it down on every document like hotel check ins etc. AFAIK it's not even a random number and instead it's generated from basic info like birth year/place/gender.

                                                                                                                                                                                                                                                        That being said it was a really good blog!

                                                                                                                                                                                                                                                        • rswail 4 days ago

                                                                                                                                                                                                                                                          It depends where you are from. Our (Australian) passports have a "series" letter at the start and then a set of numbers. Not sure whether they are random or incremental or derived.

                                                                                                                                                                                                                                                          YMMV based on nation that issues yours.

                                                                                                                                                                                                                                                        • beatrobot 4 days ago

                                                                                                                                                                                                                                                          I like that there was such a good response to the disclosure from all the different parties, compared to this: https://research.digitalinterruption.com/2020/09/10/giggle-l...

                                                                                                                                                                                                                                                          • starpilot 4 days ago

                                                                                                                                                                                                                                                            The tl;dr:

                                                                                                                                                                                                                                                            > Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.

                                                                                                                                                                                                                                                            > How it works: The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.

                                                                                                                                                                                                                                                            • XCSme 4 days ago

                                                                                                                                                                                                                                                              Amazingly written post, really enjoyable to read!

                                                                                                                                                                                                                                                              It's amazing that we have all those security protocols (HTTPS, e2e encryption, secure log-in, etc.) but in the end most of the "hacks" are just people being stupid or manipulated through social engineering.

                                                                                                                                                                                                                                                              • jasomill 3 days ago

                                                                                                                                                                                                                                                                Reminds me of the time I learned Jim Morrison's social security number from a framed form hanging on the wall next to my table at a Hard Rock Café, written in ballpoint pen, "redacted" with a magic marker that did nothing, obviously, to obfuscate the impression made by the pen in the paper.

                                                                                                                                                                                                                                                                While I have no idea how the SSN of a long-dead rock star could ever be useful, I'm certain I still have a copy saved around here somewhere...

                                                                                                                                                                                                                                                                • thdrdt 4 days ago

                                                                                                                                                                                                                                                                  Lately I am thinking about building a framework for web APIs where the database stores the owner, group and others' rights for each entity. The framework will then fetch data based on the user and fill the models based on the rights set for each field.

                                                                                                                                                                                                                                                                  Exactly for the reason shown in the article.

                                                                                                                                                                                                                                                                  I believe right now it is still too difficult to do this in any framework. That's why developers take shortcuts and just expose all entity data or just make a mistake and forget about it.

                                                                                                                                                                                                                                                                  Does anyone know if such a framework already exists? So per field rights, not per entity rights.
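An added example of the per-field rights model described in the comment above (example code written for this thread, not from the article, the airline, or any commenter). It assumes a hypothetical booking record whose fields each carry a Unix-style octal mode (owner/group/other, read/write), and it constructs a sample booking with made-up names. The point worth noticing is the default: a field with no rights entry has mode 0 and is never serialized, so a column added later (or one the developer forgot about) cannot leak the way the passport number did.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Unix-style permission bits: one octal digit each for owner, group, other.
READ, WRITE = 0o4, 0o2


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset[str] = frozenset()


@dataclass
class Entity:
    owner: str                    # user_id of the owning passenger
    group: str                    # e.g. the airline's staff group
    data: dict[str, Any]
    # Per-field mode in 0o640 style.  A field with no entry has mode 0:
    # deny by default, so a column added later is never exposed by accident.
    rights: dict[str, int] = field(default_factory=dict)


def _shift(principal: Principal, entity: Entity) -> int:
    """Select which octal digit (owner=6, group=3, other=0) applies."""
    if principal.user_id == entity.owner:
        return 6
    if entity.group in principal.groups:
        return 3
    return 0


def can(principal: Principal, entity: Entity, name: str, op: int) -> bool:
    mode = entity.rights.get(name, 0)          # missing entry -> 0 -> denied
    return bool((mode >> _shift(principal, entity)) & op)


def view(entity: Entity, principal: Principal) -> dict[str, Any]:
    """The JSON the API may return: only fields this principal can read."""
    return {k: v for k, v in entity.data.items()
            if can(principal, entity, k, READ)}


def update(entity: Entity, principal: Principal, changes: dict[str, Any]) -> None:
    """Reject the whole update if any field is not writable by the caller."""
    denied = sorted(k for k in changes if not can(principal, entity, k, WRITE))
    if denied:
        raise PermissionError(f"{principal.user_id} may not write {denied}")
    entity.data.update(changes)


def sample() -> tuple[Entity, Principal, Principal, Principal]:
    """Constructed sample data (hypothetical names and values, not a real booking)."""
    booking = Entity(
        owner="pax-42",
        group="airline-staff",
        data={
            "last_name": "Example",
            "flight": "XX123",
            "seat": "14C",
            "passport_number": "N0000000",
            "staff_notes": "pax requested aisle",
            "phone": "+61 400 000 000",   # no rights entry: never served
        },
        rights={
            "last_name": 0o444,        # anyone holding the booking ref may read
            "flight": 0o444,
            "seat": 0o644,             # owner may change it, staff may read it
            "passport_number": 0o600,  # owner only
            "staff_notes": 0o060,      # staff group only, read and write
        },
    )
    owner = Principal("pax-42")
    staff = Principal("agent-7", frozenset({"airline-staff"}))
    anon = Principal("anyone-with-booking-ref")
    return booking, owner, staff, anon


if __name__ == "__main__":
    booking, owner, staff, anon = sample()
    for who in (owner, staff, anon):
        print(who.user_id, "->", sorted(view(booking, who)))
```

With the sample data, the "other" principal (whoever typed in booking reference plus last name) gets only last_name, flight and seat; staff see staff_notes but never the passport number; the undeclared phone field is served to nobody until someone deliberately assigns it a mode.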

                                                                                                                                                                                                                                                                  • mulmen 4 days ago

                                                                                                                                                                                                                                                                    Take a look at Postgres roles, I think they are similar to what you describe. This should allow you to set row level permissions per user. Not sure how well that scales.

                                                                                                                                                                                                                                                                    I know postgrest uses it.

                                                                                                                                                                                                                                                                    • efreak 3 days ago

                                                                                                                                                                                                                                                                      I think the Windows registry has this, doesn't it? Not really applicable to this use case, and so far as I know it's world-readable (ACLs are applied for writing, not reading), but it does have per-key ACLs (not sure about per-field).

                                                                                                                                                                                                                                                                      • throwawaynothx 4 days ago

                                                                                                                                                                                                                                                                        or... GraphQL.

                                                                                                                                                                                                                                                                        • thdrdt 4 days ago

                                                                                                                                                                                                                                                                          How does GraphQL fix the problem of showing different fields depending on rights?

                                                                                                                                                                                                                                                                      • iandanforth 4 days ago

                                                                                                                                                                                                                                                                        This is a long read, but trust me, keep reading it's great.

                                                                                                                                                                                                                                                                        • fardeem 3 days ago

                                                                                                                                                                                                                                                                          This is easily top 1% of all writing on the internet

                                                                                                                                                                                                                                                                          • xyzal 4 days ago

                                                                                                                                                                                                                                                                            Is it just me, or did anyone else try to clean up their monitor from dust, realizing eventually the "dust" is the websites background image?

                                                                                                                                                                                                                                                                            • WebDanube 4 days ago

                                                                                                                                                                                                                                                                              TFW your monitor is dirty enough for you to not notice the dusty BG image.

                                                                                                                                                                                                                                                                              • efreak 3 days ago

                                                                                                                                                                                                                                                                                Could be worse. I'm pretty sure some of the dirt on one of my monitors is actually dead pixels.

                                                                                                                                                                                                                                                                            • WrtCdEvrydy 4 days ago

                                                                                                                                                                                                                                                                              For anyone who wants to do this easier... ZAP Proxy has a HUD display that will allow you to see the data flying on a page after you load it.

                                                                                                                                                                                                                                                                              No need to do funky Inspect Element magic. Works wonders for reverse engineering how your fancy UI talks to the fancy API to do the fancy things.

                                                                                                                                                                                                                                                                              If you can't figure out ZAP with HUD, you can alternatively use the Network tab on Chrome and switch to AJAX (if it's something that happens without the page loading)
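                                                                                                                                                                                                                                                                                A proxy-free alternative to the ZAP HUD or the Network tab is to hook the page's own `fetch` and `XMLHttpRequest` from the DevTools console, so every call the front end makes to its API is captured with method, URL, request body, status and response body. The example below is added here and is not code from the original post or from ZAP; the helper names `installFetchLogger`, `installXhrLogger` and `formatLog` are chosen for this example.

```javascript
// Added example: record the requests a page's scripts make by wrapping
// fetch and XMLHttpRequest. Paste into the DevTools console of the page
// under inspection. Not part of the original post; helper names are
// invented here. Works against any object with a fetch() (window) and any
// XHR-like constructor, which is how the test below drives it under Node.

function installFetchLogger(target, log) {
  const originalFetch = target.fetch;
  target.fetch = function (input, init) {
    init = init || {};
    const url = typeof input === 'string' ? input : (input && input.url) || String(input);
    const entry = {
      kind: 'fetch',
      method: (init.method || 'GET').toUpperCase(),
      url: url,
      requestBody: init.body === undefined ? null : init.body,
      status: null,        // filled in when the response arrives
      responseBody: null,
    };
    log.push(entry); // recorded before the request leaves, so failed calls still show up
    return originalFetch.call(target, input, init).then(function (response) {
      entry.status = response.status;
      // clone() so the page still receives an unread body stream
      return response.clone().text().then(function (text) {
        entry.responseBody = text;
        return response;
      });
    });
  };
  return function uninstall() { target.fetch = originalFetch; };
}

function installXhrLogger(XhrCtor, log) {
  const proto = XhrCtor.prototype;
  const originalOpen = proto.open;
  const originalSend = proto.send;
  proto.open = function (method, url) {
    // open() runs before send(), so stash the request line on the instance
    this.__logEntry = {
      kind: 'xhr',
      method: String(method).toUpperCase(),
      url: url,
      requestBody: null,
      status: null,
      responseBody: null,
    };
    return originalOpen.apply(this, arguments);
  };
  proto.send = function (body) {
    const entry = this.__logEntry;
    if (entry) {
      entry.requestBody = body === undefined ? null : body;
      log.push(entry);
      // a plain function so `this` is the XHR when the load event fires
      this.addEventListener('load', function () {
        entry.status = this.status;
        entry.responseBody = this.responseText;
      });
    }
    return originalSend.apply(this, arguments);
  };
  return function uninstall() { proto.open = originalOpen; proto.send = originalSend; };
}

// One line per request, handy for console.log or console.table.
function formatLog(log) {
  return log.map(function (e) {
    return e.kind + ' ' + e.method + ' ' + e.url + ' -> ' +
      (e.status === null ? 'pending' : e.status);
  });
}

// In a browser console:
//   const apiLog = [];
//   installFetchLogger(window, apiLog);
//   installXhrLogger(XMLHttpRequest, apiLog);
//   ... click around the page ...
//   console.table(apiLog);  // or console.log(formatLog(apiLog).join('\n'))
```

Both wrappers push the entry before the request is sent, so a call that errors out or never returns is still visible; the response fields are filled in later. The hooks only see traffic from scripts running in the page (not navigations, images or service-worker fetches), which is exactly the UI-to-API traffic the comment above is after, and the returned `uninstall` functions put the originals back.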

                                                                                                                                                                                                                                                                              • bigiain 4 days ago

                                                                                                                                                                                                                                                                                > funky Inspect Element magic

                                                                                                                                                                                                                                                                                Are you sure you're on the right website?

                                                                                                                                                                                                                                                                              • philipdavis 4 days ago

                                                                                                                                                                                                                                                                                Question: do you think you will be arrested for doing the same thing if it was in your country? (A from myself: yes absolutely)

                                                                                                                                                                                                                                                                                • This was a thoroughly entertaining read, thank you!

                                                                                                                                                                                                                                                                                  • reillyse 4 days ago

                                                                                                                                                                                                                                                                                    What a well written article. Really enjoyed that. If the hacking doesn't work out get a job writing about hacking...wait.

                                                                                                                                                                                                                                                                                    • juststeve 4 days ago

                                                                                                                                                                                                                                                                                      Australian here, he’s doing the best he can

                                                                                                                                                                                                                                                                                      • abanayev 4 days ago

                                                                                                                                                                                                                                                                                        Did anyone notice the line, “Update: I have been arrested”? Chekhov’s gun is just hanging there.

                                                                                                                                                                                                                                                                                        • ChrisRR 4 days ago

                                                                                                                                                                                                                                                                                          That's a long read, has anyone got a blurb so I know what I'm getting myself into?

                                                                                                                                                                                                                                                                                          • pmontra 4 days ago

                                                                                                                                                                                                                                                                                            Search for "tl; dr". It's a section at the end of the page with the summary.

                                                                                                                                                                                                                                                                                        • This has to be the funniest and most gratifying thing I’ve ever read on Hacker News. Great job!

                                                                                                                                                                                                                                                                                          • Aeolun 3 days ago

                                                                                                                                                                                                                                                                                            To be honest, I find it ridiculous (just like with social security numbers) how much you can apparently do just by virtue of knowing a passport number.

                                                                                                                                                                                                                                                                                            It shouldn’t work like that.

                                                                                                                                                                                                                                                                                            • ztgasdf 2 days ago

                                                                                                                                                                                                                                                                                              Really entertaining read. I'm amazed how much information they were able to get from the airline website.

                                                                                                                                                                                                                                                                                              • dependenttypes 4 days ago

                                                                                                                                                                                                                                                                                                Is the passport number supposed to be secret? You show them when you buy alcohol in some countries, as well as to the police if they ask for it - all of these people can copy the number if they so wish.

                                                                                                                                                                                                                                                                                                • razki 4 days ago

                                                                                                                                                                                                                                                                                                  Really enjoyed reading this. Thanks for redirecting my time brotheeeRRRR

                                                                                                                                                                                                                                                                                                  • jeffbee 4 days ago

                                                                                                                                                                                                                                                                                                    Are passport numbers secrets?

                                                                                                                                                                                                                                                                                                    • andreareina 4 days ago

                                                                                                                                                                                                                                                                                                      I'd say sensitive at the very least. Like social security numbers they shouldn't be, but when places use them for identification without checking authenticity and authorization...

                                                                                                                                                                                                                                                                                                      • ObsoleteNerd 4 days ago

                                                                                                                                                                                                                                                                                                        They're a form of Government-issued photo ID, so not "secret" but definitely "sensitive".

                                                                                                                                                                                                                                                                                                        At least in Australia, a passport can be used as your primary ID for a lot of stuff such as renting houses, buying mobile phones, connecting services to your home, booking flights, renting cars, etc etc etc.

                                                                                                                                                                                                                                                                                                        • macintux 4 days ago

                                                                                                                                                                                                                                                                                                          Yes. The bottom of the post covers some of the things you can do with the number.

                                                                                                                                                                                                                                                                                                          • zbrozek 4 days ago

                                                                                                                                                                                                                                                                                                            Yet good luck traveling without actually surrendering them to all kinds of places you'd rather not. Like hotel clerks basically everywhere.

                                                                                                                                                                                                                                                                                                        • half-kh-hacker 4 days ago

                                                                                                                                                                                                                                                                                                          I love Alex's stuff.

                                                                                                                                                                                                                                                                                                          • seapunk 4 days ago

                                                                                                                                                                                                                                                                                                            That is one of the best blog posts I've read in a long time.

                                                                                                                                                                                                                                                                                                            • lanevorockz 4 days ago

                                                                                                                                                                                                                                                                                                              We are trying to fix this in the language ... It's just hard to convince people around that the change is worth it, I guess that I found the perfect use case.

                                                                                                                                                                                                                                                                                                              • Lorin 4 days ago

                                                                                                                                                                                                                                                                                                                "Unblending the smoothie" is such a great line.

                                                                                                                                                                                                                                                                                                                • nl 4 days ago

                                                                                                                                                                                                                                                                                                                  Interestingly (and strangely) some frequent flyer numbers are treated by Australian airlines as confidential information.

                                                                                                                                                                                                                                                                                                                  • pachico 4 days ago

                                                                                                                                                                                                                                                                                                                    What a fun article to read! Congratulations!

                                                                                                                                                                                                                                                                                                                    • pragmaticpandy 3 days ago

                                                                                                                                                                                                                                                                                                                      > I’ve been practicing every morning at sunrise, but still can’t scan barcodes with my eyes.

                                                                                                                                                                                                                                                                                                                      rofl. Great writer.

                                                                                                                                                                                                                                                                                                                      • bassie2 4 days ago

                                                                                                                                                                                                                                                                                                                        Clicking Inspect Element in this post results in some fun as well (NSA Tracking cookies). A true Droste effect.

                                                                                                                                                                                                                                                                                                                        • gkanai 4 days ago

                                                                                                                                                                                                                                                                                                                          This was a great read! Highly recommended.

                                                                                                                                                                                                                                                                                                                          • michaelsitver 4 days ago

                                                                                                                                                                                                                                                                                                                            One of the better blog posts I’ve read

                                                                                                                                                                                                                                                                                                                            • dis-sys 4 days ago

                                                                                                                                                                                                                                                                                                                              What is the big deal of knowing Tony Abbott's diplomatic passport number?

                                                                                                                                                                                                                                                                                                                              • pietroppeter 4 days ago

                                                                                                                                                                                                                                                                                                                                Is there a book about the basics of IT?

                                                                                                                                                                                                                                                                                                                                • Lerain 4 days ago

                                                                                                                                                                                                                                                                                                                                  That was extremely entertaining and so much fun to read, thanks!

                                                                                                                                                                                                                                                                                                                                  • imwm 3 days ago

                                                                                                                                                                                                                                                                                                                                    I can't believe how funny this writer is

                                                                                                                                                                                                                                                                                                                                    • marvinblum 4 days ago

                                                                                                                                                                                                                                                                                                                                      What a brilliant blog post. Thank you for posting it!

                                                                                                                                                                                                                                                                                                                                      • ironfootnz 4 days ago

                                                                                                                                                                                                                                                                                                                                        That’s the best funny post about “CVE” I’ve ever read.

                                                                                                                                                                                                                                                                                                                                      • spyder 4 days ago

                                                                                                                                                                                                                                                                                                                                        It would've been faster and easier to report it to Instagram, but this way it made a better story and educated the user better than Instagram just removing the picture.

                                                                                                                                                                                                                                                                                                                                        • pragmaticpandy 3 days ago

                                                                                                                                                                                                                                                                                                                                          TIL McAfee® Gamer Security is a thing...

                                                                                                                                                                                                                                                                                                                                          • jslakro 4 days ago

                                                                                                                                                                                                                                                                                                                                            Most hilarious techie post I've ever read

                                                                                                                                                                                                                                                                                                                                            • kulesh 3 days ago

                                                                                                                                                                                                                                                                                                                                              Enjoyed the read very much, thanks.

                                                                                                                                                                                                                                                                                                                                              • soulofmischief 4 days ago

                                                                                                                                                                                                                                                                                                                                                When your simple blog page is crashing Spice and virt-viewer, there is a serious bloat problem. I can't even view this blog because it immediately crashes.

                                                                                                                                                                                                                                                                                                                                                • nmeofthestate 4 days ago

                                                                                                                                                                                                                                                                                                                                                  Looked interesting, but as an old fogey I just couldn't get past the "omg u guise yikes jklsflsfdjfds" style.

                                                                                                                                                                                                                                                                                                                                                  • dmje 4 days ago

                                                                                                                                                                                                                                                                                                                                                    Bloody love the way this guy writes...

                                                                                                                                                                                                                                                                                                                                                    • rootsudo 4 days ago

                                                                                                                                                                                                                                                                                                                                                      Narrative is cute, but too much.

                                                                                                                                                                                                                                                                                                                                                      • alottafunchata 4 days ago

                                                                                                                                                                                                                                                                                                                                                        This was a great read--thanks!

                                                                                                                                                                                                                                                                                                                                                        • JoachimS 4 days ago

                                                                                                                                                                                                                                                                                                                                                          Highly entertaining reading.

                                                                                                                                                                                                                                                                                                                                                          • kdtsh 4 days ago

                                                                                                                                                                                                                                                                                                                                                            This is certifiably grouse.

                                                                                                                                                                                                                                                                                                                                                            • tunnuz 4 days ago

                                                                                                                                                                                                                                                                                                                                                              This entertained me a lot.

                                                                                                                                                                                                                                                                                                                                                              • cottsak 4 days ago

                                                                                                                                                                                                                                                                                                                                                                Alex, you are so funny!

                                                                                                                                                                                                                                                                                                                                                                • FerretFred 4 days ago

                                                                                                                                                                                                                                                                                                                                                                  This is a great read!

                                                                                                                                                                                                                                                                                                                                                                  • brlnwest 4 days ago

                                                                                                                                                                                                                                                                                                                                                                    This is such a great story. Love the way he writes!

                                                                                                                                                                                                                                                                                                                                                                    • ddiddu 3 days ago

                                                                                                                                                                                                                                                                                                                                                                      It is easy to figure out a passport number from a picture of a ticket posted on Instagram.

                                                                                                                                                                                                                                                                                                                                                                      • BoredomHeights 4 days ago

                                                                                                                                                                                                                                                                                                                                                                        I can't believe I read this whole thing only to find out at the end that this dumbass thinks the earth revolves around the sun. I wish I'd known we were dealing with a wacko from the start so I could have saved 20 minutes of my life.

                                                                                                                                                                                                                                                                                                                                                                        • carrolldunham 4 days ago

                                                                                                                                                                                                                                                                                                                                                                          Clickbait. No "passport" is found. Very long-winded, insufferable hooting about finding the passport number from an instagrammed boarding pass booking number. Is that still a big security hole? I guess. Could have been one tweet though.

                                                                                                                                                                                                                                                                                                                                                                          • h0l0cube 4 days ago

                                                                                                                                                                                                                                                                                                                                                                            > very long winded insufferable hooting about finding the passport number

                                                                                                                                                                                                                                                                                                                                                                            Did you read the whole thing? Also included were phone number, notes from airline staff.

                                                                                                                                                                                                                                                                                                                                                                            > is that still a big security hole?

                                                                                                                                                                                                                                                                                                                                                                            To quote the article:

                                                                                                                                                                                                                                                                                                                                                                            > Just having the information on the passport is not quite as powerful as a photo of the full physical passport, with your photo and everything.

                                                                                                                                                                                                                                                                                                                                                                            > With your passport number, someone could:
                                                                                                                                                                                                                                                                                                                                                                            > - Book an international flight as you
                                                                                                                                                                                                                                                                                                                                                                            > - Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
                                                                                                                                                                                                                                                                                                                                                                            > - Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)

                                                                                                                                                                                                                                                                                                                                                                            .. and then it had a couple more points.

                                                                                                                                                                                                                                                                                                                                                                            > could have been one tweet though

                                                                                                                                                                                                                                                                                                                                                                            And then you'd miss the whole story about informing government security and Qantas of the flaws (difficult apparently), tracking down the staff of the ex-Prime Minister of Australia, and then finally getting a call from the man himself. Might not be your cup of tea, but not 'click-bait'. The author put a lot of effort, and told a really interesting story.

                                                                                                                                                                                                                                                                                                                                                                            • juancampa 4 days ago

                                                                                                                                                                                                                                                                                                                                                                              I found the writing style to be very entertaining. Maybe someone else would've stopped at a tweet, but in the end he managed to get on the phone with Tony Abbott himself and got himself a cool story to tell.

                                                                                                                                                                                                                                                                                                                                                                              • sellyme 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                When a (former) head of Government is calling your personal phone number I think you're entitled to want more than 280 characters to tell the story of how the hell that happened.

                                                                                                                                                                                                                                                                                                                                                                                • parksy 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                  The full title is "When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number". Not sure why the title here omits "number", but it is there on the actual post.

                                                                                                                                                                                                                                                                                                                                                                                  Also, as someone who hasn't ever done anything like this before, it was interesting to read the journey from end to end, specifically the steps taken to try and responsibly disclose a security breach and the hoops he jumped through, which might seem obvious to someone who does it on the regular, but was somewhat enlightening to someone who has never encountered something like this in life.

                                                                                                                                                                                                                                                                                                                                                                                  • cjbprime 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                    It's not mentioned in the post, but it seemed like you also get access to past and future trip itineraries. Seems like a big deal for a past head of state to me.

                                                                                                                                                                                                                                                                                                                                                                                    • akent 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                      Let us know when you do something even half as impressive.

                                                                                                                                                                                                                                                                                                                                                                                    • jezze 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                      Some friendly advice to the author of this article. Even though I enjoyed reading the whole thing, if you are gonna have a tl;dr in your article, put it at the start, not at the end. Almost felt like a mockery.

                                                                                                                                                                                                                                                                                                                                                                                      • tdy721 4 days ago

                                                                                                                                                                                                                                                                                                                                                                                        This write-up... irreverent and dumb. Did you study any Dave Barry? <3 I would love to buy a book. I mean probably not me, but if you need any moneys