Have You Ever Been Hacked?
We’ll get back to the Computronium series next week. This week, I am pulling an Interruption from the archives, a recording that appeared on my podcast feed in 2017. These “I hacked this feed” interruptions are really fun because I take these hackers into a back room at the monthly Dallas Hackers Association meeting and just talk to them, asking them a handful of vox-pop questions I keep on my phone, and compile them into these fun recordings.
Hey, this is Distinctive. You are listening to the story of eXclusivOR, but this podcast feed has been hacked!
The first Wednesday of each month, the Dallas Hackers Association meets in a really cool karaoke bar. They have CTFs, locksport, really awesome firetalks about everything. Tons of people show up every month, and I love it. DHA is the best.
And, even though they say I look, and I talk, and I act like a Fed, many of them let me record them anyway.
My hacker handle is Jek Hyde. HydeNS33k.
I go by Wirefall. I’ve had that since, about 1996.
I dunno. Do you have a name for me? What do I look like?
I go by Rexor.
Whiskey Neon: I have people call me Whiskey more than my legal name. And I feel weird if I’m being called by my legal name. So, Whiskey, is more my name than my real name.
R41nM4kr: Funny story. Back when I was a sysadmin at a company here in Texas, we were doing a data center move. Had a sev-1 outage and I don’t know exactly what I did but I ended up getting the system back up and online and ever since then my VP called me R41nM4kr because I saved the day and the name stuck.
Tinker: Alright, so Woody, what’s your handle?
Tinker: Well, there you have it.
Distinctive: It’s your real name?
Woody: It’s my real name.
Tinker: Woody is Woody and there won’t be any other Woody. My name is Tinker and that’s what my mother called me. I don’t claim to be some sort of l33t haxor or any of that dumb shit, I just take shit apart and put it back together.
Distinctive: Does it work when you put it back together?
Tinker: Fuck no.
Distinctive: How many parts do you have left over?
Tinker: I have screws left over that are loose from my own mind.
Woody: If you have parts left over, it didn’t need it!
R41nM4kr: Yes, I have been hacked in my personal life, and it’s quite embarrassing actually.
Jek: I will never say I am unhackable.
I don’t know if I’ve been hacked or not.
Wirefall: I think the only appropriate answer for this one is either “yes” or, “I don’t know.” It’s never “no.”
Tinker: Everyone’s hacked. Everything is open. There’s no state of un-hacked-ness. Of course we’ve been hacked. We’ve been hacked left and right. There’s this popular conception of, on the perimeter, defenders have to protect everything and all an offensive person, all a hacker has to do, is find one chink in the armor, the loose scale on the dragon, if you will, to get in. But once they’re on the inside, the roles flip. The attacker needs to do everything perfect and the defender needs to find one single thing to trace on back.
Commander Opsec: I’ve been hacked a couple of times, actually. This was on a home computer, on a home desktop. And this was when I was much, much younger, you know half my age now. My Start button turned into the word “Loser”. That was interesting. Saw that. Yeah, seriously man, that was the thing. I thought that was pretty interesting. Kudos to whoever did it. I spent the day wiping my OS, reinstalling. “Let’s not download from that site again.”
Distinctive: Wait, the first indication that you were hacked was…
Commander Opsec: Me finding the word “loser,” as the Start button. That was me waking up the next day, getting on my computer. Instead of “Start”, it welcomed me with “Loser.”
R41nM4kr: I happened to be hosting a WordPress blog. And, I had my credentials in clear text and they were able to ascertain that. What I had done, stupidly, was use my birthday as the password. So, the attacker happened to be from Iraq. This was during some of the US occupation and all that. He got into my email and basically locked me out of all of my social media. Then he saw a picture of my family, reached out to me on another email address and was like, “Oh, I didn’t realize you were such a nice guy, here’s everything back.” We actually ended up being pen-pals for about two years.
Jek: I had just given birth to my youngest son, and I was depressed. We were in some really dire financial straits. I was in this really weird mental space that women are often in after childbirth. I got this phone call one day, from somebody claiming to be from a daycare that my son used to attend. And they said — it had been like three years. And they said, “We have this check. It’s a reimbursement. You guys overpaid for tuition, and we really want to give it back to you guys. We need your address, so we can send this check to you.”
I was in the middle of a very intense trial. Where people wanted to hurt me and my family. Like a court trial. And, something that con artists will often do is, they will target people who are in those very vulnerable periods of transition. I was hurting for money and I was not really thinking about “is safe or not”, I was thinking, “Oh, my God, these people are offering me a safe haven right now. Like, three, four-hundred dollars worth of just peace, and I can sleep well at night, and I can pay some of my bills,” and so I was like, “yeah… here’s my address…” without really thinking about who I was speaking to. Without verifying. Without calling back. All of these things that I really encourage my clients to do now at this point. I just didn’t ask any questions.
And, I’m very fortunate. I’m very fortunate that they are exactly who they said they were. Yes, and this is not always the case.
Whiskey: My parents — when I was like nine years old — are flipping out because there’s this like, nine-hundred dollar phone bill. And it was because I had gotten some fucking dial-up ISP that I downloaded. And, it ends up being this free porn ISP, but it’s calling a 900 number for dialup. So they got charged $900 for half a day’s Internet usage.
Commander Opsec: Information security, and cyber security in general, was introduced in our generation. Prior to that, there was no such thing. It was all just open when the Internet hit.
Jek: I’ve fallen for phishes before. A lot of this was probably before I was involved in information security.
Moebius: And, being around InfoSec people, my family is like, “Oh, you’ve become so paranoid!” I don’t think I’ve become paranoid. I think I’m aware.
Tinker: I assume I’m being hacked, so I conduct my business as if I’m currently being monitored at any given time. So, when you detect being hacked, you detect failures of hacking, right? If a person is successful at hacking, you aren’t detecting it. If you’re proper hacked, you don’t know.
Distinctive: Even the best hackers can be hacked. Can it happen to you? Of course! Will it? Probably. Your best defense: pay attention. Like Moebius said, be aware. And, you know, make friends with a hacker. And, sometimes… you just gotta wipe that OS and start fresh.
But a fresh start… a fresh start can be good.
Thanks to Wirefall, the DHA, and the hackers you just heard. R41nM4kr, Tinker, Moebius, Commander Opsec, Woody, Whiskey Neon, Rexor, Bluez, Atari Codame, Jek Hyde, and Wirefall.
I’m Distinctive… even this podcast feed can be hacked.