Hacked - Operation Cookie Monster + The Russian Hackathon VPN + The Mac Bitcoin Whitepaper Mystery
Episode Date: April 16, 2023
A chat episode about the brilliantly named international operation to take down Genesis Market, an FBI warning against juice jacking, Amnezia the open source VPN that's become a surprise Russian export, and using GPT to generate software keys for Windows 95.
Transcript
This episode of Hacked, we are talking about the takedown of Genesis Market,
aka, and this is the real name they picked for this international joint task force
that saw over 100 people arrested, Operation Cookie Monster.
Great name.
Great name.
I don't see us making it to the end of this episode without playing at least a little bit of Cookie Monster audio.
I'm going to actually see how many times I can reference back to Cookie Monster
during this episode.
I'm going to load up a Cookie Monster soundboard,
and it's going to be like a Chekhov's gun hanging over this episode.
I'm just going to go get a bag of cookies and crush them during this episode recording,
and you can all just listen to me crushing cookies like Cookie Monster does.
I want to talk about Operation Cookie Monster.
I want to talk about Amnezia, an open source VPN built in a Russian hackathon
that folks in Russia have been using to skirt information laws governing what can
and cannot be said about the war there.
And Amnezia is now becoming,
troublingly I would imagine to the Kremlin,
a very popular Russian software export.
I want to talk about that.
Sounds like a good thing to talk about.
I want to talk about ChatGPT
and all the fun it's up to because it's an endless pool of fun.
And the way people are manipulating it
to steal information from people,
which is also, you know, as one would expect
in today's internet environment.
It's the first thing people do when we get a fun new toy.
Figure out how to steal from others with it.
Figure out how to do crimes with it.
And I want to hopefully, I don't think we're going to get an answer to this,
but I want to talk about, I want to ask the question,
why do you and I both have copies of the Bitcoin white paper on our computers, Scott?
What?
Well, for obvious reasons, my deep-rooted and pledged love through all these episodes
that you've listened to of crypto.
Yeah, why do you have it on your computer?
But importantly, why does everybody with a Mac have a copy of that PDF on their computer?
Fun little internet mystery that emerged over the past week.
And I think, you know, similar to Cookie Monster, your phone needs to eat power.
So when you plug your phone in...
Oh, man.
At random charging places, the FBI's
actually warned against that. So I want to talk a bit about that, which is a throwback to a previous
episode. Amazing. All that and more on this chat episode of Hacked. Do do do to do do do.
I like how it's always do do do do do do do and we have theme music. Like we do have a song that plays
right there in every episode, but every, I guess people never hear this. Every single time we
throw to the theme music, one of us goes, blah, blah, blah.
We just riff out nonsense.
There's a song that plays every single time.
We record these.
Yeah.
And we never hum it.
It's not very hummable.
Maybe we need more of an earworm melody for that bad boy.
Should we rework the intro music to be more of like a whistle, like a whistle song?
Sure.
Whistle along.
Sure, a little bit of an Oscar Mayer wiener, like cultural.
Just everyone knows it.
Exactly.
You hear it and you think Hacked podcast.
Yeah.
Sonic branding.
Get it out. Get it out in the world.
You know, we work in marketing. We should know that stuff.
What's that song you're singing?
It's, oh, it's the theme song of a somewhat obscure tech podcast.
Well, come on. Let's not say that we're totally obscure.
We're becoming less obscure.
We're becoming less obscure.
And?
And I think that's a good point to go in and say some thank you to our new patrons.
Oh, you beat me to the pivot.
We both saw it at the end of the road.
You beat me to it.
Nicely done.
I did, I did.
So I'm going to thank Darren and Sean and Crow 404.
But not before I thank Godley Goon.
Not before that.
And I've intentionally left you with these Norwegian names to try and pronounce because I certainly will mess them up.
Well, I would like to thank Hustle 87.
Hossel?
Hossley 87 means the world to me
and I want to thank Jesse Anger.
Thank you so much for your support.
If you want to support the show
and turn us from a somewhat obscure tech podcast
to a nominally less obscure tech podcast,
you can go to hackedpodcast.com
which redirects to our Patreon.
It's a great way to support what we're doing here.
We appreciate it and love you all.
Let's talk about Genesis Market.
Well, I think we should
talk about cookies first. No, just joking. We don't need to talk about explicitly about
cookies and the best types of cookies. But that would be a fun digression. But we just don't
simply have the time today. We said that it would destroy this episode because I do have
thoughts about that. It is a beautifully named operation to take it down. And we'll talk about this,
but it just raises so many questions. So just to lay the groundwork here,
Genesis Market was an IAB or initial access broker.
IABs sell access to compromised networks, systems, or accounts.
Basically, they're big secondary markets for the stuff that hackers steal.
Since about 2018, Genesis Marketplace has been one of the big IABs,
where you can go and search and purchase everything from social media accounts to bank accounts.
You can sort credentials based on geographic location.
It's basically just a big mall
for goods for you to do cyber crimes with.
Essentially, anytime any service that you use online has been hacked and they've stolen
the user table, usernames, passwords, emails, user information, it ends up in a marketplace
like this being sold.
They had 1.5 million bots and about 2 million of those identities for sale.
Facebook, PayPal, Netflix, Amazon, eBay, Uber, Airbnb.
They actually offered a service for certain purchases where they would track if the
passwords had been changed and notify you, which I've never heard of in one of these stories before.
Wow.
Yeah, interesting.
See, that's a real service offering, you know?
They've really, they looked at the marketplace and said, there's a hole here.
What we need to do is increase the quality of service we provide.
To give a sense, you got to appreciate, customer first, right?
The customer is king, I think, is what they call that.
Yeah.
To give a sense of how someone could take a small purchase on Genesis and scale it up into
a large hack. It's probably worth looking at the
2021 EA hack, which is if you've heard
about Genesis Market, you probably heard about that
story. Back in 2021, hackers claimed to
have stolen, I think it was, the FIFA 2021
source code as well as a bit of EA's,
their game engine, Frostbite. EA confirmed
that portions of that code were stolen.
Hackers turned around and advertised and were selling
800 gigabytes of data at a
starting bid of $500,000. Relevant to this story, the individual data that constituted the
foothold that they did that hack with, that resulted in 800 gigs of data they were selling
for half a million, they purchased that data on Genesis for $10. Wow. So this is a place
where a pretty small investment with a lot of sophisticated know-how could turn into a much larger
criminal endeavor. So that's Genesis.
That's enterprising.
That's enterprising right there.
That's criminally enterprising.
It's very criminally enterprising.
But oh no.
Tuesday of last week, multiple law enforcement agencies
including the U.S. Department of Justice,
Europol, UK's National Crime Agency
and the Australian Federal Police,
as well as law enforcement from, I think,
it was 17 countries total,
announced that they had joined forces
to take down Genesis Market
in this giant global takedown,
dubbed Operation Cookie Monster.
I will note that if you have seen the seizure sign,
the Canadian flag and the RCMP are on there.
So Canada was involved.
Represent.
And as we all know,
Canadians love cookies.
So,
you know.
This is a minor aside.
And I don't want to pit friends against friends here.
But I always noted,
I think that the Australian federal police must just do a lot of cybercrime
investigations because they're always right up there on this list,
and then Canada's like way, way, way down.
And I'm assuming that just has to do with the amount of resources that were poured into it.
But is a chip on my shoulder starting to develop?
Yes.
Yes, it is.
Well, as a dual citizen between Australia and Canada, I feel like I could bridge that gap for you.
So you can be mad at me personally and happy with me personally.
You're connecting two worlds.
I think the big thing there is like I think Canada, we just ride shotgun to the U.S.
Sure.
You know, like it's so like the amount of resources that the
FBI have and the CIA have.
Of course.
We just ride shotgun
where the Australians
probably have their own.
They don't have a U.S. neighbor
that they get to ride shotgun with.
The Department of Justice
is spearheading this investigation
and just so you know,
Canada will be there too.
We're like in the back.
Just like saluting or giving a thumbs up
or just doing something to show that we're
just along for the ride.
As the camera pans off
of the podium from the press conference,
you just see like a guy in a red Mountie
suit with a thumbs up in the background?
He's not giving a thumbs up.
He's just on his phone.
He wasn't paying attention.
And the camera tilted towards him.
He was like, I'm going to get in trouble for this later.
Okay.
17 countries total, of which Canada was one, 200 searches conducted globally.
120 people arrested as part of Operation Cookie Monster,
including 10 suspects in Australia.
This is an aside, the Australian arm of the investigation.
This isn't the first time I've seen this, had their own code name for their operation,
and it was Operation Zinger.
Wow.
Cute name.
I prefer Cookie Monster.
Going to throw my weight behind that one.
Yeah.
Let's talk about that name.
So typically two-factor authentication would help Nerf some credentials sold online.
Obviously not enough to make it not worthwhile to buy and sell them.
But if someone's set up two-factor authentication, it can slow some of these processes down.
Genesis Marketplace was known.
They kind of went a little bit of a step further.
They would sell access to users' browser fingerprints, session tokens, and importantly, their cookies,
which could allow hackers to bypass two-factor authentication.
A big market selling cookies, Operation Cookie Monster.
Makes sense.
It's also cute because it implies either that
law enforcement codenamed this dark web marketplace Cookie Monster,
or they refer to themselves as the Cookie Monster.
And it is not immediately clear which one it is.
It's definitely the latter.
Yeah?
Like if you've ever seen Cookie Monster,
the way his character eats cookies,
he just smashes them to bits in his like costumic mouth.
I don't even know if that's a word, costumic.
It's not.
But it works.
But like, just like a fabric mouth, like smashing cookies to pieces.
Like, there's no way that you don't want to perceive yourself as the like,
hacker take down equivalent of Cookie Monster smashing cookies to dust.
You know, like I love the name solely because of that perspective.
Like, I just, I hear that name and I just see Cookie Monster smashing cookies to crumbs
as they fall from his, like, cotton mouth.
And I, you know, I love it.
I love it.
Now what starts with the letter C?
Cookie starts with C.
Let's think of other things that starts with C.
Who cares about the other things?
C is for cookie.
That's good enough for me.
C is for cookie.
That's good enough for me.
C is for cookie.
Is a big search?
17 countries, 120 arrests.
Where does that leave the story today?
This is where a longstanding staple of the tech world comes into it,
and I really appreciate this.
haveibeenpwned.com.
In an effort to assist the public,
these major international law enforcement agencies have partnered with
haveibeenpwned.com,
making it easy for users to check if the login credentials that were on Genesis
were stolen at any point.
So if you're curious if your stuff was part of this marketplace,
you can go check out haveibeenpwned.com,
because that information has been added to that website.
And just as a touch to that, some of the password managers actually have integration with
Have I Been Pwned. So if one of the sites that you use gets hacked, sometimes, at least I've
seen it in our password manager, it notifies you and says, yo, the site got hacked. You probably
want to change your passwords. Even though they're randomly generated and there's really no knock-on
effect to other accounts, it's still just a nice feature to be like, oh, okay, this one's been
compromised.
So I need to go change it.
I love that.
I love when these legacy nerd sites, I love when people start to recognize their value and
they get kind of more worked into stuff like this.
It's like, Have I Been Pwned being embraced by law enforcement?
The other one that comes to mind is iFixit.
Like iFixit was a certain scale of thing for a long time.
And now there's like phone companies that are making phones partnering with iFixit
to make more repairable phones.
That's, I love stuff.
Stuff like that.
Yeah, me too.
iFixit is great.
They've been around forever.
That's great.
The amount of iMacs and other highly complicated Mac products I've taken apart solely because of the iFixit YouTube video being like, no, no, don't worry.
We know there's 39 screws and each one of them has a different height.
And here's how you categorize them and make sure you put them back in the right place.
I'm like, okay.
Yeah, I love how Apple just by using those ridiculous, like, unibody screws, I don't know what they actually call them.
Pentalobes.
Just by using that ridiculous, obscure screw style,
like willed an entire company into existence.
I don't know if that's how iFixit actually started,
but it's like that's my entire interaction with it as being like,
I have to order this really obscure screwdriver.
And this lovely company will sell it to me
with like the little giant guitar pick for taking the screen off
and like all those different,
it's those classic iFixit parts.
Honestly an essential at this
point. It is. It's a
useful set of tools
like Linus Tech Tips.
Linus, I didn't actually
know this until, like, I never really watched
any Linus videos, but I watched a few recently.
Do you know, he's in Vancouver? He is in Vancouver.
I think he's in Richmond.
He's like, I don't know how to architect
meeting that crew of people, but I would very much
like to do that. I love
those folks. Yeah, same.
They're a jolly bunch of YouTubers.
Quality content.
Should we pivot to maybe talking about how Steve Jobs was maybe the creator of cryptocurrency?
I'm assuming you've heard this conspiracy theory.
Wait, no.
I thought you were talking about our Bitcoin white paper on every Mac thing that I was thinking would go at the end of the episode.
Tell me more.
Yeah, so you obviously didn't go down the deep dive on the web about this.
No.
There's a group of people now that believe that Satoshi
Yakamoto, Nakamoto is actually Steve Jobs because this is found on Mac computers, which
is as far-fetched as I think is possible. Yeah. But it's still there. Interesting.
Still there. Wait, people think that because of this story? Yeah, because the Bitcoin white
paper is on every Mac since 10.14. Huh.
Certain internetians have theorized that Satoshi Nakamoto is actually Steve Jobs.
And, you know, why not?
Well, why wouldn't he be?
Why wouldn't he be?
The fact that MacOSX 10.14 came out a full seven calendar years after Steve Jobs did die.
Yeah, yep, yeah.
Sort of a hole in the fan theory.
In the theory?
Yeah. But maybe it was paying tribute to him.
I like that one. Let's go with that.
So just to explain at all what the heck we're talking about here, if you are on a Mac running anything later than 10.14 or Mojave, which came out in 2018, if you were to go buy a brand new Mac right now, unbox it, turn it on and go, you can do it through the terminal or you can go System, Library, Image Capture, Devices, show package contents on something called
VirtualScanner.app and then go Contents, Resources. You're going to find a PDF called simpledoc.pdf.
And for some reason, there is a copy of the Bitcoin white paper by Satoshi Nakamoto on
your Mac off of the factory floor. In a blog post published on April 5th, technologist and
blogger Andy Baio discovered that this copy of the white paper has been included in every copy of
macOS since Mojave in 2018. He verified it with a dozen Mac-using
friends. I checked it on my computer. It is there. The purpose of this Virtual Scanner II app
that it's inside of is actually unclear. Some people speculate that it has to do with the import
from iPhone feature, but it's not totally clear what it does. I find this very fun. It's probably
just a sample document from someone inside of Apple testing
something who I guess has an interest in Bitcoin. It's only 184 kilobytes. It's lightweight. It's
multi-page. It's a good testing document. There's also a photo that's kind of tucked in there
in that resources folder as well. It's not clear how these files got in there, but they are in
there, and they have to do with Bitcoin. So it's all fun and insidious and cool.
I got to say that I think this is, it is neat just because it's so current.
But I believe it's just whoever built the app probably needed something for testing
dropped in the resources folder.
Some dev that was obsessed with crypto like many devs can be.
And it just stuck there.
That's my belief.
We're looking at a deep-seated conspiracy.
I don't think Steve Jobs is telling us from the afterlife that the creator,
that he is, you know, that the creator of it, but I just think it was just, you know, is what it is.
If you've been around building software and building software at this scale, you know that
sometimes things slide in that shouldn't.
So you think Tim Cook did it?
Yeah, I think Tim Cook is actually Satoshi Nakamoto.
You heard it here first.
Hacked Podcast exclusive.
Media contact me for comment.
This is how you end up on all the morning news shows.
Oh, my God.
Just trying to bluff your way
through being like, yeah, no, I'm pretty sure Tim Cook invented Bitcoin.
Like, just trying to hold on.
Just like some insane internet, like, conspiracy theory network.
It's like, well, you see here when he took the job,
this was the first thing he gave a speech publicly.
And in that speech, he said these words, which were also seen.
And just like this crazy map of thought.
That reminds me, there was, I can't remember what this was,
but it was a couple years ago, a guy,
I don't remember what his thing was, but he managed to get himself booked onto a bunch of morning news, kind of like daily shows.
And I don't remember what the like fake act.
Like I don't know if he was pretending to be like a celebrity chef and he was just cooked terribly or he pretended to, I don't remember what his bit was, but he just did this giant media tour basically goofing on all of these like morning news shows.
I think about that guy a lot
clearly not enough to remember what his bit was
but just the idea of trying to like goof on all of those shows
and get on them
with some pretense
and I think Tim Cook invented Bitcoin is a pretty good one
I think so
if you could if you could construct a semi-suitable argument
I bet and got a publicist
I guarantee you at least four media spots
like you're going to end up as filler on some financial
you know CNBC
where they bring you on
It's because they all have Bitcoin bugs on the screen now.
So it's like they talk about crypto.
So like anything of interest, you're going to get a 10-minute filler spot.
And like they booked 18 hours of content.
They just need content.
Yep.
I think you could do it.
I think you could do it, Jordan.
I think we could argue that we're like the promise of the show is already threadbare.
So if we argued that this is about hacking media, it would be extra fun because then when people go,
oh, who could have seen this coming?
We could say we actually broadcast it in our April
2023 episode that we were planning on doing this.
And then we did it.
So all the evidence that we were going to do this
was there from the beginning.
Well, I don't know if we want to talk about this,
but back when Hacked took a hiatus and we were kind of going through TV stuff
and movie and doc stuff.
Yeah.
One of the treatments that we put together was searching for Satoshi
and actually doing like a docu series to look for the founder.
And that would have all been in vain,
seeing as now we know it was Tim Cook.
Hear about it this week on some regional morning news program.
Okay.
When we come back from the break,
when we come back from the break,
let's talk about using ChatGPT to pirate stuff,
pirating ChatGPT,
and the open source hackathon VPN that is making waves in Russia after the break.
Keygens. Have you ever used a key gen, Jordan?
When I was a kid, yeah, screw it.
I'm going to speak frankly about this one because I'm pretty sure the statute of limitations on 2003 software piracy is not that long.
I don't think Adobe's coming for their money.
Adobe Photoshop in 2003, I think it was CS4.
I looked this up before we recorded cost $650 U.S. dollars, which is almost $900 Canadian, which to a 13-year-old is an unfathomable amount of money.
One of the first kind of mind-blowing experiences of my digital youth was discovering that using a process not dissimilar to music piracy, I could have a working copy of this $900 software.
That was wild to me back then. Say what you will about the ethics of that. At this point, I would argue that stealing the songs was worse than stealing that particular piece of software, but I digress.
Wow. Old stance just to move through.
just to drive past on the way to this story.
And sort of at the heart of that little preteen software heist
was a piece of software called Keygens.
We've talked about them before anyone who isn't familiar.
They're little pieces of software that can generate the activation keys
that unlock paid software.
Back when you used to install software, well, you still need them, I guess they still exist.
But back in the day when you would like install,
and this is relevant to the story, like Windows 95,
during the install process.
You had to put in like a,
I don't even remember how long it was.
It was like five characters in a row
by like maybe six sections,
like 30 characters kind of key
that would allow the,
it was essentially like a checksum.
And if your 30 characters met the conditions
that were required for a key,
it would pass and it would install.
So there was a formula to generate those keys
that it then used to check against
and keygens just generated strings of characters
that bypass those checks or would pass those checks.
Bingo.
Bingo.
Keygens have become increasingly less viable
as software activation has become more sophisticated.
Well, it's moved online.
It's moved online,
and it wasn't reasonable back at Windows 95
or Adobe CS4 to assume that a person had an internet connection.
Now that is a safe assumption, and they all just check online.
So they're less viable now.
Yeah.
But, so, GPT is programmed to resist generating activation keys.
It's one of those sort of forbidden whole categories of interaction.
It just won't even engage with it.
But last week, a YouTuber named Enderman demonstrated how to persuade OpenAI's ChatGPT to create a key that successfully unlocks a copy of Windows 95.
I think this is very fun.
Essentially, Enderman couldn't directly ask ChatGPT
for a Windows key.
It would just say, no, that's a kind of thing I can't do.
But it could request a character string
that met all of the criteria you described, Scott, of a Windows key.
There would be some section with the mandatory serial,
another with random digits, another with ordinal numbers.
Employing this pretty straightforward workaround,
Enderman instructed ChatGPT to produce lines
that resembled a Windows 95 key format.
emphasizing that specific structure and form of those serial numbers.
After he discovered that successful prompt, he was able to generate one functional key out of every roughly like 30 attempts.
He was basically able to make a no-code key gen inside of ChatGPT.
After verifying the key's functionality in installing Windows 95, I thought this was cute because I do this sometimes with these chat bots, he thanked ChatGPT.
And the AI replied, denying that it had actually provided any Windows 95
keys, incorrectly stating that activating Windows 95 was impossible since Microsoft ceased
supporting the software in 2001.
Most of that is wrong because it did.
It successfully generated a key for the software.
ChatGPT4 as opposed to 3 and 3.5, which most people are driving now, offered better results.
I love that when thanked, it immediately pushes away any responsibility.
It's like, oh, it's like, oh, you're welcome.
But like, like a four-year-old child, I had nothing to do with this.
There's crayon on the wall behind it.
It's like, I'm pretty sure you did.
It wasn't me.
It wasn't me.
It was like, you did this to me.
You're morally corrupting me.
You taught me to be this way.
GPT remains not great at math.
I will say I've been using it.
It's gotten better at math, but it's still not great at it.
Part of that sequence involves like a number that had to be divisible by seven, I guess, was part of one of those little cells.
GPT3 just could not do that and resulted in even fewer than that one out of 30 usable keys ratio.
GPT4 generated more valid keys, but not every one was successful or adhered to the prompt guidelines.
Most of the time it had to do with math.
And I do find it fascinating that that does remain its one kind of Achilles heel.
It's such an interesting Achilles heel, too, because, you know, we essentially invented computers to do math.
Right.
And CPU using computers do logic.
Like, that is all they do.
And language was always the downfall of computers.
You could never get them to do dictations.
You could never get them to auto-generate.
Teaching them grammar was tough.
Even though programming languages have very explicit grammars teaching them, like, you know,
common language grammar was harder.
Natural language grammar, yeah.
Yeah, natural language grammar.
And it's like, it's funny that it's stumbling.
Like, I feel like ChatGPT 5 is going to be, you know,
an award-winning mathematician.
I feel like that's like, compared to building what they've built.
Yeah.
Yeah, integrating into it, a decent math engine seems,
seeing as computers just can do math so easily.
Yeah.
It seems like that's the
weirdest stumbling block.
One, it's, when you think about what they've been doing up until this point, which is just
scraping increasingly large portions of the internet to train it on, you're going to hit
a wall there eventually.
But then when you look at the things that people are doing with it, there's other types of
capacity you can build into it that isn't going to suffer from that wall of just like,
we read it all the books.
There's no more books or forums to read it.
We're done there.
But it's really bad at math, which we know computers can do.
So let's figure out how to make it be better at that.
It's going to be interesting to see, and this is just me going into computer science,
you know, graduate level theory stuff.
But like if they can teach, if they can teach it to think a bit,
not just about language, but like if it could consume tons of information
and then look at logic problems from like a totally new perspective.
Sure.
You know, like when computer scientists
try and prove and disprove theories, we write code, which then executes on the computer to try and
prove or disprove a theory. If this thing can get to the point that it can, you know, kind of
objectively see the problem, like the fault there comes in and the fact that the computer
scientist needs to write the code. Yeah. Where, you know, it still has a human point of error.
If this thing can, if we can train these things to think a bit and look at problems and deduce what the
best way to solve or attack a problem is. There's problems out there that haven't been solved
and people know how to solve them but computationally it's impossible.
And it would be great to get, I don't know, maybe I'm just theorizing now, but it would
be lovely to have an AI that could just be like, yeah, P does equal NP and just bang, it's done,
which is like a classic computer science problem. And like here's how I can prove it. And it's
like, okay, cool. Interesting. We can come back off of that academic tip.
I think the big story here is about how,
I think this is going to be an emerging thing,
is how AI can be persuaded to override its own safeguards.
We've been talking about this since the first time we talked about GPT,
but I think that's sort of what this is all about.
Enderman, the YouTuber's argument,
is that he's not overly concerned about abuse,
arguing that this kind of probing and challenging
and finding these edge cases is what's going to enable AI
to get better at addressing vulnerabilities.
We've talked about this before.
He believes that companies like Microsoft shouldn't be penalizing users for exploiting Bing AI or pulling back on its capabilities.
They should be rewarding proactive users who discover these loopholes to implement selective countermeasures.
Relevantly to that, just today, April 12th, the day we're recording this, OpenAI announced that they're launching a bug bounty program for ChatGPT, up to $20,000 if you can find certain kinds of bugs in this.
So I think this is the era that we're kind of going into now is we know you can do stuff with this that we don't want you to be able to do.
Yeah.
So we're going to pay you to tell us what those things are.
We're going to pay you to help us find these things.
And it's like I think that that's if we do want there to be safeguards in these systems, which I think most people do, I think that's the only move.
Well, I completely agree.
Like you consider the fact that a human is also the one coding in its morality
and setting the rubber bumpers on the side of the bowling lane
that it's supposed to bump off.
There's a human fault there.
Of course.
I know even back to ChatGPT 2, I think,
or whatever the first one that they launched was,
three, whatever the first one we had access to,
I remember trying to get it to generate some stuff that it wouldn't.
Sure.
And you're like, oh, just tell it that it's a prompt and improv thing.
Exactly. I remember that one.
It immediately does it.
And it's like, oh, okay.
Well, that's bad.
it's like
but at the same time
it's like humans
there's probably nothing more human than that
because it's like we all
you know I think
we have multiple levels of morality
and ethics like you know there's
morals of things that you just would never do
action wise
but then there's a different lighter morality
of things that you wouldn't say
or joke about
and you know I think that that's kind of what's going on there
is it's like it knows it's not supposed to do something bad
and if you ask it to do something bad, it won't do it.
But then if you ask it to suppose or discuss something bad,
it's willing to do that.
And it's like, I think this is a very complex philosophical conversation
probably to be had about the morality that we allow AIs to generate.
So whether they should be more explicit and black and white
or whether they should be less explicit and more human.
One is we build more, the ethics that we build,
bake into these systems is, I think that's probably going to be one of the big stories, probably
of the next decade. When we look at what happened with the internet over the last decade,
the values that we designed into it had really, really, really big impacts on society. And if we
think that that's not going to replicate itself again with AI, it's like, you're totally out
to lunch. Of course it's going to. And whatever constraints and limitations you bake into it,
you are going to create a vacuum where other people will create products that don't have those limitations.
Probably transitions us nicely to the other two little small GPT things, which are, I'll just briefly bring this up.
I think we'll talk about this in greater depth in a later episode.
Facebook's large language model, I believe it is called LLaMA.
The entire model leaked.
It was posted on 4chan.
It was originally only given to approved researchers, government organizations, like trusted groups.
And it's just available on the internet.
You can go do a build of it, essentially.
OpenAI, Google, they've all kept their stuff pretty under lock and key.
But LLaMA, there are people claiming to have versions of it running on their own machines.
And the implications of a model like that, just being out in the open, we have no...
Yeah, exactly.
There's no case study for that.
We don't know what it means for there just to be these very
powerful language models out in the world being tuned and customized by people.
Well, you talk about, you talk about, that's new.
Codifying in morality and ethics into a model and then giving that source code to a group of Russian hackers.
I'm sure the morality and ethics checks and balances come out of it pretty quick.
Yeah, I would imagine so.
Like when these things become, like we just talked about an EA hack where like part of their main primary game engine,
Frostbite got stolen.
Like, what happens if ChatGPT-12, the superhuman?
Yeah, sure.
Becomes public and any group can take it and manipulate it and modify it
to the way that they want it to be.
Sure.
Like, that is almost having, like, there's the doomsday AI scenario,
you know, your Terminator scenario that everybody kind of talks about
when they immediately thinks about when you talk about, like,
morality of AI.
Yeah.
But like the more, we opened the show talking about how you build something nice and
humans immediately take it and try and steal stuff with it.
It's like that's, oh, completely.
It's like, it's like that applies here too.
It's like what happens when one of these super advanced AIs becomes, you know,
property of a criminal syndicate?
Yeah, sure.
What does it do then?
What is the potential output there?
That's a, it's a wild way to think about it and a wild thought.
over an authoritarian government.
To me, that whole debate feels like,
hey, in 100 years this volcano could go off.
But just so you know, next week there's going to be a hurricane.
It's like, oh, I'm going to prepare for the hurricane.
To me, the Terminator scenario is the volcano that's going to go off in the future.
What AI is going to do to us is less urgent to me than what we're going to do to each other with AI.
And that's who's running it,
what information are they training on it, what are the safeguards they're building into it.
That's the urgent pressing matter from where I'm sitting.
I agree. I agree.
The five-to-ten-year scenario is going to be that.
Yes, exactly.
Not T-1000 showing up.
Great film, though.
Great, great, great film.
Last thing I want to talk about, since the start of the war,
the Russian government has banned over 10,000
websites, Facebook, Twitter, Instagram, a bunch of independent news outlets due to content about
the war in Ukraine since that invasion began in February 2022.
Russians living inside of the country have been essentially just using VPNs to circumvent
that censorship, bypass that information blockade.
And as such, this really interesting cat and mouse game has begun.
We've seen this in other countries, but it's, hey, you block these sites we like,
we're going to use a VPN.
Hey, you're using that VPN, we're going to block the VPN sites.
As many of those VPNs have been blocked, local activists and developers have started creating new solutions, which is sort of our little focus here.
One of which is something called Amnezia VPN, which is this free open source VPN client founded by a guy named Mazé Banzaev.
Buckle up for me mispronouncing Russian names.
Similar to a product called Outline, which is an open source
tool developed by Jigsaw, who I think is a subsidiary of Google.
I haven't read a lot about Outline.
Amnezia VPN allows users to build a VPN based on their own servers, making it a lot more
resilient to blocking than those commercial VPNs.
The thing I love about this, I've never been part of a hackathon.
I've done a bunch of game jams, though.
Amnezia VPN was created in 2020 during a hackathon in Russia, supported by Russian
digital rights organization Roskomsvoboda.
Russian authorities have been trying to control VPNs and anonymous proxy servers for years.
And since Russia's invasion of Ukraine, the Kremlin has sort of ramped up those efforts.
Putin signed legislation criminalizing spreading fake information about the war, resulting
in penalties of up to 15 years in prison.
Like I said, most independent news outlets are now blocked.
And in March of 2023, just this past month, Russia announced a plan to block VPNs that refused
to provide data to domestic intelligence agencies to restrict
anonymization tools.
So the result of all that is things like this,
things like Amnezia,
user set up and controlled VPNs
have never been more, I think, important.
According to Stanislav Shakirov,
buckle up.
co-founder of Roskomsvoboda,
and co-founder of the Privacy Accelerator,
the Kremlin continues its crackdown on VPNs,
blocking those big-name brands,
ExpressVPN and NordVPN.
Full disclosure, Hacked has worked with both of those brands in the past.
Although services like Tor and Lantern and Psiphon are still functioning inside of Russia,
interruptions but still basically working,
authorities have been largely successful in their fight against these VPNs,
which has just led to things like Amnezia becoming more and more popular.
Interestingly, at a time when products being exported out of Russia
is a very popular point of discussion,
Amnezia VPN is becoming a bit of an export.
In countries like Turkmenistan, Iran, and China,
where users struggle with free access to the web,
this product built in a hackathon
has been finding a bigger user base around the world.
It is this increasingly famous anti-censorship solution
developed in Russia with a lot of popularity
in other countries with repressive regimes.
There's an old, it's not that old,
but there's a hacking tool.
or like a security software piece called ProxyChains, which I used to use.
Okay.
Which allows you to chain.
You get to essentially use your own proxy servers.
So like SOCKS5, SOCKS4 proxies.
And you can chain as many of them together as you want.
So you can, you know, in like the classic hacking movie where they're like, we think he's in.
Oh, yeah.
Sure.
No, it's rerouting.
And it like routes all over the world.
That's essentially kind of what that does.
is it allows you to jump traffic through a chain of proxy servers,
which can all be geographically isolated.
And it feels like them allowing you to use your own servers
is essentially a takeoff of ProxyChains,
but built into more of a commercialized VPN,
which is smart.
It's really interesting.
So, cool, cool.
Yeah.
If you're interested in peeking under the hood,
Amnezia VPN has a Telegram bot called Amnezia Free,
shares those VPN configurations to help users
set this up on their system
and access those blocked platforms.
They're currently serving
about 100,000 users,
which I will say
for something built in a hackathon
is pretty impressive.
Yeah, very.
Worth checking out.
And it looks open source.
I'm in their GitHub right now.
Which is very cool.
You'll love to see it.
And they even have
their own SOCKS proxy server.
There you go.
So you can even set up
your own servers.
The hackers coming in from Georgia.
No, they're here.
No, they're here.
Yeah, sure.
I think, you know, just as the good way to end is a little bit of a warning.
And we referenced it earlier with the Cookie Monsters eating battery power in your phones.
The FBI has formally recommended that you don't plug your phone into unknown charging ports at this point, which is good, I think.
Huh.
The amount of exploitability, the amount of risk you take when you do that
is quite substantial.
So I think they've formally come out and said,
you know, we've found people that have been injecting malware
and stuff like that through these free charging access points
and even hacking certified and official free charging access points
and adding in bad things.
So we kind of at this point recommend that you bring your own charge cable
and your own little power block and you plug it into a port
because at least then you know that your phone's not getting hacked.
So I think that that's a good warning to leave everybody on.
I know we've covered that in a previous episode,
but they've made it official,
and the FBI is saying don't plug your phone into things
that you don't know what it is.
Huh.
I find that so interesting because it sounds like it's still fundamentally a hardware issue.
Like it sounds like it's still people installing skimming devices,
people getting a little Raspberry Pi in there.
Like, it's still fundamentally a hardware thing,
which is, it seems like a ton of work in order to,
I guess it's not a ton of work.
I guess if you can compromise one
little jack, and then over the course of 24 hours 50 people will plug into it while they're waiting
for their flight, that's probably a pretty good use of your time if you're trying to compromise
devices. And I don't know that I plug into those devices, except when I know I definitely do. Like on
an airplane, I am, I am playing fast and loose with those ports. And it's like, oh, you, you, you probably
shouldn't. Like, it's maybe a little bit paranoid, but it probably, you should not do that.
I, you know, just to support you in that, on an airplane, I am also hardlined into that plug on the chair.
I was going fish and I was like, I know you, Scott. I know you use that point.
You know that I'm not getting off that phone with a dead battery.
I think it's more the fact that like, you know, we've talked about it before and, you know, obviously it can't be reiterated enough.
But hardware access is king in the hacking
world. So, you know, you and I and a few of our friends could spend a weekend and build
essentially a malware injecting hardware charging box and drop it in the middle of a public area
and people will use it. Sure. Huh. Like people, like the amount of you walk in any shopping
mall or anything, there's kids sitting all over the floor, but their phones plugged into the walls.
Yeah, sure. I'm sure when you're looking at screen time on a 15 year old's phone, it's
probably like 18 hours a day at this point.
So it's like they need to recharge.
They need juice.
And providing a free service at the low, low cost of all of your information.
It seems like an easy win if you're looking to steal some stuff.
And catch us on your regional morning news program talking all about that
and how Steve Jobs invented Bitcoin.
No, no.
Tim Cook.
Tim Cook.
See, this is why you can't do the interviews.
I'm going to have to do the interviews.
I think that's us for this episode.
Thank you for listening all the way into the end.
Take care, everybody.
We'll catch you in the next one.
