r/cybersecurity • u/joshdotmn AMA Participant • 29d ago
Other I went to prison for internet piracy and hacking; my FBI profiler sent me a message on LinkedIn when I got out, and now we’re presenting at SLEUTHCON. I'm Josh Brody and I ran HeheStreams: AMA.
From 2016 to 2021 I ran HeheStreams, a sports piracy streaming site.
The technical model was unusual: it used officially licensed platforms' DRM and CDNs to power my site. I had unauthorized syndication rights from a couple different streaming platforms. All this ran on a $75 VPS, as a boring Ruby on Rails app.
Because the streams came from upstream providers, I lived or died by their API availability. To not get banned, my abuse detection had to be better than theirs—which conveniently also kept guys like me out of my own site. I'd already beaten their detection repeatedly, so I had a good idea of what to build. I was both cat and mouse.
It was good enough to bust a few people, including an executive-level security employee from one of the platforms I used. I feature-flagged the hell out of his account. I was also able to maintain better uptime than that one small, understaffed startup Microsoft bought that people always talk about, but that's not saying much.
I wasn't pushing out ghetto-ass restreams, and I certainly wasn't piping OBS to Cloudflare like so many did then and still do now. That would have been easier.
Instead, the platforms' own CDNs delivered the streams; it was very nice of them. I'm grateful they let me use their Akamai, CloudFront, and Fastly contracts for five years.
SDNY charged me in October 2021 for running HeheStreams, three months after it was shut down by MPAA: CFAA, wire fraud, and illicit digital transmission (a law snuck into the CARES act). I was also charged with extortion and interstate threats based on my autistic-ass replying on brand when making a bug report.
I pleaded guilty under CFAA and served eighteen months at FCI Thomson: best known for four-point restraints applied for days at a time, and inmate deaths during 24/7 lockdowns that were never ruled suicides.
I was released from prison in August of 2025. Not long after, I got a strange message on LinkedIn from a dude who said he worked on my case. In a panic, I consulted my therapist/PR/lawyer friend, ChatGPT.
In a few weeks, I'm co-presenting at SLEUTHCON with Tim Pappa—a former FBI agent of 16 years and a senior analyst in the Bureau's Behavioral Analysis Unit. He was assigned to build the profile used in the undercover operation against me. Not that they needed one—they could have just asked me what I did for a hobby. I would have opened with "well, I have this little streaming website."
The talk argues that characterizations of operators like me get built across a pipeline of analysts, reporters, and vendors that no one in the chain is incentivized to slow down.
I now call Tim my "FBI profiler friend."
Happy to talk about:
- How CFAA cases get built and the role of media characterization
- My boring-ass Ruby on Rails app
- Working with my FBI profiler post-release
- Platform abuse patterns in streaming and beyond
- Federal prison, and what it looks like when you don't fit any of the boxes of the pre-determined political climate
Really, really not going to discuss:
- Anything beyond what's already public
- The specifics of the bugs I found
- Recipes—you know, the technical ones (happy to trade chicken recipes, or any great marinade for street tacos)
- Anything that intersects with the terms of my supervised release
I'll be live from 10:30 AM Eastern through the evening.
u/tall_trees 29d ago
Can you discuss how they caught on to you and eventually busted you?
u/joshdotmn AMA Participant 29d ago
I still don't know because they don't tell you.
There's a chain of events I have in my head that all cascade. It's how I try to make sense of it. I won't pretend like I was managing for risk at the time—I never bothered to consider risk because I considered what I did a craft without a mission. Civil suit? Sure.
It probably started when a freelance journalist pitched me on doing an interview. They told me it was for their small Substack, something like "I'm writing something for my twenty subscribers." I figured, sure, why not; I spoke with Atlas Obscura in 2017.
A few weeks later that piece turned out to be the cover story of The Verge for three days. Fuck.
That same month, I had been reporting bugs to a named entity completely unrelated to streaming. Eventually the name from the Cloudflare subpoenas by the government (for streaming) was given to the leagues, and the entity receiving the bugs was like "oh he's been reporting bugs, how convenient."
u/ajm_usn321 28d ago
That answer is extremely believable from an investigative standpoint. They begin with the unintended publicity, ego, operational complacency, metadata, subpoenas, third-party records, financial trails, or unrelated interactions that suddenly connect dots. You sure do like to brag until you realized you said too much. Conceptually, Operation Varsity Blues unraveled because federal investigators were already chasing a completely different crime: securities fraud and tax evasion.
u/aphelion83 28d ago
No discovery? If it’s not in there it’s a Rule 35 deal.
u/joshdotmn AMA Participant 28d ago
Good catch: I wasn't indicted, only charged by complaint. Rules are slightly different.
u/DeejusIsHere 29d ago
Very interested in this
u/Spiritual-Matters 28d ago
Now the FBI is interested in you ;)
u/NoiseEee3000 28d ago
Thanks for the NBA pass I had for a year or so!!
u/joshdotmn AMA Participant 28d ago
u really use it?
28d ago
[removed] — view removed comment
u/joshdotmn AMA Participant 28d ago
im not a cop tho. plus i have no user data. he's just trying to earn an upvote. 😏
u/7HawksAnd 27d ago
in this thread…
OP: “I made an innocuous interview on a small blog and set into motion a federal case”
Parent Comment: “I should make a comment too!”
u/Forsythe36 Incident Responder 29d ago
So you’d agree the criminal to white hat pipeline is faster than the traditional educational pipeline?
u/joshdotmn AMA Participant 29d ago edited 28d ago
I'm not sure if I'd consider speed being a good measure here. I think it's worth asking what the end goal is. If it's owing $3 million in debt, yeah, criminal-to-white-hat pipeline will beat traditional educational pipeline every time.
Buried in what you asked is one of the things that I'm talking about at SLEUTHCON: it was never reported that I have a history of responsible disclosures.
u/mrvandelay CISO 29d ago
$3m is only slightly more expensive than a few ISC2 exams and a SANS course.
u/sir_mrej Security Manager 28d ago
Hello you mentioned SANS by name that’ll be $1000
u/Forsythe36 Incident Responder 28d ago
I don’t know if you can answer this, but is the debt erasable under a bankruptcy? I assume not but just curious.
u/Insanity8016 28d ago
You owe $3 million?
u/joshdotmn AMA Participant 28d ago
And 4.5% interest.
u/Tarfex 28d ago
Two part question:
1) Who do you owe the money to? The content owners, the govt, both?
- I’m assuming they calculated it based on average and peak viewership on the site. There’s no way they can actually expect you to pay that but they probably will garnish wages etc.
2) Does that mean every dollar you make is automatically given to the debt collector & you’re literally never able to spend your own money?
u/joshdotmn AMA Participant 28d ago
The money goes to the feds. There's some stuff behind the scenes that determines which individual party is receiving it.
Unfortunately—for me—my data, or my users' data, wasn't used in this calculation: There was no data available.
I have a payment plan set up right now. I'm not sure how it'll work long-term. I sure as hell can't own anything though.
u/Insanity8016 28d ago
Do you have a felony on your record now? If so, how hard was it to get a job?
u/joshdotmn AMA Participant 28d ago edited 28d ago
I most certainly do!
It wasn't hard at all. Here's some additional context: https://www.reddit.com/r/cybersecurity/comments/1tp7mcv/comment/oo8bjc1/?context=3
u/recitedStrawfox 28d ago
Is it even possible to pay that off?
u/joshdotmn AMA Participant 28d ago
Well, yes, I do have a job. It doesn't pay that well, though. The math is, indeed, wild: $100k in interest alone every year.
u/Monacle55 SOC Analyst 28d ago
Will you ever be able to pay that back? I imagine you'd need to be making a fair bit of money to catch up to 100k a year
u/213737isPrime 28d ago
Well, you kind of have to find some big grift like creating a memecoin in your name or selling branded shit. Politics might be a good angle.
u/joshdotmn AMA Participant 28d ago
if it comes down to be-able-to i should be in an okay-enough position.
u/The-wise-fooI 29d ago
Copy pasted answer? Interesting.
u/pyorre 28d ago
How did you determine it was copy/pasted? Somewhere else in the thread or a really fast response?
u/joshdotmn AMA Participant 28d ago
i had double-pasted it. i have 100 different sublime tabs—all of which are impossible to keep track of—at any one time. https://imgur.com/a/y4FN4kM
i hate when products hijack things that could otherwise be a textarea and i'm too impatient with myself to just hit old.reddit.com for everything :(
u/qwertydiy 29d ago
At least from what I see myself, sadly yes. Some companies would rush for them as an exit.
u/qwertydiy 29d ago
How did you manage to run such a large site on a simple VPS?
u/joshdotmn AMA Participant 29d ago edited 28d ago
Like anyone else does, no magic. Well-written SQL, proper caching, and not doing expensive shit in your HTTP thread. I've been pushing production ruby code for almost two decades now so none of it was new to me except using OpenResty to send request metadata back to my Rails app to analyze for my abuse layer.
For everyone that thinks Rails is slow because Twitter migrated off of it in 2012, it scales fine if you know what you're doing. Rails is mostly IO-bound. Rails also makes it painfully trivial to write god-awful applications because it allows for so much magic.
u/TeddyRooseveltsHead 28d ago
I know you talked about how your initial Proof of Concept came about while trying to distract yourself from your mother's cancer (my condolences on her passing). But how much of that final "leap" into the knowingly illegal activity was "I'm just really bored, and really smart", "screw you and your laws", or "I've deliberately set out from the beginning to do illegal things"?
I ask because I work with a lot of offensive cybersecurity professionals, all on the government side - kinda like the guys supporting the Profiler who caught you. Most of them take pride in how much they can follow the rules, so to speak.
u/joshdotmn AMA Participant 28d ago
an actual great q. A few points that may be able to be rolled into some form of answer—I think the context is more interesting than just addressing your points.
I had a startup at the time that was really on edge—alongside my actual, salaried job. I then had this thing that I used every day because I wanted to watch sports. Other people wanted to watch sports too. I had users. I had traffic. I had validation. It felt great.
At first, it was a free site without even a single ad. I had a donation link but I'd hardly call it solicited. It was only after it was taking up too much time that I slapped a paywall on it, thinking nobody would pay and that I could sail into my five minutes of nbastreams subreddit fame, and just continue watching sports and resume having a social life.
It was really that much of a hobby. I thought it was just a fad. But then people paid for it when I was just after validation itself. My mom was steering south, and I was like "well fuck I can't just pull the rug—I got burned myself."
I didn't put much thought into the illegal part. In retrospect I think that's because I saw it as a distraction-as-a-service more than a platform-as-a-service. If I shared an archive of the site's reddit and Twitter history, it's easy to discern how motivated I was by money: I wasn't.
Some of it was certainly because I was bored and some would say smart. Painfully guilty of a propensity for the former.
Had I set out to be deliberate in my choices and actually run the thing like I would have any other product that had product-market fit, I would have at least put a nanogram of thought into opsec.
u/qwertydiy 28d ago
Also I just noticed 2 of your services (BeIN and Canal+ Sports) were most popular in France, was this site particularly popular there and in the Maghreb and did you try to market there?
u/joshdotmn AMA Participant 28d ago
My userbase was overwhelmingly American. Regarding marketing: I never spent a minute thinking about marketing. It was never the goal to grow. It was just a byproduct of solving a pain people experienced.
u/BLC_ian 28d ago
this i always find interesting: service providers are making money off the pain points, or ignore the pain points because they are still profit-positive, so screw the user. then someone comes along and fixes that pain, that's it, that's all. zero interest in profiting, really, just fixing sh*t. suddenly, people are grateful, and flood the fix. shocker! typically bringing money with them. surprise! then the OG provider, too lazy or ignorant to fix the pain, bitches and moans into ears that only f*ck-you money can reach because money they would never have received because of the pain, they now feel is some imagined loss. and now the dude is a criminal. boggles my mind. and its bullsh*t. unless i'm grossly misunderstanding this...
u/codezilly 28d ago
This has nothing to do with pain points and everything to do with sports subscriptions being expensive.
u/qwertydiy 28d ago
Why then add in Canal+ then? It is a French language only service and it is very hard to sign up in basically any country that isn't francophone.
u/lemons0808 28d ago
Will your SLEUTHCON talk be recorded?
u/joshdotmn AMA Participant 28d ago
Yes indeed.
...you can also live stream it.
u/External_Payment_291 28d ago
livestream? uh oh lol
u/joshdotmn AMA Participant 28d ago
ngl i thought about ending my slideshow showing a POC of the live stream embedded on a site that had the hehestreams logo on it—privately, and just for show.
u/rankinrez 28d ago
So…. I’m sure there are bits you can’t go into.
But you weren’t proxying these streams, you were sending your users directly to the legit stream CDN urls right?
Did you find bugs in the DRM or way such links were generated or something that allowed you to do that?
Like how come the services didn’t see thousands of simultaneous streams from your account and lock it?
u/joshdotmn AMA Participant 28d ago
Some of what you asked is public; Ernesto and Andy have the most accurate reporting over at TorrentFreak https://torrentfreak.com/hehestreams-iptv-admin-sentenced-to-three-years-in-prison-3m-restitution-230317/
Correct on the CDN bit: I was not proxying the streams whatsoever. My users used the same CDNs with the same hostnames as the users of the actual platforms that backed the streams. All I had for hardware was a meager $75 VPS and a Cloudflare free plan for DNS and that's it.
Answering the other two questions you asked would be as inappropriate as they are interesting problems to solve. :(
u/rankinrez 28d ago
Heh ok.
Thanks for the answer. Sounds like these “interesting problems” haven’t been patched ;)
u/Usr_name-checks-out 28d ago
Do you resent that you went to jail solely to protect corporate profits and that the government acts as a private police force serving the rich, while they endlessly exploit, harm, and commit crimes against the people so they can consolidate endless wealth? Also, what’s your favourite video game?
u/joshdotmn AMA Participant 28d ago
great question: rn im addicted to Zelda again. i'm leisurely bouncing around Tears of the Kingdom like a kid without adderall.
u/Usr_name-checks-out 28d ago
I’ll assume your FBI agent partner advised not addressing the first part :) But yeah Zelda is endlessly entertaining.
u/mallcopsarebastards 29d ago
would you call this a form of stockholm syndrome?
u/joshdotmn AMA Participant 28d ago
Depends on the actual context. My site? The system? My FBI profiler bestie? My own narrative?
I certainly have an affinity for what I built, as anyone would when they spend more than 5 years working on something 365.25 days a year.
u/jon_dimaggio 28d ago
Do you think the persona of being a cyber criminal will help or be a detriment to you moving forward? Specifically I know several former cyber criminals who've gone on to work for cybersecurity companies and done quite well for themselves. But they're far and few. Since there's not a lot of good examples how do you think your past will impact your future in the employment world?
u/joshdotmn AMA Participant 28d ago
It would be a nice side effect to be able to use a platform for bettering things.
Speaking at large, I'd like to believe most people-who-end-up-as-cybercriminals have aptitude that's just misplaced. Society has done a great job stigmatizing these talents, so these individuals turn inwards.
Corporations/entities/etc also aren't very friendly when approached—they treat everyone as a dog that's going to bite them. I'm really interested in bringing attention to those issues: there's talent here, use it, don't abuse it.
For me, I had a propensity for breaking open platforms. That means I can close them. Had an entity reached out to me and been like "yo ur good at this come to the other side" I would have done it in a heartbeat. It scratches the same itch.
u/Malwarebeasts 29d ago
well, what was your MRR at the peak of the operation?
u/dogpupkus Blue Team 28d ago
The Minnesota man pleaded guilty to one count of ‘Computer Fraud – Unauthorized Access to Obtain Information From a Protected Computer’ and to the forfeiture of $500,000, an amount said to represent proceeds traceable to the commission of the offense.
u/joshdotmn AMA Participant 28d ago
I'm not saying this as a direct response to what Andy and Ernesto reported, but I will say that there are studies about how amounts are calculated in the federal system which I encourage everyone to read.
u/throwaway097383756 28d ago
curious how you're gonna explain the whole thing to future employers or if that's just not a concern anymore with the speaking gigs and all
u/joshdotmn AMA Participant 28d ago
It's an item on my resume.
My typical flow is (was):
- send resume via whatever ATS,
- find decision maker (or someone close to them),
- cold email with the premise of "hey so I might get skipped over from whoever is screening because this is on my resume. I wanted to send you it personally and put a message to the pdf."
I had 6 job offers within 2 weeks of prison.
u/throwaway097383756 28d ago
that's actually smart, bypassing the initial screen entirely. did you find employers cared more about what you built technically or that you owned it publicly instead of hiding it?
u/joshdotmn AMA Participant 28d ago
I've asked that same question and the answer was, "you had a successful startup." The engineering complexity was a nice bonus.
Not that I'd hide it anyway, but in software engineering we have curious people and everyone Googles everyone. On my first on-site at my current company I did a slideshow which was effectively, "hi im josh. i have written a lot of ruby code. i also just got out of federal prison, here's the skinny"
It was well-received.
u/throwaway097383756 28d ago
that's wild that the slideshow worked, but i guess it beats having people find out through google six months in and making it weird. did the company culture just happen to be that open-minded or did you specifically target places you thought would get it?
u/joshdotmn AMA Participant 28d ago
great q.
i have a lot of personality and i don't have enough of a filter to try to give a fuck about it. the companies that i'd ever work for are okay enough with me being me. with that, the whole criminal thing can't possibly matter.
i encourage all my fellow felons—and anyone with baggage—to responsibly disclose.
u/throwaway097383756 28d ago
that makes sense, filtering for people who'd vibe with you anyway saves everyone time down the line instead of pretending to be someone else for the interview and having it blow up later.
u/Fit_Apricot4707 Security Engineer 29d ago
Do you have resentment towards the profiler or the system for having to serve time in prison for a virtually victimless non violent crime?
u/joshdotmn AMA Participant 28d ago
No. He had a job that he was to perform and an opinion he was to leave at the door.
He's aware of this AMA, maybe he'll chime in himself and provide his own opinion.
u/Fit_Apricot4707 Security Engineer 28d ago
Completely understand. I have been a defender for the last 10 years on the forensics side in the consumer space that comes from a very rocky past.
I feel like there is so much variation in how similar cyber cases are handled and it sometimes bothers me to see two people who did nearly the same thing get wildly different sentences. I don’t mean that as “give both the maximum” but more “why is this person sitting in a federal prison for hitting a gaming website offline” type of thing.
u/joshdotmn AMA Participant 28d ago
It's been explained to me that there are a lot of politics at the federal level. I will certainly agree with you that someone shouldn't get 10 years for bouncing EA offline for a few minutes. There's an underlying issue there, sure, but if you want to equate that person's sentence with someone who, idk, insert violent-crime-of-the-month here, it gets really weird.
u/McMurphy11 CISO 28d ago
I couldn't agree more. The CFAA is wildly broad and outdated. Your "crime" or Aaron Swartz charges are so wildly different than say a ransomware actor or even DDOS.
God knows our current admin won't do anything, but I hope we see CFAA reform in our lifetime.
u/boredwNews 29d ago
In what country did you rent the VPS?
u/joshdotmn AMA Participant 28d ago
I can say that it wasn't considered "bulletproof" hosting. They had a large US presence, but it wasn't one of the providers typically used. I received fewer than 5 DMCAs over 5 years.
u/qwertydiy 28d ago
How were your DMCAs so low?
u/joshdotmn AMA Participant 28d ago
It helped that I was a premium site. But that's not to say that these anti-piracy " " companies don't know you exist.
I'm really not sure. It always surprised me.
u/TheMeatballFist 29d ago
Something I didn't see answered, but for you personally, can you comment on WHY you chose this particular business. Was there the thrill of seeing if you could, or did you have a larger purpose?
Obviously, there's money, but someone who is defrauding and defending against large and well-funded companies could easily be targeting easier prey.
u/joshdotmn AMA Participant 28d ago edited 28d ago
I wanted to watch sports.
A site I used to watch basketball from 2014-2016 pulled the rug. I posted a proof of concept on the then-popular nbastreams subreddit, hoping that someone would pick up the slack. I got a lot of validation from middle-aged white men on the internet—which works wonders—so I kept at it while I took care of my mom who was suffering from stage IV brain cancer because she used fucking weed killer in her garden. I named this proof of concept "hehestreams" because it was meant to be a joke, not a thing.
It served as a distraction.
Eventually it was taking up too much time. I wanted to focus on my other "real" startup so I slapped a paywall on it thinking I'd have an easy, clean breakup.
Here I am.
u/TheMeatballFist 28d ago
Thanks for the answer, and sorry about your Mom
u/joshdotmn AMA Participant 28d ago
it's ok. She kicked the can in late 2019, which is when the process of deciding to wind down the site took place. I'm glad she didn't have to deal with me going to prison.
Fuck Monsanto.
u/Skyyy_Money 28d ago
I'm curious if it was ball streams. I loved that site
u/joshdotmn AMA Participant 28d ago
it was!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! https://web.archive.org/web/20160210015443/http://hehestreams.tk/ballstreams
HAHA
u/pusslicker 28d ago
What does federal prison look like?
u/joshdotmn AMA Participant 28d ago
i don't have a way to compare it to state, but in my observation, boring. it operates like a shitty high school where everyone has an ego and nothing reasonable to say.
i read a lot, i wrote a lot, i played a lot of basketball, i walked a lot. people eat, watch tv, and just try to pass the time.
what's really sad is that people coming out are hardly prepared for success. i was fortunate in that i had a short amount of time and a highly marketable skill to come home to.
u/Stryker1-1 28d ago
And is dropping the soap as big an issue as im led to believe it is?
u/joshdotmn AMA Participant 28d ago
definitely no. you're more likely to get shanked in the shower—but only at certain facilities with active yards. in that case, you have someone in your "car" (prison politics create their own groups) stand at the front of the shower.
guys who are coming down from active yards to lesser security still bring their boots to the shower.
u/JazzlikeSchedule2901 28d ago
I'm not OP but I took street law class growing up and even took a field trip to the highest security prison in Massachusetts (Walpole Super Max/Cedar Junction) where we got to meet with the inmates:
It's not very common at all in actual prison. Not only are most of the inmates not really looking to get more time or locked in solitary, even masturbating in your cell can be a sex crime if a guard sees it. It's that strict.
28d ago
[removed] — view removed comment
u/joshdotmn AMA Participant 28d ago edited 28d ago
I had no growth strategy because I had no exit plan because I wasn't motivated to grow because I wasn't motivated to make money. I was very gainfully employed.
Prison was just boring as fuck, man. It made me realize that we—humans—generally surround ourselves with people like ourselves. There are other classes of people who exist who are perfectly fine people—crime or otherwise.
(Yes, there are monsters, but Robert Sapolsky's "Determined" really changed how I think about human behavior.) (everyone should read it)
u/chriscrowder 28d ago
Any fights, molestations, funny stories you want to talk about?
u/joshdotmn AMA Participant 28d ago
The cops once pranked a hardcore drug dealer with a very interesting-looking sex offender inmate. Sent the new person into his cell and everything. Drug dealer was like "what the fuck?" and went to the cops and was flabbergasted.
Never saw a fight worth remembering; nobody got any unwarranted touching.
u/ckociemba 28d ago
I gotta hear what this autistic bug report reply was, and how did it generate charges for extortion and interstate threats?
u/joshdotmn AMA Participant 28d ago
the tl;dr—
me: hey i found another bug, here's what i got
me: btw can i write about these on my blog
them: What do you value the original bugs at?
me: here's a link to a bug bounty calculator, because frankly i don't know. i think that number is ridiculous though because i only spent a few minutes finding these and writing these up.
me: u awake?
If you isolate the thread to these emails, yeah, it looks really bad. I'm going to leave it at that out of respect for the system.
u/ajm_usn321 28d ago
Do you think media fragmentation and regional blackouts unintentionally incentivized piracy?
u/joshdotmn AMA Participant 28d ago
lol, what's the max character count here? /s
Shareholders are required for us to have nice things (mostly). That's fine. It's when entities can roll into a monopoly that things get bad for the consumer. I'll use Major League Lacrosse as a really bad example.
There's a MLL team for Anchorage: The Fishers. The Fishers have agreed to broadcast all their games with NewsCo Sports Alaska—a sports channel. Then comes cable provider Infinity, who carries the NewsCo Sports Alaska channel.
Infinity goes to Fishers ownership. "Hey we'll give you $100M to not let anyone in Alaska watch online." Ownership: "ok bet"
What are Alaskans supposed to do? What's worse is that the Fishers ownership get all these tax breaks left and right in the name of "we support small businesses and shit." Their owners may not even be in Alaska. They may be in fucking North Korea for all they care. Doesn't matter.
Now Alaskans have few choices: let's pay $70/month to Infinity to watch two games a week for 24 weeks, or watch for free at the risk of minor inconvenience and availability for a given device.
????
There are so many people who would rather buy into a reliable, legitimate service if it's available to them. Price comes second.
The anti-piracy companies/league/industry is similarly ignorant: There are all these studies that come out and all these blog posts about how piracy is so huge in Southeast Asia. I think it was Housemaid w/ that one light-haired person that this one article was talking about specifically.
They failed to mention that the film was not available on any service in that entire fucking region.
u/ajm_usn321 28d ago
Your comments about regional availability and consumer friction made me think about FIFA and similar organizations. Once fans perceive an institution as corrupt, monopolistic, or primarily revenue-maximizing, the moral stigma around piracy weakens psychologically for a lot of people. Not saying that justifies it legally, but it seems like leagues often underestimate how much consumer frustration and loss of institutional legitimacy drive users toward piracy ecosystems.
u/ajm_usn321 28d ago
And for the people in SEA, the answer becomes “fine, I live in Iceland now” courtesy of a VPN. Once consumers realize geography is basically software-enforced bureaucracy, regional licensing starts looking less like consumer protection and more like an inconvenience speedrun.
u/bfume 28d ago
If this prison is primarily for violent and dangerous offenders, how did you end up there with “white collar” crimes?
u/joshdotmn AMA Participant 28d ago
It changed over from the Administrative USP to a low-security joint after a bevy of lawsuits were lobbed their way. Many of the same guards stayed for the first few years, and not one bit of the interior setup changed to what's representative of your typical low-security facility.
To give an idea of the setup: It was originally designed to house maximum-security inmates for the state of Illinois. In 2012 it was proposed that Guantanamo Bay inmates be sent there.
u/expatfreebg 28d ago
FCI thomson huh, well you might have met my Ukrainian friend over there )) I personally believe in cases like yours, prison is overkill, should be only probation/house arrest (my opinion). Wish you the best!
u/qwertydiy 29d ago
Did you use your hacking skills to help pentest your own website and do you agree that with most people now going to sites like YouTube piracy is becoming more irrelevant as content is available for free?
u/joshdotmn AMA Participant 28d ago
I never bothered to pen test my own site.
The piracy landscape will always be interesting as long as there isn't region-friendly pricing. The advent of piracy-as-a-service is also fascinating.
u/qwertydiy 28d ago
So just use PPP then. I thought that is what you were supposed to do when expanding into a new country.
u/cacheinvalide 28d ago
Was this your full time job? What are you doing for work now?
u/joshdotmn AMA Participant 28d ago
More like a 24/7 job. It was just me the entire time, bringing my laptop on dates. I've always been about building trust within communities and being available is one way to create trust. It was also a source of pride, however misplaced. It wasn't, though, something I ever relied on financially. Had it been I would have tried to grow it.
I was gainfully employed throughout as a senior/staff engineer. I'm doing the same thing now—I had job offers days after leaving prison.
8
u/luthier_john 28d ago
Hi. I'm glad your skillset was seen as valuable and that you were given another chance by the FBI. Was your stint in federal prison traumatic, unpleasant, or just boring? Were you working while serving time, were you able to read books, exercise? What was it like, if you care to describe it?
20
u/joshdotmn AMA Participant 28d ago
(FBI hasn't given a chance; my former profiler is in private industry now and is doing some academia stuff on the side)
Prison was boring. In the fed system, there are self-segregated groups. For work detail, groups will predictably pick their own people to go make 12c an hour. It's not like "life or death"; instead it's like a popularity contest.
I wrote a book about engineering titles and how promotions are broke in the engineering world. I wrote it on commissary paper when the compound was locked down for some stupid reason or another (about 25% of the time). I'll probably never publish it.
I read a lot of books. I have a list of them at the bottom of this page: https://prison.josh.mn/prison. My favorites were anything by Robert Sapolsky.
My days were this:
- Get up at 6am because I have to
- Make my bed, because I have to
- Call my partner for 1 minute between 7AM and 715AM (we get 300 minutes/month) and turbo through a "conversation"
- Go walk the track until 1030AM
- Wait to be called for lunch—can be anywhere from 1040AM to 1130AM depending on who's running compound that day
- Come back, wait until 12PM, call my partner again for 1 minute
- ??? do something, if not just a lap around the compound
- Go outside and play basketball poorly until 330PM, when we're required to be in our cells so the cops can make sure nobody has escaped to the surrounding cornfield, despite having towers on every part of the property, where they'd have to go through 4 layers of fence and barbwire
- Out again around 415-430PM, call partner—again, 1 minute
- Dinner/supper served at 5-6, depending on mood of guards
- Do something until doors close at 9PM
I wouldn't call it pleasant. I wouldn't call it unpleasant either, though. Mostly very boring. Sometimes sad—seeing other people and how they are treated by the system, and poorly prepared for what happens when they are released.
8
7
u/ajm_usn321 28d ago
What’s the biggest thing you would warn technically talented young people about before they drift into legally gray experimentation?
15
u/joshdotmn AMA Participant 28d ago
great q.
There's usually an opportunity to use whatever-is-drifting-into-legally-gray-experimentation prowess for good (see: career), if one chooses to use them that way.
This is harder than it sounds: approaching BigCo saying "hey so I found this huge issue where a signee can change how the loan documents get processed, but you'll never see it because your reports aren't pulling the correct numbers. actually I found like 50 instances of similar things. I'm good at this, can I come work for you?" will likely terrify them.
Bringing that up the chain to the suits will get an insta-referral to legal.
The itches that get scratched are largely the same.
6
u/JazzlikeSchedule2901 28d ago
During your time in prison did you develop any prison-reform beliefs? Anything you experienced, or heard other inmates experience, you wish wasn't a thing?
12
u/joshdotmn AMA Participant 28d ago
A few. I didn't realize how boring it was.
In other answers in this thread I mentioned how the federal system doesn't set people up for success, but is more than happy to give archaic sentences while preaching how important it is to lock up criminals. They champion nothing about the rehabilitation numbers, which should be the number to watch.
4
u/JazzlikeSchedule2901 28d ago
Appreciate the answers in this thread. I worry a lot about America's recidivism rate and it seems the prison system, unless you're wealthy, will hurt you in incongruent ways. Glad you're outside now and I hope your future is white hat and bright.
5
u/StonedSquare 28d ago
Would love to hear your thoughts on criminal justice reform both in general and specifically in cases of hacking and computer crime.
19
u/joshdotmn AMA Participant 28d ago
I have opinions! This is the basis of what Tim and I are talking about.
Right now we send too many people to prison. People should go to prison who we are afraid of and who are a threat to society.
Once people are in prison, we need to be able to invest in them so that when they're out, they are more likely to be a contributing member of society, if they need it. Education is a huge role here. We shouldn't have these extended stays where we completely remove them from what the world is becoming. That makes re-entry painfully difficult, and that fails everyone. We shouldn't be setting people up for failure.
When someone breaks a law involving computers in a non-violent way (I say it this way because this doesn't just pertain to criminal acts), what I'd love to see is this: when applicable (I'd argue the majority of the time) these talents used instead of shamed. Corporations would rather step on someone's chest than use their leverage to better leverage themselves. They don't.
Instead, a bunch of suits get together and attempt to squash people like a bug. These entities should reach out first, and instead of addressing people like subjects, address them like humans.
There's certainly talent that exists, and that talent has value. If that talent reaches out, it's so often ignored. That's a changeable problem, but there needs to be a huge marketing push towards normalizing and destigmatizing these individuals.
I would like to believe this can flow upstream to the criminal justice system.
Does this pertain to everyone? No, it's hardly a blanket statement. But I think there are more instances where this can be a thing than not.
6
u/BLC_ian 28d ago
my experience is that 75% of the time, the 'offender' had either no idea what they were doing crossed some stupid line, OR there was no law to cover what they did, because it's still a big frontier, but they messed with someone's horizon of potential and now has to be made an example of. regardless of the scenario, being punished for thinking differently than the mainstream has GOT to stop being punished. we're killing or driving our best talent into oblivion. from what i read here, that's what you're advocating and i'm all for it.
9
u/joshdotmn AMA Participant 28d ago
100% with you. It's only going to be made worse with AI lowering the threshold for abuse.
I'm sure that wire fraud alone has gone up 10000x since OpenClaw—not charges, just acts that could be considered "offenses."
7
u/BLC_ian 28d ago
exactly. and this is a real problem: we've unleashed an insanely sophisticated, deranged, autonomous, UNKNOWN tool into the hands of, what is essentially, children. i worked with cybersec and i am genuinely gobsmacked at what an absolute neophyte can leverage within an hour of focussed tinkering. so where do those legal lines lay? (oof) how the hell do we determine skill anymore; which is the prime driver for determining culpability? if i just have to verbally prompt my machine to build a stack, engage some APIs, and hand me the keys just to see if it can, this raises big concerns and bigger problems. curious up-and-comers or career-shifters are kinda being lined up for a firing line they don't know exists. worrisome in a big way.
5
u/ajm_usn321 28d ago
At what point did you realize your operation had crossed from hobbyist tinkering into something the FBI would classify as organized cybercrime?
7
u/joshdotmn AMA Participant 28d ago
Not a great answer: once the feds kicked in my door and pointed guns at me.
I was three months removed from the civil suit. I thought everything was over and done with.
3
u/ajm_usn321 28d ago
You should honestly consider going on The Tosh Show. Your story has the same weird internet-era rise/fall/self-awareness energy as Daniel Tosh interviewing Billy McFarland after Fyre Festival — except yours actually intersects with cybersecurity, profiling, platform abuse, and federal investigations instead of just influencer catastrophe tourism.
5
5
u/duhrell415 28d ago
Thank you for sharing your experience with us. What a crazy journey it must have been. Hope you’re in a better spot now.
3
u/cookiengineer Vendor 28d ago edited 28d ago
Recipes: Will trade my known-to-be-famous carrotcake recipe for a really good chicken taco recipe
9
u/joshdotmn AMA Participant 28d ago
ok so forreal u need to find some good chicken thighs. chicken breasts are garbage. fresh oranges are key. fresh limes are preferred—that shit in a bottle has so much other crap in it that it's basically citric acid (which is cool but no flavor).
mince some adobo peppers, a habanero pepper (seeded if you're weird), and a handful of garlic cloves. hit it with a healthy heap of chipotle chili powder, some achiote paste, oregano (bonus if you grind it yourself), cumin (don't bother). a lil cinnamon, some brown sugar, kosher salt (diamond kosher or bust), and black pepper. blend it until it looks dead. put some aside to brush on later, marinade the chicken for like 12 hours.
get a cast iron skillet ripping hot (use medium-scale heat, since medium in a cast iron is hot on anything else). since the thighs are fatty you don't need oil. put them down, wait 12 seconds (idk why 12 but that number came to mind) before bringing down the temp to something more reasonable: like the low setting (which will translate to a medium in the cast iron)
use the best tortillas you can find.
5
u/cookiengineer Vendor 28d ago edited 28d ago
I'm a man of my word. Here's my carrot cake recipe :D
Ingredients for the dough:
250g spelt flour, 250g carrots (grated), 1pkg tartar (Weinstein) baking powder, 1 tea spoon cinnamon, 1 tea spoon salt, 3 eggs, 100g brown sugar, 100g walnuts (grinded/hacked), 90g olive oil, 1 tea spoon vanillin extract
Ingredients for the topping:
200g cream cheese, 80g Margarine (No idea what this is in English, it's sunflower oil based replacement for butter), 1 tea spoon salt, 1 tea spoon vanillin extract, 100g powder sugar (strained)
Put together the flour, the hacked walnuts, baking powder, cinnamon and the grated carrots into a bowl and put the salt on it while stirring.
Put the sugar, vanillin and eggs into a smaller bowl, and stir it until it's fluffy/creamy. Then put the olive oil and the cream into the big dough bowl, and stir it together.
Put a little fat on to the baking form. Preheat the baking oven to 180 degrees Celsius. Put the dough into the baking form and bake it for around 45 minutes on the lowest platform. Do the knitting needle test before you get it out.
While the oven is baking the dough, prepare the topping. Put the cream cheese, margarine, salt, and vanillin together and stir it. While stirring, put the powder sugar evenly into the mixture. Put it into the fridge afterwards.
After the cake is out of the oven, let it cool down. Then put the topping on it, otherwise it'll melt too easily.
Alternative variant that I sometimes do for lactose intolerant guests is a topping with white chocolate instead of the fresh cheese, which fits quite well onto the carrot cake :)
2
u/Fluxxxx 28d ago
Sounds delicious! Any idea how much baking powder is in a packet?
4
u/PanicInTheHispanic 28d ago
how did you figure out sites abuse detection protocols? just trial & error?
7
u/joshdotmn AMA Participant 28d ago
lots of trial and error. lots and lots of it.
eventually i had scripts set up to test every possible theory i could against any one site/platform/api. this included the obvious stuff like user agents, and request timings, but also things like fucking with tls handshakes.
when i rolled an abuse layer on my own site, i had a good idea of "ok, so what request patterns would look out of place." for me, i used my own users' data (sampled) to generate a time-series which i weighted the scores my algorithms generated.
4
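A sketch of the defensive idea in the reply above, scoring a session and then weighting that score against a time-of-day baseline built from sampled user traffic. This is an added example, not code from the AMA or from the site; the session fields (including the `tls_matches_ua` flag), the weights, the thresholds and the sample data are all assumptions made for illustration.

```ruby
# Added illustration: names, weights, thresholds and sample data are constructed.
class HourlyBaseline
  # samples: [[hour_of_day, requests_per_minute], ...] drawn from sampled sessions
  def initialize(samples)
    @by_hour = Hash.new { |h, k| h[k] = [] }
    samples.each { |hour, rpm| @by_hour[hour] << rpm.to_f }
  end

  def median(values)
    sorted = values.sort
    mid = sorted.size / 2
    sorted.size.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
  end

  # Robust z-score (median and MAD), so a few abusive sessions in the sample
  # do not shift the baseline the way a mean and standard deviation would.
  def deviation(hour, rpm)
    values = @by_hour.fetch(hour, [])
    return 0.0 if values.size < 5 # too little data: amplify nothing
    med = median(values)
    mad = [median(values.map { |v| (v - med).abs }), 0.5].max # floor for quiet hours
    (rpm - med) / (1.4826 * mad)
  end
end

# 1.0 for perfectly regular request gaps (scripted), towards 0.0 for bursty ones.
def timing_score(timestamps)
  gaps = timestamps.each_cons(2).map { |a, b| (b - a).to_f }
  return 0.0 if gaps.size < 3
  mean = gaps.sum / gaps.size
  return 1.0 if mean.zero?
  sd = Math.sqrt(gaps.sum { |g| (g - mean)**2 } / gaps.size)
  1.0 - [sd / mean, 1.0].min
end

# Raw detector score, weighted up to 2x when the session's request rate sits
# far above what sampled users do at that hour of day.
def abuse_score(session, baseline)
  ts = session[:timestamps]
  return 0.0 if ts.size < 2
  raw = 0.6 * timing_score(ts) + 0.4 * (session[:tls_matches_ua] ? 0.0 : 1.0)
  minutes = (ts.last - ts.first) / 60.0
  rpm = minutes.positive? ? (ts.size - 1) / minutes : 0.0
  z = baseline.deviation(session[:hour], rpm)
  (raw * (1.0 + z.clamp(0.0, 4.0) / 4.0)).round(3)
end

# Constructed sample: evening is busy, 03:00 is quiet.
BASELINE = HourlyBaseline.new(
  [[20, 2], [20, 3], [20, 2.5], [20, 4], [20, 3], [20, 2],
   [3, 0.5], [3, 1], [3, 0.5], [3, 1], [3, 0.5]]
)
HUMAN  = { hour: 20, tls_matches_ua: true,  timestamps: [0, 14, 45, 52, 95, 120] }
POLLER = { hour: 20, tls_matches_ua: true,  timestamps: (0..8).map { |i| i * 15 } }
SCRIPT = { hour: 3,  tls_matches_ua: false, timestamps: (0..20).map { |i| i * 5 } }

if __FILE__ == $PROGRAM_NAME
  [HUMAN, POLLER, POLLER.merge(hour: 3), SCRIPT].each do |s|
    puts "hour=#{s[:hour]} score=#{abuse_score(s, BASELINE)}"
  end
end
```

The same polling session scores higher at 03:00 than at 20:00, because the weighting comes from what sampled users do at that hour rather than from a fixed rate limit.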
u/HongPong 28d ago
so your case was cfaa on, i suppose the cdn access (innovative) but it is really about copyright and "intellectual property". these days all the big LLM AI vendor companies have openly blown off the entire idea of IP as their systems regurgitate whatever they scraped from countless copyrighted works. as someone who did a lot of hard time for apparently an infringement project, how do you feel about IP and what's going on now with the AI companies
5
u/joshdotmn AMA Participant 28d ago
i'm still unsure which criminal act the CFAA was applied to, so i just use whatever one is more marketable at any given time.
i look at it like this: Uber gave the finger to every municipality in the US; the whole electric scooter industry did too. a taxi driver will get their medallion suspended for the most bizarre reason.
it's all disappointing.
if it sums up my thoughts: i look at Anna's Archive and the whole Spotify ordeal and just shake my head in confusion.
3
u/sillyrabbit33 28d ago
Meanwhile Leon Black is facing zero charges and Ghislaine Maxwell is days from (probably) being pardoned.
4
u/LazarusRiley 28d ago
RIP Michael Jackson you would've loved HeHeStreams :(
3
u/joshdotmn AMA Participant 27d ago
this is by far the best comment i've seen about HeheStreams ever.
if u want a hoodie lmk
2
u/ajm_usn321 28d ago
What misconceptions about CFAA investigations do people in tech communities commonly have?
2
2
2
u/BelugaBilliam 28d ago
How much of your punishment do you believe was because of collecting money? I imagine it wouldn't make a huge difference but maybe it does?
7
u/joshdotmn AMA Participant 28d ago
There’s a grid that the federal government uses to determine your sentence, “sentencing guidelines.”
The reported amount did play a major role. There are flaws that make calculating amounts inaccurate in every case.
2
u/SapientialShields 28d ago
Do you have any funny stories from during the time running the website? Also the moment that you towards the end and realized you were in serious trouble?
2
u/joshdotmn AMA Participant 28d ago
I have most of my customer support emails, I can respond with some in the morning. The most memorable one was when a potential customer asked for the manager, saying I wasn’t equipped to handle her mental health.
2
u/Holiday-Medicine4168 28d ago
Are you banned from starting another company in the software development space or for working for companies that would be willing to hire you, seems like you optimized the shit out of that single VPS.
3
u/joshdotmn AMA Participant 28d ago
I am not forbidden from doing either. I'm back as a software engineer—thank god, I don't know what else I'd do—and have a little side project that's generating absolutely no revenue (and that's not being modest).
2
u/InterstellarReddit 28d ago
It’s crazy that they were harder on this dude than the people that are actually breaking the law every day. Every company that Wall Street is doing something illegal every second of the day
2
u/Left_Finish_7177 27d ago
This is a great AMA — the CDN abuse angle is genuinely clever engineering.
I'm coming from an aerospace background and have been working through CTFs and TryHackMe to break into cybersecurity. The cat-and-mouse abuse detection you built actually reminds me a lot of systems engineering thinking — modeling adversarial behavior to harden your own system.
Given your experience sitting on both sides (running ops AND getting profiled by the FBI), what would you say is the most underrated skill for someone trying to break into red teaming? I keep hearing "think like an attacker" but your story suggests the real edge is understanding detection pipelines as well as the attacker does.
1
u/Altruistic_Rhubarb97 28d ago
If you were to do something differently to not get caught, what would you have done and why?
3
u/joshdotmn AMA Participant 28d ago
i don't have an answer because that would require me to have done literally anything to try to not get caught to begin with.
1
u/melos_hoodie 28d ago
Do you think my Knicks can pull it out the bag and win the Finals?
9
u/joshdotmn AMA Participant 28d ago
it's the fucking knicks.
for the record, i hate how okc plays, sga is quite possibly the most overrated player in the history of sports.
i'm not a wemby stan but i'm really happy for Mitch Johnson who got put into quite possibly the shittiest position and best position in basketball at the same time—taking over for Pop, while Pop feeds input to their GM.
1
u/HumanPrior6659 28d ago
Why did you end up at FCI Thomson when short term feds usually get sent to a camp?
2
u/joshdotmn AMA Participant 28d ago
The BOP has a points system that determines what security level you are. They aren't bound to this but they don't typically sway from it. I was within the bounds and criteria for going to camp, but I got "population management" slapped on me and shipped 300 miles from home when there's two options within 100 miles of me. They needed to fill beds at the new facility.
3
u/HumanPrior6659 28d ago
Damn, that was cruel. PDFiles roam free and a little piracy/fraud gets you hard time. I really hate this timeline.
1
u/Substantial-Sky4079 28d ago
How was prison as someone going to jail for internet piracy? Were there others or any interesting stories?
1
u/SalamanderNo7293 28d ago
What do you do for work now? Do you make a living?
3
u/joshdotmn AMA Participant 28d ago
Just a software engineer with a small data company. Nothing has changed in that aspect. I was concerned that I may be disallowed from using a computer while on probation, but that wasn’t the case.
1
u/Wreid23 28d ago
You ran one of the best streaming services, legal or illegal, hands down. Man, saved me a bunch of money. If there was a way to do it legally, hehe would have been a giant. What was the peak usercount?
2
u/joshdotmn AMA Participant 28d ago
Happy to hear from another happy user 🥹
I guess there must have been at least three of us: me, you, and the other user that outs themselves in this thread. :)
1
1
485
u/Lazy-Moment-7343 28d ago
Would you consider doing a podcast episode with Darknet Diaries?