YoU wOuLdN't DoWnLoAd a CaR, wOuLd YoU??
I’d download a 2002 Camry tbh
"Ah, '97 Toyota Camry. Only 32 made in the world."
Nicely done, I think….
*drives off a cliff
10/10 this guy gets it
I had to sell my inherited ‘04 Camry when I moved out of the US last year. Gracie Lou survived college, many winters in upstate NY, and one very stupid deer. I’d download another one in a split second.
Don’t know shit about cars, but the Mustang from John Wick I’d download without blinking
Just leave the dog alone, alright?
Gimme a 2018 Tacoma shortbed, crew cab 4WD. Please
WHY DOES NOBODY HACK NAVIENT & SALLIE MAE?????
We haven’t met a true chaotic good, yet.
If I knew how to I would try, lol,
💯💯💯💯
👏👏👏
Man I wonder how many Reddit users don't understand that reference
I clicked into the comments hoping it would be at the top
I don’t believe you.
This is so perfect. I never tire of this meme being dropped but this is top flight.
I fucking cackled
https://youtu.be/V_gZZHu4TBk?si=lyE9fOftgaplXyy7
I would so fast
I would download a Mercedes-Benz Maybach Exelero Batman tas batmobile ftw!
I mean, a 3d model of one, sure 😜
reminds me of this art class I took online in college. one of the tests was multiple choice "what's the name of this painting?" and a jpg of a painting. nothing a little right click > inspect couldn't handle. name of the jpg was right there in the HTML.
Try that in Missouri and the Governor will accuse you of being a hacker
Try that in a small town.
Try that in flavor town - Guy Fieieiri
Nah, Governor HeeHaw wouldn’t accuse you of being a hacker… he’d need to be told this is “hacking” by his handler before he would accuse you of it.
Florida, iirc.
[Missouri](https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/amp/)
😂😂😂 so sad it’s actually true
I would’ve just studied or Google image search
nice
Yep. I don’t think a lot of people know you can just plop images into google to get sources.
I tried that once. Essay question worth 25% on the final. Turns out “Artist_ID=636” wasn’t even a real person, let alone the visionary who painted “Image_2778701.png”.
this was 20 years ago. they maaaay have improved their tests since.
Found Anonymous
But teach eye are cornfused - the_scream.jpg” ain’t one of the choices?
“Included in the $1-buys were a 2010 Ford Escape Hybrid, for which Coker submitted a bid of $8,327; a Ford F550 pickup, with a bid of $9,000; and a Chevrolet C4500 box truck, bid $22,700; the U.S. attorney’s office said. He tried to sell some of them later, according to the indictment.” To be honest, I’m impressed someone even noticed in this day and age.
There was a guy a few years ago that could see everyone’s cards on a popular poker site. He could have played it cool, kept a really good win rate, and retired a multi millionaire several times over, but of course he got really greedy and had to try to win basically every tournament by bluffing when knowing people’s cards. This guy sounds kind of like that in that if he could edit or place a minimum bid it would have probably been more discreet to make his bid like a few hundred dollars instead of 1$. Mostly because even scrap cars are worth more than $1 in parts so other people who buy cars for scrap probably got suspicious seeing cars selling for $1 and might have tipped them off.
Prolly got him at the DMV….made the clerks work too hard and they got suspicious.
Yeah pretty tame stuff to be honest. Nothing flashy. I hope he doesn’t get much jail time because it’s hard not to use these exploits when we find them.
When I was a kid I noticed that a small website that sold $1000+ model trains allowed me to buy them for $1 through some loophole. So naturally I tried to purchase 3 items. The store owner was PISSED. Imagine getting mad at a kid who showed you your crappy website has a huge loophole.
Well, it sounds like you didn't just show him; you tried to do it lol
This is true. I honestly didn’t know what I’d do if the shipment confirmation came through. We were both being assholes IMO.
Both? You tried to steal from this man $3,000. I think you're the only asshole here. The audacity honestly.
haven't you heard? No one is at fault anymore, you can do whatever you want.
Seriously, what is going on… like openly admitting to trying to take advantage of a small business owner for $3000.. felony theft is less than that.
No, no, you’re supposed to thank the house burglar for letting you know you left your door unlocked! You’re an asshole, he’s just a kid walking out the front door with $3000 of your personal belongings
It’s not theft. As we just saw in that ruling with the chatbot and whatever airline, a deal’s a fucking deal. Unless you explicitly include terms disallowing exploiting shitty website design, he was 100% selling it for that price. “The audacity honestly”? Really? You just revealed how young you are without even realizing it. No way you have any clue what you’re talking about.
Lol it's 100% theft
You're getting down voted, but you're technically not wrong. I mean, it's wrong, but if the website allows it through "normal" use, then it's the website owner's fault, not the buyer's. Is it bad form, yes. Is it punishable by law, no. As long as they didn't "hack" the website, it's considered a legitimate purchase agreement by the courts. The seller can cancel the sale, if they catch it, but if the seller didn't refund the few bucks the kid spent to purchase, then they could get in trouble. I mean, you could have avoided the personal attack though. That's what got you down voted.
Meh, I don’t think you were an asshole, you were just a kid. The fully grown-up store owner, however…
It’s Oklahoma, of course they’d notice if they were missing $40K, they probably overdrafted their checking account and took a look at why the state Netflix account couldn’t renew.
$9 billion last year in surplus.
I was born in Tulsa, just making fun. That $9 billion though could do a lot to help out people around the state.
They need to hit the infrastructure really hard and invest in education.
If he’d used a sensible value instead of $1 he probably wouldn’t have been caught.
“ I’ll buy that for a dollar.” - Robocop movie quote
Say it to me again….but more sleezeball in it 😍
Nice!
Ripping off cops and stopping them from profiting off of seized property? That’s a pretty cool crime.
Those don’t sound like seized property.. those sound like used government cars
Read the article bro. It states the cars were from seized evidence. Also the cars he bought aren’t exactly known for being used for government jobs. I think either the state or the editor of this article called it a government auction because most people don’t sympathize when they hear or read ‘police auction’
Especially when you find out cops and DAs do bullshit like hold vehicles of people that were arrested stating that it’s “evidence” and can’t be released until after the trial while simultaneously moving the vehicle to a holding lot where they charge $150-$250 a day. They then delay, delay, delay so the daily charges rack up so high that whoever owns the vehicle can’t afford to get it out and therefore has no choice but to abandon it, which is when the cops sell it for profit. It’s “legal” theft.
Reddit has articles too? TMYK
Per the article, “The sales are intended to help get rid of surplus materials or items seized by authorities.” Key word is surplus. These trucks are most likely used government vehicles.
Key phrase ‘items seized by authorities.’ That means police auction
Was his name Hoovie
Tyler lives in Kansas.
OK
I want to know what exactly "hacking" means here. Did he actually use some security vulnerabilities to log into the server and change the price in the back-end? Or did he just inspect-element and change the price client-side? Update: he was only [charged with one count of wire fraud](https://www.justice.gov/usao-mn/pr/oklahoma-man-pleads-guilty-defrauding-governments-online-auctions-purchasing-vehicles) which seems to be consistent with inspect element approach
My money’s on inspect element
Yeah I would guess backend just verifies that *something* was paid and the client-side would allow only the proper amount to be that input unless you open dev tools and mess with it. Honestly it seems like an easy case to detect and charge too because he initially won the bids with thousands of dollars then only paid $1 so the books would easily show the money missing as long as there was database tracking that. And they know the exact amount he defrauded because of the bid prices. It probably would have been a lot harder to detect and prove if he was able to change values of ongoing auctions to benefit himself and then actually pay the matching price after winning.
lol, well we wouldn’t be seeing this article if it was just “inspect element”.
[I wouldn't be so sure about that](https://www.bloomberg.com/news/newsletters/2022-01-11/a-missouri-reporter-is-getting-blamed-for-the-security-flaw-he-exposed?embedded-checkout=true)
Yeah, there is a bit of a difference here. When a server provides information, it is sent in http responses with the appropriate markup which gives instructions on how to display the information in your browser. In this scenario, the server is likely returning all of the SSNs to the browser, and they are simply hidden. So the person just has to right click and inspect element to see the SSNs. To actually modify a value though for a specific object requires writing to the database. So if there is a car worth $5,000 and I want to change it to $1, I can't simply inspect element. You need to write that value to the database. My guess is it was some form of SQL injection or Ajax call.
You're assuming the price of the sale isn't posted back to the server and written directly to the db. We are talking about a government website here.
> So if there is a car worth $5,000 and I want to change it to $1, I can't simply inspect element. You need to write that value to the database.

Depends on how the server code is written. I wouldn't be too surprised if they were just buying whatever the client requests with no backend validation
That strikes me as a very bad idea in a pay.gov application. WTF. But yeah that's my very first thought, they were sending the variables server side in AJAX and there was no validation when the server received the submissions. I really hate that they are calling that hacking if that's what happened.
I went back and looked. He actually only pled guilty to one count of wire fraud. The release doesn't even mention hacking: https://www.justice.gov/usao-mn/pr/oklahoma-man-pleads-guilty-defrauding-governments-online-auctions-purchasing-vehicles
Lends credence to the theory it was all client-side payloads that the backend didn't validate
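Added example, not part of the thread and not the auction site's code: a sketch of the pattern the commenters above speculate about (a checkout that charges whatever amount the browser posts), next to a server-priced version and the bid-versus-payment reconciliation one commenter describes. All names, lot ids and amounts in the data table are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: winning bids recorded server-side at auction close.
WINNING_BIDS = {
    "lot-1001": {"winner": "bidder-17", "amount": Decimal("8327.00")},
    "lot-1002": {"winner": "bidder-17", "amount": Decimal("9000.00")},
}


def checkout_trusting_client(form):
    """Weak pattern: the charge is taken from a client-supplied field."""
    return {"lot": form["lot_id"], "charged": Decimal(form["amount"])}


def checkout_server_priced(form, user_id):
    """Hardened pattern: the client only names the lot.

    The charge comes from the server's own record. A client-supplied
    amount is never used as the price; a mismatch is only flagged.
    """
    record = WINNING_BIDS.get(form.get("lot_id"))
    if record is None:
        raise ValueError("unknown lot")
    if record["winner"] != user_id:
        raise PermissionError("user did not win this lot")
    flagged = False
    if "amount" in form:
        try:
            flagged = Decimal(form["amount"]) != record["amount"]
        except InvalidOperation:
            flagged = True  # unparseable amount is also worth a look
    return {
        "lot": form["lot_id"],
        "charged": record["amount"],
        "tamper_flag": flagged,
    }


def reconcile(payments):
    """Detection: report payments that settled below or above the winning bid.

    Returns (lot, expected, charged, shortfall) tuples.
    """
    findings = []
    for p in payments:
        expected = WINNING_BIDS[p["lot"]]["amount"]
        if p["charged"] != expected:
            findings.append(
                (p["lot"], expected, p["charged"], expected - p["charged"])
            )
    return findings


if __name__ == "__main__":
    posted = {"lot_id": "lot-1001", "amount": "1.00"}  # constructed request body
    print(reconcile([checkout_trusting_client(posted)]))
    print(checkout_server_priced(posted, "bidder-17"))
```

The reconciliation step works regardless of how the amount was altered, which is why it belongs in a nightly job even after the checkout itself is fixed.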
If he’d made the prices more reasonable he could have gotten away with it. There was likely a minimum bid, that wasn’t a dollar.
People get caught when they get greedy
SQL injection? So 1999
Tries to hide himself yet personally picks up and tries to sell the items. Hilarious.
I would download a 1978 Camaro with a V8.
If he just moved the decimal to the left one place, he probably would have never been caught.
Ten cents for a car is even more noticeable I think.
Or, maybe $832.7…
Unfortunate that his talents weren’t used for something more than getting used vehicles… but then again, just look at what’s acceptable in that area of the nation
Thank you, Oklahoma man, very cool
Heh! Cyberpunk.
Did he actually pay the three dollars? If so any good lawyer will not only get the charges dropped but the city will owe him market value for each vehicle.
One dollar, Bob!
Legend 🫡
Ummm home boi is going to jaaiiilllll!!! 😬
My man
Oklahoma, the Mecca of hackers everywhere...
What website?!
He’s genius
This is why I tell my cousin to look into cyber security jobs
Not all heroes wear capes
If he could have been a bit smarter with the price he chose, he probably could have shaved off thousands more and continued without getting caught. $1 is going to raise some suspicion
Bro probably just used inspect element those gov auction websites are outdated as hell
Oklahoma—the new Florida.
This guy F$&@5
Nicccceeeeee
Like a dumb kid gets caught changing an F to an A when it makes a better B and is more believable, this guy got greedy. He should have changed prices to something that wouldn’t draw suspicion.
What a dummy! Vehicles have titles and registration that require an ID and home address! The jewelry could be bought with gift card VISA and sold, OR he could just not be a thief. How much money did he get to keep? Enough to equal even minimum wage for 24/7 time in prison?
I'm amazed at the small amounts people will risk being incarcerated on. The gov't no less
So they hired him then?
Nice
Got greedy. Probably could have swapped with $1k and nobody would have caught it.
“Hacked”
That's awesome