Hacked - Hotline Hacked Vol. 7
Episode Date: November 28, 2024A collection of calls, including an extremely wholesome story about a hacked internet contest and an electric guitar that changed a caller's life. Hotline Hacked is brought to you by DeleteMe. Take ...control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners: Today get 20% off your DeleteMe plan when you go to joindeleteme.com/HACKED and use promo code HACKED at checkout. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Thank you for calling Hotline Hacked.
Share your strange tale of technology,
true hack, or computer confession.
After the beep.
Hey guys, love the podcasts.
My name's Adam.
I'm in Brisbane, Australia.
No need to make my voice anonymous or anything like that.
Of course, you're welcome to make it sound better and less nasally, perhaps.
Hey, nasal empowerment.
I'm there with you, brother.
A member of the community.
It's a small community.
It's a small community, but it's proud.
My nose has been broken 13 times.
I don't know what your excuse is, but you are part of my community.
13 times.
We're going to address that later.
Otherwise, I don't think too many people will come after me after this confession.
First off, love the podcast, love everything that you guys do.
I've been a regular listener for a number of years.
Definitely in my top two of Cybersecurity Podcast.
So yeah, it's great.
I love it.
So this story is for Hotline Hucked.
Just some quick background.
I worked at a fairly medium to large business nationwide here in Australia.
They had offices scattered in all capital cities.
So we're talking 25 years ago, early 2000s.
I was just a spring chicken at the time.
I just organically found myself being good at IT.
and just ended up on their national IT help desk, helping out the IT guys in Sydney from time to time.
As part of that, they gave me full admin access to their email service,
so I could help reset passwords and troubleshoot and things like that.
So yeah, it was just a really basic pop three IMAP kind of deal.
So anyway, eventually I left that organisation and my girlfriend,
the time. She also works there and we both left around the same time and while working there,
we, I guess, you know, we were curious as to what was going on after we left because this was
a few years before Facebook and we didn't really have any contact anymore with anyone that
was still working there and over the time we'd made a few friendships, I guess. So, you know,
I guess we could have picked up the phone and called them to see how things were going, but we chose
the lazy way and would still log into my admin account to check people's emails just to see
what was going on. As I said, it was pop three, so usually of an evening I could still see
emails that were sitting in inboxes waiting to download sales, you know, able to pretty much
access anyone in the organisation's emails to see what was happening. So that was fun for a little
while and it kept us intrigued for I guess a few months until my account was
eventually disabled. So that was that we moved on but then sometime later my
my girlfriend calls out and she goes hey I'm back into the emails and I'm like
what what's going on and she said I'll just put in admin as the username and
password one two three four so that old chestnut got us back in I thought it was
quite funny because my
girlfriend was completely
computer illiterate. She has very
little interest in anything related to cyber
so I guess you could say
that these guys were
compromised by
really a very
intra-level hacker, maybe
I don't know. That's my little
story, the old admin
1234. Anyway, I can't remember what happened. I think we
just got bored of it.
And who knows how long that password combination.
In hindsight, we probably should have let them know, but, you know, we'll be young and stupid.
Thanks, guys.
See you later.
The old password, one, two, three, four trick, eh?
The old admin as username.
Welcome to Hotline Hacked.
It's a call-in show where you can share your strange tale of technology, true hack or computer confession.
It can be recent.
it can be from 25 years ago when you were just a spring chicken.
It can be from like 40 years ago.
Yes.
Because the person, I think it was two episodes ago, maybe up a hack, Collin Hack 4.
Yeah.
The person who did the inductive coupler in Switzerland and like hacked into like the old like dial in servers and stuff actually did reach out and told us his history.
And he did end up with a long and successful and continuous career in tech.
truly because I think we speculate during that call like wow what a career this person probably went on to have based on how
kind of clever they were during the anecdote and indeed they did like on tell German television I think
for doing hacker stuff like had a very interesting career that they're um not quite wrapped up yet
but I think if Bitcoin reaches six digits is what they said that they'll be yeah they'll call it in
He took a hard transition from like FinTech and financial management and the banking industry to the obvious out to crypto.
And yeah, he's hoping on a six-figure Bitcoin price.
And I'm sure there's a lot of people that are too.
But so for him, I hope it gets there.
You know, I'll put aside my cynicism and say, good for you.
You earned it.
I hope you get it.
So what I'm curious about is in the intervening years since this story,
if the caller's girlfriend, who was then just an entry-level hacker,
has since gone on to have a Bitcoin-fueled professional hacker career as well.
Maybe that admin plus password 1, 2, 3, 4 really sparked something.
The thing that I really liked about this was we were curious about the company.
Yes, we could have picked up the phone, but we went with their easier option.
Like, that you just decided, like, we're just going to hack back into all their emails
versus like calling up Steve in accounting and seeing how it's been going.
I'm going to make a movie reference here, which is not something I often do.
But like, have you ever seen the movie Laircake?
Oh, it's like a Daniel Craig movie.
Yeah, I remember that.
I feel like that movie is why he got cast as James Bond because it's like pre-James Bond
and you're like, man, this guy could play James Bond.
But there's a scene in it where it's kind of doing his character introduction and he's like,
you know, I'm a drug dealer, but like I pose as like a real estate broker.
And it's like, you know, everybody wants to know what's a,
on the other side of a doormarked private.
And it's just like a thing about mankind of like, you know,
how we can't help ourselves.
But like if I'm not allowed to be in there, I want to be in there.
And that's exactly this.
I have the access.
It's not really adding any value to my life.
But for some reason I'm using that access to learn little bits of information
that I shouldn't have had.
Well, because it's also compelling too.
It's like an old workplace.
You're not there anymore.
It's been years.
But there's probably people that you're curious about and like dramas that you
want to know how they resolved. Yeah, lunch meetings that you could have had. Totally. Like,
you just want to kind of know. So maybe, maybe you try. Go for a beer and catch up on what's going on
in their life. Yeah. Yeah. Hack another app or their email server and read their emails.
Same, same. Yeah, exactly. I also like that 25 years ago, this caller was able to kind of like,
obviously, like, they have some technical knowledge, but they were able to kind of just like,
I was just really good at computer stuff. So anyway, I'm sitting on the national IT help desk. And it's like,
That worked differently back then.
They said it was a pop three iMap kind of deal for anyone that doesn't know what's that.
Yeah.
So when I was listening to this, the first thing that really stood out to me was that like I hadn't heard the acronym pop or pop three for mail in so long because it's essentially a dead protocol.
Like I don't know if you, you might not be old enough.
But pop three used to be like my email client would go to the server and get the email.
and then they were no longer on the server.
And if I deleted them locally off my email client,
they were gone forever.
IMAP was the first protocol that was like,
we keep an archive or like your mailbox stays on the server
and then you keep a sync of it locally.
I completely forgot about the nightmare that was pop email.
And the second he said it,
it triggered me.
And all of a sudden I was having these flashbacks
and being like accidentally deleting something
or like losing a lap.
top or a hard drive corrupting and just losing all your emails.
And I was like, oh, God, remember those days?
It's the computer equivalent of like LSD stays in your body for a decade and it can
show back up at any time.
You can have a sort of like flashback acid trip, except it was for Pop 3 and remembering
that there was a type of email delivery that's not stored back redundantly on the server.
I also feel like PTSD.
That feels like that feels like that.
feels conspicuously like you could sell that as a service today. Like that there's like a type of email
where it's like vanish mode. Like vanish mode. Like vanish mode. You could just revert 15 years to a much
older standard and you're like $4.99 a month. Hey, like let's just follow. Let's just pull that.
Like what did Microsoft pay for Slack? Because Slack is just IRC chats put into a fancy look and called
a corporate communications tool. It's still like I guarantee that if you took the source code for Slack,
still has the pro, like I bet a lot of the base code is still the open source IRC code
because you use hashtags for channels, you use like ads for people, like everything's still
the same. And I'm looking at my Slack window right now being like, I pay so much money
for corporate Slack when it's really just a private IRC server. I like this idea. The thing
I've been really enjoying about Hotline hacked is that a lot of the calls naturally are going to
bias to being older. Like they happen to the past because those are the types of calls that people are
willing to share publicly. This happened 15 years ago. Who cares if I share it is sort of like the
crux of it. But I'm also getting a glimpse into all of this cool old tech that I was,
wasn't really either around for or was it really paying attention to at the time. And I really
like this idea that you could just like resurrect an old standard and being like, dear sharks,
this is my new business idea. It's like vanish mode. Yeah. But for,
email. Exactly. It's pretty good. It would be like, okay. Okay. Okay. It's called Pop 3.
Yeah, yeah. No, no, you're going to give it a new name. It's called Free Pop. It became Slack.
You can call this like, you have to give it some fancy marketing names to that when Microsoft gives
you a billion dollars for it that you're like, you know. Yeah. I think Vanish. Vanish is pretty good.
We'll workshop it later. It'll be fine. We'll hire an extremely expensive branding agency or
something to help us name it.
I just I just had a memory.
Salesforce bought Slack, not Microsoft.
So ignore all of that Microsoft conversation.
It was Salesforce that bought Slack.
Well, they'll buy Pop 3 from us and we'll see you on the island.
We'll see you with all the rest of the crypto billionaires.
Exactly.
See you on the crypto island.
But yeah, welcome to Hotline Hacked, Jordan already intro at us,
but I love being back.
And it's all because of our wonderful sponsor.
Don't want to delete me.
Mm-hmm.
And, you know, delete me offers a kind of a privacy service
to help cleanse your personal information out of certain data brokers.
But we could talk a bit more about that later.
But just a big thank you to them for making the show the Hotline Hacks series possible.
And yeah.
Ain't it the truth.
Ain't it the truth.
Should I kick to the next one?
I think you kick it on down to the next one.
Hey, guys.
Love the show.
The story of Mike and Robbie reminded me of a time I broke the Internet for a relatively
well-known mid-sized marketing company.
I wasn't even working for said marketing company.
I was working for a tiny startup renting office space
and, importantly, bandwidth from the marketing company.
People who work in tech may not realize how heavily startups will lean on Google
sheets for their entire tech stack.
It's slow as hell, full of security vulnerabilities and,
most relevant to our purposes, extremely easy to break.
But it is free and very accessible.
Database administration capabilities might be in short supply, but you can move data between large Google spreadsheets with a five-minute YouTube videos worth of Google App Script, which is basically just JavaScript.
Such was the case with this tiny startup.
Our entire tech stack was a Frankensteinian labyrinth of Google Sheets collecting, analyzing, transforming, and storing data with Google Apps script.
Big ups for Frankensteinian Labyrinth.
Yeah.
AI voice conversion really lands for me.
It's really nice when someone with a way with words plugs them into an AI.
It's a Frankensteinian labyrinth.
You're like, ooh.
One of the tables who stored information about press releases we were generating for our clients.
One of the properties we wanted to report on was whether or not Google had indexed the live URL of a published press release.
That's easy enough to figure out, but not programmatically at scale.
Being the plucky go-getter that I was, I attempted to solve this process.
problem. I learned that if you create a function in Google App script, it is available to use in a
cell formula inside Google sheets. I wrote a function which I thought could scrape Google's
SERP to test for whether or not the press release URL had been picked up. I then loaded the
formula in the Google sheet, similar to how it would work in Excel, and copied it down all 20,000
rows, feeling very proud of myself. What I didn't know is that first of all, Google is pretty
protective of programmatic scraping of their serps. So I wasn't even getting the information I thought I was.
More importantly, I didn't realize that Google Sheets refreshes every five minutes or so,
which means our Franken database was pinging Google servers 20,000 or so times every five minutes.
Not only did that clog the network with traffic, effectively dosing the entire building from the inside,
but we found out that Google banned our IP address, shutting down our access to all Google services.
in a digital marketing company.
They called in someone much smarter than me,
and they managed to fix it by the following day.
I now know proper SQL.
Dosing.
They dose us.
We dose them.
I like that.
I'm going to quit calling a dosing and start calling it dosing.
Yeah, it kind of feels right.
You dose them a little bit.
Like it feels like it's an attack.
It's like not a thing you want to have happened, do you?
Yeah.
Okay.
A dose of the Frankenstein.
A dose of the Frankensteinian labyrinth.
A dose of the Frankensteinian labyrinth because you pinged Google servers 20,000 times every five minutes.
And Google went, not on our fucking watch and just shut everything down.
Literally.
Okay.
So working for a mid-sized marketing company was not.
He's working in the office of a mid-sized marketing company for a startup.
But for some reason.
It sounded like he was doing marketing-related communications, press releases.
Like he was in a text.
space of marketing for sure. Okay. And probably one of those like we own an agency and we have a tech
idea and now we have a startup inside of our office kind of vibes. That's what I'm picking out.
Yeah, because he had access to their like their databases and was clearly been tasked with moving
things around inside of those databases. And in this case, trying to figure out whether Google had
indexed the live URL that was sent out in a press release was what this caller was trying to do,
right? Mm-hmm. Mm-hmm. Okay.
Serp. Serp, like search engine results.
So just trying to see if it was in the, if a robot had indexed it.
Got it.
Be a bunch of other ways to get it.
Okay.
And so they create this, created a Google function, created a function inside of sheets that they put into a cell in it, which had 20,000 rows in it.
Am I understanding that correctly?
If you and I have the same understanding, so if we're not understanding it, then we're both, we're both,
the page that we're both missing it um they loaded it in and then apparent so help me understand
this they run this and it runs this little scraping check thing 20 000 times like what happened
then that's where gets yeah yeah sure so it sounds like they defined the function in the like
sheet itself so it's like a global function we'll call it for people that program and once they
embedded it in a cell essentially any time you load the sheet
up, open it up, make changes, like do anything massive. Anything that causes the cells to recompute
would immediately mean that every cell that has a call to that function would get called again.
So, and because the function's not like, you know, is there three decimal places afterwards,
if not then sealing the third one and rounded or something like that. Like it's not some basic
function that's like easy and quick to compute, but it's like create a socket to the internet.
Go out and get this piece of data.
Parse the return.
Do all this stuff.
It's like it's a tangible task for each one of those function calls.
So every time the page gets refreshed or change or needs to recompute, boom, it triggers 20,000 of these massive functions.
And importantly, whatever that function was, it pings Google's servers.
If this was happening locally on their system, no one gives a crap.
But it's calling to Google servers.
So they go, who the heck is calling?
calling us 20,000 times every five minutes shut it down.
Yeah, the funny thing is I can't believe.
Like that actually seems like such a low amount of traffic that I'm surprised that Google would actually have caught that.
Like if you think about Google's traffic, 20,000 active connections is like nothing.
Every second we're talking, there's an order of magnitude more.
Yeah, yeah.
But maybe one spreadsheet doing it.
They're like, don't stop it.
It's probably related to they probably have like an anti-stube.
scraping system in place.
And it was like they, it triggered some form of detection that automatically hot flagged them
and it will stop it.
So yeah, yeah, I, um, Google Sheets powerful, but also chaotic.
Actually, the whole Google platform, love it to death, use it all the time.
Yep.
But it can constantly have problems in it.
So, we have so much to talk about on the next chatty chat.
There's been so much stuff with Google lately.
but we'll save this for the next one.
Well, so we could just touch into that, just a hair, just for fun.
Just do Porto-O-in.
When Jordan and I were in Vegas for DefCon was when the FTC and all that stuff started with Google.
And we were actually just hanging out chatting with somebody in line at one of the talks, who was a Google employee.
Right.
Yeah, there you can.
I remember.
Oh, I forgot about this.
We all got an email this morning being like,
don't talk about this, don't say anything to anybody.
And we're standing there wearing our big press badges being like,
okay, just like pointing at them being like, you know that we're like,
look, like, we're not hiding anything.
There's no room of people I want to deceive about being a member of the press
less than any room at DefCon.
Yeah, exactly.
So anyway, that's the teaser for that discussion is that we,
We were at Defcom and that stuff all got announced.
The funny thing for me is, and this is just a complete aside,
but if you're a listener to the show, you're used to this,
is Google's stock didn't take a beating from that for like a week after.
Like it was public knowledge that the FTC was going after them
for like monopolistic enterprise stuff.
And literally one of the first things I did was check the share price on Monday.
And it was like going up.
And then in the financial news, it broke on like the Thursday that this was happening.
And then all of a sudden, the stock got pumped.
And I was like, how did the financial news be like five or six days behind like the real news?
So anyway, a weird aside, but that actually happened.
I'm so intrigued by the story because we did that whole big episode about Chrome and its connection to advertising
and whether or not there's cross-pollination because that's there's not supposed to be.
And now the DOJ is telling Google to sell Chrome.
Next chatty chat.
I don't know.
Yeah, next chatty chat.
Because I got takes.
I got takes.
I got hot takes.
I think the Chrome is a sacrificial lamb.
I think it's a negotiating tactic.
I think so too.
That's my take.
I think they're just like, you know what?
We got to give you something.
So we're going to give you Chrome.
And it's just like, we're not going to break up the display ads and the network
and the search and the whole pool that is our perspective monopoly.
But we'll give you Chrome, like our not-for-profit, essentially free-use product, that, like,
we'll sell this.
That they already white label out to most other browsers on the internet.
Like, I think there's a world, I know that there's a push also for the search platform
to be functionally white-labeled.
Like it is this, it's this, like, flywheel argument that we've now reached a point where it is impossible for another party to enter the, like, ecosystem, regardless of funds, because the traffic is simply all in Google and any competing product will just be worse because of that lack of product.
So to me saying, like, we need you to sell off your browser is like, well, do they want that more or less than having to white label their own search technology?
Like, it's not about what's, it is definitely a like monopolistic consumer protection argument, but it's also a negotiation.
And I don't know.
I'm trying to figure out who wants what.
Yeah.
Yeah.
Completely agree.
I think that we should stop this.
Back to the hotline.
This digression that I created.
Let's go back to the calls.
No, let's talk about how much of your personal information is available on the internet for anyone to see.
It's more than you think.
And our sponsor of today's show in the Hotline Hack series, Delete Me, is here to help.
Your name, contact info, social security number, home address, even information about your family members and children,
has all been compiled by data brokers and is sold online to pretty much anybody.
So anybody on the web can buy your private details, leads to identity theft, helps with fishing attempts,
unwanted spam calls.
Personal experience, my mother-in-law got defrauded by somebody who had personal information on her and her family,
and they lost thousands of dollars.
True story.
And she's an avid listener to the show.
Love you.
Sorry, I had to bring that up for you.
Oh.
So, yeah.
Now you can protect your privacy with Delete Me.
I was going to make a whole bit about how I was buying your personal information prior to you using Delete Me, but now it seems uncouth.
That sucks as people who exist on the internet.
And for people that don't exist publicly on the internet,
safety and security is a pretty big concern if you use the internet.
It's really easy to find personal information about people online.
All that data is just hanging out on the web and have real consequences in the real world,
as we all know.
And in some cases, have unfortunately experienced.
That is why we personally recommend use and choose, delete me.
It's a subscription service.
This is something that I find as much as subscriptions are a point of contention and a discussion,
this is one that I actually like because it runs consistently.
It's not like they do one sweep of the internet.
You give them their $19 or whatever and it's done.
They're constantly monitoring the data sources, looking for your information and requesting
its removal in real time.
So for me, that's a huge value.
So you sign up, you tell them exactly what you want to.
their experts kind of they go off, they take it from there.
And they send you regular personalized privacy reports showing you what they found.
It's weird to get these emails.
It's like it's very cool to see the things they're digging up where they found it and what they're removing.
Put it simply, they're doing the hard work of wiping you and your family's personal
information from data broker websites.
So take control of your data and keep your private life private by signing up for delete me.
Now at a special discount for all hacked listeners, today you can get 20% off your Deleteme plan
by going to join Deleteme.com slash hacked and use the promo code, hack to checkout.
The only way to get 20% off is to go to join Deleteme.com slash hacked and enter the code word
hacked at checkout. Hotline Hacked is coming to you monthly because of Delete Me.
We think they're a cool company, a cool service. You should definitely check it out.
that's join delete me.com code word hacked.
Now back to the show.
Back to it.
One other thing that I think we should hit on is, you know,
while we're in digression land here, like let's not stop.
Is you sent me the email that came into the Hotline Hacked account about the dynamic ad insertions.
Do you remember sending this to me?
You put a screenshot in with the audio files.
So apparently we were in the last online hacked,
we were having a conversation about like cars moving to a subscription model for functionality and stuff.
And apparently somebody out there in the world got served an ad for a Lexus car with a subscription service for some of its functionality like at the end of the episode.
So they emailed in and were like, oh my God, the chef's kiss was that I got served an ad by Lexus for a subscription based car.
immediately after listening to your discussion about it.
So thank you for reaching out.
That's brand synergy.
Every time that it's like we don't, for anyone that's curious,
because this is probably one of the few shows where people would be compelled by this,
host red ads, we do see what they are, dynamic inserted ads.
We typically don't.
There's a set of criteria that you get to flag.
And then the ads just kind of happen because different advertisers will pay to
advertise to different people in different geographic regions or who have expressed different
interests, which is a really roundabout way of saying, we don't really know what goes into those
dynamic non-host red ads. And the majority of the time when we get a funny email about it, it's not
worth talking about. But when you shit talk, heated seat subscriptions in an episode and then
an ad runs for a new car. That has heated seats subscriptions. You got to talk about it on the show.
Yeah, yeah.
This is Pete from the UK. Thanks for doing this show. I really gets to
me through my long commute that I have to face once a week.
Couldn't resist trying to submit a story into Hotline Hacked
because I really enjoyed the tales from everyone.
My story states back to, I think it was the late 90s,
maybe early 2000s, I forget.
And I was reminded of it recently because of all of the
noise around Oasis tickets that occurred recently.
Oasis being
you know such a big band
particularly in the UK
sort of mid to late 90s
and being
a
teenager at that time
really got into wanting to
to play guitar
but also being a teenager
at that time I remember not having a lot of money
and I wanted a particular
type of acoustic guitar
to play that I could also plug it
into an app and just really struggled to save up the funds for it.
And again, like probably a lot of teenagers at that time,
I played a lot of games as well.
Less on consoles, there was always much more into PCs
and understanding how they're built and how they worked.
And so on my sort of quest to try and find a guitar to play
so that I could emulate Oasis and others.
I came across a website after looking for weeks and weeks.
I found this website that had a competition running.
And I can't remember the exact specifics around it now of how it worked,
but it was something along the lines of,
it was multiple questions that you had to answer
in sort of the shortest time possible.
So the answers had to be right,
and you had to answer within,
you know, in the shortest time possible.
And I think I was still dial up internet at the time,
so everything was a bit painstakingly slow,
but I remember the prize of a guitar,
that you've got a certain selection of guitars to choose from,
the prize would be announced every week,
so there's a winner every week.
And much as I tried to win this guitar,
and this question,
I could never do it in the time frame.
And they would have a leaderboard at the end of the week
and you'd see the top five people in the shortest time
and who's the winner.
And I could never win it.
He could never win it legally.
A few weeks went past and that's the way.
It's never going to happen.
But as I say, I used to play a lot of games at the time.
and I remember playing, maybe it's before the time,
I remember playing Duke Nukem's 3D in particular.
I know once I've finished it,
I then started to think, well, how could I beat the game
in a different way and find some cheats for it?
And remember I got hold of a, what I call it, a memory trainer?
Maybe it's called something different these days,
But the premise of it was that you could play the game.
And if you had, say, 100 ammo, you would run this program.
And you'd tell it that you had 100 bullets or 100 ammunition remaining.
And then you would, you know, rattle off a few rounds in the game.
And perhaps it would go to 90.
And then you go back to this program and say, right, now I've got 90.
And then you do it again.
So you get down to 70.
You'd go back and say, right, I've got 70.
And after a while, eventually we'll come back to you and say,
I've now found where this value is being held in the program's memory, and it would let you adjust it.
So you could then go into the program and say, right, now I've got a thousand bullets, right, and it would adjust it in the running program.
So I was playing this game, and I suddenly thought, I wonder if this would also apply to web browsers.
So I went back to this competition page and I tried answering the questions and I think that the top score, the lowest number, the lowest time that someone had was something like 11 seconds.
And I was getting something like 18, 19.
And so I went through the round of questions, I think about five questions.
And I got something like 22 seconds.
seconds, and I put in the memory trainer and I focused it on Internet Explorer at the time,
I guess it was, and said, right, you know, 22.
Could have been Netscape, another throwback.
Miao.
Mew.
My cat.
And then went back, did it again, got something like 21.2 seconds.
We went back in, put 21.2 in.
Did that a few times, and it came back, and it said, I found the memory value.
I thought, huh, well, it's worth a go, right?
And so I put in, I think it was like 10.2 seconds, didn't want to over-reg it, didn't want
to make it seem unrealistic, putting 10.2, dot to the end of the round of the questions, and sure
enough, up on the screen, popped well done, 10.2 seconds.
And so my name went to the top of the leaderboard and there it sat for the rest of the week until
the Friday or Saturday when it was announced.
And then I looked back on the site and I'd won my choice of guitar.
So I went ahead and chose the guitar that I really wanted.
I'm sitting here pensively waiting.
There's another two minutes left in this.
And it's like, did he get it?
Did they figure it out?
And then the FBI showed up.
Is there a check and balance?
And said, if you don't do a guitar solo, we're arresting you.
You have 10.2 seconds to do an amazing guitar solo.
To shred harder than you've ever shred.
Like the devil challenging you to a fiddle contest.
Charlie read electroacoustic guitar and it promptly got delivered to me.
And I was reminded about it specifically recently because that that guitar itself, I still have to this day.
It's a trophy.
Yeah, you never get rid of that guitar.
You can't get rid of that guitar.
No.
Whilst I do still look at it occasionally, and I do feel a guilt of how I got it.
But at the same time, I hope, you know, whoever ran that site, and I think they got bought out by like a big fur, and I hope everyone did well out of it.
But at the time, I remember my girlfriend at the time, my girlfriend at the time,
did say that one of the things she really liked about me was I could play guitar, albeit really badly, right?
I never got to kind of oasis or any kind of standard past that.
But that girlfriend became my wife, and we now have two kids.
And yeah, I thought about it the other day because they started guitar lessons,
and one of them now takes my guitar that's been all re-strung and takes it to school for a guitar lesson.
So I hope in some way, despite the...
quite dishonest way I attained it.
I hope, you know,
whoever was in charge of that looks back
and doesn't mind too much, considering
it, I think it went to a good
call and did some good in the world.
So, that's my story.
I'll probably have that guitar for a few decades
yet, and every so often just
look at it and think,
yeah, there's a little good
that can come from bad.
Thanks, guys. Really appreciate the show, and
thanks for the time.
God damn, that's wholesome.
Man, I got to say, every time we do one of these episodes,
it makes me like the people who listen to our podcast more.
It seems like there's a lot of like moral consideration and moral growth that has
happened in the people.
Like a lot of people are telling us these stories being like, you know what?
And I still look back on it with remorse about the bad and evil that I did.
And it's, I don't know, it's nice.
I like to hear it.
You know, like we were all kids at one point.
We all mucked around.
And then to learn a moral lesson and morally developed from that, so important.
And yeah.
I really like that.
It was right at the moment when he flagged.
It's such a tiny detail.
And I want to go back to the start of the story.
But when he's like, the site where they were doing this quiz, years later it got bought out.
I'm sure the person who owned the site got a bunch of money.
It's like, oh, you followed.
you followed it.
There was a sense of moral culpability for this like cool acoustic electric guitar, ironically,
of which I'm kind of shopping for one.
I feel so seen in this call.
There's like five parts of it where I'm like, I think we should be friends.
Yeah, totally.
You want to grab a beer sometime?
Totally.
But that he'd been like every time we looked at this guitar,
he thought about the site and he'd followed that the site had gotten sold.
It's just very funny to me.
I want to build up to, I want to get to the ending where the girlfriend,
friend likes that he played guitar and he learned to play guitar on the hacked guitar. But to go back to
the beginning, Oasis tickets being the thing in the zeitgeist that made him remember this story
because he loved Oasis when he's young. I'm supposed to go to that tour. Really? With a bunch of people
that are nostalgic about Oasis from about the same time time period. And I'm like, I'm a medium.
I was a medium fan in high school, I would say. But the thing I won't do is miss.
a bunch of people going to see Oasis in Mexico.
There's no way it won't be really, really entertaining.
Yeah.
So, like, I want to watch Oasis.
I want to watch them watch Oasis.
I think that's going to be really good.
The detail you left out that you just dropped in there is that you're going with British people.
And that makes more sense.
Because, like, I feel like Oasis was like a seven out of ten here.
They were like an 11 out of 10 there.
Big deal.
It's a very, like, great people.
and I'm very excited to go see it with them.
So I'm right there with you.
So caller, there was a website that had a competition running for free guitar.
It was trivia.
It was timed trivia.
There's a winner every week and you had to do it really, really fast.
People are finishing this thing in 10 seconds.
Collar is young.
They're not clocking it in less than 20.
So they crack open a, I was Googling for this during the call.
And I found a post about like, DOS,
there are generic training hack game value tools.
There's a few of them.
Game Wizard 3.0.
Memory scanners,
Infinity machine,
GameBuster 4.0.
I'm curious how this worked with a web browser.
That was the technical side of this.
I didn't totally grok because it sounds like these read RAM.
How's that work?
Yeah, sure.
Let's talk both things.
Let's talk about like these tools,
Infinity Sharks and whatever,
all of these RAM scanners that are looking for.
persistent values in the in the memory that's kind of not too dissimilar to something like what a game
shark was doing for you on like a whatever comp game board yeah yeah like so much like it used to be
able just to pop open binaries and hacks and like look for values in them like things that were
hard-coded in and modify them like there wasn't a lot of as long as you didn't cause overflows and
stuff. There wasn't a lot of control for that stuff. And yeah, honestly, like, when I,
when he first started talking about using a memory scanner, I immediately became a bit critical
being like, huh, I wonder how that's going to work. Just given the fact that it's kind of an
like an asynchronous web conversation, it's not something that's inactive memory, but I guess the
browser is probably submitting the response back to the server.
but but but to further to your question as I'm rambling is uh your web browsers is using a boatload
of RAM like we're in probably Chrome right now I bet if you opened up activity monitor on your
Mac yeah right Chrome is the single largest user of memory at this moment so those values could be
stored in there's a it would theoretically make sense that those values were actually stored
in RAM which made them parsable by that tool yeah the thing the thing the thing
like for me, like maybe it was different back then, but I'm just thinking about how many processes
are in modern browsers. Like I've got Chrome open and I probably have, let's say it's a slow day
for me. I probably have 18 tabs open. So there's a chill 18. There's 18 sub-processes running, each with
their own memory like buffers. I assume back then, if I remember like the pre-tab web, like you had a window
open for Internet Explorer or Netscape and that was your web browser.
Maybe like I think originally you couldn't even have multiple windows open if I'm like we're
going so far back in my history here that my memory is failing me but I'm pretty sure like
the original Netscapes and Internet Explorer you had one window one right which means that
there would be like one memory buffer or like memory stack that you could go through so I could
see, I can see, well, obviously it worked. So it's like kind of a creative way to do it. It wouldn't
have been my first thought about it, a way to do it, just given that it's web and it is asynchronous.
For me, I probably would have tried to intercept the submission results and supply a false
result there rather than modify a result value in a variable in RAM and then have it send that. So,
So anyway, just an interesting, fascinating solution to it.
And yeah, creative.
And it worked.
And he was inspired by Duke Nukem 3D.
One of the first games I ever had on PC.
We got Oasis.
We've got Duke Nukem 3D.
And then the other one was I didn't do any hacky stuff.
But I was just reflecting on the fact that in my mind, the first purchase I ever really, like, sweat it over and put the money in.
Like, I was a guitar.
And I know a lot of people who like 13 or 14, a parent had the like wisdom to say like,
nope, you want this bad enough.
We're not going to pay for it.
If you want it, you got to figure it out on your own.
And you're just going to sort of like teach yourself how savings works and how, you know,
squirreling away a little money every week can build up to something bigger.
And it's making me wonder what's the wildest thing a teenage boy did to save up money for a guitar?
because I bet it's a lot gnarlier than either of our stories.
It's a big motivation.
Yeah.
I'm trying to think of what my first big purchase like that was.
It probably would have been something sporting related, skateboard.
It was definitely a skateboard.
Yep.
And I bought one.
I think I saved up and I bought it when I was like seven.
Yeah.
That was about the same age as the guitar.
A seventh grade or seven?
Pro model. No, age seven.
Oh, wow. Not singer than I did.
Yeah. Yeah. And you know what? Do you know how I raised that money, Jordan?
How did you raise that money, Scott?
Not stealing it on the internet. I raised it by collecting discarded cans and trading them in at five cents a pop.
I raised hundreds of dollars to buy my first skateboard.
I worked. That's pretty good. That's a pretty good one. Pop can collecting Scott.
I worked in the parking lot of the local carnival in the city where we're from.
there you go there you go uh it's really fucking cute that you like have a kid that is learning to play
guitar on this guitar that you hacked when you were a kid that impressed your girlfriend that you
could play guitar that then became your wife like i yeah it's it's a little silly hacky story
that kind of in a weird way becomes a little bit of a life story and i didn't think we were going
to get any of those on this call um they really appreciate this one i really enjoyed this yeah me
me too. Me too.
My name is Jordan. I used to be into the BBSing scene in the early 90s.
Bulletin board services.
Perfect.
Kind of like a proprietary old school forum. Think about it like that.
Mainly calling local numbers, so cities and towns that surround me and connecting to various BBSs.
Sometimes chatting with the SISA, other times playing.
the games that we called Doors on the, like the text-based games on the BBS.
And then I was there mostly, though, for the wares.
So if I could find any BBSs that were offering pirated downloads, I really love that.
So like games like Doom and things like that I had first acquired through BBS.
Do you know how long it took to download Diablo over dial-up?
I cannot imagine.
I think about pirating an MP3 and being like, well, plug in the generator.
It's going to be up all night.
Say.
Enter the mid-90s, 1995.
I was 16 years old.
I was using Windows and things had kind of taken a big shift from BBS has really pretty much disappeared.
And everything was now kind of online.
And that pirating scene had moved online.
So one of the big changes there, just to give a little history on this, because I also had friends that were, wears junkies.
When it came off of bulletin board services, it kind of moved into partially in the news groups, which was like another old school protocol that we don't really use anymore.
That maybe we can rebrand and relaunch and sell for billions of dollars.
But it also became one of the times where public facing hacking became big.
because a lot of people would hack FTP servers and servers that had FTP and web servers
and then store the wares in hidden folders and in hidden areas on these servers.
So a lot of, there was a lot of private servers, but given the legality of the content,
a lot of people that were big in distribution of it actually spent a lot of time hacking
to find private repositories to put this stuff.
So just some history.
Yeah, it's good.
Where I kind of used it a lot was on the IC and acquiring files via FTP.
So what would happen is there was a number of channels on the IRC including one called Whereas 666, I recall,
and a number of other ones, both publicly accessible and private channels.
And we would use FTP clients to access the libraries of files.
If you recall, and this isn't the case anymore, I think, there used to be a lot, you could go to a lot of domains and just type in FTP.
Dot the Domain Name.com rather than WWW.
And sometimes you could just, you could log in with no username and no password.
You could simply press enter on both.
This is true.
One of the default settings for a lot of like, especially Unix servers and stuff back in the day, is that they come with a handful of services pre-endom.
enabled being Pop 3 mail, SMP, FTP, Telnet, before SSH.
And a lot of, even now today, if you go to a lot of domain hosts, like people that deal with
DNS hosting, the default package of subdomains is like WWW, FTP, mail.
Like a lot of those services tie to the original subdomain structures.
So like almost every major company that had like Microsoft.com also had an FTP.microsoft.com.
Got it.
You would immediately fall into a directory where you could sometimes upload a file if you're using an FTP client
and read the files from within there.
So what would happen is people would often use those as dumping grounds for pirated files,
games and applications and, you know, cracks and whatnot.
And eventually those would be discovered by the admins that run those web servers, and then the access would be locked up.
But what was really coveted was the private server.
So those would be an admin has intentionally set up a FTP server for piracy, in which case they were very well, like meticulously or
organized often directories by theme name or by year
directories within those ones for all of the applications
and then within them the cracks that go along with them,
et cetera.
So this was prior to anything like a torrent or anything like that.
Everything was on FTPs.
Where those got traded was on the IRC.
That's internet relay chat.
I used Merck to access it, which is a Windows client.
So back in 95, I was 16 years old, very much into this, very much loving it.
And it was a hobby of mine.
But acquiring those private servers, those very highly coveted ones, was tricky.
You had to trade and trade up or you had to know the right people and be on the right teams and things like that.
I wasn't into any of that so much as I was running a little bit of a scam.
sorts where I would log into all of the channels at once that I knew. So where's 666s,
amongst others, probably 10 where's channels. And I would dispatch a message. I would change my
name importantly to a girl's name. It was almost always Jessica. It just seemed like a sweet,
innocent girl that young men like myself might like to help out.
Jordan becomes Jessica. Yeah, yep. That's funny. I don't have.
have the oasis style parallels here, but it's extremely funny.
I do, I do love the fact that he mentioned something that I completely forgot existed,
the like teams. Like I remember there were like organizations of like self-organizing groups of
people that used to steal software and they had like, you'd see their little like acronyms and stuff
at the beginning of the file names. This is all coming back to me. This is so long ago.
Some of that stuff is still in piracy. Like you still see like names and kind of brands behind it.
It's like, hey, let's commit mass larceny and make sure that we put our handle on it.
So it's easy to track how much stuff we've stolen.
Let's do some crimes, but let's make sure that we have a brand we're building while we do it.
That's great.
Let's leave a business guard behind the bank after we rob it.
Totally.
And I would post a message to all of the chat at once.
And the message would be composed.
It would be something like, I use QDFTP for work and need to access it today.
but every time I started it keeps crashing and it says QDFDP.
I and I would need to say.
And I would add that a friend or a colleague told me to ask you guys here
because you guys know this software.
Immediately I would get like 10 or more transfers like DCCs is what they called them.
This is brilliant to say you now.
Yeah, I think I'm following what's going on and it's extremely funny.
this like thirsty, it's a honeypot.
It's a honeypot.
Direct transfers to my account of someone else's QFTP.I. File.
Do you know what an I and I file is, Jordan?
No, I don't.
Okay.
It's like initializations.
It's like a settings file essentially.
It's plain text, but it's where a piece of software will save a bunch of user settings.
And I think notably in this case, it's where people save favorite servers and their
login credentials for it.
And then what's contained within that I and I file is a plain text list of the FTP domain,
the login name, and the password for all of these private accounts, including also
their anonymous ones.
So I would suddenly have tens of fresh new pirate FTP sites.
I would then get a second flood of messages from all of the same people.
kind of would just peppered with so many obscenities.
Like they would realize only after sending me the I and I file what was contained within it
because they just gave me the keys to everything.
At which point I would just kind of disappear and go low for a couple weeks,
just enjoying my cache of whatever I got, you know, using those sites.
And then I could go back in a couple weeks later and then do it again.
So that's my little story about software piracy scene in the mid-90s, I guess.
And it was quite a fun time.
I'd love to hear about other people from that time or in particular about BBS and stuff.
I think there's a lot of interesting things there.
Love your show.
Thank you.
Bye, guys.
Bye, Jessica.
Bye, Jessica.
I hope you have a good one.
We too would like to hear more of those stories.
If you have a call, if you have a story, if you have something you want to share, hotlinehack.com.
Got an email.
We got a phone number.
Oh, this rules.
Okay.
So my sense of this is in the 1990s, the piracy ecosystem had to do with people sharing different servers on IRC channels.
Some of them were private servers, which were the real rules-Royce of these things.
And then other ones were, I guess people just uploading and downloading stuff to like companies' servers.
servers, hoping that they could get the files up and back down before an admin noticed it.
Am I understanding that right?
Yeah.
So Ware's was shared in lots of places, BBS's news groups in private transfers between people.
But FTP servers, like the 90s were like the FTP era because it was like everybody had an FTP
server, a Windows server installation, like almost had it on by default, I think.
So so many websites and web servers and corporate servers.
that were web-facing typically had an FTP server.
And some of them might have not disabled guest credentials or might have enabled it because
it made it easier for them to use it for whatever thing.
And they weren't thinking about cybersecurity because it was 1993.
No.
Yeah.
And security and convenience.
We always talk about this.
It's like, well, lack of security is extremely convenient and convenient stuff is
extremely insecure.
But you also need to remember that like bandwidth in that era, like a T1 line was like,
I want to say T1 was like 1.5 megabytes,
but it would have been like a massive commercial line to get for like a business.
So it's like a lot of those servers probably sat on private bandwidth or private pipe.
So like of course they're going to notice when their daily bandwidth on their server goes from like eight megs to like 60 ter or gigabytes.
Yeah.
And it's like so of course they get caught like the second you start exploiting it.
The other thing is like the private servers were the people who either worked at companies and set them up underneath the discretion of like, you know, hidden away from the operations or even people that had large home pipes.
Like I actually know a person that had a private FTP and it was member only and you had to get access.
You had to create creds and all the rest of it.
And they set it up at great expense to themselves because they had to buy hard drive arrays and set up array to raise and a server.
all the rest of it. They set it up just solely because people would then give them the wares.
Instead of them having to go look for it, their server just filled up with what they wanted.
They would take whatever they needed, delete stuff, and then people would fill it up with more stuff.
And it was like, it was an interesting generation to be in big business in the software industry
because it was super easy to steal stuff.
Interesting. So these people would set up these private servers for some,
cocktail of altruism for the community and just self-interest.
People are just going to upload all this free stuff that I want to have for myself
and they'll upload it to my servers that I control.
Links to and credentials to get access to these servers were precious in this community
because you knew that there'd be all this cool shit on them and you wanted to get access.
This caller, I love the turn in the story where it's like, so anyway, now that I've
set all this up, I was running a scam of sorts.
And in this case, the scam was that they would log into all these channels, set their username as a girl's name, which was always Jessica, and then tell this little story of like, hi there, I'm not from this world.
Someone told me that this is where I should come with a question, and I need help getting access to this thing.
Can anybody help me?
Yeah, yeah.
Play off the benevolence of others.
the, like, if you grew up in that generation too, right, you need to remember that you've grown up with fairy tales and Prince Charmings and stuff like that.
So it's like everybody's, you know, masculine perspective of themselves is that they're going to save the damsel in distress.
So you put on the masquerade of the damsel and distress.
Like if there's anything I know about Jordan, it was that after DefCon, Jordan was very intrigued by the social engineering, like community and stuff like that.
is a social engineering hack.
Like stealing stuff, whatever. Everybody was
doing it. This person figured out a
way to get a bunch of people
who valued a ton of private
information and like earned
these credentials and access to these
servers to just puke them into a
direct file transfer to them
by just pretending to be
the damsel in distress.
Yeah, I use the term
honeypot during one of the brink. I use
the term honey pot. I think
because it's apt, but I also just like the
idea that that term typically associated with like spycraft and people kind of like like a honeypot
typically isn't just the name jessica that's a very low bar for a honey pot i'm sure the tonality he used
oh i'm sure added to it it was a character it's very it's very sure so they play this character
they tell this story a friend of a colleague you know asked me to ask you everyone starts sending over these
INI files to contain the domain to the private server, the login, and then the password,
and then go, here you go, my lady.
Here's the help that you need.
Oh, no.
I just gave you the login credentials.
And I'm reflecting now on the fact that you are almost certainly not Jessica.
Rats.
Yes.
Yes.
Okay.
Pretty good.
Pretty good.
I assume the way the scan worked is I put this sad story into the general chat or into one
of the chats. Five heroes show up to save me. And then the next response to my message is somebody
being like, you're an asshole. Like, quit trying to steal credentials. And then the five heroes read that
message and go, oh shit, I just got scammed. And then I send an expletive-filled message being like,
you prick. Oh, that's a good read in the public chat. Yeah, yeah, yeah. So it's a window of time.
Yeah. Yeah, yeah. The people who were immediately,
like, oh, Jessica needs help. I have a cute FTP.I. and I file have mine. Yeah, I would like to be the first
one to help Jessica. Here you go, Jessica. And then a minute later, someone's like, that's not Jessica.
Exactly. That's Jordan. That's Jordan, who's stealing your information. That's pretty good. This is a
good one. Man, the 1990s sounded, I guess I can't really say that. It's, I was about to say like, wow,
it sounded like a really different ecosystem. And then in the last.
last call we were talking about pump fun and meme coin streamers trying to, but like it's like,
it's always been a weird crazy mess. It's just the shape of the mess changes in such fascinating ways.
Well, I saw, I don't know if this is real, but apparently some kid was like live on Twitch or something,
created a fake salana coin, like salonabased meme coin and then rugged it. So he pulled like,
like drove up the value and then sold all of his coins and like left with 30 grand.
And then the way the community has gotten back at him was by pumping it even more.
And now the coin's value is like $10 million or something.
And so the kid's like, oh my God, I only took 30 grand when I could have had 10 million.
And I'm just like, this whole community makes no sense to me.
Yeah.
That's literally what I was talking about.
I think it's the two bands kid is my understanding of him.
And then everyone drove up the price of it to like,
$85 million or something.
I'm obsessed with this.
And then they were like, you're a fool.
Yeah.
You fool.
And it's like this child made $20,000.
There's nothing.
Real dollars.
There's nothing you can do.
Totally.
It's like, yes, opportunity cost.
If you just held on a little longer, it's like the child made $20,000.
And that's before we even get into what does it mean that there is an online service where children can do financial fraud?
What's that mean?
What are we going to do about that?
Teach him young.
I've been working on AI Jordan
has been working on a meme coin project
that I'm very excited to share on the show.
Evil Jordan.
Evil Jordan.
I didn't say, whoa, whoa, whoa, whoa, whoa.
No one said anything about evil.
There's nuance, is all I'm trying to say.
But we'll talk about that on a later episode.
This has been great.
I'll wait for the hotline hackt call from AI Jordan
where he cops to all of his dad and talks about the moral development that he's had sense.
Yeah, so anyway, I was running sort of a scam that turn part way through the call.
That's going to come real early in this call, let me tell you.
Oh, that's great.
But we'll talk about that in a different episode.
For now, I think that's another hotline hacked in the bucket.
Genuinely, if you got a story that you want to share, Strange Tale of Tech, True Hack,
computer confession, it can be from the 90s, the 2000s, the 2010s,
can have done it yesterday.
We want to hear about it.
Go to hotlinehack.com.
Email, phone number.
We just want to hear from you.
If you want to be a part of AI Jordan and AI shots evil empire that just takes
internet services from the 80s and 90s, repackages them and resells them to corporate
clients, give us a shout to hotlinehack.com.
Or if you're a venture capitalist feeling Lucy Goosey today and just feels like investing
in, I don't know, pop three, but it's an app now.
With AI.
With AI.
But with AI.
Get at us.
We want to hear from you.
And you'll hear all about exit scam simulator, the hit new meme coin on the next episode of Hotline Hacked.
Thanks for hanging out.
Thanks for hanging out.
We'll catch you in the next one.