
Hotline Hacked Vol. 8

2024/12/23

Hacked

People
J-Pod
Jeremy: Leads the EAA Pilot Proficiency Center, driving pilot training and safety improvements.
Anonymous Canadian listener
Anonymous Australian listener
Topics

Anonymous Australian listener: Modems from a large Australian internet service provider ship with a default SSID and an 8-digit numeric password. An attacker can capture a handshake and crack the password with Hashcat, obtaining free network access anywhere in Australia. The weakness has existed for at least three years, which points to serious shortcomings in the provider's security. The method is simple: run a Wi-Fi scan, find a network with the default SSID, capture the handshake, then crack the password with Hashcat. The whole process takes only a few minutes to yield a free internet connection. Although the listener claims not to be a professional hacker, their ability to find and use this weakness reflects major gaps in the provider's security measures.

Anonymous Canadian listener: A large grocery chain's points program had a flaw that let an attacker use a script to submit fake missing-points claims in bulk and obtain free points. Initially the system lacked safeguards such as a captcha, so an attacker could easily accumulate large numbers of points overnight with a script. After the flaw was fixed, the system added a restriction that $10 had to be spent before $10 in points could be claimed. However, the attacker found that by creating multiple accounts and linking them to each other, this restriction could be bypassed, yielding unlimited free points. Using this flaw, the attacker obtained nearly $10,000 in free points within a year. The listener described the process in detail, including creating multiple accounts, linking accounts, spending, and claiming points. The technique was ingenious and fully exploited flaws in the system and its rules.

Jeremy: A background-check app called PeopleSpy had a security flaw that let users access other users' sensitive information, such as social security numbers. The app stored users' sensitive information in plain text locally on the device, without the necessary protections. The listener discovered the flaw by chance while using the app and contacted the developer, who ignored it. The flaw indicates serious security defects in the app's design and development and underlines the importance of protecting personal information. The incident also reminds us to stay security-aware when using apps and to protect personal information.

J-Pod: In high school, because the school's electronic book system (EBS) had a security flaw and teachers lacked security awareness, the listener was able to access the school's entire computer network and obtain all quiz answers. Using their technical skills, the listener helped teachers with EBS problems and gained full access to the school's computer network. They then found that EBS quiz answers were stored in unencrypted text files, used this flaw to obtain all quiz answers, and helped themselves and classmates get high marks. The incident reflects inadequate security measures in school computer systems and teachers' lack of information-security knowledge.


Key Insights

How did the caller in Australia manage to get free internet for three years?

The caller discovered that a major Australian internet provider ships modems with default SSIDs and passwords. The default password is always an 8-digit number. By capturing a Wi-Fi handshake through sniffing or a deauth attack, converting it to a format readable by Hashcat, and using the program to brute-force the password, the caller could access free internet anywhere in Australia.

What is the significance of the default password structure used by the Australian internet provider?

The default password structure is significant because it is always an 8-digit number with no characters, symbols, or uppercase letters. This simplicity makes it easier to brute-force using tools like Hashcat, which can process millions of password combinations in minutes.

What was the Canadian caller's method for exploiting a grocery store's loyalty points system?

The Canadian caller exploited a grocery store's loyalty points system by submitting multiple online complaints for missing points, which equated to $10 increments. Initially, the system lacked a captcha, allowing the caller to spam claims overnight. Later, the system changed to auto-approve claims under $10 if the account had spent $10. The caller then created multiple accounts and linked them to cycle the $10 claims, effectively creating an unlimited money glitch.

How much money did the Canadian caller accumulate through the loyalty points exploit?

The Canadian caller accumulated just under $10,000 Canadian in one year by exploiting the loyalty points system, completing 996 transactions in the process.
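The two abuse patterns summarized above (many accounts behind one mailbox via plus-addressing, and accounts whose qualifying spend was funded by points transferred from an account that had just been credited for a claim) are what a loyalty program's fraud team would want to detect. The following is an added example, not code from the podcast or from any loyalty program; the record fields, the $10 thresholds, and all sample claims are constructed assumptions for this illustration. It generalizes a little beyond the episode by also collapsing Gmail-style dotted aliases.

```python
"""Added example (not from the podcast or any loyalty program's code): a
detection pass over constructed loyalty-claim records that flags the two
patterns the caller describes, from the program operator's side. Record
fields, thresholds and all sample data are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTO_APPROVE_LIMIT = 10.00     # assumed: claims at or under this were auto-approved
MIN_QUALIFYING_SPEND = 10.00   # assumed: spend required on the account before a claim qualifies


@dataclass
class Claim:
    account: str
    email: str
    amount: float                 # value of the missing-points claim
    spend: float                  # qualifying spend recorded on the account
    spend_from_transfer: bool     # qualifying spend paid with points moved in from another account
    linked_from: Optional[str]    # account that transferred the points in, if any


def canonical_email(addr: str) -> str:
    """Collapse plus-addressed (and, for Gmail, dotted) aliases to one mailbox."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def multi_account_identities(claims: List[Claim]) -> Dict[str, List[str]]:
    """Mailboxes that stand behind more than one claiming account."""
    groups = defaultdict(set)
    for c in claims:
        groups[canonical_email(c.email)].add(c.account)
    return {mbox: sorted(accts) for mbox, accts in groups.items() if len(accts) > 1}


def flag_claim_chains(claims: List[Claim]) -> List[List[str]]:
    """Follow transfer links account to account; flag chains where every
    downstream account's qualifying spend was funded by transferred points
    and its claim sits at or under the auto-approve limit."""
    by_account = {c.account: c for c in claims}
    successor = {c.linked_from: c.account for c in claims if c.linked_from}
    chains = []
    for head in (c.account for c in claims if c.linked_from is None):
        chain = [head]
        # stop at the end of the chain or if a link loops back (cycle guard)
        while chain[-1] in successor and successor[chain[-1]] not in chain:
            chain.append(successor[chain[-1]])
        downstream = chain[1:]
        cycling = bool(downstream) and all(
            by_account[a].spend_from_transfer
            and by_account[a].spend >= MIN_QUALIFYING_SPEND
            and by_account[a].amount <= AUTO_APPROVE_LIMIT
            for a in downstream
        )
        if cycling:
            chains.append(chain)
    return chains


def review_queue(claims: List[Claim]) -> List[str]:
    """Accounts an analyst should look at: members of a flagged chain or of a
    multi-account mailbox. Deduplicated and sorted for a stable report."""
    flagged = {a for chain in flag_claim_chains(claims) for a in chain}
    for accts in multi_account_identities(claims).values():
        flagged.update(accts)
    return sorted(flagged)


# Constructed sample: one person cycling three plus-addressed accounts, plus two ordinary claimants.
SAMPLE_CLAIMS = [
    Claim("A1", "shopper+01@gmail.com", 10.00, 10.01, False, None),
    Claim("A2", "shopper+02@gmail.com", 10.00, 10.01, True, "A1"),
    Claim("A3", "sho.pper+03@gmail.com", 10.00, 10.01, True, "A2"),
    Claim("B1", "bob@example.org", 8.50, 42.00, False, None),
    Claim("C1", "carol@example.org", 45.00, 120.00, False, None),
]

if __name__ == "__main__":
    print("multi-account mailboxes:", multi_account_identities(SAMPLE_CLAIMS))
    print("claim chains:", flag_claim_chains(SAMPLE_CLAIMS))
    print("review queue:", review_queue(SAMPLE_CLAIMS))
```

Neither check alone is decisive (plus-addressing has legitimate uses, and a single transfer between family accounts is normal), which is why the chain check requires every downstream account to have been funded by a transfer and to have claimed right at the auto-approve limit, and why the output is a review queue rather than an automatic block.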

What security flaw did the caller discover in the PeopleSpy app?

The caller discovered that the PeopleSpy app stored metadata, including social security numbers, in plain text files on the device. This allowed anyone with access to the device to view sensitive personal information without any encryption or protection.

What did the high school student exploit in the EBS program at his school?

The high school student exploited the EBS program by gaining access to the teacher's login credentials, which provided unrestricted access to the school's computer network. He discovered that all quiz questions and answers were stored in unencrypted text files, allowing him to download the software and access all the answers, which he then shared with his classmates.

Chapters
An Australian caller shares a method of obtaining free internet by exploiting default credentials on a popular internet provider's modems. They describe using a deauth attack and Hashcat to crack the default passwords.
  • Exploiting default modem credentials for free internet access in Australia
  • Using deauth attack and Hashcat to crack default passwords
  • Prevalence of vulnerable modems from a major Australian ISP

Transcript

Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession after the beep. Good day guys, just calling up from Australia. I wanted to say I really love your show, you're doing a fantastic job. It's been absolutely awesome listening to you guys tell all sorts of amazing stories over the past few years. So thank you for everything you've done. I was listening to a story from a guy in Brisbane, which is a bit north of where I am in Sydney.

And he was telling, you know, a default credentials story, the kind of standard stuff that you would hear, the standard kind of hack. And I thought, well, I wish I had a story to tell, but I'm a pretty rubbish hacker. I don't really have any story I can tell. And this is probably the part where I should say that you should obviously skip my voice if you don't mind. So for the past three years or so, I've been getting free internet anywhere in Australia.

So I kind of stumbled upon this hack and I reckon it must be known in hacking communities in Australia, but I haven't heard anyone talk about it. So I'm sure I'm not the first to realize this, but it's this pretty cool thing that I found where there's this huge internet provider here, probably the most popular one, and you can beep their name if you have to. It's...

So when you sign up with a plan using this internet provider, they ship you out a modem and the modem has a default SSID, so your network name and a default password. Now the default network ID is Wi-Fi dash and then four hexadecimal values and a default password is always eight numbers. So it's not...

There's no characters, there's no symbols, there's no uppercase, lowercase, it's just eight numbers every time. So I think, you know, originally, maybe three years ago, that was considered perhaps secure enough. But what I found was you could capture a handshake either through just sniffing or through a deauth attack. And once you have that handshake, which you probably want to stop the podcast and explain it because I'm sure you'll do a much better job than I will.

Once you have that handshake, you can convert it to a format that Hashcat will read. And Hashcat's this awesome program that uses a computer's GPU to compare hashed passwords with the hash that you've captured very, very quickly. So you can go through a million passwords in a couple of minutes. It's amazing stuff.

So the result is that anywhere you go in Australia, you can do a Wi-Fi scan, basically open a Wi-Fi scan and you'll see that there's Wi-Fi dash four hexadecimal values in your vicinity. That's a default SSID for ****. I'm sure they're probably using a default password, right? So you can run, capture the handshake from that SSID, run Hashcat, and in about two and a half minutes, you'll have free internet anywhere in Australia.

So yeah, it's been awesome. It's been really, really good. And the funny thing is I thought I don't have a story and then I thought, oh, this is something that's pretty good. Maybe this will fit the criteria. And I went to look up your number and I passed like five legitimate methods to report this to organizations that should be reporting this to you. But instead, I'm telling you this story. So yeah.

I hope you enjoy it. And thanks again for everything you guys have done. Well, thank you for your kind words and taking the time to send us your story. As opposed to the five legitimate organizations that you could have reported it to along the way, you went straight to the source hotline, hack.com. It woke. It's a call-in show where you can share your strange tale of technology, true hacker, computer confession, and,

including how you get free internet. This reminds me of like a first episode we did, or maybe even before we ever recorded you just explaining-

all the different machinations of free internet you'd come up with over the years, Scott. Yes. We did talk about this. We have talked about this. But right now I want to talk about our sponsor, Delete Me, who brings us Hotline Hacked. And without them, we wouldn't have these episodes coming out every month. So thank you, Delete Me. We will talk about them a bit in the future. But right now, let's get back to the story.

Yes. So we talked about this during the Flipper Zero thing because the Flipper Zero is especially good at de-auth attacks and sniffing a handshake.

So you can literally get modules and things that attach to it for Wi-Fi access. Sasquatch, I think him and some of the other creators have these beautiful big LED screen attachments that go into the GPIO pins that are specially built for mass deauth and recording handshakes to then put through Hashcat and pull it out. So this is...

I love that you've identified such an infrastructural issue in a massive ISP.

And because they are so prevalent, you just have access wherever you want to go. So for anyone that doesn't know, there's a couple different, like, ingredients to this little thing the caller has cooked up. First one is a Wi-Fi deauth attack. For anyone that doesn't know, kind of what is that? Sure. So essentially you're sending deauth packets at the Wi-Fi router, which is then causing, essentially, it to terminate connections with things.

So you're essentially punting things off the internet. So think about it like that. You're essentially just kicking a device off of the internet. So you spoof the MAC address of that device, and then you essentially tell the wireless access point that you don't want to be connected to it anymore. So it deauthorizes you. It just punts you. Huh. Interesting. And then the real one tries to reconnect because it's just been punted.

And that is the handshake that he's recording. Huh? If that makes sense. Which he's recording as, the thing that he's recording is hashed. And so he's then using this Hashcat tool in order to figure out what the password is based on that. Yeah. Yeah. Yeah. So like Hashcat is essentially a big, like, password brute forcer.

So it just, it's custom written to use like high performance GPU, like your NVIDIA graphics cards and stuff to be able to process faster data. So often there'll be like a dictionary attack. Like we talked about this in problems with passwords. I remember this. Where it's like you have a hash. By the time you like kind of parse the handshake, you essentially get an encrypted version of the password. And then you can like essentially like brute force it with dictionaries or random things.

randomly generated, you know, hashes. Hmm. And he's able to do this because as he mentioned, uh,

The password is always just eight numbers for this large Australian ISP, and importantly, no characters. So that makes it a lot easier for you to just brute force guess because it's a smaller set of things. It's just numbers you're working with here. Yeah, the dictionary file, like I could write a Python script to generate. Actually, sorry, ChatGPT could write a Python script to generate that dictionary file. I don't write things anymore. Thank you very much. I have a robot that does that for me.

Yeah, exactly. So ChatGPT could build you a script that would generate a dictionary file of just one of those combinations per line, and it would generate that in moments. And then you'd just be able to use that as the dictionary for the brute force. If you knew it was eight digits, that's an easy win. Yeah.

Huh. And I guess because it's standardized, you do. I like how this started with, I'm a pretty rubbish hacker, and then proceeded to explain something that doesn't strike me as rubbish at all. It's like, I think you cracked this thing wide open there, caller. I just think it's like, this is like, how do I say this? It's like a functional hack. Yeah. It's like this person is saving, like, I don't know what your internet bill is, but my internet bill is like $1,300, $1,400 a year for my home internet.

This person's saved like $5,000 by just being like, these are all over my neighborhood. Or if you're living in an apartment or condo building, you go to a cafe. Like if they are such a prevalent ISP, they'd be everywhere. It would take you a few moments to like run your DIA script, like read the, read the, uh, the handshake, parse it, uh,

brute force it, and then boom, you're online. Yeah, I guess I was thinking of this, I wasn't thinking of them as being able to do this at home. I was thinking of it as like, oh, you're on the go and you want to connect to something, here you go. But I guess you could just, like, live by the sword, die by the sword, and just use this hacked internet all the time. Huh. Well, if, if, like,

when I'm in our office and I run like a Wi-Fi scanner to see what's available, there's literally, I did it yesterday. There are 360 wireless networks within range of my desk.

So it's like, and a boatload of them are one of our prevalent ISPs. And I can see that. So it's like, if I knew how to get into any of those, I just picked the one that has the highest, you know, connection value and I'd brute force it and jump on it. When I was a teenager and I first got my own computer, not the like family computer sitting on the desk, but I got a laptop and

And it had Wi-Fi, but our house did not have Wi-Fi because why would we need Wi-Fi? We have one computer and it's plugged into the wall. There's a good year and a half where I was just connecting to a password-free Wi-Fi connection for my neighbors. Which I haven't thought about in a really long time. Significantly less technically sophisticated than this.

Well, when Wi-Fi came out, it was like the Wild West. It got installed. It wasn't just that you had free access to people's Wi-Fi. It was that all the Wi-Fi routers, nobody ever changed them from default admin passwords.

So you could literally download like a Reddit, like it would be a Reddit post at this point. But like back then it was like something that would get shared in like a BBS or news group or something. And it would just be every model of wireless and network router, it's admin credentials by default. So you could literally just war drive around a neighborhood. War drive? Yeah. Connect to every house's wireless network and,

log into their router, change permissions, do whatever you wanted, and then just go to their neighbors and do the same thing. It was literally the Wild West. We've managed to make like 115 of these things, and I've never heard the term war driving. And it is literally what you're describing, the act of searching for Wi-Fi wireless networks as well as cell towers, usually from a moving vehicle. The thing that popped into my head was in Mad Max Fury Road, where they have the cars with the guys on the poles. Yeah.

That's pretty much the same thing. I bet it was. It's definitely not a bunch of teenage nerds sitting in a beat-up old car driving around with laptops on their laps. Yeah, there's a war boy shredding on the electric guitar as you try and connect to Wi-Fi networks you shouldn't have. Yeah. No, I think there was more like a Wu-Tang CD in the aftermarket CD player. That's pretty good.

I think you have heard the term "war drive." I'm pretty sure Talking Sasquatch and I talked about war driving because that's essentially what they've built now for the Flipper Zeros. It's like these massive antenna arrays with screens and they're all set up to do the MAC address cloning and de-auth-ing and all the rest of it. So it's like they're pretty much built for these things. There was a comment on that episode

because it got a bit more technical where someone said like, I understood two thirds of this and I had a really fun time. Um, and I also understood about two thirds of it. It had a really, really fun time. So that might've been what was going on there. It was also apparently in war games with, uh, with Matthew Broderick. So yeah, there's some lore here that I need to, I need to brief myself on. Oh, I might have to give you a book list for Christmas. Maybe I'll just Amazon you some old school hacking books.

I could probably just like do a little book club. That's, that's fun. A little 2025 book club. Oh, you know what we should do is we should do like a, the hacked archive. We should buy hacked.archive and set up like find all of the old zines. Cause it used to be that like the hacking subculture, like, like there was a few key zines for like, like, um, freaking and like 2600 and like used to buy these little tiny, you know, 18 page books.

you know, loose leaf paper with a staple through it. Talking zines, man. Yeah, yeah. You'd buy the chapters for like $3 because it was the only place that brought it in from wherever it was from. And we should find all of those, scan them in and like archive them because like that's, that's like history for like, you know, my subculture, I guess. So some, someone must've done it. If not, then we should get on it. So the other thing I like about this call and it maybe transitions us into the next call.

It is the holiday season episode. We want to give things back to, you know, we want to give some gifts under the tree. So, so far, our Australian listeners have a nice little present for how to get free Wi-Fi. This next one is for our Canadian listeners. Ooh.

Jordan, Scott, feel free to ask me to re-record this. I don't think I need to mask my voice, but I'll just go ahead and start telling the story. So I think when I use Canadian, see if my friend is interested in going to the wild.

Correction, we're both Canadian. We're both Canadian. And now we're going to sing the full national anthem in its entirety in three, two. There was a large grocer that had a point program. I think they still do. And you could submit online complaints of missing points. And these points would equate to $10 increments. So

Originally, and I think the most wrong thing, for lack of a better term, was you could spam the site overnight with, let's say, a script or whatever. It didn't have any image thing or whatever for a human, so it was pretty...

A captcha. He's talking about a captcha. Didn't have a captcha to make sure you weren't submitting multiple posts. So you're just spamming this thing like, I didn't get points for my brownies. I didn't get points for my rotisserie chicken I bought yesterday. I didn't get points for my Sunny D. Gimme, gimme, gimme. Sunny D? You don't drink Sunny D, do you? I am a man in my mid-30s. I would die if I drank Sunny D.

And you could wake up with, you know, $500 of value worth of points that you could spend and you could go spend them online or you could go to the store and use them. So, you know, I would go and

order something online, just to my place, wouldn't even care. So, like, socks and, you know, groceries, but you can only get so many groceries because they'll go bad. And then what you'd see in your email would be like a whole bunch of rejected ones, but every once in a while you'd get someone like Judy just, like, approve it and it would be like a $50 grab. So maybe like, oh,

out of like 50, maybe one would go, and if that one was fifty dollars, you get fifty dollars. You know, I tried various different amounts, I think. So really what you're doing is you're writing a script to submit claims, hoping that there's someone lazy enough that they've written a script to approve claims on the other side, and this slacker Judy over here is just approving these things left, right and center. I see your hustle. I respect it. Yeah.

I think it was actually 49 hundred points or whatever. That would be the max I'd ever get, but I had better luck with doing 20 or something. But just submitting requests and then eventually you submit enough requests all day, get to nine, and then you build up an account with this much. Well, that worked for a while and then eventually implemented some sort of thing where like

the human, they either put the humans on the system or automated it. So everything was rejected and a human had to take a better look at it and they couldn't just do pass. But the thing is what they changed it to was if it was under or if it was $10 and you had spent $10 on that loyalty account,

then they would automatically give it to you. No questions asked every time, 100% of the time.

And then anything over, they would send it to a human to review and it would get always rejected. Whereas before it would sometimes go through. So that's the two different kind of phases of this. And that first phase didn't last that long. I mean, that was actually better with getting an account worth $500 overnight. But then it limited to like the most you would get on one account was $10. So like, I mean, most people I think would have stopped there, but

But not me. But not me. Not this guy. Me having lots of free time on my hands.

I figured out that, you know how you can create multiple accounts? The same thing, there's no image thing to make multiple accounts, and they would also, you know, allow you to do the Gmail thing where you go plus zero one, plus zero two, plus zero three on your loyalty account name to be able to use the same Gmail account. Not that that's a huge plus, but it just makes it easier for making multiple accounts. And then

So the thing is with this, so you could normally just do the $10 and you know, you have to spend $10 on the account and then you would get $10 for free. So it'd be like 50% off. And there's little stipulations where like you couldn't put it towards tax. So like if you were buying something that had tax on it in Canada, I think it's like if it's a certain type of food, then there's no tax on it. So then you try and like find combinations of like, okay, I'm going to buy bananas. I'm going to buy whatever. And it's going to total up to like,

$10 on one cent, then you'd pay one cent. So as long as it's over $10, you would get $10 taken off, not including tax. And I think, I guess I'll tell you, so the tax could be like 50 cents in the province I was in at the time. I no longer live in Canada.

I know what province you live in based on how much tax you're paying. And so most people would stop it there, 50% off. But what you could also do then to take it a step further was you could create another account and there was a way of linking the two accounts together. So you could spend the $10 on the new account from the old account that claimed the $10 of missing points.

So you're making an account. You're probably spending 10 initial dollars. You're then getting a refund on the points for the $10 or $10 worth of points refunds. Exactly. Then you're moving those to a new account and then spending them and then making a claim and then moving it to a new account and doing this over and over, I imagine, is where we're about to get to.

It would allow you to start cycling these accounts because it bypassed the rule of you have to spend $10 of new money on an account to be able to claim $10 of free points that you could spend as $10 at the store. So it allowed you to chain these accounts together. So really he found the actual unlimited money glitch.

Yeah, it seems like a... Well, we'll get to this at the end, but I think exactly that. There was a $10 criteria for this that basically minimized the discount he was getting to just that, a 50% discount. And he found a way to chain these accounts together to get around that limit. So as long as you only want money in $10 lots, you could probably get as many as you were willing to create. An actual unlimited money glitch. For Canadian groceries. Yeah.

It's not bank fraud, but it's loyalty fraud. Then you just make another new account. You'd link it to the account that you had just claimed the $10 on, spend it on the new account. Then the new account would look like you had spent $10 on it. You'd break the connection, spend the money, spend the free $10, claim the $10 are free. So I would just do this. I wasn't working at the time. And

And I had lost a vehicle because I was... Tell me how much money you stole. I wasn't working at the time. Yeah, you were. I had a company vehicle.

vehicle or whatever. And, um, so I only had a bicycle, so I'd bicycle to these, um, these stores, and there'd be multiple places in Canada where you could spend these points. And, uh, I would just go ahead, and I made a rule where I could only, um, spend two ten dollars at a time, uh, per store every two hours, because I thought if any more than that it would just... This was a job. This man biked around a city going to

What I'm assuming is Shoppers Drug Mart at this point. I'm developing theories about which one of our many fine Canadian food monopolies he was doing this to. But yeah, this is basically a full-time job. He was spending $20 every two hours at each location. This is a job. It's so ambitious and so constrained at the same time. Be greedy or something. I don't know.

And I'm sure these people in the store that could recognize me, okay, why is this guy coming in and buying like a nightlight that's worth $10, you know, every two hours or whatever. But I would try and actually space it out. So like it was a different... So wait, he's...

Sorry, I shouldn't do that. I'm not going to say, are you buying nightlights? He's just in it for the love of the game, Scott. I'm honestly fully here for this. I think this is fantastic. I thought for sure he was going to be like, I was picking up groceries, you know, I was dropping stuff off at the food bank. No, I'm buying nightlights. Just like spending the points, playing the game. Nothing conspicuous, you know, keep it under that, that, uh, that limit.

shift of the people there. But I mean, if you're still doing it every day, I mean, at the same time, I don't think they really care because they're making, you know, a little bit over minimum wage. I mean, they don't have time to... Even if they do report it, the guy above them probably doesn't care and it just drops.

You could send the codes to people too, for them to spend the $10 and then add a little system where it would automate and break the account, make the next account. It could all be automated. I don't know if I should tell you the amount it got up to in a year, but one year it was just me personally. It was just under $10,000.

It wasn't too crazy. It was $9,960 Canadian in one year, me personally, which means I did 996 transactions in a year. That's a lot of nightlights. Just do the rules. Just for context, you should know that Canadians hate our grocery monopolies as well.

Given that Canada's population is so small, we actually are just ruled by oligarchies and monopolies.

Oligopolies is actually the word I was going for there. And we have very few choices among cell providers, internet providers, grocery stores, et cetera. And we feel that pain pretty much constantly. Yeah. So this is a real Robin Hood moment for us here north of the border. Some guy on a bicycle ripping around doing 996 transactions in a calendar year just to grift them out of a nightlight or two. I'm about this. Yeah.

which I guess isn't that much. I didn't do it the full year, but there was a period of time in the months that

where I was, like, intent, where that's all I did. Um, and I would just build up, um, ridiculous amounts of, you know, toothbrushes and stuff, because eventually you don't have anything to really buy anymore. And like one day, when, you know, I gave my dad like a bunch of toothpick, like a lifetime supply of the toothpick things. Um, and yeah, just to this day I still have buckets full of, um, just random stuff, hygiene stuff primarily now, but, um, just soap and like a

Your local homeless shelters will love to have that stuff. So if you have buckets of it and you find no use for it, please donate it because they're always calling for hygiene products at shelters. You might be able to do a little bit of wealth redistribution here if you play your cards right and just get the system auto shipping the hygiene products directly to the charitable organization. And you might be onto something here, friend.

lifetime supply of soap and Dove soap. Um, and just, yeah, it was a good, good go. And I think you could probably still do it to this day. At the end, I think what, what I stopped... Well, I moved away from Canada, but also, um, there was some interaction with, like, the... I was using a specific VPN provider, and I think they were banning, if I left the ten dollars on, like if I left the two accounts connected and I left the ten dollars on there for too long, um, they would put the accounts into, uh,

read-only mode or a collect-only mode and not a spend mode. And then I couldn't link new accounts to it. So if I left them for too long, there was a human going in there and messing with the account, and then I'd have to start like a new chain of ten dollars, and eventually it just became

too tiresome to try and do that, but it still did work. Even when I tried it a little bit ago when I went back to Canada once. And I think they were doing it through like knowing the VPN IP. I don't think they're having like hardware identification stuff, but I think it was through the IP. So, I mean, it could still work to this day. Anyway, I could rerecord this if needed. I kind of just went with it. Thanks. Love the podcast.

We will chop it up and take out some of the longer parts, but thank you for calling in. This is, we will, I think we should obfuscate a voice on this one as well. Yeah. We'll do a little something, something to it. There's somebody in an, like in a security and risk mitigation department that knows who you are. So if they listen to this podcast, they're like, that's the guy like,

You know, the movie scene where it's like the detectives are hunting something. There's somebody out there who's like, oh, man, he got away. The Night Fox, we've been calling him. We have a cork board with yarn and thumbtacks and security photos up on the wall for the last decade. I really appreciate that this caller cooked this up when they were in Canada at bike and around age five.

left Canada. And then when they came back to Canada, they like cracked it open just to see if it would work. And they're like, by gum, it still goes. That $10 limit still seems to be there. Oh man, this is, I feel, I don't know. I feel like the loyalty programs are probably, they're probably much better now that they're all like major systems. Yeah. But I bet in early days of loyalty rollouts and loyalty apps and stuff, like I bet they were rife with loyalty

security flaws, I bet. Oh, yeah. They've all basically converged to our earlier point. And this isn't a show about issues with Canadian markets, but they've all converged

basically converged around being three of these rewards programs. There's Loblaws, PC Optimum, there's Sobeys Scene Plus, and then there's Metro, uh, which is like the French Canadian one. And they're basically every grocery store you're apt to find up here in Canada is now one of these three systems. So I would guess when, you know, these were all different grocery stores, you could just game the living crap out of these things. But by now, um,

PC Optimum points is basically a small country's economy. Like it's like, it's, it's, it's a third of our food infrastructure here up in Canada. So it's probably pretty locked down now, but I, I could see there being like a little bit of a, a little bit of a gap where at a certain price point at less than $10. Sure. Auto approve it once. And then you do this daisy chain thing that this caller figured out of reconnecting these accounts. It's pretty clever. Yeah.

Well, yeah, it is very clever. Like this is to me, this is like this is the gamesmanship and the puzzle solving that makes cybersecurity speak to certain types of people. And this is definitely one of those types of people where he's just like, I figured out a system like I figured like they built something. I figured out a way to game it and I'm gaming it. And I feel the payoff of it is enough that I will fill pails full of toothpicks.

Because that is my trophy for figuring out the game. Totally. It was like, you can imagine a person who... The first stage of this plan prior to the $10 limit was... It was a law of large numbers thing. It was like, I'm going to do these big...

big claims. And the vast majority of, I think the number they said was one out of 50 of them might ever get through, but that's all you really need because you script it and run it automated overnight. And you come back the next morning and you see, Oh, one of them went through, which means to your earlier point, Scott, that there was probably some security person working for this large grocery chain who was very well aware of this, like fraudulent claims and,

And so they shifted the numbers a little bit, and then this caller didn't buckle. When that shift took place, it was like, now it's a $10 limit. It's like, okay. And now it's a $10 limit. You have to have spent $10. The game is adapting. The other side is playing. Yeah, exactly. Yeah, exactly. Their side of the chessboard is moving, and you're just like, okay, fine. I'll string the accounts together. The thing that surprises me is that they would have known...

they would have had a photo of him, you know, like they would have known like the, he went into this drug store or grocery store or whatever, because the points are spendable everywhere. Uh, even at gas stations in Canada due to the oligopoly above us. But the, um, the, they would have known they would have pulled security footage. Like if they were blocking his individual VPN IP, like they would have gone to the lengths to be like, okay, like we've,

We saw that he made a $20 nightlight purchase on Thursday, January 9th at this location. Like, let's pull the security footage and pull a photo of this person. And then they probably would have distributed that photo in the area, which was even more surprising if they didn't. So the fact that he played for so long and accumulated such a high point value on the leaderboard. Literally points.

Yeah, wild. I would have thought for sure that they would have stepped in harder and stopped it. And the fact that years later when he came back for a holiday or something or see family or whatever the point was, still worked, is wild. Yeah. I mean, he speculated, I think, correctly that the staff... I have a...

A good friend who works for a large grocery chain. And I can attest. They don't care. That guy's face could have been printed 10 feet tall with wanted above and below it.

Big dollar signs next to it. And they just couldn't give less of a shit. The other thing I like was that he pivoted towards toothpicks and toothbrushes, a lot of dental hygiene stuff, but like non-disposable products. Because I think the quote was groceries, you can only buy so many of them before they go bad. Which is like...

I remember being an age where if there was fresh food in my fridge, it was definitely going to go bad before I would have a chance to eat it. I would simply throw out that the average Canadian spends about $16,000 on groceries in a year, and his annual gains were about $9,000. So you could totally eat $9,000 worth of groceries from a grocery store, but that really wasn't the tenor of this game. Exactly.

Yeah. Yeah. I agree. I agree. The thing that made me think of a Shoppers Drug Mart, and this is just totally an aside for any Canadians listening, is when he mentioned that the points are spendable in a lot of places, right? Because I know the PC Optimum points are both grocery, drugstores, gasoline, like they're kind of accrued and spent all over the place. So that's when I thought, okay, this is probably, probably is the PC Shoppers Drug Mart programs. Yeah. You could see a Real Canadian Superstore, uh,

sells PS5s. I'll just say that. True. I'll just lob that up in the air. You can buy a Nintendo Switch at the Real Canadian Superstore or a Shopper's Drug Mart, I think, at this point. Full disclosure, I bought an Xbox Series X when they could not be found anywhere from Shopper's Drug Mart. Yeah, that's true.

That's the pro tip up here is if you're trying to get like some really hard to find electronics, there's always like three of them under a bunch of Culligan jugs of water in some of these grocery stores. It's the weirdest thing. It is. They're like the new iPhone. Yeah. I think we got a couple of them back. You're like, sure. There's a lineup around the block everywhere else, but rock on a great call. Thank you for sharing it with us. If you're ever back up in Canada again, uh,

please keep trying this and let us know if it works. You can share that call as can anyone at hotlinehack.com. We want to hear your strange tale of technology. You can call into the phone number. You can submit audio via an email. You can send it as texts. If you asked us to, we'll futz with your voice as needed. We love to hear your tales. But the only thing we love more than that, Scott, do you know what it is? I think you do. I do. I do. I think you do. It's our sponsor.

Delete me. Delete me. Scott, do you ever wonder how much of your personal data is out there on the internet for anybody to see? No, because I know it's too much. You do? I do. And one of the things, so this is an anecdote. So my mom recently got scammed. I told Jordan this. Yeah, this sucks. Somebody called it from Amazon, quote unquote Amazon. Yeah, yeah, yeah. Yeah, my mom got taken, who is one of the most...

viciously cynical when it comes to her personal security people I've ever met, which is the shocker in this. And I would bet money that they had personal information on her that made her feel more comfortable about it. And they probably ended up getting that information via the data broker hack or something like that. Cause these were true professionals. They had full blown sites and things set up to clone and obfuscate and do everything to make it seem like they were hyper legitimate. And yeah,

Yeah, it would not surprise me if they had personal information that they had either purchased or stolen from a data broking site to help with their goal. Yeah, which was to do something real shitty. I'm sorry that happened. No worries. And their goal being to use your name, your contact info, your social security number, your home address, info about your family, your

And to take that stuff and sell it on the internet for money, which is why anyone on the web can buy those private details. That can all lead to identity theft, phishing attempts, as we saw here, harassment, spam calls. And you can protect your privacy with a friend of the show and sponsor of Hotline Hacked. Delete me. You know, just given current events and stuff, you know, I'm hyper aware of safety, security, and it's easier than ever to just find information on people online. And that's something that I think needs to go down and away more.

So all this data is just hanging out, but it has real world impacts and real world consequences to people as we've now seen in the story that I told. So that's why I recommend you use DeleteMe. Join deleteme.com slash hacked, code word hacked at checkout. It's a subscription service that removes your personal information from hundreds of these data brokers.

They send you regular personalized privacy reports showing what info they found, where they found it, what they got removed. So it's not just a one-time service that you run once and walk away from. It's kind of constantly a service that's running in the background. So I recommend it. You sign up, you provide them with exactly what information you want taken down. Their experts take it from there.

If you're interested in something like this, take control of your data. Keep your private life private. Sign up for Delete.me. It's a special discount for listeners of Hotline Hacked. You can get 20% off your Delete.me plan when you go to joindeleteme.com slash hacked and use promo code hacked at checkout. The only way to get 20% off is to go to joindeleteme.com slash hacked and enter code word hacked at checkout. Scott, one more time for the people. That's joindeleteme.com slash hacked, code hacked,

Sponsor of Hotline Hacked. Appreciate them.

So the statute of limitations has expired so I can speak freely. My name is Jeremy. I'm from Atlanta. What a great way to start a story. Exceptional way to start a story. I think in any setting too. The statute of limitations is over. I have no fears of being charged for this and I'm happy to tell this story. You could start a TED talk that way. You could start a wedding speech that way. It is a very provocative way to start a story. I...

I love the theory that you could start a wedding speech that way. That's a wedding speech I want to hear. That would be an amazing wedding speech. If somebody steps up to the mic and uses that as the opener to a wedding speech, everybody would lean in. Now that the statute of limitations is over. Now that the toast to the groom, you know, the statute of limitations is over, the hall would go silent. Yeah, the groom just starts shaking his head quietly.

I'm going to bank that one. And listeners of Hotline Hacked, you just gave them like amazing advice for any speeches they have to do in the future. Especially if it doesn't get resolved by the end of the talk. Like if it's just a nice story about how the bride and groom met, but you start it with now that the statute of limitations has expired. That's good. Back in 2015, I was

Running around with the underbelly a little bit, using a lot of methamphetamines, running with a scammy crowd, I got the idea to download a bunch of background check apps and see if I – I was looking to see if I had a warrant, trying to find out if –

I needed to be worried. So I downloaded all the usual, BeenVerified, TruthFinder, etc. And I found one on the Android App Store called People Spy. The APK is still visible. However, the app hasn't worked since about 2018. So I download the app. And of course, the first thing you do is do a background check on yourself. And I did it and it was a little buggy. It kind of went in and out. And

looked up some other people and didn't really think anything about it. One day I was looking around in the file directory of my Android device and in the slash folder I see a random text file that's called peoplespy.txt. So I open it and this was all the metadata

The app collects previous criminal history, address history, telephone number history, acquaintances, and then there was a section that said relatives. And I look, and I see my mother's name, and next to it is her social security number. This is a number that I know and could verify, so I looked my mom up. I found me as a relative, and there was my social security number exposed in plain text just in a metadata dump file from one of these background check apps.

At that point, I realized that I had open access to everybody's social security number pretty much ever as long as they had a somewhat unique name. Findable, easy, 100% of the time.

Once I got sober and got my life together, I contacted the company that was the owner of it, just kind of making a moral disclosure, hey, your app was doing this. You may want to check the servers and make sure this doesn't happen again. They denied it, completely ignored me, and I've left it alone since. Thanks a lot. Again, the app was called PeopleSpy. I guess first and foremost, kudos for...

For getting sober. Congratulations, caller.

And then for having the wherewithal after all of that was said and done to contact this app and let them know that there is a glaring security compromise in their shit. I feel, I feel like hotline hacked is three quarters entertainment, one quarter moral growth. Like a lot of these stories, a lot of these stories are like, yeah, I did these things and it wasn't great. Like this one wasn't obviously cyber like crime related, but yeah,

Um, there, it seems like every, every episode we have a story that has some moral growth. So yes, kudos to you for getting sober and, uh, getting your life on the rails. So kudos. peoplespy.com. I, I dug this up after looking at this call. It doesn't currently seem to still exist. It's redirecting. I'm not sure if it's a new product or they sold the, um,

They sold the email to someone else, but it redirects to emailtracer.com. You can't find press releases about this and it does get into sponsor the show. And then something we've just talked about, especially during the national public data breach that happened this year, they got a lot of people talking about these data brokers is that the existence of these services that will sell you information gathered from a bunch of different sources indiscriminately is

is tricky because, you know, there's really no protection for what someone does with it afterwards, including building an app that stores information in plain text on the device locally that it probably shouldn't be. Which sounds like, according to this caller, is what occurred here. I feel like no matter how bad we mess up an ad read, that is a better advertisement for delete me than anything we could have said.

It's just like getting your information out of these data brokers, because I guarantee these apps are powered by it. They're buying wholesale lots of data, personal information about people, which is how the app exists. So it's, yeah. Yeah. I have not a lot to say besides this is not surprising and...

there are ways to combat it. Yeah. It seems like lazy, something lazy occurred here. If this is how this went down, this is some sloppy, sloppy development that took place, I guess is what I'm trying to say. Yeah. But to me, to me, it's not even just that, like it is, it is sloppy in the sense that they've essentially given, like they clearly bought this information. Yeah. Right. Like they have the, the personal information, the SINs, all the rest of this jazz, or the socials, um, showing the Canadian in me there, the, um,

They have these from data sets that they purchased. And it's like the fact that they're exposing it is like, if anything, it's them not charging enough for access for it. You know, like it's like you can still buy this information. It's just that like they shouldn't be giving it away for free. And I'm saying that in like a cynical way, but it's like.

Like that's not a feature of PeopleSpy. And it's like, but they still have that information. Some other random person still bought it. So it's not like it's super confidential. I think that's the thing that I want to understand more about this. And I'm waiting for a story to function as an excuse to dig into it more is the legality of some of this stuff.

Like if you can't confirm the provenance of a social insurance number that is inside of the database of a product that you are selling to other people, how's that legal? There should be some kind of law that that's bumping up against. I'm not sure exactly which one, but I'm surprised that's a totally fair and legal thing to do. Yeah. I know in Canada we have a higher bar of rigorous protection for personal information laws.

I'm not sure about other countries. I'm not like an IP lawyer or like a whatever lawyer would deal with this. Maybe this is an interview we should try and put together in the new year. And if you happen to know someone in your life that might be this kind of expert, I'd like to hunt someone down that can explain to me the like...

way the court system in the states regards these kinds of incidents where it's like you have a private company and some of these companies are not large companies it's like a dude spins it up and they go buy a bunch of data from a bunch of sketchy sources and then resell it in a vaguely slick legal looking package i'm like i just want to understand that from a legal perspective

Here's the thing. So I've reached out to two of those people in the last year. One specifically to talk about the Canadian Online Protections Act and that pile of thing. And I actually reached out to the EFF, old supporter of the show, Electronic Frontier Foundation, because if anybody is going to know the answers to that stuff in the States, it will be somebody that works there that's a lawyer. We'll try and get them on in 2025. So if you work at the EFF or the Canadian Civil Liberties Association, please reach out, get at hackpodcast.com.

Take it across the finish line. Should we take a little break to the Ad Oasis? Oh, man. It's cold this time of year. It's wet. It's snowy. I could chill on a beach for a minute or two. Let's do it. Let's get over there. Let's go. What's up, guys? My name is J-Pod. I wanted to share kind of a fun story from my high school days in the late 90s.

Uh, it's kind of like a little early slice of hacking. Not really hacking, just a kid being a kid with maybe too much access and not enough oversight. Hell yeah, brother. Yeah, hell yeah. What we do here. I went to a magnet school. Anyways, we got computers earlier than most schools, which was kind of a big deal back then, and I've grown up around tech, like my older brothers, they're really into it. Uh, I remember we had like a

Commodore 64 and my brothers got all kinds of PCs growing up. I really wasn't into it, but I was just like exposed to it early on. So anyways, fast forward to high school. One of the first programs they introduced to us was something called EBS program or electronic book system. And basically in our class, we had to read books and then every week we took a quiz and

And there's like a DOS-based program or something like that. But anyways, each week we were required to complete a quiz as part of our grade. This computer basically managed the tests for the teacher. The problem was no one at the school had any real training or knew how to use it, especially our teacher. So every week she like kind of struggled to log in and set up the quizzes and get the class organized.

So naturally, it's kind of straightforward to me. So I kind of, I guess, was a tech-savvy kid at the time, so I volunteered to help. Just a classic social engineering and the teacher's pet thing going on here, I think. Why, Mrs. Tomlinson, I know how the computer works. And without any hesitation, my teacher just handed me her credentials and let me do everything.

And here's the thing, her login credentials weren't just limited to the EBS program. I quickly realized that they gave me full unrestricted access to the school's entire computer network. And not just from the school network. I was able to remotely log in. There are no firewalls, no multi-factor authentication, no real oversight, just basically a login name and a password.

So at first I didn't really think much of it. I was kind of focused on getting the EBS work for the class, you know, try to help everyone out, make the teacher's life a little easier. But then curiosity kind of got the best of me and I started poking around in the software and discovered something that's kind of hilarious in retrospect. All the data, the questions, the answers were kind of

basically stored in unencrypted text files right on the machine. Literally no encryption, no file permissions, nothing. It was like they assumed no one would ever look into it. So being a teenager and not wanting to spend my evenings reading books, I downloaded the EBS software on my home computer. And with a simple text editor, I had access to all the answers for every quiz in the program.

Bad decision.

Bad decision. I feel like every one of these stories begins with like, I figured it out. I could cruise my way to college. And then it's like, but then I wanted to help my friends out. And then we got busted. And then we got thrown out of school. Yeah, there are no secrets that time does not reveal. The more people you let in on something, the quicker it's going to get.

It's going to get found out. They gave me the name of the book they were supposed to read that week, and I just handed them the answers. I printed it up on my mom's printer, brought them to school. No one thought anything of it. So we aced every quiz for the rest of the year, and to this day, I don't think the teachers ever figured out what was happening. They just stopped.

Prove me wrong. Yeah. Hey, sometimes crime pays. You must have been hanging out with the smart kids because I feel like the, if a teacher sees a student go from a 60% average to a hundred percent on every test, it would be like a shocker. But if there were already like eight kids and then they just kept getting A's, it's like, eh.

I wonder... Finish the call. I have a theory. Okay. They thought the software was working and we were all doing really good. But I probably gave every kid in my class a printout at least once a week, you know? So this caller is...

like not accidentally. And we have a five, I think is a five minute limit. It shouldn't be a five. No, I don't think there is, or maybe there is. Yeah. We don't seem to have a second call. Got disconnected at five minutes. So we don't have the rest of his story. Um,

So we'll just tease it that apparently he got access to the overall network and into some of the grade data and other pieces of information that he probably shouldn't have. We don't know the rest of the story. So if you want to call in and finish this, this can be a cliffhanger ending. For the year. Oh, I love it. For the year. Like an old network drama. So here's my theory. Okay, let's hear it. And this kind of gets back to what you said of the conspicuousness of like, wow, this kid starts getting...

90s and 100s on all these quizzes. Oh, shit. All of this kid's friends have started really acing all of the quizzes too. You know, a teacher, you don't have to be tech literate to be shrewd and smart and observant. So I'm wondering, here's what I'm thinking has maybe occurred here. I'm a teacher.

I'm not the most tech savvy teacher maybe ever. It's early days computers. I don't need to be. I give a student some login credentials to get their help figuring out how a thing works. They're good at computers. Maybe they can help me figure it out. It's a learning opportunity for the kid. That kid started getting 100% on every quiz and the quizzes are stored on the computer and all of their friends are getting 100%. So I have two choices.

I can either untangle this massive security breach that I have engineered by giving the login credentials to a teenager, or I can consider the fact that the school year is pretty short. And next year, this kid's going to be someone else's problem. And so maybe they just get 100% on like ninth grade algebra or book reports or whatever the heck it was. It's English class in junior or high school. It's like, you know what? You got the A. Yeah.

get the heck out of my hair. And now I've learned a valuable lesson. Do not share logon credentials with the students. That's my theory. I think if that was the theory, the teacher would maybe request to have their credentials changed mid season. Once she, once they realize what's going on. So here's my theories. One,

Smart kid, obviously, maybe surrounded by other smart kids. They were already getting 90s and 100s. Sure. Now they just don't have to work for them. They just literally get them. And it sounds like maybe in the future they just get them by editing the grades. But we don't know. Cliffhanger. Cliffhanger. So that's my theory one. Theory two is that...

What was the previous caller's reference for the lazy employee, Judy? Yeah, I think it was Judy. Judith, Judy. Maybe this is a Judy. Maybe the teacher was a Judy and was just like, eh. I didn't even look at the grades. The computer's auto-checking them. She doesn't even need to review them. She's like, I've got an artificial intelligence now. I'm in auto-drive. The computer and this kid coordinate my class and all of the testing now, and I don't even need to look at it.

I'm going to be like, I guess this was probably before you'd be staring at your phone, but maybe they were reading like Martha Stewart magazine, classic Judy move.

classic Judy move. Yeah. Judy might just not give a shit. Yeah. That's always, and that's, that almost, that theory almost loops back around to my original theory, which is that the teacher cared less about untangling this than they did about catching the kid. And it's just like, the thing I know about Judy is Judy doesn't give a fuck. And she just like, let it ride as she had done in her previous job, working in the, a customer support department of a large Canadian grocer. Yeah.

She didn't give a shit there. She approved all of those claims and she doesn't give a shit now. If that kid gets 10 out of 10 on every quiz. Yeah. Good theory. Good theory. And a cliffhanger ending. Hopefully they call back in with the rest of the story. Please do so. If you hear this Jordan, I think was their name, not just your name. Also your name. Not just my name. It's my name too. And it could be yours. No, it can't, but you could get your call on hotlinehack.com. If you, if you, if you want, um,

You can't have my name, but you can do that. Share your strange tale of tech. I think true hack. Is this the last episode of the year?

I think it might be. I think we got a rerun coming up. Early January. On like New Year's Day kind of thing. I think we'll drop a hacked classic for everyone to enjoy. But I think in terms of original content, this is a wrap on 2024. Yeah. Thanks for being here with us, everybody. Thanks a lot. Definitely thanks to all the participants in Hotline Hacked taking time out of your life to be a part of the show. We really appreciate that. We know it's...

It's not just asking for you to listen, but it's also asking for you to contribute as part of the show. And big thank you to all of you. It's true. Thanks to all our sponsors. Thanks to everyone that shared a story.

And thank you for listening. Yeah. I really enjoy making this bad boy. We got a lot of really fun schemes hatched for 2025. So we, we hope you'll stick around and thanks for that. Thanks for the Discord gang. Thanks to the patrons. Thanks to the people that reach out. I don't know if you saw it, but Patrick Bjornfoot, I hope I'm, I'm probably massacring that, but it looks like Bjornfoot to me. Um,

Is part of the sinus infection gang. And he sent me a recommendation for what looks like a World War II, like, mass-produced...

Gas mask, like an emergency gas mask, but apparently these things are very common in cross-country skiing. So, so instead of your face freezing up and having cold dry air constantly burning your sinuses and your lungs, you put these masks on and they re-moisturize the air with the moisture from your breath and

which kind of makes sense. A little bit of a strong look for me just to wear out and about on the random Wednesday getting groceries. I don't know about that. I think you could. I think you'd bring an intense post-apocalyptic energy that we could all enjoy right now. Thank you for your email. Same to Tobias, emailing in with some fun game references from last call. We really appreciate it. If you just want to send us a message, not for Hotline, get at hackedpodcast.com.

is a great way to get a hold of us. Submit a story. Also a great way to get a hold of us. We're here. We're around. We are. We try to be. Try to be. We try. And yeah, hit us up on the socials. Hack podcast on most things. I don't think we're very active on really any of them. People do tweet at us and we do get back to them.

I recently put a ChatGPT prompt on there to generate a Python script to download all of the episodes of our podcast as MP3s. Somebody asked how to do it. And I was like, just ask ChatGPT and it will do it for you. Um, I think that's it. I think that's it. To everyone who listened, thank you so much. Happy New Year's. We'll catch you in the next one. Ciao.

Bye.