Found this twitter account https://twitter.com/googuns_prod posting these weird encrypted tweets. The locations are all over the globe. You can find them using this site http://onemilliontweetmap.com/. Anyone know what it is?
A numbers station (or number station) is a type of shortwave radio station
characterized by their unusual broadcasts, which consist of spoken words,
but mostly numbers, often created by artificially generated voices reading
streams of numbers, words, letters, tunes or Morse code.
Now, if you take a look at any random tweet, you will notice that the location that it was tweeted from changes every time (often in the middle of the Sea). This could also be a hidden chunk of information that encodes/hides other relevant data.
It is certainly not by accident that the lat/lngs change on each Tweet. If I had the time as an experiment, I'd probably try and find patterns between the lng/lats to see if the decimal equivalent means anything? How hilariously awesome would it be if when mapped on a globe, it builds up a large picture. (Fair warning.. this runs WebGL and will most likely nuke your browser for a few seconds http://data-arts.appspot.com/globe-search/ )
Just listen to the buzzing sound clip... Sends chills down my spine. Then after years of 24/7/365 buzzing, a Russian voice reads a bizarre encoded message. Spooky.
I am sure this is just interference or something and please excuse me if this is a stupid thing to point out but I decided to check this out and listen to the live stream of this linked to via Wikipedia and after 5 minutes or so I started to hear a distorted conversation. It has continued ever since. Is this normal?
Seems to change too often for a number station. I wonder if foreign intelligence agencies would even consider using an American company for their covert communications.
I think it is less spooky: My bet is on it being an iPhone app from years ago, maybe long pulled from the store. Its dev was using the Twitter account as a logging system. Maybe for something as silly as high scores from around the world. "_dev" and "_prod" seem far too innocent names for an account that is trying to fly under the radar.
EDIT: Perhaps it is used for indexation benchmarks? Deploy a tweet with a unique string and location, and check how long it takes before it shows up in the index or notification inbox?
The keys it is sending appear to be in pairs, in sets of 16, if you concatenate them you get the 32bit entire key. All of the keys are presented in hexadecimal format, you will notice none of the letters go above f. Most of the keys sent end in eight 0's, this would lead me to believe that this is padding and in fact, the two keys concatenate to build up one 32bit string, but if you look carefully you will note that some of them only have 7bits of padding on the end, so I will disregard this assumption.
These tweets appear to originate from Russia.
Now, common uses of 16bit (and 32bit) encryption keys are for WEP keys, traditionally used in router password protection, which can be provided either in a full ASCII spectrum or in merely hexadecimal format.
Taking these points together I can conclude that these could possibly be the encrypted WEP keys of a Russian router.
Or I could be totally wrong, but I really wasn't given much to work with :)
The maximum is 200, but you can move down the line by using since_id or max_id optional parameters.
'xml' can be replaced with 'json' or 'rss' if you'd prefer a different format.
Looking over the data briefly reveals the additional fact that the 'source' field is populated with a link to Google. That, combined with the other accounts including one that outright says it's associated with google on its profile. So this is either google maybe doing some sort of recruiting thing, or somebody that wants us to think it's google for whatever reason. One guess is that the account name could mean Google User Notification Service.
Additionally, the tweets are published at a (more or less, this is the web) regular interval. Always around the HH:M9:30, HH:M0:00, and HH:M4:30 and HH:M5:00 marks. As stbullard speculated (https://news.ycombinator.com/item?id=4697813), there could be two instances of whatever this is running, publishing every 5 minutes independently, with one instance having the code baf200000000 associated with it and another having the id of 2350000000. Note that the length of these two are different- the former is 12 while the latter is 10. This could mean a variety of things regarding the format in which the data is published, or variance in the data itself.
It might be worth looking at the unique parts of the 235 ones as color.
If anyone can pull these tweets down into a single file and share them that would be amazing.
I suspect what you are seeing is the output of a password cracking program that is dumping out cracked MD5s or similar. The zeroes at the end is a technique that's been seen before to mark a password as cracked, see for example with the dump of the LinkedIn hack: http://news.ycombinator.com/item?id=4073309
True this is likely some botnet coordinating where/who the C&C is currently. I wonder if this can be reverse engineered.
EDIT:
I wonder if it does some sort of transform on the number to get an IP addr? Perhaps it's part of an IPv6 addr?
Perhaps it's a distributed brute-force on a password or checksum being carried out by a botnet?
It's interesting how distributed this is, too bad we don't have IP addrs associated with the posts
Perhaps it is a botnet trying to locate all of its clients.
Each client has his/her own UUID(the tweet) and the geolocation is where the client is located.
It seems as though the googuns_staging was the trial, all fake/useless location, and googuns_prod (as the name suggests) is the actual "in-the-wild" run of locating all of its clients
Also interesting is at the moment there are many tweets ending in either a350000000 or baf200000000 but that may just be coincidence based on some counter that's incrementing
It can't be the geolocation of compromised machines unless some of them happen to be on boats or planes. Some of the geolocation coordinates are in the middle of the ocean.
True, or it could be geolocations that it failed to resolve.. but then again it would likely be the same geolocation for every time it fails to resolve
On staging, all posts end in ba0000000. On prod, all posts end in 200000000 or 350000000. Since these sequences are repeated, it seems likely they could be disregarded.
Why would a botnet use such a public C&C channel instead of IRC? And why wouldn't the C&C tweets be encoded in a less suspicious format such as comments about cats or whatever?
IRC traffic is commonly blocked, but HTTP traffic directed to Twitter is generic enough to get through most locked down networks. I doubt whoever is behind this cares if it's public data and that people see what's being posted. Public access just means any newly compromised computer can access it without anything more than a single HTTP request.
If we had access to the IP(s) posting the tweets, it'd be pretty easy to get an idea if they were malicious or not. But where's the fun in that
It's clearly a viral marketing ploy. Standard theme: create some type of countdown website (or some other cryptic message) then seed a few high popularity forums by pretending to have stumbled across this thing nobody would ever actually find.
Sorry to burst your bubble but no. I just happened across this by accident. I'm a GIS Developer and was checking out this site. http://onemilliontweetmap.com/ I noticed there were a lot of single tweets floating out in the ocean.
It probably has nothing to do with this but there is another account https://twitter.com/googuns which claims to be associated with google . . . . In particular the page has a title "Google Notifications".
It could also be a distributed game of battle ships...
each shot is defined by one unique hash and a geo location.. waiting to see a tweet about "hit" or perhaps "miss" but those wouldn't need to be ACKed
I poked around the data a bit (I uploaded a JSON file below).
First, I separated the tweets into two sets
based on the last eight hex digits (00s and 50s).
In each set, I parsed each 16-digit message as an integer,
converted that to a binary string, and reversed the binary digits.
Parsing that as an integer again gives numbers that roughly increase over time.
Here is a chart of the 00s (plotted against tweet number):
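The split-and-reverse steps described in the comment above, as an added Python sketch that is not part of the original thread. The sample messages are constructed, and the fixed 64-bit width (which keeps leading zero bits before reversing) is an assumption, since the comment does not say how the binary string was padded.

```python
from collections import defaultdict

WIDTH_BITS = 64  # assumption: each 16-hex-digit message is one 64-bit value
HEX_DIGITS = "0123456789abcdef"

# Constructed sample messages in posting order (not real tweets from the account).
SAMPLE_TWEETS = [
    "8000000000000000",
    "8000000050000000",
    "4000000000000000",
    "4000000050000000",
    "c000000000000000",
    "c000000050000000",
    "2000000000000000",
    "not-a-hex-message",  # malformed entry, should be skipped rather than crash
]

def reverse_bits(message_hex, width=WIDTH_BITS):
    """Parse hex, render as a fixed-width binary string, reverse it, parse again."""
    value = int(message_hex, 16)
    bits = format(value, "0{}b".format(width))
    if len(bits) > width:
        raise ValueError("message wider than {} bits".format(width))
    return int(bits[::-1], 2)

def split_and_decode(tweets, suffix_len=8):
    """Group messages by their last `suffix_len` hex digits, decoding each one."""
    groups = defaultdict(list)
    skipped = []
    for text in tweets:
        text = text.strip().lower()
        if len(text) != WIDTH_BITS // 4 or any(c not in HEX_DIGITS for c in text):
            skipped.append(text)
            continue
        groups[text[-suffix_len:]].append(reverse_bits(text))
    return dict(groups), skipped

def is_non_decreasing(values):
    """True when the decoded values never go down in posting order."""
    return all(a <= b for a, b in zip(values, values[1:]))

if __name__ == "__main__":
    decoded, skipped = split_and_decode(SAMPLE_TWEETS)
    for suffix, values in sorted(decoded.items()):
        print(suffix, values, "non-decreasing:", is_non_decreasing(values))
    print("skipped:", skipped)
```

With a fixed width, the constant trailing hex digits of each message become a constant high-order prefix of the decoded value, so each set can be compared on its low-order bits alone.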
The pattern of the gap between the times that they are tweeted is somewhat interesting too... 1 minute, 4 minutes, 1 minute, 4 minutes, 1 minute, 4 minutes, etc.
I would guess googuns_prod is the output from two of whatever googuns_staging is, running at a 1-minute offset, with each thing identifying itself with the last nine digits: 200000000 and 350000000 for the production thing, ba0000000 for the staging thing.
<meta name="keywords" content="googun googun googun googun googun googun googun googun gay gay gay gay gay gay gay gay seattle seattle seattle seattle hot hot hot hot hot hot hot hot hot Tshirts t shirt t shirt t shirt t shirt t-shirt t-shirt t-shirt coffee coffee coffee coffee coffee">
Yeah, I look at all out-of-the-blue mysteries with no context as the start of viral campaigns now, they've overused that trope. I can't even get interested in this because I don't want to waste time on something that turns out to be a sales pitch, which would sort of suck if anything ever ends up being genuine.
I was actually planning on doing something like this for fun. In my case, the numbers would be generated from a random function and wouldn't mean anything. YMMV.
Seems like some sort of coordination effort I'd have to guess. Perhaps for a region where Google traffic might normally be blocked, it's an alternative way to get a message in?
Random number radio stations.
http://en.wikipedia.org/wiki/Numbers_station