Slashdot Mirror


Gaming Foursquare With 9 Lines of Perl

caffeinemessiah writes "With the recent launch of Facebook Places, the rise to prominence of Foursquare and GoWalla, and articles in the New York Times about the increasing popularity of 'checking in' to locations using GPS-enabled mobile phones, a number of businesses are wondering how to reward frequent patrons. But exactly how susceptible are these 'location based services' to being abused? A researcher at the University of Illinois at Chicago shows how easily Foursquare can be gamed in 9 Perl statements, and invites readers to submit more succinct versions of the code to game the system." An anonymous reader contributes a link to a similar article about spoofing Facebook Places to create an alibi.

15 of 84 comments

  1. SPHREAKING by Anonymous Coward · · Score: 5, Interesting

    I am happy that this is taking off. It's the only way we can fight back against data hoarders.

    I propose SOCIAL PHREAKING: We need a P2P client that pretends to be a user of a social network: Twitter, Facebook, LinkedIn, whatever. The software will log in periodically (each client does it at a different rate; in fact, they negotiate).

    The idea is, the various fake accounts form relationships with one another. Every now and then they create a new account and share passwords where they login and 'appear to login' to be from a different location. The growth should be such that it is not suspicious and not an abuse of service. It would make more sense for every node to have only 1 or 2 accounts at most, to simulate families with accounts per family member.

    • You can use a chat bot to generate the junk that goes into twitter feeds and people's walls. A markov would be a good one.
    • You can spider nouns, hobbies from Wikipedia and randomly generate names and demographics. Of course they would have to be corroborative with the user's real location.
    • You can use pictures from the various leaked archives to upload pictures.
    • You can randomly spider groups and join them and so on.

    With enough privacy advocates on the phreaknet, we should be able to generate enough traffic and data to distort the demographics at least slightly. We could poison the data hoarders to make them think that everyone loves a certain brand of ice cream and then it would become more popular.

    We can restore the tip of knowledge and power to ourselves.

    1. Re:SPHREAKING by Requiem18th · · Score: 3, Funny

      I'd like to subscribe to your mailing list.

      --
      But... the future refused to change.
    2. Re:SPHREAKING by Geoff-with-a-G · · Score: 2, Interesting

      A very interesting idea, but I think spam shows us that whoever actually developed and implemented such systems would most likely use them to intentionally skew the data towards something they could profit from, rather than adding noise to degrade the data.

      How much of your spam is not related to making money off you?

      I imagine this massive and convincing network of fake people would suddenly discover that they all love Axe body spray...

  2. Julian Assange... by Jazz-Masta · · Score: 4, Funny

    How long before Julian Assange is proven (through his Facebook account) to have been at a McDonald's in Seattle when the alleged assault took place?

  3. no need for srand; by Danny+Rathjens · · Score: 4, Informative

    "If srand() is not called explicitly, it is called implicitly at the first use of the "rand" operator." -- perldoc -f rand

    So there is a wasted line right there. This whole thing is quite silly, though. perlgolf can be a lot more challenging and fun than making a simple http post. :)

    1. Re:no need for srand; by pyrrhonist · · Score: 2, Informative

      Perl itself calls srand() if it hasn't been called (regardless of what platform it's running on). You don't need to do it explicitly.

      --
      Show me on the doll where his noodly appendage touched you.
  4. Re:Luckily by naz404 · · Score: 4, Informative

    Sure it is! It is a revolutionary app indispensable for burglars everywhere!

  5. Easy golf: round one by mr_mischief · · Score: 5, Interesting


    #!/usr/bin/perl -W
    use IO::Socket;
    srand;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    $ARGV[1] += rand() * 0.0001 - 0.00005;
    $ARGV[2] += rand() * 0.0001 - 0.00005;
    my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
            length($str)+2, "\r\n\r\n$str\r\n";
    $_=<$sock>;

    The author didn't really even try, so it'll be easy to shorten it. Shortening it a lot is left as further exercise. I'll just get rid of some low-hanging fruit. I'm sure Perlmonks will pick up the challenge if they haven't already.

    1. The random number generator is automatically seeded, so get rid of that line.
    2. The results from the socket are assigned to a variable, but that variable is not printed or otherwise used. There's a whole line. It might be friendly to read the data waiting, but it's not necessary to the task.
    3. Rather than assigning to the command-line arguments, the assignment to $str could have included the random perturbations, so there's two more lines.


    #!/usr/bin/perl -W
    use IO::Socket;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    my $str = "vid=$ARGV[0]&private=0&geolat=" . ($ARGV[1] += rand() * 0.0001 - 0.00005)
            . "&geolong=" . ($ARGV[2] += rand() * 0.0001 - 0.00005);
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
            length($str)+2, "\r\n\r\n$str\r\n";

    Five logical lines. Actual display lines may of course be different depending upon several factors like attempting to break long lines for viewing and the vagaries of the textual mangling on Slashdot.
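
Added example, not part of the original thread or of Foursquare's code: because the check-in request above carries client-supplied `geolat`/`geolong`, one server-side plausibility check is to compare each check-in with the same user's previous one and flag implied travel speeds no person could reach. The log layout, the speed ceiling and the jitter floor are assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 1.0   # assumed floor so ordinary GPS jitter is ignored

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def implausible_checkins(checkins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag check-ins whose implied speed from the user's previous one is too high."""
    last, flagged = {}, []
    for c in sorted(checkins, key=lambda c: c["ts"]):
        prev = last.get(c["user"])
        if prev is not None:
            km = haversine_km(prev["geolat"], prev["geolong"], c["geolat"], c["geolong"])
            # Clamp the interval to one second so simultaneous check-ins stay finite.
            hours = max((c["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600
            speed = km / hours
            if km > MIN_DISTANCE_KM and speed > max_speed_kmh:
                flagged.append({"user": c["user"], "from_vid": prev["vid"],
                                "to_vid": c["vid"], "km": round(km), "kmh": round(speed)})
        last[c["user"]] = c
    return flagged

# Constructed sample log; field names follow the vid/geolat/geolong form parameters.
SAMPLE = [
    {"user": "alice", "vid": "1001", "ts": datetime(2010, 8, 25, 12, 0),
     "geolat": 41.8781, "geolong": -87.6298},   # Chicago
    {"user": "alice", "vid": "2002", "ts": datetime(2010, 8, 25, 12, 7),
     "geolat": 40.7580, "geolong": -73.9855},   # New York, seven minutes later
    {"user": "bob", "vid": "1001", "ts": datetime(2010, 8, 25, 12, 0),
     "geolat": 41.87812, "geolong": -87.62983},
    {"user": "bob", "vid": "1003", "ts": datetime(2010, 8, 25, 12, 30),
     "geolat": 41.8827, "geolong": -87.6233},   # a few blocks away
    {"user": "bob", "vid": "2002", "ts": datetime(2010, 8, 26, 12, 30),
     "geolat": 40.7580, "geolong": -73.9855},   # New York, a day later
]

if __name__ == "__main__":
    for hit in implausible_checkins(SAMPLE):
        print(hit)
```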

    1. Re:Easy golf: round one by ducomputergeek · · Score: 3, Funny

      So now you can tell Foursquare to go away as I've replaced you with a small perl script?

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  6. What is foursquare? - The missing description. by gnalle · · Score: 3, Informative

    Foursquare is a mobile application that makes cities easier to use and more interesting to explore. It is a friend-finder, a social city guide and a game that challenges users to experience new things, and rewards them for doing so. Foursquare lets users "check in" to a place when they're there, tell friends where they are and track the history of where they've been and who they've been there with. For more information on how foursquare works, see our searchable FAQ. http://foursquare.com/about

    1. Re:What is foursquare? - The missing description. by mr_mischief · · Score: 4, Funny

      There's this other application on mobile phones that lets people selectively contact those they want at a particular moment and communicate arbitrary information including that and a bunch more via simultaneous two-way voice.

  7. Faking geolocation in Firefox by BerkeleyDude · · Score: 3, Informative

    Firefox allows you to fake your geolocation: http://pugio.net/2009/07/fake-your-geolocation-in-firef.html

  8. So wait... by coryking · · Score: 4, Insightful

    Did anybody else catch that the Foursquare API has you sending your username and password in the clear?

    Please tell me you can do all this on port 443 and that your phone is using SSL.

    That said, I love it!

    1. Re:So wait... by francium+de+neobie · · Score: 3, Informative

      Well, unfortunately, that plain text thing isn't limited to the hack. I intercepted the traffic coming from their iPhone app and it sends your passwords in plain text too.
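
Added example, not part of the original thread: the `Authorization: Basic` header in the check-in request is only base64 of `user:password`, so on port 80 it is readable by anyone on the path. This audit helper parses a captured request and reports that exposure; the function name, the sample capture and its credentials are constructed for illustration.

```python
import base64

def audit_basic_auth(raw_request: bytes, over_tls: bool) -> list:
    """Report HTTP Basic credentials that a passive observer could read."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return []
    try:
        # Basic is base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:
        return [{"request": request_line, "issue": "malformed Basic token"}]
    if over_tls:
        return []
    user, _, password = decoded.partition(":")
    # Report the password length only, so the audit output is safe to store.
    return [{"request": request_line, "issue": "Basic credentials sent without TLS",
             "user": user, "password_length": len(password)}]

# Constructed capture shaped like the check-in request in the thread; credentials are made up.
TOKEN = base64.b64encode(b"user@example.com:not-a-real-password").decode()
BODY = "vid=1001&private=0&geolat=41.8781&geolong=-87.6298"
SAMPLE_REQUEST = (
    "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Authorization: Basic {TOKEN}\r\nContent-Length: {len(BODY)}\r\n\r\n{BODY}"
).encode()

if __name__ == "__main__":
    print(audit_basic_auth(SAMPLE_REQUEST, over_tls=False))
```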

  9. to make it portable use \015\012 instead of \r\n by Anonymous Coward · · Score: 2, Informative

    cause \r\n isn't \015\012 on every platform