WEBVTT

00:00:04.981 --> 00:00:07.520
JACK: [App beeping] Hey.

00:00:07.520 --> 00:00:08.640
DAD: Man, I don't see you.

00:00:08.640 --> 00:00:10.943
JACK: Yeah, my tape is usually over my camera.

00:00:10.943 --> 00:00:11.320
DAD: Why don’t I see you?

00:00:11.320 --> 00:00:13.520
JACK: I got my tape on my camera. One second.

00:00:13.520 --> 00:00:15.440
DAD: Ah. I can't even hear you.

00:00:15.440 --> 00:00:17.080
JACK: You can't hear me?

00:00:17.080 --> 00:00:17.096
DAD: My sound…

00:00:17.096 --> 00:00:21.280
JACK: [Background talk] There’s a story I had that I totally forgot about but I remembered recently,

00:00:21.280 --> 00:00:25.800
and I wanted to call up my dad and walk through it again with him to try to remember how it went.

00:00:25.800 --> 00:00:26.560
DAD: Yeah.

00:00:26.560 --> 00:00:29.360
JACK: I want to recollect the story with you.

00:00:29.360 --> 00:00:30.120
DAD: Yes.

00:00:30.120 --> 00:00:33.600
JACK: Because as I tell it, I don't think people will believe it. So,

00:00:33.600 --> 00:00:37.760
I figure you can verify that this is true.

00:00:37.760 --> 00:00:38.480
DAD: Yeah.

00:00:38.480 --> 00:00:42.640
JACK: Alright, so, do you remember my senior year at high school?

00:00:42.640 --> 00:00:43.240
DAD: Okay.

00:00:43.240 --> 00:00:47.600
JACK: I had my own car then. I was mentally done with school. I did not

00:00:47.600 --> 00:00:51.280
want to go to high school anymore. I was just sick of it. I just had been

00:00:51.280 --> 00:00:58.160
there too long. I had one elective left, and I said, what is the easiest possible

00:00:58.160 --> 00:01:02.880
class I could take? Do you remember what I chose as my last elective in my senior year?

00:01:02.880 --> 00:01:06.000
DAD: It was either welding or typing. I can't remember.

00:01:06.000 --> 00:01:13.960
JACK: Typing, yeah. But typing — how fast could I type as a senior in high school?

00:01:13.960 --> 00:01:16.874
DAD: At least 99 words a minute [inaudible].

00:01:16.874 --> 00:01:20.880
JACK: Right, right. So, choosing that as an elective…

00:01:20.880 --> 00:01:22.440
DAD: Oh…

00:01:22.440 --> 00:01:27.520
JACK: …that’s the easiest class ever. That would — that’s gonna be a walk in the park.

00:01:27.520 --> 00:01:30.600
DAD: [Music] I was happy for you. Senior year.

00:01:30.600 --> 00:01:36.160
JACK: Here’s the problem, though. The class was the first period of the day, and…

00:01:36.160 --> 00:01:36.880
DAD: 8:40?

00:01:36.880 --> 00:01:45.520
JACK: 8:40, yeah. So, I had to be at Typing, first class of the day. Yeah, the class was real easy.

00:01:45.520 --> 00:01:51.040
When I got there I was like, oh good, this is just a beginner typing class. I could type super fast.

00:01:51.040 --> 00:01:56.400
So, I’ll tell you what I’ll do, is I’ll finish up my lesson in like, ten minutes. I could do this

00:01:56.400 --> 00:02:01.760
whole — these — all the stuff you guys are doing today, I’ll do it in ten minutes and I’m done. So,

00:02:01.760 --> 00:02:07.200
I even worked ahead. I said, hey, teacher, can I go on to the next lesson? Sure, sure. So,

00:02:07.200 --> 00:02:13.120
I would do a whole week’s worth of work on Monday, and then I would help out some

00:02:13.120 --> 00:02:18.040
of the other students and stuff. I mean, I think I was the star student in that class.

00:02:18.040 --> 00:02:20.320
DAD: Of course you were.

00:02:20.320 --> 00:02:26.640
JACK: But once I got ahead enough — I mean,

00:02:26.640 --> 00:02:30.480
you know what my morning routine is. Am I a morning person?

00:02:30.480 --> 00:02:36.520
DAD: I probably woke you up at 8:30 and said, you have ten minutes. You could not wake up.

00:02:36.520 --> 00:02:40.000
JACK: Yeah, I had trouble waking up. So…

00:02:40.000 --> 00:02:42.240
DAD: You had narcolepsy or something.

00:02:42.240 --> 00:02:46.120
JACK: I did. Yeah, that was — I used to use that excuse all the time.

00:02:46.120 --> 00:02:46.800
DAD: You did.

00:02:46.800 --> 00:02:53.840
JACK: So, I would get to school late on this typing class. I thought, no problem,

00:02:53.840 --> 00:02:58.000
I’m a perfect straight-A student in this typing class. I’m helping the other ones.

00:02:58.000 --> 00:03:02.240
All my work is complete. I don't think it’s gonna be an issue if I’m seven minutes late,

00:03:02.240 --> 00:03:08.943
ten minutes late. That’s fine. So, I would show up late consistently to this typing class.

00:03:08.943 --> 00:03:08.954
DAD: Oh no.

00:03:08.954 --> 00:03:15.520
JACK: But yeah, well, the teacher didn’t like that. She said, you can't come in late like — I

00:03:15.520 --> 00:03:19.280
have to send you to the principal’s office if you come in late one more time. You gotta come

00:03:19.280 --> 00:03:24.000
in on time. This is like, your fifth time being late. I said, yeah, but I’m getting

00:03:24.000 --> 00:03:29.040
all the work done. What’s the problem? She said, no, no, no, if you come in late again,

00:03:29.040 --> 00:03:34.960
I’m gonna have to report you. So, the next day, I couldn't get it together. You tried waking me

00:03:34.960 --> 00:03:40.400
up again, and I was late. She said, that’s it. You gotta go to the principal’s office.

00:03:40.400 --> 00:03:44.960
The principal didn’t want to see me, but the vice principal was there. He said, what’s the problem?

00:03:44.960 --> 00:03:49.920
I said, no problem. I’m doing well. He said, well, the report here says that you're late,

00:03:49.920 --> 00:03:56.880
so this is — you're a senior, you know? If you get late too many times, you're not gonna graduate.

00:03:56.880 --> 00:03:57.800
DAD: Oh, my.

00:03:57.800 --> 00:04:04.240
JACK: I said, listen, I — have you looked at my grade in this class? He said, that doesn't matter

00:04:04.240 --> 00:04:08.000
if you're late. I said, no, it should matter. Listen, I think your priorities are all screwed

00:04:08.000 --> 00:04:13.120
up. If I’m acing this class, if I’m getting it all correct and if I’m helping the other students

00:04:13.120 --> 00:04:18.720
and I’m a value add to the class in general, not just myself, then don’t you think that I should be

00:04:18.720 --> 00:04:24.560
graduating with that sort of work ethic? He said, no, it has everything to do with being on time.

00:04:24.560 --> 00:04:30.000
It has nothing to do with work ethic. You have one more chance, and if you — I’m gonna be there

00:04:30.000 --> 00:04:36.160
tomorrow, and if you are late again this year, you are not gonna graduate. I said, really? You're

00:04:36.160 --> 00:04:42.400
gonna hold me back just for being late even though I have perfect grades? The next day, of course,

00:04:42.400 --> 00:04:47.960
I’m late. I could not get it together. The vice principal was standing at the door when I arrived.

00:04:47.960 --> 00:04:49.040
DAD: Oh.

00:04:49.040 --> 00:04:56.480
JACK: He said, that’s it. You're late. This is the last straw. You’ve failed this class. I said,

00:04:56.480 --> 00:05:01.280
how would you — why would you do this to me? It’s not like I’m struggling with this class.

00:05:01.280 --> 00:05:06.800
This class is easy. I’ve got it nailed. I’m like, three weeks ahead of every other student in the

00:05:06.800 --> 00:05:16.320
class. He said, I don't care. You can't come to school on time, so therefore, you fail. Fail. So,

00:05:16.320 --> 00:05:21.560
they wanted to hold me back a year, a whole year of high school, and not let me graduate.

00:05:21.560 --> 00:05:25.920
DAD: Now, you're only missing a half a credit at that point if you didn’t

00:05:25.920 --> 00:05:30.920
graduate. You could have went to summer school and picked up a half a credit.

00:05:30.920 --> 00:05:32.120
JACK: That’s right, I could have.

00:05:32.120 --> 00:05:33.840
DAD: But you did something else.

00:05:33.840 --> 00:05:38.400
JACK: [Music] So, what I brought — when I brought this news home to you and I said,

00:05:38.400 --> 00:05:42.400
listen, I’m not gonna graduate this year,

00:05:42.400 --> 00:05:48.560
your brain started going into overtime and you started thinking up of — solutions.

00:05:48.560 --> 00:05:55.200
DAD: Yeah, here’s a couple things. One, after you got thrown out of the class, I noticed you didn’t

00:05:55.200 --> 00:06:02.000
go to school when I’d wake you up in the morning. I’m not even sure what was going on. You'd say,

00:06:02.000 --> 00:06:06.960
don't worry about it, dad. I can get in there. Second period I gotta be there. So,

00:06:06.960 --> 00:06:13.680
that. But third, your social engineering wasn’t 100% yet. That was your problem.

00:06:13.680 --> 00:06:14.040
JACK: Yeah.

00:06:14.040 --> 00:06:17.680
DAD: You should have done a lot better with the assistant principal and the teacher.

00:06:17.680 --> 00:06:20.520
JACK: Oh yeah. But you saved me that year.

00:06:20.520 --> 00:06:21.560
DAD: Of course I did.

00:06:21.560 --> 00:06:27.320
JACK: I don't know how you came up with the idea, but you found me an extra half credit.

00:06:27.320 --> 00:06:36.080
DAD: Well, you one time switched high schools for, I don't know, four weeks or something. You

00:06:36.080 --> 00:06:40.880
didn’t like those kids, so you went back to the original high school, which, by the way,

00:06:40.880 --> 00:06:44.760
was less than a mile from our house. I don't know how you were ever late; less than a mile.

00:06:44.760 --> 00:06:46.440
JACK: Yeah, it was very close.

00:06:46.440 --> 00:06:53.760
DAD: So, I knew you were at that other school. I went over there, and one of my kinda best

00:06:53.760 --> 00:07:00.480
friends — played sports together and things — I said, do you remember my son Jack? Yeah, yeah,

00:07:00.480 --> 00:07:07.280
nice kid. Well, is he in your PE class? Yeah, yeah. I said, you never gave him credit for

00:07:07.280 --> 00:07:12.800
that. He said, oh, man, this is so hard. Credit? I said, not only do you gotta give him credit,

00:07:12.800 --> 00:07:19.760
but you gotta get it done before graduation. You got like, six days. He just said, I don't

00:07:19.760 --> 00:07:25.920
think I can do it. I said, no; you go to the registrar, you put his name down. Well, he said,

00:07:25.920 --> 00:07:34.880
you owe me big time, and somehow magically gave you a C for PE, sent it over to your high school,

00:07:34.880 --> 00:07:39.200
and that’s really not the end of it. The end of it was graduation at your high school.

00:07:39.200 --> 00:07:44.080
JACK: Yeah, yeah. So, that sorted it. Now I was back on track to graduate and everything

00:07:44.080 --> 00:07:49.520
was fine. I went to the ceremony, I sat in the stands, and then how did the ceremony go?

00:07:49.520 --> 00:07:55.440
DAD: The assistant principal, your arch enemy, he’s the one handing out the diplomas.

00:07:55.440 --> 00:07:58.160
JACK: The same guy who told me I can't graduate.

00:07:58.160 --> 00:08:05.600
DAD: Yeah, just six days before; you're not graduating, and now he calls your name. You

00:08:05.600 --> 00:08:11.760
come up. He looks at the diploma, stares at you. I didn’t think he was gonna hand it to you,

00:08:11.760 --> 00:08:18.160
and then he grimaced and gave it to you. There you had the diploma with the missing

00:08:18.160 --> 00:08:25.680
half credit. I think the statute of limitations ran out on all that, so…

00:08:25.680 --> 00:08:28.640
JACK: Okay, I won't be kicked out of school?

00:08:28.640 --> 00:08:30.200
DAD: Permanent record.

00:08:30.200 --> 00:08:33.320
JACK: It’ll go on my permanent record, this one. Oh, no.

00:08:33.320 --> 00:08:34.160
DAD: Yeah.

00:08:34.160 --> 00:08:38.320
JACK: Yeah, so that was quite the — all because of the typing.

00:08:38.320 --> 00:08:44.465
DAD: Unbelievable. Yeah, so, do you still know how to type?

00:08:44.465 --> 00:08:47.600
JACK: [Laughs] Yeah, I do, but do you know how at this point?

00:08:47.600 --> 00:08:51.920
DAD: No. I’ve never had a job in forty years where I needed a

00:08:51.920 --> 00:09:01.817
typewriter or a computer. Never needed one, or a cell phone. I’m analog all the way.

00:09:01.817 --> 00:09:04.240
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:09:04.240 --> 00:09:24.200
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:09:27.680 --> 00:09:29.400
JACK: I want you to meet Greg.

00:09:29.400 --> 00:09:37.840
GREG: So, I grew up really, really poor. I grew up in Tucson. Fortunately my father

00:09:37.840 --> 00:09:43.600
was an avionics technician, and he was an un-diagnosed autistic. Brilliant man. He

00:09:43.600 --> 00:09:48.160
was a MacGyver. The man would just tinker and make things throughout

00:09:48.160 --> 00:09:54.640
his life. While we were poor, my father decided to dumpster dive.

00:09:54.640 --> 00:09:59.440
JACK: His dad would find various computer parts in trash dumpsters behind buildings and bring

00:09:59.440 --> 00:10:04.640
them home. After doing that a few times, he had enough spare parts to assemble whole computers.

00:10:04.640 --> 00:10:07.920
GREG: I had a Commodore VIC-20, I had a Trash-80,

00:10:07.920 --> 00:10:14.946
and then I had an Apple IIe, all when I was born, and I always loved them.

00:10:14.946 --> 00:10:19.040
JACK: [Music] Back then, computers were not as common as they are now. Having one in your house

00:10:19.040 --> 00:10:24.960
was a luxury. Having three, you were really fancy, and simply having these things within

00:10:24.960 --> 00:10:29.680
easy reach enabled Greg to learn tons growing up instead of maybe getting introduced to them

00:10:29.680 --> 00:10:32.640
sometime in high school if your school was lucky enough to even have computers.

00:10:32.640 --> 00:10:38.880
GREG: That was my escape as a kid. I was an un-diagnosed autistic kid until in my

00:10:38.880 --> 00:10:42.880
thirties, and I just immediately loved computers.

00:10:42.880 --> 00:10:45.680
JACK: Computers were a novelty for me as

00:10:45.680 --> 00:10:49.560
a kid until we got AOL. Then I became obsessed with them.

00:10:49.560 --> 00:10:55.440
GREG: I was an AOL kid, too. Matter of fact, that’s where most of my first programs

00:10:55.440 --> 00:11:01.600
ever came around. I was one of the first to discover the 1IM exploit. That was my first

00:11:01.600 --> 00:11:08.080
vulnerability I ever discovered, was the integer overflow in the AOL client when you sent a font

00:11:08.080 --> 00:11:14.440
size with a long enough number. I remember finding that and making the 1IM punter back in the day.

00:11:14.440 --> 00:11:20.080
JACK: I remember AOL punters. You could send someone a message but then put something in

00:11:20.080 --> 00:11:23.920
that message that when they receive it, their client wouldn't know how to process it, and it

00:11:23.920 --> 00:11:29.360
would just crash their AOL session. So, you could come into a chat room, send everyone a message,

00:11:29.360 --> 00:11:34.160
and then see half the room suddenly disappear because their apps would be crashing, and they

00:11:34.160 --> 00:11:40.160
would disconnect. So, all this fascinated Greg, to be able to force someone else’s computer to do

00:11:40.160 --> 00:11:46.080
something it’s not supposed to. That’s cool. What else can you do? [Music] His interest in hacking

00:11:46.080 --> 00:11:51.800
took root and grew. Soon he found himself in an online group that was trying to create malware.

00:11:51.800 --> 00:11:59.200
GREG: When I was a virus writer, my ideology — I had — I actually targeted pedophiles. Every

00:11:59.200 --> 00:12:06.080
single — every piece of malware I ever wrote was designed to target pedophiles. We ran a

00:12:06.080 --> 00:12:10.960
group in there to target people who were targeting children. The best part about targeting pedophiles

00:12:10.960 --> 00:12:16.560
is I think it’s the only case that you can say I gave malware to someone and they're absolutely not

00:12:16.560 --> 00:12:21.120
gonna report you to the police, because what are they gonna say? I was trying to pick up this kid

00:12:21.120 --> 00:12:28.320
and they sent me a jpeg.exe to them? That was the case for many years. When I wrote viruses, that

00:12:28.320 --> 00:12:33.680
was the only people I targeted. Otherwise, for me, writing viruses, again, was the thrill of learning

00:12:33.680 --> 00:12:41.760
about polymorphism, metamorphism, and — as well as high-level, low-level code execution. I just

00:12:41.760 --> 00:12:46.720
generally loved the thrill of the knowledge of it. It was an art. I still think it’s an art form.

00:12:46.720 --> 00:12:53.920
JACK: His specialty was using Visual Basic to code malicious macros in Microsoft Word documents. So,

00:12:53.920 --> 00:12:59.280
he would send the Word doc to someone, trick them into opening it, and if they had macros enabled,

00:12:59.280 --> 00:13:04.640
that would allow Greg to take over their computer. Now, keep in mind, he was doing

00:13:04.640 --> 00:13:09.200
all this in middle school, not even in high school yet, and middle schools back then didn’t

00:13:09.200 --> 00:13:14.320
even have computer classes. If they did, it was just to take a math quiz or something like that,

00:13:14.320 --> 00:13:17.840
not really teaching how to use them and stuff. By the time he got to high school,

00:13:17.840 --> 00:13:22.960
they were just starting to teach kids commands and certain applications on computers. So,

00:13:22.960 --> 00:13:27.360
one of the first classes he took was keyboarding, which is learning to type.

00:13:27.360 --> 00:13:33.440
GREG: I was like, no, fuck that. I ain’t gonna type. I know how to type. [Music] So,

00:13:33.440 --> 00:13:42.320
our school worked on Excel. All the great systems were in Excel. So, I’m one of the old-school macro

00:13:42.320 --> 00:13:47.920
virus writers. I remember Colors, and back in the day, those series of Colors and Tristate,

00:13:47.920 --> 00:13:53.520
those were the areas of macro viruses I remember I started programming in. So, with Excel,

00:13:53.520 --> 00:13:57.520
I was like, I could do this. I don't want to be in this class. I don't want to be in this school.

00:13:57.520 --> 00:14:01.520
So, the entire grade system was in Excel, and I made a macro virus that would look

00:14:01.520 --> 00:14:09.200
for my student ID number — a trick number, identify the areas where the grades were in,

00:14:09.200 --> 00:14:16.160
take the average number of the number of the percentage, or if it was A through F,

00:14:16.160 --> 00:14:22.480
it would be — I’d make myself as a B, and it would average a number to be 87%, and gave myself 87%.

00:14:22.480 --> 00:14:27.920
JACK: He was able to take this malicious Excel file and get it onto the teacher’s computer,

00:14:27.920 --> 00:14:33.440
and suddenly he was getting all B’s in his classes. On top of that, he made it so he had

00:14:33.440 --> 00:14:39.440
perfect attendance, too, no matter if he was there or not. So, he just stopped going to class. What’s

00:14:39.440 --> 00:14:46.000
hilarious is he did all this while in his typing class. He even coded in obfuscation techniques

00:14:46.000 --> 00:14:50.480
to avoid detection. Like, after the teacher would record his grade and then close Excel,

00:14:50.480 --> 00:14:55.440
that’s when the macro would trigger, on close. He would stage all this information in a column

00:14:55.440 --> 00:14:59.960
that he hid off to the side so you couldn't see any of the funny business happening.

00:14:59.960 --> 00:15:05.440
GREG: This worked really well. I was in school for nine days. That’s how long it took me to write

00:15:05.440 --> 00:15:11.040
this and then put it into the school system. Then every day I went home. I was just at home. One day

00:15:11.040 --> 00:15:15.200
my friends came over and — they came back from class 'cause I still would hang out with them.

00:15:15.200 --> 00:15:20.800
They were like, hey, Greg, man, the computers at school are really weird. I was like, oh, what are

00:15:20.800 --> 00:15:25.360
they doing? He’s like, well, they're crashing. Everyone says Excel’s not doing well. [Music]

00:15:25.360 --> 00:15:31.040
I remember my stomach sinking. Like, oh, what do you mean? They're like, well, they — when they're

00:15:31.040 --> 00:15:36.400
getting everyone ready for the finals, everything changed and something crashed. I think they're

00:15:36.400 --> 00:15:43.360
calling McAfee over it. I was like, oh no. So, I walk — I went to school the next day, get into the

00:15:43.360 --> 00:15:49.280
school library — and I hadn't been in school for so long that the librarian was like, who are you?

00:15:49.280 --> 00:15:51.520
I was like, I go to this school. I promise. I’m here. She’s like,

00:15:51.520 --> 00:15:56.480
I’ve never seen you. Who are you? I was like, well — do you have a student ID? I was like,

00:15:56.480 --> 00:16:01.600
no, I don't have a student ID. She’s like, okay, go to the principal’s office. So, the principal,

00:16:01.600 --> 00:16:06.720
they’re just like, hey, we know you're a kid. We know your name checks out. You're in these

00:16:06.720 --> 00:16:11.280
classes, but none of your teachers recognize who you are. I was like, oh, I’m sorry. I just

00:16:11.280 --> 00:16:17.680
kinda shut up at that point. They sent me home, and what happened was the school added a column

00:16:17.680 --> 00:16:22.320
in all the Excel sheets to calculate final grades and to do something for final grades,

00:16:22.320 --> 00:16:27.040
and unfortunately that column just happened to be where I stored the previous data of all the

00:16:27.040 --> 00:16:36.080
columns. So, the virus would restore the doc — the sheets when teachers opened up the sheets.

00:16:36.080 --> 00:16:42.080
That caused the Excel files to crash on grade, and they sent the sample to McAfee. McAfee at

00:16:42.080 --> 00:16:48.800
the time was like, yeah, this is a macro virus and it was custom-written for your school. So,

00:16:48.800 --> 00:16:54.640
the school decided to call the police. The police showed up, knocked on my door, arrested me, and…

00:16:54.640 --> 00:16:55.120
JACK: Really?

00:16:55.120 --> 00:16:57.680
GREG: Yeah, yeah. I mean, it’s a government — it’s a public

00:16:57.680 --> 00:17:00.480
school. It’s a public high school, so it’s technically the government.

00:17:00.480 --> 00:17:06.240
JACK: This was real bad. He went to juvie, juvenile detention. They locked him up

00:17:06.240 --> 00:17:11.760
in a concrete room with a steel door and a tiny, little window. It’s a scary place for

00:17:11.760 --> 00:17:18.480
a teenager. [Music] So, I have a note here. It says you're the youngest hacker to be arrested…

00:17:18.480 --> 00:17:18.954
GREG: Youngest…

00:17:18.954 --> 00:17:19.440
JACK: …in Arizona.

00:17:19.440 --> 00:17:24.240
GREG: I was the youngest child to be arrested in the state of Arizona for a computer crime,

00:17:24.240 --> 00:17:28.000
for — I’m not sure if that still holds, but that was the case for a long, long time.

00:17:28.000 --> 00:17:31.440
JACK: A politician wanted to make an example of him, saying,

00:17:31.440 --> 00:17:37.280
see? Cyber criminals are really bad and we should do more to stop them. But he caught a lucky break.

00:17:37.280 --> 00:17:40.960
GREG: But they came back that the Tucson police failed to handle the

00:17:40.960 --> 00:17:45.280
evidence correctly and my case got dropped, luckily for me.

00:17:45.280 --> 00:17:50.000
JACK: However, he was ordered not to touch computers for a whole year.

00:17:50.000 --> 00:17:53.200
Can you imagine no computers for a whole year?

00:17:53.200 --> 00:17:57.600
GREG: I made a deal with the courts to say I won't touch a computer for a year. I’ll have

00:17:57.600 --> 00:18:05.200
to get a probation officer to sit next to me when I operate computers, and then I — and after that

00:18:05.200 --> 00:18:11.360
we’ll re-evaluate the situation. So, for a year, any time I wanted to touch a computer,

00:18:11.360 --> 00:18:14.480
which was mostly the library back in the day — if you remember when libraries had the little

00:18:14.480 --> 00:18:21.840
internal library machines to go look up for books in the library — I had to go call this very large

00:18:21.840 --> 00:18:27.120
sixty-year-old man who was — absolutely had no idea what computer hacking looked like,

00:18:27.120 --> 00:18:31.520
and I remember fucking with him quite a bit and saying, oh, I’m getting into the system. He’d

00:18:31.520 --> 00:18:36.880
look at me and grab my hand and pull me away from the computer and — like, we're going now.

00:18:36.880 --> 00:18:41.160
JACK: [Music] What kind of person — what kind of kid were you like in high school?

00:18:41.160 --> 00:18:46.080
GREG: Oh man, I was absolutely — I was a goth kid. I was the goth kid who wore

00:18:46.080 --> 00:18:52.240
the large — I got in trouble for wearing a black trench coat 'cause unfortunately

00:18:52.240 --> 00:18:58.800
going to high school during the 2001 era, you come across the Columbine incident.

00:18:58.800 --> 00:19:01.680
JACK: You know, back in the nineties when I saw a goth kid,

00:19:01.680 --> 00:19:05.120
I just thought they really liked the movie The Crow.

00:19:05.120 --> 00:19:09.760
GREG: Yeah, The Crow was a good one. My best friend at the time, his name was John Oller.

00:19:09.760 --> 00:19:14.240
John was a huge Crow fan. He actually — he kinda looked like Brandon Lee, too. So, he

00:19:14.240 --> 00:19:21.920
was a goth-of-The Crow type. I was more into the industrial music. I always loved Skinny Puppy and

00:19:21.920 --> 00:19:26.880
Suicide Commando, Velvet Acid Christ, all that — all those late-nineties industrial bands. So,

00:19:26.880 --> 00:19:30.880
I was more of a rivethead. I didn’t know at the time what a rivethead was,

00:19:30.880 --> 00:19:37.040
but I was just an industrial kid; big, stomping boots, goth, industrial music. I liked metal but

00:19:37.040 --> 00:19:41.440
I didn’t like metal so much; I like electronic music. So, when I found out industrial music,

00:19:41.440 --> 00:19:46.800
which is essentially goth music mixed with techno, I was like, this is it. This is my lifestyle.

00:19:46.800 --> 00:19:47.600
JACK: You wear earrings?

00:19:47.600 --> 00:19:50.560
GREG: No. I actually — well, sorry, I take that

00:19:50.560 --> 00:19:56.640
back. In high school I think I had nine piercings. I had, you know…

00:19:56.640 --> 00:19:58.320
JACK: Did you wear eyeliner?

00:19:58.320 --> 00:20:03.760
GREG: No, I was not a makeup goth. I was not a makeup goth. I had the dog collars, so I

00:20:03.760 --> 00:20:10.600
had the goth collars. So, I had the bondage outfits. I was one of those goths for sure.

00:20:10.600 --> 00:20:16.944
JACK: Okay, so this just emphasizes when they're looking for the person who did this.

00:20:16.944 --> 00:20:16.954
GREG: Yep.

00:20:16.954 --> 00:20:18.208
JACK: They’re just like, you're the one…

00:20:18.208 --> 00:20:18.234
GREG: Yeah, I’m sorry…

00:20:18.234 --> 00:20:19.920
JACK: …who does not look like everyone else.

00:20:19.920 --> 00:20:24.560
GREG: I’m sorry, everyone. The goth stereotype for the virus writers,

00:20:24.560 --> 00:20:29.720
that was me. That was me, everyone. I apologize. Yeah, I remember…

00:20:29.720 --> 00:20:30.720
JACK: You started this.

00:20:30.720 --> 00:20:34.000
GREG: I did, I did. So, my parents kicked me out of my house. I lived

00:20:34.000 --> 00:20:36.480
in a group home after being arrested. I was in a…

00:20:36.480 --> 00:20:37.840
JACK: Wow, just because of that event?

00:20:37.840 --> 00:20:39.760
GREG: Yeah, yeah. So, I lived in…

00:20:39.760 --> 00:20:45.440
JACK: And you're not normal, Greg. You're wearing — you got too many piercings. Come on.

00:20:45.440 --> 00:20:51.840
GREG: Yeah, I did that all myself, too. So, I got kicked out. I lived

00:20:51.840 --> 00:20:58.160
in a group home from the age of fourteen to eighteen. [Music] So, I was in and out…

00:20:58.160 --> 00:20:59.263
JACK: That was a tough time.

00:20:59.263 --> 00:20:59.274
GREG: Yeah.

00:20:59.274 --> 00:21:01.040
JACK: So, at fourteen is when you got arrested.

00:21:01.040 --> 00:21:01.680
GREG: Correct.

00:21:01.680 --> 00:21:04.400
JACK: Then, that’s a hard time to go through an

00:21:04.400 --> 00:21:06.480
arrest. That’s scary. You don’t know what you're facing there.

00:21:06.480 --> 00:21:07.040
GREG: Correct, yeah.

00:21:07.040 --> 00:21:08.783
JACK: Then to be thrown out of the house…

00:21:08.783 --> 00:21:08.794
GREG: Yeah.

00:21:08.794 --> 00:21:11.828
JACK: …and then like, what? I gotta do this on my own? Gosh.

00:21:11.828 --> 00:21:15.360
GREG: Yeah. So, I lived in a group home; didn’t have access to a real computer. So,

00:21:15.360 --> 00:21:23.040
my only computers at the time were the ones in school. It was rough, man. It’s one of the

00:21:23.040 --> 00:21:27.200
big reasons why I always try to reach out to people who are kind of in rough situations,

00:21:27.200 --> 00:21:33.600
'cause my life has not been an easy one. It has not been easy. Living in a group home,

00:21:33.600 --> 00:21:39.040
which — the group home was — the one I got assigned to was a government group home,

00:21:39.040 --> 00:21:43.520
and it was mostly for kids who were domestic violence or runaways. So,

00:21:43.520 --> 00:21:52.720
it was a lot of violent kids in there. It was a small — it was like a small four-bedroom house,

00:21:52.720 --> 00:22:01.280
but it had — at any time it had between six guys and six girls and then staff members there. So,

00:22:01.280 --> 00:22:09.920
it was cramped. Everything was shared. It was not a good time. It was a rough life.

00:22:09.920 --> 00:22:17.600
JACK: I think I just got some clarity on what it means to be goth just now. It’s not about

00:22:17.600 --> 00:22:24.560
the clothes and the makeup and the music. It’s about not fitting into a world that tells you to

00:22:24.560 --> 00:22:31.360
shrink and conform and smile when you're falling apart inside. [Music] It’s about understanding

00:22:31.360 --> 00:22:37.840
that you are different and you can embrace your difference, and you gotta pay the price.

00:22:37.840 --> 00:22:43.440
Being misunderstood by your teachers, so-called friends, even your own family,

00:22:43.440 --> 00:22:49.520
can become isolating. There’s this moment I imagine that every goth must face.

00:22:49.520 --> 00:22:55.680
You have a choice; either break yourself down into something more acceptable, force yourself

00:22:55.680 --> 00:23:02.560
into a version of normal that everyone wants you to be, or you can embrace that shadow inside you,

00:23:02.560 --> 00:23:06.800
that one that’s screaming out, wanting to be seen, wanting to be heard, but knows that it’s

00:23:06.800 --> 00:23:12.400
just too weird for people to understand. Goths choose to embrace that inner shadow,

00:23:12.400 --> 00:23:19.120
lean into their weirdness, wear it like armor, and let your darkness be your beauty.

00:23:19.120 --> 00:23:24.960
When you're in a place like a halfway house with nowhere to go and no one who really knows you,

00:23:24.960 --> 00:23:30.000
that identity, being goth, can become more than just a style.

00:23:30.000 --> 00:23:35.920
It becomes your anchor, because being goth means you already know what it’s like to live

00:23:35.920 --> 00:23:41.120
on the outside. You already live in the cracks of the system. So when the worst happens, when

00:23:41.120 --> 00:23:48.160
your life is shattered, being goth is a reminder that it’s okay to be on the outside of society.

00:23:48.160 --> 00:23:54.160
The music reinforces the idea that it’s okay to live outside what’s normal, and there’s a level of

00:23:54.160 --> 00:24:00.480
comfort to hear that music and to see other goths who are also struggling to fight what’s normal,

00:24:00.480 --> 00:24:07.120
those quiet rebels, the kids who find beauty in broken places. I imagine that being goth

00:24:07.120 --> 00:24:13.680
makes you more resilient to problems like this. It gives you a tribe without borders.

00:24:13.680 --> 00:24:18.560
It gives you a sense of self when the world pretends you're invisible. So,

00:24:18.560 --> 00:24:25.280
I imagine being goth in that halfway house was an amazingly helpful way to get through it, to

00:24:25.280 --> 00:24:31.440
self-soothe. Every time he put on dark clothes, it was like he was giving himself a hug and saying,

00:24:31.440 --> 00:24:36.400
it’s okay to be different. Don't worry about what everyone else thinks of you.

00:24:36.400 --> 00:24:41.200
Man, to go through something like that, and goth being your anchor,

00:24:41.200 --> 00:24:48.360
that could easily make you goth for life. Man, I think I got carried away there. Okay.

00:24:48.360 --> 00:24:56.320
GREG: So, after I get out of high school — so, I was doing music, one of the few things — so,

00:24:56.320 --> 00:25:04.240
I became — I was a musician and I was a successful musician. If you've ever seen

00:25:04.240 --> 00:25:07.920
The Matrix sequels movies, then you've heard my music. At one…

00:25:07.920 --> 00:25:10.800
JACK: What? Your music is in The Matrix sequels?

00:25:10.800 --> 00:25:15.680
GREG: Yeah. So, I got contacted by a company called Spiderbite Studios, and they wanted

00:25:15.680 --> 00:25:20.080
to make music for The Matrix, especially behind-the-scenes Matrix stuff. They wanted

00:25:20.080 --> 00:25:26.240
to do some music there. The big thing is they were looking for someone to make music for the trailer

00:25:26.240 --> 00:25:33.440
for the video game The Matrix Online. [Music] So, they sent me an e-mail and they were like,

00:25:33.440 --> 00:25:40.000
hey, your music sounds great. So, that was my first example of being exploited in a contract

00:25:40.000 --> 00:25:47.680
by a large company. I sold my music rights for $400 each. I think I got $4,000 total out of

00:25:47.680 --> 00:25:54.560
that deal. So, I was like, I’m $4,000 richer. That is awesome. After that, that got into — a lot of

00:25:54.560 --> 00:26:00.240
people asked me to do music and go touring. So, I did a European tour. It was all throughout Europe.

00:26:00.240 --> 00:26:05.640
I think I went to every country except for Latvia and Lithuania. Toured for a while and I came back…

00:26:05.640 --> 00:26:07.120
JACK: What are you playing here?

00:26:07.120 --> 00:26:11.440
GREG: Synthesizer. It was a one-man project. So, I did — I love synthesizers. At one point

00:26:11.440 --> 00:26:19.280
I owned over eighty of them. So, yeah, after that, I came back. After a long tour time,

00:26:19.280 --> 00:26:24.000
I came back to Arizona. I was homeless for a while because you only make $30,000 as a musician,

00:26:24.000 --> 00:26:28.320
average, a year at that time, especially an industrial musician. You don’t make any money. So,

00:26:28.320 --> 00:26:34.360
I came back homeless, and then I lucked out in getting a job working at Massage Envy.

00:26:34.360 --> 00:26:40.160
JACK: Massage Envy is a massage parlor, but it’s a chain and they have over a thousand locations

00:26:40.160 --> 00:26:45.040
all over the US, and their headquarters are in Scottsdale, Arizona, and they needed someone to

00:26:45.040 --> 00:26:49.800
work on the back end of their booking system. They gave Greg a shot, and he excelled at it.

00:26:49.800 --> 00:26:58.320
GREG: It was all VB.NET and ASP code back end. So, I was coding that, and I was breaking software in

00:26:58.320 --> 00:27:04.640
the meantime. milw0rm — so, I was coding exploits on milw0rm and just throwing them up there,

00:27:04.640 --> 00:27:12.880
and I was literally trying to throw an exploit up there a day. I remember I got an e-mail from

00:27:12.880 --> 00:27:19.280
eEye, [music] and they were like, you're cracked. What is going — like, what are you doing? Where do

00:27:19.280 --> 00:27:23.280
you work at? Tell us about you. I was like, well, I’m a software developer in the middle of Phoenix,

00:27:23.280 --> 00:27:27.440
Arizona. I work on Massage Envy’s back end. They couldn't believe it. They were like,

00:27:27.440 --> 00:27:32.280
what? You're not in security at all? I was like, no. I was just like, I just break stuff for fun.

00:27:32.280 --> 00:27:35.760
JACK: eEye was a cybersecurity company based in California. It’s

00:27:35.760 --> 00:27:41.920
spelled E-E-Y-E, eEye. They created some tools to help people be more secure. Like,

00:27:41.920 --> 00:27:46.000
they made a vulnerability scanner, and that’s how they were able to make money. So,

00:27:46.000 --> 00:27:50.880
eEye saw that Greg was writing a lot of malware and posting it publicly,

00:27:50.880 --> 00:27:55.600
and they liked that and decided to hire him, and flew him out to California to give him a job.

00:27:55.600 --> 00:28:00.880
GREG: Yeah, well, the team I was on, we were all about finding zero-days and finding exploits.

00:28:00.880 --> 00:28:02.400
JACK: Yeah, but there’s no money in that.

00:28:02.400 --> 00:28:05.200
GREG: Marketing, my friend. When you have a good research team and

00:28:05.200 --> 00:28:08.560
they're rockstars, they're gonna look at you and your product and think,

00:28:08.560 --> 00:28:11.840
oh man, those guys know what they're doing. So, yeah, when I got there,

00:28:11.840 --> 00:28:17.520
the person I replaced was Barnaby Jack. I took — I actually had his desk and everything, man.

00:28:17.520 --> 00:28:18.634
JACK: Wow.

00:28:18.634 --> 00:28:27.600
GREG: Yeah, yeah. Lots of respect to him, man. It was — I never filled his shoes,

00:28:27.600 --> 00:28:31.760
but it was just an honor to be a part of — you know,

00:28:31.760 --> 00:28:34.800
be around him. I got to meet him multiple times. He was a great guy.

00:28:34.800 --> 00:28:39.680
JACK: See, back then, nobody had a bug bounty program. If you found a vulnerability in some

00:28:39.680 --> 00:28:44.640
software, that company wouldn't pay you anything. You'd be lucky if they sent you a t-shirt.

00:28:44.640 --> 00:28:50.720
There was zero money in vulnerability research then. But the reason eEye did this research to try

00:28:50.720 --> 00:28:58.560
to find vulnerabilities in software was for two important reasons. One, to earn credibility. eEye

00:28:58.560 --> 00:29:02.960
company must have some pretty sharp researchers to constantly be finding vulnerabilities in

00:29:02.960 --> 00:29:10.320
things. I bet their tools are great. It works. Two, recruitment. By making the news again and

00:29:10.320 --> 00:29:16.000
again that they keep finding vulnerabilities, top talent would want to come work there.

00:29:16.000 --> 00:29:20.240
Now, they did follow responsible disclosure. When they'd find a vulnerability, they would

00:29:20.240 --> 00:29:25.440
do two things; first, tell the software maker and show them exactly what they found. Then

00:29:25.440 --> 00:29:29.920
they would announce publicly that they found a vulnerability in a product. They wouldn't

00:29:29.920 --> 00:29:34.640
say what the vulnerability was, though; not until after the software company was able to

00:29:34.640 --> 00:29:39.600
fix it and patch it. So, that was the team that Greg joined, to simply find new bugs

00:29:39.600 --> 00:29:45.080
in software that nobody knows about, which is what’s known as a zero-day vulnerability.

00:29:45.080 --> 00:29:55.280
GREG: So, I get there, and Office drops — Office 2007 drops probably about four weeks — like,

00:29:55.280 --> 00:29:59.520
within my first month of working there. We were looking at other software. We were looking at,

00:29:59.520 --> 00:30:05.280
I think, CA Arcserve Backup, if you remember that terrible product. I have — as a macro

00:30:05.280 --> 00:30:11.360
virus author and — I can look at Office — hex editors in Office; I could tell you

00:30:11.360 --> 00:30:17.600
where the blobs are in Office. I know the bit format very, very well. So, when it comes to…

00:30:17.600 --> 00:30:22.560
JACK: So, there — your boss or someone told you…

00:30:22.560 --> 00:30:27.674
GREG: Marc Maiffret, yes. We’ll put his name for the record here. [Laughs]

00:30:27.674 --> 00:30:30.320
JACK: Marc Maiffret; I’ve heard that name before.

00:30:30.320 --> 00:30:35.120
GREG: If you don’t know, Marc Maiffret got famous from MTV’s True Life of a

00:30:35.120 --> 00:30:38.640
Hacker. [Music] That’s where — that was his claim to fame. He was on that.

00:30:38.640 --> 00:30:43.760
MARC: You know, over the last few years and basically ever since I got into hacking, it’s just

00:30:43.760 --> 00:30:50.080
been kinda like a wild ride or somewhat of a movie. After the raid, started thinking a

00:30:50.080 --> 00:30:55.560
lot different about my life and what I wanted to start doing with it and turn things around.

00:30:55.560 --> 00:30:59.840
MTV: These days, Chameleon is living the hacker dream,

00:30:59.840 --> 00:31:04.936
creating security software for companies to protect themselves from people just like him.

00:31:04.936 --> 00:31:09.680
JACK: [Background talk] That was a clip from the MTV show called True Life Hacker

00:31:09.680 --> 00:31:16.080
from 1999. The show follows Marc around as he hacks stuff. He was wild back then. So,

00:31:16.080 --> 00:31:22.400
I imagine it’d be really crazy to have him as a boss. So, your boss told you Office 2007 just

00:31:22.400 --> 00:31:25.280
came out. Do you want to take a look at it? It’d be great if you could find some sort of

00:31:25.280 --> 00:31:31.577
virus or bug — or, not a virus but an exploit in there, a bug that we could use for Marketing…

00:31:31.577 --> 00:31:31.594
GREG: Absolutely.

00:31:31.594 --> 00:31:35.760
JACK: …and make a big deal about. So, jump in there. You were assigned to do that.

00:31:35.760 --> 00:31:40.960
GREG: Yeah, that’s exactly how it worked. Anything that came out, any big thing — we were

00:31:40.960 --> 00:31:44.800
essentially bounty hunters. We would go out and be like, yeah, let’s go break this thing. If we have…

00:31:44.800 --> 00:31:49.120
JACK: Yeah, but there wasn’t paid bounties back then. You'd get a t-shirt if anything.

00:31:49.120 --> 00:31:52.960
GREG: It was all about the honor of being the first. We

00:31:52.960 --> 00:31:54.868
wanted to be the first, too. That was a big deal.

00:31:54.868 --> 00:31:56.120
JACK: Yeah, the honor was a reward.

00:31:56.120 --> 00:31:59.600
GREG: Yup. It was be the people who first found a

00:31:59.600 --> 00:32:08.066
bug. So, I went in there and started manually fuzzing Word at the time.

00:32:08.066 --> 00:32:14.080
JACK: [Music] Fuzzing; the first time I did fuzzing was when I was five years old and I

00:32:14.080 --> 00:32:18.880
went to the supermarket and they had a gumball machine. My mom gave me a dime and showed me

00:32:18.880 --> 00:32:25.680
how you put it in and you turn the crank and you get candy. It was awesome. For years I

00:32:25.680 --> 00:32:30.560
was drawn to them. I just had to touch them every time I saw them and check them out. I

00:32:30.560 --> 00:32:34.400
would try turning the crank on every one to see if it would just give me candy with no

00:32:34.400 --> 00:32:39.040
money in it. Nope. Unless you put money in it, the crank won't turn. I would sometimes try to

00:32:39.040 --> 00:32:43.600
put money in it and turn it very slowly to see if I could get a little bit of candy,

00:32:43.600 --> 00:32:49.120
and as soon as I do, turn it back real quick to reset it and do it again, but that didn’t work.

00:32:49.120 --> 00:32:53.440
I would check the dispenser chutes to see if anyone left candy behind there, and yes,

00:32:53.440 --> 00:32:57.840
sometimes they did, and that was cool, a bit of free candy. I would shake the machine sometimes to

00:32:57.840 --> 00:33:02.720
see if I could get candy to come out that way, and that did sometimes work, too. But then I was like,

00:33:02.720 --> 00:33:07.600
how does it know I put money in here? Like, how does it know what a quarter or a nickel

00:33:07.600 --> 00:33:12.960
or a dime actually is? So, I started jamming anything I could find that would fit in there;

00:33:12.960 --> 00:33:18.320
plastic pieces, metal washers, cardboard, shoelaces. I’d shove it in, I’d turn the crank,

00:33:18.320 --> 00:33:23.360
and I would see what happens. I’m telling you, from five years old all the way to

00:33:23.360 --> 00:33:28.160
fifteen years old, I was fiddling with these things every time I saw one.

00:33:28.160 --> 00:33:34.400
That, to me, is what fuzzing is. It’s trying to use the tool or machine or application in

00:33:34.400 --> 00:33:40.320
ways it’s not supposed to be used to see if you could glitch it or somehow get it to act weird.

00:33:40.320 --> 00:33:45.040
What Greg was doing was he was opening Microsoft Word and trying to put something

00:33:45.040 --> 00:33:49.200
in a Word document that wasn’t allowed. I don't know, maybe trying to put a Chinese

00:33:49.200 --> 00:33:52.640
letter in there or some strange ASCII symbol. Word would accept some of these

00:33:52.640 --> 00:33:58.160
characters but then just deny others. Now, if Word won't let you input a strange character,

00:33:58.160 --> 00:34:04.400
why? Will it break if you somehow force it to take that strange character? Well, Greg wanted to try.

00:34:04.400 --> 00:34:10.000
So, he opened up a Word doc, not in Microsoft, though; in a hex editor where you can manipulate

00:34:10.000 --> 00:34:15.520
the ones and zeros directly in the file, almost like doing surgery on the file, and he put in

00:34:15.520 --> 00:34:21.440
a character directly into the file that he knows Microsoft Word can't accept, and then he’d save it

00:34:21.440 --> 00:34:28.080
and try to open it up in Word to see what it would do. Nothing. Okay, fine. That didn’t work. But

00:34:28.080 --> 00:34:34.160
let’s try again. This time, let’s see what the max font size is in Word. 16.38. Well, that’s pretty

00:34:34.160 --> 00:34:39.600
big. Okay, so, Word won't let you make a font size bigger than that number. Challenge accepted. Let’s

00:34:39.600 --> 00:34:45.600
set the font to the max, 16.38, close down Word, open up the file in a hex editor, look for where

00:34:45.600 --> 00:34:53.120
that number is. 16.38, where does that show up? Ah, right there. Maybe that means the font size.

00:34:53.120 --> 00:34:58.560
So, let’s change that to 9999 and save it and open it up in Word and be like,

00:34:58.560 --> 00:35:03.680
what now, Word? You wouldn't let me set the font bigger, but I did. What are you gonna do? Nothing.

00:35:03.680 --> 00:35:08.320
It just reverts back to the default font size. It had some sort of logic to handle

00:35:08.320 --> 00:35:13.600
what happens with a font size that we can't accept. That is what fuzzing is,

00:35:13.600 --> 00:35:18.720
and that’s what Greg was tasked with doing, to try to make the brand-new Microsoft Office

00:35:18.720 --> 00:35:26.320
2007 Suite crash. It’s really a hunt to try to see if the developers at Microsoft accounted

00:35:26.320 --> 00:35:31.760
for every single problem that could possibly go wrong in Word and handle it gracefully.

00:35:31.760 --> 00:35:36.320
GREG: So, you're modifying these files at the lowest level possible and you're introducing all

00:35:36.320 --> 00:35:41.280
this unexpected code, unexpected code paths. It’s parsing these files and it’s parsing these files;

00:35:41.280 --> 00:35:45.600
it’s encountering these unexpected data points. These unexpected data points are

00:35:45.600 --> 00:35:50.640
introducing areas of opportunity for you to find a vulnerability.

00:35:50.640 --> 00:35:55.520
JACK: Basically, the goal is to get Word to execute malicious code, such as giving

00:35:55.520 --> 00:36:00.320
someone else control of that computer. But you can't just put malicious code in a Word

00:36:00.320 --> 00:36:05.040
doc and then when someone opens it, it runs. Word doesn't execute code like that. It just

00:36:05.040 --> 00:36:10.560
displays it as text. That’s its job. So, can you hide this malicious code somewhere in the

00:36:10.560 --> 00:36:15.840
Word document that it will also get executed when Word gets opened? No, not really that,

00:36:15.840 --> 00:36:21.680
either. Yeah, there’s macros that act like code, but that’s different. What we want is for Word

00:36:21.680 --> 00:36:27.520
to take our malicious little code and stick it into the memory of the computer. So, the goal is

00:36:27.520 --> 00:36:34.400
to cause Word to crash, but then use that crash to force malicious code into memory or a pointer that

00:36:34.400 --> 00:36:38.800
references the code into memory. [Music] Now, just opening Word is not enough to see all the

00:36:38.800 --> 00:36:43.520
stuff that’s happening. You want extra visibility on how well Word is behaving, what stuff it’s

00:36:43.520 --> 00:36:48.720
putting into memory and everything. That’s where a debugger comes in. At the time, he was using

00:36:48.720 --> 00:36:53.120
a debugger called Olly, which would show him a lot more details of what Word is actually doing.

00:36:53.120 --> 00:36:58.160
GREG: Correct. Olly is a tool that you attach to your — any application that you want to see at

00:36:58.160 --> 00:37:02.480
low level, assembly level. You want to see what the code’s actually doing, your registers and

00:37:02.480 --> 00:37:07.200
your memory output and what’s going on with the application. You attach a debugger; that allows…

00:37:07.200 --> 00:37:11.040
JACK: Sounds like a wrapper for the app. So, you open Olly and then tell Olly to open this,

00:37:11.040 --> 00:37:13.506
and then Olly would be like, I will watch all the memory…

00:37:13.506 --> 00:37:13.520
GREG: Exactly.

00:37:13.520 --> 00:37:15.320
JACK: …everything that’s happening here and tell you everything.

00:37:15.320 --> 00:37:18.360
GREG: That is a great summary of that, and that’s exactly what it does.

00:37:18.360 --> 00:37:24.160
JACK: It sounds a bit tedious to open a file in a hex editor, manually change one or two numbers,

00:37:24.160 --> 00:37:28.880
then close it, and then open Word up and then see how it behaves; and nothing,

00:37:28.880 --> 00:37:33.520
so just close it all and try again. So, all day he’s editing these files,

00:37:33.520 --> 00:37:35.280
opening them in Word, and then closing them.

00:37:35.280 --> 00:37:40.880
GREG: I just really liked looking at the files in the hex editor, modifying the files,

00:37:40.880 --> 00:37:46.480
opening the file, and noticing the UI change. It would distort the — it would — if you had your

00:37:46.480 --> 00:37:50.480
Office file, if you had graphics and stuff in there, it would distort it or make it

00:37:50.480 --> 00:37:55.760
look wrong 'cause it’s rendering improperly. So, you could actually get better feedback,

00:37:55.760 --> 00:38:01.360
I found, by doing it that way, to identify where in the file you're affecting. So,

00:38:01.360 --> 00:38:05.720
I did this for like, two days, and all of a sudden I had a crash.

00:38:05.720 --> 00:38:11.600
JACK: Ooh, a crash. This is what he’s been trying to create. Okay, first things first;

00:38:11.600 --> 00:38:17.920
will it crash every time? Yes. Awesome. Okay, it wasn’t a fluke. Next, can he inject code

00:38:17.920 --> 00:38:24.240
into memory when it crashes? Yes. Wow, this is great. Now he has to see if he can get control

00:38:24.240 --> 00:38:29.680
of a pointer or inject some shellcode into memory along with this crash. Yes, he can.

00:38:29.680 --> 00:38:36.560
GREG: It was a classic crash at that time where you overwrote a data pointer and you could control

00:38:36.560 --> 00:38:43.000
the data pointer at that, which is — allows — that’s the basis for remote code execution.

00:38:43.000 --> 00:38:48.640
JACK: So, what he’s discovered is he can craft a malicious Word doc so that when the user opens it,

00:38:48.640 --> 00:38:54.320
Word crashes, but then malicious code is put into memory, and now the system is severely

00:38:54.320 --> 00:38:59.600
weakened. It’s vulnerable. Wow, very cool, all within weeks of Microsoft Office coming

00:38:59.600 --> 00:39:04.880
out. Greg has discovered a pretty serious vulnerability in it, which allows arbitrary

00:39:04.880 --> 00:39:11.520
code execution. He feels great. His team is impressed. So, you tell your coworker,

00:39:11.520 --> 00:39:16.200
your coworker tells your boss, you tell your boss, whatever, and what does your company do with this?

00:39:16.200 --> 00:39:24.080
GREG: My boss is like, awesome. He immediately starts writing all the press. Marc Maiffret

00:39:24.080 --> 00:39:30.080
is — if you know him, he’s very enthusiastic. He’s just like, oh my god, we're gonna fuck — this is

00:39:30.080 --> 00:39:34.560
gonna be fucking awesome. We're gonna send this to the press. We're gonna throw this out there. So,

00:39:34.560 --> 00:39:39.435
he immediately starts writing to everyone, all these typical — you know, the tech writing — the

00:39:39.435 --> 00:39:43.560
tech writers. So, they immediately start writing, and then we report to Microsoft.

00:39:43.560 --> 00:39:47.600
JACK: Again, they aren't sharing exactly what the vulnerability is to the press. They're just

00:39:47.600 --> 00:39:53.120
telling them that eEye found another zero-day, this time in the latest Microsoft Office,

00:39:53.120 --> 00:39:58.320
and of course only giving Microsoft the full details so they can fix it. Once it’s fixed,

00:39:58.320 --> 00:40:02.560
then eEye will show the world how it was done. The news spread fast. A few

00:40:02.560 --> 00:40:06.640
big tech publications were talking about this zero-day that Greg found.

00:40:06.640 --> 00:40:14.000
GREG: Three days later we get an e-mail back from Microsoft and it says, hey, we can't reproduce

00:40:14.000 --> 00:40:19.680
this. [Music] We're like, this is typical. This is — we’ve dealt with this before. This

00:40:19.680 --> 00:40:25.360
is a typical Microsoft security response, response team typical action. So, they're like, okay. So,

00:40:25.360 --> 00:40:29.760
we send them — we send the sample again and we're like, hey, you know — we show the debug

00:40:29.760 --> 00:40:36.960
output. We show — and then another day after that, it comes back, and they're like, hey,

00:40:36.960 --> 00:40:44.400
did you try this without a debugger attached? Marc Maiffret is like, of course we did. Then he looks

00:40:44.400 --> 00:40:58.400
over to Andre; Andre looks at me, and I’m like, I don't think so. So, we go run it again, and there

00:40:58.400 --> 00:41:05.040
is a special trap that Microsoft added. This is — at the time, this was pretty new technology where

00:41:05.040 --> 00:41:12.160
they had debug-only routing inside Office. So, it would reach a code flow path that was

00:41:12.160 --> 00:41:20.240
only exploitable, only triggerable when you had a debug attached to the Word, meaning no one’s gonna

00:41:20.240 --> 00:41:26.040
be vulnerable to this unless they have a debug attached, unless they're a security researcher.

00:41:26.040 --> 00:41:33.840
JACK: Oh man. How embarrassing. The news is out there saying that eEye found a

00:41:33.840 --> 00:41:39.440
serious vulnerability, but now it turns out they don’t actually have a vulnerability.

00:41:39.440 --> 00:41:45.360
It’s because this new kid, this weird-looking goth kid, didn’t verify it all the way.

00:41:45.360 --> 00:41:55.280
GREG: So, I remember there was yelling. There was yelling involved. I remember I was there for

00:41:55.280 --> 00:42:02.240
three weeks and I remember just — literally just staring down, being ashamed, just being like, oh

00:42:02.240 --> 00:42:09.360
god. This is it. This is how I lose my career. It was nice. It was a good couple months in security.

00:42:09.360 --> 00:42:14.080
JACK: Okay, 'cause the stress here is because a press release was written, right?

00:42:14.080 --> 00:42:20.000
GREG: Yes, yes. eEye at the time was — they're like the rockstars. This is — everyone else in

00:42:20.000 --> 00:42:28.160
the room, all those rockstars; Yugi, Derek, Daniel Soder, the brothers, everyone else in there has

00:42:28.160 --> 00:42:32.160
written vulnerabilities in a professional manner. They've all done this for years. They've found the

00:42:32.160 --> 00:42:40.320
first Vista vulnerability. They found — this is their thing. Now I’m the new guy who screwed up

00:42:40.320 --> 00:42:48.160
and made them look bad. So, behind the closed door, they were like, we gotta fire this guy.

00:42:48.160 --> 00:42:53.040
Luckily for me, I believe Andre was like, nah, dude, we gotta give him a chance. He’s

00:42:53.040 --> 00:43:01.840
gotta — we're gonna give him a chance to make this right. So, they come out and they were like, look,

00:43:01.840 --> 00:43:07.240
man, you gotta find a vulnerability. We don’t care how you do it. It’s gotta happen. I’m like, okay.

00:43:07.240 --> 00:43:13.040
JACK: There’s some hope still. The press release just said they found a vulnerability in Microsoft

00:43:13.040 --> 00:43:21.440
Office, which consists of Excel, Word, PowerPoint, Visio, and more. It didn’t give any details as to

00:43:21.440 --> 00:43:28.160
how the vulnerability works. So, if they can find a bug in any of these products, it’ll save the

00:43:28.160 --> 00:43:35.360
reputation of the company. But to be clear, for a young guy in his first cybersecurity job to find a

00:43:35.360 --> 00:43:42.800
zero-day vulnerability in Microsoft Office, that’s an incredibly complicated task. The entire team of

00:43:42.800 --> 00:43:48.640
coders at Microsoft worked tirelessly to prevent people like him from finding bugs like that.

00:43:48.640 --> 00:43:55.520
So, he’s gotta find something they missed? This was a big deal for Greg. [Music] He needed to find

00:43:55.520 --> 00:44:01.600
a zero-day vulnerability in Microsoft Office or else he’s going to be fired. He calls his

00:44:01.600 --> 00:44:06.720
girlfriend and says, don’t wait up for me tonight. I am going to be working late. Sorry, I just have

00:44:06.720 --> 00:44:12.720
to do this. He just gets down right into the zone, downing energy drinks, grabbing extra monitors to

00:44:12.720 --> 00:44:17.600
be more productive, ordering pizza right to his desk. He’s fully committed to doing this. He was

00:44:17.600 --> 00:44:23.080
so committed that he was going to stay in that office until he found a zero-day vulnerability.

00:44:23.080 --> 00:44:27.440
GREG: So, I am there twenty-four hours by myself,

00:44:27.440 --> 00:44:31.200
just manually — and I’m just like, oh god, I can't do it.

00:44:31.200 --> 00:44:34.840
JACK: He’s sleeping under his desk, he’s living off of donuts and coffee.

00:44:34.840 --> 00:44:39.680
GREG: So, what happened here, man, was — so, the crew comes up to me and they're like, dude,

00:44:39.680 --> 00:44:44.880
we're not gonna let you do this by yourself. We got your back. So, everyone stayed in there,

00:44:44.880 --> 00:44:53.360
and we were in there for three days. Man, I — that — I remember girlfriends calling, wives calling

00:44:53.360 --> 00:44:57.200
guys and being like, are you guys coming home yet? They're like, no, we gotta do this. This is an

00:44:57.200 --> 00:45:06.000
important thing. We ordered pizza. We had Mountain Dew. That area of the office, I remember, it was

00:45:06.000 --> 00:45:10.440
not smelling great. The other teams were like, what are you guys doing? What is going on in here?

00:45:10.440 --> 00:45:13.520
JACK: Are you just like, opening text files in edit and then close,

00:45:13.520 --> 00:45:14.800
and then open, and then close?

00:45:14.800 --> 00:45:20.400
GREG: We have — okay, so, I think during that time — so, there’s at least six of us. We have one guy

00:45:20.400 --> 00:45:27.280
who’s writing his own program to fuzz it. We have — I think Yugi had three screens up fuzzing data,

00:45:27.280 --> 00:45:31.040
reverse-engineering. He’s trying to reverse-engineer that. I have a program

00:45:31.040 --> 00:45:34.800
I have written running on one machine over here. I have a machine to my left. I have

00:45:34.800 --> 00:45:38.160
a machine left to me that’s running software to try to find this vulnerability. I’m in a

00:45:38.160 --> 00:45:44.320
hex editor editing files left and right. I think Derek was also editing files. Derek found — was

00:45:44.320 --> 00:45:48.320
finding something else. He found — I think he later found another vulnerability out of this,

00:45:48.320 --> 00:45:51.760
but he’s going in there editing, looking at this, and we're all look — everything

00:45:51.760 --> 00:45:55.680
we find is really interesting stuff, which turns out it was — we found a lot of really

00:45:55.680 --> 00:46:00.240
cool stuff in Office at the time, but none of it was a vulnerability as we described. So, we

00:46:00.240 --> 00:46:06.760
are literally just sitting there geeking out and just — pizza being ordered. eEye was a wild time.

00:46:06.760 --> 00:46:11.920
JACK: Days go by like this where all the researchers are pouring tons of time into

00:46:11.920 --> 00:46:16.320
this. Nobody was going home. People were sleeping in shifts under their desks,

00:46:16.320 --> 00:46:19.280
in the break room. The energy was amazing to have

00:46:19.280 --> 00:46:23.760
so many people come together to try to save the reputation of the company.

00:46:23.760 --> 00:46:35.680
GREG: Day three, I was modifying a file, and all of a sudden it popped. We look at it and we're

00:46:35.680 --> 00:46:43.440
like, oh, wait. I remember Yugi — Yugi looks at it first and he’s like — Yugi is this incredibly,

00:46:43.440 --> 00:46:49.360
unbelievably talented Japanese hacker. He’s like, oh, it looks good. When Yugi says it’s good,

00:46:49.360 --> 00:46:54.160
everyone’s like, okay. So — and the first thing that happens after that is — I remember one of the

00:46:54.160 --> 00:46:59.040
guys was like, is the debugger detached? We're like, oh yeah, get that thing off there. So,

00:46:59.040 --> 00:47:05.520
retry it, and it happens to be in Office Visio. It was another product inside the Office suite. So,

00:47:05.520 --> 00:47:12.560
it wasn’t Word, not as sexy as Word, but, hey, we only said Office 2007. So, again,

00:47:12.560 --> 00:47:18.080
saved our butt. So — and the thing is, when Microsoft sent that e-mail, they were like,

00:47:18.080 --> 00:47:23.840
hey, man, this vulnerability occurs in this wrapper function called SafeInt. What

00:47:23.840 --> 00:47:31.040
SafeInt does is it prevents the integer overflow from occurring and causing that control flow,

00:47:31.040 --> 00:47:34.280
your code execution, to occur. So, it checks all the integers.

00:47:34.280 --> 00:47:39.200
[Music] What happened with the new vulnerability we found was we happened — just happened

00:47:39.200 --> 00:47:46.960
to have found a legacy pointer for an integer that was not SafeInt-wrapped and was vulnerable. So,

00:47:46.960 --> 00:47:54.480
they sent that e-mail out, and unfortunately, David LeBlanc in Microsoft — David, if you're

00:47:54.480 --> 00:48:00.480
listening to this, I’m sorry, man — I think he was on vacation. He got called back. Maybe he

00:48:00.480 --> 00:48:04.640
didn’t get called back, but that’s what I heard, 'cause he was the one who was in charge of SafeInt.

00:48:04.640 --> 00:48:10.960
SafeInt was his baby, and it’s an awesome security feature. He got called back because when we sent

00:48:10.960 --> 00:48:19.920
that sample to Microsoft and it worked, that was a big deal to them. So, we are all happy.

00:48:19.920 --> 00:48:27.040
The vulnerability goes out. A couple months later it gets disclosed, and we have indeed the first

00:48:27.040 --> 00:48:36.800
vulnerability in Microsoft Office. That was the case. That was a wild time, to say the least.

00:48:36.800 --> 00:48:42.640
JACK: He saved his butt on that one. His whole career was on the line, and he did what he

00:48:42.640 --> 00:48:48.280
had to do to save it. Being awake for so long wasn’t much of a celebration after he found it.

00:48:48.280 --> 00:48:53.840
GREG: Dude, I crashed. I fell asleep. I remember being — just being so exhausted, I straight — at

00:48:53.840 --> 00:48:57.840
the time when I found it, I was already tired because I was half-asleep. I remember the alarm

00:48:57.840 --> 00:49:03.680
that I had for it to find it, I nearly spilled — I think I did spill soda all over the place, 'cause

00:49:03.680 --> 00:49:07.200
I was just waking up — like, we're all fasting out — like, we're literally sleeping at our desk here.

00:49:07.200 --> 00:49:10.880
There’s no — we're not sleeping on hammocks or anything. We're just sleeping at our desk.

00:49:10.880 --> 00:49:18.000
So, I remember it being — like, we find the — we're like, yes, and we were all so tired

00:49:18.000 --> 00:49:24.520
to actually have a proper — I guess we did have a proper — we did yell out extremely — a malware —

00:49:24.520 --> 00:49:28.160
like, yes, we're finally — and then immediately after — 'cause we're like, we're celebrating,

00:49:28.160 --> 00:49:33.040
high-fiving, everything was like that. But man, after that, I just remember us all being like,

00:49:33.040 --> 00:49:37.760
and we're going home. I fell asleep at the office. I didn’t even make it home at the time,

00:49:37.760 --> 00:49:42.480
'cause I had to — I lived walking distance. I was too tired to even walk home that day. So, I just

00:49:42.480 --> 00:49:50.960
crashed out, woke up, went home, and I remember my girlfriend just drew me — the pillow and the

00:49:50.960 --> 00:49:57.840
blanket, and I was on the couch for like a week for that one, rightfully so. She was so pissed.

00:49:57.840 --> 00:50:01.520
JACK: But it was your job on the line. She should understand that. Like, listen,

00:50:01.520 --> 00:50:06.760
I’m gonna get fired or I could stay three days and not see you. What would you rather I do?

00:50:06.760 --> 00:50:09.680
GREG: Oh man, I was a newly father. My kid was probably…

00:50:09.680 --> 00:50:12.939
JACK: Okay.

00:50:12.939 --> 00:50:13.920
GREG: [Laughs] Yeah. My kid…

00:50:13.920 --> 00:50:16.960
JACK: Well, hold on, so you just had a kid at the time.

00:50:16.960 --> 00:50:22.160
GREG: My kid when I started, yeah, was six months old. So, that kid was not even a year old,

00:50:22.160 --> 00:50:28.800
and colic — and my kid was extreme colic, like twelve hours a day crying. Oh man, she was so mad.

00:50:28.800 --> 00:50:33.560
JACK: Oh, that’s — that makes it even more stressful.

00:50:33.560 --> 00:50:42.880
GREG: Oh yeah. Oh, oh yeah. But yeah, so — oof, yeah, that was — I remember the e-mails — that

00:50:42.880 --> 00:50:46.880
was — oh, the e-mails I was getting from her was always popping up, just being like — her

00:50:46.880 --> 00:50:51.600
just getting angrier and angrier as the day is going on. She’s like, where are you? Like, I

00:50:51.600 --> 00:50:55.680
don't believe you're at work for three days doing this. I was like, okay, I’ll send you a picture of

00:50:55.680 --> 00:51:04.946
us. We had the team just doing random pictures. I was like, oh man, this is — this was a time.

00:51:04.946 --> 00:51:09.200
JACK: [Music] eEye was a magic place. A lot of amazing talent worked there,

00:51:09.200 --> 00:51:13.120
and many went off to start their own cybersecurity businesses. Rumor has it

00:51:13.120 --> 00:51:16.640
that some of the anecdotes from the TV show Silicon Valley came from stories

00:51:16.640 --> 00:51:20.880
that happened at eEye. Greg learned a ton from working there for years.

00:51:20.880 --> 00:51:31.200
GREG: So, years later — god, this is like my third year at eEye. I remember we had a honeypot system,

00:51:31.200 --> 00:51:36.080
which — it’s a system that’s designed to catch hackers and lure in individuals.

00:51:36.080 --> 00:51:40.880
We tried to — we were trying to get zero-day exploits and definitely try to lure people into

00:51:40.880 --> 00:51:45.840
attacking the system. It was one of the largest honeypots at the time. It was nearly a Class B

00:51:45.840 --> 00:51:53.280
internet group of honeypots. It was massive. I remember I was logging into one of the systems

00:51:53.280 --> 00:52:02.320
that we had maintained for that, and I see a log-in called Lfeng. I was just like,

00:52:02.320 --> 00:52:08.000
what is this? Whose account is this? Maybe this is a new hire I just don’t

00:52:08.000 --> 00:52:18.400
know about. I walk into my boss’ office and I was like, hey, I got that all set up. However,

00:52:18.400 --> 00:52:21.920
there was someone who logged in recently, and maybe it’s someone we hired in dev ops

00:52:21.920 --> 00:52:27.520
or something. Do you know a Lfeng? I remember my boss was just typing.

00:52:27.520 --> 00:52:33.360
All of a sudden I remember the distinct sound of him stopping and the sound of the chair creaking

00:52:33.360 --> 00:52:42.960
back and him looking at me. He’s like, you found what? Who? I was like, yeah, Lfeng. I think I

00:52:42.960 --> 00:52:51.600
looked at — the extended name was Li Feng. He was like, what do you mean you found a Li Feng log-in?

00:52:51.600 --> 00:52:56.560
I was like, yeah, it’s on the honeypot system. It was — it looks like it was a maintainer. He

00:52:56.560 --> 00:53:01.760
goes and he closes the door behind me and he’s like, alright, I’m gonna tell you a story about

00:53:01.760 --> 00:53:10.240
Li Feng. I was like, okay, let’s hear about it. So, back in the day, like I mentioned, eEye was

00:53:10.240 --> 00:53:18.080
the rockstar group for finding vulnerabilities. It was like, eEye and iDefense. That was the two big

00:53:18.080 --> 00:53:29.040
companies back in the day for finding zero-day vulnerabilities. At one point, eEye was so good

00:53:29.040 --> 00:53:38.160
at what they were doing, Microsoft decided to hire someone in order to go work at eEye

00:53:38.160 --> 00:53:45.200
in order to get them to tell them, Microsoft, about the zero-days they found in Microsoft.

00:53:45.200 --> 00:53:55.274
JACK: Wait, wait, what — hold on a second. You're saying Microsoft got someone to — a job at eEye…

00:53:55.274 --> 00:53:56.698
GREG: It was a different time.

00:53:56.698 --> 00:53:57.840
JACK: …so that they could — but they worked for

00:53:57.840 --> 00:54:00.880
Microsoft so they could report to Microsoft what eEye is working on.

00:54:00.880 --> 00:54:03.040
GREG: It was a different time. Yep.

00:54:03.040 --> 00:54:07.320
JACK: This is ridiculous. You don’t hear about this ever.

00:54:07.320 --> 00:54:08.720
GREG: It was a different time.

00:54:08.720 --> 00:54:11.000
JACK: Did this news ever actually go public?

00:54:11.000 --> 00:54:13.600
GREG: I don't think so. This is…

00:54:13.600 --> 00:54:18.560
JACK: I can't imagine Microsoft hiring to work — getting people

00:54:18.560 --> 00:54:21.640
to work at another company; this is corporate espionage.

00:54:21.640 --> 00:54:25.200
GREG: That’s correct. [Music] Well,

00:54:25.200 --> 00:54:30.200
it gets even better. It gets even better after that. It gets even better after that.

00:54:30.200 --> 00:54:39.040
JACK: Okay, so Microsoft hires Li Feng to work for them, but then plants him in eEye to go find

00:54:39.040 --> 00:54:44.640
out what they're working on and report back to Microsoft. So, Li Feng was working at eEye

00:54:44.640 --> 00:54:49.440
for a while, but then suddenly left, and nobody really knows why. He just disappeared one day.

00:54:49.440 --> 00:54:53.280
GREG: But then Microsoft, sometime after he left, they're like, hey, we gotta have a talk.

00:54:53.280 --> 00:55:00.320
We gotta have a conversation. So, we're like, okay. So, Microsoft was like, so,

00:55:00.320 --> 00:55:07.800
Li Feng, he was working for us to identify zero-days that you guys may have found.

00:55:07.800 --> 00:55:10.960
JACK: Which had to be a bombshell for your company to hear.

00:55:10.960 --> 00:55:11.914
GREG: I think…

00:55:11.914 --> 00:55:12.800
JACK: They thought that must have…

00:55:12.800 --> 00:55:17.760
GREG: I think they had suspicions that he was being a little odd, but — so,

00:55:17.760 --> 00:55:23.280
Microsoft then goes to say, so, apparently he was also working

00:55:23.280 --> 00:55:31.560
for a foreign government entity to do the same for us and you. So…[laughs]

00:55:31.560 --> 00:55:35.280
JACK: So, someone placed him in Microsoft?

00:55:35.280 --> 00:55:36.200
GREG: Correct, correct.

00:55:36.200 --> 00:55:37.680
JACK: Go get a job there and…

00:55:37.680 --> 00:55:42.320
GREG: And then he got chosen to go work for us. We hired him, and he got planted,

00:55:42.320 --> 00:55:48.720
and then he was siphoning zero-days from not only us; apparently he also had privy information at

00:55:48.720 --> 00:55:57.080
Microsoft, and that went back to his foreign government that he was ultimately working for.

00:55:57.080 --> 00:56:02.080
JACK: Holy moly, someone planted him at Microsoft and then Microsoft planted him

00:56:02.080 --> 00:56:07.920
at eEye? That’s unreal. How embarrassing for Microsoft. It’s like being caught doing

00:56:07.920 --> 00:56:11.200
something you shouldn't have been doing, like, I don't know, having your pants down

00:56:11.200 --> 00:56:15.440
when the elevator door opens. They know they shouldn't have been playing that game, but now

00:56:15.440 --> 00:56:21.840
they realized that they got played themselves. Oof. So, I really wanted to confirm this story,

00:56:21.840 --> 00:56:26.000
and I reached out to people that I know who have been at Microsoft for a very long time,

00:56:26.000 --> 00:56:30.320
and all of them said that does not sound like something Microsoft would do. So,

00:56:30.320 --> 00:56:35.280
I can't confirm that that story is true, but I would love to know if it is or isn't. So,

00:56:35.280 --> 00:56:40.320
if you have information about Microsoft planting people in other companies, tell me about it.

00:56:40.320 --> 00:56:44.080
Because here’s the thing; we know corporate espionage is happening. There’s people sending

00:56:44.080 --> 00:56:49.680
secrets back and forth to tech giants all the time, but it’s a secret, so we don’t know about

00:56:49.680 --> 00:56:54.560
it. We only know about the ones who get caught. So, it seems plausible like something like that

00:56:54.560 --> 00:57:02.160
could happen. You know what? I’m curious what corporate espionage stories are out there. Taking

00:57:02.160 --> 00:57:07.920
a quick peek, there seems to be some cool ones. In fact, I think I’m gonna take an ad break and look

00:57:07.920 --> 00:57:12.800
at this a little deeper, because I’m fascinated by corporate espionage, and I might have to do a

00:57:12.800 --> 00:57:17.040
few episodes on that sort of stuff. But stay with us because after the break, Greg is gonna tell us

00:57:17.040 --> 00:57:24.720
some penetration testing stories that he’s done. After a while, Greg left eEye and started doing

00:57:24.720 --> 00:57:29.680
red-team stuff. That is penetration testing, breaking into companies to test their security.

00:57:29.680 --> 00:57:36.480
He also does threat intelligence, which he tells me he got some really interesting contacts and

00:57:36.480 --> 00:57:42.640
worked at some very interesting places. But we're gonna have to skip those stories because they're

00:57:42.640 --> 00:57:48.000
too sensitive to talk about. But he is willing to tell us a few pen test stories that he did

00:57:48.000 --> 00:57:53.120
go on. The first story is about a time when he was paid to try to hack into a major tech firm

00:57:53.120 --> 00:57:58.480
which has a lot of user data. I mean, they have millions of users. But not just simple user data;

00:57:58.480 --> 00:58:03.680
they’ve collected highly personal information on their users as part of their service. So,

00:58:03.680 --> 00:58:08.080
Greg meets with the customer, and it started out weird from the get go. The customer was saying,

00:58:08.080 --> 00:58:13.520
look, we are crazy about security. We go over the top on cybersecurity because we cannot

00:58:13.520 --> 00:58:18.960
risk our user data getting out. So, we don’t think you're going to find anything. In fact,

00:58:18.960 --> 00:58:24.320
the last pen testing company struggled so bad to try to hack us that they got arrested.

00:58:24.320 --> 00:58:29.040
GREG: [Music] So, they use a third-party payment processing system that is not used by them,

00:58:29.040 --> 00:58:34.240
and their previous pen testers accidentally exploited the third-party payment system that

00:58:34.240 --> 00:58:40.880
was vital to them. The third-party payment system was an Oracle system and not owned by

00:58:40.880 --> 00:58:46.320
the customer at all. So, when — apparently — that’s why I heard from the customer;

00:58:46.320 --> 00:58:53.360
they were — they did their exploitation and then they said, hey, we got into credit cards and we're

00:58:53.360 --> 00:59:00.000
gonna present it to you in the next day in a presentation. So, they got the blue team there,

00:59:00.000 --> 00:59:05.840
all the blue team, all the people, and then he presented them and said, hey, we exploited this.

00:59:05.840 --> 00:59:12.480
We exploited this IP address. We got access. We gain it. Here is your raw credit card details.

00:59:12.480 --> 00:59:18.480
As you can imagine, the team looks at it and they're like, what IP is that? That’s not local.

00:59:18.480 --> 00:59:23.760
That’s not — it’s a ten — it’s a local address, but that’s not ran by us. That

00:59:23.760 --> 00:59:27.680
is not. Then they found it was actually owned by the third-party payment system,

00:59:27.680 --> 00:59:32.480
and they had exploited a zero-day and that gained access to there. On top of that,

00:59:32.480 --> 00:59:37.360
the credit card details were now — it was a stream of credit card details. So, I believe it was

00:59:37.360 --> 00:59:43.280
outside of even scope for the customer. So, the customer reported them on the safety of their half

00:59:43.280 --> 00:59:47.920
'cause they didn’t want to think that someone on their network compromised them, and reported them

00:59:47.920 --> 00:59:54.000
to the law enforcement authorities. I believe that led to the arrest of them. Either way,

00:59:54.000 --> 00:59:58.560
that was — that’s always wonderful to hear going into a pen test. You hear, hey, the previous

00:59:58.560 --> 01:00:05.960
guys got arrested. Why don’t you guys come in here? So, great start already. Great start.

01:00:05.960 --> 01:00:13.360
[Music] So, if you know me, I still dress like a goth kid. I’m still all black. I’m

01:00:13.360 --> 01:00:18.720
cyber-punked out. I wear Neo4ic; love them. I’ll wear everything from vx-underground,

01:00:18.720 --> 01:00:24.160
all black, anything I can. So, I show up at this facility — oh, and at this time,

01:00:24.160 --> 01:00:29.840
we also have a coworker of mine, and my — this is my coworker’s first big — real big pen test. So,

01:00:29.840 --> 01:00:37.440
he comes in, too, and I will never forget the people there because they look at me and they

01:00:37.440 --> 01:00:42.160
look at each other and they're like, oh god, we gotta put you guys in the back room. So,

01:00:42.160 --> 01:00:47.360
they set us a separate room away from everyone else. Throughout my career,

01:00:47.360 --> 01:00:52.000
this is kinda the thing. I’m the guy in the back room. I’ve been there because of how I am. So,

01:00:52.000 --> 01:01:02.146
they sent us back there, and this is a five-day insider-threat pen test. Go.

01:01:02.146 --> 01:01:06.240
JACK: [Music] So, his job was to simulate an employee there who had gone rogue or

01:01:06.240 --> 01:01:12.160
had been hacked. Just by being in the building, what could he do? Sniff some

01:01:12.160 --> 01:01:17.120
Wi-Fi traffic? Plug into some network ports? All that’s worth checking out,

01:01:17.120 --> 01:01:23.200
but they did give him a single user’s login, and they said, that user should be locked

01:01:23.200 --> 01:01:28.160
down so tight that you shouldn't be able to do any harm even by knowing their password.

01:01:28.160 --> 01:01:34.320
GREG: This customer — I’ve been red-teaming a lot of places. Their blue team, their SOC

01:01:34.320 --> 01:01:41.920
team is absolutely legit, one of the best defense teams I’ve ever had the honor of working with. So,

01:01:41.920 --> 01:01:46.640
they literally are running their own kind of built-in EDR system that they built themselves

01:01:46.640 --> 01:01:55.040
that’s tied into their SOC, going in there. We get nowhere, man. Day one; nothing. Day two; nothing.

01:01:55.040 --> 01:02:01.840
Day three; my coworker’s laptop dies in the middle of it, and he can't even work anymore, and we had

01:02:01.840 --> 01:02:08.880
to give a report to the customer. I remember them just looking at us and being like, I think we

01:02:08.880 --> 01:02:13.600
hired the wrong people. Literally, they were like, do you — you guys want to resign and we can scrap

01:02:13.600 --> 01:02:18.560
this up, call it quits, and then we can go hire somewhere else? I was like, no, man, we got this.

01:02:18.560 --> 01:02:29.520
[Music] Day four happens, and we — I remember it was 4:30 and we have to give — at 5:00 we

01:02:29.520 --> 01:02:34.160
have to give our meeting, and my coworker had to go to Best Buy and buy a brand-new machine.

01:02:34.160 --> 01:02:39.360
He spent the entire day imaging a machine on a red-team engagement. He looks at me;

01:02:39.360 --> 01:02:42.640
he’s like, man, I don't know what to do. So, I was like, hey, let’s try one more — let’s

01:02:42.640 --> 01:02:51.840
do some ARP poisoning and just do one more time. I remember looking up, and that ARP

01:02:51.840 --> 01:02:58.480
poison grabbed one plain text credential that just happened to be an FTP job. We're like,

01:02:58.480 --> 01:03:05.760
oh, we got a credential. We got somewhere. We got something. It turns out that credential was

01:03:05.760 --> 01:03:13.600
to build system process, and it allowed us to get into the build system to roll code throughout the

01:03:13.600 --> 01:03:20.880
entire thing. It just so happened at 4:30 they rolled it out to do an end-of-day lockdown and

01:03:20.880 --> 01:03:25.600
build system configuration, lock everything down so no one is doing any more builds.

01:03:25.600 --> 01:03:32.240
We went into that meeting; said, hey, we just intercepted this. I remember them all thinking,

01:03:32.240 --> 01:03:37.760
wait a minute, that’s the old build — and that credential is still active. At that

01:03:37.760 --> 01:03:40.640
point we had a really cool exploit for that one. We got into the build system,

01:03:40.640 --> 01:03:45.600
and they had a lot of controls on the actual files in there. So, we couldn't modify in the

01:03:45.600 --> 01:03:50.800
build files, but we could edit the command line. So, we rolled an inline assembly.net

01:03:50.800 --> 01:03:56.080
include in there to roll in, go into their portal, and steal all the customer data,

01:03:56.080 --> 01:04:00.720
who’d enter a credit card in there. We marked it in the data. We locked out that credit card,

01:04:00.720 --> 01:04:06.320
but we put an asterisk in there, *stolen last four digits*, and then had it sent out to them. They

01:04:06.320 --> 01:04:11.360
test it, they ran it out, and they were like, holy crap, we have not had a red team roll out code to

01:04:11.360 --> 01:04:18.228
production in eight, nine, ten years that we’re here. Come back next year. Come back next year.

01:04:18.228 --> 01:04:21.440
JACK: Whew, talk about a Hail Mary. Not a single find all week,

01:04:21.440 --> 01:04:26.080
and then 4:30 p.m. on the last day, they catch a lucky break by sniffing a credential in the

01:04:26.080 --> 01:04:30.280
network which gave them tons of access. What a good find that saved their butts.

01:04:30.280 --> 01:04:32.640
GREG: I come back next year, and they’re like,

01:04:32.640 --> 01:04:39.586
hey, we want you to do something kinda crazy. We want you to target DNA.

01:04:39.586 --> 01:04:44.400
JACK: [Music] Part of what this company did was genetics studies. They had DNA data on

01:04:44.400 --> 01:04:49.040
their users, and this was regarded as one of the most protected assets of the company.

01:04:49.040 --> 01:04:52.800
So, why not hire a hacker to try to find it and steal it?

01:04:52.800 --> 01:05:00.720
GREG: We don’t care how you get it. Any way you can get it, that’s fair game. So,

01:05:00.720 --> 01:05:08.920
I spent a week in there as a malicious insider.

01:05:08.920 --> 01:05:15.440
JACK: He starts with a basic employee login again. It is locked down pretty tight, but it’s just

01:05:15.440 --> 01:05:20.240
enough for him to get a foothold somewhere else, and from there he finds an exploit in another

01:05:20.240 --> 01:05:25.440
system, and then he was able to pivot from there, collecting more system logins, and finally he’s

01:05:25.440 --> 01:05:32.640
able to get in a system which manages backups of machines. He can see there’s some really large

01:05:32.640 --> 01:05:40.000
files here. Maybe those are system snapshots or backups? But what system is it a backup for? No

01:05:40.000 --> 01:05:45.200
idea. But he decides to try to download it anyway to see if he can look at what’s in these files.

01:05:45.200 --> 01:05:49.120
GREG: It literally errored out on the share size. I was like,

01:05:49.120 --> 01:05:52.880
I’ve never seen that before. I remember clicking a file, and I’m on a local

01:05:52.880 --> 01:06:00.400
network. I remember that file taking forever to get to me. I was like, how big is this? So,

01:06:00.400 --> 01:06:06.320
I grab the file and I’m on the local machine, and I remember looking at it, and it’s

01:06:06.320 --> 01:06:16.080
TCGA CT, like those letters. I was just like, I think that’s DNA. I think that’s DNA. I was like,

01:06:16.080 --> 01:06:24.800
huh. Maybe — this has gotta be — this can't be right. So, I grab it and I cut off as much as I

01:06:24.800 --> 01:06:30.080
could. I remember — and then I sent it over — I work with a biologist. She was a very,

01:06:30.080 --> 01:06:36.320
very smart girl, and she just happened to be a biologist who was working with mice at the time.

01:06:36.320 --> 01:06:43.120
She actually knows DNA and she worked with DNA. I was like, hey, what does this look like to you?

01:06:43.120 --> 01:06:50.160
I sent it to her and she looks at it and she’s like, oh, this is a DNA sequence mapped out by

01:06:50.160 --> 01:06:53.520
this program, and this looks like — I was like, oh, okay, cool. Then she was like,

01:06:53.520 --> 01:06:59.680
hang on, I could even tell you what kind of DNA this is. A couple minutes go by and she was like,

01:06:59.680 --> 01:07:06.640
why do you have human DNA? I was like, I gotta go. I gotta — bye! Click. So, my next task was

01:07:06.640 --> 01:07:12.960
like — they were like, you have to get the data out. You can get in; you had to get access. We

01:07:12.960 --> 01:07:21.360
had to get it out. So, at the time, again, it was ran by a very, very good SOC team. There was a

01:07:21.360 --> 01:07:29.760
lot of — the environment I was in was very, very well-restricted. The only way I got to her was

01:07:29.760 --> 01:07:34.560
through sending a picture. I remember selecting it all and then putting it into an app, sending

01:07:34.560 --> 01:07:40.080
her a picture of it. It was so bad quality, I had to send it a couple times, actually.

01:07:40.080 --> 01:07:43.680
But so, I was like, how am I gonna get all this data? I can't do it with a phone. I

01:07:43.680 --> 01:07:49.440
can't do it with a picture. How am I gonna get all this data out? [Music] I was a malicious insider,

01:07:49.440 --> 01:07:55.520
so I was working as a quote, unquote, “IT member”. So, I got introduced to the IT

01:07:55.520 --> 01:07:59.600
group and they were like, oh, yeah, you'll be working in this environment. It’s cool. So,

01:07:59.600 --> 01:08:04.720
I was like, I gotta figure out a way I can get a bunch of hard drives, and I have to get a bunch

01:08:04.720 --> 01:08:11.760
of hard drives back into the building. So, what I did was there’s printers that were scheduled

01:08:11.760 --> 01:08:19.120
for — to be — these printers were scheduled to be taken to repair. I remember grabbing one of those

01:08:19.120 --> 01:08:23.440
printers and gutting it as much as I could. Walking out, I’m going out to the front desk,

01:08:23.440 --> 01:08:28.080
going out the front door and being like, hey, I gotta send this printer to the repair shop.

01:08:28.080 --> 01:08:32.080
It has to be done today, immediately. So, the front desk people were like, okay, just sign off

01:08:32.080 --> 01:08:38.240
work. Cool. Sign off for the printer. Load that into the — my rental car, and I go to Best Buy,

01:08:38.240 --> 01:08:43.040
and I’m like, I have to get hard drives. I have to get a lot of hard drives. So,

01:08:43.040 --> 01:08:49.280
I went by — and this is back in the day where external hard drives were those big, obnoxiously

01:08:49.280 --> 01:08:59.520
ugly-colored things, and they came in — I think 32GB or 64GB was a big hard drive at that time.

01:08:59.520 --> 01:09:03.920
So, I go through — I have a shopping cart, and I just go from the end line of these and just

01:09:03.920 --> 01:09:08.960
pull the whole thing into the shopping cart. I have a full shopping cart of hard drives.

01:09:08.960 --> 01:09:10.720
JACK: You put your arm on the shelf and just…?

01:09:10.720 --> 01:09:14.560
GREG: You know that meme where that guy is running around Best Buy and he’s like, all — hacked all

01:09:14.560 --> 01:09:18.240
the things, I hacked all the things? That was me except with hard drives, shoving it into

01:09:18.240 --> 01:09:27.600
a shopping cart. I remember going to Best — the front of the desk, maxing out my credit card, and

01:09:27.600 --> 01:09:34.960
then — of hard drives, and then going back into my hotel at the time and loading them all into the

01:09:34.960 --> 01:09:39.680
printer. I put the shelled out — the hollowed-out printer — I just stacked the hard drives in there

01:09:39.680 --> 01:09:46.240
and pulled it up together, and then I show up to work the next day, get the little trolley carts

01:09:46.240 --> 01:09:53.680
they have, go out and say, bring it back. I remember I’m bringing back the printer,

01:09:53.680 --> 01:10:02.960
and the front desk person was like, wait, you sent that off to be fixed yesterday. I was like, yeah.

01:10:02.960 --> 01:10:07.600
He was like, you gotta tell me how you got those guys to fix that in twenty-four hours because,

01:10:07.600 --> 01:10:15.040
man, they are always so slow. I was like, oh shit. Well, I bought them a root beer. They're like, oh,

01:10:15.040 --> 01:10:21.120
that makes sense. I was like, I brought them a six pack of root beer. He was like, ah, okay, good to

01:10:21.120 --> 01:10:26.480
know. So, I go back to my area of the building, putting it — and I have this printer next to me,

01:10:26.480 --> 01:10:33.200
and then I am opening up the little panel, and I am just — USB drive — literally copy, pasting,

01:10:33.200 --> 01:10:42.560
mounting, copy, pasting. I started at like, 8:15 a.m. and I am there until they kicked me out of

01:10:42.560 --> 01:10:50.880
the building at 9:00 p.m. doing nothing but moving over data. Then I leave the printer there, and

01:10:50.880 --> 01:10:58.240
for the next two days — I am literally doing this every day. Then, on my last day of the pen test,

01:10:58.240 --> 01:11:04.080
I remember I walk out and I go to the front desk, and the guy there — he’s still there.

01:11:04.080 --> 01:11:09.360
He’s like — I was like, oh, dude, the printer broke again. He’s like, oh, don't worry,

01:11:09.360 --> 01:11:13.920
I got something for you. He goes in the fridge, the little fridge he has, and he brings out a

01:11:13.920 --> 01:11:20.240
six pack of root beer. He’s like, give this to them and tell them I said hi. I am sitting there

01:11:20.240 --> 01:11:26.080
trying not to laugh while I’m holding petabytes of — I can imagine — I think — I don't know how — I

01:11:26.080 --> 01:11:30.800
couldn't get it all, but I remember I bought over eighty hard drives from Best Buy. I think I

01:11:30.800 --> 01:11:35.200
actually went back a couple days later and bought some more because I didn’t think I had enough,

01:11:35.200 --> 01:11:41.760
and put them in my jacket and my pants, and I loaded this HP printer and filled that thing up,

01:11:41.760 --> 01:11:48.160
and got to my hotel. Then at that point, had — I had a secondary laptop that I asked — I requested

01:11:48.160 --> 01:11:53.440
to prove for exfiltration. I kinda [inaudible] that laptop, I loaded it up and said, done.

01:11:53.440 --> 01:11:58.240
JACK: So, when it was time to show him what he found, he has them go into the room where he was

01:11:58.240 --> 01:12:04.880
working in and said, open up the printer. They open it up, and when they do, a bunch of hard

01:12:04.880 --> 01:12:10.680
drives just come pouring out of it. He says, those hard drives are filled with all your DNA data.

01:12:10.680 --> 01:12:14.480
GREG: Yeah. They later said, hey, you were the first person to do

01:12:14.480 --> 01:12:19.440
that. I worked for the red teaming for another — I think three or four more

01:12:19.440 --> 01:12:23.920
times after that. It was — after that it was a call center I attacked — targeted.

01:12:23.920 --> 01:12:27.360
JACK: Okay, here’s the big question, though, right; the first time they're like,

01:12:27.360 --> 01:12:31.600
you gotta go in the back office. We can't have that. After doing it three,

01:12:31.600 --> 01:12:34.800
four times, when you're walking through, are you feeling more confident? Like, oh,

01:12:34.800 --> 01:12:36.960
no, you can be in the front office. We don’t mind you being around here.

01:12:36.960 --> 01:12:41.440
GREG: Oh man, I went to their barbecues. I went to their family — they were all very

01:12:41.440 --> 01:12:45.840
nice. After the first time, they were like, look,

01:12:45.840 --> 01:12:54.866
you could never meet the execs, but we will absolutely hire you every single time.

01:12:54.866 --> 01:12:59.600
JACK: [Music] A few years go by of him doing pen tests, and he gets another job which also has an

01:12:59.600 --> 01:13:05.120
interesting story. This time, a venture capital company has hired him to try to hack them. Now,

01:13:05.120 --> 01:13:10.240
they wanted to see if he could hack into them to get data that would influence the market

01:13:10.240 --> 01:13:14.560
or something that might hurt the reputation of the company or see if he can gain information

01:13:14.560 --> 01:13:19.440
that can be used against the company. So, Greg gets tasked with going on site to

01:13:19.440 --> 01:13:25.120
try to hack into this venture capital company, which, remember, even though he’s well into his

01:13:25.120 --> 01:13:30.720
thirties at this point, he is still dressing all goth and considers himself a goth kid.

01:13:30.720 --> 01:13:36.720
GREG: I’m still a goth kid, man. I still dress in black. I still wear my goth — like I said,

01:13:36.720 --> 01:13:40.800
I don't wear the colors or anything, but I still dress all black. I wear my goth outfits.

01:13:40.800 --> 01:13:48.640
I wear my vx-underground, my Neo4ic shawls and everything. I wear my goth boots. What’s funny

01:13:48.640 --> 01:13:55.280
is every single contract I’ve signed for work, I have two clauses in there. Clause number one;

01:13:55.280 --> 01:14:02.400
I will never code in Ruby. Fuck Ruby. Clause number two; I’ll never adhere to a dress code,

01:14:02.400 --> 01:14:05.920
period. Those don’t — if those two don’t happen, I don't work there,

01:14:05.920 --> 01:14:14.960
period. So — and that goes back to — I was one of the — when I was in cybersecurity,

01:14:14.960 --> 01:14:19.120
I was one of the kids who never went to college for cybersecurity. So, all these places are like,

01:14:19.120 --> 01:14:23.760
oh, you gotta get a college degree, you gotta do all this kinda stuff, and you gotta wear suits.

01:14:23.760 --> 01:14:28.400
I was like, no, fuck that, man. I got — if you don’t hire me for the things I know,

01:14:28.400 --> 01:14:32.400
then I don't want to work there. That’s been a long belief and I still believe that to this

01:14:32.400 --> 01:14:40.320
very day. I told my boss, the day that my goth outfit interferes with the way I work,

01:14:40.320 --> 01:14:46.000
I will stop doing it. I still do it to this very day. It’s been twenty years. Anyway,

01:14:46.000 --> 01:14:50.720
so, they send me over, and I remember I get — they're like, hey, we want you to meet at

01:14:50.720 --> 01:14:57.280
this outside — it’s gonna be outside the hotel that we're all staying at.

01:14:57.280 --> 01:15:03.840
I walk up to this guy, and this guy is wearing a suit. He is wearing a suit that costs probably

01:15:03.840 --> 01:15:09.840
more than what I make in a month. He’s in there. He’s smoking a cigarette, clean cut.

01:15:09.840 --> 01:15:15.040
The guy looks like he’s still active Secret Service. I think he even had an ear piece in.

01:15:15.040 --> 01:15:25.360
He looks at me and I was like, hey, are you this guy? We’ll call him Brando. Are you Brando? He was

01:15:25.360 --> 01:15:33.760
just like, yeah. He’s like, are you Greg? I was like, yeah, nice to meet you. I remember he takes

01:15:33.760 --> 01:15:43.680
the longest drag out of his cigarette. You know that meme from — what’s that HBO…? True Detective

01:15:43.680 --> 01:15:48.160
where the meme of looking at the phone and the guy is just inhaling the cigarette, or Matthew

01:15:48.160 --> 01:15:53.760
McConaughey, I think, is inhaling the cigarette? I got that exact look from this guy looking at

01:15:53.760 --> 01:15:59.120
me. He just tosses that cigarette and he’s like, this is gonna be a long week. He’s like, let’s go.

01:15:59.120 --> 01:16:02.640
JACK: So, this guy is his escort and drives him to the building where he’s supposed to

01:16:02.640 --> 01:16:08.240
do the pen test. He takes Greg to the front door and he tries to go in with his escort.

01:16:08.240 --> 01:16:13.280
GREG: I remember physical security is like, sir, who are you? What are you doing here?

01:16:13.280 --> 01:16:18.560
They literally get in front of me. I was like, no, I’m with Brando over there and

01:16:18.560 --> 01:16:25.840
I’m part of an assessment. They're like, give us some ID. They escort me into the building,

01:16:25.840 --> 01:16:30.240
and all of a sudden I’m getting a call from my contact. He’s like, where are you? I was like,

01:16:30.240 --> 01:16:36.240
I’m being detained. He’s like, oh god, this is a great start. So, they come over and they

01:16:36.240 --> 01:16:41.840
realize that I’m supposed to be there, and then I go meet my contact, and I remember him

01:16:41.840 --> 01:16:48.560
looking at me and being like, oh, man. He’s like, alright, well, you can go work in that

01:16:48.560 --> 01:16:54.720
back room over there. We're gonna tell everyone you're an auditor or someone so no one bothers

01:16:54.720 --> 01:17:00.360
you. You're gonna set up in this back room, and just don’t bother anyone. Just go there.

01:17:00.360 --> 01:17:07.120
JACK: So, they sat him down and said, okay, hack this place. He’s like, well, can you give me a

01:17:07.120 --> 01:17:14.160
user login or something? No. Alright, can you give me the Wi-Fi password at least? No. Well,

01:17:14.160 --> 01:17:18.640
listen, I see a bunch of wireless networks, and I don't want to accidentally hack into

01:17:18.640 --> 01:17:22.960
the wrong wireless network. So, can you at least tell me which Wi-Fi network is yours?

01:17:22.960 --> 01:17:29.520
GREG: I could see the contact at the venture capital is like, man — it was like, he looked

01:17:29.520 --> 01:17:34.560
at me and he wanted me to be out of this building and to fail as much as possible. So, he’s like,

01:17:34.560 --> 01:17:41.760
our guest Wi-Fi ID is this. Go. [Music] That’s it. That’s all I had to go on. Nothing else.

01:17:41.760 --> 01:17:47.520
Just the guest Wi-Fi. So, I get up and I’m like, okay. So, I start walking around the building,

01:17:47.520 --> 01:17:53.760
and the security team is absolutely following me at every step of this. Brando from the other

01:17:53.760 --> 01:17:56.160
third party is like, where are you going? What’s going on? I was like,

01:17:56.160 --> 01:18:00.080
I’m looking for a Wi-Fi password. He’s like, I think — he’s like, I’m pretty sure you're

01:18:00.080 --> 01:18:04.560
supposed to do that with the computer stuff. I was like, nah, nah, they're gonna have this.

01:18:04.560 --> 01:18:10.160
I walk around the building and eventually I find it on a whiteboard. I’m like, bingo. So,

01:18:10.160 --> 01:18:14.680
I go back and I sit down, and now I’m on their guest Wi-Fi network.

01:18:14.680 --> 01:18:19.120
JACK: Nice. How clever; just look around the building for the password. Alright,

01:18:19.120 --> 01:18:21.080
so now he’s connected to the guest Wi-Fi.

01:18:21.080 --> 01:18:27.840
GREG: So, I get the password, I sit down, and from there I start scanning. The first thing I go — is

01:18:27.840 --> 01:18:37.440
I hit the Wi-Fi router. It’s a Cisco device. This team — I’ll later learn that this team is very,

01:18:37.440 --> 01:18:45.120
very good. However, again, like they mentioned, they've never had a full red team event. So, the

01:18:45.120 --> 01:18:52.640
router security is nowhere near where it should be. It’s actually — the router is a single router,

01:18:52.640 --> 01:19:02.080
a single Cisco device that is both the guest Wi-Fi and the internal Wi-Fi as well. So, I exploit the

01:19:02.080 --> 01:19:07.200
router, I jump on the router, and then I make the entire network flat. I bridge over everything. So,

01:19:07.200 --> 01:19:13.200
now my machine can be — can attack anything on the inside of the network. Even though I’m on

01:19:13.200 --> 01:19:17.920
the guest Wi-Fi, I can still start attacking anything on the inside network, or on certain

01:19:17.920 --> 01:19:21.560
networks. They had multiple inside networks, so I start bridging them over one by one.

01:19:21.560 --> 01:19:23.840
JACK: How did you exploit the router?

01:19:23.840 --> 01:19:27.920
GREG: The router didn’t have — like, a) their password was default,

01:19:27.920 --> 01:19:35.520
as — unfortunately. Number two, I was — they had an administrative password on the panel. So,

01:19:35.520 --> 01:19:40.640
the access was one password and then I brute-forced, I believe, the password of

01:19:40.640 --> 01:19:48.120
the admin panel. It was very close to standard password on there. Gained access, unfortunately.

01:19:48.120 --> 01:19:56.000
JACK: So, the guest Wi-Fi should only have very minimal access, like just to the internet and

01:19:56.000 --> 01:20:01.360
no internal systems in the building. But when he bridged the networks, he could then access

01:20:01.360 --> 01:20:06.040
anything that other employees could access, which gives him access to a ton of internal systems.

01:20:06.040 --> 01:20:11.520
GREG: There, I start doing man-in-the-middle attacks, and let me tell you, red teamers out

01:20:11.520 --> 01:20:18.800
there, pen testers out there, never skip out on layer two attacks. Layer two is your responders,

01:20:18.800 --> 01:20:29.440
your Cain and Abels, your ARP poisoning, your DHCP spoofing, all of those. That is gonna

01:20:29.440 --> 01:20:33.520
be your bread and butter. I promise you those vulnerabilities are still existing there. They

01:20:33.520 --> 01:20:40.480
still work. I work engagements to this very day — that is where so many places fail. So,

01:20:40.480 --> 01:20:45.120
I man-in-the-middle. Become — I start stealing credentials, and this is back in the era before

01:20:45.120 --> 01:20:51.280
SSL security was everywhere, so you could still do man-in-the-middle and downgrade websites to HTTP

01:20:51.280 --> 01:20:58.640
logins. [Music] I start getting credentials to people logging into work e-mails. After

01:20:58.640 --> 01:21:06.800
about an hour, I get access to a relatively new hire. She has six months of work in her inbox.

01:21:06.800 --> 01:21:13.200
I access her e-mail, and the first thing I do is I go all the way down to day one. What do

01:21:13.200 --> 01:21:20.800
you get in day one? E-mail. You get your employee training, you get your on-boarding information,

01:21:20.800 --> 01:21:24.640
you get your on-boarding documentation, and if you come to this building,

01:21:24.640 --> 01:21:30.080
you get your building alarm code. So, I have a physical alarm code that goes to her,

01:21:30.080 --> 01:21:36.160
and I also have her badge ID number and what she looks like and such. So, I’m like, okay,

01:21:36.160 --> 01:21:42.400
so what can I do next? I remember the — Brando, the — my — the ex-Secret Service guy looking

01:21:42.400 --> 01:21:46.480
over my shoulder and he’s like, what are you doing? He was like — I was like, okay, so,

01:21:46.480 --> 01:21:50.800
you know the card readers? Like, yeah; he’s like, we're gonna clone one of these card readers. He’s

01:21:50.800 --> 01:21:55.760
at this point where he’s like, alright, goth guy, you're not so bad. Okay, I like this idea.

01:21:55.760 --> 01:21:59.040
He’s like, alright, I’m gonna work with you on this and I’m gonna — he’s like,

01:21:59.040 --> 01:22:03.200
I talked with them, and we're gonna talk about guard shift and times to get into

01:22:03.200 --> 01:22:06.960
this building. I was like, okay. So, I tell him my plan and I was like,

01:22:06.960 --> 01:22:13.200
man, so I got a building alarm code. I’m gonna put an RFID cloner next to their badge reader,

01:22:13.200 --> 01:22:16.400
and when they badge in, I’m gonna start getting all these badges. He’s like,

01:22:16.400 --> 01:22:24.560
okay. So, a day goes by, and eventually the girl whose building alarm code comes in, badges in,

01:22:24.560 --> 01:22:29.120
and I get her — I have a Proxmark system; I keep pulling it and all of a sudden I notice

01:22:29.120 --> 01:22:34.640
her ID matches up. So, now I have her employee ID badge and her building access alarm code.

01:22:34.640 --> 01:22:38.560
JACK: To get into this building you need to use your little badge and tap the badge reader,

01:22:38.560 --> 01:22:43.040
and the door unlocks. What Greg did is he put a little badge sniffer behind

01:22:43.040 --> 01:22:46.800
the real badge reader so that anytime anyone taps their card,

01:22:46.800 --> 01:22:51.440
he gets to see what their badge is, and that essentially allows him to clone a badge.

01:22:51.440 --> 01:22:58.000
GREG: They gave me a tour of the building at one point, very against their will. They were

01:22:58.000 --> 01:23:02.960
kinda hushing me around. The two things I noticed when they gave me that tour was,

01:23:02.960 --> 01:23:08.800
a) there was a balcony on the second floor that had a tree next to it, and

01:23:08.800 --> 01:23:13.600
from that balcony was a straight shot into their server room. Basically you go through one room;

01:23:13.600 --> 01:23:18.080
in that room you get into — you go down one hallway and you're in a server room,

01:23:18.080 --> 01:23:23.920
and the server room did have a badge reader on it. The second thing I notice is sort of like — almost

01:23:23.920 --> 01:23:31.920
like a spiral staircase downward, there was lots and lots and lots of paintings. I remember asking

01:23:31.920 --> 01:23:38.880
during the tour; I was like, whoa, these look like real paintings. They nodded. They're like,

01:23:38.880 --> 01:23:45.200
yeah, CEO — well, the CEO is here; loves paintings, and this is their pride and joy.

01:23:45.200 --> 01:23:50.800
They like to show art and they like to make sure that — and I was like, huh.

01:23:50.800 --> 01:24:00.560
That’s interesting. That’s cool. So, I remember — so, for the next couple days,

01:24:00.560 --> 01:24:05.840
I had to get a badge of an IT guy 'cause I needed to get access to the server room, and eventually I

01:24:05.840 --> 01:24:10.240
get it. It’s through the Proxmark system as well. In the meantime, I’m doing man-in-the-middle,

01:24:10.240 --> 01:24:14.160
getting credentials, doing the traditional attacking methods, but I really wanted to focus on

01:24:14.160 --> 01:24:20.560
this whole physical element because the — Brando, working with me, he was just like, man — he’s

01:24:20.560 --> 01:24:26.560
like, we could do some Mission Impossible stuff. I was like, yeah, yeah, we could. [Music] So, the

01:24:26.560 --> 01:24:33.520
next phase was — they had cameras everywhere. They had internal cameras, sort of external cameras.

01:24:33.520 --> 01:24:39.120
I remember doing the net — so, eventually, every day I’m folding different parts of that — of their

01:24:39.120 --> 01:24:43.520
internal networks into the guest network that I’m at so I can bridge over and start looking,

01:24:43.520 --> 01:24:48.480
and eventually I find all their camera — their camera network. Luckily for me,

01:24:48.480 --> 01:24:54.560
they are using access cameras. If anyone’s worked physical security, everyone knows there was an era

01:24:54.560 --> 01:25:03.200
of access cameras from like, 2001 to about 2008, ‘09, ‘10, where everyone had — all these places

01:25:03.200 --> 01:25:08.080
had these access cameras 'cause they had a ton of features, they were cheap, they were Chinese-made,

01:25:08.080 --> 01:25:15.280
wonderful cameras. However, they were the worst security ever. They had so many default passwords.

01:25:15.280 --> 01:25:21.680
They had buffer overflows — in the access control systems, they had buffer overflows, and their web

01:25:21.680 --> 01:25:26.720
interface — they had a web interface that when you connected to it, it looked like GeoCities.

01:25:26.720 --> 01:25:31.280
It was straight up like 2002 internet all over again, and that’s how you controlled

01:25:31.280 --> 01:25:36.000
the cameras directly. So, talking to Brando and he was like, okay, look, man — he’s like,

01:25:36.000 --> 01:25:41.840
I know they do a guard change around — it’s 2:30 a.m. during — around that time. He’s like,

01:25:41.840 --> 01:25:48.720
you gotta be in and out of a building around this time. I was like, well — and he’s like, also,

01:25:48.720 --> 01:25:52.960
there’s gonna be someone always watching these cameras. I was like, okay, that’s fine. He’s like,

01:25:52.960 --> 01:25:57.920
what are you gonna do with the cameras? So, I show him, and I start connecting to all these cameras,

01:25:57.920 --> 01:26:03.920
and at the time there was an access — I think they were still running firmware from 2005,

01:26:03.920 --> 01:26:07.120
and there’s an access buffer overflow that allows you to control and gain access to

01:26:07.120 --> 01:26:10.880
every one of these cameras. Still running that. They hadn't patched them. Jump in,

01:26:10.880 --> 01:26:14.800
and then from there I can access the shitty little interface.

01:26:14.800 --> 01:26:20.080
I show him; I was like, look what happens if I modify these two values. The values is brightness

01:26:20.080 --> 01:26:24.560
and contrast, and you can edit both of them. It’s usually for when a viewer wants to look at the

01:26:24.560 --> 01:26:31.280
camera. Oh, it’s too dark or too bright. They can edit these. In UI, you can edit them a little bit,

01:26:31.280 --> 01:26:35.760
but programmatically, you can edit them all the way from 0 to 255 values. So,

01:26:35.760 --> 01:26:42.240
you can make them go all black or all white. So, I show him. I was like, watch. We can

01:26:42.240 --> 01:26:47.600
make their cameras go boom. Watch; I show the camera. It goes distinctly black for a second,

01:26:47.600 --> 01:26:54.080
and then I undo it. He’s like, oh. I was like, yeah. [Music] He’s like, alright,

01:26:54.080 --> 01:26:58.640
goth guy, alright. I see what you're cooking here. So, he’s like, well,

01:26:58.640 --> 01:27:03.360
how are you gonna get these into an area that — how are you gonna do this in a way that…?

01:27:03.360 --> 01:27:08.160
You're gonna have to be carrying a laptop with you. It’s gonna just be awkward. I was like,

01:27:08.160 --> 01:27:11.600
that’s a good point. So, in this engagement, I had a shuttle device with me, a little,

01:27:11.600 --> 01:27:15.600
tiny — computers are the size of a shoebox. A lot of pen testers

01:27:15.600 --> 01:27:22.880
use them for leave-behind devices. On that shuttle device I put a Bluetooth radio on it. So,

01:27:22.880 --> 01:27:27.920
with the Bluetooth radio, I was like, okay, I’m gonna walk around the building and I’m

01:27:27.920 --> 01:27:31.360
gonna get measurements of where I’m at with the Bluetooth, the signal-to-noise ratio,

01:27:31.360 --> 01:27:36.320
and when I’m in front of those areas, I’m gonna map out what cameras those are at,

01:27:36.320 --> 01:27:42.880
and I’m gonna make sure that I can get access to this. So, I tested out the Bluetooth range.

01:27:42.880 --> 01:27:46.720
I had to put a big antenna on this thing to get the Bluetooth receiver on it. That worked,

01:27:46.720 --> 01:27:50.800
so I could have the Bluetooth show — I go in front of these two cameras.

01:27:50.800 --> 01:27:54.800
The two cameras that point outside to the patio, I could have them identified. There

01:27:54.800 --> 01:27:59.440
was a camera on the inside there, and then there was a camera facing the server room. So,

01:27:59.440 --> 01:28:06.160
those are the cameras I needed to black out. So, my app sends a signal to the Bluetooth.

01:28:06.160 --> 01:28:10.640
The shuttle device would take that signal and relay it, and when I receive those,

01:28:10.640 --> 01:28:15.680
it would send the packets to those cameras to make the values, brightness or contrast,

01:28:15.680 --> 01:28:19.600
to 255 or 0. It was completely random. It’s flipped back and forth between them to make

01:28:19.600 --> 01:28:22.914
it look like a black and white screen, sort of like an effect that was like the camera

01:28:22.914 --> 01:28:28.640
was malfunctioned for a bit. So, I was like, man, I have — I could look at these cameras. I could

01:28:28.640 --> 01:28:32.240
test to see if this works. Not sure if this is really gonna work, but we're gonna try it.

01:28:32.240 --> 01:28:36.240
JACK: So, he set everything up to try to break into the building overnight and not

01:28:36.240 --> 01:28:41.200
be seen at all. The front door might have extra security and he didn’t want to take the risk,

01:28:41.200 --> 01:28:46.400
so his whole plan was to sneak up to the building, black out the cameras, get in,

01:28:46.400 --> 01:28:51.520
and gain access to the server room. Keep in mind, everyone already was on high alert from

01:28:51.520 --> 01:28:56.320
this kid. They thought he was very suspicious, and he was going to have to do something over

01:28:56.320 --> 01:29:02.560
the top to get in. That’s when he realized his point of entry should be the balcony.

01:29:02.560 --> 01:29:09.120
GREG: So, that night, man, I came in, 2:30 in the morning, climbed up the tree. I get onto the

01:29:09.120 --> 01:29:14.240
balcony. I push open — they had a security door on the balcony that they would lock

01:29:14.240 --> 01:29:21.680
before you can get to the badge-reading door there. I pry that open, I hit the badge key,

01:29:21.680 --> 01:29:27.120
go into the building. The alarm starts beeping. I hit the building alarm code, and lucky for me,

01:29:27.120 --> 01:29:33.360
the girl had not changed her alarm code. I was in. [Music] I look at the cameras and I remember

01:29:33.360 --> 01:29:39.440
being so nervous about this and being like, oh man, this is — hopefully this will work or I’m

01:29:39.440 --> 01:29:46.000
gonna get tackled very soon. So, I make my way over to the server room, and my secondary badge,

01:29:46.000 --> 01:29:50.000
the other one I have from the IT guy, works for that one. Badge cloned. Got into there. Went to

01:29:50.000 --> 01:29:54.400
the server room, and from there, boot-rooted all the machines. So, if you're unfamiliar with boot

01:29:54.400 --> 01:30:02.000
root, back in the day, this was — you plug a USB device into the machine, you turn off the server.

01:30:02.000 --> 01:30:08.640
The machine would then boot off the USB device as a recovery device, and from here you would replace

01:30:08.640 --> 01:30:15.040
a Windows component. Sticky Keys would be an ideal favorite. So, you replace Sticky Keys with command

01:30:15.040 --> 01:30:19.920
shell, and then you reboot the machine. So, the machine — after you do that, the machine — you

01:30:19.920 --> 01:30:25.680
reboot the machine. It goes into the password login prompt, and you hit Shift five times.

01:30:25.680 --> 01:30:30.800
That would then launch Sticky Keys, which has now been — become a command prompt instead, and now

01:30:30.800 --> 01:30:36.280
you have a command screen on it, and then you can run commands as elevated privileges like you're

01:30:36.280 --> 01:30:42.000
on a system. So, you’d have elevated command. So, from there I exploited all the machines. I dropped

01:30:42.000 --> 01:30:48.340
a flag that said I was here, and then I went into their stores and put flags on all of those.

01:30:48.340 --> 01:30:53.760
JACK: He’s done it. He’s successfully hacked into the servers Mission Impossible style. So,

01:30:53.760 --> 01:30:56.720
he starts to go out, but he notices something.

01:30:56.720 --> 01:31:02.080
GREG: Those paintings. So, I proceed to go down the staircase, and I go down to the

01:31:02.080 --> 01:31:08.880
paintings. I just quickly grab a sticky pad and put little happy faces, like a little sticky page,

01:31:08.880 --> 01:31:13.280
and start putting them right next to all these paintings. There’s a little placard for each of

01:31:13.280 --> 01:31:18.720
these paintings telling you essentially who made these paintings, what did it symbolize,

01:31:18.720 --> 01:31:24.709
in some cases how much they were worth. I stick little happy faces on it that says, I stole this.

01:31:24.709 --> 01:31:29.440
JACK: Huh. So, it’s typical for a physical pen tester to leave a token behind to prove

01:31:29.440 --> 01:31:34.960
that they were there in a server room or a desk drawer or something. I mean, just think about how

01:31:34.960 --> 01:31:38.800
you would feel if you went to bed and then woke up and there was a sticky note on your bathroom

01:31:38.800 --> 01:31:45.680
mirror that said, Greg was here. Just a small note like that can say a lot, can't it? Here, what Greg

01:31:45.680 --> 01:31:51.200
was doing was proving that he had access to these paintings and he had time to go right up to them,

01:31:51.200 --> 01:31:56.800
put notes on them, and security never saw him do it. So, he wrote ‘I stole this’ on a bunch

01:31:56.800 --> 01:32:01.280
of sticky notes, and just kept putting the sticky notes on painting after painting after painting.

01:32:01.280 --> 01:32:11.120
GREG: I remember 6:05; I get a call. Greg, Greg. Yeah? Was this you? What’s the happy face? What’s

01:32:11.120 --> 01:32:19.600
that mean? How did you do…? What is…? It doesn't matter. The CEO wants to talk with you today. Get

01:32:19.600 --> 01:32:28.640
in here, like 8:00. He’s like, I don't know, man. He’s really upset. We have to figure out — I was

01:32:28.640 --> 01:32:36.960
like, okay, okay. In the meantime, physical security had — they had an incident 'cause

01:32:36.960 --> 01:32:40.720
they were looking over and they were like, well, someone walked in and put all these happy face

01:32:40.720 --> 01:32:45.360
stickers on there, and they walked out the building. They're like, what does this mean,

01:32:45.360 --> 01:32:50.400
‘I stole this’? I remember they are coming around — and I get to the building. They

01:32:50.400 --> 01:33:01.520
escort me to the board room. The board room has this massive table on it. Me, in my awkwardness,

01:33:01.520 --> 01:33:07.120
I pick — I remember sitting and picking the exact opposite of where I imagine every one — the exact

01:33:07.120 --> 01:33:11.520
corner of it. The physical security is like, no, get over here, get over here. First,

01:33:11.520 --> 01:33:14.840
give us your ID again. We're gonna run some background checks on you again just to make sure.

01:33:14.840 --> 01:33:19.040
JACK: Physical security knows to treat those paintings with a very high level

01:33:19.040 --> 01:33:24.320
of security. So when the CEO came in and he saw his paintings had sticky notes on them,

01:33:24.320 --> 01:33:30.560
he simply asked, who did this? What does this mean? When security had no idea,

01:33:30.560 --> 01:33:35.920
then the CEO is like, okay, well, find out. Then when security looked at the cameras,

01:33:35.920 --> 01:33:41.120
they saw they were glitched out during that time, and they had almost no evidence of who

01:33:41.120 --> 01:33:47.600
did it. This made the CEO furious. What do you mean no security footage? Find out who put these

01:33:47.600 --> 01:33:51.840
sticky notes on this. The cameras around the building were just all black or white because

01:33:51.840 --> 01:33:56.200
Greg hacked into them to prove he could sneak into the building late at night with nobody noticing.

01:33:56.200 --> 01:34:02.160
GREG: The VC came in. The VCO came in and was like, what the fuck? What is this? What do you

01:34:02.160 --> 01:34:07.440
mean, stole my paintings and little happy faces on them? That’s what kicked off the security team

01:34:07.440 --> 01:34:13.440
alert. I remember I was sitting there, and then my contact leans over to me and he’s like, look,

01:34:13.440 --> 01:34:20.480
again, I have never seen him cancel meetings and move so and to see someone like this. So,

01:34:20.480 --> 01:34:28.000
I don't think it’s gonna go well. Then I look over to Brando, and Brando is just like — you know,

01:34:28.000 --> 01:34:31.600
he’s like, maybe we flew a little bit too close to the sun here, a little Icarus just a little hard,

01:34:31.600 --> 01:34:36.920
but whatever. [Music] So, the CEO comes in with this single security team.

01:34:36.920 --> 01:34:49.760
They hand me back my ID, and he looks at me, and I — you can tell the thoughts of this goth kid

01:34:49.760 --> 01:35:00.000
in his board room is not what he expected and not what he was expecting to meet for when he — and he

01:35:00.000 --> 01:35:04.960
looks over and he’s like, you hired this guy? My contact who worked at the company was just like,

01:35:04.960 --> 01:35:14.080
yeah. Looking at him, he’s like, alright. He’s like, so, walk me through what you did. For the

01:35:14.080 --> 01:35:20.000
next ten minutes, I retell him the story of exactly how I did it. This VC previously had

01:35:20.000 --> 01:35:23.680
been very technical. He was a code developer. He worked on software. So, he starts going and

01:35:23.680 --> 01:35:26.800
he starts asking me very intelligent questions about — we start having a back-and-forth about,

01:35:26.800 --> 01:35:36.800
oh, okay, so why…? He’s like, so, two questions for you. First, what were you gonna do with the

01:35:36.800 --> 01:35:42.400
paintings? I was like — I was dating a girl out of Brooklyn at this time, and I was like, you know,

01:35:42.400 --> 01:35:46.560
I was thinking of taking them to Pratt University and maybe fencing them at the university there.

01:35:46.560 --> 01:35:50.880
There’s gotta be someone who knows some weird connections at Pratt Art — Pratt Institute of

01:35:50.880 --> 01:35:58.320
Art. He starts laughing. He’s like, alright. He’s got a plan. I was like, okay. He’s like,

01:35:58.320 --> 01:36:02.960
I really like those paintings. He was like, I can't believe you would — I was like, yeah,

01:36:02.960 --> 01:36:08.160
I absolutely would have stole them right out from — nothing to do. He’s like, alright. So,

01:36:08.160 --> 01:36:15.760
then he’s like, alright. So, my next question is what are you doing next year at this time? That’s

01:36:15.760 --> 01:36:21.120
how I became their reoccurring red teamer for four years until they got tired of me breaking

01:36:21.120 --> 01:36:27.680
into the buildings and doing all the things, and hired me as full time. So, after this I

01:36:27.680 --> 01:36:35.360
got introduced to a lot of the various levels of executives for this, and I got to pen test all

01:36:35.360 --> 01:36:42.320
their personal houses and got to show them how — why physical security is important, gaining access

01:36:42.320 --> 01:36:51.520
to all their penthouse suites, all their large houses. I did that for quite some time afterwards.

01:36:51.520 --> 01:36:59.120
(Outro): [Outro music]

01:36:59.120 --> 01:37:04.000
A big thank you to Greg Linares, AKA, Laughing Mantis, for coming on the show and sharing these

01:37:04.000 --> 01:37:09.520
stories with us. Please consider supporting this show by visiting plus.darknetdiaries.com. If you

01:37:09.520 --> 01:37:14.560
do, you'll get eleven bonus episodes and an ad-free version of the show. Becoming a

01:37:14.560 --> 01:37:18.720
supporter is the most direct way that you can help make sure this show continues running and

01:37:18.720 --> 01:37:24.560
delivers you more episodes. Please visit plus.darknetdiaries.com. This episode is

01:37:24.560 --> 01:37:30.720
created by me, CAPTCHA America, Jack Rhysider. Our editor is the super subnetter, Tristan Ledger,

01:37:30.720 --> 01:37:35.520
mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.

01:37:35.520 --> 01:37:40.560
I’ve been working on a new dance lately. It requires the most efficient use of muscle memory

01:37:40.560 --> 01:37:48.800
in order to spin at the perfect RPM. I call my dance the algorhythm. This is Darknet Diaries.
