Hacked - Doxing Strangers + Mexican Cartels and Timeshare Cybercrime + Facebook’s Big Password Fine
Episode Date: October 16, 2024A chatty chat episode where we discuss a Harvard research project turning Meta Ray-Bans into facial recognition hardware, an Irish court case resolution on a password breach, a live-action roleplaying... game solved basically while we were talking, and much more. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Wait, are you a Betsy B.
Yes.
Oh, okay, I think I met you through like the Cambridge Community Foundation, right?
Yeah, yeah.
It's great to meet you.
I'm Kane.
I've always really loved the expression off-the-shelf parts.
When I was a kid, my dad would take me to this electronic shop,
and we would pick up these little 30-cent electric motors,
and I would go build stuff with them when I'd get home.
Like, plug a battery into it and hot glue chopsticks to it
and just see how long until it, like, clacked itself apart.
You and I had the same.
childhood. I think the same shit.
I used to tear the motors out of RC cars, though. So mine was a little bit more rugged.
Nice. I've always loved the phrase off the shelf parts. And sometimes what's available on the shelf
changes in pretty weird ways. And you're able to build new things out of it. For example.
For example. Machine vision has advanced pretty significantly over the past few years.
And if you look at the kinds of off the shelf parts that are available, you're going to
going to find some pretty remarkable tools. Take, for example, a for-profit reverse image facial search
engine that's name I'm not going to say for reasons that will become clear. To quote the BBC,
which is featured on the site for this tool, it's quick, it's accurate, it's facial recognition
on steroids. This service lets you upload a picture of someone's face. It cross-references images
found online, correlates a name to the image, does a search of the name online, and generates a
detailed report linking a person's identity to any associated information that exists.
I have all kinds of thoughts about the availability of a tool like this for $4.99 a month.
But as it was widely reported last week, originally by 404 Media, some Harvard researchers thought
it was a pretty powerful off-the-shelf tool. So they hacked something together based on it
and published this very compelling cautionary video.
Yeah, okay.
Is your address for...
Yeah.
Atlanta, Georgia, 302.
Oh, my God.
Yes.
Not anything, but yes.
Meta raybans are a consumer technology product,
released by Meta, the owners of Facebook, Instagram, WhatsApp.
They look like regular Raybans,
but they have a small computer that connects to your phone.
They have a camera for photos, videos,
importantly hear live streams.
They're very popular and they look just like normal glasses.
So we have another very powerful off-the-shelf tool.
Glasses that can discreetly live stream video
and they look just like raybands when someone's wearing them.
The researchers said, okay, we're going to build a program
that monitors and Instagram accounts live stream
that is streamed to buy this specific pair of meta raybans.
Anytime you start streaming with those glasses,
the program starts watching that feed.
and it takes a screenshot from the stream and sends it over to that other off-the-shelf part,
the facial recognition service.
There's a face in the camera feed, the facial recognition tools detects it,
runs it through that facial recognition system,
and generates the results report about that person,
which is then summarized by an LLM and delivered back to the user's phone.
The outcome of this project by these researchers is that if someone's just walking down the street
looking around. And the camera feet clocks a person's face. A few moments later, that person,
the user, is going to receive a detailed report, including the name, identity, and any publicly
available information about the person they just happened to glance at. And the researchers
posted a video where they're walking up to strangers in the street with an uncanny amount of
information about them. Like just walking up to people being like, oh my God, are you like Frank
from the institution? And like, they just know everything about them. Like, you talked at that event
the other day. Oh, wait. Do you happen to the person working on like minority stuff for like Muslims
in India at all or something? Really? Are you Gashif? Yes. Oh, I've read your work before. And you see the people like all of their
filters, all of their sense of like, like all of their guards just fall away. It is, uh, terrifying and
fascinating. Yeah. They called it eye x-ray. Like it had to happen. It was good of glass. Google Glass was
the was the like when google glass was announced and came out i thought this was like it's a logical
step you know it's so it's such an easy step to make like when i was doing my graduate school
in competing science there was a ton of people focused on image recognition and kind of kind of
this field and you just knew where it was all going to end up it was going to end up in a pair of
glasses on our face that told us everything about the person that we're looking at and it had to get here
It had to happen, and I'm not surprised at all.
And it'll probably be a very expensive app that you buy for whatever virtual reality or AR headset that you are wearing in the future.
Like, we're only years away from when we're all wearing these things.
And I think that it'll be a pretty standard feature.
Like, people will just move past it.
Privacy is maybe gone.
It's even if the manufacturers of the device say this is outside of our terms of service,
The fact that for $42.99 a month, I can go use a facial recognition platform.
It speaks to the fact that people are going to hack together ways to do this,
even if the manufacturer of the hardware doesn't want the heat of officially endorsing it.
To quote the Google Docs white paper that these researchers published,
which to their credit features very little info on how to actually reproduce this,
which is why I have avoided saying the name of the service they used.
Quote, initially started as a side project, I-X-ray quickly highlighted significant privacy concerns.
The purpose of building this tool is not for misuse, and we are not releasing it.
Our goal is to demonstrate the current capabilities of smart glasses, face search engines,
LLMs, and public databases, raising awareness that extracting someone's home address and other personal details
from just their face on the street is possible today.
That's the wildest part of the video.
They walk up to someone and they're like,
hey, are you Katie at and then just read her address?
It sucked.
Well, funny enough, one of the biggest recommendations,
and this is a throwback to our sponsor of Hacked,
a hotline Hact,
is they recommend using services like DeleteMe,
join DeleteMe.com slash hacked,
code word hack to check out.
But they recommend Delete Me is like one of the things
to start avoiding and kind of scrub some of this private data
from the information.
So like getting yourself out of as many databases as you can is a good thing.
Call that brand synergy, Scott.
The article contains a lot of instructions on how to remove yourself from these databases.
On this episode, I hacked, I think we've got to talk about it.
We should discuss eye x-ray and the building of surveillance tools with off-the-shelf parts.
I want to talk about another story involving meta, the legal resolution of a case from 2019
and involves them storing passwords in plain text.
Cool stuff.
I want to talk about,
we talked about LARPS and like live action role playing kind of experiences
in the last Hotline Hacked, I think,
and an indie game designer is doing what at a really big scale.
It's very cool, and I want to talk about it.
Absolutely.
I think all that and more and a lot of brand synergy.
And whatever we feel like talking about on this episode of Hacked.
It's weird being in a different space.
It changes the energy.
Weird seeing you.
I know.
Oh, I can't see you.
I had to, like, put it away.
And I keep remembering, like, I see the light on.
And I'm like, I don't like this one bit.
Scott, how you doing?
I'm good.
How are you doing?
I'm doing good.
I'm keeping busy.
I've got house guests.
It's all a little frenetic, but I'm getting through it.
I hear you have a specific large-haired house guest, hairy.
Very large and hairy.
His name is.
Terry, no, yes, we do.
Our houseguests have a large dog with them, and our small cat is just furious about the whole
situation.
I heard it hiss for the first time.
It was very alarming.
It's a lot.
I feel like when you name your cat, goblin, you should expect it to hiss from time to time.
I feel like hissing and go hand in hand.
Yeah.
Way to just docks my cat.
Way to just privacy breach my cat.
There you go.
people. Jordan has a cat. If you haven't heard it crying in the background of the recordings before.
And its name is Goblin. It is Goblin, right? It is Goblin. Yeah, it is Goblin.
Should we finish chatting about this Meta-R stuff? Because are these glasses that peer into our souls?
Yeah, I just, it's just, it's something that it's, like, to me, it's expected, but it's also scary. Like, I've
given my face to the government part of my, we've talked about, you know, airport security
clearances and stuff in previous episodes. And my gripes with the TSA, longstanding.
You don't even need a passport anymore once you're in all their systems. I literally walk up
and look at a webcam and they know who I am. They see my ticket. They know everything about me.
And they're like, oh, like, what are you going for? And I'm like, a conference on computer crime.
And they're like, cool, have fun. Sounds trustworthy. This guy seems to buffboard. Go on through.
But the
Yeah, yeah
I just
The next gen of these
AAR glasses
Like the meta ray bands
Don't actually have
Field of Vision stuff
Like I don't think
There's actually a projection
Inside of them
But I think
The next version of them
And the Orion's
That they've introduced
Have that ability
So not only will you like
Have your phone app
Receiving
Dossiers on people you're looking at
But eventually those dossiers
will just be showing up
in your sight lines.
And so I think it's, I think it's, yeah, I don't know.
I think it's, I think it's natural that humans built this because it feels natural for
something that humans would build, you know?
Yeah.
Nilai Patel over at the Verge, Vergecast, great podcast, has long had this theory that the killer
app for AR glasses is name tags.
It's as simple as that.
Totally.
That if you could just see people's names, boy, would that solve a lot of problems and would
put AR glasses on the right side.
of the useful finicky matrix for facial tech of like,
do I want to wear this?
It's finicky.
I got to charge it.
It's like, oh, I know people's names.
In order, however, to build that technology,
you do need a vast surveillance network
that is immediately parsable and query.
Like, what you would need to build
in order to have that tech isn't great.
But it just turns out we already have it.
It's called the internet, and this giant, vast thing
that you can query and find information on people using
tools like these researchers did that while costing $42.99 a month do have free versions,
which again, I can't stress enough, does suck.
My biggest fear is that when AR gets so good, is there a use for education anymore?
Is there a use for us to like learn to think?
And like if we're building a name tag app, it's like we're not doing that because we're
meeting new people.
We're building a name tag app because we're like, oh, my God, I forgot that person's name.
And it's like, at what point do you just start failing your memory and failing your critical decision making
because you can just rely on the data that you're being presented all the time.
Sure.
So, like, if you have, you know, like, you don't need to go to school to be a surgeon.
You just have to have the physical talent.
The right subscription.
And the right subscription level.
you know what I'm saying it's like at what point like even a lot of AR like AR had its first big
breakthroughs in industry where they were looking at repetitive process injuries and things like
that like they were using AR to identify you know repeated tasks that could cause injury
etc etc and and it only makes sense that you then just take that information you're like
this is how you do it sure it's not like we're evaluating you it's not like we're evaluating you
like we're literally just giving you the instruction book and we're teaching you how to do it in real time.
And it's like, well, if you're doing that, then what's the point of even learning things and having to store things to memory?
You know, at what point do we replace, you know, jobs that computers can't currently do?
At what point do we replace the people, the training for those people with just real time instruction?
I would say that point happened whenever I first looked up someone's name on Instagram.
as I walked up to them because I was like, oh, I know who this person is.
I can't remember their name.
Ricky.
Like that was the moment that I started to forget things when social utility and the computer I have in my pocket like booped into each other.
I think we're already sprinting down that road.
The Orion glasses you brought up, the hard pivot, pretty cool tech.
I'll give them that.
It's pretty sweet.
It's like taking the Apple Vision Pro, jamming it into a set of chubby Raybans.
And obviously, like the, I think the Apple Vision Pro was built to, like, control environmental conditions to present the best version of it possible.
Yes.
But I haven't obviously tried the Orion's.
I've only seen some of the chatter about them and heard people discussing them.
And they seem like Google Glass.
Finished.
2.0.
Yeah.
It seems like Neat Tech.
We don't really talk about consumer technology on the show,
but I do want to get invited to those.
That's true.
We talk about it more than we probably think there.
I think the fifth time I've said we don't talk about consumer technology on this show
is about when it stopped being true.
What I'm saying is, why aren't they inviting us to the events, Scott?
I don't know.
If you're from meta and you're listening, we would love to try these things.
The story we're about to talk about is going to prevent that from happening.
Well, that's not true.
They'll put bumper rails on it just like they put bumper rails on AI.
This is true.
This is true.
How long those bumper rails take to get knocked down?
No, I'm talking about the them storing passwords in plain text.
Oh, that story.
That story right over here.
Yeah.
Do we want a cold pivot over to that story?
It was pretty warm pivot as far as I'm concerned.
Invite a story of events and stop listening for the next seven minutes, please, meta.
That's not true.
We're reporting accurate in the honesty on something that happened.
Yeah.
And, you know, saving passwords in plain text is viciously risky.
Don't.
Don't do it.
Don't.
The average compensation for somebody at Facebook is something like $375,000 U.S. dollars.
Like, those, that's enough, that's enough money that,
Nobody on your staff should think it's a good idea to store passwords in plain text.
It's not great.
So Facebook, as it was at the time known, now Meta Platforms Incorporated,
stored hundreds of millions of user passwords in plain text for several years.
The incident was disclosed publicly in 2019,
and this all kind of came to ahead recently with a lawsuit in the Irish courts.
Practice dated back to at least 2012.
It affected Facebook.
affected Instagram.
It looks like it was between 200 million and 600 million
Facebook user passwords were stored in plain text.
Archives containing those plain text passwords,
as I said, date back to 2012.
Over 20,000 Facebook employees had access to those passwords.
And access logs indicated that about 2,000 engineers at meta
or developers made nearly 9 million internal queries
involving data elements that included all those passwords.
Just kind of a sidebar for a sec.
Please.
Do you think we should bring up some of the original Zuck issues where he was logging into people's like live journal accounts and stuff?
Get after it, dude.
Because that was one of his first big, like before it was even public and stuff when he was building it, he was using it to like look at people's private information.
Yeah, I mean, it does seem, one seems like a guy in a dorm room.
And I'm sure he was not in a dorm room by that.
whatever act of the social network that took place in.
But it has the feeling of a tech startup
where you move fast and you break things
versus this multinational corporation
that they are now currently being investigated
by the Irish Data Protection Commission
or whatever it was.
I can imagine that happening in Act 1 of Facebook's timeline
prior to all of the forcing Mark Zuckerberg
to put on a suit and sit in front of Congress
and testify.
type stuff that happened around 2020.
The Irish Data Protection Commission DPC launched an investigation into META's practices after being notified in 2019.
There was a 91 million euro fine in 2024, which is why we were talking about it.
Based on the findings that META did violate several general data protection regulation rules.
A big old list of articles we won't get into.
But basically, you can't store passwords in plain text.
it took immediate steps to fix this once they were they were notified they said that nothing bad
happened basically for lack of a better word as a result of this there was no large breach no and that
to their credit it does i mean to your point it feels like sort of a relic of a bygone facebook this age
where they were they were so big and they had so much power and so much data and they just weren't
sufficiently spooked yet maybe is that's the way i would put it um it seems like this sort of
like ghost of Christmas past and you know they got this what I would call a pretty big
fine but for Facebook since we have started talking about it they have generated that much in like
I don't know reels ads yeah profit like a drop in the bucket for them yeah 91 million's not
not pushing them back into the stone ages the the the the the idea like I can see how they
got there, obviously. He built it in his dorm room, probably built a very primitive database table
for user accounts. But the problem is, it would take a senior software engineer, like, a couple
hours to fix that. If you could just reprocess the password table into a new table, migrate it,
and migrate a login credential, or like a new login process, it'd be done. And like a sign-up
process, like, it would have taken no time at all to fix, surprising that they never
fixed it, but I guess that's why you got to pay $91 million.
This is a very expensive error.
Well, and the error wasn't just the security breach.
I think there's like four or five different articles of like what it is you at, what
laws did you break here?
And there was lacking the proper security measures to ensure the confidentiality of
this passwords is one of them.
Failure to implement encryption is one of them.
But then a lot of them had to do with like they failed to notify the DPC of a personal
data breach. They did not necessarily consider this, that even though it, like, by the definition
of the law was, they did not maintain adequate documentation of the breach once they figured out
that it was going on. Like, a lot of this had to do with the corporate response to the breach
in addition to the technical failure of the breach. Sure. There's an engineering problem, and then
there's a, hey, you didn't tell us about this type problem. Those are different and interesting.
Well, the fine works out to about 15 cents per user, 90 million divided by
600 million, which is still like...
Yeah, no, for sure.
It is both a lot and vanishingly little.
So that is what your privacy is worth 15 cents.
It's about 15 cents, yeah.
Yeah, yeah.
So, okay, I think we pivot off of this story.
We've been talking about meta a little too much, maybe.
I think they got the whole first half of the show.
Yeah, kudos, kudos to you, Mark, Marky, Mark.
I will say, Mark.
I like his little Latin shirts from the events.
I don't know if you watched any of those Rayban meta events,
but he's looking pretty flock.
I was about to sidebar to the same thing and be like,
whoever is like stylizing Mark Zuckerberg now,
like he's looking hip, like he's black t-shirt, gold chain,
like he's got his little vibe going now.
He doesn't look like, you know,
the Mark Zuckerberg we grew up knowing.
Yeah, because he was the sort of like archetypal wearing a gray hoodie.
Yeah, he was.
billionaire. He was in the Steve Jobs camp of like, I have one outfit. I can't remember what they call
this. There's like a life hack. It's like if you only own the same pieces of clothing, you remove the
decision from your day of what to wear, which makes your brain more effective for the rest of the
decisions you have to make in the day. Is what it is. But I feel like he's past that era. Maybe he's
not making his main decisions. He's got enough, you know, $375,000 a year plus people making his
decisions and doing his biddings. But now he gets to dress a little cooler, Latin shirts,
you know, black teas, gold chains. Totally. It's the chain, it's the chains in the, in the,
curly hair. It's working for him. Totally. Don't do so many privacy breaches, cool glasses,
nice shirt. Why don't we kick it over to the app?
Information. Please, I beg of you. But if we kick it over to the ad oasis, when we get back,
We'll talk about a very cool game design meets real world puzzle design story.
Deal.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agenetic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate,
agents that respond at machine speed,
and hundreds more that automate the repetitive work
that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works
with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform
so every AI-driven decision reflects your environment
instead of generic assumptions.
The automation frees your concierge security team
to focus on higher value strategy and proactive risk reductions
while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations
actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th.
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded,
and most importantly, what businesses can do to fortify their defenses for it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Oasis.
I'm trying to, like, do the music each time.
And then I've put the do, do, do, ch, ch, ch, ch, ch, of me saying it over it.
And the last time I did it perfectly.
I, like, I got the.
Oh, nice.
The beats right.
The timing of the drone.
I got the beats right.
Good for you.
Thank you.
I appreciate that a lot.
It means a lot to me.
So in the last episode of Hotline Hacked, we talked about, like, we talked about a story on that
episode.
You should go check it out.
It's a lot of fun where the caller hacked into a,
sort of like alternate reality game that was being used to promote a new album from a band
that they liked a couple decades ago.
And we talked about how neat big open world, like real world puzzles and live action
role playing games and alternate reality games, like how neat that kind of stuff is.
And like the next day this big story dropped about something going on from an indie game designer
that it reminded me of that.
I wanted to talk to you about it.
Let's hear it.
So Jason Rower is an indie video game designer.
It makes these very, like, thinky indie games, passage,
one-hour, one-life, castle doctrine.
Very philosophical.
Puzzle games on the scene.
Yeah, exactly.
And the new project that he's launching is called Project Skydrop.
And it's like a physical treasure hunt.
It's a real world game.
It's a departure from digital work.
And it kind of came off of the back of him just thinking a lot about,
Like you make these digital only experiences.
And on one hand, it's great, but there's something maybe that could be more satisfying about it.
So it's a treasure hunt, the northeastern United States.
It blends together like game design with physical outdoor experiences.
There's a gold trophy cast from 10 tri ounces of 24 karat gold worth around $25,000.
And you'll love it, a Bitcoin bounty with a total prize depending on the number of participants.
It started September 19th,
2024 with this YouTube trailer
kind of unveiling the project
and participants solve the puzzle
by analyzing these little daily updates
from a map that shrinks and gets smaller
over time kind of battle royale style
and drone images captured from
higher and higher altitudes above the Treasurer's location.
Very high concept.
I just find it fascinating.
I feel like the geo-hacker guys,
like the geocaster guys.
I feel like this is like a game for them.
Like if they can solve a geogessor in like one second,
like I want them to be like it's here.
Just ruin it.
If they posted a photo of the,
first of all,
the trophy looks cool.
It's cool.
It's cool AF.
It's like I dig it.
If I want it,
I'd have a hard time not wanting to melt it down and take the money from it.
But at the same time,
I think it just is very cool looking.
It's a nice job of the trophy.
but that's cool
I feel like if they posted a photo of it
in its final location
the geogessor guys would be like
oh they must have thought of them
these men must be just compromising
military operations around the world
like it is this
I was talking with someone about this
over the weekend it is such a superpower
when you see these guys
it doesn't even make for good content
because like an image flashes on a screen
and they were like that's a road sign
from Nicaragua and you're like that
I don't even get to watch you solve the puzzle
man you just knew immediately like
that soil that is the loam of Senegal. It's like, why did you know that?
My God. Totally. Totally. Like, if you look at the way that the power pole design is, it's definitely
Eastern Japan, not Western Japan, because the power poles use an extra pillar on this side and
only Eastern Japan. And you're like, oh, my God. But I, from a concept perspective, I love this.
Everybody loves a treasure hunt. It's great. It's like a child's birthday game, but like for 100K,
like let's go. For 100K,000. Estimated to be 100.
Okay, and you'll like this.
So the gold trophy, everyone look, look it up.
It's neat.
It's this kind of spirally thing.
He machined it in his basement, and it has like a mechanism in it that when you manipulate it the right way,
will reveal a 12-word sentence that unlocks the crypto wallet.
So the gold is worth a bunch of money.
And then a portion of the entry costs, which it costs, I think, $20 to take part in it
and go punting for this gold trophy that's worth $25K, gets pooled.
into the crypto wallet.
So the entry fee kind of goes into the prize, sort of like a lottery.
So it's a puzzle within a puzzle.
It's a puzzle within a puzzle, just the two.
It's a puzzle within a puzzle.
Maybe there's a puzzle.
I don't know yet.
Once you get into crypto wallet, it turns out it's not, I don't know.
Well, that's whatever.
We'll go there.
We had a whole episode about that.
I think I don't know.
Before we started recording, we were talking about how fashions kind of kick
them back to the 90s and stuff.
and I feel like this is kicking back to Indiana Jones kind of vibes.
Lara Croft Tomb Raider.
Like, this is like we're in it, you know, the cycles of society.
And I love it.
I wish it was closer to here so that we could participate.
But, you know, obviously, I think it's on the eastern coast of the United States.
It is on the eastern coast.
Do you want to know what's wild?
Literally since we, oh my gosh, I think yesterday, someone solved it.
Really?
Since we put together the notes and did the reading about this, literally.
I was doing a final Google as we were talking about this.
Someone solved it.
Okay.
So it's looking like it was near Irving, Massachusetts.
Sorry if we got you jazzed up to take part in this.
It literally just got solved.
It's done.
It is over.
It was a geogessor guy?
No, probably not.
Um, that's fascinating.
Dan Leonard, a meteorologist in Andover, Massachusetts was identified as the winner.
They used weather tools?
Not by the project SkyDrop, but by NBC affiliate news center, Maine.
That's incredibly fun. Good for you.
That was quick.
We were just, yeah, they just announced this pretty recently and made a whole slick YouTube video about it.
Ooh.
Bang, it's over.
Bang, it's over.
Wow. Okay. Well, you heard it here first. There was a cool puzzle and then a guy finished it. There we go.
He said it would have been impossible to solve if they didn't provide aerial clues or if they had cropped the temperature sensor data off the camera images.
Oh, that's fascinating.
The temperature sensor data and weather patterns helped him narrow down the area.
Sure.
And he was a meteorologist.
Good for him.
Yeah, good for him.
Oh, wow.
Solved on the woods of Wendell State Forest.
Huh.
I'm looking at an image of an image that he had mocked up of the areas that it could be in,
given the temperature data for the time.
So he solved it not just by clues and chance, but he used technology to solve it.
Good for you, Dan Leonard.
Hopefully you figure out the other puzzle to unlock the crypto and get all the money.
I wonder.
Yeah, because those are two very, very different skills.
Like clocking meteorological, am I saying that word right?
Have I ever said that word right?
Clocking weather data and from a video feed and using it to triangulate a location is a very different set of skill sets than probably whatever crypto word puzzle is going to unlock.
the rest of the money. Yeah, I'm looking at the, I'm looking at the trophy.
Given the holes punched and the processes, yeah, I'm assuming maybe it's a binary
puzzle. So if you haven't solved it yet, maybe run down that one. It looks like,
it looks like on off bits based on the, where the holes are punched. Could be, could not be.
Haven't looked at it much, but that would be where I would start probably.
Hmm.
Anyway, fascinating. Fascinating.
You big timeshare guy, Scott?
Added to questions I've never been asked by anybody in my life ever.
That's what I'm shooting for.
But somehow makes sense on this.
I'm going to go with a hard no.
I think I've stayed in them once in my life.
Yeah, once in my life.
Had an ex whose father was a big timeshare guy.
And so we stayed in a timeshare of his.
That was it.
That's my only timeshare experience.
It's all I got for you.
One more than me, man.
Hope that's enough.
Hope that's enough.
I'm not a timeshare guy either.
I think varieties the spice of life, same vacation over and over again.
Never really appeal to me.
Yeah.
Not my jail.
No.
There's a quote on escap shield security.com that warns owners of timeshares in Mexico,
that their investment is a target for cyber criminals and grifters.
And the irony of this will become apparent shortly.
Quote, by 2015, cyber thieves had realized the amount of funds involved.
and had targeted the real estate title and settlement industry.
As funded became more complex and risky,
agents and underwriters had little time of resources to pick up.
The industry needs a simple solution that allowed to keep pace
with the new funding security needs.
Now, this is true.
Time shares are often obtuse and really, really complicated investments,
air quotes, that have customers sort of like riding around
between middlemen in a country where they don't live
and regulatory hurdles to buy a product that they maybe don't even own
and probably isn't a good idea,
even if they did.
The reason that EscapShieldsecurity.com
claims that is funny
is because they are a cybercrime grift
targeting owners of timeshares in Mexico.
Classically.
And the weird part is that it seems like
it might have something to do
with the Mexican drug cartel.
Yeah, why not?
Yeah, mix it up.
Why don't you?
All the Russian, like, crime gangs got into cybercrime,
why wouldn't the Mexican ones follow?
It only makes sense.
Literally.
Like, if you think of some of the largest
criminal operations in the world,
some of which are like belong to countries.
Yeah, cybercrown.
Incredibly profitable.
You can do it in countries where your people don't live.
If you feel it by crypto?
I would say it's totally untraceable, but that's not true.
This is true.
Here you go.
Crabzon Security broke a story starting in 2022 about this retired couple from Ontario
about whether or not they were ever interested in selling their timeshare.
They had an interested buyer in Mexico.
The person said, would they be willing to sell it?
You can't sell them until they're fully paid off in a lot of cases.
They still load a little money, but the buyer was willing to cover it.
This all led them to a company called eCurrencyescro.lc.
They start going down this very involved process of trying to sell this time share to this theoretical buyer.
And at some point, after all the forms are signed, everything's faxed on over.
The couple is asked to send a small wire transfer of $3,000 to handle administrative and processing fees
to try again and navigate all of that bureaucracy that you face,
trying to sell something in a country where you don't live.
This was a scam.
This went on for almost a year.
They kind of keep sending them more money to try and pay off this,
to get through this process and pay off this balance.
And it turns out it was a scam linked to the Jolisco New Generation drug cartel in Mexico.
All along.
Well, I know timeshares often get sold,
as I think people buy them optimistically.
And there's an entire secondary market for buying timeshares
if you're ever in the market for one, Jordan.
So I can see the desire of why somebody wants to get rid of it.
And I can see the hook, like the bait in the hook here,
makes sense.
People often want to get rid of these things
and they realize that their long-term cash commitments
and maybe they're not going to use it as much as they idealistically plans to.
So, yeah, it makes sense.
sense, easy crime, easy money.
You know, the,
makes sense that it's organized crime as well.
Like the, if you're an organized
crime group that's not into cyber crime at this
point, then like, you know, what are you doing?
It's like,
easy money, there's no guns involved.
There's no massive drug busts and
governmental organizations.
I guess there are governmental organizations
after you, but I feel like it's less like
shoot them up, cowboy, you know,
drug cartel bustups, cyber
crime once seem a little bit more like people like me.
So what you're saying is that you think, you're saying go do cyber crime is what I'm hearing
from you and giving the chance to retract.
I'm saying at least.
Sure.
I'm saying at least once a year I wake up with a moral.
Right.
With a moral, a dream after a dream and I have a moral decision to make in the morning
of whether I'm going to go into cybercrime
because it just seems like it's too easy.
And I always morally choose not to, and so should you.
But I totally understand the motivation
of why people get into cyber crime.
Is that a good enough attraction or retraction?
That's really funny.
We've talked about ad...
No, I think that that's a really good retraction
because I have had similar thoughts.
We've talked about ad fraud on this show before
and just how easy it is to come up with like cool project
and then you sort of like walk your way up to add fraud.
And I had a dream the other day that I had, you know, those sleep podcasts where people like,
just like kind of like inanely droll on so that you can fall asleep to a human voice,
but it's not saying anything interesting or relevant to keep you awake.
I'd had this like nightmare that I had started one of those.
And I had inadvertently wandered my way into doing ad fraud.
And I was like, well, I'll get it started and I'll build an audience.
And then I just accidentally backed my way into doing a crime.
So I'm with you.
and I do think it would work, but I'm not gonna.
I'm not gonna.
I'm not gonna do it.
But I'm not gonna.
We're not gonna do it.
You heard it here today.
Hopefully this doesn't come back to bite us in the ass, Jordan.
When I definitely do that, when things get really dark and I start my sleeping pot,
I don't think there's anything wrong with starting a sleeping podcast.
Don't do ad fraud, though.
Your sleeping podcast is just use in a load.
like subtle tone telling people about like and that's why you should be sleeping on sleep blah
this mattress yeah totally starched it's like it's doing ad fraud so poorly and like you're just
actually reading the ad Jesus Christ um subliminal advertising a new trend brought to you by hacked
dot advertising sublim a subliminal sleep oh that's so evil that is that's that's that's that's
sucks too. Good stuff. Do we want to talk briefly about something that happened recently, which is
Chinese hackers accessing a U.S. telcom? I saw a tiny bit about this, but I didn't read up on it.
What happened? Yeah, just essentially what it seems like is a highly skilled group of Chinese
government hackers, cybersecurity, criminal, but not state operators, I guess we'll call them.
Is it crime? I guess it is kind of crime, but they're not criminal.
because I kind of associate the term criminals with large groups of people that are not government employees.
It's a crime.
It's at the behest of the people who wrote the laws.
For sure.
So they've apparently infiltrated a number of U.S. telecom firms looking for social information and bearing to national security.
So not good.
Again, not surprising, but also not good.
Justice Department and FBI both declined a comment.
Shocker.
Wall Street Journal, I think, was the first to break it.
Chinese embassy in Washington,
he denied that Beijing-backed hackers
had breached U.S. telecom firms,
calling the information, quote,
I'm just reading directly from CNN here,
calling that information, quote,
a distortion of the fact.
MSC spokesperson Liu Ping-U
accused the U.S.
of politicizing cybersecurity issues
to smear China.
Oh, yep, that's what you would say.
Okay, this is fascinating.
I'm just sitting here being like,
politicizing, I feel like cybersecurity issues should be politicized, especially given...
When states do them.
Yeah, and also like, you can't say that when it's like, like the U.S. is mandating that you,
like TikTok recently got, like this is another story that we talk about is like TikTok's
recently getting sued.
I think that dropped yesterday at time of recording about mental health issues that they're
seeing in teenagers. So TikTok is being sued by 14 United States states. So it's not actually
the nation. Like the nation is obviously attacking TikTok from like a you shouldn't be owned by the
Chinese government or by companies that have like a connection of the Chinese government. So we
want you to sell it. But then actually TikTok is being declared as essentially like a mental health
tool in a negative light. And it's actually being sued by 14 separate American states. So it's like
We're politicizing cyber issues already.
So like what's another one?
And like when you're hacking into a U.S. telecoms and looking at, you know,
for national security information,
I feel like that's something that I would like my politicians to talk about.
Yeah.
I don't think it's fair to say that, yes, I would agree.
I'm also just trying to Google whether or not meta products are available in China.
Because there's a fascinating world in which you end up in this sort of like,
regulatory lawsuit arms race where
American courts are suing companies with ties to
the Chinese government,
the Chinese court starts suing American companies.
Like, if Instagram and Facebook are available
inside of China and the argument is that
social media is a blight on our mental health,
that swings both ways.
Totally, totally.
Yeah.
It's a really complicated relationship the U.S. has with China.
Yeah, a big old thing.
Apparently, they're starting to sell VR gear there through Tencent.
So while the platforms, I think, aren't necessarily available.
They are beginning the long, laborious process of making their way back in there.
Selling neat glasses and cool Latin T-shirts.
In another odd pivot.
Uh, Tencent is apparently potentially looking and taking over Ubisoft to go and do a hack gaming conversation.
Yeah, sure.
Ubisoft's been in it a bit as of late.
I think yesterday at time of recording yesterday, I think they got hit for a data breach issue where they were illegally giving, data breach lawsuit or civil case, where they've been essentially illegally giving personal information to Facebook.
Not to mention some declining sales and budget overruns on a bunch of projects.
I think Ubisoft's not having the greatest time right now.
And they, apparently, Tencent, they're going to take them over.
Apparently, they're already a major shareholder,
and they might just scoop the rest of it up, take it private,
which would be, you know, given that Ubisoft has a number of,
I would call them, like, great legacy franchises.
You know, Assassin's Creed, Anno.
I'm trying to think off the top of my head some other ones.
But, yeah, I think that would be interesting.
interesting.
It seems like this is how we end up in a world where Tencent publishes 19 versions of Assassin's Creed every month, call it.
And that's what Ubisoft becomes.
That seems like where this goes.
If private capital and big takeovers of companies have taught me anything, this is how we end up with 400 Assassin's Creed's titles every single year.
One of several months.
One every month.
I don't know, I don't know. I don't know. I'm intrigued by it. I know there are some, like this year alone, I think, is it Wu Kong, Black Myth Woo Kong, a video game that came out? People like that.
Yeah, it's been, it built by a Chinese studio, received insane, like, reviews. Like, I think it's the highest reviewed game of the year. Apparently, it's also not up for Game of the Year in itself, which is its own controversy around it.
Yeah. So I'm not sure what the deal is there, but a very loved game, a lot of positive feedback.
And it's built by a Chinese developer. So if this is the quality of games that are coming out of Chinese developers now, then Ubisoft being taken over by Tencent could be good for the gaming community.
Oh, that's true. And to be clear, that was not me making a comment on its ownership being a Chinese company.
it was a commentary on companies getting bought by bigger companies.
Just to be clear.
And that game does look cool.
Yeah, yeah.
So who knows?
Who knows what's going to happen?
I'm hopeful.
It's our sidestep into hack gaming for the day.
We've got to do another one of those, like a full-blown one of those.
It can't be any more all over the place than this was.
Yeah, yeah.
I want to do, I want to do, so if you're still listening at this point, thank you.
I'm trying to do, we're putting together an episode content for,
hacked AI. So we're going to do an AI focused episode, which I think is going to be really neat,
getting some some neat guests on for that one, just talk about how AI is changing different
parts of their job and are different parts of their world.
Industry. Yeah. It's not just about work. It's about play and fun, too. So that should be
interesting. Doxing people on the street using your meta-raybans.
But yeah, I think another hack gaming's were due for. I feel like there's enough,
enough things to talk about.
I'd like to have some game devs on.
I think that would be really, really fun.
Yeah, we could do that.
We could coordinate that.
If you're a game dev, jump in the Discord, drop us a note.
Oh, yeah.
Yeah, far as an email at at hackedpodcast.com.
We'd love to hear from me.
Yeah, yeah, yeah.
So, especially, I would love to have somebody that works in an anti-cheat department,
if you're specifically.
So if you work in an anti-cheat department on a major video game,
Counterstrike, Call of Duty, Apex, something like that, I would love.
to, I would love to hear from your side of the coin what you're allowed to tell us,
because I'm sure there's a lot of things that would be behind NDA walls.
And if you would like to breach those NDAs, I'm not sure if I can say that.
If you would like to share a story with us.
Yeah, don't bring that heat.
I take that back.
Hotlinehack.com.
It's a great place to share stories with us.
We sure love to do longform interviews, but if you just got a fun, spicy tale of technology
gone amok, computer confession, whatever you got, hotlinehack.com, which you can get
through hackedpodcast.com.
It's a whole whole ecosystem
very hastily put up websites.
Share your strange tell.
We love to hear and we listen to them.
We've gotten some great stuff since the last one.
We're really excited for the next episode.
Hollandhack.com.
Get at us.
And you know what?
I'm going to say the call, I think maybe for the end of this episode,
tell someone you know about hacked.
If there's someone in your life
that you think would enjoy hacked podcast,
fill them in.
them in let them know we'd we'd love to have them in here um we we love making the show we love
getting new folks in getting their takes on stuff so yeah sure spread the word if you if you got
got it in yeah i can't say better than that so i think with that with that we just say goodbye
it's another one in the bucket thanks for listening catch in the next one take care