
Gaming Foursquare With 9 Lines of Perl 84

caffeinemessiah writes "With the recent launch of Facebook Places, the rise to prominence of Foursquare and GoWalla, and articles in the New York Times about the increasing popularity of 'checking in' to locations using GPS-enabled mobile phones, a number of businesses are wondering how to reward frequent patrons. But exactly how susceptible are these 'location based services' to being abused? A researcher at the University of Illinois at Chicago shows how easily Foursquare can be gamed in 9 Perl statements, and invites readers to submit more succinct versions of the code to game the system." An anonymous reader contributes a link to a similar article about spoofing Facebook Places to create an alibi.
  • SPHREAKING (Score:5, Interesting)

    by Anonymous Coward on Saturday August 21, 2010 @11:31AM (#33324668)

    I am happy that this is taking off. It's the only way we can fight back against data hoarders.

    I propose SOCIAL PHREAKING: We need a P2P client that pretends to be a user of a social network: twitter, facebook, linked in, whatever. The software will login periodically (each client does it at a different rate, in fact, they negotiate.)

    The idea is, the various fake accounts form relationships with one another. Every now and then they create a new account and share passwords where they login and 'appear to login' to be from a different location. The growth should be such that it is not suspicious and not an abuse of service. It would make more sense for every node to have only 1 or 2 accounts at most, to simulate families with accounts per family member.

    • You can use a chat bot to generate the junk that goes into twitter feeds and people's walls. A markov would be a good one.
    • You can spider nouns, hobbies from Wikipedia and randomly generate names and demographics. Of course they would have to be corroborative with the user's real location.
    • You can use pictures from the various leaked archives to upload pictures.
    • You can randomly spider groups and join them and so on.

    With enough privacy advocates on the phreaknet, we should be able to generate enough traffic and data to distort the demographics at least slightly. We could poison the data hoarders to make them think that everyone loves a certain brand of ice cream and then it would become more popular.

    We can restore the tip of knowledge and power to ourselves.

  • Easy golf: round one (Score:5, Interesting)

    by mr_mischief ( 456295 ) on Saturday August 21, 2010 @11:53AM (#33324892) Journal


    #!/usr/bin/perl -W
    use IO::Socket;
    srand;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    $ARGV[1] += rand() * 0.0001 - 0.00005;
    $ARGV[2] += rand() * 0.0001 - 0.00005;
    my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
        length($str)+2, "\r\n\r\n$str\r\n";
    $_=<$sock>;

    The author didn't really even try, so it'll be easy to shorten it. Shortening it a lot is left as further exercise. I'll just get rid of some low-hanging fruit. I'm sure Perlmonks [perlmonks.org] will pick up the challenge if they haven't already.

    1. The random number generator is automatically seeded, so get rid of that line.
    2. The results from the socket are assigned to a variable, but that variable is not printed or otherwise used. There's a whole line. It might be friendly to read the data waiting, but it's not necessary to the task.
    3. Rather than assigning to the command-line arguments, the assignment to $str could have included the random perturbations, so there's two more lines.


    #!/usr/bin/perl -W
    use IO::Socket;
    sleep(rand()*600);
    my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
            Proto =>'tcp', Type=>SOCK_STREAM) or die;
    my $str = "vid=$ARGV[0]&private=0&geolat=" . ($ARGV[1] += rand() * 0.0001 - 0.00005)
            . "&geolong=" . ($ARGV[2] += rand() * 0.0001 - 0.00005);
    print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
            . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
            . "(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
            . "-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
            . "XXXXXX\r\nContent-length: ",
        length($str)+2, "\r\n\r\n$str\r\n";

    Five logical lines. Actual display lines may of course be different depending upon several factors like attempting to break long lines for viewing and the vagaries of the textual mangling on Slashdot.

  • Re:SPHREAKING (Score:3, Interesting)

    by Geoff-with-a-G ( 762688 ) on Sunday August 22, 2010 @09:19AM (#33331252)

    A very interesting idea, but I think spam shows us that whoever actually developed and implemented such systems would most likely use them to intentionally skew the data towards something they could profit from, rather than adding noise to degrade the data.

    How much of your spam is not related to making money off you?

    I imagine this massive and convincing network of fake people would suddenly discover that they all love Axe body spray...
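
An added example, not part of the thread and not Foursquare's code: the check-in scripts above send whatever `geolat`/`geolong` the client chooses, so a service can at least test each claimed position against evidence it controls. The event fields, both thresholds and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def review_checkins(events, max_kmh=900.0, max_ip_km=500.0):
    """Return (event_id, reason) pairs for implausible client-claimed positions.

    events: dicts with id, user, ts (ISO 8601), lat/lon as claimed by the client,
    and ip_lat/ip_lon, a coarse server-side estimate for the source address.
    """
    flagged = []
    last = {}  # user -> (time, lat, lon) of that user's previous check-in
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        # Signal 1: claimed position is far from where the request came from.
        if haversine_km(ev["lat"], ev["lon"], ev["ip_lat"], ev["ip_lon"]) > max_ip_km:
            flagged.append((ev["id"], "ip_mismatch"))
        # Signal 2: speed needed to arrive here from the previous check-in.
        prev = last.get(ev["user"])
        if prev:
            hours = (ts - prev[0]).total_seconds() / 3600
            dist = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
            # Ignore sub-kilometre moves so GPS noise or small jitter is not flagged.
            if dist > 1.0 and (hours <= 0 or dist / hours > max_kmh):
                flagged.append((ev["id"], "impossible_travel"))
        last[ev["user"]] = (ts, ev["lat"], ev["lon"])
    return flagged

# Constructed sample: every request arrives from an address located in Chicago.
CHICAGO = {"ip_lat": 41.88, "ip_lon": -87.63}
SAMPLE = [
    {"id": 1, "user": "u1", "ts": "2010-08-21T09:00:00", "lat": 41.8719, "lon": -87.6493, **CHICAGO},
    {"id": 2, "user": "u1", "ts": "2010-08-21T09:07:00", "lat": 41.87193, "lon": -87.64934, **CHICAGO},
    {"id": 3, "user": "u1", "ts": "2010-08-21T09:30:00", "lat": 40.7580, "lon": -73.9855, **CHICAGO},
    {"id": 4, "user": "u1", "ts": "2010-08-21T20:00:00", "lat": 41.8827, "lon": -87.6233, **CHICAGO},
]

if __name__ == "__main__":
    for event_id, reason in review_checkins(SAMPLE):
        print(event_id, reason)
```

Both signals only bound how far a claimed position can sit from other evidence, so they are triage inputs for review rather than proof that a given check-in is genuine.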
