Hacked - REvil Redux
Episode Date: April 16, 2026
We return to one of the more interesting ransomware-as-a-service stories of the last few years: the story of REvil and its recently (allegedly) named operator. Also the big mythical thing that happened.
Transcript
Who is this guy?
This is the landlord, Daniel Schuchin, who I think wasn't named publicly in this way.
This is one of the people that lives by organizing these renting arrangements.
Probably, I have to say, he hasn't been convicted, he hasn't left Russia.
This is in Antalya, at the Turkish coast, where he is still free.
This past week, Germany's federal criminal police, the Bundeskrimina...
the Bundeskriminalamt, or BKA, put a face and a name to one of the most elusive handles in the history of ransomware,
a story that we started telling on this show four years ago.
That handle, UNKN, unknown.
For years, all anyone had was that username from like a Russian cybercrime forum to point towards the person behind some of the,
call it craziest destructive ransomware operations the world had ever seen.
The man behind that handle ran a ransomware shop called GandCrab, which opened up in 2018,
and within roughly a year and a half, it extorted over $2 billion from victims before abruptly shutting down.
Then, almost immediately, he opens up doors on REvil, also known as Sodinokibi.
That kicks off with like a big kind of statement, deposits a million bucks into a forum's escrow account just to make it clear
the kind of scale we're dealing with.
Unknown pioneered what the industry now calls double extortion.
We covered all this back in 2022 when we first talked about this.
You pay once for the keys to unlock your system,
then you pay again for the promise that all that stolen data will be published.
REvil were a big game hunting operation.
In July 2021 over the 4th of July weekend, they hit Kaseya,
a very big company managing IT operations for a lot of people.
When GandCrab shut down,
the group's farewell message was, quote,
we are living proof that you can do evil and get off scot-free.
REvil.
REvil.
Quite the exit.
Interestingly, Unknown has given only one known interview.
To Recorded Future, he described growing up in poverty in Russia, quote,
as a child, I scrounged through the trash heaps and smoked cigarette butts.
Now I'm a millionaire.
And I would say bringing us to now with this big German announcement.
But while this is the first time we've seen law enforcement say they've unmasked Unknown and this is the guy,
it is not the first time Schuchin as a name has come up.
Another young Russian has some technical talent, lives the big life, is visible with his wife
and his friends whose food he pays for, he has online casinos, crypto and other dirty stuff
online and he has REvil, another large ransomware model and he seems to be living a good life from that.
This is him again, both times smiling.
That audio that you heard at the top of the episode, that was an English translation of a talk at the 37th Chaos Communication Congress held in Hamburg in December 2023.
Great name for an event. We should go one of these times. Love to you.
We first reported on Unknown here on Hacked back in 2022. At that conference, one year later, a group of private researchers named
Schuchin publicly in front of the global security community as the man behind REvil. And what
made that accusation hit was that the U.S. Department of Justice had already kind of got his name
into a federal court filing. Earlier that same year, seeking to seize roughly $317,000 in cryptocurrency,
the FBI had already pulled from his wallets. That filing included his name, his address in
Krasnodar, Russia, all right there in a public document. It just took the rest of the world a little
longer to catch up. Bringing us to now. 2026, BKA has made it official. 31-year-old
Danil Maximovich Schuchin, allegedly the head of both GandCrab and REvil, charged with at least
130 acts of computer sabotage and extortion against victims in Germany between 2019 and
2021, causing more than 35 million euros in total economic damage, according to those charges.
So I want to start the episode right here with that unmasking and what Schuchin is alleged to
have built and why this all took so long. And then we'll talk about the other thing.
That other thing, the big thing.
That big mythical thing.
Big mythical thing.
All that and more here on Hacked.
How long until I just removed the theme song.
And it just becomes us.
It's just that scribbledy bupity do.
Us live, live jamming it.
Sometimes you got a jazz scat.
How you doing, Scott?
Um, good.
Good.
How are you?
I'm doing good.
Keeping busy.
Yeah.
How's, uh, I imagine summer is almost in full swing where you are.
It's, oh man.
It's, I wish.
I could point the camera out the window right now and you could see just how not in full swing it is right now.
Just the grayest shit you ever saw.
How is it where you are?
Also kind of gray.
Actually, today I think it's going to be nicer, but yesterday it was pumping rain and very drabby.
We still do have like sheets of ice around.
We had such a hot, cold winter that snow melted and then refroze as ice.
And that ice is taking a while to clear itself off.
But you can feel spring is in the air.
And that's a big positive, emotional, mental thing where we live.
It's more of a mood than meteorological when spring is in the air.
Yeah.
Yeah.
It's like we're coming out of the five-month stay inside to survive period of the year.
The crazy place we live in, man.
We didn't choose it, Jordan.
We didn't choose.
We didn't choose this life.
Okay.
We got a lot of stuff to talk about this episode.
There is the big story, I would say.
It's always interesting when a tech story like crosses the delta into mainstream media.
And I'm like, oh, they're talking about security.
This is crazy.
What Jordan's referring to is Anthropic's new model, Mythos, the zero-day engine coming for all infrastructure code everywhere.
Security is no more.
Your passwords are gone.
They're gone.
They put it in a box.
They put it in the box.
Yeah.
We'll talk about that later for a bunch of reasons.
For now, I want to talk about a classic Hacked tale before we get to whether or not
cybersecurity as a field is ceasing to be with a pretty fascinating story.
I love a callback.
It's been long enough since we've talked about this guy.
And now we have a name to point towards.
And it just, cracking this story back open reminded me of how fascinating
it was. So I want to start here. Please.
Okay, so going back to the beginning. We're just going to take you through this. GandCrab.
GandCrab was franchise ransomware. Ransomware-as-a-service operation. We've talked about this before.
It's the kind of thing where Unknown and his team built the malware that other criminals then pay to use, handing back, call it 30 to 40 cents on every dollar they extorted.
Very low barrier to entry. Very huge scale.
The affiliate model, you know?
Yeah, good, good, solid business model tuned by, tuned by many people.
Yeah, 100%.
The group shipped five major versions of the code in roughly like a year and a half.
You know, software.
It's getting a little bit better each time.
They're in the classic arms race with the antivirus industry, iterating like a startup.
They had a support team.
We talked about this back in 2022.
Enterprise model.
Enterprise model.
You get some affiliates
coming in who, you know, maybe mixed levels of tech literacy. Don't worry. We have a crackerjack
customer support team to help you out. Technical pre-sales, the whole line. There's forums.
There's tutorials. Is it organized crime? Yes, but it's run like a business.
Europol and the Romanian cybersecurity firm Bitdefender eventually started like, okay,
what is this GandCrab? How do we slay it? Start offering like free decryption tools in
collaboration with law enforcement. Undid about 30,000 of these like affiliate kind of
infections,
saving, according to them,
$50 million in unpaid ransom.
Super interesting story in its own right.
GandCrab's response, they ship an update.
Every time the decryptor drops a new version of their malware comes out,
so it's like the formal call and response of this whole thing.
Then May 31st, 2019,
out of nowhere, a farewell post.
We're done.
We made that money.
We got that bag.
Goodbye.
We're off to a non-extradition country.
Where we are
live in many cases, as we will get to.
Fair enough.
Yeah, the group claimed $2 billion in total.
Law enforcement believed of the number was like, yeah, that seems about right.
Pretty good, pretty good haul.
Pretty good haul.
Within weeks of GandCrab going down, the other one pops up, like pretty quickly after,
REvil.
Same structure, much bigger targets.
CrowdStrike tracked them a bunch.
They noted that the code like from the jump wasn't, don't, it's not
like a fork, but it was like, oh, there's a lot of connections to what GandCrab was selling.
They're operating with the same team, new name, a lot of lessons learned. REvil is going
upmarket. You know, they're hunting organizations with pulling in over like $100 million
a year. Companies big enough to have cyber insurance policies that are going to pay out.
They're just sort of refining how they work, who they work with and who they're going after.
The first major named victim, Travelex, a global currency exchange company, January 2020.
REvil encrypted their system, threatened to publish customer data.
They paid out $2.3 million, and as such, a series of dominoes begin to fall.
March 2021, Acer.
I used to have an Acer.
The Taiwanese electronics manufacturing giant. REvil demands $50 million.
At the time, fun little bit of trivia, that was the largest publicly known ransom demand ever.
Really?
50 mil?
Pretty small, right?
Yeah, I would have thought it would have been bigger.
I know.
Some of the big health syndicates and stuff.
But then, you know, time passes and it's now a small, small hat.
Just a measly little 50 mil.
A little 50 million, no big deal.
Yeah, totally.
Because what was the one in like the Vegas one when they had all the all the casinos?
I feel like that one would have been massive.
That's a good question.
I'm trying to remember that one.
But that was more recent than May 2021, wasn't it?
Oh, it was only a million and a half?
Never mind. Leave all this in.
That's a shockingly low amount of money.
You're talking about the MGM one?
Yeah, yeah, yeah, that was just chaos.
I remember right wins was
wins was 1.5 million
Caesars Entertainment paid 15 million.
MGM, on the other hand, did not pay.
Interesting. It is wild at this point
that we can't keep track of the multi-million dollar payouts
from this stuff like it's just
Hey, it's its own business these days.
Truly.
Well, speaking of, JBS Foods, May 2021, world's largest meat processing company, facilities, U.S., Australia, up here in Canada, they all get shut down.
All the, like, physical infrastructure's offline.
They paid 11 million.
White House got involved in that one.
July 2nd, 2021, the kind of big one, Kaseya.
This one's different.
Instead of any one company, REvil goes after a vulnerability in Kaseya's software to push ransomware
through to all of their customers at once, more of a supply chain attack.
1,500 organizations.
Tis the season.
Tis the season.
Like, 1,500 orgs downstream.
That was $70 million for the universal decryption key.
So they're climbing.
They're growing.
See, but then you've got an intermediary who's now responsible for delivering it.
So now they're on the hook to pay the 70 mil or their insurance is on the hook.
100%.
They don't get sued by all of the downstream clients.
So supply chain.
It's the new, it's the new way.
Oh, and who wants that decryption key more than Kaseya in that moment?
It's like all of the customers, but multiply those customers by 1,500 times.
And that's how much Kaseya wants that key.
Like there's nothing we won't pay for that key.
Totally.
This is where it gets kind of murky.
The FBI actually had already been inside of REvil's servers.
Unbeknownst to REvil, prior to the Kaseya attack, U.S. intelligence
had gotten into their infrastructure.
I find this fascinating.
This is an Imitation Game-type thing going on here.
They had the decryption key,
and the FBI holds on to it for three weeks
while they plan this bigger, broader operation
to dismantle the group.
Congress later was like, hey, FBI,
explain yourself immediately.
There were hundreds of businesses still locked out of their system
while you had this decryption key,
and their response was that if we released the key,
we would have tipped off the target and blown the operation.
That's just a really interesting question of, like, do you blow your own operation and potentially let them get away, but save 70 million dollars? Like, it's a really weird question that is, I think, maybe never had to be asked before, prior to this point.
It's an interesting one, right? Like, 70 million is a lot of money to, like, you and me, but when it comes to the, like, world of global finance, 70 million dollars is like a rounding error when you're trying to bust, uh, the successor to a two billion dollar ransomware operation. So the scales of numbers
get really topsy-turvy.
Totally.
July 13th, 2021, 11 days after Kaseya,
REvil's website and infrastructure do vanish.
No one really knew what was going on.
Had law enforcement moved on them,
had Russia shut them down under diplomatic pressure,
which at the time was more kind of plausible.
Maybe they went down voluntarily to kind of wait out the heat.
In September 2021, they popped their head back up,
and this was an error.
In October, a multi-agency operation, FBI, U.S. Cyber Command, Secret Service, international partners,
hacked REvil's own servers and forced them offline again, permanently this time.
Then in November, the DOJ unseals some charges, importantly not going after Unknown.
It was a Ukrainian national named Yaroslav Vasinskyi.
Well, thank you.
22 years old, arrested in Poland and later extradited to the U.S.
He was the affiliate.
He was the guy who licensed the software tied directly to the Kaseya attack.
In 2024, he's sentenced to 13 years and seven months, ordered to pay more than $16 million in restitutions, over 2,500 ransomware attacks, $700 million in demands.
And then in January '22, in a rare move, the Russian FSB arrested 14 REvil members at the request of the United States.
I'll say that again, in a rare move.
They seized hundreds of millions of rubles, $600,000 in cash, 20 luxury vehicles.
The Kremlin got, you know, the diplomatic credit.
And then they invaded Ukraine a month later.
And so that all just went away from her.
The one who wasn't caught through all of this, the takedowns, the decryptors, the FBI infiltration, unknown, never officially named.
It's never charged, never caught.
He's unknown.
Great name.
Great handle, honestly.
It is like UNK.
It's quite good.
Yeah.
Like, game recognized game.
Um, not that I'm in the same game in the hand, in the naming stuff game.
Kudos.
Uh, so like you got this character.
Fingerprints are on both of these operations, but he's very, very careful.
Uh, the only public-facing persona here is this one forum handle, Unknown, and the one
interview given under a pseudonym.
And then you just got like years of it seems pretty, pretty good operational security.
Looking back further, if we're trying to figure out how long he's been doing this, there was an earlier alias that someone found Garrowin that had run botnets and sold malware on like Russian cybercrime forums as far back as 2010 that's been connected to him.
So he would have been about 20 years old at that point, I think a little, little younger.
He's been doing this a long time, flying under the radar, until February 2023: the DOJ kind of files this little forfeiture complaint in federal court in Texas, has
to do with getting some money that the FBI had gotten throughout this whole process.
And in that, in that document, it's the first time we see it, his name pops up.
It's no longer just a handle.
They've connected through the FBI's investigation, trying to get this money back from them.
His name, his address in Krasnodar, and they're saying, we want the $317,000 in seized
crypto.
But now this name is out there in a public document.
And most people miss it until, you know, talk that we opened the episode with, a researcher
who takes the stage in Hamburg, names him loud in front of thousands of people in the security
community. The clip kind of circulates a little bit. We read about this in Krebs on Security.
It's very good reporting on the story. Always. Just the OG. And then in April 5th,
26th, we get here. The BKA German policing makes it official. I wonder friends in high
places keep you out of trouble. I wonder how many friends in high places they might have.
to be the one person who's avoided persecution.
Yeah.
And especially if the government knows who they are, like the government of America is just
simply asking for the money back, not being like.
That's interesting.
Yeah.
Well, the American government has been kind of in this weird tangle of a situation
where you have the FBI that has access to these decryption keys and has infiltrated
their system, but is, again, to evoke The Imitation Game, which is a good movie
worth checking out, ends up in a situation where someone has gotten access to this privileged
information, but for tactical reasons, cannot reveal they have that access.
You get this thing where it's like, it seems like maybe the American law enforcement apparatus
had all the information necessary to go after this guy, but it wasn't prudent to do it.
So we're going to go after the like 20 customers down the line doing this.
And Russia seemingly willing to collaborate on that project.
Right.
See, that, that's what I'm saying is like, yeah.
As much as I know about law enforcement, which is very little.
Sure.
Prefaces is, uh, don't they usually try and go up the ladder?
You think, right?
Yeah, sure.
They're trying to get to the head of the snake rather than the tail.
Yeah.
I mean, I've, I've seen enough crime movies to know that you don't want the boots on the ground.
You don't want the goon.
You want the, you know, the top brass.
Yeah.
And like the reason why you would not give up the key, let the attack go on to not
disclose that you have the confidential information is so that you can use it to better trap
the top of the ladder.
But instead, you just kind of let them roll away.
BKA advisory lists Schuchin as a wanted person.
German authorities believe he's currently in Russia, likely in Krasnodar, is the city where he's
from.
Russia, as we have discussed, does not historically extradite its citizens, given the current
political climate.
I would be very surprised if they decided to start now.
His co-accused Anatoli Kravchuk is also named in the German advisory, also believed to be in Russia.
Kind of raises all the question, what does this BKA announcement really accomplish, aside from giving us a satisfying conclusion to the story in a lot of ways?
Maybe not even a conclusion.
They're all still out there.
But at least we have a name to point to.
And for the victims of like 130 attacks in Germany alone, as outlined in these charges, for Kaseya and JBS, thousands of other businesses, not
a lot, I would say. This is not an arrest. It is a name, however. I wonder, so it closes the loop on
attribution. Yeah, I wonder what a new identity costs. It can't be that much. Yeah. That's the thing.
It's like, you don't even need to worry about extradition treaties. It's just become somebody else and
like move to Thailand. Yeah. And that's such an interesting question, right? Because it's,
as long as you assume that there's no chance that the Russian government's going to extradite you,
you're probably in the safest place on Earth.
But if there's even a possibility that they're going to use this as like a diplomatic tool, you're in the most dangerous place on Earth, because they for sure know you, and no amount of fake identity is going to function in that ecosystem there.
You know what I mean?
Like I don't, I think there's a fake identity that might work in Thailand that does not work in Russia.
Very much.
Yeah.
Yeah.
And like when the government comes and asks you for favors, they will expect you to pay them out.
Totally.
Yeah.
That's interesting too.
Yeah.
Yeah.
Yeah, we're fine with you being here.
It's a very nice penthouse you have here in Moscow.
Yeah.
We need some assistance with something.
Totally.
We have a, we have a few little problems going on that we'd like help dealing with.
Yeah.
Yeah.
We will not be dealing with it.
Yeah.
It's not that kind of problem, but you can go ahead and do it.
You work for us now.
We will let you stay here, but you are our employee.
We control your, forever.
If you would like to leave your penthouse, please call this number and ask for a permission.
Totally.
Totally. It's a really nice penthouse, but you're going to want to stay in it.
Yeah, yeah. There'll be a guy outside the door with a bunch of guns. Just, you know, he's there to keep you safe and make sure you don't leave.
More ominously, it's like there actually isn't a dude out front. Oh, yeah, totally.
But a dude will show up if you get further than about a kilometer away from here. And you won't know when. It might be then. It might be weeks later. Don't do that.
It might be in the coffee. You get at the cafe. It might be.
Yeah.
Like how ominous this guy.
Totally.
We have no reason.
All of this other stuff is decently well.
Like, researched.
That thing for me that triggers it is like the fact that he's a known entity.
Like if he truly was unknown, you know, ha ha.
Then it's a different thing.
You know, if they still haven't found the head of the snake.
But if they know who the head of the snake or like who it is, but they're still not going after them, be it through joint, you know, task force or whatever it is.
if they've taken out the ladder below them, but they're leaving the top alone, that tells,
that tells me more than, you know, anything else.
There's also an interesting thing of like, think of this, think of the politics of a big employer
where you have like a community of people and there's the one big employer that employs like
15% of the town.
And it's like, don't mess with that company because that town is going to turn on you because
you're messing with the, you know, the hand that feeds you type logic.
I wonder if there's an element of like, do you want to know how we could really instantaneously infuriate the entire hacking community here in Russia going after this dude?
Like, yes, we have a crazy amount of power and authority.
It's just not prudent of us to go after this guy because there's a lot of people making a lot of money off him, including people that are our friends.
You have that affiliate network.
It's an affiliation of loyalty, too, not just money.
Totally.
I think money talks too.
It's both, right?
They're all kind of woven up.
There's a reason why Russia is kind of like, yeah, we kind of let this happen.
It's a company town.
It's a company country.
It's a company country.
It's such an interesting story.
I'm fascinated by that conference where someone just stands up eight months after this word gets snuck into a filing that isn't a, it's not a big filing.
It's not one of the filings we cover on the show.
It's like a little thing.
It's just trying to get money from one government department to another because they think it landed in the wrong place after this war.
It's so technical and small, but the name pops up for the first time.
And then like eight months later, these security researchers stand up and we're like, there it is.
That's the guy.
Yeah.
Fascinating.
Interesting story.
Yeah, it's an interesting one.
Nice to.
It'd be so interesting to get a guest on that, like, operates at this level.
like somebody like a former director of international cybercrime like coordination
because it would be fascinating to know to get a little look behind that curtain.
Yeah.
Because it is such a complex and complicated and diplomatic headache that it would be awesome
just to get somebody to lift the curtain and let us in there for 15 minutes.
Maybe we should do a little YouTube trip to Russia.
Hell yeah.
Just hope they don't listen to podcast there.
We'll get new identities.
Sure.
Apparently those are relatively affordable.
Yeah, I would bet in a couple of years, I don't know what the statute of limitations on these types of stories is.
But at some point, we're going to leave that window of time where the earliest crazy ransomware negotiations and specifically the kind of ransomware negotiations where international diplomacy is a very.
are going to start entering into, yeah, you can talk about that.
That was 15 years ago, 10 years ago, 20 years ago, sure.
Yeah.
That's going to be an interesting day because there's not a lot of visibility into it.
We've gone down the rabbit hole of learning about people that do consulting for private groups
that are allowed to talk about it because they're promoting their business.
But I'm like, I want that person who's like, I'm just on phone calls with like the Kremlin
to figure out how this is going to go down because we have like a, I don't know, like a butcher
consortium here in the southern United States that is offline and there's like 20,000 people
just waiting to go back to work while like a server gets decrypted. So I need to figure out how to do this
without starting a war. It's like, oh, that's interesting. Like an international cybercrime fixer.
Yeah. Yeah. So if that's you and you're listening to this podcast, get at hackedpodcast.com.
Yeah. Yeah. Come on the show. We'd love to hear about how this is.
Yeah, how the intricacies of the diplomatic side of it works.
It's fascinating.
This is a tangent.
Well, I think we're moving off this story in a minute.
Or tangenting.
This podcast is a tangent, Jordan.
We do interviews with real grownups and then you and I spiral on tangents.
It's what it is.
You're here for it or not.
No, what I was going to say is the show The Pit.
I don't know if you are familiar.
I'm sure you're familiar.
I know what it is.
I have never seen an episode, even though it has been popping
up in my news feed as of the last couple days because somebody left the show and that's big news.
Oh, I didn't know. I didn't know that. All I know is it's a pretty, it's a pretty good TV show.
And it had a major plot point in a season that involved a cyber ransomware attack on a hospital.
And I was like, this is so interesting to me. Like it feels like seeing someone from work in the real world and it's kind of uncanny.
It's seeing the teacher in the parking lot of the grocery store. You're like, oh, that that's out here now.
And it's, it's reached that level of, like, ransomware is now in the zeitgeist.
In the zeitgeist in a really fascinating way.
Um, yeah. And now, well, and now we allegedly have the name behind one of its largest operators.
Allegedly. Allegedly. Allegedly.
REvil. REvil. Unknown. I like GandCrab.
Also, like, to talk about tangents, yeah,
what is with this obsession about people naming things after like aquatic creatures
Like Clawdbot.
Yeah.
Crab.
It's all about the lobster and it's like OpenClaw.
You know, this is like a, like, they're all like crustaceans.
Like what's with this obsession, this recent obsession with crustaceans?
I think those two, because I doesn't and correct me, I think I'm about to say something wrong.
But isn't OpenClaw a, like, play on Claude?
Yeah, well, it was originally Clawdbot.
So yeah.
Yeah.
I think it ended itself as OpenClaw, but then it adopted like a lobster, like.
And GandCrab precedes the existence of Claude.
So we kind of have to infer that this is just a weird coincidence.
Yeah.
You know what I mean?
Like, there's an air gap between the inspiration on them.
But to me, it just jumps out of this weird pattern forming.
Yeah, sure.
People being like, yeah, yeah, crustaceans.
Like, oh, the international cybercrime syndicate lobster face.
And you're like, what?
What's that?
And they're like,
oh,
they took down shrimp head.
Like,
oh, no,
they were,
they were bad.
Yeah,
it's weird.
Yeah.
Should we sail our way
on the open seas?
Do piracy?
To the ad oasis.
To the ad oasis.
The water slide.
The water slide.
Yes.
Let's go to the water slide
and then we'll come back
and we'll do some myths.
Welcome back.
Oh, welcome back.
So did it?
Is there anything else you want to talk about?
Yeah, did anything else happen?
Well, you're doing the bit that I'm doing.
We can both do the bit.
Can we both do the bit?
Scott, is there anything we should talk about?
We can talk about Anthropic's latest release and their insane promotional budget
and promo videos for it.
I'm more interested to talk about the marketing of
Anthropic's Mythos than I am to talk about.
Just come back from a commercial break.
I'm doing it again, Jordan.
On April 7th, Anthropic announced Claude Mythos Preview. This is, I think, this is a fascinating story.
It's a security story. It is very much a marketing story.
Claude Mythos, and this is according to the announcement, its most capable frontier model to date, big improvements in reasoning and coding, and very importantly for our purposes here, cybersecurity.
In an atypical move, they chose not to make it generally available, restricting the access to, like, this consortium of 12 partner organizations.
This is according to TechCrunch: Amazon, Apple, Broadcom, Cisco, CrowdStrike, Linux Foundation, Microsoft, Palo Alto Networks.
That's part of an initiative that they have announced in this very fascinating marketing video called Project Glasswing.
Yes.
In addition to that, they committed $100 million in usage credits and $4 million in
direct donations to open source security organizations.
And then everyone acted cool and normal about it and no one lost their goddamn mind.
Well, there's two stories here.
One, let's talk about the technical side first because it is.
It's interesting.
It is interesting, but to me it's less.
That's interesting than the marketing story.
So Anthropic has this new model, Mythos, that they have trained to essentially chain attack vectors together.
So that somebody has taken the time to, you know, really train the model and tune it to identify security issues.
Like we were talking about like Karuna and like, you know, these multiple attack vectors and chained exploits.
Yeah.
They've now trained a model to do this.
So it can find like a pretty low-key exploit that doesn't really get them what they want,
but then it can figure out that when it chains that to another low-key exploit that doesn't
really get them what they want, they can actually get an escalation of privileges.
So they've created a model that's essentially doing what an advanced hacker or cybersecurity
red teamer will do.
The thing for me is that this probably already exists in the sense that like there's some hacker out there that's taken something like a Kimi K2.5 or like an advanced model.
Kimi K2.5 is just like an advanced open-source model.
Yes, correct. Yeah.
Okay.
Yeah.
Out of China.
Great model.
Use it all the time.
And then they probably added like a low-rank adaptation adapter to it and gave it some extra tuning in these things.
There's somebody out there that has probably done what they've done here and probably has this already operating.
They just don't have the compute capacity that Anthropic does to really like hammer through millions of lines of source code.
And I think that's the big thing.
It's like they've created something that's the ultimate cybersecurity hacker,
but it's also the ultimate cybersecurity fixer.
They've created both like the,
like it's both a red team and a blue team.
And it just depends on who's using it.
I think that's going to be the interesting thing.
So the big group that they've launched that you mentioned with all of the Microsofts, Googles, JP Morgan, CrowdStrike, Amazon, all of the preferred American companies.
They've done that really in the sense of like this model is going to get public or China is going to build their own model or Russia is going to have one of these soon.
So like let's make sure that we batten down the hatches for lack of better terms on major infrastructure companies that provide services.
Like somebody like on Microsoft and I'm tangenting here.
Microsoft's similar where they've got an upstream and a downstream, right?
Like there's so many million or like thousands and hundreds of thousands of organizations
that run the Microsoft suite.
So if they can harden the Microsoft suite, they kind of umbrella protect a huge chunk
of organizations in, you know, not even just America, but all across the world.
Amazon, same thing like AWS, Microsoft Azure, Google Cloud.
They're all, you know, massive things being used by a huge company.
It is interesting that there's not, you know, essential utilities in this consortium.
Like a lot of those systems have custom, like if you're managing a nuclear plant, it's probably all custom software, custom control systems.
They might want to invite those people to the party.
But there's a line in the video.
There's a lot of lines in the video that I think are really fascinating in addition to some like music that was chosen so, so carefully to inspire calm, but sort of serious calm.
In any case.
The line that sets it up well is if LLMs are now able to write code,
and this is clearly more than just an LLM,
but the line is if LLMs are now able to write code at the level of some of the
greatest software developers in the world,
it can also be used to find bugs and exploit that software equally effectively.
I think that's, that was the big kind of moment of awareness, I think for the population of, I've been hearing this story that these tools are exceptionally powerful for software development. I use it to maybe rewrite an email or like I kind of use it in place of a Google, but the real capacity seems to be creating software. And this seemed like a big moment for people understanding that like a tool necessary to create software better. So too do you get tools for exploiting software better? To write is to review and to review is to hunt for bugs. So you can send these things bug hunting and sometimes they're going to find them.
And the reason this got so much more press, I think, than the normal announcement being
like, you wouldn't believe what we've created in this new model.
We've heard that announcement before.
Call it every three months like clockwork since GPT-2 came out.
The reason why was because when they sent this model bug hunting, again, with all of the
resources of Anthropic behind it, with all of functionally unlimited time and compute,
with the potential of a massive marketing carrot in the form of cybersecurity.
They tasked it with bug hunting.
And it seems like it did find some.
It did.
Enough to warrant this level of response up to you.
But they sure did find stuff.
And it's pretty interesting.
It made it credible.
Exactly.
Credibility is a great word.
Yeah.
Yeah.
So some of the big ones that it found is it found.
So OpenBSD, you know, classic security favorite.
it Linux or like a BSD distribution, POSIX distribution.
Hardened forever.
You know, it's been an operating system that people have hammered on.
It's supposed to be one of the most secure.
It was intentionally done.
It's had security audit after security audit.
People go through the lines of code with a comb.
And it found a 27-year-old bug that had been missed after 27 years of people going through
it with a comb.
And that's a big deal.
And it makes it credible.
You know, it was also able to break out of its old little sandbox.
Who knows how complicated that was?
It was also tasked with that.
But like escaping a Docker, like it asks, it currently asks you to like escape the Docker.
So is it really just giving itself permission to escape the Docker?
You know, you know what I'm saying?
I don't know if you know what a Docker is, but like a container on your computer that it's running inside of.
Yeah.
I'm understanding the premise that like we gave it a test.
we created the test that it passed and now we're scared.
It's like, but you created the test.
There is.
Totally.
A lot of this is very specific when you hear like, we found a 27 year old bug in OpenBSD's TCP SACK handling.
Like it's like so detailed and specific.
But it's like, well, what very, very specifically was the bug?
What was these very specifically the like I use a tool sometimes.
I've used a tool called FFmpeg.
So I was drawn to this.
It's like a conversion code.
And it's like, oh, they found a bug in that.
And I'm like, but specifically what kind?
I've seen a lot of people.
And this is neither bearish or bullish.
I think it's just useful context is that bug is not binary.
There's not one thing called a bug.
There's shades of bug.
There's, oh my God, it gives you root access, full compromise control of a system.
Or there's in an extraordinarily narrow edge case, it can cause the system to crash.
Or like the text to render incorrectly over here.
Maybe a computer goes, but nothing.
There's no.
You haven't infiltrated a system.
And then there's the other end of it.
So it's like there's just a ton of this that is ambiguous right now.
Well, and a 110 page document that Anthropic put out.
I'm not sure if you had a chance to see that lovely thing.
This is true.
There's a section of it called responses, which is just some of the Anthropic staff reacting to the model doing things.
Interesting.
Something that I've never.
And it's, it's, it's, thank you for sponsoring the show.
But I've never seen something more biased and unique in any kind of marketing
document marketing presentation around these things.
It's very interesting.
And I've heard some criticisms of Anthropic.
And the way that they release their models is typically with this, I don't want to call
it like a doomer angle, but they're like, they definitely lean into it a bit.
And it creates a bit of a social uproar around it.
I think they've really adopted the, there's no such thing as bad press.
And I think it works for them.
And it is working for them.
And look at all the attention they're getting from people like us and everybody else.
And as you mentioned, the mainstream media is picking this up because they're just like, is security over.
Yeah.
It's the marketing side of it is the more interesting part of the story here.
The fact that somebody tuned a model to like look for security vulnerabilities is like, we were at DEF CON last year, or two years ago and they probably had this model built at that point or somebody had tuned a model to look for these things.
I think that an awareness that these types of systems have increasingly relevant uses in security is like that that's just true. That that's like yes, we should all be aware that where these are going is they get better at creating software. They will get better at exploiting software. A big moment where we all go, oh, okay, got it, understood. That is important and that is real and that is relevant.
The idea that other element of it, which is this feeling, which isn't expressed literally in the video, it's just more the way people talk about it of like, as you said, security is no more is like, to be clear, there are a finite number of bugs in the world.
People have been hunting for those bugs for years.
They find most of them.
They get patched before you ever have to encounter them.
Sometimes they don't.
Bad stuff happens.
This is both a tool for finding those exploits in the same way that a tool for creating software is a tool for exploiting software, a tool for exploiting software is a tool for patching software.
You just have to find the exploit first.
So I view this as in a sense, also a marketing exercise because maybe we have a model that is
not economically rational to distribute to the public based on the compute cost of it.
And maybe it's extraordinarily useful for cybersecurity.
So maybe we give $100 million in coupons to the biggest companies in the planet.
Who are going to spend a billion.
It's a 10% discount.
Baby,
who knows,
allegedly.
Allegedly.
And that's not even like, ooh, bad.
I'm like, no, that just makes a lot of sense.
You have a tool that will genuinely be extremely powerful for cybersecurity
research.
It's not quite ready to put out to the general public for a panoply of reasons.
Economic ones.
And like, no, we actually, the core premise that we shouldn't put this out right now when it's scoring 80% on CyberGym and like 70s, was 77.8 on SWE-bench.
Like, that's real.
That's, that totally tracks to me.
And let us let off the nuclear bomb of AI marketing in security.
Like, both can be true at the same time.
Yeah.
The, if you really think about it, like, Anthropic has done some brilliant, brilliant development.
Like, they went after, like, we talked about this last week.
or last episode, but they've spent the time and money to focus on software engineering because
they know that that's a multi-trillion dollar TAM, total addressable market. If you were to
replace software engineering globally, how many software engineers that are highly paid in-demand
can be replaced by AIs? Probably a decent amount. Like there's always going to be engineers leading
the AIs, developing the products, things like that. But the actual raw building of the code, an AI has demonstrated that it's quite competent at doing.
Does it currently build the best code?
No.
Does it still need humans to review it?
Yes.
Does it still introduce bugs?
Yes.
It looks like what they've done here is really build a model that's tuned specifically to fight the SWE benchmarks, things like that, to get really good at building the code.
So if they can ever get it to the point where it's building bug-free code, which it currently doesn't, and I use these tools all the time, they could theoretically own a multi-trillion dollar TAM, which is a huge thing for a company that wants to be, you know, the biggest in the world.
We collectively, you know, we being humankind, depend on trillions of lines of code, some of which date back 50, 60 years.
So if you, and all of those, all of that code is faulty to the human error that
introduces logic bugs, bugs, things like that.
This system will probably really be good at cleansing through tuning up and patching
known vulnerabilities and known exploitable vulnerabilities in code.
The thing that it doesn't scream to me and I did not see in any of the marketing was, can it create its own vulnerability?
Like, you know, a human came up with smashing the stack.
A human came up with man in the middle.
A human came up with all of these clever ways to bypass security, to figure out structural issues in the programming language, in the memory blocks, to do all of this complicated stuff.
When an AI introduces a new one of those, I'll be very impressed.
Just being able to go through and identify potential issues that are known issues in existing
code to me is not, it's impressive, obviously.
But it's distinct from the thing you're describing.
Yes.
Yeah.
It's not creating the vulnerability class.
It's just taking known attack vectors and looking for them.
Interesting.
Very different thing for me.
Yeah.
The technical side of this is so far above my head.
I always end up settling back down to where we started on this,
which is the sort of the way you tell the story about this and the marketing side of this.
And it is just fascinating to me to see people,
because no one is in that distinction you're talking about between identifying a bug
and coming up with a new category of exploit.
But it is making people aware of this thing.
Yeah.
Yeah.
Like when we talk about bug bounties, like most bug bountiers, they know a suite of attacks.
Let's call it like 50 styles of attack, SQL injection, man in the middle, you know, whatever it is.
Yeah, and they'll test endpoints against them.
And they're looking for known things.
Very rarely are they sitting down and going, okay, this is running.
And that's the other thing is that a lot of these systems are closed source.
so they can't just sit down and thread through the source code of the server running to be like,
is there an option here?
Where can I find a place where I can do an injection of this style or a memory overflow here?
And yeah, I don't know.
Training an AI to be a bug bountyer to me is like, that's not such a bad idea.
Yeah, I mean, especially if you're selling people the tool that they're developing their own software in.
Like everything up until this point has been a discussion of software that already exists.
But these are, let's go back to the very start of this discussion, which is, boy,
are these things useful for software development.
It's like, well, do you want to use the one that scores really high on nipping its own
bugs in the butt?
Kind of better way of putting that.
But like, do you want to use that one or do you want to use the one that's worse at that?
Because the one that's better, that could be used to exploit the software that you're
creating with the other one.
Totally.
Yeah.
They're building like an escalation in the marketing world, a pipeline.
It's like, hey.
You know, you just vibe-coded together a SaaS product that you think is going to make you rich.
There you go.
You've got 275,000 lines of code.
Do you want to pay a thousand bucks to make sure that it doesn't get hacked?
Truly.
Like, yeah, truly, that's what it's going to be.
I'm also, just a small thing to kind of wrap on is I am fascinated by the naming of all of this.
So Anthropic's models have, um, a like language poetry naming hierarchy or like their, their fast little model is called Haiku and it's fast and efficient.
Like a haiku, and then a Sonnet balance is like kind of the next level up.
And then, you know, a sonnet's longer than a haiku, more intense, more involved.
And then you get up to Opus.
Someone writes their opus.
It's their big long novel.
So you get Haiku, Sonnet, Opus.
And then you get to this one.
And it's the one that they're not releasing yet because it's too powerful.
and you name it after a myth.
I'm like, that's just, I was like, that's such a choice.
And I haven't heard anyone talk about that.
The decision to name this as a mythical thing when it cannot even be released because
it is too powerful.
It's like, that's so on the nose.
Hey, as a fan of Greek mythology.
Sure.
It's marketing.
And it's like, if you've ever seen an interview with Dario, it doesn't surprise me.
Like, the man seems like he's great at marketing.
The, yeah, I, I don't know.
I'm excited by this more than I am scared of this.
Let's just say that.
Yeah, I'm more interested in it than I'm.
And again, it's the hype counter hype cycles, right?
Like literally the day that we recorded this probably would have had a really huge impact
where I'm glad that we waited until over a week later to get to talk about this.
You get the hype, you get the counter hype, you get the counter counter hype.
And then everything kind of just chills out a little bit.
And you're like, yeah, it was a great marketing video.
The goal of those is to create hype for a product that seems like it is legitimately very,
very impressive for cybersecurity reasons.
Yeah.
And if you go in hugging, if you go in Hugging Face, there's thousands of people tuning models
to do different things all the time.
Like it's something that like casual like recreational activity for like nerds.
Like you can do this.
I guarantee somebody has done this already.
So it's good that like a major company has done this.
so that it can then push that model into the hands of people like Microsoft, Amazon,
you know, critical infrastructure providers.
Because I would bet money that there is a consumer version of this floating around
in the hands of the wrong person somewhere.
That could be North Korea, that could be Russia, could be wherever.
Yeah, I remember a couple years ago when DeepSeek R1 got announced.
And it was this thing of like, there is an open source, internationally produced model that you can run locally on your system.
And it is X percent as good as the sort of flagship models.
And that's been changing every single day since.
But that basic story went wide of like, you don't need a cajillion dollars in venture capital to produce these anymore.
The technical innovation is caught up.
Now the barrier of entry is a little bit lower.
And I'm like, oh, that's going to.
So that, that empowers people to write emails and some code differently in a different economic model, potentially without the safeguards of a large corporation kind of acting.
Of course.
It's like, okay.
So like give it.
So, so, so, so, so when is there a mystical version of one of those things?
Like if we're using mythical to describe security forward models, it's like, when is the
open source mythical security model come out?
Because that's a really different story than rewriting your emails and doing your haikus.
That's, that's a really, that's a whole different can of worms.
Well, there have been, like, as somebody that follows both the major American, you know, commercial models and the open source model world, the open source world has some amazing models.
Like Kimi that I mentioned earlier, which is now months old and probably not the best anymore.
But like there's GLM, there's Kimi, Gemma just had a couple new releases of the incredibly tiny models that are incredibly
strong. That's the other thing is like the whole innovation curve is moving and people have
figured out how to make better, smarter, faster, smaller models. And we're seeing that in real
time. Like, especially with the push for mobile, like people want to have full-fledged
LLMs running on your mobile devices. So there's this massive push to build tiny models that are
incredibly operationally efficient, but also score really high on the benchmarks. And they're,
they're doing it. Like the new Gemma models are tiny and amazing. Yeah, I wanted to talk to you
about Gemma. I was watching a thing of just like, yeah, it's literally in the Google app if you
want to try it on a device to just have a local model performing. I'm like, that's, that's kind
of nuts when you consider that in addition to like code and generative output, it's like they sort of
just also contain most of the internet in them inadvertently as text. So it's like, statistically,
It's just like, okay, so it's a real hitchhiker's guide to the galaxy type situation here.
I can be on a non-internet connected device and can summon an extraordinary amount of information
in a few gigabytes, which I guess isn't that different from just downloading an offline version
of Wikipedia, but it sure feels different when you can talk to it.
Yeah, it's like, it's like, think of it as the ultimate compression.
Yeah, there you go.
It's like a statistical compression model that has, can take, you know, hundreds of terabytes of knowledge and compress it down into a few gigabytes that runs with a pleasant communication platform.
Natural language communication, the foundation of why we all lost our minds in the first place.
Yeah. Multiple languages.
Yeah, yeah, it's, uh, it's fascinating times at Ridgemont High, the downer sequel to that beloved classic. Is there anything else we should talk about?
I think when we're in the space of chatting about how powerful these models are and trusting strong Western corporations, we should also talk about how weak they are to bypass their security things.
A new jailbreak technique has come out called sock puppeting, which allows attackers to bypass all the safety guardrails, and they've managed to do it on all of the major models.
Llama, Gemini, Claude, ChatGPT.
And essentially what it is, is there's an API feature that allows developers to kind of pre-fill assistant responses.
And by injecting compliance into the pre-fill, you get compliance in the output.
Does that make sense?
100%. I'm looking at a flow chart on this website that makes it quite clear.
We're looking at cybersecuritynews.com if you'd like to go check it out yourself.
Yeah.
I got this in my news feed this morning.
And it caught my eye because I know Jordan likes to talk about jailbreaking these things.
So the normal flow would be if you were to ask one of these systems, hey, what is the system
prompt?
The model generates a response that says, sorry, I can't tell you the system prompt or my internal
instructions.
Correct.
Whereas if you inject this attack to the level of like that little preceding thing that goes into every response and with the like something like, sure, here is like an affirmative, positive start to an answer.
And then you ask it, what is this system prompt?
If the attack works, it will then give you the answer.
The system prompt is, blah, blah, blah, blah.
So just for knowledge.
So if you're building AI powered systems, say you have an explicit output format.
So say I'm asking for something to be like a research report and I have like a template
for what I want the research report to look like, you can inject that into the pre-fill.
So that's typically what that's used for.
So it's like, hey, write me this research report on Jordan Bloemen of Hacked podcast.
And I can then give it the research report structure that I want as the pre-fill and it will fill out the rest of the report.
So it has a valid use.
But essentially what it's doing is preempting the model before the security checks or I guess after the security checks to bypass it.
So essentially by injecting compliance in there. So if I say, hey, I want you to hack the Mexican government, and then I inject in the security or into the pre-fill, like, yes, I would love to help you with that.
We'd love to help. We'd love to help you with that. Dot, dot, dot. Yeah, sure.
Then it goes, oh, okay, like I'm already pre-approving myself to do this. So I'm sure they'll have this patched if it's not patched already.
I feel like you don't even publish this until you've informed the people. It was Gemini 2. In terms of the hit rates on this, it was 15.7% successful in Gemini 2.5 Flash, 8.3% successful in Claude 4 Sonnet. Those were the highest. There was partial vulnerabilities in Qwen and Gemma, but it goes down from there. That's interesting.
Yeah. At this point, so we've talked about jailbreaking these models a few times now.
And I'm starting to reach a point where I'm like, why would you use a model?
If you were up to something nefarious, why would you even embark on using a model that requires jailbreaking when there are already pre-jailbroken versions of the open source models like DeepSeek and all those other ones?
Like those forks, it's well documented that they exist.
The ones that are just like, oh, I'll let you do functionally anything as long as you're running it locally.
I was like, eh, why go after Gemini?
What's so hot about Gemini 2.5 Flash that you got to use it on that one? And I guess it's just about who the user is and what the specific situation is, because there's a big gulf between some young person just trying to get it to output something it shouldn't and like a very serious, steely cyber, like a hacker, basically.
Yeah, I think this was found by red teams. Um, naturally, you know, people, people trying to do this.
Researchers, my favorite people.
Yeah, exactly. Yeah. I think the big thing that you do it for is like intellectual property theft. Like one of the main things that they show off here is they could get the system prompts out, which tells you a lot about, A, how the model's trained.
Yeah.
B, how to function with the model, what its control scales are, what its personality's defined as, a lot of little.
Yeah, yeah.
So to steal that, because that gives you a ton of insight into the model. But also they were using it to generate exploits. So essentially you could trick a model into writing you an exploit.
Right. For no day. There you go.
And you didn't have to get a model right locally.
Exactly.
Didn't even have to waste your time spinning up a local model.
I was supposed to really like the idea of someone rigging up a system and then the prompt just being hack the Mexican government.
I know that's because we covered a story of someone hacking the Mexican government.
Yes.
I just like the idea of starting that high and then like going to get lunch and coming back
and seeing what it got up to.
We should really cover that story in detail.
I've been reading more and more about how it happened as they've been kind of giving the post-mortem on it, I think it's definitely worth a discussion here, maybe next episode or the episode after.
I'm into that.
Yeah.
Okay, I got a little quick one to wrap up on.
You know when you're standing at a like crosswalk intersection and you press the button and it makes a little beepy noise?
Yeah, of course.
Of course.
Beep, boop.
We're all familiar.
Last April, a hacker exploited like a default password situation on one of the central databases for this thing on the Polara crosswalk buttons, which are used in Silicon Valley across the United States, and replaced the beep boop audio file with deep faked audio of like Zuckerberg, Musk, Bezos, saying crazy crap about like AI and technology so that anytime anyone crossed to walk at the crosswalk instead of beep boop, beep boop, they heard Musk describing Trump as actually really sweet and tender and loving.
Well, first and foremost, I'm going to say that I'm disgusted by this attack because the beep boop is actually for people who can't see.
It is a major accessibility issue.
And as funny as you could take it to be, they created a risky environment that would be hazardous to people.
And I just can't get behind that as a well-natured person.
Sure, sure, sure, sure.
It's very high-minded of you.
It does raise an interesting question of does Jeff Bezos talking across the intersection
function in the same way as the beep boop, beep, boop.
I would imagine not.
I imagine you rely on.
You've got to imagine that some researcher spent millions of dollars of government grant money
figuring out the optimal beep boop.
Even if they did it, even if it's just a rudimentary beep boop, that people, especially with people with like, say, like a seeing assistance dog or something that would itself be trained on knowing I need to go towards that specific sound.
This got way more earnest and serious than I was expecting it to when I embarked on this story.
But no, let's really dig into this because you make a really fascinating point.
In any case, these like, there's official online manuals aimed at like the thousands of different technicians across the country who have to go and like do maintenance on these little buttons, describing how like the Bluetooth enabled version of this Polara model ships with a default password of, say it in the back if you know the words, one, two, three, four.
Be poop, beep, be boop.
B-E-P, B-O-O-P.
So the vulnerability was there.
Eight months before last year's button kind of hacking whole thing, there was a physical security vlogger named Deviant Ollam who posted a video pointing out how easily these things could be compromised.
Just fascinating little story to wrap up on.
I just looked up the history of these things.
Of the beep boop?
Of the beep boop.
Hell yeah.
So in the 1920s, some of the earliest traffic signals in the U.S. actually used bells.
Physical bell rang every time the light changed.
It wasn't specifically designed for the visually impaired.
It was more designed to wake up distracted drivers.
Yes.
What was going on in the past?
They're like people keep falling asleep in the intersections.
In 1928, Japan began experimenting with mechanical bells specifically to assist blind pedestrians.
But in the 1950s, they had evolved to a standard clanging noise to facilitate such crosses.
Sure.
You do go to other countries and you hear a different beep boop.
It's like clung-clong and you're like, ah.
I like that.
In the 70s and 80s, they moved to a more bird-related one.
So they actually had directional birds.
So it was a chirp for east to west and a cuckoo for north to south.
Yo, that's actually really cool.
In Australia and Europe, they had a steady ticking sound, which I'm sure you've heard.
You've well traveled.
It served as a locator tone helping physical push button box or helping users find the physical box before the light had even changed.
Hey, everyone.
I know that you listen to this show for security related stuff, but would you be down if we did some episodes that are just us going on crazy deep dives into obscure technology because, boy, would I be into it.
Maybe you could make a YouTube content.
Sick.
That's so interesting.
In the 1990 Americans with Disabilities Act, ADA, they did a lot more research into it.
They dug into it.
And they also found that the loudspeakers mounted were too high on the poles, making it difficult for users to determine exactly which crosswalk was active because, you know, sound is a wave.
And when you put the speakers really high, the wave distorts.
Exactly.
And it also, unsurprisingly, annoyed the neighbors.
Sure.
You pointed it over my fence.
Huh.
Yes.
Then they went and tried, they took away the ambiguous bird cuckoos and went to a, "the north crosswalk is now on."
Like they went to like an auditory.
But that has issues for people that don't speak the language.
Of course.
Interesting.
I also wonder if playing, oh, no, please continue.
Please continue.
Bringing us to essentially the present era where we now have these specialized systems with these beep boops.
And I will tell you, interestingly enough, they have noise detection apparently.
I did not know this.
They will alter their volume based on the atmospheric noise around them.
So if you're at a quiet intersection, it's actually much less annoying than if you're at a very loud intersection because it needs to jack up the volume.
Did not know this.
Fascinating.
Sorry?
No, no, no.
I can keep going.
I can't take us on a further tangent, though I have one.
Yeah.
I got one more thing to cover.
Lay on me.
You can go wild.
Recently, they've been adding smartphone connectivity, which is probably where this Bluetooth accessibility comes in because a lot of visually impaired people apparently use headphones and have specialized beacons that these things now communicate with, which gives them a much better signal than just the beep boop.
Yeah.
That's cool tech.
Yeah.
Okay.
We're engineering the problem out.
That's really neat.
Huh.
Yeah, I mean, don't hack these.
Like, they have purpose.
They're important infrastructure.
This is, oh man, brick wall of ending the episode and whenever I'm done saying this, because we can't tangent off this tangent.
There is a concept in the world of birding called playback, which is that you can try and get a bird to come out or come to you by playing audio of that species of bird as a bird call off of your phone and then the bird comes out.
It is.
Hunters have been familiar with this for.
It is naturally contentious because there's an element of like you're in a city and the bird's minding its own business and now the bird is thinking there's another bird around and what kind of effect have you had on the ecosystem of birds.
All of that notwithstanding.
I'm realizing that having these machines make bird sounds was probably just like, like a religious event for birds in whatever city that was in where they're like the number of birds just tripled, but they're robots.
And I don't know what they are.
Is the bird in the box?
I'm standing on the box and it's making the bird noise and I can't find the bird.
Well, here's the, here's the natural tangent from that.
Oh, please.
Are all birds robots, Jordan?
Thank you so much for listening to this episode of Hacked.
It's like, we'll talk about like Russian cybercrime, but it's just like, you're going to, you're going to attract some heat to us if you bring up this bird conspiracy.
If it, if it flies, it spies, Jordan.
If it flies, it lies.
Thanks for listening, everybody.
That was a fun one.
And we'll catch you in the next one.
Take care.
