Welcome to How They Got Hacked episode four. Welcome for four. Wow, like a whole month of this. Whole month of this. Tom Lawrence, Xavier D Johnson, Maurice Nash. All right, so yeah, whole month of this. That's... we're figuring it out. We were actually discussing, you know, there's so much that goes on before the show. If it wasn't between a lot of swearing and a lot of things maybe we can't talk about publicly, we should record it and have that show before the show. We've talked about that with my other podcast I do because the same thing happens. Like sometimes there's like an hour of, did you see this or did you see this? And we end up with one set of show notes and then we spin off into a whole other direction. And just before... the first thing we'll do is I'm gonna talk about a couple corrections. I was wrong. You were right. Whoever, go clap right now. Clap for you. You, someone on the other side of that camera. I said steel and it was an aluminum company and there were a couple details. But details matter. They matter a lot. I skimmed the article because it was a really, you know, hot topic and I wanted to talk about it. But yeah, the company did get hacked, did get CryptoLocker... LockerGoga... did get them. The other parts were true. I left links to all the articles and even some point out... the article you linked to has the correct information. I said, I know I skimmed it wrong, but I'll admit it. I did, but that's why I always leave all my sources. I'm not just spitting ideas off my head. So there. But the other thing I want to jump into is someone emailed me and asked me if I could get them information on the accounting firm. And I cannot. And the reality is, there's not anywhere that this is published. It's not like these companies that get hacked go and reach out to the news going, Hey, you want to do a story on how we got hacked? They're not going to. Matter of fact, they want no... they want to forget about the incident.
They didn't want to have to tell their clients what they did. They followed compliance. They did all the things you're supposed to do. But you're not going to find a public write-up on these things. And this is some of the stories I want to bring out and bring to light. It's kind of to raise awareness. Because too many people think I'm just trying to scare them, going, Oh, you want to sell me cybersecurity? Like, no, these companies get hacked. They don't get in the news. Where would someone publish this information? Only when these companies get sued would you even find any public information. And the only time they get sued is when they don't comply and get caught, which is not easy. And then it's buried in there. And I commented last time that some of the people I know, when they post on my forums, like skip Olivia, they post some of the legal briefings about when the companies did things wrong. He actually posted one. I think it's about the emails. I don't know if either of you read it. But it was a company that tried destroying emails and got sued and things like that. But once again, you wouldn't know until there's a lawsuit. But by the time the lawsuit happened, the event that triggered it was three years prior. So it's so far out of the news when this stuff gets settled. Everyone's long since forgot, you know, because we have about a 15 minute attention span; we're enraged about something new every five minutes. Right. That part is there: there is something new every five minutes that, yeah, enrages us. Yeah. So it's hard to follow up with the prosecutions and things like that. Second, speaking of that, I will briefly, as something popped in my head, and I didn't really share with these guys about it, but you know, talking about these companies that get hacked, I found an answer to something I didn't know about a company that got hacked. We got called in, and I got to talk to the technician on site that actually took care of it.
So I got called by a company, and they didn't want to pay what it was going to cost to have their 80 systems, 80 computer systems, unlocked from CryptoLocker. No backups, no nothing, nothing set up properly. They had RAID arrays, because RAID arrays are backups, right? But when you encrypt it, it's... well, it's redundantly encrypted now. So my advice to them was to pay the ransom, because I gave a price on basically nuke and pave, start over their whole network; that was my suggestion. They thought that was unreasonable. I said, the next option would be to pay the ransom. They said, we don't pay terrorists. I'm like, okay, good. That's what the FBI is going to tell you to do. Yeah, they said, if you don't have backups, you have to pay the ransom. And so they ended up... I found out that the other company got the bid. They called someone else that they knew and the guy put in a lot of billable hours, they paid the ransom, and it still cost them a lot of money, not just for the ransom, but the billable hours to run around putting the key in and everything, unlocking it. So unfortunately, it was a really boring phishing email, someone clicked on it. No segmented networks. Oh, yeah, this is like, they called me wanting me to help them do all this. And it's funny because I crossed paths at an event with the technician. And I was like, they paid the ransom and they released the information? Yes, he did. Because a lot of times you pay a ransom... Oh, these guys are good. Run away. These guys are good. They were professionals, the people who did the ransom, and they unleashed it and they got their documents back. So that was great. What if they still just had a beachhead sitting there waiting to press the button to re-encrypt? Or backup? Or backup. My advice is, once you get that data back, back the documents up, cross your fingers that nothing was planted in there. And then set it aside, nuke and pave, put it back. Yeah, they didn't do that. They're very...
They're low budget on technology. They're a big, big company, a big company that does not want to spend money on security. That's how they got themselves in the situation in the first place. And they're ripe for that situation. Again, this is about a year and a half ago the event occurred. But it's so funny. I ran into the technician, I recognized him. And we were talking about it like, Yeah, I think you were the other one they called. He goes, I was, I'm the one that did it. I'm like, Oh, so we sat down. Let's talk about how that story went. Once again, this company's big. If you're in Michigan, they somehow affect you, as much as I can say. They're not my clients. I'm not gonna say their name still, but they're big enough that you would know. And it happened, but there's nothing in the news about it, not even a blurb. So once again, there's not write-ups, there's not a lot of times I can point you to this. That's why we want to share these stories, because that's the kind of stuff going on. If it doesn't make the news... don't worry, we leave links. I'm never hiding my sources. But this is going on all the time; you only hear about, like I said, the Starwood hotels. It's a big company, because once you affect, you know, that quantity of people, you can't avoid the news. Usually they save face; that's why they don't disclose this information. Yeah, they don't want to talk about it. And then it's just damaging their reputation. It is. It is. And then it's also letting people know that you guys probably weren't doing good cybersecurity, things like that, that kind of ends up as the topic on there. Or they told their shareholders that they were doing good cybersecurity. Exactly. And they were getting assessments and giving reports to customers and giving reports to shareholders that still didn't paint the whole picture. Exactly. And you know, it's kind of a mess like that. And we go through PCI DSS compliance.
Hey, Willie, if you're out there, I know he's someone who I've referred to a few times. He's a friend of mine on the channel. He's done a lot of this PCI DSS. And it's like it does, but it's all kind of tongue in cheek, I feel. So another friend, he fails his PCI compliance because he's got security cameras on his network. That fails your PCI compliance. The two things are not related at all. But if you have a port open on your IP address, they think, oh, that's a security risk. Any port open on the address, for PCI, without SSL... it has to have a signed SSL cert. So if you open a port without a signed SSL cert, you're out of PCI compliance. But the camera system is a physically separate network from the credit card system. But that's the problem. That's when bureaucracy gets in and these audits are hard to do and they also don't make any sense. Because I will tell you, every major breach when it comes to this credit card stuff, they were all PCI compliant companies. Starwood was PCI compliant. Target was PCI compliant. Dave & Buster's was PCI compliant. Dave & Buster's PCI. Yeah. So many of them. So that's why it's so hard for these companies. It's not an audit trail that, hence, you know, the laws and etc.

So we'll jump off this topic because let's talk about pwning and owning. Yes. Pwning and owning a Tesla, maybe. Oh man. Do I get to keep the Tesla if I own it? You get to keep the Tesla. Oh boy. You literally get to own it if you pwn it. Little incentive out there for you guys. Very much incentive out there. Not to mention the team that won it. We'll leave a link to this. But this is Pwn2Own Vancouver 2019. Wrapping up and rolling out. Rolling out with the Tesla. So every year they do the Pwn2Own competition. Now there's a little bit of controversy to it, because this is where I like the model that HackerOne has better than Pwn2Own. Pwn2Own has been around for a while.
It's where people bring their favorite zero-days that they've acquired and really worked hard to find and then own different systems with. So they have to walk in only using whatever crafted tools they have, like a well-crafted website, and try to get someone to click on it and try to gain the vulnerability. But the scariness of it is, you know, March 22nd is when they wrapped up the Pwn2Own competition. If on March 23rd they find a zero-day, that's 364 days where, one, they hope no one else finds it, two, they hope it doesn't get patched or anything else before they get to use it. But that also means they're not out there disclosing it, because the way the Pwn2Own competition works is they submit these; even though they show what they did, the homework behind the scenes is submitted to the vendor, who's the one putting up the prize money, who gets to go patch it. So right after Pwn2Own there's patches in everything. Tesla, VMware, everything else. So it's pretty cool how it works, but that's where the HackerOne model... as soon as you get something on there they get to pull it back out and they submit it to the vendor. So as soon as you figure out the zero-day and you can prove it to HackerOne, you get paid. Yep, nice. Getting paid is always nice. Getting paid is always nice. I mean, but getting a Tesla is always better. I like it. They hacked the Tesla infotainment system. That was, uh... I don't think I can talk about my experiences with infotainment. Yeah, but it's one of those edge cases, because it's so integrated on there, but they did it. Yes, so as far as my knowledge goes, infotainment is at ring zero. In some cars out there, allegedly, there is a system in which the infotainment is the bridge. It is actually passing the signal along for the CAN bus. Because the CAN bus is a network, right?
So it gets really interesting, especially if you can, like you were talking about earlier, craft a malicious website that may be doing something like a heap spray or buffer overflow or something else to get control over memory and execution of code flow, which is... That's where all the good stuff lives. Yeah, so it's kind of interesting. I believe they browsed to a web page with the Tesla. That was the Tesla hack on there. So clever. Probably a WebKit bug. Yeah, a WebKit bug. The real impressive one, now this is the part that took me by surprise and to me stood out: so one, they were able to escape a virtual machine. So specifically VMware Player, they were able to get a crafted web page to escape to the host operating system. Now if you're familiar with how hosting environments work, they run as a series of virtual machines or sometimes Docker. So it's different types of virtualization. But obviously escaping, let's say I rent a VM at a hosting company for my own use, but escaping out of that is supposed to be impossible, as we hope. But that's where the most prize money is paid out. So we've talked about HackerOne. There's a shadier company out there called Zerodium. Zerodium is not like HackerOne. Zerodium sells these types of exploits to undisclosed clients. Regimes. Probably regimes. Okay, definitely regimes. Yeah, they sell to clients that would be considered a regime. And so they offer quite a bit of money. So a VM escape right now, I believe, is going for roughly a million dollars on Zerodium. And I'm impressed with the skill, because here's the thing. If you sell your zero-day to Zerodium for an escape on VMware, you do not get to ever speak that you did it. You get your money and then you get to shut up. So that's where Zerodium is messing up versus Pwn2Own. Pwn2Own on the other side is all about putting your name in lights, Master of Pwn, everything else. They didn't take away a million dollars from that competition.
And that one, just the one hack, I mean, don't get me wrong, Tesla, that's cool. But just that one hack of VMware probably would have fetched them way more money over on Zerodium. But that's not the hacker way. These guys are true hackers as far as I'm concerned. They're not the kind, they're not trying to screw over people, they're not trying to sell it to a regime. So that's my thoughts on that. It's impressive. I'll leave the write-up. There's a ton of other great teams out there that hacked a lot of things. I don't have time to cover all of them. Ethos, right? Keeping close to the hacker ethos and making sure that you don't allow the things that you're researching to be weaponized. Right. That's a part of our... that's the responsibility of anyone who's looking for, or turning over rocks and looking for, bugs in software. Yeah. It's one of the things, that's why we're sitting here. We're talking about it. We're sharing the links, tools, how we did things. My tutorials on this channel outside of this, it's all about sharing knowledge. I like taking stuff apart. And I got, you know, you go to one of these hacker meetups, and shout out to those. I was not able to make it myself, but some people came out to DC313. Thank you to the people that watch and came out to DC313. You are appreciated. Please come back, and for those of you who haven't been out to DC313, please come out to DC313. We will enjoy you joining us. Yeah. So that's what, you know, we're there just to sit around, talk tech, share knowledge and things like that. That's the world I grew up in. And that's what got me more into tech, when a bunch of people can share it. So now I'm taking that skill to, you know, the video platform to share it. And that's that; these guys are close to that hacker ethos, because I mean, of course the other side is, I know they're itching to drop it, how they did it. They have, I forgot how many days they have to patch.
If it's, I think, the standard 90 days disclosure they gave to VMware to come up with a patch, then they can tell, because it's one thing to win it, but then to say how they won it, they get their name in lights again in a couple of weeks when they go, all right, now that they're patched... because they won't release the source code to what they did until it's patched, and you know, they're going to be dropping it on GitHub. That's a whole new show. How to Pwn2Own. How they Pwn2Own. To Pwn2Own. Well, we're going to work on that too. Like I said, I finished my big project. I said that the other day in my vlog. So I know, and so I'm going to be able to produce more videos. I want to get back to it. But I want to do a couple of those. Me and Xavier, I think me and him can tag team where I'll do like a walkthrough. And I'll jump in on that next.

So this Sequoia Cyber Security Solutions write-up, A Pentester's Guide, Part One: OSINT, Passive Recon and Discovery of Assets. This is legal stuff. These are things that you can do legally. Yes. And you will not get in any trouble for it. No one will come and knock on your door. Yep. This is passive. He's not actively trying passwords, not doing that; this is all reconnaissance to try to figure out what pieces of information you can gather. And this is just an excellent... I love this write-up. This is well crafted. I'm looking forward to part two. Oh, he's got part two on here. He must have published it since I looked last time. And this is in the show notes. Part two, LinkedIn, not just for jobs. So he takes you through that next step of what you do with the information. Oh, what? And this is one of those walkthroughs of a combination of finding the websites, social engineering. How do we look up what domains they have? You know what he doesn't mention in here, but MxToolbox has a really cool feature. I don't know if you knew about this. So you can go to MxToolbox.
You can put in someone's host and they'll tell you who else is shared on all those IPs. Every other domain that they can find crawling the internet shared on that same IP range. I don't want it. That's a lot of information. So that's the pivot they don't talk about in here. He does it differently because he does a bunch of domain name scraping with Google and reverse engineering, because what you're looking for is all the subdomains. You can guess a lot of them. mail.thecompanyname.com, remote, RDP, gateway, vpn.thecompanyname.com, all the different DNS. It's funny, he's pulling all of them up here. And it's sad because companies are not creative in that. We come up with... dc.companyname. Oh, I know. Yeah. What the domain controller is. DC. Yeah. And this is all stuff, like I said, it's all passive. He's doing a bunch of reverse DNS lookups. And it's sad because that is, you know, when we set stuff up, I try, even though I know it's a little bit of security through obscurity, at least it's not mail.thecompanyname.com. How about this? I'm not anti security through obscurity. Right? I think that security through obscurity is another layer. Yeah. I am anti only having one layer. Right? Right. So think about this the normal way. Right? Throw in some obscurity. Throw in some, you know, routing. Throw in some rules on the firewall. Make sure that you have multiple layers into what the, you know, crown jewels are. Oh yeah. And just things like putting SSH on an odd port number. You know how much that just reduces your logs? Because the script kiddies are all day looking at default ports. Because don't worry, there's enough default ports open to keep people busy. 22, and I will also try 2222. Yeah. Yeah. So put them at a little bit of an odd number. I'm also going to try 1039. Because I don't know about you guys, but if you try and do like a release upgrade, they have to spin up that second SSH daemon on that nice low port of 1039.
And I'd love to attack your system while all of its defenses are down because it's upgrading. That sounds like fun to me. Yeah. There's those, you've got to watch for all those. So lock it all down. I can't believe people still use default. Just default creds. Oh man. All day, all day. root, toor. That's my favorite. When I go on to these hacking labs, right, like Virtual Hacking Labs, the OSCP, what's another one that we do? Hack The Box. They all tell you not to do exactly what I'm telling you that I do. I know, I know. I'm going to get comments about this. But if you just take the second that it takes to run a scanner and add root and toor as the username and password, you will own so many noob hackers, it is scary. Yeah. It's scary how many of the hackers get owned that way. Admin, admin. Well, they sell hacking kits now. So it's like if you think you want to get into it and you get some kid, he's got a few dollars and he doesn't want to take the time to actually learn, oh, I'm going to get into this real quick. He goes on, you know, wherever. I'm not going to say wherever. You go buy the kit and then they never even changed the password for it. But at least they get pwned and it just, you know, it becomes entertaining. There you go. You just use up all of his licenses by activating this crime kit everywhere.

You know, we got so distracted last time, you know, what we didn't talk about was the hackbacks. Oh yeah. Hacking back. Hacking back. So is that illegal? And maybe this is... Oh yeah, we didn't talk about the hackbacks. Yeah. So hacking back. This is the gray area. Super gray. Super gray. Let's say your company's under attack. You don't know who the attacker is. And this is all hypothetical. Not that this occurred, or maybe anyone actually did this for their company to defend against it. But then you find out the script kiddie who's really annoying also left it at perhaps the default admin and password.
The minute you type the password, you have now broken the law and you're very traceable. They can technically, but of course it would come at the expense of revealing themselves, come after you for that. But maybe you're doing everyone a favor by deleting their command and control servers and everything else and stopping a problem that's there. Where do you lie on that? This is where the morality of the gray hat, black hat... Guilty smiling guy next to me. Why are you smiling, Moe? But this is one of those things that you run into occasionally: where do you land on this? There almost has to be, at some point, some type of rules established. I mean, we have similar equivalencies. If they're shooting at me, I can shoot back in the real world. It's dangerous. I mean, I think that should be a thing. I mean, really, heck, you should be able to have that. You can have a concealed weapons permit. You can have a concealed weapon. If you are shot at, you may shoot back. That's pretty clear. There's no similar equivalency right now in the hacking world. I mean, there is, just... it's happening. There's not any laws around it, and trying to explain that to a judge. So you're brought up there and say, no, dude, the guy was trying to hack me. I went and typed admin, admin. I said, delete, man. You did what? What does this mean? What is it like? Right. Speak to your judge. Do you ever have enough time sorting out non-technical things? Oh boy. Yeah, this is a sticky one. I always tell people, just for the record, I'm throwing this out there, you should not hack back. Right. Just make sure that that's understood. I think that hacking back, although it is gratifying, you can find yourself in a situation that you can't get yourself out of. This is true. In the rare event that you're under attack by some crime mob in St. Petersburg, how do you know that they don't have a local chapter? Right. Yeah, that they don't have a whole team that, when you hack back, they're ready to hack back with.
Yeah, what if they're not hacking back and they're just coming to your house instead and setting it on fire? Right. And you do what you can. Context, yeah. We're going to the extreme route here, but generally speaking, you lay up your defenses, block the ranges that they're coming from and things like that. You double down, lock down; that's the proper thing to do. You can get DDoS protection. You can do whatever it is against what they're doing to you. The good news is at least you've identified where it's coming from and you've pinpointed it. I have a block list that I've had to create where... I showed them and I talked to them before about how I do this when I see people poking at it. So on my servers, I'm like, they've just poked one time too many and then I just block them permanently. Done. Done. So, you know, and it's funny, if they ever call me... I make notes of why I blocked anyone on my firewall side. I make notes of why they're blocked. So if they were going to call, hey, I can't get to something. I don't know, what's your IP address? Really? That's fascinating. It looks like you were scanning me from all your IP cameras. In January of 2018, you were the guy that I made a note about in my journal here. That's interesting. So, hacking back is... It's... But we need to deal with it at some point. I think there needs to be some laws addressing it, because picture companies that are much larger in scale, or the size of Amazon. If Amazon pokes back at a nation state that pokes at them, does that start off something big? Amazon's got enough data center power and they're a quasi-government entity. The Amazon government servers are the largest. They are the largest hoster of government. So is that a government attack? If Amazon DDoSes Russia... That's a lot of cyber war. It's a cyber war, but who's responsible? Is that an American attack against them? What if the government leaves... whose servers initiated it? Did Jeff Bezos press the... What was that? The Anon tool.
The low... The Ion Cannon. L-O-I-C. L-O-I-C. Low Orbit Ion Cannon. Yeah, what if... What if Bezos has got one of those buttons? He's like, I'm gonna turn the Internet off today. This has to be addressed at some point. I mean, these are serious topics. We're laughing about it, but you know, I want to know, Jeff Bezos got someone who... Those pics ain't coming out today. I'm gonna turn the Internet off. Yeah, I'd imagine he has that button, but I don't think he uses it often. He doesn't make money on the days the Internet's off. I don't get my Prime membership shipped to me, so... Yeah, the ethics around hacking back, I think, is more so where we're at in our discussion, right? I think it's less legalities, right? When there's... When there is no legislation around a certain thing or a certain topic, it all comes down to ethics. Like, how do you feel about hacking back, right? Me personally, I find it to be... I mean, beyond gratifying or rewarding, because you're getting back at someone who's probably caused so much damage, I find it to be putting a target on your back, right? Because you are now perpetrating the exact act that you're trying to defend against. Right, yeah. So as a hacker, you don't want to be attacking random systems. So think about it from a hacker's perspective. If I'm a black hat, I'm gonna attack you, but not from my laptop. I'm sorry. I'm gonna attack you from some IP cams, some routers that I've put in my pocket. You're gonna pivot off of other networks to make it really hard to find you. So now you're hacking back based on what? Those IP addresses? Right. You may be just attacking the daycare. Right. So like... It gets you in a gray area real quick. It's not the best way to do it. You know, the FBI. Yeah. Because they can do things like that, because then they can get permission, because this is... Krebs has done some good write-ups on this, of how they do that reverse investigation.
And this requires cooperation with authorities, because he had someone attacking him. They got to the point of shipping drugs to him. It's one of the most incredible stories he's got written up, and they thought they were gonna bust him. But they didn't know that by the time they tried to bust him with drugs, he'd already got their email passwords. And he's already working with authorities, like, these guys are after me. So that was what got them caught, the shipping of stuff to him to try to... Wow. Get him caught. Get him caught. Revealed their real name, because the email didn't reveal the real name, but he had some of the inside. But he completely... This was cooperating with the authorities to make all this happen. And that's an important aspect of it, because they can stop by that daycare that that IP address is registered to. Have you guys never watched the movie Hackers? Like this happened, right? The dude was like, man, we got breached. He got the Computer Fraud and Abuse Act black dude involved to kick in everyone's door. And he was the one that was doing the hacking. This is a terribly good movie from forever ago and I'm gonna watch it again. And Angelina Jolie is beautiful in that movie. She is, she is. Oh man, bring me back to the... I don't know, I don't know. It's been a while since I watched it, but I need to watch it again. That's what the best. You die like the rest. Die like the rest. And it had Penn Jillette in there. He's also here on mine. Oh yeah.

So anyways, enough of that. Next thing, let's talk about ASUS. Oh my God. Did a video on it, diving in a little, talking about some of the implications, and we're all very fascinated by this because this is a supply chain attack. And I want to do soon another video related to one. I hope there's a debrief, because we all don't know what happened. Everyone's being quiet about it. The other reason I'm bringing it up is because we now know what the 600 MAC addresses are. We don't know who they are.
We know what they are. Another security team decided to reverse engineer the binary download that was provided by Kaspersky to determine whether or not your computer contained it. They would do a hash to determine, but they would not reveal what those 600 were. They would just give you a yes or no if your computer was on said list of 600 MAC addresses. So someone else reverse engineered that, which they walk through in the write-up, and it's beautiful code. They talk of every step of the way. I'll leave a link in the show notes because it's very, very detailed, how they used every piece to reverse engineer the hash and reverse engineer the salted hash, it turns out. So they cracked the salted hash, but they did so because they had one MAC address to start with to identify where it was in the compiled binary and reversed it back out. So they showed off their skills being able to reverse engineer it. So I was impressed, because Kaspersky didn't just drop them in there, they hashed them in there. So it was equal, plus there's some head start if you're not sure how MAC addresses work. The first few octets of every MAC address are denoted to the manufacturer. So my Lenovo, the same octets are actually going to be on that one over there, because IBM Lenovo is the same thing. So they had a little bit, so it's not like they had to do this... even though it's a strong hash, it's low entropy because there's not that many options. There's a lot, but not as many. It's half as many, right? Yeah, half as many. We roll it. So that's a fascinating write-up of the attack. We just don't know how it happened or how they acquired the 600, but somehow there are 600 computers that they're looking for that this tool activates on. Only 600. I mean, ASUS sells millions of computers, but only 600 of them. How'd they get the list? This is where someone, like, originally social engineering, like, did you tip off a salesperson? I got 600 laptops destined for Washington DC. They're headed towards... or a bank.
These 600 laptops are headed to the C-suite of this bank. We know who ordered it. We know where they're destined, generally. We know one of these 600 is going to the CEO of the company, the CFO of the company. One of those people is getting it. That is targeted. That is razor sharp. That's poking a pin at it. That is, I'm really impressed. That is impressive. That's advanced persistent. Well, they have the advanced persistent threat. It's on ASUS. So they, how long were they in ASUS? Seems to be a fuzzy question. They found this on, going back to, I think it was September. It's quite a while. Don't, don't... correct me on it. I will leave a link in there. And I did get the date right in my first... my video I did dedicated to this. But picture this: they had it sitting there for a long time. And then they knew these 600. So they've already got ASUS. They've got something inside their company. They're able to push to all that live update. And it's a driver update. So this runs at the system level, which means it can bypass whatever, and it's signed by ASUS's security cert. So it's passable. It's a driver. It can install things. Its job is to reach out. It's on ring zero. Ring zero. Its job is to reach out to the internet and install things like drivers at the lowest system level to get things done. Because you need a driver update to keep you safe. But this tool, which is a trusted tool, was waiting for a MAC address; when it found it, then it downloaded a payload. So actually, Kaspersky's write-up is interesting, how they even figured it out, because they did not have one of the 600 laptops where that would have keyed it off. But it's just impressive and targeted. And it has to be a nation state behind it. The level of engineering it takes to pull this off is not arbitrary. But then again, we've seen things we thought were nation state that turned out to be, you know, Geohot. Just like, or like, what did Trump say? A 400 pound hacker.
400-pound hacker. I mean, this person's really good, but the weirdness of the targeting doesn't make me think you're a standard hacker. They don't do things like target 600 computers. That's not a, we would just hit all of them. They hit all of them to get their name in lights. I hacked this. I hacked ASUS. I got it on a million computers, whatever. Your name in lights, you know, your hacker name in lights, per se. Not your name in lights. Because if your name is in lights, there's some red and blue lights coming after you. You don't want your name in there. But the, so it's really interesting. I'm hoping, you know, we can keep up on the story as it develops and hopefully some information gets dropped on here. I really want to know who the 600 are. But yeah, that's, that's crazy. So speaking of trusted tools, you want to talk about the Office Max incident? It's not really hacking, but it's deception and scamming for sure. When the companies you think are protecting you, this is why you should never go to Office Max. And this is great. I actually, Maurice brought this up and told me, and I knew about, I did a story on the Office, the Office Max, and the fact that their tool doesn't do anything but lie. It was an investigative report. It was tipped off, I think, by one of their staff members inside, who said, yeah, that tool, it lies. You pop it in. It says there are these problems with your computer and we claim to secure it. And it doesn't. PC Checkup. Yeah, it's a PC Checkup. PC Checkup. That's given to you from the company you bought the computer from. Good old Max. Yep. Good old Max. And then explain what happens after that. So you run the PC Checkup. It tells you, you have all these problems and you have to come to us and pay all this money to get them fixed. Yeah. Yep. All this money to the tune of $330 million. $330 million. They have a $30 million fine. $30 million fine. The FTC has cited them and has charged them $30 million. Yeah.
This is one of the things I hate. It's this false sense of security. You just lied to consumers. And the way they busted them, and I demonstrated this in my video, the way they busted them was some inside people took a laptop, took it to the Office Max, had them do the PC Checkup cleanup, right? Certified clean. They went to three more Office Max stores and each one of them kept finding the same problems over again and charging them the same thing again. Wow. Literally, here's your receipt from the Office Max from an hour ago type thing, and here I'm at the next one, and oh no, you have this problem, this problem. Let me tell you this. Let me tell you this. It's like, no, I don't. I mean, that's pretty deceptive. It's just deceptive. I don't think a fine is enough. I don't think a fine is enough. Ooh, I want two more. Because you're really dealing with people's personal information. Would you like them to be tarred and feathered, Moe? Flog, ten lashes. Flog, ten lashes. We'll go with those. Flogging of all the executives responsible for this. Oh man. So it's safe to say that we're never going to get an ad. If you see an Office Depot or Office Max ad, that's ironic. It feels unlikely. It would be ironic if it shows up on here, because we're talking about Office Max, office supplies. Hopefully it's keywording on this. I'd love to see their ad on there, because I know none of you are going to buy from it. Hopefully it's the ad of them getting flogged. So it was a little exciting when we were talking about that. I thought that was interesting. I mean, back to false security, they lure people in. And unfortunately, when it comes to the PC computers, I didn't agree with this. No. When it comes to businesses, I say yes, but PC computers, like your home computer, just use Windows Defender or things like that. Don't buy a bunch of crappy stuff. It doesn't work for crap. And these companies all want to sell you something, upsell, upsell, upsell, for your home PC stuff. I don't find it.
I tell even some people we've got, like, their banking. We have some clients who just get a Chromebook, separate. You just put everything on a, put your, that on a separate Chromebook, because nothing can be loaded on it. It's locked down. You're not, you know, don't mess with it. Don't sideload it. And then use your other PC for this. I mean, there's a lot of security you've got to go through. And with the business stuff, the only reason I recommend even the tools we use for business is because we actively monitor and watch everything they're doing, making sure they're up to date and everything else. So we're, you know, on it for our clients. If you're not on it, just use Windows Defender. It's just as, just as good. Or you could just not use Windows. Or you could just not use Windows and use Linux. And I am doing a video soon on that particular topic, because a lot of people ask about using Linux. Is it more secure? The answer is not as definitive as you might think, but the trust chain model, because if you're, if you're worried about the ASUS hack but you're running Linux, I'm not worried. Because Lenovo and Komodia had a little incident a while ago where they were putting crap and stuff on the computers. And I'm not, people are like, oh, you use Lenovo. They were caught doing that. I'm like, yeah, but I run Linux, but it doesn't matter. And because the, the chain of trust is what's important. So I'm going to do a video centered around how trust chains work and how signing certificates work, and how that makes Linux very different from Windows for how you run things, and how there's less risk and the risk mitigation. And it's not Windows' fault. It's your fault for not using Windows, but the way Windows works, the way Windows is used, the way you're loading software on it is the problem. And Windows came out with a solution called Windows S, but then you can't run the programs you want. So you're back to square one of untrusted programs.
I'm not going to spiral off into the details. So that's going to be saved for a separate video to talk about that. But chains of trust are what keep that in order. That's how these businesses that do lock things down, that aren't in the news, do it: chains of trust, signed certificates, signing their own certificates for software, that's the way to do it. There you go. And Linux does it that way. So. Lay down the law. Bam. And the last thing we're going to talk about is, I brought up GeoHot. So has he lost his mind yet? He's working on it. Working on it? He's GeoWarm right now. GeoWarm. He's a genius. Hands down, bow down to the level of sophistication; if you don't know, look him up. I love GeoHot. Yeah, self-driving cars or anything else. But this video popped up. I couldn't help it, because he's engaging. If he's, if he's giving an hour talk, he did. And he's giving a talk about life is a simulation. Life is a simulation. Other people have touched on that, but he just kind of. He spent a lot of time thinking about it. A lot. It's not a drug-induced rant or anything like that. Not at all. Are we sure? Positive. I'm positive. Positive. And I actually, I liked his answer when someone asked about, do you do drugs to figure out your simulation? He goes, no, that just messes with your head. It doesn't mess with the simulation. And he said, he does comment though, it might cost some more CPU time though. He goes, you're going to run up someone's hosting bill. Wow. Oh, it's actually a fun talk. I don't think he's completely crazy. I enjoyed it. So you watched The Matrix. You watched The Matrix. I think he's watched it too. A few times. He's watched it a few too many times. What happens when you're so good at hacking? When you're GeoHot? When you can just do, the guy's a pure genius. All these hacks are brilliant. He's got to give me the zero-day for the simulation hack then. Well, and that's got to escape the simulation. That's what he talks about. It's how to escape that.
He dives into it from his hacker mentality. Okay, I've got to watch it. You have to watch it. I've got to watch it. I'll leave a link so you guys can watch it too. It's actually one of those. It's real, like, meta and things like that. But it's so kind of fun to watch. It's thought provoking. Yes. His take on it. We'll give you an idea. A little teaser here is, does Mario know he's in the simulation? Because we're the gods of Mario when we're playing. Is Mario aware? This is when they insert the Elon Musk smoking pot with the eyebrow look. Yeah. Are we in a simulation? I mean, it's really interesting, and he breaks down a lot of interesting concepts, a lot of thought-provoking stuff in there. It's fun. But I did start watching it. My first, you have to go through at least the first 10 minutes before you realize, okay, he's still rational. He's still having rational thoughts. Shout out to GeoHot. Yeah. GeoHot, if you're watching, we love you. I'm sure he's not watching. If you watch this one day. If you're watching this simulation, we watched yours. So I think that's about it. We're going to wrap up. Anything else to add? No, I have nothing special to add. Thank you to all of the fans. Thank you to everyone who came out to DC313. Yes. And to the other numerous fans that I've met that are watching the show that haven't been to DC313. Please come by to DC313. And yeah, that's it for me. Should we give a shout out to the Facebook fan you have that's going hard in the paint on your Facebook account? No. All I can say is it's hard for me to log into my Facebook. So have fun, bro. Yeah. 2FA, man. Like fucking multi, multi, multi-FA. I guess it's intense. I'm MFA all day. I'm MFA all day. Throw the M's up. All right, man. Later. Until next time. Until next time.