1/ Okay, time to use a Visa gift card and a disposable e-mail address and explore the technical details behind this "Trump NFT". I'm posting this thread to Twitter even though I suspect most followers are on Mastodon (meaning, 280char limitation).
2/ As usual, they have a privacy policy that states "your privacy is important" and "we can and will violate it for any reason".
I'm using a separate email address to track in the future when they sell my private info. I expect to get Trump campaign ads to this address in 2024.
3/ Their main website has a FAQ.
This isn't campaign related (they rightly fear campaign finance laws).
It's possible they already paid Trump Org a lump sum, regardless of how many they sell. Trump's Organization makes most of its money simply licensing the Trump name.
4/ I have now bought one. A $100 gift card was rejected due to "insufficient funds", but a $300 gift card worked.
It's been over 10 minutes, and I still haven't received the NFT in the email.
5/ Here's a news story with some details on what's going on.
coindesk.com/web3/2022/12/1…
6/ The contract is public on the Polygon blockchain (a sidechain of Ethereum with dramatically lower transaction fees popular for NFTs).
As we can see, roughly 23 thousand (out of a total of 45,000) have been minted so far. An hour ago, it was 22 thousand.
polygonscan.com/address/0x24a1…
7/ One of the reasons I'm doing this thread is to answer this question. You can either use a wallet OR buy with credit card. But your NFT is only meaningful if you have a wallet, so what happens when people buy with credit card without a wallet???????
8/ After about 20 minutes it finally arrived in my email inbox.
Before I bought the NFT it had me create an account with a company called "web3auth", which in turn created a web-accessible wallet with "tor.us".
In other words, it created a wallet for me.
9/ You all can view my NFT. It's on the Polygon blockchain. OpenSea is the most popular way of viewing/trading such things, but since NFTs are a standard contract on a blockchain, anything can be used to view/trade them.
opensea.io/assets/matic/0…
10/ So what did I get for my $99? What I got were these three things:
1. Matic (aka. Polygon) blockchain
2. contract identified as 0x24A11e702CD90f034Ea44FaF1e180C0C654AC5d9
3. token #22884 in that contract

I now have control over token #22884.
opensea.io/assets/matic/0…
11/ It appears the token was minted and assigned to my wallet almost immediately -- it just took 20 minutes for the email to arrive informing me of that fact.
12/ Using a blockchain explorer for that contract address, I can enter the token #22884 and see what it points to. It points to this URL.
That's what an NFT points to. It doesn't even point to an image, it points to a URL.
If that URL disappears, then the NFT points to nothing.
13/ What's at this URL? The image? Nope -- it's metadata about the image.

cards.collecttrumpcards.com/data/22/22884.…
14/ That metadata finally points to a URL of the image.
But the website can change that image any time it likes.
One of the things cypherpunks like to do is mint NFTs where the website returns different images depending upon what you use to read the NFT.
cards.collecttrumpcards.com/cards/3b96f1cd…
15/ There are ways of creating fully decentralized NFTs, using the cryptographic hash of the image accessible via such things as IPFS or BitTorrent.
But most choose to centralize the NFT, defeating the entire point of using a blockchain.
16/ According to the FAQ on the CollectTrumpCards.com website, it's randomly assigned which image you'll get for your token. Some images have only 2 tokens that'll match them, some up to 20.
That implies at least 2,000 distinct images.
17/ But even then, the images are built from re-used components, like my token #22884 and token #22891. Swap the background, add a hat, and you have a "new" image.
18/ So the answer to this question: they are all different, but they are all the same.
19/ They are up to token #26443 so far. You can compare this to the tweet above from an hour ago to see that around 1000 have been minted in the last hour.
Note: they could be "minting" them but not actually selling them.
20/ If you are a hacker like me, this is the first sort of thing you'll think of -- just download all the NFTs and their metadata from the website:
21/ As you can see, the elements in mine are the most common, with the character="Blue Suit Finger Point", face="Smile", hat="Red Golf"
22/ Since the URLs exist regardless of what's on the blockchain, you should be able to download all the future ones, find the rarest, then time your purchase just right to snag a rare one. They've thought of that: the URL isn't active until the blockchain mints it:
23/ Even single-line scripts have bugs:
24/ I'm stupid. It seems that OpenSea already tracks these traits so I don't have to write a script to do it myself. It's right there in the URL if I just read the webpage instead of diving straight into code.
opensea.io/assets/matic/0…
25/ As this person politely points out (thanks for the compliment), this is indeed a common thing for NFTs. Though only for a certain class of NFTs, not as they imply, all NFTs.
26/ As Adam points out, yes, sometimes people get prosecuted for simply editing a URL to get to things that may not be intended, and writing small scripts like that which simply increment the number.
The courts haven't yet figured out whether it's actually a crime.
27/ Intentional "unauthorized" access is a crime.
But if they put something on a website publicly accessible with no password, is it "unauthorized" for the public to access it?
Or maybe it's only authorized if average users can access it, but not if it requires techies w/ a script?
28/ Uh, I just now logged into that wallet they created for me -- and the NFT isn't there.
The NFT was assigned to the wallet: 0x04Ceb...f9786
The wallet they created for me is: 0x7b59...f58f8

So I don't actually have the NFT I supposedly own.
29/ This could only happen paying with a credit card, something failed in the backend creating the virtual wallet. Had I used a real crypto wallet, this probably wouldn't have occurred.
They do have support, so I entered something. But they have no trouble ticketing system.
30/ Ok, solved (thanks @mvaneerde).
1. go to app.openlogin.com
2. "View Authorized Apps"
3. Click on that tiny blue download button in the bottom right
4. this downloads the PRIVATE ethereum key
31/ Next, using any wallet, import the key. I'm just going to use the online wallet they gave me. Click on the settings thingy in the upper right and "Import Account", and paste that private ethereum key.

Then you'll see it's found your "Collectibles" on the blockchain:
32/ This Torus Wallet doesn't allow me to do anything with it other than transfer. But the NFT is on the blockchain. I could in theory import the Ethereum private key into any wallet. In practice, they don't make it easy.
33/ So what if you want to sell it? The easiest way is probably just using opensea.io. Go to the website and hook it up with your tor.us wallet above. Just go to OpenSea, even without creating an account, go to "profile" and connect to Torus.
34/ After going through the authentication, you can now click on your NFT and sell it. There are already offers for it. I can just accept this offer and it's sold, getting Ethereum deposited into my account.
35/ I think these offers are purely within OpenSea (not on the blockchain). Let's accept one and see what happens.
36/ The problem is that OpenSea needs some funds (a tiny amount) to complete the transactions. Every transaction on the blockchain costs coins. So it needs a small amount to start the transaction.
So I have to add like $5 to my wallet.
37/ I'm struggling through the various providers. They don't seem to want to accept my anonymous debit cards.
38/ I backed out and tried the transaction again from scratch. (It's not logical it should cost ETHER). I keep bouncing between OpenSea and the Torus wallet telling them it's confirmed/authorized, with both of them popping up errors that I ignore.
39/ I've got all these windows open trying to get this thing authorized. I'm not sure exactly what was going on between Torus and OpenSea. I'm sure it means something can get hacked in there.
40/ I could complete the transaction because somehow Torus dropped $5 worth of the MATIC (meaning Polygon sidechain) token into my account. I have to figure out where that came from and why. I couldn't actually buy any with my debit cards.
41/ But anyway, a person named "lululemons" is now the proud owner of the NFT I bought.
42/ Anyone can see the transaction on the Polygon sidechain:
43/ Using some tool to explore the blockchain, you'll see this data. You can see the small transactions for the various contracts involved, plus the $42 worth of Ether transferred to me.
polygonscan.com/tx/0xb9b3398f0…
44/ And a separate part of the transaction is the NFT going the other way to the buyer, at the bottom of this screenshot.
45/ The various transaction fees involve paying contracts. Using my private key (using Torus), I've told my NFT to allow a specific OpenSea contract to trade the token. That contract in turn works with the buyer's tokens, because the buyer authorized.
46/ That OpenSea contract then does the swap on the blockchain. Note that it's the OpenSea contract that does the exchange, completely decentralized. It's a contract that OpenSea posted to the blockchain some time in the past.
47/ Anybody can use that same OpenSea contract to swap NFT tokens for Ether tokens. Even if OpenSea disappears, we can still use that contract, because it's still on the blockchain. However, I suspect part of the rules in the OpenSea contract is to send them a fee.
48/ Annoyingly, the Torus wallet shows my account balance hasn't changed. But, using a blockchain explorer, I do see that I've got the $36 of Ether at my blockchain address.
49/ I apologize for being confused: I know the theory, but don't have much experience with practice, because NFTs are scams so I've avoided the whole thing :-).
50/ But the key thing from this thread is that I've successfully bought AND sold a Trump NFT. It's not simply watching the process of getting an NFT, but also the process of getting rid of it. It's cost me about $70 :-)
So here's a great thread on where some of the artwork came from.
52/ Blame these people for this thread, btw. They make me do bad things.
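
Tweets 12-15 describe a token that resolves to a URL, then to metadata, then to an image URL that the site can change at will. As an added example (not part of the original thread), the Python below records what a token resolved to at purchase time and reports later changes; the URLs and bytes are constructed, and the `image` field name assumes the metadata follows the ERC-721 metadata JSON schema.

```python
import hashlib
import json
from urllib.parse import urlparse

# Schemes where the address is bound to the content (hash-derived or inline).
# The contract owner may still be able to change the stored URI itself.
CONTENT_BOUND = {"ipfs", "ar", "data"}

def classify_uri(uri):
    """'content-bound' if the URI commits to the bytes, else 'server-controlled'."""
    scheme = urlparse(uri).scheme.lower()
    return "content-bound" if scheme in CONTENT_BOUND else "server-controlled"

def snapshot(token_uri, metadata_bytes, image_bytes):
    """Record what the token resolved to at one point in time."""
    meta = json.loads(metadata_bytes)  # assumed ERC-721 metadata JSON
    return {
        "token_uri": token_uri,
        "token_uri_kind": classify_uri(token_uri),
        "image_uri": meta["image"],
        "image_uri_kind": classify_uri(meta["image"]),
        "metadata_sha256": hashlib.sha256(metadata_bytes).hexdigest(),
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
    }

def drift(old, metadata_bytes, image_bytes):
    """Compare a later fetch of the same token against an earlier snapshot."""
    new = snapshot(old["token_uri"], metadata_bytes, image_bytes)
    keys = ("image_uri", "metadata_sha256", "image_sha256")
    return [k for k in keys if old[k] != new[k]]

# Constructed sample data (not the real collection's URLs or files).
TOKEN_URI = "https://cards.example.invalid/data/22/22884.json"
META = json.dumps({
    "name": "Sample card #22884",
    "image": "https://cards.example.invalid/cards/sample.png",
}).encode()
IMAGE_V1 = b"constructed image bytes, as fetched at purchase"
IMAGE_V2 = b"constructed image bytes, as served later"

if __name__ == "__main__":
    at_purchase = snapshot(TOKEN_URI, META, IMAGE_V1)
    print("tokenURI:", at_purchase["token_uri_kind"])
    print("image:   ", at_purchase["image_uri_kind"])
    # Same URLs, but the server now returns a different image.
    print("changed: ", drift(at_purchase, META, IMAGE_V2))
```
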
