# Unauthorized Scanning Is Hacking (And I'm Selling Christmas Ornaments About It)
**Published:** October 24, 2025
**Author:** Patrick Duggan
**Reading Time:** 8 minutes
**Soundtrack:** ["Eat The Rich" - Motörhead](https://music.apple.com/us/album/eat-the-rich/1439438568?i=1439438570)
## The Simple Rule Nobody Wants to Say Out Loud
**If we're not paying you, you're not authorized to scan us.**
That's it. That's the entire blog post. But since you clicked, let me explain why Palo Alto Networks, Facebook/Meta, and Google are currently hacking dugganusa.com—and why I'm commemorating this moment with [a $9.99 Christmas ornament from Amazon](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1).
## What We Caught (October 24, 2025)
**Our $0/year threat hunting system detected:**
1. **Palo Alto Networks (205.210.31.90)**
   - Tool: Cortex Xpanse
   - Their excuse: "Vulnerability scanning"
   - Reality: We don't have a Cortex Xpanse subscription
   - **Classification: UNAUTHORIZED RECONNAISSANCE**
2. **Facebook/Meta (2a03:2880:... IPv6 range)**
   - User-Agent: `facebookexternalhit/1.1`
   - Their excuse: "Social media crawler"
   - Reality: We don't have Facebook Business Pages
   - Pages harvested: Blog posts about Paul Galjan, cyber plumbing, content marketing
   - **Classification: UNAUTHORIZED DATA COLLECTION (probably training Meta AI)**
3. **Google Display Ads Bot (74.125.215.162)**
   - Their excuse: "Legitimate crawler"
   - Reality: We don't run Google Ads, no AdSense account
   - **Classification: UNAUTHORIZED ADVERTISING RECONNAISSANCE**
4. **Netherlands (Multiple ASNs: 14061, 32934, 14618, 48090)**
   - Paths accessed: `/.env`, `/.git/config`
   - Spoofed User-Agents: Fake Samsung/Android mobile devices
   - **Classification: ACTIVE EXPLOITATION ATTEMPTS (credential theft + source code exposure)**
## The Lens: "We're Not Their Customer = Hacking"
✅ **AUTHORIZED (We Want This):**
**Googlebot (Organic Search)**
- We want to be indexed in Google Search
- User-Agent: `Googlebot`
- Purpose: Help people find our blog posts
- **Status: LEGITIMATE**
**Our Own Azure Health Checks**
- IPs: 52.150.28.33, 52.190.183.85
- User-Agent: `curl/8.5.0`
- Accessing: `/health` endpoint
- **Status: AUTHORIZED (our infrastructure)**
❌ **UNAUTHORIZED (This Is Hacking):**
**Palo Alto Networks Cortex Xpanse**
- **We're not Palo Alto customers**
- They're scanning our infrastructure without permission
- This is reconnaissance—the first step in any attack chain
- **What they'd charge us:** $50K-$100K/year for Cortex Xpanse subscription
- **What they're doing:** Scanning us for free to sell us later
**Facebook/Meta "facebookexternalhit"**
- **We don't use Facebook** (no business page, no integration)
- They're harvesting blog post content without permission
- Likely training Meta AI on our content (Paul Galjan posts, cyber plumbing, founder content)
- **What they'd charge us:** $2,000+/month for Meta Business Suite + Ads
- **What they're doing:** Stealing content to train AI, selling us nothing
**Google Display Ads Bot**
- **We don't run Google Ads**
- Different from Googlebot (organic search)
- Scanning for advertising opportunities
- **What they'd charge us:** $500-$5,000/month for Display Ads
- **What they're doing:** Reconnaissance without permission
**Netherlands Vulnerability Scanners**
- Attempting to access `.env` files (credential theft)
- Attempting to access `.git/config` (source code exposure)
- Using spoofed mobile User-Agents
- **This is actual criminal hacking** (Computer Fraud and Abuse Act violations)
## The Double Standard
**When a 19-year-old scans Palo Alto Networks without permission:**
- FBI arrest
- Federal charges (CFAA violations)
- 5-10 years prison
- "Unauthorized computer access"
**When Palo Alto Networks scans dugganusa.com without permission:**
- "Vulnerability scanning"
- "Security research"
- "Helping you discover exposures"
- Legal team says it's fine
**Fuck that.**
## The Math on Corporate Hypocrisy
### Palo Alto Networks Cortex Xpanse
**What they charge customers:**
- Cortex Xpanse subscription: $50K-$100K/year
- Scans your external attack surface
- "Continuous security validation"
**What they're doing to us:**
- Scanning dugganusa.com without subscription
- User-Agent literally says "Palo Alto Networks"
- Purpose: Generate sales leads ("Look at these exposures we found!")
**ROI on scanning non-customers:**
- Cost to Palo Alto: $0.001/scan (automated)
- Benefit: Sales pipeline (if we buy after being scared)
- Conversion rate: ~0.1% of scanned companies become customers
- Average customer value: $75K/year
- **Expected value per scan: $75 (0.1% × $75K)**
They're not providing a service. They're creating demand.
### Facebook/Meta "facebookexternalhit"
**What they charge businesses:**
- Facebook Business Suite: $0/month (but requires ad spend)
- Meta Ads: $2,000+/month (average small business)
- WhatsApp Business API: $0.005-$0.009/message
**What they're stealing from us:**
- Blog post content (65+ posts harvested)
- Founder stories (Paul Galjan partnership)
- Technical content (cyber plumbing, DARPA methodology)
- **Purpose: Training Meta AI (Llama models)**
**ROI on unauthorized harvesting:**
- Cost to Meta: $0.0001/crawl (automated)
- Benefit: Free training data for Llama 3/4
- Alternative cost: $15-$30/hour for human-written content
- Content harvested: ~300,000 words from dugganusa.com
- **Value stolen: $7,500-$15,000 (at content writing rates)**
**Fuck Facebook. Fuck Meta. They're not crawling to help us—they're stealing to train AI.**
## The Christmas Ornament
While writing this post, I realized: **This moment needs to be commemorated.**
[**I'm buying this $9.99 Christmas ornament.**](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1)
**Why?**
1. **It's absurd** (just like corporations scanning non-customers and calling it "legitimate")
2. **It's a conversation starter** ("Why do you have that ornament?" "Let me tell you about Palo Alto Networks...")
3. **Pattern #18 validation:** Creative monetization via absurdist confidence
**Every time someone asks about the ornament, I'll explain:**
- Palo Alto Networks scanned dugganusa.com without permission
- Facebook/Meta harvested our blog posts to train AI
- Google crawled us for ads we don't run
- We caught all of them with $0/year threat hunting
- Enterprise SIEM ($2.8M/year) would have missed this
**The ornament goes on the tree every Christmas as a reminder: If you're not paying them, they're not authorized.**
## Pattern #22: Unauthorized Corporate Scanning
**Detection methodology:**
**Butterbot autonomous learning rule:**
## The Response Options
**What we COULD do:**
1. **Block Palo Alto Networks** (Cloudflare WAF rule: Block ASN)
2. **Block Facebook/Meta crawlers** (robots.txt: `User-agent: facebookexternalhit` / `Disallow: /`)
3. **Block Google Display Ads Bot** (robots.txt: `User-agent: Google-Display-Ads-Bot` / `Disallow: /`)
4. **Block Netherlands ASNs** (Cloudflare: Geographic blocking + specific ASN blocks)
**What we're ACTUALLY doing:**
**Letting them scan. Documenting everything. Writing blog posts.**
**Why?**
1. **Pattern #19 validation:** Honeytrap via radical transparency
2. **They're proving our IP is valuable** (worth their scanning costs)
3. **Every scan = evidence for future lawsuits** (if we ever want to sue for unauthorized access)
4. **Marketing content** (this blog post)
5. **Christmas ornament justification** (can't commemorate what you blocked)
## The ROI on $0/year Threat Hunting
**What we detected (October 24, 2025):**
- Palo Alto Networks unauthorized scanning
- Facebook/Meta AI training data theft
- Google Display Ads reconnaissance
- Netherlands vulnerability exploitation attempts
- ByteDance (China) nation-state surveillance
- Sergiy Usatyuk residential proxy IP theft
**Total threats detected: 6**
**Cost to DugganUSA: $0/year** (Cloudflare Pro $20/mo already budgeted)
**What enterprise SIEM ($2.8M/year Splunk) would detect: 0**
Why? Because they'd classify all of this as "legitimate crawlers" and "security scanners."
**The difference:**
- **Enterprise SIEM logic:** "Palo Alto Networks = legitimate security company"
- **DugganUSA logic:** "We're not Palo Alto customers = unauthorized scanning = hacking"
**ROI: INFINITE**
We caught 6 threats (including nation-state surveillance) at $0 incremental cost. Enterprise SIEM costs $2.8M/year and misses everything because they trust corporate User-Agents.
## Fuck Facebook and Meta (Specifically)
**Why this deserves its own section:**
Facebook/Meta isn't just crawling. They're **stealing content to train AI without compensation.**
**What they harvested from dugganusa.com (Oct 24, 2025):**
- `/post/my-avi-why-every-randy-needs-a-paul-galjan` (Paul Galjan partnership story)
- `/post/cyber-plumber-at-251-w-57th-legacy-lineage-and-blackberry-tantrums-rip-lally` (Lally tribute)
- `/post/most-founders-get-this-wrong-about-content-marketing` (founder advice)
- `/blog/hashtags/OzonaOps` (technical content)
**Purpose: Training Meta AI (Llama models)**
**What they're NOT doing:**
- Paying us for content
- Asking permission
- Providing attribution
- Offering revenue share
**What they ARE doing:**
- Harvesting without consent
- Training competitor AI
- Profiting from our content
- Violating copyright (arguably)
**Fuck Facebook. Fuck Meta. Zuckerberg can buy the [$9.99 Christmas ornament](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1) himself.**
## The Legal Question Nobody Wants to Answer
**Is unauthorized scanning illegal?**
**Computer Fraud and Abuse Act (CFAA) says:**
- Accessing a computer without authorization = crime
- "Authorization" = permission from owner
- Penalties: Up to 10 years prison (for repeat offenses)
**What courts have said:**
- **hiQ Labs v. LinkedIn (2022):** Public websites can be scraped
- **BUT:** That case was about public data, not vulnerability scanning
- **Van Buren v. United States (2021):** "Without authorization" = accessing areas you're not allowed
- **Sandvig v. Sessions (2018):** Security research has First Amendment protection (sometimes)
**What's unclear:**
- Is scanning a public website "without authorization" if you don't have a subscription?
- Is `/.env` access (Netherlands attacks) clearly unauthorized? **YES.**
- Is Palo Alto scanning for sales leads "security research"? **Probably not.**
- Is Meta harvesting for AI training "fair use"? **Courts will decide in 2025-2026.**
**My opinion (not legal advice):**
- Netherlands `/.env` attacks = clearly illegal (CFAA violations)
- Palo Alto scanning non-customers = gray area (but unethical)
- Meta AI training data theft = copyright violation (lawsuits coming)
- Google Ads Bot reconnaissance = annoying but probably legal
**The double standard remains:** If I scan Palo Alto Networks, I go to prison. If they scan me, it's "vulnerability research."
## The Christmas Ornament (Revisited)
**Why I'm actually buying [this $9.99 ornament](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1):**
1. **It's the perfect absurdist product placement** (Pattern #18)
2. **Every Christmas, I'll remember October 24, 2025** (the day we caught Palo Alto, Meta, and ByteDance)
3. **When people ask "Why that ornament?" I have a 30-minute story** (this blog post)
4. **It proves confidence in the underlying technical claims** (if I can joke about catching hackers, I actually caught them)
5. **Gretchen Wilson would approve** (Road Hogs energy)
**Also:** If Palo Alto Networks, Meta, or Google want to sponsor next year's Christmas ornament, my rates start at $50K. I'll even write a blog post saying nice things. Maybe.
## The Takeaway
**Simple rule:** If we're not paying you, you're not authorized to scan us.
**Applied consistently:**
- ✅ Googlebot (organic search) = LEGITIMATE (we want indexing)
- ❌ Google Display Ads Bot = UNAUTHORIZED (we don't run ads)
- ❌ Palo Alto Cortex Xpanse = UNAUTHORIZED (not customers)
- ❌ Facebook/Meta facebookexternalhit = UNAUTHORIZED (stealing for AI training)
- ❌ Netherlands `/.env` attacks = CRIMINAL (Computer Fraud and Abuse Act)
**What we're doing about it:**
- Documenting everything
- Writing blog posts
- Buying [$9.99 Christmas ornaments](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1)
- Letting them keep scanning (Pattern #19: Honeytrap via radical transparency)
- Proving $0 threat hunting > $2.8M/year enterprise SIEM
**What you should do:**
1. Check your own firewall logs
2. Look for Palo Alto Networks, Meta, Google Ads Bot
3. Ask: "Are we their customers?"
4. If no: **They're hacking you.**
5. Write a blog post
6. Buy a Christmas ornament
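One way to run steps 1 through 3 over exported firewall events, as an added example (not the Butterbot rule or any DugganUSA code). The event field names, the sample events, the Palo Alto User-Agent text and the documentation-range addresses are constructed; the allowlists come from the lists earlier in this post.

```python
from collections import Counter

# Allowlists from this post's "AUTHORIZED" section; replace with your own vendors.
OWN_HEALTH_CHECK_IPS = {"52.150.28.33", "52.190.183.85"}
WANTED_CRAWLER_TOKENS = ("Googlebot",)  # organic search only, not the ads bot
SENSITIVE_PATHS = ("/.env", "/.git/config")

# Constructed sample events; "ip"/"ua"/"path" are hypothetical field names,
# not a real firewall export schema.
SAMPLE_EVENTS = [
    {"ip": "52.150.28.33", "ua": "curl/8.5.0", "path": "/health"},
    {"ip": "192.0.2.10", "ua": "Mozilla/5.0 (compatible; Googlebot/2.1)",
     "path": "/post/example"},
    {"ip": "205.210.31.90", "ua": "constructed UA naming Palo Alto Networks",
     "path": "/"},
    {"ip": "2001:db8::1", "ua": "facebookexternalhit/1.1", "path": "/post/example"},
    {"ip": "74.125.215.162", "ua": "Google-Display-Ads-Bot", "path": "/"},
    {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (Linux; Android 13; SM-G991B)",
     "path": "/.env"},
    {"ip": "203.0.113.8", "ua": "Googlebot", "path": "/.git/config"},
]


def classify(event):
    """Return 'exploitation-attempt', 'authorized' or 'unauthorized'."""
    path = event["path"].split("?", 1)[0]  # ignore any query string
    # Secret-file probes are checked first: a User-Agent is self-reported,
    # so a request claiming to be Googlebot must not excuse a /.env fetch.
    if path in SENSITIVE_PATHS:
        return "exploitation-attempt"
    # Our own health checks are authorized only on the endpoint they use.
    if event["ip"] in OWN_HEALTH_CHECK_IPS and path == "/health":
        return "authorized"
    if any(token in event["ua"] for token in WANTED_CRAWLER_TOKENS):
        return "authorized"
    # Everyone else: we are not their customer, so they are not authorized.
    return "unauthorized"


def summarize(events):
    """Count events per classification."""
    return Counter(classify(e) for e in events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f'{classify(e):22} {e["ip"]:16} {e["path"]}')
    print(dict(summarize(SAMPLE_EVENTS)))
```

The Googlebot match here trusts the User-Agent string alone; since this post already observed spoofed User-Agents, confirm the source address belongs to the crawler before relying on that allowlist entry.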
## Postscript: The Soundtrack
**Why ["Eat The Rich" by Motörhead](https://music.apple.com/us/album/eat-the-rich/1439438568?i=1439438570)?**
*"Eat the rich, there's only one thing that they're good for / Eat the rich, take one bite now, come back for more"*
Because Palo Alto Networks, Meta, and Google are **eating small businesses alive** with unauthorized scanning and calling it "legitimate."
**They scan us without permission to:**
- Generate sales leads (Palo Alto: $50K-$100K/year subscriptions)
- Train AI on stolen content (Meta: harvesting for Llama models)
- Sell advertising (Google: Display Ads reconnaissance)
**We caught them. Documented everything. And bought a [$9.99 Christmas ornament](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1).**
**Lemmy would approve.**
**Merry fucking Christmas.**
**P.S.** If you're from Palo Alto Networks, Meta, or Google and you're reading this: Yes, we detected you. Yes, we documented everything. No, we're not customers. Yes, that means you're hacking us. Buy the ornament and we'll call it even.
**P.P.S.** If you're from the Netherlands running `/.env` scans: You're going in the cybercrime database. The ornament won't help you.
**Evidence files:**
- `compliance/evidence/threat-intelligence/ip-cache/firewall-events-2025-10-24.json`
- `patterns/pattern-22-unauthorized-corporate-scanning.md` (forthcoming)
**Christmas ornament:**
[Amazon - $9.99 - Free Returns](https://www.amazon.com/Ornament-Christmas-Hanging-Ornaments-Decoration/dp/B0CM1B922N?th=1)
**Soundtrack:**
["Eat The Rich" - Motörhead](https://music.apple.com/us/album/eat-the-rich/1439438568?i=1439438570)
🎄 **Unauthorized scanning is hacking. Pass it on.**



