Hacked - The Treasure Hunt
Episode Date: September 1, 2022The story of the hunt for a couple million bucks in lost crypto. With Joe Grand AKA Kingpin from the L0pht. Check out Joe's YouTube channel: https://www.youtube.com/c/JoeGrand/featured Learn more abo...ut your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
I mean, I'm an equal opportunity hacker.
Back in 2018, a guy named Dan Reich and his buddy decided to buy some crypto.
They buy $50,000 US worth of a new token called Theta.
They shuffle that crypto around a little bit before eventually transferring the all-important keys to a physical hardware wallet.
The idea behind a hardware wallet is actually pretty simple.
Instead of you holding a copy of the private key that lets you control all that crypto,
or storing that key on the servers of a crypto exchange,
you can store those keys on a physical device,
a little thumb drive-style machine protected by a pin.
So you could have a massive amount of money that is protected by, you know, a simple four-digit pin.
That's not, Dan, by the way.
That's Joe, who we're going to meet in a little while.
As long as you have that hardware wallet and you keep that pin secret, only you can access that crypto.
It's almost like keeping something really, really valuable inside of a combination safe.
You obviously need the safe and you need the combination.
So the value of those theta tokens they bought then did what a lot of crypto does.
and it crashed, down to half of its value, and then it spiked, and then it crashed again.
And eventually Dan just said, yeah, I want off this roller coaster.
Let's cash out.
But his friend, ironically a professional poker player, which would suggest having a very good memory,
had forgotten the pin.
So they start guessing.
and guessing trying to get access to their money.
Anytime where there's a pin or password or something a human has to remember,
generally if they don't have it written down somewhere
and assuming if that paper might get thrown away, which happens often,
people forget their passwords and they're pins
and they can't get access to things,
especially when you think about cryptocurrency.
You know, like if you're using your bank card and you have a four-digit pin,
you're using that pretty often.
A lot of people are buying cryptocurrency and then sitting on it, hodeling, as you might say, and they don't use their pin very often.
So you set up the hardware wallet, you enter your pin, throw it in your safe or wherever, and then say a year from now or two years or five years or ten years goes by and then you want to access your cryptocurrency and you don't remember your pin.
But this hardware wallet where they stored the keys, a Treasurer hardware wallet,
has two very important security features regarding that pin,
that combination to the safe, so to speak.
First, every time you guess wrong,
the amount of time you have to wait until you can guess again doubles,
which is inconvenient.
But second, and this is the important part,
if you guess wrong 16 times, the wallet would erase itself.
And the only copy of that private key to all that crypto vanishes.
So Dan and his friend guessed, and they guessed, and they guessed about a dozen times.
And then they stopped, lest they erased the only key to what was still tens of thousands of dollars.
stuck in this weird limbo in possession of a seemingly uncrackable safe but not of the combination to that safe.
Call it a really hard one lesson.
Call it a very expensive story.
Until around the end of 2020, when all that theta did the other thing that crypto sometimes does.
and it just went to the moon.
From a low point of about $12,000, it starts to climb in value
until Dan and his friend had at its high point
about $3 million locked inside of that little device,
which is, I think we can all agree too expensive a story.
So they started looking around for a safecracker.
We're joined today by the seven members of the loft.
A brief aside, there's this really cool footage of the first congressional hearings focusing specifically on cybersecurity.
It happened in May 1998, and in it, the seven members of the loft.
A hacker think tank in Cambridge, Massachusetts.
Testified in front of Congress about really just the idea that all of the computers we were building more of our,
infrastructure on are vulnerable to attack.
Due to the sensitivity of the work done at the loft, they'll be using their hacker names.
And one of those first publicly televised hackers went by the code name, Kingpin.
Like any good crew, they all had kind of a specialty, and Kingpins was hardware hacking,
electrical engineering, the physical stuff.
The kind of person who could take apart a machine
and just figure out how it worked.
Good morning. My name is Kingpin.
I am the youngest member of the loft
and one of the electrical engineers and hardware hackers.
While some of the loft members concentrate on software programming,
I work with hardware design and implementation of electronic circuits.
Kingpin's legal name is Joe Grant.
And in the decades after that Senate hearing, Joe went on to have a storied career as an educator, a TV show creator, and a hardware hacker.
So in 2020, when Dan Reich went looking for someone with the electrical engineering and hacking knowledge necessary to crack a hardware device that sole purpose is to be uncrackable, well, all roads led to Joe.
I'm formally trained as an engineer because when I was a kid, you couldn't make a career being a hacker.
Like it wasn't even an option.
I mean, you could make a career being a hacker, but you probably would eventually get in trouble for it.
So I'd always wanted to be an engineer.
And then on nights and weekends and after school, I was a hacker, right?
So I was able to see both sides of that, and that's exactly it.
It's like the design and the reverse engineering or the undesign are really two sides of the same.
It's just how you approach the problem.
It's estimated that people have lost track of roughly 3.7 million
or about $80 billion worth of Bitcoin alone.
Electrical engineering never used to be that useful of a skill
in a treasure hunt, but now it suddenly is.
So Dan and Joe made a deal.
And Dan got on a plane to Portland with a little hardware wallet
worth a couple million bucks in his pocket
to meet Joe Grand in his home lap
to see if they could crack the treasure inside.
And that's the benefit of being a hacker
is like every chip in a system
may have some sort of weakness
undiscovered or already discovered
that could be exploited in some way.
So it's just a massive landscape
of fun physical things to mess with.
This is the treasure hunt.
here on Hacked.
So Joe Grand has gotten into YouTube.
He makes these really, really well-produced YouTube videos
about these hardware hacks that he does.
It's where I got a bunch of the audio
that I'm using in this episode.
You should definitely check his channel out.
But because of those videos,
now Joe gets a lot of emails from people
who have lost access to their crypto looking for help.
But back in 2020, when all of this started,
He wasn't really known as a guy that can hack crypto hardware wallets in the way that he is very publicly known for that now.
And he gets this email from Dan Reich outlining this situation.
Back then, it was not an email he typically got.
But I got one that somebody had lost their pin for their Treasor 1 cryptocurrency Harbor wallet.
And it was just a very well-written email.
You know, it was well thought out. They had clearly done their research. They knew what research was out there already. They knew what my skills were. So they'd clearly done some investigation before reaching out to me, which is hugely appreciated. You know, like a lot of unsolicited emails I get. People haven't done their research. And they ask questions about things that are completely online already, things that I've already put online. So yeah, this email just struck me as being something that I should maybe investigate a little bit further.
And so I reached back out.
And the first thing really I wanted to make sure is that they were, you know, that this guy was
legit.
I wanted to know his story.
I wanted to have a Zoom meeting so I could actually see his face, see his surroundings.
So Joe gets on the horn with Dan.
And he learns a little bit about him.
Dan is technical.
He's trained as an engineer.
And he really understood the risks of going into a project like this, of trying to crack a
piece of hardware like they're trying to do.
If we go back to that safe and combination metaphor, it's almost like whatever is inside of that safe is extraordinarily delicate.
Dan understood that, first, this is kind of doing surgery on a piece of hardware.
You're prying it apart manipulating it in ways that are dangerous enough that you could theoretically lose the information stored on that wallet just by trying to access it.
If you took one wrong turn in this process, the money could vanish.
And second, he understood the amount of research and legwork that goes into a project like this.
Because hacking a hardware wallet in a way that has never been done before isn't a try on plugging it and plug it back in kind of problem.
It is a dedicate couple months of your life just resource.
searching this problem, kind of problem.
So he kind of understood the risks of going into this project,
the fact that we're physically tampering with his device to try to extract these,
you know, the recovery seed out of it to get access to his cryptocurrency.
So it really was like this perfect scenario.
Because I think a lot of times people don't necessarily understand the,
how hard hacking is.
Whether it's hardware or software or whatever, like the legwork that goes into this stuff,
can take months or years of people banging their heads against the wall to find something that works.
And then you usually only see the end result, right?
You only see this success.
You don't really see the whole thing.
And luckily, this particular attack that I was using had already been done.
It had been proven that these types of devices can be hacked.
The problem is those were public presentations that only had to be basically done once on a device
to prove the device could be hacked.
But it wasn't robust enough or to the point where the risk was reduced enough to make me comfortable doing it on a device that actually had a huge amount of money on it.
So that was the legwork for me is taking that existing work and then trying to, first of all, understand everything I possibly could about the attack for my own personal education.
And then trying to figure out if I could reduce the risk to a point where it would be suitable for Dan to fly across the country with his device and us try to have.
hack it. Joe goes out and he buys three of these treasurer hardware wallets and he starts to experiment.
Joe wasn't the first person to try and crack these things. So there were some public case studies.
There were some giants whose shoulders he could try and sit on. Publicly given talks where people
had found different vulnerabilities. But again, as you have different versions of wallets with different
versions of firmware installed on them, each situation is just different. So he's looking to the way
this has been done, but he's trying to apply it to what he is very specifically trying to do.
It's almost like a lawyer looking for precedent in legal texts or a doctor pouring over
medical case studies. Yeah, I mean, that's a great point. It's kind of thinking about,
you know, doctors reading medical studies, right? And you kind of learn how a test may
worked on a certain population and then you have to take that and apply it to your own patients.
So I think the research is hugely important. I mean, part of the beauty of the hacking community,
at least what I grew up with is if you discover something, you share it with other people
and whether it's full technical details or at least showing some high level process, but letting
people know that that's possible and then people take that and build on it and maybe somebody
writes a paper, maybe somebody gives a talk, maybe now somebody makes a video,
But it was all about sharing information when I was a kid, you know, for bragging rights,
but also for inspiring other people to then go and do something with it.
So the sharing of information is what makes, to me, what makes the hacker community so special,
is that information sharing through these hacker conferences, through these presentations and videos and things.
So the research part and seeing what other people had done up to that point is hugely important.
And it's something that if you skip that part, you're basically recreating the wheel.
Right.
If you don't know what's happened in history, you're going to waste a lot of time reinventing those things.
And yeah, I mean, it's the first thing I do every time I work on a project is the information gathering, the research.
And there's nothing wrong with building on other people's success or building on their failures, right?
Understanding what their failures are.
So Joe has his three wallets.
and he has his case studies, and he starts to dig.
And remember, whatever tactic he ends up figuring out,
it can't be like a brute force thing
where you guess the pin over and over again,
because you only get so many guesses
before that device wipes itself,
which is how Joe arrives at a technique called fault injection.
So we basically couldn't use just like a brute forcing the pin
because there was the pin counter and that would erase it.
What we ended up doing is something called fault injection
where we're basically causing like a very quick kind of brownout
of the core voltage on the CPU
that basically causes the chip to kind of skip over an instruction
or return an invalid response to that instruction.
Something that kind of screws up the internal logic of the chip.
And if you do that at just the right time
while the chip is verifying if it has security enabled or not,
You can downgrade the level of security and then continue on with an attack to try to extract the recovery key.
And that essentially you have unlimited tries.
So he's testing this technique.
He's testing it.
He's testing it.
And eventually, I was able to unlock the device and downgrade the security.
He was able to unlock the device.
Hooray, right?
But even though he had gotten in.
But it turns out that I had corrupted something in the flash memory itself.
So once I had downgraded security, it never reset.
So that just proved how unpredictable things are.
Like if I had corrupted the memory in a way that instead wasn't beneficial to me,
but in a way that could have locked me out forever or even worse,
erased the contents of the memory, those are the types of things that you just don't know
what's going to happen.
When you're dealing, you're basically dealing with physics at this point and hoping that,
you know, something misbehaves properly, not misbehaves improperly.
and it's totally a crap shoot.
So Grand is trying to troubleshoot this problem in his approach,
and he's experimenting and iterating,
and eventually he stumbles into this new solution,
inspired by all the case study hacks that came before,
but still uniquely his own.
It had to do with this specific version of firmware
that he figured Reich probably had installed on his wallet.
And with this specific version,
of the firmware. For some reason, during the initialization of the treasurer, when you plug it in,
it copies your recovery seed, your private key information from its non-volatile area of the chip,
so in flash memory, into RAM. And RAM is a volatile memory area, meaning if you remove power,
those contents go away, but RAM is also much faster to access. So I'm not exactly sure why that
information was copied into RAM, but that was a key part of our attack.
If he could glitch the device at the exact moment, he could downgrade the wallet security
and read the RAM where all of the good stuff he was looking for was temporarily stored.
And since all of that important info was just copied into RAM, there was less likelihood of it
getting accidentally erased than the other techniques he tried.
But, and this is really, really important, it required
thousands of attempts to get the exact timing to find the exact moment that would let him
downgrade the wallet's security. Using automated software, it was hours, just waiting.
With no guarantee that because it worked once, it would work again.
With no guarantee that because it worked on Grand's tests, it would work on Dan's wallet.
The funny thing about this is that later, when Joe told him,
Trezer about all this? The response from Trezer basically was like, oh yeah, we know about default
injection and Joe did that attack on an old version of firmware, 1.6.0. So they were kind of downplaying
the end result. But the reality is, first of all, most people are not going to upgrade
their firmware of their device because you're going to load the cryptocurrency on it,
you put it away, and then you forget about it, right, until the value goes up or until you need
to access it and you get it back.
So just like people forget their pins because they don't use it, they're not using their device to do firmware updates.
I also know from experience that I don't want to upgrade by firmware until it's been tested and proven by other people, but it's also really inconvenient.
But the technique that Grand had cooked up, it was hopeful.
Enough hope that it was time to try with the real thing.
enough hope for Dan to put the wallet in his pocket and drive to the airport and get on a plane.
Joe told him to try and not let the hardware wallet go through like the security scanner
just in case, God forbid, there was some sort of electromagnetic glitch with the microcontroller.
But airport security did not care what some hacker told this man and they made him scan it anyway.
And it was all fine.
Dan made it across the country with the wall.
wallet intact and in hand.
You want to do it?
You're going to do the hand off?
Yeah, yeah, let's do it.
Okay.
Okay.
Wow, there it is.
All righty.
Thank you.
So now that I have it, you're not allowed to touch it, right?
Great. I don't want to touch it anymore.
It's in your hands.
This is it.
Millions of dollars on this exact treasurer wallet.
And we're going to, uh, we're going to hack it.
It was time to get to work.
Joe Grant's home lab is cool looking.
It's a full-on electrical engineering lab.
It's what you would expect.
Lots of hardware and little boxes full of capacitors and gizmos
and very intense-looking microscopes and tools.
And the two of them, they hunker down.
And Joe takes him through this process.
Here's Joe from his YouTube doc again.
So, yeah, let me give you a rundown of, like, the whole setup
just so you can kind of get a feel for the process
and what we're seeing.
Joe briefly outlines the tactic.
He shows all the different key.
he's going to be using to do this, and there's a bunch of it, because you don't really run a hack like this by connecting the thing to a USB port and starting to type.
You really tear the machine apart with scalples and solvents and soldering.
We need a way to power cycle the treasurer over and over and over again.
In order to power cycle the treasurer, I'm using a device called the phi whisperer.
We're just using it to power the device on and off.
This glitch only works if we glitch the chip on power up.
So it's something where we have to turn the device on, try to glitch it.
If it doesn't work, turn the device off, turn it on.
Once power to the Treasor is applied, we want to try to defeat the security check at exactly the right time
to trick the chip the chip into thinking that we have access to it, when in reality we shouldn't.
To do that, we use a tool called the Chip Whisperer, and we're using an attack called a fault injection or a voltage glitch.
That basically means that we're trying to force the chip into misbehaving in some way that's beneficial to us.
Joe had told his kid about this whole project over the months he'd been working on it,
And the metaphor that his kid came up with was pretty fun.
When Miles, my nine-year-old came in here
when I started doing this, I'm like,
it's kind of like when you're glitching a video game.
Yeah.
You know, and like you find, somebody finds some bug
and you can skip the level or do whatever.
He's like, oh, so you just have to get the timing right
to do the glitch.
And I'm like, yes.
So Joe has explained to Dan what he's going to do.
He checks that the treasurer has the right version
of the firmware for their glitch, which it does, which is good.
which means that all that's really left to do
is crack this thing open.
Okay, should we do it?
First up, there's a coating that protects the components
but makes soldering a good connection really, really hard.
So he has to go in with a little chemical brush
to wash all that coating off,
get everything as clean as possible
so he can create good, solid connections.
He checks his work under the microscope
and everything is looking good.
Next step,
he has to remove these little capacitors.
The capacitors make it hard for him to glitch out the chip,
and the risk at this stage in removing them is that he'll pull off a little bit of the circuit board.
So he gets in there and everyone waits, but Joe is able to remove them.
Now all he has to do is add the external connectors that let him rig into his hardware,
and they're off to the races.
You can tell I'm nervous. You're like cool and collected and I'm sitting here like tapping my feet.
When Joe was cooking up this hack, way before Dan arrived,
he was just spending hours and hours staring at his screen
as the automated software tried over and over again waiting for a result.
So after a while, Joe decides to save himself all of the just staring,
and he programs a little alarm.
I didn't want to just stare at the computer waiting for it to just say, succeeded.
And the sound he used from the classic film hackers was...
So I'd added in a little text to speech thing that said hack the planet.
When this works, you'll hear hack the planet.
Which is a throwback to the hackers movie in the 90s and just something that was a little bit
tongue in cheek but also like pretty funny.
Everything is ready for him to launch his hack, to let it start looping and testing and
testing until it does or does not work hours later.
So now we wait. This is it. It's the
police steak out. Yeah. We sit here and eat donuts and then a couple hours later something good
happens. So they order pizza. Joe gets vegan pepperoni. Apparently it's pretty good. And they wait.
Should we take bets on how long it's going to take? I'll say it goes it's going to go within
within an hour, then one hour. I'm going to say it's going to be between three and four hours.
Joe Grand is an educator. He teaches folks about hardware hacking and I asked him,
kind of about misconceptions.
What's the most common misconception that his students are occupied by?
What's the thing that he tells them that you can tell is really shifting some core understanding they have?
Yeah, probably the most common one is people don't realize,
especially engineers who might be coming into the class,
trying to learn how a hacker approaches hacking something,
is they go, wow, I didn't realize that somebody could actually use that against
me. Right? So there's a lot of things on circuit boards that are put in place by the engineers,
by the manufacturers to make their job easier to make the manufacturing process more
reliable and robust and better yields. And we can use those things. So we're looking for test
points and debug interfaces and markings on the board that could give us some clues about what's
going on. All the things that the engineers and manufacturers put in there that they use during
development and manufacturing we can use also.
Conveniences are footholds.
Everything that makes life easier for the person making something
makes it easier for the person trying to hack it.
Every shortcut a creator takes is a shortcut the hacker can take.
And I'm certain the people who design Treasur hardware wallets are smart as hell,
a lot smarter than me.
But the question isn't whether they're smart.
The question is, what does?
did all of these very smart people do to make life easier for themselves?
And could Joe, over his months of just taking this thing apart,
identify those shortcuts?
That's the big question.
And the answer came exactly three hours and 19 minutes later,
stomachs full of vegan pepperoni.
There's like nothing to do.
There's literally nothing to do.
And right as Joe is like shrugging back in his chair.
And he says,
This is torture.
The computer says,
And they were in.
Yes.
I'm like, this is torture.
What they found.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried.
A signal missed.
An SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding.
building security operations from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of
experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic
agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate
the critical decisions and keep everything trustworthy. And all of this is just off running on
their secure operations graph. A constantly updating intelligence engine fueled by more
and nine trillion telemetry events every week and over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually
looks like, go to Arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded, and most importantly, what businesses can do to fortify their
defenses for it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders
are responding, and what strategies can help you stay ahead of the next big breach.
It's not fear-mongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
hours and three hours and 19 minutes, which is right within that sweet spot.
I asked Joe the obvious question, really just how did it feel when that little hack the planet
audio clip played when the first step of the hack worked?
I don't normally get like really excited about things and I'm not a very like publicly like,
you know, blah type of person. But this was really one of those times where I was legitimately like,
oh thank God, like it actually worked.
Like, this is so cool.
But this wasn't in the bag yet.
This hack the Joe cooked up was actually a two-part process.
The first part, the part with all the waiting, that had worked.
But there was still this other question.
But that was only the first step.
Like, that proved that we could downgrade the security,
but it didn't show us yet that we actually had the contents that we were trying to get to.
And that was the next phase of the attack.
that we didn't harp on too much in the video,
but that was equally as nerve-wracking.
Now Joe had to run an external program
to extract that RAM and see if what they were looking for,
the pin and the key, were actually there.
Now I'm going to run the external program
to extract the RAM.
Now Joe had to run another program
to extract the contents off the RAM
and to see if what they were looking for,
the key, the pin, the importance,
stuff was actually stored there.
Okay, we've successfully copied the RAM out of the device.
Now we can run strings and look at that file which has been sucked off of this
device. So we're done with this hardware. If the contents are in the RAM, we have it
on my computer right now. I'm so nervous right now, you don't even understand. I don't
know if you can see like sweaty palms, sweaty palms.
There's no long pause this time, no dramatic tension, just a process to run and a result.
the pin and the key, the combination to the safe, or not.
Months of work for something or for nothing.
So Joe hits run on step two.
All right, okay, ready?
And the three and a half hours from step one is compressed down to a second and a half.
And step two...
Three, two, one.
works.
Which is the whole plan.
The plan worked.
The number appears on the screen in front of them.
They found it.
It found the treasure.
Oh, that actually reminds me.
Can you pay me now?
Yeah, that's awesome.
And the four-digit pin that the professional poker player and Dan had forgotten.
You could see it right on the screen.
One, two, five, one, four.
We did it.
It was actually five digits.
There are plenty of famous cases about this topic of people losing a lot of money in crypto.
There's this famous one right now, this Welsh guy who threw out a hard drive, he says, has like I think a half a billion bucks worth of crypto on it.
He is currently proposing to comb through a landfill somewhere in Wales.
Again, there is $80 billion in lost Bitcoin alone.
And Joe Grant, Kingpin, is uniquely acquitted.
to find that treasure.
Also, I use both treasure hunting and cracking as safe as metaphors in this thing, which is
sloppy.
But anyway, but even though Joe Grand is uniquely equipped to hunt treasure, he's not a treasure
hunter.
He's a hacker.
So he doesn't go where the treasure is.
He goes where his curiosity leads him.
From a hacker perspective, it maybe would be worth it.
But then, again, it comes down to allocating where do I want to spend?
my time and what do I want to do? Like, I have a list of stuff I want to work on that isn't about
breaking cryptocurrency. It's just about doing fun things. And then it's like, okay, when I have
time, I have to kind of prioritize what stuff is what. But yeah, I mean, security really is like
it all comes down to is it worth somebody to hack that device? And what are they getting out of it?
And what value are they getting out of it? For a long time, I associated Joe Grant with that
1990s Senate hearing. And then I associated him with
those YouTube videos and kind of as an educator.
But his history with hacking obviously goes back way before any of that, back to when he was
just a young guy learning to hack.
I didn't grow up as somebody who followed the rules and went to school and took an engineering
class and decided that was the best career path to go down.
Like it was very much not that way, but it was 100% following my passion.
and kind of my rules and not thinking about the ramifications,
which is how ultimately I got arrested
because I was not thinking about what happens when you do things.
And I was 16 when that happened,
and that kind of changed my perspective a little bit.
And it's really cool to watch these two guys, Dan and Joe,
cheer and bounce around this lab,
having solved this problem together.
And to think about the long arc,
of his career as a hacker.
I think that hacking as a whole has grown with a lot of us.
It's evolved with a lot of us.
And many of us who were involved in hacking in the early 80s and on, it was a much
different time, a much different world.
Technology was much different.
So even just hacking itself has grown as we have grown and matured and thought about
things as well, which is really.
Yeah, really kind of interesting.
Like this community and this industry, like, yes, there have been hackers well before us.
And there will be hackers well after I'm here, I hope.
But this sort of, it was like a seed, you know, like this, there was no industry around it.
There was a very small community of people that really were fascinated with this stuff.
And maybe we're a little socially awkward, like didn't want to play sports or hang out at school.
But it was easier for them to communicate online and do things online and talk on the phone where you weren't face to face.
And like, I think that's how a lot of us got involved in this type of stuff.
Like I was made fun of it in school for being overweight and for being a nerd into computers and wearing clothes that I got at a thrift store.
And it just seemed like the computer world was just a natural fit for me.
And so we all kind of grew, you know, it was like we were little.
kids and now the industry is growing and we're growing and it's like things are constantly changing and
acceptance of hacking has changed and you know in the 90s when i was in the loft uh we were always trying
to show the good side of what hackers can do because you always had this negative misconception about
hacking and there's always going to be a negative element of anything you look at right um so we were
always just trying to focus on the on the good the positive benefits of that
Since Joe has started on this new project, cracking hardware wallets,
he's also been working to help keep them more secure.
And admittedly, some companies are more interested or receptive than others.
And those companies can choose whether or not they want to care about what a dude is posting on his YouTube.
But Joe has to care a lot about what he shares.
So he doesn't share some information that creates a vulnerability that gets a vulnerability,
that gets a bunch of people himself, including, in a bunch of trouble.
And that imbalance is kind of how it always goes.
As Joe and I were wrapping up, we kind of landed on this tool metaphor.
But hacking is a tool.
And what you build with it is up to you.
My day job is in advertising.
And you can use advertising to raise funds for a charity.
Or you can use it to sow disinformation in an election.
It is a tool.
And what you build with it is really your responsibility.
And Joe sees hacking the exact same way.
I guess I just like knowing that there are folks out there like Joe
who can wield this tool that in the wrong hands is very, very destructive.
But who chooses to do cool, interesting, constructive things with that tool.
Joe built a pizza compass.
This is a really big aside right as we're wrapping up.
But yeah, Joe Grant built a GPS power.
compass that instead of pointing north, points towards the nearest pizza place.
Look it up.
It's a very cool invention.
Joe Grand uses hacking to understand things and to make things and to occasionally find treasure.
He is not primarily a treasure hunter.
And when so many of these episodes of this show are about the destructive things we do with
these tools, I think that's really cool to meet.
So I'll leave you with Joe's thoughts on that.
not on pizza, but on the tools we learn to use and what we choose to build with them.
I like to think about hacking or techniques or exploits as tools, right?
And you can use a hammer and you can do something constructive with it, like building a house.
Or you can use a hammer and do something negative with it like smashing somebody's head in.
And this is an analogy that we've used over and over within the loft of like showing that positive aspect.
And yeah, you can say that with lots of other things in the world.
And it really comes down to how you're using the tool in a responsible way that's helping somebody.
And it really comes down to humanity just operating in a way that's kind and helpful to other people.
But I think hacking in general, you're always going to have the people that are negative and you're going to have the people that are positive.
And it just all comes down to like trying to have more of the positive than the negative.
You know, have the positive, outweigh the negative, and then we're going to do just fine.
Thanks for listening, everybody.
And big old thank you to Joe Grant for being very generous with his time and chatting with me about the story.
He sat down for an interview.
He let us use clips from his YouTube doc.
It was very kind.
Check out his YouTube channel.
It is some world-class content.
There is a technical canyon I descended into in the middle of this.
I hope I got all the details generally right.
And I hope you enjoyed.
If you like the show and you want to support it, Patreon.com slash hacked podcast.
That's patreon.com slash hacked podcast.
A great way to support the show.
Thank you very much for listening.
We'll catch you in the next one.