A
I think we might have to cut banter a little short today because we got some thick episode with questions at the end. We've got a lot of emails this week and I figured I'd throw a few of them in there. Shout outs to the people that reach out to us at questions@hackerandthefed.com. Hector Monsegur was responsible for some of the most notorious hacks ever committed.
B
Special Agent Chris Tarbell. Hackers and FBI informants participated in some
A
of the world's most infamous hacks that
B
caused up to $50 million in damages.
A
A life in the shadows.
B
Cyber attacks on the rise.
A
Welcome to Hacker and the Fed. I'm Chris Tarbell, former special agent working my entire career in cyber security. And I'm joined as always by my friend and podcast co-host for Hacker and the Fed. Pre show 133, Hector Monsegur. Hey, Heck.
B
Hi. Hey.
A
Hector is a former black hat hacker who once faced 125 years in prison for as many years of hacking under the code name Sabu. So if Sabu came after you, this is your dude. Our stories collided in June 2011 when I arrested Hector, but then I convinced him to work with me at the FBI. He's now a red teamer, researcher, cybersecurity expert, one hell of a guy, and co-founder of SafeHive.
B
All right, let's get it.
A
Hey, buddy, we got big fat show today. Or as you like to say, fat. Thick with three C's.
B
Thick with three C's is exactly right. It's the way I like it.
A
You, you do like it. Thick. How's life? We over on the Patreon. We just covered the Knicks. So in depth on the Knicks if you want to hear about it. But man, I got to give you your flowers over here too.
B
Hey, listen, bro, I'm excited, I'm happy. I'm, you know, I'm everything you could imagine. Horny minus the naked. Well, that too.
A
Yeah.
B
Yeah, 100%. I'm tired because my night was, was long and exciting and I went in all different type of directions. I gotta say, I'm so happy for the Knicks. Big shout out to the Eastern Conference finals champions. And of course, the ECF mvp, Jalen Brunson. You know, that's the guy right there. You can't sleep on him.
A
Well, I'm so happy for you. I wore my Knicks orange today to celebrate and I knew you would love it.
B
Oh, yeah.
A
I knew you love it. I love it. Yeah, things are going well. So, speaking of Patreon, guys, thank you for helping us join our Patreon, help support the show. We're keeping this damn show commercial free. We promise you that. We will keep it commercial free as long as you support us. Grab your Hacker and the Fed merchandise at hackerandthefed.com. So, Heck, how's SafeHive doing?
B
We haven't.
A
I haven't heard. I haven't heard much about SafeHive in the last couple of days. So what's going on there?
B
Yeah, no, listen, SafeHive is doing, you know, pretty dope. You know, a lot of interest from folks that are like, hey, so what's. What's this whole CTEM thing about? Or, hey, tell me more about, like, threat exposure management and, you know, what can we do about our source code? I'm freaking out because we have no AI policy. I don't know what our developers are doing. You know, I have no idea how our internal network looks. Hey, we'll work with the government next year. And, you know, we have to get some sort of compliance readiness going. Can you guys, you know, help us with that? So it's been. It's been really busy on that front. Also, we're in the middle of fundraising, which is really dope because we're meeting a lot of investors, a lot of people. We're answering a lot of the same questions over and over. As you guys can imagine. It's tiring. You know, we got the. We got the occasional gotcha questions. Okay, so what is the difference between this and that? You know, it's a lot of vetting. I gotta tell you guys something. I know I've said it before. If you're gonna go the. You're gonna route of, you know, getting investors involved, just be, you know, prepare yourself. It's. It's a lot of work, but, yeah, no, SafeHive's doing great. You know, we're. We're. We're kicking and driving forward, brother.
A
Good, good. Well, AI is hot in the. In the news these days. We had said that the pope release. What was it called? What did the pope release?
B
It was called the. It was actually called.
A
I put you on the spot here. No, I'm more. Not the actual document, but the. It's below a dec. Oh, yeah, yeah.
B
It's below a declaration. He released the encyclical called Magnifica Humanitas or the Magnificent Human.
A
Yeah, just basically a big warning about AI and the Pope's views on it. So that pretty much is what we covered on the Patreon episode. So again, go check that stuff out. Probably, you know, Heck, we got a lot of emails about our banter and like hearing us talking back and forth and being friends and all that. I think we might have to cut banter a little short today because we got some thick episode with questions at the end. We've got a lot of emails this week and I figured I'd throw a few of them in there. Shout outs to the people that reach out to us at questions@hackerandthefed.com. So maybe, maybe jump forward with getting into some stories. Maybe throw some banter in the middle. Throw some banter at the end. Still have fun because I love chopping it up with you. But of course, like you said, it's sick. It's thick with three C's. It's also sick.
B
Listen, it's sick. It's thick. It's whatever you want, right? I mean, it's, I'm looking forward to. I think it's some really good stories to cover less of the supply chain madness because that's, that's something that, you know, I think I'm gonna get drains of energy. We cover more of those stories here.
A
All right, let's get into it. Texas has decided to sue WhatsApp for falsely claiming messages are encrypted while allegedly accessing private communication. So Texas Attorney General Ken Patterson has filed a lawsuit on May 21 against Meta Platforms and WhatsApp in Harrison County District Court alleging that the companies misled consumers about WhatsApp end-to-end encryption by claiming messages are private, inaccessible to the company, while allegedly maintaining access to, quote, unquote, virtually all private communications for three plus billion users worldwide, with impact on Texas residents. The suit brought under the Texas Trades Practice Act. Oh, Deceptive Trades Practice Act, sorry. Seeking injunctions barring unauthorized access and monetary penalties. What are your thoughts and feelings about Meta being sued by a red state?
B
Well, this is, this is very exciting for me. Shout out to Ken Paxton. Shout out to the team out in Texas. Texas is, Texas has always been like ahead of the curve. You know, even when you know they've, they've. You could critique any governor, any state. But then Texas always surprised you with something like this. I am happy the text. You know, Texas definitely leads the red states for actors like this. They said, hey, Meta, you're claiming one thing, it's impacting our people. When we find out it's not what you're claiming, you know, it's the opposite. Now, once this came out, Chris, I saw researchers on Twitter posting evidence that's aligned with what Mr. Paxton is saying here. For example, there was one thread on infosec, Twitter or Twitter or X, where they show that WhatsApp messages, depending on the phone, depending on the system, stores clear text communications in the file system. Same with, like, you know, where it would store, like, configuration files, so locally and locally. Yeah, so. So imagine a scenario where, you know, you get kidnapped. Let's say you're a businessman, you get kidnapped, you're going to China, you're going to Nigeria, you're going wherever, you get kidnapped, they go to your phone. You're over here thinking, hey, my is secure, my shit's encrypted. No, these files are locally accessible from the phone itself. And, and your messages are probably not encrypted and they're accessible. So there's a lot of support that Paxton is getting as a result of this. And what. You know, here's my takeaway, right? My thinking is it wasn't that long ago where meta removed, quote, unquote, end to end encryption from. Was it Instagram or. Remember we covered the story like two weeks ago? Right. I wouldn't be surprised if WhatsApp goes in that same direction. Just because.
A
Why just take it off? Like, why even have the. Well, I mean, now being sued by a state, you know, and you change the way things are operating. That's. It's not a good fact.
B
Well, it's not a good. Look, it's not a good fact, but at the end of the day, they could just say, you know what, yeah, the end. The end to end thing didn't work out, we're just going to remove it altogether, just like we did with our other apps. It is what it is. Sorry, Mr. Paxton, you could, you could dismiss the lawsuit now. It's over. Right. And the thing is like this, this is just like. I think. Was it an injunction? I think they filed. So they filed a lawsuit. They haven't even gone to court yet. Right. I think that's. That's what it is.
A
Okay, I, you know, so this is kind of misleading to me. End-to-end encryption means across the wire. So you type it on your phone, it gets encrypted, and it gets sent over through the wire, through whatever systems and all that. It comes to my phone and then my phone decrypts it so I can read it.
B
Yeah.
A
How is that not end to end encryption? Like, how am I. What am I missing? Like, whether you. Like, if I said full encryption, then yes, it would be then stored on my phone locally. But end to end is device to device.
B
Yeah. Well, that is. What. What end to end should be the messages between one device to the other
A
is encrypted while transversing. It's encrypted.
B
Yeah. In the middle of transfer. Right. But then, you know, the expectation also is if you're going to encrypt over the wire, then you might as well just encrypt the messages as well and they won't be accessible even locally. Right. You would have to go through WhatsApp and you know, see the messages after you, you've authenticated, put in your PIN or whatever. But for those of you that have, like you, you've connected your phone to your web browser on a desktop and instantly all of your messages are there in plain text or your, your, your, your desktop, like, wait, what the fuck? How did that happen? Where along the way did my web browser decrypt these messages? Right there, there's, there's a lot of, like, there's a lot of nuance to it that I think people are confused about. And so I think the, according to the lawsuit though, kind of like reading through it and reading through what the points are, the points of contention there contention is that yes, it may be end to end, but employees and contractors may still get access to those messages.
A
Yeah, I think that's the point here, is that they're maintaining access to the three plus billion users messages unencrypted. How they have, I, I guess I haven't read further enough in to see how they have access to those. Yeah, but maybe they have access to the actual device, some sort with some sort of, you know, beyond physical access.
B
Sure. Well, and that's a problem, right? You can't, you know, you can't claim something and then, you know, and then it's not the truth. And then we've seen court cases where, yeah, bad people have been caught and we've seen all the chat messages on the, the indictment papers or, or you know, discovery. And you and I have asked, well, how the, did they get that if it's all encrypted? We've asked that question before. Right. And so, so what's the argument here? Well, no, what happens is we'll encrypt communication between your device and the receiver, but the messages itself, you know, it's, you're not really encrypted on your local device and those files can be accessible over the cloud. So yeah, they're not really encrypted. Encrypted. So maybe end to end is just fugazi. Maybe the concept of end to end is just bullshit. You know, maybe it's what it sounds like, which is we're only using encryption over the wire. Everything else is clear text.
A
Yeah, I mean, there's some allegations that the unencrypted storage of the messages are on the servers, you know, and then the servers, you know, enable authorized personnel to access them. So you know who's authorized? The AI agent that Meta's training.
B
Ah. Oh, you bring us full circle. Bring it to full circle.
A
Yeah. You know, if you're not being charged for something, they're using you for something. So don't, don't think your Gmail is not being used to train their AI agents with whatever, you know, pulling documents and attachments and all that.
B
That's when you, the human, become the product. Isn't that crazy?
A
Exactly. So we'll see, you know, best of luck in Texas and making sure that, you know, what people are claiming are protecting their users, really are protecting their users, because, you know, we really do pull for, you know, privacy and people just understanding exactly what these companies are doing with their data and how they're not. You know, I think that's part of the reason Hacker and the Fed have become so popular is we're demystifying some of these claims, you know, oh, this is so, you know, secure, and nobody will look at your stuff and you can say whatever you want. But every week we tell a different story. How these companies don't give a shit about your privacy. In fact, they want to exploit your privacy for their profit.
B
And you're paying them.
A
Yes.
B
Along the way. Yes. Well, going back to Texas, I love Texas. I've never had a terrible moment in Texas. It's always been a beautiful, positive thing. But I'm happy to see Texas, a red state, handling this. I'm happy that they're on the forefront of this and I hope that the other smaller states continue with it. You know what I mean?
A
Why, why do you like to see this out of a red state versus a blue state? Just for my education.
B
Yeah, Well, I mean, we've seen a lot of. Okay, give you a good example. Right. So one of the first states to require cyber insurance. Right. And I may be wrong on this, but I think California is one of the first, if not the first.
A
Okay.
B
Now, when that first happened, people were upset. Oh, this is freaking crazy. This is fucking communist, blah, blah, blah. But what did that do? Yeah. Cyber insurance is not the end all. It is not the solution. But it forced a lot of companies, especially out of that state, to start to enforce those rules, guidelines, regulations.
A
Right.
B
We've seen similar coming out of New York. We've seen similar coming out of Virginia. We've seen similar coming out of other, other states that are either, you know, in the middle or blue. And usually people are upset at those states. They're fucking tired of those states deciding that we need more and more regulations. I get it, but sometimes it's okay. Sometimes it's okay to ask fucking questions. Sometimes it's okay to say, you know what, if you get hacked, then you need to tell your, your, your, your victims, you need to tell your, your customers if you get hacked. You have to, you know, report that to the sec. Right? So, yeah, I'm pretty excited. And it's not Texas, not the first red state to do something. We've, we've, we brought up North Carolina. And who's the other state? Okay, I always get it wrong. North Carolina and Florida or Georgia for that.
A
Don't deal with ransomware.
B
Exactly.
A
North Carolina and Florida.
B
There you go. North Carolina, I love that. That's what I want to see. I want to see more of that, you know, so shout out to all these states and hopefully we see more.
A
So another big win for law enforcement and for, you know, people protecting our privacy is law enforcement has shut down a VPN service used by two dozen ransomware groups. So international law enforcement operations codename Operation Saffron, dismantled the first VPN or one VPNs is a cyber crime focused VPN service active since approximately 2014 and used at least 20 used by at least 25 ransomware groups, plus other actors for anonymizing ransomware attacks. Data theft, network scans, botnet, DDoS and fraud. 33 servers across 27 countries were taken offline and three domains were seized. Big win for European law enforcement here to kind of, you know, de, anonymize or take the security away from these ransomware groups.
B
Yeah, I'm pretty happy with this. I'm super stoked actually, because, you know, we've been saying it for a long time now. It's been like, this is like almost the 90s and 2000s and a lot of these organized groups that are doing like cyber crime are coming out of Eastern Europe. I think the one of the administrators was over there in Ukraine. They raided his house and interviewed him. Not sure they arrested him. But you know, this is something that's this long time coming. And so when you have these ransomware groups running amok and they're running infrastructure, obviously these servers, they got to connect to the Internet. They have IP addresses. The fact that it took this long to engage that I want to say, it's baffling. It makes sense. You. You yourself taught me they may be
A
in places that it's tough to get to.
B
That or there's active investigations, and that takes time.
A
Yeah, yeah. You don't want to take, you know, if you're. You're trying to get down to the, you know, people doing it behind it, you don't want to take these things offline if you can put a tap on it or something like that. Let me ask you, as a former bad guy, how do you find places like this? How do you. How do you look for bulletproof hosters or VPN services that you believe are safe? Is it just word of mouth or what are you doing?
B
Well, listen, sometimes it's just. It's just a guy that has some money and wants to make more money, a shitload of money, and they'll. They'll say, hey, you know what? I could set up, I could buy a bunch of you servers and, you know, build my own data center or take over a data center. There's aging in Eastern Europe. That's a lot. There's a lot of places, massive warehouses full of data centers that, you know, they're just collapsing. You know, if, for example, Ukraine, if there's a data center there that it hasn't been blown up by Russia yet, there's not gonna be a lot of users there. So it's easy for someone to be like, you know what? Fuck it, I'm gonna get a rack over here for like pennies on a dollar. You know, we're going to have awesome bandwidth straight into Europe and America. And, yeah, we're going to make a killing. And they do. I'll give you. I'll give you an inside story, right? So right before you arrested me, I set up a server with a data center operator. And I was like, listen, I talked to the guy. I said, listen, brother.
A
Well, first, how'd you find the guy?
B
Well, I knew the guy. I wouldn't say I knew him, but I knew him within the circuit. Okay? Right.
A
And you trusted.
B
That's the problem. You have to trust. Right. It was 50. 50. I'll be honest with you. I said, listen, brother, here's the thing. I need a server. You gotta hide it somewhere. You gotta. You can't label it. You put it somewhere. You can put it in a closet. That was a data center I had in Puerto Rico, right? I knew the guy that knew a guy that knew a guy that ran a data center. And, you know, I was like, yo, set the server up and just unlabel it and hide it somewhere and just give me the IP address and root password. I'll log right in, take care of it. And so I use that for, for like some of the like the Sunny days chats. Like there was when we got off on an ops, we went to like a private server. That's what that private store was. So you could definitely talk to these data center guys like, hey, listen, I'll give you a couple bucks, you know, hide this shit. And they'll set it up. And then when you show up, when you show up, or your counterparts and they're like, okay, where's his IP address? I don't know. Well, look at the switch. You look at the switch. Okay, where is it located? I don't know. It becomes a problem. Then you gotta take down the whole data center.
A
Yeah.
B
Now if the operators there don't know that server exists, then you're gonna have to take down the data center.
A
Right?
B
Unless you track it physically, wire that shit down, and then you find a random ass server in the middle of a closet buried by a bunch of shit. You know what I mean?
A
But that's putting a lot of trust, I mean you're putting a lot of trust in some guy in some data center somewhere to handle that and not just dime you out right there at the beginning.
B
Yeah, no, a hundred percent. Well, this is why. So for, for those of you hacker historians, you know, you've been following along all the different scenes over the years. In the early 2000s, there was a fugazi ass data center in New Jersey called. Was it Full Net? I think it was Full Net. The FBI raided the fuck out of it. But basically it's a guy with a lot of money that did exactly this. He set up, he took a lot of money, he built out a data center, bought a bunch of servers and he started renting it out to all the low lives on FNET and IRC. You know, flat rates give me 300, you know, month, don't worry, do whatever you want. And they started doing that and they made millions of dollars along the way.
A
But you want legit traffic in there too, right? Like you want to kind of hide some of that? Yeah, oh yeah.
B
You want real customers. But it didn't matter because once the FBI raided that building, it was over that whole business was what the. You know. But yeah, the whole data center space is weird. It's gray, super gray. I think, I think this still data center in New Jersey, right? Now is great. I think you've probably been to and let's just say they don't speak English there, so.
A
Yeah, I mean the problem being is the FBI needs these dirty data centers too to run its stuff, so.
B
Exactly.
A
You have to hide amongst it and kind of trust these guys. You, they know when we set stuff up and what's going on, you know? You know, so it's a, it's a foolish game we play now why the FBI hasn't set up their own stuff years ago. Sure. And maybe they have. Maybe I've been out long enough that they have. They have all that stuff where it's, you know, layers and layers deep, but it's actually in a secure place. I don't know. Back in my day, we had to go to these quote unquote gray sites to set up our infrastructure.
B
Oh, they exist. They exist here in the United States. I don't think people realize that, but what this was, was even a gray site. It was straight up black. It was a black hat data center in Eastern Europe that's had servers all around the world. And those guys went down and I don't know what happens to them. You know, I know the laws here versus Europe are way different. They may get slapped on the wrist. It might do 20 years, I don't know.
A
Yeah, the one thing that we could do around, fuck around with is like get ICANN involved and like having IPs that are listed someplace, but really there's someplace else. So. Oh yeah, that, that's where, where the, the bureau has the, the benefit of doing some things. Damn.
B
Fun times.
A
Yeah. Yeah. So good on law enforcement, good on the Europeans for, for taking this out. And again, it's sort of a whack-a-mole. You know, they're going to find some other place, but maybe it slows them down for a little bit and they have to do things. I know that you were heartbroken this week. I know it. I know that I didn't hear from you for a couple days. I knew you were sad and all that we had heard that OnlyFans had been hacked. Your whole life came crumbling down. You didn't know what to do with yourself. You thought, man, they're going to find out what the weird shit I'm into. They're going to find out my secret foot fetishes that are out there. Your life was crumbling. So apparently OnlyFans had been hacked and they were selling a complete database of the 340 million users, including data of content creators and consumers. The leaked data include usernames and profile names, email addresses, phone numbers, account creation dates, follows and subscriber metrics, creator and fan rankings, linked social media profiles, partial payments. The result was going on after a massive wave of extortions against attempted users. But then soon we found out it was Fugazi.
B
It's Fugazi. It's Fugazi. Fugazi.
A
So the hacker that was selling the 340 million onlyfans records was built from an old breach. So a threat actor under the Name euphoric replay 5727 him, whoever it is, was selling a claimed 340 million only fans linked users records a database on a cybercrime forum for about $76,000.
B
That's always a giveaway.
A
Yeah, it's gonna be worth a little bit more than that to know what every perv out there is into. Again, we come to find out it came from a matching simply the seller compiled by matching an old to like Twitter and Instagram and Spotify and public records rather than a direct breach of only fans. So, whoo, you're safe.
B
Well, listen, we've seen this before. We've seen these guys, and they're. They're usually neophytes. They're young kids. They try to make a quick buck. That's why 76,000 was the obvious giveaway was not real. Because, yeah, that would be worth in the millions probably because at that point you could extort all sorts of crypto people, you could expose all sorts of politicians, everybody in their mothers and only fans. Even if it's like, you know, one time sign up. Yeah, I've seen context of the list. I've seen journalists, you know, kind of put their opinions out and say, yeah, this is not real. This is either old breach data or generated data. A lot of it is fake. In fact, one researcher took like the. The guy, the. The adversary or the dude that was posting the. They made the post. Rather, she gave him like example, like a. Like a. I would say like a little taste. 10 or 20 accounts. All of those accounts came back with 404s. They weren't on only fans. It just. None of it was real. But yeah, you know, I was like, woof. The sweat, you know, the sweat came now. But I'm okay now. Yeah. And by the way, I don't have feet fetish. I'm just a big booty guy. That's it. Nothing. Nothing to it. I'm simple.
A
If your porn search history came out, would you be embarrassed?
B
I'll be embarrassed because it's Very basic. It's not like, you know, I'm not looking up, like, show me, you know, Japanese, you know, I don't know, whatever, right? It's, it's like, yo, I want to see some big booty. Like, that's it, that's it. There's nothing, there's nothing complex to it, right?
A
But again, you know, in your time of need and you're going through that and you know, you're like 30 seconds in, like if there was time, if it was all timestamps, when your searches were and all that, you're like, wait a minute, that big has a penis? What's going on here?
B
But it, you know, whoops, let me get the out of here.
A
You get out of there when you figure it out. But I mean, if you have timestamps, you know, you're a good 45 seconds into watching it before you figure that out.
B
No, no, no, no, no, no, I'm not doing that.
A
No, no, I'm not. I'm saying completely by mistake, you're not searching it, but it pops up and you're like, what? Huh? Wait, is that a penis? Wait a second. Oh, and then you ex out.
B
Yeah, no, I exit out immediately. Once you Adam's apple, I'm like, no, I'm out.
A
That would be my only embarrassment. That once in a while maybe I lingered a little too long.
B
Well, the sad part is if you release your history, it'll show that you clicked on that video.
A
Yeah. Oh yeah.
B
It won't show that you click out of the video immediately.
A
Yeah, look at the next one. Look how close it was. It was almost instantaneous. Please, please.
B
People don't care.
A
Forensic deep dive. Yeah, all they care about is you clicked on that one. That, that pervasive.
B
Oh yeah.
A
But stop trying to fake us out with OnlyFans. Do not mess with our only fans. People, Whoever you are, leave us alone.
B
Come on.
A
So another one? Heck, I know you don't want to talk about it because it's all that happened all the time. There was a two wave AI developer supply chain attack, of course. So threat actor TeamPCP conducted a coordinated two wave supply chain attack in April targeting the AI developer ecosystem. Wave one used a self propagating, propagating PyPI worm to compromise approximately 172 packages across the ecosystem, including TanStack, Mistral AI, Guardrails AI, a whole bunch of other room. And then wave two pushed out 5718 malicious commits to 5561 GitHub repos in under six hours to backdoor workflows for mass credential exfiltration creation. We're seeing more and more and more of this.
B
Yeah, no, this is, this is where it gets scary. So you asked me earlier about SafeHive, right. And so this is why I'll bring the conversation back to that. Because a lot of what we're discussing now with clients, especially those that have developers or have brought in contractors to do like some heavy web app lifts or web app development, right. They're kind of freaking out. So I want to give you guys the real, you know, what's, what the conversations are in the background. You have CSOs and directors of security is, directors of IT, you know, IT, people in general, managers of sorts, directors of engineering, CTOs. They're freaking out a little bit because a lot of their employees and or developers are leveraging AI like crazy. Or if not, they're using, they're, they're. If they're not leveraging AI for like business stuff, they're using it at least for development work.
A
Sure.
B
And the consequence of that, I mean AI works beautiful for that stuff. But the consequences is that a lot of these people may potentially be caught up in these supply chain drive-bys. It's happening so frequently that there's no way out of all the people listening to us right now, all the thousands of you guys listening right now, there's no way that, not that not one of you guys have not been infected thus far, whether you know it or not. Right. The amount of supply chain attacks that are happening are exponential. They're moving very quickly and it's led to a ton of massive enterprise compromises. It's led to ransomware attacks, led to extortions. And we're going to continue to see that. So the concern is, Chris, is how do we deal with this when there's no tools to help us govern use of AI? We have no idea what our developer is doing. We could tell them to use our enterprise cloud account, our enterprise OpenAI account, but we cannot enforce it. That's the concern.
A
I definitely agree that. Sorry, this is a little bit of a tangent, but there has been a massive uptick in compromises even this week. I got a message from Facebook this morning. I'm not on Facebook. In the FBI you have a thing called an AFID. So we go and get fake IDs. So you carry a fake wallet. It's a wallet with like fake credit. It's the real credit cards in your name. It's a real New York driver's license in a fake name with your picture on it. You actually go to the DMV and get your fake ID, but you build this whole persona. And one of my persona. And my persona had all these accounts and all that. I got a. I completely forgot about this Facebook account, but I got an email forward to me because my. I use your. I used another email account as recovery. And then that email account has, you know, backup to my. My real email account.
B
Sure.
A
That my AFID had logged in. And here's the. The 2FA for it. Dude, I haven't been in the FBI since 2014. I have not touched that Facebook account. Somebody popped that Facebook account and pushed out a 2FA request on it. Oh, I don't know. Somehow they. They got into it. But, you know, but that. That was the. The one I got today. I got three yesterday from different accounts. So, you know, having the 2FA, like, just kind of lets me know old accounts being popped open. But, you know, it's. It's. It's the compromise. The count of compromises are going way up.
B
Yeah, yeah, yeah.
A
So. And I know it's not a new info stealer because I got. Obviously I haven't logged into that account since 2014.
B
And even if you use like a workstation at the FBI, they must have wiped it since then.
A
Oh, yeah, they're long gone. I mean, yeah, there's no way any computer I use is still around.
B
So if you use those accounts as your Personas to log into, like, other sites and those sites got popped and bada Bing. Right. So that's how. Maybe they've compromised those accounts.
A
Well, I wouldn't use the same password. I mean, I, I'm really good about. Not like you can't even guess it. Like, like, my passwords are like, well, maybe. Okay, so maybe back in 2014 of now, my, my passwords are at least 20 characters and it is a mishmash of. It doesn't mean make sense. Yeah. So.
B
Well, let me tell you, that is crazy, the fact that you're seeing that and. Yeah, no, it's. It is absolutely a problem, and I'm not sure anybody knows how to fix it. With all the security experts and cyber security professionals and, you know, all the hackers that have turned it to the white hat side and all the tools and vibe coding and Mythos and Project glasswing and GPT Cyber and all this really cool stuff, there's still no solution for any of this nonsense, you know, and it's. It's kind of like a critique on humanity itself. Humans built these systems. Humans are breaking these systems. The inherent weakness is the human. Regardless.
A
Yeah, I mean, and the other factor is that, you know, these accounts are open. So long account I haven't logged into in over 12 years, and it's still open.
B
Hey, well, maybe Peter Thiel's right, you know, Maybe we should have AI just take over and let the humans phase out.
A
I don't know where to have this conversation with you, but I recently came up with a thing in the shower the other day about Peter.
B
Okay. Tell me about it.
A
I don't think I want to have it here online. And not because I don't believe it's not true, but because I don't want to be killed.
B
Yeah. So you're not suicidal.
A
Maybe I'll save it for Rogan. If Rogan wants to have me on. I got a fucking hell of a story about that guy.
B
Damn, it's scary. It's scary because, you know. No, it's. It's scary because I know we joke about shit like this.
A
Yeah.
B
Until we see people disappear.
A
Yeah.
B
We've seen, as a scientist. Disappeared about these fucking scientists what happened to these people. Right.
A
People are talking about it, but again, they're not doing shit about it. They're just saying, hey, man, this woman was walking through the woods. Her friend. She asked her friend a question. Her friend turned around, talked to her. Ten feet later, the girl's gone. Just gone and can't find a body or nothing. Like, what the fuck?
B
Well, we had a journalist, I think a journalist asked President Trump. He's like, yeah, we're looking into that. I haven't had any updates since then, you know, and it wasn't just here in America. It's Japan and fucking Russia.
A
I'm not going. I'm not going down the tinfoil hat, dude. But somebody shot Trump in the ear. Like, literally shot Trump in the ear. And we don't have any answers to that whatsoever. And you. You would think if that guy doesn't get any, we don't get answers to that. We're not getting answers to any of this shit.
B
Yeah. Well, okay, let's go to the next story, bro. We're treading on thin water here.
A
All right, well, FBI Director, current FBI Director Kash Patel's apparel website is reportedly hosting ClickFix malware. FBI Director Kash Patel's pre2026 apparel merch site. I guess we'll give it a free plug. Based apparel.com co founded. Yeah, co founded with Andrew Olis, was compromised and began serving a ClickFix-style attack on or about May 21st. Primarily targeting macOS visitors via a fake Cloudflare quote verify you're a human page that tricked users into copy and pasting a terminal command executing an info stealer. Then a malicious WooCommerce plugin also stole payment card data. The site was taken offline shortly after public reports. A whole shitload of stuff to go into on this one. One, why is the current FBI director got an apparel site? Two, knowing that he is a fucking major fucking target. Why would there not be crazy amounts of security done on this site? And three, how come we got no fucking updates on who fucking did this? You're the director of a powerful cyber investigating force. What the fuck, Hector?
B
I've been to the site before because I was curious. I read about this site being like. I read that he had current apparel. Yeah, yeah. I know the site predates him becoming director, but he was. There was new products, so I was curious as to what's there. Like what is our director of the FBI selling? And you know, it's. It's basically merch. You selling merch? You know, with K a dollar sign H T shirts and hats and.
A
Well, we sell merch.
B
No, I'm not, I'm not. Listen, I'm not judging the guy on the merch. It's just that, you know, I've never seen that from a director of anything within the government. But you know what I was actually going there for? I was trying to see if he was selling the bottles of cognac. You know, remember he had the liquor, the cash liquor. No, yeah, he has. He has his own liquor, bro. Forget.
A
Wow.
B
Other conversation. Yeah, conversation for another day. So I thought I could buy it there. And no, that was a flop. So anyways, and then a couple weeks, you know, in my head I'm like, damn. You know, it'd be crazy they hacked the out this website. It's probably like WordPress or something, right? Cool. Fast forward this story. The crazy thing is every supporter of Kash Patel likely have their personal information and even process credit card process information stolen as a result of this. Because for the adversary to get access to the file system to create a ClickFix payload, they would then have access to the database and all the contents on that server. Now there's not gonna be nothing national security related on there, but it is gonna have a list of all of his customers as fans.
A
Yeah.
B
And his fans might include people that are potentially national security relevant. So yeah, you're right. It would be good and wise if they actually Investigated this and figured out
A
what happened, you know, I mean, so it is very acute. So maybe I would guess that it is being investigated, you know, but you know, there was, you know, so security researcher Wi Fi Rumham, which is, you know, a trusted source in the cybersecurity world. He did, he did show that there is an exfiltration of victim data out to an attacker-controlled domain. I don't know if that domain is still active, but I mean, so there, there, there is some investigative leads here that can be done pretty easily.
B
Yeah, yikes. Is all I can tell you, brother. Just yikes.
A
Yeah. I just don't understand how, you know, how does Kash Patel, knowing that he is a major target, how does he not reach out to Safe Hill and say, hey, tighten my shit up?
B
Hey, you know what? And Safe Hill would take care of the director, take care of, you know, his organization and everything and his website, you know, but we. I never got the call, Chris. I'll be honest with you. I never got the call.
A
Yeah, yeah. I don't. Now let me ask you this. Like it pays the same. You. You tighten up a website and you know, it's nice. That's your business. You do a good job and you know, you make it as secure as possible. I mean, maybe there's like a zero day that you don't even know about. So how can you protect against that?
B
That is a problem.
A
Yeah, but like a Kash Patel website, they pay the exact same, right? Like Safe Hill doesn't charge based on who's associated with. Yeah. So. But obviously this is going to be a much richer attack environment. Like you, you know, you. You know, what website do I want to go after? I'd rather put it on the FBI director's apparel website. Or do I want to put it on Hacker in the Fed, just two schmucks that are fucking talk about cybersecurity, you know, you would think ours would be a little bit more better to protect or a little easier to protect.
B
Well, I'll tell you what. We're over here talking shit about the director's apparel site. We need to make sure our apparel site doesn't get popped too, bro.
A
Oh yeah. Maybe we should hire Safe Hill to fucking check us out.
B
There you go. Well, hell of a story. 2026, ladies and gentlemen. 2026 has been a hell of a year.
A
Yeah. I wonder though, any anything why they're going after macOS? Is it just what. That's what they had access to.
B
That is actually a great question. And so this is where I would question the research, right? I would say is it that the researcher was on a macOS and he got that payload and he tried to load up on his phone, which is an Android, it didn't pop up. So he's well maybe it's a macOS variant and. But Android's not being targeted. Who knows? You know, I don't know if anybody logged in. We don't have any information whether the researcher or the journalists loaded up the website from their Windows browser. If they did and got no results, then yeah, it might be a macOS specific. If it, if they didn't then we don't know. But usually these click just for, just for some clarity here, usually these ClickFix payloads are auto generated based off a user agent. So if it is a macOS, it'll show macOS. If it's Windows based, it'll show you a Windows system. And even more recently because the guys like me using Linux, a lot of us have moved to Linux now the Linux people are getting similar pop ups. So it's no longer a Windows OS X thing anymore.
A
So heck, we've gotten a lot of listener questions. We haven't really covered listener questions in a long time. We got feedback questions but we got four this week that I highlighted here. The first one I'm not going to, I'm going to try to sanitize a little bit because there is an open is about an open criminal investigation. So right in I. I've listened to your podcast ever since Chris was interviewed on Lex Friedman's podcast and a big fan. Thank you for being a big fan. The technical pieces that you discuss sometimes go over my head but I really love the stories of your friendship and enjoying listening to your banter and the information you share. Well, I'm sorry that our banter was cut a little short because because of these thick ass episodes. I'm not a computer, I'm not, I'm not in computers tech. I'm a couple's therapist. Probably not your target audience. We don't have a target audience. We're looking for anybody. So to see a couple's therapist listening to Hacker and the Fed, we love it. We love that, we love your insight, we love hearing from you. A lot of what you share is still relevant to personal professional life and fascinating. Never thought I would write to you too. So this is exactly what we're looking for, Hector. People maybe not in the tech space reaching out to us, listening to us and what's going on. So this user wrote in is curious about A personal story. So apparently what it was is has a family member and I'm not going to use any proper nouns or details so people can't kind of find it. A family member all of a sudden got three and a half million dollars sent into their account. This is it. Send us a link to a story online. That person then goes to the bank and withdraws roughly 10% of it out of the bank and moves it over to a personal account. You read the story online, that's it. Then been charged. They, you know, took her from her home, arrested her, brought her over to the jurisdiction this all happened in. 
And it's apparently it's an older lady. You read into the listeners email they sent into us and says that this person was only being commanded through,
B
through
A
emails to do this sort of like a money mule type situation. But an older person that was tricked into it.
B
You've seen a lot of these stories.
A
Yeah, kind of wants our take on this one. So read the story online. It doesn't mention anything about an outside influence, you know, that, that. And so I'm hoping what this is, is law enforcement just move too quickly. Has a video of this woman going to the bank, taking the money out, moving the money over to a personal account. That's all the indictment talks about. Doesn't mention anything about the defense. The woman was released on a bond. So you know, there may be some facts but apparently looking at the, you know, our listeners, and again I'm trying to cut out as much as possible. So if people can't find the exact story we're talking about, it seems like it's an easy defense. You know, there wasn't any talk about approaching the woman to get the money back, the payment. So you know, when you read the article, it was, hey, this money just showed up. This woman went to the bank, took the money out, thought it was she was going to keep it and not give it back. Get a few more details, you know, she was being manipulated, you know, elder abuse type manipulation and being frauded that you know, something might happen if you, if you don't move this money and going that way. But yeah, this stuff is happening all the time. I will tell you if money shows up in your account, then do not take it out. Do not do things if someone's online and you know, whether it's a, you know, a pig butchering scam, which we've covered all the time, like a love thing, if someone's telling you not to tell your loved ones or if someone's telling you to act fast, do things fast and get things and move things. It's. They're scamming you. Like, I know people want to be loved by others, and I can understand loneliness and I can understand everything going through, but these people are manipulating you. And now this woman is a prime example of being charged with felonies. You know, she was arrested in her home, handcuffed, flown across the country as a criminal. 
Crazy appear before a judge and all that being manipulated. Now, again, I'm telling you, there's an article that says one thing, there's a family member that says something else. So two different things here. But, you know, it just spoke to what we're seeing all the time with these fraud cases and how cyber criminals are manipulating older people to help them facilitate their cybercrime.
B
What's sad about this is that there's multiple victims here. Let's assume that the family member is correct. Okay. Family member is correct that this is exactly what happened to the person that's currently being charged. Okay? Now the sad part, I say we know this from facts. It's factual for the most part. We know this from recent stories. There was a whole war behind this in Cambodia when Thailand invaded Cambodia recently, because Cambodian. Well, let's, let's clarify. Chinese businessmen would go into Cambodia, which right now is in a really bad place economically and politically, and then they would basically do human trafficking and force people into buildings in front of computers and phones, give them a script and tell them to execute against senior citizens all around the world. Here in the United States, in Thailand is where Thailand went hard against them. And then of course, in places like, you know, Europe and France, Egypt, Germany, et cetera. So we know that's a problem. This person, if the story is correct, is a victim, though people that have been human trafficked to engage her, you know, of victims as well. And very little, very. I would say not so often do we see any sort of consequences aside from the recent activities we saw in Cambodia. It's going to continue, you know, aside from like pig butchering, which we had, you know, really good discussion on, you know, last year, Chris, or two years ago. There's so many victims. There's so many. There's so much pain, there's so much money that's stolen. There's real world consequences to this shit and very little response or action. You know, it brings me back to Obama when he made a decision to, to drone that operative out of ISIS. That, that hacker guy, you know.
A
Yeah.
B
You know, does this eventually require some sort of military Intervention. I mean, I know it sounds crazy, but should we start droning these data centers? But what about the humans that have been trafficked to those data centers? Those, those, those warehouses? Right? What the do we do? How do we deal with this?
A
Droning them?
B
Just drone them? You know, it's sad. It's sad because grand larceny is a terrible freaking thing. That's a terrible charge. There's a lot of time involved here, and for the person that is going through this, they might be more confused than anything at this point. Like, what the hell is going on? I thought I was doing the right thing.
A
Well, shout out to our couples therapist. I'm not going to name you by name because I don't want your family member to be out in any sort of way. But reach out to us if you want to talk. I'm happy to talk to you offline and go through some of the stuff that I can see that you might be able to help your family member with. So just email us back and happy to set up a time to not talk about it on the show, but give you some helpful tidbits that might help you with your family member. And just if this really is just a senior being scammed, you know, hate to see an innocent person get jammed up on this, but, you know, based on the way the article was written,
B
it doesn't seem that way. The article's written real bad.
A
Well, the article is written from the indictment. And then you write, you write an indictment with, without, you know, the mitigating facts in it. But, you know, I would hope that if, if there are mitigating factors in this whole thing, you know, the emails that are controlling people, that the cops would never even make the arrest. Sure. And so happy to talk to you about it offline if you want to reach out to us. And thanks for listening to Hacker in the Fed. We really appreciate it. Dear Hector and Chris, I have a career question. I have been interested in cyberspace for a while yet. Although I am very interested in the IT sector, my main passion is law. I hope you don't want to be a lawyer. I've been following your podcast for a while and I always hear your advice about getting started and learning the basic of ethical hacking and cybersecurity. As a recent law school graduate. Oh, I'm sorry to hear that. Oh no, I was wondering what opportunities do you see in the space for somebody who likes the sector and has the affinity for tech but doesn't want to be a coder and is looking for more of a Secondary role. How often do you have contact with lawyers? What is their background? Thanks for your help. I value your counsel. Keep up the great job. I love you guys vibe and chemistry. Kind regards from Belgium. So we got a lawyer in Belgium, so. So I can talk to the US side of these things. So, you know, when I first started getting involved, cyber was not part of US law schools. There was no whatsoever. I, I was in the bureau, I started talking at law schools, I started talking to lawyers about what the problems were seen how every time we had a cyber case, we needed to educate judges, we needed to educate lawyers about what is this? What are we talking about? You know, we're applying old telephone laws to cybercrime and trying to solve it that way.
B
That is right.
A
It is not the case anymore. You can go to a good US law school and if you are not required to take at least one cyber class, then you are, you know, you can sort of specialize in cyber law. Now. I know a lot of guys that get out. There's a lot of practices out there that focus just on cyber, cyber law, defense of cyber law, or, you know, there's a lot of prosecutors that have their own cyber division. They come out and they, that's all they do is handle cyber cases. So cyber within the law space has really blown up in the last 15 years. So I would say, again, I don't know what's going on in Belgium. We just talked about how Europol took down a big VPN on the Today show. I'm going to guess that, you know, prosecutors over there are going to get involved. You know, that's the route I took. Get inside on law enforcement side, get some experience. And then once you have that experience, you can get out and work the other side of things, you know, and you can find your line. You know, I would never work a CSAM defense case. It just wasn't my thing. I didn't, I. Everyone deserves their day in court, but I just couldn't cross the line and help, you know, find a flaw in a case of a CSAM. Someone has been accused of CSAM. So. But it's definitely out there. Heck, from you, you, you had a great cyber lawyer. We talked about it a couple weeks ago. She's now becoming a magistrate. So it's fantastic that federal magistrates have an experience in cyber crime.
B
That's right. That's right. We have a, we have a wonderful lady. She's becoming a magistrate in the, you know, over here in Brooklyn. I'm very happy. It's just Eastern in district, Eastern district of New York. Here's what I, here's what I know from here in the US it dragged a bit. It was a little bit slow. I mean, we still use cyber laws from 1988, you know, conjured up, you know, as a result of Ronald Reagan watching war games and freaking the hell out, Right? So, you know, you have to, you have to consider the fact that here in the U.S. you know, it took quite some time before we got to this point. Now in 2026, we have more FBI agents that are well versed in cyber. We have some law enforcement, you know, cops that are involved in cyber. You know, even in smaller places like, you know, where I'm from in Puerto Rico, you have little, tiny, tiny cyber division. Super. When I say tiny, like one or two people, right? But that's something. It's progress. What I do know is that there's still a lot of attorneys that are not well versed in cyber. I know this for a fact because every year I do at least one to two speeches for a law school here in the United States. And I love those people. And every year I'm getting asked by new lawyers, lawyers that are just going out into world, into the world about cyber law. Now we just read a story about an indictment that happened in the United States about a person that, you know, may have been swindled as part of a, you know, pig butchering campaign. They fell for it and then they, they acted on behalf of the adversary. The, the jerk. That's what I'm going to call that person. It's not this, it's not necessarily technical. I call him a jerk. And they got this person to do some really terrible things. 
And so where you come in, right, if you have, and you're studying ethical hacking, the basics and fundamentals of cyber security, if you could have and build up that knowledge and help people just like that woman or that person we discussed, right. Then, you know, you could take that skill, that knowledge base to actually help those kind of people. And I tell you, not only is that going to be a problem here in the United States, eventually you're going to find a case like that in Belgium. It's absolutely going to happen over there. And that's where you can come in and be very useful and be very helpful. You know, and I would even take it further. I would say that as, you know, here in the United States, we're still kind of slow with cyber laws and crime and all that. We're still using, I think we're using Updated laws from the 2000s, but that's still 20 odd years too late, too old. You know, if Belgium is in the same position where you guys have cybercrime laws from the 80s and 90s, maybe you could be a part of, you know, legislation and updating those. Right. Like, there's a lot that you can do.
A
Yeah. My experience in European law is that their cyber laws, and again, this is a little dated, don't have the teeth that ours do. There's not the, you know, there's not the punishment that comes along with what we have.
B
Yeah, it's a lot of slaps. Slaps on the wrist over there.
A
Exactly. So this one might just be a shout out, but gentlemen, been listening for a few excellent podcasts. Well, we'd love to hear that. Just heard the Anon CISO episode. Struck by the insights I received from listening, literally moved to speak. Well, I'd like to close saying you both come across as not only highly knowledgeable, but people I would enjoy speaking with. Have a great day, Robert. So thanks, Rob. Really appreciate the shout out. And yeah, again that episode with the, the Anon CISO, man, it gets so much shout out and I gotta. The person we spoke to loves hearing this.
B
Oh, they love this.
A
Eat it up. That's why I included that one.
B
Well, you know, I think that when we finally do an episode three on that series, so much has happened since episode two that I think that it's going to be another hour long conversation. There's no way that it's not going to be because you have supply chain issues that blew up overnight. Now we have ethical conundrums by means of the Pope and his encyclical. We have so many different things that are popping up right now that I would love to get that perspective.
A
So good times, Chris and Hector. Just wanted to give you guys a shout out on the podcast. Your story and friendships are awesome and I've been listening since day one. Well, thank you, sir. We appreciate you listening. I really appreciate the advice and recommendations you drop on every episode. Your show actually inspired me to change careers.
B
Really?
A
Yeah. And I'm thriving now in a real in with real time to spend with my family. Family's number one. Heck family over career. Best old man advice I can offer you. Before the switch, I was a U.S. air Force veteran and law enforcement officer with the Federal Reserve, doing everything from special response to executive protection to uniform duty. Between the work life balance and honestly just being burnt out, I knew I needed something different. So I went back to school and Got my master's in cybersecurity. Took a pay cut. I'm surprised. Taking a pay cut, but it's picking up. And started over as a Tier 2 help desk and network guy. Now I'm working as a security analyst, a backup ISO, an adjunct professor. Wow. Really? Took hacker. Took hacker in the Fed all the way. Life is good. Lastly, just want. Just recently in Puerto Rico visiting friends and. What a beautiful place. Stayed in Ricon.
B
Rincon.
A
Oh, sorry. Thank you for that. But traveled throughout the island, just taking things in. Wife now wants to relocate.
B
Oh, hey, that's what. That's what usually happens.
A
Exactly. And I took my wife there. She wanted to relocate, but I think it was be with my brown friend here, not with me. Thanks for the podcast, fellas. Hope to see you one day at a conference in Richmond, Virginia. Keep doing what you're doing. You have some ties to Richmond and going down in Richmond here soon, don't you?
B
Yeah, yeah, I'm going to be there in, In June. Yeah, I'm going to be. What's that place called? Middleburg or something over there?
A
Yeah, out that way. So I don't know if you want to let people know you got some people down in Virginia that wants to be a fan, so.
B
Yeah, yeah, yeah. I think before then I will do a. When we do an episode, I'll. I'll kind of give the detail. If people want to show up, they can show up.
A
Sounds good. But, yeah, no, sounds like this guy really was inspired by you, Hector. And so I was happy to include this, you know, thank you for your service. We just passed Memorial Day and I know that's for fallen soldiers, but it reminds me, thank you for what you do, and I am glad that you, you know, you took the leap. But again, family first. I'm a family first guy now. Whatever comes, you know, you know, I. I've mentioned it all the time and I don't want to keep repeating, but, man, family is so important. And the people you love and those that love you, put them first.
B
Oh, yeah, Well, I. I tell you, brother, you know, I. When it comes to family, you know, I. I've been. I've been. I've been one of those people where, like, you know, without my family, I'm nothing, man. I'm just. I'm just a random dude floating around in space. My family means everything to me. So, you know, yeah, let's hop careers, let's improve, let's do great things, folks. Everybody listening. Enjoy your life. Make the best of it. But Always at the end of the day, you know, get, get back to the family, hang out with them, spend time with them. Even a picture, a picture. Once in a blue moon, you could always look back and cherish those moments. And for those of you that don't have families, you got us, at the very least, hit us up, you know, we got your back.
A
People talk all the time when they ask us when we're at these speaking events and all that, you know, what did you learn from Hector and all that? And I always give them the, you know, humanized criminal to me. Like, you know, like I, I thought him as just people you, you, you arrest and punish and throw in jail and all that. But, you know, I saw I Hector, you know, transitioned from Sabu the online enemy to Hector the man and all that, but, you know, I don't give you enough credit for the family first concept. I really learned that from you. You know, I was so career driven and going after you, I'm going to become, you know, this great FBI agent. I'm going to make millions of dollars and all that. And the love you had for your family and the, the togetherness really has, you know, was the impetus that started that with me. I didn't see the importance of it until you started getting into my head, you know, now become an old man, my old man wisdom. You know, I clearly have just stolen that from you. That family, family first. You know, like, it really, it really is important. You know, we talk about heaven, we talk about hell, and you know, I truly believe, you know, heaven and hell in my mind is the what you leave behind to those that you love. You know, were you a dick? Well, guess what? You live in eternity in hell. Were you, were you great to your family? Those that love you, do they remember you in great ways? You're living in heaven forever, man. Eternally in heaven. Because the way you treated your family and friends, you don't get to always pick your family. So you know, that love you have can be for friends too. And you know, I appreciate what you did me. And when I say it, you know, no, Diddy, I straight ass love you. I really do love you, you know. You know, we, we talked about some personal before we turned the mics on this morning and you know, and you really are family and I do love you, brother.
B
It goes both ways.
A
A little bit of diddy on your side, though.
B
No, there's no, there's no baby oil over here, man.
A
But
B
I say it all the time, bro. Listen, I tell people all the time. Even today, yesterday I was talking to my boy, his friend. Friend from school, you know, and he was like, so what do you guys, you know, what are you doing? I'm like, hey, I have about to record a podcast tomorrow. I gotta go to bed or hit me up at midnight. I'm like, bro, I gotta go to sleep. I got a podcast in the morning. Like, oh, I had, I had no idea, dude. I'm like, I've told. Not only did I tell you about the podcast, but I'm doing it with the guy that, you know, that, that at some point was my adversary, you know, he said, wow, that's amazing. How did that happen? So I kind of gave him the whole run through.
A
Sure.
B
And I said, man, listen, you know, sometimes in life, you know, you. You meet people that, whether it's directly or indirectly, they change your life, they change your perspective, they improve that perspective, you know, and that's how I feel about you, Chris. I love you too, my boy. You know, that's why I'm always here for you and always very appreciative. That's why, you know, I know I don't get cringy sometimes, but whenever we, we, we're doing a conference or something.
A
Yeah.
B
And someone's like, so how do you feel about Chris? You arrest you?
A
Hahaha.
B
I'm like, well, Chris was like one of the best things ever happened to me because it led directly to me getting a fucking second chance at life. And I don't think people realize how important that second chance is. Some people go through life, Chris, without ever getting a second chance. It's always a one off and they're fucked. A one off and they got to do life in prison. A one off or they're dying. You know, the second chance is so rare that you get to appreciate life even more. You know, when people ask me, hey, were you upset that he was in prison? Nah, I was chilling. I was happy. I told you this earlier. I was happy as a clam, you know, I was not happy that I was away from my family, though. That's the only part. But aside from that, I was chilling, you know. So enjoy, folks. Enjoy what the hell you have. Make the best of it. And if you don't have it, just hit us up. We're here for you.
A
Hey, guys. Been a minute since I emailed you. I've been doing well in my Red Team management role. Sometimes it feels like drinking from a fire hydrant, but I've learned a ton recently. I've been trying to get out of my comfort zone a bit and have booked myself for two speaking engagements. A webinar for a cup for my company and a Wednesday Offensive. I guess that's a proper noun. Whatever Wednesday Offensive is, do you know about them?
B
No. I'm going to assume it's like another webinar or something.
A
Yeah. My question primarily is how do you guys deal with nervousness and get more comfortable with speaking to folks? I like talking to people in a one on one conversation, but bigger presentations have me very nervous. Appreciate it as always. So, I mean, so we've done a lot of speaking engagements. We've done a lot of public thing and come to me, it comes down to reps. When we first started doing them, I spent the whole morning before the night before throwing up. I wouldn't sleep, I'd get nervous. Yeah. And it wasn't so much like the people, it was, you know, that people paying us and they're paying us a lot of money to come talk. Are we giving them the product that they want? I think now we've come down to like we've, we've, we've done it for so long, we know exactly the product the audience wants. Sometimes the customer doesn't know that the one of the audience wants and we have to force their hand and tell them this is what your audience wants from us. Oh yeah. And so we, we've gotten that down so it's less nervous. But I get to the point now where you have to realize the subject you're talking about. You're the smartest person in the room about it. Like sure, people can try to get you with the gotcha questions and all that.
B
And, and they do, they try, they try.
A
But, but guess what? You can deflect and feed them off. You know more about what you're talking about than, than they do. Otherwise they wouldn't be asking you to talk. They wouldn't ask for your opinion. You know, and people with the gotcha questions, you can be like, just call it out, be open, honest. Hey, I don't know what you're talking about. You can say that. A lot of people get up there and don't want to be honest. I've said, you know, when we first started doing these things and someone would ask me something big I can't really talk about, it's classified or something like that. I'd use it as a crutch. I have no problem getting in front of 3,000 people and saying, hey, you know more about that little subject matter that you're bringing up than I do. What's your opinion on it? Maybe I can riff off that, but what you're talking about, I don't know anything about. I can tell you about my life experiences and my life experiences don't have that. Don't let these assholes get into your head. Don't get uncomfortable by people trying to get you with gotcha questions. You were asked to be part of, you know, your company webinar or your Wednesday Offensive because you're smart and you know what you're talking about. People have seen that. So go into that. Be confident, you know, and don't be afraid to say, I don't know the answer to that question, but let's talk it out. Give me your opinion and maybe we can riff.
B
Sure.
A
What's your advice?
B
Yeah, so I'll tell you a quick story. I, prior to having my name out there, 2012, when my name was all over the place and my face was all over the place, before that, I was a loner. I've been a loner 90% of my life. I never had to stand in front of an audience and speak. And then even then, if I had to, whether it was a school thing or maybe going out to a party or something, you know, I was always very self conscious, Chris, about the way I spoke or, you know, my education level. You know, I always felt like, damn, maybe I don't know, you know, what, you know what the hell I'm saying? Or maybe, maybe there's people in this room that are smarter than I. And so I would always get nervous. But what helped me break free from all of that anxiety was my first ever event, and that was with Suits and Spooks. You know, the thing that Jeffrey Carr had for a long time. And right after my case was done and, you know, I could speak now, I did my first speech in front of an adversarial crowd. You know, 80% of the people in the crowd were part of intelligence or former FBI agents or current FBI agents. And then there was about 20% that hated my guts. They were Anonymous. There were members of Anonymous. There, there are people that just hated me. And they would ask me the most ridiculous questions. They even call me. Yeah. I even had one guy, you know, try to like derail the whole thing and be like, you're a pedophile. And, you know, you know, they're always lying and trying to cause a ruckus. Yeah. And. And I handled that shit so smooth. You know, there was a point where I was, I was kind of telling my story. And this guy was like, that's fake. That's all a lie. You're a liar. Hector or Sabu, I don't know what your name is. And I said, you know, brother, how are you going to tell me what my story is? You know, if you have a different perspective, that's you. But you asked me for my perspective on my story. Here it is. Here's my truth. Whether you accept it or not is on you.
And so it allowed me to take control of the conversation. It allowed me to take control of that anxiety, okay? And so ever since I did speeches after that, it was the same thing. I was confidence. Chris is what would help. And even in a situation where someone tries to ask you a gotcha for some reason, people do that. I don't know what it is. Ego. I don't know. There's always Chris. They always try to hit Chris with it or they'll hit me with it. Right? And the reality is that at that moment, you're the subject matter expert. And even if you don't know the answer to the question, let's say they ask you some ridiculous, nonsensical questions, you know, take it offline. You know what, brother? Let's take it offline. We'll talk about it. You know, any other questions from the audience? Because you don't want someone else to control that. That's your time. You don't let somebody else control that time. So, yeah, leave it at that.
A
Yeah. Confidence. Going in with confidence, knowing you're the smartest motherfucker there. And if you don't want to, don't take questions. You know, you don't have to have questions. Don't let people get in there. Maybe the formats you're doing, it requires it. Again, remember, you're smarter than them. And don't be afraid to say, I don't know. It's completely fine to say, I don't know. A lot of people don't want to do that or they get embarrassed or whatnot. You know. You know, all the time. Yeah. So Hector and I have been hit left and right. Remember, a lot of people hate us. They, they hate Hector because he, you know, hacked them sometime or did some. They hate me because I made drugs impossible to buy on the Internet for a long time. You know, a lot of people, like, hit us up with, with stupid. We get them. We do it all the time, so we love it. And it's a thrill, it's a high once you come off the stage and all that you come off with, with a high and the whole thing. So, you know, get out there and. And somebody that is dedicated and is passionate about cyber security. The more voices out there, the better educate people on what's going on. So appreciate you reaching out to us. Glad that, you know, you're doing well and a long time listener. Thanks guys. We love to hear these stories. Guys, reach out to us at questions@hackerandthefed.com. Love to hear you. Support us on the Patreon. Keeping the show commercial free. That's what we want to do through the Patreon and hackerandthefed.com. Buy the merch. If there's some merch out there you want, we can make it, we can change it. If you know you want a shirt that says fugazi, we'll make sure. Just email us, let us know.
B
Yeah, let's go.
A
Five star reviews. Wherever you download or subscribe to Hacker in the Fed. Share us on social media. Tell your co workers, tell your friends, tell your lovers, tell anybody that'll listen. Hey, there's two guys that talk about cyber security and willing to share their stories. So check us out. Trying to blow up the store, blow up the show a little bit more, make it popular out there. So, friend, got a little emotion there at the end. Got some good stories. People, I don't care. Let people know. Call me diddy, I don't care. Whatever you want to call me, I don't care. Dude, I love you. I love our friendship. I love what we have. You know, we've not been physically intimate yet, but, you know, I'll leave it open to maybe the possibility, you know, we'll see where it goes. So. But love and respect. Thick, thick episode this week. Extra C's, extra C's. All right, friend.
B
All right, brother man.
A
I'll talk to you. Peace. Cheers.
Episode: Texas Just Declared War on WhatsApp
Date: May 28, 2026
Hosts: Chris Tarbell (Former FBI Special Agent), Hector "Sabu" Monsegur (Ex-LulzSec Hacker/Red Teamer)
In this “thick with three C’s” episode, Chris and Hector tackle major new stories in cybersecurity, focusing on Texas’ lawsuit against Meta/WhatsApp, the reality of end-to-end encryption, major wins against cybercriminal infrastructure, fake data breaches, and ongoing vulnerabilities in the AI developer ecosystem. The episode is rounded out with practical stories, memorable banter, and a substantial listener Q&A segment highlighting both the emotional and technical sides of cyber.
[05:28-13:54]
Background: Texas Attorney General Ken Paxton filed a lawsuit (May 21, 2026) against Meta and WhatsApp for allegedly misleading users by claiming true end-to-end encryption while allegedly retaining access to user messages.
Technical Nuance: Chris unpacks the difference between “over-the-wire” encryption vs. full device encryption:
Claims in Lawsuit: Texas asserts WhatsApp stores unencrypted messages locally and possibly on their servers, accessible to employees, contractors, or indirectly to AI agents.
Discussion of User Privacy: The hosts call out the discrepancy between marketing and practice in big tech:
[15:32-21:20]
Summary: International law enforcement dismantled the “First VPN” service – a cybercrime-focused network used since at least 2014 by ransomware groups and other criminals.
Technical Deep Dive: Hector explains why services like these persist:
Hector’s Hacker Perspective [18:31]:
Discussion of Law Enforcement Tactics:
[22:25-25:38]
Headline: Claims surfaced that 340 million OnlyFans accounts had been breached and were being sold online.
Reality: The data up for sale was cobbled together from existing or public sources, not a direct breach.
Lighthearted Banter: Hector admits to standard porn tastes – “I’m just a big booty guy. That’s it. Nothing complex.”
[27:18-33:16]
Story: Major coordinated attacks (April 2026) targeted the AI developer ecosystem (e.g., PyPI, GitHub repos) by injecting malicious code and exfiltrating developer credentials through supply chain attacks.
Industry Response: Companies are struggling to govern AI and open-source dependencies.
Chris shares a real-world case: Even ancient “fake ID” (FBI Aphid) Facebook accounts not logged in since 2014 are being targeted and compromised, highlighting the scale and persistence of current attacks.
[50:46-56:43]
Legal Careers in Cyber: US (and global) law has evolved – now law schools require or offer cyberlaw, and there’s demand for both prosecution and defense roles focused on cybercrime.
Chris [50:47]: “You can go to a good US law school and… specialize in cyber law now. I know a lot of law firms with cyber practices… It’s really blown up in the past 15 years.”
Hector [52:15]: “Still a lot of attorneys not well versed in cyber… Every year I do speeches for law schools and new lawyers asking about cyber law.”
International Perspective: Europe is catching up, but enforcement and punishments may lack the “teeth” of US law.
On Privacy as Commodity:
On Red vs Blue States in Cyber Law:
On OnlyFans “Breach” Panic:
On Cyber Law Evolution:
On Friendship & Second Chances:
| Timestamp | Segment |
|-----------|---------|
| 05:28 | Texas Sues WhatsApp/Meta: Lawsuit Details & Technical Analysis |
| 13:54 | Red vs Blue States in Cyber Law, State Initiatives |
| 15:32 | Law Enforcement Dismantles Ransomware-Linked VPN |
| 22:25 | OnlyFans "Breach": Panic vs. Reality |
| 27:18 | Supply Chain Attacks on AI Developer Ecosystem |
| 41:15 | Listener Q&A: Elder Abuse in Financial Scams |
| 50:46 | Listener Q&A: Legal Careers in Cyber Crime |
| 57:01 | Listener Q&A: Career Shift to Cybersecurity; Family & Work-Life Balance |
| 63:51 | Listener Q&A: Public Speaking Nerves, Managing Adversarial Audiences |
| 61:32-62:39 | Heartfelt Reflections on Family, Friendship, and Second Chances |
A jam-packed episode blending headline analysis and lived experience, “Texas Just Declared War on WhatsApp” peels back the curtain on how privacy claims fall flat, how cybercriminal enterprise operates in the dark corners of the net, and how technical and legal communities alike are playing catch-up. Chris and Hector’s chemistry, honesty, and warmth make the technical approachable and drive home the human realities behind every “cyber” story.
For direct questions: questions@hackerandthefed.com
Support them at hackerandthefed.com and through Patreon to keep the show commercial-free.