Hacked - Hotline Hacked Vol. 4
Episode Date: September 8, 2024
Fourth time's a charm. Share your strange tale of technology, true hack, or computer confession at hotlinehacked.com. We discuss stealing login credentials with microphones, hacking courses for cybersecurity classes for instant grades, and parking pits. Hotline Hacked is brought to you by DeleteMe. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners: Today get 20% off your DeleteMe plan when you go to joindeleteme.com/HACKED and use promo code HACKED at checkout. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Thank you for calling Hotline Hacked.
Share your strange tale of technology, true hack, or computer confession.
After the B.
Hello guys.
This is a B.
Thanks a lot for what you're doing.
I love the pod.
It's one of my favorites right now among all the podcasts I listen to.
I listen to the latest episode about the on the Hotline Hacked.
And one of the comments from Scott was about someone,
getting in somewhere, just checking what's available, and then leaving without leaving a trace.
And that reminded me actually of a story from a few years ago.
And I was a middle manager in a big company.
I wouldn't say the industry because that would identify the company right away.
So I was working in a satellite office.
We had a small team there, so someone from HR and taking care of admin as well,
one person from finance, and then sales team, operations team, et cetera.
So about 30 people in that office.
So I had a big reporting period where I had to produce a lot of reports,
a lot of deliverables over a short period of time,
so that meant a lot of late nights at the office.
and one of those nights I was alone at the office and I'm not a technical guy
and have a marketing background but I enjoy everything back and so I was there at
the office it was about maybe 11 p.m. or something and between two slides and a
report I was thinking okay why not try and access the HR guy's computer so it was a
desktop so the computer was sitting there in the open space
and there was nobody so yeah because why not why not like what could go wrong
did the office by myself there's a bunch of other people's computers around you know physical
access is a great way to gain unauthorized access so like why not why wouldn't you it's
and if anyone's computer you're going to want to look at it's probably HR's yeah the HR guys
yeah totally everybody loves personal information whether you should see it or not everybody
to see it. It's the juicy stuff. Why not? So I went there, we went to his desk, sat at the
computer, and tried guessing the password at first. I knew the guy pretty well and so tried a few
things. Didn't work. Then I thought, yeah, maybe let me check if the BIOS is password protected.
And it wasn't. So I went into the BIOS settings and changed it to boot, to start to start
the boot from USB first and then move on to Windows etc and I downloaded a
version of Linux that can run out of a USB key
loaded up loaded that up connected the USB powered the computer and it worked so I was
running the I was running Linux on his computer from that from that USB disk and I had access to all of the hard
drive basically. It was I was surprised that files were not encrypted. I thought it would be
encrypted because of the password protection on the Windows account but well it wasn't so
there was I had access to all the files contracts for everyone and started having a look
everywhere checking what's what was there and the first thing my mind went to was
okay let me check how well I'm paid compared
to everyone else.
So yeah, I kept looking into the files, checked everything.
I didn't change a thing, just had a look out of curiosity and know what is, you know, what,
maybe it was what a lot of people were wondering about but never had the chance to get the information.
So I had all of that, and then didn't copy anything, didn't just read the files from his computer.
Well, it felt good because I found out that was dead.
I was the highest paid middle manager at the time.
But yeah, that was a good feeling.
And then I just switched up the computer,
removed my USB with Linux on it,
and went on to continue my reports and the next slides
with a little bit of motivation.
Yeah, so that's my story.
Thanks a lot.
And have a great one.
Welcome, welcome to Hotline Hacked.
It's a call-in show where you can share your strange tale of technology,
true hack or computer confession.
If you want to share your story, go to hotlinehacked.com.
It's got the email.
It's got the phone number.
People seem to like Hotline Hacked.
We like Hotline Hacked, and DeleteMe really likes it.
So we have a new sponsor that's come on board who wants us to make more of this.
So we're going to be doing a Hotline Hacked every month,
thanks to DeleteMe, a subscription service that removes your personal information from hundreds of data brokers online, kind of trying to get you your privacy back.
We're going to be telling you a little bit more about them later in the show, but we really love making hotline hacked, and we're excited to make even more of them.
So we really appreciate their support.
Absolutely.
So you're alone in the office.
You're alone in the office.
You're hanging out after hours.
You're just chilling, and you think, why not interpret
BIOS on the HR computer and see if I can find out how well I'm paid.
Scott, can we, let's just, before we get into anything else, take me through the, like,
technical side of this.
So they get into BIOS, they boot it from USB, they get a version of Linux running.
Take me through, like, technically what happened here.
Yeah, technically what happened here?
Well, he had physical access to a computer.
So Unix operating systems and some Windows operating systems,
have a single user mode.
So you don't even need to boot it into a Linux USB key.
You can bypass the user's security in the operating system
by just going into a local admin account essentially.
Like a troubleshooting, like this server is having an issue
and I'm sitting at the console of it.
You know, something's wrong so that like you can boot it
into single user mode often,
which essentially bypasses a lot of the security actions.
Assuming that if you have physical access to the computer,
that you are not somebody who is nefarious.
This person went one step above that
because they probably wanted to be reading docs
and things like that.
And they actually made a bootable USB key.
So a lot of Linux distros can boot off of USB keys.
A lot of Linux distros are super light, right?
Like our retro gaming handhelds run Linux
and they're like these tiny little Raspberry Pis essentially.
So this person took the time to make
a bootable Linux distro on a USB key, jacked it in, was able to modify the BIOS settings to boot from USB before boot from hard drive and opened it up. The fact that there's no file system encryption and a lot of these files are just sitting on an NTFS or FAT32-like file system on one of the hard drives, you can use the Linux system to mount the hard drive and then you can go through the file system contents without any real Windows security. All of the files will be sitting there.
and you'd have access to everything, which this person did.
So I think we should do this person the favor of digitizing their voice
because what they did was not only, I would say, going to get you fired,
but also probably get you maybe charged.
But I do like that he takes the positive element out of it that, you know,
after determining that he was the highest paid, it really gave him more motivation to like grind
out some more reports on the weekend.
Really, this call is an advertisement for pay transparency.
Yeah, there is a, I was struck by that as we were listening to it, that there is an alternate
history version of this where late at night, sitting in that office with no one around,
this caller finds out they're not in fact the highest paid manager.
And I can imagine the fork in the road they take where they're sitting there with access to all this sensitive material.
And they go bad.
That moment was their villain origin story when they discovered that they were the lowest paid manager and they just went on a tear.
And we would be getting a very different call.
But luckily they discovered they were good, probably because of all of their technical skills that they brought to the job.
Yeah.
I also love the fact that it's like this is also like, I don't know how many grinder weekends and stuff you've had in your career.
where you're working the entire weekend.
But like sometimes you just need to do something else for your like own sanity.
You know, step away.
And this person, yeah, this person found something else to do that was maybe a bit nefarious.
It's just like I need to not be writing these reports anymore.
I need to do something else.
It's like, you know what I'm going to do?
I'm going to break into the human resources computer and look at everybody's contracts.
Yeah, I mean, I guess if you're stuck in the office late at night, I don't know.
I'm trying to think if there's anyone else whose computer, I would be interested in looking up.
There's a temptation to find out, like, get into someone's email, see what people are saying,
but you're really going digging for something that you don't know what it looks like.
HR payroll, that's a pretty, pretty good straightforward target.
There was a hack, I think earlier this year where the Ministry of Defense in the UK got hacked.
The payroll system was the only thing they got access to.
It was the first thing they went for.
there was a story in HR magazine, which, hey, there's a magazine all about HR, good for that community,
where policy and research officer at the Chartered Institute of Payroll Professionals, Matthew Acrigg, said,
quote, payroll data is one of the most valuable assets for businesses, and as such,
it has become the target for malicious groups seeking to gain inside information or to ransom for profit.
And it makes sense that payroll would be one of the big valuable prizes in a company or organization that doesn't have a IP,
corporate espionage type vulnerability for most places who's getting paid what and what are their social
security numbers and their banking info is like yeah that's the that's the relevant stuff that's what
you'd want to hunt down well salary information is the juicy goss you know it's the juicy gossip it's
it's the thing that everybody wants to know and it's you know we going back in time like something like
a bad USB attack lots of those USB keys if you want somebody to put them into
a computer, they label them things like human resources or payroll or things like that because
people can't.
I forgot about that.
Yeah.
People can't resist the urge to know things that they shouldn't know.
And it's like that's exactly one of them.
And this person clearly couldn't resist the urge to not break into the human resources computer.
Maybe it was a honeypot.
Maybe it was maybe they, maybe the whole thing was a scheme they set up overnight.
They set it up for him.
He's actually the lowest paid.
You're going to need to stay late overnight to work on this.
None of us will be there.
And then they, like, turned off the energy saver on the HR person's computer just to draw your eye to it across the room and make it even more compelling.
This was a, this was a sting.
And they set up fake contracts to make it look like he was the highest paid so that he would work the hardest.
They just like it.
This is a tailored manipulation.
I like that storyline.
They've done this to every person in the company.
one by one, they each get assigned a late night, and then they see on a computer that they're the highest paid person.
But they can never go and try and verify it because they gained the information illicitly.
This is some 4D chess we are making up.
Let's just be clear about this story.
We only hire tech-savvy marketing people so that they can compromise the human resource computer and work harder when they realize that they're being overpaid in relation to their co-workers.
I love it.
That would be, that's like an editorial feature in HR magazine,
how to honeypot manipulate your staff into working even harder by making them think they
figured out they're the highest paid one.
Exactly, exactly.
Thank you for your call.
That was a really good one.
Yeah, I appreciate that.
Hey, guys, I love your show.
We've got a real early social engineering hack technically back in high school.
would have been 2020,
oh, Jesus,
2002.
We had these passes
that only the seniors could get
and they would park on this
upper lot that was all paved and nice.
Then we had this place down below
called the pit
and it's full of gravel and
loose rock and
anything goes kind of there.
I just want to stop there
because I feel like
does every high school have
a pit? The pit. I know. Our high school had a pit. Did your high school have a pit?
So did ours. Yeah, see, I feel like literally I was making notes about this saying when he was like,
he started describing it and I felt like I was having flashbacks and there was such a sense of like ennui.
He's like, it's full of gravel, it's anything goes. And I was like, I'm familiar. And I don't
think we're from the same place. Definitely not. And it's like, but the thing is,
I just think that every school had like had a pit. Like it's like the architect.
We'll put the gym here.
We'll put the seedy little gravel lot for like people to smoke and fight and do drugs and stuff over here.
It's like it's part of the like site layout for high schools.
In the same way.
Yeah.
There's like an urban design architectural philosophy that if you don't create the pressure valve that is the pit, the entire school becomes the pressure ground.
It's like the pressure valve.
It's like if we don't give them a place to fight and do drugs, they're going to do it in the halls.
So we're going to make a pit.
It's going to be over here.
It's going to be a literal pit.
It's going to have gravel in it.
It won't be very nice.
You won't want to stay there.
But it will be a pit where you can get up to no good.
We are school architects.
We know how this works.
I love it.
That's a great thesis.
Great thesis.
My buddy's, my friend's brother was a senior.
And he had the pass to park up top.
And I Xeroxed it, some
Photoshop, if that was even available, Microsoft Paint, maybe.
Printed it out, laminated it, put it on my car at the beginning of junior year.
And we were going to see if it worked, and it worked.
And the whole year, parking up top, had a fake ID, didn't have to deal with the pit.
and carted and get all scratched up, messed up,
potentially broken into.
And the very last day of that year,
the security guard comes up, real cool guy.
But he was like, man, I've been trying to find you all year.
I wrote your license plate down.
You had a good pass, but it wasn't in the system,
but it looked legit.
But I knew something was up.
and I think I had like a $300 fine.
So it technically worked for a while, but then it's, they just caught on.
And yeah, so that's my fake pass, quote unquote, social engineering that worked, but then it didn't work.
So I love the show.
Keep up the awesome work.
Thank you, guys.
Man, thank you.
Thank you. And thank you for your honesty. I really appreciate it. You could have left that last beat of the story out. And it was just like a high flying parking heist. And we love those. There's been a few of those. It makes me think something about how parking lots maybe incept people with a little bit of anti-authoritarian bent to them. But I appreciate you included the ending where you're like, he did catch up with me. Cool dude. Nice about it. Didn't rat me out. Did give me a $300 fine. I appreciate the honesty.
I just love the idea that, like, parking, like, everybody has, like, their moral code is like, yeah, he stole some parking.
Like, no big deal.
It's like, no one gives you shit of a parking.
It's like, oh, you stole some HR data.
Okay, well, like, let's like wait on that a beat.
This is like, yeah, just tried to steal some parking.
Like, totally get it.
Who wouldn't?
Yeah.
Also, the second he said security guy came over, a real cool dude, I thought that story was
going in a different way.
Like, he was going to be like, knew you had a fake
pass all year like good work but he still got the fine that was pretty cool pretty cool you're pretty
cool guy you you you hacked together a pass and you stole the parking but um yeah i feel like we've had three
or four of these stories so i'm not sure how much more there is to talk about but uh good for you and
story you got a fine um hope three hundred dollars was less than the cost of paying for good parking all summer
or all school year it seems the way he tells the story it seems like it was still
worth it. Oh, yeah. He was like, you know, it was the last day of the year. I'd avoided being
down in the pit. I'd avoided getting my car scratched up. Here's the thing. We were talking about how
the pit is a universal experience. And I'm starting to wonder if this guy's pit in 2002 wasn't a
little bit gnarlier than mine was. He's making it sound kind of thunder. Yeah, yeah. He's like,
you know, there was no one sleeping in the car. There were no dents in the windshields. All the windows
were there. It's like, whoa, what's happening in your pit? My pit was just gravel and not very nice. Your
pit sounds kind of real, my guy.
Like, I get why you would go to all this effort, too.
And again, another good detail from this.
Not sure if it's Photoshop or Microsoft Paint.
And if you forged a parking pass in Microsoft Paint,
you deserved to not be in the pit.
Like, you did something challenging.
That should have maybe gotten you a credit in a class.
Like, that should have been worth something.
You overcame hurdles
that were provided by one of the worst pieces of software ever made.
I really like that.
Also, like the remembering the 2020, sorry, 2002, like that blip, that moment of 20 years passing
in the telling of the story.
That was a nice little beat.
There's nothing but twos in this year, and I don't know which one it is.
Yeah, exactly.
Hotline Hacked is brought to you by DeleteMe.
It's a bummer thing about making the show,
We know that there are a lot of people who have been harassed on the internet, who have been stalked on the internet, who have been doxed.
Privacy matters.
It matters to, I know a lot of our listeners.
And bummer news, a lot of our personal information is floating around on the internet.
Everyone is kind of an easy target if someone decides to put you in their sights.
Yeah, just last episode, we talked about a data broker being hacked.
And these data brokers compile tons of your personal information, name, contact info, social security.
addresses, relations to family members, you know, all the stuff. And then they sell this data.
And anyone can buy it. Uh, that can lead to identity theft. It can lead to phishing attempts.
It can lead to harassment, unwanted spam calls. Good Lord, can it lead to unwanted spam calls.
And now you can protect yourself with the sponsor of Hotline Hacked, DeleteMe.
As, uh, as someone who exists publicly on the internet, you know, myself and Jordan, but
especially me in the sense that, you know, maybe I have some critical opinions on things,
notably crypto. I'm hyper aware about, you know, my online safety, my online security,
and it's easier to find personal information about people online now than ever. All this data
is just kind of hanging out, ready to be bought by people who might not have the best, you know,
intentions. That's why we use DeleteMe and we recommend it. DeleteMe is a subscription service that
removes your personal info from hundreds of different data brokers. You sign up and provide
DeleteMe with exactly what information you want deleted and their experts take it from there.
DeleteMe sends you regularly personalized email privacy reports showing what they found,
where they found it, and what they took offline. DeleteMe isn't just a one-time service. It's always
working for you, constantly monitoring and removing the personal information.
that you don't want on the internet.
Very simply put,
DeleteMe does all the hard work of wiping you and your family's personal information from
data broker websites.
So take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount,
just for all of you.
Today,
get 20% off your DeleteMe plan when you go to joindeleteme.com/HACKED and use promo
code HACKED at checkout.
The only way to get 20% off is to go to joindeleteme.com/HACKED
and enter code HACKED at checkout. That's joindeleteme.com/HACKED.
And one last little stinger on this. Part of the reason we make two hacked every month we have for a
long time. We're really excited to be making more of it and we're excited that the form factor it's
taking is Hotline Hacked. And a big reason why is because DeleteMe heard it, reached out to us and
said they wanted to sponsor it and bring more of it to the world. So part of the reason we're
getting to do more of these is because of them. It's a really cool product. You should check it out.
joindeleteme.com/HACKED.
Hi, I was just listening to the third installation of Hotline Hacked, a great series,
and it occurred to me that I have a hack story myself.
I am a web developer, and I work at a small consulting agency, so we get different clients,
and some of our clients require us to fill out these training modules.
The training modules are just, you know, your standard corporate modules.
They're a video followed by quizzes.
They're very boring.
Most of them are like, you know, kind of common sense, compliance, don't bully your
coworkers, et cetera.
But there was this one that was actually dealing with security one time.
And that gave me the idea, hmm, what if I could hack this?
I love the thought there.
Like, hey, do this training module about cybersecurity.
It's like, well, I don't really want to, so maybe I'll hack it.
Yeah, I like this guy's style already.
Yeah.
Or it's just extracurricular.
And so while the video is playing, I opened up the dev tools in the browser.
And for context, the video is a pop-up window.
And the main page is the window under that.
But in the video page, I have the dev tools up.
and I just started looking in the window object
because sometimes you can find some interesting stuff there
and I found this one method called SetPassed,
capital S-e-t, capital P-a-s-s-e-d, so
I thought maybe this would just allow me to pass the quiz
and so I open up the console and I called the function
the window closes the pop-up window with the video
closes and I'm just left with the main page. Nothing happened but I refresh the page.
Lo and behold, it marks me as having completed that module with 100% on the quiz.
And at first I couldn't believe this so I logged out, logged back in and it persisted.
So I just thought it was ironic that this security training video was
you know, presented through a service with the security flaw,
a service which also has secure coding videos.
Now I won't name any names for companies and whatnot,
but I just thought it was an amusing thing.
And it's also sort of troubling maybe if, like,
you know, you're legally required to fill out these things
for compliance purposes, but you could just hack it.
Anyway, I love the show, guys.
Thank you for listening.
Well, thanks for your nice feedback.
That is indeed extremely ironic,
and it is very satisfying.
It does bring up the question,
like,
what higher stakes online training platform
could simply be circumvented by calling a,
hey, set me as having aced this test function?
It raises some questions.
Luckily, probably only people in security
or devs would know
do this. But I guess what I'm trying to say is I sure hope pilots can't do this.
Pilots, online voting, you know, the list goes on.
Online voting. Yeah, there's a lot of situations. There are a little higher stakes than an online
video quiz training platform that's a little bit redundant and a little bit easier to hack.
I love like this this thing, like the power of being a web developer and understanding what's
going on in the background of a web page. Now with.
so many things, you know, like I'm speaking about this coming from the past 25 years, but it's like
so many things are now just online, right? Like, they're online tests, they're online learning
platforms, they're online everything. You know, even paywalls on news sites. Like if you have the
ability to whip open dev tools and just take a brief scan at the structure of the page, you can often
do a lot of things. You probably shouldn't. You know, there's a lot of lazy missteps by coders
doing things on the single page rather than on the server side.
And something like that's perfect.
Like somebody has a JavaScript function that's SetPassed that passes probably a call back to the server flagging that they passed the thing and what their score is.
You whip open the JavaScript console in the web dev tools and you just type in SetPassed and run the JavaScript call and bang, it's done.
And it's like that's pretty easy and pretty easy to find out.
Like, good for you for finding it out.
But it's like, it's, yeah, it's the, these learning platforms, tons of things that have security are doing it client side.
And I don't fully understand why.
I don't know how the software architecture, the engineer that's in charge of the project is like, you know, what's a great idea?
Let's just offload all the server processing and verification and just put it in the client side.
Like, what could go wrong?
There was a, at the end of it, you know, he made an offhanded remark to the fact that, you know,
inside of this training platform, there were lessons about secure coding.
And I'm reminded of the fact that we have helped companies create video training platforms,
like not the platforms, but the content helped people make, you know,
online education for companies.
And it's interesting to think about how the people that were creating that content,
who were building the videos, explaining how secure coding worked,
were probably not the same people that had built the platform.
that the videos were being delivered on it, the quizzes were being taken.
And probably at some point someone thought to themselves,
I sure hope whatever platform these videos was being deployed on is secure,
because otherwise this is going to be extremely ironic
when someone figures out how to compromise this quiz about secure coding.
And then, I don't know, calls into a call-in show years later
and talks about it on the internet.
It's a, I can imagine that perspective and it's a pretty fun one.
Well, even like these online platforms, like, you know,
I'm not going to name any of the names.
There's some huge ones out there that offer right up to get your master's degree.
Like imagine if that was the same as this platform.
And you could like just bang out a professional master's in like an afternoon by just like hitting next to the next module, running SetPassed in the console, going to the next module and just doing that on.
You could even script that and be like, oh, today I'm going to get a master's degree in, you know, cybersecurity.
And then bang, you'd like hit a button and it's done.
It's the scene where Neo plugs in and learns kung fu in five seconds,
except without any of the learning.
You can just get the piece of paper that says you know kung fu.
You will not know kung fu.
There is no education, no pedagogy taking place here.
You will know nothing at the end of it.
But you will have like, I don't know, $200,000 worth of PDFs saying that you have a master's in like English lit or something.
Certificates in everything.
You were the most trained human in the world.
Your human capital is worth so much.
Yeah, the thing for me is just, you know,
being somebody that's been a long time
in like the early parts of my career,
building online platforms,
server side versus client side,
and like the whole Ajax movement,
like, putting so much stuff into the client side,
And I'm shocked that they don't make a callback with the results and get a confirmation from the server.
Or like, I wonder, like, I wonder on the back end if they open up his records,
if they can pull up that module and just see that he had no answers for that quiz.
But if it's recording 100% like good, then maybe it did record that he had answers for everything.
Interesting.
And would they see the passed, like, tag or however that worked?
and the absence of questions and wonder to themselves,
did it just fail to save or store the answers
and the person actually passed with 100%,
or would you jump immediately to?
This person clearly gamed this very vulnerable system
and didn't do any of these quizzes.
But at this point, the stakes of this aren't that high
that I'm willing to reveal how bad a job we did developing this.
So 100%, I guess.
It's like it harkens back to my master's project.
A thesis I never finished writing,
but I don't know why I'm going to talk about this,
but it seems relevant.
But like what I did is I'd taken a major web framework,
Ruby on Rails, and I jacked hooks into it
that extracted a logical model for the entire software application.
So every time you got to a different part of the state space,
like it constructed the entire state space for the logic of the software
that you were running.
I don't know if this is too.
technical enough we should include it. But then you could set rules to be like,
you should never be in a situation where somebody is marked as passed and has no responses
to the questions. And then it would flag that and be like, you have an issue here. Like,
there's a compromise. So that was my master's project. And it seems very relevant in this
situation to me. It just instantly triggered that for me because it's like,
that's a piece of state space that you should never be able to get into. Like if this person
hasn't submitted answers, they should not have been marked as approved on the module.
And it just feels like there's, it could be some uses for that.
Maybe I should finish that thesis at some point in my life.
And send it to this caller to send on to that training platform.
Yeah.
Totally.
Totally.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just
couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations
from the ground up for a world where attackers are already using AI. They created the Aurora
Super Intelligence Platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose
bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto
an old model. They rebuilt the model entirely. What makes it even more effective is how it works
with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the
platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind. If you want to see what trustworthy,
production-ready AI and security operations actually looks like,
Go to arcticwolf.com slash hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th diving to the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses for it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fear mongering.
It's practical, actionable, intelligence from experts in the future.
trenches. Register now at arcticwolf.com slash hacked.
Hello, this is Max from Switzerland, and I wanted to share a story from the 80s, probably
around 1985. We were kids that went to school, and we would go to trade shows.
And on these trade shows, like computer shows, usually the incumbent telephony provider,
And we're in Switzerland, so it was called PTT, which is now Swisscom.
They were there, and they would show off the X.25 network, which was called Telepac.
And that was obviously the pre-Internet days, but with Telepac, you were able to connect to computers all around the world.
Now, what you need for Telepac to access it, you need what was called an NUI, a network user identification.
And at the time, those things were expensive.
So what we would do is we would have a voice recording device,
like a dictaphone that managers used to dictate letters to their secretaries
to then type it into a typewriter.
So we would have one of those.
And we would have what was called an inductive coupler.
Looks like a small suction cup that you would then
stick against the modem, and you would record,
basically, the phone call the modem would do to the Telepac network.
And the guy that was demoing
the Telepac network would then enter the NUI,
the username and the password, and we would record that
on the dictaphone. Now, at the 300 baud, or 300 bits per second,
you know, that was not that hard to record that.
And we would then go home and use an acoustic coupler and replay the recording,
and it would get us the NUI to access Telepac.
Now, since those NUIs were from the telecom provider themselves,
they probably never got a bill for it,
and usually those passwords that we got on those trade shows,
they would work for years after that.
You would then use Telepac to actually
access Unix or VMS computers, and from there, at the time, there were, there were things like the
Usenet, or before Usenet, it was called Notes. So yeah, that's, that's what we would access across
those systems. Yeah, love the show. Keep you going. Thanks all.
This one's cool. This is my guy. This is,
this is my guy.
I used to have an inductive coupler too.
I actually built a small,
really?
A small modem that used an inductive coupler to,
like,
in a pre-broadband world when we still had dial-up,
I had built something very similar to this.
I didn't use it in the same way as he did.
I used it more for,
like, being able to dial into the internet from anywhere on any phone
without having to take a big modem with me
and, like,
a little bit more discreet. But yeah, this is bringing back childhood for me right here. Inductive couplers,
you know. What is an inductive coupler? Because everything about this sounds like it's a microphone
speaker. Yeah. You use a microphone to record the signal and then it would be a speaker to just play it back
into the phone. What is an inductive coupler? Yeah. So it's essentially an electromagnetic microphone
that you suction into the side of the phone. Got it. So instead of it actually being a microphone,
that you put over the ear socket.
It's a tiny little,
mine was little black and round
with a suction cup on it,
and it's got like a little like,
uh,
uh,
3.5 mm,
like,
uh,
mono coming out of it.
And it's like a mono microphone,
but it doesn't use,
like the classic microphone audio waves thing.
It actually picks up the,
the signal.
So it was,
it's,
anyway,
I,
I,
I love this story.
Because internet was
expensive. Access to networks was expensive, and these guys were literally hacking ways to get around
login credentials in like a very analog-y, cool, old-school way. And I love this story. This is, this is right
up my alley from when I was a kid. Yeah, this one's really cool. We've done episodes before about stories
that took place on Usenet, which in my mind is like, I mean, not in my mind, which is a precursor to the
modern internet. And this dude was, was rolling in
on precursors to even that.
So when you log into one of these networks using one of these NUI password user,
whatever this thing is, what is the legitimate way of doing it?
Like what does it look like if you're not hacking it and using an inductive coupler?
What is the mechanism by which you log into one of these systems?
Well, they were only using the inductive coupler to essentially eavesdrop on the authentication protocol.
So then they would take that recording home.
And then they would use an acoustic coupler.
So like a classic modem where you took the handset for your phone and you
suctioned it into the little box.
I don't know if you've even ever seen one of these, Jordan, if you're old enough.
No, I don't think I have me.
Yeah.
You used to have to take the headset from like an old phone and literally push it into a thing,
like a box that had both a microphone for the speaker,
like for the, had a speaker that went to the microphone and a microphone where the speaker
came out of the handset.
And that was how original modems worked,
is that they were entirely acoustic.
So that's why the bit rate was so slow
because there was not actually a physical connection.
Like nowadays, we're all fiber optics and light,
and the speed of light is our limiting factor.
And the speed of electricity transferring over copper
is our limiting factor.
These systems use literally audio waves,
beeps and boops to indicate bits.
Through an audio space,
So, like, you had latency from, you know, the traveling of sound. You had all kinds of issues. So these guys,
instead of having a legitimate account to get onto the, what is now Swisscom's, like, you know, network access,
they were literally recording and stealing the creds from trade shows,
which were probably like demo accounts used by the sales force and not very well monitored. And then they would take them home and then use those to gain access to the networks, which
is like real OG hacking stuff. And like I love it, love it. Like we're talking about like me
as like an early, maybe preteen like reading and doing these things. And like this is great.
Yeah, there's something really satisfying about, you know, this pretty high stakes admin accounts
to this network being played as sound. Like maybe one of the least secure things I can think
of. Like it is, it is in a sense spoken out loud every time it is used as a password.
It is audible to a person with a little bit of gumption. That's incredibly cool. And just
paints such a sick picture of like a 1985 tech trade show in Switzerland with some kids like ripping
in and like pulling out these credentials as audio files and then playing them back into a phone
to gain access to like computer networks somewhere. This is really cool. I would like to watch
a show about some like 1980s Swiss hackers.
Like, you've got to imagine that the actual demo units set up at the trade show were acoustically coupled.
So like imagine the headset is in the modem pushed in.
So you can't really hear it.
So that's why they were using the inductive coupler, so they could access the audio coming out of the speaker in the telephone's handset without actually removing it from the modem.
So that's why they were recording it.
And then they would take that home.
and it's great.
Like it's old school, reminds me of my childhood.
I love it.
Kudos to you.
It would have been highly illegal,
so I'm not saying go break the law,
but like smart, clever,
makes me feel like it's something that I would have done.
So kudos.
Love it.
There is a telehack retro game.
I think it's called Hack Like It's 1987,
where you can, it's a text-based hacking game
where you can simulate a stylized combination
of like Usenet and Arpanet,
or like 1985, late 1980s,
pretty much bang on when this would have existed.
And you can try your hand
at doing this as a basically a web game.
I haven't heard of it, but it sounds great.
Yeah, I'd be intrigued to have a conversation
with this person and see what they're up to now.
You know, like I feel like if you're doing that in 19, whatever it was, 80-something,
I imagine you had a technical career and probably, you know, probably a good one.
So I'd be intrigued.
Yeah, fire us an email as a follow-up.
We'd love to hear what you're up to these days and what you did with those skills.
But they, yeah, great, great story.
Love to hear it.
And thanks for listening to another episode of Hotline Hacked, brought to you by DeleteMe.
JoinDeleteMe.com slash hacked.
If you want to share a story with us, they are the guests that
keep this engine turning.
Go to hotlinehacked.com.
We would love to hear your story.
You can call 1-888-288-28-289,
or you can go to hotlinehacked.com
and submit an audio file via the email.
We'd love to hear from you,
Strange Tales of Tech,
true hacks, computer confessions,
whatever you got, we'd like to hear it.
Get at us.
And until the next one,
thanks for listening.
Take care.
