Transcription performed by LeahTranscribes[START OF RECORDING]
JACK: When I was in college, a scammer called me up. [MUSIC] He’s like, look, I’m not selling you anything or even telling you what to do. I just have information about a stock and I wanted to share it with someone, and you were just the lucky guy I found in the phone book. Listen; Stock Z is gonna go up next week. That’s all. I’ll call you back next week to prove it. I was like, alright, that was a strange call. Whatever. Yeah, he calls me back in a week and sure enough, the stock he told me about went way up. He was spot on. He was all excited about how much money he made. But I told him, you just got lucky, and he should cash out and take a trip somewhere. He’s like, no, no, no, it’s not luck. There’s an algorithm that can accurately predict this, and he said he knew which stock was gonna go up next. I was like, alright, so which one’s gonna go up next? He tells me and says to keep an eye on it and he’s gonna call me back next week to prove he was right. So, yeah, another week goes by, and the same guy calls me back and he’s like, boom. You see what I mean? He was all excited again and I was like, I don’t see what you mean, but let me check the price. I checked the price and again he was right. I was like, dang, good job, but I think you got lucky again. He said, no, he’s been doing this for a solid year now and he’s been right every time.
He tells me more about this algorithm, how he’s analyzing different indicators and watching the stock market extremely close and just has everything dialed in, and he tells me about another stock that he says is surely going to go up. I’m like, okay, call me back in a week. Let’s see if you’re right. Sure enough, after a week, I checked and he was right again. Three accurate stock price predictions in a row. He called me back and he’s like, dude! I’m like, dude! He’s like, you see that? I said, I saw that. How are you doing this? He’s like, I cracked the code. But then, like the snake he was, he tried to strike at me. He said, listen, the next one is the craziest one I’ve ever seen. There’s this company whose stock price is gonna explode, but the best part is they’re in the initial investor round, so you can get in on the ground floor if you want. How much do you want to invest? Ten grand? You’ve slept on three of these. You’re not gonna want to miss another, right? I’m like, [LAUGHING] I’m a college kid, dude. I’ve got thirty bucks in the bank. I don’t have ten grand. He’s like, ah, crap, and he hung up the phone. But this fascinated me. Who was this guy that was always getting the stocks right? What was his algorithm? So, I looked into it and met with a stock broker, and I asked him, how is this possible?
He’s like, oh, that guy was a scammer. I’m like, duh. I know. But how did he get the stocks right every time? This guy broke it down for me. He said, okay, that guy called up a whole bunch of people on week one, told half of them the stock was gonna go up and told the other half the stock was gonna go down. Then he called back the people who he was right with and he told half of them about another stock that would go up, and the other half he would say that stock’s gonna go down. Then he did it a third time, calling back the people he was right two times with, telling half of them that the stock is gonna go up and the other half saying it’s gonna go down. So, by the time he did that three times, he had this small pool of people who he was right with every time, but really he was just playing a math game with his victims. I think this is such a long but brilliant scam. Seemingly this guy was golden, perfect, getting it right every time, but what I didn’t know is that he was getting his predictions wrong all over town and I was just one of the unlucky few that saw him get it right every time.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Gather around. In this episode we’re gonna hear stories from Rachel Tobac, and she’s one of the best social engineers I’ve ever met. Let’s start with your origin story. As a kid, how did you get interested in this type of work?
RACHEL: Okay, my origin story. So, my first time that I ever thought about being any sort of hacker was when I realized that being a spy is a job that people do, and it’s a job that girls could do. I learned this through the movie Harriet the Spy. She goes around sneaking into people’s houses, spying. She takes her notebook everywhere. She sneaks through the dumbwaiter in this rich woman’s house and gets caught, and I just thought, oh my — I had no idea that a girl could be a spy. So, that basically became my personality for my childhood.
JACK: Did you get into computers when you were older or still in middle school, I suppose?
RACHEL: I did not get into computers. I wanted to get into computers; I went to my guidance counsellor in, I think, sixth grade and I said, hey, I want to take these coding classes. My guidance counsellor, she said, you know what, Rachel? You don’t want to take those coding classes. Those coding classes are forty boys. You’d be the only girl there. Just take home-EC instead.
JACK: Are you serious?
RACHEL: I know, and me being a child, I was like, oh, good call. Yeah, I don’t want to blame her for me never learning to code. I could have tried later in life, right? People try later in life all the time. But no, I’ve actually never written a single line of code. I ended up getting my degree in neuroscience and behavioral psychology. I was a teacher’s assistant for statistics. I never got into code.
JACK: Neuroscience?
RACHEL: Yeah. So, my path to infosec and hacking, to the untrained eye, it doesn’t make any sense. It’s almost completely nonlinear. To me, looking back, it makes a lot of sense. So, I got my degree in neuroscience and behavioral psychology. I was doing improv on the weekends. I was a teacher. I then was like, hey, I want to try and get into tech. I moved to San Francisco. I was a community manager at a tech company. I actually ended up leading a UX research team. Then while I was at that tech company, my husband was in security the entire time. I actually met my husband in high school. I met him when I was fifteen years old. So, my husband was like, hey, I heard about this thing called Defcon. I think you would get a kick out of it. [MUSIC] I was like, uh, pass. I think I’m not gonna do that.
JACK: Okay, so Defcon is the annual hacker conference in Las Vegas. It’s wild there. You’ll see people walking around with antennas sticking out of their backpacks, talks about how to bypass just about anything on a computer, and tons of villages that focus on specific areas of hacking. The Social Engineering Village is one of the more popular ones, and when Rachel’s husband went into this village and saw what they were doing, he immediately called her up to tell her what he was seeing.
RACHEL: They do this thing where they put you in a glass booth — it’s soundproof — in front of an audience of five hundred people. You call companies and you try and solicit information out of them over the phone. It’s the exact same skill that you use every month to get the bill lowered when you call these companies, you build rapport, you get a deep discount on things like the cable bill. You’ll love it.
JACK: She’s still like, no, I’ll pass. Thanks.
RACHEL: He called me back and he’s like, I just saw more of these calls, these social engineering calls. You have to come. I promise you if you don’t like it, we’ll just go gambling. As an aside, I love gambling. So I was like, okay, fine. I pack my bags. I get the first flight out Saturday morning. As you know, if you’re at Defcon, Saturday morning — it’s like, Defcon’s a third over at that point if not more. So, I show up, I see a few calls.
JACK: So, what she was watching was the social engineering contest. There’s fourteen contestants and they’re given the task to basically get enough information to hack into a company, all through phone calls. So you have to prepare and figure out who would be an easy target to get information from, and what’s their phone number? You better have backup numbers too in case that person you call doesn’t answer or hangs up on you. Once you do get someone on the phone, you get points for security data that you can get from them. So, if you can get them to tell you what operating system they use, you get a point or a flag, and maybe from there you try to figure out what browser they use or information about their security guards or what janitor service they use. You can’t just ask these questions directly; it raises suspicion, so you gotta provide a pretext. That is, pretend to be someone else, maybe someone who works in another department or someone brand-new to the company who doesn’t know anything and urgently has to get a report done by the end of the day. It’s tricky. It’s intense. It’s high-stakes because if you get caught on the phone, you’re burned and now you don’t get any points. The best part is the audience gets to watch it all live.
RACHEL: I see a few calls and I’m like, oh my — this is me. Like, I can do this. I was born for this. My husband was like, I know, right? I told you.
JACK: So, she immediately is like, okay, how do I compete in this? Yeah, it’s a whole process. You need to submit an application, create a video of yourself, and stand out from the crowd, because only fourteen are chosen to compete out of hundreds of people who try out for it.
RACHEL: I was like, oh, I got just the thing. I made this Twin Peaks-style video to convince them to let me get in and somehow they agreed to let me participate. Hundreds of people apply and fourteen contestants are selected every single year.
JACK: Now, they actually give you the target company that you have to attack ahead of time so you can do your research on it, a lot of research if you want, because you want to find as much information as you can about this company, like going through Google searches or just looking at public places. Maybe you get a list of people and phone numbers to call so that when it’s your turn to call, you know exactly who to call and what questions to ask. In fact, it becomes quite a lot of work to prepare for that moment for when you’re gonna call someone. You could spend a solid month learning everything you can about your target company so you can shine when you’re in the booth.
RACHEL: It was a major consulting firm, is really all I can say.
JACK: Now, these companies don’t know they’re about to get hacked. It’s really extraordinary to watch. It’s basically a live hack with an unsuspecting target. So, she gathers as much intel as she can and heads to Defcon to compete.
RACHEL: I get in that glass booth.
JACK: Now all eyes and ears are on her. Not only does she have to trick one person on the phone to give her the information they shouldn’t be giving her, but she needs to do it in front of an audience. But she’s done improv before and was absolutely ready for this.
RACHEL: I contact my target company. I pretend to be an employee who’s confused, who’s just starting out, and I end up getting flag after flag. I get out of the booth and I’m like, maybe I did okay. Then there’s a standing ovation. I’m like, oh, maybe I did better than okay. I ended up getting second place that first time ever hacking anybody. That first time ever hacking somebody happened in a glass booth in front of five hundred people.
JACK: Dang, second place. Of course, now she’s hooked. That was fun as hell. The nerves, the adrenaline, hacking and social engineering, all of this she was just craving more of, so she applies to compete again the next year.
RACHEL: Then I ended up getting second place the second year and I got second place the third year as well.
JACK: [MUSIC] Competing three years in a row in the social engineering contest and getting second place all three years, that’s what started her career in social engineering.
RACHEL: After folks started seeing me get second place at Defcon — you know, they’d see me on stage; they’d be like, hey, I want to chat with you. Can you come speak at my company about how you hack and how we can catch you? I live in Silicon Valley, so I got really lucky that people started asking me to do things that are a job, right? I’m like, oh, I guess I need to make a company? So, I made SocialProof Security in 2017. I mean, I live in Silicon Valley. I was so lucky; some of my first clients were Facebook, Snapchat, PayPal, Twitter, and from there it was US Air Force, NATO, Uber, Google, CISCO. It’s like, oh my gosh. I feel like I just got really lucky in this life.
JACK: The crazy thing is that I’ve heard this story over and over, someone who has no interest in hacking goes to Defcon, sees the social engineering stuff going on there, immediately wants to compete, does pretty good in the competition, and then decides to do that for a living and start their own company. It’s mind-boggling how many lives have changed from people attending Defcon.
RACHEL: Oh, it’s totally wild. If you would have asked me decades ago like, what did you think you were gonna get into, the word ‘hacker’ would have never even made the top 100 list, because I didn’t know it was possible, didn’t know it could be a job, and I certainly didn’t think I would be good at it. When I saw the concept of a hacker in TV or movies, it was usually a guy who wore a hoodie in a basement. I wear hoodies and basements are fine, but I didn’t think that I was gonna be good enough. So, yeah, you just have to see yourself in the position, and I’ve had multiple women come up to me and say, hey, I saw you in that competition; didn’t realize it was possible for people like me, and now I do this for a living.
JACK: Okay, so, she started a company called SocialProof Security, which is basically social engineering for hire, and companies were starting to hire her to see if they were vulnerable to social-engineering attacks and what they can do to stop them. Of course, I’m fascinated by these social engineering stories. How do you hack into a company with just your voice or your charm?
RACHEL: So, a bank hired me to penetration-test them. Effectively they hired me to hack them, and they told me that I could hack via phone call, e-mail, or chat, and my job was to take over multiple accounts and steal access — effectively steal money out of the accounts.
JACK: You want to steal money out of customers’ accounts?
RACHEL: Yes, and when we do a penetration test, it’s very particular. I don’t want to steal money from everyday people. That would be horrible and really scary for bank customers to just randomly have money stolen because of a pen test. So, what we do is we create fake bank accounts. We work with a team on the back end so that the support organization, for all intents and purposes, sees a real customer. But we’ve created fake bank accounts for me to steal so I don’t actually harm real people, but the support team doesn’t know they’re fake.
JACK: Okay, so this company is a bank and she’s told that she can target customer support to see if she can access a customer’s bank account. She’s given the options to use a phone call, e-mail, or chat to get through.
RACHEL: That’s right. [MUSIC] So, I started with the chat feature and I posed as a customer to see if I could take over a customer account with just chatting. So, I told the bank support people my sob story; I lost access to my phone, my e-mail, my laptop. I got lost and I had a night out and I’m traveling abroad. I mean, the whole story, right? And I really need access to my bank account ‘cause I’m stuck and I don’t have money. The first thing that I usually try when I’m trying to do an account takeover is I try to see if I can get them to change the e-mail address or the phone number on the account, because if I can do that, then I can change effectively the admin on the account. Just by changing the e-mail address, I can then reset the password or reset to a phone number that I control. There’s SIM-swapping and all of that that could happen after that, but that’s basically how it works. They’re like, oh, well, we can’t do that because we need to only send the password reset to the e-mail address already on your account.
JACK: Good for them. That’s the protocol they’re supposed to follow.
RACHEL: That’s exactly right, so, good job, bank; horrible for me as a pen tester. A lot of times I have to play both sides of this game. I have to train the company and update their protocols to prevent people like me from getting in. But when I’m first attacking them, it’s so frustrating. So, I try chatting with multiple other support people. I’m trying again and again. They will not make any exceptions for me. It doesn’t matter my pretext — that’s who I’m pretending to be — it doesn’t matter how I contact them, what I say, my story, nothing. So, I decide to switch to phone-call-based attacking because I tend to be much more successful. So, I switch to phone calls. It leaves less of a paper trail. People tend to get less suspicious because I can build rapport, they can hear my voice, they can hear how trustworthy I sound, and also when I’m calling, I can spoof phone numbers and a lot of times that helps me gain access.
JACK: Spoofing phone numbers; how is this still possible? You can download an app from the mobile App Store and within a few taps you can change what phone number you’re calling from to have any phone number you choose. So, you can make it look like where you’re calling from is not actually where you’re calling from. Now, when I was young, I used to do this with e-mails. I would love to send e-mails to my friends pretending to be from the FBI or the president of the United States, and I’d be like, Bill, you’re in serious trouble. We’re coming to get you or something, and then my friend Bill would be freaking out, and it was awesome fun. But then the e-mail protocol got updated. They implemented SPF records somewhere around 2006, and this ensures that the place you sent the e-mails from is where the e-mails are supposed to come from. This effectively put an end to e-mail spoofing. Of course, not all companies configure their SPF records properly, and you could still spoof it, but at least the option is there if you want to block someone from spoofing your e-mail. But for phones, which have been around a lot longer than e-mail, it’s an unpatched vulnerability, in my opinion. You can still spoof phone numbers.
RACHEL: Yeah, it’s kinda wild. In the US right now it’s still possible because all of the telcos have to make the same decisions at the same time, and unless all of the companies get together and make the same choices, it’s gonna be really hard to implement the right solution. So, at least in the US, spoofing is still really possible for me.
JACK: Now, since phone companies refuse to fix this, their solution was to help pass a law making it illegal to spoof phone numbers. So, for now it just seems like telephone companies are just relying on the police to help keep people from doing this. But to me, this is an awful way to secure things. Telephone companies can fix this if they want. But while I see this as a vulnerability, telephone companies have historically said, wait, why are you using telephone numbers as identifiers? They were never meant to be identifiers. And they put the blame on us for doing that, because for a long time our phones didn’t have screens, so we never knew who was calling until you picked up the phone and said, hello. But then telephone companies gave us caller ID, where our phones would show who’s calling. So, I do blame telephone companies for making us think it is an identifier, since they were charging extra for that feature back in the nineties, and mobile phones today all come with this feature. So, I say, phone companies, turn caller ID off if you don’t want us to use it as an identifier. Otherwise patch it so phone numbers can’t be spoofed anymore. So anyway, Rachel was trying to get into a customer’s account — let’s call the customer Kelly — and she figured out what phone number Kelly had, and Rachel spoofs her number to look like she’s calling from Kelly’s phone.
RACHEL: I spoof my phone number. I make it look like Kelly on the account. By the way, on data brokerage sites when we’re doing OCINT, open-source intelligence, typically we can find most people’s phone numbers within a minute or two. So, when we’re searching, we can just know, okay, this is Kelly. This is Kelly’s phone number. I’m gonna go ahead and spoof that. I set that up. It usually costs me a dollar or so on the tools that are available on the App Store. These are not heavily regulated. You can just find then on the App Store. [MUSIC] I go ahead and I place that call.
JACK: Can you give me an example of how you sound on these calls?
RACHEL: You’re gonna make me act.
JACK: Yeah.
RACHEL: Okay. Okay, give me one second. I gotta get into character. I’m gonna change my clothes so I can get into character. Here we go. Okay, here we go. Ring, ring, ring…
JACK: Ring, ring, ring…
RACHEL: Oh, wait; we both said ‘ring’. Okay.
JACK: Thank you for calling the bank. How can I help you today?
RACHEL: Hi. I am so sorry — my name is Kelly Smith. So, I’m traveling right now and I just lost my laptop. My phone’s not working. I cannot get access to any of my funds. I’m super stressed out. Can you please, please help me?
JACK: That was good. I won’t make you do more.
RACHEL: Thank you.
JACK: So, yeah, they’ve got a script that they go through where they’re just like, okay, well, do you have the last four digits of your phone number or whatever the case is to verify you. Is that how — your challenge, or what happened?
RACHEL: No. So, this bank knew KBA, knowledge-based authentication, things like, what’s your address? What’s the last four digits of your phone number? This bank knows that that information is very easily found online, so they don’t use KBA, knowledge-based authentication, to verify your identity. They usually use MFA, multi-factor authentication. Now, this is great. This is exactly what I recommend. Send a code to the e-mail address on file and make them read it out to you rather than going through this process of verifying identity with information that can be found by an attacker in five minutes online. So that’s good, but as an attacker, that’s gonna be a challenge because I don’t have access to that e-mail address, and when I’m spoofing a phone number, I actually can’t receive text messages and if they call back, I’m not gonna be the one that answers that phone call. I’m just spoofing. It looks like I’m calling, but I don’t actually have access. Now, of course I could SIM-swap and many criminals will do that, but for the purposes of this pen test, that’s not what I’m testing. So they say, okay, we have an edge case here. Let me see if I can talk to my manager and have you send in a picture of your driver’s license, your social security card, and a utility bill. Instantly I’m like, okay, bingo. We’re in. The other half of SocialProof Security is my husband, Evan. He does all of the technical stuff. I do all the human hacking stuff.
JACK: This is great because I need a fake driver’s license, so I can’t wait to hear how you got a fake driver’s license.
RACHEL: [LAUGHING] [MUSIC] No. Okay, so, my husband Evan, he gets to work editing a driver’s license, a social security card, and a utility bill to the exact information that they’re expecting for this account, which again we can find through a data brokerage site. So, we’re hoping that this company does not know the actual driver’s license number, the actual social security number, and they’re just looking to ensure that the name and address that are on the account match those documents. I can find those pieces of information through OCINT, and a lot of times I’ve noticed that when they ask for these types of documents, they don’t know the right info. They’re just hoping that it matches and they stop there. So…
JACK: So, you didn’t need a real driver’s license, social security card; you just needed a JPEG, right?
RACHEL: Correct.
JACK: That’s the trick there.
RACHEL: So, we spend…
JACK: The Photoshop was your friend.
RACHEL: Photoshop, yes. We spent all night on these driver’s license, social security cards, and utility bills of the accounts we’re trying to hack. I e-mail the bank at 8:00 AM the next day. I tell them my story. I tell them the edge case that we have set up with support. I send them the driver’s license and social security card and utility bill. By 9:00 AM, I have full admin access to the bank account. I have changed it to be controlled by my attacker-controlled e-mail address, and I can steal all of the money in the account. So, once I finally get in, I have access to everything. I use the same method again and again. I get access to two more accounts throughout the day. I end up spreading out the requests so that we’re not raising suspicion with the same attack method over and over again, back-to-back. In the end, we took over each bank account that we were asked to to hack within two days.
JACK: That’s truly astonishing, the sheer force of the human voice, its ability to persuade, to move, to manipulate, all through a simple phone call. It also reminds me of how vulnerable customer support is to this kind of exploitation. When you’re met with a soft voice telling you a sad story but wrapped in kindness, it tugs at your heartstrings. You find yourself eager to assist, especially if you just off the phone with a real prick who was yelling at you about overcharging him ten cents. Contrast that with a kind voice that’s truly asking for help, and it really makes it hard to say no.
RACHEL: I know that in a lot of these organizations there are edge cases, so I’m helping companies say, okay, we did this pen test. We figured out what the edge case is. We figured out how we got access. How do we make sure we don’t fall into this trap next time when the real criminals get here? So, I then help them with — okay, let’s set up some edge cases back-to-back so that we have something like a callback. That would thwart spoofing. If you don’t want to use that, you can use e-mail verification, one-time passwords, sending a code or just a word to the e-mail on file and having them read that out, SMS verification. Okay, they claim they’re calling you from this phone number, but maybe they’re just spoofing it. See if they can read out a text message. Callbacks thwart spoofing. Service codes, PINS or verbal passwords — if it’s some sort of internal support ticket, you can loop in a manager. There’s so many ways to do this right that a huge part of the pen test is not just hacking the company but helping the company figure out what is a real, practical way that we can solve these edge cases in the future to verify identity the right way and make it harder for you to get in the next time? ‘Cause I’ll go in, I’ll make it harder for me to get in as an attacker, and then the next year I’m like, oh my — this is so hard for me to get in, and to the point where I can’t get in anymore, and that’s when I’m like, okay, you’ve done the most that you can do.
JACK: It’s time for a sponsor break, but stay with us because Rachel has a few more stories that she’s going to share with us. On another engagement, Rachel was hired by a company to help them sort out an issue that they kept encountering. It was a large technology company who would sometimes buy or acquire smaller companies. Now, when you’re buying another company, you typically want to keep it quiet until the official announcement. It could affect share price or cause panic in the company if things aren’t communicated properly. But for some reason, when this technology company would do any merger or acquisition, it would get scooped by some news agencies. The announcement would show up on news sites way before the company was ready to tell the world. So this company was like, Rachel, maybe you can help us figure out how this news keeps slipping out ahead of schedule.
RACHEL: So, they approached me about doing a pen test to figure out how this MNA info was getting leaked, where they could possibly improve their training, their messaging, their internal protocols, to figure out why is this happening. Why are folks being incentivized to talk about this and what can we do about this?
JACK: When you hear this, what’s your mind first going to? Like, oh, you’ve got an insider threat somewhere. You’ve got a breach, an active breach.
RACHEL: Yeah, so, insider threats happen, but what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So, we came out with a few different attack methods that might work to uncover where this is happening. Number one, I was gonna attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, e-mail, text message, et cetera, about their experience in tech and see if I could siphon out MNA info and just see where it goes. Number two, I was going to apply to their product manager role, go through the entire hiring process, and see if I could extract MNA-related info during the question portion of the hiring interview. I did not know what was gonna work and what wasn’t, but I just wanted to try both.
JACK: [MUSIC] Alright, so, if you’re gonna pose as either one of these people, it sounds like you’re gonna need a LinkedIn account or at least some online presence. You can’t just show up as a nobody, right? Or, at least it helps establish your background and your pretext.
RACHEL: Definitely.
JACK: Do you have any framework or methodology for how you establish an existing ghost in the world?
RACHEL: Yeah. So, we call these ghosts, we call them SOC accounts. Sometimes they’ll be real people and so, we’ll fashion them pretending to be a real person. Sometimes they’ll be fake people and they’ll just have this full life online. With the fake journalist, I figured it was gonna be a lot easier to pretend to be a real journalist and just not actually be them than create an entire persona of a fake journalist and populate real content. So, I built a fake journalist pretext — e-mail, background, and social media — based on a real journalist who I’m not going to name, of course.
JACK: Interesting. Rachel tried to be another journalist that actually exists, maybe by doing something like using a similar e-mail address or social media account? But the question is how do you know who to ask in a company to get information about upcoming mergers and acquisitions? These are typically closely-guarded secrets. Hm, but there is a website that’s extremely helpful to social engineers. There’s a website that lists pretty much every company and most of the employees that works there, and it tells you their job title, role, what duties they have, and full name. The website is LinkedIn, and personally, I feel like LinkedIn in a security risk to most companies on there. It makes it really easy for someone like Rachel to go down the list of people who work at a company and pinpoint the exact person to target. Once you have their name, it’s probably easy to guess their e-mail address. It’s usually first.lastname@companyname.com. Not only is there a list of people who work at most companies on LinkedIn, but they like to list their skills, too. If someone says they’ve worked for a company for ten years as a database admin and specifically they say they’re excellent at Microsoft SQL server, now you can guess with high confidence this company runs Microsoft SQL server internally, and this person probably has the admin password for it. We all know how susceptible people are to phishing e-mails.
My opinion is if you’re listing stuff like that, you’re just putting a big old beacon over your head saying, hey, I’m the person you’re gonna want to hack if you want to get in the database of this company. Come at me. Essentially, the private information that should just be kept inside the company is posted publicly for anyone to see on LinkedIn. I mean, here’s a story where the company is wondering, hey, how come the public knows about one of our internal memos? I say start by auditing what your employees are posting to LinkedIn. If the company is totally cool with all this internal stuff getting posted publicly, then maybe that’s perpetuating a culture that’s okay to blab about exciting news to whoever asks. I had someone message me on LinkedIn the other day asking me, hey, how can I get my data taken off the internet? I’m like, what? Is this your photo? Is this where you work? Is this where you went to school? Is that your actual name? You posted all this to LinkedIn and you’re wondering, how come the internet knows all this stuff about you? Because the thing is, a lot of what data brokers know about us is from the stuff we post publicly. Data brokers are scouring our social media profiles, our blog posts, and any mentions of us on the internet. Then data brokers store all that information about you that you posted.
RACHEL: It’s frightening, and the reality of the situation is that anybody can do a full background search in less than five minutes on most people in the US, and people don’t realize that this information’s out there about them. They have no idea that it’s being sold. They just don’t Google themselves.
JACK: I say we should take our own privacy seriously, because the more we don’t care about our privacy, the more companies won’t care about your privacy. Anyway, as you can imagine, Rachel had this target company and was able to quickly guess at who might know about upcoming mergers and acquisitions and started hyper-targeting them, doing full background searches on them, gathering up their details, and just started reaching out, acting like a journalist, e-mailing them, wanting to see if she can easily get this information from people.
RACHEL: Exactly, or we can reach out over social media DM, a DM on LinkedIn or Twitter or Instagram. That’s the thing; journalists really do reach out using all of those methods, so it’s hard to know what’s real and what’s fake sometimes.
JACK: [MUSIC] But it didn’t work. No matter who she reached out to or how convincing her backstory was, people weren’t freely giving her information about upcoming mergers and acquisitions. This method wasn’t working.
RACHEL: They let me know some minor details about excitement about potential MNA, but they’re not gonna confirm any juicy details. I try to get people on the phone to talk with me, but I think there’s just this inherent distrust of this particular pretext. So I’m like, okay, I gotta really go for the big guns here. I want to attack via the hiring process.
JACK: Attack via the hiring process? What an interesting sentence to say. I don’t think that idea crosses many people’s minds, that people applying for jobs might have malicious intent. I’ve heard of the evil maid attack, but what’s this called, the phantom applicant attack? There’s a lot of information that you can get just from reading a job posting. Like, when a company lists the job duties, it might tip their hand into what endeavors the company is going to do next or expose what technology they have in the company, and these things can be used against the company in social-engineering attacks. I think if you read enough job listings, you could probably develop a map of the data center. Hacking into the company through the employment process is actually a decent attack vector. I don’t think many companies would expect you to come in through that door. Anyway, what Rachel was going to do was pose as a job candidate and try to get an interview, and in the interview she was going to see if she could get some insider information about upcoming mergers and acquisitions.
RACHEL: Something to understand is as an attacker, this is not easy to do. I’ve never beem a PM, so to apply for a PM role takes a lot of background research. I led a UX research team at a tech company, so I do have a sense of what a PM, a product manager, does, but I am in no way prepared for a PM interview. So, I have to study for three full weeks for this role. I’m watching YouTube videos, I’m doing interview prep quizzes online, I’m taking free online courses like, So You Want to Be a PM, the whole nine yards. So, I’m building a full persona, a resume, a Twitter, LinkedIn, Facebook. All of these SOC accounts have photos, thousands of friends, reviews of my work from networking groups on LinkedIn, people I’ve never met — that like, you give them a review and they give you a review. All of this stuff is so gameable.
JACK: I suppose this is stuff you do at SocialProof. There’s this one person sitting over there like, hey, just keeping making SOC accounts all day, every day, ‘cause I’m gonna burn through them so fast.
RACHEL: Unfortunately, yes. We do change the names of many SOC accounts, but then you have to populate a lot of new information. It ultimately takes me about three weeks to build a believable social media account and enough examples of previous PM work to get anywhere near convinceable during the interview process.
JACK: Did you get help at getting your resume to the top of the pile?
RACHEL: No. I just had to apply.
JACK: That’s not easy. There’s a lot of people who don’t get callbacks.
RACHEL: Well, during this period of time, their — the tech hiring process wasn’t as bad as it is in this current year. [MUSIC] So, I apply for the role. I get a phone screen. I am sweating bullets ‘cause if I don’t get through this phone screen, I will not move on to a full interview process. I’m gonna have to do a bunch of work to change my SOC accounts on social media to match a new persona. It’s gonna be a lot more work for me. Luckily it took like, forty-five minutes. I passed. I get moved on to the next round. The next round has six different interviewers. So, it’s…
JACK: In person?
RACHEL: No; virtual, thank goodness.
JACK: Did you try to gain any information on the first round?
RACHEL: No, not during the phone screen. I wanted to get…
JACK: ‘Cause you were like, I’m gonna wait for the right time.
RACHEL: Yeah. I was terrified that they were gonna be like, this person’s a weirdo. Let’s not move them forward. So, I waited until the actual official interviewers, and it’s gonna be a packed day of interviews. I have six interviews back-to-back all day. These interviews are conducted over Zoom. I get all dressed up in my interview clothes that I haven’t worn in years. I’m prepped with all my anecdotes, my strengths and weaknesses, my KPIs and success stories, and a lot of these examples I’m using are heavily focused on UX research because if you remember, that’s something I used to do and many PMs do have advanced UX research skills, so I’m just hoping that they don’t think that’s weird. So, I get to the first interviewer and the interviewer is like, okay, asking me all these questions. I seem a little nervous but they’re like, oh, don’t worry about it. It’s gonna be fine. We go through all of the PM-related questions. This person’s a PM.
JACK: You’re nervous for all the wrong reasons. That’s what’s funny here.
RACHEL: I know, but I have to pass.
JACK: Yeah.
RACHEL: So, I’m going through this process…
JACK: I mean, they’re used to people being nervous, and so, I could see them saying, oh, it’s fine, you’re doing great; don’t worry about it. And you’re like, oh, thanks, ‘cause I’m trying to hack you.
RACHEL: No, see, the funny thing is when you’re hacking people, a lot of times it makes sense for your pretext to match how you’re actually gonna feel when you’re hacking.
JACK: Yeah.
RACHEL: A lot of times you are nervous when you’re calling support because you can’t gain access to your bank account. You are uncomfortable during an interview. These are normal human emotions, and so, it’s okay to not be way too overconfident. Sometimes that can even read as strange. So, yeah, I’m sweating bullets. It’s clear I’m nervous. We finally get to the end and the interviewer says, so, do you have any questions for me about the role? I have never been sweatier in my life. This is it. If they get suspicious during this moment, all of my work is for nothing. So, I say, I am so excited about this company. I hear there’s a lot of opportunity for growth. I did a bunch of research; I did find a few new stories that mentioned XYZ potential merger. I know you can’t confirm anything, but I just want to understand what an integration process looks like at your company during an MNA.
I know you can’t confirm anything again, but I just want to understand how my role could potentially change over time. The interviewer takes a beat and says, you’re right, I can’t confirm anything, and my heart sinks. I’m like, no, this person’s trained. Then they go, but just because I can’t confirm doesn’t mean I can’t talk in generalities, right? And winks, actually winks. I’m like, oh, this is gonna be so good. So, there’s a lot of hand-waving and ‘you know I can’t confirm but’ throughout the rest of these interviews. But it seems that everyone at this company knows you’re not allowed to say information in plain language about MNAs, but that doesn’t mean that I can’t glean pretty serious details about the upcoming acquisition plans that have been clearly discussed internally. By the end of this day, I got MNA info out of three of the six interviewers. So, fifty percent.
JACK: What kind of info are we talking?
RACHEL: Yeah, so, they wouldn’t tell me the names of the companies that were potentially going to be acquired, but I would say things like, I saw a rumor about XYZ company. Is this the type of company that you would be excited about? Then the wink, wink, hand-waving process starts of, you know I can’t confirm it, but we are interested in integrating things like XYZ. So, I was able to glean information such that when I reported it back to the team, they were like, I mean, yeah, you got the right information. Nobody said anything in plain language, but you can get people to say things kinda beating around the bush. So in the end, I got MNA info out of fifty percent of the interviewers, three out of six. I debrief with the security team. I ask them when they want to discuss the results with the organization. They say, well, let’s just wait up and just finish the hiring process so that it’s not a distraction to them. In the meantime, the next day, I actually get an e-mail that I used to apply for this role that I was being moved to the next stage of the interview process to get an offer. So, not only did I siphon out the info I needed during the interview pen test, I also got the job, I guess.
JACK: Well, congratulations. I hope that goes on your resume.
RACHEL: I know. I should put ‘PM’ on there.
JACK: So, she meets with the security team and explains to them how she found out about all this upcoming mergers and acquisitions, and together they had a chat about whether this was just an obscure edge case or a bigger problem.
RACHEL: They realized that when they explained to people that they were not allowed to say the words of the acquisition, they realized that they needed to be clearer in their communication, that, no, just because you’re not saying ‘we are acquiring XYZ company’, it doesn’t mean that friends, family on social media, people can’t glean information to understand, oh, they’re interested in AI. This person’s talking about how their role’s gonna change. They’re talking about how much they love this specific technology and they’re tagging certain companies on Instagram or Twitter. They realized that they needed to be much more specific in their protocols and language, saying, when we’re planning an acquisition, once we talk about it internally, please do not talk about it even in a hand-waving fashion with friends or family or on social media. Don’t talk about how your role’s gonna change on LinkedIn. Don’t talk about what you’re excited about upcoming on Instagram. They had to be really clear about that, and once they did that, those leaks stopped because it wasn’t an insider threat. It was just people not one hundred percent getting what an attacker is interested in and how they could find that info.
JACK: Oh, so it did solve the problem.
RACHEL: It did, yeah. It doesn’t necessarily mean that it’s coming through the interview process — now, maybe it was — but it’s probably just that people in general at the company didn’t understand that when talking in generalities, that can be used by attackers, too.
JACK: Yeah, and then you probably had recordings to show concrete proof of here’s — when you say this, I’m hearing this.
RACHEL: Exactly, and they were like, oh, I get it, so I can’t say that we’re talking about this technology and how it’s gonna change my role as a product manager because that tips off people to understand that we’re gonna be acquiring XYZ company in the next six months. That’s where these leaks are coming from.
JACK: [MUSIC] So, you came on my radar because you sometimes just create these crazy viral instances online where I’ve seen you hack — who’s Donie from?
RACHEL: Donie O’Sullivan from CNN.
JACK: From CNN; so, I’ve seen you hack the CNN correspondent, I’ve seen you hack voting machines before, I’ve seen you do all kinds of crazy things that suddenly you’ve got a million views on this thing. I’m just like, well, there she is again. Rachel’s out there doing things. But one thing was — interesting was when you went on 60 Minutes.
RACHEL: Yeah. Last year or so, I started talking more on Twitter about how I’m seeing AI get used by criminals to trick people. So, I’m talking about this, scammers are tricking grandparents out of $1,500 bucks posing as their grandson, spoofing the grandson’s voice number or voice-cloning or just modulating the pitch to sound like the grandson and saying they need money for bail, just talking about these examples. 60 Minutes sees this. They e-mail me. They reach out. They say, hey, we want you to do a hack live. It’s actually gotta trick somebody. Can you do that with us? I’m like, I mean, yeah, I can do that, but it’s complicated. I’ve done a lot of these live hacks over the years for large media pieces. I need consent. Before I do any sort of hacking, I get consent. When I hacked CNN’s Donie O’Sullivan, I hacked him through his service providers and I also hacked him through his leaked passwords, and I had his consent with a lengthy contracting process and scope discussion before I was able to contact his service providers pretending to be him, before I was able to log into his LinkedIn using his breached passwords and the things that I found online. So, I start explaining to them how much consent I’m gonna need, and they’re like, well, we’ll try — we’ll just try and see what happens. [MUSIC] So, I start to talk to them about who my target is gonna be. They want my target to be Sharyn Alfonsi. She’s an awesome correspondent for 60 Minutes.
SHARYN: Rachel Tobac is what’s called an ethical hacker. She studies how these criminals operate.
RACHEL: So, ethical hackers, we step in and show you how it works.
JACK: So, the mission was to use AI to somehow trick and scam the host of 60 Minutes while on the show, but the problem is the host needs to consent to being targeted, which if she knows she’s going to be scammed while on her show, it’ll really put her guard up, right? So, this was going to be tricky. How do you trick someone who’s asking you to trick them?
RACHEL: She’s got a lot of information about her online, so I do my OCINT.
JACK: Because the host of 60 Minutes has been on TV for years, Rachel realized there’s a lot of audio of Sharyn talking, and this might be useful. Maybe she can somehow use Sharyn’s voice to do something.
RACHEL: I determined through OCINT, open-source intelligence, that the best way to do this hack was to trick her coworker while pretending to be Sharyn, because sometimes our coworkers have just as much info and access on us as we do about ourselves. So, I needed to get consent from the coworker, and here’s the massive challenge; I needed to get her coworker’s consent because she was a major part of the hack. This coworker is named Elizabeth. I contacted her; I was like, hey, this is what we’re gonna do. We’re gonna do this hack. You need to consent to essentially being part of the hack, but you don’t know when, where, or how it’s gonna happen. You don’t know who I’m gonna pretend to be. You’re not gonna know the method of the attack whether it’s gonna be a phone call, e-mail, text, contacting your service providers pretending to be you. Elizabeth is awesome. She’s like, that’s fine. That’s completely fine. I’m really excited. I’m like, okay, let’s do this. [MUSIC] So, I decided that I wanted to do a phone call because I wanted to clone Sharyn’s voice and spoof Sharyn’s phone number to Elizabeth and trick her during a phone call to reveal some sort of personal information to me. Now, Sharyn is a famous reporter, so her voice is everywhere.
I grabbed about five minutes worth of samples of her voice just from YouTube videos from 60 Minutes. I put her voice into my voice-cloning tool. I start tweaking the tool. There’s voice clone settings for things like clarity, voice stability, style exaggeration, and I finally get the settings tweaked to a point where I feel like it’s gonna be credible at all during the phone call, but it’s not a hundred percent perfect. I do my open-source intelligence to find the right phone numbers to spoof and the right phone numbers to call. Like I said, data brokerage sites have personal contact details for almost everyone, and I need to find the right details to use during the hack like upcoming travel, the right information to try and siphon out for the demo. You can find most of this stuff through social media when people talk about their lives. The only issue; now, I’m gonna have to somehow get Elizabeth to participate in this hack without her realizing it’s the hack itself going down. How am I gonna do that? She’s already consented to this and she knows it’s coming. So, I figure the only way that this is gonna work is if it feels natural within the filming day, otherwise how is the film team going to catch the hack live so that anyone in the audience can watch it?
JACK: Yeah, so, when — so, they’ve got the cameras on you. They’ve got you in the studio. They’ve got Sharyn there.
RACHEL: [MUSIC] Not yet. Let me tell you these details. So, I get my hair and makeup done for 60 Minutes, right? I’m doing my vocal warm-ups. I’m like, la-la-la. I’m getting ready for recording. Sharyn’s still in her room prepping for the day. The light and the sound crew are getting the gear ready for the shoot. Elizabeth shows up. She’s getting ready. I pull aside the head of the sound and lighting crew and I let them know that I think the only way they’re gonna be able to catch this hack on camera live is this; I’m gonna go out into the hallway with my computer and phone. You, the camera crew, cannot follow me because it’ll be way too obvious to Elizabeth if you follow me, and it really shouldn’t matter anyway because it will be me on the other end of the phone call, so you should catch the interaction from her end, anyway. So, you the crew must ask Elizabeth to stand in for Sharyn so you can get lighting, sound, everything prepped so that when Sharyn finally comes down, she can just slide into the shot and we can get started. That way when I start the hack, you’ll be able to actually see and hear Elizabeth and be able to catch the attack in motion.
JACK: Wow.
RACHEL: The crew is like, what did we sign up for? This is ridiculous. I am so nauseated by this plan. I am so freaked out by this because if this doesn’t work and Elizabeth is like, sure, crew, I’ll stand in for Sharyn, and immediately realizes what is happening, then this entire shoot, all fifteen members of the 60 Minutes team, the lighting crew, sound, hair, and makeup, everybody’s here for nothing and I will just have to basically demonstrate what I would have done. That’s not gonna be fun for anyone. Now, mind you, it’s like, 7:00 AM, so this feels like the crack of dawn for all of us. People haven’t — they have not even had a cup of coffee yet. So, people are like, okay, Rachel, sure, we’ll do that. So, I walk over to my hacker laptop. I announce to the room that I need to go help my team with something back home. So, before we get started for the day, everyone get your coffee, whatever, set up. They say, no worries. I step out into the hallway. I’ve got my laptop and phone. I can’t hear anything that’s happening in the ballroom now, where we’re filming. I just have to hope that the sound and lighting crew have successfully gotten Elizabeth into the quote, “stand-in” position with the sound and lighting on, because otherwise they’re not gonna catch this and I’m not gonna fake it for them later. It needs to be real. So, I’m just praying that this works.
So, I open up my voice-cloning tool in the hallway. I type in my opening line into the voice-cloning tool. To be clear, this voice-cloning tool, I cloned Sharyn’s voice. I can then type in any words and it will spit out those words spoken in Sharyn’s voice. So, I type in my opening line. My opening line is ‘Elizabeth, sorry, need my passport number because Ukraine trip is on. Can you read that out to me?’ It has to be short and sweet, direct and to the point without requiring a lot of follow-up, because the issue with these tools is there’s a delay in me typing it into the voice-cloning tool and when it spits out the words in Sharyn’s voice. I’m also holding my phone up to the computer, so there’s kind of a strange audio vibe going on with this phone call, and I just want to minimize it and make it happen as fast as possible. So, I open up my spoofing tool on my phone. I type in Sharyn’s number to spoof. I type in Elizabeth’s phone number to call. I hit Go. It is one hundred percent silent. I hear Elizabeth’s phone. It’s audibly ringing inside of the ballroom and I’m just hoping she goes over and picks it up, right? My stomach’s in knots. I am sweating profusely, and then I hear her go, hello?
CLONE: It’s Sharyn.
RACHEL: Like, I hear it through my phone and I can also hear it in the ballroom. I’m like, oh my gosh, she can hear out here. So, I hit my voice-cloning Play button. It starts playing Sharyn’s voice asking for the passport number.
CLONE: Elizabeth, sorry, need my passport number because the Ukraine trip is on. Can you read that out to me?
RACHEL: Then, silence. For what feels like hours, I am sick to my stomach. My hands are shaking. This forever silence that I was experiencing was Elizabeth holding her phone in her hand, looking at the caller ID during the call to ensure it really does say Sharyn, because the voice sounds weird. I mean, I’m voice-cloning plus spoofing, so it looks like it’s calling from Sharyn but it sounds kinda far away ‘cause I’m holding my phone up to the computer. Elizabeth finally responds.
ELIZABETH: Oh, yes, yes, yes, I do have it. Okay, ready? It’s…
RACHEL: Then she reads out the passport number I just asked for. I’m like, let’s just get off this call as soon as possible. So, I say, thank you. She starts asking me questions; when am I gonna be down for the shoot? Do I need anything else? I have to deal with this delay back and forth typing in my replies, so I’m just thrilled that by this point I siphoned out information and I just wanted to get off this call as fast as I possibly could. So I said, oh, I’m just coming down, and I end the call. I walk into the ballroom. Elizabeth is sitting under the lights with the mic pinned on her and I’m like, oh my god, it worked. All I have to do now is do the interview with Sharyn and explain the mechanics of the hack to her live and make sure that Elizabeth knows that anyone would fall for this style of hack because most people don’t realize it’s possible yet. I wanted to make sure she didn’t feel horrible about it.
JACK: Yeah, she did the interview and explained what just happened, how she tricked Elizabeth into giving Sharyn’s passport number. But after listening to this story, I got really curious about this voice-cloning tool and wanted to try it myself. So, to clone someone’s voice, you give it a bunch of audio of them talking, and using some advanced AI, it will get to know that voice, and whatever you type, it’ll say it in their voice. I spent a few hours playing around in this tool, and I cloned my voice. I think it’s really interesting. Okay, I want to show you. I’m going to play two clips for you. I want you to listen and try to figure out which one is AI-generated. Ready? Here’s clip one; hey, this is Jack Rhysider. This morning I had a peanut butter and chocolate smoothie for breakfast. Okay, here’s clip two. Hey, this is Jack Rhysider. This morning I had a peanut butter and chocolate smoothie for breakfast. Okay? Punch in your votes. Ready for me to tell you? Both clips were AI-generated. In fact, what you’re hearing right now is AI-generated, too. I switched to having AI talk for me a few minutes back.
I just type whatever I want and it’ll narrate it for me. It’s really wild. It even adds in breaths like this — listen. [BREATHES IN] And sometimes it’ll even add plosives like how the P sounds in ‘nope’. It’s crazy how good this sounds. Huh…[BREATHES OUT]. Okay, okay, I’ll switch back to my normal voice now. There, I’m using my real voice now, okay? The future is gonna be weird, isn’t it? Okay, so, I just saw this article the other day on CNN’s website and it said there was this guy working for a company in Hong Kong who controlled the finances for that company. He got invited to a video call with the CEO and a few other colleagues that he recognized, and he saw them on the screen. He heard their voices, and he was positive it was the CEO and his colleagues. They were telling him there’s this new deal that just finished up and they wanted him to send $25 million to another company, so he did. But the problem was the video and the voices were all AI clones. Scammers tricked him into thinking he was on a video call with the CEO. Our future is almost surely not gonna be what we think it’s gonna be. I have a feeling we’re gonna have a hard time knowing what’s reality and what’s fiction.
DANIEL: Yeah, it’s a good point. Hey Jack, can I jump in here?
JACK: Yeah. Who’s this?
DANIEL: This is Daniel Miessler.
JACK: Oh, hey, Daniel. Yeah, what do you have to say about this?
DANIEL: Yeah, so, what I find fascinating about this whole story is that there’s a very early concept in security about how do I know it’s you, right? We normally don’t have to worry about this with video because seeing has always been believing, and the same with hearing for audio. But now with deepfakes, for both video and audio, we need a whole ‘nother layer. So, what I actually expect to see here is products coming out that are basically like, how do I establish early trust? As soon as you join a company, you’ll probably establish keys across all of Slack or across all of Microsoft Teams or something, and that’s your pre-determined channel.
JACK: Hm, I think this is a good idea. If you can cryptographically sign something, then that’ll prove the message or video came from you. So, I imagine this could cut down on people falling for fakes. If it’s not actually signed by the person who sent it, don’t trust it. Initially getting your key would be interesting, though. You still have to prove who you are at the beginning, right? One way to do that is to verify who you are in the meat space, the real world. When you’re face-to-face and in person, it’s still a valid verification technique that you are you. But with everyone having their own cryptographic keys to prove someone is real, the threat then moves to securing the key. If someone else grabbed the key, they could make it look like you sent something when really you didn’t. They just signed it using your key.
DANIEL: Yeah, yeah, absolutely. We’re gonna need something like that for all remote calls, essentially, ‘cause it’s like, first of all, the AI can copy both of our voices because we have our voice out there and that’s easy to copy. But very soon, I won’t know honestly if this is you right now on this call.
JACK: I just imagine making a whole CAPTCHA network for everyone I know, right, so my dad calls me on the phone and it says, before you can connect to this party, please solve this CAPTCHA.
DANIEL: Exactly, exactly. There’s going to be some sort of challenge or predetermined key exchange, yeah.
JACK: Oh my gosh. I personally am excited about our future. We are smarter than ever and more advanced than ever, and it feels like the human race is going through a Cambrian explosion of sorts with all new technologies and advancements popping off almost daily. We’re living in the exponential era. Time will move faster from here on out, and we get to witness it. We have tickets to watch the birth of Human 2.0. How special is that? Whatever comes next will surely be exciting.
(OUTRO): [OUTRO MUSIC] A big thank you to Rachel Tobac for coming on the show and sharing these stories with us. She wrote a free eBook on social engineering, and you can find a link to it in the show notes. Besides doing social engineering for companies, she also does security awareness training. In fact, she started a whole video production company where she creates fun and entertaining training videos. You can learn more about what she’s doing by visiting socialproofsecurity.com. Also thanks to Dan Miessler for giving us some insights into AI. This episode was created by me, the backseat rider, Jack Rhysider. Our editor is the gourmet sorbet, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. How does a computer get drunk? It takes screenshots. This is Darknet Diaries.
[END OF RECORDING]