Hotline Hacked Vol. 6

TL;DR: A caller demos live email spoofing via open relay SMTP to his ISP's tech support in 2012 to get his internet restored. A second caller, Dana, describes a hidden macOS user account vulnerability she reported to Apple in 2020, which Apple…

The whole second half of this one is one long call, but trust us, it's worth it. A call-in show with tales of hackers getting hacked back, spoofed emails, and operating system vulnerabilities.

Transcript

Machine-generated transcript; may contain errors.

Speaker 1: Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession after the beep.

Speaker 2: Hello, fellow Canadians. Love the show. Funny story about email spoofing. Having grown up in the early days of email, hacking on open relay SMTP servers was great fun. Freaking your friends out by sending them emails from someone famous or from each other. Fast forward to around 2012, I'm at work and get a call from my wife saying our Internet stopped working. We used a cable Internet service provider at the time, gave her the usual fix, power cycle modem and then router, but to no avail. When I got home that night, I confirmed that something external was blocking our Internet, so I called the ISP and explained the situation. The young support tech advised me that my wife's email address was sending thousands and thousands of spam email messages, and so they blocked our Internet in an attempt to stop it. At the time, my wife had a very basic email address, firstname@isp.com, so was often being spoofed by spammers, and thus this did not surprise me at all. I had previously investigated the ISP's SMTP server and knew they were open relay servers and had actually reported it to them, but of course they hadn't done anything about it. Anyway, I explained this to the tech support dude, and he had never heard of email spoofing, and really didn't believe me that anyone could do this. So I decided to educate him. I asked him first to restore my Internet service, and then I could prove to him that this type of spoofing was possible. He did. And then I asked him for any email address of someone he knows and his own email address, and that I could pretty much instantly email from one to the other. He complied, being anxious to see if my claim was true, and I opened a telnet session to port 25 on the ISP's MX. And about thirty seconds later, he received the email. He was completely floored, excited even, and desperately wanted to know how I did it. Although I didn't give him all the details, I said just Google SMTP and telnet.
He was quite awestruck and thankful, so I ended the call by saying, don't ever cut our Internet service again. What's even funnier, or perhaps scary, is that a year or so later, I checked and those same SMTP servers were still open relay servers. No doubt they can still be found out there, even today. Cheers. Cheers.

Speaker 3: Cheers. Gotta love the AI voice. Welcome back to Hotline Hacked.

Speaker 4: It's a, it's a call in show where you can share your strange tale of technology, true hack, or computer confession. We always appreciate your calls. This is a fun one to kick it off with.

Speaker 3: Well, this one kicks off this episode similar to the first episode of Hacked podcast kicking it off. I believe we were talking about open relay SMTP servers back in the day.

Speaker 4: And email spoofing. That's totally true.

Speaker 3: Yeah. This is a throwback.

Speaker 4: And this was sent in 2012. So this, IT support tech support man couldn't have even learned of it from even some of the earliest episodes of Hacked, before the big break. For anyone that doesn't know, not that I don't. What's SMTP servers? What does it mean for them to be open? And what exactly happened here?

Speaker 3: Well, I would refer you to episode one of

Speaker 4: this podcast.

Speaker 3: SMTP simple mail transfer protocol. It's the way that email moves between servers. So like, when I build an email and like my Outlook client, let's pretend I use Outlook, and I hit send, it literally creates a socket to port 25 if unencrypted. Now most of them are encrypted, but, passes the email information over to the server, which then, in the background, looks up what the receiving server needs to be, makes the connection, and delivers it for you. Since 2012, there's been, let's just call it a million updates to the security of this. It's very less or it's considerably less common these days than it used to be. That's for sure. The, especially with Google now banning so many different you know, adding so many more restrictions to authenticate and verify email senders to make sure that this stuff doesn't happen because back in the day, it used to run rampant. Like, I remember doing a a case study in university in, like, the early two thousands, mid two thousands about the cost of spam because the lost time, this data usage, all the rest of it,

Speaker 5: it was massive. So spam is kind of a thing

Speaker 3: in the past. I still get added to mailing lists probably from data brokers, which is a great transition to the sponsor of the show, DeleteMe. Talk about DeleteMe. Talk about DeleteMe. DeleteMe has come aboard. They love the hotline hack concept, and they wanted to sponsor it. So the, DeleteMe offers a service that kind of can cleanse your information from the data brokers of the Internet, the bad the bad personal information sellers. But we'll talk about that in a bit. But the

Speaker 5: but

Speaker 3: as long as your email exists in some of these data broker things, it seems like I get signed up for mailing lists that I have no idea about pretty much constantly. So so let's hope that DeleteMe does his job, and I get removed from a ton of those things. But back to the story.

Speaker 4: Back to the story. So this this guy's wife, it's 2012, their internet goes down, it's not working, calls up tech support at the ISP and gets explained to him his wife's email is sending thousands of spam emails, and apparently had a very, very good, very old email, firstname@domain.com, which, as a, like, appreciator of really, really good usernames, kudos, to her. But it's clear that someone is spoofing this email. Someone is sending emails even though they don't control the actual email address. And tech support had never heard of this, which I find surprising. I feel like by 2012, if you're in tech support, especially in an ISP, you might have bumped into this. Is that a a bad assumption I'm carrying around?

Speaker 3: Yeah. A bit. I I think the the difference between, like, a customer service tech support person and somebody that's in the technical infrastructure side are very different people. Often tech support people have scripts and, you know, etcetera. They're not they're I wouldn't say that they're, like, infrastructure grade IT staff. So they often

Speaker 4: are good point.

Speaker 3: Yeah. But the but the the fact that you're running an ISP in 2012 and you don't know about and it's not closed to your SMTP servers or open relay and have no controls on them is wild. Especially because you're paying for the throughput of all the data for all the spammers using your mail server to send emails, which is also wild. So just bad business?

Speaker 4: You were

Speaker 2: Question mark.

Speaker 4: Yeah. Sure. And a year later, I think the call ends with the caller saying that the, the servers were still open. Probably not anymore, but shortly after, they they hadn't shut it down, basically, is the way the call ends.

Speaker 3: Yeah. Yeah. That's, again, probably just an internal disconnect between the IT staff, the actual infrastructure staff, and the tech support people. So he probably unlocked the person's account and thought it was neat, did some research on their own, and never reported it to the infrastructure team for fixing. Or maybe they did, and the infrastructure team decided not to fix it because it would create more headaches for their user base that then they'd have to deal with because I'm sure a lot of them didn't set up their mail clients properly. And if you have hundreds of thousands of people that use it, then do you really wanna upset the Apple cart that much? So, anyway

Speaker 4: I remember back in that first episode, and I summoned up a couple of the notes here. But the story I think that we kick off one of those earliest episodes about talking about email spoofing takes place in 2013. If I if if I've got the right story here, which is funny because it was after this and concerned a Swedish company. Someone sent out a blast to a bunch of news agencies that the Swedish company called Fingerprint Cards was going to be, purchased by Samsung, and it caused the, price of the company's stock to surge by, like, 50%. It was one of these first instant instances of email spoofing being used in kind of a fraudulent social engineering type scam. And it's funny that it happened after this. So the idea that maybe someone at an intercompany wouldn't have heard of email spoofing makes a lot more sense to me because it hadn't broken out yet. It was a thing you could do if these things were open, but it wasn't a thing that a lot of people maybe knew about. So that makes more sense to me.

Speaker 3: Well, it's it's like the being somebody that was, you know, in that space.

Speaker 4: Mhmm.

Speaker 3: It was something that I'd known about since, you know, the early nineties. You know, I'd been mucking about with it. So, like, I remember when you and I had the first conversation on the first episode of Hacked. I can't remember the year, but I remember it kinda blew your mind a bit. And it was just like it's it's, it used to be like a common tool in the toolbox. You know? It was pretty easy to to send fake emails. I still get a lot of them now, and there's a lot of people now that spend more time obfuscating emails to make it look like it's coming from you. Like, our accounts payable department at the company gets emails from me all the time to to pay invoices that I have no knowledge of from a person whose email looks just about the same as mine and has the same email structure as me. And spammers will spam and con men will con and, you know, grifters will grift. So such as life. Creep on creeping

Speaker 4: on. Onto the next one.

Speaker 6: Jordan and Scott, my name is Dana, and I discovered what I thought was a vulnerability in Apple back in 2020. I reported it to them. They said this is not a vulnerability. So I'm sharing it with you all, and I'm curious as to your take on it. In 2020, during COVID, coworker and I discovered that you can put a period in front of a username at the new user setup screen. You take a if you were to take a brand new Mac out of the box and go through the setup process, you could create a user beginning with a period. And, if if you created that user with the beginning with a period, that user would be, hidden from system preferences, it would also be hidden from even the DSCL command line utility in Mac OS or OS 10 even going back even further, and you would not be able to see this user in your user lists on this device. The concern is that if you couple this with by setting the up this hidden user on a brand new computer out of the box, brand new Mac out

Speaker 5: of the

Speaker 6: box, then you, load your malicious software on there. By the way, you would have to change the UID of the user because you'll get a collision next on the next user you create. It doesn't iterate properly. So I think it's like 501. So then you would change that user from 501 to like 599 or something. And you load malicious, software on that computer, you can then reboot the computer into, single user mode or recovery mode, whatever, get to the terminal, remove the Apple setup down file, and when that computer is reboot rebooted the next time, that, that computer will look like it's brand new out of the box. Then that that new user, they could set up the computer exactly how they want. They could, enable disk encryption, any of the security features, security profiles, anything like that post attack. And because this attack would happen, in the could attack, could happen in the supply chain, this computer could be compromised anywhere between, leaving the factory and arriving at a person's doorstep. Could be resealed. You know, you you can reseal, a box, whatever, an Apple, box, and make it look like it's brand new, deliver it to your CEO with malicious software on it. That was not a good idea, but I'm just saying that's what a malicious person would think. I'm curious as to your thoughts on this. It sure seems like, Apple would wanna fix this, and it's funny that they say it's not a vulnerability when they have indeed, corrected this in the latest iteration of Mac OS. But my concern is that for more than twenty years, Apple has ignored fixing this problem. And there could be devices out there with these dot hidden accounts on them out in the wild. I'm not sure of that. I haven't been able to get enough information to discover that, but I'm curious as to your thoughts. What do you think about this? You think this is a vulnerability or not?

Speaker 3: What do you think Jordan? Deliver it

Speaker 4: to your CEO. It's not a good idea, but you could do it. You could really hear a person reaching the end of a thought of what could be done with this potential vulnerability we're hearing about. If this vulnerability is true and we haven't purchased Macs from this period of time and gone through the process of testing this for full disclosure. That's pretty bad vulnerability if if that was lurking around in in macOS for a couple years, if not decades. What what do you think, Scott?

Speaker 3: I think, yes. It is a vulnerability, and it was right of you to report it, and it was right of them to fix it even though they claimed it wasn't a vulnerability. The yeah. Crazy to think like, it's crazy to think about what you could do with that. Like, IT staff generally have an elevated level of Yep. Transparency into organizations. You know, you can often see emails. You can go through stuff. So, like, delivering it to your CEO to me is not the big one. The bigger scare to me would be, like, reselling a laptop, reselling a Mac. That's Like, that happens all the time. And imagine you got it. It looked like it was fresh and cleaned and reset. And, you set it up yourself and boom, there was a backdoor entrance into it pre preset up by the previous owner. The in in in organizations that have, like, a, like, a firewall between departments and things like that, like, mergers and acquisitions, one I love to talk about because a place sent same as the reporting as we did in the last story, artificial information about a company to manipulate its stock price. Having eyes into details that you're not supposed to Mhmm. Would be could be very lucrative. So there'd be tons of attack, you know, potentials for this, wild that it existed. You know, the and the origins of it, I don't fully understand. Like dot at the beginning of a folder and stuff is like an old, Unix.

Speaker 4: I was gonna ask. Yeah.

Speaker 3: So, like,

Speaker 4: why might that be relevant?

Speaker 3: Yeah. So any any folders and things that start with a period become invisible. So they're like hidden files and hidden folders. That's like an old UNIX command or like an old UNIX structure. The so applying it to users, you know, this is funny. In, like, the thirty some years that I've been a Unix user, I've never actually tried this. So so kudos to you for trying it. I wonder if it I wonder if it applies to other Unix systems would be my question and not just Apple because chances are when they adopted the BSD kernel in the original OSX, they they probably adopted a lot of those Unix structures and that vulnerability still might exist in other Unix servers. So, like, when you're talking about if I hack into a Unix server, I could set myself up an account that's essentially completely hidden unless you really go looking for it, which would be kinda kinda crazy to leave yourself a beautiful backdoor that is just a full admin root access user.

Speaker 4: Yeah. When the CEO and I I think the larger premise of delivering this to someone in the workplace came up, I do think about how many people are working every day on a laptop that was set up by an IT person at the company who set up to whatever the company's standards for security are, delivered it. That end user, the employee might not have admin access to their own computer, and that's for security reasons, and there's pros and cons of that. But I I fully understand it. It doesn't strike me as where a vulnerable vulnerability like this would be relevant because your computer might already be vulnerable in that situation. It might already have, monitoring software on it. Like, you are not in control of that computer. Totally. You shouldn't assume you are. Someone buying a used computer is where this comes up. Mhmm. Because I can imagine cracking open a computer and it's sure looking like it's been factory reset, but it hasn't. Which is a good reminder that if you ever buy a used computer and it looks like it's been factory reset, you should factory reset it again just to be safe. So they they set up a new user, they put period at the beginning of the name. Apparently in Unix this is, not shorthand is the wrong word, but this is a way to render something invisible, thus creating one of these hidden users. You then go through a little bit of a process of removing the Apple setup done file. This is after you would have loaded whatever malicious software you want to change the UID, get the computer looking brand new even though this hidden user with the malicious software is still, lurking in the background, and they can then go do whatever it is they wanna do to lock down the computer, it won't matter because through this supply chain attack, you've, kind of gotten under the hood already. Is that a is that an accurate summary of what this caller is describing?

Speaker 3: Yeah. Yeah. The the supply chain attack piece is really interesting. Like like the To me, the, like, internal IT supply chain, you know, they kind of already usually have superuser access and access to a lot of confidential information. You know, they're trusted employees. Like, there would be a potential there for I don't know. I don't I don't even wanna theorize, like, cyberstalking and stuff like that. But, like, there you you would have the ability like, that would True. Grant, like, a a much more personalized attack to be able to go into someone's computer personally. Personally. But the at the same time, it's like the the idea that yeah. Like, the inner supply chain outside of IT, like, this could be something that happens. Like, the you know, we're in a world now with nation state IT, you know, wars, hacking or cybersecurity wars. And we're seeing nations put themselves into supply chains for all kinds of things like pagers, being one of them of note. So it's like the ability to distribute an entire, you know, bulk of of IT hardware that has a a perfect open backdoor in it with with ease because it's like, I think in a lot of other major supply chain attacks, it's it's much more nefarious and much more refined in the sense that, like, maybe it's a small piece of malware that's living inside of another app, etcetera, etcetera. It's harder to detect where this is just a a full backdoor account. So, yeah, it's it's definitely a vulnerability. Obviously, they fixed it for a reason. So I'd say kudos to you for identifying it and sending it in. Not sure why they said it wasn't a vulnerability. Maybe that's just for legal liability case.

Speaker 2: But

Speaker 4: I was gonna get to that next that this feels like a a tech support and someone called the lawyer's collab where we can't deny that this is the case, assuming this is all true. We can't deny that this is going on because you can go verify that this is a thing that you can do. But we do have to say it's not a vulnerability because we haven't fixed it yet, and we don't want an email thread where we admit to there being a very very dire functionality, a very, very dire vulnerability in macOS. So we arrive at this weird liminal in between state where, yes, this thing that looks conspicuously like a vulnerability is in the computer, but you'd be mistaken for thinking it's a vulnerability. It's more like a like a fun trap door in the bottom of the treehouse. It's like a it's a cool way of talking about it.

Speaker 3: We didn't fully know that it existed, but we're not surprised it exists, and we're not mad at it, but we'll fix it. Don't worry.

Speaker 4: It's like, hey. You have shit on the bottom of your shoe. Be like, no. No. That's how this shoe came.

Speaker 3: Yeah. Anyway, if you have an interesting tale, that you'd like to share with us, please let us know hotlinehack dot com. There's a phone number that you can dial in and leave us a voicemail. You can send us an email with a text. You can send us an email with an audio recording. If you want to obfuscate your voice, please do so. If you send us an email, we will use, as you heard in the first one, some mediocre AI to convert it to audio. So and as as you're about

Speaker 4: to hear, we've done it again. I think you just threw some shade because that first one, they used AI. Oh. This one, we can say that we're using mediocre AI to do it. I personally think the AI in the first one was fantastic, Scott.

Speaker 3: Oh, yeah. Really? Yes. Yes. Let's hear let's hear how our mediocre AI compares. This was sent in by a German user. So we've used a German English voice. So let's we're in for a real treat to see how good AI is here.

Speaker 4: That's the commitment to quality you get when you send in a story to Hotline Hacked. We're gonna try our best to find the AI we think that matches your spirit, your energy as closest as we can. Mhmm. Mhmm.

Speaker 7: Well, I used to study CS at a German university and landed a job at a chair of one of the professors. We did some research project work mainly, but you also had to do some administrative stuff like updating schedules, updating lecture files, etcetera. For the purpose of the administrative things, we got API access to our university system where you could upload files via an API endpoint, for example, or upload the grades of an exam to the central server. However, it being Germany, the API was very old, so you had no identifying authentication in place. All we got was a generic API token, which was basically the same for every user for the whole semester. So it's probably every university student had the same experience with deadlines. I had to submit a project for a subject, had had nothing to do with the chair I worked at. And, of course, I was way too late and would have had to work a night shift to get it done by the deadline. Instead of getting on my ass and working, I, of course, thought about how to get more time to finish it and got the brilliant idea to just DDoS the central server, where I would have to submit my project to via the API access I had. Didn't think about any possible consequences and just started crafting huge files, set up a small script that would send the files repeatedly and hope for the server to crash. Even though I studied CS, it was still pretty early in my studies, and I had no idea about DOSing and other hacking things. So it was just a trial and error. It took several hours to get the script to work and submit a good chunk of files, but then out of nowhere, the connection errored out and the server was down, and I had an excuse to not submit the project. By that time, it was pretty late at night as well, so might have also finished the project in the first place. LOL. But, yeah, that's my story.
Brought the server to its knees with a night shift instead of working on the project, never got caught, got a few more days to finish the project successfully, and lived ever happily after.

Speaker 3: I love that he I should say they. I love that they themselves identify that they could have just spent the time getting the project done but instead they decided to learn how to DDoS a server.

Speaker 4: Yep. That's kind of the thing about a lot of cheating.

Speaker 3: Is it

Speaker 4: more often than not to do to cheat really really good. That top drawer s tier cheating is normally more work than just doing the thing that you're cheating at.

Speaker 3: Yeah. Yeah. Yeah. Yeah.

Speaker 5: I

Speaker 3: don't know what to say.

Speaker 4: So they got they're doing some admin work at at the university. And then to do that admin work, they needed API access, which gives you access to these servers to be able to do things like upload grades. I sure thought that's where this was going, that they got access to upload grades and were like, a plus A plus whatever German for A plus is. Not what happened. Everyone gets issued this generic API token. So there's it's pretty anonymous, I guess is maybe what I can intuit from that part of it, which is what enables what's about to happen. Meanwhile, this person with this generic API token access to these this university service has a urgent subject. They would need to upload it to the server. Instead of doing the hard work of doing the assignment, They got the idea to spend the entire night DDoS ing the server, to have and this is the part that took me a second to get in order to have an excuse as to why they didn't submit the assignment. Mhmm. Is that correct?

Speaker 3: You are correct. So the the the API key that went out, it appeared that they gave everybody the same key. So instead of a key linked to you, they gave it to everybody. So the so the idea of being able to identify based on the API key who was who was uploading all this garbage that caused the server to crash, they couldn't do. They probably could have done it through network logs and figured out IP addresses and things like that, Cross referenced those IP addresses to previous logins and things like that. Like it shouldn't have been hard to track down who did this is what I'm saying. They got, it sounds like they got away with it, which is good for them. And the I think the real lesson here is sometimes you just need to do the work.

Speaker 4: I don't know that that's the lesson from this. It seems like it went off without a without a hitch. It's true. There is that lesson. It's a good lesson. It's not present in this story. You're not wrong. The the the thing for me

Speaker 3: on this one is is I guess this is part of their tech journey. You know? They they figured out something. They figured out like, they they wrote a script to generate garbage files full of probably random information just, you know, you know, and and just started uploading those in bulk, whether they filled up the hard drive or whether they actually crashed out the network. Who knows? But but they managed it to DDoS or disconnect the server. It wouldn't I wouldn't call it a DDoS because it wasn't distributed. It would just be a denial of service, just a regular DOS. But they managed to get away with it. To me, I think the lesson that I would take away with it is maybe I should just do spend the time on the assignment because I I also went through CS and none of the assignments were particularly lengthy unless we're talking like a advanced, you know, massive project in the fourth year. But most of the smaller things were just, you know, a few hours here and there. And if you're gonna spend an evening or an all nighter Sure. Learning how to crash a server, you may as well spend it knocking off the assignment and get it uploaded. At least that's my way to look at life.

Speaker 4: That's certainly true. However, I would say, then you wouldn't be doing a massive solid to all of the other students in that class that didn't get the assignment done. Because not only did you generate an excuse for you, you created an excuse that is sort of applied unilaterally to everybody. You you you cheated for the whole class, and that's punk rock.

Speaker 3: You're not wrong. I that I might be.

Speaker 4: I might be wrong.

Speaker 3: The thing is that there was probably a bunch of other kids who were staying up all night actually working on the assignment that went to upload it in the morning and

Speaker 4: couldn't Sure. Nerds. Yeah.

Speaker 3: Grant and and I'm one of those nerds, Jordan. Thanks. The I

Speaker 4: was one of those nerds too.

Speaker 5: But the

Speaker 3: yeah. I guess if for all of the other students that just were gonna completely whiff on it and not submit anything Yep. For sure. For sure.

Speaker 4: Yeah. He's like the he's the Robin Hood of poor, time management.

Speaker 3: Yeah. It's cool.

Speaker 4: I like it.

Speaker 3: I've I've Recall. I've managed to do things like this on accident before. Like yeah. I'm not even joking. Yeah. Yeah. Yeah. Like the ability to generate infinite information or spawn infinite processes in Unix. Like I once wrote a script, like just a bash shell script, inside of Unix that called itself at one of the forks. And I managed to spawn an infinite amount of these this process that was calling itself. And there's very little control if you have admin access and boom, the server's down. Like I've crashed. I've accidentally crashed production servers with just like a small misstep before. So it's it's

Speaker 4: A terrifying chain reaction to sort of Chernobyl gray goop. Yeah. Nanobots eating everything moment where the computer just starts to is steam.

Speaker 3: Exactly. So it's easier than you think, to crash crash a basic server. So so, easier than you want sometimes.

Speaker 4: So But did you use it for good? This caller sure did. And we appreciate getting to hear about it. Why don't we okay. We have one more after this. It it it's a long one, which makes this about as good a time as any to talk about our dear dear sponsor of Hotline Hacked, Delete Me.

Speaker 4: Okay. Before we get into this one, it's a little bit longer. We actually don't know quite where it goes. We know we want to give it a listen. We don't know where this this roller coaster ride is taking us. Just wanted to give you a little bit of a heads up.

Speaker 3: Yeah. We got this one. It's so long that we'd listened to the first minute each and decided that it's probably good, but we didn't wanna ruin our hot takes. So we didn't listen to the entire thing. So here we go. Join us on this ride.

Speaker 5: Hey, guys. Love your podcast. Love the hotline hack stuff. I'm excited to share the story with you. It's a little exciting and nervous at the same time. So.

Speaker 3: I'm also excited and nervous. So I'm with you on this ride. That makes three of

Speaker 4: us.

Speaker 5: Story takes place back in let's see. Back Orifice was released in August 1998.

Speaker 3: Back Orifice. One of the original kind of malware, like, computer control remote controls for computers. This is like an old Cult of the Dead Cow, thing came out in the nineties, which I think he just referenced, just so you know. That's what he's talking

Speaker 4: about when he mentions back orifice. Back orifice,

Speaker 3: b o b o. B o from Cult of the Dead Cow, CDC.

Speaker 5: The the dorm I was staying at during that time. So this was either in the fall of ninety eight or the spring of nineteen ninety nine. But let me give you just a little bit of backstory real quick. So I started going to college in, like, 1996. I didn't know anything about computers at all. What is it? And I, you know, kind of want we wanted to play some games and network. We didn't know how IPv4 worked, you know, Ethernet. So we figure out

Speaker 3: I love that he's talking about how he didn't know computers at all back then and then starts referencing inter in Internet protocols based on versions. So I'm assuming his is his I'm assuming those skills have escalated since now.

Speaker 4: I I'm gonna bet that by the end of this story, he will have revealed himself to have known something about how computers worked back then. I might be wrong about that. We'll find out together.

Speaker 5: T cards could be hooked up with coax cable. We use the IPX/SPX protocol and, like, things just work so we could play games. And that's kind of, like, how we got started into computers was just through video games.

Speaker 3: Didn't we all? I also used I used to have LAN parties where we used coax networks because they were super easy to spawn up and take down. So I did the same thing.

Speaker 4: Is a GameShark hacking, Scott?

Speaker 3: Yes. It is. Hell yes.

Speaker 5: Carmageddon. I think it was like MotoGP with some motorcycle game and Anyways, so wasn't going to class at all. We were just literally just hacking on stuff, learning how computers worked and, you know, eventually obviously figuring out how IPv4 worked. And so through the next couple of years, you know, we advanced from Windows 95 to Windows NT. One point we were running like Windows 2000 beta, I think at the time we did this. You know, on floppy disks, everything was dial up. We had no, you know, no fast internet anywhere. And MP3s had kind of just hit the scene. So of course, being broke college kids, we ripped all of our CDs into MP3s and then sold our CDs back to the, you know, resale shops so we can get some cash. And encoding back then was, like, you know, 100% CPU maxed out, like, don't touch your mouse because you're gonna have, like, a skip in your song when you're encoding. Like, it it it really sucked back then.

Speaker 3: This is I remember all of this. This is really good. This is a trip into the past for me here.

Speaker 4: This is just starting to bump into my actual experience with janky shit with computers, which was very or, like, early two thousands music piracy and the sketchiest MP3s you've ever seen in your life. I'm I'm seeing the dawn of my era here in this story, and I and I like it.

Speaker 3: I I I gotta say I never went as far as to rip all my CDs and resell them. It's a brilliant move right there. I just used I allegedly just used straight piracy and downloading music that I didn't buy. So

Speaker 4: Yeah. Well and specifically, what he did was buy a CD, rip it, and then just return it to the store, which is like a weird kind of piracy. It was pre, you know, Kazaa, Limewire, Morpheus, Napster, but post the popularization of CDs. It is like this tiny little window of

Speaker 5: time. Yeah. We have like a I think we have Pentium 200 or something roughly right around then. Like, it was it was a lot. Pentium two two hundred. Just to kinda set the stage on, like, hardware specs. You know, we have, you know, our our 56k modems and things like that. And so yeah. So anyway, so so MP3s, like, you know, I had my collection. My roommate kinda had his collection. And, like, you know, we would try to, like, steal each other's MP3s, like, when you weren't looking. You know, if he goes to class, I would try to get into his machine, you know. Like, I knew some of his passwords. He knew some of mine. And then we started getting better at, like, you know, better passwords and things like that. And then, you know, ultimately, we ended up kind of, you know, learning about, you know, file sharing and all that stuff. So we kind of ended up learning how to secure our stuff and, you you know, it kinda culminated one night. I had for whatever reason, I had taken my, like, my snowboard goggles and put them on because it was kinda like, you know, my mask. And so, like, it was a no one night. I wake up. I got my snowboard goggles on.

Speaker 3: Is is he saying they use snowboard goggles as a sleep mask?

Speaker 4: Or see, I read that as, like, a pre like, whenever I would go do hacking prior to the popularization of the hoodie as the sort of iconic costume. Uniform costume of hacking. I would sort of pop on some snowboard goggles and just and just get my hack on. He wore them as asleep. I actually don't know which one of those is weirder. I like them both.

Speaker 5: I got the you know, I got his PC, like, the case is off, you know. And all my stuff was IDE. And his he was he had a little bit more meetings than I did. So he had, like, you know, SCSI ultra wide. And so I'm like, I've got this, like, Adaptec, you know, 3940 SCSI ultra wide card. I'm like, I've got that out, and I'm like, in the middle of taking out his SCSI drives to to plug them into my computer.

Speaker 3: I wasn't very technically skilled, but here I am disassembling the computer, pulling out SCSI cards. The SCSI was a a better hard drive, like a connectivity, like, what's the right word I'm looking for here? A way that the computer talks to the hard drives. So IDE was one and SCSI is a different one. SCSI was a better one, often used in enterprise grade stuff, servers, things like that. Where IDE was more of just like the classic, you know, when you see the classic hard drive and the classic connector, that's what IDE was. So just different ways of connecting the hard drives and different throughputs and things like that. So his buddy had better hard drives and better connections that his computer wasn't capable of. So he's removing the SCSI interface from his friend's computer to install it in his so that he can steal his music. I love that. I love the journey that we're going on here. It's like we started just as, like, playing games in our dorm rooms, and now we're, like, literally tearing each other's computers apart to steal each other's music.

Speaker 4: And we're less than a quarter of the way into this odyssey. I have a feeling this guy's gonna commit felonies by the end. Those rules. Also, the level of detail. Like, I was, oh, I don't know, an Adaptec 3940.

Speaker 3: Yeah. Yeah.

Speaker 4: Yeah. This was twenty five years ago. That's remarkable. You have an extremely good memory. Also, thanks for clarifying, SCSI, because I assumed that he was just shit talking the other guy's gear. Like, SCSI, if you don't know that that's a protocol or a standard interface, it sounds like it's bad.

Speaker 3: Yeah. No better. SCSI was an interface and a better interface than the one that he had. So he wasn't shit talking his friend's computer. He was being like, my friend was rich and had expensive shit and I was mad about it. So

Speaker 5: You you know, he wakes up. He's like, dude, what what the fuck are you doing? I'm like, alright. You're so you know, totally busted.

Speaker 3: K. I gotta this is hard. It ought to just keep stopping.

Speaker 4: We're gonna it's gonna take an hour.

Speaker 3: So he just has snowboard goggles on. He's ripping his friend's computer apart. Yep. And then his friend wakes up and it's like, what the fuck are you doing? I think I would say the same thing if I woke up.

Speaker 4: This confirms my theory that this was indeed his hacking uniform. When you wake up and there's this, like, gremlin unscrewing your computer and you're like, Ricky, get out of my

Speaker 3: room again.

Speaker 5: And so we kind of at that point, we just we'd call it the truce. Right? We're like, alright. Truce, we're not gonna we're not gonna listen to each other's stuff anymore. Let's band together and, you know, go about this a different way. So, you know, back then, there was no LimeWire, Parashare, Napster. Like, none of that existed. So the only means of getting MP3s were either, you know, borrowing CDs from people ripping them and giving them back or, you know, on the Internet. So we would find open FTP sites. And that's that's kind of how how this really started.

Speaker 3: I feel like we're about to go on a journey into something that was called Wares, which was what stolen software used to be called. That's my gut read here is that we're about to enter a massive tale about stealing and distributing software. So we'll see if I'm right.

Speaker 4: Let's put on our goggles and find out.

Speaker 5: And then Back Orifice comes out. And this thing's this is cool. Right? So Back Orifice, for those that don't know, it's a a RAT, a remote access trojan, I guess you would call it. But at the time, it was just a really cool thing to play with. Right? So we had it we had it installed on all the lab computers, like in our in our dorm. In the, you know, on the main floor, there was like probably, I don't know, 15 or 20 computers on there.

Speaker 3: Well, he's into felonies at four minutes and eighteen seconds of a fifteen minute story, so you don't see where this goes.

Speaker 5: We had it installed on all of them down there. And it wasn't really for anything nefarious. It was actually, to run distributed.net clients, which back in the day distributed.net was basically or maybe still is. I don't know. It was a thing that you would use to try and crack encryption just to prove that the encryption algorithm could be cracked. And so you download a little slice of a thing and and work on it and, you know, work on these chunks very similar to, like, bit Bitcoin pool mining where everyone kind of works on a little slice and then, you know, you kinda work together. That's what this was. So I had I had this client installed on all the computers, and it was just kinda running. And that way, I was kinda getting credit, like, under my username for, like, all these jumps that I was completing. You know? It was it was pretty cool. And then, you know, there was a there was, like, a faster Internet connection down there. So, like, a lot of people would go on there and just, you know, they would use it for for whatever. And so, like, our our, like, dorm roommates would, like, go down there. They'd be on AOL. They'd be chatting to, like, girls, you know? And so, like, our little buddy came back came back up and he's like, yeah, dude. I was just talking to this chick. And we're like, yeah. We heard long dong 42. And he's like, dude, bro. How do you know about using it? You know, like, all this stuff. So we were kind of giving crap about it, but so that was kind of, you know, it was it was fun. You know, we would open close the CD ROMs and, you know, do stupid stuff like that, you know, freak people out. But then, you know, we're like, how do we how do we get this out to other people? Like, how do we let's let's do something cool with this.

Speaker 3: And we're gonna have to obfuscate this guy's voice.

Speaker 4: I think you might be right. Can you please continue? I'm so curious.

Speaker 5: That's circling back to the sort of the MP3 thing, and and here's here's where things kinda get get wild. So on these FTP sites, a lot of them were set up as ratio. So like you would like a one to 10 ratios. You would upload one meg and then you would be able to download 10 meg. And the idea there is to share, you know, to upload upload a song and then you could download some songs. Right? And uploading was super painful because we're on dial up and it sucked. And we're like, man, it would be really cool if there's a way around this. Well, that that was kind of the spark for this idea. It was like, hey, we're going to release this Back Orifice tool and we're gonna call it CuteFTP ratio cracker. This CuteFTP was the the client that kind of a lot of people used back then. And we're gonna call it, you know, CuteFTP ratio cracker. People are gonna download this and they're totally gonna run it because people are idiots. And remember, like, back then, like, downloading executables off the Internet was something you did, like, all the time. Like, everybody was running, like, cracked copies of Photoshop, downloading, you know, serial number generators, cracks, things like that. Like, you just download anything. It was like the Wild West. Right? So here's here's what we did. So Back Orifice has a couple of plugins. It has a lot of plugins, but the two that we used. One is called Silk Rope. And I I hope I hope I'm remembering this correctly, but to the best of my my memory here, here's what it was. So Silk Rope lets you embed one executable into another. And so we took the Back Orifice executable and we embedded it into this other EXE, which all it was, it was it was just an executable that had had no icon, so it was clear. And when you when you ran it, it just deleted itself. That's all it did. Like, it was I don't even know if I could find something like that today, but it was I don't know how we found it back then. 
But so we we basically use this program. So when you when you double click on it, it would install Back Orifice, and then it would it would just delete, like, the original executable. So you'd run it, and you wouldn't really you wouldn't it just looked like nothing happened and it would be gone. And you're like, what the hell is that? Like, that's that was weird. But whatever. You kinda go about your business. And so that's that's what we did. And the other plug in we used was Butt Trumpet. Yep.

Speaker 4: Yep.

Speaker 5: And Butt Trumpet would make it so that when a computer got infected, it would send Back Orifice would send an email to an email address of your choice with some bits of information. I think it was I think it had like a little customizable template so you could say like, you know, here's the IP address or, you know, whatever it was. And so we had to send emails to an email address. That is is really unbelievable in today's day and age. But because the name Butt Trumpet, it just we're like, hey, let's use, you know this this really I have no way to verify this claim, but it was we had Donald Trump at I I think it was yahoo dot com. It might have been hotmail, but I think it was yahoo dot com. And I I know, like I said, it's completely unbelievable. And I I still know the password we used because it was like a generic password, but I've and I know the account's been disabled probably years ago. But if there was some way to verify it, I could tell you the password and we could we could I'm I guarantee we could get into this account.

Speaker 3: It'd be surprising if we got into that account and it was still receiving email updates from, like, old ass computers that hadn't been updated, that were still running this RAT.

Speaker 4: DonaldTrump@Yahoo.com.

Speaker 5: And then we started uploading this combined, you know, this silk rope. We we uploaded this thing to all the FTP sites so we could find all these ratio sites. And then we just sat back and waited. And I remember it wasn't it wasn't very long. I mean, it was like less than a day that we started getting emails. And it was like, you know, tens of emails, hundreds of emails. Like, by the end of the week, it was like we were getting like a thousand a day. And it was like, holy shit, dude. Like, gold mine. And so then we started, you know, plundering people's devices like it.

Speaker 3: But we're deep in felony territory now.

Speaker 4: Yeah. This is a lot.

Speaker 3: Like a distributed Trojan attack at taking over control of thousands of PCs on the Internet and then plundering them. Was that the term he just used?

Speaker 4: I am so curious to find out what dear caller means by plundering.

Speaker 3: We have six more minutes where I'm sure we'll learn the details. Plunder on.

Speaker 5: My badge of honor, I remember so it was like somebody from, like, UCLA. I had, you know, remoted in and I'm like, I I stole their background streak, like their, you know, their desktop background, which back then, it was always like, you know, some culture. It was always like some, like, you know, Sports Illustrated swimsuit edition model, you know, like lying on a beach in a bikini or whatever. So, like, I would steal that, make that my background. And that was, like, you know, my trophy because I would steal people's backgrounds. And then here's where here's where, like, here's where the guilt really comes in. Oftentimes, it would be like, you know, people would have, you know, 3.2 gig hard drives. Like, it was pretty small. But we people would have, like, a c drive, and then it would have a a second drive, like, their d drive. And that's where all their, you know, all wares would be. And, you know, cracked copies of Photoshop, all their MP3s, you know, we would steal MP3s and stuff.

Speaker 3: And then Called that.

Speaker 4: Yeah. No credit where credit's due. You called that one a mile out.

Speaker 5: You know, if they if if somebody's drive, like their secondary drive was full of just like cracks and MP3s and nefarious stuff, I would, I would format the drive. So I would go to a command prompt on the machine and I would type in format space D colon space forward slash V colon loser and V is to set the volume name And so if they open up my computer, they would see the C drive and then they would see the D drive and the D drive would just say loser and it would be empty because I just formatted it. So I don't feel good about it.

Speaker 4: I don't feel good about it either.

Speaker 3: Like oh, man. There's that hint of Robin Hooding here because he's, like, deleting stolen software, but there's also a hint of, like, just mass crime.

Speaker 4: Like trolling almost? I'm I I keep coming back to the visual, of the of the snowboard and goggles. Just like formatting someone's drive and leaving the word loser behind and then just popping them up off your head and going for a coffee.

Speaker 3: It's not me that's doing it. It's my alter ego.

Speaker 4: Ten eighty snowboarding hacker. This is great. I love it.

Speaker 3: I actually got four minutes.

Speaker 4: Let's find out.

Speaker 5: I said it's there's been, like, twenty five years of guilt that I feel extremely remorseful for, but I really only did it for people who had a bunch of trash on their job. Like, I do I would do it if they have, like, schoolwork on there or, like, you know, important documents because I, you know, I would scoop through everything. I didn't I didn't do any of that. So it makes me feel a little better, but I still feel I still feel pretty shitty about it. So, I'm sorry.

Speaker 3: Wow. Public confession. Like, we've got, like,

Speaker 4: a Yeah.

Speaker 3: Never haven't had a hotline hack that's a public confession and an apology. So And, like I

Speaker 4: It like, it seemed like he got a good heart on you. Like, you you did something. It was a little a little bit anarcho. It there there were shades of that to it, but you carried it around. You you realized you maybe shouldn't have.

Speaker 3: And the the things, you know? Yeah. Totally.

Speaker 4: I I appreciate gross.

Speaker 3: The thing is, like, this story is long enough, and we've gone on such a journey to get to this part that I'm invested in the main character, protagonist or antagonist. And and here's the thing is, like, it's good to see the moral evolution as you went from and like truth be told, like, I remember those days. It was the actual quote unquote Wild West. Like computers weren't set up and capable of dealing with, you know, the hazards. People were trusting and did anything. It was so easy to put a Trojan on a computer, to put a virus on a computer, to get access to information you weren't supposed to have, crash servers for your email assignments. It was it was, yeah, it was it was the Wild West. And I think a lot of us grew up in that time, or a lot of us that did grow up in that time remember that that was just like it was it's a sad part to say, but I'm what am I trying to say here is I think we I think during that time, a lot of us did things that we regret, and we all grew from it. And it's good to hear that you've grown from your your story too.

Speaker 4: I think about how when I was I I think younger than this caller was during this period of time, but when I was first when I first got that computer that I had access to by myself and it was just, allegedly an explosion of piracy in the basement of my childhood home. And then if the criteria for, yes, I can go ahead and muck with this person, and yes, I can go ahead and format their drive was the presence of pirated software and MP3s. Boy, did I have a big flashing bullseye above my head that entire time, and I'm sure happy. I I wasn't I didn't get into it back in the FTP.

Speaker 3: I had had friends growing up that were, I wanna say, borderline addicted to collecting music, which is, to me, like, a more reasonable venture. But I had other friends that collected wares, which was stolen software and things like that, and didn't use any of it, just collected it like a like a mouse hoarding or a squirrel hoarding nuts for the winter. Like, I had to I remember a friend of mine, I won't say his name, but he had, you know, back in the day, there was like CD binders that you would store your CDs in.

Speaker 4: Oh, yeah.

Speaker 5: Yeah. And he he

Speaker 3: had a CD burner, which was an expensive toy, like SCSI hard drives, that the rich kids had. And he would have binders and binders full of, like, every piece of software, every game, everything, and he would download it and then burn it to a disk and put it in his binder, and he just collected them. He never used any of it. He just collected them. Anyway, that's a digression. Let's

Speaker 5: There was there was one person who I, you know, I connected to and I I it was like a web server, so I, like, go to it and this kinda hit home for you guys, but it was a it was like a Canadian, mom and pop travel, place. So they would do, like, guided tours. Like, if you visited Canada, you'd go to this place and they would take you on, like, you know, guided hiking tours and canoe trips and things like that. I was like, man, like, these people have no idea that that they're just exposed. You know, so I I actually went I I, like, drove to a payphone somewhere, and I called international, which I'd never called international before. And I was like, hey. You know, I I called them and let them know. I'm like, hey. Your your your blood server is compromised. And they were like, dude, what are you talking about? And I'm like, just trust me. Have somebody technical go look at this. Here's what they should look for. And I, like, hung up and I was like I felt like I did it sort of a good deed, but I still I felt I felt guilty, you know? And I'm like, man, that was that was crappy. But whatever, you know? So I moved on. And, I think the the final the final the the last part of the story really is is, the part that scared the shit out of me. So I'm like, you know, somebody's live on their computer. And I have, like you could, you know, watch your keystrokes. And I I think it was, like, in notepad. I I I don't remember exactly how it worked. I think I, you know, I could see, like, it was, like, in a notepad type thing. And you could see their keystrokes in. You would see, like, their misspellings and things, but it wouldn't correct their misspellings like a notepad. Like, if they hit backspace, it wouldn't, like, backspace in notepad. It would just give you, like, a backspace, you know, care thing to let you know they typed in backspace. So seeing what they're typing is kind of hard. You kind of had to decipher what they're typing because it was kind of jubbly. 
But this person went to microsoft.com And he searched for something. And I don't I I didn't know at the time what it was he was searching for, but I knew immediately after because he went to command prompt and he typed in netstat. And then he typed, and I don't know where he typed this, it was probably still in the command prompt, but he just typed it knowing somehow he knew. He typed, I know who you are. One five one point one six seven dot x dot x or whatever my, you know, but it and it was it was my IP address. And the first the first two, you know, octets or whatever are tied to my school. And so, like, he knew for sure what school I went to. And so he knew for sure who he could contact and that I I was like, I I powered on my PC. I remember this was a Friday night at, like, 08:00. So we were getting ready to kinda go out to parties, you know, so because you didn't go out till you didn't even go to parties till, like, ten or 11:00 at night when you're in college. I remember freaking out, getting extremely drunk because I was like, man, the feds are gonna kick down my door. And, just that that was like that was like the end of my hacking. That that was it. And I I was I was freaked out and that really set me straight. And I ended up switching degrees into I got into computer science at that point and, became a web developer. I was a developer for twenty years. I got into infrastructure and and, during that time, I actually kind of was getting back into the scene. I, you know, was buying 2600 magazine and going to hacking conferences. And Now I'm in AppSec and hacking legally for money. I I work for a company and I get paid for it to do what I really like to do. So kind of all came full circle. Sorry to those people that I formatted your drives, but you had probably had it coming anyway. And, that's the end of my story. Thanks for listening.

Speaker 4: Great story. You you truly earned every minute of that. That was fantastic. I like that the ending of it. I said earlier that you clearly had you got a conscience on you, and it's like you really appreciate that in a story like this. This sort of double beat right at the end of there's this one person I connected to, the Canadian mom and pop travel place. They take you on guided tours, driving out to a payphone so that you can call them and tell them your computer, network is compromised, your web server is compromised. Who are you? Just trust me. Have someone technical look at it. Totally. It's such a great little turn in that story. Not before the final turn in the story, however, when you were scared straight.

Speaker 3: Yeah. He ran into somebody that knew. That, like, the somebody that knew the footprint of Back Orifice, probably. They knew. And and the thing is too is I I remember back in the day too of of of doing the same thing, like netstatting people, seeing what people were so netstat, you're looking at all the connections on your computer on the network, finding the one that's the anomaly. And then there's even geolocation. So you can take an IP address and essentially geolocate it at varying degrees of of, specificity. So you can figure out essentially where someone is and you can do this even nowadays like in in certain games and stuff where there's direct connections between gaming clients. You can still see the IP address of the people you're playing against. This this is where DDoSing in games comes in, stuff like that. As you can figure out other people that are around you use IP addresses and then DDoS them off the network or essentially killing their connection to the game, allowing you to beat them, whatever whatever their goal is. It's part of the the cheating matrix now in gaming. But the I remember doing the same thing with geolocation and and freaking people out, like, when people would be talking smack on the Internet and stuff. Like, a lot of forum posts save the IP address things came from. And if you had access to those records, be it the database or whether they were embedded in the the source files, like the HTML source for forums. And being able to geolocate people and being like, you know, how's Boston these days? And, like, you know, just like and and and varying degrees of specificity. So the person that they ran into clearly had that knowledge, knew how to look up where the connections were coming from, and probably knew how to geolocate it. So So not just, you know, looking at the IP address and what organization it's associated with, but also probably geolocate the IP. So they probably had a really good idea of where you were. 
And yeah, great I I great story.

Speaker 4: A really, really good story. I think about how often scammers you always see this moment when someone's trying to scam someone, that they think is probably less technically literate than by saying you have no idea who I am. I'm the scariest hacker you've ever seen. It's like you're texting. They're just making shit up. But they're trying to scare you by saying, I know where you are. I know your IP address. I can see out of your this is just lies. And that that is such a pale shadow of an imitation of this very real, very scary moment you had where you were the technically literate one who had gotten control of someone else's system. And they very matter of factly typed to you out of the darkness, I know who you are and then your location. It's so good. You couldn't script it better.

Speaker 3: The it's it's funny too because it's like this person's journey, I'd say is probably very common in people that work in defensive security and AppSec and stuff like that where it's like you get the interest and you learn the skills. It's

Speaker 4: a good point.

Speaker 3: Not a lot of people go into the the security sector blind and like with no knowledge. Like you're coming in with a with a catalog and a toolbox that you developed somewhere. And I would say most cases that was not developed doing good. So it's like the the fork in the road between the white hats and the black hats is, you know, this person was in the black hat camp and then started to feel remorseful for their actions and ended up ended their career or ended up in a career of a white hat. And I think the same goes for a lot of people. The same happened to me. The same happened to probably a lot of a lot of people that you work with probably have a similar similar journey, whether it's as severe as this one, you know, mass distribution of remote access Trojans and and, you know, mass gross data privacy violations. Like, definitely definitely a severe tale and especially when to tell to us. So appreciate you taking the time.

Speaker 4: We really appreciate that. That's the kind of calls we want. Totally. To borrow your phrase, it felt like the fork in the road led him to that payphone. It was his conscience led him to go, you know what? I did I did this and it was fun and it was interesting. And I've got my snowboarding goggles on and I'm mucking with my friends and it's just sort of this naturally evolving process. But you sort of hit the the moral Mhmm. Crux of it. And it led you down that kind of white hat road. You were actually yoinked off the road entirely when that other person wrote that terrifying message to you and you're like, I'm actually going to detour through a really nice twenty year career in web development before I come back to this road I am going down and pursue, work as a white hat hacker. This is a really, really good one. I appreciate you taking the time to record it. The detail was worth it. And, we love getting stuff like this. So thank you again.

Speaker 3: Anything else?

Speaker 4: I think that about puts a pin in it. If you've got a story that you would like to share, something short and punchy or something like a real crime saga drama like that one, kick it on over to hotlinehack.com. You can send us an email with raw text. You can send us an email with an anonymized voice. You can send your own voice. You can call into a real phone line that we have listed on the website. A myriad of options. All we want from you is your story. We'd love to hear it. Love to talk about it on the show. Take care, everybody. Catch you in the next one.