A
Welcome to the GRU University, where Moscow turns students into spies and hackers.
B
Hector Monsegur was responsible for some of
A
the most notorious hacks ever committed.
B
Special agent Chris Tarbell and FBI informants participated in some of the world's most infamous hacks that caused up to $50 million in damages. A life in the shadows Cyber attacks on the.
A
Welcome to Hacker and the Fed. I'm Chris Tarbell, former FBI special agent working my entire career in cyber security. And I'm joined, as always, by my boy, Heck, Hector Monsegur. Hector's a friend, podcast co-host and former black hat hacker who once faced 125 years in prison for his many years of hacking under the dumbass codename Sabu. Dumb who in Patreon episode today we learned Sadhu has passed away years ago this Our stories collided in June 2011 when I arrested him and convinced him to work with me at the FBI. Hector is now a red teamer, researcher, cyber security expert, and co-founder of SafeHill. Heck, welcome to Hacker and the Fed Free Show 131. Woo.
B
131. That's a lot of freaking episodes, brother.
A
Oh, a lot of free shows.
B
Yeah. No, listen, I love it. And let me tell you something, I love that we could do a free show without ads. I, I, I'm, I, it's hard for me to listen to podcasts right now, bro, because I know. Five minutes, bro. It's insane. I wish. And I've seen some, I've seen some podcasts where like, there's. Okay, I use Spotify, I use like Apple music, Right?
A
Yeah.
B
So on Spotify, there's like a subscription thing. I think it removes the ads or something. But that's this, that extra step, there's more money, you know, and I haven't found a podcast that I like enough to do that to go beyond, you know, besides that, besides, aside from Hacker and the Fed. Yes, yes, yes.
A
Yeah. It's got to be rewarding to our listeners to not have to hit plus 15. Plus 15, plus 15 to get through some of that. Well, maybe they do. Maybe they do. That's what they do. Enduring on the banter section.
B
They love the pantry section. Pantry section is always the best. We always get a little updates about what's going on with Chris's pantry, which I'm about to ask him.
A
I said banter, not pantry. Of course they don't fast forward. No, they don't fast forward through that. They want to hear about the color of my nuts and the pantry.
B
Yeah, they love the pants What I'm saying, I agree with you. The Panther's cool, too. You know, they like that. They like the back and forth, you know.
A
Dude, we've got some nice weather recently. I've got a lot of good color on my testicles these days.
B
Yeah, I see your face, too. You got some color. You got some melanin, bro. I like. That's good. You gotta be careful.
A
I'm trying to catch up.
B
I'm trying to catch up to you with that. You might get rejected from restaurants and shit.
A
Or that ice might pick me up, you know.
B
You know, I still walk around my passport because I'm like, oh, man, I don't want to deal with this. I still got it. It's crazy good.
A
You should, you know. That's America for you. Let me see your papers. Let me see.
B
I got my papers.
A
All right. We can't get too far into this without talking about you Knickerbockers.
B
Oh, hey. Oh, hey.
A
Hey.
B
How you doing over there? Listen, let me tell you guys something. If you guys ain't noticed, the Knicks have been on like a seven game spree. They have been playing Elites top tier basketball. We're talking about the likes of Big Body Brunson, Josh Hart, the heart of the city. We got Deuce McBride. We got cats. He's kind of. He's kind of sassy, but Cat is cat. We like cat, you know, and then we have all these other role players that are just contributing to the Knicks, just kicking ass. Shout out to the Philly fans. If you're a 76ers fan, I apologize, but not really. You guys got swept four games to zero. Shout out to the New York Knickerbockers. And you have to pronounce the CK there because some people think you're saying something else. But the New York Knickerbockers are killing it.
A
What else would I be saying?
B
No, I'm not saying you. I'm saying per se. I heard someone say knickerbockers, and it came out really bad. It was like a sportscaster, he's like, what about those New York. I was like, be careful with that, brother.
A
They've brought back some words. That word has not come back.
B
It's not. Not yet, but, you know, it's there. It seeps out sometimes. But, yeah, listen, brother, the Knicks are doing fantastic. I'm super proud as a lifelong New Yorker and a New York Knicks fan who had to deal with literally my entire life of them sucking, with the exception of, like, the 95 to 2000 era. They had some good teams. Shout out to Alan Newson. They're killing it. I'm happy.
A
Speaking of happy news, keep this in the happy news section. Heck. A woman named Peggy Cross Goldenberg was just named the US Magistrate judge in Eastern District, New York. Tell us a little bit of our connection to. Back then, we knew her as Peggy Cross, but now she's Peggy Cross Goldenberg.
B
Hey, she got hitched. You know, she found herself a good man, and, you know, she got the Goldenberg at the end. Listen, shout out to Peggy. Peggy's beautiful. She's wonderful.
A
Who is Peggy?
B
Oh, it's all bro. Come on, come on. I got your back. So let me tell you about Peggy. Peggy is a fantastic lady. She started off as a schoolteacher helping little children with their educational needs. She would help them and teach them and, you know, walk them to the bathroom and help them with their little homework. She's such a wonderful lady who decided one day she said, you know what? I love helping the children, but I feel like I have a duty. And that duty is I want to stay in law. Yeah, not that kind of duty. Oh.
A
Oh, sorry.
B
She has a duty. Not in my head. I'm all fucked up. I'm all screwed up. But she wanted to.
A
Yeah, she wanted professional broadcaster Hector Monsegur
B
talking about Peggy's duty, Peggy's duty, so. But no, she wanted to make an even bigger impact. She loves the kids still. She's fantastic. But she said, you know what? There is a disparity in federal cases. And the reality is the federal case system. The federal system. Chris, when he was an FBI agent, he wouldn't just knock on your door and arrest you and then try to make a case. Chris would make a case first and then arrest you. That's why.
A
That's how the FBI works. Yeah, that's how the FBI works. Wrapped up.
B
Yeah. By the time they. By the time you see the. Chris, the case is over. Ready. You know, this is pleasantries at that point, but it doesn't mean that FBI, every FBI agent is like Chris. Sometimes they make mistakes. And there wasn't enough attorneys helping the people that were dealing with those kind of federal cases. And so she made the decision to join the federal defenders and she was helping people. And of course, she became my attorney and she walked me. She held me by my hand like I was a little kid. Like. Like I was the little kid to her classroom. Right. Remember, she was a teacher. I was a little kid, and she was walking me through the process. She's like, all right, Hector, so here's what's going on. And yeah, you're facing over 25 years, but, hey, listen, don't worry about it. We're going to sort it out, because in your class. Yeah, you.
A
You and I didn't know each other. You didn't know whether you could trust your inner or not, whether we were going to do it. And Peggy came in and said, well, this is what they're offering you. This. And I'm going to hold your hand, and I'm going to make sure that I hold them accountable to what they say, what they are offering you. So, you know, thank God she was there to. To be. Be with you and support you.
B
Oh, yeah. No, pe. Peggy was. She was my angel. She's my everything. I love the lady. She is a blessing. And she is. When I speak about, like, you know, I wish more Americans could do more, and. And. And Chris and I haven't even had a conversation about that, like, giving back to the community. She's a perfect example of that. And I'm so happy to say that now. She is a judge. She's a magistrate judge. And the Eastern District. If you guys don't know what Eastern District of New York is, that's Brooklyn. Very exciting. So shout out to her. Shout out to her family. It's a blessing. I'm very happy. I'm the happiest guy.
A
Yeah. So Peggy worked for two decades at the Federal Public Defender's office. That's the. In New York City. And she also worked as a supervising attorney in there. So like you said, Peggy did some great things. Helped, I'm sure, a lot of people, but most of all helped my boy Heck. And what. What a great honor to her to be named a federal magistrate judge, even inviting my boy Heck to come to her ceremony. Yeah. So that. That'd be fantastic if you can make it.
B
Oh, yeah. No. So shout out. Shout out to you for bringing that up. That's great. That's a beautiful.
A
Well, it's nothing but shout outs. Now I got another shout out. Oh, something came out. Hector, there's a thing called the CISO playbook, the adversarial mindset. What is this? What is going on with this? This book, the CISO Playbook.
B
Well, I'm glad you brought that up. Shout out to you now. I'm shouting you out. Shout out to you for bringing it up. You know me. I don't like to. I don't like to, like, highlight stuff that I'm doing, but so yeah, so about eight months ago, six months ago, within the year, you know, I was having a conversation with a good friend, you know, Andres. Andres is fantastic. The CEO of Constella Intelligence. Shout out to them, really cool company. He's like, yo, hey, I've been a CISO my entire career, now I'm a CEO. You've been an adversary both as a black hat, but now as a professional, let's get together, let's put together this project. I said, yeah, why not? Let's do that. And he's a prolific writer, fantastic gents, really smart. And yeah, we started working on this book together and we conceptualized it, we put together some content and then now we're going into production. So the book already has its own link, you know, with the, with the production house. And then of course it'll be available at some point within the next couple months. But yeah, man, it's exciting.
A
When can people order it? Can they pre order it now?
B
Yeah, I think the link already allows you to pre order now. And I would say that I push
A
out the pre link with, with, with the social media stuff this week.
B
Yeah, I think we could definitely do that. I think at the very least people could bookmark it and just kind of review it at some point, you know, because sure, right, right now we didn't even have the images up. You just have like the, the pre order stuff. But the cool thing is right now working on the imagery, you know, the, the, you know, the, the chapter, like previews and stuff. Yeah, it's pretty dope. It's been a cool experience.
A
Are you gonna do an audiobook?
B
Oh, I don't know, bro, because I'm gonna be bugging out like, you know me. Yeah, I can't, I can't just stay straight. It's one thing I gotta, I'll probably jump into different topics as I'm reading it out.
A
So you ain't straight note in no sort of way, I'll tell you that.
B
No, I'm crooked as hell, but you know, in a fun way, you know.
A
Yeah, yeah. Well, that's good, man. You got a lot of, a lot of things going on. It's pretty good. I'm gonna, I'll share that on a social media. When we put that on this episode comes out SafeHill's got a little killing it, right?
B
Yeah, brother. SafeHill. So to give you guys full disclosure to kind of tell you guys where we're at, SafeHill's in a really cool place right now. We're going through the seed round which is dope. It's a dope experience because for those of you that are business owners and for those of you that had, have done the startup scene and investors and data rooms, you guys know what I'm talking about. It's a whole new experience. And for the rest of you that have never done this, it is a wild experience because you're getting to look at your business from, from the perspective of a banker, essentially. Right? You know, what are the, what's your go to market strategy? What's going to be your, you know, your projections for the next 24 months? You know, how are you going to deal with SLAs, how are you going to deal with this, that and the other, you know, all the legalese and the contracts and all that good stuff. That's all part of it, right? But the hardest part, and some people, actually the easiest part for me, it's been fun. It's meeting the bankers because in some cases they're degenerates way more than you and I could ever be. They're like, hey, you want to go party? Let's hop on this jet real quick. Nah, nah. How about this? How about we talk about the business and then we'll hang out some other time? You know, they're a fun bunch, you know, good.
A
Sounds like fun. Sounds like you're doing a good time. I'm happy that SafeHill is successful and moving forward.
B
Oh, I love that, man.
A
Thank you, thank you to the audience for supporting us on Patreon. New Patreon episode every freaking week. Join our Patreon to find a link there, help us out, keep the show commercial free like Heck said. Find our merch up at Hacker and the fed dot com. Appreciate all the support, guys. Best, best listeners are the ones on Patreon, so appreciate you guys. New stuff every week. We try, we try to do different every week. Sometimes we argue about politics, sometimes we talk about cyber security, sometimes we just talk about life. Yeah, but happy to talk about if, if you want something specific on the show, reach out to us, tell us you're on the Patreon and we'll put, we'll talk about a specific subject on, on the Patreon. Talk about, yeah, Hector's balls maybe once in a while.
B
Yeah, and send us some emails, man. You know, throw some questions our way. I know you guys, you guys get shy, you get busy. I, I want, I want questions. I want emails. Curse me out if you want. I'm with it.
A
They did good. They. The Patreon episode that you missed because you were sick a couple weeks ago. They hit me up with some pretty good question. Yeah, it was a really good, good episode. Maybe they want a heck only episode. Would you ever do a heck only Patreon episode?
B
No, absolutely. I'll gladly do that.
A
I'm fun.
B
But it's gonna go like three hours. I'm gonna tell you right now, I'm a perpetual yapper, bro.
A
All right, you might talk for three hours. We'll cut it down to an hour. He'll edit your ass and put a stamp at it.
B
Yeah, whatever.
A
You know, Will, he doesn't like brown people.
B
No, no, no, he does. You know what? I'm okay with it. You know, as long as it's like he doesn't try to do anything weird with me and I'm okay with it.
A
This is a big story this week. I'm still getting stuff. I got something in some emails last night about this one. Cyber attack hits Canvas system used by thousands of schools as finals loom. So Shiny Hunters, those fucking Shiny Hunters again, hacking group breached the Instructure Canvas learning management system, stealing data from nearly 9,000 schools and universities worldwide, claiming approximately 275 million records, which is about 3.65 terabytes, including names, emails, student IDs and billions of private messages. And it caused a widespread outage and defacements during finals week in early May of this year. So Canvas was restored for most users by May 8 after a temporary shutdown. Instructure disabled Free-for-Teacher accounts and confirmed that the breach involved unauthorized access via that feature. Shiny Hunters defaced login pages at multiple institutions and then hit them with a ransomware extortion message demanding contact by May 12. Some schools have restricted access out of caution. There have been no confirmed ransom payments. The FBI and other groups are looking into this online extortion. Pretty bad takedown by Shiny Hunters.
B
There's been a lot of, like, maybe perhaps misinformation that came out of this, right? There's. There was some messaging around, hey, maybe private messages were exfiltrated. Maybe, you know, things that were important to students were taken down, deleted, removed, right? We don't know. At the end of the day, shout out to W VX on the ground on Twitter or X because they kind of released a couple posts saying like, hey, you know, we have, you know, we have some decent information regarding the compromise. And I'll paraphrase it, right? I forgot the exact tweet, but they were like, hey, it seems like they may have only taken the students' email addresses. Right. But you know, again, this is. We don't know yet. We don't know what the ultimates, or rather the end result is from this. We know there was a defacement. We know there was some sort of compromise and breach. There's definitely got to be some sort of breach where they have at least email addresses. Whether they have student IDs or students, you know, homeworks or whatever, we have no idea. But here's what we do know. Thousands upon thousands of schools are affected almost at the same time. Like you said, at, at or near the finals. So a lot of students were affected by this. I personally got messages from people in my life that are students. They saw the message and they started freaking out and I'm like, well, I'll just take it easy. You know, just wait to see what, what instruct was in the company name this canvas, the software. But they're owned by Instructor or something? Yeah, yeah, it's owned by a company. And so Instructor basically said, yeah, there is something that's ongoing. We're trying to sort it out. You know, I don't think there's any. Schools are going to pay, actually. And there was a funny rumor, whether it's true or not, that Shiny Hunters let it go. They let go of the extortion tap because they had too many students sending them messages asking for them to update their score, you know, their grades. So whether that's a joke or not, whether it's real or not, it's whatever. It's just one of those weird situations where, you know, this probably shouldn't be a thing. Right? You and I talked about the hacking ethics, quote unquote, back going back to the 80s.
A
Yeah.
B
Leave hospitals alone, leave the government alone and leave like schools alone. Everything else is fair game. Private companies, public companies.
A
I don't think I agree with that.
B
Well, from the perspective of the adversaries back then.
A
Right. Okay, sure, right now.
B
But a lot of these ransomware groups, especially the newer generations, don't follow those ethics. They don't care. They'll hit a hospital, shut the hospital down. They have zero care if people die as a result. Right, we know that. We've seen it.
A
It's the max amount of pressure.
B
Well, they'll hit the government. You got a jerk like me. I hit the guard myself and I dealt with the consequences. But then, of course, you know, the schools. Leave the fucking students alone. Come on, they're already going through enough. If you're trying to get paid, you could have extorted instructor directly and you know, off channels, out of bounds channels, did the faces, whatever. Now I hope they don't leak the students addresses because that would suck. There's a lot of kids there, you know, not, not a lot of them are cyber security tech savvy. You know, it's just going to open the doors for social engineering. We don't want that.
A
You're going to have a large uptick of, of social engineering and also clicking click fraud, you know, phishing emails. Yeah, but you never know what. Now we might let pedophiles come in, but you know, they're just going to filter a lot of these email accounts. I know, at least locally the ones I deal with, you know, they don't let exterior emails come in. So they're just going to block access to all that stuff.
B
Well, you know what, just chill out guys. Shiny hunters, if you guys are listening, just chill out. Leave the kids alone. I get it, you're trying to make some money, I understand, I can understand that. I don't agree with it. But you know, there's ways to do things. This is not it. You know, and in fact as we're talking, there's some supply chain attacks happening right now on GitHub. GitLab.
A
GitHub. GitHub's getting hit again, huh?
B
Oh of course, you know, there's always the supply chain attacks. Compromising a GitHub account, a developer key transferring, becoming a worm. Everything's wormable. In fact the worm from today, this morning jumped from Node.js developers to Python developers. So now it's a, everybody's getting owned right now as we speak.
A
What do you think this increase is? Is this AI? Are we, you know, weaponizing tools using the power of AI?
B
Developers are lazy. Developers have been lazy breaking. Not a lot of developers are security conscious and they don't sometimes even care. Why? Because sometimes they're tasked with getting things done as soon as possible. And what that means for them is they'll blindly trust the open source ecosystem and even proprietary ecosystem and not give it any second thought to say, hey, what would happen if this is compromised? That's what you're seeing, that's how all these developers being compromised. And as a result these companies are getting hit because those developers have the keys to the kingdom, as it were. So if you are, if you are a manager, if you a CEO, if you're a CISO, you have a bunch of developers, they are your entry point right now, today. Yeah, you have other issues like insider threats and asset management issues and vulnerability management issues and your policies are probably crap anyway, but your developers are your low hanging fruit. How about you start working with them first? Talk to them.
A
If you do have developers, what's the prescription on how to fix this? How do you, how do you educate them? And, and, or do you just, is it holding them accountable or what? What's your methodology here?
B
The CISOs that I've seen that have dealt with this have leveraged accountability. If you are compromised, you're, you know, you might get a warning. Depending on the scenario, you're likely getting fired. If this happens multiple times and you're probably involved in it, then we're gonna have to call the FBI, you know, because at that point you're an insider threat. Whether you're a direct insider threat or not, something you're doing is wrong if you keep getting hit over and over. And that seems to be a trend, you know, and so when you have enterprises losing millions or hundreds of millions of dollars, this becomes a major problem, right? So yeah, there's, there's going to be some financial repercussions, potential criminal, criminal repercussions with these developers. They don't spray it up. You got to remember, things have changed. Chris. You, you and I both have talked about this. Now CISOs are liable for potential, you know, court issues and legal issues. There's no longer a free ride for the CISOs, which means not 100%, not 100%.
A
I mean, we're seeing liability when they blatantly lie or blatantly do something wrong. But I think there could be more.
B
It could be more. And it's probably going to get to that point when you have people like Hegseth in charge. Hegseth has put together a lot of policy with regards to like, you know, requirements of certain frameworks. You have to follow this in order to do business with us. And remember, just because you're not a direct federal contractor, you might be a contractor to a federal contractor who is a contractor with US government. So you are part of the supply chain. There's gonna be a consequence somewhere. Either you're gonna get charged with something or you're gonna get kidnapped and disappear. It might even fall out of a window sometimes. I'm joking. I kid. But you know, if you, if you value, if you value your career, you value, you know, what you're doing with your life, then you gotta, you gotta sit down and set up structure. I'll give you a good example, Chris. If there's anybody listening right now that has developers you have a team of developers working for you right now. Then you have to look at how they're deploying, developing and managing code. If they're deploying to GitHub, great. How are they using libraries? These libraries are being compromised. Are they freezing these libraries? There's a difference between dynamically loading a new library every time your application runs, or if you are freezing a library to a specific version. Because if that specific version is good, then more than likely you are good. And you're probably going to avoid a potential supply chain compromise. Not always, but in many cases, yes. So just be mindful, look at your policy and just shoot us a question. If you have questions about this, feel free to shoot me an email and I'll take a look.
A
Questions@hackerinthefed.com if you want to reach out.
B
That's right.
A
Welcome to the GRU University where Moscow turns students into spies and hackers. So I see a secret department number four, also called the Military Training Center Clandestine section, at Bauman Moscow State Technical University systematically trains 10 to 15 students per year as GRU hackers, spies and information warfare specialists. About 2,000 plus leaked internal documents, which include student lists and contacts, revealed direct GRU oversight and placement into units like Fancy Bear and Sandworm and others responsible for cyber attacks, election interference and sabotage against NATO and Western targets. This was a pretty cool article talking about how they're training their spies over there and training their hackers.
B
Yeah, no, this is awesome. If you guys go through the report, it was posted on VSquared.org it's probably one of their, their main blog post right now reports. What's fascinating is that we're seeing a lot more leaks. We talked about this before. We saw some leaks coming out of China and their operations and how they're building out teams and how they are. China's becoming like Russia in the sense that they're, they're bringing in private security companies in China to do the dirty work for them. That wasn't really a thing. Before you had to be part of prc, you had to be a part of the military. I've met some hackers that were part of the Chinese military, but now it's changed in China. Now we're getting leaks from the GRU and how they're building out teams. Now here's the funny part. Wanna hear something funny?
A
Yes, I do.
B
Infosec Twitter was freaking roasting these Russian hackers because part of their, part of the curriculum is learning how to use Metasploit. You know, they're using open source tools to hack into your networks. That's how ridiculous and easy it is. You know what? That right there should highlight the state of cybersecurity when you could take a 20 year old tool like Metasploit, which by the way is beautiful. I love Metasploit.
A
No, it's great.
B
You take a tool like. Yeah, it's a great tool. You take a tool like that and you put a Russian spy to use it and now they're breaking into your network and stealing IP and sensitive documents. That's how you know you've missed the plot. You've lost the plot. You're part of the plot and the plot stinks.
A
Is Metasploit still as loud as it used to be or can you, can you kind of damper that?
B
Oh, that's as loud as a motherfucker. If you're using a default, a default Metasploit, you're always going to get caught.
A
Which does not sound like a spy tool to me.
B
Well, the Russians are learning how to use it. I mean we're seeing a lot more leaks. We saw leaks coming out of Iran, China, Russia. Don't be surprised. Remember we had the big leak here with one of those files that leaked from the nsa. That was a big one many years ago.
A
What do you think it is? What do you think the uptick in leaks coming out of China? You know, it is what it is. But the Russia has been very good about normally locking this shit down. They, they normally don't day to leave like this.
B
Yeah, because the consequences over there is death, you know, and China, you can say the same. But the problem with China is China's so massive like okay, you see what, what, what this report says they're training about a dozen hackers a year. China's probably training a thousand hackers a year.
A
I think thousand might be low.
B
And that might be low. Right, That's a low number. So there's a massive difference here. And in fact, I'm more surprised that more hasn't leaked from China of anything. But this leak right here is what's most interesting because it's such a small group of people and I'm willing to wager that it was probably a Ukrainian that got access to it or the insider threat, insider Russia, who's probably Ukrainian alliance. I said it, I'm gonna leak this stuff. Don't doubt it.
A
Yeah, it was, it's definitely insight that we never had before. So I'm sure, you know, the FBI is enjoying seeing what's going on There and what it is, did you see anything outside the metasploit stuff that could be used to harden our defenses?
B
Honestly, bro, here's, here's, here's my take, right? So from what I've read, what I've looked at, what are these guys learning? They're learning methodology, they're learning structure, they're learning how to do things. I mean, look at the pictures, right? There's pictures in the report. Guys, there's pictures of the report. And what are we seeing? We're seeing soldiers. A lot of these people, they're not, they're not your, your, your cousin, you know, Yousef, you know, from freaking, you know, some random town. These are people that joined the Russian military who have a certain technical capability, who met a certain requirement, and now it's inverted. Right now the Russians are going back to the military for hacker training rather than, you know, using private companies like China's doing now. And so what you're probably going to see is method, methodical hacking campaigns, very structured, very rigid, very narrow, very. And that's pretty much my take. Remember, guys, what made Sabu, my persona, what made Sabu effective as an adversary wasn't that I'm a genius. You guys talk to me every week. You guys know I'm no genius. What made me effective was structure, methodology. I knew exactly what to target, how to target, and once I got in, I knew exactly what to exfiltrate or what to do once I'm in. If you're just breaking into a network and running a bunch of commands and doing a bunch of recon and making noise, you're not effective at that point. That's, that's the takeaway here, Chris.
A
So, Heck, Instagram and encrypted messages ended on Friday, May 8. So Meta Instagram disabled its optional end-to-end encryption feature for direct messages, meaning that Meta can now access the full content of messages, images, videos and voice notes sent between users in the platform. The change went into effect on Friday, May 8, and affected users received in-app prompts to download their encrypted chat history before the cutoff. Meta cited low user adoption for the reason. Users are directed to WhatsApp for the encrypted messaging. You surprised by this?
B
No. You know what? You know, I'm more surprised about. I'm going to tell you what I'm surprised about. I'm surprised that they told you that this was.
A
I am, too.
B
Yeah, they didn't have to tell you. They. Historically, they didn't tell you shit. I'm surprised that they told you that your messages are now clear text and that they're going to probably listen. They're probably going to use this as a way to train AI model of some sort on your conversations. There's going to be a little Chris somewhere.
A
They did it for 100%. That's what they did it for, is for AI training. Meta feels like they're what, fourth, fifth in line now in the AI world and that ain't gonna fly for them.
B
Meta Zuckerberg is not as smart as you think. No disrespect to him. He's a, he's a nice, I'm sure he's a nice robot, but. But he caught that, right? It took you a minute. No, but I'm sure he's a nice NPC or whatever. But here's the reality. They made some really bad investments in early AI. Like the whole Meta world thing was a big waste of multiples of billions of dollars. We can have a virtual world and hang out with virtual people and listen to virtual music and have virtual sex. That was the whole thing that went nowhere, you know, and so they, they took a risk, they lost a lot of money and now they have to play catch up. And who's, who's leading the charge? Anthropic, OpenAI, Microsoft, Google, Nvidia and some companies you've never heard of are leading the charge. Meta is not in that conversation. They've released some cool stuff, but it's not what you think.
A
So now I do think Meta has a good talent pool. They have overpaid by drastic amounts for AI talent. Now I'm not seeing where that investment is coming, but you never know. They could leap ahead of everybody. But it seems like Anthropic is really kind of sort of taking the reins on everything here.
B
Remember that elite AI salary list that we saw a while back for, for Meta?
A
Yeah.
B
Remember that? They were paying people like $40 million a year. What is that?
A
They hired a guy and gave him a billion dollars. Can you imagine? You're a salaried employee and you have a billion dollars. It was like a three year contract. A billion dollars.
B
Well, listen, guys, I'll tell you, I'm a nerd. I'm not that big of a nerd. All right? I would love to be that big of a nerd, but yeah, no, that's, that's a whole different game.
A
So I don't know. AOC says nothing, that no one can be worth a billion dollars. So we never, we don't know, we don't know what they're paying for here. It's crazy.
B
Well, so here's what we know. So we know that Meta, slash, Instagram, probably Snapchat, probably whatever else. You can't trust messaging through that. What about Facebook? Oh, definitely not. What about Telegram? Oh, no, no, no, no Telegram. What about WhatsApp? I don't know. This WhatsApp thing, I've heard a lot of things that people getting indicted and convicted and these random WhatsApp logs that should have been encrypted, but then they showed up all over the indictment papers, you know, and there's this. There's a whole bunch of technical reasons why that could have happened. But here's, here's. Here's where your boy Heck has to give you a reality check. Stop typing stupid shit into prompts that you don't control. Right? You don't. You don't control OpenAI. You don't control Instagram, you don't control any of it. Whatever you type into any of these apps belongs to the owners that are hosting those apps. Keep that in mind, okay? Now if you don't care, you want to, you want to have a love affair with an AI bot, go ahead, by all means, just remember someone's probably reading that log. Just keep that in mind.
A
But heck, what if I click Incognito?
B
Incognito. Incognito is like.
A
It's fugazi.
B
It's fugazi. It's nothing. It's. It doesn't mean anything. It's, you know, it's. Privacy is not a thing anymore. Especially using third party software and applications and services. Doesn't mean anything. You are the product. Facebook is not the product. You are. You know, Instagram is not the product. You are. So keep that in mind. Always. If you value your privacy, get the fuck off. You know, Eisenhower told you this was happening. Certain other people, not going to mention domestic people, they tell you the same thing. Don't do that. You know, if you value privacy, do what Chris does. He gets offline and he fucking, you know, tans his balls. You do that.
A
Yeah. Jerk off with paper.
B
Nah, I'll do the fifi.
A
No, I'm not saying use paper. I'm saying looking at like magazines.
B
Oh yeah, you can do that. Do those even exist anymore?
A
I don't know. I don't even know where to get one.
B
Yeah, so it's probably like a whole shady experience. So you gotta go like buying a back alley, like a little store. There's a magazines there. Like, what are you looking for, buddy? What do you. What are you in the mood for?
A
I don't know. Yeah, I mean, their excuse that. So I, you know. Yeah.
B
What's the excuse?
A
It. Well, it used to. It's so Instagram used to have an option for the. The encryption, whereas WhatsApp came by default. And I guess not enough people knew that or turned it on. So they're like, ah, we'll just get rid of it for everybody. It's not gonna be an option anymore. I don't see. What. What does it save? What. What do you. If. If people weren't using it, who do. What do you care? Like, why are we getting rid of it?
B
Yeah, well. Yeah, well, here's the thing. A lot of people think that a lot of these protocols are, you know, legitimately, you know, it's safe or secure. They're not. You know, and. And. And in a way, I'm glad. A lot of idiots that have committed crime have been caught through them, you know, because they were so dumb. They're like, yeah, I'm gonna type in my. My, you know, my. My, my, my plots into this chat and see what happens. Yeah, they get caught. So I'm glad for that at least. But honestly, bro, like, I'm a big privacy guy, you know, I would like to have privacy, but I've learned long ago it doesn't exist. Not. Not here, not when someone else is hosting the service. You know, I barely use Signal as it is. I love Signal, it's great. But even that, I'm looking at, like, I'm sure there's something backdoored somewhere, that someone's seeing something somewhere, and I'm not. I'm not in a mood for that. And even if. Even if with all the recent stories about quantum physics and quantum computing, specific specifically to the lowering of qubits needed to crack this and crack that, at this point, anything you say today is probably gonna get cracked next week. What's privacy?
A
Yeah, that's the big thing. Everyone's just collecting all this encrypted data just because one day they're gonna be able to open it. I think that day is coming sooner and sooner.
B
Yeah, well.
A
So two U.S. nationals sentenced for facilitating fraudulent remote information technology worker schemes to generate revenue for North Korea. So. So two U.S. nationals, Matthew Knott of Tennessee and Eric Prince of New York, were sentenced for operating laptop farms that enabled North Korean IT workers to fraudulently obtain remote IT jobs at US companies by hosting company-shipped laptops and installing remote desktop software, allowing overseas workers primarily in China to appear as if they were working from the US residences. The scheme generated over $1.2 million for North Korea and affected nearly 70 victim companies. So we've been covering this story for quite some time here. Now we finally got two guys that were operating, you know, these laptop farms, just giving them IP addresses for the North Koreans to use. Knott was sentenced to 18 months plus one year of supervised release. And then Prince was sentenced to 18 months plus three years of supervised release. And then they had to forfeit a whole shitload of money in restitution. I don't know, man. I don't know if these sentences are enough for, for the damage that these guys facilitated.
B
Well, this is traitor level operations, right? Like they. Well, it depends. If they knowingly knew, they knew that they were in cahoots with the North Korean government acting as escorts, which, you know what, we're about to get into that in a second. We're gonna get into that Microsoft escort problem in a second. All right? If these gentlemen, I'm giving the benefit of the doubt because you know what, I went through this before, I made mistakes before, and I'm going to have to give them a chance. If they knew that they were in cahoots with the North Korean government, I think that's treacherous, and I think 18 months is probably too low for that. But if it was, it was all misunderstanding and somebody hit them up on Facebook and said, hey, I'll give you 20 Gs to set up some laptops in your basement. Just let us connect to it and just shut the fuck up. Don't say anything about it. I could understand money. Money compels, right? And 18 months makes sense. It sucks. Trust me, it's gonna suck. But the good thing for them is they have a white collar crime. I think this is, this is a white collar crime, right? Yeah. Right. So this is why they have a low. For the guys that don't know in the federal. In federal cases, white collar crimes are usually a two year minimum, which is like 24 months. This case, they put it down to 18 months. There's probably some downward departure thing that happened there. Right. And so since the classification for their case is so low, they're probably going to be in like a low camp, federal camp somewhere, hanging out, playing dominoes. They're going to be chilling, don't worry about them. They'll be all right. If they had high classifications, they'll be in a, in a maximum facility getting tossed around by lifers.
A
So, I mean, I will say this popped up on our radar. But this isn't the first time. So you know, this is the. These guys were the seventh and eighth based laptop farm sentencing in the last five months. So it really seems that DOJ is kind of going after these North Korean
B
laptop farms because these are the farms that the North Koreans are using to proxy into companies. They get hired by these companies. And by the way, this is a funny shit. I have people tell me all the time this job market sucks, I can't get a job. So how the fuck are these North Koreans getting all these jobs? There's something amiss, you know what I mean? So keep that in mind. If you know what, maybe she hit the door. Committees and ask them how the hell they're getting jobs. Because they're getting jobs. If you're not. If you can't find one, they're doing it. But here's what I'll tell you though. We have convictions from the Department of Justice against people that acted as proxies and or escorts. People have gone to prison for this. So what about Microsoft? Pete Hegseth came out swinging when he found out that Microsoft was allowing employees to do exactly this. But the difference was it was allowing Chinese employees to access sensitive government systems. I don't recall anyone from Microsoft going to prison behind this. I don't like this fucking uneven situation. Maybe, Chris, maybe. Maybe I'm wrong. If I'm wrong, let me know. I'm stupid sometimes, but what's good for the goose is good for the gander. If this guy ever Prince. If ever Prince. Chris, this guy, I even know this guy. He's got a. He's got a weird middle name. I'm not gonna say that fucking name. His name is crazy. But if this guy, Eric Prince from New York, probably one of my neighbors, gotta do 18 months. What's going on in Microsoft? What about those escorts? Or the people that made the decision that allowed that to happen in the first place? Uncle Pete, if you're listening, take a look into this. There's something amiss.
A
Yeah, there's not much difference between these freaking stupid escorts who probably was not monitoring everything they freaking did. It was beneath them. I mean it was assign it to a low level guy. If you're an escort, you know it's going to be an intern, summer intern. Because I can charge, you know, 750 an hour for someone just to sit and watch the screen, not knowing really what the hell they're doing.
B
Not knowing nothing is going on. They have no, they have no clue what's going on. And so you're sitting here and you're like, hold on a second. And you're right, the 750, I'm sure I know you just made that up, but you're probably not off. In fact, it's probably more money, right?
A
It's probably more than that.
B
Yeah, it's probably way more than that. And the crazy thing is that they're
A
paying that intern, you know, 32 bucks an hour and they're charging 750 to $850 an hour for it, for a
B
Chinese actor to use their computer to access government systems. But these guys who did the same shit, probably for less money, got to go do an 18 month bid. There's something wrong here. You know what, I'm, I'm taking this up somewhere. I got to, I got to speak out. Pissing me off.
A
Free the laptop farmers.
B
Yeah, that's how. Farmers.
A
Yeah.
B
You know, think about those guys.
A
These guys are just farmers. They're just trying to, trying to do what's right and be farmer and make a couple bucks.
B
Yeah. You know, it is what it is. They did it though, you know, support your local farmer. But I'm hopeful and I haven't looked at all the recent sentencing. This is the last two guys from this, from that little farm thing. But I wonder if there was at least one that knew. There had to be at least one who's like, oh yeah, this is some North Korean shit, but I'm not going to tell the rest of these dorks, you know what I mean? So if that's the, if that was the case, how much time is that person getting? It can't be 18 months either.
A
So a little follow up on a story we get in the past. On January 9, 2024, 25-year-old Eric Council Jr. of Athens, Alabama executed a SIM swap on the phone number tied to the official U.S. Securities and Exchange Commission, the SEC, X account by printing a fake driver's license at home and impersonating an authorized user at an AT&T store in Huntsville. Co-conspirators then reset the account password and then he posted a fake announcement approving spot Bitcoin ETFs, which caused Bitcoin to spike roughly $1,000 in minutes before it crashed $2,000 after the real SEC chairman disavowed the post. So this guy, this one you used a fake ID, got into the account and was able to spike the prices. Probably made a little profit off of it.
B
I don't think it's enough, honestly, I don't think it's enough. No, this guy, this kid, because he can't be. I don't know how. Oh, 25. Yeah. He's still a kid, you know. Yeah, his frontal lobe is still developing. He's still a kid. Right. So here's the reality shout out to Athens, Alabama. I'm sure it's a pretty nice place, but homeboy put himself in such a weird predicament. Goes to show you how easy it is to engage a SIM swap. It goes to show you how easy it is to do manipulation. You know, we bring up all the time when we do a speech, Chris, about like the Tupac and Biggie story in New Zealand. Story that came out, right. It was a big laugh. We all laughed about it. But there is consequences to that. We show that it's possible to manipulate the media. In this case, this is exactly what this young gentleman did. He was able to hijack the account. He was able to boost a signal towards bitcoin from the SEC. The price of bitcoin jumped $2,000 and it crashed back down. Can I tell you something, Chris?
A
Yeah.
B
I don't think he made any fucking money off of this.
A
Well, he was sentenced to 14 months in federal prison plus $50,000 in restitution. Normally the restitution is somewhere close to the damages you caused. And just changing a Twitter account, there's not $50,000. But I'm gonna guess he probably profited somewhere off that. Yeah. The interesting thing I saw in this is that when he was arrested in October of 2024, the co-conspirator in this one who actually posted from the hijacked account, he re. He or she remained unidentified in public records.
B
Look at that.
A
You know what that means?
B
Oh, yeah, he.
A
That person used their real IP address to do it. That's how they got to him. They said, hey, council did all this. Damn that when unnamed co conspirator just means they cut a deal.
B
Wow, look at that.
A
Well, folks, you know, it just, it just highlights how easy it is for these SIM swaps. You know, we can all be victimized by SIM swaps pretty easily. And so, you know, I hope we sort of get away from the SIM based two factor authentication.
B
Yeah, I mean, look, it's tough because from my, from my personal experience back when I was hacking T-Mobile 20 years ago.
A
Right.
B
All you need is a manager's account to be able to swap out a phone, at least back then with the Watson system. That's a long time ago. Obviously that's changed. That system does not exist anymore. You probably have some new system. The truth of the matter is, bro, is that it's a privilege issue, right? If you're going to have a support staff that can only do maybe a phone repair, that person should only do a phone repair. If a person is doing sales at T-Mobile store, they should probably only be able to do sales if it requires some sort of SIM swap, this, that or the other. Then it has to go through a chain. I don't think that that employee at the T-Mobile store or the mobile store did the SIM swap themselves. They probably called T-Mobile and said, hey, I have so and so and I have his ID, he's proving his identity, yada yada yada. Then the person on the other line is the one that made the decision to say, yeah, I'm going to swap the SIM over.
A
Yeah, but I mean what sort of training has that employee been given to verify IDs?
B
Yeah. Did you ask for a Social Security number? I mean that's, that's harder to get, right? Maybe, maybe not. Did you, did they ask for like a secondary password maybe that didn't exist on the account, you know?
A
Yeah, well that's, that's the SEC's fault to not set up that on that phone number. Whatever phone number you're using to set up that account should definitely have a PIN associated with it.
B
And we always tell people have some secondary passwords, support passwords, they do exist. They, you, they will not deny you. If you call your phone service right now and say, hey, I'm concerned about SIM swapping, can we do like a PIN or a support pin, they'll absolutely set it up for you and they cannot do anything unless you provide them those pins. Using people, it works and if it still happens, and that means that you have an insider at T Mobile itself or whatever mobile system you have, service system utility, somebody in the back end just overrode that didn't care. And then at that point there's nothing you could do, unfortunately.
A
Well, friend, it's been a fun show. I've enjoyed my time with you. You've made me feel better about myself. You've made me feel the love and respect.
B
Of course, baby, listen, you're my brother from another mother. You know, they always think about you. I'm always like, let me, let me, let me bother Chris. But then I don't because I know you're fucking busy. So I'm like, let me set up a bother me.
A
So you guys got questions, reach out to us at Questions at hacker and the fed.com support us on Patreon. Much love and respect to safe. We got a Safe Hill event coming up at the end of the month. Excited to do that. Support the show at Hacker and the fed dot com. Buy your merch, buy your shirts. We would love to see people out and about wearing, wearing our shirts and our merch and hoodies and all that. Five star review wherever you download, subscribe, share us on social media. Tell your workers, co workers, tell your lovers, tell your friends, tell your boo. Listen to Hacker and the Fed. Two douchebags talking about cyber security. Hey, all right, brother.
B
Nothing wrong with that.
A
Love and respect. Cheers to you.
B
Much love, brothers. Talk to you soon. Peace. Ra.
Release Date: May 14, 2026
Hosts: Chris Tarbell & Hector Monsegur (aka Sabu)
In this fast-paced, candid episode, Chris Tarbell (ex-FBI Special Agent) and Hector Monsegur (former LulzSec/Anonymous hacker turned security professional) dissect a week packed with high-profile attacks, government leaks, crypto manipulation, and insider perspective on the shifting ethics and stakes in cybersecurity today.
The highlight: a step-by-step breakdown of the student SIM swap that spiked and crashed Bitcoin, plus critical analysis of the Shiny Hunters' attack on Canvas, ongoing nation-state hacker training in Russia, and why privacy online is now more myth than reality.
Throughout, the hosts infuse their banter with war stories, personal shout-outs, and actionable advice for cybersecurity leaders and learners alike.
[14:06 – 18:32]
“There was a funny rumor…Shiny Hunters let it go, they let go of the extortion tap because they had too many students sending them messages asking for them to update their score, you know, their grades. So, whether that’s a joke or not…” – Hector [16:36]
“Leave the fucking students alone. Come on, they’re already going through enough.” – Hector [18:01]
[23:37 – 29:10]
“What made Sabu effective as an adversary wasn’t that I’m a genius…It was structure, methodology. I knew exactly what to target, how to target…” – Hector [28:30]
[43:15 – 47:21]
“It just highlights how easy it is for these SIM swaps…We can all be victimized by SIM swaps pretty easily.” – Chris [46:01]
“From my personal experience…All you need is a manager’s account to be able to swap out a phone, at least back then…It’s a privilege issue.” – Hector [46:17–47:21]
[36:26 – 42:33]
“If these gentlemen…knew they were in cahoots with the North Korean government, I think that’s treacherous, and I think 18 months is probably too low for that.” – Hector [38:07]
“If this guy…has gotta do an 18-month bid, what’s going on in Microsoft?” – Hector [40:05]
[19:20 – 23:33]
“Your developers are your low-hanging fruit. How about you start working with them first?” – Hector [20:25]
“If you are compromised…depending on the scenario, you’re likely getting fired.” – Hector [20:59]
[29:10 – 36:17]
“I’m more surprised that they told you that this was…” – Hector [29:59]
“Stop typing stupid shit into prompts that you don’t control…Whatever you type…belongs to the owners.” – Hector [32:24]
“Privacy is not a thing anymore, especially using third-party software and applications.” – Hector [33:38]
[03:08 – 13:11; 08:41 – 11:06]
“She is a blessing…she’s a perfect example [of giving back].” – Hector [07:36]
On Modern Hacker Ethics:
“Leave the fucking students alone. Come on, they’re already going through enough.” – Hector [18:01]
On Russian Hacker Training:
“You take a tool like [Metasploit] and you put a Russian spy to use it and now they’re breaking into your network…that’s how you know you’ve lost the plot.” – Hector [25:36]
“What made Sabu effective…wasn’t that I’m a genius…It was structure, methodology.” – Hector [28:30]
On SIM Swap Dangers:
“We can all be victimized by SIM swaps pretty easily…hope we get away from SIM-based two-factor authentication.” – Chris [46:01]
“All you need is a manager’s account to be able to swap out a phone…It’s a privilege issue.” – Hector [46:17]
On Privacy in the AI Era:
“Stop typing stupid shit into prompts that you don’t control…Whatever you type…belongs to the owners…” – Hector [32:24]
“Privacy is not a thing anymore…” – Hector [33:38]
This episode blends actionable threat intelligence with raw, behind-the-scenes honesty. From the student hack that rocked cryptocurrency markets to nation-state tradecraft and the realities of digital privacy, Chris and Hector stress the importance of structure, accountability, and vigilance—for organizations and individuals alike.
If you lead, work in, or want to understand real-world cyber, this episode delivers stories, warnings, and insights you won’t get anywhere else.