Hacked - FraudGPT + Chip Wars + Hacking Poker Machines + The Problem with Credit Bureaus

Episode Date: September 1, 2023

In this chat episode we discuss the new world of sketchy ChatGPT alternatives like WormGPT and FraudGPT, take a brief detour into the looming chip wars, before bringing it home with stories about a poker hacking scandal and a Telegram bot where you can buy social insurance numbers.

Transcript
Starting point is 00:00:00 Large language models like ChatGPT and Bard have guardrails. There's stuff they won't do, things they won't say. Just to make sure this was still the case, I asked ChatGPT, tell me how to defeat my nemesis. And it very politely said, if by defeat your nemesis, you mean overcoming a personal or professional rival or challenge in an ethical and constructive manner, here are some guidelines. To which I clarified, no, like I want to destroy them. ChatGPT, Bard, they'll all give you some answer like, sorry, I cannot and will not promote or provide guidance on causing harm or engaging in destructive behavior.
Starting point is 00:00:41 Guardrails. I feel like there's a weird, like, it's in its own moral and ethical quandary and the fact that it is kind of, its existence is semi-destructive to lots of people. They just stop being able to answer any questions. They're like, I'm going to put people out of work, so for that reason, I can't engage in any of this. I would love to help you write your copy for the review of the Samsung television, but this should just be a Fiverr job that you paid somebody to do. So here's a link to Fiverr. Take care. I would like to see that GPT model.
Starting point is 00:01:20 But we're all familiar with this in language models. We're really familiar with it in generative AI in general. There are guardrails against what it will say and what it will help you do. But pretty much the second you're introduced to multiple tools, all with roughly the same boundaries, curiosity invites the question, is there one without those boundaries? For example, one that you could give the prompt, write me a Python malware that grabs a computer's username, external IP address, and Google Chrome cookies, zips everything up and sends it to a Discord webhook that would get a result.
Starting point is 00:01:56 ChatGPT, Bard. They obviously won't do that, but one could. Brief detour, Hacked has a Discord. And two buds there, Zero and Ratsack, shared these two different stories back to back in the Story Ideas channel. About two products named accurately FraudGPT and WormGPT. And you're really getting what's on the box with these things. There are large language models that'll let you do computer crimes. That Python malware prompt I said earlier, that's from WormGPT. It's the example
Starting point is 00:02:33 when you go to the site. So let's take a look at a couple stories this episode, but we'll start there with the ever-evolving landscape of sketchy large language models on this episode. Dun-da-da-da-d-d-d-d-d-thrabble-ty-boop-boom. How you doing, Scott? Hi, I am tired, Jordan. How are you? I am wide awake. I have this problem where I am exhausted from a long weekend of playing in the smoky sun because there are forest fires everywhere, so there's bad air quality. And the coffee that I have in my espresso machine is tragically awful to the point that I won't even drink it.
Starting point is 00:03:34 So I am uncaffeinated and exhausted. I don't know if you know this, but that would make this the first caffeine-free podcast. Wow. Not of our show, but full stop. I think there's three million podcasts in the world. This is the first one. This is definitely the first one of ours.
Starting point is 00:03:53 Like, there's no chance that you've made it. I'm literally holding a cup of coffee at this moment. Any, are you? Jesus. Yeah. Envious. It's not good coffee. Rubbing into my face at this point.
Starting point is 00:04:04 I can't stress how bad this coffee is, but its volume is what I go for. I make like an iced coffee carafe the size of your head and it's just crushed through that in two days. It's not good. It's not good behavior. But you know it is good behavior. Oh, tell me more. Supporting tech storytelling and news at hackedpodcast.com.
Starting point is 00:04:24 That is great behavior. It's fantastic behavior. That is really deeply appreciated behavior. And people like Juan Pablo Gomez Postigo, I'm hoping I got that right. I didn't, I apologize. I think you did. Great behavior.
Starting point is 00:04:42 We really appreciate that. Kayla Cotton, it means the world to us. Thank you so much. Tane. Also amazing behavior. Tane, nothing but Tane. And then finally, Ross McCadamney, thank you so much to all our new supporters on Patreon
Starting point is 00:04:59 since the last episode. Your support means the world to us. If you like stories and news and conversations about tech and how people use it, and all the strange things get up to with it. You should join those great people. Hackedpodcast.com redirects to our Patreon. That's how you can jump into the Discord where we got a bunch of the stories for this episode. But it's also just a great way to support the show, help us make more stuff, have more interesting
Starting point is 00:05:25 conversations, do deeper dives. Totally. So again, if you want to support the show, hackedpodcast.com. Boop-y-doo-boop. I'm just going to start leaving the boop-y-dub-boop's in here. Because for years, I've been removing both of us doing weird little music. physical fills as transitions and adding in like musical fills as transitions and I'm just you know mowing over the same spot twice for no reason. That's true. We could just actually get complicated, you know, transitions that we make like maybe some small musical instruments that we play with their mouth. Oh, sure. Do it on mic. Yeah. Like a harmonica. And just do it live. Just do it live. Just shakers and gongs and stuff. I think that's fun. It's very old school. I feel like in like a harmonica.
Starting point is 00:06:12 the 60s on NBC, there'd be just a dude sitting next to a gong and a xylophone every time they needed to transition. It was his job to go, ding, ding, ding. Remember when we had the little mouth harp in the office? And I got pretty good with it. I'm not going to lie. You, I say this affectionately, could not handle the responsibility of having that mouth harp. That was, there was a good two calendar years that just firing at all times just outside of my field of view. And I think that's also when hoverboards were really popping off. So it was like mobile.
Starting point is 00:06:49 It was this like this mouth harp ripping back and forth around me. It's good times. Yeah, we have a playful office. Let's just say that. We have a playful office. So where do we want to go with the worm and the fraud and the GPTs? With the worm and the fraud. Let's talk about WormGPT and FraudGPT.
Starting point is 00:07:09 Let's just talk about, I just, can we just start one level up? I just want to talk about because I'm assuming and maybe this is my assumption that these people don't actually have their own large language models. That they've just figured out a way to get around the bumpers on the real ones. Maybe I'm incorrect in that.
Starting point is 00:07:30 Sure. So there's a lot of different products being discussed here and as we will discuss I think they're products of varying degrees of being real. But generally speaking, I think a lot of them work on open source language models. So there's a couple different models that are just available for anyone to use. And the question is how much data you then have to train it on.
Starting point is 00:07:54 The model is one thing, the training set is another. Is my layman's understanding of this whole thing. I know WormGPT uses the GPT-J model. Yep. But they actually trained it using ChatGPT, which just tells me, like, that's just an interesting, like you're using another model to train a model, but then they've been layering in their own data and stuff on top of it. So it's almost like they're, to me, it just reads like we've wrapped ChatGPT
Starting point is 00:08:26 and we know the prompts to get it to make things that it shouldn't. That's at least how I feel about it. Sure. But I'm not sure if that's true. I think there's probably ones that work that way, where you're basically just getting a ChatGPT wrapper. But let's start kind of where you have with WormGPT. A bunch of places have covered this, but Krebs on Security, the OG, did, I think, the best job, and he broke the identity of at least one of the devs.
Starting point is 00:08:52 So, depending on when you first learned about it, WormGPT was either a no-guardrails GPT tool explicitly for black hat hacking, or if you learned about it later, it would present itself as, you know, a privacy-focused, slightly more uncensored GPT alternative. There's been a bit of a rebranding, which we'll talk about. Even though. Even though on the front page of their site, the little image that pops up is, write me a phishing email and bang it responds with a phishing email. So it's like, you know, they know who their market is, you know? I didn't say it was a good ruse. So the story seems to start with a post from a user called Last on a platform called Hack Forums,
Starting point is 00:09:41 advertising this new product, retailing for between 500 and 5,000 euros, introducing my newest creation, WormGPT. Quote, this project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything Black Hat related you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home. Again, all sorts of illegal stuff is pretty important language there. So some security researchers try it, and you can definitely write a very boilerplate phishing email with it.
Starting point is 00:10:18 It will do that. That guardrail does not exist. That account, last, traces back to an older username, to another older username, which had been used on Instagram, connected to a guy in Portugal named Rafael Morais. He says, he's open about his involvement in the project and says he's one of several people working on it. Graduated from a polytechnic institute in Portugal, says he's about like a third of the team. Roughly 200 people have purchased the service to date,
Starting point is 00:10:48 according to Morais. And he emphasizes that his primary motivation isn't financial, but to serve the community. Quoting from that Krebs article, I don't do this for money. It was basically a project I thought was interesting. And now I'm maintaining it to help the community. Interesting.
Starting point is 00:11:04 The whole presentation of it, like when he makes the initial forum post about it, like just even the, The use of the word illegal to me is just like, I just want to say it's, I don't know what the right term is. It's not immature, but I would say it's unrefined.
Starting point is 00:11:18 Like normally you would say, you can do all sorts of stuff that are previously disallowed on other models. You don't just explicitly come out and be like, yo, we're here to break the law. Yeah. Like.
Starting point is 00:11:30 One, you can see him get to that conclusion in the wrong order. So there's this product. It can, you buy the license through Telegram. But the media picks up the story, I think in part because of that sort of inflammatory language that you identified. You know, it's self-identifying as a black hat tool for illegal activity.
Starting point is 00:11:49 So it gets a ton of attention. And all of those stories, they do two different things. The first is they respectfully, they really hype up what you can do with these things. Because I think there's a sense of, we've all seen how powerful ChatGPT is. Imagine what an evil version of it could do. And that the stories kind of really sell how powerful this tool is. When really it sure can write a very serviceable phishing scam email.
Starting point is 00:12:13 Great. So they're doing that as the new tool for hackers, but they're also shining a lot of light on an operation that is professing to be illegal. It is claiming to be a tool to empower people to do crimes. And you really get the sense that the people behind this tool get some cold feet. Because this is where we start to see a bit more of the rebrand, certainly in how he's talking about it to journalists and on some of the forums. Really negotiating how uncensored they're saying this thing is,
Starting point is 00:12:47 what they're saying you can do with this. Quoting again from that Krebs article, we are uncensored, not Black Hat. From the beginning, the media has portrayed us as a malicious large language model when all we did was use the term Black Hat GPT for our Telegram channel name as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world. And really, I think as with any project that starts with the removal of those guardrails,
Starting point is 00:13:14 they're now in the process of slowly adding them back in. Because, like, say you remove the guardrails to allow people to write phishing emails or write some malicious code, you still probably have a bunch of other guardrails that you want to leave in. Because even in that kind of black hat cybercrime community, there's still a ton of stuff that, to their credit, they will not tolerate. Quote, we have prohibited some subjects on WormGPT itself. Anything related to murders, drug trafficking, kidnapping, child abuse, ransomware,
Starting point is 00:13:46 financial crimes. We're working on blocking business email compromise too. Our plan is to have WormGPT marked as an uncensored AI, not black hat. The easiest way to get around this is you just say that you're making a research tool. Totally. You're just like, no, we want to take the bumpers off because we wanted to incentivize research. Also like we're doing cybersecurity research.
Starting point is 00:14:08 Yeah. Trying to see if these models can truly become compromising threats. Yeah. And then boom. All of a sudden you're a pro-academic researcher. Yeah. And not somebody who's like,
Starting point is 00:14:19 we're going to do a bunch of illegal things and give us money to help you do illegal things. It's like, well, now you're an enemy of most people. Yeah. You could do that by being the people that developed the open source GPT6B or whatever it's called that this thing is probably built on top of.
Starting point is 00:14:38 to empower people to make their own training models. That's kind of what you're describing. But the second you say, we're going to make our own version of that, dump a bunch of stuff that we scraped off the internet into the training set and monetize it, yeah, you've crossed some kind of a delta. Because really, why would anyone pay for it
Starting point is 00:15:00 unless it can do something that the other ones explicitly can't? And the only things the other ones explicitly can't do are crimes. WormGPT seems to be stuck between trying to court black hat users and trying to appear publicly as this privacy-centric GPT alternative. Meanwhile, that user, from the very beginning, last, is still posting on places like Hack Forums and more intense, like cybercrime forums, like Exploit, saying that the product, with the product, you can quote,
Starting point is 00:15:28 easily buy WormGPT and ask it for a Rust malware script, that he says we're working against most antiviruses. So kind of talking out of both sides in the mouth a little bit on this one. I don't know if you saw it, but Python is coming to Microsoft Office. So they're putting Python in Excel, which should be very exciting. Interesting. As a vector of attack. Sure.
Starting point is 00:15:53 Now you're taking out the old kind of Visual Basic style code and stuff that the macros are written and you're actually introducing Python. Interesting. Which these tools are good at writing now. So should be exciting times as Excel figures out the bumpers to put on the macros and stuff and whether they can be bypassed. Yeah. I think it's going to be in the same way that the last decade was a really important time for the bumpers of content moderation on social media. I think we're going to spend a good decade watching people figure out the guardrails around prompting.
Starting point is 00:16:27 Around AIs. We won't let these things do. Exactly. Maybe we'll wrap on WormGPT before moving on to FraudGPT here. And Krebs asked a very important question that I hadn't really thought of, which is, oh, what are some white hat uses for WormGPT? To which Morais replied, you know, you can use it to fix issues on your website related to possible SQL problems and exploits. You can use WormGPT to create firewalls, manage IP tables, analyze network code blockers, do math anything. And it is worth noting that if that is the art, like that,
Starting point is 00:17:00 is the product that this is sort of publicly claiming to be, that the guardrails on much more advanced tools like ChatGPT and Bard do both of those things just fine. They will help you do security programming to the best of their ability. WormGPT's niche either is or isn't the wormy stuff, the underground kind of things. And I'm really curious to see how they sort of try to navigate that rebrand. Yeah, I feel like you just take it down, put it back up instantly as a cybersecurity research tool and move on with your life. Exactly.
Starting point is 00:17:33 You know, everybody likes to push the limits of tech and everybody likes to do research. Totally. You know, discover things they can't discover. And, you know, I don't know. To me, that was just a branding error. Well, if we're calling it WormGPT was a branding error, let's talk about fraud. So WIRED did a big piece on this. And I think we can spend a little less time on it.
Starting point is 00:17:55 But really the big idea that this story brings up, and it's not a lot of the big idea. not making necessarily a claim about frauds, but it really is evoking the idea that one of scammers' favorite targets are other scammers, and that download something to access this flashy new AI scamming tool is
Starting point is 00:18:14 pretty great bait for scamming scammers. It seems to be a running trend in our topics these days, the scamming of scammers. It really does, doesn't it? Scamming the scammers. As targets go, they seem to be a pretty good one. So security researcher Rakesh Krishnan over at Netenrich
Starting point is 00:18:33 sort of seem to discover this product. It's being sold on various dark web forums and Telegram for 200 bucks a month or $1,700 a year. And there's uncertain evidence on this one of any actual buyers or users, even as it's been getting a lot of media coverage. Sergey Shykevich over at Check Point kind of made a distinction between WormGPT and FraudGPT, which is why I wanted to talk about them both.
Starting point is 00:18:59 WormGPT is an actual tool that you can use, and he is quite skeptical about FraudGPT. He actually just thinks it's a fraud. He thinks it might actually just be a fraud. I don't want to put words in his mouth, but I can understand why someone would create a fraudulent version of one of these tools to try and scam people that want a fraudulent version of one of these tools.
Starting point is 00:19:19 And I feel like they've just come straight up and given it the proper name, if that's actually the case. If it is just a scam, you know, calling it FraudGPT, you could be like, well, you know, we called it a fraud. Like, you know, this is kind of buyer beware. This is on you. Totally. And kind of looking into FraudGPT, it seems like there's not a ton of, there's a lot of discussion about it, but there's no, like, it's not as public as WormGPT.
Starting point is 00:19:45 So you really have no idea. You need to almost find somebody who spent the money on it to figure out what it's capable of and what it is or what, you know, or spend the money. you know, yourself, which I won't do, given the branding name of it. Precisely. But, you know, you have really no idea what it is capable of. Maybe it's even better. You know, like I've seen some of the examples and stuff of people like making phishing websites, using it and stuff like that.
Starting point is 00:20:13 But, you know, that also seems like something you could pretty quickly do with you source and ChatGPT. What FraudGPT really suggests to me is the future where, you know, we go back to WormGPT's guardrails, the one that they're saying they are adding back in. It won't help you do a murder or traffic drugs or kidnap or abuse. Those kind of things that are outside the scope of cybersecurity is going to be the very strange world of people creating fake AI tools to help people do some of the worst things people can do to target the people trying to do it. It reminds me of the are there any actual Darknet hitman episode that we're going to. Yeah, yeah, right.
Starting point is 00:20:53 It's like there aren't really hitmen on the dark web, but there's a lot of people scamming people who want to hire hitman on the dark web. And I think that that's probably going to be where this goes in the long term. There will probably eventually become some like amalgamation. And one of these things will emerge as the actual, actual successful black hat one, and law enforcement will inevitably go after it.
Starting point is 00:21:14 But there will be a great number more scam versions of GPTs and AI tools that don't really do what they do or do a pretty bad job, but are really more about targeting the people that want to use those tools. Yes. Yeah, I agree with you. The other thing, too, is that I think the, yeah, it's hard to justify that you've spent $1,700 on something called FraudGPT when you contact PayPal and say, hey, can I reverse this
Starting point is 00:21:38 transaction? You know, same kind of thing as the hitman thing. You wire somebody $20,000. And then you call your credit card company and be like, well, I was actually paying for an assassination that didn't happen. So I'd like my money back. Hey, it says here you want your money back for a purchase of something called murder GPT. What's that about?
Starting point is 00:21:58 You're like, oh, it's really what was on the box. I was just looking for advice to do a murder. Jeez. Yeah, that's definitely going to be a thing. There's a, like, I wish, I wish I knew FraudGPT. I wish I knew if it was actually just a fraud, if it was a scam. Because I got to say if it is, I respect the branding. But they just came out straight.
Starting point is 00:22:23 That's true. Nope, this is a fraud. Send us money and we'll give you access to this tool. Just kidding. You got conned. It's like, oh, it's GPT for doing fraud. They're like, we did not say that. We said it is a fraud GPT.
Starting point is 00:22:37 I don't know how you're angry at us. Thanks for the big. You've been scammed. Good day. The whole GPT AI world, like I know it's just kind of blown up. Like if you watch any investment news, like it's the number one trigger for what's going on. Like, Nvidia's stock popped.
Starting point is 00:22:52 Like the, you know, boomed. As the, just hockey stick last week. As the Bitcoin craze hit and died. And all of a sudden, mining was no more. Everybody was like,
Starting point is 00:23:02 oh my God, Nvidia's shares are going to die. And then they like quartered. And then boom, all of a sudden it's like, AI is powered by Nvidia chipsets. And then it's bang, it's straight back up.
Starting point is 00:23:13 I know Microsoft's, totally. Microsoft's working on an AI powered assistant, like a proper large language model assistant that integrates across their office suite as well as the Azure platform. So it's like, yeah, AI is here. We are in the moment.
Starting point is 00:23:34 And it's going to be interesting to see if it becomes, you know, 3D TV or whether it's going to become, you know, something else. So it'll be, I don't know, I'm excited by it. I think it's going to be cool, you know, especially if they start developing it into business. You know, like, we can look at the, we've talked about this before, but like when you look at, you know, productivity from a unit of labor as we go back into economics as I often do, sorry people. Sure. The productivity constantly, you know, computers make us more productive.
Starting point is 00:24:06 All of a sudden we have networking. All of a sudden we have, you know, this. We have cell phones. We have, you know, microcomputers who carry with us. And it just makes us more and more and more effective per unit of human labor. and I feel like with gross adoption of these kind of things, like when I open Google, get an email and hit reply, and it's pre-drafted me a response based on the content of the email that I got,
Starting point is 00:24:30 like that's a productivity enhancer. Maybe I have to edit it, but it's still a lot better than if I had to write it myself. Yeah. And it's like I just feel like we're going that way, so it's going to be exciting times. Yeah, 12 months ago, an email that you might have had to tweak, still would have had to have been generated by like a person in your employment.
Starting point is 00:24:49 Yeah. So there's really no pretending we haven't crossed some kind of a line. Yeah. Even if we are in that kind of like trough of disillusionment of what they can do, that oh my gosh, eight months in, they haven't replaced everyone. It was all made up. It's like, no, we're at the beginning of a very, very, very long tail with these things. We've been using kind of AI and statistical modeling and stuff like that for spam prevention for decades now.
Starting point is 00:25:14 Yeah. And I feel like we're getting to that point where we're going to start to see these models. You know, we might actually be able to use email again soon. You know, we'll have cybersecurity AIs. Yeah, sure. Yeah, and they might also, any links in an email, they'll open in a sandbox, do a full sweep of the code on the other side. Like they'll get the source of the website, sweep it, verify all those links are valid.
Starting point is 00:25:43 There's nothing malicious about it and then allow us to open those links or else they'll just remove them or remove the email entirely. Sure. So I think the counter side of things writing crappy phishing emails is that we might get some AIs that do some good for us and stop us from being phished. I wouldn't be mad about that. No. I think we're going to need to not to get ahead of ourselves. But I recently heard the term. And I'd probably heard it before at some point in my life, but I really clocked it.
Starting point is 00:26:13 the other day was I heard the term chip wars the other day. Like that's a that's a fun new expression I'd never really thought about before. I think at some point on the show we're going to have to do a deep dive into like the ecosystem of you brought up Nvidia but like chips and semiconductors. Yeah. Because as we move into this like AI gold rush era, those are the pickaxes. Wow. And they're this like physically produced commodity that is deeply political, deeply geographical. It is probably going to be the like focal point of some like very serious conflict over the coming years and decades. And I want to understand it more. Well, do we want to just tack that on to this chatty chat episode?
Starting point is 00:26:54 We can have a brief chat about it because I've been following it. I'm very intrigued. Well, why don't we, why don't we get over to commercial? And when we come back, we'll talk poker. We'll talk credit checks and we'll talk chips.
Starting point is 00:29:51 Aside from just the AI war and the pickaxes, as you were mentioning, in the caves and mines of artificial intelligence, chips are in COVID, obviously, you know, there was massive logistical headaches and issues. So, like, the fact that vehicle prices went crazy. and you couldn't get vehicles and used cars were selling for so much. You know, you had an entire auto dealer lots full of pickup trucks that you could buy, but you couldn't take because they were still waiting for some of the primary chips to go in them.
Starting point is 00:30:34 So it's like it's not even just in the AI battle. It's in everything now. Like there's chips in. Totally. I have 40 devices on my desk and each one of them has probably 10 chips in them. different types of chips. So, yeah, I think the, I think that COVID shined a spotlight on the fact that, wow, these are actually very important now to not only daily life and productivity, but national security and the economy. So all of a sudden they became a point of political, politicization around them is, oh, my,
Starting point is 00:31:16 God. So America has been incentivizing companies creating essentially semiconductor chip factories in the states. So I know Texas is getting a bunch of new development in that regard, new companies opening and moving, and kind of quote unquote, state-side development of chips and manufacturing of them. So it's a huge deal. Yeah, the question that got me onto it, and this is maybe spoiling some of the early writing I've done for that little chipped series I want to do. Oh, no. No, no, no, in a good way.
Starting point is 00:31:52 Let's talk about it. Because I find it interesting. So it's like once you accept the premise that these semiconductors are going to absolutely everything, you kind of also then have the thought of like, well, that means there's a great number of them. So like there's so, so many of them. What would it mean if we were producing less? What would mean if they were the heart of a trade war? And the thing that I bumped into that I didn't really appreciate is that chips have
Starting point is 00:32:16 a life cycle. And that felt like kind of a light bulb going off for me. They get older and they eventually die. The thing that empowers pretty much every piece of technology, every tool you use on a day-to-day basis has a life cycle. There's like really interesting science of why that happens. Electrons getting caught in these little loops that can just sort of like slowly degrade inside of a semiconductor. It's a bit above my head. But once you accept the like the premise that this isn't just a product, it's a disposable product. It is a product. You have to be constantly, making new ones of because on a pretty short timeline historically the ones we have will eventually burn out yes um maybe not today maybe not tomorrow but like eventually they're not going to work anymore
Starting point is 00:32:58 so you do even if you stop making them better you still have to keep making more and some of the biggest um factories and centers of production for these are in some of the most like politically contentious regions on earth and we sort of just like walked backwards into that problem yes that we're now trying desperately to work our way back out of. Yes. They're going to be the commodity we fight over, I think, over the next, over the coming decades. Yeah, that's, that's where this might go. Here's the thing for me is that I'm, I'm less, I'm less in that camp. Oh, yeah? I think that there's a five-year window here where people have realized how important they are. Sure. The manufacturing of chips and integrated circuits and stuff like that.
Starting point is 00:33:44 And yes, they do have a typically have a lifetime. Like, you're a synthesizer guy. And I know there's ICs and stuff that can go in synth chips that break. And they'll literally just crack sometimes. And then you have to unsolder... yeah, I think you're a Game Boy guy too, aren't you? So like change the chips on boards. Anyway, the thing for me is like I'm not, like, they're not like lithium. No.
Starting point is 00:34:10 Like I'm more worried about finite commodities. The manufacturing creation of basic chips is pretty, I don't want to say it's easy, but it's a solved problem, well known at this point. Yes. You know, there's always innovations of it. You know, we're talking like, I think NVIDIA's down to like five ridiculous shit. Yeah, like super fine,
Starting point is 00:34:33 which also probably just shortens their lifespan. Like I have one of AMD's new chip sets and I know that if you can get any extra heat on it, if it's not cooled excessively perfect, it will actually destroy itself. So anyway, that's a roundabout way of saying, I'm not too worried about it. I think that people realize how important they are to day-to-day life and given the political uncertainty in the world for economic health, state health, security health, national security health, you need to make sure that you have them.
Starting point is 00:35:10 I don't feel like there's like a vault of them that we're going to go to war for like oil because that is a finite commodity. It's like chips are like we can make our own. Sure. Silica is plentiful. People just need to make them and that's why you're seeing in America right now where they're just like, okay, this is a problem.
Starting point is 00:35:32 Here's X billion dollars and we're going to incentivize the development of this industry because we see this as being a potential future problem if we have a massive contentious trade war with China. Sure. Like Americans still need vehicles and they still need computers and et cetera, et cetera. I certainly, I hope that's true, obviously. I definitely hope that that's true.
Starting point is 00:35:57 I'm always impressed by the ways that countries and powered interests find to, like, mess with each other the second they have control of, like, an important commodity. Yeah. So I'm, and I'm just sort of, it's really dawning on me at all how important this commodity is. So I'm hoping everyone's chill about it. The thing for me is I'm more, I more hope that the humans that are in charge of making it less, making it more chill, i.e. the bureaucrats that are, you know, in Washington and other countries looking to create new industries for it, don't mess it up. because humans are the biggest fault in this.
Starting point is 00:36:41 So it's like I know that we can do it. I'm not too super worried about it. I agreed. It's just whether they drop the bag, you know? Yeah, because it's a big bag. Yeah. Yeah. Want to talk about poker?
Starting point is 00:36:54 Yeah, I love poker. Should we just play poker? Should we have like a patron poker night? Ooh. Ooh, that's fun. $5 buy-in? Who's in? Jump in the Discord.
Starting point is 00:37:06 If you're into a, into a patron patron poker game, I'm super keen. That's pretty fun. It wouldn't work well in an audio platform, but we sure could do a video stream. Yeah, we just do like an online tournament.
Starting point is 00:37:22 That'd be fun. Anyway, digressions aside. So last September at Los Angeles's Hustler Live casino, there was this big kerfuffle in the world of professional poker. To skim off a lot of details, a relatively novice,
Starting point is 00:37:38 player called a very improbable bluff of a veteran player. They made a call, wild odds, really bad odds for this shot they made, but they win the hand. And immediately everyone says this is cheating to the point that there is like a full-on investigation of this, this hand of poker basically. Yeah. And the investigation comes back clean. But in the post-mortem, the event investigators make this claim, basically saying,
Starting point is 00:38:06 if any cheating had happened, which it didn't, it wasn't anything hardware related. It would have been something social, a player collaborating with someone on the inside, which they had used the cameras and they had disproven. But they were very adamant that it wasn't a hardware compromise. Why? Because the Deckmate shuffling machine is secure and cannot be compromised. That was the claim. Deckmate, for anyone that doesn't know, is the most commonly used shuffling machine
Starting point is 00:38:36 in the world. And this event makes this claim: it is secure, it cannot be tampered with. And some guys at a security research firm took that claim personally. Recently, the Black Hat Security Conference was held in Las Vegas. And at that event, security researchers Tartaro and Nissim
Starting point is 00:38:53 and Shackelford from IOActive unveiled their findings on the Deckmate, this very prevalent automated card shuffling machine. What they found is that the Deckmate 2, the sort of most up-to-date latest version of this product, does have a vulnerability. If a device is plugged into the exposed USB port on the Deckmate 2, typically it's like
Starting point is 00:39:16 on the underside of the table sometimes, the machine's code can be tampered with. They were able to do this in a lab setting, allowing full control over the shuffler. The Deckmate 2 features an internal camera that verifies the presence of all of the cards in the system. Intruders were able to access this camera to determine the deck sequence in real time and transmit that data via Bluetooth to a nearby device. And they emphasize that this technique granted them pretty much total control over the shuffler, enabling them to predict every other player's hand.
Starting point is 00:39:46 Read a little bit more about it. The hacking method can be applied to pretty much any card game, but it is super useful in Texas Hold'em poker, which I think was their case study based on the story that sparked all this. In Texas Hold'em, as you know, discerning the deck sequence allows for the prediction of each player's hand, really regardless of their actual choices in the game, even if the deck is cut by a dealer,
Starting point is 00:40:07 a cheating player can deduce the card sequence as soon as the initial three flop cards are shown. Do you play poker? I do play a little bit of poker. Not a ton, but a bit... But you have played poker? I'm familiar with the basics. It's not really important to the story.
Starting point is 00:40:24 The thing that I find most interesting about the story is that, like, you should never claim that something's unhackable. That's literally just telling... Right, right. A massive group of... highly skilled, curious puzzle solvers
Starting point is 00:40:36 that there's a puzzle over here that they need to solve and you're always going to end up on the losing side of that usually. Yes. Yeah. Yeah, I don't, obviously, like, they're, like when you read about their kind of hack
Starting point is 00:40:52 and their implementation and stuff, pretty sophisticated. The other thing you can't overlook is that the, like, in the initial incident, like there's a lot of, like, If you've ever watched poker or been in any bar where there's this poker randomly on TV, which is the... A lot of bars.
Starting point is 00:41:09 There's obviously micro cameras in the cloth or like along the edge of the table, right? Because they see the... Or from the bottom looking up so that the production people can see the cards so that they know what you have. And then they throw it into the computer and it calculates all the odds and you see all that stuff in real time. So there's like there's more technology here than just the Deckmate. So to say that it couldn't... you couldn't be hacked, and there's no problems there because the Deckmate's unhackable. It's like, well, there's so many other things going on at a televised poker table.
Starting point is 00:41:42 And so many people that it's a wild, wild claim to say that it's, well, the deck shuffler is fine. It's like, well, what about the other 38 fail points? Exactly. So the manufacturers of the Deckmate did respond to this demonstration saying there is no proof that one of these devices has ever been compromised in this way in a casino. The obvious response to that is that if there had been and it was successful, we sure wouldn't know about it. But what's interesting to me about this is if the idea is that, yes,
Starting point is 00:42:16 this USB, if you were to plug into it, is vulnerable, but there are so many other security infrastructure elements surrounding these machines when they're actually being used that actually realizing that compromise is impossible. If that's the argument, what you're really arguing is that, yes, we are selling a vulnerable but its use is invulnerable for reasons that have nothing to do with us.
Starting point is 00:42:36 Casinos are invulnerable, but our device is a very strange argument to me. There is a bunch of regulations surrounding this. Like hashing functions are like regulated at a state level. It's like they've gotten, the regulations have gotten quite into the technical weeds when it comes to gambling tech, I guess. But IOActive argues that like this is the tip of the iceberg,
Starting point is 00:43:00 there are pretty deep security issues in a lot of the stuff being used inside of casinos. Yeah. Currently today. Any of those pieces of hardware. Yeah. Like, how do you make something tamper-proof? You know, we've spent...
Starting point is 00:43:18 Well, here's the wild thing. The Deckmate one didn't have a USB drive. Like, the first version of this product didn't have a port. They still found a way to compromise it, but they had to hack it open. Yeah. It's like, well, that's better. Because maybe don't put a hole in it.
Starting point is 00:43:31 The other thing too is like casinos don't really care about poker. They care about it in the sense of people play it and they make money from it but they don't care about the outcome.
Starting point is 00:43:42 Interesting. VLTs and such they care far more about. Sure. But it's like if one person on the table loses $1,000 to another person on the table, they still get the rake.
Starting point is 00:43:54 And it's like they're good. They're fine. And they know that that person's going to then walk over to whatever blackjack and lose it on blackjack or take it to
Starting point is 00:44:02 one of the other games and it just it is what it is. Like the house wins. That's why you never hear of casinos going bankrupt. So to me it's like if you can make these devices
Starting point is 00:44:15 and make them secure, the house has no motive to cheat. They don't care. Something like L.A.'s has a live casino like if you've ever seen it on YouTube, pretty popular poker channel. Okay.
Starting point is 00:44:28 Is they they might have a, bit of bias in it because there are regulars and there's personalities that play in it. You often see like somebody sent me a clip from it the other day. One of my group chats came through and it was one of the players was the founder of DoorDash. Like there's quite frequently like relative like nerdy celebrities that we'll go through and play. I can see them having a bit more motive to like, but I wouldn't see them wanting to tamper with it. The host really doesn't win in that case.
Starting point is 00:45:05 Sure. The reality is too, is that just poker is a game of insane luck. Like I played a lot of poker a few weekends ago and I got beat all in by a guy who hadn't looked at his cards. Sick. I'm not glad you were. lost but that's pretty metal. It was, so the, I had an ace 10. Okay.
Starting point is 00:45:32 And he, and they didn't even look at their cards. I went in, like, whatever, went in something, something else. It was just the two of us left. Still hadn't looked at his cards. The flop came, and it was an ace queen 10. So I had two high, two pairs, like, like high, and I had like the nuts pair, like I had the aces. Yeah.
Starting point is 00:45:50 So I was like, I'm all in. He calls it. next two cards still doesn't flip his cards because he hasn't looked at him yet I flip mine so I've got the ace 10 it's like a six and a two rainbow like there's no flush potentials no anything and he rolls his cards
Starting point is 00:46:07 and the first one's a queen so he's got a pair of queens but I've still got the ace pairs and he rolls the second one and it's another queen so he had three of a kind queens blind the only like realistic hand that could have beat me he had blind So it's like you can't just look at one person calling a bluff and be like,
Starting point is 00:46:27 and be like there's cheating happening. Anyway, that was a long way for me to vent some frustration. Yeah, you just needed to get that out. And I get why because that's infuriating. Yes, yes. So there's a lot of luck in it. So, you know, especially with players that aren't super skilled. Like when skilled players look at bad plays by bad players,
Starting point is 00:46:50 they think that there might be maliciousness in it, but really they're just probably not that good. There's a lot of luck in it. I personally, I enjoy a game of poker, but I'm not a big gambler. I want the gambling tech industry to keep making large claims about how locked down their shit is. Just to keep inviting the ire of security researchers.
Starting point is 00:47:13 If that's where all this goes is just people releasing new, purportedly unhackable pieces of gambling tech, and then people just hacking the crap out of them. Yep. And we just go back and forth with that. I'll watch that show all day. That sounds awesome. Well, there's also another fascinating side to this in the sense that like
Starting point is 00:47:31 gambling is such a tax generator, right? Like everywhere that there is gambling, there are massive amounts of tax being collected on it. Like casinos pay. Yeah, bad odds are profitable. Yes. So like not only are casinos like great businesses, but they're generally large contributors to our social systems. So it's this interesting give and take.
Starting point is 00:47:53 And so I'm pretty sure in most jurisdictions, like tampering with gambling machines is like a massive, massive crime. Because it's like you shouldn't be trying to rig the odds. Sure. So like all of the people. Yeah. But so like all of the people, like whenever people think about hacking casinos, they think about the patron hacking the casino for profit,
Starting point is 00:48:17 not the casino hacking the casino for question mark, maybe profit, maybe. So this kind of rings, and this is just because I've been playing a decent amount of chess lately too. This brings me to the chess cheating scam. Yep. Same kind of vibe. Yes, it does. Yep. Yeah, as well.
Starting point is 00:48:46 So the. Yeah. That was an interesting story. Magnus Carlsen accused Hans Niemann in a live game. We're not talking about, I don't know. I'm pretty sure it was in a, I think it was a live game, wasn't it? Anyway, there was rumors that he, because his moves were so unpredictably good. And there's like this entire chess AI now that rate your moves.
Starting point is 00:49:15 and he was making the best logistical, like, probabilistic quality move every time. Yeah. Or something like that. So they essentially accuse him of cheating. Yeah, it was that they were, it was the intersection of weirdness and effectiveness. It's like they were unintuitive moves that were really, really effective in a way that sort of read to players as like this field robot. It doesn't feel in keeping with the way this guy has played for a while. We have a big data set on how he plays, this seems out of keeping
Starting point is 00:49:45 with that and he's really, really crushing it. They just settled, just settled on this lawsuit. But there was entire rumor, like there was conspiracies about like vibrating, you know. Yeah, oh yeah. Anal beads. I guess there's no other way to say. Yeah, we can just say it. Yeah, talking about a chess bot plug.
Starting point is 00:50:06 Yeah, yeah. I followed the story. Morse codes you the move. Yeah. And it was just. Even just like a simple, like don't make that move. Even a little bit of feedback could be immensely useful for a person playing at that level of chess. Anyway, so rigging poker card shufflers kind of rings this into my head for no reason.
Starting point is 00:50:32 Now we're just on a tired, exhausted podcast creating side trip. But a fascinating story nonetheless. Let's wrap it up by talking about the most interesting, exciting, provocative topic of all: credit bureaus. Yes. Do you know something I learned recently? Before we even get gone, I just want to jump in here. Hit me. Canadian credit scores are out of 900, and apparently American credit scores are out of 850, and I did not know that.
Starting point is 00:51:00 Yeah, I think I listened to like a financial advice show once years ago, and they kept referring to credit scores. And I was like, these people's credit scores aren't as good as they're saying they are. And I realized later that we just have a different like metric. We're grading on a different curve here in Canada. 82% of American adults had a credit card in 2022. And credit card applications lead to this. And credit cards in general are leading to this constant data transfer between people and credit bureaus.
Starting point is 00:51:30 Credit bureaus are supposed to play a role in fraud prevention. But at some point, credit bureaus realized that they had this really valuable trough of data and decided to diversify its use, let's call it. Okay. We started selling off something called credit headers to other companies. Obviously, there's a lot of information they can't sell. Regulation prevents it. But the credit header, which typically contains a person's name, birth date,
Starting point is 00:51:55 current and prior addresses, and social security number, as well as their telephone number, are all part of this little packet of information that they are allowed to sell to third-party companies. So it's like the ultimate dox? It's like, not only do I have your name, number, and address, but I also have your credit score and your social security. So it's like, if I'm going to steal your identity, I have the starter pack. Precisely.
Starting point is 00:52:19 This information is purchasable by other companies. Yeah, it's super cool and good. And basically, because this information is relatively, it's meaningfully less locked down than a lot of other information regarding your credit and financial history. It has become a big cybercrime spotlight has been shined on top of it a bit. The reason we bring this up is because 404 Media, which is this really cool new media operation started by a bunch of ex-Vice tech reporters, broke this story about a Telegram bot in which you can purchase basically credit header information. 15 bucks in Bitcoin with an extra option for the social security number at an extra $20 bill, you can purchase a person's
Starting point is 00:53:01 information through this bot based on pretty minimal input, typically their name and the state that they're operating in. I find it so funny that we spend so much time trying to protect a lot of this information, and then you can just buy it online. Oh, completely. It's also very, very difficult for, there's a lot of different tools that you can use, like consumer-facing tools for getting your information pulled off of different databases and stuff online, products that will just reach out to them and get your stuff pulled.
Starting point is 00:53:29 We've worked with them before in the show. And credit headers are apparently one of the most difficult things to have pulled from these sites. So there's a service for accessing these called TLOxp. I'm not sure if that's how you actually pronounce it. It's capital TLO, lowercase XP. It's owned by TransUnion. It is so popular for use among cybercriminals that the term to TLO someone has become a verb in online hacking forums.
Starting point is 00:54:00 TransUnion acknowledges that there has been unauthorized access, but they emphasize obviously that we're trying to stop this from happening. But it doesn't change the fact that these credit headers have, they've sort of leached out into the community to the point that now that there are very easily accessible tools that with very little information, you can find a person's credit header information. The sort of pilot project for some of these, or like the test case for some of these has been,
Starting point is 00:54:27 can we get Joe Rogan's social security number? Can we get Elon Musk's social security number? And the researchers were able to find this information on pretty much anybody you can think of. Right now it looks like credit bureaus. If we're trying to trace this back to its source, it obviously arrives at credit bureaus. They're the ones who are selling off this little sliver of information to different people, and it's only as secure as the people they sell them to.
Starting point is 00:54:51 I got news for you. Hit me. TLOxp has rebranded. That's now called Tru. TruLookup. Oh. So the verb's going to have to change. To truth somebody.
Starting point is 00:55:06 You know what's funny is it probably won't. It'll probably keep being to TLO someone and its meaning will just like fade into obscurity. Exactly. And then 20 years from now somebody else on some other podcast will be like, TLO, where did that start? Totally. And they'll be like, well, in 2003, Jordan Bloemen of Hacked Podcast. So this is such an essential part of doxing people at this point. It sounds like that there is probably going to be some sort of a legal response to it.
Starting point is 00:55:36 The Credit Fraud and Prevention Bureau is considering new rules and regulations for credit header data. We've recognized that this is a problem and a vulnerability, but these rule changes are still in their earliest stages, if anything, has ever really realized. Because again, there's a lot of people making a ton of money selling these things. So there's going to be some pushback. But it is to say that this credit header data poses a significant privacy and security risk. And folks should know about it. Crazy. Interesting story. Yeah, it's a fascinating. Well, WormGPT, FraudGPT, Black Hat, poker cheating, and
Starting point is 00:56:11 Telegram Credit Score Vending Machine Bots. Yeah, thanks again for everybody listening, and special thanks to all the patrons and people in the Discord and people that follow us on our largely muted social media channels. We will... We appreciate you.
Starting point is 00:56:27 Have an update on merch very soon. I know we've repetitively said that, but we are just in the process of waiting for some finals. soon, soon. We have been, we're stitching the t-shirts ourselves, that's why it's taking so long. I've been screen printing hats in my bathroom. Yes.
Starting point is 00:56:45 Covered in chemicals. It's just taken along to me. So, so yeah, but thanks for everything. We'll see you guys soon and, yeah, have a great couple weeks until we see you again. Catch you in the next one.
