Hotline Hacked Vol. 10

2025/3/2
Hacked

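People
Roe
Host
A podcast host and content creator focused on electric vehicles and energy.
Hardware designer
Topics
Hardware designer: I'm a hardware designer who likes pranks. I saw a Reddit post about building a sarcasm keyboard that inverts the keyboard's shift key. I thought it was cool and decided to make one myself. I chose the Arduino Micro as the hardware platform because it has a native USB interface and can act as an HID device. I programmed it to wait 5 minutes after power-up and then toggle the Caps Lock key every 100 milliseconds, inserting random capital letters into my boss's emails. The next morning, my boss decided to buy a MacBook Pro because of the keyboard problem. I confessed the prank to him, and he found it funny. Host: This story is fun; it shows how simple hardware and software knowledge can be used to create an amusing prank. It also reflects that technical glitches sometimes lead to unexpected results. We also discussed similar devices, such as one built with a Raspberry Pi Pico, and how symbols in text can be used to denote sarcasm or irony. We also discussed how the SpongeBob SquarePants meme became a symbol for sarcasm, and the phenomenon of using capital letters to denote sarcasm in group chats.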

Chapters
An anonymous caller shares a story about a sarcasm keyboard prank on their boss, which led to unexpected consequences and a new MacBook purchase.
  • A Reddit post inspired the creation of a sarcasm keyboard device.
  • The prank involved using an Arduino Micro to toggle CapsLock randomly.
  • The prank led to the boss ordering a new MacBook Pro, thinking the laptop was faulty.

Transcript
Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession, after the beep. Hi guys, I love the show. Even though I'm not a programmer or a hacker, I'm a hardware designer that occasionally does some low-level C in Python. I also love a good prank. One day I saw a Reddit post about a guy creating a sarcasm keyboard. Basically a device that took the input from the keyboard and toggled shift for every character.

I thought it was the coolest thing ever. I just had to make one. Then I realized that this could also be a fantastic prank, and my target would be Bob, my boss. I couldn't modify his keyboard or plug something between the keyboard and the computer because of it being wireless. So I went to our box of development boards and found an Arduino Micro. This device features a microcontroller that has native USB that can act like a HID device.

I programmed it to delay for five minutes when it powers up, so that he could log in as usual. And then, when he's in the zone to bash out his passive-aggressive emails, CapsLock would start toggling every 100 milliseconds, shooting random caps into his text. I tested the device a couple of times and after Bob left for the day, I plugged the device into his docking station and hid it out of his sight.

The next morning, I came to the office a little bit early to make sure I would be there before Bob. He came in, sat down, and started his morning routine, but he didn't show up at the coffee machine as usual at 9, like we normally do. I went to his office with my coffee in my hand, like that character Bill Lumbergh in Office Space, and went, Hi, Bob, what's happening? He said, I have an issue.

I've tried several keyboards, but the caps lock is going crazy. I've googled it and everything points to faulty laptop. So I just ordered a MacBook Pro. I've thought about switching for a while and I've been putting it off too long. I wish I didn't, but I had to tell him about the prank. His only response was, "You fucking nerd." He did have a laugh though and thought it was the funniest and most cunning prank he'd ever witnessed. I still remain employed to this day and Bob is very happy with his MacBook.

Thanks for listening. Have an awesome day.

And you should know Hotline Hacked is brought to you by Push Security. They help companies stop identity attacks before they happen, and they do it all right where it starts in the browser. You're going to hear more about it later in the episode. I hear that phrase all the time from my wife. You fucking nerd. That one lands for me because it's personal.

You felt that one a little deeper than usual. Yeah, a little deeper. I love that this guy just stumbled on and made himself a USB rubber ducky. He's just like, wouldn't it be cool if I created a USB hardware device that just injected keystrokes? And it's like, yeah, that's...

That's a thing. That's a thing. Yeah. So I found the thing that he's talking about, which is a little box that someone named Ben S. developed. And it just – it's the exact same thing that you built. It uses a Raspberry Pi Pico, but it's the exact same basic idea. It just sits in between a keyboard and the computer and randomly caps locks to get the – so –

There's a thing called irony punctuation, which is an idea of like there could be a character to denote sarcasm or irony in text on the internet, which is notoriously hard to do. There's even a rule about this. It's called Poe's Law, which just talks about the difficulty of parsing sarcasm when it comes to extreme views on the internet when intent is so difficult to parse. Right.

Probably the most successful version of this, of trying to denote sarcasm, didn't come from any intentionally designed symbol. It came from a meme, I think, of SpongeBob SquarePants. Most people would be familiar with this meme.

And it's just the idea that if you're yelling sarcastically or loudly, just make the characters go up caps lock, not caps lock, caps lock, not caps lock. And that for some reason seems to just read as mockery. I think I need to implement that rule in my personal life because I troll quite a bit in group chats. And I think a lot of people take me at face value. Yeah. So especially with all the political stuff going on in Canada, um,

I have some very opinionated friends and it's fun just to devil's advocate troll them. And I think they might think I'm a terrible person now. Yeah. Maybe on that one would definitely crack open the irony punctuation so no one gets confused. It is useful. It's a pretty useful way to tell someone. Yeah. The mocking SpongeBob meme. That's what I was looking for. It comes from the episode, Little Yellow Book.

And it is. It's an image of him acting like a chicken, and he looks very, very silly. And it's a great way to make maybe, I guess, your boss Bob feel like he's a little bit silly at work. I love that poor Bob got pranked, but then out of it came his love affair with MacBook Pros and the Apple OS system, Mac OS system. Cool.

The one thing that I did like about this technically is that because he was using a wireless keyboard, he couldn't put something in the USB line. Like he couldn't put an interface between the keyboard and itself. So what he actually did was added a second keyboard. So he couldn't hold shift. Like he couldn't send a shift A or a shift S command in. So he just would throw caps locks and on and off randomly to get the same output.

I don't know, a little bit of like a hack to get around the fact that he wasn't on a cabled keyboard. But yeah, custom built himself an Arduino micro USB rubber ducky. And fun thing, fun prank. He's still gainfully employed. And I understand why. Like if I employed somebody who's like use their fun spare time to do things like this, I'd be like, yeah, cool. You're like technically competent and capable.

Good prank. Also gave the boss an excuse to get a new MacBook Pro. There's shades of that there. Totally, yeah. Where it's like, well, maybe you played a little prank on me. Maybe I rushed out the door to buy a new MacBook Pro a little bit quicker than I might have otherwise due to our company's acquisitions policy or like new gear policy. So maybe we all just pretend like this didn't happen.

This is a total tangent, but I feel like I'm good for those on the show. I have my old MacBook Pro sitting beside me. And I am installing Linux on it because it is a last generation Intel MacBook Pro, which is the worst of all of the generations of MacBook Pro, as you know, because you had one too. I recall that was like a sweet spot where that computer that had just rocked for a decade and has rocked for like five years since just very briefly sucked.

Yeah, yeah. It's essentially a $6,000 paperweight at this point. So I am trying to breathe some life back into it by turning it into like a Unix laptop that I'm going to use for programming and stuff. But the one thing I will say is, more tangents, is more annoying than I thought it would be because the T2 chip MacBook Pros...

need custom Linux kernels to let the keyboard, mouse, Bluetooth, and Wi-Fi work, which are most of the things you need on a functioning computer. You use mice on keyboards, bro? Fucking nerd. So the worst thing is I have some mechanical keyboards and stuff, but I don't have mice and keyboards sitting around because I have to use hard-lined external devices to do this. And it's just

been more of a headache than I anticipated. So I spent, wasted more time last night doing that exact thing than I would have liked to have. So here's my question. Hit me. When you install macOS on what is traditionally a Linux or Windows PC, it's called a Hackintosh. It's getting tougher to do, but we have a whole name for that. There's a whole culture behind it. Is there a name for installing Linux on a busted old Mac?

Not that I know of. Could you be at the moment where you get to name something? You might be. I'm trying to think. What's a good punny name? Because Hackintosh, great. Self-explanatory. You're hacking together a Macintosh. What would Linux... I don't think there is a commonly used and associated name with this. So name away, Jordan.

You've created this naming incident in the world. Posintosh, like putting POSIX, like a Unix operating system on a Macintosh. Is POSIX a Linux? Macinix. Macinix? I wanted to have the fraud hack element to it.

We're going to come back to this later. I'm going to stew on this a little bit, maybe during some of the subsequent calls and see if we can't figure this out. You can drill this with your favorite AI chatbot to come up with a catchy name, and we'll get back to that later. I want this to be human. I want this to be from my mind. Don't you know that Grok and ChatGPT and Claude are just extensions of your mind at this point?

What am I if not merely a vehicle that types things into Claude? Half of the YouTube viewers actually think we're just AIs chatting about things. So why not? Sometimes I wonder the same question. All right, next story. Next story. This is Roe, and I've got two short stories that I'm hoping you can help me bring full circle. The first is about some sketchy web traffic, and the second is a physical infrastructure prank.

So for the first one, I went to a really tiny college and all of us knew each other pretty well and most of us were pretty close. So when one of us was out of the country on her birthday, the idea was floated that we should try to Google her name so much that it showed up as one of Google's top results for that day as a little unconventional birthday gift. So

We set to work manually searching just like grandma used to do since none of us knew how to write any code at that point or script. So

After a few hours of going after this, we lost internet to the entire campus. Our ISP shut it down because they thought we were up to something and they were kind of right. So that shut down class for the afternoon on that day. So I am sorry, Caroline, that we did not get your name as one of the Google top results, but maybe I just got you on a podcast. Happy birthday.

Happy birthday, Caroline. Happy birthday, Caroline. I want to know, when did you go to university that it was possible to get someone's name to the top of Google search rankings? That's exactly what I was doing there. I was like, the amount of times you would need to Google something to compensate for the 7 billion people in the world constantly Googling.

I went to university in the 1800s, surprisingly during which Google was available briefly. You would need a botnet that wasn't doing any kind of DDoSing or anything, but the botnet was just flooding Google's algorithm with Caroline.

Or Caroline's last name is so iconic, so singular that it somehow that what, like a dozen people Googling something a bunch during the day was going to, I have follow-up questions, but let's continue. The second one came when I was working as a telecom designer at an engineering firm. We had these big L-shaped desks that were stand up, sit down desks with some memories and they were pretty cool. There was a little controller and,

And as I was cleaning my desk one day, I realized that these have RJ45 jacks on them, which intrigued me.

I knew it wouldn't be Ethernet, but it wasn't clear at all what the protocols were. I did some digging online and found next to nothing on whether it was just simple voltage. Was there some kind of signal? No idea. And I didn't even have a multimeter that day, like no equipment to even take a guess. I just need to jump in here because I have one of these desks and it has RJ45s on it. And there are massive stickers around it being like, this is not a network connection. And I'm sure...

I'm sure it's bad to plug things into this that you shouldn't. So RJ45, I'm not going to couch it for anyone that doesn't know. I don't know. I'm Googling it. That looks like a phone jack or like a cable jack. It's an Ethernet jack. Okay, got it, got it, got it. So phone jacks were RJ12s, 12, I think. Yeah, digging through memory. And then Ethernet, Cat5e, Cat5, Cat6, Cat7 are all RJ45 size jacks.

copper cable, ability to transmit voltage. Let's see where the story goes. So I felt a little defeated at first, but then I realized if I unhooked everything from the switch and we just went with the passive stuff, it might work. I wasn't sure about cables and all that, but we were going to try it. So I got the key from Anthony in IT. Shout out, Anthony. You rule.

And a lot of shout outs in this guy's lot of shout outs. I appreciate it. Anthony big ups. Patched my controller through our telecom infrastructure in the building to my neighbor's desk and hit it and it worked. So it worked just as well as if it was plugged right in. I was afraid of voltage drop, but no factor. So we now had a working zero day and needed a worthy target and

So naturally we picked the intern in a different department who worked on the opposite end of the building and he was a mutual friend. So this was, we picked you because we love you. Love you, chariot. There we go. One more. I really feel like, I feel like chariot, I feel like this dude, and I appreciate this a lot is going to share this episode now with a couple of different people. I call that free marketing.

Uh, so when he was away, I fixed the original patch and patched it into his desk, and since he was so far away, I couldn't actually see him from my desk, so we had a third party act as a relay, partly because it was funnier and partly because it would help obfuscate what we were up to. So we're just using hand signals. At first we would do little bumps up and down

just to see how he would react. And it scared him at first, of course, when your whole desk goes up. Before long, we just went for the sky, fully straight up all the way. And stuff has fallen off his desk and cables are straining. He took it like a champ. He was really cool about it. So we naturally bust out in laughter and the jig was up. So we helped him clean up his desk and make it all right and explain what we had just done and how it worked.

So the part where I'm hoping you can help me bring this full circle is I recently included this story in a cover letter for a job application. So if you run a pen testing firm and this story sounds familiar, I would very, very much like to hear from you. We'll talk. Thank you guys. Keep up the great work. Thanks guys. See ya.

Man, this guy really saw the Hotline Hacked opportunity as a marketing platform. I have some messages to get out. My dear friend Caroline, happy birthday. New intern at a whole company. Got to reveal some stuff. And if you are looking to hire, I am your man.

He's working with what he's got. Our podcast. Calling jacking your stand-up desk controller into somebody else's stand-up desk's receiver a 0-day might be a stretch. The other thing I want to say. No one had done it before. That's true. I never heard of it. It might reach the technical definition of it. I don't know if you're going to be reading about it in the news. It shows creative thinking. It sure does. So I'll give them that.

The one thing I will say is, like, after last episode where, like, somebody brought receipts, it's like I feel like you could have strengthened this with receipts. Like, I want video footage of this guy's desk going crazy and him losing it. Yeah. Like, let's raise the bar here on Hotline Hacked. Let's push it up a notch. Like, if you're going to do a crazy prank like this. Send us proof of your crimes. We want proof. Yeah.

Like hand signals, man signals. It's like I want three angles of video. I want to be able to see this person losing it. I want that TikTok. Okay, so the standing desks have these RJ45 jacks, which are just like Ethernet ports essentially. And he figures out, is it as simple as just the output on one sent into the input on the other? It's just now I'm controlling your desk kind of thing? It sounds like they set up...

He bypassed all the switching gear, which would have caused it to look for real network protocols and things. And he just created a coupled line between his desk and the intern's desk. So just connecting Ethernet cables. And then plugged that into the desk brain.

So his controller talked to that desk's brain. Okay. And then starts toggling it up and down. First... Yeah, little ticks. Little ticks here and there. You kind of notice it moving subtly until he... I did really like this. Went for the sky.

which I appreciate that the motors in these desks, I don't want someone producing one of these desks with a motor that could literally send it to the sky. But when he said that, I did picture like a desk, an L desk shaped hole in the ceiling with like a startled guy standing behind it as birds fly overhead, like a shot off the top kind of thing, which Ferry didn't do that.

But the one thing I will say is being the owner of one of these desks and the user of one of these desks is... I have a cable nightmare because I have one, two, three, four, five monitors, multiple audio interfaces, two computers. My desk is chaos. And I never take it full stand all the way up because I just know... The amount of power bars mounted to the bottom of my desk, this thing is...

is a house of cards of cables. And if I put it straight to the sky, I'm sure it would like ripping power bars off the bottom, disconnecting like my, like light controllers. And it would just be not so like the, at least they helped him put his desk back together because I'd be pissed about that. One of these days, I have a sense of your setup and I feel like one of these days I'm going to have to like,

call in one of those big avalanche dogs to come rescue you from underneath it if it was to collapse on top of you. There's so much gear. One piece of which is a penguin-tosh. Penguin-tosh. There we go. Nice. I found it. Took me a minute. Penguin-tosh will be the third computer on this desk. Yeah. And then I just want to briefly go back. I was curious...

So there might be some ambiguity here about what the caller meant in their first call regarding Caroline's birthday and name on Google. True, true. Multiple stories here. Can't forget them all. There's multiple stories. I appreciate it. I like the density. I will say, I just want to jump in and interrupt you rudely and say that let's not turn Hotline Hacked and the fact that we often don't listen to these stories before we record into a way to market things because that will make us have to listen to them all in advance.

Yeah, there's something we try and listen to the first chunk of the call to get a sense of whether it's a good fit and how it's going to flow, but not to listen to the entire thing because the element of surprise often contributes to the vibes. Maybe don't. I appreciate that there was no and find me on LinkedIn at the end of that. It was subtle.

walking the razor's edge. As a small business, you should plan to spend at least $10,000 a month on Google Ads in most cases, but a 10x that ad spend up to $10k is what you need to really move the needle on short-term search engine rankings. So bad news about Googling a name a bunch. You're about five figures short on the ad spend of getting that to rank, but I appreciate the spirit of it. And it is making me want a stand-up desk. I'm in this...

tricky spot where I have a desk I love very, very much. It's like a, it's a little bit precious to me. It was made with a family member, but the legs are structural to it. It's like the leg is the point. It's like a cool found object desk. So if I, I, I'm kind of just stuck, stuck sitting, unfortunately, stuck with sentimentality, stuck with sentiment, burdened by sentimentality, burdened by a deep emotional attachment to a piece of furniture made by a loved one. Yeah.

In another digression, a callback digression. What did you call it again? Penguin Tosh? Penguin Tosh. Yeah, so the Linux Penguin has a name. Oh. And that name is Tux. Tux Tosh. Which brings me to Macintux. Oh, yeah.

See, we don't need Claude. We don't need jippity. We don't need jippity. No jippity here. No jippity here. We got Macintuxes. We got Macintuxes. We got TuxToshes. Yeah, it's good. I like it.

Meanwhile, there's an LLM kicking out 30,000 better options per minute. Anyway, before we keep it going, why don't we just tell everybody about who this show is brought to them by? Well, Hacked Podcast, brought to them by Push Security. You know, one of the fun things about hosting this podcast, Jordan, other than weird stories and subtle marketing promotions that come in as stories...

We get to see a lot of tools, companies, meet a lot of people, get to know the community really well. And I mean, we talked to a lot of them off the air and some of them are really cool ideas and other ones are solutions just looking for problems. And then something comes along and we just have that moment of like, well, gosh darn it. Why didn't we think of that, Scott? Gosh darn it. It's really obvious in hindsight, someone was going to build it.

Yeah. And Push Security built it. Like identity attacks, phishing, credential stuffing, account hijack or a session hijacking account takeovers, massive causes of the breaches right now and their approach, you know, it's super interesting. And I totally had that moment like to their CEO's face was like, shh,

Why didn't I think that? You said, kind of rude. I mean, we had just met him, but it worked, it worked out in the end. They're presenting sponsors. Yeah, what else can you ask for? Instead of trying to lock down everything at the infrastructure level, they start where people actually work, which is in the browser. It's where we're talking right now.

They built a browser extension that observes corporate identities created by employees and logs into their work apps, which when you think about it, makes a heap of sense. Yeah, because they've got visibility from the browser into all the SaaS applications, seeing how exactly the identities are being used. Are credentials being stolen? Are they reusing passwords? Have people figured out ways to get around multi-factor authentication? Are they using local accounts when they should be using the single sign-on application?

identity provision accounts. And the kicker, if they do find those vulnerabilities, they can automatically enforce controls to fix them all right there, all right in the browser. But it's not just about protecting identities. Push is monitoring them too in real time for attacks using adversary in the middle toolkits, cloned login pages, stolen credentials, stolen session tokens, phish kits, all kinds of things. All these attack trajectories and attack surfaces that expose themselves in the browser, Push is there monitoring them.

It's like endpoint detection response, but all right in the browser. Very, very cool stuff. And as you might have heard in the last episode, Adam, CEO came on. The team is super sharp, killer researchers, big in the red team world.

They recently put out this thing on cross-IDP impersonation, where attackers bypass multi-factor authentication and single sign-on by just registering their own identity provider. It's really cool stuff. You've got to see them demo it. Check it out, Push Security. It's a super smart approach. It's a really solid team. It's very interesting research. Check them out at pushsecurity.com. That's pushsecurity.com.

Hey, how's it going, guys? Didn't listen to your show for a while now. I'm just listening to the first part of your most recent of Hotline Hacked about that guy who's at a college and he was tapping his credit card on doors to see if he could get in for fun. Yeah, the building buyer. Yeah, the guy buying buildings by tapping his credit card on the security. Yep. Remember the episode. Remember the story.

I'm actually a security specialist, so this is my wheelhouse. I won't tell you up before too many details about exactly what I do. But I give you a little bit of insight of what probably was going on there. Most likely, probably that electronic hardware on that door had failed for whatever reason. I don't know what type of electronic hardware was on that door.

But it was probably unlocked, essentially. But in software, on their access control system, it's probably on a schedule. And when you open the door, the door position sensor, back-ended contact, showed that it was forced open, which triggered an alert. So their security came in the sense by...

He was allegedly surrounded by cops or security guards, which is good. It means that I came to actively monitor their system, which is not my customer's. And actually, it also is your human response. You can have the most advanced system out there in the world, but nobody's actually monitoring it. It's a slipper. It's...

However, there is some credence to tapping random credentials at cards. There are some systems out there that I would say are particularly great systems that if they fall off the network, they don't actually store any or not very many credentials locally on the door controller.

So they have the ability to failover so that if any credential that the system can read, i.e. card format, so it would have to be at least a card that the system is designed to be able to read, would open the door. It sounds absolutely ridiculous. I think it is ridiculous that it is a feature that exists out there. This does sound ridiculous that...

Thank you for calling in. Thank you for giving us a best take of what probably happened. Funny enough, I've been installing a new access control system in our office, and I'm oddly more familiar with this stuff than I was two weeks ago. The fact that a system will, in a fail state, just allow any kind of RFID handshake to open the door seems like the worst physical access security policy you could have. For a security...

I can think of certain pieces of hardware where storing certain pieces of information on the hardware, it's kind of trivial. There's microphones, USB microphones that will store certain sound profiles on the device. Others that require a secondary piece of software to do it. It costs a $50 difference. It's a little nice to have. You plug your mic in your friend's computer and you get the profile and

letting me get into a building I shouldn't has slightly higher stakes. And I'm not sure that you should be selling that first version of that product. The one thing that I've been finding interesting, and here I'm going to go on another tangent and digression here, is like electronic locks that these access control systems control are

all run on like 12 volt DC, like very like minimal amounts of power. It's nothing crazy. And lots of these locks, if you can sever that power connection open. So it's like, I can see Jordan's face right now. You won't be able to, but it's really good. It should be everyone's listening. Yeah.

Like there's a lock that if you can cut the power, you break in. I'm like, that's the easiest heist movie ever. It's like just cut the power to the building and then walk in. There's some that fail safe and some that fail secure. So you can set them because the other problem is, is like if they don't open in case of emergencies, like clearing the building will be very impossible because a lot of them have electronic relays to reopen them from the inside. So like if you're in a secured facility, you have to push a button for the door to open to get out.

So then you have to set fail safe, fail secure. And it becomes like this interesting thing. But like even aside from cutting the power to the building, like, like, you know, those big magnet locks that you see on like glass doors, like they only stay locked because they're getting a constant feed of 12 volt power. And if you just interrupt that power relay, those doors just wide open.

Yeah, sure. And I guess it depends on the type of building if you want to fail secure versus fail open. I definitely appreciate like there's enough horror stories of weird stuff happening where a building was burning and a door got locked and a bunch of people die in a supermarket in South America. It's like those stories suck. That shouldn't, you don't want to design a system that works that way. I'm surprised there isn't sort of like a healthy intermediary where it's like the door just has like a fail close in one direction. Yeah.

Yeah.

Well, the beauty is that the best cross for that is like we have a power lock, like a power strike on our office door. And it is fail secure, I think is the right one. So that if the power goes out, it stays locked.

But then on the inside of that door, there's one of those push rails that physically opens the door. Yeah. Opens the door. So you can still get out in an emergency, but the lock stays safe. If it's like the middle of the night, somebody cuts the power to the building and tries to break in. But anyway, I just find it, I found this fascinating just because I've,

recently gone down this rabbit hole of like looking at these access systems. And it's like you have these really complex identity control verification encrypted backends for the access systems. And then the lock is literally like the red and the black power cables. It's like... It's all encrypted, locked down...

There's no brain in the lock, but the lock is controlled by a brain. And it's like, all you have to do is kind of like get in between that and boom, it opens. Scott, what do you like best about Shopify? Oh, Shopify. Well, the cha-ching sound, you know, I adore, but actually. You mean this cha-ching sound? Yes, Jordan, that cha-ching sound. But truthfully, I love Shopify just because it is a well thought out, well designed, well conceived, well executed brand.

that makes my life easier. And what more can you ask for in today's world than paying for a service that you don't hate, that you actually love?

I like Shopify in the same way that I like all a lot of kind of creative software. For a lot of people, you got an idea in your head, you want to put it out into the world, but you don't have the right tool to do it. Selling stuff on the internet is one of those things that seems like it should be really trivial and simple because Lord knows everyone is doing it. And then you try and figure out how and it's complicated.

Not with Shopify. Shopify lets you plug all the different stuff you want into one place, gives you a really nice, clean, easy front end for people to shop from, lets you receive payment, lets you run your product through it. It's how we got the Hacked store running, far easier than a bunch of other tools that exist. We genuinely really appreciate that. That's what I love about Shopify.

Yeah, yeah, I completely agree. It is as complicated as you want it to be, or you can use it at a pretty high level like we do. And it's very easy. So upgrade your business and get the same checkout we use with Shopify.

Sign up for your $1 per month trial period at shopify.com slash hacked, all lowercase. Go to shopify.com slash hacked, H-A-C-K-E-D, to upgrade your selling today. Scott, one more time. That's shopify.com slash hacked.

So we made an episode a long time ago called the problems with passwords. And I was pretty critical about password managers. And funny enough, years ago, the company that I work for and run, uh, started using 1Password Teams and it's been amazing. I now gift 1Password, uh, subscriptions to people for birthday presents and Christmas presents because it's made such a profound impact on my life, my cybersecurity, even just my organization of access to accounts and accounts that I forgot about when there's hacks, it notifies me. I changed passwords. It's been amazing. And we're happy to have them now on as a sponsor. 1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, identities, gets them all under your control, ensures that every user's credential is strong and protected. Every device is known and healthy and every app is visible.

1Password Extended Access Management solves the problems traditional IAM and MDM can't. It's security for the way we work today, and it's now generally available to companies with Okta and Microsoft Entra and in beta for Google Workspace customers.

1Password's award-winning password manager is trusted by millions of users and over 150,000 businesses from IBM to Slack. Now they're securing more than just passwords with 1Password Extended Access Management. Secure every app, device, and identity, even the unmanaged ones, at 1Password.com slash hacked. That's all lowercase. That's 1, the number one, password.com slash hacked. 1Password.com slash hacked.

Hey, Jordan, do you know the status of your compliance controls right now? Like right now? Well, we know that real-time visibility is critical for security. But when it comes to our GRC programs, we rely on point-in-time checks. More than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 350 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows for policies, access reviews, and reporting, and helps you get security questionnaire done five times faster with AI. Now that, that right there, that's a new way to GRC. And for a limited time, listeners can get $1,000 off Vanta at vanta.com slash hacked.

That's Vanta, V-A-N-T-A dot com slash hacked. Get $1,000 off today. Hey, Jordan, what's that URL again? That's Vanta, V-A-N-T-A dot com slash hacked.

Hey there, my name is Wolf. I really like your podcast and the idea of the hacked hotline series. So I thought I would share a story of mine. It's not overly technical or crazy, but I think it fits.

About five years ago, I was working as an aircraft mechanic at an airport. The company had vending machines that were supplied by a vendor. Each of us had a small blue key fob that we could use to pay at these vending machines. To add money to the key fob, we would hold it against the reader on the machine and insert coins. I had always wanted to work in IT and had a hacker mindset. I loved breaking things to understand how they worked behind the scenes.

One cold winter morning, I stood in front of a vending machine to buy a coffee. Then a thought crossed my mind: what would happen if I removed the key fob at just the right moment while adding money to it? I decided to try it. I held the key fob against the reader, inserted a coin, waited one second, and removed it. Nothing happened. I tried again, but waited a bit longer. Normally, when the charging process is successful, there is a distinct beep sound, and a small LED lights up green.

This time, however, the beep was distorted, and the LED lit up yellow instead of green. I checked the balance displayed on the vending machine; it showed the amount of the coin I had inserted. Then, to make sure I wasn't imagining things, I checked the balance on my key fob at a different vending machine. To my surprise, the money had been added to my key fob as well. Curious, I pressed the return button on the vending machine, and it spit out the coin I had inserted.

I had effectively duplicated the coin's value. Since the highest value coin in my country is worth 5, I realized I could easily generate a lot of money by repeating the process. I tested it a few more times to confirm that it worked. But I didn't want to get into trouble or exploit the bug. Instead, I went straight to security and reported my discovery. The security officer looked baffled and unsure of what to do. He asked me to show him what I had found, so I did.

He told me he would investigate and that I might be contacted about it. He also instructed me not to tell anyone other than security. A week passed, and then one day, the security officer approached my work area, this time accompanied by three men in suits. My mind started racing. Had I done something wrong? Was I about to lose my job? One of the men introduced himself and explained that they were from the vending machine vendor. They wanted to know more about the issue and asked me to demonstrate it.

I explained everything and showed them how it worked. They took notes, asked questions, and thanked me before leaving. The whole thing felt like a crime scene investigation. The next day, nearly all vending machines in our hangars were shut down, with signs saying "out of service." This did not go over well; mechanics are serious coffee addicts. Another week later, the same men in suits returned.

They told me I had discovered a bug that affected nearly all of their machines and thanked me for reporting it instead of abusing it. Before they left, one of them handed me a small box. Inside was a red key fob with my name engraved on it. They explained that I could use this key fob to buy items from their vending machines, up to $5 per day, without ever needing to charge it.

It acted like a special credit card for their machines, even at train stations, where their vending machines only accepted coins or credit cards. This experience fueled my passion for IT. I started learning Python and JavaScript, staying up late to work on projects. One of those projects was a chatbot, which eventually became quite popular. I continued working as a mechanic for two more years, and not a single day passed without me using that red key fob.

I was the king around my workmates and friends. Eventually, I decided to leave the company to pursue an apprenticeship in IT. One day, after making my decision, I ran into the IT help desk manager in the cafeteria. He knew my father, who worked at the company a few years ago, and struck up a conversation with me over lunch. I mentioned my plans to leave and my chatbot project. Then he asked, "Wait, aren't you the guy who found the vending machine bug?"

"Yeah, that was me," I replied. He told me that the company was urgently looking for an IT apprentice and that, since I had already demonstrated an interest in IT and gained some knowledge, he would be happy to recommend me for the position. I eagerly agreed. After completing a few test days in the IT department, they offered me the apprenticeship on the spot. Now, I'm about halfway through my apprenticeship, and I love it. That's my story of how I transitioned into the IT sector.

Hope you enjoyed it and have a great day. I love it. Great story. I feel like the day started, I was interested to hear where it went because it sounds like he figured out a way to lose his money.

He was like, I'm putting coins in the machine, but I'm not getting it. And I was like, but then he's like, oh, I hit the refund button and the coin came back. The coin came back out. I was like, you found the opposite of an infinite money glitch. And then partway through, I was like, no, there it is. It's an infinite money glitch. Got it. Got it. Got it.

I have a sneaking suspicion that this person's from Japan because, uh, the vending machine culture in Japan is outrageous. They're everywhere. And the fact that they are... A lot of the indications that he said, like the largest coin is $5, like 500 yen is the largest coin. And so I was like, okay, so this person's in Japan. There's vending machines everywhere. And he now has the gold key to buy something at any vending machine in Japan, apparently. Which is also probably why the company took it so seriously. Like was so worried about it. It's not just the hangars of people, but there's probably like 50,000 of these vending machines across the country.

Yeah. That's, that's a really good take because my big question had to do with the apparent like squad of men in black type characters that show up because you got the best of a vending machine. Um, without digging into too much detail, I've had family that worked in airlines. I have some very early memories of hanging out in weird parts of airports when I was a little kid before the security was what it is today and having some very bad airport vending machine coffee. And I can tell you, there was a guy coming and picking up a bag of quarters every couple weeks. There were no suited people touching down from the private jet to come figure out who hacked the system. See?

See, but then again, more leading indicators that is Japan, but salary men, like it fits the fits the vibe. I like it. The I I'm I like the story. I like that they use it as a pivot showed some some interest. I thought it was going to go in the darker way, like the pharmacy credits, where it's like, yeah, I figured out how to do this. And then it became my life just like stealing points.

Right. Yeah, sure. There's a version of this where they get enraptured with it. They acknowledge the infinite money glitch they've discovered and their whole world just becomes juicing 500 yen at a time out of a coffee machine. This is much more interesting. I am regularly on this show confronted with like pretty real questions about how I would behave morally in different situations. There's certain stories where I see the kind of good path and I know very confidently I would have taken that. There's other ones where I'm like, oh, maybe I just be free coffee baby for the rest of my life. And just, I'm the guy that knows how to get free coffee out of these things. I'm not so sure I would have done the right thing in this case.

Well, in my case, if my hypothesis is correct, and this is Japan, it's not just coffee. Like you can buy anything. Yeah. Food, booze, like you name it. Cool. I would love to have that culture here. Uh, the venue. Yeah. And then I would love to be the God of the vending machines with the sacred key fob. All of them. Uh, yeah. Yeah.

And the honorary red key fob engraved with their name also stands out to me. Swaggy. Yeah, totally. Swaggy. So if you submitted this story, please drop us a note. I'd love to know if I'm correct that this is in Japan. But thank you for calling in. Great story. I'm hoping you're enjoying your IT days. If you're learning Python, Python's one of my favorite languages and also one of the languages that the AI bots are best at writing. So if you just need a bunch of Python code written... Talk to Jippity.

Here's my question. With that magic red key fob, I'm holding the magic red key fob from this call in my mind and the security expert that called in about the buying a building with a credit card call from previous. What could you buy with that fob?

It's five bucks a day, but you go up to the main headquarters of this vending machine consortium, starts tapping it on shit. Well, if the previous caller that had called in was right, all you need is a malfunctioning access system and you can buy whatever you want. That's still pretty shocking to me. And does make certain heist movies make sense. There's often a, like, we got to shut down the power tie moment. It's a good, there might be something to that. Five bucks a day.

Yeah, wow. Lots to unpack in this one. Well, here's the thing, and this is just straight hypothetical. We're just BSing at the end of the episode now. Sure. But a lot of buildings, call them commercial towers...

Oh, there's a third rail here where we're going. I would rob a building, I guess is what I'm saying. Well, no, but you think about it like from a security perspective. It's like a lot of these controlled infrastructure pieces are inside of like large commercial buildings. And it's like cutting the power to a lock or bypassing the control unit and directly sending the power into these locks.

It would be really difficult for the outside of a building because the outside of a building is clad with stones and marble and all this stuff. But when you're inside of a... The inside. Yeah. But if you're like on the 36th floor of a corporate tower and there's a half inch piece of drywall between you and the red and black cables, it takes an X-Acto knife and a battery and you've bypassed, you know, a $100,000 access control system. Pretty. So it's like... How secure are we, Jordan?

I have a friend. She was in town. She was crashing with us and she's a lawyer. She was asking about work and she was asking about the podcast and she had that kind of polite moment that people do where they're like, and it's like a tech show, right? Yeah, totally. It's a technology show about security and hacking. She's like, oh, what do you mean hacking? We talked about it and she's like, so you're telling people how to do that. It felt like the restaurant went quiet in that moment. I was like, no, no, no, no, no, no, no, no, no. We're not telling people how to do this stuff. We're just talking about people who did it and then telling people how to do this stuff. Yeah.

I don't agree with that. We never do that. For liability's sake, we never tell anybody. For liability's sake, we never do that. That was me doing a gag. I love it. I love it so much. I haven't done the tapping my credit card on a building thing since we made jokes about it in the last episode, but I have no word of a lie thought about it every single time I walk past a building where I can see the key fob thing up front, which is most buildings. I think about it all of the time now.

So I was really excited to see that follow-up call. I like the follow-up call thing. I think we're going to do more of that. If you want to share your strange tale of technology, your computer confession, your true hack, go on over to hotlinehacked.com. There's a phone number you can call. There's an email you can submit to. You can send us text. You can send us an AI voice message.

We just want to hear from you. And if you would like your voice obfuscated, just let us know. Either send us in text and we'll use an AI bot to convert it into audio. Or if you send us in a phone call or any of those things, we will convert them into... We can obfuscate them, no problems whatsoever.

This show, again, brought to you by PushSecurity, PushSecurity.com. They help companies stop identity attacks before they happen. They do it all right inside the browser where everyone's already working anyway. If you want to find out more, check them out at PushSecurity.com. I think that's another one in the bucket. I think so. I think so. Get at us with your story. We want to hear it. And until then, catch you in the next one. ♪♪♪
