Hacked - The Texas Lottery Courier App Scandal
Episode Date: June 29, 2025
A London syndicate used a phone app to buy nearly every combination in the Texas Lottery—and walked away with a $95 million jackpot. In this episode, we dig into how that happened, what it reveals about the modern lottery system, and a handful of other stories. Hacked is brought to you by PushSecurity.com. Check them out!
There's a small storefront in North Austin, Texas called Winners Corner.
From the outside, it's pretty unassuming. It's like a nondescript building on a quiet street.
And the sign out front, I found it on Google Maps, says board games, lottery, gifts.
You walk in the door and there's technically stuff for sale.
A few board games stacked near the register.
Under Texas law, lottery retailers have to sell something other than lottery tickets,
and this shop chose Monopoly.
In 2024, Winners Corner sold $179 million in lottery tickets.
That is more than any other retailer in Texas and more than the next 25 combined.
That is because Winners Corner is the physical front end for Jackpocket, a lottery courier app that lets users buy tickets from their phones.
The app handles the orders, the machines in the back, behind the monopoly boards, print all the tickets, and scanned images are sent to the buyer.
This is less a story about a security breach and more about a mathematical vulnerability in game design.
There is a fear that the lottery, one of the few forms of legal gambling in certain states, is a game with an aging out player population.
You need players to have prizes and young people aren't playing the lottery as much as previous generations, so that line has been going down.
Yeah, they're too busy sports betting online.
Literally.
In most states, that's so much more popular.
But in some states, the lottery is the only legal gambling.
So there's this desire to figure out how to make the lottery compete in that modern gambling world of sports betting apps.
And across the U.S., courier app companies like Jackpocket, lotto.com, and lottery.com are the answer to this,
trying to be like Uber for lottery for younger users who have never bought tickets in person to begin with.
And in Texas, where gambling is tightly restricted and the lottery is one of the few legal games in town,
this new breed of courier app helped push ticket sales past $8 billion in 2023.
In Texas, by the letter of the law, it's illegal to buy lottery tickets remotely.
The laws are pretty old.
They technically prohibit buying the ticket over the phone,
but like the spirit of the law is clear enough that these courier apps always
existed in kind of a gray area. In April 2023, the Lotto Texas jackpot had rolled over 91 times.
This had swelled to about a $95 million prize, the largest in more than a decade.
And finally, one evening in April, a winner. Lottery courier apps in Texas can't sell you a ticket
remotely. That contradicts the no buying over the phone rule. But what they can do is provide you
a service: to buy a ticket themselves and to enter into a contract
with the user to hold that ticket in trust and then give them either the ticket or the prize in
the event of a win. How is this different? A question they should have asked before April
2023. By automating the buying process, they created a vulnerability once the prize got over a certain
size that basically turned the lottery from game of chance into a math problem. Because if the
prize gets above a certain size and you can buy as many tickets as you want,
very, very efficiently.
There comes a point where the cost of buying out all 25.8 million possible number combinations
intersects with the otherwise astronomical cost of doing so, which is exactly what a London-backed
gambling syndicate decided to do to the Texas lottery once the pot reached this size.
Brilliant.
It's very, very clever.
Brilliant.
Using software, these courier storefronts and dozens of high-speed printers, they bought
nearly every one of the again, nearly 26 million possible combinations, skipping a handful
to avoid the chance of splitting the pot.
And by gum, the Brits, they won.
Shocking.
Shocking.
Math.
Math.
After taxes, the group walked away with $57.8 million.
They'd gamed the game and they'd done it technically by the letter of the law.
Texans were not fans of this.
The, like, Boston Tea Party energy radiating off of this was, like, potent.
This was the inciting incident of a story that reached something of an end recently after a massive fallout.
There were lawsuits, legislative hearings, investigations by the Texas Rangers,
the state's longtime lottery director resigned, followed by his deputy.
And recently, in 2025, the state formally banned all third party courier app sales.
At one point, they came within a vote or two of dissolving the Texas Lottery Commission
entirely.
Critics called this a heist in broad daylight.
The lieutenant governor called it the biggest theft from the people of Texas in the
state's history.
I found this fascinating.
A technology meant to automate playing the lottery to bring it to the youths being
used to automate gaming the lottery.
So we'll start here with the story of the Texas lottery courier scandal here on Hacked.
It's going to play that whole thing beginning to end.
I intended to have an AI red or like a we don't have to put this in but I there's a
JavaScript library that essentially is a music production suite and I intended to make a
like a remake of our theme song using vibe coding and this library and got distracted doing
other things so that's on me I do want to hear you were sending me videos of music that
people had vibe coded um which is just essentially
a fascinating concept of like if beat 16 play high hat like that that way of thinking about music
is so interesting to me and I'm I'm personally holding my breath for the vibe coded version
of our theme song is it going to be its own song or are you going to recreate the current one?
My intention was to recreate the current one but the problem became that not a lot of the models
are smart enough to listen to music and transcribe music. So I couldn't find an easy way to like
stylistically take our theme song, produce prompts to guide a vibe code.
So I think I might just raw vibe code it.
Just like,
Hey, here's the scenario.
We have like a tech podcast.
You know, please make me a JavaScript script that automates the production of what could be theme music and just see what comes out.
I'm going to swing the other way and do a version of the theme music on like a multi-track
tape deck recorder, like go full analog.
We'll throw a bunch of like tech spaghetti at the wall and see what the best version gets us.
AIs are pretty damn good at coding now, right?
Yeah.
Coding's logical.
It's mathematical.
It's music.
If you know, music theory, hook theory, it's very similar.
So like, AIs should be pretty good at making music.
And I think actually given a lot of the platforms that AIs make music, it is pretty good at making
music. So I'm just excited to try the code feeds the music and the vibes feed the code. I'm just
excited to build that pipeline and see what comes out of it. Or we strip down and just do the vamped,
ad-lib, acid jazz version that we do on mic of every episode of Hacked, of course, brought to the people
by Push Security. Of course. It goes without saying. Goes without saying. I want to talk about the
feedback we got from just our little tech chat the other day.
At the end of the last episode, Jordan, I just left our mics on and had the conversation
that we inevitably would have had with the mics off and left it in.
And we got an overwhelming, I'll put that in air quotes,
amount of positive response to that.
And I just wanted to let people know that, anecdotally, you have a lot of power over us.
It's true.
It's like Spotify comments, DMs, email.
If you take the time to reach out to us, we read everything, we acknowledge everything,
we pivot when we think it makes sense, and people like that.
So I think we're going to do more of that.
Yeah.
I think our next episode, we might just go Pure Hot Mike, just for the fun of it.
Just for the fun of it.
Just for the fun of it.
So today will be, I think, probably another combo.
I've got this story that I want to talk about because I recently was traveling quite a bit
for the old wedding season.
And I downloaded, I found one story about this.
And then as I was getting on the plane and I knew it was going to lose data,
I downloaded a bunch more information and sources on it and spent an entire flight
reading about it and then spent a good chunk of the trip reading about it and then
spent the flight home reading about it.
So I have, I want to dig into what happened in the Texas lottery because it's a fascinating
like game design story.
I think when we get back from the break, we'll just.
Let's talk about some stuff.
Let's get into it.
Before I pitch it back to you, I'm going to say that this storefront, that is the face.
Did you find it on Google Maps?
No, I didn't.
It's good.
But I should, I should.
The physical manifestation of this online gambling platform, I noticed this a long time ago in some of the podcast that I listened to.
A lot of them have betting ads, you know, stick pills, betting, beds, all the same.
cornerstones of the genre.
Exactly.
The,
they always come with like a warning label at the end and it always refers to some obscure
casino.
Yes.
And it's because the same thing's happening there where it's like all of these platforms,
no matter how big they are, have to operate statewide on like through partnerships
with these small gambling institutions.
So you've got these massive international gambling franchises that are,
They're like operating out of these like podunk casinos and like Nevada and stuff.
And you're like, oh, weird.
Yeah.
And not only do you have, so it's not only in operating inside of the state, as you said,
which is true, but you also have like interstate politics, which is the laws governing
gambling vary based on which state you are in and websites.
Geofencing is a famously easy thing to get around.
So now you have people gambling in effectively other states.
And the giant amount of legal turmoil that that creates, not just for the users, not just for the app front end, but for that otherwise normal sleepy little casino that is technically the license holder for that gambling website.
I think I talked about this in an episode, like maybe a year ago.
But I'm a big tennis fan.
I travel.
Go watch tennis tournaments.
Go to one in California quite frequently, which is geofenced away from online gambling, which is a pain because we like.
like to bet a little bit on tennis to make it more exciting.
But the thing that I always love is the people sitting in the crowd doing the real-time
like controlling the gambling environment around the game.
There's literally a person lazily plopped in a chair inside the stadium with a big
application in front of him who's turning the bets on, turning the bets off,
recording what had happened, recording if it was an ace, recording all the details of it to
fill the bet so that you can't be gaming the system with latency.
So you can't, yeah.
Sure, so that you couldn't have someone in the actual arena feeding you information that you could then
slip a bet in somehow before the official results got posted.
Yeah, because especially like TV feeds are often offset by eight, ten seconds.
So if the gambling headquarters were watching the games on TV, people on the ground would have
like temporal arbitrage to be able to put bets in knowing the outcomes before the platforms did.
And so they literally pay people to go sit in all of these stadiums and live record what's happening.
Kind of a sick job.
Yeah, call me.
Get at me.
You want to fly me out to some.
It would be so lost on me if it was tennis, but I would just show up in a fancy little outfit to record the results of a tennis match somewhere.
Every one of these people that I've ever seen do not look like fancy little outfits.
It's like they look like Russian mobsters.
I mean, that's a fancy outfit of its own.
Yeah.
Yeah.
Yeah.
Really.
But, but yeah, if you need somebody to do the Aussie open or Wimbledon, like, hit me up.
I'd happily go.
I know what all of the bet things are.
I gamble.
I bet on tennis.
Like, I'm a competent person.
I think you're going to like this story.
So the thing that got me on to this was this phrase I saw Uber for lottery tickets.
This idea that.
people still play the lottery, but over time, the line was trending down for a little bit.
There was a desire to figure out how do we get people that want to do everything on their phones
that don't want to go to a storefront and buy a piece of paper to gamble like it's the 90s,
playing the lottery, and especially in places that rely on the tax revenue,
and especially in places where that's the only form of legal gambling.
And as such, we get this suite of services, Jackpocket, lotto.com, lottery.com.
They have emerged to try and modernize traditional lottery.
They are not official lottery operators.
They're these middlemen that buy the tickets on the user's behalf
and then deliver the ticket or the prize to them
in a bunch of different ways depending on the size of the prize.
You log into a website or a mobile app.
You can order an official state lottery ticket digitally
and then you pick which game you want to play,
a Powerball, Mega Million State Lotto.
You pick the numbers or you can go for like a quick pick
just like going into a store, and you enter into this little agreement with the app.
You don't get issued the ticket digitally.
Instead, the courier system routes it to a human or automated, like, retail partner
that enters into that contract with you.
Each courier service has to have that license, brick and mortar retail outlet in every state
it operates in.
Jackpocket has the Winners Corner that we talked about in Austin.
lotto.com uses a little, tiny little storefront called Players Cafe.
They're these massive businesses with these teeny tiny little retail brick and mortar front ends.
It's very, very funny.
Wildly profitable tiny retailers.
$179 million out of this one little shop.
And it's printers in the back.
Printers and monopoly boards.
It's wild.
They all work slightly differently.
Jackpocket generates like a high resolution scan of the actual ticket and delivers it to the user's app.
lotto.com just skips this and gives you the numbers.
The important part is that they have to physically secure the ticket and then store it in a secured
vault on behalf of the user.
That ticket has to exist physically somewhere.
It's not purely digital.
There's a piece of paper.
Or to claim it, you need the physical thing.
Exactly.
Then if you win to claim it and to facilitate that payout, there's different ways it works.
If the prize is below $600, they typically redeem the ticket on the person's behalf and just
credit it to the user's online account.
If it's larger than that, there's typically a process of delivering that physical slip of paper to the user securely in some way.
Insured mail and in-person handoff depending on the size of the prize.
It's very, I'm editorializing here.
It's very janky and weird and slapdash and different based on the state and the context.
It's nebulous.
It's a weird, like I'm just thinking about it as like a business process problem.
Like what kind of headache it would be to be like, yeah,
we sell 176 million sheets of paper a year and we have to keep them like notarized and filed and secured
and recall has to be 100% or else we're going to get sued.
Yep.
It's like the, it's like a data storage business more than it is anything else.
It's data storage.
A hundred percent.
It's physical data storage of pieces of paper that potentially represent huge sums of money
that the user has a document of.
So you can't even say, oh, we don't know.
it's like no they have proof of receipt so it doesn't matter if like the winner's corner in north
austin burns to the ground you've entered into a contract and you are liable so we get into like
what size of physical fireproof safe can store this many lottery tickets it's that kind of a
problem for for 95 million bucks right i'm getting on a plane and going to austin picking up my
physical ticket myself and taking it to the lottery office like ain't no way a
you're getting that. Oh, completely. And you kind of have to go to them in that case because
let's say you wanted to be the pushy customer and say, no, you bring it to me so I can get back
on a plane and fly to Texas and redeem it because this is geolod. Which is another major feature of
these apps is that like they need very good geolocation APIs because there is again interstate
legal differences for how gambling is moderated. It's theoretically legal in some states to gamble in
their lottery from outside of state, inside of that state of which it might be illegal to
gamble in another state's law.
Like, it's, these apps sit in this weird tangling knot intersection of a bunch of different
laws and tech jurisdictions.
It's really interesting.
It's the, starting a tech business in this space, it just seems like it's such a regulatory
nightmare.
Like, I'm sure it's wildly profitable and they figure it out.
But it just like, I know when it comes to gambling,
alcohol, any of the sins, you know, the regulation handbooks are like regionally dependent.
They're federally enforced. There's so much. It was like when marijuana shops opened in
Colorado and they couldn't even take their money to the bank because the banks were federally regulated
and still considered it a crime. And it's like just such an insane thing. I think that might,
someone in the comments flag if I'm wrong about this, but I think that might still be the case in
the states maybe, that because it's not still federally legal and banks are still federally
administered, it's still very, very difficult depending on where you are operating a cannabis
business, not the topic of this episode, to use traditional banking for your business. So you end up
having a lot of like, you know, safes and basement type situations for like big businesses.
Well, yeah, but back to gambling, like Jordan and I live in neighboring states,
Canadian provinces. I'll call them states for our American listeners.
We actually share the same oversight in our gambling, the Western Canadian
Really?
Yeah, WCLLC Liquor Corporation. I think it started as booze and alcohol regulation and then
moved into gambling. I think it's a liquor corporation. I don't know. A quick Google
would tell me, but I'm not worth doing it. But I can't redeem a British Columbia lottery
ticket in the same lottery. So like if it's the same draw, I can go to Vancouver to see Jordan
buy a ticket, bring it home to Alberta, and I can't redeem it or scan it. If I want to claim it,
I would have to fly back to British Columbia to redeem it, even though it is being operated,
executed, and regulated by the exact same corporation. Hmm. Yeah. Yeah, that same weird,
like, okay, so there's an imaginary line and the law changes radically based on which side of
with potentially huge outcomes, obviously the case in the states when it comes to this stuff.
One of the few two states to explicitly legalize and license these apps early on was like New York
and New Jersey were early adopters.
They passed regulation to let you legally register these services.
Jackpocket became the first one in 2021.
There's a bunch of different requirements to meet the standards of being allowed to do this
geo-fencing inside New York.
In states like Texas where this all went down, that longstanding law prevented,
lottery sales by telephone, didn't, you could interpret that law to apply to internet
and orders and you could interpret it in such a way that it doesn't apply to internet orders,
which is kind of what happened. It was pretty confusing for years. The Texas Lottery Commission
simultaneously claimed that it lacked authority to regulate or ban these services, effectively
allowing them to operate in a gray area, even as this law preventing remote sales over the phone
was on the books. It's very odd.
The way it works in Texas is you get this regular retailer license, often by just opening up a small convenience store and then you sell the tickets via the app via this courier service app.
The commission didn't initially impose additional rules on them.
They were just considered a retailer selling lottery tickets like any gas station until this 2023 bulk buying fiasco forced Texas lawmakers over the course of the next two years to explicitly ban these courier apps and to
threaten any physical retailer who even like cooperated with them.
I don't know what the outcome of banning the apps is going to do.
Like when something becomes a numerical guarantee, like being able to make $57 million
by investing $28 million or whatever the numbers were, $26 million, even if the British private
equity guys got to get on the plane and fly to Austin, for 50 million bucks, they're going to do it.
Yeah.
You know, so it's like banning the app is not going to solve the problem.
Like you've created a mathematical guarantee of winning.
Even if it got split, they would have only made what, like 14, 15, 18 million?
Yeah.
And the odds of a split are vastly less than the odds of a win given a six number string set.
The much easier solution, all this is increase the number of numbers that you play with in the lottery.
Yeah.
That's looming over all of this for me is like you have massive fallout.
You have maybe we don't have the lottery.
have all these big existential questions. And there's like, or nine numbers. You don't even need
nine. Yeah, you could go to seven. You can literally go to seven. So just to speak to our heritage again,
the Canadian main lotteries were six 49, six numbers, 49 possible outcomes, like six digits,
one to 49. That was how lottery used to be. We still have that lottery, but the payouts are often
much less. We now have what's lotto max, which is just a seven number lottery. And the payouts are
usually often $70 million because it rolls over all the time because there's so many potential
combinations that the probability of winning can sometimes take, like for a lottery that gets drawn,
I want to say two or three times a week, sometimes it can take a month to get a winner.
So it's like you only need one more number to just grotesquely expand the state space of
potential, like, you know, the state-based potential numbers that could be chosen.
And you've still insulated yourself where the total number of tickets, even though it's the
same roller with this total number of tickets you would have to buy to guarantee a win as they
effectively did here is still so astronomically high that those lines on the graph won't intersect
in a practical sense. And you have still some kind of a lottery. You don't have an easily
gamifiable system.
Yeah, like seven.
You crunching those numbies?
Yeah, you are.
I did it backwards.
I did it backwards.
Yeah, there are 86 million potential outcomes at 7, 49 choose 7.
Interesting.
So that's quite a lot.
So there's the math side of it.
And then there's again, the state level side of things.
And I want to keep, I want to move on, but it is worth talking about that.
there's a bunch of ambiguities outside of the math when it comes to the state lines.
State statutes often require tickets to be sold at a licensed premise, which brings up this
weird question of like, if a player orders on an app from home, who is the actual seller
and where did that sale occur for legal purposes?
Like Colorado's state auditor noted that under the courier model, it might not be clear
who is selling the tickets or where they're being sold to.
Like a player might reasonably assume I made an online purchase and therefore a different set
of laws and regulations exists, then if they technically made the purchase in a physical store
in a place they never set foot in. And this ambiguity and clarity creates like weird law enforcement
issues when it comes to age and location. An investigation in Texas found that lottery.com,
the courier, and they will come up again later, had sold over 500,000 tickets to out-of-state players
blatantly violating state laws that the tickets only be sold to in-state customers.
This occurred in 2022, which would suggest that Lottery.com's controls on geolocation were in some way flawed or circumvented by the user base.
And the fallout of that, this is important to the story, was pretty intense.
Lottery.com's app was pulled from the app stores.
Its license was suspended and its executives faced separate fraud charges.
There was unrelated securities charges.
Lottery.com got in a lot of trouble, and I want us to all remember that for a few minutes from now.
Yeah, given how much time is spent on re-geolocating our digital devices, it's like how much, like, they have to be so far ahead of it.
Like I even know, like, when I'm traveling, sports betting, a lot of TV platforms, like if you're like an F1 fan or if you're trying to load like any kind of digital streaming.
platform from your home country.
They only have rights for that content
in your home country.
So it becomes this like, oh, I'm on the road
and I want to watch this tennis match.
And it's like, oh, I can't actually use these apps
because they don't own the rights
for that content to stream where I am.
So then you kind of have to geo-relocate
to where you're supposed to be.
And then all of a sudden it works again.
And it's like this, that's a real,
what am I trying to say?
I'm trying to say that's a really fast moving target
and a big liability for these companies.
and I'm sure it's part of the risk planning.
It's also a very low barrier of technical entry
for compromising a system with like millions,
if not tens of millions of dollars on the line,
which makes it really, really interesting
that you have like, hey, lottery.com,
why did 500,000 people buy lottery tickets from you
from outside of this state when there's explicitly a logger instead?
And you know that because you use this geo-fencing technology.
But the other thing I'll shoot back is like,
I can fly to Austin tomorrow, walk into a corner store and buy a lottery ticket.
And I'm not from there.
Literally, there's no, the barrier to buying the ticket is literally no different.
It's just that there's some arbitrary antiquated law that requires me to be physically present at the point of purchase in that, physically present in that state while I make that purchase.
It is arbitrary at the scale of one ticket for sure.
Yeah.
It has nothing to do with residency.
requirements, has nothing to do with anything.
And I'm just going to keep going because I think that when you're talking about regulations
and stuff and all of the complexities around this, I think it's largely based on the fact
that U.S. lottery winnings are taxable.
In Canada, they are not.
So the states want their percentage of tax.
So if you're a Florida resident buying a ticket in Colorado that has a higher state tax and you
win, they don't want you to redeem it because they want their percentage of tax.
portion of it where in Canada it's even more arbitrary because we don't have tax on lottery
winnings. So it's like, who really cares where you are? I think that there's something, there's the tax
thing, which is a practical economic benefit of having the win occur inside of the state where
the money was fed into the lottery. And then there's kind of just like a spiritual defeat of we poured
all of this money inside of our state into this lottery and then who won it someone completely
outside of it.
Like, there's just almost something about like a Texan winning the Texas lottery that I think
matters to people.
I think that's part of why people got so mad.
Like, the money sucked, but there was just something really icky about.
We wanted one of us to win.
Bingo.
Yeah.
And instead, enter Bernard Marantelli, a British bookmaker known for launching
the betting startup Colossus Bets and his financier, I want to make sure I get this right,
Zeljko "the Joker" Ranogajec,
a reclusive Australian billionaire famous for exploiting gambling systems at scale.
These two people, fascinating characters, there's quite a bit of experience in high volume,
statistically optimized betting, often targeting systems whose odds could be bent with enough
money and math and time and resources.
And in the Lotto Texas, it would seem they spotted something of a target, relatively low odds,
25.8 million possible combinations and no legal caps on ticket purchases.
And then third thing, the existence of a digital courier system that made bulk buying feasible.
You take all three of those things, pretty good odds, no cap on ticket purchases,
and a remote system for purchasing these.
And you've got this sweet spot where once the prize gets above a certain point,
funnel money at it and you can win this thing.
Remember how we spent a little bit of time talking about how in 2022,
Lottery.com kind of got wrecked after their own little scandal of selling all those tickets
out of state a few minutes ago. Guess what courier company that had recently regained its
retailer license and was struggling after that massive fallout was more than happy to facilitate
the dump truck of sales that this would require. Could you imagine being like a person working
there and getting a phone call being like, hey, I need to speak to somebody about buying $30 million
in tickets. I want to kick back on the retailer kickback. And you've just gotten the license back
and people are like, if you're going to make a $26 million purchase, you know that the retailers
get a percentage of each ticket. So like I would negotiate that. Be like, I'm about to spend
$26 million. You get 5% of it. That means you're going to get, you know, whatever, $1.3 million.
I would like $300,000 of that back. Like, I'd negotiate that if I was about to do a $26 million buy.
You wouldn't be alone in that.
And you're going to be furious at the numbers you hear lately.
Because I would argue that that opportunity was maybe not taken advantage of to its fullest,
which is an interesting twist in a situation where it feels like a lot of opportunities are being taken advantage of.
So using dozens of terminals across Texas to print nearly, again, every possible combination that used QR codes were sort of at the heart of the automation.
In order to do this, lottery.com actually had to request dozens of extra, like in order to just fulfill this order from this British gambling.
They had to get extra lottery ticket terminals, which the lottery's vendor rushed to install at four of these makeshift like front end locations, including a warehouse and a defunct dentist's office that they spun up.
And these terminals were operating like simultaneously in parallel and were just printing tickets around the clock for three days.
The bottleneck would have been manually entering numbers.
So instead, it was quite shrewd, they had an automated system generate QR codes for each possible combination,
effectively creating these little bet slips that instead of having to take the time to type it in,
you could just scan it with a camera app and it would speed up each one of those.
And then they had crews of staff, including family members of children,
using smartphones to scan these QR codes into the machines,
achieving an output of over 100 tickets per second.
aggregated across the different terminals.
They purchased 99.3% of all possible combinations for the lottery.
They deliberately omitted a small fraction of combinations like 1, 2, 3, 4, 5, 6,
certain birth dates to minimize the risk of splitting the jackpot.
And all of those printed tickets were stacked in labeled boxes
so that the winning combination could be located afterwards.
They needed to be able to actually find it in there.
Let's hang there for one sec, because that seems insane to me to omit a fraction of the tickets because probably like probabilistically they have the
same probability as winning as any other number granted there are distributions and people do
analysis on this stuff like there are numbers that hit more frequently but to leave
imagine you lost because you cheaped out by $70,000.
You didn't pick a birthday.
I didn't quite get that either.
I don't get why you would rather not,
I don't get why you would rather a guaranteed loss for a marginal savings
than the terrible possible income of splitting the pot and at least making some of your
investment back.
Like to me, that would seem like a hedge.
I didn't get that.
It came up in multiple pieces of reporting that they avoided certain numbers to avoid a pot
split.
And I don't get why.
I don't get why either.
And I never saw that commented on in all the reporting.
Like, either I'm missing something there or they know something.
I would guess that the high stakes international gambling boys of the Commonwealth
know something about lottery gamification that I don't, but I didn't get that either.
That would be my, like I assume we're missing a piece of the data that these professionals
did not.
I'm sure there's a reason why they didn't do it.
It wasn't to save, you know, a couple hundred K.
A little bit.
A hundred percent.
And open the risk window up to losing it all.
Yeah.
So you end up at the end of that with this massive dump truck of lottery tickets, indexed in boxes, ready to go on the day.
The lottery happens.
It's rolled over multiple times.
The prize is swelled to $91 billion.
And sure enough, the syndicate's ticket hits the jackpot.
It was the sole winning ticket.
So crisis averted.
They claimed the $90 plus million prize anonymously via a Delaware LLC called Rook TX
and took a lump sum payment of $57.8 million,
yielding an estimated profit of about $20 million
after all of the expenses of doing this scheme.
Lottery.com, the courier whose tickets enabled all of this,
earned $264,000 in commissions from the massive sales volume.
That's lower than I would have expected, honestly.
It's simultaneously a lot of money and not nearly enough for the heat
that this all threw off.
I think that's not enough money for what happened here.
Like setting up, like getting a month lease on a former dentist office,
bringing people in, running 24-7 crews for $250K doesn't, it seems like it is still, yes, a lot of money.
But I would have assumed it would have been bigger.
Like if I was them, I would have negotiated a percentage of the winnings.
Which I'm guessing is just flat out illegal.
Yeah, probably.
But said about the company that was just, they got their license back from the previous illegal thing.
Courts deemed that illegal, I think I can say that.
Like, yeah, it's all very odd.
People did not like this.
It came up pretty quickly who owned this company and there was a lot of fallout.
At the time, Texas lottery officials sort of publicly stated a belief that a feat like this was impractical.
And they said, quote, this caught them kind of by surprise.
guys. In reality, there were warning signs about this. The New Yorker piece about this that
recently came out due to the sort of recent bannings, I highly recommend you read it. It centers
on a character, a lottery watchdog named Dawn Nettles, a woman who by herself publishes
something called The Lotto Report, which is a small regional publication focused entirely
on the Texas lottery. She's like the bulldog kind of hero who had been like big short style,
like banging the pot being like there's a problem someone's going to game this look at that
british australian weird gambling tag team they're about to game this oh wow they did she was the one
she was the one warning that an out of state group was attempting to screw every player and retailer
that was playing the game um executives at a rival courier lotto.com alerted the lottery director
a week in advance as this whole thing was being booted up saying that like they learned about the
terminal request and they pieced it together and they're like the optics of this to the Texas
lottery is going to be atrocious if an outsider wins this local jackpot. It's going to set us all
back. Please stop this and it forged ahead regardless. The then director approved the extra
terminals. It's a free market. It forged ahead. Two years later, this all kind of had been like
boiling, boiling, boiling, boiling in the aftermath and blew up into a full-fledged scandal.
Texas's lieutenant governor decried it as quote the biggest theft from the people of Texas in the history of Texas, likening it to like a big robbery.
That's a little over the top. A little train heist. It's a little train heist. It's a little train heist. It's got a good Texas energy to it.
There were investigations launched by the Attorney General and the Texas Rangers. The Texas Lottery Commission's leadership is upended, the longtime director, a guy named Gary Grief. Gary Grief. Great name. Abruptly retired. And his deputy,
a guy named Ryan Mindell, took over to resign a few months later amidst criticisms that he too was part of all this.
Until just recently at time of recording. In 2025, the commission does this about face and bans all of these third party courier app sales in Texas.
They immediately revoke any retailer license found to be assisting these couriers.
They pass bills to criminalize online ticket sales and threaten to abolish the lottery in its entirety if it could not ensure its integrity from this type of thing happening.
What's interesting about all this is that at the time this occurred, this bulk buying scheme appears to have been legal under the then existing letter of the law.
They cashed out.
They cashed out.
So like they got their money.
Yeah.
So it's like nothing prevented it.
No.
There was, they, they knew what they were doing.
This was all totally legal.
Like it was gamification.
It was a vulnerability in the game design, not in the law.
And that's a very, very important, seemingly trivial distinction, but a very important one when you have like $95 million on the line.
Yeah, sure.
It's the Pepsi Harrier jet problem.
Couldn't put it better.
Deep cut, but couldn't have put it better.
Yeah, yeah, yeah.
I don't know if you ever like chase the rabbit holes, gone down the rabbit holes in regards to like people that game points systems, credit cards.
Yeah, yeah, yeah, yeah, yeah.
Points guy.
I love that stuff.
Yeah.
Like I haven't looked at it in like decades, but like I have a friend that was
into it. And I was just like, like, I guess, like, if you need purpose, like, this is a fun
thing to do to like... Like a game. Like, yeah, yeah, the return on your investment of time is really
quite low. You should just go get another job. But, but, like, I don't know, I just think
it's a fun game that some people like to play. And I'll never, like, knock that, you know,
as somebody that, like puzzles and stuff like that. But it is such a weird world. And, like,
this to me just makes total sense. Like, if you've got a probabilistic certainty that you're
going to win and you will and the the the risk becomes at what probability do you split or split
three ways and like only cover your costs or not quite cover your costs but then you look at the
risk reward portion of being like yeah but if we don't split how much you know we make yeah
20, 30 million bucks. Yeah, to me, to me this is like, I don't know, like, lotto's set
up to be like this. And if you're smart enough to recognize it and to have the ability to pull
together the capital to execute on it. And so it was like, they did. They got with it totally illegal.
Like the fallout was huge. A bunch of people got in trouble. Totally. As a result of the Texas
lottery courier app scandal, but it was not the people that won the Texas lottery. Totally.
I was going to say the one thing that does stand out to me
is that the outcome is always the banning.
No more of this.
This is again just like a knock on effect of the technological revolution.
It's like all of our governance and governmental and policy systems are based on a world
that just no longer exists anymore.
And it's like this is forcing them to all catch up.
Look at what Airbnb is going through.
Like it's pretty much ruined affordable housing in most urban metropolis.
It has not helped.
Yeah.
And the response now is governmentally just banning it.
Like you, the province, i.e. state that Jordan lives in has a statewide ban on it now.
I think it's only approved in like a small handful of like hyper touristy places, but that's guaranteed to go too because the same thing is happening like in the province that I live in.
the cost of living in those tourist towns was already so high.
And now that like an apartment can rent for $700 a night,
you know,
makes it economically much more viable to be rented as a short-term rental
than to rent it to a small family working hospitality jobs for $2,000 a month.
So it's like it's just, yeah, we just,
our world's moving and it's only going to keep moving faster than we know how to
respond to. Yeah. And like, like housing, very different than housing in almost every way
that counts. But similar to that is you also just have like the cultural context of how people feel
about the thing. Like there's a lot of anxiety about housing in the places where we live. And weirdly
in Texas, like the relationship with gambling is a very fraught political issue. That New Yorker article
spends a lot of time talking about that where it's like, you have giant schisms over things like,
like something like gambling.
It's like, are you the kind of person that thinks that, no, freedom, liberty, you should
be allowed to gamble if you want to, or are you the kind of person that thinks that it's a sin
and it should be illegal?
Like, that's where that cultural line sits there.
And then you have something like this where a British guy and an Australian guy game that
thing that you already think is a sin and make off with tens of millions of dollars of money
from mostly Texans.
It's really, really interesting.
Yeah.
Just on the topic very briefly, and we should move, we should kick over to ads, but after I finished reading about this, struck by the fact that this was technically legal, I went looking at other lottery compromise type situations to see.
And they're overwhelmingly not.
And that's kind of what makes me find this so fascinating is that they were able to exist inside the letter of the law while circumventing it, whereas previous ones have failed to do so.
There's a guy in, from 2015 to 2013, a guy named Eddie Tipton.
He was the information security director for the multi-state lottery associations.
It was his job to protect the integrity of the lottery draw.
He wrote a secret back door into the random number generator software used by several
state lotteries.
And the code caused the machines to produce predictable numbers on just three dates per year.
Even better.
A pattern that only he and his accomplices knew so they could go out and across Iowa, Colorado,
Wisconsin, Kansas, Oklahoma,
routed through people
on these special specific days
knowing this random number prediction
to go out, buy tickets
over this stretch of time,
just sneakily in the background,
they collected just shy of $20 million.
It didn't unravel until 2010
when he was caught on a gas station
surveillance camera,
buying a winning ticket himself in Iowa.
That was what ended up falling apart.
He told a story about what it was, but a forensic audit of that random number generator revealed the unauthorized code, which they then were able to look at the winners on those three specific dates that all unraveled.
But so many of the other stories of lottery compromises are that kind of thing.
And I found it so fascinating that like this hack worked because it was not illegal.
It was like, no, there's a vulnerability here, but it is not a legal one.
Yeah, you use the word circumvent.
And it kind of sounded like you meant circumventing the law, but they didn't circumvent the law.
They just circumvented the like system.
Yeah.
And I misspoke just now.
It was the law.
They didn't.
There was no vulnerability.
The vulnerability was on the game design side and in the law, but in different directions.
Yeah.
Yeah.
I feel like if you've got a situation where your possible combination count is lower than the prize pool, like if the cost of playing every number is lower than the prize pool,
you need to run, it needs to become a special event of something.
Like maybe then you, like you were saying, add another number.
Bingo.
Split it up into two separate pots.
Like you need to do something to dole it out a fair way.
Because if it's like who can say no to mathematical certainty of like a high probability return of a lot of money?
Like these guys couldn't.
And like I don't judge them for it.
Like good for them.
If I told you that guarantee.
if you just go bet, like, you would mortgage your house if you had this level of mathematical
certainty.
The most risk-averse person, it becomes rational to do this.
100%.
And that's sort of what these two guys did professionally was sniff out those mathematical
certainties.
Anyway, should we kick it over to the ad pool?
I think it's time to head on over.
And then we can chatty chat when we're back.
Identity attacks, phishing, credential stuffing, session hijacking, account takeover.
These are the number one causes of breaches right now.
But most security tools still focus on endpoints and networks and infrastructure.
And meanwhile, the browser, the place where all that stuff is really happening where people actually work, that's been mostly ignored.
Push changes that.
They do.
They've built a lightweight browser extension that observes identity activity.
In real time, it gives you visibility into how identities are being used across your organization,
like when logins skip multi-factor, when passwords get reused, or when someone unknowingly enters
credentials into a spoofed login page. Then, when something risky is detected, Push enforces
protections right there in the browser, no waiting, no tickets, no compromise. It's visibility
and control directly at the identity layer. And it's not just about prevention.
They monitor for real-time threats like adversary in the middle attack, stolen session tokens,
and even newer techniques like cross-IDP impersonation, where the attacker bypasses SSO and MFA
and registers their own identity provider.
Think about it all taken together.
It's sort of like endpoint detection response, but for the browser.
Yeah, and the people behind it, amazing.
All offensive security pros, published tons of research, came on our pod, talked about
their software, their backgrounds, or everything.
They break down exactly how these things work.
And yeah, they are great.
So definitely check it out.
Identity is the new endpoint and Push is treating it that way.
Check them out, pushsecurity.com.
That's pushsecurity.com.
During the ad water slide,
I was sliding into thoughts about
if you're a lottery, your gambling corporation
that relies on random number generation,
how is the random number generator code not... reviewed frequently, highly analyzed,
you know, MD5 hash to make sure that it never gets changed in the background.
Like, how is there not multiple levels of security to make sure that nobody mucks with the random number generator?
Like, to write code in there that would be specific enough to only become predictable on specific dates would be actual code.
Like, you'd be able to see that.
if you were reading through the source code,
that surprises me the lack of code control.
I don't know why,
but I was just thinking about that during the ad break.
Sure.
And we should move on because we've subjected people to enough lotto talk.
But I think...
Support the arts, buy lotto tickets.
Support the arts buy lottery tickets.
Not an official endorsement.
But you're saying that as the person
who would be in charge of that.
And to me, that thought of, wow, this random number generator is really quite deeply important to this whole system,
is one path you could go down,
or you can go down the path with $20 million at the end of it.
And as long as you don't buy a ticket at a lottery station,
it would have seemed that was working for a long.
That path was taking him to $20 million.
I can easily see how you could make money going down that path.
Okay, different point.
I'm just surprised that there's less corporate controls that prevent that path from ever happening.
Sure. I think that that is reasonable.
Yeah. Anyway, to move on.
To move on.
The other day, you and I were talking about this 16 billion credential leak.
16 billion credentials, not dollars.
We've been talking about money so much.
Let me, I've got to give the prefix for this.
Yes.
Somebody that Jordan and I work with threw this up on Slack and was like,
everybody should change their passwords.
Like, there's all of these passwords in the,
in the dark web.
Like, they know all of our passwords.
So, like, go reset all your passwords.
And I immediately, like, fired Jordan a message.
And I was like, this is,
I don't know, this isn't meant to be rude,
but it was comical to us because we spent so much time
talking about this, preparing the show,
making the show.
Yeah.
We just inherently know that every website
has been compromised,
their entire password list has been fed into some massive directory that you could purchase on the dark web.
To me, that's not new news.
No, that person was right to use it as an excuse for everyone to do a good audit of their passwords
and their multi-factor authentication.
All that is good and well and true.
What's fascinating about it is the headline, you know, this sort of, the narrative that was
spun around it.
One of the largest data breaches in history is 16 billion user credentials.
They're now online.
And you hear 16 billion user credentials and a quick gut check of that goes like, well, there's 8 billion people on Earth.
So even assuming that only some subset of them are on the internet and most of them have probably a lot of accounts, I have to assume some of my accounts are in there and it begets urgency because if there's a new leak of that many, even if I knew I wasn't in one of the old leaks, at that scale, I must be peppered in that new one.
It was a cybersecurity news outlet, Cybernews, revealed this discovery, talked about this massive
set of credentials that have been exposed on the internet, billions of usernames and passwords,
stored in a format that's associated with a very common info stealer malware, like a little
piece of malicious software that steals, you know, sensitive information from infected devices.
It is worth talking about this because there's a, there's a clarification about this massive
credential leak that is warranted.
This was not a new breach.
No.
No.
No.
Researchers, a couple of different places have confirmed that these credentials,
like most of these credentials, the vast majority, had been previously leaked, stolen
over years going back.
It's an aggregator.
It's an aggregate.
Yes, these are from info stealers and credential stuffing attacks and a bunch of different
data breaches.
I'm guessing most of which we've talked about in this show.
but they'd been circulating for months and years.
And what happened here was they were collected by a threat actor or security researcher.
We don't know where it came from.
But this was existing information that was collected and repackaged into this ginormous data set,
where it was then shared freely on the internet and Cybernews discovered it.
We found ourselves here.
I'm going to throw you a hypothetical, Jordan.
Please.
you're the vice president of marketing
for a password manager.
Is this not the greatest thing you've ever seen
when Forbes
like all of the major news articles
start running this massive thing
about how all your old passwords are compromised?
Because it's true.
Like even like we run a
like if you go back to listen to an episode
whatever it was five problem with passwords,
I talked about like having tiers of passwords.
I've since moved entirely to a password manager.
have massive unknowns for every account.
And it makes my life so much easier.
I just hope, for the love of God,
that my password manager never gets hacked,
which a few have.
My password manager has the ability
to look at all of these breach lists.
Have I Been Pwned?
It's obviously the big one.
And it tells me what accounts
have problematic passwords.
And any of the accounts that get flagged
are the ones running my passwords
from episode five
because they've been around long enough.
Funny.
And the funny thing is
is that they're all on accounts
that I never use
and most of those websites
don't even exist anymore.
So like when I go through
to clean up my dead password lists,
half of them were like forums
about synthesizers
and like stuff that like I was into
at that time and I had an account on it
and I put it in like a really garbage password
that I use my lowest tier of password.
And yeah, sure.
It existed in 60 places and at least 10 of those have probably been compromised over time.
And now it's just publicly available.
Like I could almost tell you, I could almost just read out.
I'm sure somebody, some fan will go in and look up, find my emails and be able to go in there and tell me what my old passwords used to be.
It wouldn't be hard.
Yeah.
They age out.
Like that's a good way of thinking of passwords is at a certain point a password just simply ages out because somewhere down a line, some
breach or compromise happened.
But it is important that when we see a headline like 16 billion, you know,
credentials leaked.
There was RockYou2024, had nine billion.
There was Collection #1, which is 20, like whenever you get one of these, it is,
it is worth.
And you don't want to understate that passwords are still a huge vulnerability.
And credential identity theft is like, that is how most of this stuff happens.
But it is not 16 billion new credentials event.
entered into the world.
Exactly.
It is that there is constantly this aggregation and collection process that is unfolding
between bad actors, researchers, curious people.
People make these collections and those collections get out in the world.
And that is what has occurred here.
So to go back to my hypothetical, you're the vice president of marketing.
Sure.
What are you doing?
What are you doing with this information?
I'm probably making a blog post that reads roughly like what we just said, which is couching this in context, which is that, I mean, you could go a lot bigger than a blog post, but the sensible thing to do is like there was this event that occurred.
Here's what it is.
And it is a reminder that all this information is ever presently sloshing around on the internet.
And that's why you want a password manager.
Like, the threat is different than that headline characterizes it, but it is still a good reminder of the threat.
Yeah, well, for me, like, I'll flip it back on myself.
It's like, this isn't one compromise.
You know, it was Sony here and this blog over here, this forum and this and that and Instagram.
And, you know, it's thousands of compromises that have led to this treasure trove.
and there's no better justification for a password manager than that.
If every password is unique to the site that it's used on,
then does it really upset you?
Because the big thing is,
is like cross usage of these passwords.
You know,
if I see that Jordan uses this password,
and then I go log into his email using that password and it works,
even though, you know, Google Mail or whatever might not have been compromised,
if you're reusing your password.
Sure.
Voilà.
All of a sudden, I'm into your email,
which is, again, as I've described,
a keychain because now I can just reset all your passwords from there
now that I have control of your email.
Yeah.
Yeah, I mean, it's-
Bitcoin scams to all your friends.
Yeah.
It's the tiering of passwords thing that we always talk about.
It's like you have to think about
what is the top of that pyramid in terms of vulnerability.
It's like,
totally.
All these accounts are not created equal.
This one can turn into a compromise for this one,
which can turn into a compromise for this really special one.
So you have to like work your way backwards.
Hack yourself in your own head.
Yeah.
And then secure against that and then just do that over and over again.
And I hope you're good.
So if this comes out and I'm VP marketing, I'm, I'm loving this.
I'm reallocating our annual marketing budget to this quarter.
And I'm riding this stuff because this is like I've personally converted three people in the last two weeks to using password managers.
And it's not even because of this story, but I'm sure it's because they passively read something on the internet and they asked me a question about it because they know that I know about it.
And I'm like, yeah, you should definitely use one.
Like one of them, a friend of ours from Chicago who was just staying with me, he'd asked me a simple question about it and he wanted to give it to his entire family because I told him that honestly one of the gifts that I often give nowadays is an annual subscription to a password manager.
It's like, I give those out as, like, presents. And he did the same for his family. He looked up how
much a family plan cost and it was way less than I expected. It was like four bucks a month or something.
And I was like, yeah, they're table stakes. It doesn't matter which one you use, there's so
many of them, but the basic idea that, like, now you have these very long randomized passwords for
every single one of these things, like, it's table stakes for existing on the modern internet, I
would say. I do. And I think we talked about this recently, but I do love, like, I just reset a few
passwords the other day. And one of the passwords that I entered into, it was PayPal. I reset a PayPal
password on one of my PayPal accounts. They had a maximum character length. Really? And I was like,
you were PayPal. Like, you were a money service. Why do you have a maximum password length?
Is there any technical reason why that, like? It shouldn't. Okay. I was like, I'm trying to think of,
like, is there some galaxy brain thing of like, oh, it passed a certain point.
It could be a vulnerability if you were able to do.
Like, is there any technical reason you can think of why that's good or is it just bad
for a company like PayPal to have that?
Like when you put something through a hashing algorithm, it comes out as equal length.
So it doesn't matter what you put in.
Sure.
You could put in a 4.8 gigabyte text file.
Sure.
ISO and it'll come out with like a specific fixed length.
Yeah, right.
And it's like, so why do you care what?
length my password is if you're,
it implies that you're not using
hashing and then if you're not using some kind of
hashing algorithm, what are you using?
Like typically, if it wasn't PayPal,
I would just assume that they were saving it
unencrypted and that they'd set the field length
to a specific number, which is terrible security.
But we've talked about so many things
where it's just like, oh yeah,
there's just a plain text file.
Maybe the file was encrypted, but inside of it,
it wasn't.
And it's just like, that's come up so many times
on this show.
I'm sure that is not what PayPal is doing.
No, definitely.
It's PayPal.
Yeah.
Like my bank is connected to it.
An international banking institution for all intents and purposes.
Like, yeah, it's PayPal.
So I was shocked.
I'm pretty sure it was PayPal.
I should put a flag in there that if it wasn't PayPal, please don't sue me.
But I'm pretty sure it was PayPal.
Yeah.
Come on the show and talk about security and we'll proudly correct that.
Interesting.
Dodgy.
Dodgy.
Anyway, password managers.
Use them.
Password manager.
Use them.
Reset your passwords.
Go to Have I Been Pwned and see all the times you have been pwned.
Look up all your emails.
I wonder if I go there now and look up Scott at Hack Podcast, what comes up.
Anything else exciting happen?
I feel like I've got a bunch of things ready for our next, like, I don't have like notes
and stuff for me, but I just have like, now,
next chatty chat episode. Like whenever I read something I'm like, I'm going to talk to Jordan about
this, I want his take on it. I have a chat with myself in our team Slack that is just basically
a list of links I want to talk about. I'm very excited for the next episode to do a true chatty chat, no
prescripted, did-a-bunch-of-research story. We're going to try being just a hot mic podcast just for the fun of
it. I think one thing that I would like to just have a, if we're going to go into the, like, talk
about what we care about.
Yeah.
We recently talked about how Apple was way behind in the AI war.
Yes.
And it's a bunch of news coming out that Apple might be buying Perplexity.
And you're a Perplexity.
And you're a perplex.
Wow, I can't say that word.
Yes.
Yes, you can't.
I really can't.
And I'm pretty good at saying words.
And you are a Perplexity user.
I am.
I am.
As I discussed earlier in the episode, I use Perplexity for on-flight research and stuff.
Yeah.
Yeah.
16 billion?
Am I making that up?
Or am I just taking the number that we used from the credential link?
I think there was a discussion around Apple might be paying upwards of 16 billion for Perplexity.
It would make sense.
I can't speak to what the rumored price would be.
I had seen Apple, the people talking about that Apple, like Perplexity could make sense
as an acquisition for Apple, who seems to be struggling with the development and implementation
of their own LLM's generative content, not that Genmoji aren't the future of computing or anything, but there's a story there and
maybe some acquisition of a bunch of talent and pre-existing tech could be really cool,
and maybe a Perplexity is the thing.
I also saw rumors that Meta was sort of like buzzing around them a little bit,
but they seemed to have a little bit of a better toehold on the tech.
Meta?
And this is, Meta was apparently going into OpenAI and throwing just insane amounts of money
at senior people.
Oh, to try and draw them away, sure.
Yeah, one of the news articles I read about that was that they were offering some senior people
$100 million signing bonus to come join me.
Yeah, exactly.
I'm watching Jordan's eyes get huge.
Like an involuntary response at the size of that.
And that has to be like a psychological thing to be like, oh, the head of that department
went over to Meta.
That tells a story to all the other people that maybe that's the place to go.
Because I cannot imagine that one person can provide that amount.
The crazy part of that story isn't that Meta is trying to buy talent because they see the market opportunity is going to keep growing.
It's the fact that I didn't read of any successful conversions.
So like what's going on at OpenAI when somebody's coming up to you and like handing you a blank check to come join and make a boatload of money.
And you're saying, no, I'm good.
Oh.
Yeah, so there's a few ways you could go with that.
One is disinterest in working at Meta.
Could supersede financial compensation in some way.
That's a lot.
100 million pays for a lot of ethics.
I would agree.
But I'm just drawing out the space here.
Yeah, yeah, yeah.
I simply don't want to work at Meta so much.
There's something about OpenAI's compensation model,
be it the stock, the crazy trillion dollar valuation.
And maybe not for profit that they are?
Maybe there's a path to a similar amount of money.
And they're going, you know what?
I'm going to stick on this road.
It's been working really well.
So there's not wanting to be at Meta, a financial reason for wanting to stay at OpenAI.
And then there's the R slash singularity.
Oh, no, they've invented God in a basement.
And they're about to release.
Like that level, AGI.
And there's that.
There's the kind of crazy sci-fi conspiratorial direction, the money direction,
and then the inverse money direction.
And I don't know which it is.
You've got to assume, like, and this is just, you know, we are in the chat bow,
but like you've got to assume that the $100 million signing bonus is to offset
employee option value.
Yes.
So like if you've been around for a long time, your initial option stola was at like
20 cents a unit and that $20 million valuation.
Now OpenAI is valued at TBD.
No, no.
Lots.
Yes.
Sam Altman seems to be
like at a generational level more gifted as a fundraiser than anyone a lot if I would say.
He has proven to be the person that can raise money in a way that I can't think of any contemporary to.
It's it's it is as not I'm not going to say as remarkable of what they've achieved technically
because they've achieved some stuff technically that's pretty damn remarkable.
But boy, is he good at it.
But also like if you've just given a $6.7 billion signing bonus to Jony Ive.
Yeah. Like how much money do you theoretically have an enterprise value?
So yeah. Anyway, that's what I forgot where we were talking about,
Perplexity, Apple, we got to OpenAI. I just want to jump back to Perplexity because as a
Perplexity user and as somebody who's been building AI, agentic systems frequently and
commonly these days, something I'm quite into,
Perplexity is just an agentic wrapper. And it's a really,
really good agentic wrapper, but like there are, it's a, like, I feel like I could build some of
the basic Perplexity functionality, not in a deployable production ready enterprise way, but like
in, in like a couple weeks. So it's like, I'm not sure, like they don't have their own models.
They're definitely going to have a lot of consumer. I think they do have a few of their own
models, but if you're a Perplexity user and you pay for it, you can frequently choose. You can
frequently choose which models you want.
And the models that get used are the standard ones,
the Anthropic models, the OpenAI models,
the Google Geminis.
So it's like they've literally just built a platform that's better than the default
chat that wraps around those models anyway.
And it'll say that like that gap is shrinking.
Like Gemini has gotten very good.
OpenAI has launched deep research.
Like deep research started as like an open source project.
And it's like I can go fork that branch right now.
build off of that and probably build a lot of Perplexity-like functionality pretty quick.
In the last episode, I made a big swing that for Apple, letting the LLM that a person interacts with be
a customer choice and giving those hooks into the system might be how Apple steps into the
AI world.
And that kind of maybe makes a lot of sense with Perplexity,
they're like, oh, we're not really worried about the model.
We're worried about the hooks and the user interactions.
It's like, yeah, yeah.
That's kind of what they might be doing.
A super gifted team to be like, here is iOS and macOS.
Yeah.
Where do we hook this in and how do we best hook it in?
Because I will say Perplexity has done a great job of that.
Like there and there are agentic systems.
Like the Perplexity Labs thing, it will write code to generate me charts and graphs.
Like I'll be in the
middle of like make me a document on this so I can learn about it on the plane. And you'll be
watching it go through doing all the subset research and like gathering all the pieces and
structuring the document. And then it'll want to show me a bunch of visuals and it'll write
a bunch of Python scripts that output PNGs. I'm like, cool. Pretty good. Pretty good. Like they've
done an exceptional job at it. So it's like I could see I could see Apple finding value in that for
sure. Because the thing for me is like when I look at Apple Intelligence and its implementation on
my phone and my computer and my iPad, I don't see it. It's not there really. Not currently.
It's like sure, it might like I'll open up a message to send you a message on text and I'll get
this little rainbow text strip and it takes me longer to close it. Like I just don't even want it there
because that's not what I was going to say. It's never it never guesses what you want to see.
write the text summaries are comically bad.
I have more screenshots of those that I've sent to people of what their text was summarized as being like, this is how I receive.
It's like, and I think I've just turned them off at this point.
It's not, it's not good.
So yeah, maybe that's maybe that is what Apple's identified as their like weakness because I could see that because I don't love how they've integrated intelligence.
From the sounds of it and the research that I've done, their back end teams, like the
Apple ML people, the MLX people, seem really good. I think that they're really pushing the right
direction with that, with the foundations models platform and the micro models that they're fine
tuning that will actually run locally on your devices. Like I think they're... Great ideas. Yeah,
I think they're moving in the right direction in a lot of those things, but the actual user experience
piece has been, I would say, like not good. It's been rickety. And then meanwhile, ex-John,
ex-Apple person, Jony Ive, you'd mentioned the $6.5 billion acquisition of, so OpenAI purchased
the hardware startup co-founded by Apple designer Jony Ive, $6.5 billion, a very weird multi-million
dollar rollout video about them being friends in San Francisco. Kind of cute. It was a whole thing,
dominated a little tech news cycle for a minute here. And then last week, this must
have stung. OpenAI scrubbed all mention of I.O., the hardware startup that they actually purchased for
$6.5 billion from their website, including the announcement, including the nine-minute video that I
referenced due to a court order following a trademark complaint from a company called I.O.
About their name, I.O., spelled differently. But I'm just imagining what it must feel like
to spend $6.5 billion to get to...
to release a nine minute mini documentary about you and Jony Ive bumming around San Francisco.
Yeah, having a glass of wine.
Having a glass of wine.
And then getting a court order and having to just quietly take it all down.
Oh, that's gotta sting.
And here's the thing is like the,
their proposed, like all of the leaks and chatter about what they're building,
like the little iPod shuffle that goes on your neck.
Yeah.
Google XR glasses, the Apple glasses, Meta's, the Ray-Bans, they just launched Oakley
Oakley Meta glasses.
I don't know.
I just feel like without vision, like without some form of visual interface, there's
going to be so much deficiency in the potential output that you could get from the AIs.
Like I could see like the, I don't know if you're getting, I'm getting flooded with gross online ads for Temu
AI bracelets.
Just listen to everything that you say all day.
Funnel it to an app on your phone.
Funnel it to an app on your phone,
which feeds it to an LLM
so you can ask questions about it.
Like, oh, what did Jordan say about this?
What did Jordan say about that?
And like the last thing on the planet
that I would ever buy.
But the,
I just don't see as much value in that
as I do in something
that's helping me interact with the world,
not just paying attention to me
interacting with the world
and coming out with it.
Yeah.
It feels like what it's going to be is a big software innovation,
that they bottleneck behind a piece of hardware that everyone collectively,
all three, two, one in unison goes.
That could have just been an app.
Like that seems like where this is going.
Yeah.
Is that the hardware is like, well, no, but it now it's closer to you so it can hear better.
And there's a camera, so it's watching.
And it's like, my phone does have all those things.
Totally.
Maybe there's something magical about wearing a necklace outside of your shirt.
And then you get into a whole, like, I don't know.
but it really sounds like it's going to be that OpenAI rolls out some kind of agentic life
assistant-y type piece of software that's probably very, very good.
Oh, for sure.
That they bottleneck behind hardware.
Like that seems like what this is going to be.
It's like, yes, if OpenAI made a phone, this would be on their phone, but it'll probably
be hidden behind the paywall of a piece of very slick Jony Ive hardware.
So I looked at Perplexity's valuation just for
interest.
14 billion is a rough internet approximation.
And then I was like, I wonder what OpenAI's is.
OpenAI's rough internet approximation of 300 billion.
Yeah.
300 billion.
300 billion and they spent 65 billion on this.
I'm so, we're going to follow this hardware thing because I find this.
6.5.
Oh, 6.5.
Oh, 6.5.
Sorry.
65 would be insane.
I misspoke.
Not that 6.7 isn't insane.
It is.
For a 30 person company.
Yes.
Yes.
You're paying for Jony Ive.
You're paying, like, he's an extremely good industrial designer.
Credit, like, obviously.
Iconic.
Like, Jony Ive, hooray.
$6 billion?
My God, you could buy the Bauhaus school.
Yeah, yeah, yeah, yeah.
You could get all the designers in the world.
So maybe there's some massive technical innovation on that hardware that none of us are
seeing it.
It truly is an iPod moment type thing.
Like, I don't know, right?
But probably an iPhone moment is a better
analogy there. But maybe, or it was a really expensive video.
$200 million per employee. Is my math right on that?
Six point. That would be more than the Meta $100 million acquisition cost.
Yeah, true, true. But yeah, just an insane, insane money. It's going to be fascinating to see what
happens. And here's the thing. It's like we talked about earlier in the story about lottery is like
the government's going to have to step in and regulate and respond to this at some point.
And as they do, it will be two to five to ten years later than it should have been.
We could point to crypto for this. We could point to Airbnb for this. We could point to so many
different things. But they will step in eventually. And it's like, what is the next 10 years going
to look like.
And that one of these companies going to do is going to be wild.
Well, we'll talk about this in the next episode, the pure chatty chat.
But there have been a bunch of Disney v. Midjourney-esque lawsuits that have culminated
in the last two weeks.
And then as that's happening, some rumors of a Disney plus OpenAI collab.
So the rubber of intellectual property versus intellectual property eating AI models is starting
to get, it's starting to get real, real hot. I think that's definitely something that we need to
talk about in the next episode of Hacked, brought to you by Push Security. I think that's another
one in the bucket for now, though. I agree. I agree. See you guys next time. We'll catch you in the
next one.
