The Nostalgic Nerds Podcast
The Nostalgic Nerds Podcast, where we take a deep dive into geek culture, tech evolution, and the impact of the past on today’s digital world.
The Nostalgic Nerds Podcast
S2E2 - Blue Boxes, SIM Swaps, and the Myth of Secure Phones
In this episode of The Nostalgic Nerds Podcast, S2E2 – Blue Boxes, SIM Swaps, and the Myth of Secure Phones, Renee and Marc go from the days when long-distance calls were timed with a stopwatch to a world where your phone number quietly doubles as your identity. Along the way, they unpack Blue Boxes, SIM swaps, eSIMs, SS7, and why modern phone “security” is mostly about trust… and who the network feels like believing today.
Spoiler: it’s not a bug. It’s a feature… from 1975.
Join Renee and Marc as they discuss tech topics with a view on their nostalgic pasts in tech that help them understand today's challenges and tomorrow's potential.
email us at nostalgicnerdspodcast@gmail.com
Come visit us at https://www.nostalgicnerdspodcast.com/episodes or wherever you get your podcasts.
Hello, nerds. It's your favorite duo, Marc and Renee, and this week we're diving. Into a topic that's near and dear to our hearts. We say that every week, but it really is telecommunications. All right, buckle up, folks. First stop on this wild ride will be the Blue Box. Marc, back in 1970s, people figured out a way to hack the phone system with this little device called a blue box invented by none other than the legendary Steve Jobs and Steve Wozniak. Woz was living large in that moment, right? Yes, that's right. Before they were revolutionizing personal computers, Jobs and Wozniak were out there making illegal calls to anywhere, anytime, and paying nothing. It was a hacker's dream, and all it took was a box the size of a Rubik's Cube. Slightly more technical, though. These blue boxes allowed people to mimic the special tones that the phone system used to route calls. Think of it like tricking your phone into thinking you're in the next room, when really you're calling from a couch while not paying A&T and T for long distance. Wait, I have to talk about this for one second, because seriously, long distance used to be really, really, really, really, really expensive. Really expensive. When I first moved to California, I had the budget to call my parents. I had to budget that. Right. So they were bypassing the system to make free calls anywhere in the world. I mean, it's impressive. But also, can you imagine being AT&T and finding out your entire phone system is getting punked by a couple of teenagers in their garage? Yeah, right. AT&T was not having it. They were losing money left and right. But the fact that people were pulling this off, especially with something as simple as a box that played sound tones, was mind blowing. Marc, did you do this? Did you use it?
Marc:No, I, you know, no, not at all. I heard that they called like the Vatican once and tried to get the Pope and stuff. It's very sort of typical laws, right? No, I didn't do this. I mean, by the time I was a kid and knew what this stuff was, and we talked about this right before we started, it was the little cap and crunch whistle was 2,600 hertz, and that's the tone that was magic to the signaling system. But it was a little bit before my time, you know? I was in grade school,
Renee:So it was probably that. Yeah, you know, it was definitely before my time, and I wouldn't have done it. I wouldn't have gone out and bought a box where I went. I'm afraid of going to jail.
Marc:So, but you know, it, it, I do remember like the, the long distance stuff quite, quite, you know, directly because it was, it wasn't long distance to call like grandma, you know, but it was because grandma was in Orange County. Both the grandmas were in Orange County, but it was just a little bit more expensive than just calling, you know, the next door neighbor. And, and I, I think, I can't remember what it was, you know, it might've been like a like a bulletin board or you know some modem thing that i was using and oh i remember it was sierra online they had a had they had a bulletin board system way way way back in the olden days and so i had a modem and you could go and you could download stuff and get updates and you know do different things and and it was a long distance call so you know i had to run it with the parents over the price of, of turning the, you know, turning the computer on, hitting the modem, dialing and, you know, basically, you know, being online for hours, you know, and, and you remember how, remember back in the day you had to have like a computer share or was it, yeah, was it comp, comp, comp, share, computer share? Yeah, CompuShare, right? Or CompuServe, CompuServe. Oh. And AOL and— Oh,
Renee:Yeah, because you had to get there somehow, right? Yeah, and you dialed up the motor.
Marc:Remember the local numbers? Yeah. Yeah, yeah, yeah. You had to have a local number. Yeah, because if you didn't have a local number, you'd dial the 800 number, and then you'd put it back on them.
Renee:Yeah, yeah, yeah. Yeah, yeah.
Marc:But way back in the 60s and 70s, phone calls themselves weren't background noise. It was like a metered utility. And that's what this is all about, right? You paid by the minute, by the distance, sometimes even by the time of day. I remember that, like, you know, after 7 o'clock. After 7. Yeah. Yeah. A coast-to-coast call could be close to a dollar a minute. Like, can you imagine how much a dollar is, you know, way back, you know, 30, 40, 50 years ago?
Renee:Well, I can because you could get two McDonald's hamburgers for a dollar. Like, yes, I do remember.
Marc:Yeah. So it's quite expensive, you know, which it doesn't sound like a lot now, but even a dollar a minute, it's quite a lot. But it's several, you know, pounds or dollars per minute today. So families planned phone calls, right? Did you ever do this? You like everybody get around and it wasn't like chatting on the phone. It was like reporting. Yes. It was like, yes. Yeah, and there was timers and how much time and stuff. Fortunately for us, like, I remember it wasn't too bad because most of the family was in California, at least when we were growing up, but it wasn't too bad. But yeah, off peak, you know, and sometimes it might even be cheaper to fly and to see parents instead of calling them, you know, every day.
Renee:But that was just it. So even going away to Penn State, so I'm in the middle of the state of Pennsylvania, just so you know, main campus for Penn State is literally in the middle of the state of Pennsylvania. For me to call back to Pittsburgh, it was interstate long distance. That cost 53 cents a minute or something crazy like that. So you couldn't even really do that. And then when I moved to California, that was full-on long distance. Yeah, yeah, yeah. So that was a lot of – but then what AT&T would do is be like, oh, hang on. You can buy a long-distance plan. We'll give you 31 minutes for $30. And you're like, wow, what a bargain. Like, no, I shouldn't have to pay for any of this, right?
Marc:Yeah, yeah, yeah.
Renee:I shouldn't have to pay for any of this, and here we are, right? I'm thinking it's a bargain to get $30 for 30 minutes, right?
Marc:Well, and that's the thing with these blue boxes, right? It's not just like pranking the Vatican or something like that. It's people actually figuring out that, hey, this really tightly controlled system is being held together by you know, whistles and toads.
Renee:Just so everybody's clear, like just like Captain Crunch, General Mills put out. And, you know, when you get a box in America, when you get a box of cereal for kids, not only do you get a ton of sugar and almost no nutritional value, but you get a plastic toy that you can choke on if you eat it. So they in this toy was a whistle because Captain Crunch was a captain on a ship. And so I guess whistles make sense. Right. But this particular whistle was exactly 2,600 hertz, which is the tone you needed to switch to a long-distance line, but you didn't have to pay for it. So everybody's running out buying Captain Crunch, throwing out the Captain Crunch part, which I don't know why. I guess it does cut the roof of your mouth until it gets soft, but when it does, no, dude, it's peanut butter. It's pretty okay. Anyway, you have this, they would, so you'd pick up the phone and get, okay, just so you got, because I know all of you have cell phones, and when you pick up your cell phone, there's no dial tone to let you know it's okay to start, like, boop, boop, boop, boop. No, first you had to wait for, like, oh, I can boop, boop, boop, boop, boop. That's what you would do, right? So without, you would get up, you'd listen to the dial tone, and then you'd blow the whistle into it, and then you'd dial, and then boom, you're not paying for anything. That's exactly how it worked. to think that AT&T got robbed blind by General Mills. Okay, fast forward a couple of decades. The Blue Box era passed, but Hunger for Hacking didn't. Now we've got SIM swap frauds, and it's way more sophisticated. Instead of hijacking a phone system with a few tones, fraudsters today are hijacking your SIM card. SIM swap, which is hard to say, fraud, is like the evolution of the blue box hacking, but for your identity, right? So here's how it goes. Someone fraudulently convinces your mobile carrier to swap your phone number into a new SIM card that is in their possession. Boom. They've got access to your calls, messages, even things like your bank account if you link that number for two-factor authentication. Just so we're clear, like when you log into your bank and it says to you, I'm going to text you this number, you put it in here and you can get in. That's multi-factor authentication. And when you do that, when someone else owns your SIM card, they get that number too, which means they now have access to your bank accounts. Sounds crazy, but it happens. Yeah. They've got access to your calls, your messages, and everything like that. And it's not like the fraudsters doing this with a bulky box. Nope. They're just talking to customer service, pretending to be you, getting your number switched over to their own SIM. It's social engineering at its finest. And the worst part? They can now access your multi-factor authentication codes. You know, the ones that are supposed to make your accounts extra secure. With just that one text message, they've got everything they need. It's like a digital sneak attack. And let's not forget that the actual professional scammers out there using this as their side hustle. This isn't some kid in a basement anymore. It's a multi-million dollar operation now with tons of identity theft at stake. So, Marc, I mean, we always say this is why we can't have nice things, because as soon as we get nice things, they get weaponized against us. Is this the weaponization of the phone?
Marc:Yeah, I mean, we've been seeing these sorts of SIM attacks. And we'll go into eSIM stuff in a minute. But, you know, these kinds of attacks around SIMs have existed for as long as there have been SIM issues. And, you know, the weaponization here, you hear you've got this really secure thing, a SIM card, you know. And for people that don't know, these SIM cards, they're smart cards. And there's a whole set of standards around smart cards and chips. It's the same exact technology that's on your credit cards. If you look at the form factor of a SIM and you look at your credit card, there's a shiny little gold spot on the card or whatever. It's the same thing. And so it's a really extra secure piece of hardware. But, right, the least secure part is the human element, right? And so when people started to figure out that actually you could start calling carriers and you could play around and you could socially engineer this, then, you know, that's where the bad stuff starts to happen. You know, and because, you know, people use this for so much of their life, like, okay, Brene, you lose your keys. Do you ever lose your phone? Yeah. You never lose your phone. No.
Renee:I have thrown it in the trash on the plane once, and a pilot did have to go through that trash for me. But no, I've never actually lost it.
Marc:I don't. Yeah. I mean, people's phones are attached all the time. And so it's an identity factor. So, you know, what changed here wasn't just the technology. It's what your phone number means now. Your number is your recovery key for your email, your bank, your social accounts, and sometimes even your job. Like if you have a BYOD, bring your own device kind of scenario. So if I can control your number, I don't just control calls or texts. I control like the digital aspect of you. And this pattern should sound familiar. The blue box hacked trust in the network. The SIM swap hacks trust in people and processes. So it's the same idea, but completely different blast radius. What's scary is that this isn't some like elite technical exploit. It's social engineering. It's people being very good at sounding legitimate to customer service. The system isn't broken. It's doing exactly what it was designed to do, optimize for speed and convenience. And fraud lives in that gap. Can it squeeze in between that security and convenience factor? And that's where all of these sort of attacks happen.
Renee:It's like lockpicking, right? So if you ever go to a security conference, RSA is a good one, right? NSA is there because they're always recruiting. And they'll have tables full of padlocks, essentially, right? And a bunch of lockpicking tools. And it's just laid out there. And they want to see who can pick a lock. Because if you can figure out how to pick that lock, you could probably figure out how to pick any lock. Because once you realize how the tumblers work in that lock, yeah, it becomes super easy to exploit. I can unlock one. I can unlock all of them. I can unlock your front door. I can unlock your back door. I can unlock a car. I can unlock anything if I can figure out how to do it once. Because once I know fundamentally how the tumblers work, whether they're single-sided, double-sided, if you're wondering, I do have a lock, like I have a lock pick kit that I play with just because I'm a nerd. But I mean, that's just it, right? That's any exploit. I'll say that about anything, any software exploit, any hardware exploit, like any exploit is once you figure it out to recreate that over and over and over and over and over again at scale actually isn't all that hard right like you know what the exploit is go exploit it like that's exactly how this stuff works and i guess like this idea that like the more technology we get the harder it's going to be to exploit it nope as soon as we figure it out we own it yeah as soon as they figure out how to get to your phone they own it as soon as they figure out how to get to your computer they own it like they own it like that's not okay that's not okay well.
Marc:In that you know like with locks and lockpicking, right? You, you, my fit one of my favorite youtube channels a lock picking lawyer i don't know if you've seen him he's really good um oh yeah you got to check out the lock picking lawyer i'm still stuck in
Renee:The whole like everyone hates megan markle thing so i'm in an all different youtube thing.
Marc:Yeah no so the lock picking lawyer but you know people try to build and there's been some makers that have built like a quick unpickable locks and stuff and it's not that any lock is is isn't pickable or unpickable or whatever, it's that, you know, the cost and convenience of building some of these systems to make them more difficult to pick is sort of counterintuitive and counter to the objectives, right? If Master Lock wanted to mass produce a lock, well, it costs money to make them more pick resistant. And so they don't, right? So there's just enough deterrent. They're selling a deterrent. They're not selling security, right? And that's where lockpicking kind of skates that security convenience, the continuum there. If you make it more and more secure, then convenience drops off the continuum. And that's the way it is on every single one of these technologies.
Renee:All right, well, hold on to your smartphones because this is where things get real tricky. Enter eSIM technology, the latest, most secure, and almost easily hackable advancement in the mobile industry. The beauty of the eSIM, no more messing around with physical SIM cards. You can switch carriers and plans setting directly from your phone. But guess what? That new digital SIM also comes with a new set of vulnerabilities that scammers have figured out how to exploit because we can't have nice things. Yeah. Imagine this. No more physical card to swipe. But now the hacker doesn't need to swap out a SIM card physically. They just need to access your phone account online, mess with the eSIM activation process. And with the right tools, they can activate a new eSIM on your phone and boom, they got control of your number and your life. It's like magic. And they don't even have to break a sweat. And when you when you're left with a phone number that isn't even yours anymore. Like that's crazy. Like every phone call you're getting is being listened to by another person. Every voicemail, everything you search, every app you use, every password you implement, it's all in the hands of somebody else. If you're lucky, it's law enforcement. If it's not law enforcement, you're in bigger trouble. What's worse, though, Marc? Like, law enforcement gets it all or a bad person gets it all? I think it's equally bad.
Marc:It's equally bad. Well, yeah, there's no good choice there.
Renee:So how do we secure it? Like, can you secure an eSIM? Like, am I just destined to go around the world, like, with people just trying to steal me?
Marc:Well, you know, eSims... The technology itself is pretty secure. Like, I shouldn't even say it like that. It's very secure. Like, from a standards and practices perspective, you look at the cryptography, all of that's like, it's bulletproof. Like, the way that these eSIMs work, you know, the way that you can essentially provision a new phone onto an eSIM is because you're provisioning cryptographic material onto an eSIM. And then that process then allows you to then put the secure material into the secure element on the phone. Like this is a major simplification, but that's essentially what it is. And for people in the payments industry, this is like pin key rotation, right? Pin key changes. Like, can you change the, you know, master PIN keys in a PIN device without having to bring it back to a place to then have new keys injected into it in a secure facility? Well, with an eSIM, that essentially that original material that allows you to encrypt some things is there. And then you can reprovision new cryptographic material to do new activity. And that's all Technically it's all locked down There's a secure element of the device And you can't clone it You can't pull it out of the physical card That part is all That's all good But what happens is, you know, the provisioning process here is the weakest link. So with eSIMs, you're not protecting the piece of plastic. You're protecting the workflow. So to activate an eSIM, a carrier has to decide three things. One, who are you? Two, do you have the right to this number? And three, should we move that number right now? Those decisions don't happen on the phone. Okay, fine. They happen in the carrier systems, different portals, call centers, back-end APIs, and a lot of times they're triggered remotely. And I don't know if people have done eSIM, you know, like I travel a lot, go to Africa, you know, walk into Tangier or, you know, Agadir or something like that in Morocco, and you get an eSIM. Well it's like you literally walk up to one of the booths and they they take your phone and they you know tap tap tap tap zip zip zip you know put in a couple codes you get a phone call you know put it down and then two minutes later you got an eSIM activated on your on your phone and that whole provisioning process you know it goes through several steps to to make that all happen but All the decisions to do that happen through things like, as I said, portals, your email, text messages, phone calls, codes, those sorts of things. And that's not hacking the eSIM, right? That's hacking the process around the eSIM process. So, you know, for example, someone can compromise email or convince a carrier they're you. they can initiate that provisioning event. It might even involve a QR code or some sort of app-based activation or a backend transfer. So from a network's point of view, this all looks legit. The customer asked to move the number, the system did exactly what it was designed to do. And that's the same pattern that we had with SimSwap, but eSIM removes just that last bit of friction. So it's like, yeah, it's a more secure technology, but the processes to make it work are pretty much the same. So there's no physical handoff so actually it's made things easier from from a you know from one perspective you know the security of this case it didn't it didn't disappear it's sort of upstream
Renee:But that's just it right like this idea that the last line of defense was this account says renee murphy and the person inside of standing in front of me is some guy.
Marc:Like this right
Renee:You know what i mean like this isn't right like it's just like that last line of defense is gone.
Marc:Yeah yeah i mean you know and and i shouldn't make it sound like these sims are worse because in a lot of ways it's better they do make some attacks harder you can't you can't steal a sim from a table right you can't yeah okay weird story so our family doing citizenship in the uk We went to one of these places that was, like, taking all of our information and, you know, photocopying our documents. And we had to get our pictures taken and biometrics and all that stuff. So as we're sitting there, on the table is stacks and stacks and stacks of data sims. Like, here you go. Would you like to 20-gig data sim? And I'm like, okay, interesting. but like in the uk you literally just sims are easy you know super easy to get you just pick them up off the table but you can't pick an e-sim off the table not exactly you know you can pick up like an e-sim you know qr code or an activation process something like that the problem is that most people don't secure these these accounts right that they're associated with email addresses you know, account pins, you know, various kinds of systems that people use to secure their data, those are vulnerable. So, you know, we obsess over phone locks and biometrics, but forget the real keys live in those email boxes and carrier profiles and recovery flows. So eSIMs aren't a failure of cryptography or hardware. They're a reminder that modern security is mostly about process design And process design is where convenience and security are constantly at war.
Renee:I don't know. Every time I walk into an Apple store and I see people like upgrading their phones, right? And they're in there for 20 minutes. They leave their old phone and everything on it behind. And they take their new phone that magically has everything on it again. And they walk away thinking like that was, that's perfect. Look, it's secure. I did it with a vendor I trusted. That trusted vendor like is not known for misbehaving that way. And they have enough internal processes that I probably feel okay about it, right? Right. But I mean, I mean, OK. OK, so I'm in Russia on vacation because, of course, I would be. Right. And I'm in St. Petersburg.
Marc:We're talking about Victor again?
Renee:Victor with a K, who was selling corn on the street, which I thought was amazing. We don't have enough corn vendors on the street as far as I'm concerned. So and we're going to the hermitage and the hermitage is closed that day because it's May Day. It's there. It's the day that they celebrate the liberation from the Nazis. Right. And so it's May Day and everybody's out in the streets with, you know, celebrating and all of these other places are closed. Banks are closed. Museums are closed. It's a national holiday. But because we're a bunch of foreigners, they let us in the hermitage. So there's people working in the hermitage that day. We have a tour guide. We're going through the I swear to you. And I'm not kidding. I turned off Wi-Fi. I turned off Bluetooth. I put it in airplane mode because I want my camera. I don't have any other camera with me. So I need my phone for my camera. There's tons of stuff in the Hermitage, some of it being fabric art that is actually pretty amazing. And so I definitely want to see it. And I definitely want a souvenir of that, and I want to take a photo. And I don't know how this happened. I don't know how this happened. I still am confused. I cross the threshold of the hermitage and everything turns on. Everything turned on. And I'm getting text messages from America.
Marc:Yeah.
Renee:Screaming at me, oh, my God, he fired Comey. It's all I'm getting, like, over and over and over and over again. Like, oh, my God, he fired Comey. Oh, my God. And I'm thinking all the crap I could get in Russia. I don't want it to be political crap.
Marc:Yeah, exactly.
Renee:Like, I just don't want this. Like, this is not okay, right? Right. But but when I think about the attack vector of that, I'm in a foreign country. They're definitely an adversary of the United States. That is definitely a national security problem. And I still think to this day, my phone number has something attached to it with the Russians. Like, why wouldn't it? They know I was there. They I had a phone. They have the data. Like, of course, that's what happened. Of course, that's what happened.
Marc:I mean, state actors are state actors. I mean, there's not much you could do.
Renee:But think of how many people cruise and go to other countries and they have no concept of that kind of thing. Like if I were smart and I cared about national security, I would have turned my phone off and left it on the boat.
Marc:Yeah, yeah, yeah.
Renee:Right? And I don't think we think like that. I don't think normal people think like that. I don't think regular people think like that. I think the CIA thinks like that, but they don't tell me to think like that. And now Victor with a K picks me up when I am in the National Zoo, right? Right. So, yeah, I think we need to be smarter.
Marc:I think, isn't it? I haven't traveled. I mean, I've only been in Hong Kong. I haven't been to mainland. So but I think if you go to mainland China, you've got to you've got to put like the tourist app on your phone, which, you know, come on, if you're going to put, you know, some state derived. App on your phone you're you're done you know that's gonna
Renee:Well i mean don't i already have that since i shop at timu like all you guys who have timu on your phone or sheen like that's all china tracking you like like they know where you go they know i'm.
Marc:Editing editing out editing
Renee:Yeah yeah yeah you've got a national chinese app if you've got timu yeah congratulations Yeah.
Marc:I think, I mean, yeah, maybe people.
Renee:In all fairness, we do it too in the United States, and we do it for people who are coming here for asylum. And so we let you across, we used to anyway, let you across the border, ask you to put this app on your phone, and then tell you you have to answer it if we talk to you. We are tracking where you go and what you do. And you're going to schedule all of your court hearings and all of your check-ins on this. And it worked really, really well for many.
Marc:Well, I mean, for Asylum, I mean... Yeah, I mean, it's your those rules. You do it.
Renee:Yeah. So what does this all mean for us as users? Well, first, we're living in an era where hacks are so slick and so sophisticated, it's easy to forget how we got here from simple blue boxes to the multilayered cyber crimes of today. But if we've learned anything, it's the digital security needs to be taken way more seriously. And it doesn't help at all. All of this hacking is done with no physical wires, no devices. The size of your old VHS tapes. It's just digital tools that require very little effort. And yet, here we are, navigating the new digital wild west. It's like the whole landscape shifted from, here's a thing to hack, to everything's hackable. In the past, we were talking about people dialing into a phone system with few frequencies. Now we're talking about the dark web, social engineering, and the underworld of frosters swapping SIM cards and controlling eSIMs.
Marc:Yeah, I think so. I want to give an example of kind of, you know, big hack that can take down, you know, kind of infrastructure. And we talked about Signal System 7 before SS7. And while this is an old system, these attacks are happening now. But it's a big, it's kind of a big piece of infrastructure. But this is not the only example. But I just wanted to, you know, go into this for a second. So, and just kind of reset expectations, right? Because it's not like a movie style hacker shutting down the internet. And, you know, I think, when did we talk about Signal 7? Was it in the authentication episode?
Renee:Probably, yeah. Yeah, yeah, yeah.
Marc:And, you know, they probably were thinking, oh, you know, this is kind of weird. But basically it's like a nervous system of the global phone network. So if you go back to, you know, the phone freaking and, you know, Captain Crunch and all of that, A lot of that infrastructure exists still today. It may be worked differently and there's, you know, other controls around it. But, you know, that stuff was designed in the 70s. Telecoms are, there's a handful, not thousands. And so if you're on the network, you're assumed to be legitimate. And this is how a lot of network-type systems, particularly that grew up in the 80s, 70s, and 80s, work. Like the Federal Reserve. If you're on the node in the Federal Reserve, your presence assumes, well, you're a trusted node. I mean, obviously, there's authentication mechanisms now that didn't exist before.
Renee:Are we talking about the SWIFT system?
Marc:Oh, yeah. I mean, SWIFT and, you know, yeah, of course, again, like, I've done a lot of stuff with SWIFT. So now you've got to have, you know, multiple authentication and dual and, you know, all that stuff.
Renee:Well, it used to be you just had a dial-up to it. Yeah, yeah, yeah. And you knew the numbers, so you were on Swift and you were trusted.
Marc:Right, yeah. I mean, well, and, you know, there's these kinds of... Why would I, you know, the types of things that happen for certain things, like, well, I couldn't, you can't create, like, magical accounts. So, like, what are you doing? You know, are you causing chaos or are you, you know, you already have a compromised account? Like, this is how certain types of, you know, some of these systems resisted security for a long time because the types of activities that you could participate on in these systems didn't really benefit an attacker. But, you know, but benefiting an attacker doesn't necessarily, it's not where the attack necessarily ends. Right. And that's the point of these sort of Signal 7 attacks. And, you know, just to cut it short, there's real-world cases where attackers gain access to the signaling network through whatever, small or compromised telecom providers, and they use that access to silently intercept SMS messages. And once you see SMS traffic, you can capture one-time passcodes. And once you do that, SMS-based two-factor authentication just kind of falls over. And this is where it should be kind of scary, right? Because I've just told you that in the real world, real-life hackers have successfully intercepted SMS messages. That should be a little bit concerning.
Renee:Especially since we use it for so much still, right? We still use SMS for so much stuff.
Marc:Yeah. But that's, and there's probably lots and lots of examples that are like that. Telecoms aren't unique here. The internet has similar trust-based routing problems, right? We've continually have DNS issues, right? Where we have DNS poisoning, right? If you're assumed to be one of the large DNS servers, you're assumed to be trustworthy. Well, we know that that's not necessarily the case, right? Right. So, so look, talking about Signal 7, you know, it's not that the protocols or the systems are broken. It's that there's a huge amount of modern infrastructure built on historic trust models, whether it's DNS or, you know, signaling systems or text messages or whatever. And, you know, that's kind of the uncomfortable piece here that most of these attacks don't work because people are careless. They work because the systems we rely on are designed, you know, to trust first and verify later, right? Trust but verify, one of our favorite sayings. And that's the big sort of global slow problem that we have to fix, you know, but it does not, but it does bring us back to the smaller, boring things individuals can actually do like right now.
Renee:Yeah, I aspire to agoraphobia. There's no reason to leave the house. I'm just going to make my life smaller and smaller. I'm going to talk to less and less people. Is it possible, I'm going to ask you this because I'm not sure, is it possible for you to gain access to my SIM, not to receive, but to send? So I have, let's say I go through mainland China. I now have that little app attached to me everywhere I go. I probably gave that little app access to everything, including my phone number. And that phone number can now be used to communicate with me through nefarious, maybe not even nefarious. You're just looking to disrupt, right? Could a nation state do that to you? Like once they have that data, why couldn't they?
Marc:Yeah. I mean, that's sort of the, I mean, that's kind of how SIM swaps work, right? Is that they can impersonate you Yeah. Nothing's real anymore. I don't even think that that's necessarily state sponsored. We didn't have it in the script, but, you know, I, have you, have you seen the, the new or heard about these new attacks where, and maybe it's not so much in the States because of do not call. I don't know. But in the, in the UK here, we get lots of phone calls on mobiles, right? You know, solicitations, but a lot of them were fake. Like, oh, I heard you were just in an accident or I lost my phone. It was me calling my daughter. You know, it would be somebody saying to Keely, oh, I lost, you know, it's your dad.
Renee:That's happening here. It happens on social media.
Marc:Yeah, yeah. But what's getting interesting is that the crafting of these attacks is starting to use AI. So what will happen is they'll call one person, me, and they'll record my voice enough of it to then generate a bot or an overlay, a filter for somebody else to talk, right? To make it sound like it's my voice and then to try to fool whoever's on the other side. And so there's new protections against this even now too because it's starting to happen. So if you don't recognize a number, you can – I know Apple has implemented this. You can implement a screening feature where – Oh,
Renee:I did. I actually did.
Marc:I saw this. It's really good. It's a good thing to do because you don't want unknown characters to – capturing your voice, because your voice is not only an authentication mechanism on a phone, right, to just people that you're talking to, but it's also, like, banks use it as an authentication, you know, mechanism. Maybe not the only one, but it is an authentication mechanism. So, anyways, sort of tangent.
Renee:I remember being, because one of the things you do as an analyst is you get briefed on stuff, and companies are always looking to find an analyst who will listen to them just because now you have someone on your side and they can do webinars for you or something. I don't know. But I remember it was a Hollywood company who reached out and said, we can faithfully reproduce your voice. All we need is 23 minutes. Now, 23 minutes was 10 years ago. So now they just need like two, right? And when you think about how much content you and I just put out onto the internet, like we are prime candidates for that crap. And I have 10 and a half years of that i've done hundreds and hundreds and hundreds of webinars like it would be very very easy to reproduce me but what's terrible about this and this is happening right now so female golfers in on the pro tour in the u.s they said they're having this problem where these men come to their to their to their meets or to their their game what do you call that when you event yeah i guess it's a golf event where they come to to the event and they and these guys get really aggressive with them. Like, why did you quit calling me? I sent you all that money and you act like you don't even know me. Yes. And it's because they're getting... Somebody has a video of them. They can make that pro golfer say anything in a video. And they do this thing where they send them these texts and it's like, hey, John, hi, it's me. How are you? Hey, you know what? I'm heading to the next city. I need some money. Here's my GoFundMe. Can you help me out? And then they just keep it going and they don't have to even do anything. It's a chat. So it's a chat bot having a relationship. And this one guy said, I have tried to convince my father over and over and over again that this is not real. He sold his house. This guy thinks he's in love with a 23-year-old golfer, and there's nothing his son can say or do about it, right? It has gotten to the point where, because what you used to think was, well, that's not her, because I know what she looks like. Well, okay, that's what she looks like. And she's talking to me. Well, that's not her. That's not her voice. Well, no, that is her voice. And so, yeah, I feel like that to me, that deep fake crap that people are using to steal your money and they're doing it on a on this crazy macro level so you don't even have to be famous it's that some your your godson or your grandson or somebody has a youtube channel they'll go steal it and they'll give you to give him money like it's the craziest thing right and these people are falling for it and it's really hard to talk them off that ledge once they're on it it's terrible no.
Marc:This is heavy it's it's really
Renee:Scary for our parents i and i feel for late us as we get older, Well.
Marc:Like, you know, no offense to the boomer generation, right? But, like, so much crap gets pushed onto the Internet from, you know, just AI people. You know, stuff.
Renee:Yeah, I just want to remind everybody, here's my friendly service announcement to the world. The internet is not real.
Marc:Yeah.
Renee:It's just don't believe anything it ever tells you. It's not real.
Marc:There's more, there's more, you know, AI content now than there is real content, you know, so. Yeah.
Renee:I'm a fan of Bigfoot AI slop though. I just put that out there. Like, if you have an AI slop channel that's like, that's Bigfoot, send it my way. I love it. All right. So listen, this is how do we avoid becoming the next target? Well, there's a few tips for keeping your phone and your identity safe. First up, use two-factor authentication on everything, banking, social media, email. The more layers you have, the harder it is for someone to mess with your account. Even if someone gets your password, they still need the second factor. Also, be careful when someone calls or texts you asking you to verify your identity. This one happens to me a lot. Hey, your Coinbase account's been hacked. I don't have a Coinbase account. You think you could be better at this, right? The real companies won't ask you to confirm sensitive info over the phone. That's the other thing. Facebook will never call you.
Marc:Yeah, exactly.
Renee:They will never call you. They'll never. Google will never. Amazon will never call you. Don't answer those phones, right? Yeah. And set up a—so that's all it is. Be careful when someone calls their tests and asks you to verify your identities. Real companies won't ask you to do that.
Marc:Yeah, yeah. And set up pins and passwords on your mobile account with your carrier. Like, nobody does this hardly.
Renee:Yeah.
Marc:Yeah. And so just so, like, what does this actually do? Like, if you put a pin on the carrier account, then basically you can't, you know, so many people don't put pins on them that all the hacks are designed to work without that. So as soon as you put that on there, and if it's only, you know, the pin for that carrier account... You're done. Like, you know, your SIM is safe. They won't be able to access your account without the PIN.
Renee:And for the love of all things digital, never click on suspicious links or respond to unsolicited messages from unknown numbers. If it feels off, trust your gut, right? If your grandson is behaving in a way they never behaved before, it's probably not your grandson.
Marc:Yeah.
Renee:So from the blue box to SIM swapping to eSwim fraud, one thing is clear. We've come a long way in technology and not always in the right direction. Isn't that our whole podcast should be about that? Like, yes, we can do it. But should we? But with the awareness, good security practices and a little caution, we can keep our devices safe from scammers lurking in the shadows. And who knows? Maybe in the future, phone hackers will be sneaking into your car or your smart fridge. Nothing's safe anymore. Everything's connected. So it's up to you to keep it all locked down. All right. So, hey, you guys, thanks for tuning into the Nostalgic Nerds podcast. If you've enjoyed today's episode, be sure to subscribe, share, and leave a review. You can email us at Marc. What's our email address?
Marc:NostalgicNerdsPodcast at gmail.com.
Renee:Until next time, keep geeking out about tech, stay secure, and remember, if it's too good to be true, it's probably a hack.
Marc:That's right. So I want to talk about some numbers. Oh, okay. Yeah, because, okay, so you know how Spotify does Spotify Wrapped? Yep, yep. Okay, so I, all right, because I always like to bag on LinkedIn. LinkedIn, did you see LinkedIn did like a wrap sort of clone thing? It's pretty pathetic. Is it?
Renee:I haven't seen it.
Marc:Oh, you should see, yeah, go onto your profile and then see, it's there. Okay. But because we host with Buzzsprout, the podcast, Buzzsprout today sent me a, hey, here's what you did in 2025. And I thought, oh, how wonderful. So by the numbers here, let's see if I can pull it up here. Let me get to the end of it. It's not very well done. So I'll have to, you know.
Renee:Note to our vendor, it's not very well done.
Marc:Yeah, I mean, Spotify wrapped is pretty slick. So, you know, take a clue from there. Okay. So four months of podcasting in 2020. Oh, we should have said at the beginning, this is our first episode of our second season.
Renee:Oh, yay, season two.
Marc:Four months of podcasting, 22 episodes published, 862 downloads, um, across 30 countries and 163, 163 cities. We published a total of 831 minutes across our 22 episodes. Wow. So, yeah, almost 1,000 downloads, 163 cities globally. So that's really cool. I think that's neat for only four months.
Renee:If you are the person who listens to this, thank you, thank you, thank you. Like, we started this as – why did we start this? Mostly I just wanted to hang it up.
Marc:I don't remember. What was it like – We were
Renee:Both not working.
Marc:We just wanted to see. Well, that's the, yeah, that's just sort of, you know. Well, I mean, we're both working, just working for ourselves, I suppose, now.
Renee:Yes, we are now, yeah. And so now we have time to do a podcast.
Marc:Yeah, exactly. It was some LinkedIn thing. Like, wasn't it Kirk? We should do that. We should do like a cooking.com reunion show or something.
Renee:That'd be fun to talk about technology in the old days, how we used to have that stupid cookie switching, and we thought that was the most amazing thing we'd ever said.
Marc:Oh, I know. Yeah. And, yes, so, like, there was some LinkedIn thing and we put some messages and Kirk was, you know, and we said something, we should do a podcast or something. I don't remember.
Renee:Something like that. Well, I'm glad we do it. I have a lot of fun every week. It's fun to write them. It's fun to do them. I'm glad people listen. Yeah. And maybe one day we'll write a book.
Marc:Yeah, well, you know, okay, so plans here. So Renee and I have talked about this, And if you've downloaded some of the other sort of extra material, I've started making songs for each episode that we do.
Renee:Oh, we're going to do an album.
Marc:Yeah. So the first season, I have the plans for each episode, each episode song. And I've written lyrics for several of them and actually used some tools to generate some songs. And if you've listened, I've released one for Vulcanized Rubber, you know, because that was awesome. That was a fun song. and then one about shipping containers. And then the one that I'm struggling with right now, but it's sort of just getting close, is kind of like an acoustic bawdy pub tale that I've titled Tales from the Booth for the cinema episode. Oh, nice. Yeah, it's pretty funny. I think I've almost got it. I've almost got it. It's taken quite a while to get the chord progressions right and everything and get the right sound. But, yeah, the first season, all of the songs will be recorded by, like, a bluesy, hard metal kind of band. And then Renee wants to do Yacht Rock.
Renee:I do want to do Yacht Yacht. And I'm really into Classic Soul, too. So we should do some of that. Some Phil Withers. Yeah. Some Otis Redding. Yeah.
Marc:So Season 2, maybe we'll do all the songs as a Yacht Rock album. Yacht Rock.
Renee:I love Yacht Rock. I can't get enough of it.
Marc:But I started looking around, and I thought this was kind of a fun idea, like to have a theme song, not a theme song so much, but a song that kind of takes something from the episode and then writes a stupid song about it. And nobody else is doing that in the podcast universe. And I thought, well, maybe there's a reason why nobody's doing that in the podcast universe.
Renee:I was going to say, maybe they're on to something.
Marc:Yeah, but then, and you can't, I got to tell you, the thing that I've gotten the most feedback on over the last couple of months is the songs. Each song has just as many downloads as any episode. Really? Yeah, yeah. And then people asked me to put the songs onto Spotify and set up the album on Spotify, which is like, okay.
Renee:Let's do it.
Marc:Let's do that.
Renee:That's hilarious. And then it's a nostalgic nerds album and each season has its own album. Yeah, I would be into that. I'd be into that.
Marc:So I think that's cool. And each one, you know, it's not like it's a summary of the episode, but it's like one was about shipping containers. Like, that's just stupid,
Renee:You know? It's stupid, but I love it. It's like, what was that band, The Presidents of the United States of America, where they would sing about picking peaches?
Marc:Peaches, yeah.
Renee:Yeah, why not?
Marc:Like, who builds a speed metal, a bluesy speed metal song about vulcanized rubber? We would. We would.
Renee:Good for us.
Marc:Anyway, so that's what I do in my spare time.
Renee:And I use AI to write fan fiction of The Office, which, by the way, I've got a whole season going. It's really good. Michael runs for mayor of Boulder.
Marc:I will admit, I do use AI for some of it. But frankly, I've been writing lyrics. I've been writing chord progressions. I've been, you know, doing a lot of it and then editing and all of that. Check this out. I actually have merch. I have new stickers.
Renee:Oh, I like that.
Marc:And you know what? It's a real QR code. Is it? Yeah, yeah. It'll scan.
Renee:So when are we going to do merch? We'll have to figure that out.
Marc:I don't know. I'll have to figure it out. Anyways, all right. So if you were still listening at this point, then thank you very much.
Renee:We'll see you later.
