hpr_transcripts/hpr3858.txt

Episode: 3858
Title: HPR3858: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3858/hpr3858.mp3
Transcribed: 2025-10-25 06:46:23

---

This is Hacker Public Radio Episode 3858 for Wednesday, the 17th of May 2023.
Today's show is entitled The Oh No News.
It is part of the series' privacy and security.
It is hosted by some guy on the internet, and is about 15 minutes long.
It carries a clean flag.
The summary is, Scotty talks about Toyota's dead-a-leak and more on the Oh No, news.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet, and this is The Oh No News.
Oh no!
Threat analysis, your attack service.
In this article,
for-profit companies charging sex-stortion victims for assistance,
and using deceptive tactics to elicit payments.
Wow, these are some scummy people in this article.
The FBI is warning about for-profit companies offering sex-stortion victims
assistance services.
That's reported that these companies are charging exorbitant fees,
whereas law enforcement organizations normally do this kind of stuff for free.
So if you were to contact the FBI through their internet crime complaint center
and try to get help, they would help you for free, which is the right thing to do.
And also while we're on the topic, for anybody out there, you know, I'm going to go out on the
limb here. I'm going to take the risk as some guy on the internet.
I feel like if somebody has to do it, I should be the one to do it.
Please do not send anyone, images of yourself,
scantly clad, or less than scantly clad, either as a means of affection or any means.
Please don't do it. There's even terms for some of these type of transactions.
I guess you'll recall them. I don't know what else to call them.
I've heard a one called UDP. This was brought to my attention by a female.
She explained to me what UDP means. And, you know, in the tech industry,
we know of TCP, IP, you know, UDP packets, that kind of thing. UDP stands for unsolicited
dog picks, except you replace dog with male extension, which is usually referred to with a D.
Don't do it. Whatever you do, don't do that. Okay, how strongly you feel or how much you think
this will help your chances with the other party. Don't do it. Now with that said, these companies,
they're using deceptive tactics, including threats and manipulation and providing false
information to coherse, extortion victims in the paying for their services. This article tells
victims, you know, be careful here. A few things that you can look out for if you're approached by one
of these companies, where they want you to do things like sign a contract first, you know,
some form of agreement, and you have to pay first before any sort of help happens, especially
if the help come, especially if the contract includes something like a non-disclosure agreement,
you know what I mean? Virtually anything that has a non-disclosure agreement in it,
if you're not working with very private data that belongs to someone else and you're managing
it for them, or some sort of government secret, you know, some sort of secret. It didn't have to
be government. It could be just, I mean, you could be working for like, I don't know, Kentucky Fried
Chicken, and they don't want their recipe to get out. So you might have to sign a non-disclosure
agreement. So that's norm. But when you're going to these guys for help and they're supposed to be
helping you and they're saying, hey, look, non-disclosure agreement here, you know, don't tell anybody
about what we're dealing to you. That's a red flag. So they use these high pressure situations
and scare tactics after they get you into a contract to keep the business flowing, all that kind
of stuff. FBI is just telling you to watch out. You can contact the FBI internet crime complaint
center for help, free help, help at no cost, I should say. They also have some other information
down in there about the cyber tip line. If you are getting any sort of sex torsion, emails or
text messages or whatever, they got more information down there and article. In our next story,
former ubiquity dev who extorted the firm gets six years in prison.
All right, so a former senior developer for ubiquity by the name of Nicholas Sharp. Sorry,
if you keep hearing that little clink sound, that's my UBGs. It's around my neck from time to time
accidentally click it and it'll make that noise. Yeah, Nicholas Sharp, former senior dev over at
you, you book a little over there. The guy got six years in prison for stealing company data.
Now, apparently, I don't know if he got fired or whatever, but he left the company and decided
he would take some data. I'm guessing the company did not cancel his credentials. So they were
still active. He used a VPN and I'm not going to say the name of the VPN because I don't want to
get dragged to the mud here. The story does mention the VPN. Well, you know what, it'll be fine.
He used Surfshark VPN to hide his IP during the attack. Now, the story says that there was an
internet outage during the time of the attack. So I guess when it when it reconnected his IP was
exposed. So they learned that it was him through that. That's how the FBI found out it was him.
Yeah, so they got him. He got a bunch of charges basically wire fraud and stealing the data
making false statements to the FBI. That kind of stuff came to the potential of 37 years in prison.
But they decided to go easy on him gave him six. You know, he must have decent lawyer.
He also got three years of supervised release afterwards. So that's like probation or whatever.
Pretty sure he's a felon. Good luck getting a job after that. At least in in IT anywhere,
really. Oh, and he was also ordered to pay restitution to ubiquity restitution of $1.5 million.
So if you're a company out there hiring in the IT space, be on the lookout for Mr. Sharp.
In our next article, Toyota car location data of two million customers exposed for 10 years.
Well, somebody at Toyota Motor Corporation is looking for a job or more specifically,
Toyota Connect Corporation. Over at Toyota Connect, which manages the cloud infrastructure for
the Toyota Motor Corporation, they misconfigured the cloud environment.
Yeah, so apparently they had it open to the internet basically and anyone could go in and get the data.
Or if you believe the story, that is now the models of the Toyota that were affected were the
any Toyota between January, second of 2012 all the way up to April 17th of 2023. And those are the
cars that have the T Connect G link and T Connect G link light or T Connect G book services within
those vehicles. So those those are the services that provide like voice assistance, customer support,
car status management and emergency roadside assistance that kind of stuff the Toyota cloud
infrastructure manages that and the data that was exposed. This was not a hack. It was an exposure
due to misconfiguration. It exposes your car's GPS information. So you can be tracked by anyone
on it or during the time of the leak. You could have been tracked by anyone during that time,
as well as have all the information about your car, you know, the chassis number and other,
you know, identifiers for your car. Yeah, two million people wide open on the internet fully
exposed in our next story. Failure to comply with bus open data regulations.
All right, this is happening out in the UK, a PSV operator Thia Dred LTD, I guess a bus company.
They didn't exactly comply with England's open data regulations of 2022. Naughty Naughty.
So the traffic commissioner for the West Midlands. Yeah, he got to work one day rolled up his sleeves
and decided to slap a big fat $1,500 fine or 1,500 pound fine, which was based on 100 pound
penalties for each vehicle that did not comply to this bus company. I mean, since we already had
to tell you the story, tell you this over here, just giving away data. Now you got over here in the
UK. Well, apparently they're trying not to give away the data in the UK, so you got to give us the
data in our next story. Criminals pose as Chinese authorities to target US-based Chinese community.
So the FBI has a warning out there, letting US citizens or visitors long-term visitors
of the United States living within the Chinese community to be on a lookout because there are
criminals from overseas posing as Chinese law enforcement, Chinese prosecutors, things of that
nature. They're making contact with the US citizens and Chinese community here within the US,
telling them, hey, we believe that you were involved in some sort of financial crime or fraud,
and then they threaten to arrest them. They start showing what looks like legitimate warrants
for their arrest. They also have a lot of a lot of basic information about their victims,
so information they may have picked up from data leaks. They use that as a part of the,
I guess you would call it an attack. This isn't really fishing, they're not fishing for credentials
they're just trying to get money, so it's extortion through this fraud I guess. Any FBI is just letting
people know, hey, if you're contacted by someone who's pretending to be law enforcement, be on a
lookout, and I will say the same for anybody who's not out of the Chinese community. With all these
data leaks, data breaches, and other attacks going on, whether it be a bank, the US government,
or, you know, last pass, Cody, whatever. Wherever you have your data, once these leaks get out
there, it all gets sold, and people who want to, you know, commit fraud, and fish you or scam you,
they're going to use all of that stolen data, leaked data, whatever you want to call it,
and build it into their attack against you. They're socially engineered attack. So everyone here
listening, understand these attacks are becoming more sophisticated, just because they're receiving
more and more personalized data through these breaches. For our next article, Twitter rolls out
encrypted DMs, but only for paying accounts. All right, these articles brought to us from
bleeping computers, and they're talking about how Twitter for the blue check mark paying customers
are going to have the into and encrypted DMs feature. Right now they're saying it's still
testing, so don't use for production, or don't trust, you know, quote unquote, yet, but you can
try it out. That kind of thing, Elon apparently put a tweet out as well, telling people, you know,
test it, but don't rely on it just yet. I guess this is a feature to get people to pay for the blue
check mark, saying, hey, you know, we'll have into an encryption, and this is something you'll only
get if you pay us for it. I'm going to tell you as some guy on the internet, someone you can clearly
trust, if you're sending anything sensitive via Twitter, you're doing it wrong. Sensitive
information should not be on Twitter or near Twitter. I would even argue not even on a device
that contains Twitter app, you know, with these apps, you have to give these apps permission to
access all of the data on the device. So if you have something sensitive on the device with
these apps that you just hand over all permissions to, yeah, you're in trouble. I would not be doing
that. And I'm pretty sure 12 to 24 months from now, we'll have a court case where somebody got
dragged through the court system and nailed to a cross because they thought that the end to end
encryption meant only they had the private key, and only the people they wanted to communicate
with had the public key. The case will reveal that no Twitter indeed also has that private key.
They're probably the ones who generated it for you, you know, like you have no, I'm pretty sure
you won't have control over that key, like you can't change it. You'll probably have to have the
app, like it'll probably only work inside of the app, which means, yeah, Twitter will simply have
control over that feature, you will not. Yeah, so if you want to send encrypted messages, you know,
try a proton email or figure out what GPG is and how that works with Thunderbird.
The Lord knows I sure can't. No, a matter of fact, call a platoon platoon. Get your setup with that.
I think he did a show on it not too long ago. Clatoon, where are you? We need you over here. Clatoon,
quick. In our next article, Discord discloses data breach after support agent got hacked.
All right, this is a quick and simple one. It was a data breach over at Discord, not Discord
or the company, but one of their support agents at their party. I'm guessing it was a session
token attack. The story does not give those kind of details, but that's what's been happening
a lot recently. Whenever you save accounts on your system, like for Discord, Thunderbird, Firefox,
any sort of web-based technology, a lot of them have the ability to save your login as a session
token or a session ID, which means, yay, it's convenient. You can rejoin or start a session with
that client without verifying because you've already authenticated it once in the past, where
it's bad is that little bit of convenience removes security. That little session token, that cookie,
that little bit of data, if it's stolen, now someone else can also have access to your data via a
separate client using that session token because it's already verified that it's an authentic,
it's an authenticated request. Thank you for listening to Hacker Public Radio. I'm some guy
on the internet and this concludes the Oh No News. Oh no! You have been listening to Hacker Public
Radio as Hacker Public Radio does work. Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording a podcast, you click on our contribute link to find out how easy
it really is. Hosting for HBR has been kindly provided by an honesthost.com, the internet archive,
and our syncs.net. On the Sadois status, today's show is released under Creative Commons,
Attribution 4.0 International License.
Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-26 10:54:13 +00:00			`Episode: 3858`
			`Title: HPR3858: The Oh No! News.`
			`Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3858/hpr3858.mp3`
			`Transcribed: 2025-10-25 06:46:23`

			`---`

			`This is Hacker Public Radio Episode 3858 for Wednesday, the 17th of May 2023.`
			`Today's show is entitled The Oh No News.`
			`It is part of the series' privacy and security.`
			`It is hosted by some guy on the internet, and is about 15 minutes long.`
			`It carries a clean flag.`
			`The summary is, Scotty talks about Toyota's dead-a-leak and more on the Oh No, news.`
			`Hello and welcome to another episode of Hacker Public Radio.`
			`I'm your host, some guy on the internet, and this is The Oh No News.`
			`Oh no!`
			`Threat analysis, your attack service.`
			`In this article,`
			`for-profit companies charging sex-stortion victims for assistance,`
			`and using deceptive tactics to elicit payments.`
			`Wow, these are some scummy people in this article.`
			`The FBI is warning about for-profit companies offering sex-stortion victims`
			`assistance services.`
			`That's reported that these companies are charging exorbitant fees,`
			`whereas law enforcement organizations normally do this kind of stuff for free.`
			`So if you were to contact the FBI through their internet crime complaint center`
			`and try to get help, they would help you for free, which is the right thing to do.`
			`And also while we're on the topic, for anybody out there, you know, I'm going to go out on the`
			`limb here. I'm going to take the risk as some guy on the internet.`
			`I feel like if somebody has to do it, I should be the one to do it.`
			`Please do not send anyone, images of yourself,`
			`scantly clad, or less than scantly clad, either as a means of affection or any means.`
			`Please don't do it. There's even terms for some of these type of transactions.`
			`I guess you'll recall them. I don't know what else to call them.`
			`I've heard a one called UDP. This was brought to my attention by a female.`
			`She explained to me what UDP means. And, you know, in the tech industry,`
			`we know of TCP, IP, you know, UDP packets, that kind of thing. UDP stands for unsolicited`
			`dog picks, except you replace dog with male extension, which is usually referred to with a D.`
			`Don't do it. Whatever you do, don't do that. Okay, how strongly you feel or how much you think`
			`this will help your chances with the other party. Don't do it. Now with that said, these companies,`
			`they're using deceptive tactics, including threats and manipulation and providing false`
			`information to coherse, extortion victims in the paying for their services. This article tells`
			`victims, you know, be careful here. A few things that you can look out for if you're approached by one`
			`of these companies, where they want you to do things like sign a contract first, you know,`
			`some form of agreement, and you have to pay first before any sort of help happens, especially`
			`if the help come, especially if the contract includes something like a non-disclosure agreement,`
			`you know what I mean? Virtually anything that has a non-disclosure agreement in it,`
			`if you're not working with very private data that belongs to someone else and you're managing`
			`it for them, or some sort of government secret, you know, some sort of secret. It didn't have to`
			`be government. It could be just, I mean, you could be working for like, I don't know, Kentucky Fried`
			`Chicken, and they don't want their recipe to get out. So you might have to sign a non-disclosure`
			`agreement. So that's norm. But when you're going to these guys for help and they're supposed to be`
			`helping you and they're saying, hey, look, non-disclosure agreement here, you know, don't tell anybody`
			`about what we're dealing to you. That's a red flag. So they use these high pressure situations`
			`and scare tactics after they get you into a contract to keep the business flowing, all that kind`
			`of stuff. FBI is just telling you to watch out. You can contact the FBI internet crime complaint`
			`center for help, free help, help at no cost, I should say. They also have some other information`
			`down in there about the cyber tip line. If you are getting any sort of sex torsion, emails or`
			`text messages or whatever, they got more information down there and article. In our next story,`
			`former ubiquity dev who extorted the firm gets six years in prison.`
			`All right, so a former senior developer for ubiquity by the name of Nicholas Sharp. Sorry,`
			`if you keep hearing that little clink sound, that's my UBGs. It's around my neck from time to time`
			`accidentally click it and it'll make that noise. Yeah, Nicholas Sharp, former senior dev over at`
			`you, you book a little over there. The guy got six years in prison for stealing company data.`
			`Now, apparently, I don't know if he got fired or whatever, but he left the company and decided`
			`he would take some data. I'm guessing the company did not cancel his credentials. So they were`
			`still active. He used a VPN and I'm not going to say the name of the VPN because I don't want to`
			`get dragged to the mud here. The story does mention the VPN. Well, you know what, it'll be fine.`
			`He used Surfshark VPN to hide his IP during the attack. Now, the story says that there was an`
			`internet outage during the time of the attack. So I guess when it when it reconnected his IP was`
			`exposed. So they learned that it was him through that. That's how the FBI found out it was him.`
			`Yeah, so they got him. He got a bunch of charges basically wire fraud and stealing the data`
			`making false statements to the FBI. That kind of stuff came to the potential of 37 years in prison.`
			`But they decided to go easy on him gave him six. You know, he must have decent lawyer.`
			`He also got three years of supervised release afterwards. So that's like probation or whatever.`
			`Pretty sure he's a felon. Good luck getting a job after that. At least in in IT anywhere,`
			`really. Oh, and he was also ordered to pay restitution to ubiquity restitution of $1.5 million.`
			`So if you're a company out there hiring in the IT space, be on the lookout for Mr. Sharp.`
			`In our next article, Toyota car location data of two million customers exposed for 10 years.`
			`Well, somebody at Toyota Motor Corporation is looking for a job or more specifically,`
			`Toyota Connect Corporation. Over at Toyota Connect, which manages the cloud infrastructure for`
			`the Toyota Motor Corporation, they misconfigured the cloud environment.`
			`Yeah, so apparently they had it open to the internet basically and anyone could go in and get the data.`
			`Or if you believe the story, that is now the models of the Toyota that were affected were the`
			`any Toyota between January, second of 2012 all the way up to April 17th of 2023. And those are the`
			`cars that have the T Connect G link and T Connect G link light or T Connect G book services within`
			`those vehicles. So those those are the services that provide like voice assistance, customer support,`
			`car status management and emergency roadside assistance that kind of stuff the Toyota cloud`
			`infrastructure manages that and the data that was exposed. This was not a hack. It was an exposure`
			`due to misconfiguration. It exposes your car's GPS information. So you can be tracked by anyone`
			`on it or during the time of the leak. You could have been tracked by anyone during that time,`
			`as well as have all the information about your car, you know, the chassis number and other,`
			`you know, identifiers for your car. Yeah, two million people wide open on the internet fully`
			`exposed in our next story. Failure to comply with bus open data regulations.`
			`All right, this is happening out in the UK, a PSV operator Thia Dred LTD, I guess a bus company.`
			`They didn't exactly comply with England's open data regulations of 2022. Naughty Naughty.`
			`So the traffic commissioner for the West Midlands. Yeah, he got to work one day rolled up his sleeves`
			`and decided to slap a big fat $1,500 fine or 1,500 pound fine, which was based on 100 pound`
			`penalties for each vehicle that did not comply to this bus company. I mean, since we already had`
			`to tell you the story, tell you this over here, just giving away data. Now you got over here in the`
			`UK. Well, apparently they're trying not to give away the data in the UK, so you got to give us the`
			`data in our next story. Criminals pose as Chinese authorities to target US-based Chinese community.`
			`So the FBI has a warning out there, letting US citizens or visitors long-term visitors`
			`of the United States living within the Chinese community to be on a lookout because there are`
			`criminals from overseas posing as Chinese law enforcement, Chinese prosecutors, things of that`
			`nature. They're making contact with the US citizens and Chinese community here within the US,`
			`telling them, hey, we believe that you were involved in some sort of financial crime or fraud,`
			`and then they threaten to arrest them. They start showing what looks like legitimate warrants`
			`for their arrest. They also have a lot of a lot of basic information about their victims,`
			`so information they may have picked up from data leaks. They use that as a part of the,`
			`I guess you would call it an attack. This isn't really fishing, they're not fishing for credentials`
			`they're just trying to get money, so it's extortion through this fraud I guess. Any FBI is just letting`
			`people know, hey, if you're contacted by someone who's pretending to be law enforcement, be on a`
			`lookout, and I will say the same for anybody who's not out of the Chinese community. With all these`
			`data leaks, data breaches, and other attacks going on, whether it be a bank, the US government,`
			`or, you know, last pass, Cody, whatever. Wherever you have your data, once these leaks get out`
			`there, it all gets sold, and people who want to, you know, commit fraud, and fish you or scam you,`
			`they're going to use all of that stolen data, leaked data, whatever you want to call it,`
			`and build it into their attack against you. They're socially engineered attack. So everyone here`
			`listening, understand these attacks are becoming more sophisticated, just because they're receiving`
			`more and more personalized data through these breaches. For our next article, Twitter rolls out`
			`encrypted DMs, but only for paying accounts. All right, these articles brought to us from`
			`bleeping computers, and they're talking about how Twitter for the blue check mark paying customers`
			`are going to have the into and encrypted DMs feature. Right now they're saying it's still`
			`testing, so don't use for production, or don't trust, you know, quote unquote, yet, but you can`
			`try it out. That kind of thing, Elon apparently put a tweet out as well, telling people, you know,`
			`test it, but don't rely on it just yet. I guess this is a feature to get people to pay for the blue`
			`check mark, saying, hey, you know, we'll have into an encryption, and this is something you'll only`
			`get if you pay us for it. I'm going to tell you as some guy on the internet, someone you can clearly`
			`trust, if you're sending anything sensitive via Twitter, you're doing it wrong. Sensitive`
			`information should not be on Twitter or near Twitter. I would even argue not even on a device`
			`that contains Twitter app, you know, with these apps, you have to give these apps permission to`
			`access all of the data on the device. So if you have something sensitive on the device with`
			`these apps that you just hand over all permissions to, yeah, you're in trouble. I would not be doing`
			`that. And I'm pretty sure 12 to 24 months from now, we'll have a court case where somebody got`
			`dragged through the court system and nailed to a cross because they thought that the end to end`
			`encryption meant only they had the private key, and only the people they wanted to communicate`
			`with had the public key. The case will reveal that no Twitter indeed also has that private key.`
			`They're probably the ones who generated it for you, you know, like you have no, I'm pretty sure`
			`you won't have control over that key, like you can't change it. You'll probably have to have the`
			`app, like it'll probably only work inside of the app, which means, yeah, Twitter will simply have`
			`control over that feature, you will not. Yeah, so if you want to send encrypted messages, you know,`
			`try a proton email or figure out what GPG is and how that works with Thunderbird.`
			`The Lord knows I sure can't. No, a matter of fact, call a platoon platoon. Get your setup with that.`
			`I think he did a show on it not too long ago. Clatoon, where are you? We need you over here. Clatoon,`
			`quick. In our next article, Discord discloses data breach after support agent got hacked.`
			`All right, this is a quick and simple one. It was a data breach over at Discord, not Discord`
			`or the company, but one of their support agents at their party. I'm guessing it was a session`
			`token attack. The story does not give those kind of details, but that's what's been happening`
			`a lot recently. Whenever you save accounts on your system, like for Discord, Thunderbird, Firefox,`
			`any sort of web-based technology, a lot of them have the ability to save your login as a session`
			`token or a session ID, which means, yay, it's convenient. You can rejoin or start a session with`
			`that client without verifying because you've already authenticated it once in the past, where`
			`it's bad is that little bit of convenience removes security. That little session token, that cookie,`
			`that little bit of data, if it's stolen, now someone else can also have access to your data via a`
			`separate client using that session token because it's already verified that it's an authentic,`
			`it's an authenticated request. Thank you for listening to Hacker Public Radio. I'm some guy`
			`on the internet and this concludes the Oh No News. Oh no! You have been listening to Hacker Public`
			`Radio as Hacker Public Radio does work. Today's show was contributed by a HBR listener like yourself.`
			`If you ever thought of recording a podcast, you click on our contribute link to find out how easy`
			`it really is. Hosting for HBR has been kindly provided by an honesthost.com, the internet archive,`
			`and our syncs.net. On the Sadois status, today's show is released under Creative Commons,`
			`Attribution 4.0 International License.`