
Hotline Hacked Vol. 6

2024/10/30

Hacked

Chapters

A caller shares a story about email spoofing in 2012, highlighting the vulnerability of open relay SMTP servers and the surprising lack of awareness among some tech support staff.
  • Open relay SMTP servers allowed for easy email spoofing.
  • Tech support staff were sometimes unaware of email spoofing.
  • ISPs left SMTP servers open despite the risk of spam.


Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack or computer confession after the beep.

Hello, fellow Canadians, love the show. Funny story about email spoofing. Having grown up in the early days of email, hacking on open relay SMTP servers was great fun, freaking your friends out by sending them emails from someone famous or from each other.

Fast forward to around two thousand twelve, I'm at work and get a call from my wife saying our internet stopped working. We used a cable internet service provider at the time, gave her the usual fix, power cycle modem and then router, but to no avail. When I got home that night, I confirmed that something external was blocking our internet, so I call the ISP and explain the situation.

The young support tech advised me that my wife's email address was sending thousands and thousands of spam email messages, and so they blocked our internet in an attempt to stop it. At the time, my wife had a very basic email address, first name at ISP dot com, so was often being spoofed by spammers, and thus this did not surprise me at all.

I had previously investigated the ISP's SMTP servers and knew they were open relay servers and had actually reported it to them. But of course, they hadn't done anything about it. Anyway, I explain this to the tech support dude.

And he had never heard of email spoofing and really didn't believe me that anyone could do this. So I decided to educate him. I asked him first to restore my internet service, and then I could prove to him that this type of spoofing was possible.

He did. And then I asked him for any email address of someone he knows and his own email address, and that I could pretty much instantly email from one to the other. He complied, being anxious to see if my claim was true.

And I opened a telnet session to port twenty five on the ISP's MX. And about thirty seconds later he received the email. He was completely floored, excited even, and desperately wanted to know how I did it.

Although I didn't give him all the details, I said just Google SMTP and telnet. He was quite astounded and thankful. So I ended the call by saying, don't ever cut our internet service again. What's even funnier, or perhaps scary, is that a year or so later, I checked, and those same SMTP services were still open relay servers. No doubt they can still be found out there even today. Cheers.

Cheers.

Cheers. Gotta love the AI voice. Welcome back to Hotline Hacked.

It's a call-in show where you can share a strange tale of technology, true hack or computer confession. Um, we always appreciate your calls. This is a fun one to kick it off with.

Well, this one kicks off this episode, similar to the first episode of the Hacked podcast ever. We are talking about open relay SMTP servers back in the day.

And email spoofing, that's totally through.

Yeah.

This is a throwback. Uh, and this was sent twenty, eighteen, twelve. So this, uh, IT support, tech support man couldn't even learn of it from even some of the earliest episodes of Hacked.

Uh, before the big brick. For anyone that doesn't know, not that I don't. What's SMTP services? What does that mean for them to be open? And what exactly happened here?

I would refer you to episode one of this podcast. But SMTP, Simple Mail Transfer Protocol, is the way that email moves between servers. So like when I build an email in like my Outlook client, let's pretend that I use Outlook.

And I hit send, it literally creates a socket to port twenty five, if unencrypted. Now most of them are encrypted, but passes the email information over to the server, which then in the background looks up what the receiving server needs to be, makes the connection and delivers it for you. Since twenty twelve, there has been, let's just call it a million updates to the security of this. It's considerably less common these days than it used to be, that's for sure.

Especially with Google now banning so many different, now adding so many more restrictions, authenticating, verifying email senders to make sure that this stuff doesn't happen. Because back in the day, it used to run rampant. Like I remember doing a case study in university, in like the early two thousands, mid two thousands, about the cost of spam. Because the lost time, the data usage, all the rest of it was massive.

So spam is kind of a thing of the past. They still get added to mailing lists, probably from data brokers, which is a great transition to the sponsor of the show. DeleteMe.

Talk about delete.

Talking about DeleteMe, DeleteMe has come aboard. They love the Hotline Hacked concept and they wanted to sponsor. So DeleteMe offers the service that kind of can cleanse your information from the data brokers of the internet, the bad, the bad personal information sellers.

But we will talk about that in a bit. But as long as your email exists in some of the data broker things, it seems like I get signed up for mailing lists that I have no idea about pretty much constantly. So let's hope DeleteMe does its job and I get removed from a ton of those things. But back to the story.

Back to the story. So this guy's wife, it's twenty twelve. The internet goes down.

It's not working. Calls up tech support at the ISP, and gets explained to him his wife's email is sending thousands of spam emails and apparently had a very, very good, very old email, first name at domain dot com, which, as like an appreciator of really, really good usernames, kudos out to her. But it's clear that someone is spoofing this email.

Someone is sending emails even though they don't control the actual email address. And tech support had never heard of this, which I find surprising. I feel like by twenty twelve, if you're in tech support, especially in an ISP, you might have bumped into this. Is that a bad assumption I'm carrying around? Yeah, a bit.

I think the difference between like a customer service tech support person and the technical infrastructure side, are very different people. Um, often tech support people have scripts and know accept or not. I wouldn't say that they're like infrastructure-grade IT staff. Got it they off. Good point. Yeah, but the fact that you're running an ISP in twenty twelve and you don't know, and it's not closed, your SMTP services are open relay and have no controls on them is wild, um, especially because you're paying for the throughput of all the data for all the spammers using your mail server to send the emails, which is also wild. So just bad business.

You were work. Yeah, sure. And a year later, I think the call ends with the caller saying that the servers were still open, probably not anymore, but surely after they hadn't shut it down.

Especially the way the call ends. Yeah, yeah. That's again probably just an internal disconnect between the IT staff, the actual infrastructure staff and the tech support people. So he probably unlocked the person's account and thought it was neat, did bits of research on their own and never reported it to the infrastructure team for fixing.

Or maybe they did and the infrastructure team decided not to fix that because it'd create more headaches for the user base than they'd have to deal with, because I'm sure a lot of them didn't set up their mail clients properly. And if you have hundreds of thousands of people that use it, then do you really want to upset the apple cart that much? So, um, anyway.

I remember back in that first episode, and I summed up a couple notes here, but the story I think that we kick off one of those earliest episodes about talking about email spoofing takes place in twenty thirteen, if I've got the right story here, is funny because it was after this and it concerned a Swedish company.

Someone sent a blast to a bunch of news agencies that the Swedish company called Fingerprint Cards was going to be purchased by Samsung and it caused the, uh, price of the company's stock to surge by like fifty percent. It was one of these first instances of email spoofing being used in kind of a fraudulent social engineering type scam. And it's funny that it happened after this. So the idea that maybe someone at the company wouldn't have heard of email spoofing makes a lot more sense to me because it hadn't broken out yet.

It was the thing you could do if these things were open, but it wasn't, I think, that a lot of people maybe knew about. So that makes more sense to me.

It's like the being somebody that was, you know, in that space. It was something that I'd known about since, you know, the early nineties, you know, I'd been mucking about with that. So like I remember when you and I had the first conversation on the first episode of Hacked, and I can't remember the year, but I remember it kind of blew your mind a bit.

And it's like, it used to be like a common tool in the toolbox. You know, it was pretty easy to send fake emails. I still get a lot of them now, and there's a lot of people now that spend more time obfuscating emails to look like it's coming from you.

Like our accounts payable department at the company gets emails from me all the time to pay invoices that I have no knowledge of from a person whose email looks just about the same as mine and has the same email structure as me. And spammers will spam and gen will come on and, you know, grifters will grift. So such is life creep.

bon creep, ban on to the next one.

Jordan and Scott, my name is Dana and I discovered what I thought was a vulnerability in Apple back in twenty twenty. I reported it to them. They said this is not a vulnerability, so I'm sharing with you all, um, and I'm curious as to your take on it. Um, in twenty twenty, uh, during COVID, a coworker and I discovered that you can put a period in front of a username at the new user setup screen.

You take, if you were to take a brand new Mac out of the box and go through the setup process, you could create a user beginning with a period, and if you created that user beginning with a period, that user would be hidden from System Preferences. That would also be hidden from even the dscl command line utility in macOS or OS X and even going back even further, um, and you would not be able to see this user in your user list on this device. The concern is that if you coupled this with, by setting this up, this hidden user on a brand new computer out of the box, brand new Mac out of the box, then you load your malicious software on there. By the way, you would have to change the UID of the user because you'll get a collision on the next user you create, it doesn't iterate properly. Um, so I think it's like five o one.

Then you would change that user from five o one to like five ninety nine or something. And you load malicious software on that computer. You can then reboot the computer into a single user mode or recovery mode, whatever.

Get to the terminal, remove the Apple setup done file, and when that computer is rebooted, the next time that computer will look like it's brand new out of the box. Then that new user, they could set up the computer exactly how they want. They could enable disk encryption, any of the security features, security profiles, anything like that, post attack. And because this attack could happen in the supply chain, this computer could be compromised anywhere between leaving the factory and arriving at a person's doorstep, could be sealed.

You know, you can reseal, um, a box, whatever, an Apple box and make it look like brand new, delivered to your CEO with malicious software on it. That was not a good idea, but I'm just saying that's what a malicious person would think. Um, I'm curious of your thoughts on this.

Uh, sure seems like Apple would want to fix this, and it's funny that they say it's not a vulnerability when they have indeed corrected this in the latest iteration of macOS. But my concern is that for more than twenty years Apple has ignored fixing this problem. And there could be devices out there with these dot hidden accounts on them out in the wild.

I'm not sure of that. I am able to get enough information to discover that. But i'm curious as to your thoughts, what do you think about this? You think this is a vulnerability or not?

What do you think, Jordan?

Deliver it to your CEO? It's not a good idea, but you could do it. Um, you could really hear a person reaching the end of a thought of what could be done with this potential vulnerability we're hearing about. Um, if this vulnerability is true, and we haven't purchased Macs from this period of time and gone through the process of testing this, for full disclosure, um, that's a pretty bad vulnerability if that was lurking around in macOS for a couple years, if not decades. What do you think, Scott?

I think yes, it is a vulnerability and it was right of you to report it and it was right of them to fix it even though they claim it wasn't a vulnerability. Yes, crazy to think, like it's crazy to think about what you could do with that. Like IT staff generally have an elevated level of transparency into organizations.

You know, you can often see emails. You can go through stuff. So like delivering to a CEO, to me, is not the big one.

The bigger scare to me would be like reselling a laptop, reselling a Mac, like that happens all the time. And imagine you got it. It looked like it was fresh and cleaned and reset. And you set that up yourself and boom, there is a back door or entrance into it pre-set up by the previous owner. In organizations that have like a firewall between departments and things like that, like mergers and acquisitions.

When I love to talk about because a place and reporting, as we did the last story, artificial information about a company to manipulate a stock price, having eyes into details that you're not supposed to would be, could be very lucrative. So there'd be tons of attack potentials for this. Wild that it existed, you know, and the origins of it, I don't fully understand, like dot at the beginning of a folder and stuff is like an old Unix, I was gonna. Yeah.

So why might not be relevant? Yeah. So any folders and things that start with a period become invisible. So they're like hidden files and hidden folders. That's like an old Unix command, or like an old Unix structure. So applying it to users, you know, this is funny.

Like the thirty some years that I've been a Unix user, I've never actually tried this, so kudos to you for trying. And I wonder if it applies to other Unix systems, would be my question, and not just Apple, because chances are when they adopted the BSD kernel in the original OS X, they probably adopted a lot of those Unix structures and that vulnerability. So it might be in other Unix servers. So like when you're talking about if I hack into a Unix server, I could set myself up an account that's essentially completely hidden unless you really go looking for it, which would be kind of crazy, to leave yourself a beautiful back door that is just a full admin root access user.

Yeah, when the CEO and I think the larger premise of delivering this to someone in the workplace came up, I do think about how many people are working every day on the laptop that was set up by an IT person at the company who set it up to whatever the company standards for security are, delivered it. That end user, the employee, might not have admin access to their own computer and that's for security reasons and there's persons of that.

But I fully understand it. It doesn't strike me as where a vulnerability like this would be relevant, because your computer might also be vulnerable in that situation. It might already have, uh, monitoring software. Like you are not in control of that computer and you shouldn't assume you are. Um, someone buying a used computer is where this comes up, because I can imagine cracking open a and it sure looking like it's been factory reset, uh, but it hasn't, which is a good reminder that if you ever buy a used computer and it looks like it's been factory reset, you should factory reset it again just to be safe.

Um, so they set up a new user, they put a period at the beginning of the name. Apparently in Unix this is a, not shorthand is the wrong word, but this is a way to render something invisible, thus creating one of these hidden users. You then go through a little bit of a process of removing the Apple setup done files after you would have loaded whatever malicious software you want, change the UID to get the computer looking brand new, even though this hidden user with the malicious software is still lurking in the background.

And they can then go do whatever it is they want to do to lock down the computer. It won't matter, because through this supply chain attack, you've kind of gotten under the hood already. Is that an accurate summary of what this caller is describing?

Yeah, yeah. The supply chain attack piece is really interesting. Like to me, that like internal IT supply chain, you know, they kind of already usually have superuser access and access to a lot of confidential information. You know, they're trusted employees. Like there would be a potential there for, I don't know, I don't want to theorize like cyberstalking and stuff like that, but like you would have the ability, like that would grant like a much more personalized attack to be able to go into someone's computer personally.

But at the same time, it's like the idea that, yeah, like the inner supply chain outside of IT, like this could be something that happens. Like, you know, we're in a world now with nation state, you know, wars, hacking wars, cybersecurity wars, and we're seeing nations put themselves into supply chains for all kinds of things, like pagers being one of them of note. So it's like the ability to distribute an entire bulk of IT hardware that has a perfect open back door in it with ease, because like I think in a lot of other major supply chain attacks, it's much more nefarious and much more refined in the sense that like maybe it's a small piece of malware, it's living inside of another app. It's harder to detect, where this is just a full back door account.

So yeah, it's definitely a vulnerability. Obviously, they fixed it for a reason. So I say kudos to you for identifying and sending it in. Not sure why they said it wasn't a vulnerability. Maybe that's just a legal liability case.

But I was going to get to that next, that this feels like a tech support and someone called the lawyers collab where we can deny that this is the case. Assuming this is all true, we can't deny that this is going on because you can go verify that this is a thing that you can do. But we do have to say it's not a vulnerability because we haven't fixed it yet.

And we don't want an email thread where we admit to there being a very, very dire function, no, very, very dire vulnerability in macOS. So we arrive at this weird liminal in-between state where, yes, this thing that looks conspicuously like a vulnerability is in the computer, but you'd be mistaken for thinking it's a vulnerability, more like a fun trap door in the bottom of the greenhouse. It's like it's a cool way of talking

about, we didn't fully know that it existed, but we're not surprised that it exists. And we're not mad at it, but we'll fix it the worry like.

Hey, you have hit on the bottom of your shoe. Be like, no, no, that's how this shoe came.

Yeah, anyway, if you have an interesting tale you'd like to share with us, please let us know at hotlinehacked.com. There's a phone number that you can dial and leave us a voicemail. You can send us an email with the text.

You can send us an email with an audio recording. If you want to obfuscate your voice, please do so. If you send us an email, we will use, as you heard in the first one, some mediocre AI to convert it to audio. So, and as you're about to hear, we've done it again.

I think you just threw some shade, because that first one, they used AI. Oh, this one, we can say that we are using mediocre AI to do it. I personally think the AI in the first one was

fantastic guy, how I am really yes, yes. Let's hear how our mediocre AI compares. This was sent in by a German user. So we've used a German English boy solutes. We're in for a real treat to see how good the AI is here.

That's the commitment to quality you get when you send in a story to Hotline Hacked. We're going to try our best to find the AI we think matches your spirit, your energy as close as we can.

I used to study CS at a German university and landed a job at a chair of one of the professors. We did some research project work mainly, but you also had to do some administrative stuff, like updating schedules, updating lecture files, etc.

For the purpose of the administrative things, we got API access to our university system, where you could upload files via an API endpoint, for example, or upload the grades of an exam to the central server. However, it being Germany, the API was very old, so you had no identifying authentication in place.

All we got was a generic API token, which was basically the same for every user for the whole semester. So as probably every university student had the same experience with deadlines, I had to submit a project for a subject, had nothing to do with the chair I worked at. And of course, I was way too late.

And would've had to work a night shift to get it done by the deadline. Instead of getting on my ass and working, I, of course, thought about how getting more time to finish it and got the brilliant idea to just DDoS the central server where I would have to submit my project to via the API access I had.

Didn't think about any possible consequences and just started crafting huge files, set up a small script that would send the files repeatedly and hope for the server to crash. Even though I studied CS, it was still pretty early in my studies, and I had no idea about DoSing and other hacking things. So it was just trial and error.

It took several hours to get the script to work and submit a good chunk of files. But then out of nowhere, the connection errored out and the server was down. And I had an excuse to not submit the project.

By that time, it was pretty late at night as well, so might have also finished the project in the first place. Lol, but yeah, that's my story. Brought the server to its knees with the night shift instead of working on the project, never got called, got a few more days to finish the project successfully, and lived happily ever after.

I .

love that.

I should say they, I love that they've themselves identified that they could have just spent the time getting the project done. But instead they decided to learn how to DoS the server.

Yep, that's kind of the thing about a lot of cheating, isn't it? More often than not, to cheat really, really good, that top-drawer, S-tier cheating is normally more work than just doing the thing that you're cheating at.

Yeah, yeah, yeah, yeah. I don't know what to say.

So they got, they're doing some admin work at the university, and to do that admin work, they needed API access, which gives you access to these servers to be able to do things like upload grades. I sure thought that's where this was going, that they got access to upload grades.

And were like, A plus, A plus, whatever German for A plus is. Not what happened. Everyone gets issued this generic API token. Uh, so it's pretty anonymous.

I guess is maybe what I can intuit from that part of it, which is what enables what's about to happen. Uh, meanwhile, this person with this generic API token access to this university service has an urgent subject.

They would need to upload it to the server. Instead of doing the hard work of doing the assignment, they got the idea to spend the entire night DDoSing the server to have, and this is the part that took me a second to get, in order to have an excuse as to why they didn't submit the assignment. Correct, correct.

The API key that went out, um, it appeared that they gave everybody the same key. So instead of a key linked to you, they gave it to everybody. So the idea of being able to identify based on the API who was uploading all this garbage that causes the server to crash, they couldn't do.

They probably could have done it through network logs and figured out IP addresses and things like that, cross-referenced those IP addresses to previous logins and things like that. Like it shouldn't have been hard to track down who did this, is what I'm saying. Ah they go sounds like they got away with it, which is good for them. I think

the real .

lesson here .

is sometimes you just need to do the work.

I don't know that that's the lesson from this. That seems like it went off without a hitch. There is that lesson. It's a good lesson. It's not present in this story.

You're not wrong. The thing for me on this one is, I guess this is part of their tech journey. You know, they figured out something. They figured out, like they wrote a script to generate garbage files full of probably random information, just, you know, and just started uploading those in bulk. Whether they filled up the hard drive, whether they actually crashed out the network, who knows? But they managed to DDoS or disconnect the server.

I wouldn't call it a DDoS because that wasn't distributed. It would just be denial of service, just a regular DoS, but they managed to get away with it. To me, I think the lesson that I would take away with it is maybe I should spend the time on the assignment, because I also went through CS and one of the assignments were particularly lengthy unless we're talking like an advanced, you know, massive project in the fourth year. But most of the smaller things were just a few hours here and there. And if you're going to spend an evening or an all-nighter, sure, learning how to crash a server, he is spending it not enough assignment, get it upload. He sets my way to look at life.

That's certainly true. However.

I would say .

then you wouldn't be doing a massive solid to all of the other students in that class that didn't get the assignment done, because not only did you generate an excuse for you, you created an excuse that is sort of applied unilaterally to everybody. You cheated for the whole class, and that's puncher.

You're not wrong, that I

might be.

I might be wrong. The thing is that there was probably a bunch of other kids who were staying up all night actually working on the assignment that went to upload it in the morning. I'm one of those nerds and thanks.

I was one of those nerds too.

But yeah, I guess that for all of the other students that were just gonna completely whiff on it and not submit anything, yeah, for sure, for sure.

Yeah, he's like, he's the Robin Hood of poor time management.

Yes, like I've managed to do things like this on accident before. Like, yeah, not even joking. Yeah, yeah, yeah. Like the ability to generate information or spawn infinite processes in Unix.

Like I once wrote a script, like just a bash shell script inside of Unix that called itself at one of the forks, and I managed to spawn an infinite amount of these, this process that was calling itself. And there's very little control if you have admin access and boom, the server's down. Like I've accidentally crashed production servers with just like a small misstep before. So it's a

terrifying chain reaction, a sort of chernoff gray .

goo ah now about .

seating everything moment where the computer starts to steam. Exactly.

So it's easier than you think to crash a basic server. So easier than you want sometimes. So.

But did you use it for good? This caller should, did we appreciate getting too bird about it? Why don't we? Okay, we have one more after. This is a long one, which makes this about as good a time as any to talk about our dear, dear sponsor of Hotline Hacked. DeleteMe.

DeleteMe. We've rarely mention them in talking about the vulnerabilities that exist with our information being inside of data brokers on the internet. And here they are, and here they are.

DeleteMe and DeleteMe. You know, if you ever wondered just how much of your personal information is on the internet for anyone to buy or see. It's more than you think.

You know, your name, your contact info, your social, your addresses and information about your family members. And this is all compiled and sold to whoever wants to buy it. And we all kind of turn a blind eye, except DeleteMe. Anyone on the web can buy your details. It leads to identity theft, phishing attacks, harassment, spam calls, spam emails, which is how I was mentioning it earlier. But now you can protect yourself with DeleteMe.

As people who exist on the internet, as we all do, especially someone who shares their opinions about stuff, we've got to be pretty aware of our safety, security on the internet. It is regrettably very, very easy to find personal information about people online.

It's just all hanging out there. People are buying it and selling it. There is an entire economy of it, and that's why we choose to use DeleteMe.

DeleteMe is a subscription service that removes your personal info from hundreds of different data brokers. If you sign up, you provide DeleteMe with exactly what information you want deleted. And their experts take it

from there. The regular personalized privacy report showing what they found, where they found it and what they removed. And as such, as the one time thing, it's always kind of running, constantly monitoring and removing that information as it goes. So to put it simply, DeleteMe does all the hard work of wiping you, and notably your family's personal information from

data broker websites. Take control of your data. Keep your private life private. Sign up for DeleteMe. Now we've got a special discount for Hacked listeners, so you can get twenty percent off your DeleteMe plan when you go to joindeleteme.com/hacked and use the promo code word hacked at checkout. The only way to get twenty percent off is to go to joindeleteme.com/hacked

and enter code word hacked at checkout. That's joindeleteme.com/hacked, code hacked at checkout.

Check. Okay, before we get into this one, it's a little bit longer. Ah, we actually don't know quite where it goes. We know we want to give it a listen, we don't know where this roller coaster ride is taking us, just wanted to give you a little bit of a heads up.

Yeah, we got this one. It's so long that we listened to the first minute each and decided that it's probably good, but we didn't want to ruin our hot takes. So we didn't listen to the entire thing. So here we go. Join us on this ride.

Guys will be procter love, the Hotline Hacked stuff. I'm excited to share the story with you, excited and nervous at the same time. So I'm

also excited and nervous. So i'm with you on this ride that .

makes three of us .

Story takes place back, and let's see, Back Orifice was released in August of ninety eight. Back Orifice.

One of the original kind of malware, like a computer control, remote controls for computers. This is like an old Cult of the Dead Cow thing, came out in the nineties, which I think he just referenced. Just to say, you know, that's what he's talking about when he mentions Back Orifice.

back or office B, O.

B, O, B, O, from all to the dead cow, C, D, C.

the dorm I was staying at during that time. So this was either in a fall fifty or the spring of nineteen ninety nine, but only give you just a little bit of backy row quick. So I started going to college in like one thousand ninety six.

I didn't know anything about computers at all. Um what is in I do you want to play some games and network? We do know how IPv4 work, you know isn't so we I love .

that he's talking about how he did know computers at all back then and then starts referencing internet protocols based on versions. So I'm assuming his, I'm assuming those skills have escalated since. Now I am gonna .

bet that by the end of this story, he will have revealed himself to have known something about how computers worked back then. I might be wrong about that. We'll find out together .

t cards to be hooked up with coax cable. And we use the IPX/SPX protocol. And my things just work so we could play games, kind of like how we get started into computers just through video games.

Didn't we all? I also used, I used to have LAN parties where we used coax networks because they were super easy to spin up and take down. So I did the same .

thing is a game show .

hacking gotten?

Yes.

It is, tell us, was like moto G P anyways. So wasn't going to class at all. We were just literally just hacking on self to learning how computers worked and know eventually, obviously figure how IPv4 work.

And so through the next couple years, you we advanced from Windows 95, Windows NT, at one point we were running like Win 2000 beta. I think at the time we did this, you know, on floppy disks, everything was dial up, had no fast internet anywhere, and MP3 had kind of just hit the scene. So of course, being rolled kids, we ripped all of our CDs into MP3s, and then sold our CDs back to the in reale shops so can get some cash. And encoding backdoor was like, you know, hundred percent CPU max out like, don't touch your mouse because you're going to like a skip in the song when you encode really .

socked at this is, I remember all of this. This is really good. This is a trip into the past for me here.

This is just starting to bump into my actual experience with jackie ship, with computers, which was very like early two thousands, music piracy, and the sketchiest MP3s you've ever seen in your life. Seeing the dawn of my era here in the story. And I like it, right?

I got to say I never went as far as to rip all my CDs and resell them. Brilliant move right there. I just used, I allegedly just used to ray piracy and downsides that I didn't buy.

So yeah, what specifically what he did was buy a CD, rip it, and then just return it to the store, which is like a one kind of piracy. It was pre, you know, Kazaa, LimeWire, Morpheus, Napster. But post the popularization of CDs, this is like this tiny, little window of time.

If we have, like, I think we had Pentium two hundred or something, roughly, right? Roman it was was a lot pending. Two two hour, just kind of set the stage. I like cordwood spaces, know fifty, sixteen modems and things like that. So yeah, so anyway, so MP3, like, you know, I had my collection, I can have his collection.

And like you try to like steal each other's MP3s, like when you weren't looking, you know, if you go to the class and I will try to get in his machine. You know, like I knew some of those passwords, you need some in them. Then we start to getting better, like, you know, better passwords and things like that.

And then you know, all we ended up kind, you know, learning about file sharing. All this. We can ended up learning how to secure our stuff, and no can come to one night I had, for whatever reason, I had taken up, like my new work diggs, and put them on. So so I was kind of like, and so like, is no one wake up my snowboard goggles on is .

he say they use snowboard goggles as a sleep mask .

I or see I read that is like a pre like whatever I would go to hacking prior to the popularization of the hood as the sort of iconic to uniform got stuff backing, I was sort of pop on some snowboard goggles and I just get my hack on. He wore them as a sleep mask. Actually don't know which one of those is weird. I like both you .

know I got his PC like the case was off, you know and all myself as IDE and has he was he had a little boring than I did. So here like SCSI Ultra Wide. And so I'm like I've got is like an Adaptec you know 3940 SCSI Ultra Wide card like I've got that out and I'm like in the midst taking artist because he drives to to but I wasn't very .

technical skilled. But here I am disassembling the computer pulling out SCSI cards. The SCSI was a better hard drive, like a connectivity, like was the right word to look for her a way that the computer talks to the hard drives.

So IDE was one. And SCSI is a different one. SCSI was a better one. Often used in enterprise grade stuff, servers, things like that, where IDE was more of just like the classic when you see the classic hard drive and the classic connector, that's what IDE was.

So just different ways of connecting the hard drives in different throughputs and things like that. So his buddy had better hard drives and better connections that his computer wasn't capable of. So he's removing the SCSI interface from his friend's computer to install it in his so that he can steal his music.

I love that. I love the journey that we're going on here. It's like we started just as like playing games in our dorm rooms and now we're like literally tearing each other's computers apart to steal each other's music.

And we're less than a quarter of the way into this autism. I have a feeling skies, you recurrent felonies by the end, this rules also the level of detail like I was, I don't know, Adaptec 3940.

Yeah.

Yeah. This was twenty five years ago. That's remarkable, even extremely good memory.

Also, thanks for clarifying SCSI because I assumed that he was just shit talking the other guy's gear, like guy. They don't know that that's a protein or a interact like it's bad. Yeah not better scope.

It was an interface and a better interface than the one that he had. So he wasn't shit talking his friend's computer. He was being like, my friend was rich and had expensive shit, and I was mad about it. So.

you know, he wakes up because I do. what? What the fuck you could do, what I do so, you know, told, posted.

K, this is hard to that.

Keys keeps up to an hour.

So he just has snowboard goggles on. He's ripping his friend's computer apart and then his friend wakes up and it's like, what the fuck are you doing? I think I would say the same if I work out this .

confirms my theory that this wasn't indeed his hacking uniform. When you wake up this this like gramma in unscrewing your computer and you're like, Ricky, get out of my room again.

So we can happen. We'd called the truth right, like truth other stuff more. Let's get together.

You know, go about this a different way. So you back there was no LimeWire. Are partier Napster like not of that existence? So the only means of getting MP3s or either no borrowing CDs for people grim and give them back or um here on the internet so we would find open FTP sites and that's that's kind how this really did.

I feel like we're about to go on a journey into something that was called warez, which was what stolen software used to be called. That's my gut read here, is that we're about to enter a massive tale about stealing and distributing software. So we'll see if I'm right.

Put on our goggles and find .

out and then Back Orifice comes out and this this is right. So Back Orifice for those who don't know is a RAT, a remote access trojan I guess you'd call it, but at the time, who just a really cool thing to play with, right? So we had it. We had it installed on all the lab computers like or was like fifteen and twenty computers other well is into felonies .

at four minutes and eighteen seconds of a fifty minute story. So you know, let's see where this goes.

We had it installed and all down there and it wasn't really for anything nefarious, that was actually to run distributed.net clients, which back in the day distributed.net, that was basically, but maybe still, I don't know. Um it was a thing that you would use to try and crack encryption just to prove that the encryption already and could be crack. And so you downloaded a little slice of a thing and and work on it.

And you work on these chunks very similar to like bitcoin pool mining, whether kind of works on a lot. And then you you can work together. That's what that's what.

So I had, I had this client installed on all the computers that was just kind of running in that way. I was kind of, rick, getting credit like by using name for like obvious jumps that I was completely no it was was cool. And then, you know, there was like a faster internet connection on this.

So like a lot of people go on there and just, you know very for whatever and so what are are like dorm roommates would like good on there. They've well, they could chatting to like girls, you know. So like everybody came back up, I just talked with this check and like, yeah, we heard long down forty two, he's like to, how do you know how to give so that was kind of, you know, this was fun, know, we were open calls to see arms and produce, to put stuff that free people. But then you are like, how how do we get this out to other people like how what's the we're gonna .

ask skate these guys voice .

I think you might be right. You please continue. I am so curious.

That's the look back to the sort of the MP3 thing, whole things going to get. So on these FTP sites, a one of them were set of best ratio.

So like you would, I got one to tensions, you would upload one meg, and that you would be able to download ten megs and their idea there is to share, you know, to p, upload song, and then you can download songs, right? And uploading was super painful, because one dial up in its sut and really might be really cool. There was me around this.

Well, that was kind of the spark for this idea is really like, hey, we are going to release this Back Orifice as tool, and we're going to call it CuteFTP ratio cracker because CuteFTP was the client. That kind of a lot of people used to back then were to call CuteFTP ratio cracker people going to download this. And they're all right, because people idiots.

And really like back then, like downloading executables was something you do like all the time, like everybody was running, like the copies of now loading you serial number generators, cracks, things like you disabled anything was like the at west, right? So here's here's what we did. So Back Orifice has a couple plugins, two we used, one is called Silk Rope.

And I I remember in this word, but to the best of my my memory here here's what it was. So, Silk Rope, what's you embedding one executable into another? And so we took the Back Orifice executable, and we embedded it into this other EXE, which all that was it was it was just the next couple that had no idea.

So was clear. And when you when you run it it just do this off as it I was. I even know if I could find something like that today, but I was I don't know how we found it back that.

But so we please use the program, it would install Back Orifice and then they would just delete like the original executable. So you got that and you didn't really you went it just look like nothing happened and it, we've got one, you know like what the holes that like that that was heard, but whatever you can go about your business. And so that's that we did. And the other plugin used was Butt Trumpet.

yep, yep.

Butt Trumpet would make .

it so that when my computer got infected, it would send, Back Orifice would send an email to an email address of your choice with some bits of information. I think that was, I think I had a little customizable teles you could say like here's the IP address whatever was and so we had to send emails to any email address that is it is really unbelievable in today's day age um but because they in much prompt, I just really like know this is really I have no way to verify this claim that was we have done all drop at apple is yahoo dot com and might hot, but pico is yahoo. And I I know like I said, it's completely unbelievable. And I still know the passage we use because I was a password, but I ve and I know that I want to be disabled problem years ago. But if there was some way to verify, I could tell you the best of the .

surprising count. And I was still receiving email updates old as computers that hadn't been updated, that were still running this RAT Donald trumpet.

yahoo dot com.

And then we started uploading this combined in the Silk Rope. We upload this thing to all the FTP sites. We can find all these ratio sites. And then we just sat back and and waited and it wasn't very long. I mean, I was like, what the day that we started getting emails, I was like, you know, tens of emails, hundreds of emails. Like by the end of the week, I was like, we were getting like a thousand a day and I was like, holy shit, like gold mine and so only started you pondering people's devices like .

We're deep in felony territory right now.

Yeah so what?

Like a distributed trojan attack at taking over a control of thousands of pcs on the internet and then plunging them was at the term y this year.

I am so curious to find out what dear caller means by plunging.

We have six more minutes when i'm sure we'll .

learn .

the details plan on body from like U C, O, A, I had no time. Like I store their background street like um you know they just have background with backup. He was always like you some party always like some Sports Illustrated swimsuit edition model you like lying on the beach, became you're whatever.

So like, I would steal that, make that my background. And that was like my trophy. I would steal people's backgrounds. And here, here's here's the guilt to really come.

And often times, so do you know people would have 3.2 gig hard drives, like he was pretty, we people have a C drive, and then they would have a second drive, like your D drive. And that's all, you know, all we are would be rack up. Is photoshop there still that?

Yeah no credit credits. Do you called that one a mile out?

You know I think if somebody's drive that your secondary drive was for, just like cracks and MP3s and, the serious stuff. I would, I would format the drive, so I would command prompt on the machine, and I would type format space D colon, space forward slash V colon loser and V is to set a volume name. And so if they opened up My Computer, they would see the C drive and then they would see the D drive and the D drive would say, loser and it would be empty because I just formatted it. So are you feel good?

Oh no.

I hope feel good about it .

either like.

oh, man is a .

hint of Robin Hood here because he's like deleting stolen software but there's also a hint of like just mass crime like .

trolling almost. I I keep coming back to the visual of the snowboarding goggles, just like formatting someone's drive and leaving the word loser behind. Pop a map of your hand going for a coffee.

It's not me. It's doing it. It's my alter ego. Ten, eighty snowboarders.

Hacker.

great. MIT, I got four minutes.

Let's find out is that .

it has been by twenty five years of guilt that I feel extremely remorse. But I really only did that for people who had lunch, a trash on the drive, like I do. I would do if they have school work on there, or like port documents, because I would seek. I didn't I didn't do anything, so makes me a little matter, but I still feel I still feel about it. So wow, public confession like .

we're got like yeah never haven't had a Hotline Hacked that's a public confession and apology. So and like I like .

seem like got a good heart on you like you did something that was a little a little bit anarchy, the shades of that to it, but you carried it around you. You realized you maybe shouting of and I think.

you know, yeah, totally appreciate thing is like this story is long enough and we're gone to such a journey to get to this part that I'm invested in the main character, proteges, iter, antec, anim and it.

Here's the thing is like it's good to see the moral evolution as you went from and like the truth be told like I remember those days, it was the actual quote and quote, wild west, like computers weren't set up and capable of dealing with, you know, hazards, people were trusting and did anything. It was so easy to put a trojan on a computer, to put a virus on a computer, to get access to information you were supposed that have crash servers for your email assignments. It was, yeah, that was.

It was the wild west, and I think a lot of us grew up in that time or a lot of us that did grow up in that time. Remember that, that was just like it was.

It's a sad part to say. But what am I trying to say here is I think we I think during that time, a lot of us did things we regret and we all grew from it. It's getting you're grown from your your story to you.

I think about how when I was I I think he younger than this caller was during this period of time when I was first, when I first got that computer that I had access to by myself and I was just allegedly an explosion of piracy in the basement of my childhood home. And then if the criteria for, yes, I can go ahead and muck with this person. And yes, I can go ahead and format their drive was the presence of pirated software and MP3s.

Boy, did I have a big flashing bullseye above my head that entire time. And I'm sure happy I wasn't. I didn't get into it back in the FTP.

I had had friends growing up. There were, I want to say, borderline addicted to collecting music, which is to me, like a more reasonable venture. But I had other friends that collected warez, which was stolen software, things like that, and didn't use any of it, just collected it like like a most hoarding, or squirrel hoarding nuts for the winter.

I remember a friend of minor to his name, but he had, back in the day, there was like CD binders that he would store, your CDs, oh, yes. And he had a CD burner, which was an expensive toy like SCSI hard drives that the rich kids had.

And he would have binders and binders full of, like every piece of software, every game, everything. And he would download it and then burn it to a disk and put it in his binder. And he discovered them. He never used anyway, just collected them anyway. That's a direction.

Let's there. There was one person who to I and it was like a once ever say, I like go to it and this kind of hit three guys. But it was, it was like a Canadian, a mom.

Pop travel place so they would do guided tours. Like, if you visit here, you go to the players and they will take you. Like, know, I did hiking tours and canoe trips and things like that as I can.

Like, these people have no idea that that they are just exposed, you know, actually want I, I like, drove to a payphone somewhere and and I called international, which I ever called international before, and I was like, hey, you call them what to know? My once was compromised, an early ke. Do what you talk about and I might just, trust me, have somebody technical go look at this.

Here's what they should look for her and I would, how about them was like, I felt like I did sort of beauty but I still, I felt, I felt guilty. You like now I was like, whatever, you know, something done. And I know, final look, the last part of the story really a the part of studies should enemy.

So unlike, you know, somebody's live another computer and I have, like, you could so much keystrokes. And I think that was like, Notepad, I don't know exactly how worked. I think know I could see like the you would see like misspelling of things, but I wouldn't correct their misspelling like a new pair.

Like if they hit backspace, it wouldn't like backspace, and Notepad would just give you like a back piece. You know, care what know it? Seeing what they are typing is kind of party. I kind of have to decide for what they're typing because I was kind of doubly but this person went to microsoft to back on and he searched for something.

And I don't I didn't know at the time what I was he was searching for, but I knew immediately effort because he want to give in front and he typed that's that and then he tied and I don't know where he tied us, so probably still make exact but he just typed knowing, you know, he's like, I know who you are, one five, one at one six seven x or whatever might know but I was it was my IP address and the first, the first two, you know what? That's whatever are tied to my school. And so like, you know for sure what what about you so he knew for sure who he could count and that I was like, I powered red on my PC.

I remember. This was a Friday. I like eight o'clock. We became ready to to go to parties, the parties to ten in the park.

When you're intellect, remember, freak out, getting through me drunk, just like bank. And just that was like, that was like the end of my hacking. That was that I was I was freaked out. And that really so straight and and the sour degrees into, I got into computer science at that point and became a web developer.

I was a developer for twenty years again to, and during that time I actually, and I was back into the scene, no five, twenty thousand magazine and go to now I'm in AppSec and hacking legally for money up. I work for company. And are you paid for to do what I really want to do? So kind of working force, recall. So are, are those people that I never drives, but you have probably had to coming anyway.

Great story.

You you truly earned every minute of that. That was fantastic. I like that the ending of it. I said earlier that you clearly had you're got a conscious ona and it would like you really appreciate that in a story like this, this sort of double beat right at the end of there is one person oni, connected to the Canadian mom and pop travel place.

They take you on guided tours, driving out to a payphone so that you can call them and tell them your computer, uh, network is compromised. Your web server is compromised. Who are you? Just, trust me. Have someone technical look at it is such a great little turn in that story, not before the final turn in story. However, when you were scared straight.

Yeah, you ran into somebody that knew that like the summer, that knew the footprint of Back Orifice, probably they knew. And and the thing is too is I remember back in the day to of of of doing the same thing like netstat-ing people, seeing what people work.

So netstat, you're looking at all the connections on your computer on the network, finding the one that's the anomaly and then there's even geolocation so you can take an IP address and essentially geolocate it at varying degrees of of specificity. So you can figure out essentially where someone is. And you can do this even nowadays, like in in certain games and stuff, for there's direct connections between games and clients.

You can still see the IP address of the people you're playing against. This is where DDoSing in games comes in suffix that, as you can figure out, other people that are around, use IP addresses and then DDoS them off the network are essentially killing their connection of the game, allowing you to beat them.

Whatever, whatever that goal is, is part of that the cheating matrix now in gaming. But I remember in the same thing, the ga and freaking people out, like when people would be talking smack on the internet stuff like a lot of forum posts save the IP address that things came from. And if you had access to those records, be at the database or whether they are embedded in the source, like the h ml series reforms and being able to geo people in being like, you know, house boston in these days and like know, just like in varying degrees of specificity.

So the person that they ran into clearly had that knowledge, knew how to look up where the connections were coming from and probably knew how to geolocate it. So not just you looking at the IP address and what organization is associated with, but also probably geolocate the IP. So they probably had a really good idea where you were. And yeah, a great, great story.

A really, really good story. I think about how often scammers you always see this moment when someone's trying to scam someone that they think is probably less technically literate than by saying you have no idea who I am I the scariest attack you've ever seen you texting with some, they're just making shit up, but they're trying to scare you. I think I know where you are.

I know your IP address. I can see that this just lies and that that is such a pale shadow of an imitation of this very real, very scary moment you had where you were the technically literate one. Who had gotten control of someone else's system and they very matter of factly typed to you out of the darkness, I know who you are and then your location, it's so good you couldn't script it better.

The it's funny too, because it's like this person's journey. I'd say it's probably very common in people that work in defensive security and AppSec and stuff like that where it's like you get the interest and you learn the skills point. Not a lot of people go into the the security sector blind and like with no knowledge like you're coming in with a with a catalogue in a toolbox that you developed somewhere.

And I would say most cases that was not developed doing good. So it's like the the fork in the road between the white hats and the black hats is this person was in the black hat camp and then started to feel remorse for their actions and ended up ended their career or ended up in a career of a white hat. And I think the same goes for a lot of people. The same happened to me. The same happened to probably a lot of a lot of people that you work with probably have a similar, similar journey, whether it's a severe as this one, you know mass distribution of remote access trojans and and you know mass gross data privacy violations, like definitely, definitely a severe tale and especially when the to also appreciate you taking the time, we really .

appreciate that that's the kind of calls we want to to worry your phrase that feel like the fork in the road led him to that payphone, it was his conscience. Let him to go. You know what I did, I did this and it was fun and it was interesting and got my snowboarding goggles on and I mucked with my friends.

And it's just sort of this naturally evolving process, but you sort of hit the the moral crux of it and it led you down that kind of white hat road. You are actually going to off the road entirely when that other person wrote that terrifying message to you and you like, I'm actually going to detour through a really license twenty year career in web development. Before I come back to this road, I am going down pursue a work as a white hat hacker.

This is a really, really good one. I appreciate you taking the time to record it as the detail was worth it. And um we love getting stuff like this so thank you again.

Anything else I think, that about puts a pin in it, if you got a story that you would like to share, some short and punchy, some like a real crime saga drama like that one, a kick it on over to hotlinehacked.com. You can send us an email with raw text. You can send us an email with an anonymized voice.

You can send your own voice. You can call into a real phone line that we have listed on the website, a myriad of options. All we want from you is your story.

We'd love to hear it, love to talk about it on the show. Take care, everybody. Catch you in the next one.