An internet radio show about the internet starring Dave Rupert and Chris Coyier.

Subscribe on iTunes or RSS


Special One on One with a Hacker

00:55:43 Download

Show Description

We realize that this crosses the line of "feeding the trolls" or giving attention to "bad guys", but we feel it relevant for our industry. Our lives and work are completely online and we're all highly susceptible to types of hacks and identity theft. It should go without saying that you should not try to be a hero here: if you visit EarlDrudge's site(s), try to expose his identity, or try to snoop around on him, you might actually put yourself in a position where you yourself might be vulnerable to being attacked. We advise you to simply listen.

**Update since the recording (from Chris)**: I was able to talk with Media Temple directly only hours after this conversation. One good end result is that they have changed their policy of how/when/what documents can be approved in which to grant access and who can do that. The retaliation attempt ("honeypot") was verified to have been done by Media Temple. They were trying to catch the bad guy for me, and while I wish there was better communication about that, it's nice to know they were trying to fight back on my behalf.

Show Sponsors

Interested in sponsoring?


DAVE:  	Hi.  You're listening to a very special episode of the Shop Talk Show.  In this episode, Chris sits down with Earl Drudge, the person who hacked his server and stole his identity.  We realize this crosses the line of feeding the trolls or giving attention to "bad guys", but we feel it relevant for our industry.  Our lives and work are completely online, and we're all highly susceptible to these types of attacks and identity theft.  

It should go without saying that you should not try to be a hero here.  If you visit Earl Drudge's site or try to expose his identity or try to snoop around on him, you might actually put yourself in a position where you yourself might be vulnerable to being attacked.  Probably best to stay away so as to not cause attention to yourself.  

As always, thanks for listening to Shop Talk.  We hope you enjoy this episode and find it informative.  We now join Chris and Earl Judge in their prerecorded Skype call.

CHRIS:	Hello, everybody.  Thanks for listening to Shop Talk Show.  Notice there was no theme song this week.  Dave is traveling out at a conference, so he's not going to be on the show and, thus, no sound effects and stuff like that -- sad day.  But also because this is a very unusual show with possibly the most unusual guest we've ever had on Shop Talk Show.  And he goes by the name of Earl Drudge.  Hi, Earl.  Thanks for joining me.

EARL:	Yep.  Hi, Chris.  It's nice to have invited me on the show.  Yeah.

CHRIS:	Yeah.  So I thought we would -- there's a reason me and you are talking right now, and this is going down, and it's kind of strange and interesting.  I thought I would just kind of explain the back-story of why that is, and then we'll kind of try to synch up our stories and figure it out all.

	So it was, I guess it was, just to put on a date on it because I'm trying to be kind of accurate about this.  It was March 7th, and today is March 18th, so it was like 11 days ago or something like that.  I woke up to an email that I got from my hosting company, Media Temple, that said, essentially, "Here's your account --" it was your account reactivation letter or a resending of my account activation letter.  

	And as people know, when you sign up for a hosting company, you get this email from your hosting company that has a bunch of stuff in it, your, you know, welcome to the hosting company.  Here's like FTP access and whatever.  I forget all the stuff that's in there.  

	But it also lists what the primary email address is for your account.  And at that, it wasn't mine.  It was somebody else's.  And I was like, oh, crap!  Somebody was able to, you know, get access to my hosting account, and that's kind of a big deal, right, because it's all -- I mean, I actually have two different accounts there and stuff hosted elsewhere, but this was my main account, the one that has CSS-Tricks on it and a couple of other sites.  

	I was like, crap!  I wonder if this is like -- because, you know, once in a while you can get an email, like from PayPal, that's like your PayPal account has been compromised, but it's just spam.  But this was real.  It was a real letter from Media Temple, so I was understandably nervous and worried.

	The first thing I did was go to Media Temple and try to log into my account, and I couldn't.  The password had been reset or whatever.  So I'm like, this is real!  Somebody has gotten into my site, and I was nervous about that and reached out to Media Temple on Twitter and said, well, look, I can't get into my account.  This is crazy.  And they kind of reacted fairly quickly.

	Then I got another one of those emails, that same kind of account activation email with my corrected information and stuff on it, maybe 15 minutes after I reached out to them on Twitter.  I was able to log into my account again and kind of -- cool!  To me it was like, well, this was a real thing, but it was resolved fairly quickly.  

	The person who did that is Earl Drudge.  That's not your real name, right?  But that was you, right?

EARL:	Yeah, that's me.

CHRIS:	Okay.  I mean, and I guess we shouldn't have to say, but it's not Earl's real name here.  I'm sure he's taking every precaution to make sure he's very anonymous in this.

EARL:	Yeah.  So my timeline of the events is pretty much the same except it extends a little bit more in both directions.  Previous to when I had gone after your site, what had happened was, I was trying to get easy money.  I was going after like Bitcoin gambling websites because a lot of those sites will pay out automatically.  And the problem with that is that you have to have the coins in like hot storage on the website.  

CHRIS:	Okay.

EARL:	And I had found one.  It was that was hosted by Media Temple, and so I started exploring what my options were to go steal the coins, which I did end up doing.  I only got $96, which given the time that I had spent on it, I mean I guess it was worth it.  I did only spend a couple hours, but --

CHRIS:	So that's pretty interesting.  You found a Bitcoin gambling site, which I think we can all basically imagine what that is, right?  It's a real gambling site, but you use Bitcoin to do it.

EARL:	Yeah.

CHRIS:	And you just happen to figure out that they were hosted by Media Temple.  How do you even--?  It's easy to figure out on CSS-Tricks.  I say it all the time.  But how did you figure out this site was hosted on Media Temple?

EARL:	What you can do is check the whois, and normally you can see the name servers will give you some kind of hint, or you can go to, and they host cached information of like old whois information from websites, and sometimes that'll list name servers in case they've moved it to like CloudFlare or whatever.

CHRIS:	Sure.  And that's what matters, right, is the name server because every hosting company will have their own name servers that essentially point to.

EARL:	Yeah, some people set up their own, but for the most part, if it's something worth spending the time on, it's already got some of the stuff just sitting out there for you.

CHRIS:	Yeah.

EARL:	And so what I did with SatoshiSquared was, I called Media Temple because I had never heard of them.  I called them, and I said, like, "Hey, this is--" I'm not going to say his name --

CHRIS:	Sure.

EARL:	-- because I'm not sure how he would feel about that but, "This the owner of  I don't know what my primary email address is on file.  I was wondering if you could change that for me."  And they said, "Yeah, sure.  We've got this form our website.  You just fill it out, sign it, and send in a picture of your government issued photo ID."

CHRIS:	They told you how they want you to do the --

EARL:	Yeah, and normally you would think that's a very good practice because, if you're actually verifying the government IDs, then that would be a very good process because it would be very hard, through any method, to get you to send in a picture of your government ID, like to get a picture to send in.

CHRIS:	Mm-hmm.

EARL:	But the problem is that they don't, like, they don't check the government IDs.  So what I did was I found a Photoshop document of an American passport, and knowing the --

CHRIS:	Yeah, I've seen this one.  This is kind of good, but go on.

EARL:	Yeah.

CHRIS:	Yeah.

EARL:	And knowing that they didn't have a picture of him, they didn't know his date of birth because all they would have at most would be like maybe his credit card details.

CHRIS:	Mm-hmm.

EARL:	So most of the information didn't even have to be right.  All I really needed was his name and --

CHRIS:	For it to look reasonably realistic.

EARL:	Yeah.  And then I just checked.  I think I just checked the whois information on his website, and that listed his address.  And in the form, the other little hurdle that you have to get over is they expect a signature.  If you wanted to make it really real, you could print out the form and actually sign it and just scan it, and it wouldn't matter because, you know, unless you -- it'd be pretty amazing if they could find you based on your handwriting.  But what I had just done was, because his name had no repeating characters, I just used a handwriting font, and apparently nobody picked up on that during the reset process.  

CHRIS:	Wow!  You know what's funny to me, as I'm a bit of a designer, I've seen the -- because you just, you have it up on a domain.  You can download this Photoshop file from one of your servers, or at least Media Temple knew about it, you know, or maybe you just sent them a link to it, and that's how they downloaded it.  Anyway, Media Temple has seen and downloaded this file as well.  It's still there as far as I know.

EARL:	Yeah.

CHRIS:	It has this big, gnarly, fake drop shadow behind it.  And a drop shadow like that can only be applied in something like Photoshop.  There's no way it's a scan.  You know, I don't know where you originally got --

EARL:	Yeah, because it would be -- I just found it on some -- I found it on a website that was meant for like fraud related things.

CHRIS:	Yeah, sure.

EARL:	And, like, the people who post there, they always, the never speak very good English, so it took me awhile to find it, actually.  But I just worked with what I had.

CHRIS:	Sure, I mean, okay.  The point is that it's kind of funny in that anybody --

EARL:	Yeah.

CHRIS:	-- worth their salt, there's no way it's a scan.  I mean, scans don't have drop shadows like that.  Photographs don't have -- it looks like a fake, applied layer style to that thing.  It's just funny that that somehow passed muster.

EARL:	Yeah, yeah.  

CHRIS:	Okay.  Yeah, go ahead.

EARL:	There was actually one little article written about me.  If you Google my email address, like in quotations, you can find it.  Yeah, if you Google that, there's an article.  It's called like, "Oh, hi.  Let me verify your identity," and it was someone making fun of a really poor--  I was trying to get a woman's website, and I put up a picture of the person smiling in the passport, which you're not allowed to do in a passport photo.  And even then, I mean, it got caught, but it got caught significantly into the reset process.  

CHRIS:	Yeah, this is the same.  This is the same thing.  It's not even a passport.  It's a passport card.  I didn't even know that was a thing.

EARL:	Yeah.

CHRIS:	Okay.  Yeah, that's funny.  I've actually never seen a Google result with only four results, but that's the case here.  Okay.  So you got access to -- and so it was effective, your attack on the Bitcoin gambling site.  I forget what it was.

EARL:	Yeah.

CHRIS:	But that worked, so that's what led you to believe that Media Temple has these practices in place that you can exploit in which to get into other Media Temple sites.

EARL:	Yeah.  And the reason that it didn't work on your site, I'm not sure if you had checked, you had seen the time that the first email came, but --

CHRIS:	3:31 a.m.

EARL:	Yep.  

CHRIS:	Yeah.

EARL:	I was asleep when it got sent out.  And if I hadn't been, it actually would have gotten me into the site.  But just because their legal team decided to be doing paperwork at 3:00 in the morning, it didn't work.  

CHRIS:	Yeah, okay.  So that's interesting.  I mean, not that -- I am in no way trying to track you, track this information or whatever, but you are saying that this 3:33 a.m. is your 3:33 a.m.  And, based on your accent or whatever, even though this PSD is available at some .fr domain, and I think you might have another FR domain, you're not French.

EARL:	No, not even a little bit.  

CHRIS:	Okay.  So that was funny.  People were like, "He's in France."  You know, I'm like, yeah, maybe we should hold off on that.   

EARL:	If you check the whois details, I think it lists the name Earl Drudge, and then it lists the country as Iceland.

CHRIS:	Oh, yeah.

EARL:	That's also wrong.

CHRIS:	I'm sure, so it sounds a little bit more like a North America situation, but whatever.

EARL:	Yeah.

CHRIS:	We don't have to get into that.  Okay, so that's interesting you say that it didn't work on my site, so it didn't?  I mean, you were never able once to log into my Media Temple account and do anything at all?

EARL:	Well, the first time I wasn't, but then on the 14th, and to this day I actually don't know whether you did this or whether Media Temple did it because it had to be either your actions or Media Temple acting as you to try to catch me.  

CHRIS:	Well, let's wait on that and get into that in a minute.

EARL:	Okay.

CHRIS:	Because that's all -- that's a very interesting thing.  But it's just, it's a little bit later in the timeline.  

EARL:	Yeah.

CHRIS:	And it's of big relevance to this because things really do get weird at that point.  But so there was a social media or social -- social media -- engineering is what they call that, right, when you're willing to pick up a phone and impersonate somebody, essentially that's what they call that, yeah?

EARL:	Yeah.

CHRIS:	And, you know, interesting to me, to your credit, I think it takes some balls.  You know, I couldn't.  I don't know that I would have it in me to pick up a phone and just call and just completely impersonate somebody.  I don't know.  I don't know what my point is there.  I'm just saying that's kind of --

EARL:	Yeah, it's funny.  I've actually--  You're right.  It does take more than some people realize.  Like I used to record myself when I would do it.  I had originally made calls to Comcast, and you could just say, "Hey, my name is Earl Drudge.  I'm working at the Comcast service center in Milwaukee, Wisconsin.  I was wondering if you could help me look up a customer's information on Grand Slam.  I'm having a little bit of trouble.  Grand Slam keeps freezing."  And like you could look up a customer's information and get them to read them out to you.

CHRIS:	So you practiced this before.  This is -- it's a --

EARL:	Yeah, and --

CHRIS:	-- you know, a little bit of a hobby of yours.

EARL:	And I used to record myself, and my voice used to shake, and it doesn't anymore because I've just done this so many times.

CHRIS:	That's -- that's great.  All right, so that's how you could get in.  And at one point you had blocked some kind of thing where it stopped working.  And Media Temple has reached out to me a little bit because, as this -- what -- I'm forgetting the day exactly, but slightly after this and when they reset it or whatever and you didn't get the activation email in time, you didn't stop.  I mean, you straight up just tried it again, right?

EARL:	For a little bit, I tried it again, but then I was ready to just walk away.  

CHRIS:	Right.

EARL:	And if you want to get into why I had targeted your site, I can explain that because that kind of ties into --

CHRIS:	Yeah, maybe we'll go with that too because of course anybody that's been in this position has this kind of why me feeling, you know, like I was targeted.  I was targeted by you.  In some regards, if you had it your way, something would have happened to my site.  I'm not sure what you would have done.  Maybe you could talk about that too, but maybe talk about why me, why Chris Coyier, why CSS-Tricks, and then what would you have done if you got in and were able to do what you wanted.

EARL:	Well, the reason that I had picked your site was, if you visit the website HostCabinet, but it's like, you can type in a website, and it'll tell you where that site is hosted.  And what's cool about that is you can sort it by the amount of traffic that the site gets.  And the first most traffic heavy website hosted by Media Temple was, which I found out is actually, despite being listed on the, list is no longer hosted by Media Temple.  


EARL:	And the next one down, the second one, the one that gets the second most traffic was CSS-Tricks.

CHRIS:	Wow!  I had no idea.  I can't even imagine that's true.  I mean, on it doesn't surprise me because who knows how they get their data or whatever, but there's surely, there's got to be some mommy blogger or something who is crushing me.  But apparently that's not.

EARL:	Apparently not, but yeah, what I was going to do --

CHRIS:	Is that solely what it is?  It was solely traffic only?  It was like I want to get a high-level traffic thing.  I've never heard of CSS-Tricks or Chris Coyier before, but --

EARL:	It was that, and it was also that your Twitter had like a ton of followers because what I was trying to do, you know, to be clear, I'm not like the good guy here, and I'm not going to try to make myself sound that way, but what I did want to do in doing this was get a positive message out about the fact that Media Temple does not verify government IDs and that that is a major security issue because let's say that were to be hosted there, and let's say I get into jQuery, and I can go mess with the stuff that people are referencing from  I could have malicious code in thousands of websites all across the planet because they're all referencing jQuery.  And Media Temple in not verifying the IDs and not, you know, making sure that their customers are safe, that puts a lot of other people at risk too.

CHRIS:	That's true.  It's true, and it does, and maybe this will help in some small way.  Although, like I said, you're willing to say that you're not the good guy in this and, you know --

EARL:	Yeah, I also did it for attention because I'm a vain kind of --

CHRIS:	As we all are.

EARL:	-- person like that.  Yeah.  

CHRIS:	We can get into that a little bit too in that, you know, as different as the ways that we choose to spend our time are, I do things for money and attention also, which makes us not entirely different at our core.

EARL:	Yeah.

CHRIS:	Okay.  So CSS-Tricks was a good target for that for various reasons: Twitter followers and such.  That's -- this is all just -- it's almost hard to listen to and interesting.  This is going to work out so that people are aware of this.  

	Now at some point they kind of did change there, so you tried again after it failed, and they didn't let you in.  So at some point there was some kind of -- they'd learned their lesson, maybe, or there's extra protection specifically on my account because they know it's being targeted.  

EARL:	Yeah, it was your account specifically that they had put extra protection on.

CHRIS:	Yeah, and hopefully there's some policy change.  And they alluded to me that there is going to be some policy change about what government IDs can be accepted and not and whatever.  And we'll see if they have a public statement about that because I think people will want to know.  You know, as much as I don't want to piss off my host anymore, I feel a social responsibility here to explain all of their actions and how this went down so that they can change for the better too.  I think we have a similar goal there in that I want to, you know, give them credit where credit is due, and hold them responsible for the things that they did wrong, one of which is allowing this crazy Photoshop document to straight up allow you to change my email.  That is crazy to me.

	So, all right, I kind of want to move forward in the timeline a little bit.  Maybe just before we go to the final part with the honeypot and all that craziness, maybe we could talk a little bit about you and just, you know, as deep as you want to go into it.  Obviously we can't talk about the town you live in or anything like that because --

EARL:	Yeah.

CHRIS:	-- irresponsible of you as a bad guy, but what kind of generic background do you have, or is this how you spend most of your time on this kind of thing, or do you also have a job?

EARL:	I do not have a job.  I'm a third year security student at an unnamed college.  Of course -- 

CHRIS:	Interesting.

EARL:	Yeah.

CHRIS:	You literally go to college for computer security.

EARL:	Yeah.  I started when I was -- like I started getting into the computer security when I was probably like 13 or 14, and I quickly realized that the technical end of stuff like SQL injection, I just didn't really get it.  I’m a competent programmer, but just stuff like that has always just escaped me.  But lying to people and, you know, tricking people, deceiving people because that's all that social engineering really is when you get down to it, that's just something that I have always kind of been really good at.

CHRIS:	Yeah.  You did mention at one point that you don't even have to be particularly good at it for it to work.

EARL:	Yeah, like the Photoshop document, I'm sure that like there are other websites online where you can pay for a very high quality Photoshop document of a passport like one that looks like it was just sitting on a scanner when the image was taken.  But I just didn't want to spend that kind of money when I could find a free one that worked adequately.

CHRIS:	Okay, so computers is your thing now.  That's what you do.  That's what you go to school for.  What else?  I mean, do you have classmates at university?  Do friends do this kind of thing too, or are you kind of off on your own?  Do you have kind of online friends that you commiserate with about this kind of thing?  Is there camaraderie amongst the community?

EARL:	I have online friends.  I also do -- I sell drugs.  That's one thing, so I have a lot of people that I know from doing that, and I'm pretty social.  A lot of people seem to think with the like hacker stereotype that I'm like some greasy dude sitting at the computer for 18 hours a day.  But I'm pretty normal, aside from all of this.  The people in my life don't really know about this for the most part.

CHRIS:	That's probably a good idea for your sake, huh?

EARL:	Yeah.

CHRIS:	This is technically illegal, right?  

EARL:	Yeah.

CHRIS:	This was kind of funny.  You know, because obviously I'm somewhat normal myself and have some friends, and when I kind of explained to them what happened to me because this is kind of a crazy story.  You know, it makes for a good bar conversation.  Of course the first place they go is, "Let's get this guy!"  You know, I'm sure you've experienced that type of thing before.

EARL:	Oh, absolutely, yeah.

CHRIS:	People get redheaded right away, and they have all these ideas about what they want to do and how they're going to do it and all this stuff.  I'm like, "Listen.  A) There's no way you're going to find this guy.  That's the whole point is that--"

EARL:	Yeah.

CHRIS:	"-- it's untrackable."  Even if you could, you're just doing the same.  You're just stooping to a possibly worse level than what happened to me to begin with.  And nothing actually happened.  I mean, we'll get to one thing that actually did happen in a minute, but anyway.  Anyway, I just wanted to get a sense of who you are a little bit.  Literally go to school somewhere in North America for computer security.  You know a bunch of people, are relatively normal otherwise.  They probably, most of them, don't have any idea that you do this type of thing on the side.  But motivationally, you do it like the reason most of us do things, for some money and for some attention.

EARL:	Yeah.

CHRIS:	There we go.

EARL:	Pretty much that encapsulated me pretty well.

CHRIS:	What about the -- when you graduate from this, are you intending to take some kind of criminal behavior as a career or it will always be kind of a side project?  I guess, does it even matter?  Do you even think about that?

EARL:	It's always kind of a tough choice because, you know, criminals tend to get caught in the end, and I'm not, like, I'd say I'm a pretty smart guy, but I'm not like a super genius.

CHRIS:	Yeah, and not looking to get caught either, right.

EARL:	Yeah, exactly.  So I would like to take it legal, and it would be nice to be able to site some of this experience because I have done things openly, like with my own name, for security that kind of gives me credit, like for getting a job.  But on the other hand, the criminal behavior is always a lot easier.

CHRIS:	Yeah, well, yeah, that's what --

EARL:	And that is why people do it, I guess.  

CHRIS:	Yeah, that's what they say.

EARL:	So I'm not really sure where I'm going to take it.

CHRIS:	Okay.  Let's take it for a minute and move forward in the timeline just a little bit, a week later maybe.  You know, March 7th was when I got the reactivation letter.  And then it was March 15th, I think.  Of course, I took some actions to protect myself because I was like, this is happening to me.  This is crazy.  I have no idea what to do.  Something like this specifically hasn't happened to me directly.  I had a weird situation that I don't even know if you know about, but I'll explain to you at the end where something else was stolen from me related to CSS-Tricks, and I would actually like to get your insight on it because I have never gotten to the bottom of it to this day.  

	But what happened is, they wanted to catch you, I think.  Media Temple wanted to give me the good news that they got the guy.  So what they did -- what's funny about this is the reason I know this even happened is through you.  They won't even talk to me.  And I feel weird saying that, but I've been trying to get Media Temple to explain to me what the heck happened from their side of the story, and they won't even tell me.  

EARL:	Yeah.

CHRIS:	So I think they're trying to handle this in a medias kind of way that's really clean, but anyway, so they did what you call a honeypot.  And I had to go to Wikipedia to try to figure out what it is.  Maybe you could explain to me and to this audience what the hell, and what did they do to try to --

EARL:	So, all right.  I'm going to read out.  I'm not going to read out all the account details I got in that one email on March 7th, but I'm going to read out some of them, and I'm going to sensor it, you know, for your safety because I don't want someone else trying to take your site using the same information.  So on March 7th, I got an email saying dear Chris, below is blah, blah, blah.  Here's your information.  It says account owner: Chris Coyier.  Am I saying that right?

CHRIS:	Yeah.

EARL:	Yeah, and says account number: 121--  Those were the first three digits.  There are also some other ones I'm not going to read.  And it says: account anniversary date 2008-11-15.  And that was your real site.  And the primary domain was  So that was the legitimate --

CHRIS:	But there wasn't a dash, wasn't there?  Where did I see this?  I have a screen capture of it somewhere, but it wasn't really my domain because it didn't have a dash between CSS and --

EARL:	No, and there was -- then this is the other one that I got.  I got another one on March 14th at --


EARL:	Yeah, and I got another one --

CHRIS:	This is the fake one or whatever?

EARL:	Yeah, this is the one where I think either -- I guess it wasn't you, but I think --

CHRIS:	Well, it wasn't me.  I'll tell you that.  I have no idea about any of this.

EARL:	Yeah, I think it was Media Temple trying to handle the situation on their own.  It says account owner Chris Coyier, account number 271613, and account anniversary date 2014-03-14.  And for the primary domain, it was dev-csstricks (with no dash) .com.  

CHRIS:	Okay.  So what is their goal in sending you a letter like that?

EARL:	Well, what I think what they were hoping to happen was that I would click it, like out of curiosity, which I did, and that -- because they had set up a VPS that was the lowest tier of VPS that they had, I believe, and it was in no way connected to your regular account, which immediately stood out to me as a red flag, like this is obviously not his regular account.

CHRIS:	Mm-hmm.

EARL:	And it was created the same day I got the email, so I was thinking like how would he just accidentally type my email in.  And so I log into the VPS through Tor and everything, you know, taking the precautions because it was obvious to me right away that it was some kind of trick.

CHRIS:	What do they want from a trick like that?  Is it your IP address?  Is that what--?

EARL:	I would think so, yeah, because if they get my IP address then they could contact my ISP, which given they should have considered that I had been on a VPN when I sent the emails to them, and I had also --

CHRIS:	I mean, what does a VPN mean?  I know it means virtual private network, but it means that it masks your real IP in some way, yeah?

EARL:	Pretty much, yeah, and the idea is that they don't keep logs of what you do, so in case the government ever comes to them and says, hey, this IP address has been doing bad things to someone.  

CHRIS:	Mm-hmm.

EARL:	Whose is it?  They can say, sorry, we can't help you, don't know, even if they have like a court order.

CHRIS:	Okay.  Because they don't know.

EARL:	Yeah.

CHRIS:	Okay.

EARL:	And so I logged into the VPS, and I started just poking around and breaking shit just because I knew it wasn't going to stay around for long.  And I kept checking if there was anyone else logged in, and there were other people logged in, and there were other people logged in, presumably watching what I was doing on it.  And so I decided to download one of those little pearl denial of service scripts and point it at your regular website to see what would happen because I knew they were watching.  And within a minute of doing that, the VPS shut down and it has not been back up since.

CHRIS:	Okay.  So there wasn't a sustained DDoS on my own site through this.

EARL:	No.  It was just probably a minute's worth and then they took it.  They took the VPS down, and that's when I was like absolutely 100% sure that it was someone trying to set me up.

CHRIS:	Right, and you possibly had been, like, why wouldn't it have been me?  Or least why wouldn't have I okayed this thing.  

EARL:	Yeah.

CHRIS:	You probably assumed that it either was me or it was Media Temple acting on my behalf that I agreed to.

EARL:	Yeah, that was absolutely what I had figured.

CHRIS:	Yeah, which of course you would believe that.  It just so happens that that isn't true, and I think this is what, you know, it kind of irks me in both directions.  I don't like being attacked, period.  But I also don't like that -- it kind of annoys me that the reason things escalated from here is from some honeypot thing, which I guess what that means is setting up a fake server to try to get somebody to log into it.  

EARL:	Yeah.  In this case, yeah.

CHRIS:	That's what really pissed you off.  And believe me, there's been some anger thrown around in both directions at some point.  You've called me some names.  There's obviously been some, like, if I would Tweet in frustration, I could sense some enjoyment from you.  I'm sure that you'd --

EARL:	Yeah.

CHRIS:	-- get a kick out of that once in a while when I'm like, you know, just at my wit's end trying to reach out to Media Temple for help and stuff.  You can tell that you enjoy that kind of thing, not to, you know --

EARL:	Yeah.

CHRIS:	-- put you too much on the spot here.  But, you know --

EARL:	Yeah, I think it --

CHRIS:	-- the reason that it got where it got is because of some activity from some company that I didn't even approve, that makes it double frustrating to me.  I get to be frustrated at both sides.  Anyway, do you have any--?

EARL:	Yeah, I think that that was a really irresponsible move on their part because knowing that I had already gone after the site, you would think that they would expect, like, yeah, he already beat -- I mean, I did kind of get in in the sense that it would have worked if I hadn't been asleep.  And so you'd think that they would have considered that before taking action, like, on your behalf using your name that you did not approve that could have incited further, like, fighting.

CHRIS:	Yeah, well, they didn't, and they won't even talk to me, apparently.  I'm sure they'll talk to me after this.  And I feel a little weird about it because they've -- I don't know.  They actually don't give me free hosting anymore.  I used to have some kind of media deal with them where they did, but actually I'm so frick'n unorganized financially that I just learned -- I was doing my taxes, as we do this time of year, that I was like going through my credit card statements like, oh, my God.  I pay a bunch of money for hosting through them.  Anyway, they have sponsored various things I did in the past, but they do not pay for my hosting.  I pay for that.  

	What happened after this is that you were angry at what happened, and somehow you have my social security number, and this is one thing that we need to figure out.  And I don't know if we'll be able to get to the bottom of it or not, but they swear up and down that they don't have it.  They don't store it.  Their agents don't have access to it.  There is -- they just -- at one point they even got a fake, just like you have the passport, you have a fake social security card too, they said, that that -- and that you sent that into them too that had my real social security number on it, and they said they could do nothing ith it because they don't have anything to compare that number to because they don't have it in my system.

EARL:	Well, that's funny because that part was either not true or not me because I didn't send that in.  And I do have the font for the social security cards, but I don't know if -- I don't think I have the actual social security card Photoshop document up on my site.  But that part actually is not true.  Like, I didn't send them in that, but I --

CHRIS:	Okay.  They might have been just confused or something too.

EARL:	And I did lie about getting it from them because I just wanted to see if I could get a reaction out of them too.  

CHRIS:	Okay, so that's interesting.  They're true.  They don't have my social security number.

EARL:	Yeah, that's true.

CHRIS:	But you do, so Media Temple wasn't your only target for me.  You got this some other way.  

EARL:	Yeah.

CHRIS:	I don't publish it.

EARL:	You can get that from a couple different places.  If you have the money, there were a couple sites that have recently gone down for various reasons.

CHRIS:	My God!  Really?  There's a site where you can just cough up a few bucks and get anybody's social security number.

EARL:	Yeah, I believe it's like $3.70.

CHRIS:	Oh, my God!  It's that commoditized too!  Like somebody works at some office somewhere where they can look it up, and they'll just look it up for you and sell it?

EARL:	Yeah.  It's and  Both of them are down.  Ssndob had their name servers attacked, like their name servers have been changed back and forth because --

CHRIS:	But you found the one that was up, and you were able to get mine for $3.

EARL:	And also you can get it, because they were down at the time, you can get it through various like phone providers, your Internet company, your --

CHRIS:	If you call up and do social engineering.  

EARL:	Yeah.  You just call up and lie to them.  Just lie, lie, lie to someone.

CHRIS:	They'll tell -- I'm fascinated by that.  So you say, "I forgot my social security number.  Will you tell it to me?"  And they will?

EARL:	No, you don't even do that.  You just pretend to be an employee.  

CHRIS:	Oh, that's even better, right?  Because of course they'll give it to an employee.  They won't just give it to somebody else.

EARL:	Yeah.  And what's funny is all you need to do is figure out the name of like whatever software they use to look it up.  For instance, Comcast is Grand Slam is what they call it.

CHRIS:	Oh, that makes you seem legit when you say it like that.

EARL:	Yeah, like if you just use that, that's like the magic word, and they just believe that you're really an employee.

CHRIS:	That's great.  But in your case, you found a website to do it for you.

EARL:	Yeah.

CHRIS:	So then you got it.  In some twisted way it makes me feel a little better because then the thing that happened in reaction to this is that you posted a whole bunch of information to something called Doxbin, which I've never heard of, but maybe you could tell us what that is.  I mean, just because you posted on it, I went to their website and looked.  It looks like dox means documents.  Essentially it's like a post anything kind of site.  Is that right?

EARL:	Yeah.  And because it's run through the Tor network, which I do have like Tor mirrors of my website up, because it's hosted exclusively through Tor and the service is configured right, there's basically nothing that anyone can do to get it taken down.  Unless the owner of the website decides to take some action against it, which I actually am going to, given the circumstances.  Like there is a strict non-removal policy, but I'm willing --

CHRIS:	Yeah, let me read what it says because I was able to log in through -- I didn't actually set up Tor on my computer.  Apparently that means the onion router or something.  I don't know anything about it but --

EARL:	Yeah.

CHRIS:	But there's a way that you can do it through the Web, and it says like, well, if you don't really care too much about your security or whatever, and I was like, I don't really.  I mean, I guess I should, but I was able to go -- I was able to view it through a Web browser without having to configure anything.  And I went to the homepage of it, and it says -- there's a big text area.  That's all there is.  

And it says, "Docs go here.  This not your personal slam page, nor is the page on which you brag about having owned someone or to complain that they owned you.  Post whatever info you have and shut up.  There are no limits of what you can post, so feel free to drop social security numbers, financial, medical info, or anything else that is blatantly illegal.  We have a strict non-removal policy, so once docs go up, they stay up unless they are inaccurate or you didn't include at least a name and an address.  Asking for docs to be removed is probably the surest way for them to be updated and expanded upon.  You have been warned."

	So it's kind of like a whatever, like a WikiLeaks kind of thing, right?  Post it here and it will forever be on the Internet.  

EARL:	Yeah, a lot of people in like the hacker crowd put stuff up there because it's a way to go after people, and there's not much recourse they can do, you know, if you've protected yourself.  And it's basically just like do this if you're mad at someone.  

CHRIS:	Yeah, which you were.

EARL:	That's pretty much the gist of it.

CHRIS:	And there's literally a link on one of your places to the Doxpin, which I originally clicked, and it just goes to a white page, right, because if you don't have Tor set up or whatever, you can't get access to the site.  But if you go through one of their little Web -- I don't know how it works.  But there's some way you can look at a Doxpin without having to set up that kind of thing.  

I did, and what's posted under my name is literally my real social security number and date of birth and places where I've lived and my websites and that account -- I mean, so that forever on the Internet is this thing, right?  And even if you were to -- even if we were to contact them, the chances are, if anything, they'll promote it, you know.

EARL:	Yeah, most of the time what they'll do is, if you scroll through the archive on their site, anything that you see that has the little orange envelope symbol next to it is something where the person in the file has tried to contact the admins to get the post removed.  

CHRIS:	Wow!  So it's extra juicy or something.

EARL:	Yeah.  So they put it up to --

CHRIS:	Discourage that.

EARL:	-- to create more.  Yeah.

CHRIS:	So if I were to call Doxpin, they would just -- of course it would be the opposite of --

EARL:	Yeah.

CHRIS:	It would just -- it would be bad news.

EARL:	I feel like if I were to contact them, and I am going to try because I understand that the honeypot was not your idea, not your fault.  Hopefully it'll do something other than get my email put up there saying, "Hey, could you take this down or something?"

CHRIS:	I don't know what to tell you.  The reason I felt better about the reason that you bought it for $3 is that anybody could do that for me, I mean theoretically.  So the fact that it's on Doxpin really sucks and, of course, not knowing what to do, I immediately signed up for this like LifeLock service, which I don't even know if it works or not.  But it's kind of the thing like if people have this number of mine, they can sign up for credit cards in my name.  And if I'm in a delicate position right now or if my credit were to go bad, there's some life stuff that would really, really … my life pretty good.  So I signed up for this thing to make sure that that doesn't happen, you know.  But if somebody really wanted to open a credit card in my name, it would be easy.  They would just go to one of these sites, buy my social security number for $3 and do it.  So the fact that it's on Doxpin doesn't make that a whole lot worse.  

EARL:	Yeah.

CHRIS:	Which I guess is some frick'n shining light in this mess.

EARL:	And LifeLock, I understand, they do -- they actually are pretty good about what they do.  My understanding of it is just that it makes it very, very much more difficult to steal your identity to the point where it really wouldn't be worth it unless someone had a personal vendetta and wanted to do it to you specifically because --

CHRIS:	You could still beat LifeLock is what you're saying?

EARL:	Pretty much, yeah, but it's more dedicated.  And if you're in the fraud scene, you're not in it to go after this one specific person.  You're just trying to go after anyone that you can get some money out of, and so they probably just take the $4 loss and move on.  

CHRIS:	Mm-hmm.  Oh, they wouldn't even find out until they've already paid the $4, so at least I'll get them for $4.

EARL:	Yeah.

CHRIS:	Grrr.  All right, so yeah, anybody that wants -- well, I'm not even going to say that.  Let's -- that's where this, hopefully this story ends, kind of, is that -- I don't know.  Whatever.  There was some retaliation on both sides and some rising anger and stuff.  And there's some kind of, you know, irreversible damage in that it's a little easier to find my social security number that it once was online.  But thank God if you Google it, it still doesn't show up.  At least Doxpin isn't indexed by Google, as far as I know.

EARL:	It actually was.  It's not anymore because a couple of the ClearNet Tor websites where you could get on Tor through the regular Internet, they did have Doxpin listed, but they have now banned people from accessing Doxpin on their service because of stuff like that.

CHRIS:	Yeah.  I mean, that seems like a bad policy for a company like Google.  So here's something.  You know, our HIPAA and SOPA, right?  And I'm sure you do, right?

EARL:	Yeah.

CHRIS:	You know, the Stop Online Piracy Act and whatever HIPAA stand for, and it was pretty much the whole Internet was united in their outcry that this is a bad idea.  It gives the government a little too much control over things that they -- for example, you could just accuse a website of something and get it removed from the host until it could be sorted out kind of thing, and it was a little bit of a guilty before, you know, proven innocent kind of thing, and it was weird.  Were you against it philosophically?  Did you have some say in that fight?

EARL:	I don't really care for it too much because, with the Tor network, well, like, one thing you have to understand about SOPA is that SOPA would be, from my understanding, an American agreement.  And given that my host is in Iceland, that doesn't really matter to me too much.

CHRIS:	So it wouldn't have affected you personally is the point.

EARL:	No, and with Tor, because Tor encrypts the traffic end-to-end, and there's no trust involved in Tor, like you don't have to trust -- like with my VPN, I have to trust that they're not going to give up my real IP address, but with Tor, you don't have to trust anyone just because of the complex way that Tor is created.  And with Tor and the other darknet that I use, I2P, SOPA would basically have no effect.  And what I think eventually is going to happen is something, either SOPA or something very similar to SOPA, is going to pass.  And then things like Tor and I2P are going to become more and more common because it's a way of getting around the censorship, and that's exactly what those programs were created to do.

CHRIS:	But it doesn't make for a better Internet, does it?  I mean, despite the fact that it might not affect you directly very quickly.

EARL:	Yeah, I think it would be bad if it passed, definitely, but I've just never felt too strongly on it.

CHRIS:	Okay.  That's fair.  And what's interesting to me is, of course I was against it just because I feel like most people were.  And what I read up on it, it'd be like kind of nasty.  The way I understood it was that if somebody kind of like accused my site of doing something nasty, even a copywrite violation, that they could reach out to my host, which obviously is a very easy thing to find, and they could kind of shut me down until it was sorted out, and that feels very dangerous and way too big brothery and scary to me, and that's the limited part that I understood of it and, thus, was against it.

	But what it does is it kind of gave the government some power over the Internet, which they have very little of now, as we know.  And for the first time when this stuff went up on Doxpin or whatever, it made me kind of feel like it's funny to me that I can't reach out to the government at all.  Let's say I was so mad at you right now that I was going to do everything in my power to find you and get all mad about it.  And I was like, I'm going to call the FBI, you know.  They couldn't help me.  The jails are not piling up with Internet criminals.  If they could even find you, which I'm sure they couldn't, you know.  

	But I feel like if something like SOPA happens, if we were to give the government more control over the Internet, maybe they could have.  Maybe it would be easier for them to find and shut down a site like Doxpin.  My technological understanding of all this is little, but for the first time in my life I kind of felt like, just for a moment, and I'm not sure I truly in my heart of hearts believe this, but I felt for a moment like, gosh, I wish the government had control, more control over the Internet.

EARL:	Yeah.  The thing with that is actually with Tor, the way that it's set up, when you visit a website that has a .onion domain, you're not actually -- like if I were to visit Media Temple, then I know Media Temple's IP address, and I know, like it's pretty simple to find out where it's hosted and stuff.

CHRIS:	Mm-hmm.

EARL:	But with services like Doxpin and hidden services, that's what they call the onion domains, they're set up in a way that you're just going through the Tor network, and all you can see is random Tor network IP addresses, and you aren't actually able to find the owner of the website.  And, inversely, the owner of the website is unable to find you, which as bad as it sounds because, you know, I like Tor, and I think that Tor has a very good uses, does allow people to do very bad things and have really -- nobody has any legal recourse.

CHRIS:	Okay.  But -- yeah, okay.  So -- whatever.  The government couldn't even find the thing to shut down if they wanted to.

EARL:	Nope, and they have tried.

CHRIS:	Even if there was legal -- yeah, if there was some -- even if they were granted the power to do so.

EARL:	Yeah, I'm pretty sure Obama's social security number is even on Doxpin.

CHRIS:	Oh, gees.

EARL:	And hasn't been removed.  

CHRIS:	Wow!  I guess that says something.  There's an endorsement.  Just like the LifeLock guy's social security number he made available at one point….

EARL:	Yeah, yeah.  It ended up on billboards and stuff.  

CHRIS:	Okay.  So there's going to be some people out there who are not pleased with me in a new way, and that is that I'm giving you, who is a self-admitted bad guy, a larger voice, right, because why, you know, why encourage the trolls?  Why celebrate the bad people or whatever?  

	The reason I'm doing this is for my own -- I don't know -- my own understanding.  I needed to know what's going on.

EARL:	Yeah, like closure.

CHRIS:	Yeah, hopefully.  

EARL:	Hopefully.

CHRIS:	Closure is a good word for it.  Let's call it closure.  

EARL:	Yeah, I think that one thing that people, I would not say misconceive about because I am a bad guy, but I would say that people have a little skewed is that I did go after as something purely malicious.  I just wanted free money.  And I went after your site and caused you a lot of personal trouble, and I did, like, laugh at you on Twitter during the time that I had done it.  And, like, I opened up with I'm going to hacks your site.  

CHRIS:	It did not seem like you were the kind of college student at a university at that time, but anyway --

EARL:	Yeah.

CHRIS:	-- go on.

EARL:	But when I had put CSS-Tricks in mind as like my target, it was because I actually thought, wow, Media Temple, especially when I saw that jQuery was hosted with Media Temple, or was in the past, but is no longer hosted with Media Temple, I thought, wow; someone that really wanted to just watch the world burn could go after a big site like jQuery.  And because Media Temple doesn't do its job very well in making sure that people aren't getting into their customers' accounts, that could cause a lot of people, from a lot of different websites, a lot of trouble.  

CHRIS:	I'm sure we'll hear from them after.

EARL:	It was malicious in the way I did it, but I think that I did have a good goal in mind, but that's not to say that the end justifies the means.

CHRIS:	Yeah.  Well, so that's interesting.  We're raising some awareness in that way. 

EARL:	Yeah.

CHRIS:	You know, despite some anger and some back and forth name calling and whatnot, some personal attacks, as it were, are you not a watch the world burn type of hacker or whatever?  I feel like the grandpa talking about skateboarding when I say the word hacker, but.

EARL:	No, I get the same feeling.  I know what you mean, but no.  I mean, there have been times.  It's all just kind of whatever I feel like doing.  I just felt like doing something that I saw as mildly good. 

CHRIS:	That's what I needed an answer to.  I was like, is it malice against me?  Because even if it is, I would just want to know.  Like attacking me through a computer has some level of safety to it.  You could come up to me on the street and punch me in the face, but it's more way risky.  I just saw you do that.  I can whatever.  

EARL:	Yeah.

CHRIS:	You're going to get caught for doing something like that.  But let's say there was a way that you could do a similar kind of thing, but not get caught.  Have it be as anonymous as safe as attacking my website.  Let's say there's a button on a wall somewhere, and you could press it, and a man will come break my legs and disappear into the nights.  Would you press that button?  Is it that kind of vindictiveness against me or not?

EARL:	No, it's not.  It's -- the reason that I put the social security number up was because I really did not appreciate the honeypot thing.  I saw that as a very personal attack.  And in my anger, I just put the recourse on you because I didn't consider, as well as I should of, that Media Temple was the ones responsible for it.  But I don't have any actual like malice for you.  It was more just I wanted to send a message that -- 

CHRIS:	Well, we'll get that.  We'll try and get that message on.

EARL:	-- I'm not going to….

CHRIS:	Yeah, I don't know if we could if we wanted.

EARL:	Yeah, I don't -- like because, you know, people have tried.  There's actually been one post about me that was put on Doxpin and later removed due to a lack of information that had a couple of my user names on it, but nothing really anything important.

CHRIS:	So you know how it feels in a way.

EARL:	Yeah, there actually is one post on Doxpin under a nickname that I had used when I was like probably like 13 that actually is on Doxpin with my real information, but it has no connection to this user name.  

CHRIS:	Well, okay.  So like I kind of started this ending with is that there's going to be people out there that are mad at me for giving you a bigger voice, so I want to make this show a little bit worthwhile.  I think it was worthwhile in kind of hearing how this stuff goes down, spreading a little awareness.  

	What about something that people could do to protect themselves?  Is there any kind of somewhat positive message that we can make this a little bit extra worthwhile so, at the end, when people are yelling at me for this, I can say, look; at least there was this good message at the end.  Is there some--?

EARL:	The best advice I could give would be either pick a host that you know is going to want a lot of information from you and will verify all of it, or pick a host that wants no information from you and just is not very cooperative if something happens because that's like how my host is.  I paid for my hosting.

CHRIS:	So can we -- can we have a takeaway?  What is that host?  Are there good?

EARL:	Yeah,, it's an Icelandic host, and they accept Bitcoins.  And they're open about people being anonymous on their website.  Like they don't mind if they don't have your real details.  Like if there's a problem, they'll take stuff down off from their host.  They're not like hosting openly illegal things, but --

CHRIS:	How do you contact them to change something if you have to then?

EARL:	Basically you just hope that whatever email you put on, you just need to be able to hold onto that very well.  Another recommendation that I have is gmail is a very good email provider because they require like a lot of different information to reset your password, and they don't have like a funnel support line because people are always….

CHRIS:	Yeah, I was pretty sure you didn't get into my email because I got the two-way auth on there, and I think that's pretty good security.

EARL:	Yeah, stuff like that, and then signing up with a host where the only way to reset is your email address.  Like my host doesn't know my real name.  They have no address on file for me.  They've got no phone number, so the only way that you can reset like my hosting account, for instance, would be to have access to my email, which isn't impossible, but it's a lot harder than opening up Photoshop for 15 minutes.

CHRIS:	Yeah.  Well, there's one thing I need to ask, even though this is weirdly placed in this show, but before we wrap up here is that a couple years ago, maybe it was two years, a year and a half, something like that, my website was stolen in a more dangerous way, I think.  And what they did was they stole my domain name, the ownership of the domain name.  A) Did you have anything to do with that?

EARL:	No.  I actually did find that though because, just looking for to see like the fruits of what I had done, I had Googled CSS Tricks hacked just to see if what I had done would come up.  And, no, I actually didn't have anything to do with what.

CHRIS:	Okay, just curious.  I mean, I didn't expect that you did somehow, but as somewhat of an Internet criminal, did you read the post?  Do you kind of understand what happened?  I can sum it up pretty quickly if you did not.

EARL:	Yeah.  I'd read the post.  Basically what happens with that a lot is similar tactics can be used on domain registrars.

CHRIS:	I mean, I never got to the bottom of it.  This is a total mystery to me to this day is that you think that that is somewhat likely is that they were able to call Go Daddy?  It was where it was hosted at first, and then it kind of bounced around to a couple of them.  You think that they did it over the phone?  I mean, you don't have to be right.  I'm just curious as to how you think it happened.

EARL:	I think that it was either a social engineering attack or it was already just there was some bug in the website.  But whatever it was, it was definitely whatever was wrong with -- it was some missed thing on the domain registrar's part that they had let that happen.  And actually, that one site that I had bought your social security number from,, that was recently hacked because someone gained control of their domain because they have the entire domain registrar hacked.

CHRIS:	Yeah, and to be -- so people understand, the reason that's more dangerous is, let's say Earl here were to have gotten complete access to my servers and did whatever he want with them, just totally trashed them, put spam on there, used them as a DDoS, who knows what.  I don't even know what you would have did if you're into that kind of thing or not.  But the point is, let's say you were to have full rein over it, root access, whatever.  And that's another question.  You don't still have root access to my site, do you?

EARL:	No, I don't.  I never got into the main CSS Tricks.

CHRIS:	Okay.  Let's say you did though.  Let's say you did.

EARL:	Yeah.

CHRIS:	And you could do whatever you wanted.  Because I still own the domain name, I could, fairly quickly, register a new host somewhere.  Of course, I have backups of everything.  It's even version controlled and stuff.  Throw up all the files from CSS Tricks, grab a copy of the database taken, backed up in real time actually, move it over to the new host, and then point my domain registered at that new thing and I'd be back up and running with a hack free website.  Because I own the domain name, I have that power.  But if you lose the domain name, you lose it all.  So anyway, the point is that sucked.  

EARL:	Yeah.

CHRIS:	I was able to get it back because Go Daddy fought to get it back for me.  And I am a little mad at Media Temple for doing what they did to you because, of course, that's the thing that spurned the actual fallout from this is that it is a little easier to get my social security number out there in the world, and that kind of sucks for me.  And even if Earl wanted to get it back, which, you know, it sounds like he may try and get it back for me, that would be, you know, it's weird to say nice.

EARL:	It would be an undertaking.

CHRIS:	But it would be nice of you.  Anyway, I would urge you to be nervous about that because I don't want an orange icon next to mine, you know.

EARL:	Yeah.

CHRIS:	That -- whatever.  You know what I mean.  

EARL:	Yeah, I know what you mean.

CHRIS:	Okay.  So, people, don't be too mad at me for this.  I thank you, Earl, for coming on and explaining to me all this, what went down, and who you are and what your background is.  Hopefully some people can protect themselves, get a host that's less susceptible to this kind of thing, that kind of thing.  Hopefully it was interesting listening.  Any final words?

EARL:	Nope.  I think I'm pretty much good.  Thanks for having me.

CHRIS:	All right, well, until next time, folks.  See you later.  


  • 420 Studios

    wow interesting topic. lol good show guys

  • Basti

    Informative and entertaining. I don’t think you should worry about people complaining about this. You are some kind of journalist after all and a journalist’s job is to bring a good story. Which you did.

  • Wow. Amazing interview!

  • This is just excellent stuff.

  • Eric

    I agree. – Great Conversation and good Journalist job as always.

  • sarawr

    This guy is a hacker and he pronounced “cached” as “cash-ayed”. lol.

    • benmarks

      This is the proper pronunciation.

      • Cache

        No it’s not, hahaha

        • benmarks

          This may be the best thing I’ve seen today, possibly stretching into yesterday.

          • lmaooooo

            you’re wrong.

        • Guest

          I am sorry, but it is.

      • John Malon

        I hate to be pedantic about this, but proper according to whom? ‘cache’ isn’t pronounced like ‘cachet’, at least according to Webster –

        • KevinACrider

          You need more upvotes on this post

        • Adam Erickson

          Cache, the hoard of stuff, is very different from caché: being respected and admired. Pirates have a cache of treasure, but not (until Johnny Depp became one) a lot of caché.

      • John Malon

        I think I’m just catching on now…

      • Gabriel Luethje
        • Guest

          Graphics Interchange Format. How does that = Jiff?

          • I always pronounced it “giff”

          • transpar3nt

            I pronounce it like Gift without the T. Seems the most logical to me.

          • It clearly depends on which language you are used to speak as a mother tongue. For example, in Italian it makes perfect sense.


        Just type it in on define Google and it is pronounced differently. It’s like how every calles PorshAAAAs porshs. Annoying!

  • Very interesting read and listen. Thanks for sharing Chris!

  • Kyle B. Johnson

    Crazy opportunity to have this interview and very calmly done, I might add. Wow. Insane.

  • “i sell drugs” lol

  • Really loved honesty of both the hacker/hackee. Why the internet is still better than not the Internet.

  • I definitely appreciate you doing this interview. While I’ll never really understand the hacker mindset re posting things on docspin etc… is important to highlight the divide between what most web developers know about security and what hackers are actually exploiting. I’ll be double checking my registrars security practices.

    I wonder how this differs in other countries eg. because of the design/availability of identification cards/passports and how easy they are to fake digitally.

  • Loved this! Great episode!

  • Isaac Chansky

    Really enjoyed this – super open discussion about an issue that is (IMO) understated in our industry out of worry of pandering to ‘trolls’ & ‘hackers’. Great stuff Chris & Dave.

  • Thanks for doing this Chris, people need to be aware things like this happen.

  • Seven Minaya

    I like how you took the situation and turned it into something we all can benefit from. Well done sir.

  • Haha man… the underbelly of the web is a deep, dark place. I always enjoy learning more about how the darker side lives and works. I’ve always found that there’s a lot to be learned from the more “black hat” aspects of the web.

    Everything from questionable SEO tactics to straight up cracking has plenty to teach people who have no interest in doing things like breaking into websites or gaming Google. The thought processes and inventive tactics they employ can be reverse engineered and used for other, more legitimate things.

    Great show Chris! I almost never listen and I was totally glued to this episode. Personally, I’d love to hear more of this type of stuff in the future.

  • Matt Soria

    Excellent interview, thanks a lot Chris! You really put yourself out there with stuff like this, time and time again, and it’s definitely appreciated!

  • This isn’t giving attention to bad guys it’s raising the fact that we’re not doing enough to ensure we have privacy and security online.

  • Just want to note to those that didn’t take a peek at hostcabi, Css-tricks is worth some serious cash, Good work Chris.

  • lindsaycasey

    This was fascinating. Thanks for the open discussion.

  • minasdesign

    That was amazing!

    I don’t know why but I kept expecting for the guy to say “sorry man”, but not once. Of course, this is a daily job for him.

    Chris, congratulations for keeping it together and conducting this awesome interview. I’d have lost it and call this guy some pretty ugly names. Thanks for sharing!

  • Krivaten

    This was a great episode! Odd, but great. Even if you didn’t know how to code (Which the cast wasn’t really about), you can “social engineer” access to many places, previously thought to be secure.

  • Logan Pennington

    Chris, I’m proud of you for doing this podcast. Took guts. Keep being awesome.

  • Zoe Soto

    Great episode!

  • greenweb

    WoW Chris – I hope MT has done something super nice to make up for all the stress. I am amazed that you got the chap to talk to you. That my friend is a story I would like to hear sometime.

  • Winston Ford

    How bout this for a take away: the only hosting password that is 100% secure from social engineering is a machine on your home network, period. Like most people here, I have a few hosting accounts with different companies and I used to have my own hardware colocated at data centers. Regardless of company policy, a phone rep at a hosting company or person in a colo can be duped by a skilled social engineer. But no one can call you pretending to be you, ask for the password on your home linux box, and get it- nor can they ring your doorbell, say they are you and have popped by to work on your server, and get escorted into your home. Right? Have I missed a possible scenario?

  • This is so forking crazy and amazing! Thanks for talking about the topic.

  • Thanks for sharing man. You made a crappy situation into something great.

  • This helped me a lot actually. When it comes to choosing a host, and not to choose the “biggest and best” but considering the factor of what they would do if something similar to this would happen to me too.

  • Winston Ford

    How bout this for a take away: the only hosting password that is 100% secure from social engineering is a machine on your home network, period. Like most people here, I have a few hosting accounts with different companies and I used to have my own hardware colocated at data centers. Regardless of company policy, a phone rep at a hosting company or person in a colo can be duped by a skilled social engineer. But no one can call you pretending to be you, ask for the password on your home linux box, and get it- nor can they ring your doorbell, say they are you and have popped by to work on your server, and get escorted into your home. Right? Have I missed a possible scenario?

  • Brilliant, Chris. Time and time again you find ways to make the internet better for everyone.

  • Ryan Brown

    At least something positive was gleaned from something negative

  • goodbedford

    This was a great show and very well paced. It had a very serious tone and ultra compelling. It would have been nice if Dave was on but the sound effects might have distorted the beautiful humanity of it all. Really cool.

  • This was so fascinating. Thanks for doing the talk – perfect way to turn what was a terrible situation into fodder for your site and for discussion.

  • Matt Kreiling

    Thank you so much for this triumph of compassion, curiosity, and communication. It is gratifying and inspiring to see how you resolved this conflict and turned it into something so much more valuable than if there hadn’t been a conflict in the first place.

  • Whoah… so many comments and replies. Great podcast Chris!

  • agentfitz

    I’ve listened to and enjoyed Shoptalk since its inception. This was the best episode I’ve heard to date. Fantastic interview and content Chris, learned a ton – thank you.

  • Great show as always. This has really opened my eyes to quite a few things, I will be thinking a lot more about security from now on!

  • Mark Phoenix

    That was pretty compelling, but has irked my sense of justice somewhat. Wheres internet Batman when you need him?

  • Dr Madvibe

    Wow! A very interesting show (not that the others aren’t: oh you know what I mean).

    Could only have been bettered if you interviewed him in your magnificent British accent.

  • Amazing EP. $3.70 for a SSN blew my mind but after I thought about it I’m not surprised. I can relate to this guy, I grew up in the 90’s and my daily read was the anarchist cookbook.

  • Hackers are jerks. Very smart jerks, but still; we don’t need the bullying.

  • This was great :). Really enjoyed it. Thanks for making this public.

  • maroberto1

    Wow, that was a pretty surreal conversation, what a joke that he got annoyed because you tried to catch him, it’s like a thief getting annoyed because the police try to catch him. He sounds like a real charmer, selling drugs on the side as well! If someone like you Chris, can get caught out along with media temple which has a very good reputation I guess it doesn’t leave much hope for the rest of us!

  • Tyler Benziger

    Hey Chris. Awesome interview. Has anyone told Comcast about the loop-hole he mentioned to get someone to tell him private information?

    • Abe Simpson

      I think it’s not really so much a loop-hole as it just general con-artistry. They weren’t expecting to be tricked that way, so they were complacent with the request instead of scrutinizing it. I suppose they could add a mandate that says any request for a SSN must require the caller to give his Comcast employee ID, or something like that, but it wouldn’t be too hard for someone like Early to spoof this info either.

  • Wow, I didn’t expect to listen to the whole thing when I pressed play, but I just couldn’t stop listening! It was even harder to listen to, hearing the frustration in your voice. I’m already pretty paranoid w.r.t. security, but this has prompted me to beef up my security measures even more.

  • transpar3nt

    This prompted me to request more info from my host on how they handle this stuff. I guess they ask for the server’s Root password over the phone. Better than some, and I guess I can just change the pwd after the call so the call center rep doesn’t use it. I had them add a pin code required for phone calls as well. Thanks for reminding us to keep taking security seriously!

  • kirtan gajjar

    Ever guessed what “earl” means ?

    Well according to –

    The sexiest man alive. If there is a God, he is God’s gift to women. Definately the greastest kisser on the planet. A night spent with him will always be the greatest night of your life. He is said to know the contours of a womans body better than she does. *WARNING* Simply making eye contact with him may result in an orgasm on spot that’s how amazing he is. If you have him, never let go.

  • steven

    Hi Im trying to hack game of war but cant off my I phone if you can help or do it for me id love you for ever lol

  • Dan

    That guy is headed for prison.

  • Ugo

    Thank you so much for that interesting and instructive show :). (It’s been open on my web browser for a very long while and I just listened to it 🙂 :)).
    Thanks again :).

  • Abe Simpson

    Amazing show. Thanks to you and Earl for being real about everything. I learned a whole lot, and it seems like everyone else did too.

  • Came here after seeing the podcast list on reddit 🙂

    Thank you

Job Mentions

Check out all jobs over on the Job Board. If you'd like to post a job, you can do that here, and have it mentioned on ShopTalk for a small additional charge.