Rob Graham (@erratarob@infosec.exchange)
28 tweets, 12 min read

1/ Okay, time to use a Visa gift card and a disposable e-mail address and explore the technical details behind this "Trump NFT". I'm posting this thread to Twitter even though I suspect most followers are Mastodon (meaning, 280char limitation).

2/ As usual, they have a privacy policy that states "your privacy is important" and "we can and will violate it for any reason". I'm using a separate email address to track in the future when they sell my private info. I expect to get Trump campaign ads to this address in 2024.

Their main website has a FAQ. This isn't campaign related (they rightly fear campaign finance laws). It's possible they already paid Trump Org a lump sum, regardless of how many they sell. Trump's Organization makes most of its money simply licensing the Trump name.

I have now bought one. A $100 gift card was rejected due to "insufficient funds", but a $300 gift card worked. It's been over 10 minutes, and I still haven't received the NFT in the email.

Here's a news story with some details on what's going on.
[Link preview: Donald Trump Announces $99 Digital Trading Card NFTs]

The contract is public on the Polygon blockchain (a sidechain of Ethereum with dramatically lower transaction fees popular for NFTs). As we can see, roughly 23 thousand (out of a total of 45,000) have been minted so far. An hour ago, it was 22 thousand.
[Link preview: PolygonScan token page for contract address 0x24a11e702cd90f034ea44faf1e180c0c654ac5d9]

7/ One of the reasons I'm doing this thread is to answer this question. You can either use a wallet OR buy with a credit card.
But your NFT is only meaningful if you have a wallet, so what happens when people buy with credit card without a wallet???????

8/ After about 20 minutes it finally arrived in my email inbox. Before I bought the NFT it had me create an account with a company called "web3auth", which in turn created a web-accessible wallet with "tor." In other words, it created a wallet for me.
[Link preview: Torus Labs | Open-Source Key Management. Torus is the most secure passwordless authentication and private key management platform with the security guarantees of non-custodial Public Key Infrastructure (PKI)]

9/ You all can view my NFT. It's on the Polygon blockchain. OpenSea is the most popular way of viewing/trading such things, but since NFTs are a standard contract on a blockchain, anything can be used to view/trade them.
opensea.io/assets/matic/0…

10/ So what did I get for my $99? What I got were these three things:
1. Matic (aka, Polygon) blockchain
2. contract identified as 0x24A11e702CD90f034Ea44FaF1e180C0C654AC5d9
3. token #22884 in that contract
I now have control over token #22884.

11/ It appears the token was minted and assigned to my wallet almost immediately — it just took 20 minutes for the email to arrive informing me of that fact.

12/ Using a blockchain explorer for that contract address, I can enter the token #22884 and see what it points to. It points to this URL.

That's what an NFT points to. It doesn't even point to an image, it points to a URL. If that URL disappears, then the NFT points to nothing.

What's at this URL? The image? Nope -- it's metadata about the image.
cards.collecttrumpcards.com/data/22/22884…

That metadata finally points to a URL of the image. But the website can change that image any time it likes. One of the things cypherpunks like to do is mint NFTs where the website returns different images depending upon what you use to read the NFT.
cards.collecttrumpcards.com/cards/sb96fied.
There are ways of creating fully decentralized NFTs, using the cryptographic hash of the image accessible via such things as IPFS or BitTorrent. But most choose to centralize the NFT, defeating the entire point of using a blockchain.

According to the FAQ on the CollectTrumpCards.com website, it's randomly assigned which image you'll get for your token. Some images have only 2 tokens that'll match them, some up to 20. That implies at least 2,000 distinct images.
[Link preview: CollectTrumpCards | Donald Trump Digital Trading Card NFTs. The Only OFFICIAL Digital Trading Card NFT Collection Celebrating the Life and Career of 45th U.S. President Donald Trump. Collectible Digital Art with a Chance to Win in the Trump Sweepstakes.]

But even then, the images are built from re-used components, like my token #22884 and token #22891. Swap the background, add a hat, and you have a "new" image.

So the answer to this question: they are all different, but they are all the same.

They are up to token #26443 so far. You can compare this to the tweet above from an hour ago to see that around 1000 have been minted in the last hour. Note: they could be "minting" them but not actually selling them.

If you are a hacker like me, this is the first sort of thing you'll think of -- just download all the NFTs and their metadata from the website:

As you can see, the elements in mine are the most common, with the character=" face="Smile", hat="Red Golf" "Blue Suit Finger Point".

Since the URLs exist regardless of what's on the blockchain, you should be able to download all the future ones, find the rarest, then time your purchase just right to snag a rare one. They've thought of that: the URL isn't active until the blockchain mints it:

Even single-line scripts have bugs:

I'm stupid. It seems that OpenSea already tracks these traits so I don't have to write a script to do it myself. It's right there in the URL if I just read the webpage instead of diving straight into code.
As this person politely points out (thanks for the compliment), this is indeed a common thing for NFTs. Though only for a certain class of NFTs, not as they imply, all NFTs.

As Adam points out, yes, sometimes people get prosecuted for simply editing a URL to get to things that may not be intended, and writing small scripts like that simply increment the number.

The courts haven't yet figured out whether it's actually a crime. Intentional "unauthorized" access is a crime. But if they put something on a website publicly accessible with no password, is it "unauthorized" for the public to access it? Or maybe it's only authorized if average users can access it, but not if it requires techies w/ a script?

Uh, I just now logged into that wallet they created for me -- and the NFT isn't there.
The NFT was assigned to the wallet: 0x04Ceb...{9786
The wallet they created for me is: 0x7b59...f5818
So I don't actually have the NFT I supposedly own.

This could only happen paying with a credit card, something failed in the backend creating the virtual wallet. Had I used a real crypto wallet, this probably wouldn't have occurred.

They do have support, so I entered something. But they have no trouble ticketing system,
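
The token -> metadata -> image chain walked through in the thread, next to the hash-based alternative it mentions, as an added example that is not part of the original thread and is not the site's or the contract's code. Every URI, CID, metadata document and image byte string below is a constructed placeholder, and the function names are hypothetical.

```python
import hashlib
import json
from urllib.parse import urlparse

def classify(uri):
    """Who decides what this URI resolves to?"""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ipfs":
        return "content-addressed"  # address is derived from a hash of the bytes
    if scheme == "data":
        return "inline"             # bytes are embedded in the URI itself
    if scheme in ("http", "https"):
        return "mutable"            # the web server picks the response per request
    return "unknown"

def audit_chain(token_uri, metadata_json):
    """Classify both hops: token -> metadata document -> image."""
    image_uri = json.loads(metadata_json).get("image", "")
    return [("tokenURI", token_uri, classify(token_uri)),
            ("image", image_uri, classify(image_uri))]

def is_anchored(chain):
    """True only if no hop can be changed by whoever runs a web server."""
    return all(kind in ("content-addressed", "inline") for _, _, kind in chain)

def image_unchanged(image_bytes, pinned_sha256):
    """Compare image bytes fetched now with a digest recorded at purchase."""
    return hashlib.sha256(image_bytes).hexdigest() == pinned_sha256

# Constructed samples: hosts, paths and CIDs are placeholders, not real values.
WEB_URI = "https://cards.example.invalid/data/0/1"
WEB_META = json.dumps({"name": "Card #1",
                       "image": "https://cards.example.invalid/cards/a.png"})
IPFS_URI = "ipfs://EXAMPLE-METADATA-CID/1.json"
IPFS_META = json.dumps({"name": "Card #1",
                        "image": "ipfs://EXAMPLE-IMAGE-CID"})
MIXED_META = WEB_META  # hashed metadata that still names a web-hosted image

PIN = hashlib.sha256(b"original image bytes").hexdigest()

if __name__ == "__main__":
    for label, uri, meta in [("web", WEB_URI, WEB_META),
                             ("ipfs", IPFS_URI, IPFS_META),
                             ("mixed", IPFS_URI, MIXED_META)]:
        chain = audit_chain(uri, meta)
        print(label, [kind for _, _, kind in chain], "anchored:", is_anchored(chain))
    print("swap detected:", not image_unchanged(b"swapped image bytes", PIN))
```

The "mixed" case is the one that is easy to miss: hashing the metadata fixes the image URL, but the host at that URL can still serve different bytes, which only a recorded digest of the image itself will reveal.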