Hotline Hacked Vol. 4
TL;DR: A listener booted an HR colleague's PC via Linux USB to read salary files after hours, finding himself the highest-paid manager. Another caller describes forging a senior parking pass in high school — it worked all year until a guard…
Fourth time's a charm. Share your strange tale of technology, true hack, or computer confession at hotlinehacked.com. We discuss stealing login credentials with microphones, hacking courses for cybersecurity classes for instant grades, and parking pits.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession after the beep.
Speaker 2: Hello, guys. This is from. Thanks a lot for what you're doing. I love the pod. It's one of my favorites right now in, among all the podcasts I listen to. So if, I listened to the latest episode about the, on the hotline hack, And one of the comments from Scott was about someone getting in somewhere, just having a checking what's available and then leaving without without leaving a trace. Trace. And that reminded me actually of a story, that from a few years ago and I was, I was a middle manager in a in a big company. I wouldn't I wouldn't say the industry because I would, identify the company right away. And, so I was working in a satellite office. We had a small team there, so someone from HR and taking care of admin as well. So one person from finance and then sales team, operations team, etcetera. So about and then sales team, operations team, etcetera. So we were about 30 people in that office. And so there was a I had a big reporting period where the where I had to to produce a lot of a lot of reports, a lot of deliverables over a short period of time so that meant a lot of late nights at the office and one of those nights I was alone at the office and, someone is a technical guy and have a marketing background, but I enjoy everything tech. And so I was there at the office. It was about maybe 11PM or something. And between two slides and a report, I was thinking, okay, why not try and access the HR guy's computer? So he the it was a desktop, so the computer was sitting there in the open in the open space. And, there was nobody. So that yeah. Because why not?
Speaker 3: Why not? Like, what could go wrong? I stood the office by myself. There's a bunch of other people's computers around. You know, physical access is a great way to gain unauthorized access. So, like, why not? Why wouldn't you?
Speaker 4: It's and if anyone's computer you're gonna wanna look at, it's probably HR's.
Speaker 3: Yeah. The HR guys. Yeah. Totally. Everybody loves personal information. Whether you should see it or not, everybody wants to see it.
Speaker 4: It's the juicy stuff. Why not?
Speaker 2: So I went there. I went to his to his desk, sat at the computer, and, well, tried guessing the password at first because I knew the guy pretty well and, so tried a few things, didn't work. Then I thought, yeah, maybe. Let me check if the BIOS is password protected and it wasn't. So I went into the BIOS settings and changed it to boot to start, to start the boot from USB first and then move on to the to Windows, etcetera. And I downloaded a version of Linux that can run out of a USB key. So I loaded up loaded that up, connected the USB, powered the computer, and they worked. So I was running the, I was running Linux on his computer from that from that, USB disk and I had access to all of the hard drive basically. It was, I was surprised that files were encrypted. I thought it would be encrypted because of the password protection on the Windows account but well it wasn't so there was. I had access to all the files contracts for everyone and started having a look everywhere, checking what's what was there. And the first thing my mind went to was, okay, let me check how well I'm I'm paid compared to to everyone else. And so, yeah, I kept looking into the files, checked everything. I didn't change a thing, just had a just had a look out of curiosity and know what is, you know what's maybe was what a lot of people were wondering about but never had the chance to to get the information so I had all of that and then didn't copy anything, didn't just read the files from his computer. Well, it felt good because I found out that was the I was the highest paid middle manager at the time, but, yeah, that was a good feeling. And then, just switched up the computer, powered, removed my USB with Linux on it, and went on to continue my my, reports and, the next slides with a little bit of motivation. Yep. So that's my story. Thanks a lot, and, have a great one.
Speaker 4: Welcome, welcome to Hotline Hacked. It's a it's a call in show where you can share your strange tale of technology, true hack, or computer confession. If you wanna share your story, go to hotlinehacked.com. It's got the email. It's got the phone number.
Speaker 3: People seem to like Hotline Hacked. We like Hotline Hacked, and DeleteMe Mhmm. Really likes it. So we have a new sponsor that's come on board who wants us to make more of this. So we're gonna be doing a Hotline Hacked every month, thanks to DeleteMe. DeleteMe is a subscription service that removes your personal information from hundreds of data brokers online kind of trying to get you your privacy back.
Speaker 5: Mhmm.
Speaker 4: We're gonna be telling you a little bit more about them later in the show, but, we really love making hotline hacked, and we're excited to make even more of them. So we really appreciate their support.
Speaker 3: Absolutely. So So so you're alone in the office.
Speaker 4: You're alone in the office. You're hanging out after hours. You're just chilling and you think why not enter bios on the HR computer and see if I can find out how well I'm paid. Your Scott, can we let's just before we get into anything else, take me through the, like, technical side of this. So Sure. They get into BIOS, they boot it from USB, they get a version of Linux running. Take me through, like, technically, what happened here?
Speaker 3: Yeah. It technically what happened here? Well, he had physical access to a computer. So Unix operating systems and some Windows operating systems have a single user mode, so you don't even need to boot it into a Linux USB key. You can bypass the user security on this in the operating system by just going into a local admin account, essentially. Like a troubleshooting, like, this server is having an issue, and I'm sitting at the console of it. You know, something's wrong so that, like, you can boot it into single user mode often, which essentially bypasses a lot of the security ash, like, protections. Assuming that if you have physical access to the computer that you are not somebody who is nefarious. This person went one step above that because they probably wanted to be reading, you know, docs and things like that. And they actually made a bootable USB key. So, like, a lot of Linux distros can boot off of the USB keys. A lot of Linux distros are super light. Right? Like, you know, our our retro gaming handhelds run Linux, and they're like these tiny little, you know, Raspberry Pis, essentially. So this this person took the time to make a bootable Linux distro on a USB key, jacked it in, was able to modify the BIOS settings to boot from USB before boot from hard drive and opened it up. The fact that there's no file system encryption and a lot of these files are just sitting on a on an NTFS or FAT32, like, file system on one of the hard drives, you can use the Linux system to mount the hard drive, and then you can go through the file system contents without any real Windows security. All of the the files will be sitting there. And you'd have access to everything, which this person did. So, I think we should do this person the favor of digitizing their voice because what they did was was not only, I would say, gonna get you fired, but also probably get you maybe charged. But I do like that he takes the positive element out of it that, you know, after determining that he was the highest paid, it really gave him more motivation to, like, grind out some more reports in the on the weekend. So
Speaker 4: really this call is an advertisement for pay transparency. Yeah. There is a I was struck by that as we were listening to it that there is an alternate history version of this where late at night sitting in that office with no one around, this this caller finds out they're not in fact the highest paid manager. And I can imagine the fork in the road they take where they're sitting there with access to all this sensitive material and they they go bad. That moment was their villain, you know, origin story when they discovered that they were the lowest paid manager and they just went on a tear. And we would be getting a very different call. But luckily, they discovered they were good probably because of all of their technical skills that they brought to the job.
Speaker 3: Yeah. I I also love the fact that it's like, this is also like, I don't know how many grinder weekends and stuff you've had in your career where you're working the entire weekend, but, like, sometimes you just need to do something else for your, like, own sanity. No
Speaker 4: step away.
Speaker 3: And this person, yeah, this person found something else to do that was maybe a bit nefarious. It just, like, I need I need to not be writing these reports anymore. I need to do something else. It's like, you you know what I'm gonna do? I'm gonna break into the human resources computer and look at everybody's contracts. Yeah.
Speaker 4: I mean, I guess if you're stuck in the office late at night, I don't know. I'm trying to think if there's anyone else whose computer I would be interested in looking up. There's a temptation to find out, like, get into someone's email, see what people are saying, but you're really going dig in for something that you don't know what it looks like.
Speaker 6: Mhmm.
Speaker 4: HR payroll, that's a pretty pretty good straightforward target. There was a hack, I think earlier this year where the Ministry of Defense in The UK got hacked. The payroll system was the only thing they got access to. It was the first thing they went for. And there was a story in HR magazine, which, hey, there's a magazine all about HR. Good for that community. Where, policy and research officer at the Chartered Institute of Payroll Professionals, Matthew Acrig said, quote, payroll data is one of the most valuable assets for businesses, and as such, it has become the target for malicious groups seeking to gain inside information or to ransom for profit. And it makes sense that payroll would be one of the big valuable prizes in a company or organization. It doesn't have a IP corporate espionage type vulnerability. For most places, who's getting paid what, and what are their Social Security numbers and their banking info is like, yeah, that's the that's the relevant stuff. That's what you'd wanna hunt down.
Speaker 3: Well, salary information is the juicy goss. You know? It's the juicy goss. It's the hot goss. It's the it's the thing that everybody wants to know. And it's, you know, we going back in time, like, something like a bad USB attack, lots of those USB keys, if you want somebody to put them into a computer, they label them things like human resources or payroll or things like that because people can't about that. Yeah. People can't resist the urge to know things that they shouldn't know. And it's like that's exactly one of them, and this person clearly couldn't resist the urge to not break into the human resources computer.
Speaker 4: Maybe it was a honeypot. Maybe it was maybe they maybe the whole thing was a scheme they set up over there.
Speaker 3: Set it up for him. He's actually the lowest paid.
Speaker 4: You're gonna need to stay late overnight to work on this, and none of us will be there. And then they, like, turned off the, energy saver on the HR person's computer just to draw your eye to it across the room and make it even more compelling. This was a this was a sting.
Speaker 3: And and they they they set up fake contracts to make it look like he was the highest paid so that he would work the hardest. They just like it. This is a tailored manipulation. I like that I like that storyline.
Speaker 4: They've done this to every person in the company. One by one, they each get assigned a late night for and then they see on a p on a computer that they're the highest paid person, but they can never go and try and verify it because they, gained the information illicitly. Mhmm. This is some four d chess we are making up. Let's just be clear, about this story.
Speaker 3: We only hire tech savvy marketing people so that they can compromise the human resource computer and work harder when they realize that they're being overpaid in relation to their careers. I love it.
Speaker 4: That would be, that's it like an editorial feature in HR magazine. How to honeypot manipulate your staff into working even harder by making them think they figured out they're the highest paid one.
Speaker 3: Exactly. Exactly.
Speaker 4: Thank Thank you for your call. That was a really good one.
Speaker 3: Yeah. Appreciate that.
Speaker 7: Hey, guys. I love your show. Got a real early social engineering hack, technically, back in high school, would have been 2020 oh, Jesus. 2002. We had these passes that only the seniors could get, and they would park on this upper lot that was all paved and nice. And then we had this place down below called The Pit, and it's full of gravel and loose rock, and anything goes kinda there.
Speaker 3: I just wanna stop there because I feel like does every high school have a pit?
Speaker 4: The pit. Because, like,
Speaker 3: our our high school had a pit. Did your high school have a
Speaker 4: pit? Ours.
Speaker 3: Yeah. See, I I I feel like
Speaker 4: Literally, I was making notes about this saying when he was, like, he started describing it, and I felt like I was having flashbacks. And there was a such a sense of, like, on we he's, like, as full of gravel as anything goes. And I was, like, I'm familiar, and I don't think we're from the same place.
Speaker 3: Definitely not. And it's like but the thing is, I just think that every school had, like, had a pit. Like, it's like the architecture, like, we'll put the gym here. We'll put the seedy little gravel lot for, like, people to smoke and fight and do drugs and stuff over here. It's like it's it's part of the, like, site layout for high schools, I think.
Speaker 4: In the same way yeah. Is there's, like, an urban design architectural philosophy that if you don't create the pressure valve that is the pit, the entire school becomes the pressure ground. It's like, the pressure valve, it's like, if we don't give them a place to fight and do drugs, they're gonna do it in the halls. So we're gonna make a pit. It's gonna be over here. It's gonna be a literal pit. It's gonna have gravel in it. It won't be very nice. You won't wanna stay there, but it will be a pit where you can get up to no good. We are school architects. We know how this works. I love it. I I that's a great thesis. Great thesis.
Speaker 7: Oh, my buddy's, my friend's brother was a senior, and he had the pass to park up top. And I Xeroxed it, did some Photoshop if that was even available. Microsoft Paint, maybe. Printed it out, laminated it, put it on my car beginning of, junior year. And we we're gonna see if it worked, and it worked. And I the whole year, parking up top, had a fake ID, didn't have to deal with the pit. Car didn't get all scratched up, messed up, potentially broken into. And the very last day of that year, the security guard comes up, real cool guy, but he he was like, man, I've been trying to find you all year. I wrote your license plate down. You had a good pass, but it wasn't in the system. That'll look legit, but I knew something was up. And I think I had, like, a $300 fine. So it technically worked for a while, but then it, they just caught on and yeah. So that that's my, my fake pass, quote, unquote, social engineering that worked, but then it didn't work. So love the show. Keep up the awesome work. Thank you, guys.
Speaker 4: Man Thank you. Thank you. And thank you for your honesty. I really appreciate. You could have left that last beat of the story out, and it was just like a high flying park and heist, and we love those. There's been a few of those. It makes me think something about how parking lots, maybe incept people with a little bit of anti authoritarian bent to them. Totally. But I appreciate you included the ending where you're like, he did catch up with me. Cool dude. Nice about it. Didn't rat me out. Did give me a $300 fine. I appreciate the honesty.
Speaker 3: I just love the idea that, like, parking like, everybody has, like, like, their moral code is like, yeah. He stole some parking. Like, no big deal. It's like Yeah.
Speaker 4: No one gives the deal a parking.
Speaker 3: It's like, oh, you stole some HR data. Okay. Well, like, let's let's, like, wait on that a beat. This is like, yeah. Just tried to steal some parking. Like, totally get it. Who wouldn't? Yep. Also, the second he said security guy came over real cool, dude, I thought that story was going in a different way. Like, he was gonna be like, knew you had a fake pass all year. Like, good work. But he still got the fine.
Speaker 4: That was pretty cool.
Speaker 3: Yeah, pretty cool. You're a pretty cool guy. You you hacked together a pass and you stole the parking. But, yeah, I feel like we've had three or four of these stories, so not sure how much more there is to talk about. But, good for you, and sorry you got a fine. Hope $300 was less than the cost of paying for good parking all summer or all school year.
Speaker 4: It seems the way he tells the story, it seems like it was still worth it. Oh, yeah. He was like, you know, it was the last day of the year. I'd avoided being down in the pit. I'd avoided getting my car scratched up. Here's the thing. We were talking about how the pit is a univer a universal experience, and I'm starting to wonder if this guy's pit in 2002 wasn't a little bit gnarlier than mine was. He's making it sound kinda thunderdome. Yeah.
Speaker 3: Yeah.
Speaker 4: He's like, you know, there was no one sleeping in the car. There were no dents in the windshields. All the windows were there. It's like, woah, what's happening in your pit? My pit was just gravel and not very nice. Your pit sounds kinda real, my guy. Like, I get why you would go to all this effort too. And, again, another good detail from this. Not sure if it's Photoshop or Microsoft Paint. And if you forged a parking pass in Microsoft Paint, you you deserved to not be in the pit. Like, you you did something challenging. That should have maybe gotten you a credit in a class. Like, that should have been worth something.
Speaker 3: You you overcame hurdles that were provided by one of the worst pieces of software ever made.
Speaker 4: I really like that. Oh, man. Also, like the, the remembering the 2020 sorry, 2002, like that blip, that moment of twenty years passing in the telling of the story. That was
Speaker 3: that was a nice little beat. There's nothing but twos in this year, and I don't know which one it is.
Speaker 4: Yeah. Exactly. Hotline Hacked is brought to you by DeleteMe. It's a bummer thing about making the show, but we know that there are a lot of people who have been harassed on the Internet, who have been stalked on the Internet, who have been doxxed. Privacy matters. It matters to, I know, a lot of our listeners. And bummer news, a lot of our personal information is floating around on the Internet. Everyone is kind of an easy target if someone decides to put you in their sights.
Speaker 3: Yeah. Just last episode, we talked about, data broker being hacked, and these data brokers compile tons of your personal information, name, contact info, Social Security addresses, relations to family members, you know, all the stuff, and then they sell this data.
Speaker 4: And anyone can buy it. That can lead to identity theft. It can lead to phishing attempts. It can lead to harassment, unwanted spam calls. Good lord. Can it lead to unwanted spam calls? And now you can protect yourself with the sponsor of Hotline Hacked, DeleteMe.
Speaker 3: As, as someone who exists publicly on the Internet, you know, myself and Jordan, but especially me in the sense that, you know, maybe I have some critical opinions on things, notably crypto. I'm hyper aware about, you know, my online safety, my online security, and it's it's easier to find personal information about people online now than ever. All this data is just kinda hanging out, ready to be bought by people who might not have the best, you know, intentions. That's why, you know, we use DeleteMe, and we recommend it.
Speaker 4: DeleteMe is a subscription service that removes your personal info from hundreds of different data brokers. You sign up and provide DeleteMe with exactly what information you want deleted, and their experts take it from there. DeleteMe sends you regularly, personalized email privacy reports showing what they found, where they found it, and what they took offline. DeleteMe isn't just a one time service. It's always working for you, constantly monitoring and removing the personal information that you don't want on the Internet. Very simply put, DeleteMe does all the hard work of wiping you and your family's personal information from data broker websites.
Speaker 3: So take control of your data and keep your private life private by signing up for DeleteMe now with a special discount just for all of you. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com/hacked and use promo code hacked at checkout. The only way to get 20% off is to go to joindeleteme.com/hacked and enter code hacked at checkout. That's joindeleteme.com/hacked.
Speaker 4: And one last little stinger on this. Part of the reason we make two hacked every month we have for a long time. Really excited to be making more of it, and we're excited that the form factor it's taking is hotline hacked. And a big reason why is because DeleteMe heard it, reached out to us, and said they wanted to, you know, sponsor and bring more of it to the world. So part of the reason we're getting to do more of these is because of them. It's a really cool product. You should check it out. Joindeleteme.com/hacked.
Speaker 5: Hi. I was just listening to the third installation of Hotline Hacked, great series, and it occurred to me that I have a Hack Story myself. I am a web developer, and, I work at a small consulting agency. So we get different clients, and, some of our clients require us to fill out these, training modules. The training modules are just, you know, your standard corporate modules. They're a video followed by quizzes. They're very boring. Most of them are, like, you know, kinda common sense, compliance, don't bully your coworkers, etcetera. But there was this one that was actually dealing with security one time, and that gave me the idea. What if I could hack this?
Speaker 3: I I love the thought there. It's like, hey. Do this do this training module about cybersecurity. It's like, well, I don't really want to, so maybe I'll hack it.
Speaker 4: Yeah. I like this guy's style already. Yeah. No. Or it's just extracurricular.
Speaker 5: And so in while the video is playing, I open up the dev tools in the browser. And, for context, the video is a pop up window, and the main page is, the window under that. But in the video page, I had the dev tools up, and I just started looking in the window object, because sometimes you can find some interesting stuff there. And I found this one method called set passed, capital s e t, capital p a s s e d. So I thought maybe this would just allow me to pass the quiz. And so I open up the console, and I call the function. The window closes. The pop up window with the video closes, and I'm just left with the main page. Nothing happened, but I refreshed the page. Lo and behold, it marks me as having completed that module with 100% on the quiz. And at first, I couldn't believe this, so I logged out, logged back in, and it persisted. So I just thought it was ironic that this security training video was, you know, presented through a service with the security flaw, a service which also has secure coding videos. Now I won't name any names for companies and whatnot, but, I just thought it was I it was an amusing thing. And it's also sort of troubling maybe if, like, you know, you're legally required to fill out these things for compliance purposes, but you could just hack it. Anyway, love the show, guys. Thank you for listening.
Speaker 3: Well, thanks for your nice feedback.
Speaker 4: That is indeed extremely ironic, and it, is very satisfying. It does bring up the question, like, what higher stakes online training platform could simply be circumvented by, calling a, hey, set me as having aced this test function. It raises some questions. Luckily, probably only people in security or devs would know to do this, but I guess I'm trying to say is I sure hope pilots can't do this.
Speaker 3: Pilots, online voting, you know, the list goes on.
Speaker 4: Online voting. Yeah. There's a lot of situations that are a little, higher stakes than an online, video quiz training platform that's a little bit redundant and a little bit easier to hack.
Speaker 3: I I love, like, this this this thing, like, the the power of being a web developer and understanding what's going on in the background of a web page. Now with so many things, you know, like, I'm speaking about this coming from the past twenty five years, but it's like so many things are now just online. Right? Like, they're online tests, they're online learning platforms, they're online everything. You know, even paywalls on news sites. Like, if you have the ability to whip open dev tools and just take a brief to scan the at the structure of the page, you can often do a lot of things you probably shouldn't. You know, there's a lot of lazy missteps by coders doing things on the single page rather than on the server side, and something like that's perfect. Like, somebody has a JavaScript function that's set passed that passes, probably a callback to the server flagging that they passed the thing and what their score is. You whip open the JavaScript console in the web dev tools, and you just type in set pass and run the JavaScript call and bang, it's done. And it's like, that's that's pretty easy and pretty easy to find out. Like, good for you for finding it out, but it's like, it's, yeah. It's it's it's the these learning platforms, tons of things that have security or doing a client side, and they don't fully understand why. I don't know how the software architecture, the engineer that's in charge of the project is like, you know what's a processing and verification and just put it in the client side. Like, what could go wrong?
Speaker 4: There was a there's a at the end of it, you know, you made an offhanded remark to the fact that inside of this, you know, training platform, there were lessons about secure code. Mhmm. And I'm reminded of the fact that, we have helped companies create video training platforms, like, not the platforms, but the content helped people make, you know, online education for, for companies. And it's interesting to think about how the people that were creating that content, who were building the videos, explaining how secure coding worked, were probably not the same people that had built the platform that the videos were being delivered on and the quiz quizzes were being taken. And probably at some point, someone thought to themselves, I sure hope whatever platform these videos was being deployed on is secure because otherwise, this is gonna be extremely ironic when someone figures out how to compromise this quiz about secure coding. And then, I don't know, calls into a call in show years later and talks about it on the Internet. It's, I can imagine that perspective, and it's a pretty fun one.
Speaker 3: Well, even, like, these online platforms, like, you know, I'm not gonna name any of the names. There's some huge ones out there that offer, like, right up to, like, get your master's degree. Like, imagine if if if that was the same as this platform and you could, like, just bang out a professional module, running set passed in the console, going to the next module, and just doing that on. You could even script that and be like, oh, today I'm gonna get a master's degree in, you know, cybersecurity, and then bang, you'd like hit a button and it's done.
Speaker 4: It's the scene where, Neo plugs in and, like, learns Kung Fu in five seconds, Except without any of the learning. You can just get the piece of paper that says you know kung fu. You will not know kung fu. There is no education, no pedagogy taking place here. You will know nothing at the end of it, but you'll have, like, I don't know, $200,000 worth of, PDFs saying that you have a, a master's in, like, English literature or something.
Speaker 3: Certificates in everything. You were you were the most trained human in the world. The your your human capital is worth so much. The yeah. I the the thing for me is is just, you know, being somebody that's spent a long time in, like, the early parts of my career building online platforms, server side versus client side, like the whole Ajax movement, like, dude, putting so much stuff into the into the client side. I'm shocked that they don't make a callback with the results and get a confirmation from the server or, like, I wonder, like, I wonder on the back end if they open up his records, if they can pull up that module and just see that he had no answers for the, like, for that quiz. And But but if it's recording a 100%, like, good, then maybe it did record that he had answers for everything.
Speaker 4: Interesting. And would they see the passed, like, tag or however that worked and the absence of questions and wonder to themselves, did it just fail to save or store the answers and the person actually passed with 100%? Or would you jump immediately to this person clearly gamed this very vulnerable system and didn't do any of these quizzes. But at this point, the stakes of this aren't that high that I'm willing to reveal how bad a job we did developing this. So 100%, I guess.
Speaker 3: It's like the it it hearkens back to my master's project, a thesis I never finished writing, but, I I don't know why I'm gonna talk about this, but it seems relevant. But, like, the the what I did is I'd taken a major web framework, work Rails, Ruby on Rails, and I jacked hooks into it that extracted a logical model for the entire software application. So every time you got to a different part of the state space, like, it constructed the entire state space for the logic of the of the software that you were running. I don't know if this is too technical enough. I should include it, but but then you could set rules to be like, you should never be in a situation where somebody is marked as passed and has no responses to the questions. And then it would flag that and be like, you have an issue here. Like, there's a compromise. So that was that was my master's project, and it seems very relevant in this situation to me. It just instantly triggered that for me because it's like, that's a piece of state space that you should never be able to get into. Like, if this person hasn't submitted answers, they should not have been marked as approved on the on the the module. No. And it just feels like like there's could be some uses for that. Maybe I should finish that thesis at some point in my life.
Speaker 4: And send it to this caller to send on to that training platform.
Speaker 3: Totally. Totally.
Speaker 6: Hello. This is, Max from Switzerland, and I wanted to share a story from the eighties, probably around 1985. We were kids that went to school, and we will go to, trade shows. And on these trade shows, like computer shows, usually, the incumbent, telephony provider, and we're in Switzerland, so it was called PTT, which is now Swisscom. They were there, and they would show off the X.25 network, which was called Telepac. And, that was obviously the pre Internet days. But with, Telepac, you were able to connect to computers all around the world. Now what you need for, Telepac to access it, you need what was called a NUI, a network user identification. And at the time, those things were expensive. So what we would do is we would have a voice recording device like a dictaphone that, you know, managers use to, dictate letters to their secretaries to then type it into a typewriter. So we would have one of those and we would have what was called an inductive coupler. Looks like a, small suction, cup that you would then stick against the modem and you would record the, basically the phone call the modem would do to the Telepac network. And the, the guy that was demoing the Telepac network would then enter the NUI, the username and the password, and we would record that on the dictaphone. Now at 300 baud or 300, bits per second, you know, that was not that hard to record that. And we would then go home and use, an acoustic coupler and replay the recording, and it would get us the, the NUI to access Telepac. Now since those NUIs were from the, telecom provider themselves, they probably never got a bill for it. And usually, those those passwords that we got on those trade shows, they would work for years after that. You would then use Telepac to access, UNIX or BMS computers, and from there at the time, there were, there were things like the Usenet or before Usenet, it was called notes. So, yeah, that's that's what we would access across, those systems. Yeah. Love the show. Keep it going. Thanks, all.
Speaker 4: This one's cool.
Speaker 3: This is my guy. This is this is this is my guy. We I used to have an inductive coupler too. I actually built a small Really? Small modem. They use an inductive coupler to to, like, in a pre, broadband world when we still had dial up, I had built something very similar to this. I didn't use it in the same way as he did. I used it more for, like, being able to dial in to the Internet from anywhere on any phone without having to take a big modem with me and, like, a little bit more discreet. But, yeah. I'm this is bringing back childhood for me right here. Inductive couplers, you know.
Speaker 4: What, what is an inductive coupler? Because everything about this sounds like it's a microphone speaker. Yeah. You use a microphone to record the signal, and then it would be a speaker to just play it back into the phone. What is an inductive coupler?
Speaker 3: Yeah. So the it's essentially an electromagnetic microphone ear socket, it's a tiny little mine was a little black and round with a suction cup on it, and it's got, like, a little, like, 3.5 millimeters, like, mono coming out of it. And it's like a mono microphone, but it doesn't use, like, the classic microphone audio waves thing. It actually picks up the the signal. So it was it's anyway, I I I love this story because Internet was expensive, access to networks was expensive, and these guys were literally hacking ways to get around logging credentials in, like, a very analog y cool old school way, and I I love this story. This is this is right up my alley from when I was a kid.
Speaker 4: Yeah. This one's really cool. We've done episodes before about stories that took place on Usenet, which in my mind is, like, I mean not in my mind, which is a precursor to the modern internet. And this dude was was rolling in on precursors to even that. So when you log into one of these networks using one of these NUI password user, whatever this thing is, what is the legitimate way of doing it? Like, what does it look like if you're not hacking it and using an inductive coupler? What is the mechanism by which you log into one of these systems?
Speaker 3: Well, they were only using the inductive coupler to essentially eavesdrop on the authentication protocol. So then they would take they would take that recording home, and then they would use an acoustic coupler. So, like, a classic modem where you took the handset for your phone, then you suctioned it into the little box. I don't know if you've even ever seen one of these, Jordan, if you're old enough. But modems
Speaker 4: I don't think I have, mate.
Speaker 3: Yeah. You used to have to take the handset from, like, an old phone and literally push it into a thing, like a box that had both a microphone for the speaker, like for the had a speaker that went to the microphone and a and a microphone where the speaker came out of the handset. And that was how original modems worked is that they were entirely acoustic. So that's why the bit rate was so slow because there was not actually a physical connection. Like nowadays, we're all fiber optics and light, and the speed of light is our, like, limiting factor. And the speed of electricity transferring over copper is our limiting factor. These systems use literally audio waves, beeps and boops to to indicate bits through an audio space. So like the you had latency from, you know, the traveling of sound. You had all kinds of issues. So these guys, instead of having a legitimate account to get onto the what is now Swisscom's, like, you know, network access, they were literally recording and stealing the creds from trade shows, which were probably like demo accounts used by the sales force and not very well monitored. And then they would take them home and then use those to gain access to the networks, which is, like, real OG hacking stuff. And, like, I love it. Love it. Like, we're talking about, like, me as a, like, an early, maybe preteen, like, reading and doing these things. And, like, this is great.
Speaker 4: Yeah. There's something really satisfying about, you know, this pretty high stakes admin accounts to this network being played as sound, like, maybe one of the least secure things I can think of. Like, it is it is in a sense spoken out loud every time it is used as a password. It is it is audible. Yeah. To a person with a little bit of a little bit of gumption. That's incredibly cool and just paints such a sick picture of like a 1985 tech trade show in Switzerland with some kids like ripping in and like pulling out these credentials as audio files and then playing them back into a phone to gain access to, like, computer networks somewhere. Like This is really cool.
Speaker 3: Yeah. Like
Speaker 4: I would like to watch a show about some, like, nineteen eighties Swiss hackers.
Speaker 3: Like, you've got to imagine that the, like, the actual demo units set up at the trade show were acoustically coupled. So, like, imagine the the handset is in the modem pushed in, so you can't really hear it. So that's why they were using the inductive coupler is so they could access the audio coming out of the speaker in the telephone's handset without actually removing it from the modem. So that's why they were recording it, and then they would take that home. And it's it's it's great. Like it's it's old school reminds me of my childhood. I love it. Kudos to you. It would have been highly illegal. So I'm not saying go break the law, but like smart, clever, makes me makes me feel like it's something that I would have done. So kudos. Love it.
Speaker 4: There's a there's a telehack retro game. I think it's called hack like it's 1987, Where you can It's a text based hacking game where you can simulate a stylized combination of, like, Usenet and ARPANET or, like, 1985, late nineteen eighties, pretty much bang on when this would have existed. And you can try your hand at doing this as a, basically, a web game.
Speaker 3: Haven't heard of it, but sounds great. Yeah. I'd be I'd be intrigued to have a conversation with this person to see what they're up to now. Yeah. You know, I like, I feel like if you're doing if you're doing that in '19, whatever it was, eighty something, I imagine you had a technical career and probably, you know, probably a good one.
Speaker 4: Probably preoccupied.
Speaker 3: Yeah. Fire us an email as a follow-up. We'd love to hear what you're up to these days and what you what you did with those skills, but they, yeah. Great, great story. Love to hear it. And thanks for listening to another episode of Hotline Hacked brought to you by DeleteMe. Join deleteme.com/hacked.
Speaker 4: If, if you wanna share a story with us, they are the gas that keeps this engine turning. Go to hotlinehacked.com. We would love to hear your story. You can call +1 (888) 281-8869, or you can go to hotlinehacked.com and submit an audio file via the email. We'd love to hear from you. Strange tales of tech, true hacks, computer confessions, whatever you got, we'd like to hear it. Get at us and until the next one. Thanks for listening.
Speaker 3: Take care.