Darknet Diaries - Ep 31: Hacker Giraffe
Episode Date: February 5, 2019In late November 2018, a hacker found over 50,000 printers were exposed to the Internet in ways they shouldn't have been. He wanted to raise awareness of this problem, and got himself into a ...whole heap of trouble. For show notes and links visit DarknetDiaries.com.This episode was sponsored by CuriosityStream. A documentary streaming service. Visit curiositystream.com/darknet and use promo code "darknet".This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.
 Transcript
 Discussion  (0)
    
                                         Today we're going to talk with a wanted man.
                                         
                                         Hi, I'm the Hacker Giraffe.
                                         
                                         He's responsible for doing some hacking that's hit the news in the last few months.
                                         
                                         Which were all hacks made to raise awareness about open devices
                                         
                                         and at the same time promote a YouTuber that I liked, which is PewDiePie.
                                         
                                         Yeah, this is actually quite surreal for me because just like three months ago
                                         
                                         I was introduced to your podcast, right?
                                         
                                         And I was listening, I was like, your podcast, right? And I was listening.
                                         
    
                                         I was like, oh, damn, you know, like, what if I end up on one of these podcasts?
                                         
                                         And it's just so surreal for me because I totally did not expect any of this to happen.
                                         
                                         Like, the last month of my life is a complete turn of events, really.
                                         
                                         You best start believing in hacker stories, Mr. Draft.
                                         
                                         You're in one.
                                         
                                         These are true stories from the dark side of the internet.
                                         
                                         I'm Jack Recider.
                                         
                                         This is
                                         
    
                                         Darknet Diaries. This episode is sponsored by Delete Me.
                                         
                                         I know a bit too much about how scam callers work.
                                         
                                         They'll use anything they can find about you online to try to get at your money.
                                         
                                         And our personal information is all over the place online. Phone numbers, addresses, family members,
                                         
                                         where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realize
                                         
                                         I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a
                                         
                                         subscription service that finds and removes personal information from hundreds of data
                                         
                                         brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me Thank you. I'll see you next time. to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
                                         
    
                                         That's joindeleteme.com slash darknetdiaries
                                         
                                         and use code darknet.
                                         
                                         Support for this show comes from Black Hills Information Security.
                                         
                                         This is a company that does penetration testing,
                                         
                                         incident response, and active monitoring
                                         
                                         to help keep businesses secure.
                                         
                                         I know a few people who work over there, and I can vouch they do very good work.
                                         
                                         If you want to improve the security of your organization, give them a call. I'm sure they can help.
                                         
    
                                         But the founder of the company, John Strand, is a teacher.
                                         
                                         And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud,
                                         
                                         breaching the cloud, digital forensics, and so much more.
                                         
                                         But get this, the whole thing is pay what you can.
                                         
                                         Black Hills believes that great intro security classes do not need to be expensive,
                                         
                                         and they are trying to break down barriers to get more people into the security field.
                                         
                                         And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
                                         
                                         which is great for practicing your skills
                                         
    
                                         and showing them off to potential employers.
                                         
                                         Head on over to blackhillsinfosec.com
                                         
                                         to learn more about what services they offer
                                         
                                         and find links to their webcasts
                                         
                                         to get some world-class training.
                                         
                                         That's blackhillsinfosec.com. blackhInfosec.com. BlackHillsInfosec.com.
                                         
                                         Just as a quick warning up top here, there are a few cuss words in this episode,
                                         
                                         so if that's an issue for you, you might want earmuffs. As we listen to our guest tell his
                                         
    
                                         story, I want you to try to figure something out. Is he a good guy or a bad guy?
                                         
                                         An ass or bro? And where exactly did he go wrong? He's not exactly a master hacker,
                                         
                                         but he's learning. By the time he was in high school, he had an obsession with computers. I had an enthusiasm with technology news and computer news, and a lot of people didn't seem
                                         
                                         to share. I always kind of felt out of place
                                         
                                         because everybody else wants to talk about cars, football, you know, and stuff like that. And
                                         
                                         I'm just like, no, I don't want to talk about any of that. I just want to talk about computers and,
                                         
                                         you know, have you seen the latest news and latest tech and, you know, oh, look, somebody hacked,
                                         
                                         I don't know what and stuff like that. So I guess that's how it started. And then people
                                         
    
                                         actually started saying, oh,
                                         
                                         you know, here's the hacker, you know, my local nickname kind of between my friends, you know,
                                         
                                         I was the hacker. I guess that's how it kind of grew on me. You're a hacker, Harry. I'm a what?
                                         
                                         A hacker. And a thumping good and I'd wager once you trade up a little. This was when he was young,
                                         
                                         he was simply known as the hacker among his friends. But he did earn the title of hacker in high school because he was actually hacking into stuff.
                                         
                                         You know, the school is running Windows XP.
                                         
                                         You know, just fire up good old Metasploit and just land a couple of shells, you know, mess with the teachers and stuff like that.
                                         
                                         Messing with the teachers by hacking into their machines. What a jerk.
                                         
    
                                         But wait, he actually didn't change his grade or didn't steal any files.
                                         
                                         He didn't dox the whole school's faculty.
                                         
                                         He had access to this stuff, but instead he just messed with the teachers,
                                         
                                         like changing their desktop background and stuff.
                                         
                                         So yeah, it's not cool to hack into the teacher's computer,
                                         
                                         but it kind of was a harmless prank.
                                         
                                         He kept learning more about hacking in computers.
                                         
                                         Be in public and you need Wi-Fi,
                                         
    
                                         so you just crack open one of the hotspots that are nearby,
                                         
                                         you know, things like that.
                                         
                                         It's just really small.
                                         
                                         Kind of like, it's like the equivalent of party tricks, really.
                                         
                                         But hacking.
                                         
                                         You ever go to a place like a hotel or airport,
                                         
                                         and when you connect to the Wi-Fi there, it asks you to pay to get on the internet?
                                         
                                         You ever try to figure out a way to get around that and get on the internet without paying?
                                         
    
                                         Yeah, that's the kind of stuff the hacker was doing in those days.
                                         
                                         So years go by of him doing various things like this.
                                         
                                         He's becoming better at coding, better at computers, better at hacking.
                                         
                                         But of course, he likes hanging out on Reddit and playing video games too.
                                         
                                         For those of you who are Redditors, do you think if we look at your favorite subreddits,
                                         
                                         we'd be able to tell what kind of person you are?
                                         
                                         I'm personally always hanging out in the podcasting subreddits, we'd be able to tell what kind of person you are. I'm personally always hanging out in the podcasting subreddits. And then I like checking out the crappy design subreddit,
                                         
                                         and tech support gore, and cable fail. Can you get a sense of who I am through that?
                                         
    
                                         These are the hackers' favorite subreddits. The hacking subreddit, well, of course.
                                         
                                         Programmer humor. Okay, funny IT jokes. I like those too. Humans being bros. Oh yeah,
                                         
                                         wholesome stories and gifs of people doing nice things.
                                         
                                         Good.
                                         
                                         Dank memes.
                                         
                                         Hmm.
                                         
                                         So he likes his memes dank.
                                         
                                         Okay, to each his own.
                                         
    
                                         Made me smile.
                                         
                                         Huh.
                                         
                                         And again, a nice wholesome subreddit.
                                         
                                         He also likes the subreddit, I'm going to hell for this.
                                         
                                         Hmm.
                                         
                                         Yeah, these jokes are a little too soon or are unfair, but really funny anyways,
                                         
                                         making you feel like you might end up going to hell for laughing at it.
                                         
                                         For instance, there's a joke on there that says these were Stephen Hawking's last words.
                                         
    
                                         Hmm, yeah, funny but tasteless.
                                         
                                         So what can you say about a person who likes all these things at once?
                                         
                                         Maybe that he's one part computer nerd, one part wholesome, one part dark.
                                         
                                         What does this recipe create? And there's one more thing that a hacker also likes, PewDiePie.
                                         
                                         Right. So PewDiePie is a Swedish YouTuber. He plays games, he makes jokes, and makes me laugh.
                                         
                                         He's not just some Swedish YouTuber. He's the single most popular YouTuber in the world.
                                         
                                         In September of last year, four months ago, he had 65 million subscribers, which is just phenomenal. I mean,
                                         
                                         these are bigger numbers than some mass media outlets get, and he's just an independent creator.
                                         
    
                                         He's just some goofy guy who posts a lot of memes, internet jokes, and mispronounces a lot of stuff,
                                         
                                         makes fun of a lot of people, and plays video games. He gets into some trouble sometimes too
                                         
                                         when he says things that aren't politically correct, which outrages some people,
                                         
                                         but it only makes his channel bigger when that happens. And in my opinion,
                                         
                                         I think PewDiePie's content is low quality and he's sometimes insensitive. If you don't think he's insensitive,
                                         
                                         then why does he do apology videos sometimes? I mean listen to this.
                                         
                                         I'm disappointed in myself because it seems like I've learned nothing from all these past controversies.
                                         
                                         I'm really sorry if I offended, hurt, or disappointed anyone.
                                         
    
                                         I counted four apology videos like this where he felt he did an oopsie so bad that he needed to say sorry to millions of people.
                                         
                                         And yeah, because he's so popular, a lot of people look up to him and are influenced by him.
                                         
                                         I mean, jeez, I just realized I've never put memes in my podcast before,
                                         
                                         and already this episode has two crappy ones.
                                         
                                         And it must be because I've watched so many of his damn videos
                                         
                                         that I feel like it's the normal thing to do now.
                                         
                                         So even I'm influenced by him.
                                         
                                         Oh, I can't believe I'm talking about PewDiePie this much.
                                         
    
                                         You have no idea how many videos I had to sit through to research this episode.
                                         
                                         I want that time back.
                                         
                                         And now YouTube is giving me PewDiePie as suggested videos to watch next
                                         
                                         Ah, I do not want to know any more about PewDiePie
                                         
                                         But there's stuff to learn in this story. So stick with me
                                         
                                         Two years ago PewDiePie was the first youtuber to hit 50 million subscribers
                                         
                                         And he's been the most subscribed to channel for years
                                         
                                         And while there are a lot of companies that create YouTube videos, the independent creators is what makes YouTube so amazing. We expect high quality top-notch stuff
                                         
    
                                         from companies, but technology is advanced in such a way that anyone can create a YouTube channel and
                                         
                                         teach or do funny things or make art. And it's sometimes better than what big companies can do.
                                         
                                         So the YouTube community has always been about the independent creator, fostering them, promoting them, and putting the spotlight on them.
                                         
                                         But lately, YouTube has been sort of dropping this ball.
                                         
                                         They've been working more closely with companies to bring in more sponsors
                                         
                                         and to enforce copyright violations closer.
                                         
                                         But look, YouTube has 1.8 billion users log in each month.
                                         
                                         Holy cow, that's a lot of people.
                                         
    
                                         And when you have that many people watching and creating and uploading videos,
                                         
                                         it's impossible to enforce anything effectively.
                                         
                                         So a lot of YouTubers are being hit with copyright violations
                                         
                                         or strikes against their channel when they did nothing wrong.
                                         
                                         I really feel like once something grows to a certain size,
                                         
                                         you just lose control of it.
                                         
                                         So the independent creators are being enraged over all this YouTube drama
                                         
                                         of strikes and accounts being banned for really dumb reasons.
                                         
    
                                         For instance, I saw a musician write an original song and then someone else used that song in their video
                                         
                                         and then did a copyright strike against the original musician saying they stole it from that video.
                                         
                                         Ridiculous.
                                         
                                         It's not the YouTube we all grew to love, but there's no other good alternative, so we keep hoping that YouTube changes.
                                         
                                         Anyways, during the height of all this YouTube drama, PewDiePie posts a video. Another YouTube channel is taking over. That's
                                         
                                         right. In no less than in November this year, PewDiePie will not be the biggest channel on
                                         
                                         YouTube. We must fight back. Who is this T-series channel? Uh, this channel will pay us pity pay.
                                         
                                         Pity, pity, pity, pity.
                                         
    
                                         I'm number one!
                                         
                                         I'm number one!
                                         
                                         I'm throwing my glove at you, T-Series.
                                         
                                         Fight me.
                                         
                                         IRL.
                                         
                                         To the death.
                                         
                                         No boxing glove and helmets.
                                         
                                         I'm talking about to the death here.
                                         
    
                                         Wait, they have 46 billion views?
                                         
                                         It's an Indian channel?
                                         
                                         It's an Indian channel! It's an Indian channel.
                                         
                                         It's an Indian channel.
                                         
                                         This other YouTube channel named T-Series was projected to pass by PewDiePie in just two months time.
                                         
                                         Their subscriber rate was so much higher than PewDiePie, which could make them the most subscribed channel on YouTube.
                                         
                                         But who is this T-Series?
                                         
                                         It's a music record label company based in India.
                                         
    
                                         And they're rapidly posting like three new music videos a day from many of the top performers there.
                                         
                                         And since India has such a big population, their subscriber count is exploding, outpacing everyone.
                                         
                                         Back to PewDiePie.
                                         
                                         Let it be clear. I don't care. Okay?
                                         
                                         The thing is, I have expressed that I don't want to be the number one channel on YouTube for a long time. Okay?
                                         
                                         I would prefer if someone else passes me.
                                         
                                         If T-Series was an actual individual and not a company,
                                         
                                         I would gladly congratulate them on becoming number one.
                                         
    
                                         And I believe this is the real rallying cry here.
                                         
                                         This is not a war to keep PewDiePie on top.
                                         
                                         It's a fight between the independent creators and the takeover of a company becoming the most subscribed channel.
                                         
                                         While an independent creator is on top, it forces YouTube to acknowledge that its users
                                         
                                         like content from independent creators more than companies. Some fear that if a major company is
                                         
                                         the most subscribed to channel, then this seals the coffin for YouTube working even more closely
                                         
                                         with companies and less with indie creators. Anyways, you can believe that or not, but that's
                                         
                                         what a lot of people rallied behind. And who doesn't like watching a good competition?
                                         
    
                                         This race became heated and exciting.
                                         
                                         Major celebrities started tweeting to subscribe to PewDiePie.
                                         
                                         With 65 million subscribers, Pewds was able to motivate a lot of people to help him stay on top.
                                         
                                         Everyone began chanting the same thing.
                                         
                                         So do me this one favor.
                                         
                                         If it's the last thing you do, subscribe to PewDiePie.
                                         
                                         Do not let T-Series win. Tell your grandmas, that's right, both of them,, subscribe to PewDiePie. Do not let T-Series win.
                                         
                                         Tell your grandmas, that's right, both of them, to subscribe to PewDiePie.
                                         
    
                                         Lo gang, do our YouTube family proud.
                                         
                                         And subscribe to our Swedish leader man, PewDiePie.
                                         
                                         I even bet that someone in the last four months has told you to subscribe to PewDiePie,
                                         
                                         or you've seen it in your feed at some point, that's how big this has become.
                                         
                                         PewDiePie was getting a massive bump of new subscribers, like over 50,000 new subscribers a day. But despite everyone's
                                         
                                         greatest efforts, it wasn't working. T-Series kept gaining ground, inching closer and closer
                                         
                                         to becoming the top channel. So PewDiePie created a music video in an attempt to compete with T-Series,
                                         
                                         a music video channel, on their own turf. This This video blew up and currently has over 100 million views, which is 20 times more than the average video he gets.
                                         
    
                                         It was epic and hilarious, actually.
                                         
                                         And it significantly brought awareness of this race and boosted the growth of PewDiePie's channel even more.
                                         
                                         Higher and higher it soared. Keep in mind, it's reaching new heights that nobody has ever hit before.
                                         
                                         But T-Series was right behind him. Around 67 million subscribers, the race almost became a dead heat. As soon as PewDiePie would hit 70 million subscribers, T-Series would have
                                         
                                         70 million the next day. And when PewDiePie hit 75 million, T-Series hit 75 million two days later.
                                         
                                         Each channel was getting a massive 120,000 new subscribers every day,
                                         
                                         which is just unbelievable growth.
                                         
                                         And this wasn't the only thing the YouTube community was doing to teach YouTube a lesson.
                                         
    
                                         In December, the same time that all this was going on,
                                         
                                         YouTube published an annual mashup video called Rewind,
                                         
                                         and it was supposed to put a spotlight on the creators,
                                         
                                         but the YouTube community hated it.
                                         
                                         They felt it catered more towards sponsors and didn't represent the community at all.
                                         
                                         That video quickly became the world's most disliked video of all time.
                                         
                                         It currently has over 15 million dislikes.
                                         
                                         And when YouTube itself tries to make a video to be a spotlight on the community,
                                         
    
                                         and the community downvotes it more than any other video in history,
                                         
                                         it sends a powerful message to YouTube.
                                         
                                         So there was this fervor at the time that the users were trying to show YouTube
                                         
                                         they need to pay more attention to what the community wants.
                                         
                                         And so the race between T-Series and PewDiePie was growing more intense now.
                                         
                                         And PewDiePie was just barely holding on top.
                                         
                                         PewDiePie knew he wouldn't last and he was running out of trap cards to play.
                                         
                                         So he turned to his viewers and said,
                                         
    
                                         The sub gap is getting closer.
                                         
                                         Do something!
                                         
                                         This brings us back to the hacker.
                                         
                                         As you heard earlier, he's a fan of PewDiePie and, well, a hacker.
                                         
                                         This really wasn't a project
                                         
                                         that was planned. There was zero
                                         
                                         planning in this. I was just
                                         
                                         trying to have some fun. I was bored.
                                         
    
                                         And I think the most dangerous thing is a
                                         
                                         bored hacker, to be honest. I'm usually lurking around Shodan. It's the search engine for connected
                                         
                                         devices. Yeah, this is a website that scans the entire internet to see if any well-known ports
                                         
                                         are open and makes that database searchable for anyone to see. If you go to shodan.io,
                                         
                                         you can easily find security cameras to watch remotely, telnet ports that are open,
                                         
                                         and a whole bunch of other stuff that shouldn't be on the internet.
                                         
                                         Its goal is to help us be aware of how insecure the internet is.
                                         
                                         And, you know, I'm usually just searching around
                                         
    
                                         looking for something to mess with.
                                         
                                         I was really looking for,
                                         
                                         is there a protocol that should never ever be open
                                         
                                         to the public facing internet?
                                         
                                         So while bored one night,
                                         
                                         he did some research to try to find anything new
                                         
                                         to look at on Showdown. I came
                                         
                                         across this article for IT
                                         
    
                                         admins. It was like these protocols
                                         
                                         should never escape your network.
                                         
                                         And the thing that caught my attention was
                                         
                                         the network printer. He found that printers
                                         
                                         often listen on three ports and if these ports
                                         
                                         were exposed to the internet it may mean that
                                         
                                         someone can print to that machine from
                                         
                                         anywhere in the world. So he searched Showdown to see if any computers had port 9100 open, 515, and 631.
                                         
    
                                         So the total was above 800,000. He was horrified by this. Why in the world are 800,000 printers
                                         
                                         directly on the internet, ready and listening for anyone in the world to send print commands to it?
                                         
                                         So he became very interested in this to see if he could do something with these.
                                         
                                         At that point, I was really messing around.
                                         
                                         So I wanted to go for the low-hanging fruit.
                                         
                                         You know, I wanted to go for the easiest thing possible.
                                         
                                         So the easiest thing to mess around with was the ones open on port 9100,
                                         
                                         which were around 50,000 in total.
                                         
    
                                         This port is easiest to use. There's no authentication
                                         
                                         or encryption. You simply send your PDF file to the port with the command to print and the printer
                                         
                                         will print it. He messed around with this a little and his initial tests seemed to be working.
                                         
                                         His packets were sent and there were no errors, but it was hard to tell if anything actually printed.
                                         
                                         So I literally had no way of finding out if it was working. Being the curious little
                                         
                                         researcher that he is, he looked to see if there were any tools that could help him with this.
                                         
                                         And sure enough, there was one. A German college student wrote a master thesis on doing security
                                         
                                         testing against printers and wrote a program called Pret and made it freely available for
                                         
    
                                         anyone on GitHub. So I found Pret, which is the printer exploitation toolkit. And it showed me
                                         
                                         that, hey, you know, if you find a printer
                                         
                                         that's open on port 9100, this tool can connect and you can do all kinds of things like list the
                                         
                                         files, reset the printer and all kinds of stuff. But the thing that caught my attention was the
                                         
                                         actual print, you know, that I could actually print. Sure enough, it worked like a charm. He
                                         
                                         realized he could make a little program to cycle through all the printers and send a message to 50,000 people. Now I wonder, what would you do in this situation? Let's say you
                                         
                                         stumbled upon the capability of being able to print any message you wanted to 50,000 printers
                                         
                                         at once. What do you do? Do you report it to someone? Who though? The printer companies? Do
                                         
    
                                         you write it up and post it to your social media? I'm like genuinely curious what you would do in this situation.
                                         
                                         So curious that I'm going to take a pause here, drive downtown, and ask people on the streets what they'd do.
                                         
                                         Can I ask you a quick question for a podcast?
                                         
                                         Sure, go ahead. All right, so imagine you're on the Internet and you're clicking around and you find that 50,000 printers are exposed to the Internet in a way they shouldn't be.
                                         
                                         And you have the ability to print whatever you want to 50,000 printers.
                                         
                                         What would you do in that situation?
                                         
                                         Would you print something? Would you report it to someone?
                                         
                                         I honestly don't think that I would care enough to do anything.
                                         
    
                                         I would just move on with my day.
                                         
                                         Oh, I barely have anything I would
                                         
                                         like to say to 300 people on Facebook, let alone send out a message to 50,000 people. I think it's
                                         
                                         unethical to use somebody else's equipment without their permission. Maybe I'd put it in the hands of
                                         
                                         the media. I mean, what else would I print to somebody else's printer other than a message like,
                                         
                                         secure your damn printer, you know? I would print out with the negative and in with the positive.
                                         
                                         Despite ethics, I would definitely send all the book manuscripts by Andreas Antonopoulos to them.
                                         
                                         The manuscripts for his undrafted speeches, and then he has a couple longer ones,
                                         
    
                                         one that explains Bitcoin and one that explains Ethereum.
                                         
                                         So you print like a 100-page book on everyone's printers?
                                         
                                         That might be a jerk thing to do, but I think the message is real.
                                         
                                         Maybe I could just find a shorter summary like the white paper
                                         
                                         and an explanation of it for Bitcoin and for Ethereum.
                                         
                                         Knowing as little as I do about the whole thing, probably what I would do from a moral standpoint is I would send something to each one
                                         
                                         of those printers saying, you know, this is not secure and you probably want to do something about
                                         
                                         it. However, if they receive an unsolicited message about something like blockchain, they would already be aware of that fact.
                                         
    
                                         So would you print something?
                                         
                                         No.
                                         
                                         Why not?
                                         
                                         I think I would not print anything because that seems kind of weird
                                         
                                         and maybe a misuse of resources.
                                         
                                         I really like trees, and that's a lot of paper.
                                         
                                         Well, first I would print a bunch of obnoxious memes to every printer on there, and then I'd report it.
                                         
                                         I'd probably request a reward for it.
                                         
    
                                         Hold a hostage.
                                         
                                         Nah, nah, nah, hold a hostage or nothing, but just request a reward for turning something in, as long as I got something out of it, you know?
                                         
                                         Thank you for that.
                                         
                                         You all have a lot of wildly different opinions on what you would do in this situation.
                                         
                                         So what did the hacker do?
                                         
                                         He decided to print something.
                                         
                                         And his primary goal was to make people aware that their printers were vulnerable.
                                         
                                         But then while doing that, why not help out a YouTuber he likes?
                                         
    
                                         He typed up a PDF.
                                         
                                         It said, attention, goes on to say,
                                         
                                         The bottom, it said,
                                         
                                         Greetings from your friendly giraffe.
                                         
                                         You know, it was just something that just came off the top of my head, really.
                                         
                                         And I had no intention of actually taking credit for it at all.
                                         
                                         It was just supposed to be something funny, and that's it.
                                         
                                         People forget about it in like three to four days.
                                         
    
                                         Now that he had a list of 50,000 IPs in a text file, the Pret tool all set,
                                         
                                         he just needed to make a simple program to loop through them all and print the PDF.
                                         
                                         He created a very short bash script to do this.
                                         
                                         It was like four IP in the text file and I provided the text file.
                                         
                                         That was the first line.
                                         
                                         And the second line is literally just calling the tool with the IP and print PDF as the command.
                                         
                                         So it's just one line.
                                         
                                         And then the third line is just to end a for loop.
                                         
    
                                         All it took to do this was three lines of code.
                                         
                                         Three lines!
                                         
                                         And to find the 50,000 printers was a simple search for port 9100 that anyone can do on Showdown.
                                         
                                         I mean, this sounds really easy to do.
                                         
                                         Yeah, this is quite literally zero skill required, yeah.
                                         
                                         And that just makes me think of this.
                                         
                                         You are without doubt the worst hacker I've ever heard of.
                                         
                                         But you have heard of me.
                                         
    
                                         So now the moment of truth.
                                         
                                         He's got everything built and is ready to hit print.
                                         
                                         50,000 printers.
                                         
                                         He just needs to hit enter.
                                         
                                         There were a thousand things going through my mind.
                                         
                                         Like, is this going to work?
                                         
                                         Should I even do this?
                                         
                                         You know, am I doing this properly?
                                         
    
                                         And there was even this like programmer voice inside me, like, dude, the script is trash.
                                         
                                         You should just make another one.
                                         
                                         There was this sense of hesitation because I knew that there was kind of no going back, really.
                                         
                                         I mean, there technically really was.
                                         
                                         It could have just stopped the script at sort of like 10 printers.
                                         
                                         But I knew that once it was running, I wouldn't have stopped it.
                                         
                                         So I did hesitate.
                                         
                                         That hesitation was for maximum like five seconds.
                                         
    
                                         And then I was like, nope, this is way too cool.
                                         
                                         Just press enter.
                                         
                                         A script would connect to one printer at a time, send it a PDF and tell it to print.
                                         
                                         And each connection took a while to complete.
                                         
                                         He would sit there and watch the count go up on how many print jobs he sent.
                                         
                                         It does provide some output.
                                         
                                         It just added a couple of statistics.
                                         
                                         You know, it was like, you know,
                                         
    
                                         we've reached IP 500 out of 50,000
                                         
                                         because I could actually tell if a printer printed successfully
                                         
                                         or if it did fail to connect.
                                         
                                         And there were some improvements that I was doing on the fly, really.
                                         
                                         I feel so sorry for the first 500 printers, I'd say,
                                         
                                         because I've run the script like seven to eight times
                                         
                                         because every time I'd just be like, oh no, I don't like this.
                                         
                                         And I'd change it and it'd just go over the list again.
                                         
    
                                         I was also renaming the printer.
                                         
                                         So on the LCD, you would say hacked.
                                         
                                         Once he finally got the script built the way he wanted it,
                                         
                                         he let it run.
                                         
                                         And run it did.
                                         
                                         It successfully printed to 100 printers, and then 1,000 printers,
                                         
                                         and then 10,000 printers. And this was taking a long time for it to reach that many printers,
                                         
                                         hours and hours. He was nervous and excited that it was working.
                                         
    
                                         I was seriously just refreshing Twitter. And I typed in, you know,
                                         
                                         PewDiePie printer, and another tab, printer hack, and another tab, like, p by print,
                                         
                                         which is completely refreshing.
                                         
                                         Just like somebody tweeted about this.
                                         
                                         I want to see if this is working.
                                         
                                         And the numbers going up, the numbers, like you said,
                                         
                                         the numbers hitting 10K, hitting 20K.
                                         
                                         Where are the tweets?
                                         
    
                                         And I think around halfway is when, around like 23 to 22k is when the tweets actually started rolling out.
                                         
                                         The very first tweet I saw was a woman saying that their local police station printed this paper out of the ticket counter.
                                         
                                         And I was like, what? I had zero concerns whatsoever about any consequences.
                                         
                                         I was so into it.
                                         
                                         I was like, yes, this is working.
                                         
                                         This is so cool.
                                         
                                         I got to tell everybody that this is working.
                                         
                                         He got up out of his chair and started pacing back and forth in the room,
                                         
    
                                         hovering over his computer, texting his friends, telling them what's going on.
                                         
                                         Everyone was like, yeah, okay, cool, dude.
                                         
                                         You know, like nobody really showed any big interest, but I was having a time of my life.
                                         
                                         More people were tweeting about their printer, telling them to subscribe to PewDiePie.
                                         
                                         Just left it running.
                                         
                                         It honestly took around like 24 to 28
                                         
                                         hours to actually complete
                                         
                                         the full 50,000 IPs.
                                         
    
                                         But this was so exciting for him that he didn't
                                         
                                         sleep or get to any of the real life stuff
                                         
                                         he needed to do that day.
                                         
                                         I completely forgot about any work that I had to do.
                                         
                                         I was so pulled into this.
                                         
                                         I was like, this is working
                                         
                                         and as you said, I'm pacing back and forth
                                         
                                         and this is crazy. How is this actually happening I'm pacing back and forth. And this is crazy.
                                         
    
                                         How is this actually happening?
                                         
                                         This is so simple.
                                         
                                         I couldn't believe how simple this was.
                                         
                                         Because that's the thing.
                                         
                                         It's actually, like you said, it requires zero skill.
                                         
                                         And so it completely blew my mind that this was actually working.
                                         
                                         And that the number was actually hitting something pretty close to 50,000.
                                         
                                         And I was like, no way.
                                         
    
                                         There's no way this is actually happening.
                                         
                                         It was a mix of the brush.
                                         
                                         I was like, oh, I'm going to be so famous,
                                         
                                         I need to make a Twitter account and I need to get behind this.
                                         
                                         I have to take credit for this.
                                         
                                         Because a lot of people were blaming PewDiePie at first.
                                         
                                         You're like, hey, why are you you doing this and they were serious about it and so I was like no okay I have to take
                                         
                                         credit and I have to properly explain because I've seen what happens when people do anonymous hacks
                                         
    
                                         you know the media goes crazy you know I really didn't want somebody to publish an article saying
                                         
                                         that I'm some sort of Russian crazy spy agency trying to,
                                         
                                         you know, oh, I'm hacking into your printers and I'm printing this funny paper, but I'm actually
                                         
                                         stealing all your money or like some crazy conspiracy theory. No, this was just your
                                         
                                         everyday normal, just coincidental show didn't find. So I created a Twitter account.
                                         
                                         And thus, the Hacker Giraffe was born.
                                         
                                         This was what he called his Twitter account.
                                         
                                         I started tweeting at the people who were posting it.
                                         
    
                                         Hey, it's me.
                                         
                                         What happened first is people were DMing me and were like,
                                         
                                         oh dude, how do I fix my printer?
                                         
                                         And it was really slow at first.
                                         
                                         Then it skyrocketed.
                                         
                                         It skyrocketed the moment one Twitter account has a huge follower base and he tweeted about it.
                                         
                                         I got media in my DMs telling me, hey, you know, we want to write a story about this.
                                         
                                         And it blew up in the span of like six hours from the moment that tweet happened.
                                         
    
                                         The Twitter account literally went from like zero followers
                                         
                                         to something like 20K in about six to 10 hours.
                                         
                                         For me, at least,
                                         
                                         this is where I think the hacker giraffe made a mistake.
                                         
                                         And I think he agrees too.
                                         
                                         It was a horrible idea.
                                         
                                         Yes, it was a horrible idea.
                                         
                                         Taking credit for the hack,
                                         
    
                                         leaning into this whole thing,
                                         
                                         that is playing with fire.
                                         
                                         What he did was technically illegal,
                                         
                                         and now he's taking credit for it?
                                         
                                         This can't end well.
                                         
                                         And it doesn't.
                                         
                                         After the break, we'll hear how everything unravels and falls apart.
                                         
                                         This episode is sponsored by Shopify.
                                         
    
                                         The new year is a great time to ask yourself, what if?
                                         
                                         When I was thinking, what if I start a podcast?
                                         
                                         My focus was on finding a catchy name, some cool stories, and working out the best way to record.
                                         
                                         But oh, so much more goes into making a podcast than that.
                                         
                                         If you're thinking, what if I start my own business?
                                         
                                         Don't be scared off, because with Shopify, you can make it a reality.
                                         
                                         Shopify makes it simple to create your brand, open for business and get your first sale.
                                         
                                         Get your store online easily with thousands of customizable drag and drop templates.
                                         
    
                                         And Shopify helps you manage your growing business. Shipping, taxes and payments are
                                         
                                         all visible from one dashboard, allowing you to focus on the important stuff.
                                         
                                         So what happens if you don't act now and someone beats you to the idea?
                                         
                                         The best time to start your new business is now with Shopify. Your first sale is closer than you
                                         
                                         think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month
                                         
                                         trial period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling
                                         
                                         with Shopify today. Shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet.
                                         
                                         More and more people started tweeting about this, shocked and outraged that printers were
                                         
    
                                         promoting PewDiePie now. News agencies started picking up on this story and he started getting
                                         
                                         private messages on Twitter from the media. The first one was The Verge. They reached out for a comment and then they wrote it out. They published it
                                         
                                         instantly. Someone hacked printers worldwide, urging people to subscribe to PewDiePie. That
                                         
                                         was the very first article. Hacker Giraffe's popularity grew quickly. More and more news
                                         
                                         agencies started publishing stories about these printers. You know, I was drowning in DMs. And so
                                         
                                         I think a lot of media sources couldn't actually reach out for a
                                         
                                         comment and they just started rolling out their own articles but it was crazy the amount of articles
                                         
                                         like a google search would show up one article and then like an hour later it was five to six to
                                         
    
                                         seven they are sticking this whole pewdiepie super hardcore fan image on me. Yes, sure, I do like the guy genuinely. I enjoy his content
                                         
                                         really. And I would call myself a fan. I'm not like a diehard fan. And so I was like,
                                         
                                         no, that's not the point here. You just completely went over the actual point,
                                         
                                         which is the printers. I mean, for God's sake, what do I have to do to make you guys pay
                                         
                                         attention to the actual devices?
                                         
                                         This newfound status he had was intoxicating.
                                         
                                         It was, I was just baffled.
                                         
                                         I was completely baffled.
                                         
    
                                         I was just like, this is insane.
                                         
                                         And again, you know, again, just pacing around,
                                         
                                         you know, pacing around my house.
                                         
                                         Like, this is crazy.
                                         
                                         You know, calling out my friends and like,
                                         
                                         there's an article about me.
                                         
                                         Because I was just like every other normal person, really.
                                         
                                         I wasn't popular.
                                         
    
                                         I wasn't anything.
                                         
                                         Just your average person, really.
                                         
                                         Just maximum like 50 followers on Twitter or something, you know.
                                         
                                         And it was such a new experience.
                                         
                                         Like if I said something on Twitter, people instantly responded.
                                         
                                         And there was this whole audience.
                                         
                                         And it was complete euphoria, really.
                                         
                                         Needless to say, that night, the hacker draft did not sleep at all.
                                         
    
                                         He kept tweeting that he's going to sleep, but then he'd just come right back online.
                                         
                                         There was no sleep.
                                         
                                         I was so pulled into that Twitter account.
                                         
                                         I was, no joke, every five minutes, I had to open and tweet something.
                                         
                                         Or just check my check my
                                         
                                         notifications check the replies you know check the dms just just the the rush of popularity
                                         
                                         completely overwhelmed me and literally every five minutes i open my phone and i look at the
                                         
                                         twitter account i'm like okay any anything new should i tweet something do i do i do i say
                                         
    
                                         something funny do i try to pull off you know oh at me, I'm the greatest hacker alive, you know, stuff like that.
                                         
                                         I kept saying, okay, I'm logging off. Good night, guys. And then I'm like,
                                         
                                         all right, I'm back. Here I am. Here's another tweet.
                                         
                                         After waiting 24 hours for all the 50,000 printers to print, and then spending another long time on
                                         
                                         Twitter basking in his newfound popularity, the hacker giraffe finally crashed and fell asleep.
                                         
                                         By this time, the news had spread even further and wider. The story ran on all these sites. The Verge, ZDNet, Forbes, The Hacker News, Threat Post, Wired, Engadget, NBC, Vice News,
                                         
                                         The Register, and IGN published the story. Not to mention the dozens of smaller news agencies
                                         
                                         and YouTube channels that also talked about it. This was seemingly huge. And that's what amazes
                                         
    
                                         me about this story. This is a lot of coverage for such a simple hack. I mean, there's some big
                                         
                                         breaches that come out, but only make it onto a couple news sites and really aren't talked about
                                         
                                         that much. So I wonder why this one was so popular. Well, that's the secret. It was the PewDiePie
                                         
                                         thing. Honestly, if you think about it, this really would have gone in like maximum,
                                         
                                         just an article on some security news site. And that's it. If it was just a plain,
                                         
                                         you know, oh, look, printers are printing out. But it was because of the PewDiePie.
                                         
                                         You know how much the media loves PewDiepie you know so i really think that without
                                         
                                         the whole pewdiepie message it wouldn't have spread this much but it did spread because it
                                         
    
                                         had pewdiepie's name on it really in a sense oh i see now hacker draft just wanted to spread
                                         
                                         awareness that some printers were vulnerable but simply sending that message to some printers
                                         
                                         probably wouldn't have made that much coverage so hacker HackerDraft's trick was to put PewDiePie's name on it,
                                         
                                         which helped this problem get so much more attention,
                                         
                                         which would make a lot of people double-check their printer settings.
                                         
                                         I even checked mine.
                                         
                                         So this is actually a brilliant awareness strategy.
                                         
                                         That's got to be the best hacker I've ever seen.
                                         
    
                                         So it would seem.
                                         
                                         You might be wondering why so many printers are exposing themselves to
                                         
                                         the internet like this, and it all comes down to UPnP. This is otherwise known as universal plug
                                         
                                         and play. And here's what happens. Networked devices like printers can reach out to the router
                                         
                                         and request that port 9100 be opened so people can print to it. And the router automatically
                                         
                                         opens that port without any user interaction. But the problem is it opens it too much.
                                         
                                         Maybe it should only open it to internal networks,
                                         
                                         but instead it opens it up to the world.
                                         
    
                                         So it's a technology that's in many home routers to help make your life easier.
                                         
                                         And it does.
                                         
                                         There are a lot of devices in our homes that need people to connect to it.
                                         
                                         So having UPnP automatically configure this stuff can be helpful.
                                         
                                         Things like Chromecast, gaming consoles,
                                         
                                         Wi-Fi hotspots and printers all need connections to it,
                                         
                                         and the router needs to permit those connections.
                                         
                                         But these printers the hacker giraffe found
                                         
    
                                         were all likely exposed to the internet
                                         
                                         because either the printer asked for too much to be opened,
                                         
                                         or the router opened too much automatically.
                                         
                                         So who's responsible for fixing this?
                                         
                                         The printer makers?
                                         
                                         I guess.
                                         
                                         The router makers?
                                         
                                         Yeah, them too. But what about the users who could have configured this properly but didn't? It's a combination of
                                         
    
                                         all these things, and we all just want our tech to work when we buy it. And this is what happens
                                         
                                         when we expect stuff to work right out of the box. It works too well and opens you up to more
                                         
                                         serious problems. So let's take this lesson from Hacker Giraffe and all go check your UPnP settings
                                         
                                         on your home router. I've completely disabled that setting on mine. When Hacker Giraffe and all go check your UPnP settings on your home router.
                                         
                                         I've completely disabled that setting on mine.
                                         
                                         When Hacker Giraffe woke up, he went right back to Twitter.
                                         
                                         Again, in euphoria for being so popular and seeing his work get so much coverage.
                                         
                                         He's actually published security research before, but only four people read it.
                                         
    
                                         Now he's got thousands, no, millions of people noticing the vulnerabilities that he's found and exposed.
                                         
                                         He really did want people to fix their printers,
                                         
                                         and he was happy to see so many people talking about it.
                                         
                                         And I followed up with a few people who tweeted that their printers were hacked,
                                         
                                         and they all told me they fixed it right away.
                                         
                                         But most of the conversations were about PewDiePie,
                                         
                                         and somewhat ignoring the UPnP issue altogether,
                                         
                                         kind of assuming the hacker did something elite or magical
                                         
    
                                         and didn't even bother checking their home printers.
                                         
                                         Hacker Giraffe tried to use his newfound popularity
                                         
                                         to guide the conversations back to how to secure your own systems
                                         
                                         and to teach people about security.
                                         
                                         He started doing a live stream to teach people.
                                         
                                         When I did the very first audio live stream,
                                         
                                         you know, people were jumping in and people were commenting on it live.
                                         
                                         I was like, oh, I love this. This is so much fun.
                                         
    
                                         That first day kind of sparked me to make more accounts, you know, so now there was a Patreon, now there was Discord, now there was a
                                         
                                         Reddit account, and all kinds of fun, really. He started thinking maybe this could be his life now.
                                         
                                         He was attending college at the time, but this hacking incident was way more exciting than
                                         
                                         thinking about class right now.
                                         
                                         But neglecting his classwork caused a lot of problems. I really did. I didn't suffer a blowback from it, you know. And, but at that time, I really didn't care.
                                         
                                         You know, it felt like, oh, my whole life was set out for me.
                                         
                                         I'm going to be so famous.
                                         
                                         And, you know, I'm just going to live off doing more of these, you know, doing research publicly and all this kind of stuff. I was living this insane fantasy where, you know, I was going to be the king of the world. And at the time, the Twitter account just kept fueling that fantasy
                                         
    
                                         and more articles came out.
                                         
                                         It just kept fueling that fantasy.
                                         
                                         This voice of consequence in my mind was just completely crushed by,
                                         
                                         dude, look how many followers I'm getting.
                                         
                                         Look how many people are tweeting at me and look at all the articles.
                                         
                                         And I was on a rush for, I think, about three to four days.
                                         
                                         And I guess it kind of calmed down after that, really,
                                         
                                         just started calming down after like three to four days, maybe even a week.
                                         
    
                                         A lot of people were blaming PewDiePie, so he became aware of this hack too.
                                         
                                         He followed me on Twitter and he mentioned me on Twitter.
                                         
                                         And then his editor, Brad,
                                         
                                         came up and told me that you're going to be in the next video and I was completely losing my mind.
                                         
                                         I was like, dude, no way.
                                         
                                         Can you believe this?
                                         
                                         Someone hacked printers worldwide, urging people to subscribe to PewDiePie.
                                         
                                         Thank you, printers.
                                         
    
                                         Very cool.
                                         
                                         See, this is what I'm talking about.
                                         
                                         Even printers are doing their part.
                                         
                                         The message was basically printed and told people to
                                         
                                         Number 1, unsubscribe from T-Series
                                         
                                         Number 2, subscribe to PewDiePie
                                         
                                         Pro tip, your printer is exposed to the internet, please fix that.
                                         
                                         Greetings from a friendly giraffe.
                                         
    
                                         So this was made by the hacker giraffe.
                                         
                                         This was getting more media attention than anything I've seen in the recent memory of revolving me at least it was featured on a ton
                                         
                                         of
                                         
                                         different media websites
                                         
                                         IGN wired I love this one because it says that printers were exploited for PewDiePie
                                         
                                         propaganda
                                         
                                         So obviously this raises awareness because a lot of people's printers are could easily be exploited and actually cause
                                         
                                         Damage you know the the giraffe said that he could have targeted more
                                         
    
                                         But decided not to and he also mentioned that I killed two birds with one stone
                                         
                                         Raise awareness for this issue and help PewDiePie get a slight edge
                                         
                                         That's what I need. That's what I'm talking about. All this support
                                         
                                         to keep me on top is so funny. I love it. Please keep it up. Just don't do anything illegal,
                                         
                                         okay? Because that will look bad on me. That's the only reason.
                                         
                                         You know, and hearing him talk about me raising awareness, he said all kinds of nice things like,
                                         
                                         oh, he's doing this to raise awareness. This is a great job. You know, your printers are exposed and we should fix it.
                                         
                                         It was honestly, it was cool.
                                         
    
                                         It's just the best way to describe it.
                                         
                                         It was cool.
                                         
                                         You might think that remotely printing to a printer is not that big of a deal
                                         
                                         and it's not that impressive of a hack.
                                         
                                         But consider this.
                                         
                                         The Printer Exploitation Toolkit, or PRET, has more options than just printing. Historically, I've discovered that printers are very insecure.
                                         
                                         They're usually left with default passwords. They often act as mail relays and DNS relays,
                                         
                                         which opens them up to abuse. And they sometimes store a copy of all the files that were printed
                                         
    
                                         in its internal hard drive. And I even was at a talk at DEF CON once where they demonstrated how
                                         
                                         you can send a malicious PDF to a printer and get command line access to the printer.
                                         
                                         Yeah, and Prit actually did that.
                                         
                                         Print would generate malicious PDFs for you and you could actually get terminal access
                                         
                                         onto the printer.
                                         
                                         You could legitimately change files, download files, run commands.
                                         
                                         You could do whatever you wanted.
                                         
                                         Like he said, you could gain access to the thing.
                                         
    
                                         So this printer could legitimately be a gateway
                                         
                                         into the actual inner network.
                                         
                                         You could actually use it as a proxy or VPN of sorts
                                         
                                         to actually jump into a network.
                                         
                                         Or even worse, you could write your own botnet
                                         
                                         and just infect all these printers with that botnet
                                         
                                         and really you'd have 800,000 bots at your disposal.
                                         
                                         So this attack could be much more serious than simply printing something like this.
                                         
    
                                         And it's an issue that deserves more awareness and more people looking into the problem.
                                         
                                         After a few days of basking in his newfound popularity,
                                         
                                         the hacker giraffe was seeing another guy copying him and hacking printers too. And their name was User. I accused him of being a copycat. I reached out to
                                         
                                         him and I was like, hey, dude, you're copying what I'm doing. Don't do that. It's not cool.
                                         
                                         And then we kind of discussed through DMs. And we came to the conclusion that this guy actually
                                         
                                         knew what he was doing. He was basically doing the same idea, but executing it
                                         
                                         way differently. So I'm like, Hey dude, you know, that's, that's pretty cool. You know,
                                         
                                         you know, your stuff. Uh, and so we came together, uh, after seeing, you know, a few articles came
                                         
    
                                         out and then nobody really did anything about it. And so we were like, okay, uh, we have the rest of
                                         
                                         the 800,000 printers. We have two other protocols that we haven't really tested.
                                         
                                         Let's go for it.
                                         
                                         And so this is when I wrote the actual code for the other protocols.
                                         
                                         And we ran it and we hit the full 800,000 IP addresses,
                                         
                                         like the whole thing.
                                         
                                         So we went through the full 800,000 with the same message again.
                                         
                                         It was the same message, just altered a bit differently.
                                         
    
                                         This time with our actual Twitter handles being a user.
                                         
                                         That's when the BBC article came out.
                                         
                                         That was the first actual major news source to cover it.
                                         
                                         Again, this brought his popularity even higher still.
                                         
                                         Thousands more people were following him now.
                                         
                                         It was again that renewed sense of euphoria. like, oh yeah, this is happening again.
                                         
                                         There was this feeling that, you know, like, oh no, my popularity is kind of dying and people,
                                         
                                         it's kind of stale on my Twitter right now because, you know, it's been like a week
                                         
    
                                         and I haven't really done anything. So like, okay, we got to fix this. This whole sense of loneliness was creeping back in again.
                                         
                                         You know, like, oh, I'm just going to be like forgotten now.
                                         
                                         And so there was that hidden incentive
                                         
                                         that I guess I kind of lied to myself on that.
                                         
                                         I said, oh, no, no, this is not for popularity.
                                         
                                         This is totally, you know, like, oh, yeah, people, secure printers, whatever.
                                         
                                         But the higher his online euphoria was, the lower his excitement was for real life, is not for popularity this is totally you know like oh yeah people secure printers whatever but
                                         
                                         the higher his online euphoria was the lower his excitement was for real life which gave him
                                         
    
                                         depression the real life compared to this online persona was exactly as you said it was such a
                                         
                                         depressing comparison you're like oh you know like i have to go back to my normal life now where you
                                         
                                         know just going to be like this one person all by himself you know just doing stuff and hoping to achieve something but i have this online persona i have this audience
                                         
                                         that i can you know grow on like i can use this and grow and so like exactly like you said there
                                         
                                         was this it wasn't only popularity it was kind of this, you know, this loneliness that, hey, like, you know, there's a lot of people that I can talk to online now.
                                         
                                         That pushed me further to be absorbed into that whole persona, the HackerJuror persona.
                                         
                                         This took a serious toll on him. He ended up failing one of his college classes.
                                         
                                         His friends were getting sick of him talking about this constantly, and the real world just wasn't as sparkly and fun as his online persona was.
                                         
    
                                         This created a profound sense of loneliness. And to top it off, he was getting a lot of hate
                                         
                                         messages and harassment too. I was getting a lot of negative DMs on Twitter. Yes, definitely.
                                         
                                         The negative DMs had categories, right? It was either some other hacker on Twitter calling me
                                         
                                         a script kitty and they're like, dude, you just downloaded a script off GitHub and all you're
                                         
                                         doing is just going on Shodan and you're just stealing other people's work and they're like, dude, you just downloaded a script off GitHub, and all you're doing is just going on Shodan, and you're just stealing other people's work, and you're a nobody.
                                         
                                         And then it was people who have been affected who were like, why are you doing this?
                                         
                                         I don't care.
                                         
                                         Leave my shit alone.
                                         
    
                                         You're such an asshole.
                                         
                                         Why do you keep doing this? And then it was the other people who were angry about the PewDiePie part. People who were like, dude, like, why are you promoting this racist asshole, this Nazi?
                                         
                                         Like, are you a Nazi too?
                                         
                                         Like, is that what you're trying to say?
                                         
                                         Like, is that where your conscience lies?
                                         
                                         The Hacker Giraffe was riding an emotional roller coaster.
                                         
                                         So many ups, so many downs. The Hacker Giraffe was riding an emotional roller coaster.
                                         
                                         So many ups, so many downs.
                                         
    
                                         And while the ups were great, he wasn't handling the downs well at all.
                                         
                                         When you become an overnight success, it's hard to know how to handle this kind of popularity.
                                         
                                         So this added to his depression.
                                         
                                         He had a large audience now, and he wanted to demonstrate something else that was vulnerable.
                                         
                                         He didn't know what else to exploit, though.
                                         
                                         He didn't want to harass those 800,000 printers anymore.
                                         
                                         We'll literally just be assholes if we just go over the same range again.
                                         
                                         If we just go over the same printers again, then okay, people will definitely get the wrong message.
                                         
    
                                         He found a lot of Minecraft servers that were open, but didn't think it was a good idea.
                                         
                                         But then he came across the Chromecast. This is a simple little device that plugs into your TV
                                         
                                         and lets you control what plays on the TV using a phone or computer.
                                         
                                         HackerDraft looked into this and started seeing ports for Chromecast
                                         
                                         were in fact open all over the world.
                                         
                                         What happened was, what happened was like,
                                         
                                         hey, so Chromecasts actually are a viable target.
                                         
                                         I decided to go ahead and see like,
                                         
    
                                         so what exactly can you do with Chromecast? Is it
                                         
                                         just playing videos? And so after a lot of research, I came across the port 8008 and 8443,
                                         
                                         which is basically the SSL version of 8008. I tried to figure out, you know, like, okay,
                                         
                                         so this web server is open, this API is open. What exactly can you pull from it?
                                         
                                         Not only was it just exposing information that could be relatively sensitive,
                                         
                                         and not only could you reset, reboot, rename, connect it to your own Wi-Fi, with it, it was just something that very clearly should not be open to the internet.
                                         
                                         These Chromecasts were also exposed to the internet because of UPnP.
                                         
                                         The Chromecast requests from the router to open these ports so that things can talk to it.
                                         
    
                                         But it was opening up way too much. So anyone in the world can connect to a Chromecast on a poorly secured network and start playing TV shows.
                                         
                                         I was originally thinking of playing Black Mirror on so many Chromecasts,
                                         
                                         but I feel like a Black Mirror episode randomly playing on Chromecasts would have spooked people way more.
                                         
                                         So we just went with the safest option, which was YouTube,
                                         
                                         which is an app that we knew was installed.
                                         
                                         It had to be installed on the Chromecast because it comes by default.
                                         
                                         And it's super easy for us to just point it at a YouTube video.
                                         
                                         So at that time, I asked someone in my Discord server, I was like, hey, who's good with video editing?
                                         
    
                                         I need a very quick video.
                                         
                                         Just give me like a 10, 15 second video.
                                         
                                         You know, let it play Bitch Lasagna in the background.
                                         
                                         And just make it very obvious that this is about Chromecasts.
                                         
                                         Because we wanted to minimize the PewDiePie element. We wanted like, hey, this is really
                                         
                                         about Chromecasts. This is not about PewDiePie. That's why the video, like the PewDiePie thing
                                         
                                         is the very last thing. This video told the people to visit a a website which explains how to secure your network.
                                         
                                         He did a search on Shodan to find a list
                                         
    
                                         of IPs to run this against, and it returned
                                         
                                         a list of 120,000
                                         
                                         potentially vulnerable Chromecasts.
                                         
                                         But in this list were not just Chromecasts.
                                         
                                         Apparently Google Home devices were also opening
                                         
                                         up this port, and they had an API too.
                                         
                                         And he found you could connect to the Google Home device
                                         
                                         and see how much noise the microphone is picking up.
                                         
    
                                         Noise level? Seriously?
                                         
                                         Is that something that really should just be open to the internet?
                                         
                                         Because if I was a criminal and I was physically near that Google Home,
                                         
                                         I could actually figure out if there was anybody at home
                                         
                                         by checking the noise level.
                                         
                                         If it was dead silent, then I knew they're either asleep or nobody's home.
                                         
                                         And that's the kind of thing that was going through my head. He definitely wanted to expose
                                         
                                         this issue and make it into a big deal so it gets fixed. But his friends were not happy that he was
                                         
    
                                         planning another attack. And a lot of them actually tried to stop me from doing the cast hack. They're
                                         
                                         like, dude, that's it. Just drop it. You know, you've been safe so far and your attention died
                                         
                                         out. Just let it die and just fade off into,
                                         
                                         you know,
                                         
                                         fade off.
                                         
                                         Don't try to come back with another, with another hack.
                                         
                                         But,
                                         
                                         you know,
                                         
    
                                         the,
                                         
                                         I guess my ego.
                                         
                                         And like I said,
                                         
                                         that I did that,
                                         
                                         like wanting to go through that euphoria again,
                                         
                                         you know,
                                         
                                         again,
                                         
                                         that sense of,
                                         
    
                                         you know,
                                         
                                         loneliness and isolation.
                                         
                                         It's like,
                                         
                                         like,
                                         
                                         no,
                                         
                                         I want to get back.
                                         
                                         I have to do another thing.
                                         
                                         And so there was more hesitation.
                                         
    
                                         There was much more hesitation this time.
                                         
                                         And so the other voice won eventually,
                                         
                                         like the voice of just go with it, won.
                                         
                                         So him and Yuzur had everything ready,
                                         
                                         the list of 120,000 vulnerable Chromecast,
                                         
                                         the video, the script,
                                         
                                         and he even built a website with live statistics of the hack.
                                         
                                         He tweeted that Chromecasts were next.
                                         
    
                                         He got on his Discord chat room and told everyone to get ready.
                                         
                                         And there was even a countdown to when it would start.
                                         
                                         Everybody was like in the server.
                                         
                                         They were like, all right, three, two, one, launch.
                                         
                                         The script started going through the list of IPs playing the YouTube video.
                                         
                                         Hundreds of Chromecasts not only were playing the video, but also the device was being renamed.
                                         
                                         The live website was displaying the number of devices rising higher and higher.
                                         
                                         Soon thousands of Chromecasts had played the video.
                                         
    
                                         But all of a sudden, the number stopped rising.
                                         
                                         Five minutes, or five to ten minutes into our attack,
                                         
                                         Google actually disabled the ability
                                         
                                         to play YouTube videos over their HTTP API.
                                         
                                         It was just completely like you couldn't.
                                         
                                         Google had somehow gotten word that this was going on
                                         
                                         and they issued an emergency patch to all Chromecast
                                         
                                         in the middle of this hack.
                                         
    
                                         They removed the ability to play YouTube videos over the API.
                                         
                                         This stopped the whole operation.
                                         
                                         But I quickly started researching,
                                         
                                         like, what are other alternate ways?
                                         
                                         Because my Chromecast was still working.
                                         
                                         I could still send it YouTube videos.
                                         
                                         So there must be something else going on.
                                         
                                         So I figured out, I found out another port,
                                         
    
                                         port 8009, which uses Google's own protocol.
                                         
                                         And so I started reading up on that.
                                         
                                         I was under so much pressure
                                         
                                         because the number of Chromecasts
                                         
                                         being forced to play the video is not going up
                                         
                                         because they're not playing the video anymore.
                                         
                                         So I quickly modified the script
                                         
                                         and I was like, okay, I found the library
                                         
    
                                         that lets me talk to this port 8009.
                                         
                                         I plugged it in, plugged it into the script and I restarted it. After switching to this port 8009. I plugged it in, plugged it into the script, and I restarted it.
                                         
                                         After switching to this port, the whole thing was working again,
                                         
                                         and the numbers were rising again.
                                         
                                         The video was now playing on 10,000 Chromecasts,
                                         
                                         then 20,000 Chromecasts, 30, 40, 50, 60,000 Chromecasts
                                         
                                         were all playing the video explaining how your Chromecast was vulnerable.
                                         
                                         And to do that many only took about an hour.
                                         
    
                                         And so when we were almost done, when there was like around 10,000 Chromecasts left,
                                         
                                         they removed the YouTube video.
                                         
                                         Google can do this because they own YouTube.
                                         
                                         So within an hour of the attack being launched, the video had been removed by them.
                                         
                                         They gave me a strike. They gave me a full strike.
                                         
                                         They were like, hey, we're clearly pissed. Don't do this. And so I was like,
                                         
                                         okay, whatever. There's just 10,000 left. I'm just going to rename them and just call it a day.
                                         
                                         In total, he was able to play the video on 65,000 Chromecasts and renamed another 8,000 of them to
                                         
    
                                         say subscribe to PewDiePie. This again hit many news cycles, which gave him thousands of more
                                         
                                         followers on Twitter and more patrons and more attention. But at the same time, it gave him a lot more haters. There were death threats and
                                         
                                         people were like, I'm going to dedicate my life to finding out where you are, who you are and,
                                         
                                         you know, and come and get you. And a lot of people were like, oh, I'm going to I'm going
                                         
                                         to make sure that, you know, you get in trouble for this. And so that was just, that was slowly adding
                                         
                                         onto this background voice that was screaming like, you're going to get yourself in trouble.
                                         
                                         A few days after the cast hack, he was on his Discord chat server and someone sent him a
                                         
                                         private message. Who told me that, hey, you know, the FBI is building a case against you. You got
                                         
    
                                         to go dark. Just stop this right now.
                                         
                                         At that point, it really didn't matter how much evidence they provided because they didn't really provide any evidence.
                                         
                                         They just said it.
                                         
                                         But it just set off like all of a sudden this voice of you're going to get in trouble was
                                         
                                         so amplified.
                                         
                                         It was such a contrast.
                                         
                                         Like I was one second, I'm just living my life and I'm happy and
                                         
                                         everything. And then the next second I'm in full panic attack mode. This gave him a severe panic
                                         
    
                                         attack. All of a sudden, all the fear and worry that was in the back of his head was all he could
                                         
                                         think about. The idea of FBI agents visiting him particularly scared him. He thought the worst that
                                         
                                         would happen is to be banned from Twitter or something, and he hadn't really thought about law enforcement coming
                                         
                                         after him. But something about this private message made it all too real of a possibility.
                                         
                                         He quickly started deleting everything he could, removing all evidence of everything.
                                         
                                         He deleted his Reddit account, all his tweets. He deleted his Discord server and his Discord
                                         
                                         account. He deleted the Patreon page and the PayPal address linked to it.
                                         
                                         And he wiped everything on his hard drives too.
                                         
    
                                         And he went on to Twitter to post goodbye to everyone.
                                         
                                         He said,
                                         
                                         I'm sorry for everyone.
                                         
                                         And I'm sorry for everything I did.
                                         
                                         I don't plan on coming back.
                                         
                                         And please don't copy me.
                                         
                                         Please don't do what I did.
                                         
                                         It is not worth it.
                                         
    
                                         And I can't take this anymore.
                                         
                                         And I typed up that whole paste bin kind of goodbye message.
                                         
                                         And I posted it.
                                         
                                         He then took down his Twitter account and went completely dark.
                                         
                                         Just like that, he was gone.
                                         
                                         There was nothing left.
                                         
                                         And I just sat there, you know, like by myself, just trying to calm myself down.
                                         
                                         I stopped checking the internet and I was like, all right, I just need to calm myself down. I stopped checking the internet
                                         
    
                                         and I was like, all right, I just need to calm down. It's going to be okay. A lot of people,
                                         
                                         my friends, especially, you know, they were calling me and they're like, dude,
                                         
                                         we saw what happened to your Twitter. Like, are you okay? And everything. And it took a day for
                                         
                                         me to like calm down from the panic attack. Cause I was just completely irresponsive from like all,
                                         
                                         like everyone anybody
                                         
                                         who tried to talk to me just received the same statement over and over like oh I'm in trouble
                                         
                                         I'm gonna get caught you know they're coming after me and I've done such a big mistake and
                                         
                                         this was never worth it until the first day passed and and I was I was still super scared
                                         
    
                                         when I woke up you know super alert from everything super scared up, you know, super alert from everything, super scared from everything, you know.
                                         
                                         And I went into like this extreme state of depression.
                                         
                                         And I was reading the articles rolled out saying that,
                                         
                                         you know, like, oh, you know, Hacker Giraffe quits.
                                         
                                         You know, people calling me a coward for backing out. People saying, oh, look, that's what you get.
                                         
                                         That's what you deserve.
                                         
                                         And the worst thing is that people couldn't reach out for a comment, right?
                                         
                                         So they just had to come up with their own story,
                                         
    
                                         their own reason why everything happened.
                                         
                                         Hacker Draft spent almost two weeks in this severe depression,
                                         
                                         isolating himself in his room,
                                         
                                         trying to ignore the whole thing as hard as he could.
                                         
                                         After some time, he finally calmed down from all this.
                                         
                                         And, you know, I can go out. And I actually did go out, you know, for the first time in
                                         
                                         two weeks. And it was kind of like, hey, I'm on the way to, I'm on the road to recovery right now.
                                         
                                         This whole story took place in the last two months, starting late November 2018.
                                         
    
                                         It's amazing how so much has happened in such a short period.
                                         
                                         In listening to HackerDraft tell his story, it kind of sounds like hacking is like a drug.
                                         
                                         There's such a rush and a high when it first happens, and you forget about the real world
                                         
                                         for days. Then you start to come down and feel terrible and need a new bump to feel happy again.
                                         
                                         I'm hoping he really has quit this persona entirely. A week ago, HackerDraft logged into his Twitter account to
                                         
                                         check it one last time and leave a few last words, then logged out, possibly for the last time ever.
                                         
                                         Unless the urge to get another high from hacking is overwhelming and he's drawn to the sweet glow
                                         
                                         of popularity again. As for PewDiePie,
                                         
    
                                         he's still just barely beating T-Series. It's been neck and neck every day. Since HackerDraft
                                         
                                         started, PewDiePie has gained an extra 17 million subscribers. And surely some of those people
                                         
                                         subscribed because of HackerDraft. There's a comic I read once. You can be famous, you can be a
                                         
                                         criminal, but you can can be a criminal,
                                         
                                         but you can't be a famous criminal and still expect to have your freedom.
                                         
                                         You've been listening to Darknet Diaries.
                                         
                                         Thanks to the Hacker Draft for giving us the whole story.
                                         
                                         For show notes and links, check out darknetdiaries.com.
                                         
    
                                         The show is made by me, the Hacker Hacker Hippo,
                                         
                                         Jack Recider, and theme music is by the hungry Breakmaster Cylinder.
                                         
