Loading summary
Chris Sharbo
So the FBI has issued an alert on numerous physical access attempts. We're starting to see it. We've been talking about it for a year now that we're going to see an increase in this. I'm surprised it's taken so long. But yeah, guys, people are going to try to get into your offices and try to access your machines. I mean, they already do it. If you travel with a laptop to a hotel, sure. People are going to. If they, if they're targeting you, they're going to pop open your door. How easy is it to get a hotel room key?
Hector Monsegore
Hector Monseager was responsible for some of
Chris Sharbo
the most notorious hacks ever committed.
Hector Monsegore
Special Agent Chris Tarbel and FBI informants
Chris Sharbo
participated in some of the world's most
Hector Monsegore
infamous hacks that caused up to $50 million in damages.
Chris Sharbo
A life in the shadows.
Hector Monsegore
Cyber attacks on the rise.
Chris Sharbo
Hello, our wonderful audience. Welcome to Hacker and the Fence. I'm Chris Sharbo, former FBI special agent working my entire career in cybersecurity. And I'm joined as always by my buddy, my friend, my podcast co host, Hector Monsegore. Hi, Heck.
Hector Monsegore
Hey, how you guys doing over there? What's up, brother man?
Chris Sharbo
For you fugazi's who don't realize this, Heck used to be a former black hacker who once faced 125 years in prison for as many years of hacking under the code name Sabu. Now he's addicted to nose spray, as you hear him. Suck it all in. Our stories collided in June 2011 when I arrested Heck, but then I convinced him to work with me at the FBI. Heck's now a red teamer, researcher, cybersecurity expert, and co founder of SafePill Heck. Welcome to Free Show 138.
Hector Monsegore
Oh, man, 138. We're getting old.
Chris Sharbo
I know, I know, brother. You don't have to remind me.
Hector Monsegore
Yeah, man, listen, you know, people tell me all the time, hey, you should just shave your beard, man. All the grays or something. I'm like, no, no, hold on a second. I appreciate the grades. I've showed them off. I don't care.
Chris Sharbo
You earned those grays.
Hector Monsegore
Earned that?
Chris Sharbo
That is experience.
Hector Monsegore
You know, I'm glad you feel that way because, you know, basically all the ladies in my life tell me to cut it off. I'm rocking this.
Chris Sharbo
I bet if I let my bogus grow out, it'd look exactly like that.
Hector Monsegore
Yeah. Yeah. All right. Like this. Little fuzzy.
Chris Sharbo
The gray hairs.
Hector Monsegore
Yeah.
Chris Sharbo
So we had an excellent trip to Florida. We spoke at the Ms. ISAC conference I know you're a big fan of them. Why don't you tell the audience about the organization?
Hector Monsegore
Sure, yeah. Listen, Ms. Isac, the, there's a few listeners that know exactly what we're talking about here, but they're really cool organization. They would do work with CIS and, and provide cyber security services, like SOC services at a very, very low discounted rate. We'll talk about a couple bucks per endpoint in some cases. They helped, you know, a lot of small towns and communities, cities that just don't have the budgets and of course, you know, territories like Puerto Rico, US Virgin Islands, St Thomas, et cetera, et cetera, Massive resource, you know, fantastic organization. And yeah, and we had a great showing. There was a lot of people there, man. It was a good one.
Chris Sharbo
Yeah, it was, it was a big building, huge packed crowd. So, yeah, they're not paying us to say this, we're not sponsored. But again, it's the free show. Just a good organization and they've had their funding decimated and so they need membership. So if you guys, you know, if it's something you think you could fit, something you need, Take a look at Ms. Isac guys.
Hector Monsegore
Yeah, take a look at them. And you know, all these organizations are fantastic. You know, they're out there, they're great. There's a whole bunch of them out there. There's, there, there are ones that I haven't even heard of yet or interacted with yet. So one, one thing I want to do this year is definitely research. More organizations are doing stuff like that, you know, helping out communities and cities, towns and so on, municipalities, and then seeing how we could help them, you know, even, even, you know, do a little zoom or something. I'm down with it.
Chris Sharbo
Yeah, yeah. So if you guys reach out to Ms. Isac, just tell them you heard about Hacker in the Fed and that we're helping them out and because they're a good, good partnership. So.
Hector Monsegore
That's right.
Chris Sharbo
What's going on with you, brother? Anything good and exciting coming up this week for you?
Hector Monsegore
Yeah, man, it's, it's been, it's been fun. Fantastic, bro. I mean, this week is going to be busy. I'm going to be doing a lot of research and it's a holiday, brother. What holiday? What holiday is it?
Chris Sharbo
That's America 250.
Hector Monsegore
Yeah, yeah, yeah, yeah, yeah, yeah.
Chris Sharbo
Fourth of July is on, on this week. It's going to be a big one. Remember, this comes out on Thursday.
Hector Monsegore
Ah, yeah, that's right. I'm sorry, I keep forgetting, bro. You know, I'm. I'm a little off in time, but, yes, I'm looking forward to that. I'm spend time with my family. It's to be great, you know, and make the best of it.
Chris Sharbo
I have a business field trip I got to take, so for all day Friday, I'm driving all over the east coast doing a business field trip.
Hector Monsegore
So what is that? What do you. What do you mean business? Food trip.
Chris Sharbo
I told you, I am opening a new business, so I'm going to visit similar businesses to see what I like and don't like and all that sort of thing.
Hector Monsegore
Nice. Love it.
Chris Sharbo
Yeah, me and one of the mean girls.
Hector Monsegore
Hey, let's get it, girl.
Chris Sharbo
Yep. So we'll see what happens.
Hector Monsegore
How do mean girls doing? How they holding up?
Chris Sharbo
They're doing all right. Well, I haven't seen one in a couple weeks. She's got family going on, like kids and husband and all that stuff, so I ain't seen her in a couple weeks, so. Yeah, well, the other one's doing fine.
Hector Monsegore
That's good. That's good.
Chris Sharbo
Cheeks, cheeks. Things are going well. Say, Phil.
Hector Monsegore
Yeah, man. Listen, seafood is. Is. Is doing his thing. In fact, this morning I was doing a. There's an audit of a bunch of things and looking at all the services. It's Sunday. Yeah, bro. Listen, I'm always working, bro. I can't. Bro, I can't sit here idle. You know, I'm not a thumb twiddler. You know, I'm not a titter of any sort. I got to be busy.
Chris Sharbo
Yes, you are. That's a lie. I know something that you do.
Hector Monsegore
Nah, man, that. Well, listen, I. I was. I was up this morning, was cracking away. I was doing research and auditing, and this why I hit you up early. I hit you up like at 9 o'. Clock. Hey, what's up, buddy? Let's do this podcast.
Chris Sharbo
And you're like, no, I'm busy. I'm doing something. Unfortunately. I was speaking at a church.
Hector Monsegore
Well, why is that unfortunate?
Chris Sharbo
Oh, it's not, but. Well, because we could have rooted the short early when you had all this energy.
Hector Monsegore
That's true, that's true.
Chris Sharbo
You did have quite a bit of energy in the Patriot episode today. You were all fired up.
Hector Monsegore
Oh, yeah, yeah. There's certain topics that get me riled up, get me going, you know, it's always fun.
Chris Sharbo
I was just going to say, well, speaking of the Patreon, thanks for supporting us over there. Pick up your hacker in the Fed merch. We're going to. I'm not sure when it's dropping. I know it's been designed, but we're definitely putting out a fugazi shirt. I'm not sure when it's going to be able to be put up. I'll push the merch people to put it up this week, hopefully before this episode comes out.
Hector Monsegore
Well, I'm going to tell you something. I'm going to be walking around with my little fugazi hoodie or whatever it is, and I'm going to enjoy it. I'm with it. I'm sorry.
Chris Sharbo
All right, perfect. So, yep, help us out, guys. Keep the free show free with the Patreon and the merch at hacker in the fed dot com.
Hector Monsegore
That's right.
Chris Sharbo
You ready to get into some cybers?
Hector Monsegore
Yeah, brother, man, let's do it. This is a bunch of cybers going on as usual, and I'm excited.
Chris Sharbo
I think it's a thick show. So the biggest story happening this week, we talk about it all the time. Poly Market says hackers stole user funds. So Poly Market, the decentralized prediction market platform, suffered a supply chain Compromise when a third party vendor was breached and allowed injections of Melissa JavaScript into its front end website for users. This enabled phishing style attacks that drained approximately $3 million in user crypto funds, primarily from on Polygon affected by unspecific number of users. There was at least over 11 victims in the whole thing and the funds were swapped and converted and moved on chain. So what's your thoughts on this?
Hector Monsegore
Well, when you, when you said potty market and breach, I was like, nah, that's not possible, brother. That's, you know, potty market were all over Twitter saying, oh, there's no breach. We were not compromised. We were not hacked. Oh, you guys are dumb. There's a whole back and forth between. I forgot who it was. One of the founders and one of the, one of the engineers publicly kind of mocking hackers, you know, then look what happens here. We have a situation where you have a bunch of, you know, users that were targeted and in a third party supply chain, briefs that targeted Poly Market users stole a bunch of money over Polygon. It's, it's an underlying protocol. And yeah, man, listen, $3 million, there's nothing to laugh at, bro. I mean, you know, it's, this is what happens when you have organizations that, you know, that they think that they're part of like that techno oligarchy class. They, you know, they want to act like security is, is something that they've Mastered and obviously not Maybe, you know, this is something that people don't realize. And you, you know this about me. When I was in adversary, I rarely went after the target directly, you know that I went around the target, I went to its suppliers, I went to his, you know, as providers. I went through it's DNS that were run by third parties. I would always try to gain access around the target before I hit the target. And so you know, this is a good example of if you're a business and someone claims something, you need to investigate that claim. Don't, just don't, just don't, just don't push it off and mock people because I don't think it's gonna be the last time. I think it's gonna continue. There's probably gonna be way more after this.
Chris Sharbo
Yeah, no, we always say if you're on top and polymarket certainly been on top for a little while in the predictive market platform, you know they're going to take swing in it. But I do like you sent over the International Cyber Digest sort of their breakdown of where it was.
Hector Monsegore
You saw that?
Chris Sharbo
Yeah. B Polymarket next step two. Hackers say you're compromised. Polymarket then makes fun of the hackers and says public puts out which VC paid you to post this. We had half of the CyberX cybersecurity spot on X telling you the not to taunt them. Polymarket ignored the cybersecurity experts and then two months later a third party vendor injects a malicious script into your front end and then $3 million is drained. Swapped ether compromised. Polymarket was making fun of the security reachers and this is what happens.
Hector Monsegore
Yeah, I think, I think if lessons weren't learned after this then, then they're going to be, you know, they're going to be another T Mobile, another Microsoft. They're probably going to get hit a lot more because now you got the interest of adversaries, now they, now they want to test your security. So yeah, you never want to, you know, kind of shake the hornet snatch. Definitely not.
Chris Sharbo
Well, yeah, you learned that lesson. But how many weeks, how many weeks are we just going to keep hearing about supply chain compromises? I mean, is that, is that 2026, you know, attack the vendors?
Hector Monsegore
Yeah, it's been 2026. Attack the vendors, attack the developers, attack the maintainers, attack the repositories. It's just endless. It's every day at this point. And so the people that are getting hit the most are those that are kind of maintaining these repositories. Of source code or applications, projects, platforms and then you know, any user of those of those platforms then get hit and you know, it's just, it's just a repeating cycle over and over and over. It's not going to end anytime soon.
Chris Sharbo
And as an end user there's nothing you can do to protect yourself, right? Like if there is a malicious script injection on a front end or something, you wouldn't know that. There's nothing you can do to detect it, right?
Hector Monsegore
Honestly, no. You could be anal and just disable JavaScript, right? Some people do that, they just disable JavaScript entirely. But if you're interacting with a platform, a website that leverages JavaScript very heavy, then you end up with this, right? Now you're kind of forced to deal with this. Assuming that you want to do some poly market predictions. If Poly market itself did not provide a non JavaScript like let's say a Web 1.0 type of website, then you probably need to go somewhere else, right? Because they're not, you know, they're not going to obviously you saw what happened here. They got hit by a third party JavaScript injection rather than their own JavaScript libraries being compromised. So there's not much you as an end user can do. What a developer could do from the perspective of, you know, engineering and developing code and maintaining that code is to freeze the assets, freeze the dependencies. And what that means is if you're the developer today and you're using a library, in this case it's third party vendor like vendors library and the version of that library is 1.2.3, that's the version for today. It works, it's not compromised. Fantastic. That's called a freeze. You're going to stick with it until you update, eventually later on, right? When you freeze, you're keeping things static. It works today, I'm gonna keep it at them. Now if you don't freeze your dependencies and you end up with stuff like this where the moment they're compromised, you're
Chris Sharbo
also compromised, what's the downside of the freeze then? Why wouldn't you do it every time?
Hector Monsegore
Honestly bro, I'll be honest, very honest with you here, it doesn't make any sense not to freeze because assume that this third party would have made some really drastic changes to their JavaScript library, their code in general. It would break the Poly market site at that point, you know what I mean? So you, you would want to freeze. If you know the library today at this version works today, you don't want to Chance it that it'll break in the future because then you have to do last minute fixes to get to that point. So this is a, this is complete fault of the Poly market engineers. They could have dealt with this a different way. They did it and this was a lesson I hope that they learned.
Chris Sharbo
Yeah, again I just not seeing again why you wouldn't freeze it. I guess like you said these developers are about continuity and making things work. And if something new comes along, let's use that. The problem with this, these injections cause it to go fugazi.
Hector Monsegore
It goes fugazi takes a left turn on you then. Now you look goofy. Now you look goofy on Twitter because you just made fun of the adversaries two months ago.
Chris Sharbo
So a lot of on chain tracing going on here. So you know people mark those funds and as they go through cross chain and that sort of thing. So sure they'll keep track of it. I'm sure, I'm sure the FBI or somebody's looking into it.
Hector Monsegore
Yeah, of course.
Chris Sharbo
I mean I think, I think the FBI's want to get their hooks in Polymarket anyways.
Hector Monsegore
Well, you know, listen, I don't want to politics but we already have people in the administration, there are investors in Poly markets. So naturally the FBI is probably already on this and I think we have
Chris Sharbo
people's children in the administration that are.
Hector Monsegore
That's exactly right. That's exactly right.
Chris Sharbo
Just just to be accurate.
Hector Monsegore
You hear this leftist over here guys, he bite to that.
Chris Sharbo
All right, so there's a Russian cybercrime speed hitting major law firms across the US again. Heck this is not reinvention wheel. This happened huge in 201011 somewhere around there. So silent ransomware group, which is a Russian speaking cyber criminals with alleged conti ransomware ties conducted a hybrid cyber physical attacks on major US law firms. They hired local individuals for physical access to plug in USB drives or perform recon reconnaissance enabling data theft or multi million dollar ransoms or leaks. The scope was they target multi billion dollar firms for sensitive client data. Approximately 100 million in ransom was paid in the last six months per one estimate. Numerous physical access attempts in cities like New York and Washington D.C. and at least two firms received mailed extortion letters. So we've been talking about physical access for a little while. We talked about this in Ven Florida. I went on a podcast the other day first on fraud. They did a two part one. I told a story of a thing where you know, hackers were trying to get in and trying to get in, trying to get in. They couldn't get in, so they hired some, what's the best term, ladies of the night to, to go and do some dancing at this one business. And the ladies, while they were there, plugged them thumb drives in the back of a machine. Wow.
Hector Monsegore
No way.
Chris Sharbo
Yeah, so, so, you know, little distraction, little TNA wiggle and you know, the other one is slipping thumb drives into machines, you know, and sometimes what they'll do, and we talked about this on the. They'll go in there. They'll two missions. They'll go in and they'll find like the keyboards that people are using, and then they'll simply buy the same keyboard and put the malware inside the keyboard and then plug the key, switch the keyboards out so it doesn't look like there's anything plugged in the back. You can do physical checks all you want, but the, the keyboard has malware in it.
Hector Monsegore
Well, listen, I'd rather a thumb drive in the back than a thumb in the back, so I'm glad that, you know, that's as far as it went. But yeah, I mean, it makes sense, bro. Think about it, right? So you have organizations that prioritize making money. You would think that these law firms would think these law firms, knowing the kind of information and IP and, and futures information that they have futures, you know, especially for clients that are publicly traded, you would think that they would make an investment in physical security. I would think that.
Chris Sharbo
No, I agree with you. The problem is, is that lawyers, in my experience, lawyers are the worst proponents of. I want this, I need this information at my fingertip whenever I want it. You know, they do not care. They want, they want the idea of cyber security. They do not want the implementation of cyber security.
Hector Monsegore
Well, that's a problem. And the fact that they paid out $100 million in the last six months is very telling. It's a lot of freaking money to give to these, these, these, you know, dirt bags.
Chris Sharbo
And I'm going to tell you that money comes directly out of the partner's pockets. There's no. I, I'm, I'm sure cyber, the cyber insurance is not paying out hundreds of millions of this. You know what the US army did back in the early 2000 and tens to solve this physical injury, this physical access problem?
Hector Monsegore
Well, disabled the USB drives.
Chris Sharbo
They did disable USB drives. You know how Super Glue, they simply squeezed super glue in all the USB ports and the ones that were in there simply just glued the plug right in place.
Hector Monsegore
Look at that. Yeah, I mean, that makes sense. That makes a lot of sense. And so now you start looking at this, right, and you say, well, this operation works, clearly works. How long before we have copycats doing the same? They're going to pivot away from law firms because now law firms will be aware that this is a thing.
Chris Sharbo
But can't this be simply be solved with an edr? I mean a detection of a device added to a machine is really fucking easy. It's fundamentals back into the late 90s, I mean there's a lot of,
Hector Monsegore
there's
Chris Sharbo
shit that's kept in the registry about all the devices that are attached and when they're attached and all that stuff. I mean, not hard for an EDR to detect something new has been added and to not allow it.
Hector Monsegore
Theoretically, yes, an EDR would be able to catch a lot of this. But you have to take two things into account, right?
Chris Sharbo
What's that one?
Hector Monsegore
And this is what I've seen with clients, okay? One is that EDRs are extremely expensive and so some computers will get access to edr, like a domain controller, but you know, the secretary's workstation may not really. Yeah, I've seen that a lot. I've seen that more often than not. That's number one. Number two now with, you know, frontier models being the way they are, they're able, researchers are able to take a whole bunch of different techniques and create payloads. Even, even as for like a one off engagement, they're able to kind of create a payload that's never been detected before, it's undetected. It uses all sorts of different tricks and mechanisms to either kill the EDR or avoid the edr. Run enough to exfiltrate credentials, right. Or exfoliate, whatever. And then if they're getting caught, it's whatever because then they could create a whole new payload with a whole new set of tips and tricks. So for an engagement like this, I could see someone using something really, really sophisticated. But knowing what I know, dealing with customers in the tens of thousands, potentially up to a million computers that I've dealt with. And EDR is probably not being run on some of these machines. They were caught. Yep.
Chris Sharbo
So the FBI has issued an alert on numerous physical access attempts. We're starting to see it, we've been talking about it for a year now that we're going to see an increase in this. I'm surprised it's taken so long. But yeah, guys, people are going to try to get into your offices and try to access your machines. I mean, they already do it. If you travel with a laptop to a hotel. You know, people are gonna. If they. If they're targeting you, they're gonna pop open your door. How easy is it to get a hotel room key? And you have no audit of who's coming to your room and not in your room when you're out to dinner, you leave your work laptop there. You know, small little device added to your machine. Are you gonna notice it? Maybe, maybe not. Certainly you're not crawling down under your desk when you get in the office every day and check for anything added to the back of your machine. So we're hoping that these. IT firm, you know, the IT of your company is checking for these devices being added. You know.
Hector Monsegore
Yeah. Well, you know what, here's what I say, right For. And I know we have at least one small, you know, law firm listening to us. Somebody that's. Has their own practice. That's almost a guarantee. And so here's what I'll tell you now that you know what adversaries are doing. There's a hybrid of maybe email campaign, maybe a social media campaign, maybe a text message. Now you have to be looking at your cameras. You'd be. You're going to have to make sure that your cameras are logging and recording and scoring footage. You have to make sure that. Chris just gave you an idea. Listen, if you're not using USBs in your organization, rarely using a USB, then super glue that shit.
Chris Sharbo
Disable it.
Hector Monsegore
Yeah, disable it. Or make sure that, you know, you have physical, you know, compensating controls or controls in general that are going to make it extremely difficult for someone to get into your organization. There used to be. There's a game called Rust, Chris that I played long time, for years. I love Rust and I played Rust.
Chris Sharbo
I played Rusty Trombone once.
Hector Monsegore
No, no, we're not talking about Rusty Trombone. We're talking about Russ.
Chris Sharbo
Okay, sorry.
Hector Monsegore
And Russ is like. Is a survival game where you kind of. You wake up on a beach naked. There's hundreds or, you know, players. There's hundreds of players on the server.
Chris Sharbo
And then now this is a computer game. Oh, damn it. You had me waking up naked on a beach. I was all about this, tanning my balls.
Hector Monsegore
And so you wake up and you're naked on the beach. And now you have to survive and you have to go get wood and stone and you have to build a base. And so one of the earliest tricks that people realize would help you secure your base is by putting in a lot of doors. Right. I forgot what they call that. But anyways, the point is, you know, you set up a little base. It's a wooden door, and then behind that you have a metal door. It's a multi stage, you know, defensive system. Sure. You know, these law firms have to think about how they're securing their locations, how they're dealing with the computer. Physical. Physical access.
Chris Sharbo
Yeah. I mean, I love your advice about the cameras and all that, but if no one's watching them, if no one's monitoring to them, you know, it's just to record, to see when it happened. So after you've been hacked, oh, we get to go back and find the exact date of the, when the person came in. That's it. That's all you're going to get out of a camera if no one's actively monitoring. Are there any good AI solutions for monitoring security cameras that you know of?
Hector Monsegore
You're a funny guy. Well, I'm sure there's something. There's some products out there that leverages AI, you know, like Flock, for example.
Chris Sharbo
Oh, you know Flock's new partnership with Palantir.
Hector Monsegore
Oh yeah, yeah, yeah, yeah. It's an insider for the, for the Patreon listeners. You're going to hear this and laugh after you listen to Patreon episode.
Chris Sharbo
So there could possibly be a good use of cameras in the workplace mixed with AI.
Hector Monsegore
Well, I mean if there is a. If, if there's like a detection system that also like sends you an alert like, hey, someone just broke into your shit. Do something about it.
Chris Sharbo
Yeah, somebody's walking down the, down this hallway. Who never walks down this hallway at this time of day.
Hector Monsegore
Oh yeah.
Chris Sharbo
Oh, hey, that's a janitor. This isn't an alert. Now, not to say that the janitor can't be the, the problem. I mean if I'm going to attack a place, instead of trying to get someone to sneak their way in, I'm going to try to socially engineer the janitor into doing it or straight paying them.
Hector Monsegore
Or get hired as a janitor if he knows you get a big pay over $100 million.
Chris Sharbo
Yeah, I'll put in a job as a janitor. I'll put in a job as an under desk fluffer for the secretary.
Hector Monsegore
That's right.
Chris Sharbo
That's right.
Hector Monsegore
That's an on demand. That's a big demand job right there, brother.
Chris Sharbo
So the national association of Insurance Commissioners confirmed that there was a cyber attack by shiny hunters, claiming 3.1 terabytes of data was taken. So NIAC confirmed a cyber attack Exploiting a zero day in Oracle PeopleSoft Shiny Hunters claimed responsibility for stealing approximately 3.1 terabytes of data, including insurer filings, credit ratings, AWS logs, configs and alleged PII. The attack began on May 27, part of a broader campaign hitting over 100 organizations. But NIAC didn't detect it until June 11 and then disclosed on June 17 the data leaked online after no ransom was paid. It's a lot of information going out the door, Hector. 3.1 terabytes.
Hector Monsegore
It's a lot of information. The fact that nobody saw that information leaving their networks is terrible. I mean the fact that there's AWS logs here makes me, makes me think that this was probably hosted in AWS. It's a possibility. The fact that 3.1, by the way, we talked about this before. 3.1 terabytes of data coming out of your cloud environment. Assuming that you know, the AWS logs is implication that this, you know, Oracle PeopleSoft software was running on AWS. You pay for traffic, right? So if you don't have any alert thresholds on outbound or egress traffic, then you're doing yourself a disservice. And this is the consequence of that disservice if somebody somewhere should have got an alert that hey, by the way just blew through three terabytes for data. Hey, you need to start looking at something. Here's another problem I have with this that people soft exploit that went around and you know there's over 100 organizations that was targeted. It was targeted May 27th. These guys knowing that that was happening because you know Oracle would have sent out notifications, AWS would have sent out notifications, right?
Chris Sharbo
Well, Oracle didn't send the patch didn't come out till June 10th.
Hector Monsegore
Jesus man, this. These guys are the worst.
Chris Sharbo
I will say, I will say it's funny I read in the Ex so in the article exploit the exploit vulnerabilities was an unpatched zero day in PeopleSoft. Well of all zero days are unpatched by definition.
Hector Monsegore
Oh yeah, well you know what, that, that's a great example right there folks that when, when there's a zero day and, and the vendor that you're using is not moving quick enough to deal with that zero day. This is a consequence because there was nothing they could have done aside from taking their people swap incidents down.
Chris Sharbo
Yeah but that's the thing. So PeopleSoft should have seen something. Somebody should have seen with a hundred attacks on the same, the same thing you should have seen something had going on. Maybe not. I don't Know, I would assume. I mean, that's how most of these things become patches. When you have a hundred different customers, something anomalous is happening to all of them and it's happening the same way.
Hector Monsegore
Yeah, well, that's the thing. If there's no centralized logging, then PeopleSoft Oracle's not gonna know. Right.
Chris Sharbo
I can't believe PeopleSoft is still around.
Hector Monsegore
I know. What the hell is that? This is like 35 years old at this point. Well, listen, the, the ni. The NAIC, unfortunately, they had to deal with it. Their. Their information were leaked because they did not pay the ransom. So at least kudos to them.
Chris Sharbo
Kudos to them for end of the problem.
Hector Monsegore
Not adding to the problem. You know what? I. I still, I still, you know, subscribe to President Bush Junior's we don't negotiate with terrorists. I'm still big on that. The same applies to ransomware. Don't pay the extortion attempts. I mean, they already have your data. It's already done. It sucks. It sucks to happen because, you know, you think about it, right? Going back to this, you know, there was, There was. There must have been some, Some, Some. Some knowledge that PeopleSoft was getting hit the ERP software back in May. Right. May 27th. May 28th. May 29th. By then, it's already on Twitter. People are talking about it. Even if the NAIC wanted to do something, could it. Aside from taking the software down now, this is where it becomes complicated, Chris, because some organizations are like, we're making so much money with this on running vulnerable than not. Yeah. You know, so then they have to kind of. Then they have to like, look at their risk appetite and say, well, are we willing to lose money? Or we do want to just continue with business as usual until we get hit. And that's what happened here.
Chris Sharbo
Yeah. I'd love to find out what Shiny Hunters paid for this zero deck. I'd love to know the behind the scenes.
Hector Monsegore
Well, listen, brother, the game's changed, you know, Game has changed. If you had a couple bucks in crypto, you could buy whatever the hell you want.
Chris Sharbo
Unfortunately true. Unfortunately. So we kind of teased this story. Now we're going to AI corner this hacker in the Fed is becoming AI centric in the last couple episodes. So Ford. No, it's all right. Ford hired AI and sacked humans. It backfired badly. So Ford, the automaker hired and promoted and promoted over 350 veterans, engineers, what they call gray beards, like old heck over here. After AI driven automated quality inspection systems failed to detect complex issues Causing billions in billions and quality problems. It's occurred over the last three years as part of an aggressive AI adoption in manufacturing. Humans now lead reviews and retrain AI systems. So Ford fired a bunch of people, said AI is going to do your job. And they got at the cost of billions of dollars because of it.
Hector Monsegore
Heck yeah. Well, we're gonna see a lot more of this. This is what happens when you drink the Kool Aid. Thinking that these guys, these little techno oligarchs, you know, and I changed up the, the verbiage. The, the, the, you know the terminology, Chris. I used to call them technocrats. So, you know, technocrats is wrong. You want to know why?
Chris Sharbo
Why?
Hector Monsegore
Because a technocrat would imply that they're, they're highly technical and they're smart and they're willing to help people. That's not what a techno oligarch is. They just keep taking from humanity as much as they can. This is exactly what happened here. There was a point before the last three months, the last quarter where you know, OpenAI Sam Altman would come out and say, well the idea for us is to make AI so good and so accessible that it could replace humans. Now he's backed off from that, by the way, way I'm sure you've noticed some stories recently, he doesn't believe that and he doesn't believe it in it anymore publicly. This is the consequence of that. You have organizations and companies like Ford and others, Ford in this case, that said. Yeah, you know what, that makes a lot of sense. Let's put together a system, a harness, an orchestrator, a wrapper around these frontier models. Or maybe we'll run something locally that's going to replace our gray beards. The people that have been here 20, 30 years who know the systems in and out, who know the context of these systems. And the AI does it. The AI comes in as a replacement and look what happens. You lose billions of dollars. Is anti human. I'm pro human. I don't like the idea that Ford lost money because now that's going to trickle down. That's the real trickle down effect. It's going to trickle down to the vehicles and trickle down to the rest of the employees while their CEOs get probably a nice bonus for, for figuring out they were losing money. Right. And, and now you have to rehire these 350 plus engineers, assuming they want to come back. And it's probably going to cost you a lot more. You had a really good idea on how to deal with this. What's that which is the 10 year contracts. Oh yeah, yeah.
Chris Sharbo
That's great idea. If someone's begging you to come back to work for some after they they screwed you over. Yeah. Ask for a 10 year contract. Always ask for 10 years contract. You can get a raise and all that but get guaranteed money is so much better.
Hector Monsegore
That's right.
Chris Sharbo
So we're starting to see it more and more. An Asian AI startup launched Mythos like model as Anthropic's export band drags on. So we talked about this in the last two weeks but we still have a band on Anthropic. But an Asian AI startup launched an alternative to anthropics. Restricted mythos Fable 5 models the Tokyo base Shekana Sakana AI release Fugo oh
Hector Monsegore
wait, that's close to Fugazi.
Chris Sharbo
It is close to Fugazi. The Beijing based 360 Security unveiled. I'm not even going to try to pronounce that. And what's the other one?
Hector Monsegore
And I don't know that one yet.
Chris Sharbo
Yeah, there you go. Positioned as Mythos rivals, it was triggered by an ongoing U.S. export control that was banning the foreign access to anthropics advanced models over national security and jailbreak concerns. So the export ban remains in effect as of today as recording this June 28th and partially list reported on on one model anthropic disabled Fab 5 and mythos sorry Fable 5 and mythos 5 globally for compliance shortly after the order. So we banned them. We banned access outside the country. You've told me a hundred times that China is still accessing it through VPNs or stolen credentials or US citizens selling IP access through their their machines. So the Chinese are still accessing it, but now Asian based IP AI companies are releasing competitors for it. So what's your solution to this whole thing?
Hector Monsegore
Open it up. These export controls are akin to blacklist. They're obsolete conceptually, you know, and it just doesn't work. Think about it like this. Chris. My beautiful, handsome Chris. So you're Anthropic. You have a bunch of employees that you brought in that are, you know, the half of them are American. The other half are a mix of Canadians and Mexicans and Chinese and South Koreans. Your American workers, not my company. Well, in this case Anthropic. Right.
Chris Sharbo
I'm kidding, I'm kidding.
Hector Monsegore
Not in my backyard.
Chris Sharbo
It's a joke.
Hector Monsegore
It's a joke. It's a joke. And so what happens is you probably, and this is me probably exaggerating a little bit. You know, sometimes I Exaggerate.
Chris Sharbo
What.
Hector Monsegore
But you. You probably have situations where even Anthropic's own engineers cannot access their own model because they're not American citizens. So you have this system in place that was not effective during the crypto wars. It was not effective when the United States government tried to do expert controls on. On the Mac 1 giga, 1 gigahertz, you know, processor back in the days in the 2000s. And it's not going to work with these Frontier AI models. It just doesn't make sense. It also doesn't make sense because at the same token, in the same token, you have organizations releasing open source frontier or open source models that are as effective. Remember, Mythos must. Mythos. It sounds very cool. I haven't been able to access it myself because I don't spend enough. Anthropic. And Anthropic is pay to play. You know, if you could talk about that. That's a good rant right there. But while you. While you're blocking legitimate researchers from accessing these models, adversarial researchers, the counterparts are able to access these models through auction sites in Russia and China. It's a. It's a. It's a joke. We're shooting ourselves in the foot. We're kneecapping ourselves. And we need to go beyond that. We need to rethink the strategy here.
Chris Sharbo
I'll open it up. I'll give you a chance to rant if you'd like, for the pay to play.
Hector Monsegore
Oh, man, that's. Listen, you know, that's a good one. You know what? You might do it. I might do it.
Chris Sharbo
All right. You're not going to do it and then make us cut it out of the show like you did that one time.
Hector Monsegore
Well, that one time I was worried I might get whacked. But you know what? Now I'm less fearful of that.
Chris Sharbo
I love that.
Hector Monsegore
Yeah, well, I'm less fearful now because a lot more people talking about it. You know, when you. When you and I.
Chris Sharbo
You need to lead the way, brother. You need to lead the way.
Hector Monsegore
Yeah. It's all right. Listen, You've done that before. I've done that before.
Chris Sharbo
And it only got you in trouble.
Hector Monsegore
You got me in trouble. I'd rather wait till somebody else talks about a person. Hey, you know what? I think that guy's right. I think he might be right.
Chris Sharbo
Sounds a little fugazi.
Hector Monsegore
But here's the truth, right? We have some of the brightest minds here in America. That's some really smart people here. Researchers, engineers. We have people that can do a lot of good. Now, once you start putting restrictions on those researchers and those people, you're doing a disservice to America. We have to modernize, not go backwards. Right. You know, it's, It's. I understand the concern from the United States government perspective, which is we don't want to allow adversaries to be able to access something that's so powerful that could be used and leveraged against us.
Chris Sharbo
Well, yeah, you don't want to. You don't want to leave a ladder outside your house for someone to break into the upstairs window.
Hector Monsegore
The problem is 40 people already broke in. It's already too late. Right? So taking down the. Taking down the ladder is. Is boots. You know, taking down that ladder makes. It doesn't matter anymore. That's the truth. So, you know, we need to rethink the strategy. And now I think I go on that rat now. Beatomize.
Chris Sharbo
Start it up, brother.
Hector Monsegore
So here's what you have. You have organizations like Anthropic who will put together something really cool like Mythos and even Fable 5, and they'll tell you, hey, this is a weapon. Could be a weapon. It's very dangerous. They shot themselves in the foot with that marketing, by the way. They could have kept it very simple, said, hey, we're doing this X, Y and Z, and this is how we're doing it. And it could benefit you in this way. And I think it's going to help the United States. I think it's going to help the world deal with their obvious, very obvious cyber security issues. Instead, they turn into a marketing piece. They made it into a marketing piece. And they really put themselves in a position where now the US Government has them by the throats, forcing the founders and the CEO and everybody in between to now bend the knee to the United States government. And it's led us down a path where now only a select few companies, or in the Russians and Chinese, a select few, plus the Russians and Chinese, could access something that the rest of us, like me as a researcher, could access. It could be able to help clients and help other people. What? I spoke to Anthropic. So this. This is. This is the. This is. This is the fun one for you guys. When I spoke to Anthropic, I had a meeting with them. I met with this guy, very nice guy, was introduced by somebody and another. And you know, you know how that works. I met with this guy and I said, hey, listen, I. I'm a. I'm. I run this company called Safil we have, you know, 15 researchers. We, we live and breathe in sleep security. We would love to get access to Mythos and Fable. Not this is before Fable. Let's get access to Mythos and continue our research and maybe even release some tools, open source some stuff. And I had the camera on, like we're doing it here right now, right? And the guy, the guy looks at me is like, well, Hector, what we got to do is we have to build a relationship first. And the relationship building is usually spend based. And I said, hold on a second. So that means I have to spend X amount of dollars before you consider me for that. Yeah. Okay, cool. How much do I have to spend? Well, you know, you know, some companies spend millions of dollars to get. To get access to that, right? But then, you know, you hear that I walked away dejected because I don't have millions of dollars to, to pay into something, right? And plus, we have our own servers, we have our own GPUs, we're doing a lot of local AI work. We're not reliant on something like a clock or opus. 4.7, 4.8, whatever. So mind you, I walked away a little bit dejected, like. Yeah, you know. Yeah, I guess that's how they build relationships. The more you spend, the more they consider you for access to Mythos. So they pushed away legitimate researchers because there's no other way to prove that I'm a researcher unless I spend a million dollars with you. Now, here's the thing. It is what it is. It's a free market. I could go back to OpenAI, use Cyber or GPT 5.5 Cyber. It's not a problem. I wasn't that dejected. I kind of accepted it. But then as I continue going forward in my life, I start to see more and more companies that have certain connections, certain relationships. Some of them are even startups that I know for a fact haven't raised millions of dollars, let alone or spending millions of dollars in service. And they have access to Anthropic and Mythos and all that good stuff. So here's what I tell you guys. I'll tell all of you. Listening. Once you see an organization, right? This is not me admonishing Anthropic. I'm just giving you guys an example. When you see any organization that is on the frontier of research, whether it's AI, cybersecurity, anything, and they're offering a service, access to said research, but then they release something shinier, right? Something that's more exclusive, right? But you can't access that unless you spend a certain amount of dollars or, you know, the right people, right? It's. It's fugazi. Because now you're creating a class. You're creating. You're creating a new set of clout. Oh, my God, look at my camera. You're creating a whole new subclass of people. It's. It's elitism. Now, here's what I told you. I am for opening of the models. I don't. I don't feel. I don't think. And maybe I'm wrong. And listen, I'm just a normal guy. I'm a normal guy from New York. What do I know? But kneecapping ourselves and limiting ourselves from being able to defend ourselves because you think, your opinion is that, you know, that something like that, like a mytho, should only be accessible to the best of the best. And the rest of you guys kind of sort it out and wait is bs. So just like I was full disclosure back in the 90s and 2000s. Listen, I'm full model right now. You know, open the models up, stop pushing around it. But that's it. That's my rant.
Chris Sharbo
All right, brother. Excellent show today. Excellent rant. Support Hacker and the Fed on Patreon. Support us on the merch side. Like we said at the beginning, we're going to have a new shirt coming out that says it's free. Fugazi. Hacker the fed.com to order your merch. Big thanks to Safil for their support with the. The podcast. And we're doing a. I think we're doing a live event sometime in June.
Hector Monsegore
Let's keep up with that. July. No, July.
Chris Sharbo
June's almost over. Five star reviews wherever you download. Subscribe to Hacker in the Fed. Share us on social media. Tell your co workers, tell your friends, tell your lovers, tell your podcast co
Hector Monsegore
hosts you love him.
Chris Sharbo
Check out Hacker in the Fed.
Hector Monsegore
Oh, yeah, that too.
Chris Sharbo
No, that too. All right, brother, big love to you. Cheers. Love and respect.
Hector Monsegore
Much love, Sa.
Episode: They Mocked the Hackers... Then Lost $3 Million
Hosts: Chris Tarbell & Hector Monsegur
Date: July 2, 2026
In this episode, Chris Tarbell (former FBI Special Agent) and Hector Monsegur (ex-LulzSec/Anonymous hacker "Sabu", now penetration tester) dissect recent high-profile cybersecurity breaches and trends, with emphasis on the $3 million PolyMarket hack, a resurgence of physical intrusion attacks against law firms, a massive data theft at a national agency, and AI’s pitfalls in security and enterprise. The hosts blend deep technical insight with stories from the frontlines, industry context, and the irreverent humor of two longtime friends and cyber adversaries turned allies.
[07:15–14:43]
Notable Quotes:
[15:27–25:28]
Notable Quotes:
[25:28–30:06]
Notable Quotes:
[31:16–33:29]
Notable Quotes:
[33:29–43:55]
Notable Quotes:
This episode delivers cutting, practical, and often hilarious real-world cybersecurity analysis from two unique perspectives—an ex-hacker and an ex-FBI agent. Want to understand how arrogance, poor monitoring, and misapplied AI disrupt the real world? This episode is a must-listen.