Defeating Security Scams With Maximum Lawls

JeremyRubin
4 min read · Aug 24, 2014


Security is of the utmost importance to me, especially in my work for the MIT Bitcoin Project. So I was alarmed when this showed up in my inbox:

You ain’t got no Swag

Unfortunately I was out and about when I saw this, but I wasn’t too concerned. After all, we’re only really running a static site at the moment. I couldn’t resist inquiring further. Later that evening:

Maybe It Was Their Use Of Capitalization Which Drew Me In

I quickly found that Nakul’s motivations were simple:

Game on:

Most likely, yes

Holy shit. Here are the bugs: Nakul has injected my database using database injection (my server has no DB), leaked all my Bitcoins, or defaced my whole server, and Nakul doesn't care which.

Who is our new friend anyway? A cursory search yields: https://medium.com/@tareksiddiki/story-of-a-beg-bounty-hunter-e9a1f58ddf9e. TL;DR: Nakul is some kind of dumb-ass bug-bounty chaser. Thanks Tarek!

Thus the plan begins:

I throw up a simple “hacked by Nakul” on the main site, and send some concerned messages:

Nakul doesn’t respond. I tell Nakul I don’t want to escalate:

And dance they did

Nakul bites:

The nerve!

Wat:

At this point, you may view this version of the website at

http://mitbitcoinproject.org/hacked

for historical reasons. You’ll need your full attention & audio to maximize enjoyment.

So what does Nakul really want?

First and foremost, a well-deserved "I told you so":

Nakul gets down to business:

I’m in too deep. At this point, Dan points out this amazing counter-scam tactic. http://imgur.com/a/tR48B. I weigh my options and dive deeper:

Our next messages are sent at the same time — Nakul’s comes in while mine is sending:

Nakul bites…

Proof of Bite: https://blockchain.info/tx/aeab85ffd0fb3552c9bc864511117759c50bb0161ed777d94a4acd05e6d70309

… I bite back:

Panic sets in:

You’re asking me to use PayPal?

I reset the website:

Say hello to my little friend:

Nakul doubles down:

I admire your confidence and bask in your stupidity.

Reading the Riot Act:

Nakul issues an empty threat:

The Donation is… a #DOGENATION. That’s right, I’m supporting the Shibes on this one.

To learn more about NYC Shiba Rescue, please see http://nycshibarescue.org/

Thanks for reading. Please let me know of any security vulnerabilities you may discover; I can't promise a reward, but I can promise your continued lawls.

As a reminder, MIT BitComp Round 3 closes tomorrow at Midnight — good luck to all entrants!

For more info, please visit http://mitbitcoinproject.org/#bitcomp
