Tumgik
#and like people have recently been taking the security like wayyyyy up
thxnks4themrms · 6 months
Yk I feel like something bad is gonna happen at school
I understand the anon saying larger venues need more crew, which means overall you need to have more earnings to be able to pay everyone fairly (hopefully). BUT that take kind of dismisses the fact that everything scales at that point?
Smaller venue = smaller crew = lower amount of money needed to pay everyone. But also: X amount of tickets at Y price.
Bigger venue = bigger crew = more money needed. But you sell 5X tickets at Y price.
By default, a larger venue will bring in more money. It then all comes down to how much it costs for crew to organize everything (idk what we constitute as crew but I assume the price is for the band, manager, all of their technical crew, and then likely venue related employees? like idk who pays for security, cleaning, people who sell drinks and food...).
THAT being said: I've been to a recent European show and the ticket was 60€ per person for GA (if I got that right). Idk how many people bought the tickets but let's say 10k. According to the internet MSG capacity is twice that (???) so if the prices are 100-150$ for that one for example it means it takes twice as many people to handle double the crowd.
You get what I mean? Like larger crowd should just mean you earn more money based on the quantity of people coming. But if the price is up for reasons of "crew" then this implies that per person they need more "hands on deck" if the crowd is larger which kind of seems off to me? Idk I need someone else to do more math.
The only reason prices would rise imo is bcs they can.
To wrap up the rant: I don't know if any of the guys were involved in this directly, I don't think they make the deals, and imo it seems like they trust Jamie so I would still be first and foremost upset w/ him. But it is what it is now. 🙃
EXACTLYYYYY!!! That’s what I mean when I say that if they didn’t want it to happen, they wouldn’t have let it happen.
They are fully aware of the Ticketmaster problem (which is why, to your point, Europe tours don’t have the same issue) because they’re in this industry and because everyone and their mother and their second cousin’s golden retriever puppy knows about Ticketmaster. That should have been factored into whatever economic model they used to calculate their budgets and profits from the tour. If they relied on a system where the money has to come in from some other direction other than simply more people in attendance, means more tickets sold….sounds like a them problem to me.
PLUS, say we accept those terms. Say we agree that you gotta charge more (you don’t. As your ask just proves, but let’s say you do). HOW MUCH FUCKIN MORE?!!!!! The inflation wayyyyy exceeds what’s “reasonable” even for a place like LA. This is just a mistake.
itbeatsbookmarks · 4 years
(Via: Hacker News)
Act 1: Sunday afternoon
So you know when you’re flopping about at home, minding your own business, drinking from your water bottle in a way that does not possess any intent to subvert the Commonwealth of Australia?
It’s a feeling I know all too well, and in which I was vigorously partaking when I got this message in “the group chat”.
A nice message from my friend, with a photo of a boarding pass 🙂 A good thing about messages from your friends is that they do not have any rippling consequences 🙂🙂🙂
The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.
That’s him, officer
For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.
The boarding pass photo
This particular former PM had just posted a picture of his boarding pass on Instagram (Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads).
The since-deleted Instagram post showing the boarding pass and baggage receipt. The caption reads “coming back home from japan 😍😍 looking forward to seeing everyone! climate change isn’t real 😌 ok byeee”
“Can you hack this man?”
My friend (who we will refer to by their group chat name, 𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊) is asking whether I can “hack this man” not because I am the kind of person who regularly commits 𝒄𝒚𝒃𝒆𝒓 𝒕𝒓𝒆𝒂𝒔𝒐𝒏 on a whim, but because we’d recently been talking about boarding passes.
I’d said that people post pictures of their boarding passes all the time, not knowing that it can sometimes be used to get their passport number and stuff. They just post it being like “omg going on holidayyyy 😍😍😍”, unaware that they’re posting cringe.
People post their boarding passes all the time, because it’s not clear that they’re meant to be secret
Meanwhile, some hacker is rubbing their hands together, being all “yumyum identity fraud 👀” in their dark web Discord, because this happens a lot.
So there I was, making intense and meaningful eye contact with this chat bubble, asking me if I could “hack this man”.
Surely you wouldn’t
Of course, my friend wasn’t actually asking me to hack the former Prime Minister.
However.
You gotta.
I mean… what are you gonna do, not click it? Are you gonna let a link that’s like 50% advertising tracking ID tell you what to do? Wouldn’t you be curious?
The former Prime Minister had just posted his boarding pass. Was that bad? Was someone in danger? I didn’t know.
What I did know was: the least I could do for my country would be to have a casual browse 👀
Investigating the boarding pass photo
Step 1: Hubris
So I had a bit of a casual browse, and got the picture of the boarding pass, and then…. I didn’t know what was supposed to happen after that.
Well, I’d heard that it’s bad to post your boarding pass online, because if you do, a bored 17 year-old Russian boy called “Katie-senpai” might somehow use it to commit identity fraud. But I don’t know anyone like that, so I just clumsily googled some stuff.
Googling how 2 hakc boarding pass
Eventually I found a blog post explaining that yes, pictures of boarding passes can indeed be used for Crimes. The part you wanna be looking at for all your criming needs is the barcode, because it’s got the “Booking Reference” (e.g. H8JA2A) in it.
Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight.
The second one is your… last name. I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass. And it also lets you log in to the airline website?
That sounds suspiciously like a password to me, but like I’m still fine to pretend it’s not if you are.
Step 2: Scan the barcode
I’ve been practicing every morning at sunrise, but still can’t scan barcodes with my eyes. I had to settle for a barcode scanner app on my phone, but when I tried to scan the picture in the Instagram post, it didn’t work :((
Maybe I shouldn’t have blurred out the barcode first
Step 2: Scan the barcode, but more
Well, maybe it wasn’t scanning because the picture was too blurry.
I spent around 15 minutes in an “enhance, ENHANCE” montage, fiddling around with the image, increasing the contrast, and so on. Despite the montage taking up way too much of the 22 minute episode, I couldn’t even get the barcode to scan.
Step 2: Notice that the Booking Reference is printed right there on the paper
After staring at this image for 15 minutes, I noticed the Booking Reference is just… printed on the baggage receipt.
I graduated university.
But it did not prepare me for this.
askdjhaflajkshdflkh
Step 3: Visit the airline’s website
After recovering from that emotional rollercoaster, I went to qantas.com.au, and clicked “Manage Booking”. In case you don’t know it because you live in a country with fast internet, Qantas is the main airline here in Australia.
(I also very conveniently started recording my screen, which is gonna pay off big time in just a moment.)
Step 4: Type in the Booking Reference
Well, the login form was just… there, and it was asking for a Booking Reference and a last name. I had just flawlessly read the Booking Reference from the boarding pass picture, and, well… I knew the last name.
I did hesitate for a split-second, but… no, I had to know.
Step 5: Crimes(?)
youngman.mp4
The “Manage Booking” page, logged in as some guy called Anthony Abbott
Can I get a YIKES in the chat
Leave a comment if you really felt that.
I guess I was now logged the heck in as Tony Abbott? And for all I know, everyone else who saw his Instagram post was right there with me. It’s kinda wholesome, to imagine us all there together. But also probably suboptimal in a governmental sense.
Was there anything secret in here?
I then just incredibly browsed the page, browsed it so hard.
I saw Tony Abbott’s name, flight times, and Frequent Flyer number, but not really anything super secret-looking. Not gonna be committing any cyber treason with a Frequent Flyer number. The flight was in the past, so I couldn’t change anything, either.
The page said the flight had been booked by a travel agent, so I guessed some information would be missing because of that.
I clicked around and scrolled a considerable length, but still didn’t find any government secrets.
Some people might give up here. But I, the Icarus of computers, was simply too dumb to know when to stop.
We’re not done just because a web page says we’re done
I wanted to see if there were juicy things hidden inside the page. To do it, I had to use the only hacker tool I know.
Right click > Inspect Element, all you need to subvert the Commonwealth of Australia
Listen. This is the only part of the story that might be confused for highly elite computer skill. It’s not, though. Maybe later someone will show you this same thing to try and flex, acting like only they know how to do it. You will not go gently into that good night. You will refuse to acknowledge their flex, killing them instantly.
How does “Inspect Element” work?
“Inspect Element”, as it’s called, is a feature of Google Chrome that lets you see the computer’s internal representation (HTML) of the page you’re looking at. Kinda like opening up a clock and looking at the cool cog party inside.
Yeahhh go little cogs, look at ‘em absolutely going off. Now imagine this but with like, JavaScript
Everything you see when you use “Inspect Element” was already downloaded to your computer, you just hadn’t asked Chrome to show it to you yet. Just like how the cogs were already in the watch, you just hadn’t opened it up to look.
But let us dispense with frivolous cog talk. Cheap tricks such as “Inspect Element” are used by programmers to try and understand how the website works. This is ultimately futile: Nobody can understand how websites work. Unfortunately, it kinda looks like hacking the first time you see it.
If you’d like to know more about it, I’ve prepared a short video.
Browsing the “Manage Booking” page’s HTML
I scrolled around the page’s HTML, not really knowing what it meant, furiously trying to find anything that looked out of place or secret.
I eventually realised that manually reading HTML with my eyes was not an efficient way of defending my country, and Ctrl + F’d the HTML for “passport”.
oh no
Oh yes
It’s just there.
At this point I was fairly sure I was looking at the extremely secret government-issued ID of the 28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II and I was kinda worried that I was somehow doing something wrong, but like, not enough to stop.
….anything else in this page?
Well damn, if Tony Abbott’s passport number is in this treasure trove of computer spaghetti, maybe there’s wayyyyy more. Perhaps this HTML contains the lost launch codes to the Sydney Opera House, or Harold Holt.
Maybe there’s a phone number?
Searching for phone and number didn’t get anywhere, so I searched for 614, the first 3 digits of an Australian phone number, using my colossal and highly celestial galaxy brain.
Weird uppercase letters
A weird pile of what I could only describe as extremely uppercase letters came up. It looked like this:
RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 614[phone number]|CKIN QF HN1 DO NOT SEAT ROW [row number] PLS SEAT LAST ROW OF [row letter] WINDOW
So, there’s a lot going on here. There is indeed a phone number in here. But what the heck is all this other stuff?
I realised this was like… Qantas staff talking to each other about Tony Abbott, but not to him?
In what is surely the subtweeting of the century, it has a section saying HITOMI CALLED RQSTING FASTTRACK FOR MR. ABBOTT. Hitomi must be requesting a “fasttrack” (I thought that was only a thing in movies???) from another Qantas employee.
This is messed up for many reasons
What is even going on here? Why do Qantas flight staff talk to each other via this passenger information field? Why do they send these messages, and your passport number to you when you log in to their website? I’ll never know because I suddenly got distracted with
Forbidden airline code
I realised the allcaps muesli I saw must be some airline code for something. Furious and intense googling led me to several ancient forbidden PDFs that explained some of the codes.
Apparently, they’re called “SSR codes” (Special Service Request). There are codes for things like “Vegetarian lacto-ovo meal” (VLML), “Vegetarian oriental meal” (VOML), and even “Vegetarian vegan meal” (VGML). Because I was curious about these codes, here’s some for you to be curious about too (tag urself, I’m UMNR):
RFTV: Reason for Travel
UMNR: Unaccompanied minor
PDCO: Carbon Offset (chargeable)
WEAP: Weapon
DEPA: Deportee—accompanied by an escort
ESAN: Passenger with Emotional Support Animal in Cabin
The phone number I found looked like this: CTCM QF HK1 [phone number]. Googling “SSR CTCM” led me to the developer guide for some kind of airline association, which I assume I am basically a member of now.
CTCM QF HK1 translates as “Contact phone number of passenger 1”
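An added example (not code from the post, Qantas or Amadeus): a small parser for the pipe-separated string quoted above, which limits a customer-facing view to an allowlist of codes and withholds anything it cannot parse. The element layout is inferred from the post's string, the allowlist is a hypothetical policy, and the sample values are constructed.

```javascript
// Added example, not airline code. Assumed element layout, inferred from the
// string quoted in the post: CODE AIRLINE STATUS+NUMBER [free text], joined by "|".

// Meanings quoted in the post; codes it does not explain stay unlabelled (null).
const SSR_MEANINGS = {
  CTCM: "Contact phone number of passenger",
  VLML: "Vegetarian lacto-ovo meal",
  VOML: "Vegetarian oriental meal",
  VGML: "Vegetarian vegan meal",
  UMNR: "Unaccompanied minor",
};

// Hypothetical policy: only these codes may reach the customer's browser, and
// never with their free text. Everything else stays on the server.
const CUSTOMER_VISIBLE = new Set(["VLML", "VOML", "VGML"]);

// Constructed sample in the shape of the post's string; the phone number,
// row and seat letter are placeholders.
const SAMPLE =
  "RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 61491570156|" +
  "CKIN QF HN1 DO NOT SEAT ROW 00 PLS SEAT LAST ROW OF X WINDOW|VGML QF HK1";

// Parse one element. Anything that does not fit the layout (for example a
// free-form staff remark) is marked malformed rather than guessed at.
function parseSsrElement(element) {
  const text = element.trim();
  const m = /^([A-Z]{4}) ([A-Z0-9]{2}) ([A-Z]{2})(\d+)(?: (.*))?$/.exec(text);
  if (!m) return { raw: text, malformed: true };
  const [, code, airline, status, number, freeText = ""] = m;
  return {
    code,
    airline,
    status,                 // "HK" or "HN" in the post's string
    number: Number(number), // the trailing 1; the post reads it as "passenger 1"
    freeText,
    meaning: SSR_MEANINGS[code] ?? null,
  };
}

function parseSsrField(field) {
  return field.split("|").filter((e) => e.trim() !== "").map(parseSsrElement);
}

// Codes that sending the raw field would expose but the allowlist withholds.
// Malformed elements fail closed: they are always withheld.
function withheldCodes(entries) {
  return entries
    .filter((e) => e.malformed || !CUSTOMER_VISIBLE.has(e.code))
    .map((e) => (e.malformed ? "(malformed)" : e.code));
}

// What the customer's page is given: code and meaning only, no free text.
function customerView(entries) {
  return entries
    .filter((e) => !e.malformed && CUSTOMER_VISIBLE.has(e.code))
    .map(({ code, meaning }) => ({ code, meaning }));
}
```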
Is the phone number actually his?
I thought maybe the phone number belonged to the travel agency, but I checked and it has to be the passenger’s real phone number. That would be, if my calculations are correct,,,, *steeples fingers* Tony Abbott’s phone number.
what have i done
I’d now found Tony Abbott’s:
Passport details
Phone number
Weird Qantas staff comments.
My friend who messaged me had no idea.
Tony Abbott’s passport is probably a Diplomatic passport, which is used to “represent the Australian Government overseas in an official capacity”.
what have i done
By this point I’d had enough defending my country, and had recently noticed some new thoughts in my brain, which were:
oh jeez oh boy oh jeez
i gotta get someone, somehow, to reset tony abbott’s passport number
can you even reset passport numbers
is it possible that i’ve done a crime
Intermission
Act 2: Do not get arrested challenge 2020
In this act, I, your well-meaning but ultimately incompetent protagonist, attempt to do the following things:
⬜ figure out whether i have done a crime
⬜ notify someone (tony abbott?) that this happened
⬜ get permission to publish this here blog post
⬜ tell qantas about the security issue so they can fix it
Spoilers: This takes almost six months.
Let’s skip the boring bits
I contacted a lot of people about this. If my calculations are correct, I called at least 30 phone numbers, to say nothing of The Emails. If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested. Eventually I started keeping track of who I talked to in a note I now refer to as “the hashtag struggle”.
I’m gonna skip a considerable volume of tedious and ultimately unsatisfying telephony, because it’s been a long day of scrolling already, and you need to save your strength.
Alright strap yourself in and enjoy as I am drop-kicked through the goal posts of life.
Part 1: is it possible that i’ve done a crime
I didn’t think anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly become crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this?
My usual defence against being arrested for hacking is making sure the person being hacked is okay with it. You heard me, it’s the power of ✨consent✨. But this time I could uh only get it in retrospect, which is a bit yikes.
So I was wondering like… was logging in with someone else’s booking reference a crime? Was having someone else’s passport number a crime? What if they were, say, the former Prime Minister? Would I get in trouble for publishing a blog post about it? I mean you’re reading the blog post right now so obviousl
Update: I have been arrested.
Just straight up Reading The Law
It turned out I could just google these things, and before I knew it I was reading “the legislation”. It’s the rules of the law, just written down.
Look, reading pages of HTML? No worries. Especially if it’s to defend my country. But whoever wrote the legislation was just making up words.
Eventually, I was able to divine the following wisdoms from the Times New Roman tea leaves:
Defamation is where you get in trouble for publishing something that makes someone look bad.
But, it’s fine for me to blog about it, since it’s not defamation if you can prove it’s true
Having Tony Abbott’s passport number isn’t a crime
But using it to commit identity fraud would be
There are laws about what it’s okay to do on a computer
The things it’s okay to do are: If u EVER even LOOK at a computer the wrong way, the FBI will instantly slam dunk you in a legal fashion dependent on the legislation in your area
I am possibly the furthest thing you can be from a lawyer. So, I’m sure I don’t need to tell you not to take this as legal advice. But, if you are the kind of person who takes legal advice from mango blog posts, who am I to stand in your way? Not a lawyer, that’s who. Don’t do it.
You know what, maybe I needed help. From an adult. Someone whose 3-year old kid has been buying iPad apps for months because their parents can’t figure out how to turn it off.
“Yeah, maybe I should get some of that free government legal advice”, I thought to myself, legally. That seemed like a pretty common thing, so I thought it should be easy to do. I took a big sip of water and googled “free legal advice”.
trying to ask a lawyer if i gone and done a crime
Before I went and told everyone about my HTML frolicking, I spent a week calling legal aid numbers, lawyers, and otherwise trying to figure out if I’d done a crime.
During this time, I didn’t tell anyone what I’d done. I asked if any laws would be broken if “someone” had “logged into a website with someone’s publicly-posted password and found the personal information of a former politician”. Do you see how that’s not even a lie? I’m starting to see how lawyers do it.
Calling Legal Aid places
First I call the state government’s Legal Aid number. They tell me they don’t do that here, and I should call another Legal Aid place named something slightly different.
The second place tells me they don’t do that either, and I should call the First Place and “hopefully you get someone more senior”.
I call the First Place again, and they say “oh you’ve been given the run around!”. You see where this is going.
Let’s skip a lot of phone calls. Take my hand as I whisk you towards the slightly-more-recent past. Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime.
Helllllll yeah. But I mean it’s a little late because I forgot to mention that by this point I had already emailed explicit details of my activities to the Australian Government.
☑️ figure out whether i have done a crime
⬜ notify someone (tony abbott?) that this happened
⬜ get permission to publish this here blog post
⬜ tell qantas about the security issue so they can fix it
Part 2: trying to report the problem to someone, anyone, please
I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who knew I had these.
Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature.
wait but do u see the irony in this, u have his phone number right there so u could just-
Yes I see it thank u for pointing this out, wise, astute, and ultimately self-imposed heading. I knew I could just call the number any time and hear a “G’day” I’d never be able to forget. I knew I had a rare opportunity to call someone and have them ask “how did you get this number!?”.
But you can’t just do that.
You can’t just call someone’s phone number that you got by rummaging around in the HTML ball pit. Tony Abbott didn’t want me to have his phone number, because he didn’t give it to me. Maybe if it was urgent, or I had no other option, sure. But I was pretty sure I should do this the Nice way, and show that I come in peace.
I wanted to show that I come in peace because there’s also this pretty yikes thing that happens where you email someone being all like “henlo ur website let me log in with username admin and password admin, maybe u wanna change that??? could just be me but let me kno what u think xoxo alex” and then they reply being like “oh so you’re a HACKER and a CRIMINAL and you’ve HACKED ME AND MY FAMILY TOO and this is a RANSOM and ur from the DARK WEB i know what that is i’ve seen several episodes of mr robot WELL watch out kiddO bc me and my lawyers are bulk-installing tens of thousands of copies of McAfee® Gamer Security as we speak, so i’d like 2 see u try”
I googled “tony abbott contact”, but there’s only his official website. There’s no phone number on it, only a “contact me” form.
I imagine there have been some passionate opinions typed into this form at 9pm on a Tuesday
Yeah right, have you seen the incredible volume of #content people want to say at politicians? No way anyone’s reading that form.
I later decided to try anyway, using the same Inspect Element ritual from earlier. Looking at the network requests the page makes, I divined that the “Contact me” form just straight up does not work. When you click “submit”, you get an error, and nothing gets sent.
This is an excellent way of using computers to solve the problem of “random people keep sending me angry letters”
Well rip I guess. I eventually realised the people to talk to were probably the government.
The government
It’s a big place.
In the beginning, humans developed the concept of language by banging rocks together and saying “oof, oog, and so on”. Then something went horribly wrong, and now people unironically begin every sentence with “in regards to”. Our story begins here.
The government has like fifty thousand million different departments, and they all know which acronyms to call each other, but you don’t. If you EVER call it DMP&C instead of DPM&C you are gonna be express email forwarded into a nightmare realm the likes of which cannot be expressed in any number of spreadsheet cells, in spite of all the good people they’ve lost trying.
I didn’t even know where to begin with this. Desperately, I called Tony Abbott’s former political party, who were all like
Skip skip skip a few more calls like this.
Maybe I knew someone who knew someone
That’s right, the true government channels were the friends we made along the way.
I asked hacker friends who seemed like they might know government security people. “Where do I report a security issue with like…. a person, not a website?”
They told me to call… 1300 CYBER1?
1300 CYBER1
I don’t really have a good explanation for this so I’m just gonna post the screenshots.
My friend showing me where to report a security issue with the government. I’m gonna need you to not ask any questions about the profile pictures.
Uhhh no wait I don’t wanna click any of these
The planet may be dying, but we live in a truly unparalleled age of content.
You know I smashed that call button on 1300 CYBER1. Did they just make it 1300 CYBER then realise you need one more digit for a phone number? Incredible.
Calling 1300 c y b e r o n e
“Yes yes hello, ring ring, is this 1300 cyber one”? They have to say yes if you ask that. They’re legally obligated.
The person who picked up gave me an email address for ASD (the Australian flavour of America’s NSA), and told me to email them the details.
Emailing the government my crimes
Feeling like the digital equivalent of three kids in a trenchcoat, I broke out my best Government Email dialect and emailed ASD, asking for them to call me if they were the right place to tell about this.
Sorry for the clickbait subject but well that’s what happened???
Fooled by my flawless disguise, they replied instantly (in a relative sense) asking for more details.
“Potential” exposure, yeah okay. At least the subject line had “[SEC=Sensitive]” in it so I _knew_ I’d made it big
I absolutely could provide them with more information, so I did, because I love to cooperate with the Australian government.
I also asked whether they could give me permission to publish this blog post, and they were all like “Seen 2:35pm”. Eventually, after another big day of getting left on read by the government, they replied, being all like “thanks kiddO, we’re doing like, an investigation and stuff, so we’ll take it from here”.
Overall, ASD were really nice to me about it and happy that I’d helped. They encouraged me to report this kind of thing to them if it happened again, but I’m not really in the business of uhhhhhhhh whatever the heck this is.
By the way, at this point in the story (chronologically) I had no idea if what I was emailing the government was actually the confession to a crime, since I hadn’t talked to a lawyer yet. This is widely regarded as a bad move. I do not recommend anyone else use “but I’m being so helpful and earnest!!!” as a legal defence. But also I’m not a lawyer, so idk, maybe it works?
Wholesomely emailing the government
At one point in what was surely an unforgettable email chain, the person I was emailing added a P.S. containing…. the answer to the puzzle hidden on this website. The one you’re reading this blog on right now. Hello. I guess they must have found this website (hi asd) by stalking the email address I was sending from. This is unprecedented and everything, but:
The puzzle says to tweet the answer at me, not email me
The prize for doing the puzzle is me tweeting this gif of a shakas to you
yeahhhhhhhhhh, nice
So I guess I emailed the shakas gif to the government??? Yeah, I guess I did.
Please find attached
Can I write about this?
I asked them if they could give me permission to write this blog post, or who to ask, and they were like “uhhhhhhhhhhh” and gave me two government media email addresses to try. Listen I don’t wanna be an “ummm they didn’t reply to my emAiLs” kinda person buT they simply left me no choice.
Still, defending the Commonwealth was in ASD’s hands now, and that’s a win for me at this point.
☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
⬜ get permission to publish this here blog post
⬜ tell qantas about the security issue so they can fix it
Part 3: Telling Qantas the bad news
The security issue
Hey remember like fifteen minutes ago when this post was about webpages?
I’m guessing Qantas didn’t want to send the customer their passport number, phone number, and staff comments about them, so I wanted to let them know their website was doing that. Maybe the website was well meaning, but ultimately caused more harm than good, like how that time the bike path railings on the Golden Gate Bridge accidentally turned it into the world’s largest harmonica.
Unblending the smoothie
But why does the website even send you all that stuff in the first place? I don’t know, but to speculate wildly: Maybe the website just sends you all the data it knows about you, and then only shows you your name, flight times, etc, while leaving the passport number etc. still in the page.
If that were true, then Qantas would want to unblend the digital smoothie they’ve sent you, if you will. They’d want to change it so that they only send you your name and flight times and stuff (which are a key ingredient of the smoothie to be sure), not the whole identity fraud smoothie.
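The "unblending" described above, as an added example (not code from the post, Qantas or Amadeus). The record shape and every field name are hypothetical apart from documentNumber, which appears later in the post, and all values are constructed. It renders the same page from the whole record and from an allowlisted copy, then checks each response for sensitive values as well as key names.

```javascript
// Added example: not Qantas or Amadeus code. The record shape and field names
// are hypothetical, except "documentNumber", which the post reports seeing.

// Constructed record, as a booking back end might hold it. All values are made up.
const booking = {
  bookingReference: "H8JA2A", // the post's own example reference
  passenger: { firstName: "ALEX", lastName: "EXAMPLE" },
  flight: { number: "QF000", from: "HND", to: "SYD", departs: "2020-01-01T00:00" },
  documentNumber: "PA0000000",                // passport number (constructed)
  contactPhone: "61491570156",                // constructed
  staffRemarks: ["PLS SEAT LAST ROW WINDOW"], // constructed
};

const SENSITIVE_FIELDS = ["documentNumber", "contactPhone", "staffRemarks"];

// Escape text for HTML content, and JSON for embedding inside <script>.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
const jsonForScript = (obj) => JSON.stringify(obj).replace(/</g, "\\u003c");

// One template for both cases: it displays name and flight, and embeds
// whatever data object it was handed for the page's scripts to use.
function renderPage(data) {
  const { passenger: p, flight: f } = data;
  return [
    `<h1>${escapeHtml(p.firstName)} ${escapeHtml(p.lastName)}</h1>`,
    `<p>${escapeHtml(f.number)} ${escapeHtml(f.from)}-${escapeHtml(f.to)}</p>`,
    `<script>window.__BOOKING__ = ${jsonForScript(data)};</script>`,
  ].join("\n");
}

// Blended: the whole record is sent; the page just does not display all of it.
const renderBlended = (b) => renderPage(b);

// Unblended: build a fresh object from an explicit allowlist of fields, so a
// field added to the record later is not sent unless someone lists it here.
function toCustomerView(b) {
  return {
    passenger: { firstName: b.passenger.firstName, lastName: b.passenger.lastName },
    flight: {
      number: b.flight.number,
      from: b.flight.from,
      to: b.flight.to,
      departs: b.flight.departs,
    },
  };
}
const renderUnblended = (b) => renderPage(toCustomerView(b));

// Regression check for a response body. Looking only for the key name
// ("documentNumber") misses a renamed key, so the values are searched too.
function findLeaks(body, record, fields = SENSITIVE_FIELDS) {
  const leaks = [];
  for (const field of fields) {
    if (body.includes(`"${field}"`)) leaks.push(`key:${field}`);
    for (const value of [].concat(record[field] ?? [])) {
      const text = String(value);
      if (text !== "" && body.includes(text)) leaks.push(`value:${field}`);
    }
  }
  return leaks;
}
```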
Smoothie evangelism
I wanted to tell them the smoothie thing, but how do I contact them?
The first place to check is usually company.com/security, maybe that’ll w-
Okay nevermind
Okay fine maybe I should just email [email protected] surely that’s it? I could only find a phone number to report security problems to, and I wasn’t sure if it was like…. airport security?
So I just… called the number and was like “heyyyy uhhhh I’d like to report a cyber security issue?”, and the person was like “yyyyya just email [email protected]” and i was like “ok sorrY”.
Time to email Qantas I guess
I emailed Qantas, being like “beep boop here is how the computer problem works”.
(Have you been wondering about the little dots in this post? Click this one for the rest of the email .)
A few days later, I got this reply.
And then I never heard from this person again
Airlines were going through kinda a struggle at the time, so I guess that’s what happened?
if ur still out there Shr Security i miss u
Struggles
After filling up my “get left on read” combo meter, I desperately resorted to calling Qantas’ secret media hotline number.
They said the issue was being fixed by Amadeus, the company who makes their booking software, rather than with Qantas itself. I’m not sure if that means other Amadeus customers were also affected, or if it was just the way Qantas was using their software, or what.
It’s common to give companies 90 days to fix the bug, before you publicly disclose it. It’s a tradeoff between giving them enough time to fix it, and people being hacked because of the bug as long as it’s out there.
But, well, this was kinda a special case. Qantas was going through some #struggles, so it was taking longer. Lots of their staff were stood down, and the world was just generally more cooked. At the same time, hardly anybody was flying at the time, due to see above re: #struggles. So, I gave Qantas as much time as they needed.
Five months later
The world is a completely different place, and Qantas replies to me, saying they fixed the bug. It did take five months, which is why it took so long for you and I to be having this weird textual interaction right now.
I don’t have a valid Booking Reference, so I can’t actually check what’s changed. I asked a friend to check (with an expired Booking Reference), and they said they didn’t see a mention of “documentNumber” anymore, which sounds like the passport number is no longer there. But That’s Not Science, so I don’t know for sure.
I originally found the bug in March, which was about 60 years ago. BUT we got there baybee, Qantas emailed me saying the bug had been fixed on August 21. They later told me they actually fixed the bug in July, but the person I was talking to didn’t know about it until August.
Qantas also said this when I asked them to review this post:
Thanks again for letting us have the opportunity to review and again for refraining from posting until the fix was in place for vulnerability.
Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains.
We appreciate you bringing it to our attention in such a responsible way, so we could fix the issue, which we did a few months ago now.
I couldn’t find any advice on their website about not posting pictures of customer boarding passes, only news articles about how Qantas stopped printing the Frequent Flyer number on the boarding pass last year, because… well, you can see why.
I also asked Qantas what they did to fix the bug, and they said:
Unfortunately we’re not able to provide the details of fix as it is part of the protection of personal information.
:((
☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
⬜ get permission to publish this here blog post
☑️ tell qantas about the security issue so they can fix it
Part 4: Finding Tony Abbott
Like 2003’s Finding Nemo, this section was an emotional rollercoaster.
The government was presumably helping Tony Abbott reset his passport number, and making sure his current one wasn’t being used for any of that yucky identity fraud.
But, much like Shannon Noll’s 2004 What About Me?, what about me? I really wanted to write a blog post about it, you know? So I could warn people about the non-obvious risk of sharing their boarding passes, and also make dumb and inaccessible references to the early 2000s.
The government people I talked to couldn’t give me permission to write this post, so rather than willingly wandering deeper into the procedurally generated labyrinth of government department email addresses (it’s dark in there), I tried to find Tony Abbott or his staff directly.
Calling everybody in Australia one by one
I called Tony Abbott’s former political party again, and asked them how to contact him, or his office, or something I’m really having a moment rn. They said they weren’t associated with him anymore, and suggested I call Parliament House, like I was the Queen or something.
In case you don’t know it, Parliament House is sorta like the White House, I think? The Prime Minister lives there and has a nice little garden out the back with a macadamia tree that never runs out, and everyone works in different colourful sections like “Making it so Everyone Gets a Fair Shake of the Sauce Bottle R&D” and “Mateship” and they all wear matching uniforms with lil kangaroo and emu hats, and they all do a little dance every hour on the hour to celebrate another accident-free day in the Prime Minister’s chocolate factory.
calling parliament house i guess
Not really sure what to expect, I called up and was all like “yeah bloody g’day, day for it ay, hot enough for ya?”. Once the formalities were out of the way, I skipped my usual explanation of why I was calling and just asked point-blank if they had Tony Abbott’s contact details.
The person on the phone was casually like “Oh, no, but I can put you through to the Serjeant-at-arms, who can give you the contact details of former members”. I was like “…..okay?????”. Was I supposed to know who that was? Isn’t a Serjeant like an army thing?
But no, the Serjeant-at-arms was just a nice lady who told me “he’s in a temporary office right now, and so doesn’t have a phone number. I can give you an email address or a P.O. box?”. I was like “ok th-thank you your majesty”.
It felt a bit weird just…. emailing the former PM being like “boy do i have bad news for you”, but I figured he probably wouldn’t read it anyway. If it was that easy to get this email address, everyone had it, and so nobody was likely to be reading the inbox.
Spoilers: It didn’t work.
Finding Tony Abbott’s staff
I roll out of bed and stare bleary-eyed into the morning sun, my ultimate nemesis, as Day 40 of not having found Tony Abbott’s staff begins.
This time for sure.
Retinas burning, in a moment of determination/desperation/hubris, I went and asked even more people that might know how to contact Tony Abbott’s staff.
I asked a journalist friend, who had the kind of ruthlessly efficient ideas that come from, like, being a professional journalist. They suggested I find Tony Abbott’s former staff from when he was PM, and contact their offices and see if they have his contact details.
It was a strange sounding plan to me, which I thought meant it would definitely work.
Wikipedia stalking
Apparently Prime Ministers themselves have “ministers” (not prime), and those are their staff. That’s who I was looking for.
Big “me and the boys” energy
Okay but, the problem was that most of these people are retired now, and the glory days of 2013 are over. Each time I hover over one of their names, I see “so-and-so is a former politician and….” and discard their Wikipedia page like a LeSnak wrapper into the wind.
Eventually though, I saw this minister.
Oh he definitely has an office.
That’s the current Prime Minister of Australia (at the time of writing, that is, for all I know we’re three Prime-Ministers deep into 2020 by the time you read this), you know he’s definitely gonna be easier to find.
Let’s call the Prime Minister’s office I guess?
Easy google of the number, absolutely no emotional journey resulting in my growth as a person this time.
When I call, I hear what sounds like two women laughing in the background? One of them answers the phone, slightly out of breath, and says “Hello, Prime Minister’s office?”. I’m like “….hello? Am I interrupting something???”.
I clumsily explain that I know this is Scott Morrison’s office, but I actually was wondering if they had Tony Abbott’s contact details, because it’s for “a time-sensitive media enquiry”, and I j- She interrupts to explain “so Tony Abbott isn’t Prime Minister anymore, this is Scott Morrison’s office” and I’m like “yA I know please I am desperate for these contact details”.
She says “We wouldn’t have that information but I’ll just check for you” and then pauses for like, a long time? Like 15 seconds? I can only wonder what was happening on the other end. Then she says “Oh actually I can give you Tony Abbott’s personal assistant’s number? Is that good?”.
Ummmm YES thanks that’s what I’ve been looking for this whole time? Anyway brb i gotta go be uh a journalist or something.
Calling Tony Abbott’s personal assistant’s personal assistant
I fumble with my phone, furiously trying to dial the number.
I ask if I’m speaking to Tony Abbott’s personal assistant. The person on the other end says no, but he is one of Tony Abbott’s staff. It has been a long several months of calling people. The cold ice is starting to thaw. One day, with enough therapy, I may be able to gather the emotional resources necessary to call another government phone number.
I explain the security issue I want to report, and midway through he interrupts with “sorry…. who are you and what’s the organisation you’re calling from?” and I’m like “uhhhh I mean my name is Alex and uhh I’m not calling from any organisation I’m just like a person?? I just found this thing and…”.
The person is mercifully forgiving, and says that he’ll have to call me back. I stress once again that I’m calling to help them, happy to wait to publish until they feel comfortable, and definitely do not warrant the bulk-installation of antivirus products.
Calling Tony Abbott’s personal assistant
An hour later, I get a call from a number I don’t recognise.
He explains that the guy I talked to earlier was his assistant, and he’s Tony Abbott’s PA. Folks, we made it. It’s as easy as that.
He says he knows what I’m talking about. He’s got the emails. He’s already in the process of getting Tony Abbott a new passport number. This is the stuff. It’s all coming together.
I ask if I can publish a blog post about it, and we agree I’ll send a draft for him to review.
And then he says
“These things do interest him - he’s quite keen to talk to you”
I was like exCUSE me? Tony Abbott, Leader of the 69th Ministry of Australia, wants to call me on the phone? I suppose I owe this service to my country?
This story was already completely cooked so sure, whatever. I’d already declared emotional bankruptcy, so nothing was coming as a surprise at this point.
I asked what he wanted to talk about. “Just to pick your brain on these things”. We scheduled a call for 3:30 on Monday.
And then Tony Abbott just… calls me on the phone?
Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.
He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”.
The answer is that boarding passes have your password printed on them, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.
He was vulnerable, too, about how computers are harder for him to understand.
“It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before.
It’s, I suppose, a terrible confession of how people my age feel about this stuff.”
Then the Earth stopped spinning on its axis.
For an instant, time stood still.
Then he said it:
“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”
This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader. The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.
When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.
Anyway I hadn’t heard of a book that was any good, so I told a story about my mum instead.
A story about my mum instead
I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.
My mum always said when I was growing up that:
There were “too many buttons”
She was afraid to press the buttons, because she didn’t know what they did
I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.
Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
leaked footage of me learning how to hack
Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”.
He was like “Oh, you just learn by trial and error”. Exactly! Now that I think about it, it’s a bit scary. We are dumb babies learning to use a spoon for the first time, except if you do it wrong some clown writes a blog post about you. Anyway good luck out there to all you big babies.
Asking to publish this blog post
When I asked Tony Abbott for permission to publish the post you are reading right now while neglecting your responsibilities, he said “well look Alex, I don’t have a problem with it, you’ve alerted me to something I probably should have known about, so if you wanna do that, go for it”.
At the end of the call, he said “If there’s ever anything you think I need to know, give us a shout”.
Look you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem. Back at the beginning, I was kinda worried that he might misunderstand, and think I was trying to hack him or something, and that I’d be instantly slam dunked into jail. But nope, he was fine with it. And now you, a sweet and honourable blog post browser, get to learn the dangers of posting your boarding pass by the realest of real-world examples.
During the call, I was completely in shock from the lost in the bush thing killing me instantly, and so on. But afterwards, when I looked at the quotes, I realised he just wanted to understand what had happened to him, and more about how technology works. That’s the same kind of curiosity I had, that started this whole surrealist three-act drama. That… wasn’t really what I was expecting from Tony Abbott, but it’s what I found.
The point of this story isn’t to say “wow Tony Abbott got hacked, what a dummy”. The point is that if someone famous can unknowingly post their boarding pass, anyone can.
Anyway that’s why I vote right wing now baybeeeee.
☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
☑️ get permission to publish this here blog post
☑️ tell qantas about the security issue so they can fix it
Act 3: Closing credits
Wait no what the heck did I just read
Yeah look, reasonable.
tl; dr
Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.
How it works
The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
Why did you do this?
One day, my friend who was also in “the group chat” said “I was thinking…. why didn’t I hack Tony Abbott? And I realised I guess it’s because you have more hubris”.
I was deeply complimented by this, but that’s not the point. The point is that you, too, can have hubris.
You know how they say to commit a crime (which once again I insist did not happen in my case) you need means, motive, and opportunity? Means is the ability to use right click > Inspect Element, motive is hubris, and opportunity is the dumb luck of having my friend message me the Instagram post.
I know, I’ve been saying “hubris” a lot. I mean “the willingness to risk breaking the rules”. Now hold up, don’t go outside and do crimes (unless it’s really funny). I’m not talking about breaking the law, I’m talking about rules we just follow without realising, like social rules and conventions.
Here’s a simple example. You’re at a sufficiently fancy restaurant, like I dunno, with white tablecloths or something? The waiter asks if you’d like “still or sparkling water?”
If you say “still”, it costs Eleven Dollars. If you say “sparkling”, it costs Eleven Dollars and tastes all gross and fizzy. But if you say “tap water, please”, you just get tap water, what you wanted in the first place?
When I first saw someone do this I was like “you can do that? I just thought you had to pay Eleven Dollars extra at fancy restaurants!”.
It’s not written down anywhere that you can ask for tap water. But when I found out you could do that, and like, nothing bad happens, I could suddenly do it too. Miss me with that Eleven Dollars fizzy water.
Basically, until you’ve broken the rules, the idea that the rules can be broken might just not occur to you. That’s how it felt for me, at least.
In conclusion, to be a hacker u ask for tap water.
FAQ
Why is it bad for someone else to have your passport number?
Hey crime gang, welcome back to Identity Fraud tips and tricks with Alex.
A passport is government-issued ID. It’s how you prove you’re you. The fact that you have your passport and I don’t is how you prevent me from convincing the government that I’m you and doing crimes in your name.
Just having the information on the passport is not quite as powerful as a photo of the full physical passport, with your photo and everything.
With your passport number, someone could:
Book an international flight as you.
Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
who knows what else, not me, bc i have never done a crime
Am I a big bozo, a big honking goose, if I post my boarding pass on Instagram?
Nah, it’s an easy mistake to make. How are you supposed to know not to? It’s not obvious that your boarding pass is secret, like a password. I think it’s on the airline to inform you on the risks you’re taking when you use their stuff.
But now that you’ve read this blog post, I regret to inform you that you will in fact be an entire sack of geese if you go and post your boarding pass now.
When did all of this happen?
March 22 - @hontonyabbott posts a picture of a boarding pass and baggage receipt. I log in to the website and get the passport number, phone number, and internal Qantas comments.
March 24 - I contact the Australian Signals Directorate (ASD) and let them know what happened.
March 27 - ASD tells me their investigation is complete, I send them a shakas gif, and they thank me for being a good citizen.
March 29 - I learn from lawyers that I have not done a crime 💯
March 30 - I contact Qantas and tell them about the vulnerability.
May 1 - Tony Abbott calls me, we chat about being dropped in the middle of the bush.
July 17 - Paper Mario: The Origami King is released for Nintendo Switch.
August 21 - Qantas emails me saying the security problem has been fixed.
September 13 - Various friends finish reviewing this post <3
September 15 - Tony Abbott and Qantas review this post.
Today - You read this post instead of letting it read you, nice job you.
I’m bored and tired
Let me answer that question,,, with a question.
Maybe try drinking some water you big goose. Honk honk, I’m so dehydrated lol. That’s you.
honk honk honk honl
Yeah, exactly.
I wrote this because I can’t go back to the Catholic church ever since they excommunicated me in 1633 for insisting the Earth revolves around the sun.
You can talk to me about it by sliding into my DMs in the tweet zone or, if you must, email.
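Added example, not part of the original post and not Qantas's or Amadeus's actual fix (which they declined to describe): the "How it works" section says the Manage Booking page sometimes contains the passport number. One defensive pattern is to build the page's response from an allowlist of displayed fields and scan every response for sensitive keys. Every field name except `documentNumber` is hypothetical, and the booking record is constructed.

```javascript
// Constructed sample of what a booking backend might hold for one reservation.
// All values are placeholders; only the key name "documentNumber" comes from the post.
const storedBooking = {
  bookingReference: "ABC123",
  flights: [{ number: "XX0001", from: "SYD", to: "HND", date: "2020-03-22" }],
  passengers: [
    {
      lastName: "EXAMPLE",
      firstName: "PAT",
      seat: "12A",
      documentNumber: "X0000000", // placeholder passport number
      phone: "+61 400 000 000",   // placeholder phone number
    },
  ],
  staffRemarks: ["constructed internal note, never meant for the customer"],
};

// Allowlist of fields the page actually renders. A field added to the backend
// record later stays out of the response until someone lists it here.
const VIEW_FIELDS = {
  top: ["bookingReference"],
  flight: ["number", "from", "to", "date"],
  passenger: ["lastName", "firstName", "seat"],
};

// Copy only the named keys that exist on the object.
function pick(obj, keys) {
  const out = {};
  for (const k of keys) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) out[k] = obj[k];
  }
  return out;
}

// Build the response for the Manage Booking page from the allowlist,
// instead of serialising the stored record and hiding fields in the browser.
function toManageBookingView(record) {
  return {
    ...pick(record, VIEW_FIELDS.top),
    flights: (record.flights || []).map((f) => pick(f, VIEW_FIELDS.flight)),
    passengers: (record.passengers || []).map((p) => pick(p, VIEW_FIELDS.passenger)),
  };
}

// Regression check: walk any response body and return the JSON paths of keys
// that must never reach a session authenticated only by a booking reference.
const SENSITIVE_KEY = /^(documentNumber|phone|staffRemarks)$/i;

function findSensitivePaths(value, path = "$") {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSensitivePaths(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => {
      const here = `${path}.${k}`;
      return SENSITIVE_KEY.test(k) ? [here] : findSensitivePaths(v, here);
    });
  }
  return [];
}

console.log("raw record leaks:", findSensitivePaths(storedBooking));
console.log("page response leaks:", findSensitivePaths(toManageBookingView(storedBooking)));
```

Running `findSensitivePaths` over real responses in an integration test catches the case where a field is not shown on screen but is still delivered to the browser.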
The Haircut
Hey guys! Here’s chapter 6 to Slow Burn! Again, it took wayyyyy too long and I’m so sorry.
It had been a month since Elain started training with Azriel. Azriel, who made it a point not to underestimate her, was surprised by how quickly her training had progressed. Like both her sisters, she was a fast learner. It made Azriel wonder if the three Archerons were all destined to be Made as fae. And like Feyre and Nesta, there was fire inside her soul that he could see blazing from within. Each of the Archeron sisters had a different feel about them. Elain’s was like the fire of a hearth: warm, strong, and controlled.
Her physical abilities were quickly building and recently they had started to work her seer abilities into her fighting. To make it even more difficult, he had made her start training with everyone else as well. Although he wanted to keep their training sessions between the two of them out of selfishness, he knew it would be a disservice to keep her from learning other fighting styles. Even if he was not the one fighting her, he was always on the sidelines watching. He loved seeing her own the movements of her body. Her spirit shone so brightly through her confidence and focus.
Today is the first time they had sparred in a week, and like always, it was so easy to soak in her bright spirit.
Elain stopped their light sparring with a huff and put her hands on her slender hips. Today she’d been getting more frustrated than usual. Seeing movements still only happened occasionally. It was more than he expected for her to learn at this stage. She found it frustrating, which he found endearing.
“I’m taking a break,” she walked off toward the bench Amren and Mor were seated with water. He watched her walk off. Elain never flaunted her gracefulness and it always enraptured him. Stopping his mind from entering a dangerous territory, like envisioning his hands wrapped around the legs walking away from him, he forced his eyes away. And, Mother’s tits, Feyre was staring right at him with a smirk on her face. There were times he was grateful for how perceptive she was. This was not one of them.
Feyre laughed and looked towards Rhys, “Feel like running?”
Azriel rolled his eyes at the immediate, “Why yes, Feyre Darling,” that followed.
No one really believed they went running. They were probably just looking for a spot to have a different kind of workout in mind. He groaned and shook his head.
He crossed the training grounds to Elain, who had plopped herself on the bench watching Nesta and Cassian share equal time sparring and arguing. He lowered until he balanced on his heels in front of her. His hands twitched to grab the knees in front of him, but he kept them still and focused on her face.
“Do you know how many trees Feyre hits when she flies still?”
Her lip twitched and he almost had that smile back that he couldn’t get enough of. She shook her head at him in answer.
“A lot. She still hits a lot of trees,” he didn’t only receive a smile, but the sound of her quiet giggle.
“I know you’re rushing yourself, but you aren’t going to pick something new up right away. You’ve already come farther than even I was expecting at this point. Don’t ever be discouraged in your abilities. Just keep pushing them. When it seems like you’re stalled, sometimes moving on to something else can bring more clarity to the block on another ability.”
His eyes trailed her throat as it bobbed, “So, I may not ever really be able to control seeing in battle?”
“Oh, no I definitely think you can. But we can work on other ways to make you stronger, too,” Azriel stood and offered her his hand, pulling her to her feet.
Just when she had reached her feet, Elain tensed. A far-off look crossed her eyes. On instinct, he catalogued their surroundings. Besides the argument between Cassian and Nesta growing louder by the second, he couldn’t feel anything threatening in their vicinity. It only lasted for a second. Elain came to almost instantly and she shoved him. Azriel saw a blast of blue flame blow right behind Elain in the spot he had just been standing.
Her body slammed into his. He whipped his head in the direction the attack had come. Cassian and Nesta were standing agape looking in their direction. He tracked their gaze to the charred spot where the blast he knew Nesta had created made its landing. His gut screamed and he furiously ran his hands over Elain’s head and shoulders, stopping when he found a patch of raw skin and heard Elain gasp into his chest. He looked over her shoulder and found angry red skin glaring back at him. A section of her hair had been charred right above it. He felt his body grow icy.
He gathered her hair in his hands and gently pulled it away from the wound. Securing it with a band he found on her wrist. Almost too gently, his hands held her face.
“Go into the house, I’ll be right behind you. I’ll send for the healer.”
He could tell she was in pain when she nodded her head and made her way back into the house. Once he knew she was inside he turned to Cassian and Nesta. Nesta’s face was vacant of color. He almost felt bad for her. Azriel stalked toward them both.
And then, he threw a fist in Cassian’s face.
He looked at them both, “Sort your shit out. Both of you.”
He looked at Nesta, pointing a finger in her direction, “Control your damned powers and emotions. Start actually training instead of throwing childish tantrums when you don’t like what he tells you.”
Walking off he yelled back over his shoulder, “Send for a healer.”
It didn’t take long to find Elain inside the house. He stared at her while she tried to place a washcloth over the burn on her shoulder.
Before she could cause more damage, he said, “Hold on. You need to take your shirt off first.”
Elain startled at the sound of his voice.
“You have to remove it when the healer gets here, anyways.”
She studied his eyes and slowly nodded her head.
“Okay, will you help me?” She didn’t look unsure, just resigned.
“I won’t look, El. I promise.”
A soft laugh sounded, followed by, “I don’t care. I trust you.”
Azriel felt his chest constrict with something a lot like hope at her admission. He’d come to adore the way she would look at him with complete faith and understanding. Before his mind could come up with a response the door to the bathroom opened and the healer and Feyre were standing outside the door.
She slowly turned her back toward him. Air hissed out of his lungs at the sight of her shoulder. He had the sudden urge to run his lips over her shoulder. And he did not want to stop until he reached her lips. But he would never cross that line with her. Not yet, when so much of her future was in the air.
The burn was in a precarious position. He knew if she pulled her arms over her head herself the skin would rip itself. He gripped the bottom of her top and ripped it along the seam running down her back.
Like it had a mind of its own, his finger ran down the length of her spine. He didn’t need to touch her skin to peel the leather off her body, but he could not help but feel appreciation for the way her skin pebbled in the wake of his finger, or the imperceptible shiver her shoulders gave.
Before he could help her peel the shirt from her shoulders, both Feyre and the healer arrived in the bedroom. Azriel left it to Feyre to help Elain remove the shirt and quickly left the room adjoining bathroom with Feyre on his heels.
It was not long before the healer emerged. It felt like an eternity with Feyre smirking at him from her perch on a chair in the study, Azriel avoided her the best he could by finding an extra tunic laying around the house. After finding one he re-entered the room to find Feyre talking to her sister, Elain still clutching a towel to her body. Few people would be able to tell Feyre was upset, her tell was the slight pull of her eyebrows.
As he walked closer with the shirt in his hand, Feyre squeezed Elain’s hand and then walked out, patting his shoulder. Azriel cocked his eyebrow, staring at Elain.
“Is that shirt for me?” Azriel nodded at her question. His eyes tracked over her shoulders and her face. It dawned on him that her hair was still uneven from the blast.
“Do you need some help cutting your hair?”
Elain’s mouth gaped, “What happened to my hair?”
Azriel winced, “Some of it got burned off. I can cut it for you if you want.”
He heard Elain groan and gave a quick laugh, “It’s not bad. Just a small section. Come on.”
With a sigh, Elain turned to go back into the bathroom. Azriel sucked in his breath. On Elain’s shoulder, a patch of skin was still red and razed, like the healer had not even been there.
It matched the skin of his hands.
Azriel could feel an icy rage building. He did not blame Nesta, not really. But her beautiful skin being scarred permanently like his created a visceral response in his body. He warred between wanting to tear the room apart and needing to gather her in his arms and hold onto her. Elain must have sensed his shadows leaking into the corners because she turned back to him then. When she saw where his gaze had been directed, her face softened.
“Az, I’m alright. Nesta’s powers… they aren’t like any seen before. The healer had some difficulties with figuring out how to treat the burn. I’m not in any pain,” her voice was strong, she gazed at him steadily, “Can you come fix my hair? Please?”
Azriel knew speaking would give away the rock that had lodged in his throat and settled for a firm nod and moved toward her. However, he knew attempting to hide the emotions that rose like waves in his eyes was impossible. He was sure she could read the sadness, the need to in some way give her comfort when he looked in her eyes. He was astounded when he saw those same emotions when she was the one who had been hurt. Shaking his head in disbelief at the woman in front of him, he started searching the drawers for a straight razor. Finding one, he grabbed it, absentmindedly twirling it around his fingers. Elain’s lips twitched into an almost smile at it.
“Have you cut hair before?” Her fingers were still following the movement of the razor.
The corner of Azriel’s lips turned up, “You’d be surprised how many times I’ve cut Cassian and Rhys’s hair over the centuries.”
Elain looked at him and studied his face, “Who cut your hair?”
“You think I’d trust either one of them to cut my hair?”
Azriel heard her giggle chime through, “I can’t blame you.”
He smiled at the happy tone of her voice, “I need to wash your hair before I cut it.” Taking out the chair from beneath the vanity he positioned it in front of the sink and pointed to it. Elain sat gently in the chair and leaned back with her head over the sink. Azriel slid between Elain’s and leaned over her. He knew it was unnecessary to gently slide his leg along hers, just like it was unnecessary for her hand to glance off his thigh. Somehow, the unnecessary things seemed the most necessary when it came to being near Elain.
Azriel turned the water on, using his hand to wet Elain’s hair. She closed her eyes and let out a contented sigh and it almost killed him. He was sure being able to touch her like this felt almost as good. As her golden hair grew dark a memory surfaced in his brain.
“The first person who ever cut my hair was Rhys’s mother.” At his admission, Elain’s eyes popped open.
“After I was brought to the camp, Cassian and Rhys had brought me back to the cabin. She had this way of calming everything around her. When she spoke, you listened to her. The first thing she did was tell Rhys to show me where the bathroom was to get cleaned up. After I was finished and dressed she sat me down, grabbed a straight razor and cut and cut and cut. Afterwards she cleaned all the hair off his face and said, ‘Now there’s a handsome boy if I’ve ever seen one,’” he smiled slightly, grabbing the soap to wash Elain’s hair, “she reminded me so much of my mother.”
Elain smiled at him, “She must have meant a lot to you.”
“She did. She was the first person to show kindness to a lonely and hurting boy.” His hands massaged the soap into her scalp, feeling satisfied when he heard Elain hum.
When her eyes opened, they turned wistful, “Nesta would cut mine. I know you all thought we were both useless sisters to Feyre, but at least Nesta did that.”
Azriel stilled, and locked eyes with the woman in his hands, “El, the past is just that. You aren’t who you were. And now, you’re one of the strongest people I know, Sunshine.” Elain’s face warmed, both her hands raised and encircled his wrists. Her thumbs caressed the scars just below his palm, while Azriel’s thumbs slowly stroked Elain’s temples. Azriel shivered at the intimate touch. He was finding it more and more difficult to not use the hands in her hair to draw her face toward his own. He was becoming addicted to the small touches between them. Even though he had finished washing her hair, he found it hard to move away from her.
Abruptly, he shut the sink off. Taking a towel, he got most of the water out of her hair. Elain’s hands grabbed a hold of his arms and he helped hoist her out of the chair. Azriel spun the chair around.
“Alright, sit.”
Obeying him, she tucked her hands under her legs and sat straight in the chair. To keep hair from touching the wound on her shoulder, Azriel took the towel and draped it around her shoulders. Silently, he went to work, evening her hair until it reached just below her shoulders.
When he was finished, she got up from the chair and looked in the mirror. Her reflection looked back at him with uncertainty.
Before he could check his self-control, he approached her back. Both his hands met the vanity on either side of her body. Bending slightly, he gently grazed a kiss just above the top of the burn, and meeting her reflection said, “Beautiful.”
Recognition dawned in her eyes, and the sweetest flush crept into her cheeks.
He caught movement in the doorway of the bathroom. Apparently, they missed the entrance of Nesta and Cassian into the room.
While Nesta looked shocked by the position Azriel and Elain were in, Cassian looked as if he were about to say something that would make Azriel plant his fist in his face for the second time. Azriel sent a cold stare to Cassian, daring him to open his Cauldron-damned mouth. The male must have received the unspoken message because his smile disappeared and he kept his mouth shut. Nesta’s face was wracked with guilt when her eyes settled upon her sister.
Before Nesta could open her mouth, Elain walked up and wrapped the arm with the uninjured shoulder around her sister and said, “Ready for dinner?”
As he watched the two sisters whisper to one another, Azriel fell for her just a little more, like he had been for days, weeks, and months.
He watched Elain pull away from Nesta and say, “Go on, we’ll be right behind you.”
Just when they had turned out the door, Elain stepped towards him. He was not expecting to have her arms wrap so tightly around him he felt some of the cracks in his soul mend together. Like she was a human balm for unseen scars of all kinds. In turn, his arms wound around her just as tightly.
“I owe you a haircut,” she said.
Azriel smiled into her hair, “As long as you use Cassian as a practice subject first.”
He felt her warm breath fan over his chest as she laughed from deep within herself. Her pinky wrapped around his as she led them toward the door. Smiling mischievously, she said, “I’m sure I can guilt him into agreeing.”
In that moment, staring at her joyful face, he would do anything to always bring that joy back.