Back in the day (1960s?) two relatives of mine had a prank battle going on. One of them posted an ad in the local newspaper offering to buy old Christmas trees, at the address of their adversary. Half the city showed up, were told trees were not in fact being bought, and everybody dumped the trees at their door.
Reminds me of the story in Pranks[1] (I got my copy at a garage sale V. Vale was having in SF years ago!) about an even more vicious prank - advertising for workers to help demolish a home - while its owner was out of town...
Back in the Depression, my grandfather and a friend posted an ad. It claimed to be a medical laboratory who needed cats for an experiment, and offering $0.25 per cat if people would bring their cats to the local train station at whatever time.
Of course there were no lab representatives waiting at the appointed time, so lots of people just dumped their cats (or perhaps they were feral cats that they rounded up?) at the train station. The neighborhood was infested with them for some time after that.
Unusually for gramps, he actually proved that this particular story was true. He actually had a newspaper clipping that told the story.
Seems like a great way to stock up your firewood supply for the next winter, if you manage to target it in a way that doesn't cause half the city to show up, but maybe a little less than that?
It reminds me of a newspaper ad I saw 20 years ago which read "Free monkey and 10 pounds of monkey food. call 555-555-5555". Well the gentleman that answered did not have a monkey for sale, and was quite rude about it.
Had a roommate in graduate school whose friend listed his car (and phone number) on craigslist for a ridiculously low price. His phone was ringing off the hook for like two days until he was able to get it taken down.
This reminds me of a classic (non-internet powered) version of this where every business in London was sent to some unsuspecting resident's address in order to win a bet, clogging the streets in the process: The Berners Street Hoax of 1810.
What I love about this is that it's a textbook example of a reflection DoS attack (https://en.wikipedia.org/wiki/Denial-of-service_attack#Refle...) - you send a message with a spoofed reply-to address, such that the message you sent (in this case, a letter) is much cheaper than the response eventually sent to the victim (in this case, tradespeople / goods / dignitaries).
Just to point out some possibly ambiguous phrasing, but the person pulling the prank was trying to win the bet - the tradespeople and visitors were called there to use their services (i.e. chimney sweeps thought they were going to sweep a chimney), not that they themselves were going to claim some prize.
This is what happens when optimists win and the realists are cut out of the conversation.
As a taxi service, I believe I would want to know if I'm about to have a shortage of taxis in any one area of town, and I'd better only have a concentration in one area of town for an event the entire world is talking about, like a reunion tour or a championship game.
Even with the hack, the moment all of the taxis started converging on one area of town, alarms should have been going off and managers should have been asking questions. But that's not what happened, because we say yes the moment money enters the conversation, without bothering to ask what it says about you as a person if you'll do anything for money, or for that matter if the money is even real or just a trick to get our attention.
It’s already so hard to build a large company, you just don’t have the resources to chase super rare, low pain outcomes.
This is the first time this has happened and the total cost of it is at most a few hours revenue. They’ll likely add safeguards to prevent such a thing now, but if they ran the company preparing for every possible way things could go wrong, they’d get absolutely nothing done.
This is more of what happens when you do the least effort to build a product to make a buck. They're probably optimized for the average happy path, however flooding isn't a concern until someone gets upset.
Yandex in particular has a system where it would dynamically adjust the price to prevent that sort of thing happening. When many people want to order a taxi to the same place, it gets really expensive, really fast. Uber does that too. This normally works well, but I feel like this hack bypassed the normal ordering system entirely and just sent bogus orders straight to drivers.
In most areas taxi companies use a zone-based system where cars flag what zone they're in (rarely automatically using GPS and more often via button presses). This is an effort by the cab company to keep their vacant vehicles well distributed to keep a high response rate and increase customer turnover.
It also happens to have the side benefit that an operator watching the flagged zones would be able to see this kind of an issue happening in advance and maybe check into why every cab is suddenly bee-lining it to zone 3.
There are always going to be individuals that say yes the moment money enters the conversation, as long as food and housing cost money and there is the possibility of going without.
Yandex.Taxi, like Uber (in fact, they merged with Uber in Russia), is not really a 'taxi service', they're a marketplace.
A real taxi firm would notice and stop taking new calls to the address, but Yandex.Taxi aren't really 'dispatching' taxis, they're just advertising jobs, and letting drivers respond in real time.
In fact, I'd imagine that almost none of the orders placed are reviewed in realtime, and the only indicator that anyone would have had for this to begin with would have been a higher than average number on the dashboard for 'trips requested today' - an interesting metric, but not something that I would expect to be monitored closely in real time.
I'd imagine there's a 'no show' procedure that doesn't involve human oversight, so the first couple of drivers likely arrived at the address, waited a few minutes, then coded in the no show and moved on to different jobs.
This is also likely a metric on a dashboard which would have been the second indicator - booking cancellations/no-shows/driver rejections. But again, it's an analytics metric, rather than realtime actionable business intelligence, so it's the sort of thing that gets put into weekly reports. Maybe someone would have seen it and thought 'huh, that's a bit high', but probably didn't trigger any alarms.
Eventually a curious taxi driver would start to question why there are so many taxis outside this address, and would get out of his car and chat to his colleagues. They'd identify that they'd all been asked to the same address, and probably all cancel together and drive off.
MAYBE the third indicator here would be a call from one of the drivers to customer support, letting them know about the 'system glitch' that meant multiple taxis were waiting at the same address, but it's equally possible that the drivers just moved onto their next fare without reporting any issue.
So potentially, the first time that anyone at YT realised there was a serious issue was already 10-15 minutes after the incident occurred, by which time, it's already late. On top of that, it's unlikely that they have a way to easily and effectively cancel all bookings to a particular address.
I don't have any details on the hack itself or YT's infrastructure, so it may have been very difficult to identify and cancel the fraudulent bookings en masse (e.g.: fuzzed addresses, booking times, different users, card details not stored or different card numbers used, etc.).
By the time it got escalated to any technical teams, we're already likely 30-40 minutes into the incident itself, at which point they have to analyse what is happening, trace how it happened, and identify a fix.
With the immediate nature of taxi booking (I want a taxi NOW, not in 45 minutes), it doesn't surprise me that an incident like this can occur before any technical measures can be put in place to stop or mitigate it.
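The indicators listed in the comment above (a pile-up of bookings to one address, then no-shows, then a driver calling in) are all things a booking pipeline could check on the way through rather than on a weekly dashboard. The following Python is an added illustration, not Yandex.Taxi's code or anyone else's from this thread: a sliding-window monitor that alerts when bookings to one address or one dispatch zone exceed a limit, holds further bookings to a flagged address for review instead of pushing them to drivers, tracks the no-show rate for dispatched bookings, and provides the bulk "cancel everything open to this address" operation the comment notes is probably missing. All thresholds, addresses, user ids and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Booking:
    ts: int                # seconds on a constructed timeline
    booking_id: str
    user_id: str
    address: str           # normalised pickup address
    zone: str              # dispatch zone the address falls in
    status: str = "open"   # open | held | no_show | cancelled


class DispatchMonitor:
    """Real-time checks on a stream of ride bookings (illustrative thresholds).

    Sliding-window counters per pickup address and per zone. Crossing the
    zone limit raises an alert for the operator; crossing the address limit
    raises an alert and, for the rest of the window, holds further bookings
    to that address for review instead of pushing them to drivers."""

    def __init__(self, window_s=600, addr_limit=4, zone_limit=15):
        self.window_s = window_s
        self.limits = {"address": addr_limit, "zone": zone_limit}
        self.bookings = {}                                        # id -> Booking
        self.recent = {"address": defaultdict(deque), "zone": defaultdict(deque)}
        self.flagged = {"address": {}, "zone": {}}                # key -> ts flagged
        self.dispatched = set()                                   # ids pushed to drivers
        self.alerts = []                                          # (ts, kind, key, count)

    def _expire(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and dq[0] < now - self.window_s:
            dq.popleft()

    def ingest(self, b):
        """Return 'accepted' (sent to drivers) or 'held' (parked for review)."""
        self.bookings[b.booking_id] = b
        decision = "accepted"
        for kind, key in (("address", b.address), ("zone", b.zone)):
            dq = self.recent[kind][key]
            self._expire(dq, b.ts)
            dq.append(b.ts)
            flagged_at = self.flagged[kind].get(key)
            stale = flagged_at is None or b.ts - flagged_at >= self.window_s
            if stale and len(dq) > self.limits[kind]:
                # First crossing of the limit in this window: one alert.
                self.flagged[kind][key] = flagged_at = b.ts
                self.alerts.append((b.ts, kind, key, len(dq)))
            if kind == "address" and flagged_at is not None \
                    and b.ts - flagged_at < self.window_s:
                decision = "held"
        if decision == "held":
            b.status = "held"
        else:
            self.dispatched.add(b.booking_id)
        return decision

    def mark_no_show(self, booking_id):
        """Driver arrived, nobody there: the second indicator in the thread."""
        self.bookings[booking_id].status = "no_show"

    def no_show_rate(self, address):
        """Fraction of bookings actually dispatched to an address that no-showed."""
        sent = [b for b in self.bookings.values()
                if b.address == address and b.booking_id in self.dispatched]
        if not sent:
            return 0.0
        return sum(b.status == "no_show" for b in sent) / len(sent)

    def cancel_address(self, address):
        """Bulk-cancel every open or held booking to one address; returns the ids."""
        ids = [bid for bid, b in self.bookings.items()
               if b.address == address and b.status in ("open", "held")]
        for bid in ids:
            self.bookings[bid].status = "cancelled"
        return ids


def sample_bookings():
    """Constructed stream: three ordinary bookings, then a burst of eight
    bookings from eight different accounts to one address in one zone."""
    normal = [Booking(0, "b0", "u0", "Example St 1", "Z1"),
              Booking(30, "b1", "u1", "Example St 9", "Z2"),
              Booking(60, "b2", "u2", "Sample Ave 4", "Z3")]
    flood = [Booking(100 + 5 * i, f"f{i}", f"acct{i}", "Flood Prospect 7", "Z3")
             for i in range(8)]
    return normal + flood


def run_demo():
    mon = DispatchMonitor(addr_limit=4, zone_limit=15)
    decisions = [mon.ingest(b) for b in sample_bookings()]
    # The drivers who reached the address before it was flagged report no-shows.
    for bid in ("f0", "f1"):
        mon.mark_no_show(bid)
    cancelled = mon.cancel_address("Flood Prospect 7")
    return {"alerts": mon.alerts, "decisions": decisions, "cancelled": cancelled,
            "no_show_rate": mon.no_show_rate("Flood Prospect 7")}


if __name__ == "__main__":
    print(run_demo())
```

With these thresholds the fifth booking to the same address inside ten minutes fires the alert and every later one is held, so only four drivers are ever sent, and the bulk cancel clears the rest; the no-show rate per address is what would distinguish a genuine crowd at a venue (people do get in the cars) from a hoax. Keying the counters on a normalised address is the weak point the comment already anticipates: slightly varied addresses would spread the count, which is why the zone counter sits beside it.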
Who is cutting anyone out of the conversation? You sell your product and if I care for 100% uptime, I'll pay for it. I actually don't. I can route through lots of stuff for appropriate savings and most people can.
No one wants this single pair of instances in a Tier 4 datacenter that host a single key-pair authenticated process with dual manual approval and an air-gap that dispatches one taxi (and precisely one taxi) every 30 days on a route where it can be guaranteed to hit its time prediction.
Any fool can build a bridge that stands. It takes an engineer to build a bridge that barely stands.
This is also something that's oddly absent from the self-driving debates. Mass deployment of the same models or APIs in automated systems is very brittle because it means errors are highly correlated. It's like a form of central planning.
Individual drivers or individual taxi firms in a market, due to their decentralization, are much more robust to any kind of individual failure.
People often ask "is the car smarter than the driver?" but the correct question would be if the car, or system is more diverse than the aggregate knowledge of all the participants.
Yes. Additionally, this is a commonly cited win of cars in cars v. public transport. You can take your car anywhere in the zombie apocalypse*, whereas any system that requires central planning (trains) are more likely to break.
Making cars (human or machine driven) depend on a centralized service basically takes away that advantage.
A related one - today is the first, and thus kind of celebrated, day of school in the former-USSR territories, like Russia and Ukraine, and the top Russian TV channels in Crimea were hacked to broadcast a Zelenskiy speech congratulating schoolchildren there on the first day of school https://focus.ua/voennye-novosti/527684-hakery-postaralis-ob...
I suspect you're kidding, but you know, having lived through a few very long traffic jams I could imagine some scenarios where I'd be willing to pay for:
1) Rickshaw or cargo bike with a narrow pull along trailer to let me use the bathroom
2) Similar setup with food and drink
3) Similar setup with a few gallons of gas if I've gotten a bit too close to empty
4) More expensive (XL?) version of the service where I am getting delivery from a helicopter (since drones flying over congested traffic is not an FAA approved delivery method)
You might not be able to make this a daily thing, but when things get bad I suspect the margins might be unreal.
I used to be a taxi driver and anytime something looked to be turning into a major clusterfuck like that I’d just get the hell out.
One night Modest Mouse played downtown Phoenix and went past the time light rail stopped running on weeknights. Same thing happened, basically everyone who took the train called for a cab. Once I realized what was happening I just grabbed the first group who flagged me down and got the hell out of there.
What I especially like about the video is it is completely obvious something isn’t right and they’re all still trying to get to the pickup point.
Many drivers do not read the passengers' comments on the order. Anyone who took a second to read this comment would've understood that there is something fishy here.
Someone hacked #YandexTaxi and ordered all available taxis to Kutuzov Prospect in Moscow. Now there is a huge traffic jam with taxis. It's like a James Bond movie.
I think you are right. I think the unknowns are, how tiny will the script be that commands all the cars into a lake and will it be a cloud hack or a local broadcast hack?
There were already such bugs before, and my analysis is that even the older ECU cars before the 2000s had such bugs, just nobody bothers to look for them (also ECUs have been causing deaths from bugs but they just assume it's the driver's fault). Self-driving cars will be the next order of magnitude of problems. ECU 1x, smart 10x, self driving 100x.
> In July 2015, IT security researchers announced a severe security flaw assumed to affect every Chrysler vehicle with Uconnect produced from late 2013 to early 2015.[120] It allows hackers to gain access to the car over the Internet, and in the case of a Jeep Cherokee was demonstrated to enable an attacker to take control not just of the radio, A/C, and windshield wipers, but also of the car's steering, brakes and transmission.[120] Chrysler published a patch that car owners can download and install via a USB stick, or have a car dealer install for them.[120]
I’ve had this worry for years of a state level attack via network connected FSD cars. But I’m hardly alone, it was shown in a Fast and Furious movie, so people are thinking of it.
No, the future is to command all self driving cars to immediately accelerate to 100 mph and do not stop for whatever reason no matter what. Pure remote code execution.
inasio|3 years ago
blacksmith_tb|3 years ago
1: https://www.researchpubs.com/shop/p/pranks
CWuestefeld|3 years ago
meibo|3 years ago
frogperson|3 years ago
v8xi|3 years ago
upsidesinclude|3 years ago
hangsi|3 years ago
https://en.wikipedia.org/wiki/Berners_Street_hoax
ekimekim|3 years ago
googlryas|3 years ago
hinkley|3 years ago
tjs8rj|3 years ago
monksy|3 years ago
grishka|3 years ago
munk-a|3 years ago
tenebrisalietum|3 years ago
d1sxeyes|3 years ago
renewiltord|3 years ago
konart|3 years ago
Yandex has thousands of cars here in Moscow. There were around 60 in this jam on the prospect.
So most likely not "ordered all available", but "the order was forwarded to all available in the radius" or something like that.
Surely you can't order a car in Yandex Taxi, much less order all of them or even a car from another part of the city.
nikau|3 years ago
https://www.reddit.com/r/Damnthatsinteresting/comments/x3neh...
r721|3 years ago
b1n|3 years ago
Without knowledge of Russian or context this could just be taxis on some sort of protest rally.
r721|3 years ago
https://news.ycombinator.com/item?id=32682199
mr_toad|3 years ago
Barrin92|3 years ago
karmanyaahm|3 years ago
* assuming you have enough fuel/battery
tpmx|3 years ago
andrewxdiamond|3 years ago
trhway|3 years ago
robot9000|3 years ago
fblp|3 years ago
gvb|3 years ago
https://www.thedrive.com/news/a-swarm-of-self-driving-cruise...
DonHopkins|3 years ago
jammr.com: It's like Uber for Traffic Jams!
EwanG|3 years ago
doesnotexist|3 years ago
crtasm|3 years ago
smm11|3 years ago
eps|3 years ago
wmeredith|3 years ago
MaKey|3 years ago
cafard|3 years ago
UncleEntity|3 years ago
dm33tri|3 years ago
nivertech|3 years ago
squarefoot|3 years ago
Gunnerhead|3 years ago
https://www.bloomberg.com/news/articles/2022-02-28/uber-to-a...
jetzzz|3 years ago
unixbane|3 years ago
aaur0|3 years ago
late2part|3 years ago
katazd|3 years ago
josephd79|3 years ago
throwaway14356|3 years ago
donkarma|3 years ago
LinuxBender|3 years ago
reaperducer|3 years ago
My prediction: Ransomware hits self-driving cars.
You're locked in the car until you Venmo the bad guys some credits.
To encourage compliance, the stereo starts playing the sound of running water.
fffobar|3 years ago
unixbane|3 years ago
> https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect
quantumduck|3 years ago
The worst part is they were never really transparent about what the issue was.
nytesky|3 years ago
marginalia_nu|3 years ago
hedora|3 years ago
xwdv|3 years ago
aaron695|3 years ago
jbverschoor|3 years ago
gaius_baltar|3 years ago
You can also search for #YandexTaxi : https://nitter.42l.fr/search?q=%23YandexTaxi
edm0nd|3 years ago
r721|3 years ago
rdxm|3 years ago