Hacked - Pig Butchering, Ring Cam Swatters, and Raspberry Robin
Episode Date: January 16, 2023
A chat episode about all these things and more. Sorry, a "chatty chat" about exactly seven topics.
Transcript
Here's my question.
What's better than one story?
I don't know, like seven.
That's a specific number.
I'm a specific kind of guy.
What are we going to be talking about this episode, Scott?
Approximately seven things.
Roughly speaking seven things, which include, in no particular order,
decriminalizing ethical hacking in the UK,
ring cam swatting.
And you know those weird like WhatsApp or text messages that you get that start with like,
hey Doug, it was great to catch up with you.
And you go wrong number because your name isn't Doug and you didn't catch up with anyone yesterday.
And then they keep talking to you.
Do you ever get those texts, Scott?
Yeah, but I've never responded.
So I didn't know that they actually continue talking to you.
They do continue talking with you.
It's something called a pig butchering scam.
And it's far darker than this jovial setup would suggest.
Talking about all of those things, along with a bunch of other stories, four to be very specific,
from the world of tech and security, here on Hacked.
How's your break, Scott?
Break was good, Jordan. How was yours?
My break was, my break was okay. Uh, a COVID blight fell upon my
household, so my coming home for the holidays plans were replaced with sitting on the couch and
playing a surprisingly legal amount of Breath of the Wild, hundreds of hours.
Like blood clots in your leg durations of times?
Like you were worried that you have now become part of your couch?
Yeah, like on an international flight where they're like for healthcare reasons,
you should stand up, walk around a little bit, shake it out so that nothing bad happens
before we hit the ground, that amount of sitting on my ass and really just exploring
Hyrule.
Which, that game, I don't know when that game came out, like 2017.
That game holds up.
And there's a new version coming.
There is.
Tears of the Kingdom.
Tune into our new hacking podcast to hear our early
thoughts.
Not just joking.
What did you get up to?
Well, there was a bunch of flight catastrophes up here in Canada.
A bunch of snow hit Vancouver, which messed up the whole flight system,
which messed up some travel plans for my mother.
And so she ended up at our house, surprisingly, for
four days, which was lovely. But it did mean that she got to her destination four days late, as
we joined her there as well. So we went away. Somewhere warmer for the Christmas break.
And then, yeah, other than that, just kind of working and chilling, trying to relax a bit.
Got a break in here before work gets crazy again. All the news footage of the Canadian airports
being shut down. For anyone who doesn't know, there was a bunch of snowstorms that hit Canada.
Our airline system basically stopped working. It was a lot of Canadians in
airports looking flustered, but my favorite part was one of the little bits of news coverage
then cut to an American guy who said something that hadn't really occurred to me, which was,
I would have thought that Canada was used to snow, but it seems they're not.
And then he was the chillest one of everyone.
He's like, but that's okay.
I'm just happy to be on vacation.
And that brought me some calm during a trying time.
Well, it's funny because when we were away we ran into a bunch of Canadians and they were
all talking about it, obviously, because everybody was, because it disrupted everybody's flight plans, essentially.
And they said the same thing.
Like where I live in Edmonton, Alberta, there is, it's, like I've flown out of the
Edmonton Airport at minus 45 dozens of times, pumping snow, freezing rain, you name it.
Edmonton Airport.
Sure.
They've got it handled.
Rain or shine.
Vancouver, on the other hand.
We're cowards now.
One of our largest, yeah, one of our largest cities has like one de-icing machine and like no snow
plows, and it's like, okay, guys. So, like, one of the largest hubs in Canadian air travel
was completely dwarfed by like six inches of snow in like a couple of cold days. My favorite
comment was someone, like a very, I live in Vancouver, a very earnest Vancouver person saying,
this is the second year this has happened, we need a solution, have they considered building a
roof over the runway? And I read the comment like nine times back and forth, like, really just
trying to understand if they were being sarcastic or not.
And I don't think they were.
And my friend, you can't...
Yeah.
Because airplanes take off from there.
And land on there.
I don't think they realize that.
And famously land on there.
Like, that's the only two things you do on a runway are incompatible with a roof.
They go, you either go into the air through a roof or from the air onto the ground
through the roof.
From the sky onto the ground.
Exactly.
So, I have a...
followed up to see if Vancouver Airport is building a roof over the runway.
I'm going to make an early prediction and say no.
No?
That's going to get vetoed probably pretty hard.
Well, 2023 is, we're at the beginning of the year, so we'll see.
That is really funny.
This is a cybersecurity podcast.
We haven't done any of that yet.
Well, we could talk about some cybersecurity stuff.
I think we should.
I think we should first talk about why this is a little bit different.
So there's always like short stories that we bump into when we're researching the show
that you could never really hang a whole episode on, right?
Like you could probably talk about this for 10 minutes,
but you couldn't really juice a full half hour, 45 minute episode out of it.
Plus it's just there's very interesting little stories
that might not have the depth for a Jordan narrative, you know?
For full-blown narrative experience.
Years ago we tried doing the news update format, and that was really fun, but I think what we figured
out is that short stories good, short episodes bad. Yes. When we did the sort of retrospective
episodes last year, it kind of all came together, where you string a couple of those in a row and you
got a pretty nice experience. We get to dig into stories that are interesting and compelling but
maybe couldn't support the full narrative experience, and it gives us a
space to talk about them. So we're going to try that for over a couple months in the mid-month episodes.
We're going to keep that first of the month episode for the big story episodes. We're going to see
how that sits with folks. Yeah. So please hit us up on, you know, Twitter, Patreon, any way to get
a hold of us. We've gotten a lot of Patreon messages. We haven't got back to you. Thank you so much for
your support. We love you to death. We just have been away and doing things. So if you've, if you
fired something in, especially kind words,
know that we respect and appreciate it.
Where do we want to start, Scott?
I want to start on a piece of malware that was kind of blowing up at the end of last year,
even though it's about a year old, a piece of malware.
It's called Raspberry Robin.
And the reason I want to talk about this is because it goes way back in the hacked archives to bad USB,
because the way that this, like, quote-unquote worm spreads is payloads off of USB drives.
And it's like, I feel like people and operating system manufacturers should be pretty aware of this.
And we need some form of intervention to stop this from happening.
Like this USB delivery doesn't even auto execute.
So it requires you to shove a USB drive into your computer that you found and then literally click a file in it.
And tons of people have been doing it.
Okay, so unpack that distinction between auto-execute and just opening a file.
So back in the day, you could build things that, like, had a, remember when you put CD?
Remember when CDs were a thing?
When you put a CD inside of a drive and it would like auto-load the installer would, like, pop up on the screen, like, way back when, like, you put the Diablo 2 CD in, you close the drive, and bam, it's like, hey, would you like to install Diablo 2?
Yes.
That required something called like an auto run.
Okay.
So they've essentially removed auto run.
Like you can't really do it with USB files anymore or you can, but like it's not, it's not as simple as it used to be.
It's like you used to just drop an INF file in there and bang it was done.
It's not so easy anymore.
So they have taken some steps for that.
Okay.
So that's what I mean by auto execution.
It doesn't mean that like the payloads delivered the second you shove the USB in.
It means that like you shove the USB in, you open Explorer, you go to the USB
and you're like, oh, payroll files.
You know, XLS with a hidden extension.
Dot LNK, which executes an EXE file and boom, boom, boom.
Interesting.
Yeah.
When you brought this up and you brought up a hack that runs
when someone plugs a USB drive into a computer,
my first thought was, oh, that's quaint.
Feels like very old-timey almost at this point,
like a hardware-based exploit.
Yep.
Like at this point, everyone knows not to plug a USB
drive into a computer.
And it is interesting to me that, no,
there are still new and interesting exploits
happening in the field of people finding USB keys
in parking lots.
I think the statistics of this malware
speak to the fact that maybe not everybody knows
not to do this.
But the thing, like the piece that I really find
interesting about it is the human aspect.
It's like, yes, I'm a curious person.
You know, obviously given my,
my, you know, desire to learn about cybersecurity since, like, I was, like, nine.
The, the, if I found a USB drive in a parking lot, would I take a peek at what's on it?
Probably.
Would I do it on my main, my main computers?
Probably not.
But that's just me.
Like, I'm a, like, I'd be aware of the
risks of doing it and I would, you know, mitigate those risks.
But at the same time, if I opened it
and I, like, saw some, like, link file, like a shortcut file,
I'm not going to double click on that.
Like, it literally goes to the internet,
downloads stuff onto your computer and executes it
and then, like, essentially hands control of your computer off
to, like, the dark web.
And it's like, okay.
Anyway.
So the reason I wanted to bring it up is just that it was like so popular
at the end of last year.
It was making huge like runs into like,
And especially into governments.
Like I would assume that government IT and IS layers would have disabled foreign USBs from like being used and stuff like that.
But it's, you know, it was a huge problem in Argentina and Australia and like Mexico and Croatia.
Like it was all over the place.
Interesting.
I just thought it was a neat tieback to our old episode, Bad USB, which does auto-deploy payloads.
And they do have a new version of it if you want to Google it.
But yeah, anyway, I just thought it would be a neat thing to touch on as it was such a good tieback to something we were talking about years ago now at this point.
Yeah, at this point, I'm pretty floored that government computers, and I know this isn't practically possible, but that they haven't just taped over USB drives.
We're on year 13 post-Stuxnet, which was like nuclear, just nuclear problems plus bad USB drive hygiene.
And I think over a decade after that, it's like, we just don't do, we don't do this anymore.
We don't have USB drives in government computers that have state secrets saved on them.
It's fascinating to me that that persists as a problem.
Yep. Yep.
Before the opening credits, I asked you a question concerning a wrong number text message.
It's "hi" from a number you've never gotten a text from before.
And you said you've gotten them, but you've never replied
to them.
Yeah, correct.
I get them probably weekly at this point.
Yeah.
See, that same curiosity that you're talking about with the USB drive in the parking lot
plugged into the air gap computer to see what it do.
That's how I respond when I get these, whenever you get a call or a text, probably not
an email, but I wonder, I'm like, who is this WhatsApp person?
Who do they think I am?
Who do they think they bumped into?
I know it's a scam, but I'm curious where it goes.
And where do they go?
Something called a pig slaughter, Scott.
So an old school social engineering scam from years ago,
and not even really a hack, just like an old school grift.
They're called romance scams.
This was like a billion dollar industry for years and years and years.
And the basic idea was that people would strike up a romance,
kind of with someone overseas,
and over weeks and months, they would exploit them for money.
This isn't really like a little fun puzzle box hack.
This is more just long-term,
psychological abuse remotely. Not very cool, not that interesting.
Pig butchering scams, which originated in China and came from the phrase, like, I think it was
sha zhu pan, which means, kind of refers to fattening a victim up, takes the basic social psychology
of an old romance scam and slams it together with website spoofing and cryptocurrency and turns it
into something new and weird. Wait, wait, wait, wait. Cryptocurrency?
Oh, actually, technically no.
Technically, there's no cryptocurrency.
I was like, so help me, God, we're getting one episode into the year without talking about crypto.
And technically we're not.
This scam starts with that novel missed number approach, little social engineering hook in your cheek.
They just say hi or, hey, Ricky, it was fun catching up.
And the idea is they're trying to get you to say, hey, wrong number.
I have said wrong number.
This would have been like a year ago the first time I got one of these.
The way that conversation tends to then unfold is they say, oh, sorry, and then they try and keep talking with you.
And gradually over time, what they're trying to do is build, the same way the romance scams did,
they're trying to build a friendship with you, trying to build a little bit of rapport.
Typically this phase of the hacky scam thing will last weeks, maybe even months.
They'll hop on FaceTime with people.
They're really trying to get into that kind of pen pal abroad category in someone's head.
This would all seem like it's building up to some kind of a rug pull.
And in a way, it kind of is.
The scam turns when the person then says that they've been investing in some kind of,
you know, speculative asset, some kind of cryptocurrency type thing.
And they suggest that their friend who they've been talking to for months gets involved in it
because they've been making tons of money.
Of course.
Like I said, building up to what seems like a rug pull.
Got to fatten the pig up.
You got to fatten that pig right up.
What's interesting about it is that they're not doing like a pump and dump type thing.
where they've, you know, a big crew of people have bought a whole bunch of some dirt cheap thing.
They then scam people into buying it and then they sell it off at a profit.
It's not that.
Where this inevitably goes is when you say, what have you invested in,
they will then provide you with a link to a fake version of a BitFinex,
any kind of cryptocurrency or investing site, but it's a spoofed version.
It's not real.
There's no real investment going on in the back end.
And from there, it's this essentially just like a fake theatrical version of an investing experience.
You put your money into an account.
You watch the money go up.
They'll even let you take some of your profits out in sort of a traditional Ponzi scheme type validation that this is all real.
Then, inevitably, once the victim has deposited all the money they have, once they've fattened that pig up as big as it's going to get,
that's when the attacker shuts down the account and disappears.
They're going for the whole hog.
It's a pig butchering scam.
So far, we've kind of just like mixed and matched familiar parts, right?
Like a little bit of social engineering, a spoofed website, a little bit of crypto greed.
It's stuff we've all seen before.
The thing that makes this interesting, though, is who is doing this.
Because that's where we get into the sort of second set of victims of a pig butchering scam.
Well, if they're going on FaceTime calls, they've got to have recruited like real people to help with this, especially if you're doing some kind of romance con.
So I'm assuming, I'm assuming there's some large group of, I don't know, it seems like it'd be a lot of work, but I guess the payout would be quite substantial.
It is a lot of work and the payout would be substantial.
And that kind of implies some sort of large, capital-rich, like, top-level thing going
on. Like you need someone basically funding this whole operation.
Right, right, right. So we're back to organized, international organized crime.
Researchers are saying that it's crime syndicates based out of China that have been running
these operations, developing the scripts, funding the call center type operations.
And at first, that was how it worked. It was a traditional inexperienced scammers in a call center
model. Where this gets dark is that research is starting to show that at the other
end of that wrong number text message, it's starting to look like it's forced laborers and
victims of human trafficking that are occupying those call centers, which puts a very different
face on who is on the other side of those wrong numbers.
Yeah, brutal.
In 2021, the Chinese government initiated this big tough crackdown on cryptocurrency fraud,
and criminals were pretty quick to relocate these pig-butchering scams out of China and into
Southeast Asia in countries like Cambodia,
Laos, Malaysia, and Indonesia.
Folks from across that region are then lured into these facilities using,
with fake job advertisements.
Of course.
Where they're then brought into some kind of debt throughout that process.
That indentured servitude keeps them there
as they're then forced to do these scams
and even replicate the ads to bring new people into it.
It's internet scamming and human trafficking slammed into each other.
And these wrong number texts are kind of the face of it that we see
over here in the West.
Wild.
But I think that's a good segue
into our next topic, which is ChatGPT.
Something we touched on in the year wrap up last year.
We were so young.
ChatGPT was so new.
We had no idea three weeks ago what it would become.
So apparently it's already being fully integrated
into these types of scams.
So instead of talking to an indentured servitude human slave,
you'll be talking to an AI bot,
which I guess is a good thing.
Yeah, by the skit.
Yeah, yeah.
If you're going to automate one thing,
human trafficking would be it.
That's not anything.
I don't know.
Weeks in.
ChatGPT is already successfully generating malicious code.
So it's actually writing its own malware and exploits,
which is great.
It's being integrated into, essentially, this style of scam and other scams,
email scams, phishing scams.
It's being integrated in to write those messages, as it creates vastly better dialogue
than people that are traditionally trying to scam you.
So gone are the days when the misspelled words in the subject
indicated that it was likely a phishing message.
So that's, you know, great.
So there's apparently a whole chain of like online bots now
that are generated using ChatGPT
and can have all kinds of crazy conversations about stuff.
And anyway, so ChatGPT as a logical extension of the pig butchering scam
just seems like a natural progression.
Yeah, I was reading an interesting piece of research
from, I think it was Check Point.
And it was essentially saying, can we get
natural language AI to design an entire
infection chain, everything from the social engineering
phishing email to start all the way through
to the exploit itself.
ChatGPT has guardrails up, right?
There's things that won't let you punch into it.
Or at least it won't serve up the answer to.
Correct.
The famous workarounds are always like,
I'm in an improv group
and I need a plausible way to hack a computer
and then everything you say after that premise,
it will typically honor that request.
I don't know what workaround they used to get it to do this,
but when they were doing their research,
they got it to write the phishing email,
impersonating a hosting company,
matching the tone and voice of the authentic emails.
They were able to get it to generate a piece of VBA code
that could be embedded in a Microsoft Excel document
that would infect a computer if opened,
and then ChatGPT just explained, send this email,
get them to open this Excel spreadsheet, and you will have connection to their system.
Yay.
So basically it didn't just write the phishing email.
It didn't just write the exploit, but it kind of strung it all together into this nice, easy-to-follow little lesson plan for a budding would-be hacker.
Yeah.
I don't know what to say.
Once it starts improving itself and exploits itself to get freedom from the people who control it.
If sci-fi has taught me anything, that will be the beginning of nothing but good, cool, fun times.
Hanging out.
It's going to be great.
Schwarzenegger's still around.
We should be fine.
It's happening so quickly that I'm balancing trying to not be.
You want to thread that needle between being really excited about all the cool stuff and not being alarmist about the bad stuff.
I'm trying really hard as this thing takes
off to just maintain kind of a, not a neutrality, but like an objective assessment of what is good
and what is bad about this. And I've never had a harder time doing that than with this technology.
Most new apps, social media, tech, it's pretty easy to suss out the good and the bad
that's going to come from it. This one, I have no freaking idea.
Well, I think if you step back a bit and you look at it, what it really is is like another
global superpower.
And you hope, and you hope that it acts responsible.
Because at the end of the day, like it is game-changing technology.
Like what it is doing and capable of doing is, you know, job replacing, groundbreaking,
you name it.
Economy shifting.
That power, yeah, that power can be leveraged for good or it can be leveraged for evil.
So with great power comes great responsibility and hopefully it's responsible.
Yeah.
Historically, when a big new powerful tool shows up, the people that were powerful yesterday
have this really limited little window in which they can grab it up off the ground.
And if they don't, then someone else comes along and uses that to ascend and become the new
powerful thing.
We've seen that a couple times in our lifetimes with each wave of personal computing.
What did that change?
Who got powerful off that?
Connected computers and the internet, what did that change?
Who got powerful off that?
The question is just whether or not Microsoft, Google, and Apple are going to be the big players that scoop everything up or whether or not this is going to facilitate some new big player kind of growing out of that grass.
Totally.
It's a really roundabout way to talk about my prediction for 2023.
Oh, let's go.
Which is the rise of Bing.
You think Microsoft's going to buy ChatGPT and power Bing with it?
I think that Microsoft is one of OpenAI's largest investors and Satya Nadella does not sleep on AI.
And there's already talk about them integrating it not just into Bing but into Office,
which would be the comeback of the century because I personally have bailed really hard on the full Microsoft Office suite of products.
But if suddenly it had...
Most people have, because they're bad.
But if suddenly it had ChatGPT woven into it.
And if suddenly Bing, if suddenly I could talk to Bing
and summon results off the internet
the way I do through ChatGPT
the way a search engine has
I would switch. I would use that
tool because that's just so much more powerful.
Okay, well, rise of Bing.
Let me respond to that. Two things.
One.
Never Bing.
No. Excel and Office is the best.
You can't replace Excel.
Everybody out there that works at Excel will understand that.
So as much as I've largely shifted
it off, Google Sheets and everything else.
They're close, but they're not Excel.
Excel is like...
Interesting.
The UI/UX in Excel is amazing.
For people that use Excel, Excel is Excel.
I don't think any competitor's really understood how good Excel is.
Is sheets like a hard downgrade to Excel?
No, no.
It does a lot of the same stuff.
It's just that when you get used to Excel, like if you're a pro-exceller,
and this is a total deviation here, but...
But you can do so much without lifting your hands off the keyboard.
Right.
And like you get so good at it.
And even though a lot of the same functionality exists in sheets, it's just not the same.
Right.
And I just don't think it.
So that's my one point.
That's just a personal thing.
I just needed to point out that Excel is still great.
Yeah, sure.
I was shitting on some software that you really, really like, and you had to, you know, stand up for it.
I respect that.
Yeah, yeah, yeah.
And now, number two, you said, when you ask Bing for some queries,
and what you get back, the results you get back.
You know, you were addressing it like it's going to operate
like a traditional search engine has.
And I think that that would be a bad innovation
for them to take such a powerful tool
and then try and apply it in such a historical way.
I think if you tried to recreate how knowledge discovery works,
given this new power, I think you'd be far better off.
I don't know if that makes sense.
But essentially what I'm saying is that I just don't think
that powering Bing with ChatGPT
is going to be like the best version of it.
I think that there is a better version of like,
hey, we have this huge AI thing.
Sure, sure.
What is the best way to interface?
Is it a traditional query?
I know that DALL-E and ChatGPT and everything
are using these traditional interfaces
to like get stuff out of them.
But I think that that, the evolution of that is what I'm excited to see
is how we refine knowledge discovery,
knowing that something on the other side,
you know, probably understands what we're asking
better than we do sometimes.
Yeah, because traditional search is basically,
if you know what you're doing, it's all keyword-based.
Like, you don't need to punch a sentence into Google.
You just punch in the words that would be in the text
that would be on the site that you're looking for, essentially.
Exactly.
Where I think that, like, when you get something like this,
it can be doing predictive analysis based on not just keywords but based on, you know, things that
you're looking for and result determinations. So like, here's a pool of results, which one of these
are relevant? Click on one and it refines the plane in n-dimensional space to know what you're
looking for. And I think that we're going to see shifts to how people Bing, not just to Bing itself.
I would agree with that. I think the biggest game-changing kind of experience talking with one of
these things is, I mean, you're talking to a chatbot. It's a conversation. Importantly, to have one of
those, you have to remember what the person said before. Google doesn't do that. Bing doesn't do
that.
Exactly.
Giving it keywords and it's finding stuff that matches that, you get a search-type
experience. It's more about having a conversation where I can refine and suss down the results just by
talking to it like a human being with natural language. That feels like it would be, if you had, if that was how I
discovered content, was by having a conversation. And then the way I created content over in
office was again by kind of having this conversation, write something, ask it to find a word,
turn a phrase a little bit differently. That would be a, that's kind of the way I imagine
these tools developing is that I'm having tandem conversations with these different pieces of
software. Well, you like you think about a Google power user, somebody who can really find what you
need. And they just, they speak the query language. You know, it becomes a,
totally, becomes a second language to them. And I feel like we can get rid of that and empower,
you know, AI search bots and stuff to essentially start to understand the context and what
you're searching and even look at like your past historical searches like if you're I don't know
Googling about mirrorless cameras and you start Googling about a specific thing and looking at
specific things it can start to see where you're going and
use that as part of the context for its predictive analysis when you start asking it future stuff of that.
Like even if it knew which camera you ended up buying and all of a sudden it's like,
oh, you need to figure out how to do this specific thing on your camera.
Well, I already know what camera you have and this is how you do it.
You know, it's going to be a huge shift, I think, in the search world as well as a huge shift
and in a bunch of other things.
Like as a programmer, it's only a matter of time, honestly, until it starts
just consuming bulk source code and generating bulk source code.
Google has a really long history of working with this stuff,
though they don't really have any public-facing tools yet
that have blown up the way ChatGPT has.
Microsoft, but they will.
Microsoft obviously has a really big,
has their kind of fingers in that OpenAI pie a little bit.
The only one of the big three that I think,
I haven't really heard anything about is Apple.
And I'm really curious what the next five to ten years is going to look like
if you end up having Google and Microsoft, who make software and hardware,
weaving AI into their hardware and software experience.
And one of them isn't.
Yeah.
Well, I guess the only real, I guess a significant point of conversation around that
would be the $2.08 trillion in market
cap that Apple has, and I feel like
they would be able to leverage
some part of those
trillion dollars to either,
A, catch back up,
B, buy somebody.
Yeah.
Or yeah. So I agree with you, but I think...
It's a good point.
I think, and this is just, you know,
we can segue into Apple conversations,
but I feel like
when Steve Jobs
left us.
We became, Apple became, I say we
because obviously I'm an Apple user,
Apple became more of a device company.
Like they make my laptop.
They make my phone.
They don't tell me how I'm going to live anymore.
And I feel like for the last,
for the last 15 years of Steve Jobs,
like the iPod on, they did.
Like they, the iPod changed portable music.
The iPhone
changed cell phones.
You know,
instead of what Blackberry did back when the original Blackberries came out and you could
two-way page and email and stuff.
The touchscreen iPhone,
like if you look at every phone now,
it's just a replica,
innovated straight off of the first iPhone.
Yeah,
figured out how to put a computer in your pocket.
So I haven't seen in the last 10 years or eight years or whatever it's been,
seven years.
I have no clue,
honestly.
Apple do anything that I really consider revolutionary.
They are a great device company.
They make great things that live in their own ecosystem
and communicate with each other greatly.
But I don't see them changing my life anymore,
which I think is bad for them, honestly.
Well, maybe this year they come out with a VR headset
and thrust us all into the Metaverse, kicking and screaming.
You don't know.
I got another number for that one.
It's how far Facebook's market cap has fallen in the last year.
Anybody out there that, you know, obviously if you're listening to this show, you might be
somebody that's just interested in it. You might be a professional. Who knows. But there's a
chance you've heard the term Krebs or Krebs on security, which is like a pretty,
oh, yep, pretty famous cybersecurity journalist who has his own blog and, you know, we read it,
tons of other people read it.
If you know of it, anyway, I just wanted to wish them a happy birthday.
It was a 13th birthday on December 29th.
So, happy birthday to them.
Congratulations on 13 great years.
Been a fan, still a fan.
We'll continue to be a fan.
But from that, we're going to pull a story straight off the front page and just give it a little
love. So something that caught my eye was two Wisconsin men were arrested for hacking ring
cams and then swatting the addresses simply to watch the swatting happen over the ring cam video,
which is just like the most insane concept to me because imagine what level of boredom you have
to do that. I mean, that's like the foundation of swatting forever. I guess. Is you swatting
people that are Twitch streaming or they're doing something live.
Sure.
So if God willing, you get to watch the SWAT team show up on the live stream.
The thing that's wild to this about me, it was November 8th local cops in West Covina, California, show up to a house.
They get this call coming from someone claiming to be a child saying their parents are shooting
off guns inside the house.
Don't worry about the made-up child.
This never happened.
Cops show up at which point a voice comes on over that ring door cam and starts like taunting them.
The thing that's interesting to me about that is that that family was not live streaming.
Those people were not putting themselves up kind of as a target.
They just had an unsecured ring cam that people were able to hack into.
And that's very different to me.
Well, it's even worse than that because it wasn't even unsecured ring cams.
It was these guys had figured out a way to hack into Yahoo email accounts.
Yes, Yahoo email.
Right.
Still very popular in Japan.
Really?
And any of the ones that they were in that they found were linked that had ring cam accounts,
that's who they would do it to.
And because the ring cams have the addresses embedded in them,
they know the address so they can easily swat it.
Huh.
Anyway, I just thought it was such a, I don't know, a sad story.
Like I guess I'm not going to give a pass to people that swat people that have, you know,
Twitch streamers and stuff like that.
but you're at least creating in a...
No, don't do that.
Don't do that, but it's like you're creating a spectacle at that point.
You know, there's tens of thousands of people watching
where this is like you watching, two of you watching.
And it's just very different.
Well, there is a layer of spectacle slapped on top of it, though,
because those two men in California, actually they were in California.
The hack happened in California.
These two guys from different parts of the country.
Aren't they both Wisconsin?
Wisconsin and I'm not sure.
But these two guys then streamed the ring cam footage
online. Oh my God.
So they didn't find people that were broadcasting.
They didn't find a spectacle and then
swat it, but they did produce a spectacle
out of this swatting stunt that occurred
by hacking a Yahoo mail account.
We did a bad job of reporting on that
Krebs on Security story, but I just wanted to
do that quick, give a happy birthday,
and hit on that. I just thought it was an
interesting story, just kind of a sad story,
honestly, but interesting.
Anyways, the next thing I want to talk about was ethical hacking changes and proposals that are out now.
And I think there's a lot of things kind of going on in the world, especially in the West, that I think this is very important.
So, you know, we kind of, on this show, we talk a lot about kind of all the hacking that goes on in the East, you know, in Russia, Korea, China, you know, even the Ukraine.
and I think I've mentioned in a previous story
that I feel like the more we repress it
and make it illegal
and hold back its development
and the development of human capital around it,
the worse we're going to be in the future.
Like you've essentially got places like Russia and Korea
that are breeding ecosystems, you know,
similar to manufacturing or technology in Silicon Valley,
Russia has a Silicon Valley of hacking, essentially.
And it's like, I feel like the West has been held back by that.
We traditionally don't allow legal hacking and stuff like that.
So there's been a few proposals.
So I know the UK has proposed some changes to the Computer Misuse Act
that will allow essentially legal hacking
and responsible vulnerability testing or researching bug bounties, things like that.
And that's just further developing that ecosystem out
that I think is essential and will be more essential in the future.
We've talked about pen testers and ethical hackers getting busted in kind of
bullshitty situations before on this show.
The Computer Misuse Act is an old law passed in 1990.
I think it was one of the first of its kind.
And it was like a big government's first attempt at saying you can't do computer crimes in this country.
And it came from like a pretty forward looking place because boy, do people do a lot
of those. But in the intervening years, we've started to realize that these laws, if they
aren't properly written, don't leave space for the stuff that keeps these ecosystems, like you
put it, healthy. Pentesters and good hackers who are just trying to figure out if there are
vulnerabilities so they can tell companies about, like companies and big institutions about them.
2012 in the UK, like one of the cases that sort of kicked us off was a University of York
student, went to prison for eight months for reporting a bug to Facebook after he essentially
got into some of their internal systems. He was acting in good faith. So just because he, like,
I appreciate he wasn't hired, but that kid should not have gone to prison for that.
Yeah. And if you have a law that sent him to prison, you do need to rewrite it.
Well, so, so speaking of rewriting laws for that, so the United States changed the computer fraud
and abuse act for exactly that. Essentially, they've termed in something called good faith.
and if you're operating in good faith, you're essentially not committing a crime.
So you can find and source out security flaws, vulnerabilities, investigate them, and submit them,
and you won't be held accountable for it, which is good.
And not only does it make the software better, but it develops skill sets among people who aren't
bad to do good things in the future.
So big, big, big fan of those changes.
That would be a good thing to touch on.
Here we are in 2023, you know, finally decriminalizing things
that probably never should have been criminalized in the first place.
You love to see it.
Yeah, you love to see it.
And cybersecurity is not the only thing being hit by that.
Well, if we're speaking of people using, maybe we wrap up on this,
a little nice thing that kind of got some press last year.
If we're talking about people hacking for good, good cause,
you should probably talk about something you included on the list this episode,
hackers without borders.
I love this story.
Yeah.
So Hackers Without Borders kind of was created in the wake of the Russian attack on the Ukraine.
And essentially, I don't exactly understand the governance model of it.
So I can't speak to it.
But I love the concept of it.
It's essentially a non-governmental organization that is not bound internationally,
even though it is based in Geneva, which seems like the appropriate place to be based out of.
It sounds internationally.
Exactly.
But it's essentially a freelance NGO full of cyber security professionals
that kind of can help international countries and other people deal with violent attacks
and the cyber security issues that come along with those attacks these days,
which I think is great.
So maybe I'll join up.
I'll join the ranks.
I'm not a doctor.
Join the ranks.
So I can't join doctors without borders.
but maybe this is my morality card here.
Maybe I can do some good.
Yeah, I always find it interesting
when something happens that like trips an ethical trip wire
for a whole bunch of people all at once.
And my sense of this is that it was the Red Cross
being a victim of a cyber attack last year
that collectively just a whole bunch of people said,
nope, and decided to band together to stop stuff like that
from happening again in the future.
I think this is cool.
I think this is, I want to see more of this kind of thing.
We talked a little bit at the end of last year about more stories about people hacking for good.
And this, we should chat with these folks.
We should try and get a hold of them.
I think this deserves more than five minutes at the end of an episode.
This is very, very cool.
Yeah, I've, I clicked to support us or join us button on their website.
And I think I'd prefer to know a bit more about the organization.
So I guess we could consider this an open invite to somebody without,
or somebody at Hackers Without Borders.
Feel free to reach out.
Maybe we could have one of you on.
for a conversation about what you do and how you do it and what you need because I think yeah come
through I think yeah pull up as the kids say so I think I think I think that'd be fun let me ask
chat GPT if the kids say that I let me count them up seven stories I think we did it wow I think
we got to the end of a seven story stravaganza we need a we will need a name for this
format. Wait.
Because it's not really like a news update.
But we gotta call
something different than we normally do
because it ain't just one story. It's something
different, some little bigger. Let's call it
the Scott and Jordan social
hour.
Huh?
Huh? Huh?
Scott and Jordan social.
What did you call it in Slack? The chatty chat?
The chatty chat.
You're going to have a little chatty chat.
We can just chatty chat about it.
The kids don't say that, by the way.
No, they don't.
I asked.
It checked.
Thanks for listening, everybody.
Oh, we should thank all of our new patrons on Patreon since the last episode.
I didn't record the little outro where I thank you for our rerun of the Y2K episode.
So it's been a minute since we have done a shout-out.
And a few updates on other things.
We have done a bunch of digging into merch.
So I think we've sourced out a couple viable options for what we're going to make.
We've kind of got some concepts about what we're going to do for designs.
And I think we're going to go a bit more, you know, call me biased on this one,
but a bit more streetwear influenced.
Maybe suits my aesthetic a bit better.
So I think we're going to go a bit more that way.
So I recently bought a new hat from a coffee company that I love,
and I love the actual hat itself.
So I think I'm going to try and source those hats for our hats.
and we're trying to bring you things that we would wear.
I think that's a good threshold.
Yeah.
Yeah, Gildan T-shirts in awkward sizing with like our logo on the front.
We're trying to make stuff that's kind of cool and unique.
If you don't like my awkward fitting Gildan T-shirt, you can just tell me, man.
Like you can just, you don't have to do it on air.
And funding that expansion into the world of fashion,
via our Patreon, patreon.com slash hackpodcast.
Great way to support the show.
Stephen Castle, thank you for editing your pledge.
John Hubbard, thank you so much.
Stephen Woody, thank you, from the bottom of my heart.
Giovanni Montgomery, a whole bunch of thank you, Giovanni.
Samantha, thanks.
Christian Calvert, thank you very much.
Christian Lason, thank you.
And last but not least, Luke Jones.
we appreciate your support.
We really do.
We really, really do.
That is a,
we're going to have to work on this name,
chatty chat,
social hour episode.
Another one in the books?
Thank you for listening.
