Hacked - Hotline Hacked Vol. 10
Episode Date: March 2, 2025Double Digits! Featuring caller stories of sarcastic keyboard pranks, failed SEO birthday gifts, vending machine hijinks and more. Hacked is brought to you by Push Security—helping companies stop ...identity attacks before they happen. Phishing, credential stuffing, session hijacking—Push tackles it right where it starts: in the browser. Smart, seamless, and built for how people actually work. Check them out at pushsecurity.com. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Thank you for calling Hotline Hacked.
Share your strange tale of technology, true hack, or computer confession.
After the beep.
Hi guys, I love the show.
Even though I'm not a programmer or a hacker, I'm an hardware designer that occasionally do some low-level C in Python.
I also love a good prank.
One day I saw a Reddit post about a guy creating a sarcasm keyboard.
Basically a device that took the input from the keyboard and toggled shift for every character.
I thought it was the coolest thing ever.
I just had to make one.
Then I realized that this could also be a fantastic prank,
and my target would be Bob, my boss.
I couldn't modify his keyboard or plug something between the keyboard
and the computer because of it being wireless.
So I went to our box of development boards
and found an Arduino Micro.
This device features a microcontroller that has native USB
that can act like an H-I-D device,
I programmed it to delay for five minutes when it powers up, so that he could log in as usual.
And then, when he's in the zone to bash out his passive-aggressive emails,
caps lock would start toggling every 100 milliseconds, shooting random caps into his text.
I tested the device a couple of times, and after Bob left for the day,
I plugged the device into his docking station and hit it out of his sight.
The next morning, I came to the office a little bit early to make sure I would be
be there before Bob. He came in, sat down, and started his morning routine, but he didn't show up at
the coffee machine as usual at nine, like we normally do. I went to his office with my coffee in my
hand, like that character Bill Lumberg in office space, and went, Hi, Bob, what's happening? He said,
I have an issue. I've tried several keyboards, but the caps lock is going crazy. I've Googled it,
and everything points to faulty laptop. So I just ordered a MacBook Pro, pro,
I've thought about switching for a while, and I've been putting it off too long.
I wish I didn't, but I had to tell him about the prank.
His only response was, you fucking nerd.
He did have laugh, though, and thought it was the funniest and most cunning prank he'd ever witnessed.
I still remain employed to this day, and Bob is very happy with his MacBook.
Thanks for listening. Have an awesome day.
You nerd.
You fucking nerd.
Welcome to Hotline Hacked.
It's the call-in show where you can share your strange tale of technology,
true hack, or computer confession.
If you want to share your story, go to hotlinehacked.com.
And you should know, Hotline Hacked is brought to you by push security.
They help companies stop identity attacks before they happen,
and they do it all right where it starts in the browser.
You're going to hear more about it later in the episode.
I hear that phrase all the time from my wife.
You fucking nerd.
That one lands for me because it's personal.
You felt that one a little deeper than usual.
Yeah, a little deeper.
I love that this guy just stumbled on and made himself a USB rubber ducky.
He's just like, wouldn't it be cool if I created a USB hardware device that just injected keystrokes?
And it's like, yeah, that's a thing.
That's a thing.
So I found the thing that he's talking about, which is a little box that someone named Ben S developed.
And it just, it's the exact same thing that you built.
It uses a Raspberry Pi Pico, but it's the exact same basic idea.
Just sits in between a keyboard and the computer and randomly caps locks to get the...
So there's a thing called irony punctuation, which is an idea of like there could be a character to denote sarcasm or irony and text on the internet, which is notoriously hard to do.
There's even a rule about this.
It's called Pose Law, which just talks about the difficulty of parsing sarcasm when it comes to, you know,
to extreme views on the internet when intent is so difficult to parse.
Probably the most successful version of this of trying to denote sarcasm didn't come from
any like intentionally designed symbol.
It came from a meme, I think of SpongeBob SquarePants.
Most people would be familiar with this.
And it's just the idea that if you're yelling sarcastically or loudly,
just make the characters go up caps lock not caps lock caps lock and that for some reason
seems to just read as mockery.
I think I need to implement that rule in my personal life because I troll quite a bit in group
chats and I think a lot of people take me a face value.
So especially with all the political stuff going on in Canada, I have some very opinionated
friends and it's fun just to devil's advocate troll them.
And I think they might think I'm a terrible person now.
Yeah, maybe on that one would definitely crack open the irony punctuation, so no one gets confused.
It is useful.
It's a pretty useful way to tell someone, yeah, the mocking SpongeBob meme.
That's what I was looking for.
It comes from the episode, A Little Yellow Book.
And it is.
It's an image of him acting like a chicken.
And he looks very, very silly.
And it's a great way to make, maybe I guess, your boss, boss.
feel like he's a little bit silly at work I love that he poor Bob got pranked but
then out of it came his love affair with MacBook pros and you know the Apple OS
system Mac OS system the one thing that I did like about this technically is that
because he was using a wireless keyboard he couldn't put something in the USB line
like he couldn't put an interface between the keyboard itself so what he actually
did was added a second keyboard so he couldn't hold shift like
he couldn't send a Shift A or a Shift S and in.
So he just would throw caps locks and on and off randomly to get the same output.
I don't know, a little bit of like a hack to get around the fact that he wasn't on a cabled keyboard.
But yeah, custom built himself an Arduino Micro USB rubber ducky.
And fun thing, fun prank, he's still gamefully employed.
And I understand why.
Like if if I employed somebody who's like use their fun spare time to do things like this, I'd be like, yeah, cool.
You're like technically competent and capable.
Good prank.
Also gave the boss an excuse to get a new MacBook Pro.
There's shades of that there.
Totally.
Where it's like, well, maybe you played a little prank on me.
Maybe I rushed out the door to buy a new MacBook Pro a little bit quicker than I might have otherwise due to our company's acquisitions policy or like new gear policy.
so maybe we all just pretend like this didn't happen.
I'm,
this is a total tangent,
but I feel like I'm good for those on the show,
is I have my old MacBook Pro sitting beside me.
Oh.
And I am installing Linux on it
because it is a last generation Intel MacBook Pro,
which is the worst of all of the generations of MacBook Pro,
as you know,
because you had one too.
I recall that was like a sweet spot where that computer
that had just rocked for a decade
and has rocked for like five years since,
just very briefly sucked.
Yeah, yeah.
Like, it's essentially a $6,000 paperweight at this point.
So I am trying to breathe some life back into it
by turning it into like a Unix laptop
that I'm going to use for programming and stuff.
But the one thing I will say is more tangents
is more annoying than I thought it would be
because the T2Chimp MacBook Pros
need custom Linux kernels
to let the keyboard, mouse, Bluetooth, and Wi-Fi work,
which are most of the things you need on a functioning computer.
You use mice on keyboards, bro?
That's fucking nerd.
So the worst thing is,
I have some mechanical keyboards and stuff,
but I don't have, like, mice and keyboards sitting around
because I have to use, like, hard-lined external devices to do this.
And it's just been more of a headache than I anticipated.
So I spent wasted more time last night doing that exact thing
than I would have liked to have.
So here's my question.
When you install Mac OS on what is traditionally a Linux or Windows PC, it's called a Hackintosh.
It's getting tougher to do, but we have a whole name for that.
There's a whole culture behind it.
Is there a name for installing Linux on a busted old Mac?
Not that I know of.
Could you be at the moment where you get to name something?
You might be.
I'm trying to think.
Like, what's a good punny name?
Because Hackintosh, great, self-explanatory.
You're hacking together a Macintosh.
What would Linux?
I don't think there is a commonly used and associated name with this.
So name away, Jordan.
You've created this naming incident in the world.
Posentosh, like putting Pazix, like a Unix operating system on a Macintosh.
Is POSX a Linux?
Macanix.
Maconix?
I wanted to have the fraud hack element to it.
We're going to come back to this later.
I'm going to stew on this a little bit,
maybe during some of the subsequent calls.
Let's see if we can't figure this out.
You can drill this with your favorite AI chatbot
to come up with a catchy name,
and we'll get back to that later.
I want this to be human.
I want this to be from my mind.
Don't you know that GROC and chat GPT and cloud
are just extensions of your mind at this point?
What am I, if not merely a vehicle that types things into Claude?
Half of the YouTube viewers actually think we're just AI's chatting about things.
So why not?
Sometimes I wonder the same question.
All right.
Next story.
Next story.
This is Roe, and I've got two short stories that I'm hoping you can help me bring full circle.
The first is about some sketchy web traffic, and the second is a physical infrastructure prank.
So for the first one, I went to a real.
really tiny college and all of us knew each other pretty well and most of us were pretty close.
So when one of us was out of the country on her birthday, the idea was floated that we should try
to Google her name so much that it showed up as one of Google's top results for that day
as a little unconventional birthday gift. So we set to work manually searching, just like grandma
used to do since none of us knew how to write any code at that point or script.
So after a few hours of going after this, we lost internet to the entire campus.
Our ISP shut it down because they thought we were up to something, and they were kind of right.
So that shut down class for the afternoon on that day.
So I am sorry, Caroline, that we did not get your name as one of the Google top results,
but maybe I just got you on a podcast. Happy birthday.
Happy birthday, Caroline.
Happy birthday, Caroline. I want to know, when did you go to university that it was possible
to get someone's name to the top of Google search rankings?
That's exactly what I was right there. I was like the amount of times you would need to
Google something to compensate for the 7 billion people in the world constantly Googling.
I went to university in the 1800s, surprisingly during which Google was available briefly.
like you would need like a botnet that wasn't doing like any kind of
DDoSing or anything but the bot net was just flooding Google's algorithm with
Caroline or Caroline's last name is so iconic so singular yeah that it somehow that
what like a dozen people Googling something a bunch during the day was going to I have follow
up questions but let's continue yeah the second one came when I was working as a
telecom designer at an engineering firm.
We had these
big L-shaped desks that were
stand-up, sit-down desks with some memories
and they were pretty cool.
There was a little controller.
As I was cleaning my desk one day, I realized
that these have RJ-45 jacks
on them, which
intrigued me.
I knew it wouldn't be Ethernet, but it wasn't
clear at all what the protocols
were. I did some
digging online and found next to nothing
on whether it was just simple
voltage, was there some kind of signal, no idea. And I didn't even have a
multimeter that day, like no equipment to even take a guess. I just need to jump in here
because I have one of these desks, and it has RJ45s
on it, and there are massive stickers around it being like, this is not
a network connection. And I'm sure
I'm sure it's bad to plug things into this that you shouldn't.
So RG45, I'm not going to couch it for anyone.
that doesn't know. I don't know. I'm Googling it. That looks like a phone jack or like a cable
jack? It's an Ethernet jack. Okay. Got it, got it. So phone jacks were RJ12s, 12, I think,
yeah, digging through memory. And then Ethernet, Cat 5E, Cat 5, Cat 6, Cat 7 are all RJ45 size
jacks. Copper cable, ability to transmit voltage. Let's see where the story goes.
Yeah.
So I felt a little defeated at first, but then I realized if I unhooked everything from the switch
and we just went with the passive stuff, it might work.
I wasn't sure about cables and all that, but we were going to try it.
So I got the key from Anthony in IT.
Shout out, Anthony, you rule.
And a lot of shoutouts in this guy.
A lot of shoutouts.
I appreciate it.
Caroline, Anthony, big ups.
hatched my controller through our telecom infrastructure in the building to my neighbor's desk
and hit it and it worked. So it worked just as well as if it was plugged right in. I was
afraid of voltage drop, but no factor. So we now had a working zero day and needed a worthy
target. So naturally we picked the intern in a different department who worked on the opposite
into the building.
And he was a mutual friend.
So this was,
we picked you because we love you.
Love you,
Charion.
There we go.
One more.
I really feel like,
I feel like this,
Charion,
I feel like this dude.
And I appreciate this a lot is going to share this episode now with a couple
of different people.
Call that free marketing.
So when he was away,
I fixed the original patch and patched it into his desk.
And since he was so far away,
I couldn't actually see him from my desk.
So we had a third party.
act as a relay, partly because it was funnier and partly because it would help obfuscate what we were
up to. So, just using hand signals at first we would do little bumps up and down just to see how he
would react. And it scared him at first, of course, when your whole desk goes up. Before long, we just
went for the sky, fully straight up all the way. And stuff has fallen off his desk and cables are
training and he took it like a chip. He was really cool about it. So we naturally bust out in laughter
and the jig was up. So we helped him clean up his desk and make it all right and explain what we
had just done and how it worked. So the part where I'm hoping you can help me bring this full
circle is I recently included this story in a cover letter for a job application. So if you
run a pen testing firm and this story sounds familiar, I
would very, very much like to hear from you.
We'll talk.
Thank you guys.
Keep up the great work.
Thanks, guys.
See you.
Man, this guy really, like, saw the hotline hacked opportunity as a marketing platform.
I have some messages to get out.
My dear friend Caroline, happy birthday.
New intern at old company.
Got to reveal some stuff.
And if you are looking to hire, I am your man.
He's working with what he's got.
Our podcast.
Calling jacking your stand-up desk controller into somebody else's stand-up desk's receiver.
An O'Day might be a stretch.
The other thing I want to say...
You've known it before.
That's true.
It might reach the technical definition of it.
I don't know if you're going to be reading about it in the news, but...
Shows creative thinking.
It sure does.
I'll give them that.
The one thing I will say is like,
after last episode where like somebody brought receipts, it's like I feel like you could have strengthened this with receipts.
Like I want video footage of this guy's desk going crazy and him losing it.
Like that.
Yeah.
Like let's raise the bar here on Hotline Hack.
Let's push it up a notch.
Like if you're going to do a crazy prank like this.
Of your crimes.
We want proof.
Like hand signals, shman signals.
It's like I want three angles of video.
I want to be able to see this person losing it.
I want that TikTok.
Okay, so the standing desks have these RJ45 jacks, which are just like Ethernet ports essentially.
And he figures out, is it as simple as just the output on one sentence of the input on the other?
It's just now I'm controlling your desk kind of thing.
It sounds like they set up.
He bypassed all the switching gear, which would have caused it to look for real network protocols and things.
and he just created a coupled line between his desk and the intern's desk.
So just connecting Ethernet cables.
And then plug that into the desk brain.
So his controller talked to that desk's brain.
Okay.
And then starts toggling it up and down.
First, little ticks.
Little ticks here and there.
You kind of notice it moving subtly until he, I did really like this,
went for the sky, which I appreciate that.
the motors in these desks, I don't want someone producing one of these desks with a motor that
could literally send it to the sky. But when he said that, I did picture like a desk, an L-desk-shaped
hole in the ceiling with like a startled guy standing behind it as birds fly overhead, like a shot
off the top kind of thing, which Ferry didn't do that. But the one thing I will say is being the
owner of one of these desks and the user of one of these desks is, I have a cable nightmare because I
have one, two, three, four, five monitors, multiple audio interfaces, two computers. Like,
my desk is chaos. And I never take it full stand, like all the way up because I just know,
like the amount of power bars mounted to the bottom of my desk. Like, this thing is, is a,
is a house of cards of cables. And if I put it straight to the sky, I'm sure it would, like,
ripping power bars off the bottom, disconnecting like my, like, light controllers. Sure.
It would just be nuts.
So at least they helped him put his desk back together because I'd be pissed about that.
One of these days, I have a sense of your setup.
And I feel like one of these days I'm going to have to, like, call in one of those big avalanche dogs to come rescue you from underneath it if it was to collapse on top of you.
There's so much gear.
One piece of which is a penguin tosh.
Yeah, penguin tosh.
There we go.
Nice, nice.
Yeah, I found it.
Took me a minute.
Penguin Tosh will be the third computer on this desk.
Yeah.
And then I just want to briefly go back.
I was curious.
So there might be some ambiguity here about what the caller meant in their first call
regarding Caroline's birthday and name on Google.
True, true, multiple stories here.
Can't forget them all.
There's multiple stories.
I appreciate it.
I like the density.
I will say, I just want to jump in and interrupt you rudely and say that.
Sure.
heinously. Let's not turn hotline hacked and the fact that we often don't listen to these
stories before we record into a way to market things because that will make us have to listen
to them all in advance. Yeah, there's something we try and listen to the first chunk of the call
to get a sense of whether it's a good fit and how it's going to flow, but not to listen to the
entire thing because the element of surprise often contributes to the vibes. Maybe don't.
I appreciate that there was no and find me on LinkedIn at the end of that.
It was subtle walking the razor's edge.
As a small business,
you should plan to spend at least $10,000 a month on Google ads in most cases,
but a 10x that ad spend up to $10K is what you'd need to really need to move the needle
on short-term search engine rankings.
So bad news about Googling a name a bunch,
you're about five figures short on the ad spend of getting that to rank.
But I appreciate the spirit of it.
And it is making me.
want a stand-up desk. I'm in this tricky spot where I have a desk I love very, very much. It's
like a, it's a little bit precious to me. It was made with a family member, but the legs are
structural to it. It's like the leg is the point. It's like a cool found object desk. So if I,
I'm kind of just stuck, stuck sitting, unfortunately. Stuck with sentimentality. Stuck with
sentimentality. Burdened by sentimentality once again. Burdened by a deep emotional attachment to a piece
of furniture made by a loved one.
In another digression, a callback digression.
What did you call it again?
Penguin tosh.
Penguin Tosh.
Yeah, so the Linux penguin has a name.
Oh.
And that name is Tux.
Tux.
Which brings me to Mack and Tux.
Oh.
See, we don't need cloud.
We don't need Jipity.
We don't need Jipity.
No Jipity here.
No jipity here.
We got Mac and Tuxes.
We got Mac and Tuxes.
We got Tux Tosh's.
Yeah, it's good.
I like it.
Meanwhile, there's an LLM kicking out 30,000 better options per minute.
Anyway, before we keep it going, why don't we just tell everybody about who this show is brought to them by?
Well, hacked podcast brought to them by Push Security.
You know one of the fun things about hosting this podcast, Jordan?
other than weird stories and subtle marketing promotions that come in in his stories.
We get to see a lot of tools, companies, meet a lot of people, get to know the community really well.
And I mean, we talk to a lot of them off the air.
And some of them are really cool ideas and other ones are solutions just looking for problems.
And then something comes along and we just have that moment of like, well, gosh darn it, why didn't we think of that, Scott?
Gosh darn it. It's really obvious in hindsight.
Someone was going to build it.
Yeah, and push security built it.
Like identity attacks, fishing, credential stuffing, account hijack,
or a session hijacking, account takeovers.
Massive causes of the breaches right now.
And their approach, you know, it's super interesting.
And I totally had that moment.
Like, to their CEO's face was like, shit, why didn't I think that?
Kind of rude.
I mean, we had just met him, but it worked.
It worked out in the end.
They're presenting sponsors now.
presenting the monsters.
What else can you ask for?
Instead of trying to lock down everything at the infrastructure level,
they start where people actually work, which is in the browser.
It's where we're talking right now.
They built a browser extension that observes corporate identities
created by employees and logs into their work apps,
which when you think about it, makes a heap of sense.
Yeah, because they've got visibility from the browser
into all the SaaS applications,
seeing how exactly the identities are being used.
Are credentials being stolen?
Are they reusing passwords?
or have people figured out ways to get around multifactor authentication?
Are they using local accounts when they should be using the single sign on identity provision accounts?
And the kicker, if they do find those vulnerabilities, they can automatically enforce controls to fix them.
All right there.
All right in the browser.
But it's not just about protecting identities.
Push is monitoring them too in real time for attacks using adversary in the middle toolkits,
cloned login pages, stolen credentials, stolen session tokens, fish kits, all kinds of things.
All these attack trajectories and attack surfaces that expose themselves in the browser pushes there monitoring them.
It's like endpoint detection response, but all right in the browser, very, very cool stuff.
And as you might have heard in the last episode, Adam, CEO came on.
The team is super sharp, killer researchers, big in the red team world.
They recently put out this thing on cross-idp impersonation, where attackers bypass multifactor authentication and single sign on by just registering their own identity provider.
It's a really cool stuff.
You got to see him demo it.
Check it out.
Push security.
It's a super smart approach.
It's a really solid team.
It's very interesting research.
Check them out at pushsecurity.com.
That's push security.
This is the first part of your most recent of offline fact.
About that guy who's at a college and it was tapping his credit card on doors to see if you get to get in for fun.
Yeah, the building buyer.
Yeah, the guy buying buildings.
by tapping his credit card on the security.
Yep.
Remember the episode?
Remember the story?
I'm actually a security specialist, so he's in my wheelhouse.
I'll tell you about exactly what I'd use.
But I give you a little bit of insight of what probably was going on there.
Most likely, probably that electronic card were on that.
It was probably unlocked, essentially.
But in software, on their access control system,
any jito talks, probably on the schedule.
And when he opened the door, the door position sensor he
back in the contact show that it was forced to open,
which carried an alert, their security chain, in the tense,
by, he was allegedly surrounded by,
he's your human response.
You can have the most being assisted out there in the world,
but nobody's actually monitoring it.
It's a slipper.
However, they have the ability to fail over so that if any credential that the system can breathe,
it's designed to be over-free, would open the door.
It sounds absolutely ridiculous.
I think it is ridiculous, there is a feature that exists out there.
This does sound ridiculous.
Thank you for calling in.
Thank you for giving us a best take of what probably happened.
Funny enough, I've been installing a new access control system in our office,
And I'm oddly more familiar with this stuff than I was two weeks ago.
The fact that a system will, in a fail state, just allow any kind of RFID handshake to open the door,
seems like the worst physical access security policy you could have.
For a security device.
I can think of certain pieces of hardware where storing certain pieces of information on the hardware,
it's kind of trivial.
There's microphones, USB microphones that will store certain systems.
sound profiles on the device, others that require a secondary piece of software to do it.
It costs a $50 difference.
It's a little nice to have.
You plug your mic in your friend's computer and you get the profile.
Letting me get into a building I shouldn't has slightly higher stakes, and I'm not sure that you
should be selling that first version of that product.
The one thing that I've been finding interesting, and here I'm going to go on another tangent
and digression here, is like electronic locks that these access control systems control
all run on like 12 volt DC,
like very like minimal amounts of power.
It's nothing crazy.
And lots of these locks,
if you can sever that power connection,
open.
So it's like,
I can see Jordan's face right now.
You won't be able to,
but it's really good.
It should be everyone's listening.
Like there's a lock that if you can cut the power,
you break in.
I'm like, that's the easiest heist movie ever.
It's like just,
cut the power to the building and then walk in.
There's some that fail safe and some that fail secure so you can set them because the other
problem is, is like if they don't open in case of emergencies, like clearing the building
will be very impossible because a lot of them have electronic relays to reopen them from
the inside. So like if you're in a secured facility, you have to push a button for the door
to open to get out. So then you have to set fail safe, fail secure. And it becomes like this
interesting thing. But like even aside from cutting the power to the
building.
Like, you know those big magnet locks that you see on, like, glass doors?
Like, they only stay locked because they're getting a constant feed of 12 volt power.
And if you just interrupt that power relay, those doors just wide open.
Yeah, sure.
And I guess it depends on the type of building if you want to fail secure versus fail
open.
I definitely appreciate, like, there's enough horror stories of weird stuff happening
where a building was burning and a door got locked and a bunch of people die in a
supermarket in South America.
It's like those stories.
suck. You don't want to design a system that works that way. I'm surprised there isn't sort of
like a healthy intermediary where it's like the door just has like a fail close in one direction,
where it's like there's a door handle that will open it even if there's no power and there's
another door handle that won't open it if there's no power and you just put one of those facing
outside of the building. There could still be vulnerabilities where a person could get a thing through
now and maybe open it up like coat hanger style.
But I would still take that over the alternative of we must either entomb them or open
the doors to everybody.
Well, the beauty is that the best, the best cross for that is like we, we have a power lock,
like a power strike on our new, on our office door.
And it is fail secure, I think is the right one.
So that if the power goes out, it stays locked.
But then on the inside of that door, there's one of those push rails that physically opens the tumbler.
Yeah, opens the door.
So you can still get out in an emergency, but the lock stays safe.
If it's like the middle of the night, somebody cuts the power to the building and tries to break in.
Hmm.
But anyway, I just find this fascinating just because I've recently gone down this rabbit hole of like looking at these access systems.
And it's like you have these really complex identity control, verification.
encrypted backends for the access systems
and then the lock is literally like
the red and the black power cables
it's like
there's no
cryptic, lock down
there's no brain in the lock
but the lock is controlled by a brain
and it's like all you have to do is kind of like
get in between that and boom it opens
think about the last time you heard
a breach story on this show
it always starts the same way
Someone somewhere saw something too late, an alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform, a fully agenic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora agent SOC.
It's the first SCC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machines.
speed and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions. The automation frees your
concierge security team to focus on higher value strategy and proactive risk reductions.
while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually looks like,
go to arcticwolf.com slash hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected
than cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving to the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses for it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fear-mongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwulf.com slash hacked.
Hey there, my name is Wolf.
I really like your podcast and the idea of the Hacked Hotline series,
so I thought I would share a story of mine.
It's not overly technical or crazy, but I think it fits.
About five years ago, I was working as an aircraft mechanic.
at an airport. The company had vending machines that were supplied by a vendor. Each of us had a small blue key fob that we could use to pay at these vending machines. To add money to the key fob, we would hold it against the reader on the machine and insert coins. I had always wanted to work in IT and had a hacker mindset. I loved breaking things to understand how they worked behind the scenes. One cold winter morning, I stood in front of a vending machine to buy a coffee.
Then a thought crossed my mind, what would happen if I removed the key fob at just the right moment while adding money to it?
I decided to try it.
I held the key fob against the reader, inserted a coin, waited one second, and removed it.
Nothing happened.
I tried again, but waited a bit longer.
Normally, when the charging process is successful, there is a distinct beep sound, and a small LED lights up green.
This time, however, the beep was distorted, and the LED lit up yellow instead of green.
I checked the balance displayed on the vending machine, it showed the amount of the coin I had inserted.
Then, to make sure I wasn't imagining things, I checked the balance on my key fob at a different vending machine.
To my surprise, the money had been added to my key fob as well.
Curious, I pressed the return button on the vending machine, and it spit out the coin I had inserted.
I had effectively duplicated the coin's value.
Since the highest value coin in my country is worth five,
I realized I could easily generate a lot of money by repeating the process.
I tested it a few more times to confirm that it worked.
But I didn't want to get into trouble or exploit the bug.
Instead, I went straight to security and reported my discovery.
The security officer looked baffled and unsure of what to do.
He asked me to show him what I had found,
so I did. He told me he would investigate and that I might be contacted about it. He also instructed me
not to tell anyone other than security. A week passed and then one day, the security officer approached
my work area, this time accompanied by three men in suits. My mind started racing. Had I done
something wrong? Was I about to lose my job? One of the men introduced himself and explained that they
were from the vending machine vendor.
They wanted to know more about the issue and asked me to demonstrate it.
I explained everything and showed them how it worked.
They took notes, asked questions, and thanked me before leaving.
The whole thing felt like a crime scene investigation.
The next day, nearly all vending machines in our hangers were shut down, with signs saying,
out of service.
This did not go over well, mechanics are serious coffee addicts.
Another week later, the same man in suits returned.
They told me I had discovered a bug that affected nearly all of their machines,
and thanked me for reporting it instead of abusing it.
Before they left, one of them handed me a small box.
Inside was a red key fob with my name engraved on it.
They explained that I could use this key fob to buy items from their vending machines,
up to five bucks per day, without ever needing to charge it.
It acted like a special credit card for their machines, even at train stations, where their
vending machines only accepted coins or credit cards.
This experience fueled my passion for IT.
I started learning Python and JavaScript, staying up late to work on projects.
One of those projects was a chatbot, which eventually became quite popular.
I continued working as a mechanic for two more years, and not a single day passed without me using
that red key fob. I was the king around my workmates and friends. Eventually, I decided to leave
the company to pursue an apprenticeship in IT. One day, after making my decision, I ran into the IT
help desk manager in the cafeteria. He knew my father, who worked at the company a few years ago,
and struck up a conversation with me over lunch. I mentioned my plans to leave and my chatbot
project. Then he asked, wait, aren't you the guy who found the best?
Mending Machine Bug?
Yeah, that was me, I replied.
He told me that the company was urgently looking for an IT apprentice, and that, since I had
already demonstrated an interest in IT and gained some knowledge, he would be happy to recommend
me for the position.
I eagerly agreed.
After completing a few test days in the IT department, they offered me the apprenticeship on
the spot.
Now, I'm about halfway through my apprenticeship, and I love it.
That's my story of how I transitioned into the IT sector.
Hope you enjoyed it and have a great day.
I love it.
Great story.
I feel like when they started, I was interested to hear where it went because it sounds
like he figured out a way to lose his money.
He was like, I'm putting coins in the machine, but I'm not getting it.
And I was like, but then he's like, oh, I hit the refund button and the coin came back out.
The coin came back out.
I was like, you found the opposite of.
an infinite money glitch and then at partway through it was like no there it is it's an infinite
money glitch got it got it got it got it i have a sneaking suspicion that this person is from japan
because uh the vending machine culture in japan's outrageous they're everywhere and the fact that
they're like a lot of the indications that he said like the largest coin is five dollars like 500
yen is the largest coin and so i was like okay so this person's in japan there's vending machines
everywhere and he now has like the gold key to buy something at any vending machine in
Japan apparently, which is also probably why the company took it so, like, was so worried
about it.
It's not just the hangers of people, but there's probably like 50,000 of these vending machines
across the country.
Yeah, that's a really good take because my big question had to do with the apparent like
squad of men in black type characters that show up because you got the best of a vending
machine.
I've, without digging into too much detail, I've had family that worked in airlines.
I have some very early memories of hanging out in like weird parts of airports when I was a little
kid before the security was what it is today and having some very bad airport vending machine
coffee.
And I can tell you, there was a guy coming and picking up a bag of quarters every couple
weeks.
There were no like suited people touching down from the private jet to come figure out who
hacked the system.
See, but then again, more, more leading indicators that is Japan, a bunch of salary men.
Sure.
Like, it fits the vibe.
I like it.
I like the story.
I like that they used it as a pivot, showed some interest.
I thought it was going to go in the darker way, like the pharmacy credits, where it's like, yeah, I figured out how to do this.
And then it became my life, just like stealing points.
Right.
Yeah, sure.
There's a version of this.
where they get enraptured with it.
They acknowledge the infinite money glitch they've discovered,
and their whole world just becomes juicing, you know,
500 million at a time out of a, out of a coffee machine.
This is much more interesting.
I am regularly on this show confronted with, like,
pretty real questions about how I would behave morally in different situations.
There's certain stories where I see the kind of good path,
and I know very confidently I would have taken that.
There's other ones where I'm like,
oh, maybe I'd just be free coffee baby for the rest of my life and just I'm the guy that
knows how to get free coffee out of these things. I'm not so sure I would have done the right
thing in this case. Well, in my, if my hypothesis is correct, and this is Japan, it's not just
coffee. Like, you can buy anything. Real food. Yeah. Food, booze. Like, you name it.
They're cool. I would love to have that culture here, the vending machine. And then I would love to be
the god of the vending machines with the sacred key fob that opens all of them.
Yeah.
I do end like the honorary red key fob engraved with their name.
Like also.
Swaggy.
Yeah, totally.
Swaggy.
So if you'd submitted this story, please drop us a note.
I'd love to know if I'm correct that this is in Japan.
But thank you for calling in a great story.
I'm hoping you're enjoying your IT days.
If you've learning Python, Python's one of my favorite languages.
And also one of the languages that the AI bots are best at writing.
So if you just need a bunch of a Python code written, talk to Jipity.
Here's my question.
With that magic red key fob, I'm holding the magic red key fob from this call in my mind
and the security expert that called in about the buying a building with a credit card call from previous,
what could you buy with that fob?
It's five bucks a day, but like you go up to the main headquarters of this vending machine consortia.
starts tapping it on shit.
Well, if the previous caller that it called in was right, you know, all you need is a
malfunctioning access system and you can buy whatever you want.
That's still pretty shocking to me.
And does make certain, like, heist movies make sense.
There is often a, like, we got to shut down the power tie moment.
It's a good, there might be something to that.
Five bucks a day.
Yeah, wow.
A lot to unpack in this one.
Well, here's the thing, and this is just straight hypothetical.
Like, we're just BSing at the end of the episode now.
Sure.
But, like, a lot of buildings, like, call them commercial towers.
They're not like...
Oh, there's a third rail here where we're...
The way I would rob a building, I guess is what I'm saying.
Well, no, but you think about it, like, from a security perspective,
it's like a lot of these controlled infrastructure pieces are inside of, like, large commercial buildings.
And it's like cutting the power to a lock.
or bypassing the control unit and directly sending the power into these locks
would be really difficult for the outside of a building because the outside of a building is clad
with stones and marble and all the stuff but when you're inside of a the inside yeah but if you're like
on the 36th floor of a corporate tower and there's a half inch piece of drywall between you and the
red and black cables it takes an exacto knife and a battery and you've bypassed
you know, a $100,000 access control system.
Pretty.
So it's like, how secure are we, Jordan?
I have a friend.
She was in town.
She was crashing with us and she's a lawyer.
She was asking about work and she was asking about the podcast and she had that kind of
polite moment that people do where they're like, and it's like a tech show, right?
Yeah, totally.
It's a technology show about like security and hacking.
She's like, oh, what do you mean hacking?
We talked about it.
And she's like, got it.
So you're telling people how to do that stuff.
It felt like the restaurant went quiet in that moment.
I was like, no, no, no, no, no, no.
We're not telling people how to do this stuff.
We're just talking about people who did it and then telling people how to do this stuff.
I don't agree with that.
We never do that.
For liability's sake, we never tell anybody.
For liability's sake, we never do that.
That was me doing a gag.
I just love it.
I love it so much.
I haven't done the, like, tapping my credit card on a building thing since we made jokes
about it in the last episode, but I have, like, no word of a lie.
I thought about it every single time I walk past a building where I can see the key fob
thing up front, which is most buildings.
I think about it all of the time now.
So I was really excited to see that follow-up call.
I like the follow-up call thing.
I think we're going to do more of that.
Yeah.
If you want to share your strange tale of technology, your computer confession,
your true hack.
Going over to hotlinehacked.com,
there's a phone number you can call.
There's an email you can submit to.
You can send us text.
You can send us an AI voice.
We just want to hear from you.
And if you would like your voice obfuscated,
just let us know.
Either send us in text and we'll use an AI bot
to convert it into audio,
or if you send us in a phone call
or any of those things,
we will convert them into.
We can obfuscate them, no problems.
This show again, brought to you by Push
Push security, pushurity.com.
They help companies stop identity texts before they happen.
They do it all right inside the browser where everyone's already working anyway.
If you want to find out more, check them out at push security.com.
I think that's another one in the bucket.
I think so.
I think so.
Get at us with your story.
We want to hear it.
And until then, catch you in the next one.