‘A small team of A players can run circles round a giant team of B and C players’ – the late Steve Jobs
So I decided to conduct a….. hmmmm… ‘social experiment’. I am always amazed and intrigued by the bluster put forth by ‘members’ of ‘Anonymous’. I decided to see for myself exactly how ‘anonymous’ Anonymous think they are. One of the really great things about being me is that thousands of Anons follow me on Twitter, because, as much as they protest, they like to keep a close eye on what I am up to at any given moment, but as we all know, the hand, in some cases, is quicker than the eye, right? I can use this fact to my advantage.
With Twitter, whether I am following someone or not, if they are following me I can Direct Message them.
So I coded up a really quick and dirty Twitter App that went through my 56,000 followers and picked out 250 random followers that had the letters ‘anon’ in their Twitter handle; it just looped through until it reached the API limit. Upon finding a ‘mark’ it then ran off to Project Looking Glass and generated a unique URL very similar to this one:
with the target’s handle encoded within it. Very simply, and specifically for those who want to deconstruct it, I used this simple method for encoding:
// PHP: base64-encode the Twitter handle, then hex-encode the resulting base64 string
$base64 = base64_encode($account->screen_name);
$twithandle = bin2hex($base64);
When it was clicked, this encoded string enabled Project Looking Glass to identify who it was at the other end. At this point the Direct Message was generated; the message was designed to rouse curiosity in the target:
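As an added example (not the post's own code, which is PHP), this is how an analyst who receives one of these lures can recover offline which handle the link was keyed to, without visiting the page: the forward direction mirrors the base64-then-bin2hex scheme above, and the decoder rejects tokens that are not hex-of-base64. The URL layout (token as the last path segment) and the sample handle are assumptions.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import urlparse


def encode_handle(handle: str) -> str:
    """Reproduce the page's scheme: base64 the handle, then hex-encode the base64 text."""
    b64 = base64.b64encode(handle.encode("utf-8"))
    return binascii.hexlify(b64).decode("ascii")


def decode_token(token: str) -> Optional[str]:
    """Reverse the scheme. Returns None when the token is not valid hex wrapping valid base64,
    so that arbitrary path segments are not misreported as a handle."""
    try:
        b64 = binascii.unhexlify(token)              # odd length / non-hex -> binascii.Error
        raw = base64.b64decode(b64, validate=True)   # bad alphabet / padding -> binascii.Error
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def handle_from_url(url: str) -> Optional[str]:
    """Assumed lure layout: the tracking token is the last path segment of the URL."""
    path = urlparse(url).path.rstrip("/")
    token = path.rsplit("/", 1)[-1]
    return decode_token(token)


if __name__ == "__main__":
    # Constructed sample lure URL; "anon_example" is a made-up handle, not one from the post.
    sample = "https://paste.example.invalid/view/" + encode_handle("anon_example")
    print(sample)
    print("lure keyed to handle:", handle_from_url(sample))
```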
“Heads up <twitter name>, you are doxed in this paste dump. <unique URL> The password is your email address. Not looking good.”
This message was then auto-sent to the target. The little app sent out all 250 DMs in approximately 40 seconds. The URL then led the target to a pastebin-type site with a protected paste dump requesting a password to open. The key here is that in the DM it clearly states that the password is the recipient’s ‘email address’. But nobody would be so stupid, right? I mean this is Anonymous and they are, well, anonymous, and legion and l33t? Well, even I was surprised. At the point of entering a password (which will always be wrong btw) Project Looking Glass had already snared the following info on the intended target:
- twitter handle from the unique URL they used,
- their operating system of choice
- browser type and version number
- installed plugins inside the browser
- IP address (in some cases a proxy but not all)
- their hostname where applicable
- their Internet Service provider name
- Their GEO-IP location
- Their actual timezone as per local system clock
- the exact moment in time this all occurred
- a Project Looking Glass hook
- …… and all that’s before they start to bang away on the keyboard, inputting their email address – as the password – to try and open the paste dump. Which many did, and many, when the first attempt failed tried again and again, putting in all their email addresses over and over because they didn’t know which one was the password, even though none of them actually were.
So now I have at least one, but in most cases multiple, email addresses associated with a twitter handle along with all of the above information too. All this stuff is fed into a database for storage, search, etc etc. I’ll be giving you a method of seeing the results at the end of this post. Just to see if you got snared, because I am not all bad. 😉
Looking at my result set as it stands right now (there are still people stumbling in), I can determine a few key indicators like demographics and some really in-depth stuff, but I am gonna share just one interesting fact.
At the point of writing, of the 250 Direct Messages sent out to Anonymous ‘members’:
- 113 entered an email address as password when asked.
- most entered more than one when it failed
113 expressed as a percentage of 250 is 45.2% – let’s extrapolate that up: if, as anons claim, they number ‘over 9000’ then it’s fair to suggest that 45.2 percent of 9000 turns out to be no less than 4068. <<< LOLWUT??
Yes, that’s right, the figures indicate that at least 4068 (that’s OVER 4000) of their ‘legion’ number would have been so stupid as to fall through the looking glass had I not been so kind as to publicize my ‘social experiment’. What is going to be really interesting to see is, now that I have published this, how many more of them still rumble on through lol. I’ll be sure to update you.
Not so fucking ‘Anonymous’ now huh? What a gaggle of halfwits.
This op is a response to the ‘Anonymous’ member (because anyone can be anonymous, right) @fawkesSecurity who last week posted a bomb threat involving 400lbs of explosives and a Federal building. NOT COOL. This man is clearly as dumb as a box of wet hammers but Anonymous allow him to speak for them. Because they are dumber and wetter than said box. That move was terrorism, and Anonymous is moving into the realms of becoming a Terror organization as I predicted, here and again here and most recently here.
I’d also like to point out that the @fawkesSecurity individual did in fact fall for this op in its early stages, although he was using a French proxy at the time, which I notice is run by the same ISP that hosts Wikileaks?
The method described above is just one of over 700 Project Looking Glass enabled hook sites at my disposal. So no, I am not really giving much up here with regard to OpSec.
How can I view the results?
Authorities and anyone else who is interested can view the result set live by clicking the ‘Pi’ symbol at the top right of this blog, login using any username you like and then type the command ‘plg’ – it is simply a dataset viewer, nothing malicious.
Respect for other people’s privacy is not something Anonymous are known for, given the amount of hacked data dumps they have released for no good reason over the years, but out of a healthy respect for at least some privacy, search capability has been removed along with some persons of interest who should be starting to feel some heat right about now. Timestamps are redacted. Password attempts (email addresses in this case) are redacted. Law enforcement agencies can make contact if they want a full un-redacted view of the dataset should a person of interest catch their eye.
UPDATE: Results are now available via THIS LINK
Again, not so fucking ‘Anonymous’ now huh? Poke the bull…get the horns.
There’s an unequal amount of good and bad in most things, the trick is to figure out the ratio, and act accordingly. No Anons were harmed during the making of this blog post. The op this post describes however …. #ticktock
Cue the butthurt, threats and rage posts. Meanwhile it’s target practice over, I’ll get back up in online Jihadis faces now.
Remember kids, Anonymous and its offshoots aren’t cool. Ask Topiary.
UPDATE: @LulzMouse has decided to threaten me and troll me lol, even going as far as to suggest @fawkessecurity and myself are one and the same. It’s all they have in their arsenal: lies, disinfo and basic troll-tactics. Then they cry when they get burned. I may be a Jester, but holy crap they are the joke. Well, here’s a link to the conversation we had just after that user @lulzmouse stepped through the looking glass: http://imgur.com/RvzzV