
Hotline Hacked Vol. 13

2025/5/29
Hacked

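People
Caller: A personal finance expert and radio host who offers practical financial advice and debt-management strategies across multiple media platforms.
Jordan: A podcast host and photography expert with in-depth knowledge of photographic techniques and equipment.
Lamb and Rice
Scott: Achieved early retirement through aggressive saving and real-estate investing and became a leader of the financial independence movement.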
Topics
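Lamb and Rice: In college I was hooked on partying, which left me with very poor grades. So as not to disappoint my parents, I decided to forge my report card. I used the web space the school provided, downloaded the HTML of the school's grade portal, and used Microsoft FrontPage to modify my grades. I changed the grades to fairly average ones, Bs and Cs, to avoid arousing suspicion. I forged an email that looked like it came from the school, notifying me that grades could be viewed. When I showed my father my grades, he was somewhat disappointed but accepted them. Looking back now, if I had put the effort I spent forging the report card into studying, I might have done better. I am now a data engineer, and perhaps this experience counts as a kind of practical experience. I hope my daughter won't do anything similar in the future; if she does, I hope she'll come to me for help.
Jordan: Rather than spending a lot of time forging a report card, it would be better to put that effort into studying. This story could serve as an assignment: use the free web space the school provides to create a mock grades website.
Scott: When I was young I did similar things too, pulling small tricks between teachers and parents. This story also reminds us that we should pay attention to inappropriate language on the show and warn listeners in advance.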

Chapters
A data engineer recounts his college days, where he altered his university's grade portal HTML to change his grades to average Bs and Cs, avoiding his strict parents' disappointment. He reflects on the effort spent on forging versus studying, highlighting the experience as practical data engineering work. The story emphasizes the importance of appreciating parental support for education and the use of Microsoft FrontPage as a primitive web editor.
  • Used Microsoft FrontPage to alter university grade portal HTML
  • Changed grades to average B's and C's
  • Uploaded altered HTML to personal web space
  • Faked an email to look like it came from the university
  • Works as a data engineer

Transcript


Hi Jordan and Scott. You can call me Lamb and Rice. I absolutely love the show. Most of my family does in fact. My 5-year-old daughter often asks me to put the podcast on while driving her to school. I'm not sure whether I should be proud or scared about that fact. But I digress.

My story is from my college days about 20 years ago. I was privileged enough to have a family that supported me in my education, and I am forever grateful for that. I used to party really hard and forget to go to class at times, leading to either F's or W withdraw grades for the semester. My parents are traditional Asian parents and very strict when it comes to education. Knowing I couldn't show them my terrible report card, I devised an evil plan.

My university at the time gave out web space for all of its students so we could host any content we wanted. I downloaded the HTML for the university's grade portal and was able to alter it using Microsoft FrontPage to change my grades. I made sure to make my grades very average, Bs and Cs, to make it look more realistic and ease any suspicion.

I uploaded the altered HTML to my personal web space and drafted a fake email to myself indicating that grades had been released and could be viewed on the student portal. It had the university watermark and everything. I was very proud of my work. When I logged in to show my dad my grades for the semester, he was disappointed that I didn't do better, but I was elated that it actually worked.

It's funny thinking back at the story because if I had put in the amount of effort into my studies versus forging a report card, I would have done pretty well. I now work as a data engineer and have been in the field for about 15 years, so I write it off as practical experience. I just hope now that my five-year-old doesn't devise a similar evil plan when she grows up and goes to college. If she does, however, I hope she'll come to me for help.

It's funny because the first thing I thought of was like, man, just spend so much of your time and utility like forging these grades. If you just like done it, put in the same amount of effort in a class, I'm sure you would have done fine. And I love that they acknowledge that thing. Yeah, it feels like this was just extracurricular study at a certain point. Like,

This could have been an assignment. Hey, use the free web space that we give you to do a mocked up version of the grades website. Also, welcome to Hotline Hacked. It's the call-in show where you can share your strange tale of technology, true hack, or computer confession. Brought to you by Push Security. If you want to share your story with us, go to hotlinehacked.com. Lamb and Rice, I really like this one. Thank you for sharing both the story and the show with your whole family. Sorry about the last episode. That would have been a

Not one to share. This is a good one. This one, I never quite forged grades, but this kind of mild getting in between the teacher and the parent type computer hijink was definitely my thing when I was younger too. I love that his daughter loves the show and it makes me regret that.

Some of the more recent feedback about how we get a little bit more loose-lipped with inappropriate language. Yeah, we can tighten that up. Maybe we can tighten that up for you. I definitely don't think of there as being kids listening, as evidenced by many of the stories. But you know what? It's a good thing to know. And so if we're going to get salty, we could give warnings. That's really, really valid. Yeah.

Okay, so Microsoft FrontPage. That seems to be the sort of technical heart of this little hijink. Are you familiar with that one, Scott? Microsoft FrontPage was just one of those products that Microsoft put out as like a primitive, WYSIWYG, what you see is what you get, web editor that kind of came out in early web days being like, here, you can use this to build basic websites without having to know how to write the code. Sure. Squarespace before Squarespace type thing. Yeah, OG Squarespace. OG Squarespace.

It's cool that, I mean, he works as a data engineer now, so presumably he was studying something to do with tech in university. I guess that's a big assumption. He could have gone on to study it. But I find it cool that this university gave out web space to everybody so that they could host whatever content they wanted. Is that common? Yeah, I think it was pretty common back in the day. Like you had your own personal directory. I think that, to me, is what's at the heart of the con, we'll call it.

Because that allowed him to host essentially a created grades portal on a web, like on the university's URL. So it would be more believable than if it was like, yeah, my grades are just over here on geocities.com. It was like, no, you had to go to the university site and then it showed the grades. And the parents would be like, okay, this looks legit.

I'm sure you pointed that out too. Like, look, look, look, look. Yeah. Nothing like clamoring to point out how real something looks to make people think that it's real. Yeah. There was multiple steps to this too, because they not only mocked up the website. So it wasn't like, Hey, come in and look at my grades already loaded up onto the browser in full screen mode. So you can't see the URL, uh, like faked the website and then took the time to consider, um, okay. Yeah.

My family, the family supports lamb and rice. They maybe have a sense that they're not on a, you know, a road towards a straight A semester. They're partying. They sometimes don't make it to class. In order for this to be realistic, you're going to want to rock some B's and C's in that bad boy. They thought ahead. They didn't forge too high.

They forged right where they ought to be, right in that middle pocket to be a little more realistic and ease some suspicion. They draft the fake email. It was a very thoughtful version of one of these. They didn't go full Icarus, didn't fly to the sun with straight A pluses. Magna cum laude. They're going to be the valedictorian of our school and be like, I know this kid's not going down that path right now. This is a ruse. Yeah.

I'd be intrigued to know how he faked the email or whether he just drafted up an email structure that looked like it and sent it from some random email and the parents assumed it was right. Or if he actually used some kind of bypass to use an open SMTP server to make it look like it came from the university. But small details. I'm sure most parents, especially...

Well, if he's been an engineer for 15 years, I assume he's around my age. I don't think his parents are probably hyper-technically competent. Or the parent standing over his shoulder watched this whole thing unfold, nodded, said, okay, better grades next time, but glad to see you passed everything and walked out of the door, shut the door behind them and went,

That was total bullshit. That was all made up. Salty language. I got to work on that. That was totally made up. But you know what? It took a lot of work. It was pretty technically sophisticated. Maybe this kid should go into data engineering. Maybe. Maybe. Maybe that was part of his path of discovery. Maybe he was just like intro sciences and was like, you know what? I actually quite enjoyed that.

Yeah, sure. That like project, special project I took on at the end of the semester to like confuse and lie to my parents. Lamb and Rice was also majoring in English, but this forgery sent them down a much more useful path. I like to, you know what? That's, I'm retconning this whole thing. That's what I think happened here. I was going to say, I'm pretty sure you have an English degree, so. That's why I'm allowed to make that joke. That's true. That's true.

Oh man. I also, the one other thing that stood out, like when I was picking this, I only listened to the first few seconds is how like, uh, how thankful and grateful they were to their parents for paying for their education. I just love that sentiment. Yeah, totally. Respect. You don't take it for granted. It's not an expectation. I appreciate and respect that. So when I heard that, I just immediately like grabbed this story. Yeah. Appreciative. Uh, thank you for calling in. Thank you for the good story. Lamb and Rice. I really dug that one.

I'm a listener to Hotline Hacked now. Thought it's about time that I call in, tell my story about grade 7 to my grade 12 graduation. It started off...

Man, we're just getting an endless amount of people hacking their, like, it seems like school-related hacks. School's out for summer. It's the start of summer now-ish. We're getting there. Is this going to be a whole school-centric episode? We're going to find out together. Off with me, I'm injecting cheats into my Xbox games, like Call of Duty World at War, Black Ops 2, having, like, a modded Xbox game.

And from that, it introduced me and showed me that you can modify software or make... The AI apparently didn't do a great job with all the words in this one, so please bear with us. Make computers do things that they aren't supposed to do. And being a kid in grade 6 or 7 at this time, you can see how this opened a whole world of possibilities for me. So I remember back...

So he was modding his Xbox and injecting cheats into the Xbox games. Grade six. That's what, like 11 to 12 years old? That's pretty good. I don't think I knew someone that had a modded Xbox. And I did know someone that had a modded Xbox until we were into like junior high. And I'm sure as heck that he didn't mod it himself. He bought it at the Superflea Market.

as you did in the time. Then I'd go on YouTube and I'd search up things like how to hack or how to remotely control a computer. And from that, I was introduced to tools like shutdown.exe on Windows or the command prompt or how you could change the color to green in CMD, etc., and look like you're hacking in the Matrix.

Around this time, I was walking through my school and I seen someone in the computer lounge or the computer area with the green terminal open. And he was also one of my classmates. So I approached him and I'm like, hey, that's so cool. I also do this and I could also shut down computers.

Going forward, we bounced ideas off each other or learned how to batch script together. At one point, we made a script that we distributed to students in our class, which was just like a command-line interface, like a batch script that you can enter a computer name and it would remotely shut it down. And since all the computers had stickers on them with their name, it was quite easy to identify a target to shut down.

And another payload that we had would be a PowerShell script, which would do a text-to-speech voicing. Insert your finger here, and then it would rapidly open and close the disk tray to the computer, and a bunch of stupid things that you'd expect grade 7 students to get up to. It's kind of nice that they found each other in this wild world, you know? Yeah, it's kind of sweet. Just walking down the hallway and sees a green terminal open and goes, hey, I do that too. I'll shut down the computers with the computer.

And then make the disc tray open and shut, open and shut, and put your finger in it and maybe chop it off like a cigar cutter. It's good stuff. I will say, though, when I'm in public, and we all have Macs now. There's so many of them, right? Everybody has a Unix computer, so it's not the same. But whenever I walk by and I'm in a public setting and I see somebody with a terminal open ripping in the terminal, I'm like, oh.

That's a friendly person. It's like a sticker on a laptop identifies what part of a subculture you are. But if you have a terminal open on a computer, it's like I know exactly what kind of person you are. I see you. I see you over there with that green terminal with the code tumbling down at the matrix. I love it. Shockingly not what they look like, but yes. I'm familiar. I know, I know.

Cutting forward to about grade 10 of this story, every single student in the school has a username and password, along with the kindergarten students. But as they are kindergarten students, they all have a shared account with a very memorable username and password of the username AZ and the password 123. With this,

I guess when they were configuring the account, they didn't really consider kindergarten students in their threat model and they forgot to enable a lot of security features. Like at this point, they block the ability for students to remotely shut down computers. But if you're a kindergarten student, you can easily get past that

Because there's no restrictions on your account. Along with this, every single computer on the school network came pre-installed with a Samba server. And lucky for us, the kindergarten account credentials also worked on the server, which would let us remotely access or upload files to any computer on the school network as long as you knew the host name to it.

We had a piece of software at this time called TrollRat, which was a remote access Trojan. It lets you remotely access computers and, as the name implies, troll them. So you can open up a Rick roll or you can make the screen look like it's melting or broken or blue screen of death, the computer. So my friend had the genius idea to upload this to our computer science teacher's computer and...

Most of the time, the students were very subtle with it, like blue screening the computer if they wanted to get out of doing something or if they just wanted like a laugh. But they weren't blatant with popping up messages or opening up websites, to my knowledge. I do remember at one point in class,

the IT teacher was giving a lecture and he got a pop-up saying trollrat.exe has stopped responding. And with a puzzled look on his face, I believe after that class, he went to the IT department and mentioned how he believes his computer is compromised. I will say it's a strong...

A strong choice to go after the computer science teacher. You're going to want to go ahead and target a gym teacher, a social studies teacher. You're going after the one person that's going to know what's going on here. Exactly. Given the security measures that the school has implemented, the best solution that the IT team has found to resolve this malware was to put a script on his desktop of the computer and

And you can click it and it will just kill the task of trollrat.exe. That is not a solution. That doesn't sound like it would be the solution. Oh, there's something, there's some kind of compromise on your computer. We'll just get the turn off the compromise button installed right quick. Yeah. And every time it gets run and you notice that it's being run, you can just turn it off. No big deal. So you can't, you can't get it off of my computer and they're like driving away in the time it took for you to say that.

So since we had remote access to every computer in the school, if he decided to kill the rat, we were able to just log back into his computer, run the file again, and then we'd have control again. So their solution was not very well thought out, but I think it goes to reflect how the security was at this point. It also shows the complete deficiency of actual security protocol. Like, hey, there's malware on my computer. It's very like...

mundane as far as malware goes. Okay, we're just going to put a script on the desktop to kill it. And we're also not going to look at the other 600 computers in the school and see if it's on there. Yeah, there's no question asked about like, oh, how do you think it got onto my computer? Because that might lead you down the road of going, oh, this is on all of the computers on our network. Also, we didn't want to look through the log files and see what user account put it into the network.

Oh my god, it's a kindergarten student's account. And we haven't put any access controls on the kindergarten students. I was going to ask about that. Where it's like all the kindergarten kids have the same username and password. And for some reason this kindergarten username and password combo gives you the access to put files on any device on the entire network. That's what it sounds like. This comm sci teacher and IT department

Like, I wonder if I was wrong. And meanwhile, the gym teacher is off in the distance, hacking into mainframes, running botnets and stuff. Like maybe, maybe the talent hasn't been organized quite properly at the school. Yeah.

There's a bunch of other stories that I have, like times when we'd remotely authenticate into a student's computer and we'd turn up the volume to 100% and play a really embarrassing song in front of everyone. Watching them scramble to turn down the volume or figure out where the audio is coming from. But it all came crashing down when my friend was using a tool called Cain and Abel on the school laptop. He was using the feature for a man in the middle attack, which basically lets him intercept every single HTTP request in the school network or the school district's network. So upwards of 50 schools. This allowed him to view if you were to log in on a website, it would show him the username and password, which you entered into that form. And given that he's doing this all from the school laptop and all of the computers in the school board, dozens of computers are connecting to this tiny school computer.

It got overloaded and it wasn't able to handle all the traffic going towards it, which caused an outage across the entire school board for about the hour that he was doing the man in the middle attack. This raised alarms with the IT department and they got a forensics team and did some investigation into the source of this. They were able to track down the school computer which it came from and either check security footage or maybe event logs to see who was using the computer at the time and

They did catch my friend. He got a two week suspension for this and everyone's password in the school board got changed. They upgraded their security. They changed password on administrative accounts. I ended up getting away without any punishment.

It did scare me quite straight. Now I've graduated with a degree in computer science. I work in a cybersecurity field on the defensive side. I am very remorseful for a lot of the things I've done at a younger age, but it did teach me a lot and I'm able to apply a lot of the skills that I learned from black hat hacking on a blue team side of things. But yeah, that's basically it for Mr. A. Thanks for listening. So you...

So you sit down at the library computer and you start a district-wide man-in-the-middle attack where you're routing all HTTP traffic through your computer, scrubbing all of the usernames, passwords, and other private data. Thus crashing the entire school boards or school districts' computer network because you were trying to run it through presumably like a little Chromebook or something. Which causes them to...

walk away from the it guy who put the kill troll rat script down and actually go get some competent analysts to come in and figure out what's going on so you know the the trope in in films and television where there's like a the small town sheriff and then the you know like a terrible murder happens and they have to call in like the very scary fbi people that pull up in like the black land rover or a helicopter or something and there's this real sense of oh no

I was the grownup a minute ago and now the grownups are here and it's very disorienting. I'm imagining that's what it was like for this IT department at this specific school when they suddenly get a call from the very serious IT department at the school board level or the district or whatever it was called saying like, Hey,

There seems to be a device on your network that's crashed the entire area. We are going to be showing up. See you soon. I imagine that was a real moment of panic, a real sheriff's waiting for the FBI kind of moment. That is a great analogy. I'm sure it very much was. It's like it turns out he used a kindergarten kid's login credentials and was-

Scraping all of the web traffic for confidential information from probably the library computer terminal. It's like he was, it turns out this person was using a kindergarten's login credentials and the IT department at the school had to go credential. Credential. There's only one.

Oh, and it has access to be able to upload files to the entire school's network. Yeah, yeah. It's been given like God rights on the Samba shares. Samba being like Windows file transfer protocol and also commonly used in Unix and

Other things. Troll rat. I like this one. This is, this is both a good story of a person that had a scared straight moment, which I know I've had in my life and they're useful. I think they're a useful moment to have in your personal history who went on to graduate with a degree in computer science, remorseful for the, for the black hat activities of his youth and,

I think really at its heart, it's a workplace comedy about an IT department in over its head in a situation that shouldn't have been above anyone's head. Should we write the script? Like do a pilot script for this TV show? Yeah, I'd watch. I'd watch. That one's really good. That is good. I do, yeah, classic tale as old as time. Feels remorse, goes to university, becomes a blue teamer. Totally. So he's literally on the other side.

Kudos to you. Good for you. I'm sure that's the thing. When you get these kind of interests, how do you explore them? If you're a 13-year-old or even younger, I think I started writing code when I was 7, 8. It's like, you get the itch and there's no way to scratch it without...

maybe break in a few policies and laws. And it's like, that becomes a real thing. It's like, how do you develop these skills and get interested in these topics? Like if I decide I really like baseball, like there's so many ways for me to go out and play baseball and progress in that field. But this is definitely a field of like self-discovery that can sometimes come at the cost of others. Yeah.

Sure. You can tell that I think the phrase like to turn off another person's computer was uttered a couple times in the call. You can tell that that was something that initially caught their imagination. Of course, you're telling me, I'm over here on my device, and I can turn that device on and off.

That probably seemed like the superpower that opened the floodgates to realizing that you can do a lot more than turn the other computer off. There's basically nothing you can't do. You can operate it as though you are sitting behind it, up to and including Troll Rat, Rickrolling, opening up the CD tray, which is very nostalgic when you described it.

Because I can picture sitting in a school computer room with those big old beige, there were always beige towers.

with the CD tray. Yeah, you realize you got a little bit of a superpower on your hands there. Well, it's funny. I don't remember the timeline in there, but he goes from shutdown.exe to, yeah, and then we built a remote access Trojan. Big escalation. So we're running a man-in-the-middle attack on the school district. What was that? Exactly. You can see the progression as it goes from like, yeah, we figured out how to like,

make a pop-up or crash somebody's computer to next thing you know, it's like, okay, I got a remote access Trojans on every computer in the school district. Next step, it's like, yeah, we're running man-in-the-middle attacks, scraping web traffic for confidential data, unencrypted data. And it's like, okay, this is a three-year progression. I bet that school district level IT person

was so relieved when they discovered it was a 10th grader using the kindergarten account and not just a really scary kindergartner doing this.

They probably breathed a big sigh of relief of like, oh, we had a real Terminator situation on our hands here. Like, we're going to have to stop this kid. We're going to have to intervene here because this child is alarming. By 10th grade, you having figured out how to do that, impressive. Good foreshadowing, but not scary. A five-year-old doing any of this, spooky. Yeah.

I wish he'd told us what happened to his friend, the one that did get busted, if he was scared straight and put back on the rails. I'll say a two-week suspension. Yeah. Pretty reasonable outcome for him. Yeah. Two weeks is interesting. I'm trying to, not to dox myself, but I think I only ever got a one-week suspension. Yeah. Same. And the damage...

It was somewhat tech-related, but it wasn't this kind of tech-related. It wasn't district-wide, though. It was localized to my school and involved power breakers. But it was just for one week, and it didn't affect anybody outside of that immediate vicinity. So kind of scales. See how they got there. Most I ever got was a week, too. But you're essentially committing...

Cybercrime. Yeah. Vandalism. A fairly large... A big man in the middle attack taking, scraping confidential data for what is probably thousands of users. Sure. That's not... That's real. I feel like a two-week suspension is like...

If I'm him, I'm happy about that. I'm happy I'm only getting two weeks for that. I'm glad the FBI didn't actually show up. I would hope they have better things to do. At that point, it's really just a question of like, okay, so you got a dud IT guy. Sorry. Yes, this literal child shouldn't have done this. But I'm pretty sure there's bigger fish to fry just in this school to address this problem.

I'm also, I'm just thinking the sheer number of, like, I love how many calls we get about like youthful school, various school aged hijinks on this show. School IT people might be the front lines in a way that I didn't really realize they were before we started doing this call in show. Like when that whole school district went down for an hour, I bet there was no mystery about what had happened.

It was that there was a student somewhere who had gotten up to some stuff. Because otherwise, like, shy of a ransomware attack trying to go after the school district, what's the more likely explanation? That some external state-level actor is trying to take down, maybe scraping the credentials, but man, student seems like a likely explanation.

Yeah. I don't know. I feel like when it comes to troubleshooting IT headaches, I feel like you start with the obvious. Did anything die? Did a network switch go down? Is there a disconnection? Is something going on? The ability to have the network data to be like, no, it's actually all of... There is thousands of gigabytes of throughput going to this library computer in this district school.

The disc tray frantically opened and shut. I think we're way past the disc tray. No, no, no. This was a separate instance. It was just the pressure on the system. I know that's not how computers work at all. But in reality, like, and this is the thing is like, you know, if you're really good, like say you're a seven-year-old prodigy at like basketball. Yeah.

People identify you. You start to get put into development programs. There's schools that have entire sports programs in them where you do the sport for half of the day and learning for half of the day. There's this big thing about identifying talent and fostering it and building it. I see where you're going with this. This is the thing. We don't do that that much in STEM. Maybe we should be. When Trojan Rat...

Or troll rat to be found the first time. That's not just a marker that there's somebody up to some malfeasance. That's a marker that there's somebody in the school that's like,

seven years past the technological expectation that they're there there's some people have on them likely talented if nothing else passion there's there's some enthusiasm for something and you're right that if this was basketball there would be like a coach standing off to the edge being like this kid's got it and instead there's a comm sci teacher going why is there malware on my computer thank you for writing a script that turns the malware off i can't get over that yeah

Yeah, me either. That's a wild response to that. But that's the thing. I would love to see better identification of having been one of these students. It's like there was, thank God I found some positive outlets for it because if I didn't find those positive outlets, I don't know where I would have ended up truthfully. Because there was so much I wanted to explore about

So much I wanted to do, so much you're learning at such a rapid pace. And especially in today's world where like you can literally sit down with an AI and learn anything in like 30 minutes. Like you can build these skills so quick that it's like if you have a passion and interest and a desire for it, it's like we need to...

I wish maybe I should run for government, Jordan. Maybe I need to, we need some better policies about talent identification and STEM. Or hack the school district, get some monitoring software. So the next time this happens before the IT people from the district show up, you show up and be like, this kid's got it.

I think that's the premise for like a sitcom. Yeah, we're really writer's room at this time. Totally. Yeah, that's like a bad network shows origin story for hackers. Like they were recognized when they were seven when they hacked the school. It's like, that's not real. And yet we're here advocating that that would actually be kind of rad if that sort of thing existed. The thing is, it probably does exist in certain countries.

If you told me that there wasn't that kind of a role in some places on earth right now, I would be like, you're lying. There's definitely a guy whose whole thing is just being like someone hacked the school in this province over here. I'm getting in my car and we're going to go figure out who did it because when they turn 18, they're hired. Well, all of those bad mini series, like,

Bunch of people fighting crime and they've got a hacker nerd on the squad. And that hacker nerd was arrested for breaking into the sec. It's 18 years old. And it's like, yeah, but you could have identified that person at like 11. You could have got away earlier. You gotta get away earlier. Give him better training. You would have been amazing. Or they would have been amazing. Oh, that's really, really good. Yeah. Good call. Um,

The least interesting part now in retrospect was the modded Xbox, but boy, that took me back. When I was a teenager, a buddy of mine had a modded Xbox with an aftermarket hard drive installed into it because I don't think the first version of Xbox had much, if any, local storage, certainly not enough to store a game on it. Yeah, correct. And he got it. It was an aftermarket hard drive with like...

150 full tilt AAA games on it. I remember playing Fable for the first time, running it off a hard drive that he bought. I was like, this is the greatest thing I've ever experienced. I wanted one so bad. See, Jordan can see me, but you can't. But there's actually a modded Xbox sitting right there. Hell yeah. Hell yeah.

Should we cut over to the Ad Roller Coaster? The Ad Roller Coaster. Dang. The infrastructure is getting built out. First, it was a calm oasis. Then it was a water slide. Much quicker. And now we're on a roller coaster. Is it a drop? Is it one of those just like straight vertical rips? Could be. Could be that we're brought to the people by...

Push security. Yeah, I was going to say, could be an identity attack. Could be phishing. Could be credential stuffing. Session hijacking. Account takeover. These are all the number one causes of breaches right now, but most security tools are still focused on endpoints, networks, and infrastructure. Meanwhile, the browser, the actual place where people are working, has been ignored.

Push changes that. They built a lightweight browser extension that observes identity activity in real time, gives you visibility into how identities are being used across your organization, like when logins skip multi-factor authentication, when passwords are reused, or when someone unknowingly enters credentials into a spoofed login page. Then, when something risky is detected, Push can enforce protections right there in the browser, no waiting, no tickets. It's visibility and control directly at that identity layer where it all happens.

And it's not just about prevention. Push also monitors for real-time threats like adversary in the middle attacks, stolen session tokens, and newer techniques like cross-IDP impersonation.

The way to think about it, it's kind of like EDR, but for the browser. And the team behind it, they're all offensive security pros. They publish some of the most interesting identity attack research out there, like the software as a service attack matrix, which breaks down exactly how these kinds of threats bypass traditional controls. Identity is the new endpoint and Push is treating it that way. Check them out, pushsecurity.com.

Bye besties, love the show and listen every time it comes out.

Love the new hotline format. Mine's not so much a hack, just something we stumbled upon internally. I worked for a large mass conveyancing firm in the UK, in the IT department, rewriting one of their systems. For some reason, all the machines had SMB file sharing turned on, so if you knew a computer name, you could double backslash computer name C dollar sign folders etc etc, and access their C drive and essentially see all their stuff.

This was probably mid-2000s before en masse HR SaaS, but we found the HR manager's computer and then just had a good old trawl. We found everything, GDPR, EU data regulation didn't exist, and apparently neither did security. We then found a large spreadsheet with the entire staff salary on. We quickly saved that externally and then sat on it. How much the directors, C-suite, were on and what we weren't.

A week or so later, we felt we had to disclose it. The hole was closed. The fun was over. We never got in trouble. Shout to my boys Dan, Shuck, Chill, and Lobber. Gilbo remains the worst boss I've ever had. Free to use this on air. Probably don't use my last name. First is fine. I really like the shots fired right at the end, and I feel this.

Gilbert was the worst boss. You can feel free to use my first name. What was it? It was Gilbo. Gilbo. I assumed that the AI had sort of mangled the pronunciation. Gilbo was the worst boss. Oh, that's really, really good. Okay, we got some location clues. Works for conveyancing and love nicknames. So I'm going to say... Is this British? Didn't we get some direct confirmation that this is UK? Yeah.

Did he say that? Did he say UK? I might have just projected the accent of the AI onto the caller. They made reference to EU regulations. So saying that this was in the mid-2000s. This was...

before the point where there were whatever kind of encryption and protocols for storing that kind of information. And so there was just an HR person who on their computer was a file that wasn't data protected in any way and just had everyone's salaries in a spreadsheet, including the C-suite and whatever level Gilbo was at. I bet most companies still have this spreadsheet. Yeah.

Yeah. Yeah. It's like at best, there's an Apple note somewhere that just says what everyone makes. And it's like, Oh, that's, that's secure. You got that lockdown champ. Wow.

But it's funny, back-to-back stories about Samba shares. Yeah, what happened here? This is almost the same as the high school one where they found out that if you had the kindergartner's credentials, you could use Samba to walk across the network and go into every computer's hard drive. Get onto someone else's device. Right, it does have that. This enterprise had the exact same thing.

They had Samba set up openly. It doesn't even sound like they needed a kindergartner's credentials. I was going to say maybe it had that AZ123 username password classic combo. I wonder if they used that to log in. That's damning. But just a tale as old as time, you get access to a network. This is something that I have an issue with where it's like,

When you put me in a network, I inherently just look around it. It's like if you were to take me and put me in a hotel on an island that I've never been to, I would just...

go for a walk and see what's out there. And it's like, I would just fully assume that anything that I'm allowed to see or anything that you let me see, I'm allowed. Yeah. I was like, you are using allowed in a very, very loosey goosey way there. You're like, if I'm able to pick the lock and Jimmy the door open, well, how could I be expected not to see what's on the far side? I've been, I've been given access to like enterprise networks and stuff. And it's like,

If you put in my login scripts an automount for a shared drive, I'm assuming you've done that for a reason. I'm going to take a look at what's in that shared drive because some of it might relate to what I need. Sure.

There might be something like a good faith reading is like, if you gave me access to three things, I'm not going to know until I went into all three that the third one wasn't actually for me and I wasn't supposed to look at it. That's why you don't give access to stuff that isn't relevant. And you definitely don't give access to stuff that is privileged. Yeah, exactly. So it's like, to me, that's the thing. Like, this is a bit different, I guess, because you're like literally using Samba to go into a computer's hard drive that you don't have access to. But I don't know.

Like, yeah, I mean, locking down your data. Yeah. So there's, there's two different things here is one is like, don't share things that you don't want the person looking at. And the, in this particular cases, uh, the line was, I found the HR person's computer. It's like, well, you went, you went looking and I get why. Cause that's where, uh, for lack of a better word, the juicy stuff would be such as what that person,

turd Gilbo is making because that's just on a human level you got a bad boss you want to know what they're making it's very shout out to the boys shout out to the boys yeah this one's good

Do you get the sense this was an external vendor? No, internal employee. This was internal? Okay, so he was just hired on to rewrite the system, figured out how to get access. This makes sense. Okay. Yeah. Stumbled across it, found out that network sharing was turned on by default on every PC and that the C drive was being shared on every PC. Probably done by a lazy IT person to facilitate...

File distribution and stuff like that in the back end. I wonder if so. They the resolution of the story is, you know, they went, you know, a couple of days past week past or whatever. And we said, we're going to go report this. We're going to make sure that they can seal this up so that they can close the hole. I wonder if in that process they revealed that they had gotten access to the spreadsheet with everyone's salaries in it. Oh, definitely not. Yeah, I feel like that's something. Well, you could go two ways with that.

There's the, and I'd like more money because I know what you all make, which isn't how you deliver that news, but it's the subtext to be sure. And then there's the just, I'm going to go ahead and keep this to myself and not draw a giant spotlight on myself in the form of knowing what the top brass makes as opposed to me. I feel like going into a salary negotiation with a piece of confidential data that you stole and took externally, which they did note. Mm-hmm.

And asking for more money and justifying it by pulling out that confidential information is probably going to get you fired. Or get you the biggest raise of your career. I'm not recommending doing this. If there's any five-year-olds listening, that's a joke. It will probably almost certainly get you fired. Or even in more trouble than you would have been previously in. Or fat stacks. Anyway, on to the next one.

I was 17, a third-year high school student at a boarding school in Brazil. All school ones, pretty much. One employee one. Yeah. We got almost a full house here. We got a trend here. We do have a trend. You called it early. Yep.

the kind of place where you lived and breathed school. Internet access, however, was a different story. This was before smartphones made internet ubiquitous and Wi-Fi, while starting to appear in homes, wasn't common public infrastructure. Our school had no Wi-Fi in the dorms, only in select spots like the library. As a self-confessed nerd, I owned an HP iPAQ Pocket PC, a handheld device that, crucially, had Wi-Fi. The school, surprisingly, authorized me to use it.

To get online, they had to assign my iPAQ a specific IP address. Back then, access control was often managed by whitelisting IPs. If yours wasn't on the list, you were out of luck. So with my iPAQ's authorized IP in hand, I noticed something. The school was slowly wiring the dorms for cabled internet. The physical infrastructure was mostly there, but IT was configuring computers room by room. Even before they officially activated internet in my room, my desktop could see the internal school network.

It just didn't have an IP address cleared for internet access. A thought struck me. What if I use my iPAQ's IP on my desktop? I tried it. To my genuine surprise, it worked. My desktop was online. For about a month or two, I was one of the few, if not the only students with reliable internet in my room, all thanks to this IP trick. Then came the official rollout. Our school was Adventist, meaning on Fridays, after sunset, all work stopped.

It was a Friday, and the IT team was making their way through the dorms. As sunset neared, they were in the room before mine. My room was next. The problem? The technicians were friendly with those guys and were stalling, chatting. I saw the clock ticking. They wouldn't make it to my room. I approached them humbly. "Hey, it's almost sunset. Any chance you could quickly pop into my room and configure our computers?" We had three in our room. "No, we can't," they said firmly. But I pushed. "Okay, but if I can get them configured, am I allowed to?"

One tech, probably thinking I couldn't, just shrugged. "If you can manage it, go ahead." That was all I needed. Back in my room, I fired up an IP scanner. This tool pings devices to see which IP addresses are active. Since it was Friday afternoon, many computers were being shut down. My scanner listed active IPs and, importantly, those becoming inactive. By night, I had a list of free IPs from offline computers. With three PCs in our room, I figured I'd grab two for my roommates.

The plan: use them for the weekend, then Sunday night, revert everything to avoid IP conflicts when everyone returned Monday. It worked like a charm. We had internet all weekend. Come Sunday night, I removed my IP and my cousin, one of my roommates, did too. But our third roommate decided he wanted more. "I'm gonna use it a bit longer," he said. I warned him, "Okay, but if you see any IP conflict messages or things get weird, turn off your computer immediately and unplug the network cable."

Monday morning. I also worked at the school, cleaning grounds. My non-compliant roommate came tearing towards me. Dude, he panted his hip to fan. They came to the room. They found the IP. I was confused. What do you mean? Didn't you turn it off if there was a problem?

He explained, "I was using the internet and man, it got super fast. Incredibly fast. I was downloading stuff like crazy, it was awesome, so I just kept going." The IT team had traced the problematic IP to the network switch on our dorm floor, then to his computer. When they burst in asking who configured the internet, he immediately pointed. "He told me it was you." Great. Ratted out.

My first thought: well, at least I technically had permission from that technician. Here's what had actually happened: the IP my roommate was using wasn't just some random student's. It belonged to a server. The IT guys were vague on how an IP conflict could cripple their infrastructure, or why a server's IP was even available.

But the head of IT said the problem likely stemmed from how the network switches handled the conflict, particularly concerning the time to live of entries in their IP or ARP tables. When his machine claimed that server's IP, the switches would have updated their tables to point traffic for that server to his machine's MAC address. If the TTL for that entry was long, or if the switches' programming didn't handle duplicate IPs gracefully, legitimate traffic for the actual server would be misdirected to his computer for an extended period.

His machine, unable to process server requests, effectively created a black hole. This likely caused the cascade failure. The internet for the entire campus went down. The only place it still worked? My roommate's computer. That's why his connection became blazingly fast. He had all remaining campus bandwidth. Once he named me, the news spread like wildfire. Every student knew. The campus was offline, people panicking about assignments, and I was public enemy number one. Walking to my dorm was a gauntlet.

Pointing fingers, glares. It was him. Students approached, stressed. "I have a paper due tomorrow. You broke the internet." I mumbled apologies, trying to explain it was unintentional. Reaching my dorm floor, the entire IT team was there, clustered around our network switch. As I entered the common area, my dorm mates were there too. Accusations flew. "It was you. You don't know the trouble you've caused." The technician who'd given me that dismissive "if you can, go ahead" was among them.

Seeing him, something snapped. I got angry and yelled back. I only vaguely remember the specifics, but one exchange sticks out. One of them shouted, What do you have in your head? I retorted, Can't you see? I have hair.

A heated, but not technical, argument. The next day, formal proceedings. First, the coordinator's office. I explained everything. The iPAQ IP, the tech's conditional permission, the scanner, the weekend plan. Then, a meeting with the head of IT. I apologized sincerely, reiterated it was never my intention, and stressed I believed I had authorization and had instructed my roommate to disconnect. My point: I set the stage, but the final trigger wasn't entirely my fault.

I even offered my talents and knowledge to help restore the network. "No taques" My next stop: the school's general director. They seriously considered expelling me. It was close, but I was allowed to stay. Ever since I was a kid, I'd wanted to be a hacker. More prankster than malicious, someone understanding systems enough for cool, unexpected things. Millennial hackers might recall dial-up days. Often no home routers or firewalls, your IP directly exposed online.

This made grabbing an IP via MSN Messenger for innocent pranks, like remotely opening CD-ROM drives or changing desktop backgrounds, relatively straightforward. I never considered myself a real hacker, and this campus incident, while impactful, wasn't technically complex, but the story became legend. At my graduation, as I walked up for my diploma, the entire student body started chanting, HACKER! HACKER! HACKER!

In that moment, though I didn't feel like one, I'd sort of achieved my childhood dream. I became a mechatronics engineer, though my career leaned toward electronics and programming. Security is a hobby. I have done capture the flag competitions. I guess I'm a hacker now, ethically exploring. The thrill is the break-in, the puzzle solving. I don't have much imagination for afterwards. One big lesson: official technicians aren't always the most knowledgeable.

I realized I knew more than some school IT staff then. That shaped my problem-solving approach and my enduring fascination with security. Full circle. What a saga. A crime saga set in a boarding school in Brazil.

That's pretty good. And a lot in common with some of the others, all the way right down to the disk drive opening up and shut. I got to say, the thing that gets me about this, and I'm mad on behalf of this person, is the technician being like, two things. One, the technician being like, whatever, yeah, if you can do it, go for it.

Passively dismissing them. And then the other thing that gets me is the roommate, the idiot that caused all the issues. He was like, because that's the funny thing, is like this person knew that he was borrowing approved and authorized IPs and using them. So he knew that there was going to be conflict headaches. So that's why they were like, okay, Sunday night, let's clean up the mess so we don't get in trouble. Like we've been playing Counter-Strike all weekend and now we have to stop. Mm-hmm.

And then the one roommate who was just too selfish, he's like, no, I'm just enjoying this too much. Like, I'll do it later. I'll do it later. I'll do it later. Yeah, we need to clean up this crime scene. Make sure you clean up the crime scene by Sunday. Otherwise, the crime scene won't be clean and we'll get caught in this crime scene. Your friend's like, I love the vibe of this crime scene and just lets it run out. It's like, no, you had one rule. Yeah, exactly. It's like I did you a favor and now you've destroyed me with it.

Because had they actually removed it and the technician showed up and configured on the Monday, it would have been fine. Nobody would have even noticed probably. Yeah. And instead, this person gets turned into public enemy number one. We've had a few calls where everyone kind of knows. Sometimes no one knows who the culprit was in this case, it sounds like. To quote them, public enemy number one. Everyone's pointing fingers. It was him. It was him. I have a paper to do. What did you do? Yeah.

And now this person's on the road to notoriety culminating with everyone chanting hacker as they walk across the stage. Oh yeah. I'm glad that as a positive incident though, like he was crossing the stage and they were yelling hacker and he's like, huh? I did it. I did it. My childhood dream. That's a silver lining kind of person. And I appreciate that. Absolutely. As the eternal optimist here, I'm with them. I'm glad that when it got escalated to the head of IT and eventually to the school's general general director, uh,

More so with the head of IT, I'm glad that I believed I was okay. Like this person graduated, like obviously this all worked out okay for them. And I think that that is a good, that to me should be a good excuse. I explicitly asked the IT people in my building, if I could get this up and running, was I okay to try and get it up and running? And they said, sure, fill your boots. So I filled my boots and now everyone's livid at me for how full my boots are. Like,

It's a fair point. The people in charge of this said that I could do it and then I didn't. It was fine. And I knew that a potential conflict could emerge if it wasn't undone by Monday. And I asked this snitch, capital S snitch, to get on top of this and they didn't. So you shouldn't be mad at me. You should be mad at that rat. Yeah.

I do, yeah. I wonder how the meeting went with the head of IT when they were just like, do you want me to help you guys fix it? It's like a room full of paid technicians and then there's a student being like, well, clearly you guys need some help, right? Yeah, it's like, do you want me to fix it? And they're like, well, hypothetically, how would you fix it? It's like...

It's like, well, your ARP table cache has got too long of a lifetime and you just got to refresh it. It'll all be fine. Just chill. Yeah. We're slowly accumulating a data set on this show of what leads people into different tech related careers.

Cause we always get the origin story and then people, and I really appreciate this tend to share where they, they went with things more. So when you get these less confidential school age stories where people can be a little bit more forthcoming with who they are and where they are in life currently, sometimes they don't share anything personal about themselves because there's a lot of confidentiality because they hacked a major retail chain, for example, just hypothetically. Yeah.

But I feel like we're accumulating a lot of information on how people get into different tech jobs. And that's interesting to me. I think the, yeah, kind of. Because I think what comes, like the chicken or the egg, you know, what comes first. And obviously these people have the passion and the interest. Like if you're carrying around a pocket computer. Yes. Like I had one of those. Like, I'll tell you. Like I was always obsessed with portable computing until portable computing became popular.

Now we all have portable computers and it's sick. And it's sick and I'm obsessed with reducing the amount of time I spend portably computing. Totally. Now I'm going the other way being like, am I spending too much time on this thing? There's a portable computing crisis, you might say. Yeah. But like I had an HP iPAQ that I had installed Linux on. But did you really? Yeah. HP iPAQ. I'm trying to picture that one. iPAQ. This looks like

I didn't have one of the ones. Oh, sick. Yeah. Yeah, sure. A little kind of Palm Pilot looking buddy. This is a personal, what are they, PDAs? What does that even stand for anymore? Personal Data Assistant? Assistant Accessory? I don't even remember. It's an acronym I haven't said in so long, PDA. It's Public Display of Affection is...

Yeah, personal digital assistant. Yeah, there you go. That's a great way of branding those. Yeah. There was a store near our house that sold used stuff. And at some point, one of these...

I can't, I think it was just Palm. I think it was like after the Palm pilots, like era of superiority had faded and they were just kind of becoming like, they made cheap ones that you could buy new for around a hundred bucks. You can get them used for less than 50. And one of them showed up and I got like a used Palm PDA when I was younger. And I was, I was a businessman. I was a hacker. Like I was, I was though the world opened up to me. I thought it was so cool. I was whatever I wanted to be. I thought that thing was so cool. And like,

Now our phones are ridiculous supercomputers. Yeah, they'll be on our faces soon enough. Yeah, they'll be in our eyes in a few months. And apparently on a necklace. I'm not sure if you saw that OpenAI. We could talk about whatever. We don't have to talk about it. Jony Ive got another payday. Yeah, $6.5 billion for a company that literally has no products. Cool. That's an acqui-. And that might be the world record for...

Acqui-hire. Acqui-hires. Yeah. That's pretty wild. Six and a half billion is a lot of money to pay somebody to come work for you. They got to have a gizmo. We're way off track here right now, but they've, they've got to have a thing. There's got to be a presentation you give where everyone goes, wow, that was pretty cool. Or Jony Ive is just the all time great pitch man. Like it's just like those videos that were such a big part of design and tech culture for his era of like, you know, the white backdrop, Jony Ive talking dramatically over marimbas. Um,

He just did that in a room and $6.5 billion fell out of someone's pocket. We'll see. Wild. Anyway, back to the story. Back to the hotline. Good call. I'm fascinated by this boarding school in Brazil and just this sort of transitory era of the dorms getting all wired up for internet in real time as you're there. Good story. Good story. The...

I'm glad they let you stay in school. Me too. Yeah, me too. No expulsion. Didn't have to go to a different boarding school and hack their networks. You could stay in and hack a network that you were already familiar with.

If you want to share your strange tale of technology, true hacker computer fashion on Hotline Hacked, brought to you by Push Security, go to hotlinehacked.com. You can find the phone number. You can find the email. You can submit it as audio. You can submit it as text, and we'll AI voice-ify it. We love to hear your calls, be they set in schools or not schools. Wherever your story is set, send it in. We want to hear about it. And we'll see you soon. We'll catch you in the next one. Take care.

Bye.