The 4chan Hack

Speaker 1: Today, we have the story of a schism. I'm gonna guess that most people listening to this show are familiar with 4chan. If not in practice, then in premise. But in case you're not, 4chan is an image board. It's organized into topic based boards. You have 100% seen screenshots of the iconic 4chan green text stories. 4chan was an incubator for iconic memes, rickrolling, lolcats, Pepe the frog, pet a bear. It was central to Gamergate and QAnon. While there are boards for innocuous things, tech, anime, there were also image boards celebrating all manner of not so innocuous things. 4chan is one of the bases of the DNA of modern internet culture. And it got hacked. Allegedly, because of a schism. Love me a schism. Interesting concept. Good word. Back in November 2021, a meta board dedicated to discussions about 4chan's moderation, called QA, short for questions and answers, goes down. It had been removed by moderators, quote, because it sucked. And at that moment, an exodus occurred to a place called Sojjack Party. I will regrettably explain all of this in due time.

Speaker 2: I was gonna say, are you gonna say the, like, short name for Swajak party? The shardy?

Speaker 1: We'll get there. Yeah. They they like to call themselves the shardy, and it sure did seem like a one hell of a shardy. The point is that a rivalry had emerged between the moderators of 4chan and the people who thought that 4chan had become too buttoned down in corporate in light of a of a sale that had occurred. A schism between Sojjack Party and 4chan. And this past month, 4chan took a pretty big blow in that fight. On 04/14/2025, there was a breach, allegedly carried out by users from the Sojjack Party, that took 4chan offline. And importantly for 4chan, a famously anonymized platform, the hack to some extent de anonymized a subset of the users. Internal systems were compromised, source code was leaked, moderator identities were exposed. Now, all of last week we got a string of articles and headlines, I would say prematurely noting the death of 4chan. And then, a night or two ago at time of recording, a portion of the site, boom, comes back online, with an explanation from the mods there as to their side of the story of the hack, why it went down, and how they say it worked. So, to start, amongst a couple other stories, we're gonna walk through what happened. The hack itself, and what it means when the myth of online anonymity collapses inside one of its most infamous communities. Here, on Hacked. Babidi bop bop boom. Jazzy remix of the theme song. Cha cha cha.

Speaker 2: How you doing, Jordan?

Speaker 1: I'm doing good, man. How are you?

Speaker 2: I'm doing pretty good. I'm starting to get healthy, which which I don't know why it's taking so long. It's really annoying me. I'm not actually I don't feel bad. Like, I went skiing this weekend, got some spring skiing in. Heck yeah. But I still have this, like, throat thing, which I can't tell whether it inspired one of the comments on the recent episode about us sounding tired, whether it was just me being sick or whether we were actually just tired. Could be one of the two.

Speaker 1: It could just be the general tiredness in my soul. So I've caffeinated pretty thoroughly to try and offset that today. I'm wired, Scott.

Speaker 2: I I've actually been largely kicking the caffeine addiction. I've, like, I've tuned my coffee tuned my coffee intake from, like, two to three times a day down to, like, two to three times a week.

Speaker 1: Woah. You're skipping. We have another mutual friend who's doing that too, and he he he described it as being quite harrowing when he did it. So I'm curious to talk about your experience about that.

Speaker 2: Yeah. Yeah. It hasn't been it hasn't been bad. Can't complain about it. But, Good.

Speaker 1: So it's been an interesting couple weeks since we last had sort of a chatty chat episode. This chat chat episode, of course, brought to you by push security. One of the big stories, was the four channel leak, which I think we should maybe start with.

Speaker 2: Yeah. I'm happy to start with it. Where do we wanna start?

Speaker 1: I think maybe for anyone that doesn't know because I I feel like a couple years ago, the world learned about 4chan, through a couple of pretty gnarly news stories of different things that had been sort of fomented there. And we all got a little bit of a primer back then, but maybe we start at the beginning with the history of the platform just so that people know.

Speaker 2: Yeah. Well, the 4chan went live in 2003. Yep. But it was based off of a Japanese website, 2chan. Mhmm. I won't do the disservice to the Japanese listeners to try and pronounce its Japanese name.

Speaker 1: Yeah. There was a couple of different these sort of image boards. If you're familiar with Reddit, you have the basic ID. It's not quite the same, but there's some overlap. It's a forum. It was founded, as you said, in 2003 by a 15 year old guy named Christopher Poole, known on the platform as Moot. It was inspired by 2chan, 2channel. It was anonymous by default. You could use it without usernames, account systems. It was just posts an image. It was sort of very intentionally anonymous. It was organized into different topics. There was slash a for anime, slash b for random, slash paul for politics, g for technology, and And it was an incubator for memes and Internet culture.

Speaker 2: Totally. I think the biggest like, whenever I hear the word four Chan, my brain immediately links QAnon. Like, I feel like they like, that is the the tip of the spear for four Chan. It's like if anybody knows a four Chan, it's probably QAnon because I feel like that was the that was the biggest, most media intensive storyline to come out of four Chan or at least one of them.

Speaker 1: Totally. QAnon was, I would say, the sort of impetus for that first big media cycle that we were talking about, when a lot of people learned what this was. It's also kind of considered by some to be a birthplace of, like, a certain modern incarnation of Anonymous, the slash b board for, like, the random board in the mid two thousands, like, people started it was almost like a shared joke because everyone was anonymous, and then a campaign, we won't break dig into this too much, in 2008 called Project Chanology that was a protest against the Church of Scientology was spurred there and sort of a version of the modern anonymous was born there as well. So you got QAnon, you got anonymous, you've also just got, like, a decade plus of Internet culture. You've got Rickrolling and LOLcats and Pepe and Pettibear and Green Text Stories. You've got all that stuff birthed out of 4chan. So for as kind of gnarly and dark as the platform could be, it was undeniably influential on the Internet. And I wanna be careful not to past tense it either because a big part of this story is sort of the false reports of the death of 4chan, which at time of recording is still online.

Speaker 2: Mhmm. Yeah. The the thing for me is, like, if you spend any time on any other social media platforms, chances are you consume a pile of 4chan content without knowing it. Totally.

Speaker 1: Yeah. Yeah. There's the content and the culture that came out of it, and there have been often when it makes it into media, and with good reason, it's because of some things that have happened there, perhaps due to moderation policies. Without getting into hate speech gore extremist manifestos that have popped up on slash Paul and slash b very widely reported links to real world violence, 4chan played a role in the Christchurch Church shootings, Buffalo mass shootings. It's been repeatedly and I think validly criticized for its moderation policies being insufficient in some regards.

Speaker 2: Yeah. The it is 4chan. It's 4chan.

Speaker 1: You know what it is. So a big thing to note here in the history of all of this, and especially from skimming around on the site, there's a before and after for a lot of the users, which is that the original founder, Moot, ran who founded and ran the platform until 2015 when he sold it to Haruki Nishimura, the founder of 2channel, one of the original Japanese boards that inspired it. So that, for a lot of people, is a before and after in the history of the platform, and it's pretty important for what's to come. Bringing us to SlashQA. SlashQA is a questions and answers board for site like meta discussions and talking about policies on the platform. It over time became a hub for soyjack memes and Wojak edits, which you've definitely seen. They're, like, memes that sort of, like, parody different Internet archetypes of users. Mhmm. It also, very importantly for this story, fostered a subculture that was quite critical to 4chan's moderation team.

Speaker 2: Yeah. Any moderation would be unacceptable. Yes. Your criticism of the moderation is different than these this group's criticism of the moderation.

Speaker 1: For sure, it is. It for sure is. So Slash QA was shut down in November 2021 with little explanation. A moderator of the comment on dismissed it in saying that it was closed, quote, as I said earlier, because it sucked. And that shutdown sparked this, like, diaspora who migrated over to this new thing, Sojjack Party. The original founder of 4chan moot plus Sojjack equals suit. Soot? Suit. Suit. Suit. Created in 2021 by a user known as Soot, which I'm just gonna start saying because it's the only way I know how to say those letters. And it started as like a a frag fragment hub for Sojjack memes, these Internet persona parodying little caricatures. And after QA's closure, it becomes a refuge for that community. Self described, as you said in the introduction, as the shardy.

Speaker 2: The shardy.

Speaker 1: It was from day one hostile towards 4chan's structure and moderation, which they viewed as corporate and stagnant. And by 2025, when this really all pops off, it had evolved into a full fledged counter platform and, like, antagonist to 4chan. Trolling on 4chan was, like, the beating heart of the culture of SoiJack Party.

Speaker 2: So they had later rivals. Yeah. Nemesis.

Speaker 1: Nemesis. Post schism nemesis.

Speaker 2: Post schism nemesis.

Speaker 1: 04/14/2025, a major outage begins and slash QA, that board that had been taken down, mysteriously reappears defaced with, all caps, YOU GOT HACKED EXTI. There were some initial signs of a back end breach. The next day, soijack. Partyuser starts claiming responsibility under what they're calling Operation SoyClips. So, in that April 15 post, there were, some initial signs of what the full scope of the leak was gonna be. You got admin dashboards, moderator lists, emails of staff, a little bit of the source code for 4chan. The next days, couple days that follow 4chan is intermittently offline, but trending towards fully offline. Reuters starts to report on this that hackers may have had back end access for up to a year at this point and a week after that 4chan is still largely offline and there'd been no official statement from Nishim where, everyone starts to go, okay. This is this is a catastrophic failure.

Speaker 2: Catastrophic. In a in a world of privacy being hacked, in a world that prides itself on anonymity, getting your all your data breached and hacked is probably the worst possible thing that could happen.

Speaker 1: And a platform that prided itself not just on anonymity, but on the types of speech that that anonymity taken to its conclusion could proffer. Mhmm. I think that's really, really important here is that this didn't happen to Reddit. This didn't happen to any number of different platforms that have, I would say, moderation policies that are a little closer to the middle of the bell curve. This happened to a place where I

Speaker 2: don't know. I don't know if I say that Reddit has is close to the middle of the bell curve. I think we can argue about that one. I would say that

Speaker 1: I don't know if we could argue about that it's closer to the middle of the bell curve than

Speaker 2: four Chan is. That's true. That's true.

Speaker 1: Yeah. That's true. It's all relative.

Speaker 2: I wouldn't say it's in the middle of the bell curve, but it is much closer than four Chan for sure.

Speaker 1: That's a, I think, a valid distinction. So let's dig into the the hack itself. Like, what what happened here? There's the technical details as we know them today, and then I think there's the overarching story of how this happened. But to dig into the details, my sense of this is that this all came down to a bogus PDF upload. Upload. Someone was able to upload something they shouldn't, and it basically wrenched this thing apart on the grounds of some out of date infrastructure. Is that generally accurate?

Speaker 2: So it seems like from well, they actually posted on Reddit a lot about what they did and how the hack went. So they they released a lot of the attack vector data. But what it seems like is that four Chan really wasn't that great at keeping their stuff up to date. They were running old, old versions of PHP, you know, very traditional 2003 website build, like, probably LAMP stack, Linux, Apache, MySQL, PHP. Classic for 2003, totally outdated these days. They weren't updating a lot of their, libraries and dependencies. And what it came down to is that they were allowing PDF uploads in certain, I don't know what you call them. I'm not a four chan user.

Speaker 1: So I

Speaker 2: I would call them, like, subreddits, but, like, whatever the, like, channels are. Boards. Or four boards. Boards. Thank you. Some of the boards didn't, would allow PDF uploads. And what it would do is it would then run it through something called Ghostscript, which would then turn the PDF into a thumbnail to present a thumbnail to the users.

Speaker 1: Oh, interesting. But what

Speaker 2: they weren't doing is checking to see if it was a real PDF that you were uploading. So what they were actually so what they ended up managing to do was, exploit a pretty well known CVE CVE2202336664. Cool. That's right. There is three sixes in the middle of it. But essentially, what they what they allowed them to do was was upload postscript files, which are similar to PDFs, but then Ghostscript would actually execute malicious code embedded in the Postscript. So should have been something that was patched, very well known vulnerability. The version of Ghostscript was very old.

Speaker 1: Mhmm.

Speaker 2: Like, just just poor server maintenance and poor, like, I don't know, system administration led to a bunch of vulnerabilities that were eventually executed to to give them admin access and control of the server.

Speaker 1: Potentially for up to a year in advance of this hack. There were some some reporting to that effect.

Speaker 2: Yeah. Yeah. So they managed it seems like they managed to to change their their user account IDs up, escalate them to administrators. And then from there, they branched out deeper into the system and into the server itself. So so pretty pretty, I would say, like, pretty avoidable hack.

Speaker 1: Yeah. Yeah. I'm seeing FreeBSD, which is like an operating system that they were using on their servers that had been, like, unsupported since 2016.

Speaker 2: I I was a FreeBSD guy. Yeah. Yeah. I used to run FreeBSD exclusively until about, I don't know, 2007, 2006.

Speaker 1: That's before 2016, I'll note.

Speaker 2: Yes. Really, when Mac OS X came out, and this is actually something a digression is like being in the Linux environment world again. Every day, I wonder why. Like, I can understand a love of, like, Linux and a love of, like, Unix. Like, that's where I I came from. But it's like everything is just way harder. Like like, why do you why why do you put yourself through the pain of it of using Linux when macOS exists and it's based on a BSD kernel and it has full Unix inside of it? It's like, everything just works better. So So I just anyway, that's a digression aside. But but the, yeah. So FreeBSD was very secure for its day. FreeBSD, NetBSD, both very secure operating systems. Great operating systems. Used it extensively. But, again

Speaker 1: A little long in the tooth at this point.

Speaker 2: Little little long in the tooth. These are people that clearly were not prioritizing basic IT requirements for being secure.

Speaker 1: And they offer a little bit of an explanation as to why that is, which I think we'll get to. It seems to come down to capacity and available resources, we'll say. Mhmm. So the hack goes down and immediately so the two big outcomes here are 4chan goes down and a bunch of internal information from the back end of 4chan 4chan gets leaked publicly. We had, as I said earlier, a bunch of staff identities, admins, mods, emails, Some connections linking pseudonyms to real names including their email addresses peppered amongst which we find dot gov and dot edu addresses which I found fascinating very fascinating Yeah, we got a little bit of user data some IP logs tied to deleted post and some it doesn't look like there's any payment data exposure, but 4chan had a, there was a 4chan pass subscriber emails that seemed to be in the leak. Source code for the website, as well as internal moderation notes which, confirmed some long held public suspicions regarding, tolerance of all manner of stuff that if you spent five minutes on 4chan, you knew they tolerated. So, the previous dates in our timeline had taken us up to April 17 or so. The story boots back up on April 25. 4chan posts this defiant message to it on x saying, like, the the premature announcements of our death were just that. There was a bunch of coverage and, like, major platforms talking about, you know, 4chan in the past tense, basically, saying this is done. They they've been taken down forever, and here was this tweet saying, nope. We're back. April 27, two days later, an official 4chan block confirms the catastrophic breach, talks about the hacker, explains the bogus PDF upload thing that we spoke to earlier, connects it potentially to an a UK IP address. And I think the the big point here is they say that it was years of being starved of money and a lack of skilled man hours that had led, that had left the infrastructure vulnerable. Which brings us to now. There's a new server that's replaced the compromised one. The site is in parts backup online, but with limited capacity. PDF uploads are, I would say, wisely disabled. Flash animation boards have been left offline, I think, permanently it sounds like. And as the last reports, posting images, thumbnails, there are still issues on the site, though. It is back online. I think this is just a fascinating one on the grounds, not just of like, the hack itself is interesting, but I think it's interesting to see what happens when a platform that is really built around the concept of anonymity and discussion under the veil of anonymity gets de an de anonymized. I think it's gonna be fascinating to see what happens to 4chan moving forward now that that anonymity has been tested. And now, also, I think that its role as, like, a counterculture hub has been, in a way, usurped. Part of the draw of 4chan was that it was the one of the edgiest places on the open web, and now there's an even edgier antagonist that has done this big public thing. And I think that that's gonna have an effect on the relationship between these two different sites and which one draws people to it that are interested in that kind of thing.

Speaker 2: Yeah. It's like a it's like a sociological experiment more than it is anything else that Totally. For me, the like, a four Chan something like four Chan is always good to exist. A 100%. It's just it's it's really fascinating to me that it's like we're this could be the demarcation point for, like, a new generation. So, like and whether that's the shardy, whether it's something else comes alive, like, especially especially given

Speaker 1: It's just so funny to be speaking so seriously. Whether it's the shardie or another unknown plan, it's just that you remember what you're talking about.

Speaker 2: But, like, also, you could take like, you and I could kick up YouTube live right now and build with AI a version of Fourchan in before the end of the day. Yeah. And it's and it's like so it the the empowerment that AI codevelopment has has enabled into communities that look for solutions like this

Speaker 1: Mhmm.

Speaker 2: It's gonna be fascinating to watch. You know? We talk about fragmentation. Like, one of the major barriers to entry for, like, having a platform for our community Used to be, like, building a platform was big and hard and expensive, and now it's now it's not.

Speaker 1: This is a story about a person despite founding a platform that's now quite prominent, and it's like, oh, that there's there's a shift that's been taking place, and it's been accelerated as of late. So who who fragments off of Sojjack Party when someone that founded it decides that they have some line that they don't want crossed? And and and how many times does this just repeat over and over and over again?

Speaker 2: Yeah. It's it's just gonna become a critical mass exercise of, like Yeah. It's it's like like, you can have AI build a Twitter x clone in, like, two hours, But it's the critical mass of the user base that makes the platform viable.

Speaker 1: Mhmm.

Speaker 2: So that's gonna be the that's the thing. You know, you're seeing that with blue sky. Blue sky finally after years of of nothing. Yeah. You know, one election and boom, all of a sudden blue sky is relevant. The it's gonna be a fascinating thing. Like, I just seeing how people promote, drive traffic to, and develop communities, the technical barrier to entry is gonna largely like, it's already mostly gone, and it's gonna keep reducing as these tools get better and as the processes for interacting with them get better to watch what's gonna happen to the Internet because it's it's so easy to build something these days if you kind of know what you're doing.

Speaker 1: Mhmm.

Speaker 2: It might not be the best version of it. Like, that's the other thing is, like, I look at this, and I'm like, oh, yeah. You were running a website from 2003 running, like, PHP 5.5 or something. And it's like, you could have just literally taken the scores code for it, given it to Google Gemini 2.5 pro, and been like, rewrite this as, like, React TypeScript. And it would be like, boom. Here you go.

Speaker 1: Well, that's probably happening behind the scenes now. Yeah. It's like the bro the the bone that has to be broken in order for someone to come along and reset it properly. And is the technical debt of having been a website founded in 2003 iterated on and iterated on and sort of hacked together Yeah. Yeah. Yeah. Yeah. Become a really, really big disadvantage in this kind of a world where we can it's like, okay. I wanna create a a two chan imitation. I can do it in two hours and it can be up to date, relatively speaking, as compared to something that was created over twenty years ago, basically, at this point. Totally. Yeah. It's, there's, like, an acceleration. And when schisms like this happen, it makes it all the easier for the, the the new combatant that's entered the fray to spin something up.

Speaker 2: Well well, I will. Like, as to just as a knock on to the fact that there's gonna be so many AI developed websites out there. Yeah. If if if, like and I'm gonna use you as an example in this, but you're not right. But, like, if Jordan spins up some community for some website or some software as a service application, no coding it, like, just Vibes codes the whole thing, are you gonna be equipped to maintain it? No. Absolutely

Speaker 1: not. And and that's exactly like, the the next question I had is in the same way that it's I'm curious at what point, some cohort of people over on 4chan turn it back around and grab as much information as they possibly can about Sojjack Party and how it's built and feed this in the exact same stuff into one of these systems and try and find the vulnerability that they can go after there. And it's just accelerated creation and destruction.

Speaker 2: Well, the like, there's some there's some pins and strings on

Speaker 1: a Yeah. Totally.

Speaker 2: On a corkboard here. But, like, if the founder was British, the founder built the initial site, would know the technical layout of the site, would know the library dependencies, would know all of the stuff. The hacker's IP address is British. I'm not saying anything. But it's like, who better equipped who would be better equipped to hack a system than the person that designed architected and constructed it? They're gonna know every pinpoint vulnerability in it. So I'm not making any any claims or any alleges there. I'm just saying, in a general sense, the easiest way to hack something would be to have built it because you're gonna in intricately know all the details

Speaker 1: of it. Are you saying Christopher Poole is British?

Speaker 2: Like, Moot? Didn't didn't wasn't that part of the story?

Speaker 1: Christopher Moot, Christopher Poole. Sorry. Online note is Moot. Born in New York. And I think that there's the evidence was well, it's not evidence. There's an allegation on the four channel response to the hack saying that they connected it to a UK UK IP address. But I think he might be American.

Speaker 2: So I'm totally wrong. See here, I thought I thought I thought Poole was British. I thought I read that in something that he was had founded in Britain.

Speaker 1: He maybe he lived in Britain when he founded it, and he and he made a powerful nemesis that years later took him took down the platform after he'd sold it to someone for presumably a bunch of money. I am curious how much he sold 4 chan for in 2015.

Speaker 2: But It's it's not revealed. I looked I looked to try to find it. Good.

Speaker 1: You're asking the right questions.

Speaker 2: Yeah. Yeah. Because it just just makes me wonder what something like, something what something like that is worth because it is so like, I think they're ranked three hundred and fifty ninth globally, get over well over a 100,000,000 visits a month.

Speaker 1: Like Yeah. It's a it's a major platform on the Internet. It's not it's not a FAANG company, but it's a big deal. And it and outsized culturally, I would say too.

Speaker 2: Yeah. Yeah. Totally.

Speaker 1: I was having a conversation with someone about this, and we should move on. But we were talking about, like, the concept of black box systems, where the inputs and outputs, you can see what they are, but there isn't really any knowledge about what's happening inside of it. You have instincts and ideas based on what you've built, but there's there's an opaqueness to it, hence the term black box. And it feels like an increasing amount of software that shouldn't be black box software is going to effectively become where you're gonna have people creating things and implementing them at scale where there isn't really anyone inside that organization that can explain to you exactly how it works. They have insights, and they know how to ask an AI how it works, but there isn't really, like, an architect of the whole thing. They can look at it and just explain it all to you nicely and, importantly, fix problems when they emerge. It's gonna gonna be a tricky little time for a while here.

Speaker 2: Yeah. Security through obscurity, like a classic you know, Microsoft started with it way back when. The open source community fought against it. But, yeah, it's like a storyline in software as long as today. The the one thing I will say is that is that AI is not bad at fixing fixing logic problems in in code. So I think that now that we're seeing so many and this is probably a good transition, but, like, talking about places like Duolingo going AI first and a lot of these companies kind of pivoting to be an AI first company rather than, you know, enhanced by AI, software engineers and people working there enhanced by AI, but they're actually putting AI at the top of their decision making trees and the top of their system design trees and things like that. It's like we're seeing this trend kick off. And, actually, again, before we could jump on the call, we were talking about, like, has anybody defined a hierarchy for, like, AI inclusion into an organization? Like, if AI first is the top of the I guess it's probably just an AI organization, which would be the top of the pyramid, which is like a company of agents that just does stuff, and there's no humans involved. No human in the loop. And then you go AI first. And then what what are the tiers down from it? Somebody really needs to sit down, some academic that does this stuff, a business academic, and define the hierarchy of, like, AI integration into organizations because I'd be I'd be interested in using that chart.

Speaker 1: On the, on the very far end of that, a buddy a mutual buddy of ours sent me this research paper called AI twenty twenty seven, and it it maps out a couple of different, like, historical trajectories for how it could work. And it was done by some people that had had some good guesstimations in the past of things. This is all just speculation. But the thing that it outlined at the end of the document was the emergence of a thing called, so a Special Economic Zone is a real world thing. Totally. There's different shades of them, and they come in wrap wildly different scales. Like, Shanghai was a Special Economic Zone in its at its beginning, and now it's, you know, it's a world cap capital city. But you also have small little things where there's these little regional jurisdictions where the government in an area basically says, we're just gonna let some investment group group or external body administer this here, right down to security and policing and governance, basically. So as to see what kind of economic activity can happen on this little plot of land if we just sort of like look away for a while. And the document lays out a path towards something called like AI administered SECs where it's not about we've come up with a plan and then we're gonna use AI to empower it. It's sort of like a land black box where it's like, well, we we have a pretty good sense of what it's doing in there, but we don't totally know. And I would say that if you're trying to map out a spectrum of potentials, The idea of, like, a geographic agentic at SEZ is probably as far as you're gonna get in that direction where it's, like, it's functioning basically as the government at that point. Ai-2027.com. It's a fascinating, it's a fascinating document.

Speaker 2: I've, one of our mutual friends, Sash, sent it to me, and I read it, and I loved it.

Speaker 1: I think it's He he sent it to you. KK. Yeah. Of course. Identity attacks, phishing, credential stuffing, session hijacking, account takeover. These are the number one causes of breaches right now, and most security tools still focus on endpoints, networks, and infrastructure. And meanwhile, the browser, the actual place where people work, has mostly been ignored. Push security changes that.

Speaker 2: They built a lightweight browser extension that observes identity activity in real time, gives the corporation and yourselves visibility into how identities are being used, like when logins get multifactor authentication, when passwords become reused, or when somebody unknowingly enters credentials into a spoof login page or phishing page. Then when something risky is detected, push enforces protections right there in the browser. No waiting, no tickets, no processes. It just happens. It's visibility and control directly at the identity layer.

Speaker 1: And it's not just about preventing all that stuff. Push also monitors for real time threats, adversary in the middle attack, stolen session tokens, and even newer techniques like cross IDP impersonation where an attacker bypasses SSO and MFA by registering their own identity provider. If you think about it, it's like endpoint detection response, but for the browser. And

Speaker 2: the, you know, the people at Push are great offensive security pros. We had Adam on the pod. You should listen to that episode. They published some of the most interesting identity attack research out there, and they break down exactly how these kind of threats bypass traditional controls. Identity is the new endpoint, and Push is treating it that way. So check them out at pushsecurity.com.

Speaker 1: Pushsecurity.com. Starting some new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.

Speaker 3: Study and play. Come together on a Windows 11 PC. And for a limited time, college students get The best

Speaker 2: of both worlds.

Speaker 3: Get the Unreal College deal. Everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft three sixty five premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last, ends June 30, terms at aka.ms/collegepc.

Speaker 4: When you need to build up your team to handle the growing chaos at work, use Indeed sponsored jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications, and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at indeed.com/podcast. That's indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed sponsored jobs.

Speaker 1: Cluelly. Cluelly. Let's talk about cheating on stuff. Let's talk about

Speaker 2: cheating on everything. Why don't we?

Speaker 1: So a couple episodes ago, we talked about Roy Lee, a Columbia University student who had developed an AI powered interview assist tool, and he kinda went viral with this stunt in certain, like, tech and hacking communities as part of this debate about, like, technical assessments and whether the tech job interview process was up to date, broken, fair, all that interesting stuff. The basic idea behind this was that he would be sitting on an interview, and this tool he'd built would feed him real time answers during technical interviews, including, like, coding suggestions and behavioral prompts of, like, what to say without being detected by the person on the other end of the call. Sparked this whole big fascinating discussion we talked about, I think, two or three episodes ago. You can go check that out if you're fascinated. But the story booted up again this past week

Speaker 2: when In a big way.

Speaker 1: In a big way when royally used, I would say, the clout and virality from that initial stunt to launch, to fundraise for and then launch a new company called Cluely launched with a slick viral video. It's basically a $20 a month productized version of what he did in that original, interview stunt.

Speaker 2: Yeah. So, like, to to touch back to our previous conversation about it, about him gonna be just fine, while he's just raised $5,300,000 for his new start up. Yep. The I think I think there's more of a philosophical conversation to be had about this because I don't see it as that bad. I see the outcome of it as being terrible. Like society's gonna get stupider, because we'll have real time information all the time. But essentially what like, the framing and the branding and the way that they're positioning themselves is kind of antagonistic. Sure. Like, using the word cheat as their, like, primary thing. But, really, what they're building is, like, an instant data recall, like, information system.

Speaker 1: It's a real time answers thing. It prompts you it gives it listens and it provides relevant context. It's not entirely dissimilar to having chat g p t open in a window next to a Zoom call and feeding information into it.

Speaker 2: Yeah. But but even then, like, the like, search engines were so good at doing like, Google, when Google came out revolutionized information retrieval. Right? Like, we got it it it was essentially cheating. Like, you didn't have to really learn anything anymore. You did. But, like, if you had a question, it could find you the answers. And, like, that was a revolution. This appears to just be the next kind of iteration of that. Like, this is gonna understand what you're doing, the context you're in, the context of of what's being discussed, and it's gonna be pulling up real time information about that discussion.

Speaker 1: Mhmm.

Speaker 2: And to me, it's like that's a logical step. Like like the like, when I was in college, I wrote a graphic novel about this exact concept. People wore contacts that told them what to do, showed them how to do it. Their education died away. People just became people like, it was a dystopian novel, but essentially, it was like people became people became automatons kind of driven, commanded, and controlled by the central control all through, like, a contact interface that, like, this is what you have to do today. Today, you're gonna be like having you're gonna be running a surgery on somebody. You've never been a surgeon before, but we're gonna walk you through it in entirety in your eyes and like it tell you everything you need to know. And it's like, this has been coming for twenty five years. So it to me, I don't know.

Speaker 1: It it it, I mean, I wouldn't have brought this meme up if you hadn't brought up that the the the graphic novel. It's very the meme sci fi author. In my book, I invented the torment nexus as a cautionary tale. Tech company at long last, we have created the torment nexus from the classic sci fi novel. Don't create the torment nexus. It definitely has shades of that. Yeah. I think it's worth separating the broad premise of this technology, which Roy Lee, let's be clear, didn't invent. Mhmm. There have been multiple tools and projects over the last couple years about saying Totally. This this technology can run basically in real time now. What if instead of the copy paste use case, it was just listening, auto transcribing with capacity it already has and providing that information in real time with that that have utility? The answer is certainly. Yeah. I think it's worth, however, talking about how this specific implementation is designed and communicated because I think that matters. Totally. You and I have talked about the hammer metaphor before of, like, people always talk about, you know, a hammer can be used to drive a nail or hit someone in the head. It's not the hammer's fault. And then the complication of that when you think about it for more than about fifteen seconds, which is yes. But if I design a hammer to shoot 10,000 hammers per second and then someone goes and does violence with that, perhaps the design of a hammer that seems explicitly engineered for doing violence is in some way implicated. I find this discussion fascinating. So there's there's two things I wanna bring up here. One is, the manifesto that Roy Lee posted on the Cluely website. It has changed over the last couple days. He has made refactoring it? He has re well, he had the LLM refactor it. I think given the the context here, we shouldn't assume that this was written by a human mind. But it is framed around the idea of we want to cheat on everything. Mhmm. You heard that right? Sales calls, meetings, negotiations, there's a faster way to win. We'll take it. And he builds up to this idea, quote, and yes, the world will call it cheating, but so was the calculator, so was spell check, so was Google. Every time technology makes us smarter, the world panics, then it adapts, then it forgets, and suddenly it's normal, but this is different. And it builds up to this idea which he posted in a tweet. Lee said, quote, $5,000,000 to change the definition of the word cheating. The other element of this, and I wanna set both of these up because I think this is important to take them in concert, is the video that that it was launched with.

Speaker 2: Oh, it's lovely. Very different vibes.

Speaker 1: Very different vibes. I I wanna start with the credit where it's due. It is an achievement in virality. This whole thing has been. We've talked about it twice now on the podcast, and he didn't pay us a cent. Mhmm. He got 10,000,000 views. He's very good at this, and I I won't try and take that away from him. And the core premise of an AI note taker that's giving you live information probably gonna become an increasingly common thing in the same way that Google was too. Undeniably. Undeniably, the video. In the promotional video, Roy Lee is out on a date, and we see him. It's an IRL date, and he's being fed, what to say by an LLM. It's a it's a visualization. He doesn't have a real computer. There's no such thing as heads up, glasses. This is an extrapolation of the technology, and it's sort of this, you know, the play Cyrano de Bergerac? It's the it's this old play story about a man that falls in love with a woman, but he he can't woo her. He's he can't speak well enough. He doesn't have the thoughts. Yeah. Yeah. Yeah. Yeah. So a man, with a beautiful way with words stands in the bushes and feeds him the line, the woman falls in love with the wrong way. It's a whole thing. He's sort of using AI as a Cyrano de Bergerac esque character to get through this date, pretending that these are his thoughts and then saying them out loud. The date goes terribly. And that video went very, very viral. Roy Lee, of course, knew what he was doing in creating something intentionally controversial. He has tweeted as such.

Speaker 2: I I I I feel like that is his like, that's his marketing persona. Like, right from the leak code stuff to this, the antagonism of using the word cheat. Like, I don't disagree with his manifesto. Like, that's the thing. It's like, I think that what he's building will have value. People will use

Speaker 1: it. And

Speaker 2: the commercial, I find just a bit cringy, but at the same time, very, very good at marketing. Like he built. Mhmm. Yeah. He he built something that would be intentionally viral, intentionally controversial, did a great job at at launching it. I think, like, in all honesty, like, he might be more than anything, a marketing genius than a than a tech genius or at least one maybe the two combined. But the but the but the thing is is, like, I don't disagree with his manifesto. I think he's kinda

Speaker 1: right. And I think that I think that there's an important thing here. And, yes, there's a long storied history of using moral ambiguity as a marketing tool.

Speaker 2: Mhmm.

Speaker 1: And he did it really well here. Mhmm. We're on, you know, minute fifteen of free PR. No debating it. I think the video and the manifesto taken in concert speak to something deeper. There's, like, a having cake and eating it too type thing going on based on the fact it's evidenced by the fact that he's changing this language in real time. He makes a video where he uses the product to I'm gonna editorialize here, gaslight a woman as a marketing hook, because in his own words, the fact you're watching this and getting annoyed is the point. And then I would say hides behind oh, dates aren't a real use case. He writes a manifesto about redefining cheating and then has terms of use that basically say don't use this to cheat, which of course you will because otherwise why would you pay $240 a year for it? He describes a world in which we let LLMs sort of pilot us like meat suits and we go limp as a social revolution and progress is inevitable as the calculator. But the thing I keep noticing in all of these use cases from the interview to the date video isn't the idea of having AI helping you with useful information real time. It's lying about it to the person you're talking to. Yeah. Every time the user real or imagined, they're being lied to about it. Not cheating by having an AI helping you, but lying about that fact. And my issue is that if you're lying to the person you're talking to so that they think they're actually talking and hearing your ideas, your thoughts, that's that's still lying, and that isn't captured by the rationale in the manifesto or the video. If you're honest from the jump and you say, hey. I'm just reading what an LLM is telling me to, then your revolution is an honest one. But as it stands, even if you redefine something that was once considered cheating as not being cheating, and to be clear, that's what he's doing. He's not redefining cheating. He says he raised $5,000,000 to redefine cheating. He's not. He's recategorizing a thing that is currently considered cheating as not being. You still haven't redefined lying. Yes. It it's I I get the thrust of it, and the tool is cool and saying, you know, there were people who said a calculator was cheating at doing math, and that's true. But if I asked you if you used a calculator and you lie about it, that's a lie. Sisiba, I

Speaker 2: I I agree with you in the context in which we live in now. Yep. And the thing that I'm gonna the thing that I'm gonna push to you is is that context going to change? And and I'm gonna say, yes. It is. Like, AI like, we are humans. I think I'm gonna make a a broad sweeping statement here, but, like, we are we are lazy. Like, we look for the shortest We optimize. Yeah. We optimize. We're inherently that's a great way to put it. We are Yeah.

Speaker 1: We're very generous.

Speaker 2: We prefer optimization. We want the least resistance to get to the best outcome. And this is this is built for that. Like, you you've seen, like, you've seen how AI has changed the corporate world even in small ways. Like, it makes it makes everything a little bit easier if you know how to use it. And that's if you're not using it a lot. And if you are using it a lot, it makes everything way easier. It's it might not mean the quality is better. It might not mean the consideration is better. It might not mean so many things, but it can do so many little things optimized for your life. Yeah. Really well. This is built for that world. Like, we're going here. We're going to meet suits. Like, we're we we are LLM driven meet suits, and it's like, that is because that is an optimization. It's like, we we are gonna willingly accept this reality, willingly shift our context and our morality window as to what is acceptable. And, like like, I see this future. I saw this future twenty five years ago when I wrote my my graphic novel. It's like, this is where we're going. And he's he's his his antagonism and his cheating and his lying and stuff, we all consider that a good marketing, but at the same time, it's like, I don't think I don't think he's wrong. I think that in in twenty four months, we will all be using systems like this to optimize our outputs. And it'll be a status quo at that point. It won't be lying. Everybody will just assume you're using it. And if you're not using it, people will know because you're gonna be worse than them.

Speaker 1: Yeah. If two people there's I I'm very open to the normalization argument, and I'm even pro optimization. If there will ever be situations where people are expected not to and they do, it's the morality window shifts, but the definition of lying won't. Things that were once considered lying can be recategorized as not. That's sort of my big point is that the concept it's like he's not redefining cheating and he's not redefining lying. He's recategorizing. And some things will get recategorized. But if you design a hammer to shoot little hammers like bullets, you're still designing a system to empower lying. And that's I I can't tell you where this is going. And the fact, honestly, that he's changing some of the language in this in real time is a is a good thing because I think that it speaks to a desire to not be flat out evil, but just to use moral ambiguity as a marketing tool, and that scares me a lot less.

Speaker 2: Yeah. That But a lie

Speaker 1: is still a lie.

Speaker 2: A lie yeah. I'm I'm not guys, I don't know where to go from there. The the the gaslighting video

Speaker 1: It ain't great.

Speaker 2: It isn't great. It's not a good look, but it but here's the thing. It's like, it speaks to like, I feel like people lie to each other all the time.

Speaker 1: Sure.

Speaker 2: People posture. People do this. They they they they, you know, round the edges on things to make it so it makes them look like Instagram is essentially a window into people's lives. Mhmm. It's like it's like we're we're in a culture where, like, we already are lying so much anyway. You know, people have been lying to people to get them into bed for a fucking thousand years.

Speaker 1: Sure.

Speaker 2: You know? Like like, it's like it's not a great thing. It's not a morally sound thing, but it's like it's it's part of human nature.

Speaker 1: And now you can pay $20 a month to do it better than ever.

Speaker 2: I I I think the thing that this the thing that this resonates with me the most is that it speaks to the shift in the window rather than the window we currently live in.

Speaker 1: Certainly, it does. And the window is shifting forward.

Speaker 2: Yeah. Yeah. Yeah. Yeah. And and and that that's where this, like, if he'd asked me to invest, I would have invested because I think that the world is going in this direction. And I think that what is not normal today will be normal in the future. And this is the system to empower that transition, and it's gonna be successful for it. There's gonna be a bazillion competitors pop up, which is the other problem with it. So maybe not the greatest investment, but, like, they're they're obviously first one of the first to markets and also one of the most controversial and getting

Speaker 1: the most free PR. So Right now. Right

Speaker 2: here. Right now. Right here.

Speaker 1: It's a it's an interesting story, and I'm curious to see where he lands. The guy's clearly very competent at drumming up a lot of press for stuff, and it for hacking together cool technology. I take none of that away from him. I think this tool in a lot of situations would be really genuinely useful, and I'm glad to see the list of proposed use cases getting a little bit more conservative and a little bit less

Speaker 2: lying. Exams? Yeah.

Speaker 1: I just want us to be I think that this is this one is worthy of being thoughtful about and not treating the, a post truth future as an an inevitable conclusion of this technology. If both of them were sitting there on that date Wearing the same thing. Both using it, both knew it, and the Overton window had just shifted there, okay. Fine. I'll I'll see that world when

Speaker 2: I see it. I know. You you're old enough to not wanna see that world, and I don't really know if I wanna see that world, but I think that that world is coming for us no matter what. Like, when I a couple episodes ago, I talked about a friend of mine who was hiring somebody, did a Zoom interview, asked them a question, literally could see them typing it, the question that they asked, into ChatGPT That's

Speaker 1: really funny.

Speaker 2: And then parroting back what the response was. And it's like, we're we're like, people are already trying to use

Speaker 1: using it. It.

Speaker 2: Yeah. Yeah. Like, they're they're doing it worse, but there are, like people are already meat sacks guided by LLMs. And it's like, it's it's a sad reality. I'm not sure like, I wrote a dystopian book about Yeah.

Speaker 1: It was a dystopia thing. It was your torment nexus. Yeah. I'm not even sure I don't know what that future will be, dystopia or not. I know that people will probably always feel bad if they're lied to. So if they think it's not happening and then they find out it will, I think that's I don't know that the Overton I don't know that a window can shift far enough that if I thought you were telling the truth and I found out you weren't, that will ever not feel unpleasant.

Speaker 2: I would just say look to modern politics. You're being lied. You're being lied to that. That pleasant? Not at all. But, like, the amount of focus testing and the amount of, like, the like, now we have LLMs, but but traditionally, we had research.

Speaker 1: Mhmm.

Speaker 2: The amount of time and money that gets spent on researching things to lie to people to make them

Speaker 1: Yeah.

Speaker 2: Believe that you're a

Speaker 1: good do something.

Speaker 2: Yeah. Yeah. Yeah. To activate somebody. Like, this is a Normalized. The process is old as time.

Speaker 1: Totally. Yeah.

Speaker 2: Yeah. We don't expect expect to be told the truth by politicians. How bad is that? We've normalized the politicians' lie so much that nobody cares.

Speaker 1: Yeah. An expectation of lying has increased, which is to say an expectation of a thing we don't like and feels bad has increased. Right.

Speaker 2: And if if in our in our current window, we're currently accepting of people lying to us who we've elected to lead us. You're telling me that in, like, five years, you're gonna care if, like, some junior marketing coordinator literally is just a meat sack guided by a one ninety I q l l m?

Speaker 1: I'm assuming they're googling stuff now. I probably wouldn't care about that. I'd probably care if I was on a date and I thought I was talking to a person, and then I found out that they were just like a rebel. Be like, I don't even remember that. I was listening to a podcast. I'd be like, that I think that would bother me. I think that would bother me. If they told me upfront, I would almost be intrigued by it. If they're like, I'm actually really not here presently, I'm gonna just sorta say what it tells me to. I would if that was the video, I'm fascinated. I'm like, I'm watching this episode of Black Mirror. Hell, yeah. Strap in. Let's see how it goes. Totally. Totally. Oh, that's really funny.

Speaker 2: Oh, we should shoot a we should shoot a counter video, a counter commercial point that is just that.

Speaker 1: Yeah. For all of you to

Speaker 2: a date and you're like, I'm not here. I'm just gonna be repeating what an LM says to me, but, like, I think you're pretty.

Speaker 1: Yeah. You got the glasses on, and you got you're like so I don't know how to explain this to you. There's an Oilers game on tonight that I'm extremely emotionally invested in, but I didn't wanna cancel this date because it seemed rude. So I think I can do both. Tap me on the shoulder if I if it if it starts hallucinating. And they're like, if what starts hallucinating? And you're like, nothing. How are you? And then you just start parodying it. Like, you cheer every so often when they score a point. Oh, man. Oh, man. The torment nexus.

Speaker 2: The torment nexus.

Speaker 1: Anyway, is there anything else we should talk about this this fine episode?

Speaker 2: No. I think that's good.

Speaker 1: I think that probably puts a pin in it. Yeah. Four Chan hacked.

Speaker 2: Cluelly your systems. Your libraries

Speaker 1: are upgraded. Truly.

Speaker 2: Track down CVEs. The CVE group, got refunded, which is good. There was a small little blip that they were gonna be or they had lost their funding and that they were no longer gonna provide the service they provide, and that would have been terrible. So that is, I think, bypassed. So we don't have to worry about that dark future where people aren't tracking vulnerabilities. That's Yeah. But I think other than that, I think we're good. I think it was a good

Speaker 1: Fascinating one.

Speaker 2: Yeah. I

Speaker 1: hope people were tolerant of us going on that tangent because I that was a that was a that was a fun one to discuss, Mhmm. In this episode. In fact, brought to you by Push Security. Check them out, pushsecurity.com. Otherwise, I think we'll catch you in the next one, friends. Take care.