by noahc 5567 days ago
When I had a lot more time, I would go into Yahoo chat and basically phish for pedophiles' usernames/passwords. I can tell you that a "hehe" after anything will set the hook.

I could on average phish about an account a minute and I was never figured out. I only fell out of character once to warn an 18-year-old kid that talking to 14-year-old girls sexually online wasn't the best use of his time. He freaked out and thought I was a cop!

It's relatively trivial to do this; most people will ignore minor slip-ups provided you have the right context. I would set context by doing the following:

1. I would set my profile to the geolocation of the room I intended to work. I would then find a school and neighborhood to say I was from.

2. I would suggest I was home sick (and thus alone).

3. I would use an innocent, although sexual, name in my username like "booty".

4. I would use emoticons and "hehe" on probably 75% of all messages sent.

5. I would let them contact me first. If you contact them they get scared. If they contact you, they feel like they are in control.

For example, I could tell them the wrong name and many wouldn't notice, or if they did simply saying, "Oh, that's my middle name" is usually sufficient.

With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?

8 comments

Welcome to the internet, where the men are men, the women are men, and the kids are cops.

http://news.ycombinator.com/item?id=1546789

That phrase is older than Hacker News. I could have sworn that it used to be on bash.org, but the best reference I can find is:

http://www.urbandictionary.com/define.php?term=kids+are+the+...

I'm pretty sure the phrase even predates 4chan though... Most likely originates from USENET or IRC.

Definitely older than Hacker News. I got it from Reddit, and I think Reddit got it from UseNet (possibly via 4chan or IRC).

I paraphrased though, and the grandparent post must have a better memory (or better Google skills) than me, which is probably why you can't find an exact match...

The oldest versions I've heard went something like “Welcome to the internet, where the men are men, the women are men, and the children are FBI agents.”

Example from 2001: http://www.bash.org/?2832

Pretty sure the line goes back further than that though.

My guess is that it’s a parody of A Prairie Home Companion’s line about “Lake Wobegon, where all the women are strong, all the men are good looking, and all the children are above average.” Though that might itself be playing on some earlier such line?

I think of the Hitchhiker's Guide to the Galaxy (from the 70s?): "Where men are real men, women are real women and small furry creatures from Alpha Centauri are real small furry creatures from Alpha Centauri."

Which is presumably itself a parody, I'd guess of some standard line from a Western. But I couldn't pin it down to exactly where.

That the internet has been thus for a long time is disappointing, but not surprising.

I've studied oral-formulaic poetry, and one of the interesting aspects of it is that everyone tells the same stories over and over, and what makes one retelling superior is not the actual content, but the way it's delivered. I may well have seen it before. But long line lengths and easy Verdana text make HN good for memorable one-liners, and your retelling had punctuation, capitalization, and pithiness.

Here's the bash.org quote you're thinking of:

http://bash.org/?2832

That is... pretty creepy.

> With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?

See if Chris Hansen is hiring?

Going back about 10 years, there was a community that made a pseudo-sport out of this kind of activity and similar online masquerades; it was called baiting.org. The site is still up, though inactive.

Finding one in Yahoo! Chat in the 90s wasn't very hard; it was tough trying to find someone, anyone, to chat with who wasn't a pedophile. Those chatrooms were insane! ...and the webcams too!

For the record, I believe this would have been between 2000 and 2004ish.

Interesting. What was your motivation?

I'm big on systems and testing and generally more interested in people than the technical nature of technology. I just wanted to see if it would work. I did this off and on from the time I was 14 to 17 or so. I lived literally in the middle of nowhere, where the nearest town had about 27 people. It was an interesting way to spend time in high school.

To me it was a big experiment to maximize conversion and minimize detectability.

The biggest takeaway from this is that I realized that social interactions have formulas and you can take advantage of those formulas. You can also find shortcuts to the formula or make certain parts of the formula more important or less important based on context.

I am hoping you are hinting that this story is an exact replica of that behavior... pulling off a social formula, on a slightly bigger scale. Even if you are not, having gone through a similar phase back in early years with that exact same motivation, I am!

This is a textbook usage of social engineering. Putting in divorced parents, single child getting all the attention from the engineer dad making the kid above average amongst his/her peers, and then putting in a girl, so as to make you focus less on the flaws in the story and drool over the hot-geek image more... evergreen combination.

I would doubt though that Forbes came up with this on their own. Rather, it could very much be someone from anon, just having little more fun.

Thanks for making that explicit. My point was that the context (story) she used makes it so we want to believe her. In the same way I could set up a context that makes you want to believe and ignore irregularities.

I would expect that the journalist as a filter makes this even more likely. The journalist would then ignore irregularities or dull them in the story presenting the most consistent pieces in the story, not the least.

I would say one advantage that I had is that I could test responses, over and over again. But that is always what allowed me to basically have a formula that would result in 95%+ conversion on the phishing attacks. The other 5% oftentimes were do-gooders trying to tell me not to be in chat rooms or to warn me about pedos.

Thanks for the explanation. I suspect most people downvoted you because they didn't understand your motivation.

I particularly liked your comment about finding formulas for social interactions. Have you tried looking for work at a social startup? From what I have heard of Facebook's culture, you would fit right in.

I didn't downvote, but regardless of the motivation it's still just a little creepy.

This sounds like Transactional Analysis, it's an interesting read on Wikipedia

I think the link is just http://en.wikipedia.org/wiki/transactional_analysis if that's wrong I apologize, I'm typing this from my phone

Have you analyzed and documented the formulas you mention? This would be a first step into formalizing and eventually monetizing your experiences.

I don't have the logs, so it would be based more on memory than anything else. It'd be less than scientific, and I went into Yahoo Chat rooms 6 months ago to see if they had changed and it is much less fruitful now with the population being mostly made up of bots.

This would be a great answer to the "Real life hacking" YC question, especially with your mention of the formula behind human interaction you discuss in another reply.

That was always my thought too.

Previous comment here related to multiple down votes I received. I jumped the gun and lesson learned.

You're at +6 right now, so the number of people (including me) who think that your comment was interesting and useful to the conversation outweighs the number of people who objected to it. HN is generally self-correcting; I would say that not asking about downvotes for at least two hours or until you get down to -4 or below is probably a good rule of thumb, as I expect that HN's tendency to self-correct is lessened past either of those points (because of fewer people reading the thread or because people won't bother reading the comment), assuming that you can't see why it's been downvoted. That's just my advice, though, as I most often see comments asking about downvotes following comments which have a positive votecount.