Slashdot Mirror


Gaming Foursquare With 9 Lines of Perl

caffeinemessiah writes "With the recent launch of Facebook Places, the rise to prominence of Foursquare and GoWalla, and articles in the New York Times about the increasing popularity of 'checking in' to locations using GPS-enabled mobile phones, a number of businesses are wondering how to reward frequent patrons. But exactly how susceptible are these 'location based services' to being abused? A researcher at the University of Illinois at Chicago shows how easily Foursquare can be gamed in 9 Perl statements, and invites readers to submit more succinct versions of the code to game the system." An anonymous reader contributes a link to a similar article about spoofing Facebook Places to create an alibi.

7 of 84 comments

  1. SPHREAKING by Anonymous Coward · · Score: 5, Interesting

    I am happy that this is taking off. It's the only way we can fight back against data hoarders.

    I propose SOCIAL PHREAKING: We need a P2P client that pretends to be a user of a social network: Twitter, Facebook, LinkedIn, whatever. The software will log in periodically (each client does it at a different rate; in fact, they negotiate).

    The idea is, the various fake accounts form relationships with one another. Every now and then they create a new account and share passwords where they log in and 'appear to log in' to be from a different location. The growth should be such that it is not suspicious and not an abuse of service. It would make more sense for every node to have only 1 or 2 accounts at most, to simulate families with accounts per family member.

    • You can use a chat bot to generate the junk that goes into Twitter feeds and people's walls. A Markov would be a good one.
    • You can spider nouns, hobbies from Wikipedia and randomly generate names and demographics. Of course they would have to be corroborative with the user's real location.
    • You can use pictures from the various leaked archives to upload pictures.
    • You can randomly spider groups and join them and so on.

    With enough privacy advocates on the phreaknet, we should be able to generate enough traffic and data to distort the demographics at least slightly. We could poison the data hoarders to make them think that everyone loves a certain brand of ice cream and then it would become more popular.

    We can restore the tip of knowledge and power to ourselves.

  2. Julian Assange... by Jazz-Masta · · Score: 4, Funny

    How long before Julian Assange is proven (through his Facebook account) to have been at a McDonald's in Seattle when the alleged assault took place?

  3. no need for srand; by Danny+Rathjens · · Score: 4, Informative

    "If srand() is not called explicitly, it is called implicitly at the first use of the "rand" operator." -- perldoc -f rand

    So there is a wasted line right there. This whole thing is quite silly, though. perlgolf can be a lot more challenging and fun than making a simple http post. :)

  4. Re:Luckily by naz404 · · Score: 4, Informative

    Sure it is! It is a revolutionary app indispensable for burglars everywhere!

  5. Easy golf: round one by mr_mischief · · Score: 5, Interesting


    #!/usr/bin/perl -W
    use IO::Socket;
    srand;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    $ARGV[1] += rand() * 0.0001 - 0.00005;
    $ARGV[2] += rand() * 0.0001 - 0.00005;
    my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
            length($str)+2, "\r\n\r\n$str\r\n";
    $_=<$sock>;  # read the first line of the response; the value is never used

    The author didn't really even try, so it'll be easy to shorten it. Shortening it a lot is left as further exercise. I'll just get rid of some low-hanging fruit. I'm sure Perlmonks will pick up the challenge if they haven't already.

    1. The random number generator is automatically seeded, so get rid of that line.
    2. The results from the socket are assigned to a variable, but that variable is not printed or otherwise used. There's a whole line. It might be friendly to read the data waiting, but it's not necessary to the task.
    3. Rather than assigning to the command-line arguments, the assignment to $str could have included the random perturbations, so there's two more lines.


    #!/usr/bin/perl -W
    use IO::Socket;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    my $str = "vid=$ARGV[0]&private=0&geolat=" . ($ARGV[1] += rand() * 0.0001 - 0.00005)
            . "&geolong=" . ($ARGV[2] += rand() * 0.0001 - 0.00005);
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
            length($str)+2, "\r\n\r\n$str\r\n";

    Five logical lines. Actual display lines may of course be different depending upon several factors like attempting to break long lines for viewing and the vagaries of the textual mangling on Slashdot.
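
Added example, not part of the thread and not Foursquare's code: the requests above carry client-supplied `geolat`/`geolong`, so one server-side signal is whether consecutive check-ins by the same account imply an impossible travel speed. The record layout, the 900 km/h ceiling, the function names and the sample records are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed


@dataclass
class Checkin:
    user: str
    vid: str        # venue id, as in the vid= form field
    geolat: float   # client-reported, as in geolat=
    geolong: float  # client-reported, as in geolong=
    ts: int         # server receive time, Unix seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_implausible(checkins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (previous, current, km/h) for each per-user hop that is too fast."""
    last, flagged = {}, []
    for c in sorted(checkins, key=lambda c: c.ts):
        prev = last.get(c.user)
        if prev is not None:
            km = haversine_km(prev.geolat, prev.geolong, c.geolat, c.geolong)
            hours = max(c.ts - prev.ts, 1) / 3600.0  # avoid division by zero
            speed = km / hours
            if speed > max_speed_kmh:
                flagged.append((prev, c, round(speed)))
        last[c.user] = c
    return flagged


# Constructed sample records (not real data).
SAMPLE = [
    Checkin("alice", "v-chi-1", 41.8708, -87.6505, 1_282_000_000),
    Checkin("alice", "v-chi-2", 41.8827, -87.6233, 1_282_001_800),  # 30 min, a few km
    Checkin("bob", "v-chi-1", 41.8708, -87.6505, 1_282_000_000),
    Checkin("bob", "v-sea-1", 47.6062, -122.3321, 1_282_000_600),   # 10 min, another city
]
```
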

  6. So wait... by coryking · · Score: 4, Insightful

    Did anybody else catch that the Foursquare API has you sending your username and password in the clear?

    Please tell me you can do all this on port 443 and that your phone is using SSL.

    That said, I love it!
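
Added example, not part of the thread: HTTP Basic is only base64 of `user:password`, so a request like the ones above sent to port 80 exposes the credentials to anyone on the network path. This check flags Basic credentials on a non-TLS port and reports what is recoverable; the function names, the port rule and the sample request with its credentials are constructed for the example.

```python
import base64

TLS_PORTS = {443}  # assumption: any other destination port is cleartext HTTP


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_basic_auth(raw: bytes, dst_port: int):
    """Return a finding if the request sends Basic credentials in cleartext, else None."""
    headers = parse_headers(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or dst_port in TLS_PORTS:
        return None
    finding = {"host": headers.get("host"), "port": dst_port,
               "user": None, "password_chars": None}
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8: still a cleartext Basic header
        return finding
    user, _, password = decoded.partition(":")
    finding["user"] = user
    finding["password_chars"] = len(password)  # report the length only, never the secret
    return finding


# Constructed sample request modelled on the POST above (credentials are made up).
SAMPLE_USER = "user@example.com"
SAMPLE_PASSWORD = "not-a-real-password"
_token = base64.b64encode(f"{SAMPLE_USER}:{SAMPLE_PASSWORD}".encode()).decode()
_body = b"vid=0&private=0&geolat=0.0&geolong=0.0\r\n"
SAMPLE_REQUEST = (
    b"POST /v1/checkin HTTP/1.1\r\n"
    b"Host: api.foursquare.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Authorization: Basic " + _token.encode() + b"\r\n"
    b"Content-length: " + str(len(_body)).encode() + b"\r\n\r\n" + _body
)
```
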

  7. Re:What is foursquare? - The missing description. by mr_mischief · · Score: 4, Funny

    There's this other application on mobile phones that lets people selectively contact those they want at a particular moment and communicate arbitrary information including that and a bunch more via simultaneous two-way voice.