Hacked - Pondering the Worldcoin Orb + the Gang Who Cracked Outlook + Hacking Together Superconductors for Fun and Profit
Episode Date: August 16, 2023
In this chat episode we discuss Sam Altman's Worldcoin biometric ID / crypto project, the cybercrime syndicate that used a vulnerability in Microsoft to hack the US State Department, and a weird week on the internet for amateur scientists investigating LK99.
Transcript
Sam Altman, CEO of OpenAI,
ChatGPT guy, has a new project centered around a $5,000 silver spherical camera called The Orb
that is used to capture biometric data and that has already sparked a black market for
biometric IDs in China.
So my question for you, Scott, is are you ready to ponder the orb?
Is it something that needs to be pondered?
Like a wizard peering into a crystal ball.
It's orb ponder in time, Scott.
You know my soft spot for fantasy, Jordan.
So, you know, if we've got a ponder in the orb, let's ponder in the orb.
Sam Altman's got an orb and it needs a pondering.
On this episode of Hacked, we are talking about Worldcoin.
We're going to talk about how a vulnerability in Outlook allowed Storm 558,
a Chinese hacking syndicate, to infiltrate the email systems of 25 government organizations.
And while we don't normally dabble in science, there aren't normally people trying to hack together
a bleeding edge superconductor out of matchheads on Twitch. So I think we should talk about
LK99, the superconductor taking the internet by storm. And I think the very cool history of
amateur scientists trying to verify and contribute to big scientific discoveries.
Well, I think we should harken back to a bit of the cybercrime stuff,
and we're going to talk a little bit about 16 shop,
big phishing outfit that got shut down recently,
and also talk a bit about OpenBullet,
which is a web security tool that has found itself hacked.
All of that and more on this chatty episode of Hacked.
Before we get into that, because this isn't a great way into it.
How are you doing, Scott?
I'm doing great.
I was away biking.
I only dislocated one part of my body.
So that's great.
What?
You just talked for 45 minutes and you didn't tell me that.
I fell biking on the second day of our mountain biking trip,
week-long mountain biking trip,
and dislocated my left thumb.
And so I spent the rest of the time fishing,
capital F fishing, not PH fishing,
and yeah.
Need your thumb for both though.
I do, yeah.
But fishing was much more, you know, much less intensive and much less risky if something
goes wrong and your thumb fails you when you're fishing than when you're descending
a mountain on a bike.
Yep.
So yeah, it's feeling better.
I've been doing little physio exercises and stuff like that.
So my hand is coming back together.
I went to the driving range last night and hit a few balls to see if I could golf,
and it looks like it's going to be okay.
So I think I've got a few golf games
that I've had planned for a long time coming up.
So I'm happy that my thumb is not totally broken.
But I got an x-ray, all good.
It's been a wild summer for my hands.
I've got a sprained finger, a broken pinky,
a dislocated and sprained thumb.
And my hands are not loving me this summer, you know?
Thumbs up for hand health, man.
You've got to take care of those things.
Yeah, join my new, my new charity, you know, all in for hand health.
All in for hands in for hand health.
Hands in for hand health.
This thing writes itself.
You know what else?
How are you doing?
What's that?
I've been good.
I've been good.
Taking it easy.
Just enjoying the summer chatting about some cybersecurity with Lorenzo last week, having a good time.
Listen to the episode while I was away.
Great, great job.
You know.
I appreciate that.
I hope the people out there value how great you are at your job.
Oh, aren't you too kind?
You as well.
And you know who?
Oh, there it is.
Whoa, we were about to make the same transition.
Do you know who does value it?
New patron, Walt Spielman.
Thank you, Walt.
Appreciate it.
Appreciate the heck out of you.
I also want to thank David Wakely for supporting us on Patreon.
Yeah, big fan.
Sean Moffitt.
The one and only.
Huge fan.
Instant.
One of the greatest to ever do it.
JS, really appreciate your support.
Thank you so much.
Mm-hmm.
Mm-hmm.
And Matthew Fisher, we can't forget Matthew Fisher.
Oh, we're going to forget Matthew Fisher.
It is Matthew Fisher show right here.
And last but certainly not least, I'm talking about Big Mike.
Big Mike.
You might be a little Mike.
We don't know.
We just know that he's Mike.
We just know Mike.
Thank you, Mike.
Just Mike, singular.
One name.
Like, Cher.
Is it a Michael?
Thank you, Mike.
Is it a Mike?
Who knows?
Who knows?
Mikey.
If you want to join this prestigious group of people, you can go over to Hacked Podcast.
It redirects to our Patreon.
It's one of the best ways to support the show.
And your support means the world to us.
So, we haven't talked about this yet.
July 24th, a little company called Tools for Humanity launches something called Worldcoin.
Have you been following this story, Scott?
I've seen blipits of it as it was kind of rolling through.
Granted I was away.
So I was just when I was taking the time to completely depart from being social with all the people that I was with and to stare at my phone for a while.
So I did read a bit about it, but I'm not.
It happens.
I will fully admit that I am not fully up on this.
Okay.
There's a lot to it.
I'm going to try and take you through it as best I can.
Let's hit it.
Worldcoin is a cryptocurrency-based biometric ID project,
I think it's probably the best way to explain it,
created by a company called Tools for Humanity that was co-founded by Alex Blania,
and importantly, Sam Altman, the founder of OpenAI and the creator of ChatGPT.
So they're creating a token to confirm humanity from the people that are creating the AIs.
Yeah, you basically got it.
So the idea here is that as AI becomes more popular and common on the internet,
it's going to get harder and harder to figure out who is an
actual human on the internet and who is just a very sophisticated AI chat bot.
And the goal is to use biometric data in order to create some sort of a verification
system, this biometric ID that lets you know that this person on the internet who is logged
into this account is a real person.
And then, so hold that idea in your head, biometric ID for the internet.
And then the other part is that theoretically at some point in the future,
something, something cryptocurrency, something, something universal basic income.
This biometric ID would be used to enable a cryptocurrency token that could be the foundation of a universal basic income.
If you were to have a truly global universal basic income, you would need some sort of identity verification process that transcends governments,
why not use biometric data that you've given to this project.
That's the two big goals of this thing.
Does that make sense?
No, it doesn't make any sense,
which is why I'm immediately infuriated.
This is just another, and like we talked,
so Jordan and I usually have like a little catch-up
before we start recording these episodes.
You know, we don't live in the same city anymore.
We don't see each other every day anymore.
So we kind of like convene and we were like,
you know what?
Maybe we, today is the day we should be,
less hard on crypto, but like this just brings me right to the depths.
It's like, hey, start with Worldcoin.
It's like we're making a token and its big selling feature is if you believe in
UBI, universal basic income, you should get in on this token.
And it's like this is just, it just feels like another marketing ploy from these people to be like,
oh, you're a supporter of UBI.
Yeah, yeah, WorldCoin is for you then.
You should definitely like invest and get in on it.
And it's like there is no way that this coin, well,
that I have a number of problems from what you just said already.
One, there's no way that they're going to be able to provide
universal basic income from this token and camera.
Two, doing online biometric verification.
So let's just talk through that briefly from a technical perspective.
Really what you're doing is scanning something,
eye, fingerprint, whatever, turning that into digital information,
which is hackable, and probably using some form of algorithm
to generate a unique key value.
Let's just call that a password for complete analogous reasons, encrypting it and then
sending it across the internet.
So really what we're talking about here is that everybody's just going to have a password
that's based on some physical trait.
And as we all know, passwords never get hacked and are completely super secure.
You know, databases full of unique keys.
Yeah, never happens.
So I have no idea, A, how they're going to provide basic income,
and B, how any of this stuff will be secure,
or any more secure than anything else.
Literally, a password that's stored in your head
is probably harder to copy than a password that's stored by a camera
because at least, you know,
you can probably create, if you understood or could hack their algorithm,
and lots of this code exists in the blockchain.
So if you knew it's going to generate the token
that verifies you biometrically,
Oh, yeah.
You could take photos of these people and stuff like that
and generate your own token.
Like, will this be less secure than just a basic, you know, password 2023?
Anyway, I don't know what got me so turbocharged up on that,
but the basic income thing, because I believe in basic income.
I think it's like...
I know you do.
It could be like a good thing for mankind,
and I hate to see it being leveraged to like throw into a marketing pitch about a token.
It just drives me up the wall.
I like that I got one
step into my notes and you were like,
let me cook.
Like I got some takes.
Got some takes.
Oh, that's great. When do I,
when do I not have takes?
Yeah, I mean, I should have known that the UBI
being evoked on the context of crypto
would have elicited a response.
Okay.
For anyone that doesn't know enough about this
for the salt makes sense.
The basic idea here is that
they've created these blueprints for this orb.
It's this camera module thing.
And it's an open source plan.
People around the world are building them.
And the idea is that you go to one of these orbs,
they take a bunch of photos of your eyes and your face
and capture a whole bunch of biometric data.
That information is on the device encoded into this numeric string.
I think the way this works is that that is used to generate a hash
that is then used when the world ID, like the
Worldcoin ID and corresponding token are minted on this Ethereum-based blockchain they've made.
So your biometric data is turned into this number that is then used to mint your coins.
You get about 50 of them when you do your-
Call that a passphrase.
You could sure call that a passphrase.
It means there was a real human being around at some point when the account was created,
but we're going to get into how that's not secure at all.
Yeah, I was going to say, was there?
I feel like I could find enough photos of Jordan Blumen's eyes to generate a
fake biometric key for your eye.
Well, I'm open to the idea that you can, there's types of biometric data that couldn't be fudged
with a simple photograph.
You get two cameras and a depth isn't playing and a two-d image isn't going to work.
Of course.
However, however, as of right now, two, it was two million to two point two million people
have signed up and been scanned by this thing around the world.
Allegedly, allegedly, the tokens themselves.
Yeah, no, that's true.
I honestly believe that a really big chunk of people have been scanned.
Why they've been scanned is where this gets thorny, but we'll get to that.
The actual tokens themselves are in varying degrees of actually being issued to people who have had their faces
scanned based on the legality of these coins where they live.
The concept of trading like biometric data and iris scans for cryptocurrency has naturally been criticized by a lot of people already up until this point.
Edward Snowden has come out against this idea of using biometrics for like identification on the public internet.
Passphrasing.
Exactly.
The response of the company has been that unless the individual specifies otherwise the raw images captured by the orb are deleted and only that numeric representation is kept on file.
But if the numeric representation works at all, that should be functionally the same thing.
In any case.
Theoretically.
Theoretically.
The goal of this project is clearly global.
So far, there have been scans done in 30 different countries.
different continents. In Kenya, the government has ordered WorldCoin to stop collecting data
while it reviews the project for potential privacy and security risks. The communications authority
there is evaluating WorldCoin due to a lack of clarity on the security and storage of those
iris scans. Regulators in France, Germany, the UK are also evaluating the product. The app
that you need to use it isn't available in some countries in China. There's an unclear regulatory
state in the United States. Really at this point,
if you were to go do it right now in a place where they could actually issue the tokens,
given that this Worldcoin ID does not currently do anything,
really all you can do with this is like good old-fashioned speculating on tokens internet gambling.
Love it.
A token trades for about two bucks right now,
making your eyeball scan worth about 50 to 60 US dollars.
I think you get like 25 coins.
And that price helps explain why this service,
those two million people have been quite popular in some of the poorest countries on Earth.
There's been several bits of reporting that suggests that the people in the lineups to get their eyeball scanned
do not have a great understanding of what Worldcoin is or what it might be good for
other than you will get paid to give your biometric data to this project.
I don't know.
It just seems, I just don't even know what to say.
It just seems like it seems, you know?
Well, maybe the black market will make it better.
To maintain privacy, the unique hash that's generated by the orb
that's used to mint your tokens and create that world ID on the blockchain,
it doesn't include your name or the data from the scan.
It's not tied to your legal identity, only your biometric data.
And your wallet.
And your wallet, which is good in a sense from a privacy perspective,
but bad from a commoditizing biometric data perspective
because it means that theoretically your unique biometric
ID, at least in the current incarnation, can be sold to other people.
The project is banned in China, but there have already been reports of an emerging black
market for this iris data in China, where people are reportedly buying detailed scans of
people's irises to claim coins for the Worldcoin Project.
The company is claiming that it's modifying the sign-up process and is using dynamic
instead of static QR codes to cut down on the style of abuse, but this really seems structural
to me.
And now we've got a race between people trying to circumvent the system and those trying to secure it,
which famously is very hard to do.
To date, there have been other security issues with this project.
And again, it just launched July 24th.
So far, hackers have managed to install malware on several of the orb operators' different devices,
gaining access to the Worldcoin online portal, displayed earnings, signups gathered through a device.
Several orb operators' login credentials have been already circulating on dark web marketplaces.
There are reports that allege that the orb operators' logins didn't even necessitate two-factor
authentication. That's not confirmed. But if it's true, deeply disappointing for a project like this.
I think this kind of brings me back at least to like, who's funding this? Where's this coming from?
Worldcoin is in the middle of a hundred million dollar plus funding round, according to the Financial Times.
They're on the prowl for money for a crypto project in 2023, which is a hard beat to
be on. But it seems to be working because it has the support of Sam Altman, the sort of
wonder child of modern AI. Sure. I think, however, that as with all of these projects,
it's probably worth talking about, I think they call it the tokenomics of it all,
aka, is this a rug pull? For anyone that doesn't own crypto projects, you make a crypto
project, you keep 30% of the coins yourself, you hype it, hype it, people start buying them,
drives the project, the price of the thing up, at which point you
sell off all the stuff that you originally had from founding the project, make a bunch of money and walk away.
You pull out the rug on the people left holding the coin, the bagholder.
Very, very common in the crypto space.
Exceptionally common in the crypto space.
And I am certainly not accusing this of being a rug pull, but I think it's at this point, to be responsible, you have to engage with that question.
The total supply of Worldcoin tokens is capped at initially, I think, $10 billion.
Three quarters of that amount will be distributed to users over the next 15 plus years.
The remainder is split between tools of humanity staff and investors who have to refrain from selling them for various periods.
I think the shortest one is about 12 months.
At launch, a maximum of about 143 million tokens, 100 million of which are loaned to third-party market makers whose job is to provide liquidity.
This arrangement has naturally raised concerns amongst certain experts in tokenomics.
But what it basically means is we are looking at a project with,
a 15 plus event horizon
talking about creating
biometric IDs you use across
the internet and a token
that becomes the foundation for a
global universal
basic income, the creators
of which are allowed to sell it in
about a year.
That doesn't sit
super great with me.
This whole
this whole idea
of like turning any
piece of information into a token and then assigning it arbitrary values and letting the market
and then essentially like gambling occur around it is just yeah it's just it's just such a
fascinating period in in time that we live in it's like if somebody was like hey we're worried
about AI we want to start creating a database of biological identities to make sure that we can
like license this to the governments and like you know et cetera et cetera to prevent fraud and
that's fine
why it needs to be done under the guise of a crypto token
that has essentially a market surrounding it
very surprising to me
this desire to turn everything
into a gambling chip is like just such a weird
it's just an interesting time
in humanity's timeline
the ultimate goal of this according to its founders
is to increase economic opportunity
and potentially show a path to AI
funded UBI. There is the larger question of whether or not you think these are goals that a
crypto project could or should even take on. Being good at one thing, crypto and AI doesn't
mean you're necessarily good at another. Global wealth distribution. But that's like a big,
muddy philosophical thing. I have two practical questions about Worldcoin. First is should you
trust a project that is launched despite being so incomplete? The governance model is incomplete.
it is in process, the actual availability of the tokens, not a given depending on where you live.
The cart is firmly before the horse on this project, and it is a lofty cart.
The second issue is there's this idea that this is a project with a 15-year, if not decades-long time frame,
but whose founders who hold a huge portion of these coins have decided they can sell theirs much sooner.
The question there is will they, and how many people will have bought into this by scanning their faces,
by the time they do.
Those are my questions about WorldCoin, amongst others.
My question is just the big why.
Big why.
And like what value, aside from the $50 or whatever it is,
you're receiving a few of these tokens,
which could be worth nothing in 12 months or four months or 24 hours,
you're essentially gambling with your biometric data at this point.
You're not just gambling with a bit of money,
that you made.
You're gambling with like, I'm going to trade my biometric data for some tokens.
And hopefully those tokens appreciate in value.
I don't know.
I don't know.
To the moon.
To the moon.
Well, it'll be good for the investors, including, I think you pointed this out when we
were chatting about this before, potentially Sam Bankman-Fried, who is, I think part of that
$100 million seed funding round.
I wonder how these, I wonder if that's going to compromise this project a bit.
Oh, probably not.
I haven't been following his trial, but I know I've heard that it's going better than it should be.
Huh.
Like he's, he's, no, no, I mean like good, like it's been too good for him.
Yeah, like they're like like considering dropping charges and things like that, which to me seems maddening given.
It's what, what's it like 11 bill?
Oh, I've lost track.
They're all just imaginary numbers now in my head.
The other thing I did see, and I haven't done any big digging into this,
but it just touches on Sam Bankman-Fried is I found or like saw some,
I'm going to call it a Twitter thread, but it's actually an X thread now.
All internet sleuthy, you know, conspiracy theory
that Sam Bankman-Fried actually ran a rug pull from house arrest for the BALD token.
Oh my God.
And there's like all of this data.
It's actually, so when I first saw it, it was like this one thread.
I can't remember the user's name.
He had put all of this random, you know, pins and yarn stuff together being like,
we think Alameda people, notably.
The voice and tone of all the posts and chat is very SBF-y.
Anyway, but now it's been covered by like tons of news sources.
So it's like lots of people are like, oh, did Sam Bankman-Fried, you know, do a rug pull to get some extra cash to fund his lawsuit?
And maybe he did.
Allegedly.
Allegedly.
I would.
I mean, I'd have to imagine that is probably not part of his bail conditions, given that he is under house arrest right now.
I'm imagining it would be a large violation to execute a potential
alleged financial scam for being on trial for financial scams.
My favorite part about this is that apparently Bankman-Fried's parents,
so Bankman-Fried, for anyone that doesn't know, is under house arrest in his childhood home in California,
his parents signed an affidavit stipulating that they would install
surveillance and monitoring software on any computer he used to restrict his access to the internet
via their home connection.
The former FTX executive is supposed to just be using,
He can't use anything more advanced than a flip phone.
And I just really, really enjoy the concept of Sam Bankman-Fried's parents having to stare over his shoulder
and make sure that he is not doing a massive crypto-rug-pull scam
while he is awaiting trial in an alleged much larger crypto-rug-pull scam.
Well, just for good cybersecurity chatter.
Let's just assume Sam Bankman-Fried is technically,
psychologically very competent because I feel like you would be.
I think so.
I think it would be pretty hard to keep a lock on that guy if you were trying to.
Let's think about how easy it would be to bypass anything that your parents are expected to install on the computers.
Like, come on now.
Yeah, no, I'm just trying, I'm imagining that face off between me and my parents and just trying to imagine how that would go.
And it's, that's just good stuff right there.
Yeah, yeah, yeah.
Top notch.
Top notch.
I would have assumed they would like wrap his house in a Faraday cage.
Totally.
Put him inside of a Faraday cage like Magneto or something.
Yeah, cut the utility lines coming into the house.
Totally.
Like just remove the computers.
Yeah, there's just no computers in that house, I think would be fair to be like,
if you're going to be under house arrest here, you can have a flip phone and that's it.
And so help us God.
if we find an iPad in here, it's over for you.
Yeah, literally.
Like, everything's in the cloud these days.
You just need, like, you could probably run one of these things from like a Chromebook.
You could pick up anonymously for cash at like the nearest Best Buy.
That's true.
Anyway.
Anyway, we can transition off of crypto.
Let's talk about some allegedly state sponsored hacking.
Why don't we?
Is it crypto related?
It's not.
I think there's not a single drip of crypto in here.
That's like an episode and an intro's worth of crypto.
Let's just leave it there for the rest of this bad boy.
I'm with you. I'm with you.
So last couple of years, it's been pretty good to be in the cloud business solutions business.
For sure it has.
There's a lot of people working remote.
And I think generally speaking, some of these services are quite popular amongst IT professionals.
You don't have to manage your own security anymore if you're using Microsoft's.
Yeah, or any of the other ones?
There's a bunch of them now.
The downside, however, is that a single compromised piece of cloud-based software can grant a hacker access to data from a whole bunch of organizations, some of which are very important, as we will discuss.
The past month, Microsoft reported that Storm 558, a China-based hacker group known for targeting Western European governments,
accessed the cloud-based Outlook email systems of 25 organizations, including the U.S. State Department and the U.S. ambassador to China.
The full extent of this breach is still under investigation.
The U.S. Cybersecurity and Infrastructure Security Agency stated that the breach had led to the theft of unclassified email data from several of those accounts.
So looking at a pretty serious government hack here.
It's worth looking briefly at the mechanics of how web-based cloud systems work.
When you enter your credentials, as a user, you receive a little token.
I'm not talking about crypto tokens.
You get this little user ID token.
after you enter the credentials.
This token acts as like a temporary ID,
enabling you to navigate throughout this cloud system
without having to constantly reenter your details
every single time you click.
Those tokens are sealed with a cryptographic signature
to prevent forging them.
This signature uses a unique key
possessed only by the cloud service.
That key is very important to this.
While we don't know how they did it,
the hackers at 558 got a hold of one of those cryptographic keys, allowing them to produce their own authentication tokens that act as proof of a user's identity.
They exploited some flaw in Microsoft's token validation system, signing general user tokens with this stolen key, allowing them to access more secure enterprise-grade systems.
One piece of coverage I really liked used the metaphor of it's not stealing a passport, it's stealing the whole
passport printing machine.
And like a country issuing passports,
Microsoft, the cloud service in question here,
has a lot of citizens,
including these 25 government departments.
Like if you think about how many people use Outlook
and Outlook's web services and Microsoft Mail,
it's aside from the list of government departments
that they've given us,
the amount of places that it hits is probably outstanding.
Huge.
Like educational
institutes, research things, defense contractors, like, you name it.
It's probably touching tons of very sensitive data.
Oh, completely.
And when you've got the ability to just make user credentials and let's check out,
you know, log in and check mail, like that's pretty, like in a world where knowledge is power,
that's a lot of free knowledge.
It's a lot and a lot of free power.
Yeah.
Yeah.
When the headline reads these 25 government organizations, including the U.S. State
Department. That means that those are the 25 that are worth talking. Exactly. And it kind of would
suggest that that token gave them access to potentially a much larger group of people, but that as a
allegedly state-sponsored hacking group, you would naturally veer towards your ambassador,
the state department of a political rival. So in response to this, Microsoft has blocked all
tokens associated with that stolen key. They've issued a new key. They have
improved the security of the key management systems, I do not doubt for a second that their response was very significant to this.
But it does bring up theories surrounding the breach. How did this happen?
One theory suggests that the key might have been taken from a customer server that runs an older Outlook setup that still had some older vulnerabilities in it.
Another theory implies that the token sign key might have been stolen from Microsoft itself.
We don't know how.
It could be social engineering, could be misconfiguration, could be exploiting errors in the cryptographic process, but it could be that
Microsoft is where that token signing key went out.
How they got it, it's unclear.
It's worth noting.
There have been other token-based breaches.
Russian hackers responsible for the SolarWinds attack.
Also stole Microsoft Outlook tokens to extend their reach within those networks.
See, but that was a, I think they just stole the actual tokens off the computers.
Did they?
So like, say you have an Outlook client on your computer, it has the authentication token stored locally.
If you steal it, you can essentially dupe the, I think, I think, I don't think they signed it.
This is a big deal to lose signing authority.
You're essentially handing out one of the keys.
We talked about cryptographic keys way back, like episodes one through five maybe.
And it's like a public private set of keys is everybody has the public key, but only you have the private key and know how to use it.
Like you have the passphrase to use it.
And it's like if they lost one of the private keys that allows them to sign things, that then
gets validated by all the public keys.
That really kicks off the ability to kind of do whatever you'd like
because you're now the signing authority.
And that's a big deal.
That's a big security breach, massive security breach in the cryptographic space.
Yeah, it's an interesting question of whether or not you treat those breaches as
certainly not inevitable.
But knowing that they're going to happen, do you want there to be a big company like Microsoft
in the position to act kind of
unilaterally across a whole bunch of people's systems to patch it,
or do you think you maybe avoid that situation to begin with by handling your security yourself?
I genuinely don't know.
It seems really, really hard to build a system that would rival these massive companies in terms of security,
but I really don't know.
Like from where I sit, like you've already given the trust to Microsoft,
you need to let them patch it.
Like, that's an on-them problem.
Like, there's nothing you can really do locally.
Like, you could probably take it out of your authorized keys list and things like that,
but it's still, like, that's a massive.
Like, that's not something that, like, you want to get the email notifying you of that at a stoplight,
read the headlines, mark it as read, and forget it exists, which is a huge problem that I have in life.
That's not one of those.
That's a pull the car over.
Yeah, that's a pull the car over and send some emails immediately and make some
phone calls.
Yeah, pretty frantically too.
Interesting.
Yeah.
There was another story just very briefly that's probably worth talking about.
There was a headline that broke this week concerning Japan.
Yeah.
So this one caught my interest because Japan refused to comment on it.
Interesting.
Which, when they initially broke it, they put up pressfully saying that it had happened,
but they didn't want to talk about any details, which tells you that it's probably
much more complex and scary than you would think.
So apparently they had like a pretty low level, pretty deep level
and persistent access.
So they had been ongoing.
So that's, I don't know.
It's not good to say that.
But it's definitely changing this whole state sponsored hacking landscape.
It seems like these, I don't know if we're getting more coverage of it.
Like governments are being more open about it as they're
beating their chest in the public media
rather than just over the phone yelling at each other
which is maybe where I feel like it lived the last like 20 years
and now we're getting more public coverage
kind of coercing and dictating public response to it
and public sentiment to it but it seems like these are speeding up
yeah I could see it being a little bit of both
like I could see the volume of attacks and compromises
frankly going up and I could also just see a greater willingness,
kind of on behalf of different governments, to admit when this happens.
I think probably for a long time there was a desire to treat this as like,
we don't talk about this.
We don't even suggest the idea that any of these systems might be vulnerable.
We need to sort of maintain this veneer that everything at the government is exceptionally
well locked down.
But at a certain point, you've lost control of that story amongst the public.
And okay, well, let's see if we can juice a little bit of utility out of this whole situation
by talking about our enemies attacked us again.
They got this this time.
And it manufactures a little bit of willingness to attack them back.
And I think we're in sort of a transitional period right now between those two states.
Yeah, we're playing political games.
Okay, so we've got biometric crypto projects.
We've got international state-sponsored hacking.
When we come back from the break, let's do a little mad science.
I think we should talk about,
we're just kind of in this cybersecurity vein here, so I think we talk a little bit.
You know, we've talked about phishing on this podcast pretty much endlessly, seeing as humans
are the most vulnerable part of cybersecurity. Massive news this week. And, you know, we've talked about
Interpol and a number of other agencies managed to take down the 16Shop phishing service,
which was, I believe, out of Indonesia, and they managed to arrest the people that were kind of running it.
So it was a phishing as a service, so like essentially a hacking service thing.
They sold a bunch of tools too.
It really was like a, I don't know what you call it, like a major problem in the phishing world.
Aside from doing it actively, they also enabled and empowered people to do it.
for themselves.
So it's good that they're gone.
Do I think that they'll be replaced
probably immediately?
But in the constant
give and take war,
this is a step,
a win for the good guys.
Win for the good guys.
Yeah, I'm so curious about this concept
of pre-packaged.
We've talked about this a lot,
but the commodification of these exploits
as like little products you can buy.
These are phishing kits.
It's like a little,
email or PDF that directs to a little custom site where people just put their credit card
information hopefully and you get to keep it.
Like it's a, yeah, you're kind of like automating the hard part of this whole thing and
leaving it up to like, are you good at finding emails and tricking people into clicking on
things.
Yep.
And, you know, when it comes to, you know, making money and getting access to information you're
not supposed to have, you know, you don't need every single person that gets the email
to click the link.
But if you get one in a thousand, like, it's pretty cheap to send emails.
So they sold these phishing kits to apparently over 70,000 customers across 43 countries.
So there's a good chance that in your inbox right now is a phishing email and a phishing
email from one of these kits or was enabled and empowered by one of these kits.
Interesting.
Yeah.
It sounds like they were able to bust it based on the fact that the servers were actually hosted
by a company based in the United States.
So suddenly the courts have a line into that whole operation.
Yeah, jurisdiction.
The guy who got busted, the administrator was a 21-year-old guy.
You know, he saw a market...
Younger than I would have guessed.
He saw a market need.
He filled it.
You know, who doesn't want to...
Who doesn't want to be able to push a button
and generate their own fake version of Amazon,
you know, just to be used for phishing or fake version of Outlook.com, you know, all these things.
So it's...
Yeah, sure.
It is what it is.
You know, I feel like, you know, we've talked about this at great length,
And it's like, I just feel like we need some brilliant people to sit down and just figure out what to do with phishing.
Because it's becoming the starting vector for so many hacks.
It's like, oh, instead of back in the day, you know, we used to write exploits and do stack overflows on email servers to try and get a root access on a shell, like a server or something.
Nowadays, you just send a bunch of phishing emails away for somebody to click you and give you their credit,
which lets you log into their corporation.
It's way less sophisticated and, you know, way more vulnerable.
I'd say that.
You can fix and patch an error in code pretty quick, you know, patching IT security
understanding of 7 billion people is a little bit more challenging.
Oh, certainly.
It feels, I mean, we were talking about cloud solutions during the last section,
and it's like, I don't know what email client
is most popular, but it seems like it would have to start there.
That's just a big old giant switch that says,
please, for the love of God, stop me from clicking on a thing I shouldn't click on.
Thank you very much.
And any link being opened from an email is like cordoned off in a little hole.
And the trouble with that is that it just doesn't address social engineering.
At the end of the day, if they've tricked you well enough to punch in your credit card information
or use a login credential that you're not supposed to, like, it's not a technical
thing, it's a soft social deception thing.
Totally. And the other thing is too, is like, even if you were to bundle things up and
remove all links from emails and stuff, it just hits the efficacy of email as a platform
to the point that it's like...
Oh, totally.
You know, we're already seeing that with the rise of IRC chat, aka Slack.
But, you know, you're seeing it, like, you're seeing email losing its corporate credibility.
It's still used, I think, for a lot of, like...
official channels and, you know, between organizations, interorganizational chat.
But I just, I don't know.
Yeah, this is, you know, we could do a whole week mini series on phishing
and not even cover the amount of phishing related hacks that happened in the last month,
probably.
Yeah, you could just have like a stock ticker feed of every single story, one of them going live.
But when one of these groups gets shut down, it's kind of a small reason to celebrate.
I'm not sure if it's a huge reason to celebrate.
Yeah, it's fine.
It's worth talking about because there's this feeling that the hacks have become endless.
And every single day you're just bombarded by messages of people like in a very small way trying to harm me.
They're trying to deceive you into giving them something that you wouldn't have otherwise.
It's like we've all kind of become normalized to that.
And so it's nice when some of the people doing that aren't able to do it anymore.
And it's quickly leaving, it's quickly leaving email.
and going to text.
Like I get probably a phishing scam via text
once a week.
So it's just an endless amount of small details.
So anyway.
Yeah.
If anything that we do to lock down email,
it'll move over to text.
And anything you do to lock down text,
it'll move over to Slack channels or something.
And anything you do there,
it's just going to be on Roblox on a long enough timeline.
And it doesn't matter because it's not a technical vulnerability.
It's a people vulnerability.
Totally.
And, you know, perfect little transition I'm going to try here.
People that are trying to protect against stuff like this have now become targeted by malware.
So there's a recent piece of news.
So OpenBullet, which is like a web security app.
Let's call it an app for lack of better terms.
But essentially creates, it's a piece of software that lets you test websites for a variety of,
potential hacks, lets you dig through the communication channels running between the browser
and the server, things like that.
Okay.
Anyway, somebody has figured out a way to insert malware into this.
So people downloading OpenBullet using some config file that was incorrect, ended up getting
a version of OpenBullet that still functioned, but it also had a remote access Trojan
built into it.
Oh, wow.
You download, like, I don't want to call it script kiddies,
but like anybody that downloads this and maybe wasn't,
didn't go through the hash verifications and things like that,
ended up getting, or could have ended up getting a version of this
with a remote access Trojan implanted into it.
That was then firing notifications out to Telegram being like,
yo, I'm in control of this computer now.
And what would you like me to do?
So just an interesting little twist on, like,
like, you know, when the security tool that you're using to make things more secure
becomes the target vector for or the attack vector for getting you hacked.
It was an open source project too, which is a bummer.
Yeah.
Because I want things like that to work.
Well, it does work.
It just, it was like a somebody had posted.
Yeah, I think the way that it worked is somebody had posted a configuration file for it.
So like OpenBullet uses configs for a lot of its attack stuff.
So somebody had posted or modified a config file
that then throughout the process of it
means that it got delivered with a remote access Trojan
which is like, you know, sad.
Well, it's tough too because it's like the people that would probably be,
I don't know a ton about this tool,
but the people that would be most likely to use those configs
that have been pre-created by someone else as someone
that's probably not doing themselves,
which would suggest less technical sophistication.
So it makes sense that that's a great way to target
at someone.
This is above my head.
I have nothing to comment on it.
That's good.
I think we covered it.
It was just something interesting
that I wanted to touch on.
So we can move.
Super interesting.
I think we're through the Scott portion
of this episode.
So we can go back to fun
to fun stuff.
You want to go back to fun stuff?
To fun stuff.
Well, I think we got one last thing
that I at least want to talk about.
It's just like a hard, hard pivot.
Like I said in the intro,
we don't typically talk about science that much on this show.
But it's been a weird, weird week in science
and people are hacking together some stuff in their garages
that they normally wouldn't.
So it seems worth talking about.
Have you been following the LK99 story?
I would say that I haven't been following it,
but I did see, I can't remember where the research lab is
that put out the tiny video that everybody was so excited about.
And I did take a peek at that.
I saw that, but I think that's where the end of it ends for me.
I don't think I got, I didn't go fully down the rabbit hole.
I don't know if there's a massive rabbit hole that is created in its wake, but I'm,
oh, there's a rabbit hole.
But I heard you mentioned Twitch, so I definitely didn't watch anybody on Twitch using matches to create a superconductor.
So I, I am not in the rabbit hole.
Take me into the rabbit hole.
I wouldn't normally talk about like speculative pre-publication science.
This story has just dominated the internet for the last two weeks.
And I'd honestly held on for a little while of not diving into it.
And then I did.
So now I want to talk about it here.
So for anyone that doesn't know, superconductivity is the phenomenon where a material conducts electricity with almost zero resistance.
It's a big, big deal, especially in transportation infrastructure.
So like you have a massive power generating facility.
and it is 52 miles outside of the city.
Exactly.
It has to pipe that power across lines,
and literally as it gets to the city,
it bleeds off a substantial portion of it
in resistance and heat.
So the resistance inside the metal in the lines,
it's resistant to the electricity,
so it actually turns it into heat,
and then that heat gets kicked off into the atmosphere.
So we don't notice the heat as much.
Probably, we have enough infrastructure in the world at this point that it could potentially.
I'm sure you could make an argument that it's part of climate change.
I never thought about it.
No.
Just thought about it now.
But the loss of it is a much bigger deal.
Because if you think about burning like whatever, one cube of natural gas produces X amounts of power,
but you lose half of it in the infrastructure loss as it goes to the point of consumption.
that's a big deal.
Like we'd have to generate a considerably less power for the world
if it was able to transport without loss.
And we'd be much better at generating it.
Yeah.
Broadly speaking,
you've got current flowing through a wire material.
And as it's going,
it's shedding electrons.
That expresses itself most commonly as heat.
You're familiar with this.
Like your phone getting hot is a teeny tiny version of that exact same process.
Superconductivity, up until now,
we have achieved it, but only under very, very extreme temperatures, like minus 2609 degrees Celsius.
Like it's a hard, temporary thing to do.
It is when we do it, though, really important.
Super high-powered electromagnets, like in MRI machines, maglev trains, particle accelerators.
These are a couple of the instances where it is worth doing this exceptionally difficult thing.
But as you said, it would change a lot of things if we had it.
temperature superconductors are kind of a little bit of a scientific holy grail, especially those that
work at like just any ambient temperature. Transporting electricity without loss, without the need for
supercooling, it would change the energy grid, it would diminish energy waste, it would mitigate global warming,
and to some degree it'd be really, really cool. It'd be a very good thing if we had room temperature
superconductors, I think, is why the internet's getting so excited about this. A little fun piece of
trivia about this is 15 years ago when the movie Avatar came out, the element that they
were on that planet to mine, unobtainium, is a room temperature superconductor.
There it is.
Like it's a, it's a sci-fi MacGuffin.
You know what I mean?
And look, look what happened in the Avatar movies, Jordan.
Is that what happened on Twitch?
A lot of people riding on dragons and, I don't know, something to do with ponytails.
I don't remember that movie that well.
Anyway.
So wait.
Just like if I buy Worldcoin, there will be universal basic income.
If we come up with a superconductor, I get to ride on a dragon.
Yeah, no.
I'm sure that the dragons will trickle down and we'll all get dragons not just like seven people that own the whole thing.
I'm sure that's exactly how it's going to go.
I'm going to get my dragon, Scott.
This brings us to LK99.
So a couple weeks ago, this group of South Korean researchers post two papers to this thing
called arXiv, which is like a pre-print server. So this is the big, massive asterisk
above this whole thing. arXiv is pre-peer-review. Stuff gets published to it all the time.
That is ultimately not true. It means something, but it is really, really importantly, peer review.
So they publish these papers about this so-called LK-99 compound, which is claiming to be a room
temperature superconductor made up of a combination of relatively common things.
I think it's like lead, phosphorus, oxygen, a couple other things, but nothing truly,
truly crazy.
The researchers presented evidence of LK-99's superconductivity under room temperature without
any added pressure.
And this sparks global intrigue.
You have labs all over the world attempting to do replication.
The famous video that you saw, there's this thing called the Meissner effect:
when a material becomes superconductive,
it sort of expels a magnetic field,
and that's how you can get a little piece of it
just sort of floating in the middle of a metal dish.
And this video that they published claims to show that.
Doesn't it, isn't the magnetic field like bi-magnetic?
Like, isn't it both poles?
Isn't that a big part of it?
Ooh, cool.
I try to remember this.
I don't know.
Which is why it flows,
because it's both repulsed and attracted.
I believe. I'm again by no means a physicist.
I like this whole podcast has hinged on you knowing about a thing
and me sort of like keeping up but adding a fun storytelling vibe
and we have now wandered into a thing neither of us know jack shit about.
Correct.
So this is a very big if true type situation and as a result
and I'm glad to see this, there's immense scientific skepticism immediately.
Really, this is a race to replication to confirm if this is real.
And depending on when you're listening to this,
it may have been confirmed or debunked.
I'm praying that doesn't happen in the five days
between when we record this and when it launches,
but it hasn't gone either way yet.
You know what?
I will happily take that it is confirmed.
You're going to go confirmed.
Because that would be pretty amazing.
I think that would be sick.
No, no, no.
Like I'm just saying, like you said you'd be sad if it was confirmed
or denied before this episode reaches.
and I'm saying,
yeah, I'm saying that like for the good of mankind,
it would be pretty amazing if this was confirmed.
Yep, you make a really good point.
I would not be bummed if my podcast became out of date,
but we got a room temperature superconductor.
There are things more important than this pod.
I know it's hard to believe.
I'll believe it when I see it.
So two teams,
one from India and another from China,
have managed to recreate a version of LK99,
but have not publicly confirmed its superconductivity.
Another Chinese lab reported a levitating LK99 sample, but again, that doesn't necessarily
confirm superconductivity. This is all still totally up in the air. This has kind of happened before.
There was another pre-review paper published in, I think, 2020 that was retracted in 2022.
And really, this isn't just about smashing the right ingredients together. The process by which you do that
is what results in the exact atomic structure. And that atomic structure is what's really, really
important here. I bring all this up because I want to talk about the amateurs.
Because right now there are people with obviously scientific education and a lot of know-how
who are hacking together their own versions of the superconductor outside of labs. And it has
made the internet a very fun place the last two weeks. I'm totally there for it. I'm totally there
for it. I love it. So this guy named Andrew McCalip. If this is a guy named Andrew McCalip.
If this is so simple that people are making this happen on their Twitch stream, that is big.
If this doesn't need to be owned and controlled by some massive conglomerate that has the ability to make this stuff, it would be massive.
It hasn't been proven to be that simple yet because, again, we have not reproduced this.
But I just, I love the quest.
So there's this guy named Andrew McCalip, Wired did a big piece on him.
He got a lot of press coverage.
He's an engineer and now Twitch streamer
who became interested in replicating LK99
as part of like a little startup
a startup that doesn't really focus on this kind of thing.
Publicly, I think it's on X, he posted this.
It's his 34th birthday and he wants red phosphorus,
which is essential for making the superconductor.
I think you need red phosphorus to make lanarkite.
I'm not totally sure about that.
But importantly, red phosphorus is a controlled substance
because you need to use it when you're making meth.
So people on Twitter start getting involved.
They're suggesting different ways he could get it.
He could melt down the heads of a pile of matchsticks.
People are suggesting maybe he goes on Etsy to buy like a pure form of it
where the DEA might not be looking, but it is technically for sale.
Oh my God.
Other people are offering connections to Eastern European suppliers,
just trying to get Andrew some red phosphorus so he can try and make this thing in his lab.
So Andrew takes to Twitch, which means very briefly,
there were people on a Twitch stream watching a streamer doing amateur-ish science
trying to create a room temperature superconductor,
trying to create unobtainium from the film Avatar.
And I just, I love that.
I think that's great.
The process of creating LK99 is not that straightforward, clearly,
no one's been able to publicly reproduce it.
The paper outlines generally how it works,
but there's no clear recipe,
but amateurs like McCalip are forging ahead.
This just briefly, and I'll kind of wrap up here. I wanted to read a little bit more
about the history of amateur science people making or confirming really intense big scientific
discoveries. And I highly recommend you go down that rabbit hole. Because the number of things
that just random people have contributed to across the history of science is incredibly cool.
Archaeology, 20,000-year-old cave paintings were confirmed to be part of a lunar calendar based
on just an amateur archaeologist.
He was able to crack what these things meant.
You've got over in Earth Sciences,
fossil hunter spotted a meter long dinosaur footprint,
the largest ever discovered, amateurs.
And then a big one, climate science,
I think back in the 1930s,
one of the first ever published papers
proving or making the connection
between carbon dioxide and its effect on the climate,
done by an amateur climatologist.
There is a rich history of like,
people who have educated themselves on these things, making really cool discoveries.
It's not without criticism.
There are situations where amateur science should really take a back door,
a backseat to professional science.
No, no, I should take a back door and leave, probably.
Yeah, should just not take part in it.
I'm sure for every...
When it is not an exceptionally high-stakes, urgent situation,
I love this stuff.
I think for every major life-changing
discovery that was helped by amateur science.
I'm sure there are thousands of weird conspiracy things that were harmed by amateur science.
Certainly.
So be a good one if you're going to do it.
I choose to be an optimist about this, and I think it's very fun and neat.
And I hope that, A, LK-99 is confirmed.
I hope it's real.
I think that'd be pretty cool.
And I wouldn't be mad if an amateur scientist helped.
Thanks again.
Thanks for tuning in.
I hope you enjoyed the show.
Thanks for listening, everybody.
Appreciate your time.
And we will catch you in the next one.
Cheers.
