Ok, we know this one needs some explanation, so we'll jump right in. The Hot Ones podcast is not about computers at all, but it is all about hacking: taking an otherwise predictable process, applying something unexpected, and discovering something new and unique.

OSINT

For those who are unfamiliar, the series follows a set formula: a one on one interview unfolds as noted hoodie-appreciator/host Sean Evans and a celebrity guest eat progressively hotter wings. Attire aside, Evans exhibits another attribute shared by the best hackers I've had the privilege of working with: dedication to meticulous, zealous, and sometimes unsettlingly thorough research before an engagement even starts. The level of preparation before Hot Ones is like reconnaissance before a full scope red team assessment - sure, the project might be successful with lesser upfront effort, but having that deep subject expertise right in the front of your mind will pay dividends when opportunities arise during an engagment.

Hacking The Set

The low-budget of Hot Ones necessitated some creative problem solving that is a hallmark of the entire project. The set is always the same - black backdrop, black table cloths, two chairs, two people, twenty hot wings and sauces. It's portable, which allows them to film pretty much anywhere in the world while the audience sees the exact same camera frames. We have done many penetration tests out of a hotel room (though we haven't quite reached Joe Grand levels yet) or from the car, so this resonates with us.

With each video regularly reaching view counts in the millions, the real budget has likely grown quite a bit for support, marketing, and building other areas of the business, but the show itself seems cognizant of the fact that simplicity is elegance. We can also appreciate simplicity - why provide instructions to reproduce an IDOR vulnerability with Burp Pro when

for i in $(seq 1000 2000); do curl "http://yourwebsite.com/profile?uid=$i"; done 

works just as well? We created one of our favorite exploits using an early 2000s palm pilot we found at a pawn shop for $7 rather than shelling out $100 for a specialized dongle we would have otherwise needed.

Malicious Input

Remember when we were talking about what makes a good offensive security tool? No? It's ok, we were just getting started and we know no one read that post when it first came out. Go have a quick read in another tab, and we'll be here when you get back.

In Hot Ones, the wings are the primary tool. They are a malicious input that knocks the guest off-guard and bypasses known controls in a way that furthers the story and produces an unintended output that might not be possible under normal circumstances.

Like any offensive tool, the wings have known risks that require a mindful rules of engagement and sometimes a get-out-of-jail-free card. Even still, people are people, so there are other potential OPSEC issues.

Our Verdict

As a show, Hot Ones is very formulaic, which one would expect from a mass-media product. There is maybe a little less freedom to experiment with content intention or direction than some of my favorite security content. So many hackers are exploratory in nature, so we find that security content will evolve and grow, even within some mandatory confines for sustainability. Hot Ones is way to too dedicated to their formula to ever be as diverse a show as Darknet Diaries. But it's definitely not 60 Minutes, either. They are hacking the celebrity interview and making it more authentic to the viewer.

But based on Sean Evans' OSINT work alone, I would absolutely consider him a hacker. He and the entire crew at Hot Ones also use a lot of the same creativity and skills that we have seen in our field. We would happily put them alongside Alton Brown in our short list of non-traditional hackers.