The evil part in me could not help but wonder about how everybody seems to be so psyched about receiving a chrome notebook that they throw caution to the wind and enter anything and everything in to a form on some server somewhere allowing the google marketing department to significantly update their profiles with all that data they supply, and all that for the chance of getting a laptop.

This sort of action is a very common marketing tactic, but I was actually quite surprised to see how popular it was on HN. Also, the fact that google was happy to collect your information even when you can't receive the notebook was an interesting detail, and lots of people only realized that after filling out the form.

Then the other day a second thing happened, someone solved the contest that was embedded in the video that was used for the launch of the product.

The evil part of me again thought wow, what a large amount of work that was done here, I wonder how people would respond to a second contest, with a much larger number of notebooks to be won?

So, within a few minutes a plan was hatched, a simple idea to see how susceptible a security conscious community is to stuff like this. The domain is plainly in my name and just about all the tell tale signs of a phishing scam are present. Over the course of the last couple of days the text was polished to make it more clear what the intent is.

The url of the site is http://www.freechromelaptop.com/ , the url of the payoff page is http://www.freechromelaptop.com/process.html

Since I'm the main 'driver' behind this little prank I take full responsibility for it and for the fall-out if any, the other co-conspirators would have never done this without me asking for it.

I hope you'll forgive me for having a devious side to me, but I intended for nothing but good to come out of this, and I hope that even if the project never got underway that you will take these words to heart, please be very careful with what you fill out in online forms, even if the page looks genuine and it is google that is giving you a chance to win some laptop you have to wonder if the collective value of the information given up does not exceed greatly the value of the goods they are shipping.

  Jacques

People don't like being duped, even if it's for their own good. You're likely to get more "f--k you's" than "thank you's".

If you want to teach someone a lesson, you don't start out by telling them they are stupid.

To create some real, lasting value you could have created the app and then said something like, "Hey everybody! I made this fake marketing web app that will steal your information and show you how it's done step-by-step. If you want to see how web scams are done, follow this link: ..." Then make some fake Google accounts for people to use (instead of their own).

"... you have to wonder if the collective value of the information given up does not exceed greatly the value of the goods they are shipping."

+1 for that sentiment. If your info wasn't more valuable, they wouldn't be doing it.

I think it depends on the person. Let's consider two scenarios.

1. "Never fill in your details on suspicious sites."

2. "You recently filled in your details on xyz.com. Now I know that your credit card number is 1234."

In response to (1) I would nod, but would it register deep enough? Not so sure. Now if someone actually shows me that he duped me into giving out sensitive details, I would be way more impressed and remember the lesson for longer.

That of course makes it impossible to see if people enter fake information or not but I'd hate to give a bad guy the opportunity to hack the server and walk out with the info.

How many entrants did you get?

1. Never give passwords to a third party (so, for example, no Mint).

2. Never give anything more than an email address to someone you wouldn't also give your credit card number to. I only give an address or phone number when I'm planning on buying something.

3. Never log in after following a link. Always log in by manually (either through typing the URL or a bookmark) visiting the site.

Could you/someone who has more knowledge of this than me explain how this is safer (if it is) and then possibly explain if/how someone could hack mint to get my information.

I always thought of mint as just as safe as using online banking, is this very flawed?

Plus I use passwords that are auto-generated based on domain name, which I copy & paste to the generator. Hopefully this makes me immune to homograph attacks.

1) Similarities in the way letters look in certain fonts can cause you to think you're on the correct site when you are not. This is mitigated by EV SSL usually, but if you're not paying close attention you might miss it.

2) Browser exploits (though I'm unaware of any specific ones in current browsers) have commonly focused on tricking the browser into displaying one URL when the page is actually being hosted by another.

3) Links in e-mail, specifically, asking you to "login and update your information" (or "login and sign up for paperless billing now!" is pretty common, especially when combined with some perk). Often these links use redirection to gauge effectiveness of the e-mail campaign, so it's common for the link to look strange. If the e-mail is a phishing attack, that redirection could include code injection resulting in you being sent to the right URL to login, but with malicious code inserted to capture credentials or do other fun and exciting things. Of course, the site would have to have some existing XSS vulnerability on the login page, or the code would have to be attacking a browser/plug-in vulnerability, for you to see the EV SSL indicator properly in the address bar.

The last point is also usually mitigated by extensions like NoScript in Firefox.

Any other "HN Rate my webapp" thread could do the same.

There are ways of hashing nice password with custom-modified algorithms and bookmarklets. Use them guys.

I'm not saying anyone here did anything terrible, but usually when contacted privately you first respond privately, so this is a bit out of order. It's not like jacquesm wouldn't have listened to arguments about this, and so an immediate action in the form of this post is, well, just bad form.

Edit: jacquesm has come forth with it, so I've replaced "a contributor" with his username.

Not intending to get into this specific debate, but that's precisely the wrong way to think. Well respected individuals with a good reputation risk their's every day. More importantly, for many, jacquesm is a faceless individual. How can you be certain he's the one who concocted this plan and it wasn't someone who fished out his information in order to utilize his reputation to gain something? Especially when this so-called "jacquesm" is trying to phish out information from the HN community, something that could hurt his reputation regardless of the intent.

I'm not suggesting he wasn't who he said he was, nor should be distrust him. Rather, we need to always be aware of what we trust (and an email from a friend is merely that, an email, not your friend).

Excellent point, and one that can't be stressed enough.

That's not how it was being discussed at the time.

http://www.freechromelaptop.com/irc.txt

This was in open channel on #startups, I've redacted the names of the other participants.

We both agree that it's easy to phish people. I disagreed then and still disagree now that the right way to do that is to embarrass them.

If I wanted to "shame" you somehow, I could have easily done that by naming names to begin with. The only intention of this submission was to warn people that you must be careful with your information because you never know who might be out to get it.

I don't believe you were out to snag people's financial data, but beyond that it was pretty tough to tell what you were after other than "teaching other people a lesson" (yes, this is paraphrased).

I fail to see what positive outcome could occur from essentially pointing and laughing at people because they fell for your scheme.

[Edit: I did a bad and edited this comment. Originally it only said "This is missing parts of the conversation", which is what jacquesm is replying to.]

I don't think posting a full log of the channel is appropriate, if the other people that were there wish to publish their parts with their ids in there that's fine with me.

The email you refer to which explained the whole thing in some detail was sent to the one person whose reputation might have been harmed but if I had not I would not have been able to tell if he had fallen for it or not (highly unlikely anyway) because identifying information is hashed to make sure that even I can't accidentally leak who fell for it.

My email is in my profile, feel free.

https://chrome.google.com/extensions/detail/pcgpfcjfajapilli...

That said, we do step into fewer digital traps than a less technical person.

if someone were to seriously try and phish any specific site, they'd probably be reasonably successful. the question really is, how long would it take for someone to recognize what was going on and get it killed? will 20 people visit the page, or will 2000?

It pleases me to say that in spite of it being an obvious 'fake' it didn't take mozilla more than a few hours to have the site marked as a phishing site, which I think is really great for them.

At the same time, I'm a pretty skeptical guy, and any domain name of www.freeproductx.com screams of fake and phony to me. Anyone that submits their information there, especially from the more technically savvy HN crowd, needs to take a look at what they are trying to accomplish. I do have to give you credit, the site does look amazingly legit, though Google does tend to use minimalistic themes so the time taken shouldn't be too involved. And because I am skeptical, the nameservers aren't all that convincing: NS1.MATTHEIJ.COM :)

It would have been fairly easy to make it a lot more resilient against that but we figured that by making it this plain those that fell for it would know that they had failed to do due diligence before entering all that data.

A simple whois would have been enough, as would have been a google search for 'second chrome notebook contest' or anything else like it. Google consistently refers to the device as a 'notebook', the site used 'laptop' in the domain but notebook elsewhere, the site was not hosted on a google IP range and so on.

The particulars in this situation only keep me from being angry. Was it malicious or harmful? No. But is it irritating to know that crap like this going on and that I might be punished for not lurking the right IRC channels? Hell yeah. I don't need that kind of attention-theft in my life.