Comment by graemep

3 months ago

What do you have in mind? It seems to only allow sending a single character at a time from a limited set. What criminal use does that allow?

The ultimate exploit is to create fake "likes". Once any system of likes becomes successful, it gets used for (a) filtering news feeds, and (b) establishing consensus & social truth. This is the biggest exploit there is.

A cheap system for "likes", such as this, is only safe when few people use it. Once it becomes popular, and worth something, it gets exploited, and then utterly fails.

"A Open Heart message should contain of a single emoji sequence. However, the emoji sequence may be followed by arbitrary data which the server is expected to ignore."

Italics mine.

That arbitrary data could be a multi-gigabyte zip file of some expensive program, classified data, copyrighted video/music, or anything for all this spec cares.

  • Ok, so? Provided the receiving server is configured to redirect the arbitrary data into the trash, you're in the clear, right? Not your fault someone sent you extra data, and you're not expected to keep it, and if you don't keep it anywhere, law enforcement could search your server but there's nothing to find because your system doesn't retain anything from the arbitrary data.

With ZWJ (Zero Width Joiner) sequences you could in theory encode an unlimited amount of data in a single emoji.

Particularly interesting are the "family" emojis, made by joining any number of person-type emoji with ZWJ characters. So in theory, a family made of thousands of men, women, girls, boys, etc... would be a valid emoji.

You are aware that computers also just use zeros and ones to enable everything that is around us?

It seems to only allow sending a single character at a time from a limited set. What criminal use does that allow?

In the age of beepers, criminals found plenty of creative ways to send messages in just a few characters. And this permits emojis, which -- binarily speaking, contain far more bits than a beeper message.

  • The problem isn't that criminals can use your service, it's that the service provider really doesn't want to be liable for that happening, which generally only happens when you host illegal content.

You don’t need to upload a lot of data in order to have an illegal data stash and there are creative criminals out there.

E.g. for GPS coordinates you need only 16 digits. Emojis are 8 bytes so by selecting specific ones and adding a control character (or two) and ensuring others stay in sequence you can encode this data in.

And then I can only respond with "Did you read the article on ACME Times about a car riding a bike?" which is a simple pointer for a URL which you might check for the drop coordinates.

It’s also possible to provide encryption keys, url serialization, cryptocurrency wallet pointers etc. And sure, this seems complicated and dystopian but when government asks you to provide data of your users who committed hard crimes it’s not really fun to be in a position where you say "I don’t know who my users are".

From my experience any service that allows anonymous write and anonymous read over long periods will sooner or later be used for illicit activity. It doesn’t matter if that’s 1mb or 10 bytes.

  • Sure, I guess that could happen. Hackernews allows anon data uploads over long periods. How many online services actually do KYC if they don't legally have to?

    Any motivated criminal could also just use a book cipher or any number of less trackable options.

  • The GET request does not return data in sequence, does it? Just counts for each emoji.

    What exactly does the govt do if you do not have data they want? I assume if you run a service like this you would comply with any data retention requirements in your country and hand over logs - although older ones which you might have deleted to comply with other laws!

    Unless you have id verification criminals can sign up with false identities.

    • > Unless you have id verification criminals can sign up with false identities.

      Having registration is enough to not be liable, that’s why everyone is doing that. You get subpoenaed, you give logs for user that you have, case closed.

      Data can be linked to your server. If you cannot pass the torch it’s you who will be investigated as potential partner in crime.

  • Why not just use pastebin for a "hey I left ur drugs at this coord", or even just a plain ol' encrypted message over email, Signal, etc...? I'm a little lost here, probably due to naivete. Is the storage of URLs or crypto wallet pointers really the bottleneck for cybercrime?

    • Because that way it’s easy to track both poster and visitor (one could say that every visitor of such a URL was involved).

      Indirect communication shifts focus from channel to method. And if anyone can use channel and anyone can read message then it’s impossible to pinpoint true poster and true recipient.

      E.g. a few years back I was helping fix a WordPress site which shared leaked CC through page visitor counters. Imagine proving anyone’s participation.

      And finally I didn’t say anything about it being cybercrime, the cases I know of were related to identity theft, assets theft, extortion and illicit videos. Seized servers and personal computer for years.
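An added example, not part of the thread and not code from the Open Heart project: one way a receiving server could handle the points raised above about trailing arbitrary data, unbounded ZWJ sequences and count-only reads. The allowlist, the per-client cap, the `client_id` argument and all names are assumptions made for illustration.

```python
import io
from collections import Counter

# Constructed allowlist (assumption: the operator picks a fixed set of reactions).
HEART = "\u2764\uFE0F"
THUMBS_UP = "\U0001F44D"
FAMILY = "\U0001F468\u200D\U0001F469\u200D\U0001F467"  # one fixed ZWJ sequence
ALLOWED = sorted((e.encode("utf-8") for e in (HEART, THUMBS_UP, FAMILY)),
                 key=len, reverse=True)  # longest first, so prefixes cannot shadow
MAX_EMOJI_BYTES = len(ALLOWED[0])
PER_CLIENT_LIMIT = 3  # hypothetical cap on reactions per client per URL

def first_allowed_emoji(stream):
    """Read at most MAX_EMOJI_BYTES of the body and return the allowlisted
    emoji it starts with, or None. Anything after it is never read or kept."""
    head = stream.read(MAX_EMOJI_BYTES)
    for candidate in ALLOWED:
        if head.startswith(candidate):
            return candidate.decode("utf-8")
    return None

class HeartStore:
    """Keeps only counters: no request bodies and no arrival order."""
    def __init__(self):
        self.counts = Counter()  # (url, emoji) -> total
        self.seen = Counter()    # (client_id, url) -> accepted submissions

    def post(self, client_id, url, body_stream):
        emoji = first_allowed_emoji(body_stream)
        if emoji is None:
            return 400           # not an allowlisted emoji: nothing stored
        if self.seen[(client_id, url)] >= PER_CLIENT_LIMIT:
            return 429           # limits how far one client can move a counter
        self.seen[(client_id, url)] += 1
        self.counts[(url, emoji)] += 1
        return 200

    def get(self, url):
        return {e: n for (u, e), n in self.counts.items() if u == url}

if __name__ == "__main__":
    store = HeartStore()
    # Constructed request body: one emoji followed by 1 MB of arbitrary data.
    body = io.BytesIO(THUMBS_UP.encode("utf-8") + b"A" * 1_000_000)
    print(store.post("client-1", "example.test/post", body), body.tell())
    print(store.get("example.test/post"))
```

The per-client cap only slows counter manipulation; it does not remove the counter-as-channel problem described in the last comment.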