Episode 7: David Jacoby aka pewp

David Jacoby:
We wanted to be like the cool kids from America. We wanted to be like them. We wanted to be like the American hackers, but we didn’t have access to that code. We had access to this code. Why don’t I give you one of my codes? If you give me one of your codes, there’s this underground economy where it wasn’t about money, it was about knowledge. As

Voice Over:
An ethical hacker for over 30 years, David Jacoby, AKA poop is on a mission to unh, the planet. His work has captivated global audiences and left a mark on pop culture from the Millennium Book series to TV shows like Hack Hat. His influence has reshaped how the world sees cybersecurity onscreen on the page and in the real world.

David Jacoby:
Inside this trusted inner circle, you could confess anything and no one would judge you. No one would care. Deep inside you’ll always be a hacker. It’s part of your DNA. It’s like that is who you are. The CIA website is top one of the targets that you want to deface and suddenly you have a Swedish group doing that. Hacking has such a negative word. I’m talking about getting back to the community, sharing knowledge with each other. What we had during those 20 whatever years was extremely unique and that will follow us until we die. There’s this hierarchy of people and you can’t apply to become a member. You just become a member.

Nathan Sportsman:
David Jacoby, welcome man.

David Jacoby:
Hey man, thank you.

Nathan Sportsman:
You are here all the way from Sweden. I really appreciate you. You coming out. How’s the jet lag?

David Jacoby:
The jet lag is finally okay. It’s actually the first night I slept an entire night, woke up at six. The other days I’ve been waking up at two o’clock, being wide awake, just can’t sleep. And then I’m just thinking about now I’m flying back home as well. Probably going to

Nathan Sportsman:
We took you to Salt Licklast night. Have you ever had barbecue or Texas barbecue?

David Jacoby:
Well, not in the same way as you guys had it. Not in the same way, but of course we had barbecue back home in Sweden. But this place was really cool. It wasn’t like a gas stove or anything. It was like proper, a proper barbecue and I really liked it.

Nathan Sportsman:
Awesome, awesome. Yeah, I appreciate you spending time yesterday. And so today we’re going to talk about you. Every story has a beginning, and so I’d like to just start from that, the very beginning where you grew up, what life was like in Sweden, and so let’s just start there. Where’d you grow up?

David Jacoby:
So I grew up actually on the west coast in Sweden. That’s where I grew up and I stayed there until I was nine. Then I moved to the east coast, a small town called Erla in Sweden. So I don’t say that I’m raised at the west coast. I’m raised in, that’s where I got my close friends, school, all that kind of stuff.

Nathan Sportsman:
And what about family? Do you have any brothers, sisters, or your only child?

David Jacoby:
No, I have a big brother. He’s three years older than me. He’s actually an IT as well, but not security or anything, but he’s a game developer and I live with my two parents, mom and dad and dad. Dad is a network technician. IT kind of guy. My mom just hates computers because me, my son and my dad, we just love computers. And it just took over, I guess in all the discussions at the dinner table and everything was just about games and things. But I didn’t actually like computers when I was a kid. I was not really a big computer guy until really, I was maybe 12, 13, but before I wanted to be a stuntman. When I grew up, I wanted to do for the movies, parkour and do stunts and that kind of stuff. So I was like, no, computers wasn’t really my thing, but I was still intrigued by my brother coding games when I was really young. So he saved up money to buy his own Omega 500 and he was coding on that Omega. I was intrigued about it, but it wasn’t something that I wanted to do. I was like, I wanted to hang out with my brother, so he wanted to do computer stuff. So that was our way to hang out was through the computer. And the same thing with my dad actually. So he was also more a techie than I was.

Nathan Sportsman:
And so those two being kind of a big influence and ultimately it was wanting to have a closer relationship that got you into computers or did you just start to fall in love with it as you saw your brother coding video games? What turned the corner between stuntman to, okay, I actually want to spend some more time on this.

David Jacoby:
It was actually BBS. So what happened was we always had access to a computer. The first thing that you have to do, you didn’t need to have access to the technology that you want to play with. So because of that, and my brother was really into this tech stuff, computer stuff. There was always a computer at home, so I had access to it, but I didn’t want to be a game developer and I wanted to do other stuff. And then my brother’s like, oh, you should check out this thing called BBSs. But there was one thing that also was really intriguing, that’s war dialing that was like, that opened up a completely new world as well. Suddenly you had all these BBSs, right? But you were very comfortable with the software on the other side, you’re like, okay, this is A BBS, I’m going to dial into this BBS, I’ll register, get a username password, I’ll log in. And you know how the menu system works and everything, but when you start to ward dial suddenly you just found systems that was not a BBS. It was something completely different.

Nathan Sportsman:
And so as you were finding these hacking text files, that sounds like they’re more US based, but you got exposed to BBSs through more cracking software from your brother and then you figure out what war dialing is. Does he know that you’re starting to move more in towards security and just doesn’t have as much of an interest? Or after piggybacking on understanding what a BBS was from him, you just kind of started doing your own thing. Was he involved at all as you started figuring other things out?

David Jacoby:
No, he was not involved at all. It was probably also because he was really, really good at, I mean, coding games. He still does it today. I mean, he’s been a software game developer for the past 30 plus years, and I think it was my way of trying to not gain respect, but to show something to my family like, oh, I’m good at these things. Some kids, they want to be good at playing soccer or riding your bike on the back wheel, whatever kind of thing. But since my family was very tech oriented and my dad and my brother, they were not impressed by me doing a back flip or something like that. They were more impressed, like, oh, look at, I shouldn’t say I hacked the system. Look what I’m doing with the computer. That was more how they put some value on your activities

Nathan Sportsman:
In the,

David Jacoby:
Did that make sense?

Nathan Sportsman:
Yeah, yeah, a hundred percent. In the Amigo 500, were you and your brother kind of fighting over time to use it or did you eventually have your own computer?

David Jacoby:
So I didn’t have my own computer until I was 15 that MI was his computer and then my dad had a PC in the living room and I was allowed to use that for one hour in the evenings if I’ve done my homework. So I had basically two identities at that time. I was this guy in school who was doing backflips and want to be a stuntman, and I was a super social guy hanging out with everybody, playing soccer, doing all these kind of normal stuff to say, go to the beach, hanging out with my friends. But when I come home, I had this hour where I became someone else, I became this other person who is this tech nerd who really loved playing around with technology, not really this social sporty guy at all. I was like, I’m part of that network, but only for one hour every day

Nathan Sportsman:
For that one hour. As you started to search these BBSs, starting to find stuff that you were interested in, started to learn about war dialing, can you talk to me a little bit about the sort Swedish hacking scene and is a lot of the stuff that’s talked about, it’s very US focused, but I’d love to hear about what are the origins of hacking freaking in Sweden? What got your inspiration as you found these T files and groups and things like that that you looked up to?

David Jacoby:
Yeah, so what actually happened was I didn’t even know that there was a community in Sweden that was, I knew BBSs and I was part of the discussion that was happening there, but at that point there was not for me living in a small town as well. I mean at that time, living in a small town dialing into A BBS that was located in Stockholm, the capital of Sweden, that’s a long distance phone call that would cost so much money. So I was not able to dial into the hardcore BSS probably where all these kind of underground hacking discussions were going on. So I was just based in my own little bubble and that was the information that I could have. So I actually didn’t know about the Swedish hacking scene at all, but I was intrigued by the text files from masses of Deception, leading of Doom Phone, looses of America, all these other groups I like. Okay, that is just so intriguing.

Nathan Sportsman:
And so while you get on the internet and dial up and interacting with these folks, are you not looking at BBSs anymore? I think at one point you ran your own BBS on a Commodore 64, and I think you’re deal running

David Jacoby:
A

Nathan Sportsman:
BBS on Commodore 64, but when was that?

David Jacoby:
So what happened is I ran my own BBS before getting access to the dial-up internet,
But we only had one phone line at home, so I couldn’t occupy the phone line for 24 hours a day. We only had one. So my BBS was just open between six o’clock and midnight basically. And it’s also in Sweden, you had two different rates on a phone call. There was a cheap rate after six o’clock in the evening before six o’clock, it was quite expensive, so everyone waited until six o’clock to start dialing. You don’t want to download a game at three o’clock in the afternoon. That’s just expensive. So my BBS was not running full time 24 7. It was just running a few hours every single evening.

Nathan Sportsman:
And so you did the BBSs for a bit, but then you got internet and then that’s when you really started to get exposed, not to just us hacking groups, but you started to learn about Swedish hacking groups as well.

David Jacoby:
Yeah, so on our CO, I mean suddenly randomly you had this individuals just joining some channel and you could see where they were coming from and it’s like, oh, that’s a Swedish guy because it’s just whatever. You can just see on the domain, on the top level domain that, okay, that’s a Swedish person. And there was a guy called Contagion, almost like Contagious, but contagion who joined these channels. And we started to talk like, oh, another Swedish guy, and we founded a channel called Swack. And Swack we wrote, we had our own magazine, and after we published the first version, then some more people would join, and then after the second magazine, even more people would join. And that was actually quite big channel with Swedish, Swedish people.

Nathan Sportsman:
How old are you at this point?

David Jacoby:
That’s a very good question. I’m probably 13, 14, something like that. 13, 14. Yeah.

Nathan Sportsman:
And these articles that you’re, what was the focus? So

David Jacoby:
It was like 50 50 of security stuff, but some article was like, oh, this is what Ward dialing is and this is how do you log into a Linux system? Very basic stuff. But then we also at that point, we also start to write reviews of things like we wrote reviews of caffeine during, so do you remember Jolt?

Nathan Sportsman:
Yeah, enjoyed Cola.

David Jacoby:
So that was the trigger. Then we had Jolt, but then we had other stuff as well. Okay. So suddenly we started to review those things, stuff that was somehow related to the computer hacking, nerdy stuff. Not everyone drank Jolt, but all the nerdy people did. So the first, they were super bad. They were really, really crappy magazines, but for us it was just sharing knowledge. We wanted to be the cool kids from America. We wanted to be like them. They were always a few years ahead of us. We tried to copy what they were doing, but on the Swedish scene, instead of writing a magazine in English, we wrote it in Swedish. We wanted to be the American hackers.

Nathan Sportsman:
At this point, as you start doing, you said it was Pound,

David Jacoby:
Swhack,

Nathan Sportsman:
Swack. Had you learned yet of Swedish Hackers Association or any of those triad or any of those groups?

David Jacoby:
It was probably around the same time. So Triad and Fairlight, those I knew, but that they were not really hackers cracking. They were like the software cracking guy. So I knew them from the BBS scene, like, okay, here’s a game that’s been cracked by a Fairlight or a triad or these groups. But with the Swedish Hackers Association, I was not introduced them to them until way later. I mean, until today, I actually don’t know the real identities of the people behind these people, but I think we overlapped a little bit. So they were the generation before me. I mean, according to me, there were some of the pioneers in the Swedish hacking scene, the hacking community. They did stuff when I was very young. I mean when they were active, I was probably 10, 11, 12, maybe around that time. So it wasn’t until later I knew that they existed. But they existed more on the BBS scene, not on the IRC stuff as far as I remember. They were a few years older than me.

Nathan Sportsman:
I think they had started, if I remember correctly, like 86, 87, but pretty prolific. And is it fair what LOD is to the US S Shah was kind of that to the Swedish scene?

David Jacoby:
Yeah, I would say so. I mean they, I have this view of the Swedish Hackers Association that they are this godlike creatures who just was these pioneers in the hacking community. They did the forbidden stuff on all these systems. I mean, it is weird to say that you idolize criminal activity, but at that point I did. I can’t lie about it. I actually did. I idolized what they did, not because of the legal aspect to it, but it was just a forbidden knowledge basically. You’re not supposed to be hacking into a system that you’re not supposed to, but at that time it was so innocent. It was really innocent. You’re just messing around with technology really. But if I understand correctly, they also went on some credit card hacking some stuff for credit card information, selling credit card information, and that I don’t agree with at all. For me, it’s this other thing about this forbidden knowledge to be able to control, to have the power of technology, to be able to switch or flip that bit that changes everything from this one to this zero. And then suddenly you have something else going on. For me that was, and they did that

Nathan Sportsman:
Really. And so these protocols, and whether it was a group or a collective, but you have Pound SWE hack, did you and the members of SWE Hack, did you consider yourselves a group or was it more just people just kind of coming together to put out these files? Was it loose knit? Was there, you had to be invited to it? How did that work?

David Jacoby:
So since Pound SWE Hack, that was an open channel. Everyone could join a channel. There were still some core members, and this is where it becomes really complicated. I think this is something that works for most of the RRC channels and IRC groups to say it’s like it’s not organized as a group, but there is a group, it’s just invisible. There’s a core group of people who, there’s this hierarchy of people and there’s no, you can’t apply to become a member. You just become a member. So pound swhack, there was this group of people who did things together. We talked on the phone, we met in real life, but it was not a group, not at all. And then we did the magazines, the Swac magazines, and that was organized as a group, but still taking in submissions from whoever. But it was still this core, core group of people.
And when we were running, so we were running this on a network called D Net, right? So Sweet Hack was on dnet. Then we found out, oh, there’s something called Pound Hack esi, that’s like, who are these people? We thought we were the only Swedish hacking channel out there. No, but there’s something else like Pound hacky. And that intrigued me. I want to get to know these guys. So I found them on F net, so not down. I found ’em on F Net. I was like, okay. And Pound Hacky actually originated from IR cnet. So there was actually two versions of hacked at E. It was the IR cnet, which was a closed invite only channel. And then you had Pound hacked thatI on F net, which was also open, almost like pound. We hack, and again, you have to prove yourself. You have to become one of these core members of Pound hacked at se.

Nathan Sportsman:
From the research I was able to do, is this accurate? Some of those hardcore people included, either one or both of the co-founders of Pirate Bay were in this pound hack se,

David Jacoby:
Correct? That was correct. Both of them. So Pirate Bay was basically founded by three people. You have Godfried who goes by the nickname akata. You have Fredrik who goes by the nickname tmo, and then you have Peter who goes by the nickname, bro or bro PI don’t know how to pronounce it. And Akata and tmo. So got and Frederick, they were part of this inner circle of hack. I

Nathan Sportsman:
See. I remember Pirate Bay growing up, but if someone’s watching, say they’re in their twenties, what was Pirate Bay? Why is it a big deal? What happened to it?

David Jacoby:
I’m not the right person to comment on what Pirate Bay is, but since I have a little bit knowledge about the history, I mean from my point of view, the PAR is a technological masterpiece. That’s the first thing. I don’t care about the politics, I don’t care about the agenda that they had when they founded pei. But from a technology point of view, to be able to develop your own torn tracker with everything that’s required from a system administrative point of view, from configuration point of view, from a coding point of view, to have the system of handling torrents and these peer-to-peer networks at that time was the masterpiece. Then for me, I don’t care about the politics behind it, about information should be free for everybody, all that I don’t care about at all. But when they started to talk about the Paris being that they were developing this and creating this, and I mean, we saw how it developed from this little seed into something really big.

Nathan Sportsman:
And when you say a technical masterpiece, if I understand. So these torrents, it was basically a distributed system where you would download pieces of the various whatever it was you were downloading from these various things, and it would pull it all back together through these torrents Torrance. And so they were doing that while they were also members of Hack sc. Both of those things were going on.

David Jacoby:
Yeah, so hacked sc, I mean, as I said before, it is a group, but it’s still not a group. It is not like you get a membership and you join a club. It’s this really close inner circle of people who are in one way or another, really interested in computer security, exploit development, writing tools, system administration, like alternative operating systems, like different kind of BSD or Solaris Irx machines. It’s just a bunch of people with different interests. But the common thing is computer security

Nathan Sportsman:
And was it focused? So it’s sort of a collective, the commonality is computer security, but was there first principles or anything of what we’re focused on is research specifically vulnerability and exploit dev, specifically Unix? Was there any sort of, or it could just be anything that,

David Jacoby:
It could be anything, but I think what most people looked into was some kind of Unix-based operating system and finding vulnerabilities in those systems. A lot of remote code exports were found, and what happened was, so Hack had this inner circle of people, and we had our own at that time, it was a subversion server, like GitHub, basically our own repository where not everyone had access to that. That was an invite only thing. And very few people had access to that. It became this almost like a secret society. Like, okay, we have this thing, we have this repository of code with zero day stuff, and suddenly like, oh, but there’s other groups out there as well that has a similar approach. Suddenly we start to see groups like THC, the Hackers Choice, TSO, vu, A-D-M-E-L-A, all these other groups and Electronic Souls, synergy, all these other groups had a similar approach.
You had individuals that was writing code, but we didn’t have access to that code. We had access to this code. Why don’t I give you one of my codes? If you give me one of your codes, and suddenly you started to trade, there’s this underground economy where it wasn’t about money, it was about knowledge. So I can trade knowledge with you guys, or you would publish one of your exploits or one of your tools and you’ll put it under your nickname, and suddenly you gain a lot of trust with all these other people that you’ve never met before. Just random people on their own version of hacked, I say their own community, their own IRC channel, and suddenly you start to know each other. And I mean all these things, it became kind of like a family, really like a family. I mean, some of the things we talked about in hacked at SE as well, I mean everything from losing your virginity to getting fired, to getting your first job, to have fighting with your parents or very, very, very personal things.
So it was not just about technology. It was about almost like in Swedish, you say bta, I don’t know the English word for it. When you go to church and you confess, it was like almost a place where inside this trusted inner circle, you could confess anything and no one would judge you. No one would care which skin color you are, how tall you are, if you have muscles, if you’re fat, if you’re skinny, if you’re good at sports, no one cared because you were that individual with that nickname and you were part of this thing. You were just accepted by your knowledge about who you are. And that’s the only thing that matters. If you want to join a soccer club, you have to be good at soccer. If you have to be approved, and even if you’re good at soccer, it’s not good enough. You still have to be maybe one of the cool kids or whatever. That didn’t really apply

Nathan Sportsman:
There. When did this group form, is it still kind of around today? And if it’s not just given some of the stuff you just mentioned, do you still keep up with these people? Are you still close with them? Or what’s the timeline of Hack se?

David Jacoby:
I would say we’re extremely close,

Nathan Sportsman:
Even to this day,

David Jacoby:
Even to, yes, absolutely. The channel is not open anymore. The channel does exist. So pound Hack that SE does exist is protected by a key. It might only, you will never be allowed in. It’s this just our internal club. But I mean, some of these individuals will be my, they will come to my wedding. This is the closest friends I’ll have in life hacked that Essie really shaped me. I mean, it’s such a big part of who I am today. And not just hack that, but also these other groups that became friends of Hack. I mean, some of these individuals, and I mean, I can go to whatever country in the world and I can ping one of these people, one of these persons and say, Hey, I’m in town. Do you want to hang out? Or I need a couch to stay at, or I need to, don’t ask any questions. I need a thousand dollars for whatever reason.

Nathan Sportsman:
And how long ago did it start? Is this early nineties, mid nineties? The Hack

David Jacoby:
Hack? So there was two versions of it. So I was mostly part of this F net hack, not the RRC network, because the one on RRC net was basically people who not only, but they studied at a certain university in Sweden. So there was a big majority of people who came from that university that met at that, almost like the Swedish Hackers Association. They met at that university and hacked as he was probably the local computer club. But then, I don’t want to say the real hack that I see, but the other one that I’m talking about, it’s like, that’s something else. And that’s probably 92, 94, maybe around that, around that time some.

Nathan Sportsman:
So then we’re talking about relationships you’ve had for 30 years?

David Jacoby:
Yes, absolutely. And I talked to them. One of the guys I talked to just a few days ago, and these are some of the closest friends that I have. It is weird to say that you can be so close with someone that you’ve never met in person. It’s just a name on a screen. Of course we met, most of us have met in real life

Nathan Sportsman:
At this point with this group and all the stuff that was going on. What were some around that time period? Were there any sort of big hacks in Sweden? Just any cool stories from any of these groups that were up to all of this various stuff?

David Jacoby:
So Sweden is quite small country, but still, I mean, we had the exploit developers and all that stuff, but some of the hacks, I mean, there was of course some very well-known, some of the major websites, news outlets, telcos, they got their websites defaced, and that was the thing, changing the name to something funny. So we have this telco in Sweden, which is called Elia

Nathan Sportsman:
Te

David Jacoby:
Lia, and they got their name, they got their website and their name was changed to failure. And Failure is a funny version of failure basically. So FEL is when something is wrong, it’s fail. So they took the name Elia and switched one letter and it becomes failure, like failure basically. But that was the website, the basement. But then there was actually something else happening as well, and that was, we had toll free numbers in Sweden as well. So this is back at the time when we had dial up modems still access to the internet. So you could either have your own internet connection and pay the bill yourself based on how many minutes you spent online. But then they started this service, which was like a toll free number, a zero to zero number. You’ll dial in there and you would get billed based on your username that was used to log to those to get connected to the internet and tell I got hacked by a pop vulnerability. And

Nathan Sportsman:
I remember Q Pop,

David Jacoby:
You remember?

Nathan Sportsman:
Yeah.

David Jacoby:
So there’s this pop three email service, right? So I was running a software called Q Pop, Qualcomm pop, wasn’t it? Something like that? Qual. Gosh, what was the Q?

Nathan Sportsman:
I don’t remember, but I do remember the exploit was fairly reliable, but yeah, I don’t remember what the Q stood for.

David Jacoby:
Okay, so tell got hacked several times, not just this failure times. Several times when they hacked tell through this Q pop vulnerability and extracted the password file basically containing these usernames that was needed to dial into these toll free numbers and ran them through a password crack or like John the Ripper, whatever. So those names was something that was published on underground forums and websites. There was a magazine called FNA, like the Flashback News Agency, and they had a section with available usernames and passwords that people leaked somehow, but suddenly basically all accounts got hacked at once, and now you have this massive list of hacked accounts, and those accounts were blocked, but around the same time, there’s this code, the circling in the underground community where someone cracked the algorithm to create these usernames and passwords basically because apparently there’s a fault in the encryption in the algorithm, not even encryption in the algorithm on how to generate these usernames and passwords. So you remember back in the day, you could generate credit card numbers. There was like an algorithm to generate. Here was an algorithm to create those usernames and passwords basically. So you didn’t need to trade anything. You could just use this generator and generate a password for a use stream.

Nathan Sportsman:
How long did it take for them to figure that out and change things? Are we talking about days, months, years? How long could people actually use that before they figured out the loophole and shut it down?

David Jacoby:
Now, this is a very long time ago, but as far as I remember, it actually took quite some time, not like several years, but at least a few months because of course this was circulating in the underground community, the hacking community, before it became public. So I think someone at the fraud division at Teya had a very, very tough couple of months figuring how this is even possible before they actually found out that this was happening. And

Nathan Sportsman:
So when someone had an oh two oh number and they had a username and password that they could use, whether it was in that breach list or generated on their own, what do you do with that? Do you call that number and then from there you can make calls outbound or how does that

David Jacoby:
No, it was to getting online on the internet

Nathan Sportsman:
To get online and the internet. Okay. You basically had free

David Jacoby:
Internet. Yeah, just to get online. So you would dial into this modem pool and get access to the internet. So it wasn’t like a PBX that you use for phone calls or anything like that? It was to get online to the internet.

Nathan Sportsman:
That’s awesome. So you mentioned Shaw, these folks, a lot of people looked up to the origins of hacking in Sweden, and I think there was a BBS previously that might even predate them. I’m not going to even try the name

David Jacoby:
Monotone.

Nathan Sportsman:
And so that was one of the first BBSs that had, from what I’ve researched, had these hacking and freaking files along with anarchy files. But then along comes this group, and like you said, you and a lot of other folks, once you became aware of ’em, you looked up to ’em, the technical capabilities that they had. I did a little bit of research on ’em, and I think it was like Frack 48. It was Linus article, king Fisher, and he talked about some of the more epic stuff that they did, one of which was like a NIS bug, that they were able to get to 600,000 passwords, hundreds and hundreds of systems. And so ultimately they get busted for computer intrusions and I think for credit card fraud. But then there’s a protest later where the CIA’s website gets hacked based on them getting busted. I don’t quite understand the association. And so Shaw gets busted. Several of the members get busted, the ccia, a website gets hacked. And I think it said something like Central Stupidity Agency or something like that. And then it had various things that they had talked about. What is the relationship between CIA and Shaw members getting busted? Is there a tie in?

David Jacoby:
I understand the question. Like Swedish hacker groups get busted, the American Central Intelligence agencies websites get hacked.
What’s the relationship? So think about, I mean the Swedish Hackers Association, I mean they were active before me, this BBS, the T, the monotone, wasn’t it active in 1986 or something? I was five years old. I was just a kid. But people looked up to them. They were like the original hack hackers from Sweden. I don’t know if there was actually hackers before them. As far as I know, that was the first one that was basically, if you look at homo sapiens, that was the first people on earth. That was the first hackers out there. So we looked up to them, and actually until today’s date, it’s not known who these individuals were. They’re just nicknames floating around. It is not common knowledge about their real identities. But the CIA website got hacked and by a group called Power Through Resistance, PTR, and they had one other phrase, like a quote on the website, which is, or something, I don’t dunno his last name, but I think that was one of the people from either the Swedish police or from, oh, what’s the English word for it? From what’s the name of some in court? You have the judge, you have all these

Nathan Sportsman:
Jury prosecutor.

David Jacoby:
Yeah, I think it was the prosecutor that apparently told lies in court about the Swedish Hackers Association and this group Power through Resistance. They hacked the CI website to basically take a stand and say, stop lying. It’s big. It got a lot of media attention probably in the US but also in Sweden because it was like suddenly you have this Swedish hackers hacking, probably one of the biggest websites that you want to hack, like the CIA website is top one of the targets that you want to deface in the world. And suddenly you have a Swedish group doing that. Not a Danish one, not a German one, not a French one, not an American, a Swedish team, which was big news in Sweden. So it was like the first hacktivist, I don’t know what to say, but doing this to take a stand and put Sweden on the hacker map, I guess.

Nathan Sportsman:
So it wasn’t necessarily that there was some sort of tie in between CIA and this prosecutor, but it was a way to, by hacking that website to raise awareness that this prosecutor was putting information or claims that weren’t true. And it was a way to protest that.

David Jacoby:
Yeah, it feels a little bit strange to tell this story since I was not involved, but it is such an important thing in the Swedish history of hacking and the hacking community. But yeah, I don’t know who did it. I don’t know who they were. I don’t really know. I don’t know how they did it, but it is part of the Swedish hacking history because suddenly Swedish hackers are known worldwide. And after that, just more hacker groups popped up and it just became a different community. And I also hope that, I mean whoever’s listen, I hope I’m telling this story super accurate as well, but this is, as far as I know, it’s a big deal, this hack, right?

Nathan Sportsman:
And for the avoidance of doubt, you weren’t there, it’s just it is fairly an epic event hacking the CIA and just trying to make sure that we’re encompassing the history of the Swedish hacking scene. So hack se, you’re keeping up with those people. You’re still keeping up to those people today off camera. I asked when was the last time we talked to ’em? Said literally talked to ’em every day, which is amazing.
There’s a new group that you start to get involved with Synergy, I believe. And so is there kind of overlap between this pound Hack SE channel and then this new group forming, I think in, was it 98? I’d have to go back and look at the notes, but what was the inspiration behind this new group and what was it that this new group was up to that Hack SE wasn’t doing? I’ve started to learn through all this research is a lot of people were moving around between various groups, oftentimes in two or three different groups at once. But how did Synergy come about?

David Jacoby:
Remember what I said before about when I first got online, I went to IRC and I found all these hacking channels, pound hack, pound security, pound hacking, and so on. That’s where I became friends with people from all over the world, not just related to the Swedish hacking scene, but other people. And at the same time as we were chatting in hacked about Swedish stuff and Swedish things, I was still connected with these friends from before Hacked actually, and specifically a guy from the Netherlands. We talked in pound security. And one day he was like told me, join this channel and said, pound synergy and pound synergy. There was just a few people, it was me, script, vak, deathly, fish sticks, and some other people, some people I knew before, some people I did not know before. It was maybe his local friends from his version of hack that is, if that makes sense.
So he was also connected to other people and suddenly some people over here and some people over here just joined forces and became this group where we wrote articles, wrote tools, and wrote exploits. So Synergy was a very loose group of people. We were not really as personal with each other as, for example, hack that I see, but we still hang out every single day. Talked about different kind of research that was maybe more like a group who were focused on the coding and research. So I shouldn’t say academic because it wasn’t academic at all, but more like from a knowledge point of view, it attracted some extremely intelligent and smart people who wrote some really advanced stuff, was really pioneer when it comes to exploit development. And that was something that I was really intrigued about. Okay, how do you find vulnerabilities? How do, what’s the process like?
Okay, what kind of ways can you ride a buffer overflow vulnerability or heap overflow or Forster attack? And synergy was not this, if I say cocky hacking group, I don’t know if you mean we were not a hacking group. We was not a hacking crew at all. It was more like adults doing, we were not adults, but it was more serious than most of the other channels and other communities I was involved in. It was a bit serious. Okay, in this channel you talk about that thing only you talk about research, you talk about coding, you share code with each other. And we didn’t have our own GitHub or repository or subversion or whatever. We published everything online at that point. We just shared everything to the public. That was the idea with the synergy was to share knowledge, to write documents, write articles about our own research. It was not a group that was organized, but everyone just knew like, okay, I can do stuff together with other people. I can ask for help. It was a very intimate group of people that was just doing computer security stuff.

Nathan Sportsman:
And how many people roughly, and it sounds like more of a collective group, but how many people were roughly in it? Was it mostly folks from Sweden and Denmark? Were there people from the US or UK or

David Jacoby:
So it was mostly people from Europe. I would say most of the people were European. There was one guy, I think it was from Australia, but most of the people were in Europe, and that’s because of the time zone as well. So when we were active talking, it was during the same time zone. So the founders is from the Netherlands. A few other members were also from the Netherlands. I think there was mostly people from the Netherlands. And then we other people just joined from the size, but 10 people, maybe around 10 individuals.

Nathan Sportsman:
And at this time, hack SE is still active though, right?

David Jacoby:
Correct.

Nathan Sportsman:
So how do you decide where you want to publish your research? This will go to Synergy versus this will be under the Hack SE banner.

David Jacoby:
So sometimes if you look at my code and you find it, it says, my nickname from Synergy and Hack that I see and whatever groups, it’s not like I didn’t decide it’s either this or that. It could be both, but to separate it, somehow the stuff that was done in Hacked SE stayed there. But the stuff that was done through Synergy was everywhere.

Nathan Sportsman:
So how long did you do Synergy? How long was that group around

David Jacoby:
Until it was around for several years. Then I think what happened with Synergy, and it is the same thing that happened to a lot of other groups. We grew up, we become older, we get careers, we get jobs, we get families, we get kids, we get all these other things that is happening in life. And an RC starts fading away as well, like RC, it had its prime time, it had its peak. That was the platform to communicate. And then suddenly MySpace and Facebook and all these other things pops up and you start use that instead of IRC. And as soon as people start getting real careers, they’re spending less time on IRC. And I think that’s what happened with synergies. People just spend less time there. Eventually the channel was empty. People did not log in, people did not join the channels anymore. So it was around that time where IRC disappeared. And I think that happened with all the other groups that from all the other individuals that you’ll interview, same stuff. It’s like it just had its prime time where everyone who was in the hacking or underground or that type of scene, they were on IRC in some channel in someplace. Right.

Nathan Sportsman:
Is IRC around at all now or is everyone pretty much either on Slack or signal groups or stuff like that? Is IRC even a thing? Does anyone hang out there anymore?

David Jacoby:
So Hack

Nathan Sportsman:
Still

David Jacoby:
There is actually on RC, we try to have signal groups and WhatsApp groups and LinkedIn and Facebook, but it’s IRC
Still IRC, but it is not, I mean, the people who are there is, I mean percentage wise is very few people. It’s really, really, really the core. We will not let anyone in the channel. It is us. It’s been that for the past 5, 6, 7, 8, 9 years or whatever. We don’t want to have anyone else there. No, it’s our channel, but it’s not as active. But the channel exists. There’s people there. People are talking every single day. But what happened is I think other groups merged. There’s now Signal groups and WhatsApp groups and Discord channels and Slack stuff where these individuals from the same basically time era are sitting together. So the groups don’t exist anymore. But now the individuals still have contact. I still have contact with many of the people that was part of other hacking groups and other communities out there. We still have contact today to this day. I mean, that’s 30 plus years. It’s pretty insane.

Nathan Sportsman:
And the Synergy website, that’s still live too, right?

David Jacoby:
No, sir. We lost the Synergy domain.

Nathan Sportsman:
You did?

David Jacoby:
A long time ago. We lost it, but now I was able to actually buy it, so now I bought it, and now I just put up a placeholder. Basically just this page where we have our nicknames, we have some history, and that’s it. So Synergy as a group doesn’t exist anymore. I do have contact with some of the people from Synergy, like the founder. I still have contact with him. I see him, I wouldn’t say once a year, not even once every third, fourth year, I try to reach out to him and visit him where he lives, just to have a coffee and see that he’s doing good. Again, we don’t have to have daily contact. I just want to make sure that he’s doing good, that everyone’s doing fine.

Nathan Sportsman:
And I mean, what I’ve seen with True Friendships, lifelong friendships, you can not see each other even for a year, but as soon as you reconnect, you almost fall right back, right back into it. And it seems like that’s what a lot of you had to those groups back then. I visited the Synergy website. I did the LS to see the member list and all that sort of stuff. And so then how did it go from that to legions of underground?

David Jacoby:
So one of the founders of Legions of Underground Digital Ebola, he was also connected to some of the IRC channels that I joined when I first found IRC when I first found this hacking community stuff. And he was part of another IRC network was under net, so he was there. So now I have some friends on Down Net, some friends on F Net, some friends on IC Net and some friends on Net. And he was very active there. There was this massive Channel Pound hack freak, mostly American people I would guess. But I known him since the LL Net times. And he then founded this Legion of the Underground group where they basically released a lot of e-science and text files these magazines and just asked, do you want to write something for the magazine? And became part of that. And those individuals were then everything weaves together at the end. There’s some individuals that knows the same people. It’s like, I think in real life there’s this saying, right? There’s everyone just like Four steps away or something like that, right? It’s the same thing with the Hacking community. It all weaves together. Some of these individuals, they know each other and you’re part of the same network, the same group, the same friends does. You live in the same city, whatever, right?

Nathan Sportsman:
Have you ever heard the American term Seven Degrees from Kevin Bacon?

David Jacoby:
No.

Nathan Sportsman:
Is the same concept that basically that you’re seven degrees separated from anyone,

David Jacoby:
All

Nathan Sportsman:
You have to go through is seven people and you’ll actually know Kevin Bacon. Is that

David Jacoby:
A thing? Has anyone else ever heard that?

Nathan Sportsman:
Okay.

David Jacoby:
Yeah. But it is kind of similar because you know this guy and that guy knows this one and so on. And the hacking community was quite small at that time. But so Legion of the Underground was this mostly American group. There was a few individuals in the Channel Pound allegiance that was not US based, but most of the people were US based,

Nathan Sportsman:
Was Digital Ebola, was he US or somewhere else?

David Jacoby:
He was us.
He was in the US and they did things as a group. So when I say they, it’s again, they formed, they actually did some defacements, they did some proper hack and people, individuals actually got arrested that was associated with that group. So that was my closest experience to the Black Hat community as that you were asking about before individuals who was actually doing hacks, getting busted for it and so on. That was the closest thing that I had that was not really hacked, that it wasn’t absolutely not the Synergy people, but the ANCE people, they hacked stuff to face stuff and did that kind of stuff. They were active and it was again, this intriguing, this thing that was, it was illegal. It was on the edge of is it okay, is it not okay? And I think some individuals in Lead Underground, they were also part of the Hacktivist history. They took a stand against China and did some defacements, some hacks related to that. And that was very, very early when it comes to activity and hacktivists and stuff like that. So that’s I think where Legions actually obtained a good, I shouldn’t say good, a status in the community. Suddenly people knew who these individuals were and what they were doing. But that was again, those individuals, not the entire group per se or So

Nathan Sportsman:
I read a little bit about the activism. I think they took a stance against China, against Iraq. They were basically looking for where there were human rights violations and sort of as a protest against that. And I had also read about this Hong Kong blondes group that was actually helping to pull Chinese dissidents out of China to get ’em out of the country. And apparently they were trained by CDC, read Space RO and a couple other articles on it. But they had taken a stance where I guess they were doing denial of service targets on China and Iraq and stuff like that. Is there anything you want to talk about there in terms of public information, things the group was notable for or just anything that you’re comfortable talking about?

David Jacoby:
No, not really. But

Nathan Sportsman:
That said,

David Jacoby:
What I think is really interesting to mention is also what’s happening in the world around this time. Because I mean, this is a timeline of events that’s happening and around that time when those type of hacktivism was blooming, and it wasn’t just Legion of the Underground, also other groups, and there were some projects, maybe you’ve heard about this, like eap, ethical Hackers Against Pedophilia.

Nathan Sportsman:
I have not,

David Jacoby:
For example. That’s another of those hacktivists projects that was created around the same time where combining computer security, hacking culture with some political agenda or doesn’t have to be political. It could also be from a social aspect as well. Okay. We do not like pedophiles.

Nathan Sportsman:
So was it where they were targeting online predators and going after them or was it just making that issue available and raising awareness? What was the

David Jacoby:
Well, as far as I remember, it was about using technology to find pedophiles basically. So I don’t think they were exposing individuals and stuff like that, but I was not part of the project. I just know from what was happening around that time. There was a lot of hackers that became older and the entire digital landscape was changing, was modifying. You started to have individuals taking a stand on politics or from a social point of view what they think, what they prioritize in life and so on. So you also had, and you probably maybe you’ll interview people from the Antis SEC movement from Project Mayhem. Suddenly you had hackers with opinions hackers that wasn’t really just focusing on writing cool code and finding cool vulnerabilities, but hackers with opinions. And this was around the same time where ions of the underground did this hacktivist stuff, and I guess the same thing with the loft guys doing their thing. So suddenly you have a bunch of hackers doing things for different reasons than not just technology from forming groups because of different political opinions and social opinions.

Nathan Sportsman:
So whether it was legions of underground or this project around pedophilia and stuff like that, or mill worm, it seems like there was sort of this activist trend that was starting in folks. We actually could be deep facing a website. It could be something else, but it’s ultimately to raise awareness around an issue as society evolves. Is that fair?

David Jacoby:
That’s absolutely fair. And we have to think about what we’re talking about here is at a timeframe of let’s say 30 years, think about what happened in those 30 years in society. I mean, we had collapses of economy. We had a big political things happening. We as humans has changed on how we live our lives through technology. A lot of things happened during those third years. And the same thing kind of applies to the hacking community as well. Whatever’s happening in society gets reflected to the community. Individuals with opinions, with history, with religious beliefs, with, they’re based on different parts of the world. Whatever’s happening in Sweden might not happen in the US and so on. So of course what’s happening in the real world is reflecting back to the hacking community

Nathan Sportsman:
And tying it in with society and then LLU. So was it a subset of LLU that was looking at these various activism things? We can think about that as a microcosm of society versus the entire group or when the group was formed. Was it with this mandate or did some people within that group choose that as their own sort of mandate?

David Jacoby:
I think most of the hacking groups don’t have that mandate as you’re talking about. I think it starts out with A IRC channel, pound legions, and pound legions. A lot of people can just be there, can just hang around. Then you have the people contributing to the magazines, people’s actually writing code, writing articles, sharing knowledge and so on. Then you have the other two subsets, which is the people defacing and say, Hey, I’m this individual. I represent legions of the underground. That’s far from everyone else. That’s part of the IRC channel or writing the document. Then you have the fourth subset. It’s like the people who actually says, well, we are going to do this because they might have in this channel, they might find X amount of other individuals with the same belief, with the same agenda, and then they do whatever they want to do. In this case, they did this activist thing that was not mandated by anyone or approved by anyone. It was like, there’s not a CEO of these hacker groups. It’s just people do that. But then the problem is if not everyone can be behind that message, that’s probably where groups start splitting and becoming maybe two separate groups and so on.

Nathan Sportsman:
And then to that point, as best I could research, I think LOU is from 98, 99 to 2005. So pretty good long run. Was it more, did the end ultimately happen? It was a divergence of where people fell on those sort of things. Did people get busted? What ultimately caused the group to disband or go away? How did that go down?

David Jacoby:
I think a bust won’t kill group in that unless it’s a very small group of people where everyone gets busted, then of course the group doesn’t exist. But if a certain individual in a group gets busted, then that doesn’t affect the group. I would say I think what killed most of the hacking groups, I’m talking about all the hacking groups, is we become adults. We find we enjoy different things in life. We get girlfriends and boyfriends and wives and husbands and children and couriers, and the life that you lived is fading away. And I think you might hear the same story from your other interviews with people. It’s like now when you’re at another time, another place in life, you start getting that feeling back. That’s nossal feeling about, okay, I used to be this individual. I lost that part of my life, but now I want to have that back as deep inside.
You’ll always be a hacker. It’s part of your DNA. It’s like that is who you are. You are that hacker person. You just had a break building a family, getting career, doing whatever you were doing. But deep inside you are that person. And I think what you are doing as well, by interviewing all these individuals is actually much more valuable than on this. You’re preserving knowledge and history and maybe even awakening some things that’s been hidden in a lot of people for the good. I mean, they are hackers. They just lost it. They want to probably get back to hacking. And hacking has such a negative word, meaning I’m not talking about defacing websites or dropping car generators or selling credit card. I’m talking about getting back to the community, finding those old friends, talking about things that you really have a passion about, sharing knowledge with each other. Same thing as we did back on RC. Now it’s just maybe on whatever kind of slack channel or signal or whatever it is. So what you’re doing is not just preserving history, but also binding people together, finding old friends, finding that passion in life. So thank you for that.

Nathan Sportsman:
Thank you for being here. I mean, the two really cool things I get to do is, one is I get to sit down and talk to someone like you. And then two, to your point about rekindling community, I don’t have anything to add to the conversation. I wasn’t there. But whether it’s the individual that we had dinner with last night, or I’ll see three individuals that have not physically been in the same room for 20 years and just watching them kind of go back to that state, that era where it brings back joy to them and memories and it’s just really cool to watch and help reestablish those connections. So yeah, thank you for being here. And it is really cool to see

David Jacoby:
Because the hacking community is so unique in that sense. And I think I mentioned it before, can basically jump on a plane. I can go to basically any place in the world and you just can associate just relate to another individual even if you’ve never ever met before because you have this bond that very few people have. I do not think this will happen with people playing Fortnite and Roblox and doing all this kind of stuff today. It just will not happen. And I don’t think it will ever happen again. To be honest, I think what we had during those 20 whatever years was extremely unique and that will follow us until we die.

Nathan Sportsman:
Now

David Jacoby:
I’m actually very emotional, but it is really something that defines who you are. You are a hacker and you can relate to other hackers in a way that people will never, ever understand. It’s very, very special. And I think many of us maybe also had a problem growing up, finding friends, being socially accepted. We’re a bit of a weirdos, every one of us in one way or another because what we’ve had at that time was very unique in the sense that it was not public knowledge. There was no security industry. The security industry did not even exist. People told me so many times, why don’t you get a real job? Don’t play with that computer. Go out, become a doctor, go do whatever. Do not play around with the computer now it’s completely different. So what we had with the acceptance of whoever you are, as I said before, I don’t care about your religion, about your skin color, about your sexuality. I do not care if you’re good at coding. If you’re a nice person, I don’t even care if you’re a nice person, IRC, I can just disconnect you whenever I want. I can just leave you. But it’s your knowledge that that is really attractive. The rest, I don’t care.

Nathan Sportsman:
Yes. And as an outsider looking in, when I studying this era, I don’t know what the right word is, but golden age renaissance, that was a very special moment in time that you had that we hadn’t seen before. And I don’t think we’re going to see again in cybersecurity. And I think that special time where it was the connection between technology being introduced to society, the notion of security being formed, I think it’s part of the reason why all of you have such strong bonds together. Because being sort of pioneers on that curve, finding a sense community, something that y’all enjoyed and appreciated together, it’s just very special. And the kind of friendships that you all, I don’t think I know anyone outside of my family. There’s no one I’ve known for 30 years. That’s a little bit unusual what you have. And so it is very special. And I really do appreciate you guys sharing these stories. We were the viewers get to experience that through your interviews.

David Jacoby:
And also, I mean we’re not driven by money maybe now, but I’m about at that time there was no thought that you would capitalize on this in any way. It was a true passion. It was like, we do this for fun. There was today most of us make good money. We have good jobs, we have good lives. But at that time, that was not the case. That was not the thing. The thing was something else. It was exploration. Yeah, it was something else.

Nathan Sportsman:
Yeah. 2014, I don’t even know. I can’t remember if an IOT was a name yet, but you were seeing something early on in the risk to it. If I pulled up my home network, there’s probably a hundred devices that are connected in this house. It’s everywhere now. Cards are connected and all that sort of stuff. And so similar to what we talked about with not activism or activism, but just raising awareness of things that are important to me. I watched the entire video and it looks like someone that’s raising awareness of the risks, the privacy concerns, all this sort of stuff. Coming back to what you had mentioned before, when you do a project like that, do you give yourself downtime after that to kind of reset? Or is the horror films that downtime so that you’re not going from Yes to yes to yes to yes. Because I mean from this project, there’s like 10 projects that we’re about to talk about that you’ve done. Do you ever give yourself a break at all just to recharge the batteries for a minute?

David Jacoby:
I’ve been waiting for that break to happen. I don’t know what I’m waiting for, but I’m still waiting. So until this day, I’m still waiting to be able to say, okay, I’m done. Now I can take a break and relax. So to answer your question, no, I don’t give myself downtime. You mentioned it yesterday when we were at the barbecue place and I feel exactly the same, and I see myself almost like a musician. You go in your studio, you write the songs, you do an album. Are you done after you’ve done the album or what do you do as soon as you create the album? What do you do as a musician?

Nathan Sportsman:
Go on tour.

David Jacoby:
You go on tour. Exactly. That’s what I do. I go on tour. I’ve created this thing which raises awareness. There’s not a single person that will read my blog post or whatever. That’s only for the technical audience. So if I should really make awareness, if I should really be out there and try to inform people about something, I cannot just write a blog post about it. I have to go out there. And I’m a quite introvert person really, but I still do this. I don’t know, as you said, maybe, I dunno why you’re doing it, but I go on tour basically that’s what I do. I submit my research to a lot of black hat or InfoSec or different kind of hacking security conferences. And recently, since the security industry has changed a lot, it’s not just a security audience as well, it’s everyone recently that security is not just for the technical audience any longer. It’s for everybody. But yeah, so I go on tour and then when I come back home, I do another research and then I go on tour and then I do another research project, and then I just like this endless loop like this.

Nathan Sportsman:
Yes. And I’m an introvert too. I have anxiety the entire week leading up to this interview where I just get anxious and more and more anxious. And whether I was at school or whatever, same thing if I had to give a presentation in front of people, and then even after this, as much as I love the conversation, I always have to have downtime afterwards and I don’t, yeah, I’m not sure why we put ourselves through this sort of stuff. So you do that project, you do that analysis, then you go on tour and Yeah, you were at, I can’t remember, it’s called Blue Con, but there was a bunch of conferences where you spoke at that they had the video that I watched.

David Jacoby:
Blue Code in Tokyo.

Nathan Sportsman:
Yes, yes. And so that’s going on. And then probably even while you’re doing that, other things come up that you feel like you just have to say yes to.

David Jacoby:
We experienced one of the worst hacks in Swedish history is a supply chain attack where a company called Kaseya gets hacked and they deliver a service for POS devices. So we have, and those affect a specific retailer called coop or co-op or coop. And it’s so bad that they physically have to close down these shops. So you cannot buy milk, cannot buy groceries because cannot pay. They cannot receive any payments because the POS devices are completely out. They’re basically blocked because of this hack. And that was a supply, it was maybe not intended to happen, but it was just like so ransomware attack against this company that then the code spread to a third company and then eventually it spread down to these POS devices. And I mean, imagine that you’re running a grocery shop and you have milk, you have eggs, you have all these things, all the dairy, all this stuff that you cannot sell.
Do you know how much money you lose that? And that’s again, part of critical infrastructure that is part of hacking a country. It’s not just about power plants and windmills and electricity. It’s also about if you cannot fill gas in your car, if you cannot buy groceries in the store, if you cannot receive medicine because logistics is not working, you cannot pay payment. And that really made Sweden as a country to rethink what critical infrastructure is as well. So now I think with new legislation, even more things are covered as critical infrastructure. It’s not just power or gas, electricity or whatever. It’s also these other type of things

Nathan Sportsman:
And sort of why you got involved in this. Stop a thief,

David Jacoby:
Swish ish thing to say. So stop is a really cool project about awareness. So it is actually the third episode, if I’m not mistaken, that I was part of, there was two other episodes of this TV show where they tried to stop the thief from breaking into your house. So it was initiated by something called the stu, which is the anti-fat organization in Sweden to raise awareness about physical security, like how to lock your bike and your car and your keys and your wallet and all these things. But we are moving away from just needing to protect our physical stuff. Also, we need to protect our physical stuff through hacking or cybersecurity. So they involved me in this project where I would have to work together with actually an ex thief, like a real ex thief. So he would demonstrate on how to hack stuff physically. And I would demonstrate on how easy it was to hack stuff digitally by copying someone’s credit card information or get access to someone’s online identity or hacking RT stuff or setting up a fake wifi access point and typical easy stuff, but still awareness for the average people.
People.

Nathan Sportsman:
So were you a technical advisor or were you actually on the show or how did that

David Jacoby:
Work? I was, I was on the show. I was hacking stuff on the show.

Nathan Sportsman:
What was that experience like? Did you enjoy it?

David Jacoby:
I did enjoy it. But again, what we talked about before about putting a lot of pressure on you,
I mean, when you have discussions with non-technical people, they don’t understand what’s required to actually perform a hack. They think it’s some kind of magic trick. Oh, can you break into my phone right now? No, it’s not that easy. If you have an exploit or a vulnerability, of course I can, but it will take me month to find that vulnerability to write an exploit and then I can use it. They don’t understand that process. They think that it’s something you just do like this, but you don’t. It takes time. So when they said, oh, can you come to Stockholm tomorrow? I want you to be able to set up a fake access point and capture all my data. I had to like, okay, how do I build all these things? I need to have a raspberry pie or something, and then I need to somehow set up this fake access point. I need to somehow get it connected to the internet and route traffic so it looks legit. Then I somehow need to capture passwords from that machine. It is not enough just so you connecting to it. I need to somehow break SSL encryption and all that stuff. And at that time, SSL strip still worked, but you need to compile all this thing to this magic cake that you can provide to them. And they don’t understand what’s required to actually do that. They think, oh, you’re a hacker. So just hack,

Nathan Sportsman:
Just

David Jacoby:
Hack stuff. But the other guy, he has a crowbar, he can break it away. That’s what he has. I have to write code and build all these things and make it look legit

Nathan Sportsman:
And they don’t understand the operational development. So the asks are not only well-formed, but also last minute. It’s just like, Hey, play it tomorrow and just do your hacker thing.

David Jacoby:
Make work. Exactly. Bring your crowbar and just break into that thing. Not that easy. Once you have the exploit, it’s easy, but the time and the effort to find a vulnerability, know how to exploit that and then brighten a working exploit that’s stable, that takes time. Everyone who’s been in exploit development knows how difficult and how much time consuming that process is

Nathan Sportsman:
Because you went from that then it sounds like pretty last minute stuff, high expectations, not understanding how this stuff works. But you then went on to do the Hack TV series. Why go through all of that again,

David Jacoby:
But at that time, so when hacked, when we start to do that, so Hacked is a TV show where we hack companies live on tv. Not to demonstrate that those specific companies are bad at security, but from a social point of view, what’s the impact of being compromised? What does it mean to be hacked? We talk about for consumers, do not click links or do not open attachments, blah, blah, blah, right? No one knows what a hacker can actually do if you do hack someone. Or even companies like what does it mean to hack a municipality? What does it mean to hack a telco? What does it mean to hack a software development company or a IT consulting company? We wanted to demonstrate the biggest impacts on society through hacking with Hacked, which was a really cool project. Really cool. So with six episodes in the first episode, we hack normal individuals like you and me, private persons, private individuals.
We hack a telco, we hack Telenor, big telco, we hack a municipality and why would you want to hack a municipality? But when you think about it, a municipality has data of everyone who’s living in that area. They have, at least in Sweden, all that data is basically given to the municipalities, but it is more like the social welfare, for example, is related to the municipality also. If you are, for example, fleeing your house because of domestic violence or whatever, you can go to the social welfare and they will give you a new identity or maybe the police, but you get a new identity and you get the safe houses. I don’t know the English word for it, but like a safe house where you can stay that’s owned by the government, owned by the municipality. If I hack the municipality and I can extract all that information, I have the addresses of where people live.
I have their identities, I have all this sensitive information that should not be shared with the public. And in Sweden it’s also very common. And this is a cool hack. So in Sweden, it’s very common for when you move away from home. When you want your first apartment, you can get a state sponsored apartment basically, which is owned by the municipalities own real estate company. Kind of like that. Or if you have enough money, you can buy your own apartment. But if you want to have those house apartments that’s owned by the municipality, you have to basically be in a queue. So you have to wait in line until it’s your time, and then you can

Nathan Sportsman:
Don’t pay anything. Or they cover for you to pay. Of

David Jacoby:
Course you do pay, but it’s like there’s only X amount of apartments. So you basically stand in line and wait for several years until it’s your turn to get an apartment. Not that easy if you don’t have the money upfront. So you can pay for an apartment, this is one option to do it. What if you can cheat that system? What if you can like, oh, I don’t want to stand Hawaiian. I want to be number one right here, right now. That was one of the goals that we had to do in the series, and I don’t want to spoil anything, but yes, we were successful in putting our name first in the list, cheating the system. Also getting access to all that data that we should not have access to.
So from a social point of view, that series is really important. It shows the consequences of when your security fails. And it also shows how difficult it is from a hacker point of view, how much we struggle in hacking stuff. But at the end, we actually won. That was the most intense project I’ve ever done. We were basically filming two episodes in parallel and finding all these vulnerabilities, all these writing, all the code, everything that we did in times 10 times, it was nuts. It was really nuts. If you watch the series, you’ll hear one guy, he just like, I’m done. I’m so tired, I, I’m done. He just leaves, leaves, goes to bed basically. And even the camera guy or the sound technicians, they also leave. I mean, it was a crazy show. So we divided ourselves in two groups. It was me and Linis.
Linis was responsible for the Microsoft platforms since he’s really good at that. So we decided to basically create those two files like PDF files, but it was not really PDF file. There was some code happening. As soon as you execute the PDF file, there was code executed. And so he had all this framework where there was a command and control server. So if someone executed the PDF file, that would communicate back to our control server. And from that control server we could jump back and execute code on their machine and so on. But we didn’t have that framework. I didn’t have a framework for Mac OS at all.

Nathan Sportsman:
And so ultimately, were the two teams successful, both teams, the Windows team and the Mac team.

David Jacoby:
So a lot of antivirus products actually caught his stuff. And the good thing if people live with this faith that doesn’t, there’s no viruses from mes, so there’s no antivirus things kicking in to this date. The tools and the stuff that I’m using, the is not detected by any endpoint protection. Apple did fix the ability to rename the files in the applications folder. They fixed that at least. So that doesn’t work anymore from

Nathan Sportsman:
That work. Did you disclose it to Apple and then they fixed it later? They just figured it out later.

David Jacoby:
I think they figured out that later. I think they maybe saw my talk or something. I gave a talk about it

Nathan Sportsman:
With Stop A Thief and then hacked. You do these TV series, but you also, and it might be a little bit out of order, but the Millennium Trilogy. And so from what I’ve read, there was an author and he had intended to write actually 10 books, but I think he passed away in 2004 before they were ever done. But one of them is pretty famous. They turned it into a movie, the Girl With the Dragon Tattoo. But it’s a series of these. You became involved as a technical advisor for I think two of them. Is that right? And three. Three, okay. So what can you tell me about that?

David Jacoby:
Yeah, so he wrote three books. His name is Steve Lawson. So he wrote the three original ones. Then he passed away, and then another famous Swedish author called Dovid Log Accounts actually got the job to write three more books in the same series. And his philosophy was that these books needs to be authentic. So the hacking stuff, the technology should not be science fiction. And so he went, did some research and a common friend of ours just reached out and said, David, do you want to help with just have a meeting and see what you can do? And it actually ended up being a quite nice relationship where he wrote these books and I had opportunity to become least bit slander, which is the main character in those books, and design the hacks and explain these things for him. Because in Sweden, they’re very iconic. These books, it’s like they’re very well known. So for me it was a really obvious choice to just say yes. It was such a privilege to help him write these books and make them authentic and describing how hacking actually works for someone who’s not involved in that at all. I think it was really cool. It hasn’t happened that many times before where someone writes about hacking and technology and actually has everything correct from a factual point of view. The stuff that she’s doing is possible. There’s no made up stuff. It’s fully possible.

Nathan Sportsman:
Once you saw sort of the finished copy of translating very technical things into something that an audience could understand, but still accurate, do you think it came to life in the book and the stories

David Jacoby:
And also make it interesting because hacking, when you look at it, it’s not cool. It’s like a black screen with white text and that’s it. That’s his commands. But he has to create a story around this. There needs to be a purpose of what she’s doing and everything. And I think he did that very well.

Nathan Sportsman:
So you mentioned the series, it’s a big deal in Sweden. It’s a big deal here too, and that it was an easy yes for you. But what did it mean personally for you having been involved in that?

David Jacoby:
It’s a little bit of a legacy that I can tell my children and my grandchildren and so on. My name is in every single book translated to every single language out there. If you look at the last page, my name will be there. And for me, that was back to what we discussed before about proving yourself. That was one of the things that was very valuable for myself that I think, okay, that is cool. I did that. Not anyone else. I was chosen for this. And I’m trying to be very humble about it, but for me, that was a very important thing in my life.

Nathan Sportsman:
Is it 20 22, 20 23, you decide to found unreached ab? Was that the first company that you had found?

David Jacoby:
Not the first company that I’ve founded, but the first company that I founded, 100% on my own. Just me. No one else was involved, just me. And it started out a little bit as a statement to the industry because after all these years, like 30 years basically in the industry, I felt like we’re not solving the problem. We are spending so much money. We’re spending so much time. We have so extremely talented people trying to solve this problem. Why haven’t we solved this problem? What’s the problem? And of course, there’s many answers to that question, but for me it’s a little bit about the underdogs, which we talked about before as well. I strongly believe that cybersecurity for a very long time has been a luxury, a commodity that no one, not everyone can afford. And when I say afford, I don’t mean only from a financial point of view, but also from knowledge or understanding or just ability to run some of the services that’s out there.
There’s a lot of companies who have really good services, but they’re not available for everybody. There’s a lot of companies who won’t even sell their service to a company if they’re small enough. And for me, that’s just mind blowing. If we would do the same thing in the physical world, people would die. Imagine that you’re not allowed to have a fire alarm or a bicycle helmet or an airbag. Your car is, you can’t have an airbag in your car because of whatever reason. We need to have those kind of systems everywhere. Everyone should be entitled to good security. So I found it unreached because of that. I wanted to offer services for everybody. Why do we sell, still sell pen test by the hour, for example? How long does it take to crack a password? Can you answer that question, please?

Nathan Sportsman:
Well, it depends on how long it is, but how long the password is and how complex it is. But typically where what most people pick for passwords, it’s fairly quick,

David Jacoby:
But it still depends, right? Depends on the complexity of the password and depends on a lot of things, right?

Nathan Sportsman:
Yeah.

David Jacoby:
And if you were doing a penetration test, a security audit, the outcome of that pen test and secure audit would be completely different if you could crack that password or not crack that password. Correct? Correct. So why are you selling Penta by ours? Why not in a different way? And there’s a million of these examples on how we can modify the industry to give the kinds a higher value of what they’re testing. For example, when I do my pen test, I will of course try to crack that password, but I’ll also tell the client that hash is now compromised. It’s a matter of time until I crack that. Maybe it’s a month, maybe it’s 10 minutes, maybe it’s a year. I don’t know. Give me the password for that account so I can move on and continue testing the value that the customer want to have. They want to know what can happen if I crack that password. I don’t want them to say, well, you weren’t able to crack that password, so you lose, well, how do you know you only pay me for 40 hours or whatever amount of hours to try to crack that password? We’re doing so many things wrong. And that’s why I found it unreached to reinvent how the security industry should sell its services and do that thing.

Nathan Sportsman:
And the company unreached ab, it was founded in 2022. 2023.

David Jacoby:
Yeah, 2022.

Nathan Sportsman:
Where could folks go to find you? Where could folks go to learn about the company?

David Jacoby:
So right now, well, they can go to on breach, eo, of course Breach or LinkedIn or whatever. But now I also work for SYN

Nathan Sportsman:
In Syn is company based in Iceland?

David Jacoby:
Yes, correct. So it’s an Icelandic security company. So after I founded Breached, I was invited to Iceland to give a talk at their annual security conferences. And after my talk, I talked, I had a nice conversation with the CEO, and we share the same idea about this ability to be innovative and creative in the industry. I basically gave them that pitch as well, we have to change things, we have to do things in a different way. And they basically said, so you’re a one man show over here. Why don’t you join? Well, we can join forces and we can do stuff together. So now basically I’m the chief strategy officer for syn and trying to do the same thing together with syn, reinventing things, how coming up with new ideas on pen testing, on audits, on running a soc. And a lot of things, like one of the first thing that I was thinking about was when I was joining syn. So we have basically three to four business areas. So we have pen testing, offensive security, we have a soc, a level three soc, and we have management consultants doing ISO 27 0 0 1 and BCP plans and all that kind of stuff.

Nathan Sportsman:
Do we talk about their lineage, where they came from, or is that on their story for another day from another person?

David Jacoby:
So Cindy’s is founded by hackers that I’ve known from the IRC time. And that’s one of the reasons why I decided to go to the conference. Been, I shouldn’t say working with Sinis. I have not, but I’ve been around Sinis since they founded cidi. I’ve kept an eye on the company. I know the founders. They’re extremely good, skilled hackers. And in the beginning we talked about doing whatever things together if we could, but that was just fun and giggles. It was just having fun stuff, doing fun stuff together. But now it is a proper company with management and staff and customers and everything. Now it’s completely different. So I’m actually really happy that I can work with these people. I know them from the past and I know it is like a very hacker driven company, which I also like, of course, everyone needs to be able to pay their bills, but the philosophy, the willingness of trying new things to be innovative and creative, I like it. It’s a really cool thing to do.

Nathan Sportsman:
Yeah,

David Jacoby:
It is a new purpose in life, but I like it.

Nathan Sportsman:
And speaking of that, to your roots, to their roots, this whole mural board, one of the big things that I’m learning through that research is 35, 40%, maybe more of these companies, their origins are from the hacking community. And then they ultimately founded these companies to some of the stuff we had talked about. And we just project opportunity after opportunity over the last several years. And then here you’re doing another project again with Warlocks, but you have talked about trying to do less and trying to prioritize yourself too. This tendency to help everywhere, whether it’s you or someone similar in your shoes or maybe your younger self. What advice would you give people for the balance between trying to have a legacy, trying to help, but also trying not to burn the candle at both ends in that process? Do you have any thoughts or advice on that?

David Jacoby:
Some thoughts is don’t try to create a legacy, something that just happens. Don’t overthink what you’re doing in life, just do it. Just do fun stuff. But always reflect on what you’re doing. Take some time off to just reflect on what you’re doing. Some of these conversations we had now made me think about how I’m prioritizing things in life, family, friends, work, balance, all these different things. And I think that that’s a good lesson. Follow your heart, do your passion. I’ll always be a hacker. I’ll always do hacking stuff. I’ll never ever leave that. I’ll be a hacker until I die. But I want to be a happy hacker. I want to be finding peace with myself. And the older you get, the more knowledge you have, take advantage of that knowledge and hopefully you’ll find your legacy. You’ll find your thing, you’ll find whatever you’re doing. And I’m still trying, but hopefully I’ll come to some conclusion at some point in life.

Nathan Sportsman:
And so you have this story cv, and you’re here in Austin right now on jet lag from Sweden. Is there some project that is potentially coming up that’s going to be another one of those things where you’re going to say yes to and is the question not should I do this or should I not do this, but by saying yes to this, what am I saying no to? Whether it’s I’m saying no to prioritizing family or I’m saying no to prioritizing my physical health, mental health, or whatever the case is. How do you make sure that you give yourself time for yourself through all of these things that you’re doing

David Jacoby:
By having a really strict schedule? And what I mean with that is actually if I want to go, for example, now, before coming here, I just signed up to a gym membership again. And before I just had the gym membership, but I didn’t actually specify something in the calendar saying on Monday at eight o’clock, between eight and 10, I’m at the gym period. So I think the lesson to me for myself is to put things in the calendar and commit to the stuff that’s in the calendar. Even private things, not just work related stuff, even private things. And the other thing is we value our time, not value. We measure availability through minutes. If I would call you Nathan and I would say, can you help me with this thing? You will look in the calendar and see if you have time to do something. We’re missing One important thing. And that’s what I’m bringing with myself is also your energy level inside your body. Like, okay, you might have minutes to help me, but do you have the energy to help me? So I’m trying to combine my calendar with energy as well. If I’ve been in the US filming for warlocks for a week, when I come back home, I’m probably going to be really tired. I do have the minutes, but I don’t have the energy.

Nathan Sportsman:
So

David Jacoby:
I’m going to add energy into my calendar. My life hack is not measuring things in minutes, but in energy and the willingness to do things. So if someone says, can you give a presentation in Stockholm or in New York or in London or Paris or whatever, the answer will probably be, no, I don’t have the energy to do it even if I have the minutes to do it.

Nathan Sportsman:
And so this notion of, to your point about energy and time is the great equalizer. Everyone on this planet gets the same 24 hours a day. And I think there’s a book called, I think it’s called 4,000 Weeks, if I remember correctly. I don’t know if you’ve ever read this book, but basically that’s all you have. And then for us at our age, we don’t have 4,000 weeks anymore. We have about 2000 weeks left. And so prioritizing ruthlessly, you put time towards what matters. You mentioned you’ll probably be jet lagged coming back to Sweden, just like jet lagged coming to here. Why devote time to warlocks? Why are you doing this? Why did you decide to make that part of your time and it could potentially exhaust some of your energy?

David Jacoby:
We had some really nice hackers. People in the community pass away, Barnaby, Jack, Kevin, Mitnick, Jason, all these famous hackers who never had the chance to tell their story. I don’t know, maybe I’ll die tomorrow. I have no idea. Or in a year, or maybe I won’t. But this is part of history. This is part of my life and the world that we live in right now. If I can somehow, again, help someone, motivate someone, share something with my projects that I’m doing, I think we’ll build a better world. And I just strongly believe in what we’re doing right now and what you’re doing, not what I’m doing. What you are doing is preserving history. And I mentioned that before. For me, it was really obvious when you reached out and say, do you want to do warlocks? Yes, I want to do warlocks because this is part of the world. This is just something that should have been told. Because a lot of these stories are just shared within the community. It’s not shared outside the community. And of course, there’s a lot of things we can talk about, but maybe those things are not important. But let’s talk about what we can. And I think it’s a very important piece of computer history. So thank you for doing this. For me, it was obvious. I mean, you’re doing the hard job. I’m just sitting here doing nothing, really telling my story.

Nathan Sportsman:
That’s not true. And you guys are doing the hard job. I really do appreciate you giving this some of your time and some of your energy. David Jacobi, thank you. Thank you so much.

David Jacoby:
Thanks.