We're sunsetting PodQuest on 2025-07-28. Thank you for your support!
Export Podcast Subscriptions
cover of episode The 4chan Hack

The 4chan Hack

2025/5/2
logo of podcast Hacked

Hacked
Transcript

Shownotes Transcript

Today we have the story of a schism. I'm going to guess that most people listening to this show are familiar with 4chan, if not in practice, then in premise. But in case you're not, 4chan is an image board. It's organized into topic-based boards. You have 100% seen screenshots of the iconic 4chan green text stories.

4chan was an incubator for iconic memes, Rickrolling, lolcats, Pepe the Frog, Pet-a-Bear. It was central to Gamergate and QAnon, while there are boards for innocuous things, tech, anime. There were also image boards celebrating all manner of not-so-innocuous things. 4chan is one of the bases of the DNA of modern internet culture, and it got hacked, allegedly because of a schism.

Love me a schism. Interesting concept. Good word. Back in November 2021, a meta board dedicated to discussions about 4chan's moderation called QA, short for questions and answers, goes down. It had been removed by moderators, quote, because it sucked. And at that moment, an exodus occurred to a place called Soy Jack Party.

I will regrettably explain all of this in due time. I was going to say, are you going to say the like a short name for Soy Jack Party? The Shardy? We'll get there. Yeah. They, they like to call themselves the Shardy and it sure did seem like a

One hell of a shardy. The point is that a rivalry had emerged between the moderators of 4chan and the people who thought that 4chan had become too buttoned down in corporate in light of a sale that had occurred. A schism between SoyJackParty and 4chan. And this past month, 4chan took a pretty big blow in that fight. On April 14th, 2025, there was a breach, allegedly carried out by users from SoyJackParty, that took 4chan offline.

And importantly for 4chan, a famously anonymized platform, the hack to some extent de-anonymized a subset of the users. Internal systems were compromised, source code was leaked, moderator identities were exposed. Now all of last week we got a string of articles and headlines, I would say prematurely noting the death of 4chan. And then a night or two ago at time of recording, a portion of the site, boom, comes back online.

with an explanation from the mods there as to their side of the story of the hack, why it went down, and how they say it worked. So to start, amongst a couple other stories, we're going to walk through what happened, the hack itself, and what it means when the myth of online anonymity collapses inside one of its most infamous communities. Here. ♪

Ba-ba-dee-bop-bop-boom. Jazzy remix of the theme song. Cha-cha-cha-cha. How you doing, Jordan? I'm doing good, man. How are you? I'm doing pretty good. I'm starting to get healthy. Mmm. Which, which...

I don't know why it's taking so long. It's really annoying me. I'm not actually, I don't feel bad. Like I went skiing this weekend, got some spring skiing in. Heck yeah. But I still have this like throat thing, which I can't tell whether it inspired one of the comments on the recent episode about us sounding tired, whether it was

It's just me being sick or whether we were actually just tired. Could be one of the two. It could just be the general tiredness in my soul. So I've caffeinated pretty thoroughly to try and offset that today. I'm wired, Scott. I've actually been largely kicking the caffeine addiction. I've tuned my coffee intake from like two to three times a day down to like two to three times a week. Whoa, you're skipping. We have another mutual friend who's doing that too. And he described it as being quite harrowing when he did it.

So I'm curious to talk about your experience about that. Yeah, yeah. It hasn't been bad. Can't complain about it. Good. So it's been an interesting couple of weeks since we last had sort of a chatty chat episode. This chatty chat episode, of course, brought to you by Push Security. One of the big stories was the 4chan leak, which I think we should maybe start with. Yeah, I'm happy to start with it. Where do we want to start? I think maybe for anyone that doesn't know, because I...

I feel like a couple years ago, the world learned about 4chan through a couple of pretty gnarly news stories of different things that had been sort of fermented there. And we all got a little bit of a primer back then, but maybe we start at the beginning with the history of the platform, just so the people know. Yeah, well, the 4chan went live in 2003.

But it was based off of a Japanese website, 2chan. I won't do the disservice to the Japanese listeners to try and pronounce its Japanese name. Yeah, there was a couple of different, these sort of image boards. If you're familiar with Reddit, you have the basic idea. It's not quite the same, but there's some overlap. It's a forum. It was founded, as you said, in 2003 by a 15-year-old guy named Christopher Poole, known on the platform as Moot.

It was inspired by 2chan, 2channel. It was anonymous by default. You could use it without usernames, account systems. It was just posts and image. It was sort of very intentionally anonymous. It was organized into different topics. There was slash A for anime, slash B for random, slash Paul for politics, G for technology. And it was an incubator for memes in internet culture. Totally. I think the biggest...

Like whenever I hear the word 4chan, my brain immediately links QAnon. Like I feel like that is the tip of the spear for 4chan. It's like if anybody knows of 4chan, it's probably QAnon because I feel like that was the biggest, most media intensive storyline to come out of 4chan or at least one of them. Totally.

QAnon was, I would say, the sort of impetus for that first big media cycle that we were talking about when a lot of people learned what this was. It's also kind of considered by some to be a birthplace of like a certain modern incarnation of anonymous. The slash B board for like the random board in the mid 2000s, like people started. It was almost like a shared joke because everyone was anonymous.

And then a campaign, we won't dig into this too much, in 2008 called Project Chanology that was a protest against the Church of Scientology. It was spurred there and sort of a version of the modern Anonymous was born there as well. So you got QAnon, you got Anonymous, and you've also just got like a decade plus of internet culture. You've got Rick Rowling and LOLcats and Pepe and Petabare and Green Tech Stories. You've got all that stuff birthed out of 4chan.

So for as kind of gnarly and dark as the platform could be, it was undeniably influential on the internet. And I want to be careful not to past tense it either because a big part of this story is sort of the false reports of the death of 4chan, which at time of recording is still online. Yeah. The thing for me is like, if you spend any time on any other social media platforms, chances are you consume a pile of 4chan content without knowing it. Totally. Yeah. Yeah.

There's the content and the culture that came out of it. And there have been often when it makes it into media and with good reason, it's because of some things that have happened there, perhaps due to moderation policies without getting into hate speech, gore, extremist manifestos that have popped up on slash Paul and slash B.

very widely reported links to real world violence. 4chan played a role in the Christchurch shootings, the Buffalo mass shootings. It's been repeatedly and I think validly criticized for its moderation policies being insufficient in some regards. Yeah, it is 4chan. It's 4chan. You know what it is. So a big thing to note here in the history of all of this, especially from skimming around on the site, there's a before and after for a lot of the users.

which is that the original founder, Moot, who founded and ran the platform until 2015 when he sold it to Haruki Nishimura, the founder of 2Channel, one of the original Japanese boards that inspired it. So that, for a lot of people, is a before and after in the history of the platform, and it's pretty important for what's to come. Bringing us to SlashQA.

SlashQA is a questions and answers board for site meta discussions and talking about policies on the platform. It over time became a hub for SoyJack memes and Wojack edits, which you've definitely seen. They're memes that sort of parody different internet archetypes of users. It also, very importantly for this story, fostered a subculture that was quite critical to 4chan's moderation team. Yeah, any moderation was unacceptable. Yes, yes.

Your criticism of the moderation is different than this group's criticism of the moderation. For sure it is. It for sure is. So Slash QA was shut down in November 2021 with little explanation. A moderator, the commenter, dismissed it in saying that it was closed, quote, as I said earlier, because it sucked. And that shutdown sparked this like diaspora who migrated over to this new thing, Soy Jack Party.

The original founder of 4chan moot plus soy jack equals suit. Suit? Suit. Suit? Created in 2021 by a user known as Soot, which I'm just going to start saying because it's the only way I know how to say those letters. And it started as like a fragment hub for soy jack memes, these internet persona parodying little caricatures. And after QA's closure, it becomes a refuge for that community. Okay.

Self-described, as you said in the introduction, as the shardy. The shardy. It was from day one hostile towards 4chan structure and moderation, which they viewed as corporate and stagnant. And by 2025, when this really all pops off, it had evolved into a full-fledged counter platform and like antagonist to 4chan. Trolling on 4chan was like the beating heart of the culture of Soy Jack Party.

So they had, they were rivals. Yeah. Nemesis. Nemesis. Post schism nemesis. Post schism nemesis. April 14th, 2025, a major outage begins and slash QA, that board that had been taken down, mysteriously reappears defaced with all caps, you got hacked XD. There were some initial signs of a backend breach. The next day, soyjack.party user starts claiming responsibility under what they're calling Operation Soyclips.

So in that April 15th post, there were some initial signs of what the full scope of the leak was going to be. You got admin dashboards, moderator lists, emails of staff, a little bit of the source code for 4chan. The next couple days that follow, 4chan is intermittently offline but trending towards fully offline. Reuters starts to report on this that hackers may have had back-end access for up to a year at this point.

And a week after that, 4chan is still largely offline and there'd been no official statement from Nishimura. Everyone starts to go, okay, this is a catastrophic failure. Catastrophic. In a world of privacy being hacked, in a world that prides itself on anonymity...

Getting all your data breached and hacked is probably the worst possible thing that could happen. And a platform that prided itself not just on anonymity, but on the types of speech that that anonymity taken to its conclusion could proffer. I think that's really, really important here is that this didn't happen to Reddit itself.

This didn't happen to any number of different platforms that have, I would say, moderation policies that are a little closer to the middle of the bell curve. This happened to a place where that anonymity is... I don't know if I'd say that Reddit is close to the middle of the bell curve. I think we can argue about that one. I would say that... I don't know if we could argue about that it's closer to the middle of the bell curve than 4chan is. That's true. That's true. Yeah. It's all relative. I wouldn't say it's in the middle of the bell curve, but it is much closer than 4chan for sure. That's, I think, a valid distinction.

So let's dig into the hack itself. Like what happened here? There's the technical details as we know them today. And then I think there's the overarching story of how this happened. But to dig into the details. My sense of this is that this all came down to a bogus PDF upload. Someone was able to upload something they shouldn't and it basically wrenched this thing apart on the grounds of some out-of-date infrastructure. Is that generally accurate? So it seems like...

Well, they actually posted on Reddit a lot about what they did and how the hack went. So they released a lot of the attack vector data. But what it seems like is that 4chan really wasn't that great at keeping their stuff up to date. They were running old, old versions of PHP, very traditional 2003 website build, like probably LampStack, Linux, Apache, MySQL, PHP.

Classic for 2003, totally outdated these days. They weren't updating a lot of their libraries and dependencies. And what it came down to is that they were allowing PDF uploads in certain, I don't know what you call them. I'm not a 4chan user. I would call them like subreddits, but like whatever the like channels are. Boards. I think you call them boards. Thank you.

Some of the boards didn't, would allow PDF uploads. And what it would do is it would then run it through something called GoScript, which would then turn the PDF into a thumbnail to present a thumbnail to the users. Oh, interesting.

But what they weren't doing is checking to see if it was a real PDF that you were uploading. So what they ended up managing to do was exploit a pretty well-known CVE, CVE-2023-36664. That's right. There is three sixes in the middle of it. But essentially what they allowed them to do was upload PostScript files, which are similar to PDFs.

but then GoScript would actually execute malicious code embedded in the postscript. So should have been something that was patched, very well known vulnerability. The version of GoScript was very old.

Like just poor server maintenance and poor, I don't know, system administration led to a bunch of vulnerabilities that were eventually executed to give them admin access and control over the server. - Potentially for up to a year in advance of this hack, there was some reporting to that effect. - Yeah, yeah. So they managed, it seems like they managed to change their user account IDs up, escalate them to administrators.

And then from there, they branched out, went deeper into the system and into the server itself. So pretty, I would say, like pretty avoidable hack. Yeah. I'm seeing FreeBSD, which is like an operating system that they were using on their servers that had been like unsupported since 2016. I was a FreeBSD guy. Yeah. I used to run FreeBSD exclusively until about, I don't know, 2007.

2006. That's before 2016, I'll note. Yes, yes. So really when Mac OS X came out, and this is actually something, a digression, is like being in the Linux environment world again. Every day I wonder why. I can understand a love of Linux and a love of Unix. That's where I came from. But it's like everything is just way harder. Why do you put yourself through the pain of it?

of using Linux when Mac OS exists and it's based on a BSD kernel and it has full Unix inside of it. It's like everything just works better. So I just, anyway, that's a digression aside, but, but the, yeah, so FreeBSD was very secure for its day. FreeBSD, NetBSD, both very secure operating systems.

Great operating systems use it extensively. But again, a little long in the tooth at this point, a little long in the tooth. These are people that clearly were not prioritizing basic IT requirements for being secure. And they offer a little bit of an explanation as to why that is, which I think we'll get to. It seems to come down to capacity and available resources, we'll say.

So the hack goes down and immediately, so the two big outcomes here are 4chan goes down and a bunch of internal information from the backend of 4chan gets leaked publicly. We had, as I said earlier, a bunch of staff identities, admins, mods, emails,

some connections linking pseudonyms to real names, including their email addresses, peppered amongst which we find .gov and .edu addresses, which I found fascinating. Very fascinating. Yeah. We got a little bit of user data, some IP logs tied to deleted posts, and some... It doesn't look like there's any payment data exposure, but 4chan had a... There was a 4chan pass subscriber emails that seemed to be in the leak.

source code for the website, as well as internal moderation notes, which confirmed some long-held public suspicions regarding tolerance of all manner of stuff that if you spent five minutes on 4chan, you knew they tolerated. So...

The previous dates in our timeline had taken us up to April 17th or so. The story boots back up on April 25th. 4chan posts this defiant message on X saying, like, the premature announcements of our death were just that. There was a bunch of coverage in major platforms talking about 4chan in the past tense, basically saying this is done. They've been taken down forever. And here was this tweet saying, nope, we're back.

April 27th, two days later, an official 4chan blog confirms the catastrophic breach, talks about the hacker, explains the bogus PDF upload thing that we spoke to earlier, connects it potentially to a UK IP address. And I think the big point here is they say that it was years of being, quote, starved of money and a lack of skilled man hours that had left the infrastructure vulnerable. Which brings us to now.

There's a new server that's replaced the compromised one. The site is in parts back up online, but with limited capacity. PDF uploads are, I would say, wisely disabled. Flash animation boards have been left offline, I think permanently, it sounds like. And as of last reports, posting images, thumbnails, there are still issues on the site, though it is back online.

I think this is just a fascinating one on the grounds not just of like the hack itself is interesting, but I think it's interesting to see what happens when a platform that is really built around the concept of anonymity

and discussion under the veil of anonymity gets de-anonymized. I think it's going to be fascinating to see what happens to 4chan moving forward now that that anonymity has been tested. And now also I think that its role as like a counterculture hub has been in a way usurped. Part of the draw of 4chan was that it was the

one of the edgiest places on the open web. And now there's an even edgier antagonist that has done this big public thing. And I think that that's going to have an effect on the relationship between these two different sites and which one draws people to it that are interested in that kind of thing. Yeah, it's like a sociological experiment more than it is anything else. Totally. For me, something like 4chan is always going to exist. 100%.

It's really fascinating to me that it's like, this could be the demarcation point for a new generation. And whether that's the Shardy, whether it's something else comes alive, especially given... It's just so funny to be speaking so seriously. Whether it's the Shardy or another unknown planet, it's just, you remember what you're talking about. But also you could take, you and I could kick up YouTube Live right now

and build with AI a version of 4chan before the end of the day.

yeah and it's and it's like so the the empowerment that ai code development is has enabled into communities that look for solutions like this it's going to be fascinating to watch you know we talk about fragmentation like one of the major barriers to entry for like having a platform for our community used to be like building a platform was big and hard and expensive and now it's

Now it's not. This is a story about a person spite founding a platform that's now quite prominent. And it's like, oh, there's a shift that's been taking place and it's been accelerated as of late. So who fragments off of Soy Jack Party when someone that founded it decides that they have some line that they don't want crossed? And how many times does this just repeat over and over and over again? Yeah, it's just going to become a critical mass exercise of like, it's like...

You can have AI build a Twitter X clone in like two hours, but it's the critical mass of the user base that makes the platform viable. So that's going to be the, that's the thing, you know, you're seeing that with blue sky, blue sky, finally after years of nothing, you know, one election and boom, all of a sudden blue sky is relevant. It's going to be a fascinating thing. Like I just seeing how people promote drive traffic to and develop communities and

The technical barrier to entry is going to largely, like it's already mostly gone and it's going to keep reducing as these tools get better. And as the processes for interacting with them get better to watch what's going to happen to the internet, because it's so easy to build something these days. If you kind of know what you're doing, it might not be the best version of it. Like that's the other thing is like, I look at this and I'm like, oh yeah, you were running a website from 2003, right?

running like PHP 5.5 or something. And it's like, you could have just literally taken the source code for it, given it to Google Gemini 2.5 Pro and been like, rewrite this as like React TypeScript. And it would be like, boom, here you go. Oh, that's probably happening behind the scenes now. Yeah. It's like the bone that has to be broken in order for someone to come along and reset it properly. Yeah.

And is the technical debt of having been a website founded in 2003, iterated on and iterated on and sort of hacked together become a really, really big disadvantage in this kind of a world where we can, it's like, okay, I want to create a 2chan imitation. I can do it in two hours and it can be up to date, relatively speaking, as compared to something that was created over 20 years ago, basically at this point. Totally. Yeah. It's...

there's like an acceleration and when schisms like this happen it makes it all the easier for the uh the the new combatant that's entered the fray to spin something up well i will like as to just as a knock-on to the fact that there's going to be so many ai developed websites out there yeah if if like and i'm going to use you as an example in this but you're not right but like if jordan spins up some community for some website or some software as a service application

no coding it, like just vibe codes the whole thing. Are you going to be equipped to maintain it? No, absolutely not. And that's exactly like the next question I had is in the same way that it's, I'm curious at what point some cohort of people over on 4chan decided

turn it back around and grab as much information as they possibly can about Soy Jack Party and how it's built and feed this in the exact same stuff into one of these systems and try and find the vulnerability that they can go after there. And it's just accelerated creation and destruction. Well, the, like there's some, there's some pins and strings on a, on a cork board here, but like,

If the founder was British, the founder built the initial site, would know the technical layout of the site, would know the library dependencies, would know all of the stuff. The hacker's IP address was British. I'm not saying anything.

But it's like, who would be better equipped to hack a system than the person that designed, architected, and constructed it? They're going to know every pinpoint vulnerability in it. So I'm not making any claims or any alleges there. I'm just saying...

In a general sense, the easiest way to hack something would be to have built it because you're going to intricately know all the details of it. Are you saying Christopher Poole is British? Moot? Wasn't that part of the story? Christopher Poole, online known as Moot, was born in New York. And I think that the evidence was not evidence. There was an allegation on the 4chan response to the hack saying that they connected it to a UK IP address.

But I think he might be American. So I'm totally wrong. See here, I thought Poole was British. I thought I read that in something that he had founded in Britain. Maybe he lived in Britain when he founded it. And he made a powerful nemesis that years later took down the platform after he'd sold it to someone for presumably a bunch of money. I am curious how much he sold 4chan for in 2015. It's not revealed. I looked. I tried to find it. Good. Asking the right questions. Yeah, yeah.

Because it just makes you wonder what something like that is worth because it is so, like, I think they're ranked 359th globally, get over, well over 100 million visits a month. Yeah, it's a major platform on the internet. It's not a fang company, but it's a big deal. And an outsized cultural influence, I would say. Yeah, yeah, totally. Yeah.

I was having a conversation with someone about this and we should move on, but we were talking about like the concept of black box systems where the inputs and outputs, you can see what they are, but there isn't really any knowledge about what's happening inside of it. You have instincts and ideas based on what you've built, but there's an opaqueness to it. Hence the term black box.

And it feels like an increasing amount of software that shouldn't be black box software is going to effectively become where you're going to have people creating things and implementing them at scale where there isn't really anyone inside that organization that can explain to you exactly how it works. They have insights and they know how to ask an AI how it works.

But there isn't really like an architect of the whole thing. They can look at it and just explain it all to you nicely and importantly, fix problems when they emerge. It's going to be a tricky little time for a while here. Yeah, security through obscurity, like a classic, you know, Microsoft started with it way back when the open source community fought against it. But yeah, it's like a storyline in software as long as the day. The one thing I will say is that AI is not bad at fixing logic problems in code. Yeah.

I think that now that we're seeing so many, and this is probably a good transition, but like talking about places like Duolingo going AI first and a lot of these companies kind of pivoting to be an AI first company rather than, you know, enhanced by AI. Software engineers and people working there enhanced by AI, but they're actually putting AI at the top of their decision-making trees and the top of their system design trees and

and things like that. It's like, we're seeing this trend kick off. And actually, again, before we jumped on the call, we were talking about like, has anybody defined a hierarchy for like AI inclusion into an organization? Like if AI first is the top of the, I guess it's probably just an AI organization, which would be the top of the pyramid, which is like a company of agents that just does stuff. And there's no humans involved, no human in the loop.

On the very far end of that.

A mutual buddy of ours sent me this research paper called AI 2027, and it maps out a couple of different historical trajectories for how it could work. And it was done by some people that had some good guesstimations in the past of things. This is all just speculation.

But the thing that it outlined at the end of the document was the emergence of a thing called, so a special economic zone is a real world thing. Totally. There's different shades of them and they come in wildly different scales. Like Shanghai was a special economic zone at its beginning and now it's a world capital city. But you also have small little things where there's these little regional jurisdictions where the government in an area basically says, we're just going to let some investment group

or external body administer this year, right down to security and policing and governance, basically. So as to see what kind of economic activity can happen on this little plot of land if we just sort of like look away for a while. And the document lays out a path towards something called like AI administered SECs, where it's not about we've come up with a plan and then we're going to use AI to empower it. It's

Sort of like a land black box where it's like, well, we have a pretty good sense of what it's doing in there, but we don't totally know. And I would say that if you're trying to map out a spectrum of potentials, the idea of like a geographic agentic SEZ is probably as far as you're going to get in that direction where it's like it's functioning basically as the government at that point.

AI-2027.com. It's a fascinating document. One of our mutual friends, Sash, sent it to me and I read it and I loved it. I think it's great. He sent it to you? Yeah, of course.

Identity attacks, phishing, credential stuffing, session hijacking, account takeover. These are the number one causes of breaches right now. And most security tools still focus on endpoints, networks, and infrastructure. And meanwhile, the browser, the actual place where people work, has mostly been ignored. Push security changes that. They built a lightweight browser extension that observes identity activity in real time, gives the corporation and yourselves visibility into how identities are being used, and

like when logins skip multi-factor authentication, when passwords become reused, or when somebody unknowingly enters credentials into a spoofed login page or phishing page. Then when something risky is detected, push enforces protections right there in the browser. No waiting, no tickets, no processes. It just happens.

It's visibility and control directly at the identity layer. And it's not just about preventing all that stuff. Push also monitors for real-time threats, adversary in the middle attack, stolen session tokens, and even newer techniques like cross-IDP impersonation, where an attacker bypasses SSO and MFA by registering their own identity provider. If you think about it, it's like endpoint detection response, but for the browser. And the people at Push are a great...

offensive security pros. We had Adam on the pod. You should listen to that episode. They've published some of the most interesting identity attack research out there, and they break down exactly how these kind of threats bypass traditional controls. Identity is the new endpoint, and Push is treating it that way. So check them out at pushsecurity.com. Pushsecurity.com.

We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 350 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.

Now that's a new way to GRC. For a limited time, listeners can get $1,000 off Vanta at vanta.com slash act. That's V-A-N-T-A dot com slash act for $1,000 off. The wrongs we must right. The fights we must win.

The future we must secure together for our nation. This is what's in front of us. This determines what's next for all of us. We are Marines. We were made for this. Jordan and I started this podcast in a boardroom talking about cybersecurity and never thought that it would become what it is. And it is now.

Yeah.

We got to the point where we needed to make merch and we did the evaluation of all the potential solutions and Shopify was the only one that really jumped out at us. Shopify is the commerce platform behind millions of different businesses around the world and 10% of all e-commerce in the US from household names like Mattel and Gymshark to brands that are just getting started like ours.

Get started with your own design studio. With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style. Accelerate your content creation. Shopify is packed with helpful AI tools that write product descriptions, headlines, and even enhance your product photography.

Get the word out like you have a marketing team behind you. Easily create email and social media campaigns wherever your customers are scrolling and strolling. And best yet, Shopify is your commerce expert with world-class expertise in everything from managing inventory to international shipping to processing returns and beyond. If you're ready to sell, you're ready to Shopify.

Turn your big business idea into with Shopify on your side. Sign up for your $1 per month trial and start selling today at shopify.com slash hacked. Go to shopify.com slash hacked. That's shopify.com slash hacked. Clue-ly. Clue-ly. Let's talk about cheating on stuff.

Let's talk about cheating on everything. Why don't we? So a couple episodes ago, we talked about Roy Lee, a Columbia University student who had developed an AI-powered interview assist tool. And he kind of went viral with this stunt in certain tech and hacking communities.

as part of this debate about like technical assessments and whether the tech job interview process was up to date, broken, fair, all that interesting stuff. The basic idea behind this was that he would be sitting on an interview and this tool he'd built would feed him real-time answers during technical interviews including like coding suggestions and behavioral prompts of like what to say without being detected by the person on the other end of the call.

It sparked this whole big fascinating discussion we talked about, I think, two or three episodes ago. You can go check that out if you're fascinated. But the story booted up again this past week. In a big way. In a big way. When Roy Lee used, I would say, the clout and virality from that initial stunt to launch, to fundraise for and then launch a new company called Clue Lee, launched with a slick start.

viral video. It's basically a $20 a month productized version of what he did in that original interview stunt. Yeah. So like to touch back to our previous conversation about it, about him going to be just fine. $5.3 million for his new startup. Yep. I think there's more of a philosophical conversation to be had about this because I don't see it as that bad. I see the outcome of it as being terrible. Yeah.

like society's going to get stupider because we'll have real time information all the time. But essentially what,

like the framing and the branding and the way that they're positioning themselves is kind of antagonistic. Sure. Like using the word cheat as their like primary thing, but really what they're building is like an instant data recall, like information system. It's a real time answers thing. It prompts you, it gives, it listens and it provides relevant context. It's not entirely dissimilar to having chat GPT open in a window next to a zoom call and feeding information into it. Yeah. But, but even then like the,

Search engines were so good at doing... Google, when Google came out, revolutionized information retrieval. It was essentially cheating. You didn't have to really learn anything anymore. You did. But if you had a question, it could find you the answers. And that was a revolution. This appears to just be...

The next kind of iteration of that, like this is going to understand what you're doing, the context you're in, the context of what's being discussed. And it's going to be pulling up real time information about that discussion. And to me, it's like that's a logical step. Like like the like when I was in college, I wrote a graphic novel about.

This exact concept. People wore contacts that told them what to do, showed them how to do it. Their education died away. People just became... It was a dystopian novel, but essentially it was like people became automatons, kind of driven, commanded, and controlled by the central control all through a contact interface that this is what you have to do today. Today you're going to be...

having, you're going to be running a surgery on somebody. You've never been a surgeon before, but we're going to walk you through it in entirety in your eyes and like tell you everything you need to know. And it's like, this has been coming for 25 years. So it's a meet. I don't know. It, it, it, um, I mean, I wouldn't have brought this meme up if you hadn't brought up that

graphic novel. It's very the meme sci-fi author. In my book, I invented the torment nexus as a cautionary tale. Tech company at long last, we have created the torment nexus from the classic sci-fi novel. Don't create the torment nexus. It definitely has shades of that.

Yeah, I think it's worth separating the broad premise of this technology, which Roy Lee, let's be clear, didn't invent. There have been multiple tools and projects over the last couple of years about saying this technology can run basically in real time now. What if instead of the copy paste use case, it was just listening, auto transcribing with capacity it already has and providing that information in real time with that have utility? The answer is certainly. Yeah. I think...

It's worth, however, talking about how this specific implementation is designed and communicated because I think that matters. Totally. You and I have talked about the hammer metaphor before of like people always talk about, you know, a hammer can be used to drive a nail or hit someone in the head. It's not the hammer's fault. And then the complication of that, when you think about it for more than about 15 seconds, which is yes, but if I design a hammer to shoot 10,000 hammers per second, it's

And then someone goes and does violence with that. Perhaps the design of a hammer that seems explicitly engineered for doing violence is in some way implicate. I find this discussion fascinating. So there's two things I want to bring up here. One is the manifesto that Roy Lee posted on the Clue Lee website yesterday.

Uh, it has changed over the last couple days. He has refactoring it. Well, he had the LLM refactor it. I think given the context here, we shouldn't assume that this was written by a human mind, but it is framed around the idea of we want to cheat on everything. You heard that right? Sales calls, meetings, negotiations. There's a faster way to win. We'll take it. And he builds up to this idea. Um,

Quote, and yes, the world will call it cheating, but so was the calculator. So was spellcheck. So was Google. Every time technology makes us smarter, the world panics, then it adapts, then it forgets, and suddenly it's normal, but this is different. And it builds up to this idea, which he posted in a tweet. Lee said, quote, $5 million to change the definition of the word cheating.

The other element of this, and I want to set both of these up because I think this is important to take them in concert, is the video that it was launched with. Oh, totally. Very different vibes. Very different vibes. I want to start with the credit where it's due. It is an achievement in virality. This whole thing has been. We've talked about it twice now on the podcast and he didn't pay us a cent. He got 10 million views. He's very good at this. And I won't try and take that away from him.

And the core premise of an AI note taker that's giving you live information probably going to become an increasingly common thing in the same way that Google was too. Undeniably. Undeniably.

The video. In the promotional video, Roy Lee is out on a date and we see him. It's an IRL date and he's being fed what to say by an LLM. It's a visualization. He doesn't have a real computer. There's no such thing as heads up glasses. This is an extrapolation of the technology. And it's sort of this, you know, the place Cyrano de Bergerac.

It's the, it's this old play story about a man that falls in love with a woman, but he can't woo her. He can't speak well enough. He doesn't have the thoughts. So a man with a beautiful way with where it stands in the bushes and feeds him the line, the woman falls in love with the wrong way. It's a whole thing. He's sort of using AI as a Cyrano de Bergerac-esque character to get through this date, pretending that these are his thoughts and then saying them out loud. The date goes terribly. Um,

And that video went very, very viral. Roy Lee, of course, knew what he was doing in creating something intentionally controversial. He has tweeted as such. I feel like that is his, like that's his marketing persona. Like right from the leak code stuff to this, the antagonism of using the word cheat. Like I don't disagree with his manifesto. Like that's the thing. It's like, I think that what he's building will have value, right?

People will use it. And the commercial I find just a bit cringy, but at the same time, very, very good at marketing. Like he built, yeah, he built something that would be intentionally viral, intentionally controversial, did a great job at launching it. I think like in all honesty, like he might be more than anything, a marketing genius than a tech genius, or at least one, maybe the two combined. But the thing is, is like,

I don't disagree with his manifesto. I think he's kind of right. And I think that there's an important thing here. And yes, there's a long storied history of using moral ambiguity as a marketing tool. And he did it really well here. We're on, you know, minute 15 of free PR. No debating it. I think the video and the manifesto taken in concert speak to something deeper.

There's like a having cake and eating it too type thing going on based on the fact it's evidenced by the fact that he's changing this language in real time. He makes a video where he uses the product to, I'm going to editorialize here, gaslight a woman as a marketing hook because in his own words, the fact you're washing this and getting annoyed is the point. And then I would say hides behind, oh, dates aren't a real use case. He writes a manifesto about redefining cheating and then has terms of use to basically say, don't use this to cheat.

which of course you will, because otherwise, why would you pay $240 a year for it? He describes a world in which we let LLMs sort of pilot us like meat suits and we go limp as a social revolution and progress as inevitable as the calculator. But the thing I keep noticing in all of these use cases from the interview to the date video isn't the idea of having AI helping you with useful information in real time. It's lying about it to the person you're talking to. Yeah.

Every time the user real or imagined they're being lied to about it, not cheating by having an AI helping you, but lying about that fact.

And my issue is that if you're lying to the person you're talking to so that they think they're actually talking and hearing your ideas, your thoughts, that's still lying. And that isn't captured by the rationale in the manifesto or the video. If you're honest from the jump and you say, hey, I'm just reading what an LLM is telling me to, then your revolution is an honest one.

But as it stands, even if you redefine something that was once considered cheating as not being cheating, and to be clear, that's what he's doing. He's not redefining cheating. He says he raised $5 million to redefine cheating. He's not. He's recategorizing a thing that is currently considered cheating as not being. You still haven't redefined lying.

Yes. I get the thrust of it and the tool is cool. And saying, you know, there were people who said a calculator was cheating at doing math. And that's true. But if I asked you if you used a calculator and you lie about it, that's a lie. I agree with you in the context in which we live in now. Yep. And the thing that I'm going to push to you is, is that context going to change?

And I'm going to say, yes, it is. Like AI, like we are humans. I think I'm going to make a broad sweeping statement here, but like we are lazy. Like we look for the shortest path. We optimize. Yeah, we optimize. That's a great way to put it. Yeah, very generous. We prefer optimization. We want the least resistance to get to the best outcome. And this is built for that. Like you've seen like,

You've seen how AI has changed the corporate world, even in small ways. Like it makes everything a little bit easier if you know how to use it. And that's if you're not using it a lot. And if you are using it a lot, it makes everything way easier. It might not mean the quality is better. It might not mean the consideration is better. It might not mean so many things, but it can do so many little things optimized for your life. Yeah, really well.

This is built for that world. Like we're going here, we're going to meat suits. Like we are, we are LLM driven meat suits. And it's like, that is because that is an optimization. It's like, we, we are going to willingly accept this reality, willingly shift our context and our morality window as to what is acceptable. And like, like I see this future. I saw this future 25 years ago when I wrote my, my graphic novel. It's like, this is where we're going.

And his antagonism and cheating and his lying and stuff, we all consider that a good marketing. But at the same time, it's like, I don't think he's wrong. I think that in 24 months, we will all be using systems like this to optimize our outputs. And it'll be a status quo at that point. It won't be lying. Everybody will just assume you're using it. And if you're not using it, people will know because you're going to be worse than them.

Yeah. If two people, I'm very open to the normalization argument and I'm even pro-optimization. If there will ever be situations where people are expected not to and they do, the morality window shifts, but the definition of lying won't. Things that were once considered lying can be recategorized as not. That's sort of my big point.

is that the concept, it's like he's not redefining cheating and he's not redefining lying. He's recategorizing. And some things will get recategorized. But if you design a hammer to shoot little hammers like bullets, you're still designing a system to empower lying. And that's,

I can't tell you where this is going. And the fact, honestly, that he's changing some of the language in this in real time is a good thing. Because I think that it speaks to a desire to not be flat out evil, but just to use moral ambiguity as a marketing tool. And that scares me a lot less. Yeah. But a lie is still a lie. Yeah. Guys, I don't know where to go from there. The gaslighting video.

It ain't great. It isn't great. It's not a good look, but here's the thing. It speaks to... I feel like people lie to each other all the time. Sure. People posture. People do this. Of course. They round the edges on things to make it... So it makes them look like... Instagram is essentially a window into people's lies. It's like we're in a culture where we already are lying so much anyway.

People have been lying to people to get them into bed for a fucking thousand years. It's not a great thing. It's not a morally sound thing, but it's part of human nature. And now you can pay $20 a month to do it better than ever. I think the thing that this resonates with me the most is that it speaks to the shift in the window rather than the window we currently live in.

Certainly it does. And the window is shifting. Yeah, yeah, yeah, yeah. And that's where this like, if he'd asked me to invest, I would have invested because I think that the world is going in this direction. And I think that what is not normal today will be normal in the future. And this is a system to empower that transition and it's going to be successful for it. There's going to be a bazillion competitors pop up, which is the other problem with it.

So maybe not the greatest investment, but like they're obviously one of the first to markets and also one of the most controversial and getting the most free PR. Right now, right here. Right now, right here. It's an interesting story and I'm curious to see where he lands. The guy's clearly very competent at drumming up a lot of press for stuff.

And it for hacking together cool technology. I take none of that away from him. I think this tool in a lot of situations would be really genuinely useful. And I'm glad to see the list of proposed use cases getting a little bit more conservative and a little bit less lie. I just want us to be, I think that this is, this one is worthy of being thoughtful about and not treating the

The post-truth future as an inevitable conclusion of this technology. If both of them were sitting there on that date. Wearing the same thing. Both using it. Both knew it. And the Overton window had just shifted there. Fine. I'll see that world when I see it. I know.

You're old enough to not want to see that world. And I don't really know if I want to see that world, but I think that that world is coming for us no matter what. Like when I, a couple episodes ago, I talked about a friend of mine who is hiring somebody, did a Zoom interview. Sure.

Asked them a question. Literally could see them typing it. The question that they asked into ChatGPT. That's really funny. And then parroting back what the response was. And it's like, people are already trying to do this. They're already using it. Yeah, yeah. They're doing it worse. People are already meat sacks guided by LLMs. Totally. It's a sad reality. I'm not sure...

Like I wrote a dystopian book about it for a reason. Yeah, it was a dystopia thing. It was your torment, Nexus. Yeah. I'm not even sure. I don't know what that future will be, dystopia or not. I know that people will probably always feel bad if they're lied to. So if they think it's not happening and then they find out it will, I think that's...

I don't know that the Overton... I don't know that a window can shift far enough that if I thought you were telling the truth and I found out you weren't, that will ever not feel unpleasant. I would just say look to modern politics. You're being lied to. Do you find that pleasant? Not at all. But like the amount of focus testing and the amount of like...

Now we have LLMs, but traditionally we had research. The amount of time and money that gets spent on researching things to lie to people, to make them believe that you're a good... To do something. Yeah, yeah, yeah. To activate somebody. Like this is a... Normalized. The process is old as time. Totally. Yeah, yeah. We don't expect to be told the truth by politicians. How bad is that? We've normalized that politicians lie so much that nobody cares. Yeah. An expectation of lying has increased. Yeah.

Which is to say an expectation of a thing we don't like and feels bad has increased. Right. And if in our current window, we're currently accepting of people lying to us who we've elected to lead us. You're telling me that in like five years, you're going to care if like some junior marketing coordinator literally is just a meat sack guided by a...

190 IQ LLM. I'm assuming they're Googling stuff now. I probably wouldn't care about that. I'd probably care if I was on a date and I thought I was talking to a person and then I found out that they were just like, they're like, I don't even remember that. I was listening to a podcast to be like that. I think that would bother me. I think that would bother me. If they told me up front, I would almost be intrigued by it. If they're like, I'm actually really not here presently. I'm going to just sort of say what it tells me to. I would,

If that was the video, I'm fascinated. I'm like, I'm watching this episode of Black Mirror. Hell yeah. Strap in. Let's see how it goes. Totally. Totally. Oh, that's really funny. Oh, we should shoot a counter video. A counter commercial for it that is just that. Yeah. For all the-

Yeah, you got the glasses on and you're like, so I don't know how to explain this to you. There's an Oilers game on tonight that I'm extremely emotionally invested in, but I didn't want to cancel this date because it seemed rude. So I think I can do both. Tap me on the shoulder if it starts hallucinating. And they're like, if what starts hallucinating? And you're like, nothing. How are you? And you just start parodying it. Like you cheer every so often when they score a point.

Oh, man. The Torment Nexus. The Torment Nexus. Anyway, is there anything else we should talk about this fine episode? No. I think that's good. I think that probably puts a pin in it. Yeah. 4chan hacked. Clueless. Update your systems. Update your libraries. You're upgraded. Truly. Track down CVEs. The CVE group got refunded, which is good. There was a...

small little blip that they were going to be or they had lost their funding and that they were no longer going to provide the service they provide and that would have been terrible so that is I think bypassed so we don't have to worry about that dark feature where people are tracking vulnerabilities yeah but I think other than that I think we're good I think it was a good fascinating one

Yeah. I hope people were tolerant of us going on that tangent because that was a fun one to discuss in this episode. In fact, brought to you by Push Security. Check them out, pushsecurity.com. Otherwise, I think we'll catch you in the next one, friends. Take care.