These fliers (Photo 1) popped up all over Cal Poly campus a week ago. I thought it was weird, but went on with my daily routine, thinking it was some concert ad.
I didn’t notice the fliers anymore until I left my computer science lab today, and my friends and I saw another flier that replaced the first one. The flier contained a QR code (not pictured), the white rabbit, and a barcode at the bottom (Photo 2). Ryan happened to have an iPhone app for scanning QR codes and determined that the QR code was an email address: firstname.lastname@example.org. We weren’t sure what to send to that address, but we figured that the barcode may have something to do with it. I determined—after an hour of trying different scanning software—that the barcode was Code-128 encoded with the following URL:
This ended up leading us to a barcode-reading Java program. Since we already decoded the QR and bar codes, this seemed redundant, so I sent an email to Alice asking “What is the Matrix?” accompanied by the URL for good measure.
Not being satisfied with waiting for a response from Alice, I decided to do some additional research. The domain slowhiterabbit.org yields no results from a browser, but the emails don’t bounce. I checked the DNS information to find that it is a valid domain, but registered under DynDNS, a popular dynamic DNS company, so no dice on the web hosting account. What was bizarre is that there is no WHOIS information, the obligatory public records for any domain name, for slowhiterabbit.org. So who operates it?
I did a trace of the IP traffic to find that the domain is running from the IP address 18.104.22.168. I cross-referenced this with an IP geolocation service to find that the server is a personal computer in Suisun City, CA. From there, I don’t know where to go.
I’m not sure how far the rabbit hole goes, but it’s gone pretty far already. I’ll keep posting this week as I find out more.