I have a funny story about the recent Hello Barbie networked-device security failure. This is doubly a repost – it started its current incarnation as a Twitter rant, and longtime readers may remember it from the dim recesses of history, but the time has come for me to tell it again.
Back in 2007 Mattel had a site where they’d charge parents two bucks to have one of Mattel’s franchise characters give their child a real phone call, because people still did that in 2007. They’d let you hear the call before paying, which I suppose was good of them, but I poked around a bit and pretty quickly discovered that whatever company Mattel had hired for this was not so good with the infosec.
The subject of the calls – Dora would say it’s important to learn to read or help around the house, Barbie would tell you to work hard in school, that sort of thing – was pretty pedestrian, harmless despite the weirdly Reagan-era-esque Kid-Celebrities-Help-You-Just-Say-No-To-Drugs vibe. But the indexes on the folders storing all those component sound files they’d assemble into your custom call were wide open.
And the other thing lying around on those open shares was recordings of names. To reach a wide audience they’d recorded some unstoppably perky young woman reciting kids’ first names, Aaron, Abbot, Abby, Abigail, Adana, Adena, in an upbeat Barbie-girl voice, every single one. And there I was with a pile of free disk space, university bandwidth, wget and why not.
There were seventeen thousand of them.
After a bit of experimentation, I figured out how to stitch them all together with .4 seconds of silence between each. The resulting audio file was almost five hours long; four hours and forty-five minutes of relentless Barbiedoll voice reciting seventeen thousand first names in alphabetical order.
To my knowledge, nobody has ever listened to the whole thing.
Of the six attempts I’m aware of, four were called off when the death threats started, one due to the near-breakup of the couple making the attempt, and one person drinking themselves to unconsciousness at about the 90 minute mark. I’m not saying that to make a joke. I’m telling you because this is real and it’s an SCP-grade psychic biohazard. No highly esteemed deed was committed here; this is not a place of honour.
So don’t say I didn’t warn you.
For your listening pleasure: here it is.
Have a good weekend, Internet.
UPDATE: Somebody made a YouTube video.