Hacked - Hotline Hacked Vol. 8
Episode Date: December 23, 2024
Let's get festive with it. Calls concerning grocery point systems, Australian internet providers, and so much more. Want to share your story? Check out hotlinehacked.com. Hotline Hacked is brought to you by DeleteMe. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners: Today get 20% off your DeleteMe plan when you go to joindeleteme.com/HACKED and use promo code HACKED at checkout.
Transcript
Thank you for calling Hotline Hacked.
Share your strange tale of technology, true hack, or computer confession, after the beep.
G'day, guys, just calling up from Australia.
I wanted to say, I really love your show.
You're doing a fantastic job.
It's been absolutely awesome listening to you guys tell all sorts of amazing stories over the past few years.
So thank you for everything you've done.
I was listening to a story from a guy in Brisbane, which is a bit north of where I'm in Sydney.
And he was telling, you know, a default credentials story, the kind of standard stuff that you would hear, the standard kind of hack.
And I thought, well, I wish I had a story to tell, but I don't, like, I'm a pretty rubbish hacker.
I don't really have any story I can tell.
And this is probably the part where I should say that you should obfuscate my voice, if you don't mind.
So for the past three years or so, I've been getting free internet anywhere in Australia.
So I kind of stumbled upon this hack, and I reckon it must be known in hacking communities in Australia, but I haven't heard anyone talk about it, so I'm sure I'm not the first to realize this. But this is a pretty cool thing that I found. There's this huge internet provider here, probably the most popular one, and you can beep their name if you have to. It's, um... So when you sign up with a plan using this internet provider, they ship you out a modem, and the modem has a default SSID, or network name, and a default password. Now, the default network ID is WiFi dash and then four hexadecimal values, and the default password is always eight numbers. So there's no characters, there's no symbols, there's no uppercase, lowercase, it's just eight numbers every time. So I think, you know, originally, maybe three years ago, that was considered perhaps secure enough, but what I found was you could capture a handshake either through just sniffing or through a deauth attack. Once you have that handshake, which you probably want to stop the podcast and explain, because I'm sure you'll do a much better job than I will, once you have that handshake, you can convert it to a format that Hashcat will read. And Hashcat's this awesome program that uses a computer's GPU to compare hashed passwords with the hash that you've captured very, very quickly.
So you can go through a million passwords in a couple of minutes.
It's amazing stuff.
So the result is that anywhere you go in Australia, you can do a Wi-Fi scan.
Yeah, basically open a Wi-Fi scan, and you'll see that there's WiFi dash four hexadecimal values in your vicinity.
That's a default SSID for...
I'm sure they're probably using a default password, right? So you can run, capture the handshake from that SSID, run Hashcat, and in about two and a half minutes, you'll have free internet anywhere in Australia. So yeah, it's been awesome.
It's really, really good. And the funny thing is, like, I thought I don't have a story, and then I thought, oh, this is something that's pretty good. Maybe this will fit the criteria. And I went to look up your number and I passed like five legitimate methods to report this and organizations I should be reporting this to.
But instead, I'm telling you this story.
So I hope you enjoy it.
And thanks again for everything you guys have done.
Well, thank you for your kind words and taking the time to send us your story.
As opposed to the five legitimate organizations that you could have reported it to along the way, you went straight to the source, hotlinehacked.com.
Well, it's a call-in show where you can share your strange tale of technology,
true hack or computer confession, including how you get free internet.
This reminds me of like a first episode we did,
or maybe even before we ever recorded you just explaining all the different machinations of free internet you'd come up with over the years, Scott.
Yes, we did talk about this.
We have talked about this.
But right now I want to talk about our sponsor, DeleteMe, who brings us Hotline Hacked.
And without them, we wouldn't have these episodes coming out every month.
So thank you, DeleteMe.
We will talk about them a bit in the future.
But right now, let's come back to the story.
Yes.
So we talked about this during the Flipper Zero thing, because the Flipper Zero is especially good at deauth attacks and sniffing a handshake.
So you can literally get modules and things that attach to it for Wi-Fi access.
Sasquatch, I think him and some of the other creators have these, like, beautiful big LED screen attachments that go into the GPIO pins that are specially built for mass deauth and recording handshakes to then put through Hashcat and pull it out.
So this is awesome.
I love that you've identified such an infrastructural issue in a massive ISP.
And because they are so prevalent, you just have access wherever you want to go.
So for anyone that doesn't know, there's a couple different ingredients to this little thing the caller has cooked up.
First one is a Wi-Fi deauth attack.
For anyone that doesn't know, kind of what is that?
Sure.
So essentially, you're sending deauth packets at the Wi-Fi router, which is then causing it to terminate connections with things.
So you're essentially punting things off the internet.
So think about it like that.
You're essentially just kicking a device off of the internet.
So you spoof the MAC address of that device, and then you essentially tell the wireless access point that, like, you don't want to be connected to it anymore.
So it deauthorizes you.
It just punts you.
Huh.
Interesting.
And then the real one tries to reconnect because it's just been punted.
And that is the handshake that he's recording.
Huh.
If that makes sense.
The thing that he's recording is hashed.
And so he's then using this Hashcat tool in order to figure out what the password is based on that.
Yeah, yeah, yeah. So, like, Hashcat's just essentially a big, like, password brute forcer. So it's custom written to use, like, high performance GPUs, like your Nvidia graphics cards and stuff, to be able to process data faster. So often there'll be, like, a dictionary attack. Like, we talked about this in Problems with Passwords.
I remember this.
Where it's like, you have a hash, by the time you, like, kind of parse the handshake, you essentially get an encrypted version of the password. And then you can, like, essentially brute force it with dictionaries or randomly generated, you know, hashes.
And he's able to do this because, as he mentioned, the password is always just eight numbers for this large Australian ISP. And importantly, no characters. So that makes it a lot easier for you to just brute force guess, because it's a smaller set of things. It's just numbers you're working with here.
Yeah, that, the dictionary file, like, I could write a Python script to generate... Actually, sorry, ChatGPT could write a Python script to generate that dictionary. I don't write things anymore. Thank you very much. I have a robot that does that for me.
Yeah, exactly.
So ChatGPT could build you a script that would generate a dictionary file of just one of those combinations per line, and it would generate that in moments. And then you'd just be able to use that as the dictionary for the brute force. If you knew it was eight digits, that's an easy, easy win.
Huh. And I guess because it's standardized, you do. I like how this started with "I'm a pretty rubbish hacker" and then proceeded to explain something that doesn't strike me as rubbish at all. It's like, I think you cracked this thing wide open there, caller.
I just, I just think it's like, this is, this is like, how do I say this? It's like a functional hack.
Yeah.
It's like this person is saving, like, I don't know what your internet bill is, but my internet bill is like $13,400 a year for my home internet. This person's saved like $5,000 by just being like, these are all over my neighborhood, or if you're living in an apartment or condo building, you go to a cafe. Like, if they are such a prevalent ISP, they'd be everywhere. It would take you a few moments to, like, run your deauth script, like, read the handshake, parse it, brute force it, and then boom, you're online.
Yeah, I guess I was thinking of this. I wasn't thinking of them as being able to do this at home.
I was thinking of it as like, oh, you're on the go and you want to connect to something.
Here you go.
But I guess you could just like live by the sword, die by the sword and just use this hacked internet all the time.
If like when I'm in our office and I run like a Wi-Fi scanner to see what's available, there's literally, I did it yesterday.
There are 360 wireless networks within range of my desk.
So it's like, and a boatload of them are one of our prevalent ISPs, and I can see that.
So it's like if I knew how to get into any of those, I'd just pick the one that has the highest, you know, connection value and I'd brute force it and jump on it.
When I was a teenager, and I first got my own computer, not the like family computer sitting on the desk, but I got a laptop.
And it had Wi-Fi, but our house did not have Wi-Fi, because why would we need Wi-Fi?
We have one computer and it's plugged into the wall.
There's a good year and a half where I was just connecting to a password-free Wi-Fi connection
for my neighbors.
I haven't thought about in a really long time.
Significantly less technically sophisticated than this.
Well, when Wi-Fi came out, it was like the Wild West.
Like, it got installed.
Like, it wasn't just that you had free access to people's Wi-Fi.
It was that all the Wi-Fi routers, nobody ever changed them from default admin passwords.
So you could literally download like a Reddit, like it would be a Reddit post at this point.
But like back then it was like something that would get shared in like a BBS or news group
or something.
And it would just be every model of wireless and network router, its admin credentials by default.
So you could literally just war drive around a neighborhood.
War drive?
Yeah.
Connect to every house's wireless network, log into their router, change permissions, do whatever you wanted, and then just go to their neighbors and do the same thing. It was literally the Wild West.
We've managed to make like 115 of these things, and I've never heard the term war driving. And it is literally what you're describing, the act of searching for Wi-Fi wireless networks as well as cell towers, usually from a moving vehicle. The thing that popped into my head was in Mad Max: Fury Road, where they have the cars with the guys on the poles.
That's pretty much the same thing.
I bet it was the same thing.
Yeah, you had like a bunch of teenage nerds sitting in like a beat up old car, driving around with laptops on their laps.
Yeah, there's a war boy shredding on the electric guitar as you try and connect to Wi-Fi networks you shouldn't have.
Yeah, no, I think there was more like a Wu-Tang CD and the, right, the, like, you know, aftermarket CD player.
That's pretty good.
I think you have heard the term war driving. I'm pretty sure Talking Sasquatch and I talked about war driving, because that's essentially what they've built now for the Flipper Zeros. It's like these massive antenna arrays with screens, and like they're all set up to do, like, the MAC address cloning and deauthing and all the rest of it. So it's like they're pretty much built for these things.
There was a comment on that episode because it got a bit more technical where someone said like,
I understood two-thirds of this and I had a really fun time. And I,
I also understood about two-thirds of it and had a really, really fun time.
So that might have been what was going on there.
It was also apparently in war games with Matthew Broderick.
So, yeah, there's some lore here that I need to brief myself on.
Oh, I might have to give you a book list for Christmas.
Maybe I'll just Amazon you some old-school hacking books.
I could probably just like do a little book club.
That's fun, a little 2025 book club.
Oh, you know what we should do is we should do like the hacked art.
We should buy hack.archive and set up, like, find all of the old zines, because it used to be that, like, the hacking subculture, like, there was a few key zines, for, like, phreaking and, like, 2600, and, like, you used to buy these little tiny, you know, 18-page, you know, loose leaf paper with a staple through it.
Talking zines, man.
Yeah, yeah.
You'd buy the chapters for like $3 because it was the only place that brought it in from wherever it was from.
And we should find all of those, scan them in and, like, archive them, because, like, that's, like, history for, like, you know, my subculture, I guess.
So someone must have done it.
If not, then we should get on it.
So the other thing I like about this call, and it maybe transitions us into the next call,
is the holiday season episode.
We want to give things back to, you know, we want to give some gifts under the tree.
So so far, our Australian listeners have a nice little present for how to get free Wi-Fi.
This next one is for our Canadian listeners.
Jordan and Scott, feel free to ask me to re-record this.
I don't think I need to mask my voice, but I'll just go ahead and start telling the story.
So I think one of you is Canadian, so maybe it's interesting for a while.
Correction.
We're both Canadian.
We're both Canadian.
And now we're going to sing the full national anthem in its entirety in three, two.
There was a large grocer that had a point program.
I think they still do.
And you could submit online complaints of missing points.
And these points would equate to $10 increments.
So originally, and I think the most wrong thing, for lack of a better term, was you could spam the site overnight with, like, let's say a script or whatever. It didn't have any image thing or whatever to, you know, check for a human, so it was pretty...
A captcha. He's talking about a captcha.
It didn't have a captcha to make sure you weren't submitting multiple posts. So you're just spamming this thing like, I lost, I didn't get points for my brownies, I didn't get points for my rotisserie chicken I bought yesterday, I didn't get points for my Sunny D. Give me, give me Sunny D.
Do you, you don't drink Sunny D, do you?
I am a man in my mid 30s. I would die if I drank Sunny D.
And you could wake up with, you know, $500 of value worth of points that you could spend, and you could go spend them online or you could go to the store and use them. So, you know, I would go and order something online just to my place, wouldn't even care, and so, like, socks and, you know, groceries, but you can only get so many groceries because they'll go bad. And then the reason, what you'd see in your email would be, like, a whole bunch of rejected ones, but every once in a while you'd get someone like Judy just, like, approve it, and it would be like a $50 grab. So maybe, like, out of, like, 50, maybe one would go. And if that one was $50, you'd get $50. You know, I tried various different amounts, I think.
So really what you're doing is you're writing a script to submit claims, hoping that there's someone lazy enough that they've written a script to approve claims on the other side. And this fucking slacker Judy over here is just approving these things left, right and center.
I see your hustle.
I respect it.
I think it was actually 49, 100 points or whatever.
That would be the max I'd ever get, but I had better luck with doing 20 or something.
But just submitting requests and then eventually, you know, you submit enough requests all day, good done.
And then you build up an account with this much.
Well, that worked for a while.
And then eventually they implemented some sort of thing where like the human, they either put the humans on the system or automated it.
So everything was rejected.
And a human had to like take a better look at it and they couldn't just do pass.
But the thing is, what they changed it to was, if it was under, or if it was $10, and you have spent $10 on that loyalty account, then they would automatically give it to you.
No questions asked every time, 100% of the time.
And then anything over, they would send it to a human to review and it would get always
rejected, whereas before it would sometimes go through.
So that's the two different kind of phases of this.
And that first phase didn't last that long.
I mean, that was actually better with the, you know, getting an account worth $500 overnight.
But then it limited to, like, the most you could get on one account was $10. So, like, I mean, most people I think would have stopped there, but...
But not me, but not me, not this guy.
Me having lots of free time on my hands, I figured out that, you know, how you can create, you know, multiple accounts. So same thing, there's no image thing to make multiple accounts. And they would also, you know, allow you to do the Gmail thing where you go plus 01, plus 02, plus 03 on your loyalty account name to be able to use the same Gmail account. Not that that's a huge press, but it just makes it easier for making multiple accounts. And then, so the thing is with the, so you could normally just do the $10, and, you know, you have to spend $10 on the account and then you would get $10 for free, so it would be like 50% off. And there's little stipulations where, like, you couldn't put it towards tax. So, like, if you were buying something that had tax on it.
In Canada, I think it's like if it's a certain type of food,
then there's no tax on it.
So then you try and like find combinations of like,
okay, I'm gonna buy bananas, I'm gonna buy whatever.
And it's gonna total up to like $10 and one cent.
And then you'd pay one cent.
So as long as it's over $10, you would get $10 taken off, not including tax. And I think, I guess I'll tell you. So the tax could be like 50 cents in the province I was in at the time. I no longer live in Canada.
And I know what province you live in based on how much tax you're paying?
And so most people would stop it there, 50% enough.
But what you could also do then to take it a step further was you could create another
account and there was a way of linking the two accounts together.
So you could spend the $10 on the new account from the old account that claimed the $10
of missing points.
So you're making an account, you're probably spending 10 initial dollars.
You're then getting a refund on the points for the $10, or $10 worth of points refunds.
Exactly.
Then you're moving those to a new account and then spending them and then making a claim
and then moving it to a new account and doing this over and over, I imagine, is where we're
about to get to.
It would allow you to start cycling these accounts because it bypassed the rule of you have to spend $10 of new money on an account to be able to claim $10 of free points that you could spend as $10 at the store.
So it allowed you to chain these accounts together.
So really he found the actual unlimited money glitch.
Yeah, it seems like a, well, we'll get to this at the end,
but I think exactly that.
There was a $10 criteria for this that basically minimized the discount he was getting to just that, a 50% discount. And he found a way to chain these accounts together to get around that.
So as long as you only want money in $10 lots, you could probably get as many as you were
willing to create an actual unlimited money glitch.
For Canadian groceries.
It's not bank fraud, but it's loyalty fraud.
Then you just make another new account.
You'd link it to the account that you had just claimed the $10 on, spend it on the new
account.
Then the new account would look like you had spent $10 on it.
You'd break the connection, spend the money, spend the free $10, claim the $10 are free.
So I would just do this.
I wasn't working at the time.
And I had lost the vehicle because I was.
Tell me how much money you stole.
I wasn't working at the time.
Yeah, you were.
I had a company vehicle or whatever.
And so I only had a bicycle, so I had to bicycle to these stores, and there'd be multiple places in Canada where you could spend these points.
And I would just go ahead, and I made a rule where I could only spend $2, $10 at a time per store every two hours.
Because I thought if any more than that, it would just...
This was a job.
This man biked around a city going to, what I'm assuming is,
Shoppers Drug Mart at this point.
I'm developing theories about which one of our many fine Canadian food monopolies he was doing this to.
But yeah, this is basically a full-time job.
He was spending $20 every two hours at each location.
This is a job.
It's so ambitious.
It's so ambitious and so constrained at the same time.
Yeah.
Be greedy or something.
I don't know.
And I'm sure these people in the store could recognize me, okay, why is this guy coming in and buying, like, a nightlight that's worth $10, you know, every two hours or whatever.
But I would try and actually space it out.
So like it was a different.
So wait.
He's,
sorry.
I'm not going to say,
are you buying nightlights?
He's just for the love of the game, Scott.
I'm honestly fully here for this.
I think this is fantastic.
I thought for sure he was going to be like, I was picking up groceries, you know,
I was dropping stuff off at the food bank.
No, buying nightlights.
Just like spending the points, playing the game.
Nothing conspicuous, you know, keep it under that, that limit.
Shift of the people there.
But, I mean, if you're still doing it every day, I mean, at the same time, I don't think
they really care because they're making, you know, a little bit over minimum wage.
I mean, they don't have time to, even if they do report it, the guy above them probably
doesn't care and it just drops.
So, and, you know, you could send the codes to people for them to spend the $10, and then add a little kind of system where it would automate, and, okay, no, break the account, you know, making the next account, and it could all be automated.
And I don't know if I should tell you the amount it got up to in a year, but one year,
it was just me personally, it was just under, it wasn't too crazy.
It was $9,960 Canadian in one year, me personally, which means I did 996 transactions in a year.
That's a lot of nightlights.
This dude rules.
Just for context, you should know that Canadians hate our grocery monopolies. Given that Canada's population is so small, we actually are just ruled by oligarchies and monopolies. Oligopolies is actually the word I was going for there. And we have very few choices among cell providers, internet providers, grocery stores, etc.
And we feel that pain pretty much constantly.
Yeah.
So this is a real Robin Hood moment for us here north of the border,
some guy on a bicycle ripping around doing 996 transactions in a calendar year just to grift them out of a nightlight or two.
I'm about this.
Which I guess isn't that much.
I didn't do it the full year,
but there was a period of time in the months where I was like intent,
where I, that's all I did.
And I would just build up ridiculous amounts of, you know,
toothbrushes and stuff because eventually you don't have anything to really buy
anymore.
And, like, when I gave my dad, like, a bunch of toothpicks, like a lifetime supply of the toothpick things. And yeah, just to this day, I still have buckets full of just random stuff, hygiene stuff primarily now, but just soap and, like, a...
Your local homeless shelters will love to have that stuff. So if you have buckets of it and you find no use for it, please donate it, because they're always calling for hygiene products at shelters. You might be able to do a little bit of wealth redistribution here if you play your cards right and just get the system auto shipping the hygiene products directly to the charitable organization. And you might be on to something here, friend.
Tons of soap and Dove soap and just, yeah, it was a good go, and I think you could probably still do it to this day. I think what, why I stopped, well, I moved away from Canada, but also there was some interaction with, like, I was using a specific VPN provider, and I think they were banning, if I left the $10 on, like, if I left two accounts connected and I left the $10 on there for too long, they would put the accounts into read only mode, or a collect only mode and not a spend mode, and then it would be, and I couldn't link new accounts to it.
So if I left them for too long, there was a human going in there and, you know, messing
with the account and then to have to start like a new chain of $10.
And eventually it just became too tiresome to try and do that.
But it still did work even when I tried it a little bit ago when I went back to Canada once.
And I think they were doing it through like knowing the VPN IP.
I don't think they're having like hardware identification stuff.
But I think it was through the IP.
So, I mean, it could still work to this day.
Anyway, I could re-record this if needed.
I kind of just went with it.
Thanks, love the podcast.
We will chop it up and take out some of the longer parts.
But thank you for calling in.
This is, we will, I think we should obfuscate the voice on this one as well.
Yeah, we'll do a little something, something to it.
There's somebody in a security and risk mitigation department that knows who you are.
So if they listen to this podcast, they're like, that's the guy.
Like, you know, the movie scene where it's like the detective's been hunting something.
There's somebody out there who's like, oh, man, he got away.
The night fox we've been calling him.
We have a cork board with yarn and thumbtacks and security photos up on a wall for the last decade.
I really appreciate that this caller cooked this up when they were in Canada at biking around age, left Canada.
And then when they came back to Canada, they, like, cracked it open just to see if it would work.
And they're like, buy gum.
It still goes.
That $10 limit still seems to be there.
Oh, man.
This is, I feel, I don't know, I feel like the loyalty programs are probably, they're probably much better now that they're all like major systems.
Yeah.
But I bet in early days of loyalty rollouts and loyalty apps and stuff, like, I bet they were rife with security flaws.
I bet. Oh, yeah. They've all basically converged, to our earlier point. And this isn't a show about issues with Canadian markets, but they've all basically converged around being three of these rewards programs. There's Loblaws PC Optimum, there's Sobeys Scene Plus, and then there's Metro, which is like the French Canadian one. And basically every grocery store you're apt to find up here in Canada is now one of these three systems. So I would guess when, you know, these were all different grocery stores, you could just game the living crap out of these things.
But by now, PC optimum points is basically a small country's economy.
Like it's like it's a third of our food infrastructure here up in Canada.
So it's probably pretty locked down now.
But I could see there being a little bit of a gap where at a certain price point, at less than $10, sure, auto approve it once. And then you do this daisy chain thing that this caller figured out of reconnecting these accounts.
It's pretty clever.
Well, yeah, it is very clever.
Like this is, to me, this is like, this is the gamesmanship and the puzzle solving
that makes cybersecurity speak to certain types of people.
And this is definitely one of those types of people where he's just like, I figured out a system.
Like, I figured, like, they built something.
I figured out a way to game it and I'm gaming it.
And I feel the payoff of it is enough that I will fill pails full of toothpicks because that is my trophy for like figuring out the game.
Totally.
It was like you can imagine a person who the first stage of this plan prior to the $10 limit was it was a law of large numbers thing.
It was like, I'm going to do these big, big claims.
And the vast majority of I think the number they said was one out of 50 of them might ever get through.
But that's all you really need because you script it.
You run it automated overnight and you come back the next morning and you see, oh, boot, and one of them went through, which means, to your earlier point, Scott, that there was probably some security person working for this large grocery chain who was very well aware of these, like, fraudulent claims.
And so they shifted the numbers a little bit and then this caller didn't buckle.
When that shift took place, it was like, now it's a $10 limit.
It's like, okay.
And now it's a $10 limit.
You have to spend $10.
It's like, okay.
The game is adapting.
The other side is...
Exactly.
They're playing.
They're playing.
Yeah, exactly.
Yeah, exactly.
Like, their side of the chessboard is moving,
and you just are like, okay, fine.
I'll string the accounts together.
The thing that surprises me is that, like, they would have known...
They would have had a photo of them.
You know?
Like, they would have known, like, he went into this drugstore or grocery store or whatever,
because the points are spendable everywhere.
Even at gas stations in Canada, due to the oligopoly about us. But the, um, they would have known, they would have pulled security footage. Like, if they were blocking his individual VPN IP, like, they would have gone to the lengths to be like, okay, like, we saw that he made a $20 nightlight purchase on Thursday, January 9th at this location, like, let's pull the security footage and pull a photo of this person. And then they probably would have distributed that photo in the area, which is even more surprising if they didn't. So the fact that he played for so long and accumulated such a high point value on the leaderboard...
Yeah, wild. I would have thought for sure that they would have stepped in harder and stopped it.
And the fact that years later, when he came back for a holiday or something, or to see family or, you know, whatever the point was, it still worked, is wild.
Yeah. I mean, he speculated, I think, correctly, that the staff... I have a good friend who works for a large grocery chain.
And I can attest.
They don't care.
That guy's face could have been printed 10 feet tall with WANTED above and below it.
Big dollar signs next to it.
And they just couldn't give less of a shit.
The other thing I like was that he pivoted towards toothpicks and toothbrushes,
a lot of dental hygiene stuff, but like non-disposable products.
Because I think the quote was groceries.
You can only buy so many of them before they go bad,
which is like, I remember being an age where if there was fresh food in my fridge,
it was definitely going to go bad before I would have a chance to eat it.
I would simply throw out that the average Canadian spends about $16,000 on groceries in a year and his annual gains were about $9,000.
So you could totally eat $9,000 worth of groceries from a grocery store.
But that really wasn't the tenor of this game.
Yeah, yeah.
I agree.
I agree.
The thing that made me think of Shoppers Drug Mart, and this is just totally an aside for any Canadians listening, is when he mentioned that the points are spendable in a lot of places.
Right.
Because I know the PC Optimum points are both grocery, drugstores, gasoline, like they're kind of accrued and spent all over the place.
So that's when I thought, okay, this is probably, probably is the PC Optimum, Shoppers Drug Mart programs.
Yeah, you could, a Real Canadian Superstore sells PS5s.
I'll just say that.
True.
I'll just lob that up in the air.
You can buy a Nintendo Switch at the Real Canadian Superstore or a Shoppers Drug Mart, I think, at this point.
Full disclosure, I bought an Xbox Series X from Shoppers Drug Mart when they could not be found anywhere.
That's the pro tip up here is if you're trying to get some really hard-to-find electronics,
there's always like three of them under a bunch of Culligan jugs of water in some of these grocery stores.
It's the weirdest thing.
They're like the new iPhone.
Yeah, I think we got a couple in the back.
You're like, sure.
There's a lineup around the block everywhere else, but rock on.
Great call.
Thank you for sharing it with us.
If you're ever back up in Canada again,
please keep trying this and let us know if it works.
You can share that call, as can anyone, at hotlinehacked.com.
We want to hear your strange tale of technology.
You can call into the phone number.
You can submit audio via an email.
You can send it in as text.
If you ask us to, we'll futz with your voice as needed.
We love to hear your tales.
But the only thing we love more than that, Scott, do you know what it is?
I think you do.
I do.
I do know what it is, Jordan.
It's our sponsor.
DeleteMe.
DeleteMe.
Scott, do you ever wonder how much of your personal data is out there on the internet for anybody to see?
No, because I know it's too much.
You do?
I do. And one of the things, so this is an anecdote. So my mom recently got scammed. I told you
this. Yeah, this sucks. I'm sorry this happened.
You know, quote unquote Amazon. Yeah, yeah, yeah. Yeah, my mom got taken who is one of the most
viciously cynical when it comes to her personal security people I've ever met, which is the
shocker in this. And I would bet money that they had personal information on her that made her feel
more comfortable about it. And they probably ended up getting that information via the data broker
hack or something like that. Because these were true professionals. They had full-blown
sites and things set up to clone and obfuscate and do everything to make it seem like they
were hyper legitimate. And yeah, it would not surprise me if that they had personal information
that they had either purchased or stolen from a data broking site to help with their goal.
Yeah, which was to do something real shitty. I'm sorry that happened. Hey, no worries.
And their goal being to use your name, your contact info, your social security number, your home address, info about your family.
And to take that stuff and sell it on the internet for money, which is why anyone on the web can buy those private details.
That can all lead to identity theft, phishing attempts, as we saw here, harassment, spam calls.
And you can protect your privacy with a friend of the show and sponsor of Hotline Hacked, DeleteMe.
You know, just given current events and stuff, you know, I'm hyper aware of safety and security, and it's easier than ever to just find information on people online, and that's something that I think needs to go down and away.
So all this data is just hanging out, but it has real world impacts and real world consequences
to people as we've now seen in the story that I told.
So that's why, you know, I recommend you use DeleteMe.
joindeleteme.com/hacked, code word HACKED at checkout.
It's a subscription service that removes your personal information from hundreds of these data brokers.
They send you regular personalized privacy reports showing what info they found, where they found it, what they got removed.
So it's not just a one-time service that you run once and walk away from.
It's kind of constantly a service that's running in the background.
So I recommend it.
You sign up.
You provide them with exactly what information you want taken down.
Their experts take it from there.
If you're interested in something like this, take control of your data.
Keep your private life private.
Sign up for DeleteMe.
It's a special discount for listeners of Hotline Hacked.
You can get 20% off your DeleteMe plan when you go to joindeleteme.com/hacked and use promo code HACKED at checkout.
So the only way to get 20% off is go to joindeleteme.com/hacked and enter code word HACKED at checkout. Scott, one more time for the people.
That's joindeleteme.com/hacked. Code HACKED. Sponsor of Hotline Hacked. Appreciate them.
So the statute of limitations has expired so I can speak freely. My name is Jeremy. I'm from Atlanta.
A great way to start a story. It's an exceptional way to start a story. I think in any setting too.
The statute of limitations is over. I have no fears of being charged for this and I'm happy to tell
this story. You could start a TED talk that way. You could start a wedding speech that way. It is a
very provocative way to start a story. I love the theory that you could start a wedding speech that
way. That's a wedding speech I want to hear. If somebody steps up to the mic and uses that as the
opener to a wedding speech, everybody would lean in.
The statute of limitations is over.
The toast to the groom.
You know, the statute of limitations is over.
The hall would go silent.
Yeah, the groom just starts shaking his head quietly.
I'm going to bank that one.
And listeners of Hotline Hacked, you just gave them, like, amazing advice for any speeches they have to do in the future.
Especially if it doesn't get resolved by the end of the talk.
Like, if it's just a nice story about how the bride and groom met, but you started with, now that the statute of limitations has expired.
That's good.
Back in 2015, I was running around with the underbelly a little bit, using a lot of methamphetamines, running with a scammy crowd.
I got the idea to download a bunch of background check apps and see if I, I was looking to see if I had a warrant, trying to find out if I needed to be worried.
So I downloaded all the usual, BeenVerified, TruthFinder, etc. And I found one on the Android app store called People Spy. The APK is still visible. However, the app hasn't worked since about 2018.
So I download the app, and of course, the first thing you do is do a background check on yourself, and I did it, and it was a little buggy.
It kind of went in and out and looked up some other people and I didn't really think anything about it. One day I was looking around in the file directory of my Android device, and in the slash folder I see a random text file that's called peoplespy.p.t. So I open it, and this was all the metadata that the app collects, you know, previous criminal history, address history, telephone number history, acquaintances, and then there was a section that said relatives. And I look and I see my mother's name, and next to it is her social security number. This is a number that I know and could verify.
So I looked my mom up, I found me as a relative, and there was my social security number exposed in plain text, just in a metadata dump file from one of these background check apps.
At that point, I realized that I had open access to everybody's social security number pretty much ever.
As long as they had a somewhat unique name, findable, easy.
100% of the time.
Once I got sober and got my life together,
I contacted the company that was the owner of it,
just kind of making a moral disclosure,
hey, your app was doing this.
You may want to check the servers and see,
make sure this doesn't happen again.
They denied it, completely ignored me,
and I've left it alone since.
Thanks a lot.
Again, the app was called People Spy.
I guess first and foremost, kudos for getting sober.
Congratulations, caller.
And then for having the wherewithal, after all of that was said and done, to contact this app and let them know that there's a glaring security compromise in their shit.
I feel like Hotline Hacked is three quarters entertainment, one quarter moral growth.
That's true. A lot of these stories, a lot of these stories are like, yeah, I did these things and it wasn't great.
Like this one wasn't obviously cybersecurity, like crime related, but it seems like every episode we have a story that has some moral growth.
So yes, kudos to you for getting sober and getting your life on the rails.
So kudos.
Peoplespy.com.
I dug this up after looking at this call.
It doesn't currently seem to still exist. It's redirecting.
I'm not sure if it's a new product or they sold the email to someone else, but it redirects to emailtracer.com.
You can't find press releases about this.
And it does get into sponsor the show.
And then something we've just talked about, especially during the National Public Data breach that happened this year, which got a lot of people talking about these data brokers, is that the existence of these services that will sell you information gathered from a bunch of different sources indiscriminately is tricky because, you know, there's really no protection for what someone does with it afterwards, including building a website and building an app that stores information in plain text on the device locally that it probably shouldn't be.
Yeah.
Which, according to this caller, sounds like what occurred here.
I feel like no matter how bad we mess up an ad read,
that is a better advertisement for Delete Me than anything we could have said.
It's just like getting your information out of these data brokers,
because I guarantee these apps are powered by it.
They're buying wholesale lots of data, personal information about people, which is how they're, how the app exists.
So it's, it's, yeah. I, yeah, I have not a lot to say besides, this is not surprising and, and there are ways to combat it.
Yeah, it seems like lazy, something lazy occurred here. If this is how this went down, this is some sloppy, sloppy development that took place, I guess is what I'm trying to say.
Yeah, but to me, to me, it's not even just that. Like, it is, it is sloppy in the sense that they've essentially given, like they clearly bought this information.
Yeah.
Right?
Like they have the personal information, the SINs, all the rest of this jazz, or the socials.
Showing the Canadian in me there.
They have these from data sets that they purchased and it's like the fact that they're exposing it is like, if anything, it's them not charging enough for access to it.
You know, like it's like you can still buy this information.
It's just that like they shouldn't be giving it away for, for, for, reset. And I'm saying that in like a cynical way, but it's like, like the, that's not a feature of People Spy. And it's like, but they still have that information. Some other random person still bought it. So it's not like it's super confidential. I think that's the thing that I want to understand more about this. And I'm waiting for a story to function as an excuse to dig into it more is, is the legality of some of this stuff. Like if you can't confirm the provenance of a social insurance number that is inside of the database of a product that you are selling to other people.
How's that legal?
There should be some kind of law that that's bumping up against.
I'm not sure exactly which one, but I'm surprised that's a totally fair and legal thing to do.
Yeah.
I know in Canada we have a higher bar of rigorous protection for personal information.
And I'm not sure about other countries.
I'm not like an IP lawyer or like a whatever lawyer would deal with this.
Maybe this is an interview we should try and put together in the new year.
And if you happen to know someone in your life that might be this kind of expert,
I'd like to hunt someone down that can explain to me, like, the way the court system in the States regards these kinds of incidents where it's like you have a private company.
And some of these companies are not large companies.
It's like a dude spins it up and they go buy a bunch of data from a bunch of sketchy sources and then resell it in a vaguely slick legal-looking package.
I'm like, I just want to understand that from a legal perspective.
Here's the thing.
So I've reached out to two of those people in the last year.
One specifically to talk about the Canadian Online Protection Act because and that pile of thing.
And I actually reached out to the EFF, old supporter of the show, Electronic Frontier Foundation,
because if anybody is going to know the answers to that stuff in the States,
it will be somebody that works there that's a lawyer.
We'll try and get them on in 2025.
So if you work at the EFF or the Canadian Civil Liberties Association,
please reach out, get at hackedpodcast.com.
Take it across the finish line.
Should we take a little break to the ad oasis?
Oh, man, it's cold this time of year.
It's wet, it's snowy.
I could chill on a beach for a minute or two.
Let's do it.
Let's get over there.
Let's go.
Oh, what's up, guys?
My name is J-Pod.
I wanted to share kind of a fun story
from my high school days in the late 90s.
It's kind of like a little early slice of hacking,
not really hacking, just a kid being a kid
with maybe too much access
and not enough oversight.
Hell yeah, brother.
Hell yeah.
That's what we do here.
I went to a magnet school.
Anyways, we got computers earlier than most schools, which is kind of a big deal back then. And I'd grown up around tech, like my older brothers, they're really into it. I remember we had like a Commodore 64, and my brothers got all kinds of PCs growing up. I really wasn't into it, but I was just like exposed to it early on.
So here, fast forward to high school. One of the first programs they introduced to us was something called an EBS program, or electronic book system.
And basically in our class, we had to read books, and then every week we took a quiz.
And there was like a DOS-based program or something like that.
But anyways, each week we were required to complete a quiz as part of our grade.
This computer basically managed the tests for the teacher.
The problem was no one at the school had any real training or knew how to use it, especially our teacher. So every week she like kind of struggled to log in and set up the quizzes and get the class organized. So naturally that is kind of straightforward to me. So I kind of, I guess was a tech savvy kid at the time. So I wanted to help.
Just a classic social engineering of the teacher's pet going on here, I think. Why, Mrs. Tomlinson, I know how the computer works.
And without any hesitation, my teacher just handed me over her credentials and let me do everything.
And here's the thing.
Her login credentials weren't just limited to the EBS program.
I quickly realized that they gave me full unrestricted access to the school's entire computer network.
And not just from the school network.
I was able to remotely log in.
There were no firewalls, no multi-factor authentication, no real oversight, just basically a login name and a password.
So at first I didn't really think much of it.
I was kind of focused on getting the EBS working for the class, you know, trying to help everyone out, make the teacher's life a little easier.
But then curiosity kind of got the best of me, and I started poking around in the software and discovered something that's kind of hilarious in retrospect.
All the data, the questions, the answers, were kind of basically stored in unencrypted text files right on the machine.
Literally no encryption, no file permissions, nothing.
It was like they assumed no one would ever look into it.
So being a teenager and not wanting to spend my evenings reading books,
I downloaded the EBS software on my home computer.
And with a simple text editor, I actually had access to all the answers for every quiz in the program.
The first thing I did, of course, was test it out.
I went to class, took the quiz, and got a perfect score.
It was pretty easy.
And then it didn't take long before I realized I could share this discovery with my friends.
Bad decision.
Bad decision.
I feel like every one of these stories begins with, like, I figured it out.
I could cruise my way to college, and then it's like, but then I wanted to help my friends out, and then we got busted, and then we got thrown out of school.
Yeah, there are no secrets that time does not reveal.
The more people you let in on something, the quicker it's going to get, it's going to get found out.
They gave me the name of the book they were supposed to read that week, and I just handed them the answers.
I printed it up on my mom's printer.
Brought them to school.
No one thought anything of it.
So we aced every quiz for the rest of the year.
And to this day, I don't think the teachers ever figured out what was happening.
They just thought.
Prove me wrong.
Yeah.
Hey, sometimes crime pays.
You must have been hanging out with the smart kids because I feel like if a teacher sees a student go from a 60% average to 100% on every test, it would be like a shocker.
But if there were already like eight kids and then they just kept getting A's, it's like, okay.
I wonder, finish the call.
I have a theory.
Okay.
They thought the software was working and we were all doing really good.
But I probably gave every kid in my class a print out at least once a week, you know.
So this caller's audio file, like not accidentally.
And we have a five, I think is a five-minute limit.
It shouldn't be a five-minute limit.
No, I don't think there is.
Or maybe there is.
Yeah, we don't seem to have a second call.
The call got disconnected at five minutes.
So we don't have the rest of his story.
So we'll just tease it that apparently he got access to the overall network and into some of the grade data and other pieces of information that he probably shouldn't have.
We don't know the rest of the story.
So if you want to call in and finish this, this can be a cliffhanger ending.
For the year.
Oh, I love it.
For the year.
Like an old network drama.
So here's my theory.
Okay, let's hear it.
And this kind of gets back to what you said of the conspicuousness of like, wow, this kid starts getting 90s and 100s on all these quizzes.
Oh shit.
All of this kid's friends have started really acing all of the quizzes too.
You know, a teacher, you don't have to be tech literate to be shrewd and smart and
observant.
So I'm wondering, here's what I'm thinking is maybe occurred here.
I'm a teacher.
I'm not the most tech savvy teacher maybe ever.
It's early days computers.
I don't need to be.
I give a student some login credentials to get their help figuring out how a thing works.
They're good at computers.
Maybe they can help me figure it out.
It's a learning opportunity for the kid.
That kid started getting 100% on every quiz.
And the quizzes are stored on the computer.
And all of their friends are getting 100%.
So I have two choices.
I can either untangle this massive security breach that I have engineered by giving the login credentials to a teenager, or I can consider the fact that the school year is pretty short.
And next year, this kid is going to be someone else's problem.
And so maybe they just get 100% on like ninth grade algebra or book reports or whatever the heck it was.
It's English class in junior high or high school.
It's like, you know what?
You got, you got the A.
Get the heck out of my hair.
And now I've learned a valuable lesson.
Do not share login credentials with the students.
That's my theory.
I think if that was the theory, the teacher would maybe request to have their credentials changed mid-season once they realize what's going on.
So here's my theories.
One smart kid, obviously, maybe surrounded by other smart kids.
They were already getting 90s and 100s.
Sure.
Now they just don't have to work for them.
They just literally get them.
And it sounds like maybe in the future they just get them by editing the grades.
But we don't know.
Cliffhanger.
Cliffhanger.
So that's my theory one.
Theory two is that...
What was the previous caller's reference for the lazy employee, Judy?
Yeah, I think it was Judy.
Judith, Judy.
Maybe this is a Judy.
Maybe the teacher was a Judy.
It was just like, eh, I didn't even look at the grades.
The computer's auto checking them.
She doesn't even need to review them.
She's like, I've got an artificial intelligence now.
I'm in auto drive.
The computer and this kid coordinate my class and all of the testing now, and I don't even need to look at it.
I'm going to be like, I guess this was probably before you'd be staring at your phone.
But maybe they were reading like Martha Stewart magazine.
Classic Judy move.
Classic Judy move.
Yeah, Judy might just not give a shit.
Yeah.
That's always, and that's, that theory almost loops back around to my original theory,
which is that the teacher cared less about untangling this than they did about catching the kid.
It's just like, the thing I know about Judy is Judy doesn't give a fuck.
And she just like let it ride.
As she had done in her previous job working in the customer support department of a large Canadian grocer,
she didn't give a shit there.
She approved all of those claims and she doesn't give a shit now if that kid gets 10 out of 10 on every quiz.
Yeah.
Yeah. Good theory.
Good theory. And a cliffhanger ending.
Hopefully they call back in with the rest of the story.
Please do so if you hear this.
Jordan, I think, was their name.
Not just your name.
Not just my name. It's my name, too.
And it could be yours.
No, it can't.
But you could get your call on hotlinehacked.com if you want.
You can't have my name, but you can do that.
Share your strange tale of tech.
I think, true hack.
Is this the last episode of the year?
I think it might be.
I think we got a rerun coming up early January on, like, New Year's Day kind of thing.
I think we'll drop a Hacked classic for everyone to enjoy.
But I think in terms of original content, this is a wrap on 2024.
Yeah.
Thanks.
Thanks for being here with us, everybody.
Thanks, definitely thanks to all the participants in Hotline Hacked taking time out of your life to be a part of the show.
We really appreciate that.
We know it's not just asking for you to listen, but it's also asking for you to contribute as part of the show. And big thank you to all of you. It's true. Thanks to all our sponsors. Thanks to everyone that shared a story. And thank you for listening. We really enjoy making this bad boy. We got a lot of really fun schemes hatched for 2025. So we hope you'll stick around.
Thanks to the Discord gang. Thanks to the patrons. Thanks to the people who reach out. I don't know if you saw it, but Patrick Bjornfoot, I hope I'm, I'm probably mangling that, but it looks like yarn foot to me, is part of the sinus infection gang.
And he sent me a recommendation for what looks like a World War II, like, mass-produced
gas mask, like an emergency gas mask.
But apparently these things are very common in cross-country skiing.
So instead of your face freezing up and having cold, dry air constantly burning your sinuses and your lungs, you put these masks up and they re-moisturize the air with the moisture from your breath, which kind of makes sense.
A little bit of a strong look for me just to wear out and about on the random Wednesday getting groceries.
I don't know about that.
I think you could.
I think you'd bring an intense post-apocalyptic energy that we could all enjoy right now.
So the...
Thank you for your email.
Same to Tobias, emailing in with some fun game references from Lescault.
We really appreciate it.
If you just want to send us a message, not for Hotline.
Get at hackedpodcast.com is a great way to get a hold of us.
Submit a story, also a great way to get a hold of us.
We're here.
We're around.
We try to be.
We try.
And yeah, hit us up on the socials, hack podcast on most things.
I don't think we're very active on really any of them.
People do tweet at us and we do get back to them.
I recently put a ChatGPT prompt on there to generate a Python script to download all of the episodes of our podcast MP3s. Somebody asked how to do it. And I was like, just ask ChatGPT and it will do it for you.
But yeah, I think that's it. I think that's it. To everyone you listened, thank you so much.
Happy New Year's. We'll catch you in the next one.
Ciao.
