Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
163
hpr_transcripts/hpr3858.txt
Normal file
@@ -0,0 +1,163 @@
|
||||
Episode: 3858
|
||||
Title: HPR3858: The Oh No! News.
|
||||
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3858/hpr3858.mp3
|
||||
Transcribed: 2025-10-25 06:46:23
|
||||
|
||||
---
|
||||
|
||||
This is Hacker Public Radio Episode 3858 for Wednesday, the 17th of May 2023.
|
||||
Today's show is entitled The Oh No News.
|
||||
It is part of the series' privacy and security.
|
||||
It is hosted by some guy on the internet, and is about 15 minutes long.
|
||||
It carries a clean flag.
|
||||
The summary is, Scotty talks about Toyota's dead-a-leak and more on the Oh No, news.
|
||||
Hello and welcome to another episode of Hacker Public Radio.
|
||||
I'm your host, some guy on the internet, and this is The Oh No News.
|
||||
Oh no!
|
||||
Threat analysis, your attack service.
|
||||
In this article,
|
||||
for-profit companies charging sex-stortion victims for assistance,
|
||||
and using deceptive tactics to elicit payments.
|
||||
Wow, these are some scummy people in this article.
|
||||
The FBI is warning about for-profit companies offering sex-stortion victims
|
||||
assistance services.
|
||||
That's reported that these companies are charging exorbitant fees,
|
||||
whereas law enforcement organizations normally do this kind of stuff for free.
|
||||
So if you were to contact the FBI through their internet crime complaint center
|
||||
and try to get help, they would help you for free, which is the right thing to do.
|
||||
And also while we're on the topic, for anybody out there, you know, I'm going to go out on the
|
||||
limb here. I'm going to take the risk as some guy on the internet.
|
||||
I feel like if somebody has to do it, I should be the one to do it.
|
||||
Please do not send anyone, images of yourself,
|
||||
scantly clad, or less than scantly clad, either as a means of affection or any means.
|
||||
Please don't do it. There's even terms for some of these type of transactions.
|
||||
I guess you'll recall them. I don't know what else to call them.
|
||||
I've heard a one called UDP. This was brought to my attention by a female.
|
||||
She explained to me what UDP means. And, you know, in the tech industry,
|
||||
we know of TCP, IP, you know, UDP packets, that kind of thing. UDP stands for unsolicited
|
||||
dog picks, except you replace dog with male extension, which is usually referred to with a D.
|
||||
Don't do it. Whatever you do, don't do that. Okay, how strongly you feel or how much you think
|
||||
this will help your chances with the other party. Don't do it. Now with that said, these companies,
|
||||
they're using deceptive tactics, including threats and manipulation and providing false
|
||||
information to coherse, extortion victims in the paying for their services. This article tells
|
||||
victims, you know, be careful here. A few things that you can look out for if you're approached by one
|
||||
of these companies, where they want you to do things like sign a contract first, you know,
|
||||
some form of agreement, and you have to pay first before any sort of help happens, especially
|
||||
if the help come, especially if the contract includes something like a non-disclosure agreement,
|
||||
you know what I mean? Virtually anything that has a non-disclosure agreement in it,
|
||||
if you're not working with very private data that belongs to someone else and you're managing
|
||||
it for them, or some sort of government secret, you know, some sort of secret. It didn't have to
|
||||
be government. It could be just, I mean, you could be working for like, I don't know, Kentucky Fried
|
||||
Chicken, and they don't want their recipe to get out. So you might have to sign a non-disclosure
|
||||
agreement. So that's norm. But when you're going to these guys for help and they're supposed to be
|
||||
helping you and they're saying, hey, look, non-disclosure agreement here, you know, don't tell anybody
|
||||
about what we're dealing to you. That's a red flag. So they use these high pressure situations
|
||||
and scare tactics after they get you into a contract to keep the business flowing, all that kind
|
||||
of stuff. FBI is just telling you to watch out. You can contact the FBI internet crime complaint
|
||||
center for help, free help, help at no cost, I should say. They also have some other information
|
||||
down in there about the cyber tip line. If you are getting any sort of sex torsion, emails or
|
||||
text messages or whatever, they got more information down there and article. In our next story,
|
||||
former ubiquity dev who extorted the firm gets six years in prison.
|
||||
All right, so a former senior developer for ubiquity by the name of Nicholas Sharp. Sorry,
|
||||
if you keep hearing that little clink sound, that's my UBGs. It's around my neck from time to time
|
||||
accidentally click it and it'll make that noise. Yeah, Nicholas Sharp, former senior dev over at
|
||||
you, you book a little over there. The guy got six years in prison for stealing company data.
|
||||
Now, apparently, I don't know if he got fired or whatever, but he left the company and decided
|
||||
he would take some data. I'm guessing the company did not cancel his credentials. So they were
|
||||
still active. He used a VPN and I'm not going to say the name of the VPN because I don't want to
|
||||
get dragged to the mud here. The story does mention the VPN. Well, you know what, it'll be fine.
|
||||
He used Surfshark VPN to hide his IP during the attack. Now, the story says that there was an
|
||||
internet outage during the time of the attack. So I guess when it when it reconnected his IP was
|
||||
exposed. So they learned that it was him through that. That's how the FBI found out it was him.
|
||||
Yeah, so they got him. He got a bunch of charges basically wire fraud and stealing the data
|
||||
making false statements to the FBI. That kind of stuff came to the potential of 37 years in prison.
|
||||
But they decided to go easy on him gave him six. You know, he must have decent lawyer.
|
||||
He also got three years of supervised release afterwards. So that's like probation or whatever.
|
||||
Pretty sure he's a felon. Good luck getting a job after that. At least in in IT anywhere,
|
||||
really. Oh, and he was also ordered to pay restitution to ubiquity restitution of $1.5 million.
|
||||
So if you're a company out there hiring in the IT space, be on the lookout for Mr. Sharp.
|
||||
In our next article, Toyota car location data of two million customers exposed for 10 years.
|
||||
Well, somebody at Toyota Motor Corporation is looking for a job or more specifically,
|
||||
Toyota Connect Corporation. Over at Toyota Connect, which manages the cloud infrastructure for
|
||||
the Toyota Motor Corporation, they misconfigured the cloud environment.
|
||||
Yeah, so apparently they had it open to the internet basically and anyone could go in and get the data.
|
||||
Or if you believe the story, that is now the models of the Toyota that were affected were the
|
||||
any Toyota between January, second of 2012 all the way up to April 17th of 2023. And those are the
|
||||
cars that have the T Connect G link and T Connect G link light or T Connect G book services within
|
||||
those vehicles. So those those are the services that provide like voice assistance, customer support,
|
||||
car status management and emergency roadside assistance that kind of stuff the Toyota cloud
|
||||
infrastructure manages that and the data that was exposed. This was not a hack. It was an exposure
|
||||
due to misconfiguration. It exposes your car's GPS information. So you can be tracked by anyone
|
||||
on it or during the time of the leak. You could have been tracked by anyone during that time,
|
||||
as well as have all the information about your car, you know, the chassis number and other,
|
||||
you know, identifiers for your car. Yeah, two million people wide open on the internet fully
|
||||
exposed in our next story. Failure to comply with bus open data regulations.
|
||||
All right, this is happening out in the UK, a PSV operator Thia Dred LTD, I guess a bus company.
|
||||
They didn't exactly comply with England's open data regulations of 2022. Naughty Naughty.
|
||||
So the traffic commissioner for the West Midlands. Yeah, he got to work one day rolled up his sleeves
|
||||
and decided to slap a big fat $1,500 fine or 1,500 pound fine, which was based on 100 pound
|
||||
penalties for each vehicle that did not comply to this bus company. I mean, since we already had
|
||||
to tell you the story, tell you this over here, just giving away data. Now you got over here in the
|
||||
UK. Well, apparently they're trying not to give away the data in the UK, so you got to give us the
|
||||
data in our next story. Criminals pose as Chinese authorities to target US-based Chinese community.
|
||||
So the FBI has a warning out there, letting US citizens or visitors long-term visitors
|
||||
of the United States living within the Chinese community to be on a lookout because there are
|
||||
criminals from overseas posing as Chinese law enforcement, Chinese prosecutors, things of that
|
||||
nature. They're making contact with the US citizens and Chinese community here within the US,
|
||||
telling them, hey, we believe that you were involved in some sort of financial crime or fraud,
|
||||
and then they threaten to arrest them. They start showing what looks like legitimate warrants
|
||||
for their arrest. They also have a lot of a lot of basic information about their victims,
|
||||
so information they may have picked up from data leaks. They use that as a part of the,
|
||||
I guess you would call it an attack. This isn't really fishing, they're not fishing for credentials
|
||||
they're just trying to get money, so it's extortion through this fraud I guess. Any FBI is just letting
|
||||
people know, hey, if you're contacted by someone who's pretending to be law enforcement, be on a
|
||||
lookout, and I will say the same for anybody who's not out of the Chinese community. With all these
|
||||
data leaks, data breaches, and other attacks going on, whether it be a bank, the US government,
|
||||
or, you know, last pass, Cody, whatever. Wherever you have your data, once these leaks get out
|
||||
there, it all gets sold, and people who want to, you know, commit fraud, and fish you or scam you,
|
||||
they're going to use all of that stolen data, leaked data, whatever you want to call it,
|
||||
and build it into their attack against you. They're socially engineered attack. So everyone here
|
||||
listening, understand these attacks are becoming more sophisticated, just because they're receiving
|
||||
more and more personalized data through these breaches. For our next article, Twitter rolls out
|
||||
encrypted DMs, but only for paying accounts. All right, these articles brought to us from
|
||||
bleeping computers, and they're talking about how Twitter for the blue check mark paying customers
|
||||
are going to have the into and encrypted DMs feature. Right now they're saying it's still
|
||||
testing, so don't use for production, or don't trust, you know, quote unquote, yet, but you can
|
||||
try it out. That kind of thing, Elon apparently put a tweet out as well, telling people, you know,
|
||||
test it, but don't rely on it just yet. I guess this is a feature to get people to pay for the blue
|
||||
check mark, saying, hey, you know, we'll have into an encryption, and this is something you'll only
|
||||
get if you pay us for it. I'm going to tell you as some guy on the internet, someone you can clearly
|
||||
trust, if you're sending anything sensitive via Twitter, you're doing it wrong. Sensitive
|
||||
information should not be on Twitter or near Twitter. I would even argue not even on a device
|
||||
that contains Twitter app, you know, with these apps, you have to give these apps permission to
|
||||
access all of the data on the device. So if you have something sensitive on the device with
|
||||
these apps that you just hand over all permissions to, yeah, you're in trouble. I would not be doing
|
||||
that. And I'm pretty sure 12 to 24 months from now, we'll have a court case where somebody got
|
||||
dragged through the court system and nailed to a cross because they thought that the end to end
|
||||
encryption meant only they had the private key, and only the people they wanted to communicate
|
||||
with had the public key. The case will reveal that no Twitter indeed also has that private key.
|
||||
They're probably the ones who generated it for you, you know, like you have no, I'm pretty sure
|
||||
you won't have control over that key, like you can't change it. You'll probably have to have the
|
||||
app, like it'll probably only work inside of the app, which means, yeah, Twitter will simply have
|
||||
control over that feature, you will not. Yeah, so if you want to send encrypted messages, you know,
|
||||
try a proton email or figure out what GPG is and how that works with Thunderbird.
|
||||
The Lord knows I sure can't. No, a matter of fact, call a platoon platoon. Get your setup with that.
|
||||
I think he did a show on it not too long ago. Clatoon, where are you? We need you over here. Clatoon,
|
||||
quick. In our next article, Discord discloses data breach after support agent got hacked.
|
||||
All right, this is a quick and simple one. It was a data breach over at Discord, not Discord
|
||||
or the company, but one of their support agents at their party. I'm guessing it was a session
|
||||
token attack. The story does not give those kind of details, but that's what's been happening
|
||||
a lot recently. Whenever you save accounts on your system, like for Discord, Thunderbird, Firefox,
|
||||
any sort of web-based technology, a lot of them have the ability to save your login as a session
|
||||
token or a session ID, which means, yay, it's convenient. You can rejoin or start a session with
|
||||
that client without verifying because you've already authenticated it once in the past, where
|
||||
it's bad is that little bit of convenience removes security. That little session token, that cookie,
|
||||
that little bit of data, if it's stolen, now someone else can also have access to your data via a
|
||||
separate client using that session token because it's already verified that it's an authentic,
|
||||
it's an authenticated request. Thank you for listening to Hacker Public Radio. I'm some guy
|
||||
on the internet and this concludes the Oh No News. Oh no! You have been listening to Hacker Public
|
||||
Radio as Hacker Public Radio does work. Today's show was contributed by a HBR listener like yourself.
|
||||
If you ever thought of recording a podcast, you click on our contribute link to find out how easy
|
||||
it really is. Hosting for HBR has been kindly provided by an honesthost.com, the internet archive,
|
||||
and our syncs.net. On the Sadois status, today's show is released under Creative Commons,
|
||||
Attribution 4.0 International License.
|
||||
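Review bot: The transcript text carries what look like uncorrected speech-to-text errors on exactly the terms a search would target, starting in the header summary line (`Toyota's dead-a-leak`) and continuing through the body (`Threat analysis, your attack service.`, `former ubiquity dev`). The commit message says the server searches transcripts, so a query for "data leak", "attack surface", "Ubiquiti", "sextortion" or "end-to-end" will not match this episode on transcript text alone. Suggest keeping the raw file as the record of the transcription but having the search path also match against the episode metadata, or applying a small term-normalization map at load time. The header also records only `Transcribed: 2025-10-25 06:46:23`, with no time zone and no statement of how the text was produced; one extra header line naming the transcription source would let consumers weight the text accordingly.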