CANNABIS VILLAGE - Cruising the Cannabis Hiiighway: A Series of Major Breaches in Cannabis

Video thumbnail (Frame 0) Video thumbnail (Frame 1320) Video thumbnail (Frame 2212) Video thumbnail (Frame 15213) Video thumbnail (Frame 17002) Video thumbnail (Frame 19445) Video thumbnail (Frame 20421) Video thumbnail (Frame 21138) Video thumbnail (Frame 23396) Video thumbnail (Frame 25491) Video thumbnail (Frame 30157) Video thumbnail (Frame 31865) Video thumbnail (Frame 32937) Video thumbnail (Frame 33783) Video thumbnail (Frame 34523) Video thumbnail (Frame 36029) Video thumbnail (Frame 37009) Video thumbnail (Frame 38468) Video thumbnail (Frame 40772) Video thumbnail (Frame 42113) Video thumbnail (Frame 45268) Video thumbnail (Frame 46037) Video thumbnail (Frame 46743) Video thumbnail (Frame 49505)
Video in TIB AV-Portal: CANNABIS VILLAGE - Cruising the Cannabis Hiiighway: A Series of Major Breaches in Cannabis

Formal Metadata

CANNABIS VILLAGE - Cruising the Cannabis Hiiighway: A Series of Major Breaches in Cannabis
Alternative Title
Cruising the Cannabis Highway: Major Breaches in Cannabis Software
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Case studies of breaches in Cannabis Software. Recently a major Cannabis POS provider found itself on the business end of a sophisticated digital attack not once, not twice, but thrice. Or maybe four times; Poor disclosure policy and a lack of transparency made it hard to tell. A large portion of all dispensaries in the country were forced to enter sales by paper, spreadsheet, or to close their doors temporarily when this software was crashed by attackers. Government contracts were lost. All eyes are on the industry right now and, given its precarious federal legal status, the next moves made will be crucial. What mightve actually happened? How far beyond the carefully prepared press releases can we see by using OSINT, Social Engineering, source code analysis,and some good ol fashioned scripting & hacking? What makes the Cannabis industry a hotbed for this kind of behavior? Lets umm....answer those questions!
Series (mathematics) Web-Designer Hacker (term) Series (mathematics) Software developer Right angle Software industry Information security Front and back ends
Suite (music) Presentation of a group State of matter Multiplication sign Insertion loss Client (computing) Likelihood-ratio test Mereology Software bug Cuboid Information Website Extension (kinesiology) Information security Physical system Area Cybersex Service (economics) Shared memory Sound effect Digital object identifier Flow separation Process (computing) Touch typing Internet service provider Chain Self-organization Website output Right angle Moving average Quicksort Hacker (term) Physical system Spacetime Point (geometry) Trail Slide rule Statistics Freeware Moment (mathematics) Similarity (geometry) Vector potential Product (business) Number Sound effect Revision control Latent heat Profil (magazine) Hacker (term) Operator (mathematics) Touch typing Green's function Energy level Form (programming) Scaling (geometry) Information Surface Analytic set Client (computing) Line (geometry) Pivot element Exploit (computer security) Vector potential Software Radio-frequency identification
Backup Context awareness Hoax Open source Code Multiplication sign Source code Cellular automaton Letterpress printing Frustration Spreadsheet Goodness of fit Information Physical system God Boss Corporation Information Sine Open source Client (computing) Perturbation theory Process (computing) Mixed reality Blog Statement (computer science) Quicksort
Rule of inference Information Software Different (Kate Ryan album) Mixed reality Authorization Quicksort Digital object identifier Perspective (visual)
Information Copyright infringement Code Multiplication sign Source code Open source Internet service provider Leak Number Peer-to-peer Inclusion map Quicksort Pirate Bay Thomas Bayes Address space Proof theory
Functional (mathematics) Service (economics) Code Multiplication sign Software developer Disintegration Physical law Electronic mailing list 1 (number) Bit Directory service Likelihood-ratio test Exploit (computer security) Information technology consulting Architecture Process (computing) Software Software repository Hacker (term) Telecommunication Core dump Configuration space Remote procedure call Metropolitan area network
Point (geometry) Slide rule Trail Mobile app Dynamical system User interface State of matter Multiplication sign Disintegration Regulator gene 1 (number) Design by contract Mereology Revision control Architecture Whiteboard Core dump Energy level Diagram Damping Aerodynamics Information Website Summierbarkeit Information security Plug-in (computing) Computing platform Physical system Fingerprint Area Graph (mathematics) Information Surface Multitier architecture Data storage device Instance (computer science) Lattice (order) Exploit (computer security) Process (computing) Web-Designer Chief information officer Website Self-organization Quicksort Local ring Row (database)
Email Email Code File format Hacker (term) Electronic visual display Directory service Maxima and minima Whiteboard Exploit (computer security) Metadata
Area Email Email Social software Key (cryptography) Multiplication sign Electronic mailing list Information technology consulting Profil (magazine) Hypermedia Right angle Extension (kinesiology) Address space
Point (geometry) Execution unit Email Code Software developer Exploit (computer security) Wave packet Uniform resource locator Uniform resource locator Message passing Software repository Hacker (term) Website Reading (process) Address space Row (database) Address space Tunis
Email Email Patch (Unix) Patch (Unix) Software developer Projective plane Internet service provider Bit Price index Social engineering (security) Message passing Integrated development environment Software repository Googol Quicksort Local ring Address space Local ring
Web page Trail Email Link (knot theory) State of matter State of matter Database Bit Database Open set Computer icon Attribute grammar Type theory Message passing Process (computing) Blog Core dump Website Whiteboard Address space
Trail Information Euler angles State of matter Computer file Cellular automaton Fitness function Database Likelihood-ratio test Sphere Goodness of fit Energy level Right angle Process (computing) Quicksort Whiteboard Physical system Row (database)
Word Process (computing) Whiteboard Conformal map
Suite (music) Causality Email Personal digital assistant Software State of matter Simulation
Freeware Electronic data interchange User interface Twin prime Artificial neural network Menu (computing) ACID Euler angles Causality Personal digital assistant Software Computing platform Spacetime
Area Point (geometry) Trail Slide rule Email Regulator gene State of matter Surface 1 (number) Bit Software industry Disk read-and-write head Hacker (term) Ideal (ethics) Computing platform Right angle Quicksort Spacetime
all right I'm Rex and I'm gonna give a talk about a series of major breaches in the cannabis compliance software industry in the year 2017 I gave this talk before I think ah there was a guy here who would like seen it and I was like somebody's gonna have seen this talk twice and that's pretty funny to me I gave it a few days ago at another security convention called be sighs that happened right before this one and they helped me polish it up so you guys are gonna get the better version but okay so this is crew teasing cruising the Cannabis highway who am i I'm a longtime software developer a web developer mainly full-stack I've been to a handful of hackers summer camps it's a lot of fun not in InfoSec though I do work for some InfoSec companies doing front-end stuff and I'm also nosey AF with this
talk I hope to give you an overview of the cannabis industry present a compelling narrative that touches upon disclosure this is definitely gonna be an exercise in OS end there won't be any elite exploits though however there is someone who will be presenting right after me and they will be going over a specific surface area attacks for point of sale stuff in cannabis and really I just hope to foster a more general or broader discussion about InfoSec and cannabis because it's sorely needed so
why should you care a lot of times when you come to hacker summer camp you see a lot of talks about people where people basically discuss the current state of some industry and then they say oh this is very terrible and we all need to do a better job of securing it and sometimes it's something like medical and medical devices and that's really important sometimes it's other things but I feel like cannabis is one of those similar watershed sort of industries because well there's a lot of new tech coming into it a lot of players trying to corner this compliance software market and so a lot of people are potentially cutting corners to cut their time to market and have a greater market share but of course that means more problems more bugs there's also a lot of high monetary value obviously in both cannabis itself and therefore in all the ancillary tools there's also a high number of policy touch points so we have lobbyists and lawmakers who are active in the political space as it pertains to cannabis but then we also have software makers who are making software for dispensaries and they're also making software and very often these same companies for compliance tracking at the state level and then they're also lobbying in politics so to me that's kind of funny maybe potentially a conflict of interest but I'm not a lobbyist so I couldn't say for sure and potentially this is an untapped market right for as much learning and drunken partying as goes on at hacker summer camp there are also all sorts of like random to a.m. business deals being made in fancy Suites while people get intoxicated further so maybe this is something somebody wants to look into and maybe there's money in I don't know so without further ado cannabis the sweet nugs you smoke with your friends or whatever except not really we're really talking about the cannabis industry which in 2017 was actually a nine point two billion dollar industry in all of North America so that makes it kind of less like my burnout stoner neighbor and more like your rich friends even more affluent uncle in putting this village together and also doing research for this talk I've met or at least read about a number of guys who like don't smoke at all yet have extensive cannabis portfolios so that's where the future is headed I think if we don't pay attention not there is anything wrong with that we just can't let it be only that and another thing related to that is like you know a lot of people are saying like okay well maybe I'll get into it maybe it's like the Green Rush or whatever but if these guys are doing this you realistically already missed the mark pretty much but in that light the cannabis supply chain is probably a lot more complex than you probably think and it looks like this the green lines are product actual cannabis the black lines our data so to walk through it sort of quickly you start all the way on the Left we have grow-ops which are where the cannabis is growing obviously it could be hydroponic could be otherwise organic in dirt outdoors that can be shipped to a processing facility to be turned into some other form that people enjoy consuming and then from there it's sent to dispensaries sometimes it's just sent directly to the dispensaries and they'll make their own little pre rolls and wrap it in the box and put branding on it but whatever and then it goes to the customer now at every step along that chain that I just pointed out people or these organizations are interfacing with the government in some way usually through the form of compliance tracking software so when the grow-op starts their grow they'll often tag the plant with perhaps an NFC tag or some other sort of radio tech or if not then just a more than yeah low key whatever the plastic lock numbered equivalent is and then when they pass it off to the processing processing facility they off they also have to input data into this system and the dispensaries have to input data into the system about where their products come from and also potentially who they're selling it to and a lot of these dispensaries have extensive profiles on their customers we also have some sales analytics so these dispensaries are furthermore sometimes uploading this data to do number crunching to figure out which products sell the best and why we also have grow analytics that is becoming more of a thing not as popular as the sales analytics perhaps but grow ops I guess kind of like what Harry was saying you know entering their data into these systems to be told to figure out how to get the best yield right if this was my best crop what did I do to get that and how can i replicate it and then fall over there we have ancillary products by which I'm that's that's a pretty broad umbrella as I'm using it could be anything from smart nutrient dispensers that prosumer level growers are using to smart vapes I'm considering well any vape really but vapes are becoming smart and enteric an internet-connected which yeah so here are some of the major players in the cannabis point-of-sale space we have metric which is a subsidiary of Fran well which is just a more general tech company like a GE or something I would say and I just cherry picked some of these stats because they just to me they give you an idea of like the scale that these organizations are operating at so they claim to have tracked 4 million plants and 3 million parcels and also they're pretty known I think for yeah they're pretty known for their their radio tag technology so I almost get the sense that like they while they do have software that exists that both the dispensary and the state level they also make a lot of money off of that and have a lot of market share around their radio technology another player is bio track THC I believe the original company's still around bio track they basically made medication dispensers that go in hospitals like if anybody will watch that show Nurse Jackie and saw the part where she had her boyfriend sort of turn the Pyxis off so she could get the opioids distributed without leaving a trace or maybe you didn't see that show but they pivoted into the medical cannabis space mainly through dispensary and compliance tracking software and then we have MJ freeways pretty much the main topic of this talk they are the originators of the idea of c2 sale and that is what I described in the previous slide basically the tracking that happens at each stage but what are we actually talking about here right MJ freeway they were really one of the largest point-of-sale providers in the industry present in many many states at the state compliance level present in probably you know an overwhelming majority of dispensaries and as such they had a lot of data to lose so we're talking about a breach that happen on or about November 19 2016 with no data loss that is according to MJ freeway and according to them that is what they were told by a third party security auditing company but in actuality it was two breaches and around two months that time with data loss as they would and out some months after the fact except no maybe it's more like three really with the potential pivot into government infrastructure and the definite loss of personally identifiable information and a several month outage and also in one of these states which you know this hasn't necessarily been attributed but I think the attacks are probably related that's me speculating but there was a state where attackers modified basically some live delivery information of cannabis restocking so some pretty gnarly stuff is happening and I was kind of like alright this is crazy and so I started reading more about it and this is some things that were said from MJ freeways marketing department that they were the victim of a vicious cyber attack and also that they are only really coming out to say this because a lot of people are saying that this was not an AK and not an attack and it absolutely was which is interesting when you get hacked and a lot of data is lost and your customers say maybe you're a DevOps person just fucked up and then on January 8th our clients began to experience the effects of this the MJ freeway system went offline for all our clients who also had no access to the MJ freeway site so this is actually I went
to a dispensary a few years ago here in Las Vegas during DEFCON and I was able to talk to the budtender that I met there about her experience while this was going down and this is Brianna g?del but I guess their boss walked in and they said hey the system's down we can't really do anything he said you're all liars who tried the most to avoid work so I wanted more anecdotal evidence because even though objective evidence is probably better anecdotal still fun so I went to Reddit which is the best place for subjective hot takes but instead I actually found a lot of people who are involved in the industry just really venting their frustrations and you don't have to read all this but to sum it up they did not do a good job of disclosing that this was happening and a lot of people found out just like I said with my friend by going into work and finding that this system was down and then over the course of the next few weeks and months they would receive a lot of mixed signals about you know what kind of backups were available because the attackers targeted the backups as well by the way and when they would have the backups rolled out have the system backup a lot of people jump ship so my first reaction is like oh my
god why is nobody talking about this is a big deal this company as I came to realize is so large in the cannabis community or in the cannabis industry rather but as it turns out that's inaccurate everybody was talking about it like from national print based news publications to mom-and-pop blogs that focus on the cottage cannabis industry so a lot of people were talking about it but still that made me that still gave me a funny feeling though because I'm like alright if everybody is talking about it then why didn't I hear about it if major news outlets are talking about it why isn't everybody aware of this and I think they just did a really good job of sort of getting in front of it in controlling the narrative so I do give them kudos for that actually but like I said you know looking at anecdotal stuff and just reading a lot of speculation from a lot of people and one of the things I read about was that the source code was hacked too so not only was personally identifiable information leaked and put on the Pirate Bay by the way but also source code was uploaded to get lab and initially I think MJ freeway came out with a statement saying that this wasn't real I don't understand what they meant by real did they mean like that's fake news or more like we didn't do that so please don't look at our code that's there it got taken down pretty quickly though but it was definitely posted up on the Pirate Bay as well so I grabbed that and I started finding any kind of news source I could and there were a lot of them and I figured that the timing was going to be important so I made a spreadsheet as one does with a timeline and then like I said since
everybody was talking about it I grabbed every news article that I could and what was interesting was that some of them like it was interesting to see their perspective and where they were getting the information from some of them would just say stuff like you know they would take a very interest approach and say out age affects major you know cannabis point-of-sale lots of dispensaries having trouble and then other people would be like MJ freeway fucked up really bad but then some people even though there were these sort of different perspectives some of the authors of these articles did manage to find nuggets here and there that I couldn't really find anywhere else that really led me further down the rabbit hole so
back to Reddit so I read the post from the people who were in the industry and directly affected but then in that mix were these weird things where like these people were just sort of chiming in with what looked like hotcakes this one dude is like yeah I know the guy who made this software and I've been an IT for twenty years and here's how I think it happened which sounds really suspicious and apparently I wasn't the only one that thought that because MJ
freeway subpoenaed reddit and also Google for information about all those accounts that sort of had first-hand knowledge I guess thinking that maybe they were affiliated with the tax amount that's pretty logical thinking in my opinion I mean I don't know that I think that they did have something to do with it but it's worth checking so like I
said I was interested in the source code as well because a lot of the other stuff is subjective source code is pretty objective so I went on the Pirate Bay I grabbed this torrent I also I was told by the e FF that it's very important that you know that I got it from the Pirate Bay but what you're looking at here took me about four months to download to get to that 46.1% and that's after fiddling with like distributed decentralized peers and all that stuff and really just what I realize is that nobody was interested in this source code and going back to Reddit I found posts that were like who gives a shit about this leak it's really old Drupal code that was never patched so I'm not gonna learn anything from that and I was a little bit disheartened because even if that's true I still wanted to know what was going on in there and then somebody told me to do another search and I was like duh I didn't think of that and as it turned out this code was reposted a number of times in the pirate base so to me that makes an interesting narrative you have some people saying I don't care and other people saying no please please look please so again I don't know what that means but it makes my stomache I know it makes my spider-sense tingle so I grabbed this and started digging in
so okay first off just even doing this directory listing not a great start for them I mean like I think it's pretty cool that like I'm all up in their shit so I'm not a hacker like I was saying I have a pretty decent background in consulting by which I mean working for a company that outsources my services to another company and so I've worked with a lot of other developers on various teams and various configurations I've worked with offshore teams and other remote teams and things like that and one thing I can tell you is a if you look at so you see how there's up at the top it says CC leaf and then if you read down there other ones that like just leaf or like Washington Leaf or those other things what you're seeing there is like like if I can sort of put on my like Oracle psychic add a little bit this was a team that could not decide on a software development process that would allow them to share a common core and easily build a custom customer functionality on top of it so what they chose to do instead was just split the repo five times which is a pain in the fucking ass I actually have a tattoo on my leg of a man named Melvin Conway he makes something called Conway's law that says your software is going to look how the communication between your team's looks so I would say this communication between these teams is probably not pretty good it's probably not very good and that will lead me to believe that
you're gonna find exploits when you look deep into the code a note on how some of
this stuff is laid out right your Quinn tiered obligatory stack diagram so we're most concerned what's going on in the middle those are dispensary level trackers you have MJ freeways gram tracker that's the one that was based on like a six or five or six year old Drupal core with like a bunch of custom plugins that basically made it so that there was no upgrade path so really a person could just fingerprint their Drupal instance from afar go to any like CVE site and say what are all the exploits that have been found for Drupal since this version and I believe that's what the attackers did pretty much then you have MJ freeways MJ platform and that was supposed to be their new and improved thing made from scratch I think they got a lot of flack from people in the community because some of the stuff I saw and read it was like a guy who works in a dispensary but he also had a lot of tech knowledge and maybe even some InfoSec and so he was like hey I did a scan on my instance of MJ freeway and I didn't like what I saw and I think some of those people were very vocal about that so perhaps that was part of the motivation for MJ free-weight to roll that out but then also they were just sitting on graham cracker for a while so you can't really I mean you can be the industry leader and not really innovate and then you you get surpassed by somebody else so they didn't want that to happen and then we have other third-party dispensary trackers from other companies but below that you have MJ freeways leaf data system and that is their state level compliance tracking now I definitely read something from their marketing department where someone sent them a question saying isn't this kind of a conflict of interest and they were like no no that's a separate company it's okay so that was kind of funny but the middle tier is supposed to integrate with the lower tier everything the dispensaries are doing they have to feed to the government like I was showing in the previous graph based slide now a lot of times these companies they're this selling point is that you will automatically be compliant your data that needs to be uploaded to these compliance trackers will that will be done automatically so to me that means that your data is probably being double dipped depending on like where you live and where you're buying your legal weed and if it is in company with not a great track record of security that's like kind of troubling and then if that surface area wasn't enough you have stuff like um dynamic websites that are being made by your local mom-and-pop web developer web developers and so they are using the API is that these trackers offer to perhaps you know show the most up-to-date inventory at that dispensary you have in store menus like the ones you see above the counter at McDonald's but for weed and those also integrate with your dispensary tracker you have your vendor or suppliers so maybe your processes processing facility is directly uploading data to you based on what they're doing and then you have mobile apps that again are showing potentially what is available at your local dispensary so those things can be hacked as well it's a lot of things going on here so one of the things that
I wound up reading a lot about was MJ freeways dealings with the Washington legal cannabis industry and the sort of organizations that exist at the state level that that are required to implement that and I would have fired in fact I thought like oh finally now this is my first chance to like have something good to like submit a FOIA for and then I like to seriously miss manage my time and couldn't but I found something that's like almost this is good it this is a Salesforce instance that has like PDF minutes of every meeting that the chief information officer of Washington State has and so there are just tons of things about MJ freeway and their bids to win the contract and also how they miss deadlines with the the handoff because bio track at some point had that had this this state contract essentially and at some point Washington State decided they would rather use MJ freeway MJ freeway missed several deadlines and so there's much information in here about that as well as some posted videos from
the Washington State liquor and cannabis board to dispensary owner telling them not to worry about all the rigmarole that's been going around related to breaches in the cannabis industry so
back to the code again I'm not a hacker I'm not looking at the code trying to find exploits I mean I probably could I'm sure but I thought it would be much more interesting to see what the metadata would say so I harvested all the emails from get get log let's you format the display in any way you want so I pretty much made it look like a CSV and with a minimal amount of D duping and manual cleanup I'm on up with a very
long list that is poorly redacted now if you notice this is just like the A's right here so it was a pretty extensive list and as you can notice a lot of those email addresses do not end with MJ freeway comm because they use a lot of dis of a lot of consultants some of which are offshore or near shore or probably even working with them for an extended amount of time but some companies just like to structure themselves that way for whatever reason sometimes it's beneficial oh and then after I got these
emails I fed them into recon ng which is a fucking amazing tool I believe I was using the jigsaw puzzle to enumerate on other social media profiles and although that API key cost like a bajillion dollars if I had it I would probably buy it because I'm very nosy so okay
collected a lot of stuff there's much reading to be done I had blog entries tweets reddit articles podcast transcripts training manuals get commits and I found a lot of interesting things so first off like I said there are a lot
of email addresses that are from contractors obviously so I can see the contractor companies because a lot of them end in those URLs but a lot of them are also Gmail addresses and some people just would like alternatively commit from their gmail address or from their work address I've been there I've also fixed it which is saying a lot because I can be a lazy developer too but that's the kind of thing I don't want I don't want sitting around in a git repo for other people to look at and point fingers at and then I noticed so like if you're looking at the top what does that mean I didn't bother verifying it but my thought is that that's them committing directly from the get UI like is that how you get that email in your in your git log does anybody know no okay one guy made eight commits in a row using just his name as a commit message which I'm sure the commits weren't all that important but again if I was a hacker and I was gonna look for a exploits in code I probably start with his code and
so again lots of local contractors lots of various lots of varying Gmail addresses I would probably like if I was a less principled person Fudge one of those Gmail addresses like make that's very similar and differs by one letter and start emailing like everybody on this list and because I see all your git commits like sort of even keeping in mind that this stuff has been leaked or maybe you know if I pathetically we were talking about an open-source project I still feel like if you say some really specific stuff to somebody that's gonna resonate with them they're gonna be like oh well maybe this is legit especially it kind of especially if it looks like an email that I've interacted with before for work and why why else would I
have a reason to doubt such a specific message so here's what that sweet spear-phishing pretext would look like hey developer I've been dealing with some of your commits as of late and I wanted to point out that you do this weird thing when you commit from your vagrant environment because that's what one of those weird ending addresses was - that makes it really hard for me to reconcile some of your other work when I rebase off master could you please not do that anymore also I think there's some stuff in your local repo that you probably didn't push to master would you mind sending me a patch of that and I think that would work I don't know and I received a little bit of indication so when I was reading the subpoena documents that that MJ freeway submitted to Google that was one of the email addresses that's not the person's email address they swapped two letters I'm not sure if the attacker tried any social engineering stuff it might have just been an address from which they like used to do this smear campaign and whoa I'll tell you about that in a second actually
so perhaps most interesting is this letter an open letter to the state of Washington cannabis industry I'm sorry I should be looking at you guys I'm connecting with you but the icon is really small on my screen and yeah anyway so this was written by a guy named Patrick veau president and CEO bio track and he I don't even think I found a blog on this site or any other letters so I thought it was very interesting that they posted this one and then even a link to download a copy of this click here so there's a lot it's like eight pages and it's very heated he is not happy but to just summarize it he was pretty tight over how things went down in the handoff that I mentioned before from bio track 2 MJ freeway in Washington State and he gets at the Washington State liquor and cannabis board a little bit over there lack of accountability and how they sort of mismanaged the process as far as he was concerned and he said a lot of things about MJ freeway but basically the biggest one was we really can't afford to have our reputation commingled with another company that is this insecure because it will also make us insecure which there's some truth to that but like they were really what they had to do concretely was like a ship around like CSVs by FTP upload so I'm kind of like okay how insecure is that making you really but you know I'm not a business owner so but it also references these data ransom attempts that the attackers made so he
was nice enough to copy and paste a message that someone received and they posted it I believe to a Google Group for dispensary owners and workers but basically the attackers were uploading snippets of the data to these like Bitcoin lockbox sites and then ransoming it and sending these emails from spoofed addresses to all these dispensary owners and I think the prices I'm not sure if it was for a sample or for the actual dump but it was like 8 bucks and then also it's got this like so like I want to mess up your attribution by using what I think a foreigner who doesn't speak English well would type like you know what I mean like you are by database Bitcoin 100% are not a mouse and like I was gonna try to see if I could like do some like a laypersons threat attribution but it's kind of obvious here who did it I probably don't
need to go into that anymore I didn't have to make that graphic it was just this is a good fit but jokes aside while
this animosity as I said before I've worked in consulting I've worked with some pretty asshole c-level guys who when cameras were off or nobody was around they would talk shit about their their employees their customers definitely their competitors but in a public sphere even if a competitor was like messing up really bad they would just be really like gracious about it and I think they understand on some level that engaging in drama is a Pyrrhic victory kind of right you probably are just not gonna look good even if you're you know you kind of are effectively dragging your opponent down so but be again that spider sense is tingling and I'm basically telling myself there's something else going on here I don't think that just this idea of you know your reputation being commingled with someone insecure is enough for all that vitriol so I did more digging and as it turns out there is definitely something so apparently both bio track and MJ freeway we're in the same bid to be the state level dispensary the state level compliance tracker for Puerto Rico and because of transparency and how many sort of public records get uploaded now you can just find information about that it's posted online invitation for bid for seed to sale inventory tracking system PR gov Wow okay and this is a lawsuit from NJ freeway against the Puerto Rican Health Department and bio track the winner of the bid so basically their attitude was hey wait a minute according to Puerto Rican rules a company that has a felon on the board should not be allowed to win this bid and has it turned out bio track did have an ex-felon on the board now this is something I don't know they just kind of stuck out to me I don't even speak Spanish but I was like let me peruse this and see what happens
ana conforme means unhappy I'm not a lawyer but to me unhappy sounds like an awfully subjective word to be in a legal document but that's neither here nor there it's definitely telling though but so okay more about you know the board member and the tttd that the felonies or what have you it was a mr. steven seagal
not this Steven Seagal but like it would have been really cool if it was and I wouldn't have even been surprised to be honest
and so basically back in 1999 the guy that I am talking about was involved in some mail fraud and some stuff like that and so you know I guess objectively speaking perhaps MJ freeway had a leg to stand on but you know I I don't really know like ethically speaking or morally speaking like what what side I fall on here but it was definitely entertaining to read about and here's another suit
that uh biotech was involved in so I guess there's a lot of just litigation in this space in general it's highly competitive so okay drawing to the end
here but here right this is from the timeline again this is a very dense you know snippet from the timeline and if you look at the top I'm gonna get up because I can't read what's all the way over there nine days later MJ freeway watches there MJ platform business conference here at rebuking closer at that I don't want to
say aliens but you know but then I did
install their stuff I kept saying I'm not a hacker but I did want to dig around a little bit but fortunately a much more experienced person in pentesting wrote me like two weeks before Def Con it was like hey I'm actually working on some of this stuff and I would love to present so I'm just gonna leave that as an exercise for him but in conclusion who was to blame again
I don't know I am definitely speculating about all of this really but like in my head at some point I was like maybe this is some kind of foreign state actor thing right it sounds implausible but I'm not really kidding like some of those consulting emails were some from some pretty interesting places and also I would like to thank that um you know if I wanted to point out the sort of downsides to to one's Western capitalist bourgeois ideals probably shitting on your newfound fledgling vice industry and like you know letting it fall on his face that would probably be a good way to do that and there's been a lot of psyops going on so maybe that could be a related thing maybe it's like some right-wing anti weed activists they are you know alright hackers now that's a thing competitors perhaps very competitive space or just maybe bored teenagers like advanced persistent ones the cannabis space has a lot of interesting concerns regulations and compliance there's a lot of it and when it's done poorly it equals increased surface area for attack the space is obscenely competitive so if you are weak at all your competitors will smell your fear and devour you apparently with lawsuits and maybe other things and also another thing that's interesting is that when you are in the legal cannabis space and you get hacked you probably are not going to go to the feds the feds are probably not going to help you and even if they would you probably would not want them to help you and I didn't change the slide so I said come to the cannabis village and check this out but you're here thank you and that's it yeah I believe that is mr. Lewis in the back with a question yeah I don't even know I was super curious I think they might have been like second runner-up and maybe MJ for you it was like both of you yeah and like some of the later lawsuits that I was showing was between bio track and other legal cannabis software companies also in Florida so I thought that was pretty interesting also any other questions okay