WEBVTT

00:00:00.626 --> 00:00:05.200
JACK: Hey, hey, it's Jack, host of the show. I went to IKEA the other day to buy a lamp,

00:00:05.200 --> 00:00:11.760
and when I went in, I saw that they had a recall notice on the bulletin board. Their garlic press

00:00:11.760 --> 00:00:17.040
was getting recalled. They said that ten people got injured using it, and I think little metal

00:00:17.040 --> 00:00:22.400
bits would fall off and cut some fingers. So, they stopped selling it and were issuing full refunds

00:00:22.400 --> 00:00:29.760
to anyone who bought one. It made me think, hold on; [music] has this ever happened with computers?

00:00:29.760 --> 00:00:36.720
Like, has a store ever recalled a computer because it was dangerous? What does dangerous mean?

00:00:36.720 --> 00:00:41.040
There was a story that came out a few years back which was about a super-cheap gaming computer

00:00:41.040 --> 00:00:46.640
that was being sold on Amazon, but little did anyone know the computer came with malware on

00:00:46.640 --> 00:00:51.920
it. People who bought it would get their crypto wallets drained, their Steam accounts taken over,

00:00:51.920 --> 00:00:57.360
and their e-mail compromised. The computers were made in China and came shipped with Windows 11.

00:00:57.360 --> 00:01:00.560
But the thing is, the company didn't want to pay for Windows keys so that they could sell

00:01:00.560 --> 00:01:05.600
the computers cheaper. So, they found a hacked version of Windows 11 installer,

00:01:05.600 --> 00:01:11.120
which would bypass the whole license key thing, but the problem is the installer

00:01:11.120 --> 00:01:15.680
would embed malware into the Windows install, so the seller didn't even

00:01:15.680 --> 00:01:20.720
know it had malware on it. Amazon reviews started showing up; this computer is unsafe.

00:01:20.720 --> 00:01:25.920
Don't buy it. One star. More reports came in about people saying that their computers came with

00:01:25.920 --> 00:01:31.680
malware on it. I mean, if you got a new gaming PC and during the time you were setting it up, it

00:01:31.680 --> 00:01:37.840
stole your cryptocurrency, took over your e-mail, and stole your Steam account, how much would that

00:01:37.840 --> 00:01:43.280
hurt you? How dangerous is that? Would it hurt more than getting a metal sliver in your finger

00:01:43.280 --> 00:01:50.400
from a garlic press? I think so. Yet, as far as I know, computer shops such as Best Buy, Amazon, or

00:01:50.400 --> 00:02:00.320
wherever, never issue recall notices for computers or tech which are malicious. Retailers who sell

00:02:00.320 --> 00:02:05.360
defective items that are unsafe typically issue recall notices to buy back faulty items that are

00:02:05.360 --> 00:02:11.040
dangerous. [Music] But I just wonder if a computer riddled with malware doing enormous amount of harm

00:02:11.040 --> 00:02:20.720
to users will ever fall into the category of dangerous or faulty or harmful to retailers.

00:02:20.720 --> 00:02:25.040
[Intro]: These are true stories from the

00:02:25.040 --> 00:02:48.680
dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.

00:02:48.680 --> 00:02:49.680
JACK:

00:02:49.680 --> 00:02:55.080
Today I'm so excited because I finally get to talk with D3ada55. It's good to see you again.

00:02:55.080 --> 00:02:55.760
D3ADA55: I know.

00:02:55.760 --> 00:03:00.480
JACK: So, we started — we start — I met you at Defcon like five, six years ago.

00:03:00.480 --> 00:03:03.000
D3ADA55: Like, one of my first ever Defcons, yeah.

00:03:03.000 --> 00:03:08.560
JACK: It was your first Defcon, and you messaged me like, hey, you want to meet? Where — can we

00:03:08.560 --> 00:03:12.320
meet? I got something to tell you. I was like, yeah, where? This was back in the days where

00:03:12.320 --> 00:03:16.960
I actually checked my DMs at Defcon. Now it's impossible for me to do that. So, I was like,

00:03:16.960 --> 00:03:22.400
okay, [inaudible]. This is what I'm wearing. Okay, cool. Then we sat down at a couch, and

00:03:22.400 --> 00:03:28.480
you're like, okay, I got something. It was still hush-hush. I was like, what is going on here?

00:03:28.480 --> 00:03:33.760
You had — I won't give names here, but you had a contact with somebody who you knew had

00:03:33.760 --> 00:03:38.320
a good story. Like, I can connect you with this person. I was like, great, and we did. We

00:03:38.320 --> 00:03:45.200
connected and we had conversations. So, thank you for that. So, that's where we first met,

00:03:45.200 --> 00:03:51.920
but then I just watched you have talk after talk, and I learned more about you. Like, at the time,

00:03:51.920 --> 00:03:57.680
you told me your name was D3ada55, and over time I've just learned that your name — you really

00:03:57.680 --> 00:04:04.320
should be called Badass, because you're really — I think even back then you were working on all

00:04:04.320 --> 00:04:09.960
kinds of really cool projects. Do you want to give us a background of just like, your tech career?

00:04:09.960 --> 00:04:14.720
D3ADA55: Yeah. I mean, it's kind of — I'm very much the textbook

00:04:14.720 --> 00:04:19.600
definition of non-traditional background as far as technology is concerned. Like,

00:04:19.600 --> 00:04:25.280
I have an English degree. I went to Berkeley for rhetoric and propaganda. Like, it wasn't...

00:04:25.280 --> 00:04:29.440
JACK: So, you — okay, so, I heard that today because we're here at CactusCon and I just

00:04:29.440 --> 00:04:34.299
heard your talk. But you did say that you have a degree in rhetoric and propaganda.

00:04:34.299 --> 00:04:34.314
D3ADA55: Mm-hm.

00:04:34.314 --> 00:04:35.440
JACK: Is that true or was that a joke?

00:04:35.440 --> 00:04:38.720
D3ADA55: That's legitimately basically what the degree was in. It was all

00:04:38.720 --> 00:04:44.320
about understanding argument, understanding like the rhetorical devices and tools. So,

00:04:44.320 --> 00:04:50.400
I hyper-focused on the efficacy of propaganda from that. That actually is what informed — when

00:04:50.400 --> 00:04:56.000
I started looking at the topic of my talk, why I knew there was something weird about it. Like,

00:04:56.000 --> 00:05:00.320
it kind of touched that part of my brain, and I hadn't really seen anything like this yet.

00:05:00.320 --> 00:05:04.280
JACK: So, you — that was a career path for you; I want to go into propaganda.

00:05:04.280 --> 00:05:08.000
D3ADA55: Well, more so I want to go to law school. Or, at least I thought I wanted to go to

00:05:08.000 --> 00:05:14.720
law school at one point, and then, you know, the Bay is expensive. Life is expensive. Then I built

00:05:14.720 --> 00:05:20.720
my first computer and I was like, oh, wait, I can do this for a job? Why was I not just doing that?

00:05:20.720 --> 00:05:24.400
JACK: So, you got into tech, and then give us kind

00:05:24.400 --> 00:05:27.320
of a potted summary of some of the tech roles you've had.

00:05:27.320 --> 00:05:33.360
D3ADA55: Yeah, so I've worked at some of the biggest names in security, so Palo Alto, Google,

00:05:33.360 --> 00:05:40.320
Apple. I've already been kind of around the valley, as they say, and now I'm over at CENSUS.

00:05:40.320 --> 00:05:42.480
JACK: Yeah. What do you do at CENSUS?

00:05:42.480 --> 00:05:48.466
D3ADA55: I'm a senior sales engineer, so not even like a researcher. I just do research for fun.

00:05:48.466 --> 00:05:51.040
JACK: [Music] But the thing is, a few years back, D3ada55 discovered

00:05:51.040 --> 00:05:54.560
something that was like discovering something you weren't supposed to see,

00:05:54.560 --> 00:05:58.560
a discovery which would send her down a rabbit hole that would take her years

00:05:58.560 --> 00:06:03.520
of research to get to the bottom of, and it all started at her dad's house.

00:06:03.520 --> 00:06:09.160
D3ADA55: Without giving away too much, he's one of the senior people at his oil and gas company.

00:06:09.160 --> 00:06:12.680
JACK: Okay. So, you go to visit him and...

00:06:12.680 --> 00:06:18.640
D3ADA55: Yeah. So, my dad is very — I don't want to say nonchalant, but he's like — he's chill,

00:06:18.640 --> 00:06:22.240
right? Like, he's a very chill kind of person. So, for him to be excited,

00:06:22.240 --> 00:06:28.680
I was like, oh, well, what are you excited about? Like, you're very deadpan. You don't get excited.

00:06:28.680 --> 00:06:32.080
JACK: Her dad was excited about all the channels and shows and movies that

00:06:32.080 --> 00:06:35.760
he could get on his TV now. He's like, look at this. I got hundreds of movies,

00:06:35.760 --> 00:06:40.480
full series of all the latest TV shows, thousands of channels, sports,

00:06:40.480 --> 00:06:45.200
even pay-per-view wrestling matches. You like wrestling, D3ada55. You would love this thing.

00:06:45.200 --> 00:06:49.120
D3ADA55: He's telling me about it, and he's like, yeah, it's just 300 bucks. It just works. It's

00:06:49.120 --> 00:06:55.120
called the SuperBox. Immediately I'm like, okay, this already sounds weird, but keep going. So,

00:06:55.120 --> 00:07:00.960
I asked, well, how does it work? He says, oh, it just works. That's not what I asked you. I asked

00:07:00.960 --> 00:07:08.240
you, how does it work? So, my younger sister was also studying cybersecurity. She comes in and she

00:07:08.240 --> 00:07:15.280
says, oh yeah, the network's been really slow at the house ever since those boxes came home. So,

00:07:15.280 --> 00:07:19.440
that was kind of my final red flag to be like, I'm gonna get one just to see what it's doing.

00:07:19.440 --> 00:07:20.040
JACK: Boxes.

00:07:20.040 --> 00:07:21.600
D3ADA55: Yeah, boxes.

00:07:21.600 --> 00:07:22.400
JACK: What?

00:07:22.400 --> 00:07:23.760
D3ADA55: More than three.

00:07:23.760 --> 00:07:25.080
JACK: Why does he have so many?

00:07:25.080 --> 00:07:27.733
D3ADA55: Because they're convenient. That’s how they get you.

00:07:27.733 --> 00:07:28.231
JACK: Oh, are they all for each TV?

00:07:28.231 --> 00:07:29.120
D3ADA55: Yeah, for each TV.

00:07:29.120 --> 00:07:30.880
JACK: Okay. How did he get it?

00:07:30.880 --> 00:07:37.040
D3ADA55: Somebody at his job told him he needed to get one really, really bad, so he got one.

00:07:37.040 --> 00:07:41.360
JACK: She takes one home to look at it. She's not a researcher,

00:07:41.360 --> 00:07:45.440
so she's not sure where to start. She knows enough that she should quarantine this thing,

00:07:45.440 --> 00:07:49.520
though, so she put it in a separate network so it doesn't learn about her home network or try

00:07:49.520 --> 00:07:53.520
to bother any of her other devices, and she puts it behind a firewall.

00:07:53.520 --> 00:07:57.200
Then she starts googling where to start.
D3ADA55: It was the weirdest question I've

00:07:57.200 --> 00:08:01.120
ever asked out loud; how do I get PCAPs at the house? Because I had to figure

00:08:01.120 --> 00:08:04.960
out how to get packet captures off the thing, and I'm like, how do you do PCAPs?

00:08:04.960 --> 00:08:09.840
JACK: The idea was that when she turns it on, she wanted to see where it would try to talk

00:08:09.840 --> 00:08:14.320
out to. Who does this thing communicate with? How does it send those packets? So,

00:08:14.320 --> 00:08:17.080
she learned how to do packet captures in order to watch this.

00:08:17.080 --> 00:08:23.040
D3ADA55: I got one of those Packet Squirrels from Hak5, and I had laughed to myself because

00:08:23.040 --> 00:08:27.760
I remember when I first came into security and thought I was gonna be a badass hacker — I was

00:08:27.760 --> 00:08:31.680
like, oh, I'm gonna get all this stuff off Hak5. So, I had one, and I hadn't ever opened it,

00:08:31.680 --> 00:08:35.840
and I learned how to use it, and that was my kind of inline packet captures.

00:08:35.840 --> 00:08:38.400
JACK: So, she gets it all set up, turns it on,

00:08:38.400 --> 00:08:42.703
and just lets it do its thing, and she watches what it talks to.

00:08:42.703 --> 00:08:45.520
D3ADA55: [Music] The first thing it does is call out to Tencent. Like, just straight...

00:08:45.520 --> 00:08:46.200
JACK: Tencent is...?

00:08:46.200 --> 00:08:48.360
D3ADA55: Like, in China, yeah, like qq.com.

00:08:48.360 --> 00:08:54.400
JACK: Tencent is a massive tech company that owns QQ in China, and it's not entirely unusual for

00:08:54.400 --> 00:08:59.280
something to be talking to it. So, at first I was like, okay, maybe this isn't that bad,

00:08:59.280 --> 00:09:04.240
but then when you apply the rest of it — like, oh, you're an oil and gas executive,

00:09:04.240 --> 00:09:09.200
somebody new told you to get this, the network's running really slow, and this thing is talking

00:09:09.200 --> 00:09:15.840
out to China, right? It's all of that, right? Individually those things don't mean anything,

00:09:15.840 --> 00:09:22.160
but we — when we're looking at this strategically or in a big picture, you're like, oh, I see.

00:09:22.160 --> 00:09:27.280
JACK: But maybe she's connecting dots that aren't there. So, she keeps looking for traffic logs.

00:09:27.280 --> 00:09:30.240
D3ADA55: I'm kind of just watching the traffic, watching the traffic. I would

00:09:30.240 --> 00:09:34.160
turn them on for like a day, turn them off. I'm looking at logs. I'm kind of just trying

00:09:34.160 --> 00:09:39.600
to get a feel for what they're trying to do. Then I get a hit in my vulnerability log,

00:09:39.600 --> 00:09:44.680
like in the threat log on my Palo Alto firewall, and it's for a SCADA vulnerability.

00:09:44.680 --> 00:09:51.680
JACK: A SCADA vulnerability. This makes no sense. SCADA is the control systems used in large-scale

00:09:51.680 --> 00:09:57.520
industrial settings. Think pumps, valves, conveyor belts, compressors, elevators, railway switches.

00:09:57.520 --> 00:10:03.200
This is where SCADA systems live. Why in the world is this box that's here to deliver TV and

00:10:03.200 --> 00:10:10.000
movies attempting to trigger a SCADA exploit on D3ada55's network? This is very concerning.

00:10:10.000 --> 00:10:14.880
So, she continues to look at the traffic this thing is sending. She notices it's communicating

00:10:14.880 --> 00:10:20.000
hard with all the other devices on her local network. Typically, a streaming box will not

00:10:20.000 --> 00:10:24.480
care about what else is on your local network and only want to go out to the internet and get

00:10:24.480 --> 00:10:30.240
the content so that it can show it to you on your TV. But this box was super busy feeling around to

00:10:30.240 --> 00:10:35.200
see what else is in her network. Specifically, it starts arping out to any device in the same

00:10:35.200 --> 00:10:39.520
network as it. So, basically, ARP is when a device is like, hey, are there any computers

00:10:39.520 --> 00:10:46.560
on this network that have the IP 192.168.1.10, or whatever? If there is a device that has that IP,

00:10:46.560 --> 00:10:51.200
it'll respond. It’ll say, yeah, that's me. You want to chat? Here's my MAC address. Then it

00:10:51.200 --> 00:10:56.760
gives the MAC address. So, this SuperBox was arping out to every IP in D3ada55's network.

00:10:56.760 --> 00:11:00.320
D3ADA55: I would say it was almost more of like an ARP DoS, because it was arping

00:11:00.320 --> 00:11:06.400
at things so hard that they would freak out and lose their IP address reservation. Yeah.

00:11:06.400 --> 00:11:06.800
JACK: Really?

00:11:06.800 --> 00:11:10.960
D3ADA55: Yeah, they were just so chatty, and that was also something weird to me,

00:11:10.960 --> 00:11:17.120
because normal devices, they're chatty, but they're not chatty like that,

00:11:17.120 --> 00:11:21.920
right? So, it's this noisy thing on a network, it's arping everything,

00:11:21.920 --> 00:11:26.960
it's sniffing around. It's just way too interested in things going on on my network.

00:11:26.960 --> 00:11:31.600
JACK: So, this thing would ask, ‘who has this IP?’ and when the device with that IP would respond,

00:11:31.600 --> 00:11:36.480
then it would just continually ask again and again, thousands of times, flooding it with ARP

00:11:36.480 --> 00:11:42.080
requests until that device would get overwhelmed and go offline, which would then allow this

00:11:42.080 --> 00:11:47.840
SuperBox to pose as that device. It would change its own IP and MAC address to match that thing it

00:11:47.840 --> 00:11:54.800
just took down, which is such a wild attack to knock out other things and then pose as them to

00:11:54.800 --> 00:12:01.440
see if they are communicating with anything more juicy. Holy cow, this thing is scary. So, she

00:12:01.440 --> 00:12:06.000
keeps googling this thing to try to learn more.
D3ADA55: It looks like it's all been SEO poisoned

00:12:06.000 --> 00:12:10.320
because it's the only place to buy the SuperBox. There's no negative — like,

00:12:10.320 --> 00:12:14.480
you can't even find Reddit posts even questioning anything about the SuperBox.

00:12:14.480 --> 00:12:17.640
The entire first page is where to buy and everything that's great about it.

00:12:17.640 --> 00:12:22.463
JACK: Now she's getting curious. Who makes this thing? What brand is it? Where does it come from?

00:12:22.463 --> 00:12:25.360
D3ADA55: [Music] One of the more common things a lot of us have probably done — we're like, what's

00:12:25.360 --> 00:12:32.080
this device? What's its MAC address? Who makes it? I look into who makes it. It's some weird looking,

00:12:32.080 --> 00:12:40.160
website templated, just strange-looking company called GBS Labs or something like that, and it's

00:12:40.160 --> 00:12:46.160
basically a shell. Like, there's stock photos on the site and just all kinds of the telltale signs

00:12:46.160 --> 00:12:53.200
of we stood this up to look just legit enough, not actually be legit. So, I look into them as

00:12:53.200 --> 00:12:58.480
a manufacturer. I'm finding fake LinkedIns and all kinds of stuff like that. So, I'm like, okay,

00:12:58.480 --> 00:13:06.640
this obviously isn't real. So, I keep digging. I get worried because as I continue to kind of

00:13:06.640 --> 00:13:11.280
acquire boxes — I got a couple off Amazon, I got one from Best Buy, one from Walmart...

00:13:11.280 --> 00:13:14.720
JACK: Whoa, whoa, whoa, these things are available at Amazon and Best Buy and Walmart?

00:13:14.720 --> 00:13:16.554
D3ADA55: Yes, they are. Like...

00:13:16.554 --> 00:13:18.960
JACK: You could buy a SuperBox right on these sites?

00:13:18.960 --> 00:13:19.740
D3ADA55: Yeah.

00:13:19.740 --> 00:13:28.960
JACK: Hold on a second. A bunch of pirated movies and TV shows sold in a box that you just

00:13:28.960 --> 00:13:34.640
plug into your TV and now you don't have to pay for a cable or any movies, that sounds illegal.

00:13:34.640 --> 00:13:38.560
D3ADA55: Yeah. I mean, it is, but they — even on the box itself,

00:13:38.560 --> 00:13:40.920
when you turn it on, it pops up a little disclaimer.

00:13:40.920 --> 00:13:44.720
JACK: Here, I actually want to read to you the notice that pops up when you just plug this thing

00:13:44.720 --> 00:13:49.760
in for the first time. It says, thank you for choosing SuperBox. SuperBox is an empty and open

00:13:49.760 --> 00:13:54.240
entertainment device. Due to the nature of this item, we are not in any way responsible for the

00:13:54.240 --> 00:13:59.920
content streamed or viewed by any user. It is the user's responsibility to satisfy themselves that

00:13:59.920 --> 00:14:04.320
the sites accessed for streaming the content to have correct copyright agreements in place and are

00:14:04.320 --> 00:14:09.600
entitled to the content. The burden of determining this falls completely on you, the user. SuperBox

00:14:09.600 --> 00:14:15.200
in no way takes any responsibility for how you use this device. Unbelievable. Does that even work?

00:14:15.200 --> 00:14:20.160
Like, can you sell a box that markets itself for having thousands of pirated shows on it

00:14:20.160 --> 00:14:25.680
and movies but then put a disclaimer up that says, oh, we're not liable for anything that you do on

00:14:25.680 --> 00:14:30.880
it? I mean, they're doing exactly that. So, in theory, no, it shouldn't work, but in reality,

00:14:30.880 --> 00:14:37.920
yeah, it's working since this is for sale on Amazon, Walmart and Best Buy's websites. I should

00:14:37.920 --> 00:14:43.360
mention that Amazon, Walmart, and Best Buy aren't listing this themselves. These are third-party

00:14:43.360 --> 00:14:48.880
marketplace areas of the site where anyone can go and set up a shop on those sites and start selling

00:14:48.880 --> 00:14:53.280
whatever they want. While these listings would get removed every now and then, they would just

00:14:53.280 --> 00:14:57.800
come right back up, listed by a totally different seller. Of course, eBay has them for sale too.

00:14:57.800 --> 00:15:01.440
D3ADA55: So, as I start kind of looking around, I go into YouTube and I'm like,

00:15:01.440 --> 00:15:07.520
okay, SuperBox. So, I see a bunch of different influencers. They're not like Linus Tech Tips,

00:15:07.520 --> 00:15:12.160
or, you know, some of these other bigger folks that have a huge following on YouTube. These

00:15:12.160 --> 00:15:18.320
are folks with sometimes 800 followers, sometimes fifty, sometimes, you know,

00:15:18.320 --> 00:15:25.600
50k. One guy had pictures of motorcycles and his wife and pictures of food,

00:15:25.600 --> 00:15:30.320
and then just a hard right turn, and he's now talking about SuperBoxes. I saw one kid who

00:15:30.320 --> 00:15:35.680
was talking about speakers, and then suddenly the SuperBox. So, I'm like, that's really weird. So,

00:15:35.680 --> 00:15:40.960
obviously they had to be paying them. It took me a while to figure this out, but I went way back to

00:15:40.960 --> 00:15:46.800
a seven-year-old SuperBox video, and this one influencer was like, yeah, they contacted me,

00:15:46.800 --> 00:15:52.600
and they're offering me 50% of the proceeds of every device that I sell if I talk about this.

00:15:52.600 --> 00:15:57.920
JACK: Whoa. So, there's SuperBox influencers out there, people paid to spread this thing? Gosh,

00:15:57.920 --> 00:16:02.240
this makes it a lot harder to control and stop this. If they're being sold by random people just

00:16:02.240 --> 00:16:07.160
trying to make a few extra bucks, it's almost like they have an army of marketers and salespeople.

00:16:07.160 --> 00:16:12.400
D3ADA55: They start appearing in weird places. I start seeing it on TikTok. They're on Facebook

00:16:12.400 --> 00:16:16.720
Marketplace. So, I start getting suspicious — even more suspicious because I'm like, this has

00:16:16.720 --> 00:16:21.600
to be a whisper campaign, because I'm not seeing it — like, I'm not watching cable television,

00:16:21.600 --> 00:16:25.200
and there's like, an ad for the SuperBox. If that ever happens, I'm gonna just move out of

00:16:25.200 --> 00:16:31.360
the country at that point. But I haven't seen that yet, but what I have been seeing is, oh,

00:16:31.360 --> 00:16:36.240
check out the SuperBox. Here's YouTube Shorts about the SuperBox. Check out my TikTok. Get

00:16:36.240 --> 00:16:42.000
it off my store. So, it's spreading, and then I find out later that because of how they're

00:16:42.000 --> 00:16:48.400
using the reseller market, they're basically penetrating the suburbs everywhere to get

00:16:48.400 --> 00:16:54.120
these sold and get these out to people and get that kind of foothold across the United States.

00:16:54.120 --> 00:17:00.320
JACK: Holy cow, these things aren't just spreading; they're spreading in specific places.

00:17:00.320 --> 00:17:07.440
Suburban families are getting them, and why there? Okay, let's think about it. By targeting suburban

00:17:07.440 --> 00:17:12.800
families, it's almost like a bottom-up approach to intelligence gathering. Don't attack companies or

00:17:12.800 --> 00:17:18.400
even the government at the front door, where their strongest firewall and security control is set up.

00:17:18.400 --> 00:17:25.840
Don't even come in through the back door. Instead, focus on the workers at their homes, because a lot

00:17:25.840 --> 00:17:32.080
of people bring their work home, and if they can jump off this thing onto a work laptop or find a

00:17:32.080 --> 00:17:39.120
VPN into the office from home, then bingo, they just gained access to the corporate network. Or

00:17:39.120 --> 00:17:45.200
even worse, it might hitch a ride in someone's backpack or pocket and get plugged in at work.

00:17:45.200 --> 00:17:50.240
So, if this is a malicious device disguised to be a TV streaming box,

00:17:50.240 --> 00:17:55.280
then yeah, targeting suburban family homes in the US makes a lot of sense if your goal

00:17:55.280 --> 00:18:03.440
is to try to set up a large-scale attack against major US companies. Geez, that just gave me the

00:18:03.440 --> 00:18:08.720
chills. [To D3ada55] At that point, did you have any guesses as to who might be behind all this?

00:18:08.720 --> 00:18:13.680
D3ADA55: So, that's been kind of the weird part. I mean, obviously, if it's talking to China, I just

00:18:13.680 --> 00:18:20.720
assumed China, but it does look like there's a few layers to this. Still trying to crack the code,

00:18:20.720 --> 00:18:26.320
but a lot of folks here in the cybersecurity industry in the United States — of course,

00:18:26.320 --> 00:18:30.560
we're very concerned about this because you can't really detect them on a network

00:18:30.560 --> 00:18:36.480
unless you know what you're looking at or know exactly where your things in your network live,

00:18:36.480 --> 00:18:42.800
and what the baselines are and what looks normal. So, if you're not using it and it's sitting there,

00:18:42.800 --> 00:18:47.520
your traffic is going to look normal. We all stream and everything, but what a lot of folks

00:18:47.520 --> 00:18:52.720
don't know is that with traditional streaming services like a Netflix, a Hulu, whatever,

00:18:52.720 --> 00:18:57.040
when they ask you, are you still there? That's the bandwidth control. So, it's not just sucking

00:18:57.040 --> 00:19:02.160
up and chewing up the pipe. These don't have anything like that. They'll just keep going.

00:19:02.160 --> 00:19:06.440
Then when you factor in the residential proxy stuff, that's a lot of bandwidth.

00:19:06.440 --> 00:19:11.520
JACK: Oh, I see; if thousands of these are in homes across America, and those homes all have

00:19:11.520 --> 00:19:17.440
high-speed internet, that means these boxes have quite a lot of bandwidth at their fingertips. When

00:19:17.440 --> 00:19:22.640
you have control of that much bandwidth, there's a lot of damage you could do with just that. So, at

00:19:22.640 --> 00:19:27.360
this point, it's 2023. D3ada55 has really started to get deep into researching this thing. She

00:19:27.360 --> 00:19:33.200
learned that the operating system on this thing is just Android, and not Android TV, just Android.

00:19:33.200 --> 00:19:37.000
D3ADA55: I looked at the Android information, and it was a patch from 2021.

00:19:37.000 --> 00:19:39.080
JACK: Okay, so, a three-year-old operating system.

00:19:39.080 --> 00:19:43.680
D3ADA55: At that point, yeah. It's on purpose, because this was one of the ones that have a

00:19:43.680 --> 00:19:49.040
lot of holes in it. When we think about not-great Android patches that came out,

00:19:49.040 --> 00:19:54.160
2021 was kind of a strange year for that. So, I'm looking at that and I'm like, okay,

00:19:54.160 --> 00:19:59.120
that's super, super weird. I keep digging in. I'm looking at the box. I'm like, let's look

00:19:59.120 --> 00:20:05.182
through the apps. Like, there’s TeamViewer on it, right? Like, why does it have TeamViewer?

00:20:05.182 --> 00:20:09.760
JACK: TeamViewer? Okay, so, TeamViewer is a way to remotely manage a computer. It allows you to

00:20:09.760 --> 00:20:14.400
connect to that thing and control it as if you're sitting right in front of it. So, with TeamViewer

00:20:14.400 --> 00:20:18.480
installed on it, that means that whoever is behind this has a dashboard at their fingertips

00:20:18.480 --> 00:20:24.240
of all the SuperBoxes out there with TeamViewer running, and with one click, they could just jump

00:20:24.240 --> 00:20:31.280
right into any of them. That's horrible. Holy cow. The idea that someone is inside your home looking

00:20:31.280 --> 00:20:37.400
around in your network and you have no idea — no, no, no, no, I do not want this. Burn it with fire.

00:20:37.400 --> 00:20:40.800
D3ADA55: Watching Reddit and stuff like that, and people are like, is this thing too good to

00:20:40.800 --> 00:20:48.800
be true? So, there was an account on Reddit that was created about — at that time, about four years

00:20:48.800 --> 00:20:53.520
ago, which lines up with kind of the initial timeline of everything we were seeing with this

00:20:53.520 --> 00:20:59.360
starting about 2019, 2020, and that account did not post a single thing for four years,

00:20:59.360 --> 00:21:06.960
and then it pops up just to say I've had the SuperBox for forever. I get NFL, MLB, you know,

00:21:06.960 --> 00:21:11.360
Sunday Ticket. Like, this is the best thing ever. Like, everyone should get one, and then it never

00:21:11.360 --> 00:21:19.440
posted again. So, they're, of course, nudging it and trying to prop it up in places. I'm like,

00:21:19.440 --> 00:21:23.680
so this is — again, it's spreading. People are talking about it, but I still have not heard

00:21:23.680 --> 00:21:29.920
a thing about it in the security community. So, I decided to do a talk on it initially,

00:21:29.920 --> 00:21:35.400
and that was my first ever technical talk at a hacker con. I was scared to even get up there.

00:21:35.400 --> 00:21:40.800
JACK: So, she gave the talk at a BSides event, and the crowd was stunned with her

00:21:40.800 --> 00:21:44.640
findings. Her talk was so scary, I think everyone after the talk called home to

00:21:44.640 --> 00:21:48.720
see if their parents had bought one of these or installed anything like that. Which reminds me,

00:21:48.720 --> 00:21:52.880
I need to call my dad to see if he has one. Let me take a quick ad break real quick,

00:21:52.880 --> 00:22:00.320
but stay with us, because everything got way more serious after she gave that talk. Okay,

00:22:00.320 --> 00:22:04.880
my dad says he does not have one, but he says the guy at the gym has one, and he keeps inviting

00:22:04.880 --> 00:22:10.000
him over to come watch shows. [To D3ada55] Okay, so after that talk, what happened next?

00:22:10.000 --> 00:22:18.880
D3ADA55: How can I put this without sounding crazy?

00:22:18.880 --> 00:22:24.940
Our government was very, very interested in knowing more. I can put it to you that way.

00:22:24.940 --> 00:22:28.560
JACK: [Music] Okay. Yeah, word got out and an investigation was opened up, and they brought her

00:22:28.560 --> 00:22:34.160
in to learn more. If this is another nation trying to plant boxes in family homes across America with

00:22:34.160 --> 00:22:40.240
malicious intent, then the Department of Defense was interested in knowing more. But the thing was,

00:22:40.240 --> 00:22:45.840
because this was now an active investigation, it meant D3ada55 had to be quiet about this,

00:22:45.840 --> 00:22:50.560
so she wasn't allowed to talk publicly about it. But it didn't stop her from researching it further

00:22:50.560 --> 00:22:56.000
and talking privately about it. So, for years she continued to research it and gave talks,

00:22:56.000 --> 00:23:01.360
but every one of those talks had to be no cameras, no recording, no photos in order to keep this hush-

00:23:01.360 --> 00:23:07.360
hush, and it's been driving me crazy since I've been attending her talks for years,

00:23:07.360 --> 00:23:11.120
and I think it's such a good story to get out to you, but she's never been allowed to be

00:23:11.120 --> 00:23:15.360
interviewed for it. That's why I'm so happy to finally, finally, finally get this interview to

00:23:15.360 --> 00:23:19.800
tell you her story. But as it turns out, this wasn't the first time we've seen bad boxes.

00:23:19.800 --> 00:23:25.760
D3ADA55: Human security and Google and all those guys had kind of done the stuff on the first bad

00:23:25.760 --> 00:23:30.880
box, and so — and they were sourced for a lot of the stuff on the second bad box. But

00:23:30.880 --> 00:23:36.480
we basically discovered that this thing was part of what's now referred to as the BadBox botnet.

00:23:36.480 --> 00:23:40.560
JACK: The BadBox botnet. So, we've been referring to it as SuperBox this whole time.

00:23:40.560 --> 00:23:41.040
D3ADA55: Yeah.

00:23:41.040 --> 00:23:46.640
JACK: Where's BadBox come from?
D3ADA55: BadBox comes from the fact that there are just other Android

00:23:46.640 --> 00:23:50.480
streaming devices, and they're actually a lot cheaper. This was actually an anomaly

00:23:50.480 --> 00:23:55.200
that I noticed when I was looking at the SuperBox. They're like, anywhere from thirty bucks to maybe,

00:23:55.200 --> 00:23:59.760
like 100 at most. So, again, cheap devices, they're kind of everywhere, they can get

00:23:59.760 --> 00:24:04.960
them out there pretty quickly. So, a lot of those made sense already infected. You know,

00:24:04.960 --> 00:24:11.200
the behavior looked the same once I started kind of like providing information and stuff. So,

00:24:11.200 --> 00:24:16.320
we all came to the determination that it should just be — it's still BadBox, but it's BadBox 2.0

00:24:16.320 --> 00:24:23.760
even though we had shut down the first BadBox. So, yeah, it's for any Android, basically,

00:24:23.760 --> 00:24:30.240
device that's got malware or is beaconing out to interesting places, etc. But the SuperBox — my

00:24:30.240 --> 00:24:36.600
focus on it is because it's $300 and the rest of them are $30. So, why is this one $300?

00:24:36.600 --> 00:24:41.040
JACK: So, she gave the authorities all the information that she discovered about this.

00:24:41.040 --> 00:24:45.440
D3ADA55: I provided network traffic, some logs, just things so that they could get

00:24:45.440 --> 00:24:48.720
an idea of what they were looking at, and they just kind of took it from there, so...

00:24:48.720 --> 00:24:54.160
JACK: Okay, and then for your own — you didn't stop with your own research.

00:24:54.160 --> 00:24:57.280
D3ADA55: Oh, no, I was like, there were not even — we haven't even scratched the surface.

00:24:57.280 --> 00:24:57.327
JACK: I know.

00:24:57.327 --> 00:25:01.200
D3ADA55: Like, I'm — you know, we're still — at that point, I was just like, there's still

00:25:01.200 --> 00:25:05.760
more. I know there's still more because there were still so many unanswered questions. Like,

00:25:05.760 --> 00:25:14.480
okay, I get why it's beaconing. I get that it's talking to this IP, but, again, why? Why? So,

00:25:14.480 --> 00:25:19.960
I keep digging. [Music] I just keep digging, and I continue to dig, and I continue to dig.

00:25:19.960 --> 00:25:24.000
JACK: She got obsessed with this box, and she knew she needed to skill up in order

00:25:24.000 --> 00:25:28.800
to research it better. So, she took some SANS courses, got her GCIA certification,

00:25:28.800 --> 00:25:32.880
upgraded her tools, and once again looked at the traffic this thing was sending. She

00:25:32.880 --> 00:25:39.360
saw that it was talking to a lot of domains ending in .top. Most websites end in .com,

00:25:39.360 --> 00:25:43.520
but not this box. It likes speaking to things in the .top domain.

00:25:43.520 --> 00:25:49.720
D3ADA55: Which, we all know there's nothing good for anybody at .top domain. That's not for us.

00:25:49.720 --> 00:25:55.120
JACK: Of course, it talked a lot to the .cn domains, too, which is clearly China.

00:25:55.120 --> 00:26:00.960
She studied protocols deeper, domains, IP addresses, analyzed the hardware and the

00:26:00.960 --> 00:26:04.480
company that makes it all, and she saw that this thing was just automatically

00:26:04.480 --> 00:26:09.480
downloading different apps and stuff for Android and was able to capture those and analyze those.

00:26:09.480 --> 00:26:14.400
D3ADA55: So, that was new for me, too. I said, I worked at the SOC. I did my little alerts and

00:26:14.400 --> 00:26:20.480
like, okay, escalate. That's all I used to do. So, to figure out how to decompile APKs was insane,

00:26:20.480 --> 00:26:25.120
but I figured it out, and I kind of started looking inside of them. I'm like, oh, that

00:26:25.120 --> 00:26:30.160
doesn't seem right. You shouldn't be sending that in clear text, or — you know, stuff like that. So,

00:26:30.160 --> 00:26:34.200
I mean, there was just so much smoke, right? I knew there was going to be fire.

00:26:34.200 --> 00:26:37.440
JACK: Because this thing is running the Android operating system,

00:26:37.440 --> 00:26:40.880
it has the Google Play Store. But of course, that's not where you'll find

00:26:40.880 --> 00:26:44.800
the thousands of channels that it says it has. Instead, you need to basically rip out

00:26:44.800 --> 00:26:49.600
the Google Play Store and instead install something called the SuperBox App Store.

00:26:49.600 --> 00:26:55.920
D3ADA55: What got me is when I tried to download the app store, and my firewall basically showed

00:26:55.920 --> 00:27:01.840
me that it was like a multi-layer encoded file. So, it was zipped up like six, seven times. So,

00:27:01.840 --> 00:27:08.160
that was weird, because that's still not normal for an app store. If anything,

00:27:08.160 --> 00:27:11.120
you should just be using the Google Play Store; it's an Android device. But they

00:27:11.120 --> 00:27:16.640
have their own app store that you had to download and install to get access to their piracy apps.

00:27:16.640 --> 00:27:18.640
JACK: Their app store looked nice and polished?

00:27:18.640 --> 00:27:25.440
D3ADA55: Oh, my god, it was — it's pretty brutal. It's weird because you click on it,

00:27:25.440 --> 00:27:29.520
it installs, it turns blue, which I thought was just kind of funny. I'm like,

00:27:29.520 --> 00:27:33.440
it’s — why is it blue? You click on it, and it just has the three apps in there.

00:27:33.440 --> 00:27:38.640
There's nothing else in it. So, it's only so you can, again, get access to their stuff,

00:27:38.640 --> 00:27:43.520
and they want it to look as legitimate as possible so people will use it. You'll appreciate this;

00:27:43.520 --> 00:27:50.320
so, they're all running Android Debug Bridge, which makes sense if they're pretending to be

00:27:50.320 --> 00:27:56.400
an Android device, because it's not an Android TV device. It's just straight up Android, which is

00:27:56.400 --> 00:28:04.800
already weird from the other types of devices. This was super strange to me because there's

00:28:04.800 --> 00:28:11.440
no authentication on it. I was able to connect just straight across the Android Debug Bridge,

00:28:11.440 --> 00:28:16.280
and then I just typed in, you know, ‘su’ for Switch User, and it gave me a root shell.

00:28:16.280 --> 00:28:18.720
JACK: So, you have root access to the SuperBox?

00:28:18.720 --> 00:28:21.680
D3ADA55: I have root access to the six that I have in my house, yeah.

00:28:21.680 --> 00:28:22.320
JACK: Oh my gosh.

00:28:22.320 --> 00:28:26.080
D3ADA55: Then I did finally dump the firmware, and there's entire

00:28:26.080 --> 00:28:32.000
sectors missing off of the device. If you're looking at, say, the structure,

00:28:32.000 --> 00:28:38.080
like the boot structure, there's twenty-seven partitions, but you can only see fifteen.

00:28:38.080 --> 00:28:38.360
JACK: What?

00:28:38.360 --> 00:28:41.040
D3ADA55: Right. That doesn't make any sense. It's not normal.

00:28:41.040 --> 00:28:42.880
JACK: That is strange.

00:28:42.880 --> 00:28:43.780
D3ADA55: Yeah.

00:28:43.780 --> 00:28:48.240
JACK: I just assume that if there are partitions on it but you can't see them,

00:28:48.240 --> 00:28:53.200
then that means it has some sort of software deep inside it, and who knows what's going on

00:28:53.200 --> 00:28:57.760
in there? What's in those partitions, and how scary is it? Nobody knows.

00:28:57.760 --> 00:29:00.960
D3ADA55: I'm also, at the same time, still digging into the shell company.

00:29:00.960 --> 00:29:06.560
They have these weird fake certificates of award to look legitimate. I'm like,

00:29:06.560 --> 00:29:10.080
what even is — is that supposed to be a certificate of authenticity? That's

00:29:10.080 --> 00:29:13.160
basically what they're putting out for the SuperBoxes to make them look legit.

00:29:13.160 --> 00:29:18.160
JACK: Yeah. So, the packaging of this thing, you got a few, right? So, what is...?

00:29:18.160 --> 00:29:18.634
D3ADA55: Oh, man.

00:29:18.634 --> 00:29:22.240
JACK: Does it just look like a regular device, or is there anything silly about it?

00:29:22.240 --> 00:29:23.600
D3ADA55: I mean, I look at it and I'm like,

00:29:23.600 --> 00:29:29.040
why does it look evil? It feels evil to me. Have you ever seen something and you're like,

00:29:29.040 --> 00:29:34.360
I don't like that? It kind of gives me those vibes. But it says 6k on the box.

00:29:34.360 --> 00:29:35.120
JACK: 6k...

00:29:35.120 --> 00:29:40.800
D3ADA55: Right? Like, what is 6k? I must have missed that memo between 4 and 8k.

00:29:40.800 --> 00:29:45.840
But yeah, it has 6k on the box. There's even regulatory information printed on the box,

00:29:45.840 --> 00:29:49.200
but then we can't find FCC information on it.

00:29:49.200 --> 00:29:53.680
JACK: Okay, so, the regulatory stuff looks like it's just made up.

00:29:53.680 --> 00:29:54.400
D3ADA55: Yeah.

00:29:54.400 --> 00:29:57.920
JACK: Yeah. Like, oh, we're certified in all these things, but not really.

00:29:57.920 --> 00:29:58.794
D3ADA55: Right, and again...

00:29:58.794 --> 00:30:00.560
JACK: Well, that's crazy. That’s illegal.

00:30:00.560 --> 00:30:04.640
D3ADA55: Well, and so, the average everyday person, it looks like anything else they might

00:30:04.640 --> 00:30:09.960
buy. It's got the regulatory information. It tells me what the product is. It says who makes it.

00:30:09.960 --> 00:30:12.800
JACK: That seems highly illegal. The government's not going to want

00:30:12.800 --> 00:30:16.960
you to put regulated — or, you know, certifications on there that aren't,

00:30:16.960 --> 00:30:19.920
especially for some of the safe electronics out there...

00:30:19.920 --> 00:30:20.320
D3ADA55: Exactly.

00:30:20.320 --> 00:30:24.320
JACK: ….and make it safe for consumers. They’re just putting it on there and not...

00:30:24.320 --> 00:30:30.000
D3ADA55: It's not actually vetted. They're just like, here you go. This is safe for consumers.

00:30:30.000 --> 00:30:30.680
JACK: Okay.

00:30:30.680 --> 00:30:34.320
D3ADA55: It's ridiculous, and it just stays ridiculous. So, you know, just

00:30:34.320 --> 00:30:43.120
buckle up. [Music] There's just so many glaring red — I would call them more like neon red flags,

00:30:43.120 --> 00:30:47.760
if that's even a thing. I'm just — again, at this point — this is like the end of 2024 at

00:30:47.760 --> 00:30:55.760
this point. I'm just like, does no one else see this? Like, no one else sees this, really? So,

00:30:55.760 --> 00:31:02.800
I get into 2025 and that's where it kind of like really started to take off. So,

00:31:02.800 --> 00:31:06.720
the BadBox PSA comes out in June. That was a huge deal.

00:31:06.720 --> 00:31:11.760
JACK: Oh yeah, I saw that announcement. Let me pull it up for you. It's titled Home Internet

00:31:11.760 --> 00:31:17.600
Connected Devices Facilitate Criminal Activity. Here's what the FBI warning says. The FBI is

00:31:17.600 --> 00:31:22.720
issuing a public service announcement to warn the public about cyber-criminals exploiting IoT

00:31:22.720 --> 00:31:28.560
devices. Cyber-criminals gain unauthorized access to home networks through compromised IoT devices

00:31:28.560 --> 00:31:34.400
such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital

00:31:34.400 --> 00:31:38.880
picture frames, and other products. Most of the infected devices were manufactured in China.

00:31:38.880 --> 00:31:43.520
Cyber-criminals gained unauthorized access to home networks by either configuring the product with

00:31:43.520 --> 00:31:47.760
malicious software prior to users purchasing or infecting the device with back doors,

00:31:47.760 --> 00:31:55.040
usually during the setup process. Gosh, wow. So, the FBI put this warning out, but that wasn't

00:31:55.040 --> 00:32:00.640
enough for them to get banned off of Amazon, Best Buy, and Walmart marketplaces, and even with this

00:32:00.640 --> 00:32:04.440
FBI warning, it wasn't enough for D3ada55 to convince her father to get rid of it, either.

00:32:04.440 --> 00:32:06.840
D3ADA55: He did, at least, unplug it.

00:32:06.840 --> 00:32:08.680
JACK: Only when you're home.

00:32:08.680 --> 00:32:10.302
D3ADA55: Only when I’m home.

00:32:10.302 --> 00:32:11.440
JACK: He probably plugs it back in when you leave.

00:32:11.440 --> 00:32:12.385
D3ADA55: It's just so frustrating.

00:32:12.385 --> 00:32:16.800
JACK: Alright, so, how do you convince...? I imagine it's my dad here or your dad

00:32:16.800 --> 00:32:22.860
here. What do you say to them? Say, do not do this? Because, what matters to them, right?

00:32:22.860 --> 00:32:22.874
D3ADA55: Yeah.

00:32:22.874 --> 00:32:24.480
JACK: So, you have to bring it to their level.

00:32:24.480 --> 00:32:31.040
D3ADA55: Well — so, what was interesting — I think what got through to my dad was when I said, hey,

00:32:31.040 --> 00:32:36.080
if something goes wrong with this — and, you know, you're in a pretty high position at your

00:32:36.080 --> 00:32:40.480
company — I mean, people were reporting their bank accounts getting hacked. Like,

00:32:40.480 --> 00:32:45.040
do you care about your money? Do you care about your retirement? Again,

00:32:45.040 --> 00:32:48.640
they're looking at your credentials. They're monitoring the network. They're going to see

00:32:48.640 --> 00:32:52.640
when you're logging into your bank, and they're going to see when you're doing things that we

00:32:52.640 --> 00:32:58.640
might all consider sensitive. If you don't want that to now become a negative or get

00:32:58.640 --> 00:33:04.000
exploited or become a problem, you have to think about what you're bringing home on the network.

00:33:04.000 --> 00:33:07.265
JACK: Okay, you said someone's bank account got wiped out from this thing?

00:33:07.265 --> 00:33:09.440
D3ADA55: Yeah. Somebody — yeah, somebody reported on Reddit. They're like, oh,

00:33:09.440 --> 00:33:11.200
they tried to hack our bank account, so put it on

00:33:11.200 --> 00:33:15.280
a guest network. Not stop using it. Just put it on a separate network.

00:33:15.280 --> 00:33:21.040
JACK: Gosh, what are we even doing? Imagine you had some roommate that tried to steal money from

00:33:21.040 --> 00:33:25.200
your bank account every time you turned your back and was constantly spying on you. You wouldn't

00:33:25.200 --> 00:33:29.200
just move them to the guest bedroom; you'd throw them out of the house. How is it that this thing

00:33:29.200 --> 00:33:34.880
can clearly be so dangerous, yet people still don't throw it in the trash? It's because it's

00:33:34.880 --> 00:33:40.000
still providing value to them even after it's an apparently dangerous and harmful device to have

00:33:40.000 --> 00:33:46.000
in your home. This puts me in deep thought, actually, on how to fix this. This isn't a

00:33:46.000 --> 00:33:50.560
one-off. It's an industry trend, and it's not even just an industry trend in cybersecurity.

00:33:50.560 --> 00:33:56.880
It's a bug in human beings. We often ignore good advice. Like, we all know you should

00:33:56.880 --> 00:34:01.120
take your health seriously, eat healthy, work out five times a week, and get plenty of sleep.

00:34:01.120 --> 00:34:05.120
Yet, most of us don't do it. It's not because we don't know better. We all know better,

00:34:05.120 --> 00:34:09.520
and there's nothing you should value more in your life than your own life. So, it's not like there's

00:34:09.520 --> 00:34:15.040
something more important to focus on. Yet, we still don't take care of ourselves properly.

00:34:15.040 --> 00:34:21.760
This is what I think is a bug in human beings. We know what the right thing to do is, yet we still

00:34:21.760 --> 00:34:29.440
don't do it. Here's an example of this bug being exploited so perfectly. Even when the SuperBox

00:34:29.440 --> 00:34:37.040
rears its ugly head and shows us how dangerous and harmful it is, people still use it because

00:34:37.040 --> 00:34:41.520
they like getting their TV shows. [To D3ada55] To be clear, how do you feel about piracy?

00:34:41.520 --> 00:34:45.040
D3ADA55: I mean, I personally do not care. That's you and your business

00:34:45.040 --> 00:34:48.240
of — between you and your ISP. That has nothing to do with me.

00:34:48.240 --> 00:34:50.382
JACK: Yeah, that's not what you're out here...

00:34:50.382 --> 00:34:50.394
D3ADA55: No.

00:34:50.394 --> 00:34:51.040
JACK: …saying is bad.

00:34:51.040 --> 00:34:56.560
D3ADA55: Yeah. It's the fact that like, to make it easier to have access to these things,

00:34:56.560 --> 00:35:00.960
because a lot of people do not have the technical know-how to potentially

00:35:00.960 --> 00:35:08.400
participate in sailing the internet high seas safely. This is a one-stop, easy pre-box shop.

00:35:08.400 --> 00:35:12.240
JACK: Can we talk more about who you were seeing getting these things?

00:35:12.240 --> 00:35:18.800
D3ADA55: Yeah. So, I had folks reporting to me that they were getting them mailed to them

00:35:18.800 --> 00:35:24.080
at their house. [Music] I'm like, what? They work in oil and gas. They're like,

00:35:24.080 --> 00:35:29.400
I didn't order this. I'm like, yeah, definitely don't plug it in. So, one of those got sent to me.

00:35:29.400 --> 00:35:34.400
JACK: Wow. How scary is that, to have one mysteriously show up at

00:35:34.400 --> 00:35:40.640
your doorstep and you work in oil and gas? Man, this is a very serious

00:35:40.640 --> 00:35:44.800
and dangerous campaign. I already said this thing should be burned with fire,

00:35:44.800 --> 00:35:47.920
but now I think you need to take a sledgehammer to it first and then burn it.

00:35:47.920 --> 00:35:51.920
D3ADA55: Of course, I'm seeing stuff on social media, kind of all the different platforms; like,

00:35:51.920 --> 00:35:58.160
oh, my parents got gifted one. My uncle was telling us about it. All the — again,

00:35:58.160 --> 00:36:04.720
it was lots of stuff like that. I had a friend in Sacramento tell me that he

00:36:04.720 --> 00:36:10.160
saw one of the single moms that is known in the neighborhood — she had them. I'm like,

00:36:10.160 --> 00:36:15.360
That's so weird. Again, if it's the gray money, I guess,

00:36:15.360 --> 00:36:20.040
and you want to make some extra cash on the side, it's a great business. I mean, that’s...

00:36:20.040 --> 00:36:27.040
JACK: I mean, if we look back at — I think it was the late 90s, early 2000s we had a similar thing

00:36:27.040 --> 00:36:34.960
where you could buy the — some sort of streaming box. It was a cable box, but it was like a...

00:36:34.960 --> 00:36:36.320
D3ADA55: Like a black box, or whatever?

00:36:36.320 --> 00:36:41.360
JACK: Yeah, it was jailbroken, and so, you would get free cable. So,

00:36:41.360 --> 00:36:43.899
this wasn't sold by the moms in the neighborhood.

00:36:43.899 --> 00:36:43.914
D3ADA55: Right.

00:36:43.914 --> 00:36:46.685
JACK: This wasn't sold by your — maybe your uncle, but...

00:36:46.685 --> 00:36:46.714
D3ADA55: But it was some guy.

00:36:46.714 --> 00:36:48.560
JACK: It was sold in the seedy parts of town.

00:36:48.560 --> 00:36:48.960
D3ADA55: Yeah, exactly.

00:36:48.960 --> 00:36:51.920
JACK: Or you had to know someone who knew someone who knew someone,

00:36:51.920 --> 00:36:59.360
and then make a deal with them to get your pirated — you know, your jailbroken cable box.

00:36:59.360 --> 00:36:59.840
D3ADA55: Yeah.

00:36:59.840 --> 00:37:04.000
JACK: That's what this — this doesn't smell the same. This has a different scent to it,

00:37:04.000 --> 00:37:10.120
because it's people who are — the people who are selling it are almost like hustlers in some way...

00:37:10.120 --> 00:37:10.760
D3ADA55: Yeah, exactly.

00:37:10.760 --> 00:37:13.520
JACK: ….where they're — they got like, six side businesses...

00:37:13.520 --> 00:37:14.120
D3ADA55: Exactly.

00:37:14.120 --> 00:37:15.680
JACK: ….and they've got a lot of free time.

00:37:15.680 --> 00:37:19.280
D3ADA55: Mm-hm. It's like a — there's a weird profile overlap that I was noticing,

00:37:19.280 --> 00:37:23.920
because at first it was real estate agents. I'm like, okay, I could kind of see that. Then I'm

00:37:23.920 --> 00:37:27.920
seeing reports online where someone's like, oh, my cable guy tried to sell me one. I'm like,

00:37:27.920 --> 00:37:33.280
your cable guy who just installed your internet is trying to sell you one of these boxes? Like,

00:37:33.280 --> 00:37:40.640
what? Then, of course, there's the whole issue with just as you're — you know, as we start

00:37:40.640 --> 00:37:43.920
looking at kind of the whole thing, I'm like, okay, well now I'm starting to see people — like

00:37:43.920 --> 00:37:49.040
you said, like five, six businesses, and they're not tech savvy people. They're just like, oh yeah,

00:37:49.040 --> 00:37:53.440
it just works. I've been using mine for two years. I don't have any problems. They're usually the

00:37:53.440 --> 00:37:58.160
ones that will go into a lot of these social media posts and naysay anyone trying to say anything

00:37:58.160 --> 00:38:03.360
negative about it. They're ready to squash any negativity as soon as you try to post about it.

00:38:03.360 --> 00:38:06.560
JACK: The marketing images of this thing are ridiculous. There's one with a family

00:38:06.560 --> 00:38:11.120
sitting on a couch, which looks like a stock photo, and the SuperBox is oddly placed on

00:38:11.120 --> 00:38:14.800
the TV in front of them, and the mother is smiling, all happy with this thing,

00:38:14.800 --> 00:38:19.680
holding her daughter. Again, to me, this thing looks like it's targeting suburban families.

00:38:19.680 --> 00:38:24.640
D3ADA55: There's a piece here that I don't think we talk about enough in cybersecurity,

00:38:24.640 --> 00:38:30.720
and it's really, truly the cyberpsychology of us as consumers, of us as practitioners,

00:38:30.720 --> 00:38:37.600
of everyone, really. So, we don't have a culture of understanding,

00:38:37.600 --> 00:38:43.680
again, scams and stuff. We lose billions of dollars every year to pig butchering, phishing,

00:38:43.680 --> 00:38:49.120
all kinds of get-rich-quick schemes. Everybody wants to make a buck, or everybody thinks that,

00:38:49.120 --> 00:38:52.800
oh, I'm gonna — I'm no longer going to be a temporarily-embarrassed millionaire;

00:38:52.800 --> 00:38:58.000
I'm going to be a millionaire now. Or, I get to watch TV and I don't see what the problem is.

00:38:58.000 --> 00:39:03.040
JACK: Yeah, I want to — I was — at first I was going to push back and say, well, you know,

00:39:03.040 --> 00:39:08.774
we assume that the stuff we buy has already been vetted and secure and all that stuff...

00:39:08.774 --> 00:39:08.794
D3ADA55: Absolutely.

00:39:08.794 --> 00:39:10.240
JACK: ….or else it wouldn't be in the store,

00:39:10.240 --> 00:39:14.360
because the store should have some sort of responsibility.

00:39:14.360 --> 00:39:18.480
D3ADA55: There's implied trust when you go to Best Buy, right? There's a reason I'm not

00:39:18.480 --> 00:39:22.160
going to go stand out here on the corner and say, hey, does anyone have an iPhone

00:39:22.160 --> 00:39:27.120
17 I can just buy real quick? I'm gonna go to Apple. I'm gonna go directly to Best Buy. So,

00:39:27.120 --> 00:39:30.720
again, as consumers, especially in the United States like you said,

00:39:30.720 --> 00:39:33.560
we go to Best Buy, we assume that what we're getting is okay.

00:39:33.560 --> 00:39:36.960
JACK: Okay. Well, let me ask you this; once the FBI warning came out,

00:39:36.960 --> 00:39:39.720
did all of the stuff evaporate off Best Buy and Walmart?

00:39:39.720 --> 00:39:43.600
D3ADA55: Nope, it's still there, and part of the problem is because they have very

00:39:43.600 --> 00:39:49.760
un-monitored third-party marketplaces. However, I did receive reports from other

00:39:49.760 --> 00:39:54.320
contacts that they had a parent that was able to get one off the shelf at Best Buy.

00:39:54.320 --> 00:39:54.920
JACK: What?

00:39:54.920 --> 00:39:58.640
D3ADA55: Which, I was like, how did that even happen? Because it's very hard to

00:39:58.640 --> 00:40:03.200
get things on the shelf at Best Buy. But if there's this other kind of influence of like,

00:40:03.200 --> 00:40:08.400
hey, let me slide you some cash in this envelope, secondarily, put this on the

00:40:08.400 --> 00:40:14.160
shelf at Best Buy. I can absolutely see that happening if we just think about humanity.

00:40:14.160 --> 00:40:19.600
JACK: So, I mean, I want to assume that it did get wiped off of all these online marketplaces,

00:40:19.600 --> 00:40:23.840
but then it's a cat and mouse game, and so, it just comes right back. There is a different

00:40:23.840 --> 00:40:28.640
seller selling it, and there's another person, and maybe there's tens or dozens or hundreds of

00:40:28.640 --> 00:40:34.000
people trying to get it back onto Amazon, and since Amazon has this sort of — anybody could

00:40:34.000 --> 00:40:38.619
come on and sell something, then it becomes very hard for Amazon to pop every mole on the head.

00:40:38.619 --> 00:40:39.360
D3ADA55: Like police it, yeah.

00:40:39.360 --> 00:40:43.200
JACK: Okay, so you feel like that's what happened?

00:40:43.200 --> 00:40:47.920
D3ADA55: I think that's probably got a lot to do with it. I mean, the third-party marketplace

00:40:47.920 --> 00:40:52.800
thing — I still have questions about how Temu came out of nowhere and got two Super

00:40:52.800 --> 00:40:59.440
Bowl commercials the first year of its existence. But, yeah, looking at Amazon, I did look recently

00:40:59.440 --> 00:41:04.640
and it's actually harder to find them. So, I think Amazon did make some changes. But Walmart is still

00:41:04.640 --> 00:41:10.240
just pages and pages and pages. Again, I mean, they get a lot of money out of having all these

00:41:10.240 --> 00:41:15.600
sellers on their marketplaces, but they're selling something that's kind of dangerous.

00:41:15.600 --> 00:41:20.800
JACK: Gosh, this device is so insidious in the way it's wriggling into our homes across the

00:41:20.800 --> 00:41:26.640
nation. We humans are vulnerable to scams and manipulation, and this seems to be the perfect

00:41:26.640 --> 00:41:31.360
thing to exploit that. Americans are sick of paying for twenty different streaming services.

00:41:31.360 --> 00:41:36.000
Like, if you pay for Netflix, Disney+, Amazon Prime, and HBO Max, you still don't get any

00:41:36.000 --> 00:41:44.480
news channels. It's so fractured and crazy. I just remembered this YouTube video by videogamedunkey,

00:41:44.480 --> 00:41:48.784
who has a guide on how to watch all the seasons of Pokemon. Here, take a listen.

00:41:48.784 --> 00:41:52.800
DUNKEY: [Music] For Pokemon, there is a website that tells you how to watch this.

00:41:52.800 --> 00:41:56.640
You start off on Netflix, then swap over to the Pokemon streaming service,

00:41:56.640 --> 00:42:02.160
which is the only place that has Season 2, then swap over to Prime Video for Seasons 3 through 5,

00:42:02.160 --> 00:42:08.000
swap to Freevee, then Hoopla. Season 13 is only on Amazon, though. Then swap to Tubi, then Hulu,

00:42:08.000 --> 00:42:12.680
then Roku channel, and then finally back to the Pokemon streaming, and then Netflix. Easy.

00:42:12.680 --> 00:42:19.440
JACK: What are these streaming services doing? It's like the more they battle, the more we lose.

00:42:19.440 --> 00:42:25.440
Disney bought Marvel in 2009 for $4 billion, but even Disney+ doesn't have the rights to play all

00:42:25.440 --> 00:42:32.560
the Spider-Man movies? What's happening? So, this SuperBox hit us right where our pain point is when

00:42:32.560 --> 00:42:37.840
it comes to watching TV and movies. It solves so many problems. People don't want to pirate,

00:42:37.840 --> 00:42:42.960
but when it's so painful and so complicated to find the shows you want to watch, then they just

00:42:42.960 --> 00:42:48.000
migrate to a simpler way to watch the shows. It's not even less expensive, since they're paying

00:42:48.000 --> 00:42:52.640
$300 or $400 for one of these boxes, which just has all the shows they want to watch.

00:42:52.640 --> 00:42:57.360
I'm sure they'd be happy paying a monthly fee if it was for a streaming service which gave them

00:42:57.360 --> 00:43:02.640
what they wanted. But piracy is on the rise because of how complicated and frustrating

00:43:02.640 --> 00:43:07.040
streaming services are today, and when it's 1000 times easier to pirate a movie than it

00:43:07.040 --> 00:43:11.440
is to research where things are streamed, only to create an account there, only to find that

00:43:11.440 --> 00:43:17.040
they're no longer streaming it there, then people are going to give up and just pirate. Honestly,

00:43:17.040 --> 00:43:22.080
I blame the streaming services for this explosion of piracy that we're currently seeing. They

00:43:22.080 --> 00:43:26.480
need to start treating their users with more respect, and we'd all be much happier for it.

00:43:26.480 --> 00:43:31.760
D3ADA55: I had been hyper-focused on the SuperBox, but then I saw some of the same characteristics of

00:43:31.760 --> 00:43:37.200
a bunch of sellers and folks on social media talking about the vSeeBox. [Music] So, again,

00:43:37.200 --> 00:43:41.840
another one that's like, still something something box, but a lot of the same stuff;

00:43:41.840 --> 00:43:46.400
oh, we've got this playback feature, you get all the channels. I'm like,

00:43:46.400 --> 00:43:54.400
this sounds familiar. So, I start digging into the vSeeBox, and so, I buy one of these.

00:43:54.400 --> 00:43:56.560
JACK: This thing looks equally as strange.

00:43:56.560 --> 00:44:01.840
D3ADA55: It was another weird Reddit post, too. Reddit was weird and got me all these breadcrumbs,

00:44:01.840 --> 00:44:07.200
by the way, because people just tell on themselves in Reddit piracy, by the way.

00:44:07.200 --> 00:44:12.800
But this particular post stuck out to me because they're like, oh yeah, there's no Chinese here.

00:44:12.800 --> 00:44:16.240
I got this new box and it still gives you all the channels, and it's better than the SuperBox.

00:44:16.240 --> 00:44:17.880
JACK: Does it say no Chinese here?

00:44:17.880 --> 00:44:23.440
D3ADA55: It literally says — that's the first thing it says. They started the post like that.

00:44:23.440 --> 00:44:29.680
I'm like, what? Like, why? Who? In the thread, no one said anything about China. That's the thing

00:44:29.680 --> 00:44:36.720
that was weird. I was like, why are you telling on yourself? So, I read this post. This person

00:44:36.720 --> 00:44:41.600
in particular was like, no, everything was great. My seller was awesome. Everything's responsive.

00:44:41.600 --> 00:44:46.640
It's the best ever. You should get the vSeeBox now. I'm like, why is there another one? So,

00:44:46.640 --> 00:44:51.840
they look like almost competing companies. So, I buy one, and it's also beaconing straight

00:44:51.840 --> 00:44:57.680
to China via Tencent infrastructure. I'm like, I'm not crazy, right? So,

00:44:57.680 --> 00:45:00.880
I put them all on the same network together, and they all start talking to each other.

00:45:00.880 --> 00:45:01.440
JACK: Really?

00:45:01.440 --> 00:45:06.960
D3ADA55: Yeah. I was like, oh no, are you guys sentient? I'm scared. So,

00:45:06.960 --> 00:45:12.160
again, I continue to dig. I continue to dig. I'm looking again, actually getting access

00:45:12.160 --> 00:45:16.360
to — I was using Censys at this point because I started at Censys in the beginning of 2025.

00:45:16.360 --> 00:45:17.680
JACK: What is their tool?

00:45:17.680 --> 00:45:26.560
D3ADA55: They’re internet intelligence, internet scanning, like Shodan for grownups. Got to do

00:45:26.560 --> 00:45:34.880
the job. So, as — again, it just continues kind of to get weird. I'm now tracking the different

00:45:34.880 --> 00:45:42.480
marketing campaigns. I'm tracking when new models come out. So, when I started, the SuperBox S5 was

00:45:42.480 --> 00:45:47.546
the model that was available, and now they're up to the 7. So, they're still just releasing...

00:45:47.546 --> 00:45:47.591
JACK: They’re coming out with new versions.

00:45:47.591 --> 00:45:48.160
D3ADA55: With new versions.

00:45:48.160 --> 00:45:50.000
JACK: Wow.

00:45:50.000 --> 00:45:57.520
D3ADA55: I'm like, wow, this one has USB C on it. Look at them go. So, yeah. So,

00:45:57.520 --> 00:46:03.360
again, it's — just kind of continued. I got to the — kind of towards the end of

00:46:03.360 --> 00:46:10.800
2025, and I start seeing more posts about suspicious activity blocked from users on Reddit,

00:46:10.800 --> 00:46:17.360
getting messages about — oh, my ISP says that I'm visiting malicious IPs and things like that. So,

00:46:17.360 --> 00:46:20.640
I'm like, okay, so maybe there's some traction picking up here,

00:46:20.640 --> 00:46:24.960
because now there’s starting to be signals that — folks are starting to pick up on this.

00:46:24.960 --> 00:46:30.960
Folks are starting to notice this and make those changes with regard to our own infrastructure. So,

00:46:30.960 --> 00:46:37.680
I'm still looking, and in the beginning of last year, I found a third box called the Magabox.

00:46:37.680 --> 00:46:38.720
JACK: Manga.

00:46:38.720 --> 00:46:39.520
D3ADA55: Maga.

00:46:39.520 --> 00:46:40.480
JACK: Oh, Magabox.

00:46:40.480 --> 00:46:41.520
D3ADA55: Like M-A-G-A.

00:46:41.520 --> 00:46:43.280
JACK: Oh my gosh.

00:46:43.280 --> 00:46:48.480
D3ADA55: That actually — finally I got the answer I was looking for just this week

00:46:48.480 --> 00:46:53.680
from an interesting Verge article I'll talk about here in a second. But that one, of course, stuck

00:46:53.680 --> 00:47:01.280
out to me because I'm like, well, who could they possibly be trying to advertise to? I was just

00:47:01.280 --> 00:47:07.600
like, wow. It was so blatant, and it looked just like the SuperBox. That's what got me. I'm like,

00:47:07.600 --> 00:47:14.160
why does it look like the SuperBox? I don't understand. So, again, there was just so many

00:47:14.160 --> 00:47:19.920
weird things. I'm like, why is this still happening? Just a lot of like, why this?

00:47:19.920 --> 00:47:21.640
JACK: Did you get one of the Magaboxes?

00:47:21.640 --> 00:47:26.720
D3ADA55: I did. I think it — I don't know if they killed it or what, because I hooked

00:47:26.720 --> 00:47:31.040
it back up recently to kind of put back into my little baby botnet that I'm running at the house,

00:47:31.040 --> 00:47:35.600
and it wasn't getting updates or anything. So, something else may be going wrong with that,

00:47:35.600 --> 00:47:40.080
or they've just kind of shifted focus back to the other ones. But yeah, I ran it for a little bit;

00:47:40.080 --> 00:47:44.480
kind of the same thing. Had a weird little, you know, get the little app store. Get the

00:47:44.480 --> 00:47:50.640
little video app. Watch your TV shows. Here's your local listings of channels. They have, you know,

00:47:50.640 --> 00:47:55.345
all the different fandoms and things that you can get access to, but it worked like the other two.

00:47:55.345 --> 00:47:56.160
JACK: Do these things come with remotes?

00:47:56.160 --> 00:47:57.920
D3ADA55: They come with remotes.

00:47:57.920 --> 00:47:59.600
JACK: Anything interesting in the remote?

00:47:59.600 --> 00:48:05.840
D3ADA55: They have self-signed certificates for some reason. They, of course, have microphones,

00:48:05.840 --> 00:48:13.200
but again, they have open ports on them as remotes. So, I can — if I'm

00:48:13.200 --> 00:48:19.280
looking for SuperBoxes on the internet, I can actually see the ports, but it's the remote.

00:48:19.280 --> 00:48:23.840
So, I still have some mysteries I'm trying to solve there, but I did see it had

00:48:23.840 --> 00:48:28.520
a long antenna. I'm like, why is that antenna so long if it's just like an infrared remote?

00:48:28.520 --> 00:48:31.840
JACK: Yeah. Okay, so, infrared wouldn't even need an antenna.

00:48:31.840 --> 00:48:32.560
D3ADA55: Exactly.

00:48:32.560 --> 00:48:37.160
JACK: So, did you find any — do you know what protocols it can handle?

00:48:37.160 --> 00:48:42.320
D3ADA55: I mean, I know it's Bluetooth. My tinfoil-hat moment is cellular,

00:48:42.320 --> 00:48:47.200
but I haven't confirmed that yet. I'm talking to some cellular nerds to see if we can have a

00:48:47.200 --> 00:48:52.000
way to figure that out. But again, it's very strange, because with most of the Android

00:48:52.000 --> 00:48:56.400
boxes I found — I bought some cheap ones, and they just have a generic Android TV remote.

00:48:56.400 --> 00:48:56.960
JACK: Okay.

00:48:56.960 --> 00:49:02.720
D3ADA55: The remotes are specific to the SuperBox that it comes with,

00:49:02.720 --> 00:49:09.280
or the vSeeBox that it comes with. You have to use the remote they give you. Even if you go on, say,

00:49:09.280 --> 00:49:15.920
Amazon, Best Buy, and you look for, say, SuperBox remote, it'll — it's a specific remote that you

00:49:15.920 --> 00:49:21.320
can only use with those boxes. It doesn't work with other Android boxes, which is also weird.

00:49:21.320 --> 00:49:26.640
JACK: God, this thing just gets worse and worse. It's like a never-ending nightmare.

00:49:26.640 --> 00:49:32.480
The remote has a microphone? At this point, I'm certain that that thing must always be

00:49:32.480 --> 00:49:38.160
on and is listening and maybe even using AI to parse out what's being said in the privacy of

00:49:38.160 --> 00:49:42.880
our living rooms and bedrooms and sending those conversations to who knows where,

00:49:42.880 --> 00:49:46.960
which — the living room is probably the place where you make private phone calls and stuff.

00:49:46.960 --> 00:49:52.560
Holy cow. It interacts with the SuperBox using infrared. So, why in the world is there even a

00:49:52.560 --> 00:49:57.760
Bluetooth antenna on it at all? Look, let me tell you, a lot of us are walking Bluetooth signals.

00:49:57.760 --> 00:50:01.680
The Bluetooth that's on our phone is always looking to see what it can connect to. You might

00:50:01.680 --> 00:50:06.400
have a Bluetooth smartwatch or earbuds, and I've seen pacemakers and hearing aids with Bluetooth,

00:50:06.400 --> 00:50:11.760
and all this can make quite a fingerprint that's unique to you. I mean, have you ever gone to add

00:50:11.760 --> 00:50:16.960
a new Bluetooth device and you see things like Diane's Earbuds or Bill's Fitness Tracker?

00:50:16.960 --> 00:50:21.440
I imagine that this thing is taking notes of what Bluetooth devices come near it,

00:50:21.440 --> 00:50:27.280
so we can tell who's nearby. As a side note, to improve my home defense strategy, I recently got a

00:50:27.280 --> 00:50:32.320
Bluetooth antenna which is just scanning for what Bluetooth devices are near my home, and it records

00:50:32.320 --> 00:50:36.800
it. My theory is that if someone ever breaks into my home, I'll pull up the logs to see what

00:50:36.800 --> 00:50:41.280
Bluetooth devices were in range at that point and try to see if they ever visited before to try to

00:50:41.280 --> 00:50:48.080
figure out who it was. There is a lot of data you can get from sniffing Bluetooth signals. So, if

00:50:48.080 --> 00:50:55.120
this remote has a Bluetooth antenna, a long one at that, and is quite the malicious little box, I can

00:50:55.120 --> 00:51:00.720
only take guesses as to what it's doing with that antenna. Keep in mind, it doesn't use Bluetooth as

00:51:00.720 --> 00:51:04.160
a feature. You can't connect to it that way, and it doesn't try to connect to Bluetooth speakers

00:51:04.160 --> 00:51:13.040
or anything. The Bluetooth antenna is covertly installed on it and is not user accessible. Brr!

00:51:13.040 --> 00:51:19.160
D3ADA55: Then we get to kind of fall 2025. I see BSides Portland.

00:51:19.160 --> 00:51:23.600
JACK: I did go to BSides in Portland, a hacker conference, and at that point, she's given

00:51:23.600 --> 00:51:28.160
talks about this box about a half dozen times, but because there's a federal investigation going on,

00:51:28.160 --> 00:51:32.880
she has strict rules; no cameras, no mics, no recording, no pictures. It's a very hush-hush

00:51:32.880 --> 00:51:38.000
kind of talk that she gives, but it was one of my favorite talks I've ever seen,

00:51:38.000 --> 00:51:42.640
and the crowd was stunned for two hours after the talk. She had a mob of people

00:51:42.640 --> 00:51:47.520
around her just asking more questions about what she found, and they were giving her information.

00:51:47.520 --> 00:51:53.040
I even stood there perplexed by this whole thing, listening to everyone ask her questions for hours.

00:51:53.040 --> 00:51:57.440
Everyone thought it was such a fascinating little box. At this point, this is probably

00:51:57.440 --> 00:52:01.280
the third or fourth time I've seen her give a talk on this, and it just gets better every

00:52:01.280 --> 00:52:06.160
single time because there's just more to the story. Every time I would tell her, listen,

00:52:06.160 --> 00:52:10.880
when you're ready, let's please make an episode. But she was very hesitant,

00:52:10.880 --> 00:52:14.880
mostly because there's an active investigation, and if she exposes them in a big way,

00:52:14.880 --> 00:52:19.600
it might ruin the ability to collect more evidence. But at the same time, the story

00:52:19.600 --> 00:52:24.560
was burning in her. She wanted to get the word out as a warning to everyone and their parents;

00:52:24.560 --> 00:52:32.000
don't buy these things. But she felt worried about it, so she told me, no, not yet, but soon.

00:52:32.000 --> 00:52:39.040
D3ADA55: Then Mr. Krebs reached out to me not too long after that, and he was asking about the

00:52:39.040 --> 00:52:44.080
SuperBox. So, he wrote a really good article that basically broke down kind of the interconnection

00:52:44.080 --> 00:52:50.240
between the SuperBoxes and the residential proxy networks. I didn't think that the

00:52:50.240 --> 00:52:54.560
SuperBox finding was going to be anything major. I was just kind of like, hey, I wanted to share,

00:52:54.560 --> 00:52:58.880
and come to find out that all of the residential proxy stuff and the botnet stuff and all that

00:52:58.880 --> 00:53:02.880
stuff that we're seeing in the news, a lot of that were breakthroughs because of what we all

00:53:02.880 --> 00:53:08.360
discovered looking at streaming devices. We hadn't considered them a true vector until recently.

00:53:08.360 --> 00:53:11.680
JACK: So, when she says Mr. Krebs, she's talking about Brian Krebs,

00:53:11.680 --> 00:53:16.640
the journalist behind Krebs on Security. [To D3ada55] How'd you feel about that article?

00:53:16.640 --> 00:53:21.760
D3ADA55: You know what? I thought — I mean, I didn't say anything factually incorrect in the

00:53:21.760 --> 00:53:25.680
article. So, there was that. No, I think it was a good article because I think that was

00:53:25.680 --> 00:53:31.760
kind of another big push to kind of just show awareness. Some awesome folks also got quoted

00:53:31.760 --> 00:53:37.200
in that article, folks from Spur and things like that, who also specialize in proxy networks and

00:53:37.200 --> 00:53:42.160
stuff like that. That's what they hunt. So, it was really cool to kind of see this amalgamation

00:53:42.160 --> 00:53:46.160
of all the different little pieces that all of us were looking at, and then kind of seeing

00:53:46.160 --> 00:53:49.920
the full picture and having it explained in an approachable way. Because when you're sitting

00:53:49.920 --> 00:53:52.800
here listening to me talking about this, you're like, oh my god, this is so much stuff. I'm like,

00:53:52.800 --> 00:53:58.400
I know, but there's a lot of this other stuff that kind of builds up to sort of these major

00:53:58.400 --> 00:54:04.720
events that we've had happen in the last sixty days, just beginning of 2026 and end of 2025.

00:54:04.720 --> 00:54:08.160
So, the Krebs article comes out, [music] and then I get phished,

00:54:08.160 --> 00:54:14.720
or at least someone tried to phish me, because when Mr. Krebs published that article,

00:54:14.720 --> 00:54:20.240
another IoT researcher got a SuperBox and started finding some cool stuff, and

00:54:20.240 --> 00:54:25.360
there was a posting of the store itself. Like, the repo they were using was just kind of out

00:54:25.360 --> 00:54:32.000
there. When it started to get bigger on YouTube because of Matt Brown's work,

00:54:32.000 --> 00:54:37.360
all of the sudden the store is not there. It's not — you can't find the repo anymore. Then I get this

00:54:37.360 --> 00:54:43.360
e-mail saying, hey, do you have the app store dumps? Do you have some TCP dump? But I'm like,

00:54:43.360 --> 00:54:48.080
first of all, that's a very personal question. You don't just start off asking for people's

00:54:48.080 --> 00:54:54.720
TCP dump logs. Come on. But I'm like, holy crap. It's, of course, coming from a Proton Mail. They

00:54:54.720 --> 00:54:58.560
said they were a computer science student, but they're not emailing me from an academic

00:54:58.560 --> 00:55:04.880
e-mail. They emailed me at my academic e-mail where I adjunct that I don't put out anywhere.

00:55:04.880 --> 00:55:13.040
I was like, how the hell did you get this, number one? Number two, wow. That was a hard nudge trying

00:55:13.040 --> 00:55:16.720
to kind of sniff around and see what was going on. So, of course I didn't answer. I was just like,

00:55:16.720 --> 00:55:22.960
nope. Then I got a LinkedIn phishing message, too, asking about — we want to see your SuperBox

00:55:22.960 --> 00:55:29.200
research. We work at ISP. I'm like, that's the tell. There's certain things that give

00:55:29.200 --> 00:55:34.640
away these folks. So, obviously, the stuff that I've been working on and looking at this — like,

00:55:34.640 --> 00:55:39.760
this is making somebody a lot of money. So, I'm sure they don't want me going around telling

00:55:39.760 --> 00:55:45.520
people not to buy the SuperBox, but here's me just blanket saying don't buy the SuperBox. So,

00:55:45.520 --> 00:55:52.320
a lot of interesting points have been kind of interested in what I've been finding and

00:55:52.320 --> 00:55:56.794
where I got. So, after that happened, I got DDoSed at my house. [Music]

00:55:56.794 --> 00:55:57.440
JACK: What?

00:55:57.440 --> 00:56:02.560
D3ADA55: Yeah. That was wild.

00:56:02.560 --> 00:56:04.640
JACK: Externally coming from the internet to you?

00:56:04.640 --> 00:56:05.520
D3ADA55: Yeah, yeah.

00:56:05.520 --> 00:56:07.640
JACK: How in the world would anybody know your IP?

00:56:07.640 --> 00:56:11.680
D3ADA55: Well, I don't think — I think in the very, very beginning — and I've

00:56:11.680 --> 00:56:16.960
changed ISPs, too, which I thought was kind of hilarious that I still got hit. But again,

00:56:16.960 --> 00:56:21.360
depending on who's behind it, they probably have more resources than I do. So, I mean,

00:56:21.360 --> 00:56:26.760
if they really wanted to know, they could probably find out. But, yeah, I got nailed pretty bad.

00:56:26.760 --> 00:56:28.240
JACK: How long did it last?

00:56:28.240 --> 00:56:32.560
D3ADA55: I think it was like fifteen minutes. We couldn't — nothing would play,

00:56:32.560 --> 00:56:36.960
nothing would stream. I was actually on a Signal voice call with a friend,

00:56:36.960 --> 00:56:41.680
and it was all choppy more so than usual, because Signal voice can be hit or miss anyway,

00:56:41.680 --> 00:56:45.360
but it was really bad. I'm like, holy crap. I can't even talk to you.

00:56:45.360 --> 00:56:48.000
JACK: Did you look at the Palo Alto when it was telling you?

00:56:48.000 --> 00:56:53.600
D3ADA55: Oh yeah, it was just over, over, over. It was just — it was like, three pages worth of just

00:56:53.600 --> 00:56:58.160
this one IP. I looked it up. It was in Ireland. I'm like, okay, well, that's not — it was in

00:56:58.160 --> 00:57:02.800
Cloudflare. I'm like, okay, well, I don't know who the hell did it right now. But yeah, I was

00:57:02.800 --> 00:57:07.680
more upset that, you know, my husband was watching Spaceballs and that totally got paused because of

00:57:07.680 --> 00:57:15.520
this DDoS attack. So, yeah, I was like, wow, I made a new friend. I got DDoSed at the house.

00:57:15.520 --> 00:57:22.960
JACK: So, this brings us into January of 2026, and around then we saw the largest botnet DDoS

00:57:22.960 --> 00:57:31.120
attack ever. It was the Kimwolf botnet, and it was launching attacks at 31 terabytes per second.

00:57:31.120 --> 00:57:37.440
It basically had control of 2 million devices, and could tell them all to send traffic to a specific

00:57:37.440 --> 00:57:42.480
IP on the internet, which would basically flood any computer with so much traffic that it would

00:57:42.480 --> 00:57:46.480
knock it offline. [To D3ada55] You think the SuperBoxes were part of that botnet.

00:57:46.480 --> 00:57:48.680
D3ADA55: They were confirmed as part of that botnet.

00:57:48.680 --> 00:57:53.200
JACK: But here's the thing; from my understanding, it wasn't the makers of SuperBox who were involved

00:57:53.200 --> 00:57:58.160
at all in this botnet. These things shipped with a really old version of Android and are loaded

00:57:58.160 --> 00:58:01.840
with all kinds of remote access features like TeamViewer, Netcat, and stuff. So,

00:58:01.840 --> 00:58:07.920
the person behind the Kimwolf botnet simply found how vulnerable these SuperBoxes were and spread

00:58:07.920 --> 00:58:14.000
their botnet onto a ton of them. So, now this guy, Dort, who's the one who made the Kimwolf botnet,

00:58:14.000 --> 00:58:19.120
controls the SuperBoxes. I mean, if I wasn't already extremely concerned about who's in

00:58:19.120 --> 00:58:22.800
these SuperBoxes listening, now there's Dort in there, too, and who knows what he's doing

00:58:22.800 --> 00:58:26.800
with these things; turning them into weapons, I guess. If Dort can get into any SuperBox

00:58:26.800 --> 00:58:30.320
that's on the internet, then does that mean anyone else can get into these things, too?

00:58:30.320 --> 00:58:34.160
Like, are there a dozen spies in these things listening to us, seeing what we're doing on

00:58:34.160 --> 00:58:38.480
our microphones and stuff and poking around on our networks? Gosh, I was telling someone about

00:58:38.480 --> 00:58:42.720
this the other day, and their first instinct is that the CIA must be in there listening,

00:58:42.720 --> 00:58:46.800
too. You know what? At this point, I don't doubt it. The fact that these SuperBoxes are getting

00:58:46.800 --> 00:58:52.480
infected with more malware by random people on the internet just makes it so much worse. So,

00:58:52.480 --> 00:58:55.440
at this point, it doesn't even matter if China's behind this, because pretty much

00:58:55.440 --> 00:59:00.160
anyone can take these things over and eavesdrop on us or use the device to attack someone else

00:59:00.160 --> 00:59:06.160
with. This thing is radioactive and it should be smashed, burned, and yeeted into space.

00:59:06.160 --> 00:59:10.560
D3ADA55: Cloudflare put out a report that talks about the DDoS statistics

00:59:10.560 --> 00:59:15.120
for the year for 2025, and they said that the Aisuru-Kimwolf botnet was the busiest,

00:59:15.120 --> 00:59:18.960
and they mitigated — I think it was — I think the number was crazy, like over

00:59:18.960 --> 00:59:24.800
2,000 attacks they mitigated originating from this botnet. I'm like, wow. So, it's been busy.

00:59:24.800 --> 00:59:29.680
JACK: Basically, the Kimwolf botnet is a DDoS-as-a-service business. You can pay

00:59:29.680 --> 00:59:33.280
them money, and then they'll aim this botnet wherever you want, the target of your choice,

00:59:33.280 --> 00:59:38.480
and it'll take down whatever you tell them to. So, it's purely profit-driven for whoever's behind

00:59:38.480 --> 00:59:44.865
it. [To D3ada55] Did this box try to communicate with other devices on the network internally?

00:59:44.865 --> 00:59:48.880
D3ADA55: Yeah, yeah. So, I had my two little sacrificial Raspberry Pis, as I call them. I was

00:59:48.880 --> 00:59:53.200
like, well, once you've touched this network, you can never go back anywhere else. So, thank you,

00:59:53.200 --> 00:59:58.000
my little lambs. So, the Raspberry Pis sit there on the network, and I — you know,

00:59:58.000 --> 01:00:02.480
I didn't even name them anything interesting, but I'm looking; I've got tcpdump running on them,

01:00:02.480 --> 01:00:07.760
and the boxes are just going freaking crazy. Like, all of them are just actively trying to poke at

01:00:07.760 --> 01:00:12.080
it. I'm watching scanning. I'm like, are you guys nmapping this little Raspberry Pi in here? Like,

01:00:12.080 --> 01:00:17.040
what the hell? Again, they're doing that discovery when they get on a network to see what's on

01:00:17.040 --> 01:00:22.480
the network. So, if you're working, say, from home, and maybe you're in a position of trust;

01:00:22.480 --> 01:00:28.960
you're in some type of important position where you have privileged credentials, things like that,

01:00:28.960 --> 01:00:33.360
you have this thing sitting on your network and don't know what it's potentially doing.

01:00:33.360 --> 01:00:37.760
It could be sniffing creds every time you log into work. It could be discovering your

01:00:37.760 --> 01:00:42.080
work device on your home network, because a lot of folks don't have any segmentation on

01:00:42.080 --> 01:00:47.760
their home networks. I mean, you know, the possibilities really are endless if we think

01:00:47.760 --> 01:00:53.840
about it as just like an attack tool. I did get a report from someone that there was one

01:00:53.840 --> 01:00:58.960
at a remote employee's house that was actually trying to poke stuff on their corporate network.

01:00:58.960 --> 01:01:04.320
JACK: Okay, so try to figure — do they have a VPN between their home and corporate network?

01:01:04.320 --> 01:01:05.460
D3ADA55: Uh-huh.

01:01:05.460 --> 01:01:10.560
JACK: Gosh, this thing is bad. I still cannot get over how it scans your house, attacks the

01:01:10.560 --> 01:01:15.640
devices on your network, knocks them offline, and impersonates them. Ah, it’s such a nightmare.

01:01:15.640 --> 01:01:20.320
D3ADA55: It's like a perfect Trojan horse, like in the traditional sense. If we go back

01:01:20.320 --> 01:01:25.040
to the original story, here's this big present, and we're gonna hide inside.

01:01:25.040 --> 01:01:30.080
Here is this device that lets you get all the channels, and somebody is going to hide inside.

01:01:30.080 --> 01:01:33.600
JACK: Okay, fair, it solves a ton of problems for people, and that's

01:01:33.600 --> 01:01:37.440
the big reason why they want to get it. But my gosh, at this point the veil is lifted,

01:01:37.440 --> 01:01:43.440
we can see the spies are inside of it, and I'm glad that word is out now, right? That means that

01:01:43.440 --> 01:01:47.600
there's enough information that everyone should be extremely careful and not buy these things,

01:01:47.600 --> 01:01:52.720
and it should be clear that nobody should get this thing because it's just pure evil, right?

01:01:52.720 --> 01:01:59.520
D3ADA55: Earlier this week an article comes out on The Verge, and I'm like, oh, The Verge. It's

01:01:59.520 --> 01:02:05.600
talking about the SuperBox and the vSeeBox, and basically — and, you know I'm a big wrestling fan,

01:02:05.600 --> 01:02:09.520
so we call it getting over or putting someone else over. [Music] It's basically trying to put over

01:02:09.520 --> 01:02:15.680
the SuperBox and say, oh, well, there's people at the farmers market selling these, and, you know,

01:02:15.680 --> 01:02:20.560
they've also got some goat cheese and stuff. So, they're just trying to make it. This guy was a

01:02:20.560 --> 01:02:26.160
retired cop in upstate New York, and now he's trying to help his church get access to quality

01:02:26.160 --> 01:02:32.560
television. I'm reading this like, this is literal propaganda. Like, oh my goodness. This is what

01:02:32.560 --> 01:02:37.920
they mean when they say it's gonna be plain as day in your face and you're not gonna understand

01:02:37.920 --> 01:02:42.400
that — again, an average, everyday person is going to read that and be like, oh, well, these

01:02:42.400 --> 01:02:47.520
people don't care. In the article it verbatim said, oh, I don't care about sending a couple

01:02:47.520 --> 01:02:53.840
thousand dollars a month to China every month because I'm helping people get affordable TV.

01:02:53.840 --> 01:03:01.760
JACK: Sorry, I had to pick my jaw up off the floor. What? This Verge article is titled

01:03:01.760 --> 01:03:08.640
Everyone is Stealing TV, and yeah, it simply talks about how so many Americans are selling and using

01:03:08.640 --> 01:03:14.000
these things. They interviewed Jason and Natalie and James and Eva, all who are happy SuperBox

01:03:14.000 --> 01:03:20.640
users and resellers. The quote from Eva is, I've been on a crusade to try to convert everyone. I'm

01:03:20.640 --> 01:03:27.120
completely flabbergasted by this article. What are we even doing? I mean, let me read one part

01:03:27.120 --> 01:03:32.240
to you. They interviewed this guy Jason, who earns a commission for every SuperBox he sells. After

01:03:32.240 --> 01:03:38.080
signing him up as a reseller, Jason's SuperBox contact also recruited him for a unique side gig;

01:03:38.080 --> 01:03:43.120
whenever Jason finds a SuperBox advertised for less than the company's suggested retail price,

01:03:43.120 --> 01:03:47.840
he buys it and sells it back to the company for a premium. He says that the SuperBox

01:03:47.840 --> 01:03:52.000
maker then checks the device's MAC address against a list of past sales and remotely

01:03:52.000 --> 01:03:58.160
deactivates all boxes it sold to the reseller who openly advertised the unauthorized discount.

01:03:58.160 --> 01:04:03.200
Offending sellers are then asked to pay a fine, Jason says. Consumers who happen to buy a box

01:04:03.200 --> 01:04:07.440
for the wrong price find it locked with an on-screen warning telling them to contact

01:04:07.440 --> 01:04:12.480
their service provider. To alleviate the concerns of would-be buyers fearful of getting scammed,

01:04:12.480 --> 01:04:17.040
device makers maintain online verification tools. Each reseller gets a certificate with

01:04:17.040 --> 01:04:21.840
a unique code. Enter that code into a web form, and the company will tell you if the reseller in

01:04:21.840 --> 01:04:29.200
question is in good standing. Oh, thanks, Verge for squashing my concerns about being scammed

01:04:29.200 --> 01:04:34.560
by someone selling me a cheap SuperBox. I feel much better now that you told me that there's

01:04:34.560 --> 01:04:42.800
an online verification tool to check whether this seller is legit or not. This article,

01:04:42.800 --> 01:04:47.600
in my opinion, is all hype for this thing. It doesn't raise any of the red

01:04:47.600 --> 01:04:52.480
flags that I see on it. I simply cannot believe The Verge posted this article.

01:04:52.480 --> 01:04:57.600
This is ridiculous. I am officially nominating this article for a Pwnie Award.

01:04:57.600 --> 01:05:05.120
D3ADA55: Then yesterday there was — I think it was called the Tech Brew Ride Home or something

01:05:05.120 --> 01:05:09.360
like that. At the end of the episode from yesterday, he spends about five minutes

01:05:09.360 --> 01:05:15.120
and he's basically — it sounds like he's reading The Verge article. I'm like, no,

01:05:15.120 --> 01:05:20.720
don't repeat it. We’re already — again, they're already trying to discredit any

01:05:20.720 --> 01:05:24.400
of the research that any of us have done on this to basically prove that

01:05:24.400 --> 01:05:29.280
this isn't something you should be getting. What cracked me up is in the article it said, well,

01:05:29.280 --> 01:05:32.800
it's not like you can get these at Walmart and Best Buy, because everyone knows it's illegal

01:05:32.800 --> 01:05:40.560
to have pirate devices at the store. I'm like, no shit, but they're at Walmart and Best Buy.

01:05:40.560 --> 01:05:44.560
JACK: I don't think you understand how crazy it is to have an influencer marketing campaign

01:05:44.560 --> 01:05:48.640
working against us here. You're not buying these things from some shady guy in a dark

01:05:48.640 --> 01:05:54.800
alley who you know is 100% illegal and is probably scamming you. You're buying it from a soccer mom,

01:05:54.800 --> 01:05:59.360
a guy with a stand at the farmers market, your church friend, family members, gym buddies,

01:05:59.360 --> 01:06:04.880
co-workers. When it comes into your life in this way, it doesn't feel illegal,

01:06:04.880 --> 01:06:09.760
it doesn't seem shady. It feels like you're clever and smart to get such a cool gadget.

01:06:09.760 --> 01:06:14.800
D3ADA55: I remember kind of the old adage — you know, back in the 90s, early aughts,

01:06:14.800 --> 01:06:18.560
especially all of us who've been on the internet a long time and those of us who are in high school

01:06:18.560 --> 01:06:23.360
and stuff like that, when in the early days of the internet you felt like you could spot a scam

01:06:23.360 --> 01:06:29.600
from a mile away because the skill wasn't there. But this is sophisticated. Again, they're hitting

01:06:29.600 --> 01:06:34.320
it from a few different angles. They're making sure that they have people ready to counter any

01:06:34.320 --> 01:06:40.080
negative like press or posts or anything like that. They're making sure, like we've said,

01:06:40.080 --> 01:06:47.360
to tap into the economic anxiety. It's crazy. I'm like, wow, they've put so much time into this.

01:06:47.360 --> 01:06:49.760
JACK: But then you think about where these things end up.

01:06:49.760 --> 01:06:53.600
D3ADA55: I mean, you know; you know people that work weird shifts,

01:06:53.600 --> 01:06:58.000
or maybe they work in some kind of weird office. It's boring at night. Maybe they're

01:06:58.000 --> 01:07:05.040
on graves. Oh, I want to watch the UFC fight. Let me bring my SuperBox.

01:07:05.040 --> 01:07:10.080
JACK: Then that thing just gets busy devouring all the computers at work,

01:07:10.080 --> 01:07:15.280
or it's brought to a hotel to watch TV on the go, or maybe the coffee shop owner installed one so

01:07:15.280 --> 01:07:21.040
they could play shows on the TVs in the shop. Now when you get on the Wi-Fi in that shop, suddenly

01:07:21.040 --> 01:07:26.640
you're on the same network as a computer that's probing and scanning you and attacking you. This

01:07:26.640 --> 01:07:32.240
is why I never use Wi-Fi in a coffee shop or a public place. I just picture it riddled with these

01:07:32.240 --> 01:07:37.040
diseased and infected boxes that are desperately trying to get access to my machine the moment it

01:07:37.040 --> 01:07:42.000
connects. I bring my own Wi-Fi hotspot with me everywhere I go, so I only trust my own network.

01:07:42.000 --> 01:07:50.720
D3ADA55: The funniest thing, I think, that has happened so far was being out at a pho restaurant.

01:07:50.720 --> 01:07:54.400
I'm looking around because someone had just told me they were at a pho restaurant and saw three of

01:07:54.400 --> 01:08:00.320
them in there. So, now I go into places and I'm looking and making sure there's not a SuperBox

01:08:00.320 --> 01:08:05.040
behind the TV and stuff like that, because even if it's not doing anything else, just the fact that

01:08:05.040 --> 01:08:08.800
anything you connect to it, it wants to know about it, and it's gonna start poking at it, to me,

01:08:08.800 --> 01:08:14.240
is scary. If I connect my — and what made me upset about this whole situation with my dad was like,

01:08:14.240 --> 01:08:19.440
I went over there and didn't know he had these and had connected my work computer at the time

01:08:19.440 --> 01:08:24.480
and my phone and stuff to the home network ’cause I was visiting for a couple days, and I'm like,

01:08:24.480 --> 01:08:30.320
you have these things in the — these have been plugged in the whole time? What? So,

01:08:30.320 --> 01:08:34.080
it exposes all of us in a lot of ways that we may not want to be

01:08:34.080 --> 01:08:39.680
exposed in. I'm not doing anything shady, but like, I want my privacy.

01:08:39.680 --> 01:08:43.920
JACK: I saw you are bringing a Faraday bag with you everywhere you go. Is this why?

01:08:43.920 --> 01:08:47.200
D3ADA55: I mean, it could have something to do with it, for sure, but also just trying

01:08:47.200 --> 01:08:52.560
to be more cognizant of my own personal security hygiene, because I think for a lot of us that have

01:08:52.560 --> 01:08:56.720
been doing this for a while, there's always gonna be places where we're just like, eh,

01:08:56.720 --> 01:09:02.240
I just don't care, because we were already in it so much all the time. But I spent some time

01:09:02.240 --> 01:09:08.160
kind of reflecting on — I was out traveling, and I think I got popped with something because

01:09:08.160 --> 01:09:12.560
my phone was acting crazy and all this other stuff. So, I blew away everything in the house,

01:09:12.560 --> 01:09:17.120
re-imaged everything. Everything's fine now, but I'm like, I'm just gonna take some extra

01:09:17.120 --> 01:09:21.280
steps just to make sure. ’Cause I usually — you know, I always have VPNs on and stuff like that,

01:09:21.280 --> 01:09:26.320
but a VPN can only do so much if somebody's really interested in what you've got going on

01:09:26.320 --> 01:09:32.160
on the other side of that. So, yeah, I will just encourage everyone to just keep practicing basic

01:09:32.160 --> 01:09:36.280
security hygiene, because the moment we get complacent, that's usually when we get got.

01:09:36.280 --> 01:09:40.240
JACK: Okay, that's it. I'm taking D3ada55's cue here. If she always keeps her phone in

01:09:40.240 --> 01:09:44.720
a Faraday bag, I think I have to do that now, too. A Faraday bag is one that just doesn't

01:09:44.720 --> 01:09:48.480
let wireless signals pass in and out of it. Think of it like the door of your microwave,

01:09:48.480 --> 01:09:52.720
which blocks it so your microwave doesn't cook the whole kitchen. Because who knows what coffee

01:09:52.720 --> 01:09:56.480
shops and restaurants have these things in them and are scanning my phone even if I'm

01:09:56.480 --> 01:09:59.840
not connected to the Wi-Fi? Like, what's with the Bluetooth and other antennas on

01:09:59.840 --> 01:10:02.800
this thing? It's proven to be so malicious that I don't trust it for a second. I don't

01:10:02.800 --> 01:10:05.560
even want to be in range of this thing. [To D3ada55] Let's put all the pieces together.

01:10:05.560 --> 01:10:06.160
D3ADA55: Yeah.

01:10:06.160 --> 01:10:08.120
JACK: Where do you land on this?

01:10:08.120 --> 01:10:14.240
D3ADA55: Okay, so the whole picture is somebody — and I'm going to be vague on purpose, because

01:10:14.240 --> 01:10:20.400
I am still working to get the full picture of the somebody. Somebody is basically getting

01:10:20.400 --> 01:10:26.240
influencers, of course, to show these. There's an entire distribution network of distributors

01:10:26.240 --> 01:10:30.560
and resellers. So, they're getting folks in their neighborhoods and in their communities

01:10:30.560 --> 01:10:37.760
and all these places to sell these boxes to friends, family, everybody, as much as they can,

01:10:37.760 --> 01:10:42.720
which, again, already weird. They've already infiltrated all the big box stores. So, again,

01:10:42.720 --> 01:10:48.880
it's — now looks like this normal, everyday, has-been-around-for-nine-years consumer product.

01:10:48.880 --> 01:10:53.760
We still, of course, have the whole issue with them targeting people directly in oil and gas,

01:10:53.760 --> 01:10:56.960
which that's still — to me, I'm like, this got mailed to you at your house,

01:10:56.960 --> 01:11:03.760
friend? Are you gonna move? I just, you know, I'm worried for you. Then we still, of course,

01:11:03.760 --> 01:11:09.600
just have the endless problem of there's no legitimate regulatory tracking on it.

01:11:09.600 --> 01:11:16.560
They're dark. There's no FCC IDs. You can't find really any information on these things. The

01:11:16.560 --> 01:11:22.560
one that we did find information on, when you're importing something and it's coming from overseas,

01:11:22.560 --> 01:11:27.520
you have to sign off on it and say that it's — everything's correct, it's labeled,

01:11:27.520 --> 01:11:35.440
it's got the FCC ID, things like that. It had a signed one, but the name did not — it was a QQ

01:11:35.440 --> 01:11:43.760
e-mail that signed it. I'm like, so the US agent has a qq.com e-mail signing off on this device

01:11:43.760 --> 01:11:49.200
that — it has all the regulatory information and the things it's supposed to have when it doesn't.

01:11:49.200 --> 01:11:50.720
JACK: That's not legit.

01:11:50.720 --> 01:11:55.520
D3ADA55: Yeah. So, it's kind of like — they've got us on the MLM thing, too. I don't know what

01:11:55.520 --> 01:12:00.880
it is about America, and we love our MLMs, man. There's been, you know, Amway and all the — there

01:12:00.880 --> 01:12:06.520
was even a power one. So, this is just a new MLM. It's a streaming box MLM, it seems like.

01:12:06.520 --> 01:12:09.760
JACK: Yeah, and I think they're hitting us in such a unique way,

01:12:09.760 --> 01:12:15.520
’cause they know we're frustrated with the rising cost of cable, and all the different streaming

01:12:15.520 --> 01:12:19.440
services are branching off into their own, so now you have to have ten different streaming

01:12:19.440 --> 01:12:23.560
subscriptions. People are sick of this, so they're just like, we got the solution for you.

01:12:23.560 --> 01:12:25.600
D3ADA55: It's perfect. You get all the channels.

01:12:25.600 --> 01:12:27.080
JACK: We don't care about breaking the law.

01:12:27.080 --> 01:12:27.640
D3ADA55: Exactly.

01:12:27.640 --> 01:12:31.440
JACK: Yeah, so, someone is doing this. Do you have an idea who might be behind this?

01:12:31.440 --> 01:12:35.760
D3ADA55: I mean, given everything that's going on geopolitically, of course, everyone was kind

01:12:35.760 --> 01:12:42.560
of just like, hands up. Like, China — it just seems like it's obvious right at this point,

01:12:42.560 --> 01:12:48.320
because why else would it be beaconing straight into Tencent? The other thing, too,

01:12:48.320 --> 01:12:55.200
is that as I've kind of been looking at this and everything else, the devices themselves,

01:12:55.200 --> 01:13:01.440
they've got a whole manufacturing arm that has to be — again, China's gotten the manufacturing

01:13:01.440 --> 01:13:07.280
thing down. We're all sitting around with iPhones and all these other things. China makes our stuff,

01:13:07.280 --> 01:13:10.320
so they've gotten really good at how to fabricate this stuff. So,

01:13:10.320 --> 01:13:16.080
it actually looks nice. It looks like it's good quality to make it look even more credible for the

01:13:16.080 --> 01:13:21.840
price that people are paying. If we think about like you said, everyone's stressed out for money.

01:13:21.840 --> 01:13:27.120
Everybody always wants a quick fix. We are such suckers for get-rich-quick schemes and

01:13:27.120 --> 01:13:33.120
things like that, and that is peak multi-level marketing. The distributors get a cut from the

01:13:33.120 --> 01:13:39.120
resellers. The resellers get a cut from the boxes. Then if you get friends to also help you resell,

01:13:39.120 --> 01:13:43.840
you get more of a cut of their boxes. So, it's a perfect MLM. So, they're hitting

01:13:43.840 --> 01:13:48.400
us from the things that are built into our culture, TV, multi-level marketing,

01:13:48.400 --> 01:13:53.520
get rich quick. They're building into our economic anxiety. They're building into our

01:13:53.520 --> 01:13:59.120
complacency with just accepting things that even if you know we don't know that much about it,

01:13:59.120 --> 01:14:02.147
it's like, oh, well, we get all our stuff from Walmart or all our stuff from Best Buy.

01:14:02.147 --> 01:14:02.640
JACK: We got social proof.

01:14:02.640 --> 01:14:06.880
D3ADA55: Yeah. So, they're hitting us from a few different angles just psychologically,

01:14:06.880 --> 01:14:12.240
not even from a technical perspective. The tactics and everything that the box is using,

01:14:12.240 --> 01:14:15.760
those are like table stakes. You expect reconnaissance. You expect some of these

01:14:15.760 --> 01:14:20.800
other things. You don't expect an influencer network that's trying to get these out there.

01:14:20.800 --> 01:14:25.920
You don't expect there to be marketing, because if you look at some of the other devices — there

01:14:25.920 --> 01:14:30.480
might be one or two videos here and there maybe talking about an NVIDIA Shield as an

01:14:30.480 --> 01:14:36.080
example. But this thing has a whole campaign, websites and everything else. So, I’m like,

01:14:36.080 --> 01:14:44.080
who is doing...? You set up a whole brand just to sell these things. This is insane.

01:14:44.080 --> 01:14:47.600
So, yeah, all that to say we're now at this point where I'm like, okay,

01:14:47.600 --> 01:14:53.120
well, we have to make a decision, I guess, as like a nation. Do we want cheap, easy cable,

01:14:53.120 --> 01:14:58.960
or do we want to continue to have basically back doors plugged into all of our networks?

01:14:58.960 --> 01:15:06.080
JACK: Okay, so, if it is China, even the Chinese government — it's crazy to

01:15:06.080 --> 01:15:09.120
think that the Chinese government would be behind this, but it sounds like it may be.

01:15:09.120 --> 01:15:14.440
D3ADA55: They have that unified front as far as integrating everything with the military, so...

01:15:14.440 --> 01:15:19.600
JACK: Sure. So, if the Chinese government is trying to get into Americans’ homes in

01:15:19.600 --> 01:15:24.560
order to gain more access into them and visibility and all that sort of things,

01:15:24.560 --> 01:15:30.720
it doesn't seem like we'd be their first target. So, I'm just wondering if there is a — if we've

01:15:30.720 --> 01:15:36.080
seen this activity in other countries, these kind of boxes in other countries.

01:15:36.080 --> 01:15:39.600
D3ADA55: Yeah. That was kind of interesting because I kind of immediately — when I first

01:15:39.600 --> 01:15:42.080
started looking at it, of course, I wanted to see if there was anything else that had been

01:15:42.080 --> 01:15:48.000
reported. There was a researcher. I'm spacing out his name right now. But he had done a write

01:15:48.000 --> 01:15:52.800
up on the malware that was in the T95 box. So, that kind of got me already thinking like, okay,

01:15:52.800 --> 01:16:00.640
so we have seen behavior similar to this before. I did look in like other countries and stuff, and

01:16:00.640 --> 01:16:05.520
China had already cracked down on these types of devices. I think New Zealand had already cracked

01:16:05.520 --> 01:16:10.640
down on these types of devices. So, it seems like this had already been a similar problem,

01:16:10.640 --> 01:16:17.120
but apparently there was also a similar campaign in Taiwan about ten-ish years ago. It was all

01:16:17.120 --> 01:16:22.400
centered around illegal piracy of sports. So, it was the same idea, though; they had

01:16:22.400 --> 01:16:26.000
these streaming boxes that were convenient, and you could get all the sports channels, and they

01:16:26.000 --> 01:16:30.960
were all over Taiwan, and then they got busted, and then they weren't all over Taiwan anymore.

01:16:30.960 --> 01:16:36.160
But that could have been a test bed to then see, okay, well, how do we make it work here?

01:16:36.160 --> 01:16:41.280
JACK: So, how does a country bust them so that it's no longer valid

01:16:41.280 --> 01:16:45.760
in that country or whatever? What are the — even approach to stop something like this?

01:16:45.760 --> 01:16:50.320
D3ADA55: I mean, they, of course, were like, you got to pull them off the shelves. They’re banned.

01:16:50.320 --> 01:16:58.000
They can't be imported. Those big-kid controls, as I like to call them. I don't know how long

01:16:58.000 --> 01:17:01.920
it's going to take to even see that here. We did just finally get some stuff taken off the shelf

01:17:01.920 --> 01:17:07.120
that — again, we were — we all had concerns about China and we all had concerns about — what are

01:17:07.120 --> 01:17:11.720
these devices actually doing? But it was years after the fact when it was already a problem.

01:17:11.720 --> 01:17:17.920
JACK: Yeah. I mean, even if you did get it banned from Walmart and Amazon and Best Buy,

01:17:17.920 --> 01:17:22.208
you still have the soccer mom down the road slinging them...

01:17:22.208 --> 01:17:22.234
D3ADA55: Exactly, exactly.

01:17:22.234 --> 01:17:24.160
JACK: ...and your electrician coming over and saying,

01:17:24.160 --> 01:17:27.040
I got some extra stuff for you if you want to buy these things.

01:17:27.040 --> 01:17:27.440
D3ADA55: Man, yeah.

01:17:27.440 --> 01:17:32.800
JACK: So, it would be really hard to put the genie back in the bottle at this point. So,

01:17:32.800 --> 01:17:38.960
that's one prong, and then maybe another prong is getting ISPs to do something and say, hey,

01:17:38.960 --> 01:17:42.480
this is illegal streaming, so we don't allow that here.

01:17:42.480 --> 01:17:46.240
D3ADA55: Yeah, and the ISPs have been really good about this.

01:17:46.240 --> 01:17:49.200
JACK: I actually got word from a friend who works at an ISP,

01:17:49.200 --> 01:17:54.000
and he says that a lot of users are reporting that their allocated bandwidth is getting maxed

01:17:54.000 --> 01:17:57.760
out super early in their billing cycle. They're like, I'm not online that much,

01:17:57.760 --> 01:18:04.160
yet it says I've uploaded 360 gigabytes of data. Clearly you have a faulty meter. So, the ISP

01:18:04.160 --> 01:18:08.800
technicians go out to the house and investigate, and they can't find an issue, and so they swap

01:18:08.800 --> 01:18:14.160
out their ISP devices and reset their bandwidth usage. But then the problem persists. Next month,

01:18:14.160 --> 01:18:18.400
the customers call back saying it shows that I've uploaded so much data that my ISP is

01:18:18.400 --> 01:18:25.120
now throttling me. One customer was even seen uploading 4,000 gigabytes in a single day. So,

01:18:25.120 --> 01:18:32.320
the ISP asks the customers, by chance, do you have a SuperBox? Many of them say, yeah, I do.

01:18:32.320 --> 01:18:39.120
Why? Well, it's because those things are sending enormous amounts of data to the internet. But what

01:18:39.120 --> 01:18:43.360
is it sending? Sure, it's part of a botnet. So, it's attacking other devices by sending floods of

01:18:43.360 --> 01:18:48.240
data, but also it just might be exfiltrating tons of data that it's collecting in that home network;

01:18:48.240 --> 01:18:53.120
voice logs, network data, photos, files, anything that it might find valuable. It just sucks it

01:18:53.120 --> 01:18:59.200
up and sends it off. I mean, if a device is sending terabytes of data a day or a month,

01:18:59.200 --> 01:19:04.960
then the question isn't what is it uploading? It's more like, what isn't it uploading? So, yeah, ISPs

01:19:04.960 --> 01:19:10.320
are getting hit in the face with these boxes, too, and are unsure how to effectively handle them.

01:19:10.320 --> 01:19:15.360
D3ADA55: I think the telecom and ISP networks understand, I think, their vulnerabilities a

01:19:15.360 --> 01:19:19.440
little bit better. They're like, okay, yeah, we actually have to look at what is going on

01:19:19.440 --> 01:19:23.680
in home networks, because we are no longer at the point where we can just pretend, oh, well,

01:19:23.680 --> 01:19:29.360
it's the consumer. That doesn't impact me. We're all in it now. There's no — we can't — like you

01:19:29.360 --> 01:19:33.520
said, we can't put the genie back in the bottle. So, they've been pretty good about trying to,

01:19:33.520 --> 01:19:38.800
of course, sinkhole traffic. So, ISPs can, of course, see downstream. But we have to

01:19:38.800 --> 01:19:44.880
kind of think about are we prepared to be a country where we are now policing what's going

01:19:44.880 --> 01:19:49.348
on on home networks? Obviously, like that would be problematic for a lot of people.

01:19:49.348 --> 01:19:50.467
JACK: Yeah, I think that's going too far.

01:19:50.467 --> 01:19:54.200
D3ADA55: No, no, right. No, exactly. I think — and I don't think we should have to do that.

01:19:54.200 --> 01:19:58.640
JACK: But this might be the one time that I want Disney to get litigious.

01:19:58.640 --> 01:19:58.742
D3ADA55: Yeah, right?

01:19:58.742 --> 01:20:01.200
JACK: Like, why hasn't Disney figured out, hey,

01:20:01.200 --> 01:20:04.240
they're streaming this pirate — ’cause I know that they've always been...

01:20:04.240 --> 01:20:07.920
D3ADA55: The mouse is always ready to strike when it comes to that stuff.

01:20:07.920 --> 01:20:12.320
I'm actually really surprised that it hasn't been one of these bigger

01:20:12.320 --> 01:20:17.800
media companies actually striking back. I mean, Google sued the BadBox operators.

01:20:17.800 --> 01:20:19.120
JACK: Okay.

01:20:19.120 --> 01:20:26.720
D3ADA55: There was a bunch of DMCA kind of notices and stuff like that, but it's still going. So,

01:20:26.720 --> 01:20:32.640
is that gonna actually do what we want it to do? I don't know. We still — so much has

01:20:32.640 --> 01:20:38.560
happened in the last couple of weeks that it's gonna be a busy year in 2026. That's all I can

01:20:38.560 --> 01:20:44.040
really say. There's so much more that's going to come from this. I guarantee it.

01:20:44.040 --> 01:20:49.120
JACK: Yeah, and it seems so easy for it to just be

01:20:49.120 --> 01:20:52.951
eliminated since it is illegal, and that's the thing I'm surprised at.

01:20:52.951 --> 01:20:58.000
D3ADA55: I've been stuck on that, honestly. To me, I'm just like,

01:20:58.000 --> 01:21:04.000
this is the most blatant example of this, and y'all are out here sending these ISP

01:21:04.000 --> 01:21:08.800
letters to a single mom because she wanted to download Shrek 2 for her kids. But we're

01:21:08.800 --> 01:21:12.857
not doing anything about this entire network of bootleg streaming devices.

01:21:12.857 --> 01:21:17.520
JACK: That’s what’s so surprising, is the pushback on piracy all these years,

01:21:17.520 --> 01:21:20.840
and how terrible it's been to torrent things, and how people are — yeah.

01:21:20.840 --> 01:21:23.600
D3ADA55: Yeah. We're all evil trash for...

01:21:23.600 --> 01:21:28.065
JACK: Apparently, that's not a problem anymore.

01:21:28.065 --> 01:21:28.640
D3ADA55: Yeah, I guess...

01:21:28.640 --> 01:21:32.480
JACK: Or they haven't got the memo. That's what's surprising about it. So,

01:21:32.480 --> 01:21:39.680
that's what I think is going to unravel this year, is there's — it's no longer unknown. It's like,

01:21:39.680 --> 01:21:46.480
okay, this is clearly — but because if it is allowed, then why don't we just make...

01:21:46.480 --> 01:21:47.840
D3ADA55: A legit one.

01:21:47.840 --> 01:21:51.040
JACK: Not a legit one, but a non-malicious one?

01:21:51.040 --> 01:21:54.640
D3ADA55: Non-malicious one. We could have a whole new business model, man. Again, I'm

01:21:54.640 --> 01:21:59.680
surprised someone just hasn't, right? I won't be surprised when somebody's like, hey, I'm ethical

01:21:59.680 --> 01:22:04.960
and I'm gonna help you get all the channels. Like, here comes everyone else's money, because we don't

01:22:04.960 --> 01:22:11.200
want implant devices. But again, there's just a lot all going on at the same time. Obviously when

01:22:11.200 --> 01:22:15.440
we think about the whole geopolitical picture, there's a lot of different moving pieces. We've

01:22:15.440 --> 01:22:21.200
seen a lot of stuff overseas, internationally, and so, I still am trying to understand how

01:22:21.200 --> 01:22:27.880
this might even be a part of that. So, I will be digging more this year, that's for sure.

01:22:27.880 --> 01:22:30.320
JACK: Oh, yeah. I mean, I hope that the

01:22:30.320 --> 01:22:37.621
update or whatever comes next isn't — these BadBoxes destroyed America.

01:22:37.621 --> 01:22:37.656
D3ADA55: Yeah. Like, oh my God, no.

01:22:37.656 --> 01:22:41.200
JACK: Because it is — you’re right; I said if you put — this is a pre-positioning move,

01:22:41.200 --> 01:22:44.720
what is their final intent? And maybe we don't know yet.

01:22:44.720 --> 01:22:47.520
D3ADA55: That's what I — yeah, that's the part that I'm still kind of scratching

01:22:47.520 --> 01:22:51.920
my head about. It's just — it's the why. I mean, I'm like, yeah,

01:22:51.920 --> 01:22:59.040
I guess maybe the ad fraud, maybe it's the residential proxy business they're running,

01:22:59.040 --> 01:23:05.200
maybe it's just the botnet. But there's so many other ways to do all of that that's not

01:23:05.200 --> 01:23:10.280
stand up a whole brand and then market these boxes to people so they buy them.

01:23:10.280 --> 01:23:15.280
JACK: Yeah, I predict that we haven't seen the full wrath of what these things are capable of

01:23:15.280 --> 01:23:20.160
yet. It's possible that all this is just some pre-positioning move of some kind,

01:23:20.160 --> 01:23:24.320
and whoever's behind this is trying to get blue-collar workers to give them access into

01:23:24.320 --> 01:23:28.880
US corporations. Then what? If someone gets a hold of our critical infrastructure in a

01:23:28.880 --> 01:23:35.120
large scale way, it's like having a chokehold on us. They could do whatever they wanted. So,

01:23:35.120 --> 01:23:41.040
the potential damage these things could do could feasibly be in the realm of nation

01:23:41.040 --> 01:23:46.720
toppling. Does that make me crazy to say that? This is the very reason why I don't like getting

01:23:46.720 --> 01:23:51.520
into politics. Politics is designed to confuse you and to keep you from getting to the truth,

01:23:51.520 --> 01:23:55.520
so you can never be sure of what's actually happening. But even when you get a glimpse of

01:23:55.520 --> 01:23:59.200
the truth, you then sound like a lunatic when you start telling other people.

01:23:59.200 --> 01:24:03.360
Because if I ever see one of these things plugged in anywhere, I'm going to immediately unplug it

01:24:03.360 --> 01:24:07.360
and try smashing it to bits, and I can only imagine the owner of it yelling at me, hey,

01:24:07.360 --> 01:24:12.800
what are you doing, man? I'd be like, don't you know this thing is evil? And if we don't stop it,

01:24:12.800 --> 01:24:19.200
it might be the end of our nation. I feel like a lunatic just thinking that scenario

01:24:19.200 --> 01:24:25.440
through. But maybe this is the new world that I just need to get used to, because even if we

01:24:25.440 --> 01:24:30.560
all team up to get these things smashed and burned and yeeted once and for all, there's

01:24:30.560 --> 01:24:35.520
just going to be another thing that pops up, a 3D printer with spyware, a drone with spyware,

01:24:35.520 --> 01:24:42.400
a projector with spyware, a router, a computer, or even a car. Because if these things are cheaper or

01:24:42.400 --> 01:24:46.320
better than the competition, or if they just have a better marketing campaign by paying

01:24:46.320 --> 01:24:51.440
influencers to spread it, then this battle to discover it and eradicate it is just going to

01:24:51.440 --> 01:25:00.720
start all over again. I'm not sure it's possible to fix this, and that's what makes it so scary.

01:25:00.720 --> 01:25:06.400
The whole goal of information security is to conduct business in a hostile environment.

01:25:06.400 --> 01:25:09.600
For instance, when you do anything online, you're traveling through a bunch of networks that you

01:25:09.600 --> 01:25:14.720
have no idea who owns them, so you have to operate in a zero-trust kind of way by encrypting your

01:25:14.720 --> 01:25:18.240
connections so that they can't snoop on you and doing things to verify that they didn't

01:25:18.240 --> 01:25:24.000
tamper with the message. So, maybe this is the new hostile environment that we need to learn how to

01:25:24.000 --> 01:25:31.040
operate safely in. Our homes and workplaces, our coffee shops and bars could all be out against us

01:25:31.040 --> 01:25:38.320
now. I never expected our home networks to be hostile environments, but let's take this as a

01:25:38.320 --> 01:25:44.400
sign that they probably are. Spring is here now, so it's time to clean up our networks and make

01:25:44.400 --> 01:25:55.280
them safe again. I'm drawing a line on my front door. Spyware is not allowed past this point.

01:25:55.280 --> 01:26:00.320
(Outro): [Outro music]

01:26:00.320 --> 01:26:03.440
Thank you so much to D3ada55 for finally sharing this story with us.

01:26:03.440 --> 01:26:06.320
It has been such a treat watching her progress through this over the years,

01:26:06.320 --> 01:26:11.600
and I'm so happy to finally tell you all about it. Hey, listen, I've got some big

01:26:11.600 --> 01:26:16.080
things cooking up this year. I'm going to be releasing a new bonus episode real soon here,

01:26:16.080 --> 01:26:21.840
which is going to only be available to premium subscribers, and I'm also going to be releasing

01:26:21.840 --> 01:26:29.200
a whole new podcast later this year. This is by far the most insane story anyone has ever told me,

01:26:29.200 --> 01:26:35.840
and it's taken me eight years to make and it's finally in its final touches, but premium

01:26:35.840 --> 01:26:42.080
subscribers are going to get to listen to it way earlier than everyone else. What I'm saying is I

01:26:42.080 --> 01:26:47.040
really want you to become a premium subscriber. So, you just let me know what it is I need to do

01:26:47.040 --> 01:26:52.880
in order for you to buy me a cup of coffee once a month. Not even 1% of you are premium subscribers.

01:26:52.880 --> 01:26:56.880
So, I know it's not you; it's me. I need to do something to amaze you, or wow you,

01:26:56.880 --> 01:27:00.480
or give you something that you can't find anywhere else. So, you just let me know

01:27:00.480 --> 01:27:05.840
what is it that I can say or do so you chuck me a few bucks for what I bring you. If you're like,

01:27:05.840 --> 01:27:10.480
oh, Jack, you've given me enough; now it's time for me to give to you, then thank you. I

01:27:10.480 --> 01:27:17.040
really appreciate that. You can become a premium subscriber by going to plus.darknetdiaries.com,

01:27:17.040 --> 01:27:21.760
and you'll get ad free episodes and a bunch of bonus episodes, and you'll be the first

01:27:21.760 --> 01:27:26.720
to listen to my new podcast coming out in a few months. The show is created by me,

01:27:26.720 --> 01:27:31.600
the failed pro gamer, Jack Rhysider. Our editor is AI's worst nightmare, Tristan Ledger,

01:27:31.600 --> 01:27:35.200
mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster

01:27:35.200 --> 01:27:43.920
Cylinder. What's a pirate's favorite movie? Anything rated R. This is Darknet Diaries.

01:27:43.920 --> 01:27:47.264
[End of recording] Transcription performed by LeahTranscribes
