Hacked - Hotline Hacked Vol. 3
Episode Date: June 2, 2024
It's our third call-in episode and we're cooking now. Share your strange tale of technology, true hack, or computer confession at hotlinehacked.com. We discuss accidentally causing internet outages, creating a botnet Pandora's box, and the proud tradition of hacking into stuff to play great songs the man doesn't want you to.
Transcript
Thank you for calling Hotline Hacked.
Share your strange tale of technology, true hack, or computer confession.
After the beep.
All right, I got one for you guys.
When I was in high school, I went through, like, a computer phase, I would say, with a friend of mine.
We were kind of the computer nerds for our class, and naturally we gravitated to the print shop, who was also our sysadmin for the school, and befriended him.
And he inadvertently challenged us saying that we could not break into our school's network,
which you should not do with high school boys.
So my friend and I were able to successfully compromise the network.
I'm not going to go into details for obvious reasons.
But fortunately, we were both good kids and it didn't change grades or anything like that. But for our senior prank, we did modify our school website to reflect year in school, as well as play "School's Out for Summer" by Alice Cooper as soon as you loaded the page, which is exceedingly irritating. Then we ended up getting caught, but not for the reasons that you think. There was no technical reason why we were caught, because we were very careful. We were the likely suspects. So the sysadmin approached my friend, who ratted me out, and we served two days of in-school suspension. Fortunately, we had no bad history of doing anything malicious. We were both honor students and they didn't have any reason to really throw the book at us, fortunately. But in the meeting with the superintendent, the sysadmin, and our high school principal, we were given the analogy that it was like breaking and entering into someone's home and messing up their closet.
So hopefully you enjoyed that story.
Take care.
School's out for summer.
Hey, everybody.
Welcome to Hotline Hacked.
It's the call-in show where you can share your strange tale of technology, true hack, or computer confession.
So many things to, so many things with this one.
The print shop was the sysadmin is a great way into any story.
I want the life story of this guy because he sounds rad.
He's like, I work on the technical things, the printing and the computers.
And also hammers.
Hammers.
It's great.
Yeah, I mean, don't inadvertently challenge, I think was the phrase.
Don't inadvertently challenge high school boys to do anything because they have a lot to
prove and a lot of time on their hands.
It's never a good move.
This is, I, it's foolish to me. Like, you're going to challenge the nerds to whether they can do something? They're going to figure out how to do it, I'm sorry.
It's like, how do you even get mad at these kids? Like, you're the one that spurred them on. You're like, I dare you, do it. It's like, you're the sysadmin, you just dared me to violate your security. I'll violate your security if you really want me to.
I feel like when this happened, everyone turned to each other and was like, who could this have been?
And that dude knew immediately.
Oh, immediately.
Well, I did pose a challenge to some nerds with gumption that they couldn't do the exact thing that just happened.
Do we think maybe it was them?
Also, a real no honor among thieves thing with the friend immediately ratting him out.
Hey, man.
You know, if I've seen enough Hollywood movies about nerds in my life, it is that they crack under pressure.
It's out.
Crack under pressure.
I won't go into the details, but I had a really similar situation in high school.
It wasn't nearly as cool as this, but it did involve being somewhere we weren't supposed to.
And the way it all shook out, no word of a lie, someone cracked under pressure and ratted everybody out.
Yeah.
We got pulled into the school cop office and everyone was tight-lipped except one person.
And it all fell apart.
My in-laws are both principals.
And apparently my mother-in-law was exceptional at getting children to crack.
She's like, yeah.
What a thing to know about yourself.
Yeah, exactly.
She knew, like, the right buttons to push and, like, when to leave them to stew
and, like, let their internal emotions, like, take over.
And it just, like, always led to, like, she would reenter the office and they'd be, like,
I did it.
She's like, I know.
I know.
Still standing in the doorway.
Exactly. Like, casting a long shadow into the room.
Yeah. We've known since... We've known since this morning, of course.
But then she walks out and someone else is like, how did you know? She's like, we had no idea. I just knew that kid. He was sweating bullets the moment we brought them in.
I think, I think I would have a story similar to this from my youth, which I, you know, maybe, maybe. I have a story similar to this.
But the, yeah, a lot of security in school networks is not so great. Even in school divisions, and even in provincial school networks, it used to not be so good. When you have that many staff, a lot of them aren't technical. You know, security protocols can be pretty lenient.
For sure. It's nice that they, I like "breaking and entering into someone's home and just messing with the closet."
I think that's, um, I'm glad that they just messed with the closet and played a song.
I, this just brings up the fact that there's such a proud history of hacking and breaking into
stuff just to play bops, just to, just to do a sick needle drop that the man doesn't want
you to.
I feel like there's so many great hack stories that were just about playing a song over the radio or
the internet or a website or an intercom.
I remember there was one a couple years ago where the rapper, it was a song by YG and I think Nipsey Hussle called FDT, which is a political song.
And it was a South Carolina radio station that there was like 20 minutes just looping this song on repeat.
Sunny 107.9, and someone, like, hacked into it because it had an internet-connected antenna.
The antenna had an internet intermediary where you sent the audio to it through this web system.
And then it broadcast over the air.
They got in the middle of that and were able to just run a song on a loop.
Brilliant.
And then the other one that I remembered, and I dug it up, was a British radio station.
And they, uh, there's a song banned in 1978 in Britain called "The Winker's Song" by Ivor Biggun and the Red Nosed Burglars, uh, language advisory here.
Uh, the song's lyrics are just "I'm a wanker" said 36 times. And someone took over a radio station in Britain and just ran that song on repeat for a little bit of time and caused a whole bunch of trouble in the UK. I don't know if they ever got caught, but I guess it caused the song to surge a little bit in popularity in the UK.
Well, affect the charts. Shot to the top of the Billboard charts.
It affected the charts. Yes, you bumped someone off them.
Exactly.
Yeah.
So a proud tradition.
Proud tradition.
I've never really, I guess the thing for me is, is like if you're going to break into something,
the second you mess up the closet, people are going to know you were there.
Sure.
Where if you break into it and you don't even mess up the closet, maybe you go through the closet,
but maybe you kind of put it back like it's supposed to be.
And then you leave.
Maybe you change some grades.
Not even change some grades, but just like take a peek in.
Like, usually the nerds don't change their grades.
Like, let's be honest.
You're like taking a peek in and you're like just kind of a little bit of a voyeur and you just kind of look around, take a little detail, read some stuff you're not supposed to, look at some schedules, do some things like that.
Scott.
No, no, but then you can leave and then you can come back later because nobody knows you were there.
The second you put like schools out for summer on the main website, they're like, okay, hold up.
We got a problem.
Yeah.
It's the, it's the Ocean's Twelve thing of the burglar that leaves the little onyx fox behind so that you know the Night Fox was here, kind of thing.
I get that temptation to just be like, look how gosh darn clever I am.
We are the nerds.
We will inherit the earth.
School's, in fact, out for summer.
It's almost like that motivation is the motivation behind this show.
Hotline hacked.
You could.
And with that, why don't we spin our own, why don't we do our own needle drop and play another one?
Okay.
Hi, George and Scott.
I'd like to share with you a war story from back when I was quite a lot younger. Back in 2014 I was working for a small pentest outfit and we'd scored a gig at a multinational, and I was sent to the London HQ. We'd been making steady progress, or rather I'd been making steady progress because I was doing the testing, but I'd hit a bit of a wall, so I started looking at ARP spoofing. So there I am at the European HQ of this company and I've done a little bit of ARP spoofing but not got very far. I think I've managed to grab one set of admin creds. I just decided to widen the net of my ARP spoofing without really thinking things through and not really anticipating the consequences of my actions. Just to add some technical context which will help explain what is actually going on: ARP is Address Resolution Protocol. So ARP is a way of making sure that packets on the wire get to where they're supposed to be, and this is done by advertising your location information to everybody. ARP spoofing is when an attacker wants to impersonate another endpoint and redirect traffic and act as a man in the middle to read any data crossing between host A and host B.
Tonsko provided us great details here. So your computer
is sitting on a network. It has an IP address. The routers kind of look to your hardware ID, your MAC address, and ARP is the protocol that connects your hardware ID with your network ID. So it's kind of like the glue in the middle.
And the thing with ARP spoofing is, you can essentially broadcast that you are a different hardware ID and start getting packets routed to you that shouldn't be routed to you.
So you can kind of man-in-the-middle network traffic a bit.
So that's very applicable to the how and why of this story, when we continue, and where the pain point came from, so we can get there.
It's equivalent to putting a different address on the front of a house
and waiting for the mailman to deliver someone else's mail kind of thing.
Yeah, and then opening that mail, looking at it,
and then taking it back and putting it in the right mailbox.
Sure.
Sure, so they never know.
Exactly.
I'd found three Cisco switches that looked innocent enough; however, they turned out to be Cisco Catalyst 6500s.
Big core switches the size of a cabinet, capable of shunting up to 4 terabytes per second around.
As I started to ask for everything, that directed them to send all of that traffic through my little MacBook Pro's one gigabit network card.
I didn't really get much juice, so I kind of stopped and started throughout the day.
So there's the rub, and you'll understand it in a bit,
his massive institutional 4 terabyte a second data throughput switches start funneling all of their traffic through his 1 gigabit Ethernet port in his MacBook.
So essentially you're taking this massive funnel
and funneling all of the data down to this tiny little channel
which I guess one gigabit, the Ethernet card is a tiny channel
in comparison to four of these monster switches.
So that's going to be very relevant.
So I'm just hoping to help you understand.
I was sat in this room in a big open-plan office, and IT were on the other side of the atrium.
And I noticed that there was a bit more activity on the second day.
Not really thinking any of this increased energy, I continued with what I was shortly to realize was my rather reckless ARP spoofing attacks.
About halfway through day two, I saw a group of people threading their way through the desks towards where I was sitting.
I clocked them and they looked purposeful.
More to the point, the purpose appeared to be me.
They stopped at my desk.
One of the people, who seemed senior, asked me to stand up, and a fellow checked under my desk to see what port I was plugged into, which, it became clear, was the port they had identified as causing whatever problem they were trying to solve.
I was asked what I was doing and why I was here.
This is the point you present your get-out-of-jail-free card to say that you're authorized to be there and do some testing.
I explained that I was trying to ARP spoof some switches, at which point they interrupted me
and said that my testing was causing widespread European network disruption for the last day and a half
and politely requested that I stopped what I was doing immediately.
As they were talking, the enormity of my error dawned on me,
and I felt this huge hollow hole open up in my stomach.
So now you can see, like imagine all that data.
Every time that he would spoof and pull that data through his computer to like, you know,
analyze it and look for, he was looking for credentials, like unencrypted credentials.
But like every time he would do that, like they own those monster switches for a reason, right?
they have the network connectivity to push all of this data throughput.
And every time he would hijack it,
it would bottleneck it,
so that it would just cripple like the network connections
for everybody trying to use that information
and use data going through those switches.
So he was causing intermittent hell for this company
because just every time he turned on, like started spoofing,
they would just kind of cripple the network.
And then he'd turn it off and go through the data he collected.
And it would go back to normal.
And then, you know, two hours later, he'd turn it back on.
And just doing that repeatedly would just become such a headache.
So they obviously traced the network load to his Ethernet port and went and, you know, interjected.
So just to help you understand.
I was lucky enough to be spared the walk of shame and allowed to stay until the end of the day.
But it was made very clear that I was deeply unpopular.
Thinking about it later, from their point of view, I would have been causing that worst sort of support issue, the intermittent problem with no obvious pattern.
In the report, I described the attack and suggested that Cisco's anti-ARP-spoofing control be enabled.
My boss was good enough to not chew me out, but I suspect he got a severe bollocking from the client.
We never went back.
I was the layer eight problem.
Oh, that's a good story.
I clocked them and they looked purposeful and the purpose was me.
So Tonsko for everyone listening is a good friend of the pod.
But I'd listen to this when it first came in.
I forgot how good a storyteller he is.
There's some great, there's a really well-told story.
The metaphor I was cooking up as you were explaining to me is it almost feels like there
was this industrial water infrastructure, some massive pipe that everyone's drinking from.
And he managed to reroute it through a tiny little garden hose so he could take a
sample out of the water, not realizing that a bunch of people's taps stopped working every single
time he did that. That's a good one. Okay. So that, so that, like, this is a cut-down version of it. He, I think he sent us like 19 parts to this. So his little tale there, like, "I was the layer eight problem," is like a really, is a throwback to a joke that I didn't realize that I didn't include in the edit of the story. Sorry, Tonsko. But networks are seven layers. And layer eight is like,
It's like a technical joke to say that like it's a user problem.
Like it's like skill issue user.
So like he was the layer eight problem is saying like I was the user that was causing the headaches.
Oh, sure.
Okay, that makes sense.
So I totally, when I listened to that there, I was like, oh man, I missed that.
But but it is good.
He did provide tons of technical context and a bunch of color and commentary about things.
But it just would have, it was like 20 minutes, I think.
So I chopped it down.
I think, I think I kept the core part of the story, which I'm happy about.
I think we got the big idea is that he'd been brought in to do this job as part of this
pentest outfit.
He was gathering data and just inadvertently caused widespread European outages, which is, it's
fascinating that that's a thing a person can sort of like walk their way backwards into.
I also like that he talked about the idea of, and this is true and more than just tech,
but especially in tech is that the intermittent problem is the worst problem.
Totally.
If you're not getting a signal, or you're always getting a signal you shouldn't, that's pretty easy to figure out, whether it's,
regardless of what it is, you can basically do some unplug, re-plug in and work your way back
to whatever the thing is that's causing the problem. But when the problem's intermittent,
that's a lot harder to troubleshoot because you kind of got to wait for it to flare up.
Yeah. And then if it doesn't last long enough for you to properly diagnose, it just goes away.
So like the word, the term intermittent used to be like a keyword when you dealt with warranty support.
Like, if you're... I was going to bring this up, I was going to bring this up. I was like, it's also how to get a new iPhone.
Yeah, yeah. So, like, I remember back when I had my first iPhone, I remember I was having intermittent USB problems. Like, it would, back before iCloud synced everything over the air, you used to have to back up your phone to your computer and stuff through a cable, and every now and then it wouldn't work. So I remember booking an Apple Genius Bar appointment and going in there and being like, I'm having intermittent USB problems, and they were just like, here's a new phone.
Like there's no way that it looks like it's working fine now,
but there's no way that we can prove that it's not not working.
So here's a new phone.
Have a great day.
I remember a friend, a mutual friend of ours.
This was years and years and years ago,
but telling me to do the exact same thing.
It was like I had a phone and there was something trivially wrong with it,
but it was still under warranty.
I wanted to take it back in and kind of just get a new one.
And this mutual friend of ours looked at me and said,
it's not that there isn't a problem.
It's that whatever problem there is is intermittent.
And he said it to me like, I'm going to teach you abracadabra.
Exactly.
This is the thing you say to the genius bar to get them to give you a new one.
It's like going in the gray market situation, going into the special doctor's office and saying, I have this thing on the page and they give you the thing you want.
Totally.
It's the magic spell.
Totally.
Yeah.
Intermittent, like, as far as technical issues go, things that aren't constantly reproducible are just a nightmare, because it means that there's multiple factors affecting what's going on. And Tonsko's layer 8 intermittent problem here kind of shut down this big company.
It does make me want to, I'm sure it's not a big enough outage for it to ever made news,
but I do want to see if I can, I want to see if I can find some reports of a outage somewhere in
Europe because it's fun. I want to find, I want to find out more. Great story. And thank you for
sending that one in, Tonsko.
Totally. He actually had a little extra story, so I'm just going to fire that now.
Oh, amazing.
Just as another little extra, one of my colleagues at a different time was using Burp Suite to test a website, and it was being tested so they could go live the next day.
He had admin creds, and he'd used Burp to explore every button feature within the website.
Unfortunately, one of those buttons was "delete the website," and as he was logged in as an admin user, the website went bang just before they had to release the next day, and they had to really hurriedly rebuild everything. That again was not deeply popular with anybody.
And the website went bang. I'm using that one for catastrophic disasters. It just went bang.
So that's just like such a classic story about, like, knowing the tool you're using and understanding the exceptions, the things that you don't want it to do. It's like running, like, a testing suite, Burp Suite, to, like, go through a website and make sure that all the links work and make sure everything's functioning and make sure that the buttons are reacting.
And then you run it through the admin panel and all of a sudden it's, like, creating garbage posts and changing content. And then bang, it hits the delete. And then it tests the "verify that you want to delete it" button. And then boom, the whole thing's deleted.
Sure. That actually makes a lot of sense.
Yeah, you unleash the things. It's like, test everything. It's like, you want me to test the burn-this-thing-down button?
Exactly.
I said, test everything.
Exactly.
So maybe if you're going to run something like that,
don't point it at the admin panel.
Yeah, sure, sure.
Also, just, Burp Suite. Good stuff.
Hey, so I had an interesting interaction trying to find some data online. I was looking up some leads for my company.
And I found this one company that had leads apparently for every state, tens of thousands of leads.
And they had some sample data, which if you clicked on the sample data, it would say Alaska.
Here is the few sample leads we have for Alaska.
And it was kind of just like dip your toes in and tell you a little about it.
But I noticed in the URL it said dash Alaska at the end.
So I tried it.
And I did dash Ohio.
Idaho, and another state, and ended up being able to find the entire repository of data that they were selling for tens of thousands of dollars, all of the leads, because all of the URLs were just plain text, kind of easy-to-find URLs.
But yeah, they wanted near $10,000
for access to all of the leads
but I was able to find all of them for free.
I wonder what the highest ticket data that is hiding behind a guessable URL is.
Because it's sort of a fascinating question.
It evokes like a treasure buried somewhere, but there isn't a treasure map.
But like if you just knew to dig there, there be gold.
And sales leads feels like a pretty good potential realm for that kind of thing to be in.
Because, man, are sales leads not cheap?
No. Yeah, I think, yeah, personal information for sure. Yeah. Yeah. For sure would be,
would be up there, especially confidential personal information. Totally. Socials, things like that.
Definitely. Like the e-bike story from the last Hotline Hacked. This is essentially, I threw this one in
because it's in the same regards. You know, it's, we're talking about like people, people who have built
web structures that work, but they don't explore how they work if you just make a few little
obvious changes.
It's like paywalls and, you know, web developer inspector and you can just disable the paywall
on a website.
If the site still loads all the data, and all you have to do is take out the HTML layers
that are blocking you from seeing it and you can still see the data.
It's like, I feel like this is the same thing, you know?
It's just basic, basic security solutions and people that don't perceive the future security problem,
especially with valuable information, which is crazy.
Yeah, there's whole massive industries built on this.
We've talked about third-party data brokers before on this show,
but the third-party data broker ecosystem has a huge subset of it that is just dedicated to sales leads.
It is a massive way that companies find sales leads is purchasing them from other people
that have typically purchased them from someone else.
And it gets very difficult to know the sort of genesis of that information by the time it gets to an end buyer.
And it's like apparently quite a, quite a problem.
There's a lot of overreliance on these third party groups.
They're quite underregulated.
There's security and regulatory risks when you don't know where the data came from.
None of that has anything to do with it being publicly visible behind a guessable URL.
But it is a fascinating world that this caller sort of inadvertently waded themselves into just by tweaking a URL.
Yeah, totally.
Like the, I can always tell when I've been added to a new dataset just by the flooding of garbage that I get into my inbox.
That's a good call.
Like, like, it's like very recently, as of recently, I've been seeing a strongly increased presence of phishing attacks in my inbox.
So I'm assuming something, some website where I had an account got hacked.
And then I'm also getting just a flurry of newsletters from companies that I've never heard of,
nor have I ever signed up for.
So I'm assuming I was added to another data set and I'm going to report them all
as spam and get their MailChimp accounts banned.
If you buy a giant list of names with a disregard for where they came from,
you've got to acknowledge that you're going to piss a lot of the people you reach out to.
Like it's, I'm not saying there aren't situations where those third-party leads don't make a lot of sense,
but you got to know that it's like somewhere down the line, the source of that data could be,
you know, a data leak.
Totally.
It's a fascinating world.
This is a bit of a tangent, but so for anyone that doesn't know, a CPM, cost per mille, is the way advertising on the internet is monetized.
It's whatever 1,000 impressions cost for the advertiser to get.
So if your audience is 10,000 people, it's 10 times the CPM cost. Sales leads operate on a similar system. It's CPL, cost per lead. And the ceiling on
CPL is considerably higher than CPM. It bottoms out at around 10, but it maxes out at around 100,
which is an exceptional, if it was a CPM would be exceptional, which makes a lot of sense,
because depending on what you're selling, that audience could be worth a ton of money.
Well, I know, like, my brother's a real estate agent, and I know the realtor world, like, leads and lead development, lead generation, like, that's a whole thing they're tuned into, that world. And, like, hot leads, like, if you can imagine, like, say you're in a decent real estate market where, you know, say the average house is 700 plus, you know your commission, your realtor commission on that's going to be tens of thousands of dollars. So, like, what is the value to you as a realtor to get a hot lead, somebody that actively wants to buy a house?
Like, would you spend $1,000 to make $10,000?
You'd spend $2,000 to make $10,000?
Would you spend $5,000?
If it was a sure thing, you'd spend $9,000.
Exactly.
Yeah, no, it makes a ton of sense,
especially for something like real estate
where the potential margins are massive.
You know, for a tech company trying to get a new customer at $9.99 a month,
the scale shift a little bit,
but for an individual salesperson going after an individual buyer
that has the potential to put five figures in their pocket,
how do you not turn to these sort of repos of information?
I get it.
I really get it.
This is a good one.
Yeah.
Yeah, yeah, yeah.
Why don't we kick it over to,
I think we need a name for where we read ads.
I'm calling it.
You're calling it.
Okay, you name it then.
You call it.
I didn't say I had a name.
I'm saying I think we need one.
A podcast I love calls it going to the money zone.
And I just really like that.
There's something, something nice about that.
So we're going to workshop that.
For now, let's go read some ads.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform with a fully digital, agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is running off their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every
week and over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent-led by
design. You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded, and most importantly, what businesses
can do to fortify their defenses before it's too late. You're going to walk away with real insights
into how threat actors are evolving, how defenders are responding, and what strategies can help
you stay ahead of the next big breach. It's not fear mongering. It's practical, actionable,
intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
Thanks for listening to the Hacked podcast. This is an episode format that we have called Hotline
Hacked. You can visit hotlinehack.com. You can email in an audio clip, email in text clips. You can
call into our call in number and leave us a voicemail, which we get as an audio file. And we will
include, I will note that if you want to disguise your voice, we prefer that you do that on your
side. Yes. Rather than supplying it over to us and making us do it. There's also an email if you
want to send us a file. Like Scott said, if you'd like your voice concealed, please do it yourself
because we run the audio as we get it,
unless you explicitly ask us to.
Some folks have found awesome ways of concealing their audio.
So feel free to have fun with it.
Well, the next story was actually sent in as text, so we get this lovely AI voice.
Brilliant.
While working at an ISP in Australia,
we had a cloud storage server used for clients to store data,
and I wanted to export the list of accounts.
I connected to the Linux box via SSH using PuTTY, logged in as root.
Yes, this is bad, I know.
Ran the command to display the list of active user accounts on the system,
highlighted the complete list of usernames,
and out of habit right clicked on the list to copy.
Okay, I'm just going to chop this one up in my own way.
PuTTY is a Windows-based SSH client.
Okay.
So SSH is like a Unix command,
like a Unix daemon that runs on Unix servers
so you can connect to it via text, like command lines.
So when you're on Windows, back in the day,
which this story sounds like it was,
there was no Linux core running inside of Windows.
So now you have full kind of Unix integration in the command line.
Back then you didn't.
So if you wanted to connect over SSH to, you know,
Unix-based servers, you had to use PuTTY.
Or PuTTY was the most common.
And running anything as root is bad.
So that's why she flags that or they flag that.
I guess I'm just using the gender of the AI, which is probably incorrect.
Those of you that use PuTTY know that by selecting text, it automatically goes to the clipboard,
and PuTTY has right-click to paste enabled by default.
Suddenly my entire clipboard is being dumped into the server's terminal, then my SSH session drops.
Connection lost.
I stared blankly at the screen for a moment trying to work out what just happened.
I pasted my clipboard into Notepad and reviewed the list of names and found a user account called shutdown.
That's the day I learned that RHEL/CentOS has a default user account called shutdown,
and a simple click of the mouse took down the cloud storage server briefly.
So it's pretty common to have a user called shutdown.
And pasting just a bunch of garbage into the command line
sadly executed the command shutdown,
which truthfully surprising that it actually shut it down
because I think typically you need like a hyphen now
or something after that to actually make it shut it down instantly.
Right, sure.
But yeah, just a little user error.
Just a little user.
Just a little user error.
Take down an entire cloud server.
I really liked my favorite point in this is,
and I know part of this is the AI's read
adding the comedic timing,
but I think it was in the story is
I logged in as root.
Yes, this is bad I know.
Like the immediate awareness of an error as it is occurring is a timeless feeling.
A timeless, timeless feeling.
Right click to paste enabled by default seems like this story is so above my head technically,
but right click to paste enabled by default feels like a weird feature to include in anything.
Like that, I've just never heard of that.
That might just be my non-familiarity with this kind of sysadmin type stuff.
But that feels like a lot of potential bad stuff could happen by having a mouse,
one mouse button queued to paste.
Yeah,
I think the gist is like when you work on command lines,
typically you only use the mouse to select things.
Right.
Right.
So PuTTY was like,
hey,
like why don't we just fast track this?
If you select something,
we're just going to auto copy it,
which is like a brilliant little user interaction.
That actually does make sense.
You're never using your mouse.
Granted, it violates all user interactions you've learned your entire life. But it is kind of an optimal workflow. And then right
click to paste, again, same thing. Like if you're just copying things by selecting them, if you wanted
to paste something, like say you wanted to redo a command or, you know, you're building out some
large awkward query or something and you copy something and you want to paste it in, like right click,
it's like a nice little quick paste button. Sure. But when you copy like, you know, your bash history
by accident, which maybe you don't know what that is, but your command line history.
And then you paste that in, like, that would be brutal.
One of my favorite things of working with comp sci people, I count you amongst this,
but like devs and computer engineers, any of that type of person, is all of the genuinely
smart but humanly unintuitive solutions that slowly become part of a workflow.
Like the idea of like, we never use the mouse.
why not make one of these buttons something we do all the time that requires a key command?
It's like, that's very, very clever until you inadvertently press the button you otherwise use all the time for something else and paste something.
It reminds me of Dvorak, where it's like, this is technically a better way to lay out a keyboard until someone who isn't used to this tries it or until you try and go use a computer that isn't laid out in Dvorak, an alternative to QWERTY.
And your brain explodes trying to translate these different keyboard layouts into one another.
I love those computer engineer workarounds.
Good stuff.
Yeah.
I think we both know who you're talking about when you're talking about Dvorak.
We sure do.
One of my favorite human beings.
Yeah, great guy.
I love him.
Hate sitting down at his computer trying to type something on his keyboard and immediately
feeling like I'm having a stroke where it's like I'm looking at characters showing up on the screen.
And I'm like, I don't know what's going on.
I have to back away from the situation. Hate the Dvorak, love the sinner kind of situation there. It's just I can't believe that you did
this. Can you turn it off? It's a pain in the ass to turn it off. Okay. Can you type for me? Yeah,
definitely been there. Speaking of keyboards, I got my new one built last night. Oh, yeah. I'm not sure how
relevant it is to the podcast, but exceptionally not, but it is fun color commentary for everyone that doesn't
know Scott's swanky mechanical keyboard got broken and he was building out a new one. That's very exciting.
Meanwhile I'm still operating my Lightning-port Mac keyboard that I loathe.
Do you have the number pad one?
No, I don't.
I'm not a pad guy.
I know it.
I know.
I'm missing a good numpad.
Yeah, you're a big numpad.
I know.
I'm the standard chiclet Apple keyboard and it's bad.
You can hear all about it on a consumer tech show.
Let's keep it.
Let's keep this bad boy going.
I'm submitting my audio with an AI since my speaking English is not great.
I got an accent and also so people cannot identify me,
so I got a very powerful command and control, C2C,
that is able to shut down and slow any websites and servers, etc.
It's only built with a Raspberry Pi 4 Model B+,
and a plus 170 Mbps fiber internet speed
and an open source software, etc.
To test it out during the pre-war occurricular,
October 7th in Israel, I saw the Hamas website is still up even though there are news that
other hackers' countries shutting it down. Even though it changed its internet protocol since the
attack, I was too able to shut it down in minutes. I also tried to join a bounty program for
denial of service in HackerOne for the PlayStation website my.account.sony.com. I was able to make it into
404, unresponsive, but of course I didn't receive any reward since they don't accept full
shutdown disruption, and also no distributed denial of service, DDoS. But only denial of service,
DoS. Also, whenever I receive a message from a scammer redirecting me to their websites or link,
I just get the domain they are redirecting me to and shut it down for myself, *smiley face*.
This C2C botnet is very dangerous and powerful since I test it out in Live Layer 7
massive in D-State ECC. It sends out over 17 million requests in just minutes, etc.
So I got a hand into a Pandora box.
Got a hand into a Pandora box.
Yeah, what a way to end a recording. I've got a hand into a Pandora box.
End call.
This is maybe the least lighthearted of the class.
So this is somebody that's got control of a botnet for doing DDoS, so distributed denial of service.
Yeah.
And, you know, tried to go kind of white-hatty, join a thing with PlayStation, but apparently they were only looking for, you know, DoS, like just denial of service, not distributed denial of service, since, you know, obviously that's hard to combat.
But, but yeah, interesting.
Command and Control with a Raspberry Pi. Can you make sense of that for me?
Yeah, so Command and Control, so there wasn't enough detail in there to fully understand what the botnet is, like what's actually what the bots are.
Right.
But it sounds like they've set up a Raspberry Pi, like essentially an invisible computer that they can kind of carry around.
That is the control unit for a massive botnet.
At least that's the way I took it, so that they can kind of fire it up and point it at things whenever
they feel the need to. Right. Does that make sense? I think so. You're just using it as essentially
a little server for this command and control operation. Like if you remember command and control,
it's like the, it's like a hub and spoke kind of model where you've got, you know, what would
you say, 17 million requests a minute? So he'd have just a flurry of bots living in the world,
and then he'd have a single unit to control them all. So like a lot of those DDoS for higher services
are set up like this
where they have a control unit
and then they have millions of bots
or whatever smart fridges
around the world that have been compromised.
Sure.
And then they can send a command
to all those smart fridges
to make requests
on a specific data,
you know, IP address or web protocol
or something and they could just shut the server down.
So it sounds like he was successful
at shutting down PlayStation.
Hmm.
So, and, you know, Hamas and a few other things.
So it sounds like they've got a substantial little botnet.
I can see the "I've got my hand in a Pandora's box" because.
Right.
Okay, that makes more sense.
You've just got like all this power in your hand to be like,
I just pointed things on the internet and they go away.
It's like, what do I feel like pointing at today?
You know, I don't hate the idea,
especially given the amount of phishing requests I've got lately.
It's like a lot of them point back to these like weird server farms
and like Russia and Bulgaria and things like that.
So it would be having the power to just be like,
I'm not going to click on your bad link,
but I'm going to take the server IP address
and just knock it off the internet.
I can understand that motivation.
I found a Reddit thread with someone asking a question
somewhat tangentially related to this,
asking about using a Raspberry Pi 3 as a command and control server.
One of the first comments says,
it's a server.
You can use it as any other server.
since you're asking this question
and seem like you intend to use it at home,
maybe don't unless you like a prison fee.
Which is,
it was a great comment,
proper amount of snark.
The thread then goes,
here's where you assume too much.
They could just connect it to any network
and walk away,
see Mr. Robot,
to which someone else replied,
and then they find your Reddit post.
And if we go back up to the top of the Reddit post,
we see the user deleted their account.
So it's a nice little close loop.
I doubt it was this caller,
but an interesting question
with some good feedback.
from the hive mind.
But like the Raspberry Pi, like the micro PC trend, I think is like, when being a young
hacker, when you wanted to do something with computers, it was like difficult, like laptops
were, you know, expensive and hard to come by and often underpowered.
And now it's like you can build like you could build a tiny little microcomputer
and like turn it into an ARP spoofing device.
and walk into an office and jack it in.
Right.
And people won't even notice it's there.
Like it could be very tiny or disguised to look like something else.
And so it's like the, yeah, I don't know.
There's a whole cool alley of like custom little microcomputer hacking device things that is out there that would be fun to pursue.
Yeah.
That's an interesting world of tiny, like a Raspberry Pi 3 is about 50 bucks.
And so the idea of there being a thing that can function as a server, but is $50, isn't
disposable, and no tech should be regarded as disposable for a bunch of other reasons.
But the fact that there's a thing that you could theoretically just sort of leave behind somewhere
without a fingerprint on it is, there's a reason Mr. Robot made a whole bunch of subplots
based on that very premise.
Yeah.
Because it's interesting and compelling and is, as this caller referred to it, quite the Pandora's box.
Yeah, totally.
Like then 20 years ago, if you wanted to build something like that, it would be, you'd be building a small computer.
And then you'd have to, like, have a power supply and walk in and plug it in.
Where it's like nowadays, with USB power, like, you pretty much, if you really wanted to and you were like a big hardware engineer,
you could probably build something that you just slide into a USB slot that was a fully functioning computer with radio antennas.
And, like, yeah, I don't know.
Totally.
Like, look at the Flipper Zero.
And it's like a tiny little $100 device or $150 device.
Yeah. I think that world of little hacker computers, and you got me onto cyber decks, that fascinating community
of people building from scratch little computers. And it's, I think there's, for as much as we're
pushing the boundary of, you know, what a $3,000 computer can get you and what a $1,500 smartphone can get
you, the floor, too, raises. And we start figuring out, well, what's the most a $50 thing can do?
And that's just as interesting a question. I mean, I think of game emulators, too, those tiny little devices that,
you know, can suddenly, for $45, look what they can do. Well, I was about to say the, the micro device
world is, you know, fired up. You know, you've got like the tiny little Android devices,
like so many things. Like, I just got a new bike computer for cycling. And it is a full Android
phone, essentially. It's just a dedicated Android device. And, you know,
You know, we were talking about the Rabbit R1, which has gotten more press.
Yeah.
We're going to talk about that some time.
But the Rabbit R1 is essentially just a micro Android device.
And it's like all of these things.
And like they're cheap, you know, they're tiny little pieces of hardware.
Like the game emulators are great because like one of my game emulators is literally a Linux computer.
And if you think about that, like that's a full-blown Unix computer.
Like I could plug a keyboard into it.
And I have essentially, it has Wi-Fi chips, it has everything.
And it's essentially a micro-computer and it costs me like $39.
It has a screen, has like a full-color screen.
Like I have another one that has an OLED in it.
Like it's, I don't know, crazy.
The micro device market is very cool, maybe a bit wasteful, if we want to talk about waste.
But I think very, very cool.
and especially from a hacking perspective,
just the amount of things that you can do with these things now.
Now you can have a, like, if you talk to 17-year-old me
and ask me if I would love to have a Linux computer
that was in my pocket, I would have loved that.
Especially something with the battery life
that some of these small emulators have.
They have eight hours, ten hours of battery.
Like, you know, when I was a kid,
the best battery life you'd hope for
in a computer was like 45 minutes on a laptop, maybe an hour and a half.
I imagine if we could talk to a 17-year-old you right now at time of recording,
you would be trying to play School's Out for Summer somewhere where you're not supposed to be.
No, no, no, no.
I was a white glove service.
I never messed with too many things.
That was pretty good.
I just went, you know, I was more of a, more of an explorer than I was a disruptor.
Well, I was, I was flipping power breakers and getting dragged into the, yeah.
dragged into the old office, but that's a story for another time.
And if you want to hear us...
Power breakers.
You bet, man.
The thing they were most mad about was that our school had a vending machine with those weird
milkshakes, like bottled milkshakey type drinks.
Oh, no.
And you soiled a bunch of them.
And we didn't.
That was the funny part is that they're shelf stable.
Oh, my God.
But they do have refrigeration in the thing.
And I remember a police officer yelling at me,
do you know what could have happened to the milkshake vending machine?
Like that line, can you imagine what would have happened to the milkshake vending machine?
It's like, like, barked at me by a guy in a cop uniform, will be forever burned into my mind.
If you want to hear us tell more stories like that, you know, feel free to support the show however you can.
hackedpodcast.com redirects towards our Patreon.
If you go towards our store, pick up some merch, buy a hat.
That helps us.
That helps us out.
anything else, anything I'm missing?
I don't know.
No, I don't think so.
Store.
That's hackedpodcast.com, hackedpodcast.com, Patreon, hotlinehacked.com, submit your story.
I think that's it.
I think that's it.
Is that it for us?
School's out for summer?
School is in fact out for, oh, I don't know how fair, I don't know enough about
fair use to know if we can end this episode with that song.
So, but we'll find out before the episode goes live.
So if you don't hear that right now, it means it's because you can't use it. And if you do, it's because school's out for summer. Well, it is
Memorial Day weekend. We're recording this on Memorial Day weekend. We are. And Memorial Day is the
demarcation for summer. It is. Oh, that's fun. Good, good timing. Good timing. School's out for summer.
Call in with your story, hotlinehacked.com. That's another one in the bucket. Thanks for listening,
everybody. Take care.
