WEBVTT 00:00:00.000 --> 00:00:04.620 JACK: Antwerp is a town in Belgium. Actually, it’s Belgium’s largest city, 00:00:04.620 --> 00:00:10.980 but what comes to mind when I say Antwerp? To me, at least, it’s diamonds. It’s the hub of 00:00:10.980 --> 00:00:16.620 the world’s diamond trade. Well, I imagine if the town is bustling with diamonds, then it’s 00:00:16.620 --> 00:00:23.100 probably also attracting some criminals wanting to steal those diamonds, right? [MUSIC] In 2019, 00:00:23.100 --> 00:00:28.740 a robbery occurred that really took things to the next level. It was actually a bank, and it 00:00:28.740 --> 00:00:34.320 was situated in the diamond trading district in Antwerp. Monday morning, bank employees came to 00:00:34.320 --> 00:00:38.940 work and checked out the vault, but something was wrong with the vault and they called the police, 00:00:38.940 --> 00:00:44.940 who had to force their way into the vault only to find that the place had been robbed. 00:00:44.940 --> 00:00:49.860 How, though? The bank had all the right security measures; cameras watching the 00:00:49.860 --> 00:00:53.880 bank doors, motion sensors in the bank and sensors in the vault doors themselves, 00:00:53.880 --> 00:00:57.540 and everything was secured tight. So, how did they get into the vault? 00:00:57.540 --> 00:01:02.280 DEVIANT: They went through the probably six to eight-foot-thick concrete wall. 00:01:02.280 --> 00:01:07.680 They just bore-holed – you could actually see three slightly overlapping – kinda like 00:01:07.680 --> 00:01:13.980 MasterCard logo interlocking circles – bore holes of about a twelve-inch diameter, maybe, 00:01:13.980 --> 00:01:19.320 and they just chewed through it, over time getting through the wall. They crawled all 00:01:19.320 --> 00:01:22.440 the way through, did everything they did, and crawled all the way out, 00:01:22.440 --> 00:01:26.880 just kind of army-crawled through these – this sandwich-shaped hole. 00:01:26.880 --> 00:01:34.200 JACK: Wow, drilling through a six-foot concrete wall? That must have taken a 00:01:34.200 --> 00:01:39.000 very long time. In fact, the criminals spent all weekend down there while the 00:01:39.000 --> 00:01:42.780 bank was closed so they could make a lot of noise without getting caught. 00:01:42.780 --> 00:01:48.360 DEVIANT: It really goes to show that if everything is – ‘cause the vault had 00:01:48.360 --> 00:01:53.400 basically been protected to oblivion on the door, and if anyone messed with that door, 00:01:53.400 --> 00:01:56.640 tampered with that door, tried to torch-cut, whatever, that door, 00:01:56.640 --> 00:02:01.200 that was where the alarm was. That’s where all the sensors were. All the investment was in the door 00:02:01.200 --> 00:02:04.980 because they said, well, what do you do with walls? There’s only so much you can do with 00:02:04.980 --> 00:02:10.380 walls. But you can believe that at least a few bank vaults in Antwerp started looking at their 00:02:10.380 --> 00:02:14.400 diamonds and they said, is concrete the only thing that’s protecting us? Because we’ve got 00:02:14.400 --> 00:02:19.200 to at least get some shake sensors in these walls or put one or two cameras in the vault, because 00:02:19.200 --> 00:02:21.960 if somebody goes into the concrete and they’re in there all weekend, well, that’s a problem. 00:02:21.960 --> 00:02:26.580 JACK: It reminds me of that Bob Dylan song. You know the one; Lily, Rosemary and the Jack 00:02:26.580 --> 00:02:33.000 of Hearts? It’s a nine-minute-long song and it’s an epic narrative ballad. The story summed up is 00:02:33.000 --> 00:02:38.940 that Jack had his gang try to drill through the wall into a neighboring bank while Lily 00:02:38.940 --> 00:02:44.040 and Rosemary distracted the bank owner, Big Jim, and the whole thing takes place in this 00:02:44.040 --> 00:02:49.500 cabaret. Lily and Rosemary got the judge and the bank owner drunk while the boys made their 00:02:49.500 --> 00:02:54.060 way through the wall. They cleaned out the safe and took off with the Jack of Hearts. 00:02:54.060 --> 00:02:58.860 (INTRO): [INTRO MUSIC] 00:02:58.860 --> 00:03:05.280 These are true stories from the dark side of the internet. 00:03:05.280 --> 00:03:16.080 I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] 00:03:16.080 --> 00:03:26.700 JACK: Okay, so, who are you and what do you do? 00:03:26.700 --> 00:03:32.580 DEVIANT: My name is Deviant Ollam and I am a physical penetration specialist. I 00:03:32.580 --> 00:03:36.720 have been involved in lock-picking, safe manipulation, physical entry, 00:03:36.720 --> 00:03:41.040 physical bypass, and teaching about covert entry tactics for, 00:03:41.040 --> 00:03:46.230 well, well in excess of ten years at this point. We’ll say it that way. Much longer. 00:03:46.230 --> 00:03:50.460 JACK: Okay, so, Deviant is a very well-known physical penetration tester, 00:03:50.460 --> 00:03:54.780 and we’re gonna hear three stories about how he’s broken into buildings in this episode, 00:03:54.780 --> 00:03:58.320 and the third one is my favorite, so stick around for that. But I want to 00:03:58.320 --> 00:04:00.960 first quickly catch up about how he even got to this point. 00:04:00.960 --> 00:04:04.440 DEVIANT: I was a network person. I was a computer person. I was, 00:04:04.440 --> 00:04:10.500 like a lot of people in the tech world, mostly making my living on a keyboard. I liked locks 00:04:10.500 --> 00:04:14.460 and lock-picking and door bypassing. I knew about these tactics. It’s a very common hobby, 00:04:14.460 --> 00:04:21.000 but that’s your avocation. But I had clients; there was a law office in town. 00:04:21.000 --> 00:04:26.520 The law office had a sysadmin. Small to medium business, one-stop shop, single guy in an office. 00:04:26.520 --> 00:04:32.880 He ran the show with the IT and he just sort of rage-quit one day. Just, table flip, I’m 00:04:32.880 --> 00:04:37.440 outta here, and slammed his office door. It was a pretty crappy law firm, so I’m not surprised. 00:04:37.440 --> 00:04:43.560 But when he left, the staff kind of looked at each other and were like, I don’t know if he’s 00:04:43.560 --> 00:04:48.720 coming back. Are we supposed to do something if that happens? Because he’s got all the passwords. 00:04:48.720 --> 00:04:53.340 What are we doing here? Of course, you do need to put a plan into place. They just didn’t have one. 00:04:53.340 --> 00:04:56.220 JACK: So, they called up Deviant to come help recover the network, 00:04:56.220 --> 00:05:00.600 and he went down there but the network room was locked, and nobody could find the key 00:05:00.600 --> 00:05:05.040 to get in. So, they called a locksmith to come try to get the doors open. Now, 00:05:05.040 --> 00:05:09.960 because Deviant had a little practice picking locks by that time, he took a look at the door. 00:05:09.960 --> 00:05:15.540 DEVIANT: I’m looking at your standard office, standard, regular building, and I’m looking at the 00:05:15.540 --> 00:05:21.420 doors and the little badge-readers, but nothing serious. We get to this windowless door at the 00:05:21.420 --> 00:05:26.580 end of the hall, a sysadmin IT room, some network, whatever – name badge on the door, but it’s just a 00:05:26.580 --> 00:05:31.320 regular door. A little badge-reader on the wall and – this is – so, it’s not like a data center 00:05:31.320 --> 00:05:35.760 door. This is just a regular door? They said, yeah, but none of our badges work on the door 00:05:35.760 --> 00:05:42.120 and we don’t – apparently even the head partner doesn’t have a key. His key – we thought it was 00:05:42.120 --> 00:05:45.720 supposed to work. We’ll have to talk to building management about that. I said, okay, well, 00:05:45.720 --> 00:05:51.180 can I try something for a second? I’m looking at your doors – and I pick up the equivalent of a TPS 00:05:51.180 --> 00:05:55.860 report, just kinda ripped the cover off of that, and I said, well, here; if I kinda – and I just 00:05:55.860 --> 00:06:00.420 shoved – I shimmed the door. [MUSIC] I just popped it in, slid – toing, the door popped open. [MUSIC] 00:06:00.420 --> 00:06:05.400 I was like, well, alright, cool. Well, cancel the locksmith, I guess. Save you a couple bucks there, 00:06:05.400 --> 00:06:11.220 and I just breeze on into the room. I’m sticking flash drives in and the old NT boot tool. 00:06:11.220 --> 00:06:15.300 I’m rebooting machines and getting – restoring local admin access. Okay, 00:06:15.300 --> 00:06:19.500 resetting passwords – I mean, what was his name? Okay, so, I could see his user; 00:06:19.500 --> 00:06:24.480 I’m just gonna kill his user. There might be maybe backup accounts he made for maintenance, but I 00:06:24.480 --> 00:06:29.520 don’t see immediately a way that he’s getting in. You’re probably fine. I’ll send you a bill. 00:06:29.520 --> 00:06:33.480 We’re pretty good, man, and I hand – here’s your piece of paper with – so, here’s your new root 00:06:33.480 --> 00:06:38.220 passwords. The guy – the keys to the kingdom, he takes it, goes, yeah, yeah, sure, root password, 00:06:38.220 --> 00:06:44.040 sure, and just kinda puts it in his breast pocket. What’d you do to that door? I was like, oh, yeah, 00:06:44.040 --> 00:06:47.520 your doors are all installed with these electronic strikes. They’re actually – it’s a super-common 00:06:47.520 --> 00:06:52.800 vulnerability. You can speak to whoever your integrator was about that. He’s – hey, 00:06:52.800 --> 00:06:57.180 Steve! He brings this guy; come here! Can you show him what you did to that door? I was like, 00:06:57.180 --> 00:07:01.020 yeah. Do you want to show it at your office? I’ll pop your office. So, I’m just popping doors open 00:07:01.020 --> 00:07:06.360 and it bugged him out. They said, oh my – and that became the story of the day at the office, 00:07:06.360 --> 00:07:12.586 not the sysadmin who quit, but this kid who came in and opened all the law partners’ doors. 00:07:12.586 --> 00:07:17.280 JACK: [MUSIC] This resulted in them calling him back to the office to do a full penetration test. 00:07:17.280 --> 00:07:22.140 This law firm did not like that those office doors could be opened with just a basic folder, 00:07:22.140 --> 00:07:26.340 by just shimming it in between the latch and the door, and they wanted to know what 00:07:26.340 --> 00:07:32.160 else in this building was not secure. This got Deviant even more into bypassing doors 00:07:32.160 --> 00:07:36.840 and picking locks and breaking into rooms. Deviant was good friends with Dark Tangent, 00:07:36.840 --> 00:07:43.020 who’s the organizer of the hacker conferences Defcon and Black Hat, and Dark Tangent told him… 00:07:43.020 --> 00:07:46.200 DEVIANT: This lock-picking thing is really catching fire. You should do a training 00:07:46.200 --> 00:07:49.320 at Black Hat. I want you to propose a Black Hat training about lock-picking. 00:07:49.320 --> 00:07:52.560 I was like, no one’s gonna pay money for that. He said, no, trust me, 00:07:52.560 --> 00:07:57.540 trust me. I think it’ll be hot. You should do it. Yeah, so, that became my career, 00:07:57.540 --> 00:08:03.300 was a law firm who quit and a dear friend who said, hey, people pay money for this knowledge. 00:08:03.300 --> 00:08:09.480 Those two forces together really kicked off the idea of doing physical security consulting for me, 00:08:09.480 --> 00:08:15.120 and my main colleague through all this has been Babak Javadi. He and I have more than one company 00:08:15.120 --> 00:08:19.800 at this point doing training, consulting, advising, and I get to break into safes 00:08:19.800 --> 00:08:24.540 on army bases. It’s quite a career all from a few little things that you trip over as opportunities. 00:08:24.540 --> 00:08:32.040 JACK: The first Defcon I ever went to was Defcon 17 in 2009 at the Riviera, and that’s where I went 00:08:32.040 --> 00:08:36.660 up into the Lockpick Village and saw Deviant demonstrate how the inner mechanics of a lock 00:08:36.660 --> 00:08:42.180 worked. He put a rake and tension bar in my hand and had me practice how to get a lock open. I was 00:08:42.180 --> 00:08:47.340 fascinated by what he taught me that day, and that’s where I bought my first lockpick set. 00:08:47.340 --> 00:08:52.140 The Lockpick Village has grown since then. I also remember a contest that year which had people try 00:08:52.140 --> 00:08:56.400 to escape from jail. The premise is that you woke up in a jail but you had your lockpicks 00:08:56.400 --> 00:09:01.200 with you. So, you have to first undo your handcuffs and then pick open the cell door, 00:09:01.200 --> 00:09:06.840 and then pickpocket the guard, and then get the lock open to the jailhouse. It was hilarious. 00:09:06.840 --> 00:09:10.740 There are a million ways to get a locked door open. You don’t always need to pick it. In 00:09:10.740 --> 00:09:14.700 that law firm, it seemed that the latches in the door were installed incorrectly, 00:09:14.700 --> 00:09:18.720 and by putting a piece of plastic between the door and the frame, you could shim 00:09:18.720 --> 00:09:23.940 it open. I’ve also seen whole doors installed backwards, where the hinges are on the outside, 00:09:23.940 --> 00:09:28.680 so you could come in with a hammer and nail and just pop the hinges off and take the whole door 00:09:28.680 --> 00:09:34.080 off without having to touch the lock at all. So, throughout the years, Deviant has been getting 00:09:34.080 --> 00:09:39.000 better and better at understanding locks and doors and physical security measures, 00:09:39.000 --> 00:09:43.380 and I consider him one of the masters in this space. In fact, I’m willing to believe 00:09:43.380 --> 00:09:47.820 that Deviant has actually given more talks at security conferences than anyone else. 00:09:47.820 --> 00:09:51.240 DEVIANT: Someone did the math and I think they said one of the few 00:09:51.240 --> 00:09:56.160 people who’s talked more than I was the late and wonderful Dan, Dan Kaminsky. 00:09:56.160 --> 00:10:02.100 But I’ve – again, I just would say yes to everything, and I would drive or fly just 00:10:02.100 --> 00:10:06.240 because I love talking about this. So, yeah, it’s in – it’s well in excess of 00:10:06.240 --> 00:10:10.860 three or four hundred. That was the last time we checked, and that was years ago. 00:10:10.860 --> 00:10:17.100 JACK: Three hundred or four hundred talks about physical penetration testing. Yowsers. 00:10:17.100 --> 00:10:22.080 How in the world am I gonna fit all that information into a one-hour episode? 00:10:22.080 --> 00:10:26.640 Hm. Alright, I got a plan; I think I’m gonna take a break, play Elden Ring for like, 00:10:26.640 --> 00:10:32.340 two hundred hours, [MUSIC] and then listen to as many of his videos and then come back later. 00:10:32.340 --> 00:10:35.580 Okay, that was fun, and through the magic of editing, I’m back, 00:10:35.580 --> 00:10:41.160 and whew, there’s some good stuff that he talks about there. My favorite talk of his is this one. 00:10:41.160 --> 00:10:44.280 DEVIANT: So, yeah, this is the elevator hacking talk. This is the talk that we 00:10:44.280 --> 00:10:48.870 were told had to be on Sunday, because – [AUDIENCE LAUGHTER] – because reasons. 00:10:48.870 --> 00:10:53.640 JACK: Because here’s the thing; this is a full one-hour talk of him and his friend, 00:10:53.640 --> 00:10:59.340 Howard Payne, going over so many ways that you can take over an elevator, hack an elevator, 00:10:59.340 --> 00:11:04.620 and make it do stuff that you shouldn’t be able to do. But since this was a talk in Las Vegas 00:11:04.620 --> 00:11:09.780 where there are a lot of elevators, Defcon was a bit worried about what people would do with this 00:11:09.780 --> 00:11:15.240 information, so they pushed the talk back to be on the last day and the last talk of the last day, 00:11:15.240 --> 00:11:20.760 when people were flying home. So, it was kind of a hidden talk where most attendees had 00:11:20.760 --> 00:11:27.780 already gone. But it’s the most-watched video of all of Defcon’s videos on YouTube, and so, 00:11:27.780 --> 00:11:32.400 it’s no secret anymore. I think you should watch this video, too, on elevator hacking. It’ll make 00:11:32.400 --> 00:11:37.140 you think differently about elevators after you see it. For instance, you may have been in an 00:11:37.140 --> 00:11:41.700 elevator where you couldn’t get to certain floors unless you scan a key card. Deviant 00:11:41.700 --> 00:11:45.720 can bypass that. He can get on an elevator and then get it to go to whatever floor he wants. 00:11:45.720 --> 00:11:50.580 He shows you that there are some common keys that a lot of elevators use, and they aren’t 00:11:50.580 --> 00:11:55.620 hard to get, so elevators aren’t as secure as you think. You should probably consider them 00:11:55.620 --> 00:12:00.840 to be like doors, where you really should test the security of them and not like an elevator, 00:12:00.840 --> 00:12:04.380 which is just some mysterious box that goes up and down that only the elevator technician 00:12:04.380 --> 00:12:08.220 knows how to control. It’s one of those things that I just never thought about that’s something 00:12:08.220 --> 00:12:13.680 you need to secure in your building or office, and that’s what’s fun about Deviant, is how he 00:12:13.680 --> 00:12:18.900 has all this knowledge of bypassing physical security measures, and then he loves teaching 00:12:18.900 --> 00:12:25.860 that to others. I just imagine you at this point having, I don’t know, some sort of Matrix-style 00:12:25.860 --> 00:12:31.500 view into locks and security mechanisms that you see. Like, when you pop into an elevator, 00:12:31.500 --> 00:12:37.020 you just immediately start looking at what kind of key is in this elevator, how can I turn it on/off, 00:12:37.020 --> 00:12:42.300 any door that you look at – is that true or are you just kind of zoomed in on… 00:12:42.300 --> 00:12:42.960 DEVIANT: Oh, yeah. 00:12:42.960 --> 00:12:43.604 JACK: …any lock you’ve ever seen? 00:12:43.604 --> 00:12:47.100 DEVIANT: It’s absolute – it sounds silly, but it’s – I love that you said it and not me, 00:12:47.100 --> 00:12:52.200 ‘cause – but it’s true. There’s even a talk I made about this phenomenon called Eyes of a Thief, 00:12:52.200 --> 00:12:56.640 and the corporate audience is kinda like that one because you walk them through 00:12:56.640 --> 00:13:00.360 galleries of images and videos. I say, well, here’s what you see; 00:13:00.360 --> 00:13:03.900 now here’s what I see. I zoom in and I say, here’s this exploit, that exploit, bang, bang, 00:13:03.900 --> 00:13:09.300 bang. My wife is very used to the phenomenon of us walking down a city street and she’ll 00:13:09.300 --> 00:13:13.560 be talking – she’ll turn and I’m two steps back because I paused to pivot and take one picture 00:13:13.560 --> 00:13:19.080 of this building or that car or this fixture or this device. I’m – oh, that’s going in the slides. 00:13:19.080 --> 00:13:24.660 JACK: There was a strange paradigm shift when – it was you who taught me how to 00:13:24.660 --> 00:13:28.080 pick a lock for the first time, right? I brought it home and I showed my friend, 00:13:28.080 --> 00:13:31.920 and it just so happened that my friend’s mother was a locksmith. 00:13:31.920 --> 00:13:32.454 DEVIANT: Very cool. 00:13:32.454 --> 00:13:37.980 JACK: She’s like, you are not allowed to know this. I asked her in the past, hey, 00:13:37.980 --> 00:13:42.600 can you teach me how to pick a lock? She’s like, nope. I’m not allowed. I got a locksmith code. I 00:13:42.600 --> 00:13:47.580 can’t show you. It’s just – sorry. So, when I came home and I said, here, let me try opening 00:13:47.580 --> 00:13:51.720 your front door; I want to see if I could do it, and she saw the tools that I had, 00:13:51.720 --> 00:13:57.000 she was just flabbergasted by it. It gives me this kind of weird thing of like, 00:13:57.000 --> 00:14:01.560 this is kinda sacred knowledge. Why don’t locksmiths – why aren’t they physical 00:14:01.560 --> 00:14:07.320 penetration testers? How come that wasn’t just an easy, hey – like you said on that job you had, 00:14:07.320 --> 00:14:12.240 we need a locksmith here, they didn’t think, well, let’s get a physical penetration tester here, 00:14:12.240 --> 00:14:18.300 and a locksmith doesn’t consider themselves a physical penetration tester. So, why is 00:14:18.300 --> 00:14:22.140 there a gap there? Why doesn’t it all blend together? Do you have any thoughts on that? 00:14:22.140 --> 00:14:27.360 DEVIANT: Yeah. I think the real thing there that you hit on perfectly is the guardedness 00:14:27.360 --> 00:14:33.180 of knowledge and the old world of the trade of locksmithing. If you’re doing a physical 00:14:33.180 --> 00:14:40.200 penetration test, the value isn’t in the success of the tester. It’s in the deliverable. It’s in 00:14:40.200 --> 00:14:47.340 the report, the knowledge that they will give you. Giving out that knowledge – physical pen testers, 00:14:47.340 --> 00:14:51.960 yes, we are many times locksmiths, but much like Penn and Teller are magicians. But part 00:14:51.960 --> 00:14:57.420 of their whole shtick over the years has been showing the audience how they did the trick. 00:14:57.420 --> 00:15:02.220 There are some magicians that think that ruins it, that it takes all the shine and polish off of it 00:15:02.220 --> 00:15:08.640 and the magic is gone, but I think that showing the execution, if it’s elegant and well-done and 00:15:08.640 --> 00:15:14.580 impressive, it doesn’t take away. In fact, it enhances the audience’s appreciation for – wow, 00:15:14.580 --> 00:15:17.400 I would not have been – even knowing how it works, 00:15:17.400 --> 00:15:19.920 I would take five years to learn how to do that trick properly. 00:15:19.920 --> 00:15:23.880 Same thing with us. I can show you how it works, 00:15:23.880 --> 00:15:30.420 but it’s not really taking money out of my pocket or opportunity out of my colleague’s portfolio 00:15:30.420 --> 00:15:36.840 if people know how my job functions. They’re not all going out immediately trying to do this job. 00:15:36.840 --> 00:15:41.340 There’s, as you say, that sort of comprehensive knowledge of being able to walk through a space 00:15:41.340 --> 00:15:47.700 and instantly look and recognize every little detail that comes with years of experience. So, 00:15:47.700 --> 00:15:53.760 I’m not surprised at your friend’s mother. I’m not even disappointed. For the longest time, 00:15:53.760 --> 00:15:58.800 that was just part – it was deeply ingrained in the trade. Why aren’t locks – even now, 00:15:58.800 --> 00:16:04.080 as knowledge is opening up, why aren’t they getting into penetration testing? A lot of them, 00:16:04.080 --> 00:16:09.180 even with their knowledge as locksmiths, they can’t quite do what we do and they’re, frankly, 00:16:09.180 --> 00:16:11.989 making far – it’s a very different business model – they’re making far too much money. 00:16:11.989 --> 00:16:17.520 JACK: Huh, that’s really interesting to me. If you want someone to break into a place for you, 00:16:17.520 --> 00:16:22.980 call a locksmith. If you want someone to break into the place and then show you how they did it, 00:16:22.980 --> 00:16:29.580 call a physical penetration tester. While that skill set of both roles overlaps in many areas, 00:16:29.580 --> 00:16:35.280 it’s just two different mindsets, really. What is your percentage on – 00:16:35.280 --> 00:16:38.820 when you’re going on physical assessments, percentage of getting into a building? 00:16:38.820 --> 00:16:42.534 DEVIANT: We’ve never not gotten in. You’re always gonna get in. The question is… 00:16:42.534 --> 00:16:43.470 JACK: 100% of success. 00:16:43.470 --> 00:16:48.180 DEVIANT: 100% of success in terms of entering the building, yes. Every building we’ve ever 00:16:48.180 --> 00:16:52.980 seen we’ve been able to enter, sometimes quickly, sometimes it takes a while. The question is are 00:16:52.980 --> 00:16:59.040 we detected? Is there a response? How competent is that response? Can we talk our way out of it? 00:16:59.040 --> 00:17:02.580 JACK: Okay, enough gibber-gabber. Let’s get into some story time and hear what 00:17:02.580 --> 00:17:08.940 it’s like when Deviant goes on a mission to break into buildings. [MUSIC] So, this first 00:17:08.940 --> 00:17:13.260 story starts out where Deviant was hired to break into a building to test its security. 00:17:13.260 --> 00:17:20.340 DEVIANT: Their objective was to affect network access either externally from the parking lot, 00:17:20.340 --> 00:17:23.460 a cantenna or nowadays – we’re not poor hackers anymore; 00:17:23.460 --> 00:17:27.540 you get a nice Yagi. But trying to pick up on the building’s Wi-Fi. They said, 00:17:27.540 --> 00:17:32.220 did we – does the Wi-Fi leak? Or you could try to make internal connections. 00:17:32.220 --> 00:17:37.020 JACK: But it wasn’t the company itself that hired Deviant. It was another penetration 00:17:37.020 --> 00:17:42.060 testing company that got this job. But what they were good at was hands-on-keyboard type 00:17:42.060 --> 00:17:47.220 of activities, and what Deviant is good at is physically getting into buildings. So, 00:17:47.220 --> 00:17:53.940 this other pen test company hired Deviant to essentially team up with their computer guy to get 00:17:53.940 --> 00:17:58.680 him into the building to plant computers in the network and gain remote access to this building. 00:17:58.680 --> 00:18:05.220 DEVIANT: So, he was gonna get in the building with me, find an unused network port or compromise a 00:18:05.220 --> 00:18:10.440 network port in a conference room, and then basically just – do they have MAC 00:18:10.440 --> 00:18:14.100 filtering? Do they not? Can I get a device to connect to the network? Can I not? Let me 00:18:14.100 --> 00:18:18.180 see if I can get this little dropbox, headless computer, and then it would back haul offsite. 00:18:18.180 --> 00:18:22.050 JACK: So, he didn’t have physical access experience. That was your job, to get… 00:18:22.050 --> 00:18:22.067 DEVIANT: Correct. 00:18:22.067 --> 00:18:25.980 JACK: …him in, and then once you get him in, you’re gonna keep watch, 00:18:25.980 --> 00:18:29.700 distract people, stall, whatever you need to do to let him do his job. 00:18:29.700 --> 00:18:30.300 DEVIANT: Yeah, yeah. 00:18:30.300 --> 00:18:32.760 JACK: It sounds like a good crew there. 00:18:32.760 --> 00:18:35.280 DEVIANT: It’s great. JACK: Like, two high skill sets together. Okay. 00:18:35.280 --> 00:18:38.640 DEVIANT: It really – it’s a mutually beneficial relationship. It allows us 00:18:38.640 --> 00:18:43.140 to specialize only in what we’re good at, ‘cause I am, again, not a keyboard jockey these days, 00:18:43.140 --> 00:18:48.540 and it absolves a lot of headache and liability from the primary consultant team. They say, 00:18:48.540 --> 00:18:51.810 I don’t want to touch that elevator; I’m not qualified. Well, I’ll touch the elevator. 00:18:51.810 --> 00:18:53.880 JACK: So, what do you bring to this engagement? 00:18:53.880 --> 00:18:59.940 DEVIANT: So, I had a little field bag on me of some bypass tools, some lockpicks. 00:18:59.940 --> 00:19:04.200 I did have my elevator keys. I’ll have an under-door tool, I’ll have door shims, 00:19:04.200 --> 00:19:06.720 a mini-knife, kind of your typical kit. 00:19:06.720 --> 00:19:10.380 JACK: Deviant checked out the building just to get a good understanding of what’s there, 00:19:10.380 --> 00:19:15.300 just driving around into the parking lot and sitting with his car and watching what the 00:19:15.300 --> 00:19:20.820 building is doing. Like, okay, there are security guards there, but they never go outside to patrol 00:19:20.820 --> 00:19:25.440 anything. They just sit at the front desk all day. On top of that, the building was 00:19:25.440 --> 00:19:30.540 very quiet. Not many people at all are coming and going, and this made him think that they 00:19:30.540 --> 00:19:35.280 probably put all their security at one single point of entry, and they may not have secured 00:19:35.280 --> 00:19:43.080 the back doors very well. So, after monitoring the place for a while, it was go time. [MUSIC] 00:19:43.080 --> 00:19:48.840 Deviant and the other computer guy go up to the building in the middle of the day. They wanted 00:19:48.840 --> 00:19:54.180 to find a way in. The two of them started looking around the building for a way in. They found some 00:19:54.180 --> 00:19:59.520 side doors, but they were locked tight. No clear vulnerability, either. Deviant might 00:19:59.520 --> 00:20:04.260 have been able to bypass those doors, but he wanted to find an easier way in, you know, that 00:20:04.260 --> 00:20:09.720 demonstrates a simpler technique that lets just anyone walk right in with maybe no tools at all. 00:20:09.720 --> 00:20:14.880 So, he kept looking around the building, but was having a tough time finding an easy way in. 00:20:14.880 --> 00:20:21.300 All the doors were locked tight. No windows were open. No poorly-installed door or anything. So, 00:20:21.300 --> 00:20:26.340 he goes back to that side door he saw earlier. He wanted to take another look at it. Maybe there’s 00:20:26.340 --> 00:20:33.660 something there. Now, this side door was a double door. You first enter one door and then there’s 00:20:33.660 --> 00:20:37.680 a little room, a vestibule, and then there’s a second door that you need to get through to get 00:20:37.680 --> 00:20:41.820 into the building. When he looks for a way to get in through a locked door, he has a little 00:20:41.820 --> 00:20:46.020 checklist in his head that he runs through. It’s not like he has some magic tool that he just puts 00:20:46.020 --> 00:20:51.420 in the lock and the door immediately opens like on TV. He first analyzes the door and looks it over. 00:20:51.420 --> 00:20:56.280 He’ll at first just tug on the handle and see if it’s unlocked, then he’ll look at the hinges. 00:20:56.280 --> 00:21:00.720 Maybe it was installed backwards; then he could just unscrew the door. Then he’ll look at the gap 00:21:00.720 --> 00:21:05.640 between the latch and the strike plate. If this is too wide or missing parts or installed wrong, 00:21:05.640 --> 00:21:09.780 he can use tools to get in there and open the latch from between the door and the door 00:21:09.780 --> 00:21:13.740 frame. In fact, any gaps at all between the door and the frame can be exploited, 00:21:13.740 --> 00:21:18.960 but this door had no clear vulnerabilities like that. So, then he starts looking at the 00:21:18.960 --> 00:21:24.480 whole thing backwards. Instead of getting into this door, how do people get out? Is 00:21:24.480 --> 00:21:29.760 there a crash bar that you just push from the inside which unlocks a door and opens it? Well, 00:21:29.760 --> 00:21:34.260 he looked through the window, but he didn’t see that. He didn’t see a handle on this door 00:21:34.260 --> 00:21:39.360 that you could turn or unlock, either, which made him realize what kind of lock he’s dealing with. 00:21:39.360 --> 00:21:44.280 DEVIANT: It wasn’t a mechanically-released door. It was electronically locked. You can also 00:21:44.280 --> 00:21:50.700 tell – if you’re yanking on the door and it’s very clearly being held shut maybe at the very top, 00:21:50.700 --> 00:21:54.720 but the bottom of the door is wiggling by a quarter-inch, half-inch, you’re like, alright, 00:21:54.720 --> 00:21:59.880 that’s a mag lock. That’s a magnetic lock at the top of this door. I’m pretty sure we 00:21:59.880 --> 00:22:03.660 electronically can release that mag lock, either looking around and you see – I don’t see any 00:22:03.660 --> 00:22:08.160 push-to-exit buttons through the windows. No, it’s gotta be – looking through the window some more. 00:22:08.160 --> 00:22:15.180 It’s gotta be a sensor somewhere. Where is that REX sensor? Normally it’s right above the door. 00:22:15.180 --> 00:22:20.880 Eventually we had to look through another window from the side, and my buddy I was with, he’s like, 00:22:20.880 --> 00:22:26.100 oh my god, is that it? Is that it way the heck…? It’s almost down and to the right 00:22:26.100 --> 00:22:29.280 where the other – I said, by the other door? I’m like, god, yeah, that’s where they put it. Okay. 00:22:29.280 --> 00:22:34.500 JACK: Okay, so there’s a motion sensor. If Deviant can trigger that, 00:22:34.500 --> 00:22:41.160 it’ll unlock the door. But it’s a good ten feet inside the door, so how? 00:22:41.160 --> 00:22:47.940 DEVIANT: [MUSIC] It has a request-to-exit sensor, a REX sensor. These are sensors; 00:22:47.940 --> 00:22:53.220 they’re very common in physical access control environments, which will detect egress events, 00:22:53.220 --> 00:22:58.680 impending egress events, and they do it through motion sensors. Most of these are infrared, 00:22:58.680 --> 00:23:02.040 simple, passive infrared sensors. They sense a change in temperature; 00:23:02.040 --> 00:23:08.400 they presume it must be an individual making their egress from the building. 00:23:08.400 --> 00:23:15.360 Okay, no problem. So, how can you exploit this? If you’re on the outside of the building, do you 00:23:15.360 --> 00:23:18.900 throw a fire stick under the door, like a road flare, make it hot? Well, you don’t have to do 00:23:18.900 --> 00:23:24.540 anything quite like that. What you can do is take a can of compressed air, or if you’re very fancy, 00:23:24.540 --> 00:23:28.980 you go to a scientific supply shop and you get a can of tech spray or freeze spray, 00:23:28.980 --> 00:23:35.640 the idea being if you spray into the air a little cloud of propellant, a little refrigerant cloud, 00:23:35.640 --> 00:23:42.180 it will boil off in the atmosphere and make a very cold patch of air. You can do this to open doors. 00:23:42.180 --> 00:23:46.980 You stick the little straw through the door crack, blast, and all of a sudden you hear a click. Oh, 00:23:46.980 --> 00:23:52.200 that’s the lock. Okay, the lock is released; open the door. This was like that, although 00:23:52.200 --> 00:23:57.180 the position of the sensor was much further down in the vestibule. It was a double vestibule kind 00:23:57.180 --> 00:24:02.400 of door. I said, oh, man. I’m trying to spray the air, spray the air, and we literally killed 00:24:02.400 --> 00:24:06.120 one can of propellant. I said, oh man, we’re gonna have to go back to OfficeMax or something. 00:24:06.120 --> 00:24:15.060 Eventually I was able to rig up a long, skinny straw that I could feed all the way through, kind 00:24:15.060 --> 00:24:21.660 of snaking it down this vestibule, and – almost like a wacky, waving, inflatable arm flailing tube 00:24:21.660 --> 00:24:26.280 man; [WHOOSHING SOUNDS]. Looking way down at the end of the vestibule, you see this straw spinning 00:24:26.280 --> 00:24:30.300 its way all through the floor and this cloud going everywhere. The door finally popped open. 00:24:30.300 --> 00:24:32.985 JACK: That was on the floor. You went under the door. 00:24:32.985 --> 00:24:36.120 DEVIANT: Yeah. We had to go all the way under to keep it as straight as I could on the floor, 00:24:36.120 --> 00:24:39.780 and it wanted to curve around, but eventually I got this door to release. 00:24:39.780 --> 00:24:42.346 JACK: So, you hear a click and then you know the door’s unlocked. 00:24:42.346 --> 00:24:44.220 DEVIANT: Yes. Thank goodness, too, because we had been…this 00:24:44.220 --> 00:24:47.340 was a good forty-five minutes of poking and prodding and going back to the shop. Okay. 00:24:47.340 --> 00:24:53.100 JACK: Okay, so they successfully made it into the building. Now they need to find an 00:24:53.100 --> 00:24:57.780 open network jack for the other guy to plug his computer into to try to hack into the network. 00:24:57.780 --> 00:25:02.040 DEVIANT: We find a little conference room thing. I said, okay, look – oh, 00:25:02.040 --> 00:25:05.580 cool, a Polycom phone system, and there’s an RJ45 connect. I said, do you want to 00:25:05.580 --> 00:25:10.500 try this jack? He looks in his backpack and he goes, oh no, I didn’t bring the dropbox. 00:25:10.500 --> 00:25:12.600 JACK: [MUSIC] 00:25:12.600 --> 00:25:17.400 A dropbox in this case is a little computer that you could just plug in and leave behind and then 00:25:17.400 --> 00:25:23.460 try to access it from somewhere far away, like back at the hotel. But this guy forgot it. I guess 00:25:23.460 --> 00:25:28.500 he was configuring it the night before and just forgot to repack it, and it’s back at the hotel. 00:25:28.500 --> 00:25:32.940 DEVIANT: Said, we’ll go back – you go back. You take the keys; here you go. Take the car. Go 00:25:32.940 --> 00:25:37.500 back to the hotel. I’m not leaving the building. We took so long farting around with that door. 00:25:37.500 --> 00:25:43.020 I’m gonna stay in this building. I can just let you back in when you get here. He’s like, man, 00:25:43.020 --> 00:25:46.860 I mean, the hotel’s ten minutes away and I gotta get the thing, come back. I could be gone half 00:25:46.860 --> 00:25:51.480 an hour. You’re just gonna sit in this conference room? I said, no, I’ll find somewhere to hide. So, 00:25:51.480 --> 00:25:56.100 what I did is I chose to look around a little bit. I was looking for an empty office or maybe a 00:25:56.100 --> 00:26:01.200 janitor’s closet. Those are nice. If the janitor’s not around, you could break into the janitor’s 00:26:01.200 --> 00:26:05.580 closet and just sit in there silently because the guards aren’t going in the janitor’s closet, 00:26:05.580 --> 00:26:10.140 the staff aren’t going in the janitor’s closet. If a janitor comes along, you gotta say, I just 00:26:10.140 --> 00:26:14.940 had some anxiety. I work here. I needed a place to chill, or pretend you’re doing drugs, I don’t 00:26:14.940 --> 00:26:20.160 know. I promise I’m going to rehab. Don’t tell me – don’t narc on me, buddy. But no, I didn’t 00:26:20.160 --> 00:26:25.920 find any good closets or anything. I found an elevator. I said, okay, well, we got an elevator. 00:26:25.920 --> 00:26:31.080 It’s got no windows in the elevator cab. No, I didn’t see any cameras. I’m just gonna stay here, 00:26:31.080 --> 00:26:34.740 bro. He’s like, really? I said, yeah, I’m gonna put the elevator on independent service, 00:26:34.740 --> 00:26:42.600 which is a local admin mode that removes it from general dispatch demand around the building. So, 00:26:42.600 --> 00:26:47.700 this elevator cab will not answer call demand that other people might be registering, placing calls. 00:26:47.700 --> 00:26:52.500 I said, I’ll just stay in the elevator. There was even a little locked panel that I popped 00:26:52.500 --> 00:26:57.240 open. I said, there’s even a little power plug in here; I can plug my phone in. I’m just gonna hang 00:26:57.240 --> 00:27:01.020 out. I could just scroll Twitter, read posts on the internet. Said, you go to the hotel, 00:27:01.020 --> 00:27:06.360 get what you gotta get. Message me when you’re on your way back. I’ll let you in. I thought 00:27:06.360 --> 00:27:13.500 this would be half an hour of me just getting paid for free. It turned into hours, and I was like – I 00:27:13.500 --> 00:27:19.560 was messaging him, like, hey man, did you get to the hotel? Did you go to the wrong hotel? What is 00:27:19.560 --> 00:27:24.120 happening? Are you – did you fall into a bathroom? Do you have some bowel distress? So, I’m thinking, 00:27:24.120 --> 00:27:29.940 what is – finally I get an answer where he’s like, yeah, it’s not going well. I said, what’s 00:27:29.940 --> 00:27:34.140 not going well? I’ll tell you when I get there. He was sound – a little frustrated. I said, hey, 00:27:34.140 --> 00:27:37.680 I’m getting paid by your company either way. I’m on the clock. Back to Twitter. 00:27:37.680 --> 00:27:43.440 JACK: [MUSIC] Two hours go by of Deviant sitting, 00:27:43.440 --> 00:27:51.630 waiting in the elevator, scrolling Twitter, reading articles, and relaxing. Then suddenly… 00:27:51.630 --> 00:27:57.840 DEVIANT: I hear this really – boom, boom, boom, this pounding noise. Sounded like it was on 00:27:57.840 --> 00:28:03.060 the hoist-way door, just someone banging on the doors of the elevator. I went, holy crap, do they 00:28:03.060 --> 00:28:08.280 know I’m in here? Have they spotted me and I’m – maybe there is a hidden camera. What’s going on? 00:28:08.280 --> 00:28:12.240 No, calm down, calm down. It’s like if you’re camping, everything sounds loud in the woods. 00:28:12.240 --> 00:28:17.040 A deer could walk through your camp at night and you think it’s a bear. But I said, no, alright, 00:28:17.040 --> 00:28:21.720 it’s – I look at my phone. I’m like, alright, it’s after 5:00 at this point. This has gotta 00:28:21.720 --> 00:28:26.460 be the cleaners. They must be, I don’t know, getting fingerprints off of the hoist-way door 00:28:26.460 --> 00:28:29.760 chrome or something. I don’t know. But I just said, no, it’s fine, and I stayed in there a 00:28:29.760 --> 00:28:33.720 little longer. I really wanted to start to use the bathroom. Thank goodness my buddy’s like, alright, 00:28:33.720 --> 00:28:39.420 I’m coming back to the hotel. I’ll be there in a minute. Okay, elevator back to automatic. Go back 00:28:39.420 --> 00:28:43.680 to the lobby, open the doors, and I – him right near the vestibule. I’m gonna head toward it, 00:28:43.680 --> 00:28:48.360 but just – I don’t know what made me turn and look as the elevator was shutting itself automatically. 00:28:48.360 --> 00:28:56.940 I noticed that there was literally a notice that somebody had taped on the doors, ‘cause I had 00:28:56.940 --> 00:29:00.660 been sort of in-between two floors. I had been a little bit off the platform, but I could hear. 00:29:00.660 --> 00:29:04.740 I was right near the lobby level. They were, in fact, hitting that door, but they were – it 00:29:04.740 --> 00:29:09.900 was a security guard taping a notice that said, ‘This elevator out of service. Yes, 00:29:09.900 --> 00:29:15.540 we’re aware of it. We’re looking into it. Please use elevators on north bank of the building.’ 00:29:15.540 --> 00:29:18.960 I went, oh, man, I guess somebody noticed I was in there. Thank goodness they didn’t think I was 00:29:18.960 --> 00:29:23.820 there. I let my friend in. He’s in the building now. Thank goodness we didn’t have to fight with 00:29:23.820 --> 00:29:28.560 the long straw. Alright, back to the conference room, back to the conference room. Okay. We 00:29:28.560 --> 00:29:35.580 barely got six or seven steps down the hall [MUSIC] when around the corner, we see a guard. 00:29:35.580 --> 00:29:39.600 ‘Cause now we’re the only ones – now it is a little weird at this point. Yeah, 00:29:39.600 --> 00:29:44.100 why – what are you doing? It’s after 5:00. This place is dead. 00:29:44.100 --> 00:29:49.020 The guards look at him, look at me, walk – and my friend is like, oh, what’s gonna happen here? 00:29:49.020 --> 00:29:52.980 The guard immediately saw that I had – ‘cause I was in the elevator for so long, 00:29:52.980 --> 00:29:58.380 I had put a little badge on that just said Otis. I have a variety of little badges in my kit. He 00:29:58.380 --> 00:30:03.060 went – looked at me, looked at my Otis badge, and he went, oh, you guys got here fast. I was like, 00:30:03.060 --> 00:30:07.560 yeah, I heard there was a – and I just – I lie for a living. I just dropped into it. My friend, 00:30:07.560 --> 00:30:12.060 I don’t know if he was nervous or not, but I said, yeah, I heard you had a problem with one of your 00:30:12.060 --> 00:30:17.040 elevators today. They pulled us off of some other job. Usually you’re paying for this elite care 00:30:17.040 --> 00:30:21.180 service. You’ve got a good tier service package with us here at Otis. Point me at the problem. 00:30:21.180 --> 00:30:25.800 Let’s get you squared away. He proceeds to lead us right back to that elevator where I had been, 00:30:25.800 --> 00:30:31.200 with the notice still taped on the door, and he’s like, this friggin’ thing. I got calls 00:30:31.200 --> 00:30:36.000 all afternoon. Now I like this. I like that this guy, he’s invested in the problem. He’s invested 00:30:36.000 --> 00:30:40.980 in it being solved. I said, oh man, that’s – and it’s the only elevator in the bank. You don’t even 00:30:40.980 --> 00:30:44.640 have other cabs. You must have been – your phone must have been ringing nonstop. He’s like, oh, 00:30:44.640 --> 00:30:49.140 well, there’s not a lot of people in here, but they sure let me know about it. I said, well, 00:30:49.140 --> 00:30:54.420 let me see what I can do, sir. I pull out my keys. I still had my keys; the keys will turn, 00:30:54.420 --> 00:30:59.700 obviously, in all the key switches. So, I have the trappings of legitimacy where I, 00:30:59.700 --> 00:31:04.620 a) look like I have credentials, b) I’m sympathizing with his problem, 00:31:04.620 --> 00:31:09.720 I can express familiarity with his problem, and then c) I am pulling – casually pulling 00:31:09.720 --> 00:31:15.000 implements out of my pockets that clearly work in the system. If you were in a parking lot and 00:31:15.000 --> 00:31:21.360 you saw somebody with a red blazer and they – you thought they might be a valet and they say, oh, 00:31:21.360 --> 00:31:26.520 was it really busy in the restaurant tonight, sir? Then they are holding a key that opens a car door. 00:31:26.520 --> 00:31:31.980 Well, that’s gotta be the valet. They’re doing all the things that I’ve seen valets do. So, this 00:31:31.980 --> 00:31:36.780 guy just thought, well, he’s obviously the Otis guy. I’m rattling off some techno jargon and I’m 00:31:36.780 --> 00:31:41.940 turning key switches that don’t do much, but I’m claiming, oh, I’m resetting the door sensors now. 00:31:41.940 --> 00:31:46.260 This will reboot the door operator if we hold it for three seconds. Here; let’s everyone step into 00:31:46.260 --> 00:31:50.220 the cab for a second. Let’s let this door close. So, now I’m – we’re bringing the guard with us, 00:31:50.220 --> 00:31:55.200 and the doors close. I say, alright, well, that’s good. Let’s try door open. No, we’re still level; 00:31:55.200 --> 00:31:59.400 we’re not mis-leveled. Sometimes a mis-level event can cause the doors to jam. Let’s try 00:31:59.400 --> 00:32:03.660 to go up a few floors. So, he just starts taking us up to other floors, floors that I didn’t have 00:32:03.660 --> 00:32:09.120 credential access to, but he’s going up floors and we’re stuck – it platformed pretty well. I’m 00:32:09.120 --> 00:32:13.080 pretending to measure the platform leveling, ‘cause again, I have just enough industry 00:32:13.080 --> 00:32:19.200 knowledge to speak to what you’re expecting a technician to do. I’m actually a – you have a 00:32:19.200 --> 00:32:24.180 trained life safety fire door inspector – not because I do that for a living but because I 00:32:24.180 --> 00:32:28.320 can walk around a building if anyone catches me and say, what are you doing in here? I could say, 00:32:28.320 --> 00:32:31.920 what are you all doing in here? Because these fire doors are not to code, and I can rattle 00:32:31.920 --> 00:32:36.360 off all the different – the signage is wrong, the glazing is this, you can’t have pertinences that 00:32:36.360 --> 00:32:40.740 interfere with that. So, I look like a technician. We’re getting – we finally get to the top floor 00:32:40.740 --> 00:32:45.300 which is a really juicy floor in this building, and I say, let’s walk around for a minute here. 00:32:45.300 --> 00:32:48.300 I think this one – you said there’s another elevator? I’m pretty sure this one’s fine, 00:32:48.300 --> 00:32:52.980 but let’s try the south bank elevator, then the north bank elevators. Now the guard is 00:32:52.980 --> 00:32:59.100 so used to being in our company that even anyone else who’s in the building who sees us on camera 00:32:59.100 --> 00:33:05.280 or in person – well, this guy has been with the guard, so he must belong here. I start spinning 00:33:05.280 --> 00:33:09.660 a story about – do you have a room with a bunch of computers in it? [MUSIC] ‘Cause your elevator 00:33:09.660 --> 00:33:13.620 controller would be in that room. It would not be in that room. Said, but where’s the elevator? 00:33:13.620 --> 00:33:17.640 I can look for the error log data on the elevator controller. We can try to troubleshoot it, ‘cause 00:33:17.640 --> 00:33:22.200 you don’t want to have us coming out here again and again. Those stoppages, that was no fun for 00:33:22.200 --> 00:33:26.760 you. So, yeah, the guard took us to – he’s like, well, I walk around every night, and this is the 00:33:26.760 --> 00:33:30.600 one room – it’s got all these fans in here. So, he takes us and he – I think my badge works. Boom; 00:33:30.600 --> 00:33:35.820 he badges us into the server room. I say, alright, well, you help me look. There’s gonna be a bright, 00:33:35.820 --> 00:33:39.780 neon-green server, which is – again, I’m making that up, but I’m giving him a wild goose chase. 00:33:39.780 --> 00:33:43.463 JACK: Do you turn to your buddy and be like, this is the moment? 00:33:43.463 --> 00:33:44.340 DEVIANT: Oh, yeah, he… JACK: You go now. 00:33:44.340 --> 00:33:49.260 DEVIANT: He was tracking at that point. He knew what was up and he was amazed that it 00:33:49.260 --> 00:33:55.200 was working so well. But he was ready to go. A good friend will see you lying – and 00:33:55.200 --> 00:33:59.520 it’s all improv. It’s all ‘yes, and’. You just go with it. You build the world with 00:33:59.520 --> 00:34:02.580 them that they’re trying to build. So, my buddy was right – he had his – he had 00:34:02.580 --> 00:34:06.840 the dropbox kind of under his arm like it was a multimeter, right? It would plug into something. 00:34:06.840 --> 00:34:11.220 The guard goes down one aisle. I go down another aisle. Do you see it over there? 00:34:11.220 --> 00:34:16.560 My buddy, of course, he’s plugging stuff in, he’s plugging in flash drives, watching, documenting. 00:34:16.560 --> 00:34:19.380 The guard eventually says, well, I can’t find it. We can’t find it. Said, alright, 00:34:19.380 --> 00:34:24.420 that’s alright. It’s working for now. I’m gonna write it up. I’m gonna write it up as a priority 00:34:24.420 --> 00:34:28.860 ticket. We’ll get you squared away. What was your name again? He gave us a name. I said, 00:34:28.860 --> 00:34:33.000 okay, well, we’re gonna walk around, just check. There’s a few other lifts in a other buildings. 00:34:33.000 --> 00:34:35.940 If anyone else is on premises and they ask what we’re doing, I’ll just tell them to 00:34:35.940 --> 00:34:40.920 talk to you. But thanks for all your help. It’s all good. He was so happy that, yeah, 00:34:40.920 --> 00:34:46.680 we stuck – even though we were done, we stuck around and went into a few other spaces just in 00:34:46.680 --> 00:34:51.000 case we got – ‘cause you want to give the client a win. You want to try to see, will anyone push 00:34:51.000 --> 00:34:56.340 back on you? It’s not about getting away so clean and so – if you work for the government and you’re 00:34:56.340 --> 00:35:02.700 spying on a foreign adversary, sure, you want to get away and not experience a mortuary event. 00:35:02.700 --> 00:35:07.800 But if you’re doing a corporate test, you want to see what their reactions are. If this staff 00:35:07.800 --> 00:35:11.580 didn’t catch you, interface with a different staff member. If this building didn’t stop you, 00:35:11.580 --> 00:35:17.160 try a different building. Where are the good as well as the bad in their security posture? But 00:35:17.160 --> 00:35:20.820 yeah, we wound up walking everywhere for quite a long time. We got into everything 00:35:20.820 --> 00:35:26.400 at that facility at the end of the day, and – digitally and mechanically and physically, yeah. 00:35:26.400 --> 00:35:30.840 JACK: There are three things to test when testing a company’s security. You can test the physical 00:35:30.840 --> 00:35:35.580 building itself, you can test the people in the building, and you can test the electronics. 00:35:35.580 --> 00:35:41.940 This one tested all three. But there’s kind of a moral code that Deviant has when testing people, 00:35:41.940 --> 00:35:46.560 or otherwise known as social engineering. I mean, here, he tricked a guard into making 00:35:46.560 --> 00:35:51.180 him think he worked for the elevator company. But he also gave the guard many opportunities 00:35:51.180 --> 00:35:56.580 to check his credentials or verify who he is. Gosh, even if just the guard decided to give 00:35:56.580 --> 00:36:00.480 him a visitor’s pass and took their names down, that would be better than nothing, right? So, 00:36:00.480 --> 00:36:04.320 there were lots of training opportunities for this guard. But bad guys don’t really 00:36:04.320 --> 00:36:08.520 have these moral codes. They might wrestle the guard to the ground, tie him up in the elevator, 00:36:08.520 --> 00:36:13.560 or break some windows to get in. It’s possible to figure out where the owner of the company lives 00:36:13.560 --> 00:36:19.200 and kidnap their kids, holding them for ransom for some company data. But as a social engineer, 00:36:19.200 --> 00:36:24.600 you really want people that you trick to feel better for having met you instead of feeling 00:36:24.600 --> 00:36:31.380 awful because you screwed them over so bad. But where exactly that line is is hard to say, though. 00:36:31.380 --> 00:36:35.880 We’re gonna take a quick break here, but don’t go away. We have two more stories from Deviant when 00:36:35.880 --> 00:36:43.080 we come back. Deviant Ollam breaks into buildings for a living. He’s well-known for it. So, a 00:36:43.080 --> 00:36:47.520 company in Kansas heard about him and hired him to come out to test the security of their building. 00:36:47.520 --> 00:36:54.060 DEVIANT: [MUSIC] It was a small town, man. It was a small town. So, this was a company doing 00:36:54.060 --> 00:37:01.500 large – sort of blue-collar industry in a small town where I’m not from. The only thing I got 00:37:01.500 --> 00:37:06.360 going for me is that I’m a middle-aged white dude, and that’s where my flex ends, ‘cause I 00:37:06.360 --> 00:37:11.280 don’t know people in this town. I can’t speak to the widgets and wonkets that they pack into boxes 00:37:11.280 --> 00:37:17.840 and parcels and drive out on a big rig. I was going in – whew, we’ll see how this goes, boys. 00:37:17.840 --> 00:37:23.280 JACK: Being so far away, he had to fly out and rent a car and then drive to 00:37:23.280 --> 00:37:27.540 this town. He didn’t go alone, of course. He had two others with him who also worked 00:37:27.540 --> 00:37:31.860 at his penetration testing company, and one of his teammates brought his dog with him. 00:37:31.860 --> 00:37:35.820 DEVIANT: She’s a search-and-rescue dog. She’s amazing. So perfectly trained. You could let 00:37:35.820 --> 00:37:41.460 her off the leash and she knows commands where she could run and just kind of be hidden in the 00:37:41.460 --> 00:37:45.840 woods. So, now, he’s a guy walking around with a leash, and who doesn’t want to help a guy with a 00:37:45.840 --> 00:37:50.280 dog leash? Of course, you got – that beautiful dog of mine. So, eventually he’ll – she’ll 00:37:50.280 --> 00:37:52.980 come running out. If he gets challenged by – oh, here’s my dog; thank goodness. 00:37:52.980 --> 00:37:58.380 JACK: Holy cow, the dog is a social engineer, too. It’s part of the act. Go hide while I 00:37:58.380 --> 00:38:03.660 pretend to look for you, and wait for me to give you the secret command before you come. Oh man, 00:38:03.660 --> 00:38:07.500 I never thought of packing a dog in a physical penetration testing kit. 00:38:07.500 --> 00:38:11.143 But they’re gonna need it, because this place looked really hard to get into. 00:38:11.143 --> 00:38:15.120 DEVIANT: [MUSIC] The goal was to demonstrate access to quote, 00:38:15.120 --> 00:38:18.840 “sensitive areas”. We had a list of sensitive areas, manufacturing areas, 00:38:18.840 --> 00:38:23.820 certain people’s offices that were in charge of critical functions. If we could demonstrate we 00:38:23.820 --> 00:38:29.160 could tamper with end product before it goes to market, that would be – you just tamper; 00:38:29.160 --> 00:38:32.580 means you touch hands on this one machine or this one package and take a picture. 00:38:32.580 --> 00:38:37.551 JACK: So, why don’t you think you can get in? What’s the thing there that you’re like, ugh? 00:38:37.551 --> 00:38:42.300 DEVIANT: It was a small crew. It was maybe a dozen employees on any shift, 00:38:42.300 --> 00:38:46.560 and everyone knows each other. It’s not an environment that was open to the public, 00:38:46.560 --> 00:38:50.340 so it’s not like customers or visitors were coming and going, 00:38:50.340 --> 00:38:56.340 which is much more common in offices. Yeah, if we were onsite – not to mention, we had to read 00:38:56.340 --> 00:39:01.860 all their briefing materials on their OSHA regs and their best industry practices. So, 00:39:01.860 --> 00:39:05.400 if you’re in a production environment, you’ve got the hard hat here, you’ve got this, you’ve got the 00:39:05.400 --> 00:39:11.340 ear plugs. Otherwise the foreman will be – say, who is that person? Who let you in here, jackoff? 00:39:11.340 --> 00:39:15.720 So, we wanted to minimize contact with humans. We would go at night, we said, 00:39:15.720 --> 00:39:20.940 and we would try – small-town America; you play to what you think is going down. You say, it’s either 00:39:20.940 --> 00:39:25.260 gonna be Saturday-night football, or Sunday, everyone’s maybe at church. I don’t know. So, 00:39:25.260 --> 00:39:32.640 Saturday night, we started to weaken the target. So, we’d approach, we would remove card readers 00:39:32.640 --> 00:39:36.300 from their mounts. So, it turns out there was an open campus. You could walk onto the grounds. 00:39:36.300 --> 00:39:41.580 There were no fences. But we would remove card readers from the wall, we would install little 00:39:41.580 --> 00:39:45.120 interception devices behind the card reader, put them back on the wall. It’s a device called 00:39:45.120 --> 00:39:50.220 an ESP key. We had to check a few door – the doors were all tighter than – tight 00:39:50.220 --> 00:39:56.100 as a drum. We’ll compromise the card readers. Hopefully somebody coming or going on a late 00:39:56.100 --> 00:40:01.380 shift – ‘cause they did have a – they worked in three shifts. Maybe someone’s going to use a door 00:40:01.380 --> 00:40:07.080 and we’ll be able to compromise the credentials when we come by tomorrow. 00:40:07.080 --> 00:40:10.620 Sunday, there were no – there was – we asked, do you have any hours on Sunday? They said no, 00:40:10.620 --> 00:40:15.360 it’s pretty thin on Sunday. Okay. I mean, a production environment – the actual factory 00:40:15.360 --> 00:40:22.920 was running, but the offices were dead on Sunday. Okay, come by Sunday morning, and we drove by the 00:40:22.920 --> 00:40:26.820 parking lot, just pulled in and pulled out enough that I could dump the – remotely, 00:40:26.820 --> 00:40:31.320 I could radio in to the interception devices. I got some credentials; good. 00:40:31.320 --> 00:40:36.780 JACK: You caught all that, right? There are RFID key cards that employees use to unlock doors to 00:40:36.780 --> 00:40:41.160 get into the building. Deviant installed a card-sniffer behind the real card reader, 00:40:41.160 --> 00:40:46.860 and someone badged in during the night, and his sniffer caught that. Now he has that data and 00:40:46.860 --> 00:40:51.600 can write that onto a blank key card which would give him access into this building. Now, while he 00:40:51.600 --> 00:40:56.700 was doing that, another one of his teammates was hiding out, watching the building from a distance, 00:40:56.700 --> 00:41:03.300 taking pictures of people coming and going. This guy had a camera with a long-range zoom lens, 00:41:03.300 --> 00:41:08.100 so he was out there taking photos of what badges looked like for people who worked 00:41:08.100 --> 00:41:12.180 there. He couldn’t get high-quality close-up photos of the badges being that far away, 00:41:12.180 --> 00:41:18.000 but it was enough to allow them to replicate it in Photoshop so that if someone is walking 00:41:18.000 --> 00:41:22.740 by or from a distance, they wouldn’t know the difference. So, the team all met up 00:41:22.740 --> 00:41:27.780 at a coffee shop to put the right logo on the badge and to write the data onto the key card. 00:41:27.780 --> 00:41:32.640 DEVIANT: [MUSIC] As we’re there, my buddy, the guy who has the dog – he didn’t have the 00:41:32.640 --> 00:41:36.480 dog at this moment, but that one partner, he’s like, I’m just gonna take one more walk around 00:41:36.480 --> 00:41:43.200 to see – kinda see the factory and get myself a little coffee or something. He comes back to 00:41:43.200 --> 00:41:46.980 where we were as I’m making these badges. He comes back twenty minutes later; he’s like, 00:41:46.980 --> 00:41:52.260 this is gonna be interesting, man. I just stuck my head in at the post office. 00:41:52.260 --> 00:42:00.240 Everybody knows every – hey, Frankie, Sally, how you doing, Bobby? It’s like, if we run 00:42:00.240 --> 00:42:06.180 into anybody, it’s gonna be a record scratch. It’s gonna be weird, man. We said, alright, 00:42:06.180 --> 00:42:11.160 we’ve done this – we’ve been in hard jobs before. Let’s go, everybody. We pull into the parking lot. 00:42:11.160 --> 00:42:15.900 We had some PPE and hard hats with us, looking vaguely factory-ish, and we go… 00:42:15.900 --> 00:42:19.305 JACK: So, you’re looking like employees that are – should be there or technicians visiting? 00:42:19.305 --> 00:42:24.000 DEVIANT: Yeah, just looking like employees. If anybody literally – if a town cop was going by 00:42:24.000 --> 00:42:30.060 where they’ll think we must work here – we look like blue-collar workers. Sure enough, nobody – no 00:42:30.060 --> 00:42:34.380 police – it was right on Main Street. It was a tiny, tiny town, but this factory was right in the 00:42:34.380 --> 00:42:41.340 middle of town. It was the only thing in the damn town, honestly. So, boop, card reader works. Okay, 00:42:41.340 --> 00:42:47.820 we get in one building. Thank goodness we’re inside. [MUSIC] We’re walking around. Once you’re 00:42:47.820 --> 00:42:52.260 inside, a lot of buildings’ security’s a little weaker on the inside. You can get into offices, 00:42:52.260 --> 00:42:57.420 you can slip a latch, you can pop a drawer open. We found a company trucker cap. Somebody 00:42:57.420 --> 00:43:01.560 took a company jacket. Again, just so you’re looking a little more like you belong there. 00:43:01.560 --> 00:43:07.140 The thing is, the badges we made – we had seen long-distance photos of their badges, 00:43:07.140 --> 00:43:10.980 so I had pre-printed these badges with their logo and everything in roughly 00:43:10.980 --> 00:43:15.540 the right place to look – the badges look the part and the badges are opening doors. 00:43:15.540 --> 00:43:20.820 But within maybe half an hour, we hear one of my teammates come running. He’s like, hey man, 00:43:20.820 --> 00:43:24.720 someone just pulled into the parking lot, not to the factory. Somebody pulled into – they’re 00:43:24.720 --> 00:43:29.460 coming into this office building, which no one is in this office building this Sunday. 00:43:29.460 --> 00:43:32.520 We’re like, alright, we’re just – look like we’re working. We sat in the break room area, 00:43:32.520 --> 00:43:37.080 and this guy comes in. He must have been fifty-six, fifty-seven years old. 00:43:37.080 --> 00:43:43.440 He’s like, how do you do, gentlemen? Said, hey, how’s it going there? Can I ask what you’re doing 00:43:43.440 --> 00:43:49.440 in the office today? The vibe was instantly off. We said, oh, we’re just checking if – we 00:43:49.440 --> 00:43:53.460 had a story. I think we said we were doing an environmental audit. We were checking door seals. 00:43:53.460 --> 00:43:54.780 JACK: He was in the building? 00:43:54.780 --> 00:43:55.680 DEVIANT: He was already in the… 00:43:55.680 --> 00:43:56.400 JACK: How did he get in? 00:43:56.400 --> 00:43:57.240 DEVIANT: So, he clearly worked there. 00:43:57.240 --> 00:43:57.480 JACK: Okay. 00:43:57.480 --> 00:44:01.320 DEVIANT: He was – and he – we could see on his hip he had a badge. We said, no, we’re just 00:44:01.320 --> 00:44:05.760 checking some door seals. There were some door closure issues and – for regulatory compliance, 00:44:05.760 --> 00:44:10.500 you have to keep product separated, blah, blah, blah. We had a bit of a story and we said, 00:44:10.500 --> 00:44:13.800 we’ll get out of your hair. We’re just leaving this building anyway, not to – and we kind of left 00:44:13.800 --> 00:44:19.280 the building. The guy didn’t – he didn’t quite vibe on that. He was looking at us a little weird. 00:44:19.280 --> 00:44:25.080 JACK: Well, this was mostly a success. They needed to demonstrate access to sensitive 00:44:25.080 --> 00:44:28.740 equipment in areas, that they were able to get into the building and take pictures of 00:44:28.740 --> 00:44:32.700 them touching this equipment and stuff they just shouldn’t be able to get to. But since 00:44:32.700 --> 00:44:38.700 this guy really wasn’t buying their story, they decided to leave, because as a penetration tester, 00:44:38.700 --> 00:44:43.380 when you get caught, you want to see if you can get out of that situation, 00:44:43.380 --> 00:44:47.820 try to leave and get outta there, see what happens. Is this guy gonna stop them from leaving? 00:44:47.820 --> 00:44:55.200 So, they walked out and got to the parking lot. They could get in their cars and go, but there 00:44:55.200 --> 00:44:59.640 was another building in this parking lot that they also needed to test. So, might as well walk 00:44:59.640 --> 00:45:04.980 over to that and see what happens. [MUSIC] They thought this guy might be watching them, though, 00:45:04.980 --> 00:45:11.040 so they walked across the parking lot to the other building and made it very clear in case he was 00:45:11.040 --> 00:45:16.320 watching them that they had badges that they were using to get in the building. These were working 00:45:16.320 --> 00:45:20.640 badges, and if the guy was watching them, he could see they had valid key cards to get in the 00:45:20.640 --> 00:45:26.520 building. Don’t forget, on top of that, they have a jacket and a hat with the company logo on it. 00:45:26.520 --> 00:45:31.980 DEVIANT: Then we – in the new building, we’re like, peering out the windows through the blinds, 00:45:31.980 --> 00:45:36.060 and this guy walks to the parking lot. We’re like, alright, he’s gonna get in his car. 00:45:36.060 --> 00:45:40.260 Nope; walked by all the cars, walks to the building we just got in. We’re like, oh, my god. 00:45:40.260 --> 00:45:47.760 We hear him start walking around this building. At this point, we’re pretty sure we’re roasted here. 00:45:47.760 --> 00:45:51.840 Two of us break off. One guy goes – he meets two of the guys in some other hallway. He’s like, 00:45:51.840 --> 00:45:56.580 excuse me, gentlemen. I’m gonna ask the same question I asked before. What are you doing in 00:45:56.580 --> 00:46:02.340 this building? We said, well, we’re doing this – he’s like, no, no. Who hired you to do this job? 00:46:02.340 --> 00:46:08.280 We said, well, it was Francis, Francis in HR. She brought us – he’s like, I don’t know if Francis 00:46:08.280 --> 00:46:12.360 would have brought you on. I’m gonna have to try to call Francis. He couldn’t reach her, 00:46:12.360 --> 00:46:15.234 and he – and we – and as he’s dialing, it was like, no, no, come on, look… 00:46:15.234 --> 00:46:16.800 JACK: Was Francis a word you made up? 00:46:16.800 --> 00:46:22.620 DEVIANT: No, we knew – we checked their staff. We knew some staff. We said, no, Keith at the 00:46:22.620 --> 00:46:27.480 Wyoming plant, Keith knows that we’re here. He’s like, hm, I’ve been working with Keith for a long 00:46:27.480 --> 00:46:31.620 time. Keith might have said something about new folk. I haven’t heard that; I can call Keith. 00:46:31.620 --> 00:46:34.980 So, we’re like, oh my – and eventually after he’s getting – he keeps trying 00:46:34.980 --> 00:46:38.100 to dial phone numbers on Sunday, and we realize if he’s not gonna 00:46:38.100 --> 00:46:41.760 reach anybody, he’s just gonna call law enforcement. This was not gonna fly. 00:46:41.760 --> 00:46:47.700 JACK: Deviant and his crew were caught. All the windows of opportunity to lie their way out of it 00:46:47.700 --> 00:46:55.320 were closed. The game was over, so, time to come clean and show the get-out-of-jail-free card. See, 00:46:55.320 --> 00:46:59.280 here’s the thing; when you’re paid by a company to break into their building, it’s possible 00:46:59.280 --> 00:47:05.160 it could all go wrong, so you need a letter of authorization from the company, preferably someone 00:47:05.160 --> 00:47:10.920 real high up that can vouch for you that when you call them, they will say, yes, we did hire them to 00:47:10.920 --> 00:47:16.440 do a security test on the building. You print this agreement out and put it on a piece of paper and 00:47:16.440 --> 00:47:21.240 carry it with you at all times when you’re doing a physical penetration test like this. This is 00:47:21.240 --> 00:47:27.540 what’s known as the get-out-of-jail-free card. Now, what some penetration testers do is they 00:47:27.540 --> 00:47:33.720 print off a fake one. It’s got the right name of the head of security, but with a phone number to 00:47:33.720 --> 00:47:39.540 someone waiting in the parking lot who would act like that person if they got called. Deviant saw 00:47:39.540 --> 00:47:44.820 that this guy had everyone’s number in his phone already and thought the fake get-out-of-jail-free 00:47:44.820 --> 00:47:50.820 card isn’t gonna work here. So, he gave him his real one. This was the first and only time 00:47:50.820 --> 00:47:56.400 Deviant has ever been caught to the point that he had to show this paper and come clean like this. 00:47:56.400 --> 00:48:01.080 DEVIANT: He said, I know that person, but I’m gonna call her cell phone and not the number 00:48:01.080 --> 00:48:05.040 that you’ve printed here. So, as it turns out – and we spoke to him. He said, okay, 00:48:05.040 --> 00:48:07.920 alright. Well, if you say so. Alright, Susan. 00:48:07.920 --> 00:48:12.840 JACK: Brilliant. He did not trust the number on the paper that Deviant handed him. Instead, 00:48:12.840 --> 00:48:17.700 he looked up the names and number himself. This was the right thing to do. Sure enough, 00:48:17.700 --> 00:48:21.840 the head of security vouched for them and said, good job catching them. Yes, 00:48:21.840 --> 00:48:26.280 we did hire them and they are supposed to be there. So, now that he knows the real 00:48:26.280 --> 00:48:30.660 reason Deviant and his crew were there, Deviant had to ask, how did you catch us? 00:48:30.660 --> 00:48:36.060 DEVIANT: He was like, well, I was driving by – he wasn’t even on site that day. I was driving 00:48:36.060 --> 00:48:41.280 by and I saw a couple of you boys entering the building, just as we were just getting 00:48:41.280 --> 00:48:47.400 into a door. He’s like, it didn’t feel right. So, I got a block or two down the street and I turned 00:48:47.400 --> 00:48:53.160 around and came back. Who the hell gets past their office and has that much emotional investment to 00:48:53.160 --> 00:48:57.720 go, oh, I should go back to the office and see what’s – he drove all the way back in, parked, 00:48:57.720 --> 00:49:01.860 and started checking around buildings ‘til he could figure out why were these fellas he 00:49:01.860 --> 00:49:08.040 didn’t recognize from two hundred yards away – why are you in my buildilng? He had worked for 00:49:08.040 --> 00:49:13.980 this company for something like thirty-eight years and he had emotional investment in the company. 00:49:13.980 --> 00:49:19.680 The company mattered to him as a person, and he was not gonna take anybody giving 00:49:19.680 --> 00:49:24.300 him a line. He said, no, I want to know what you’re doing. It felt like if someone 00:49:24.300 --> 00:49:28.620 was in your backyard and they said, well, I’m just trimming your trees for your neighbor, 00:49:28.620 --> 00:49:31.800 but they kept kinda walking through your backyard. You might be like, 00:49:31.800 --> 00:49:35.880 I’m gonna knock on my neighbor’s door. Why is this person in my backyard? So, that’s what happened, 00:49:35.880 --> 00:49:39.780 and we – that was the first time we ever had to show the – and we knew we could have had a 00:49:39.780 --> 00:49:43.500 fake letter, but we’re like, that’s not gonna fly. This guy, he is switched on, he is sharp, 00:49:43.500 --> 00:49:47.280 and he got quite a little kudos out of that, and he was professional the whole time. Didn’t 00:49:47.280 --> 00:49:52.020 try to tackle us, didn’t make threats, just kind of slowly plodded after us. 00:49:52.020 --> 00:49:57.120 JACK: Okay, so, they were caught. That’s that, right? No. [MUSIC] They said, hey, 00:49:57.120 --> 00:50:00.960 good job. You caught us, but don’t tell anyone else because we’re gonna 00:50:00.960 --> 00:50:04.260 go and come back again later and try to see if anyone else will catch us. 00:50:04.260 --> 00:50:10.560 DEVIANT: We left for a few hours. We went to have lunch. We did come back and we only made it in, 00:50:10.560 --> 00:50:17.460 again – gosh, forty-five minutes, an hour until we ran across some other person. I didn’t even 00:50:17.460 --> 00:50:22.080 interact with this person. This was just in a production – just kinda walked past them, and they 00:50:22.080 --> 00:50:27.480 almost on their heels turned and spun and said, hi, can I help you? What are you doing in this 00:50:27.480 --> 00:50:36.120 space? We were like, son of a bitch. But that was a great day because we – this little Nowheresville 00:50:36.120 --> 00:50:42.480 facility, they had a really sharp head of security who had been coming to Defcon and Black Hat, 00:50:42.480 --> 00:50:47.280 watching talks like mine, really investing and upgrading their locks and their access control 00:50:47.280 --> 00:50:51.960 credentials. Even after that, he was like, oh, you did clone – you made the ESP key. 00:50:51.960 --> 00:50:57.300 We’re gonna revamp our back haul protocols, for a little nowhere factory in nowhere. Nowhere, 00:50:57.300 --> 00:51:03.540 not subject to threats and not subject to robber – the most threat they probably have is people 00:51:03.540 --> 00:51:07.500 trying to break in and, I don’t know, steal copper or something. Rural threats are not the 00:51:07.500 --> 00:51:13.500 same as an urban environment where you have a lot more potential risk of different kinds. But no, 00:51:13.500 --> 00:51:17.640 this one guy, he was really all about it and he took it to heart. He had a lot of buy-in 00:51:17.640 --> 00:51:21.840 from management and everyone was just – they were pleased and proud of their people. We told them, 00:51:21.840 --> 00:51:25.260 keep investing in your people. They like it here. Make sure they keep liking it here, 00:51:25.260 --> 00:51:28.140 because they are the best line of defense that we’re ever come across. 00:51:28.140 --> 00:51:32.280 JACK: You were caught. Do you consider this a caught? Do you consider this 00:51:32.280 --> 00:51:35.940 a fail? Is this the only time you’ve ever been caught or have you been caught before? 00:51:35.940 --> 00:51:40.800 DEVIANT: I will consider it a caught. I won’t consider it a fail because this – if you’re doing 00:51:40.800 --> 00:51:46.260 your job right, this is the best success you could have. We got caught for all the right reasons and 00:51:46.260 --> 00:51:50.820 I’d like to get caught like that much more in the future by companies that have employees that 00:51:50.820 --> 00:51:55.440 actually care about what’s going on. The only way you get that is if you have a real nice 00:51:55.440 --> 00:52:00.540 environment where you’re treating people well, not just as meat grinding through the mill, 00:52:00.540 --> 00:52:04.620 right? You actually have to make people want to work there by rewarding them, 00:52:04.620 --> 00:52:09.780 by paying them properly, by giving them real benefits. That’s the only time we’ve 00:52:09.780 --> 00:52:13.080 been caught and didn’t bluff our way out of it, you know, talk our way out of it. 00:52:13.080 --> 00:52:20.040 JACK: [MUSIC] 00:52:20.040 --> 00:52:24.600 Okay, let’s hear one more story of Deviant breaking into buildings, and this one’s 00:52:24.600 --> 00:52:30.480 my favorite. This one is against a critical infrastructure-type company, I think a utility 00:52:30.480 --> 00:52:36.420 company. If someone were to get in and cause harm, it could be ruinous for the whole town. 00:52:36.420 --> 00:52:40.560 DEVIANT: Most of our jobs, we get a list of sensitive assets or sensitive areas from the 00:52:40.560 --> 00:52:47.640 client and we say, would accessing this asset or being in this space represent a severe breach? 00:52:47.640 --> 00:52:52.500 Would a bad actor in this space have the ability to severely compromise operations 00:52:52.500 --> 00:52:59.280 or cause severe impact? Once you have that list of assets, you formulate a series of 00:52:59.280 --> 00:53:05.040 attack chains. You sit with your team after a lot of recon and you say, alright, so, 00:53:05.040 --> 00:53:10.320 do we think it’s smart enough to go to this one first or should we try to go through this one? 00:53:10.320 --> 00:53:14.580 We’ve identified where these assets are, which parts of the buildings and the grounds. Okay, 00:53:14.580 --> 00:53:19.080 so, which team is best suited to position here, here, here, and you come up with a plan. 00:53:19.080 --> 00:53:23.520 If one team gets burned, they’ll say, okay, well, that team is – alright, 00:53:23.520 --> 00:53:27.600 they might have gotten notice, might have not. Let’s pull them back; let’s get off-campus. They 00:53:27.600 --> 00:53:31.620 just became overwatch. They’re running a drone, they’re running long-range cameras. They’re back 00:53:31.620 --> 00:53:37.440 at the base on radios. Let’s put another team in. We do a lot of rotating out of rental cars where 00:53:37.440 --> 00:53:41.880 you go back to Hertz or National or somebody; you say, oh, this car’s pulling to the left a little 00:53:41.880 --> 00:53:46.560 bit. Say, we have another one. Said, do you have a different model? Maybe a really different color? 00:53:46.560 --> 00:53:49.380 Because if somebody’s seen that weird car in the parking lot – so, 00:53:49.380 --> 00:53:54.480 it was a job like that. It was meticulous and we had – it was a large job. There 00:53:54.480 --> 00:53:59.520 were probably three or four different field teams at any given time of pairs of people. 00:53:59.520 --> 00:54:04.680 JACK: Okay, wow, this is a big job. If you remember from other stories, 00:54:04.680 --> 00:54:08.880 Deviant likes to be prepared and bring a big kit of things, 00:54:08.880 --> 00:54:14.820 anywhere from having lockpicks and keys to the Otis elevator repair shirt, and having 00:54:14.820 --> 00:54:20.203 long-range cameras and full badge-printing machines. But this one, he needed even more. 00:54:20.203 --> 00:54:26.220 DEVIANT: [MUSIC] This job was the kitchen sink, man. This job had case upon – tons of Pelican 00:54:26.220 --> 00:54:31.740 cases shipped in. It was close enough that I – it was many states away from where I was at the time, 00:54:31.740 --> 00:54:38.400 but I was living in Montana. I just said, I’ll drive. If the budget’s there for me to – I’ll make 00:54:38.400 --> 00:54:43.320 it a couple day drive, and my truck was – I mean, we brought the works, man. We had a 3D-printer 00:54:43.320 --> 00:54:48.780 in the Airbnb, we had a couple of our really large key machines, our exotic key machines, 00:54:48.780 --> 00:54:52.980 just in the Airbnb on the living room table. We were ready for as much as we could be. 00:54:52.980 --> 00:54:55.020 JACK: Okay, so, when you have a job this big, 00:54:55.020 --> 00:55:00.480 it’ll help if you have a few extra people. Of course, Deviant drove out for this, 00:55:00.480 --> 00:55:04.560 but a half-dozen other people came out, too. Babak was also there. 00:55:04.560 --> 00:55:10.140 DEVIANT: We’re all cross-discipline. Babak is very electronic-focused. Of all the team members, 00:55:10.140 --> 00:55:15.780 he is the highest strength among us in the electronics department, especially as it relates 00:55:15.780 --> 00:55:22.080 to access control technologies, credentialing technologies. He gets good information from a 00:55:22.080 --> 00:55:25.860 lot of the industry sources and partners where he get – he’ll get the new badge printer that 00:55:25.860 --> 00:55:29.160 somebody’s just pioneering and he’ll get a sample model of that, and we’ll try it out. 00:55:29.160 --> 00:55:31.200 JACK: Drew came along for this one. 00:55:31.200 --> 00:55:36.480 DEVIANT: Drew is our main surveillance person. Drew is an incredible person with camera glass, 00:55:36.480 --> 00:55:42.180 drones, ultra-light aircraft. He is the eyes on the ground and in the sky. 00:55:42.180 --> 00:55:44.520 JACK: They called in Sophie, too. 00:55:44.520 --> 00:55:47.280 DEVIANT: Sophie is a devastating social engineer. 00:55:47.280 --> 00:55:49.920 JACK: Robert was another key player here. 00:55:49.920 --> 00:55:55.440 DEVIANT: Robert is an incredible physical tactician, along with being personable with 00:55:55.440 --> 00:56:00.660 people at the drop of a hat. He used to be a cop, right? So, he can lie through his teeth 00:56:00.660 --> 00:56:06.540 with a smile on, and his job is to manipulate you as a human, because he’s gonna get what he 00:56:06.540 --> 00:56:10.020 needs and he’s gonna get it out of you for information or he’s gonna get out of your 00:56:10.020 --> 00:56:15.120 sights ‘cause he wants to move. He can be – yeah, he can be front-and-center or he can be a ghost. 00:56:15.120 --> 00:56:21.060 JACK: Imagine being called a physical tactician. That’s quite the title, isn’t it? 00:56:21.060 --> 00:56:27.000 DEVIANT: Drew and I reached out to an old colleague of mine named Laz who was back East. We 00:56:27.000 --> 00:56:31.920 brought Laz in. We had a couple of interns at the company who wanted to get some exposure to field 00:56:31.920 --> 00:56:36.000 work. A lot of times jobs just aren’t big enough, but this was crazy. Yeah, they’re bringing the 00:56:36.000 --> 00:56:41.520 interns, so, we had quite the cadre of people. We actually had two Airbnb units right next to each 00:56:41.520 --> 00:56:47.640 other, we had so many people. It was these two little cabin-type houses on some park somewhere. 00:56:47.640 --> 00:56:52.020 JACK: Gosh, they rounded up the whole Ocean’s Eleven crew for this job. So, 00:56:52.020 --> 00:56:56.760 they all met at the safe house and started on phase one, surveillance. 00:56:56.760 --> 00:57:03.600 DEVIANT: That was almost a week of recon. Yeah, that included driving by for the first few days, 00:57:03.600 --> 00:57:10.320 just a lot of long-range camera work in cars, which led to then hikes through fields where 00:57:10.320 --> 00:57:16.020 it was a lot of Drew and Robert just in – they’re in hunter’s camo. They’re hunters, 00:57:16.020 --> 00:57:18.780 right? So, they’re gonna crawl through field – they were first 00:57:18.780 --> 00:57:22.140 walking and then they were low-crawling to get really up close to the buildings. 00:57:22.140 --> 00:57:25.800 JACK: See, I don’t quite get this, right? 00:57:25.800 --> 00:57:29.460 Some engagements you’re just like, let’s just see if we could walk in through the front door; 00:57:29.460 --> 00:57:33.720 let’s go. Then some engagements you’re like, okay, you feel like getting muddy? 00:57:33.720 --> 00:57:35.040 DEVIANT: Oh, yeah. 00:57:35.040 --> 00:57:39.600 JACK: You feel like getting the special equipment out? There’s work to that. Dude, 00:57:39.600 --> 00:57:42.780 really? You really want me to crawl through the mud so I can get a good photo? Yeah, 00:57:42.780 --> 00:57:45.885 yeah, go under the fence there, do it at night, so… 00:57:45.885 --> 00:57:49.140 DEVIANT: Yeah, and we were all about – who gets to do this and not ever really 00:57:49.140 --> 00:57:52.620 risk getting hurt for it? I think it’s a great thing to get to do it. 00:57:52.620 --> 00:57:58.260 JACK: Okay. I just don’t know – I guess I don’t understand the level of like, okay, let’s 00:57:58.260 --> 00:58:05.580 really start light and see how much we can get without even getting a foot on campus, or what…? 00:58:05.580 --> 00:58:11.940 DEVIANT: Some of that is spoken to in terms of the client’s willingness to have a more 00:58:11.940 --> 00:58:18.060 involved job. Labor is cost, right? So, time is money, and they provisioned – they said, 00:58:18.060 --> 00:58:21.870 no, we’re – they were really serious about – they’re targeted by foreign adversaries. 00:58:21.870 --> 00:58:22.620 JACK: Oh. 00:58:22.620 --> 00:58:28.020 DEVIANT: They are targeted by real threat actors at that point. An actual threat actor 00:58:28.020 --> 00:58:34.320 would not think twice about spending an entire night just in – belly-down in the dirt with 00:58:34.320 --> 00:58:38.040 long-range glass, learning which employees go through which doors 00:58:38.040 --> 00:58:41.160 at which times and when the security patrols come around and when they don’t. 00:58:41.160 --> 00:58:47.700 JACK: Okay, so, another thing to think about here is this company invested a lot into security; 00:58:47.700 --> 00:58:53.880 cameras all over the buildings, inside and out, trip sensors, security teams. They really, 00:58:53.880 --> 00:59:00.060 really wanted to detect and stop any sabotage or intrusion or disruption against this facility, 00:59:00.060 --> 00:59:06.840 and they did everything they could to stop this. In fact, this company had its own red team who 00:59:06.840 --> 00:59:11.520 just attacks their own company looking for weak points and vulnerabilities or whatever they could 00:59:11.520 --> 00:59:16.080 find that an adversary might exploit. They’re on the offense, which makes them the red team. The 00:59:16.080 --> 00:59:21.060 defense team is known as the blue team. But it was the head of the red team that hired Deviant 00:59:21.060 --> 00:59:26.880 and his crew so he could communicate and confirm certain things with the customer, the head of the 00:59:26.880 --> 00:59:32.280 red team. For instance, as they were doing their recon, they noticed something that looked like 00:59:32.280 --> 00:59:37.260 a radar system to detect intruders. So, he messaged the client and asked things like… 00:59:37.260 --> 00:59:40.980 DEVIANT: Keith, are they using SpotterRF? He’s like, yeah, yeah, you spotted the spotter. Cool, 00:59:40.980 --> 00:59:43.860 yeah. We have it pretty masked, but you must – he’s like, you must have been really close. 00:59:43.860 --> 00:59:47.640 I was like, yeah, we were right up against that fence like. He’s like, okay, yeah, no, you got it, 00:59:47.640 --> 00:59:51.960 you got it. Don’t approach from the west side; you spotted that one. Because again, let’s say 00:59:51.960 --> 00:59:58.440 you’re the Chinese government and you got a guy laying in the dirt, crawling up to a fence line, 00:59:58.440 --> 01:00:04.140 and then this guy takes some pictures. You say, look at those tech – are they using…? Oh, that’s 01:00:04.140 --> 01:00:11.100 RF. They’re using SpotterRF. It’s a way of looking for motion sensing in a field. If it’s the Chinese 01:00:11.100 --> 01:00:14.640 government, they would then back off and they would say, okay, let’s spend another two weeks 01:00:14.640 --> 01:00:20.580 figuring out who sold it to them. Let’s figure out which version they have, what its coverage is, 01:00:20.580 --> 01:00:25.320 whereas for us, we just Signal message. We said, hey, I found this. Is this what I’m seeing? 01:00:25.320 --> 01:00:28.440 They say, no, yeah, yeah, we’re not gonna make you charge us another week’s worth of effort 01:00:28.440 --> 01:00:33.540 to go get a sample unit, you know, and set it up in a lab and figure out the exact distance 01:00:33.540 --> 01:00:38.460 and range that it covers. It doesn’t match the manufacturer’s spec. So, it’s a week of that. 01:00:38.460 --> 01:00:43.140 It’s a week of getting close, taking pictures, coming back to the Airbnb, analyze – who’s this 01:00:43.140 --> 01:00:49.200 guard? Is this Mobile 2? No; he was on foot yesterday. No, the guy on foot was in – okay, 01:00:49.200 --> 01:00:53.280 no, this is the guy in the truck. Let’s make a name for him. You make up names. It’s like 01:00:53.280 --> 01:00:57.840 a pin board out of a detective show, right? You got a wall of people and one really great photo 01:00:57.840 --> 01:01:04.800 of a guard looking at us through these binoculars. Yeah, that guy – we printed that photo out a lot, 01:01:04.800 --> 01:01:09.300 put it around the Airbnb. So, some of those guards are really switched on. 01:01:09.300 --> 01:01:13.200 Well, ‘cause he couldn’t see us, but he saw something and he was like, what’s that? Rob and 01:01:13.200 --> 01:01:18.140 Drew just stood stock still in the dirt in the ghillie suits for like, an hour. 01:01:18.140 --> 01:01:23.880 JACK: Ghillie suits? Those are the big camouflage suits that you see military use, 01:01:23.880 --> 01:01:29.220 where they have tree branches and leaves sewn into the suit so that you look just 01:01:29.220 --> 01:01:34.380 like a bush when you’re holding still. Crazy. Now, of course they aren’t just 01:01:34.380 --> 01:01:39.300 casing the place physically. Sophie is also trying to infiltrate the people 01:01:39.300 --> 01:01:45.240 inside. [MUSIC] She’s trying to get pieces of information that could help her know more. She 01:01:45.240 --> 01:01:49.620 created a fake social media profile and started trying to connect with people who work there. 01:01:49.620 --> 01:01:57.540 DEVIANT: The work involved in setting up a fake profile is non-trivial. It’s 01:01:57.540 --> 01:02:04.080 really hard to create a fake LinkedIn or a fake anything these days that looks legit. 01:02:04.080 --> 01:02:08.340 You need to have history there. You need to have connections. It’s like planting crops. 01:02:08.340 --> 01:02:12.480 You have to create these profiles and then you water them; you come back and you connect and you 01:02:12.480 --> 01:02:18.480 make posts, and you connect to these people and you endorse that person. Months and years later, 01:02:18.480 --> 01:02:25.260 these are now fully-formed. You can maybe use one of them on a job to connect to other people and 01:02:25.260 --> 01:02:30.180 try to – but if you get burned, well, that’s – alright, there’s a year and a half of work 01:02:30.180 --> 01:02:35.520 that you – that profile’s roasted. So, you – the fact that she has access to these and she made 01:02:35.520 --> 01:02:40.020 those connections to find out what was going on and can – let’s – can I share your profile so I 01:02:40.020 --> 01:02:43.920 can see your photos from the – oh, okay, now you got the access to the private photos. Oh, 01:02:43.920 --> 01:02:46.620 that’s – the company’s having a pizza party on Friday, that kind of thing. 01:02:46.620 --> 01:02:52.080 JACK: Okay, so, after almost a week of watching this high-security building from the outside, 01:02:52.080 --> 01:02:58.020 they determined this place is completely secure. They found one little area that they could access, 01:02:58.020 --> 01:03:00.600 but it was kind of an insignificant finding. 01:03:00.600 --> 01:03:07.140 DEVIANT: So, we determined that it was feasible to get through the fence line. In fact, 01:03:07.140 --> 01:03:13.800 as a proof of concept one night, a small team did that. They crawled up to the dirt berm where the 01:03:13.800 --> 01:03:18.840 earth had been compacted but not quite enough in one spot. They trenched under the fence. 01:03:18.840 --> 01:03:24.600 They just dug and dug with hand – like, small entrenching tools, and they’re pulling out rocks. 01:03:24.600 --> 01:03:28.560 They proved you could slip under the fence, and they just took a picture of one guy on the other 01:03:28.560 --> 01:03:33.300 side of the fence and then came back. That’s not – it’s not super-practical. We knew this 01:03:33.300 --> 01:03:36.840 was still a site that was being built out, and we told our point of contact – we said, hey, 01:03:36.840 --> 01:03:41.280 just so you know, we proved we did this. The shake sensors in the fence didn’t catch us. 01:03:41.280 --> 01:03:44.880 He said, nope, I bet I can tell you which – you were probably on the north side. That’s 01:03:44.880 --> 01:03:49.740 all gonna be concreted in. The footer of the fence, it’s still being built. We said, okay, 01:03:49.740 --> 01:03:55.680 well, it’s a data point for the metrics, but we’re not gonna treat that as a standard entry point. 01:03:55.680 --> 01:04:00.960 JACK: So, the only way to get into this place was gonna be where everyone gets in, 01:04:00.960 --> 01:04:06.480 through the vehicle checkpoint. [MUSIC] This place had high fences, barbed wire, 01:04:06.480 --> 01:04:11.880 cameras, shake sensors, radar. It wasn’t kidding around, and that’s just to get on the property. 01:04:11.880 --> 01:04:16.680 DEVIANT: It’s like visiting – it was non-military. It was a civilian compound, but it’s a military 01:04:16.680 --> 01:04:21.660 base, right? If you have a working credential, you drive up to the vehicle checkpoint, they see it, 01:04:21.660 --> 01:04:26.280 you boop it, and you go. If you don’t have credentials, you’re going to the visitor’s 01:04:26.280 --> 01:04:30.840 building, the tiny shack, and someone is coming out and dealing with you. Without a credential, 01:04:30.840 --> 01:04:35.300 you’re not getting in. But there’s always some exploits here, right? 01:04:35.300 --> 01:04:40.500 JACK: There was some construction going on, and Deviant was able to drive into 01:04:40.500 --> 01:04:45.540 the construction area just to do some surveillance on the front gate. He got 01:04:45.540 --> 01:04:49.260 some good video footage of exactly how the vehicle checkpoints work. 01:04:49.260 --> 01:04:52.980 DEVIANT: We learned – we said, okay, this is interesting, this is interesting. Look at this. 01:04:52.980 --> 01:05:00.720 Look what happens here. You drive up, and staff were holding their badge up. Clearly they’re 01:05:00.720 --> 01:05:08.160 presenting a badge to the guard who visually would nod at it. Then they would drive further down a 01:05:08.160 --> 01:05:14.700 good ten yards past the little overhang, and there was a badge-reader sitting out in the middle of – 01:05:14.700 --> 01:05:19.080 just unattended. There’s just a big badge-reader on the – and they would, boop, they would badge 01:05:19.080 --> 01:05:24.540 that, and then a vehicle gate – a gate arm would open up. So, that’s an interesting thing. That’s 01:05:24.540 --> 01:05:32.400 an odd thing. Then we said, look at that gate arm. Look at that gate arm. Many gate systems will use 01:05:32.400 --> 01:05:38.220 ground loop sensors. Much like when you pull up to a stop light, it knows your car is there 01:05:38.220 --> 01:05:43.080 because it can detect the metal of your vehicle and it’ll cycle the light. A lot of gate systems 01:05:43.080 --> 01:05:49.140 use these. A very typical configuration would be – the most common one is a stop-or-safety loop. 01:05:49.140 --> 01:05:55.560 Right in where the gate arm is, if a vehicle stalls out and sits there for some reason, 01:05:55.560 --> 01:06:01.320 the gate arm won’t come down and hit the vehicle. You don’t want to damage anything. That’s typical. 01:06:01.320 --> 01:06:09.480 You might have entry loop so that once you pull up, the gate arm doesn’t – just doesn’t operate 01:06:09.480 --> 01:06:15.960 unless somebody boops their car. You can’t walk in on foot. This is not a pedestrian entrance. I’m 01:06:15.960 --> 01:06:20.160 sorry, you need a car. If you’re a pedestrian, go to the pedestrian entrance. It’s around the 01:06:20.160 --> 01:06:25.260 fence over there. This is a very common problem for certain motorcyclists or bicyclists. People 01:06:25.260 --> 01:06:29.700 on bikes sometimes don’t have enough metal to trip the ground loop, depending on how they’re built. 01:06:29.700 --> 01:06:35.400 But the real one – and this is the one that a lot of buildings do not use – you got an entry loop, 01:06:35.400 --> 01:06:40.320 you got that stop loop, you got the safety loop. There’s also sometimes a clear loop, 01:06:40.320 --> 01:06:45.900 clear meaning you have cleared the checkpoint. Bring that arm right down. It costs money 01:06:45.900 --> 01:06:50.040 to install these. You gotta cut into the asphalt and you do – everything’s money. 01:06:50.040 --> 01:06:54.540 A lot of installations, this one included, chose to configure it – well, we don’t need a 01:06:54.540 --> 01:06:59.280 clearage loop. We’ll just – the arm goes up, there’s a dwell time, and then after that, 01:06:59.280 --> 01:07:04.020 it’ll just drop down unless there’s somebody stalled out. So, they were using a dwell time, 01:07:04.020 --> 01:07:08.880 and the dwell time was set to – gosh, it was like, twenty seconds. It was long. 01:07:08.880 --> 01:07:17.580 We’re like, okay, this is news we can use. [MUSIC] So, our plan was, we’re gonna tailgate in 01:07:17.580 --> 01:07:22.980 behind what we think is a real vehicle, ‘cause it was a long entrance road off the main road 01:07:22.980 --> 01:07:27.960 to get even to the vehicle checkpoint. Our plan was, you’re gonna tailgate in, we’re 01:07:27.960 --> 01:07:33.540 gonna give Sophie in the front seat of the car, who looked businesslike – we’ll give her a badge 01:07:33.540 --> 01:07:37.680 that looks like their badges. We knew what their badges looked like. It’s a multinational company; 01:07:37.680 --> 01:07:41.520 we’ve seen their badges in other facilities. We don’t have their badge technology. They were 01:07:41.520 --> 01:07:46.620 using private keys on their credentials, so we couldn’t easily clone their badges. 01:07:46.620 --> 01:07:51.480 But Sophie could pull up and smile at a guard and hold up a badge. 01:07:51.480 --> 01:07:55.980 Then, ‘cause she’s tailgating behind someone’s vehicle, literally tailgating – as that person 01:07:55.980 --> 01:08:02.040 boops the reader and goes through, Sophie would pull up, pretend to boop the reader. Again, 01:08:02.040 --> 01:08:07.560 that’s ten yards away from the guard shack. They can’t hear a beep noise. Then before that dwell 01:08:07.560 --> 01:08:12.600 time finished, she would hightail it through. If a guard was really sharp, they might be like, 01:08:12.600 --> 01:08:16.920 huh, that gate came down kinda quickly after that car, but nobody’s gonna be that sharp. 01:08:16.920 --> 01:08:21.900 We said, alright. Now, the critical thing, we said – we need about three or – we need different ways 01:08:21.900 --> 01:08:28.200 to have you peel off if there’s a problem. The first thing is there’s that construction lot, 01:08:28.200 --> 01:08:36.240 right, where I parked to get the footage. We said, if for some reason the car you’re tailgating isn’t 01:08:36.240 --> 01:08:40.380 a regular employee, if anything goes wrong, if they ask for directions, they’re – who the 01:08:40.380 --> 01:08:46.620 hell knows – just pull into the construction lot, K-turn, and get outta there. It’s a little weird, 01:08:46.620 --> 01:08:53.820 but who cares? We’ll roast that car. We’ll switch the car out, we’ll regroup. Let’s say you’re fine. 01:08:53.820 --> 01:09:01.320 Let’s say you get past. You hold your thing up to the guard and the guard looks at you and says, 01:09:01.320 --> 01:09:04.740 hey, do you work here, do you not work here, et cetera. You say, no, 01:09:04.740 --> 01:09:10.320 I’m new here. Say, my – if you’re – you could social engineer that if you had to. 01:09:10.320 --> 01:09:14.760 If you say, oh, I’m lost, or is this not the main entrance to the – no, 01:09:14.760 --> 01:09:18.660 I just started. Okay, well, pull over there. Okay, we’ll figure that one out. 01:09:18.660 --> 01:09:26.820 The last one was a really slick one. We said, if for any reason you get trapped at the gate – like, 01:09:26.820 --> 01:09:31.560 let’s say the arm starts coming down and you’re like, oh shoot, I can’t tailgate in. 01:09:31.560 --> 01:09:38.820 We had printed a nearly-identical badge for a – it looked very similar but it was – the logo 01:09:38.820 --> 01:09:45.060 was another company in town. It was out in the rural area, but was another big firm that had a 01:09:45.060 --> 01:09:52.260 warehouse or something, a fulfillment warehouse in town. We said, act – boop – pretend to boop 01:09:52.260 --> 01:09:56.100 and say, my badge isn’t working, my badge – and make the guard get out of the shack and walk over, 01:09:56.100 --> 01:10:01.680 but she would switch the badge. It was on this red lanyard and she – my badge – so, 01:10:01.680 --> 01:10:06.060 the guard would go, oh, oh, is this the badge you just showed me? I’m sorry, 01:10:06.060 --> 01:10:10.320 ma’am, this is not – you’re – you’ve gotta go down the road another few miles. You’re 01:10:10.320 --> 01:10:14.820 in the wrong – oh, I just started; duh, sorry. So, we had all these little outs. 01:10:14.820 --> 01:10:21.540 JACK: Okay, this is a lot of work just to get into the parking lot. Sophie’s gonna try to drive in, 01:10:21.540 --> 01:10:26.400 and it was important that she’d be the only one in the car. That way, the guard doesn’t start asking 01:10:26.400 --> 01:10:31.560 for passengers to present their badge and get curious and interested in what’s going on. But 01:10:31.560 --> 01:10:37.260 through their surveillance, they noticed the guards never checked the trunks of the cars. 01:10:37.260 --> 01:10:43.620 DEVIANT: It wasn’t just her in the car. Robert and I were wedged into the trunk of this car because 01:10:43.620 --> 01:10:47.220 we wanted to get as many people as we could onto the corporate campus if we could get this to work. 01:10:47.220 --> 01:10:48.840 JACK: So, they load up their gear, 01:10:48.840 --> 01:10:54.060 jam themselves in the trunk, and off they go, [MUSIC] driving towards the facility. 01:10:54.060 --> 01:10:59.700 DEVIANT: All we could feel was the car kind of – kinda rocking back and forth, 01:10:59.700 --> 01:11:04.920 and we judge, okay, there’s some rough bumps; those are the speed bumps. Okay. 01:11:04.920 --> 01:11:10.260 Now we stop for a sec. That must be the guard – oh, we’re moving again. The guard didn’t stop her; 01:11:10.260 --> 01:11:15.480 okay. Then, okay, we slowed down a little bit. Oh, we’re really moving now; that must be the 01:11:15.480 --> 01:11:21.360 gate arm. We’re really – we’re jitter-bugging along for ten seconds, twenty – we’re like, 01:11:21.360 --> 01:11:26.280 we gotta be through that gate. We gotta be – I know we’re through that gate. 01:11:26.280 --> 01:11:30.380 We eventually hear Sophie’s voice, like, it totally – we’re through that gate, boys! 01:11:30.380 --> 01:11:35.460 JACK: Sophie pulls down the back seat so the guys can climb through the car, which will take 01:11:35.460 --> 01:11:40.980 a while. It’s a tight space. This is where they split up, though. Sophie goes right to the front 01:11:40.980 --> 01:11:45.000 door of the building to try to use her social engineering skills to get into the building. 01:11:45.000 --> 01:11:51.180 DEVIANT: She was just charming. She just said, I’m new – she followed some – a group of people. I’m 01:11:51.180 --> 01:11:55.500 new here; I just started this week. Oh, did you get the tour? She said, no, there was a tour – we 01:11:55.500 --> 01:12:00.720 knew that there was a company tour that somebody posted on social media, and we’re like, well, I 01:12:00.720 --> 01:12:05.100 didn’t get the tour last week. I heard about that. This guy who was like – I’ll give you the tour, 01:12:05.100 --> 01:12:09.600 little lady. So, yeah, he was like, you should check this out. He’s taking her to place – and 01:12:09.600 --> 01:12:14.640 there were a couple other employees, one of which even turned and looked at her and went, hey, 01:12:14.640 --> 01:12:19.080 I know it’s a tour, but you can’t tailgate. You have to use your badge. She goes, oh, 01:12:19.080 --> 01:12:25.500 you’re right, and just kinda pretended to boop her badge. It’s not making a sound, right? We have 01:12:25.500 --> 01:12:30.060 little – we’ve – have, like, beep, beep on our phones, so if you need to – everyone’s on their 01:12:30.060 --> 01:12:36.180 phones. You’re just gonna – oh yeah, beep, beep. Just, okay, then you walk in. But yeah, one woman 01:12:36.180 --> 01:12:40.440 literally said, are you trying to tailgate? She says, oh, you’re right, you’re right, they told 01:12:40.440 --> 01:12:45.480 us this in orientation training. Then they – but yeah, they took her into the heart of the beast, 01:12:45.480 --> 01:12:49.260 right? She was sending Signal messages to all of us, like, hi, I’m in this thing. 01:12:49.260 --> 01:12:50.280 JACK: With pictures? 01:12:50.280 --> 01:12:51.600 DEVIANT: Oh, with pictures, day one. 01:12:51.600 --> 01:12:55.320 JACK: Okay, so, while she’s making her way into different rooms and getting 01:12:55.320 --> 01:12:59.280 a solid lay of the land, Deviant and Rob climb out of the trunk of the car 01:12:59.280 --> 01:13:02.820 and come out of the car. Climbing out of the trunk directly would be weird, 01:13:02.820 --> 01:13:07.260 so they had to snake through into the car and then exit through the regular doors to look normal. 01:13:07.260 --> 01:13:10.800 DEVIANT: Robert and I looked like construction workers. I mentioned there was construction 01:13:10.800 --> 01:13:17.760 ongoing at the facility, so we had our jeans and steel-cap boots. We had some high-vis, 01:13:17.760 --> 01:13:21.660 we had the helmets clipped to our belts; if you want to throw a helmet on, 01:13:21.660 --> 01:13:27.300 you can. We had tools, we had workers tools on us, and more in the trunk, too. 01:13:27.300 --> 01:13:33.060 So, we just kinda walked around the building and started, quote, checking doors, checking 01:13:33.060 --> 01:13:38.280 the handle. Is this door really locked? But also, there’s a little door-gap checker. It’s used when 01:13:38.280 --> 01:13:43.560 I do fire door stuff. There are tolerances. This is a quarter-inch, eighth-inch. How much tolerance 01:13:43.560 --> 01:13:47.640 is this door? You can check the door jams and the top of the door and the bottom of the door. So, 01:13:47.640 --> 01:13:52.440 we’re just, quote, checking doors and pretending to take notes on a tablet. We’re going around and 01:13:52.440 --> 01:13:56.760 seeing if anybody left a door open, or could we tailgate in. Eventually we do. We tailgated in, 01:13:56.760 --> 01:14:03.120 we walk through some spaces, and between us and another team – was able to exploit 01:14:03.120 --> 01:14:06.900 a similar path. Now that we know, we’re like, well, Sophie got in; maybe Drew can do it. 01:14:06.900 --> 01:14:11.040 Drew’s not quite as charming as Sophie, but Drew can drive through a checkpoint. He did. 01:14:11.040 --> 01:14:15.720 JACK: Drew was able to tailgate into the building, too. This is where he just waited near a door 01:14:15.720 --> 01:14:20.100 until someone was going in or out, and then he just went in after them without having to use 01:14:20.100 --> 01:14:27.180 a badge. Day one was a success. All three teams got into sensitive areas and showed their contact 01:14:27.180 --> 01:14:32.940 how they got in. They took photos and were able to leave without being detected or caught. 01:14:32.940 --> 01:14:37.320 So, they decided to do it all again the next day, [MUSIC] but this time be a little more 01:14:37.320 --> 01:14:42.000 sloppy. You know, like standing near a locked door a little more obviously 01:14:42.000 --> 01:14:46.440 and actually looking like you’re waiting for someone to come open it for you. Sure 01:14:46.440 --> 01:14:51.180 enough, somebody did come open it and didn’t challenge them, and held the door open for them. 01:14:51.180 --> 01:14:55.560 Or they might have shouted at someone, hey, could you hold that door open for me? Thanks! 01:14:55.560 --> 01:15:00.600 DEVIANT: It was shocking how once we got past that fence line, 01:15:00.600 --> 01:15:04.980 we started realizing that no one really challenged us. 01:15:04.980 --> 01:15:11.040 JACK: Their outer perimeter was very secure, but it seemed like that was the main layer of 01:15:11.040 --> 01:15:17.640 defense. To properly secure a building, you want to do defense in-depth, and not just one gate at 01:15:17.640 --> 01:15:23.700 the front, but many gates the deeper you’re going. They didn’t encounter that. So, now that they’ve 01:15:23.700 --> 01:15:28.020 accomplished all their objectives by getting into all the sensitive areas that they were tasked to 01:15:28.020 --> 01:15:33.360 get into, it was time to step it up a bit or step it down, depending on how you look at it. 01:15:33.360 --> 01:15:37.320 DEVIANT: We said, let’s just try to be sloppy. Let’s just try to like – hey buddy, hold that 01:15:37.320 --> 01:15:41.640 door, and don’t be polite about it. We’re like, man, we just keep getting in everywhere. We kept 01:15:41.640 --> 01:15:47.340 getting into so many sensitive rooms and we’re messaging our contacts and we’re saying, hey, 01:15:47.340 --> 01:15:49.860 we’re in here today. You want us to try the third ware – you want us to try the – this 01:15:49.860 --> 01:15:55.020 generation building? Okay, try to get in that building. We’re really not getting challenged. So, 01:15:55.020 --> 01:15:58.860 by the end of the week, you’re like, we really want to give you some wins here. 01:15:58.860 --> 01:16:04.080 Do you want us to just start doing stupid shit? Trying to see what level of noise 01:16:04.080 --> 01:16:08.940 it would take to make the employees at the customer site say, hey, that’s not right; 01:16:08.940 --> 01:16:13.320 I should report this to security. We were setting off alerts and alarms at that point. 01:16:13.320 --> 01:16:17.280 We were propping doors open with doorstops that you’re not supposed to do, and if it’s held for 01:16:17.280 --> 01:16:20.580 more than thirty seconds, then a guard has to come out and go, why is there a doorstop here? 01:16:20.580 --> 01:16:27.720 At this point, we had literally caused headache on the part of the guards because we had been 01:16:27.720 --> 01:16:33.360 putting doorstops in and holding doors open and just really kind of – they were like, 01:16:33.360 --> 01:16:39.180 what’s going – why are the employees being such a pain these last twenty-four hours? This day, 01:16:39.180 --> 01:16:43.920 at one point I think I took caution tape and I propped a door open and put caution tape all 01:16:43.920 --> 01:16:48.960 around the door, and – just to – do we take the tape off? Do we not? What are they working on? I 01:16:48.960 --> 01:16:53.220 put a work order on it that’s – because we had seen other work orders and maintenance areas. 01:16:53.220 --> 01:16:55.110 JACK: An exit door? 01:16:55.110 --> 01:16:59.760 DEVIANT: No, this is an internal door to a sensitive machine room. The guards were like, 01:16:59.760 --> 01:17:02.940 do we…? They had to escalate to a supervisor and say, no, take the tape down and we’ll 01:17:02.940 --> 01:17:07.320 figure out who left that there later. We’re still not getting quite caught, 01:17:07.320 --> 01:17:11.820 right? We’re still – we were interacting with some guards. I said, hey, who took the tape 01:17:11.820 --> 01:17:17.940 off this door? That kind of – you know. But they kept seeing our badges. Okay, so, finally we said, 01:17:17.940 --> 01:17:23.160 what do you want us…? We’re on a quick three-way call with the customer. What do you want us to do 01:17:23.160 --> 01:17:28.080 here, man? We’re really trying. We’re trying to – we’re walking up to people saying hi, I’m not from 01:17:28.080 --> 01:17:32.220 this department; can you tell me where to…? And no one asked, why are you in here? They said, well, 01:17:32.220 --> 01:17:36.840 you said something once about destructive attacks. You can go destructive. What can you do that you 01:17:36.840 --> 01:17:43.380 said – could you drill a door or something? I was like, I mean, yeah. There are plenty of things we 01:17:43.380 --> 01:17:48.600 show to – other types of entry trainings we do for first responders or for military. We say, 01:17:48.600 --> 01:17:53.160 yeah, we could drill a cylinder out of the door, then you take the cylinder out, and then you can 01:17:53.160 --> 01:17:58.920 pop the door. We can do that. It’ll be noisy and it’ll cause some damage. They said, yeah, yeah, 01:17:58.920 --> 01:18:01.920 yeah, we’ll budget it. We’ll say, here’s how much you’re allowed to damage, and try to keep 01:18:01.920 --> 01:18:07.620 it under that amount, and let’s try it on a door or two if you want. We’ll pay for it. Said, okay. 01:18:07.620 --> 01:18:14.280 [MUSIC] So, we got out a giant – I went to Home Depot or Lowes or something and I bought a big, 01:18:14.280 --> 01:18:21.420 old Blue Makita hammer drill with a big handle off the side, and I bought some high-speed steel bits. 01:18:21.420 --> 01:18:25.560 There’s footage, there’s actually footage that Robert shot with his cell phone of he 01:18:25.560 --> 01:18:36.840 and I in our high-vis just [DRILLING] carving away at this lock and this door. Our point of 01:18:36.840 --> 01:18:43.200 contact was really trying to give his people a win. He’s in the SOC and he’s watching. 01:18:43.200 --> 01:18:48.420 He’s watching, he’s looking at his people, and he’s watching. He said, hey, Chris, can you pull 01:18:48.420 --> 01:18:54.480 up Monitor 17? Can we center stage that? First – and then, click – and this big screen – say, 01:18:54.480 --> 01:19:00.900 what’s going on outside Building 6? Do we have Sheridan here? Did you see a work order? Are we 01:19:00.900 --> 01:19:06.120 servicing doors or something on Building 6 today? I thought that building was already stood up. 01:19:06.120 --> 01:19:11.280 You hear the rustling of papers and their people are – what – I thought – they had so much work 01:19:11.280 --> 01:19:15.240 going on from so many contractors, they were growing so much of this site that someone’s like, 01:19:15.240 --> 01:19:21.600 I swear I saw something about that on the pass-off notes. I think we’re doing doors. I think we’re 01:19:21.600 --> 01:19:27.120 doing doors today. He’s like, okay, and he kinda stepped back and messaged us and said, 01:19:27.120 --> 01:19:31.740 no, man, they’re looking at you on camera and you look the part. What are you gonna…? 01:19:31.740 --> 01:19:37.800 So, yeah, I just kinda dropped the drill where it was, left – the door set off an alarm 01:19:37.800 --> 01:19:42.420 and I just left the alarm going. I just walked – we were trying everything. We were just setting 01:19:42.420 --> 01:19:49.320 off a chain of alarms until guards eventually came to us. [ALARMS BLARING] They said, hey, 01:19:49.320 --> 01:19:52.740 fella, stop what you’re doing for a – I was trying to under-door tool a door 01:19:52.740 --> 01:19:59.400 and not hiding it at all. Robert and I stand up and they say, so, what are you guys doing here? 01:19:59.400 --> 01:20:03.840 They’re like, were you working on the side of that – of Building 6? I’m like, yeah, yeah, there was 01:20:03.840 --> 01:20:12.000 an alarm. That was really loud. Like, yeah, so what are you doing here, guys? Robert, again, 01:20:12.000 --> 01:20:19.080 back pocket, hand on the letter, thinking this has gotta be – our ticket is up. I just Hail Mary it. 01:20:19.080 --> 01:20:23.400 I said, what does it look like we’re doing? It broke the guard’s brain. [MUSIC] He went, 01:20:23.400 --> 01:20:29.760 well, it looks like you’re working on – it looks like you’re trying to get open this door here, 01:20:29.760 --> 01:20:35.760 but you have badges. Robert’s hand kinda comes off the letter. Let’s see where this – the guy’s like, 01:20:35.760 --> 01:20:40.380 yeah, I mean, you work here. You’re obviously on the contract team, but you have a radio, 01:20:40.380 --> 01:20:44.700 ‘cause Robert had stolen a radio from a truck. He’s like, you know you can just 01:20:44.700 --> 01:20:48.420 call for remote unlock? You don’t have to have us come all the way out here and bother with it. 01:20:48.420 --> 01:20:52.680 We came all the way from the other side of the thing. So, he’s like, yeah, no, it’s the 01:20:52.680 --> 01:20:57.000 Sheridan guys. I’m here. Yeah, yeah, in warehouse – yeah, can you open the east-side warehouse? The 01:20:57.000 --> 01:21:02.040 door goes green, he opens the door. He’s like, yeah, see? You can just do that, man. You must 01:21:02.040 --> 01:21:06.480 be – don’t worry about it, but next time just call, man. We didn’t know what was going on with 01:21:06.480 --> 01:21:13.500 all these alarms. We said, oh, thank you. Yeah, the story continues to get crazier and crazier. 01:21:13.500 --> 01:21:19.200 I eventually took a bike – ‘cause they had corporate – they had a couple people who 01:21:19.200 --> 01:21:22.920 biked into the corporate office. I took someone’s bike and just biked it around the parking lot, 01:21:22.920 --> 01:21:30.300 hoping that someone would report a stolen bike. I took a golf cart and started driving that around. 01:21:30.300 --> 01:21:34.920 They eventually – because, again, we had radios – someone’s like, okay, D, they’re finally onto you. 01:21:34.920 --> 01:21:39.540 You’re gonna have some attention soon. I saw these white pickups with guards start trying to find 01:21:39.540 --> 01:21:43.980 me in parking lots. They thought I was a mental case. They were like, is that the same guy? No, 01:21:43.980 --> 01:21:49.080 he’s not wearing the high-vis anymore. Who is that guy? I was just – I was rolling around 01:21:49.080 --> 01:21:54.600 and there’s – yeah, yeah, a crazy guy’s on a bike. No, no, no, wait, crazy guy’s in one of our carts. 01:21:54.600 --> 01:22:01.200 But it distracted them so badly that I had – it was like an OJ Simpson pursuit. I was 01:22:01.200 --> 01:22:04.620 pursued by these flashing-light vehicles that couldn’t – what are they gonna do, 01:22:04.620 --> 01:22:09.960 knock me off a bike? Try to ram into a golf cart? You can’t cause injury. A bike can 01:22:09.960 --> 01:22:14.160 go places that trucks can’t. I would just cut through bushes or cut in-between buildings and 01:22:14.160 --> 01:22:17.940 then they would have to spin around and go drive around the other side. While I was doing that, 01:22:17.940 --> 01:22:24.600 the other teams knock down every target again and again and again, and they took pictures 01:22:24.600 --> 01:22:30.960 standing in all the sensitive rooms, because everyone’s eyes was suddenly on crazy guy. Yeah, 01:22:30.960 --> 01:22:36.660 at this point, nobody cared about trying to mask door sensors. There was so many alarms that it 01:22:36.660 --> 01:22:42.780 eventually was a supervisor who was offsite that day – it was his day off, and his phone, 01:22:42.780 --> 01:22:48.360 his work phone, was lighting up with – and it went, Door 21, Door 17, Door 17 again, 01:22:48.360 --> 01:22:55.620 Door 17 again, Door 55. Roll up Door 7, 6. He’s like, what is going…? He tried to call; no one 01:22:55.620 --> 01:23:02.280 would answer. He drove in – he lived a town over. He drove in, kinda burst through the doors of the 01:23:02.280 --> 01:23:09.240 security – he said, what is going the F on? He’s got a bunch of guys looking at this – this crazy 01:23:09.240 --> 01:23:13.020 guy is on a bike, sir. He’s like, I don’t give a damn about the guy – is he in the parking lot? 01:23:13.020 --> 01:23:16.620 What’s all this? He’s looking at all the alerts and they go, oh, 01:23:16.620 --> 01:23:19.800 really? Is something going on? He’s like, look at your screens. There’s all these red entries 01:23:19.800 --> 01:23:25.200 – access. There’s all these failed events, there’s all these door entry events. He’s like, get – so, 01:23:25.200 --> 01:23:31.860 we heard squawks on the radio start going out that said, Mobile 6, you watch bike guy. Everyone else 01:23:31.860 --> 01:23:37.860 return to your guard tours. Cancel all superfluous business. Challenge all unknown parties. Figure 01:23:37.860 --> 01:23:43.860 out the – what – there’s more afoot here. Some guy even said, bike guy may be a distraction. That’s 01:23:43.860 --> 01:23:49.380 what it took. That’s what it took to finally get them to start challenging our teams, and that 01:23:49.380 --> 01:23:55.320 was – at the end, I just got off the bike at one point and – now, these – all these trucks pull up 01:23:55.320 --> 01:23:58.620 and they all jump out, and, like, what are they gonna do? Again, they’re not cops. They’re not 01:23:58.620 --> 01:24:03.540 allowed to shoot you or go hands-on. He went, sir, could you please stop? I went, I’m stopped. I’m 01:24:03.540 --> 01:24:08.760 perfectly fine. What’s going on, fellas? Having a good day? They asked me to sit down. Oh, have 01:24:08.760 --> 01:24:12.600 a seat by the curb. I said, this might explain it, and I hand him a letter. Then some of the 01:24:12.600 --> 01:24:16.440 guys were – a former Service member and then he said, oh, alright, it’s an exercise, boys; look. 01:24:16.440 --> 01:24:20.160 JACK: One of the other teams just got in their car and left, and then security 01:24:20.160 --> 01:24:24.720 caught the third one and just asked them, are you supposed to be here? They said, 01:24:24.720 --> 01:24:29.340 no, thanks for asking. I’ve been here all week and nobody’s asked me that. With that, 01:24:29.340 --> 01:24:35.100 their engagement with this client was over. The client loved hearing all the different ways that 01:24:35.100 --> 01:24:39.540 they were able to defeat security that week, and they worked with security to fix all the things 01:24:39.540 --> 01:24:44.580 that they noticed in their assessment. It was a great training exercise for everyone involved at 01:24:44.580 --> 01:24:49.860 the facility. Wow. So, thank you so much for sharing with us the way you see the world. 01:24:49.860 --> 01:24:54.180 DEVIANT: Yeah, hopefully some people out there start seeing it this way, too. It’s not a bad way 01:24:54.180 --> 01:25:00.420 to be. You don’t have to live in fear. You just live in awareness. I’m a fan of Amanda Palmer. 01:25:00.420 --> 01:25:07.080 She’s a cool musician and poet, and she talks about how it’s not the job of the artist to make 01:25:07.080 --> 01:25:14.280 you feel joy all the time. It’s actually the job of the artist to take you into the darker places, 01:25:14.280 --> 01:25:20.700 and if you’ve ever heard her music, she’s good at that. But darkness isn’t scary because it’s 01:25:20.700 --> 01:25:25.620 dark. It’s scary because you’re alone, and I like to remind people that if we go into 01:25:25.620 --> 01:25:32.940 these dark places in our world with friends and allies and peers and loved ones, you realize that 01:25:32.940 --> 01:25:38.460 the dark isn’t that scary because it’s dark. It’s just because you didn’t know what was in there. 01:25:38.460 --> 01:25:41.760 That’s why I like to bring people into the darkness with me and realize it’s not 01:25:41.760 --> 01:25:44.640 that scary and they can learn from it and they can be improved by it. 01:25:44.640 --> 01:25:51.300 (OUTRO): [OUTRO MUSIC] 01:25:51.300 --> 01:25:55.980 A big thank-you to Deviant Ollam for coming on the show and sharing these stories with 01:25:55.980 --> 01:26:00.000 us. You should be able to easily find him online by just searching his name pretty much anywhere, 01:26:00.000 --> 01:26:06.240 Deviant Ollam, which is spelled O-L-L-A-M. He’s on YouTube, Instagram, Mastodon, Bluesky, 01:26:06.240 --> 01:26:11.220 and Twitter, or you could just look on his own website, which is deviating.net. I’ll have all 01:26:11.220 --> 01:26:14.340 these links in the show notes. Just check the description of this episode. This show 01:26:14.340 --> 01:26:19.260 is made by me, the tarnished Jack Rhysider. Editing and assembly by the omen-killer, 01:26:19.260 --> 01:26:24.420 Tristan Ledger, mixing by Proximity Sound, and our theme music is by the dreamlike Breakmaster 01:26:24.420 --> 01:26:31.200 Cylinder. Even though the only dates I get are updates, this is Darknet Diaries.