WEBVTT

00:00:00.000 --> 00:00:06.080
JACK: Hey, hey, it’s Jack, host of the show. I am feeling good. I am feeling healthy, strong,

00:00:06.080 --> 00:00:12.080
fit. I’m in the game. So, I’m coming at you with a second episode this month. Let’s go! Defcon

00:00:12.080 --> 00:00:17.280
is coming up in a few weeks. I’ll be there. I wouldn't miss it. You know me. If you don’t know,

00:00:17.280 --> 00:00:23.760
it’s the premiere hacking conference in Vegas, and I love going because every year something crazy

00:00:23.760 --> 00:00:28.560
happens. You don’t always know what it’ll be, but you know something is going down somewhere. Like,

00:00:28.560 --> 00:00:33.040
maybe someone will drop a zero-day live on stage, which will suddenly make us all panic and call

00:00:33.040 --> 00:00:38.160
home; shut everything down! Or maybe the FBI breaks into someone’s hotel room and arrests

00:00:38.160 --> 00:00:43.680
someone who they’ve been chasing for a decade. Or maybe someone gives a talk that makes history.

00:00:43.680 --> 00:00:45.520
I mean, Julian Assange

00:00:45.520 --> 00:00:51.200
once gave a talk at the Chaos Computer Camp in Germany to announce WikiLeaks. Lots of people

00:00:51.200 --> 00:00:56.400
come to drop big ideas at hacker conferences, and if there’s a talk that makes history, I want to

00:00:56.400 --> 00:01:00.560
be there for that moment. I want to be in the room where it happens. Anyway, I’m not planning

00:01:00.560 --> 00:01:06.480
any party or anything this year. I’ll just be floating around all over the place, but check my

00:01:06.480 --> 00:01:12.800
Discord or Twitter for live updates on where I’ll be, though. If you see me, please say hi, because

00:01:12.800 --> 00:01:17.760
I love meeting you. It’s your energy that gives me the fuel to fly this thing to the moon. Oh,

00:01:17.760 --> 00:01:22.480
and if you don’t know what I look like, I wear a big, black hat, and I cover my face entirely

00:01:22.480 --> 00:01:32.457
with a bandana. I look like a bandit. Alright, I promise I’ll bring you back some stories.

00:01:32.457 --> 00:01:34.880
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:01:34.880 --> 00:01:57.320
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:57.320 --> 00:02:01.640
JACK: I guess we’re gonna call you MG in this. Is that what you want to be known as, is MG?

00:02:01.640 --> 00:02:02.800
MG: Perfect, yeah.

00:02:02.800 --> 00:02:06.160
JACK: Yeah, I like MG 'cause I didn’t — I never — I didn’t

00:02:06.160 --> 00:02:08.800
know for the longest time if it was milligram or…

00:02:08.800 --> 00:02:10.080
MG: It’s great.

00:02:10.080 --> 00:02:10.980
JACK: Megagram.

00:02:10.980 --> 00:02:13.120
MG: It’s so many things it could be.

00:02:13.120 --> 00:02:18.320
JACK: That initial mystery I think is what intrigued me about MG. He had this raw type

00:02:18.320 --> 00:02:23.040
of energy to him. He’s always building. He goes hard on hacking. He’s always in

00:02:23.040 --> 00:02:27.360
the zone, and he seems like he’s part of the counter-culture. He’s probably got stories,

00:02:27.360 --> 00:02:30.800
right? People kept telling me, you should get MG on the show. So,

00:02:30.800 --> 00:02:35.600
here we are. Color me intrigued. He tells me MG is just his initials, and he started using

00:02:35.600 --> 00:02:41.240
that name when he signed up for Twitter back in 2008. His Twitter name is _MG_. Nice and simple.

00:02:41.240 --> 00:02:43.920
MG: I grew up in Wisconsin. Both of my parents were in medicine,

00:02:43.920 --> 00:02:52.240
and I guess a big thing that I learned growing up with them is you can pretty much DIY anything.

00:02:52.240 --> 00:03:00.000
Also, DIY-ing stuff is a great way of having control, stretching the value of what you have,

00:03:00.000 --> 00:03:06.160
and things like that. So, they designed and built their house from the ground up, like,

00:03:06.160 --> 00:03:12.000
every aspect of that. This was while they were working full-time in medicine and, of course,

00:03:12.000 --> 00:03:16.240
raising me and my sister. I think the house started around when I was in

00:03:16.240 --> 00:03:24.320
first grade, roughly. So, I was just constantly around raw materials, DIY, tools everywhere…

00:03:24.320 --> 00:03:29.200
JACK: Yeah. Yeah, but didn’t you get into magic also when you were young?

00:03:29.200 --> 00:03:35.120
MG: Oh, I mean, what kid didn’t, right? But, no, once I got into roughly middle school, I got

00:03:35.120 --> 00:03:42.320
into magic, sleight of hand, deception, and all that cool stuff. I also got into trouble

00:03:42.320 --> 00:03:48.640
doing that. I brought a prop cigarette to school, got suspended for not taking it seriously enough…

00:03:48.640 --> 00:03:52.920
JACK: You took a cigarette to school, a fake cigarette, and they suspended you over it?

00:03:52.920 --> 00:03:56.640
MG: Yes, they did. I mean, it was — there’s even more to that story. So,

00:03:56.640 --> 00:04:00.080
yeah, it wasn’t really believable. One, a little — it looked like the tip was glowing,

00:04:00.080 --> 00:04:04.080
and you blow on it and some talc powder comes out. It makes a nice cloud. So, it was kinda

00:04:04.080 --> 00:04:08.160
believable. The teacher — like, whoa, what is this? So, they confiscated it. But then they were

00:04:08.160 --> 00:04:13.520
holding it and some of the talc came out of it and they were like, oh, white powder. Uh-oh. So,

00:04:13.520 --> 00:04:19.040
they called the cops, had them drug-test it. [Music] My buddy at the time decided to say,

00:04:19.040 --> 00:04:26.880
that’s not even how you’d smoke cocaine. Did not help the situation at all. But yeah, I think we

00:04:26.880 --> 00:04:33.680
both got suspended, and mine was specifically for not taking the situation seriously enough.

00:04:33.680 --> 00:04:42.600
It was kind of the start of my conflicts with authority. We’ll just leave it at that.

00:04:42.600 --> 00:04:48.080
JACK: As MG grew up, he got influenced by his parents being in medicine and

00:04:48.080 --> 00:04:51.920
was gravitating towards biology. But the seductiveness of computers and

00:04:51.920 --> 00:04:53.880
technology would ultimately change his direction.

00:04:53.880 --> 00:04:59.120
MG: I was really into biology until Quake. Quake came out, and that changed everything

00:04:59.120 --> 00:05:03.120
for me about computers. You had to learn how they work to play Quake,

00:05:03.120 --> 00:05:10.400
especially multiplayer. First of all, you don’t just run an app on your machine. Back then,

00:05:10.400 --> 00:05:15.680
you're at least rebooting the Windows machine up into DOS mode. Oh, you want to connect with

00:05:15.680 --> 00:05:20.000
people? Cool; you're gonna have to learn how your modem works and dial-up works and

00:05:20.000 --> 00:05:23.680
peer-to-peer connections work, and all these other things, and eventually that would migrate

00:05:23.680 --> 00:05:31.840
into modifying the game environment to play Team Fortress, kind of a modification to Quake itself.

00:05:31.840 --> 00:05:37.120
Then you got multiplayer lobbies and all this other stuff starts happening. It’s like,

00:05:37.120 --> 00:05:41.280
wait a second, the computer does all these things. You can mess around with

00:05:41.280 --> 00:05:45.200
this. You can start breaking stuff. They weren't checking client-side content,

00:05:45.200 --> 00:05:53.280
so you could modify player skins to be way bigger or have an XYZ axis sticking way farther out than

00:05:53.280 --> 00:05:56.720
the actual player was, so you could see them coming around corners. You can add

00:05:56.720 --> 00:06:02.080
a fluorescent coloring to the skin to make them stand out in the dark. That’s really cool to me.

00:06:02.080 --> 00:06:09.280
JACK: Oh, that’s brilliant. So, if you make the enemy model extra big, then you can see

00:06:09.280 --> 00:06:15.829
them coming and give — you have the big advantage over. That’s amazing that you thought of that.

00:06:15.829 --> 00:06:20.320
MG: Right? Or the skins of the walls and stuff like that, you can set

00:06:20.320 --> 00:06:23.560
them to partial transparency and see through those walls.

00:06:23.560 --> 00:06:28.400
JACK: Most video game players at some point wished they had a faster computer. So,

00:06:28.400 --> 00:06:32.960
a lot of gamers get into overclocking. They force their computer to run faster than

00:06:32.960 --> 00:06:38.000
it’s designed for. But when you overclock your CPU, you run the risk of your CPU overheating,

00:06:38.000 --> 00:06:43.200
and it can get really hot and melt, which means you need to have a better cooling system. Water

00:06:43.200 --> 00:06:48.320
cooling is a pretty effective way to cool your CPU, but it requires all this extra hardware.

00:06:48.320 --> 00:06:52.720
You need tubes and reservoirs and pumps. But when MG heard that people were putting tubes

00:06:52.720 --> 00:06:57.680
and pumps inside their computers to cool them better, he was in. [Music] That sounded great.

00:06:57.680 --> 00:07:01.280
MG: You get a pond pump, you get a heater core from a car,

00:07:01.280 --> 00:07:05.680
you go on McMaster-Carr — first of all, you learn what McMaster-Carr is, and you're like,

00:07:05.680 --> 00:07:10.560
whoa, I can just buy chunks of metal pre-cut? Awesome. I’m gonna drill these

00:07:10.560 --> 00:07:15.600
out in my basement and plug them and create all these water channels inside the blocks,

00:07:15.600 --> 00:07:20.800
strap that to the processor and the graphics card, just start cooling everything down in

00:07:20.800 --> 00:07:25.920
the computer. It just kinda escalates and you're like — that was actually a really

00:07:25.920 --> 00:07:31.200
good example of merging non-traditional computer skills with computers. It’s like,

00:07:31.200 --> 00:07:36.240
okay, we're gonna merge shop class here or auto skills. When you're — you've got this liquid

00:07:36.240 --> 00:07:41.520
moving through a multi-metal loop, you're gonna get corrosion unless you understand the chemistry

00:07:41.520 --> 00:07:46.680
of how to block that with some additives. So, lots of really cool stuff to just pick up and learn.

00:07:46.680 --> 00:07:51.040
JACK: Man, I’m the same way. I truly believe that getting hands-on experience is the best

00:07:51.040 --> 00:07:56.160
way to learn. For me, when I was young, that was looking for cheap or free computers to

00:07:56.160 --> 00:08:00.720
just play around with like a sand box and build without the fear of breaking them.

00:08:00.720 --> 00:08:05.040
Having a playground to try out random things was very helpful to me. Like,

00:08:05.040 --> 00:08:10.960
what happens if you don’t put RAM in the computer? Are the fans actually needed? What happens if you

00:08:10.960 --> 00:08:14.720
disconnect the hard drive mid-boot up or take out a thumb drive while you're trying to write

00:08:14.720 --> 00:08:19.920
to it? What if you try to delete all the files? I wanted to see all those things,

00:08:19.920 --> 00:08:23.840
and I tried them all because this is the stuff that was interesting to me, and I wasn’t finding

00:08:23.840 --> 00:08:28.880
it in textbooks. It vastly brought in my understanding of how all this operates.

00:08:28.880 --> 00:08:34.560
[Music] MG’s first IT job was at a help desk fixing people’s PC problems,

00:08:34.560 --> 00:08:38.240
but one of his buddies moved out to San Francisco and started working on the

00:08:38.240 --> 00:08:44.240
10,000-Year Clock. It’s a fascinating project that simply asks, can we build a clock that’ll

00:08:44.240 --> 00:08:48.480
last for ten thousand years? Clocks live a long time without an issue. Surely that

00:08:48.480 --> 00:08:53.040
can't be that hard. But when you lean into the problem, it starts to get really tricky. First,

00:08:53.040 --> 00:08:57.040
it raises the questions; wait, are humans even gonna be here in ten thousand years?

00:08:57.040 --> 00:09:01.040
That’s not a given. So, if you're gonna build a clock that’s gonna last that long,

00:09:01.040 --> 00:09:04.240
it kinda needs to function all on its own without humans around to help it. So,

00:09:04.240 --> 00:09:07.840
where does it get its power from? That’s an interesting challenge by itself. But then you

00:09:07.840 --> 00:09:14.240
think about the pieces and parts that it has to be made of. Everything must have extreme longevity.

00:09:14.240 --> 00:09:18.880
Like, it’s gotta be entirely made of metals or ceramics. Plastics or rubber

00:09:18.880 --> 00:09:23.520
is just gonna wear out too easily. MG got fascinated with this idea and decided to

00:09:23.520 --> 00:09:27.680
join his buddy out in San Francisco to see what was going on with that project,

00:09:27.680 --> 00:09:34.400
and immediately he was amazed at the DIY culture out there. He met people from Burning Man who were

00:09:34.400 --> 00:09:38.960
creating art for art’s sake. He visited the Maker Faire, which is a really cool place where people

00:09:38.960 --> 00:09:43.600
show off their projects that they're building. It’s so inventive and clever and inspiring. It

00:09:43.600 --> 00:09:48.240
was like everyone around him there was big into building things themselves or tackling really

00:09:48.240 --> 00:09:53.800
interesting problems or just had a really unique way of seeing the world. MG found his new home.

00:09:53.800 --> 00:09:59.600
MG: The 3D-printed gun movement, that added a new layer to the whole thing. Let’s see, that

00:09:59.600 --> 00:10:06.160
was Defense Distributed. I think it was 2013 where they started showing off the first 3D-printed guns

00:10:06.160 --> 00:10:11.600
that were — there was a whole community that was working on these at the time. But Defense

00:10:11.600 --> 00:10:18.560
Distributed showed these off to the world and with so much bravado that it was impossible to miss.

00:10:18.560 --> 00:10:24.720
So, everybody took note. It had this interesting tone to it and this message that I was picking up,

00:10:24.720 --> 00:10:33.520
which is creation can also be power in politics. Like, you can't take something back once you put

00:10:33.520 --> 00:10:38.160
it out into the world. So, you've gotta be thoughtful on how you do it, but also, you

00:10:38.160 --> 00:10:46.480
can't take it back. Nobody can take it and make it go away. That — regardless of what you think about

00:10:46.480 --> 00:10:52.360
that specific topic, just the larger power and political nature of it was just fascinating to me.

00:10:52.360 --> 00:10:56.560
JACK: Yeah, that was an interesting time. The US government has always tried to regulate guns by

00:10:56.560 --> 00:11:01.280
acting as a gatekeeper, controlling who can sell them, trade them, or move them across

00:11:01.280 --> 00:11:06.000
state lines. That’s where most of the laws live, not at the moment that the gun is used,

00:11:06.000 --> 00:11:12.320
but it regulates the system that makes it and delivers it. But the 3D-printed guns changed

00:11:12.320 --> 00:11:17.760
all that. It didn’t need to be bought or sold or registered or traced. It didn’t pass through any

00:11:17.760 --> 00:11:24.080
other traditional checkpoints. Suddenly, most of the regulations became powerless because you could

00:11:24.080 --> 00:11:31.920
just print one at home and no one would ever know. That kind of knowledge fascinated MG. There are

00:11:31.920 --> 00:11:38.640
certain technologies that once released changed the power dynamics of the world. It changes who’s

00:11:38.640 --> 00:11:45.920
in control. New types of technology allow you to completely sidestep outside the system that

00:11:45.920 --> 00:11:51.400
was supposed to be there to control and shape you. Yeah, that sort of thing intrigued him.

00:11:51.400 --> 00:11:56.000
MG: That was also around the same time as Bitcoin was taking off, and I was also into that. I really

00:11:56.000 --> 00:12:02.800
like it at the time and the concept of it to just changing and decentralizing power. It was really

00:12:02.800 --> 00:12:09.200
sticking with me. So, this was also at the same time that the Snowden leaks happened. I didn’t

00:12:09.200 --> 00:12:16.240
know at the time what it would be, but I just — I really wanted to participate in that type of

00:12:16.240 --> 00:12:20.560
creation, right? I didn’t know what it was. So, I would join some of these groups and just kinda

00:12:20.560 --> 00:12:25.760
help them. Like, hey, I do IT; maybe I could help with some of your stuff. Or, I do security; let me

00:12:25.760 --> 00:12:31.480
help you. You can kinda see how the artist works, right? That’s kinda where I was at for a while.

00:12:31.480 --> 00:12:33.920
JACK: So, you worked at Defense Distributed?

00:12:33.920 --> 00:12:35.720
MG: Let’s just say volunteered.

00:12:35.720 --> 00:12:39.280
JACK: Another thing that sort of shocked the world was the ANT catalog,

00:12:39.280 --> 00:12:45.040
which came out in 2008. This was some leaked NSA documents which showed different types of devices

00:12:45.040 --> 00:12:50.720
and technology that the NSA had in its possession and could use for missions if you were in the NSA.

00:12:50.720 --> 00:12:57.200
MG: Yeah. So, the ANT catalog, this was commonly mis-attributed to Snowden. I believe officially

00:12:57.200 --> 00:13:02.560
it’s just another leaker around that time. But the NSA ANT catalog had this

00:13:02.560 --> 00:13:10.560
catalog of all this cool espionage tooling; hardware, software, just so many cool things.

00:13:10.560 --> 00:13:14.480
If you ever saw the back of a magazine with the spy catalog stuff back there

00:13:14.480 --> 00:13:22.080
with disappearing ink and whatever it may be, this was that just with an entire budget. So,

00:13:22.080 --> 00:13:28.000
one of the things in there was a malicious cable called the Cottonmouth. It had multiple

00:13:28.000 --> 00:13:33.680
layers of PCBs inside there. It looked really big and chunky, really complicated to make,

00:13:33.680 --> 00:13:40.320
but it also cost — you had to have at least a million dollars to afford for this and for the

00:13:40.320 --> 00:13:47.520
NSA customer population of their own department. But yeah, you had to have a million dollars just

00:13:47.520 --> 00:13:55.160
to get fifty cables. So, that’s twenty grand each. It was just cool seeing all of these things.

00:13:55.160 --> 00:13:59.920
JACK: Okay, so this Cottonmouth cable that the leaked NSA docs showed was wild. It

00:13:59.920 --> 00:14:05.760
looked like a regular USB cable, but somehow it had the ability to install a Trojan horse on a

00:14:05.760 --> 00:14:12.000
computer wirelessly. So, if your enemy plugs in this cable to their computer, you could somehow

00:14:12.000 --> 00:14:17.120
get into that cable and infect their computer with malware. Now, for most of us at the time,

00:14:17.120 --> 00:14:22.960
we were blown away by the technology in this catalog. How was it possible for a USB cable

00:14:22.960 --> 00:14:28.720
to function both as a regular USB cable but also have the ability to infect a computer?

00:14:28.720 --> 00:14:33.840
We were all wondering how it was possible, but MG was actually trying to figure it out. [Music] He

00:14:33.840 --> 00:14:37.760
was tinkering with hardware, building 3D projects, helping out at the Maker Faire,

00:14:37.760 --> 00:14:44.080
and building random things. Around 2017, he got an idea. There’s this device called a USB

00:14:44.080 --> 00:14:49.040
Rubber Ducky, which looks like a USB thumb drive, but when you plug it into a computer,

00:14:49.040 --> 00:14:54.160
it’ll automatically run a script that could infect your computer with malware. Basically, the Rubber

00:14:54.160 --> 00:15:00.800
Ducky was already terrifying, but MG wondered how he could make it even worse, and thought,

00:15:00.800 --> 00:15:07.000
what if he took the USB Rubber Ducky thumb drive and made it explode when you put it in a computer?

00:15:07.000 --> 00:15:10.400
MG: I kinda spent a while making exactly that.

00:15:10.400 --> 00:15:12.120
JACK: An exploding thumb drive.

00:15:12.120 --> 00:15:22.080
MG: Yes. So, I’m a big Nine Inch Nails fan, so naturally I called this Mr. Self Destruct. So,

00:15:22.080 --> 00:15:29.280
the — why this is important here is because there’s not much space in a USB Rubber Ducky.

00:15:29.280 --> 00:15:35.120
It’s all PCB and components. So, I needed to figure out how to make space inside of a thumb

00:15:35.120 --> 00:15:41.120
drive while retaining Ducky functionality to an extent. I had a really limited version of it. So,

00:15:41.120 --> 00:15:48.000
I shrunk it down to I think what was ultimately an 8x12 millimeter PCB with

00:15:48.000 --> 00:15:52.720
a couple really limited components on it, just enough to run a tiny payload

00:15:52.720 --> 00:15:56.960
that can maybe open up a browser to a specific site, right? Good enough.

00:15:56.960 --> 00:16:04.080
Then, it could also trigger an electronic detonator to then fire

00:16:04.080 --> 00:16:10.320
a firecracker or something like that and have a bunch of confetti in there.

00:16:10.320 --> 00:16:13.760
I was doing this all with the idea of this is gonna be just art I’m gonna present to

00:16:13.760 --> 00:16:19.200
the world in a video form, and, hey, everyone can just look at it, right? So, the payload

00:16:19.200 --> 00:16:25.840
was — you'd plug it into the computer; it opens up the browser, goes to a video of a Jack-in-the-Box

00:16:25.840 --> 00:16:31.440
animation. Jack-in-the-Box is cranking the box for an awkwardly long amount of time to

00:16:31.440 --> 00:16:41.440
build up tension, and then the explosion happens. Confetti goes everywhere. Pop. That was great.

00:16:41.440 --> 00:16:43.960
JACK: Such a ridiculous project, but I love it.

00:16:43.960 --> 00:16:51.120
MG: Since that’s happened, there’s been evidence of exploding thumb drives shipped to journalists

00:16:51.120 --> 00:16:58.000
and stuff like that that had RDX in it. That would — yeah, that would do a lot of damage,

00:16:58.000 --> 00:17:03.160
and it’s exactly why I did not productize that despite many people asking for it.

00:17:03.160 --> 00:17:06.960
JACK: I mean, yeah, I was just thinking of the Hezbollah pagers at this point.

00:17:06.960 --> 00:17:07.167
MG: Uh-huh.

00:17:07.167 --> 00:17:11.000
JACK: Did those people see your presentation somewhere and be like, oh, that’s great?

00:17:11.000 --> 00:17:12.920
MG: Oh god, I hope not.

00:17:12.920 --> 00:17:18.000
JACK: So, he’s tinkering around with these USB drives that will physically self-destruct,

00:17:18.000 --> 00:17:20.640
and his buddy is like, hey, you should take those things to Defcon.

00:17:20.640 --> 00:17:25.520
MG: I think it was around 2013. I finally made my first Defcon before wanting — I

00:17:25.520 --> 00:17:29.920
had been wanting to go for years, but 2013 was the first time. That’s where I linked up

00:17:29.920 --> 00:17:37.600
with a long-time online buddy, YTCracker, Bryce, and he kinda just introduced me to

00:17:37.600 --> 00:17:43.360
more stuff and showed me around the security space. It was very helpful for me at the time

00:17:43.360 --> 00:17:50.080
just learning and meeting more people. Yes; so, at Defcon I would absolutely make little

00:17:50.080 --> 00:17:56.560
devices that were just highly-custom one-offs or two-offs, maybe five-offs

00:17:56.560 --> 00:18:04.480
to people who wanted a custom thing. You had to know me, and — yeah, back-alley deals at Defcon.

00:18:04.480 --> 00:18:10.240
JACK: Oh man, the back-alley deals at Defcon are always very interesting to me. The first

00:18:10.240 --> 00:18:13.680
time I went to Defcon, someone told me I should try to find and buy some

00:18:13.680 --> 00:18:18.720
rainbow tables. This is a list of hashes and passwords. You could download it back then,

00:18:18.720 --> 00:18:23.680
but it was a lot easier to just get it on a stack of CDs if you knew someone. The point of it is

00:18:23.680 --> 00:18:28.000
that it makes cracking passwords a lot faster. So, I went to Defcon and I started asking vendors,

00:18:28.000 --> 00:18:33.680
hey, do you have any rainbow tables for sale? They all said, no. What? LOL. Then eventually

00:18:33.680 --> 00:18:38.480
someone was like, hey, you said you wanted some rainbow tables? I was like, yeah. He said,

00:18:38.480 --> 00:18:43.040
you should go ask Paul. I’m like, who the hell is Paul? He showed me where Paul hangs out, and it

00:18:43.040 --> 00:18:47.840
turned out to be Paul Asadoorian. When I met him, I asked him, hey, do you have any rainbow tables?

00:18:47.840 --> 00:18:50.240
He’s like, oh, I just ran out. I was like, oh, man. He’s like,

00:18:50.240 --> 00:18:54.000
I brought a bunch last year for Defcon, but there wasn’t many people who really wanted them,

00:18:54.000 --> 00:18:58.640
so I only brought a few leftovers this year and just ended up giving them away. So,

00:18:58.640 --> 00:19:03.760
that hunt to find secret stuff at Defcon is real and it’s exciting, and I’ve been properly blown

00:19:03.760 --> 00:19:10.560
away at some of the secret things I’ve seen people bring to Defcon. So, MG fell in love with Defcon.

00:19:10.560 --> 00:19:14.960
These people were just like him, building cool stuff, subverting the gates of power,

00:19:14.960 --> 00:19:20.800
and using technology to reinvent new things. A lot of people at Defcon are building just for the fun

00:19:20.800 --> 00:19:27.200
of it. The endless curiosity cannot be tamed in some people, and it sparked a whole lot of

00:19:27.200 --> 00:19:33.280
new energy and ideas for MG. Around that time, the whole world was shrinking at a rapid rate.

00:19:33.280 --> 00:19:38.960
Like, for the longest time, we only had USB type A cables, the big wide ones that it takes you

00:19:38.960 --> 00:19:44.800
three tries to plug in, right? But then suddenly those shrank and then we got mini USB cables and

00:19:44.800 --> 00:19:49.520
then micro USB cables. Computers used to be big and clunky, right? Desktops, of course,

00:19:49.520 --> 00:19:53.680
but even small laptops; you couldn't fit those in your pocket. But then the iPhone came out

00:19:53.680 --> 00:19:58.160
and you had a whole computer in your pocket. This brought forth a whole bunch of smaller computers

00:19:58.160 --> 00:20:03.600
like BeagleBoards and Gumstix and Raspberry Pi’s, tiny computers that you could fit into

00:20:03.600 --> 00:20:09.520
your pocket but were also pretty powerful. So, while the NSA’s version of this malicious

00:20:09.520 --> 00:20:16.720
cable costs them $20,000 to make, with all the miniaturization of electronics hitting the market,

00:20:16.720 --> 00:20:22.948
MG was wondering if it was feasible to build one himself for a far cheaper price.

00:20:22.948 --> 00:20:28.320
MG: [Music] Yeah, exactly, right? The miniaturization of microcontrollers and

00:20:28.320 --> 00:20:32.640
other things like that certainly opened some doors for me in which

00:20:32.640 --> 00:20:36.320
I could experiment and play. You know, it’s actually important to

00:20:36.320 --> 00:20:40.240
mention right around this time is also when I met Darren Kitchen from Hak5.

00:20:40.240 --> 00:20:45.920
JACK: Darren Kitchen was already making malicious devices like the Rubber Ducky and Wi-Fi Pineapple,

00:20:45.920 --> 00:20:50.240
and was also making YouTube videos to a channel called Hak5 to teach people how to hack.

00:20:50.240 --> 00:20:54.640
MG: First of all, what a Rubber Ducky is — it does keystroke injection. What that means is it

00:20:54.640 --> 00:21:02.880
emulates a keyboard and will very rapidly type those keystrokes. So, I think the Ducky’s doing

00:21:02.880 --> 00:21:09.360
150, 200 keystrokes a second. So, anything I could do at your keyboard,

00:21:09.360 --> 00:21:18.160
the Ducky can do for me. Great for IT sysadmin — IT sysadmin automation, but also, you know,

00:21:18.160 --> 00:21:24.240
maybe some nefarious stuff, too. If you don’t care about speed, payload size,

00:21:24.240 --> 00:21:31.280
you don’t care about all of these nice product aspects, you can totally compromise and get

00:21:31.280 --> 00:21:38.160
something barely usable in return for making it much smaller. That’s effectively what I did. I

00:21:38.160 --> 00:21:42.960
compromised on a lot of things. Even some basic electrical safety things I ended up

00:21:42.960 --> 00:21:46.800
compromising there. Like, hang on; this thing’s gonna blow up. What’s it matter, right? So…

00:21:46.800 --> 00:21:50.880
JACK: To make his exploding thumb drive, he basically had to make a smaller version of

00:21:50.880 --> 00:21:56.720
the Rubber Ducky, and this gave him an idea. What can you do with a super-tiny keyboard

00:21:56.720 --> 00:22:02.720
connected to a computer? So, he decided to make his first malicious USB cable.

00:22:02.720 --> 00:22:10.160
MG: It’s identical to the Mr. Self Destruct except it didn’t explode and it was inside of a cable

00:22:10.160 --> 00:22:16.240
instead. So, basically to put a payload onto this, you had to have physical access to the cable.

00:22:16.240 --> 00:22:21.040
You program it, and it’s gonna delay however long you tell it

00:22:21.040 --> 00:22:24.960
before running the payload after it gets plugged in. Like, the end, right?

00:22:24.960 --> 00:22:28.960
JACK: Basically, imagine what someone could do if they had access to your

00:22:28.960 --> 00:22:33.840
keyboard. That’s what this cable did. It acted like a pre-programmed keyboard. If

00:22:33.840 --> 00:22:37.280
you plugged it in, whatever it was programmed to type, it would type.

00:22:37.280 --> 00:22:42.960
MG: So, you could do some basic keystroke injection attacks, which — open a browser,

00:22:42.960 --> 00:22:51.080
open a reverse shell. You can do a lot of stuff. But it wasn’t this tool I knew it could be.

00:22:51.080 --> 00:22:54.800
JACK: He was posting about this online and stuff, making a handful of them,

00:22:54.800 --> 00:22:59.680
and selling them in the corners of rooms in Defcon. But the first version was lacking

00:22:59.680 --> 00:23:04.960
features and really buggy. From his visits to Defcon, he met a guy named Fuzzyknob who got MG

00:23:04.960 --> 00:23:11.280
a job red-teaming for a Fortune 500 company, which was MG’s first cybersecurity job specifically

00:23:11.280 --> 00:23:15.760
hacking into places to test their security. How cool is that? But while he was at work doing

00:23:15.760 --> 00:23:20.320
his red-team stuff, [music] he just kept thinking about, how can he make this little device better?

00:23:20.320 --> 00:23:26.960
MG: So, obviously the next step is, well, what could that product actually be?

00:23:26.960 --> 00:23:33.360
The next time I had a vacation, which was actually in-between jobs — so I had — I think it was six

00:23:33.360 --> 00:23:40.800
weeks between my first red-team job and when I was leaving an IT role. So, six weeks in-between.

00:23:40.800 --> 00:23:46.480
I’m like, you know what? I have not figured out how to design PCBs yet, so I’m gonna get a mill.

00:23:46.480 --> 00:23:52.000
JACK: PCB is printed circuit board. It’s typically a green board inside an electronics device that

00:23:52.000 --> 00:23:56.880
has the capacitors and resistors, and they're soldered onto it. A mill is a way to create one

00:23:56.880 --> 00:24:01.520
of those PCBs yourself, making the traces and drilling holes for the components. So,

00:24:01.520 --> 00:24:05.840
he spent six weeks learning how to design PCBs and created them on his mill.

00:24:05.840 --> 00:24:13.600
MG: The cool thing about a mill is that you get rapid iteration. So, with software, you can just

00:24:13.600 --> 00:24:20.400
change some code, save it, hit Compile. Seconds later, you can test. But when it comes to a PCB,

00:24:20.400 --> 00:24:26.000
it’s usually weeks. You gotta design it, send it off to a fab, wait for it to come back,

00:24:26.000 --> 00:24:32.400
then you assemble the components on it, and then you test it and debug it before you can even get

00:24:32.400 --> 00:24:37.760
a change you want to make to test it over. But with a mill, you can do some primitive stuff.

00:24:37.760 --> 00:24:43.680
I can't get super-advanced here, but you can test some basic things to — you do it in the span of a

00:24:43.680 --> 00:24:50.160
few hours, and make a revision, kick it out again, and just maybe go through two, three revisions

00:24:50.160 --> 00:24:55.080
in a day, easily, depending on how complex it is. That allowed me to level up really quickly.

00:24:55.080 --> 00:24:59.920
JACK: So, he spent a lot of time in his home lab trying to jam more features into this cable

00:24:59.920 --> 00:25:04.720
of his. But one thing bugged him about this cable; you have to physically take control of

00:25:04.720 --> 00:25:10.560
it to program what keys it will type. It would be way better if you could plug the cable into your

00:25:10.560 --> 00:25:16.880
target and then tell it what to type remotely. So, he was fiddling around, trying to figure out how

00:25:16.880 --> 00:25:23.120
to give this thing an antenna or something, maybe Wi-Fi, in the smallest way possible.

00:25:23.120 --> 00:25:27.840
MG: The Wi-Fi radio allowed it to connect to networks or you,

00:25:27.840 --> 00:25:34.080
with a phone, to connect to it. There was no need to get access to the cable to update

00:25:34.080 --> 00:25:42.400
a payload on it or to trigger a payload. So, that changed the entire value of this,

00:25:42.400 --> 00:25:47.360
being able to dynamically change what it did while it was in play.

00:25:47.360 --> 00:25:51.120
JACK: Yeah, so instead of blindly hoping your cable is typing the right keystrokes that you

00:25:51.120 --> 00:25:57.040
pre-programmed it to do, now with Wi-Fi, when this cable connects to a computer, it’s almost like it

00:25:57.040 --> 00:26:02.080
turns into a wireless keyboard. Whatever you type on your phone, those keystrokes would show up on

00:26:02.080 --> 00:26:06.160
the computer it was plugged into, but it didn’t look like a keyboard, of course. [Music] It looked

00:26:06.160 --> 00:26:11.520
like a regular USB cable that you typically have hanging off your computer anyway. This made it a

00:26:11.520 --> 00:26:19.120
very spooky cable. Suddenly, USB cables were no longer safe. This malicious cable was starting

00:26:19.120 --> 00:26:23.840
to finally look promising. The first version didn’t have a lot of functionality, but this one,

00:26:23.840 --> 00:26:30.080
this one’s starting to look sharp. So, he came up with a name for this cable, the O.MG cable.

00:26:30.080 --> 00:26:35.680
It works for so many reasons, but since his initials are MG, then O.MG is a nice fit.

00:26:35.680 --> 00:26:41.360
MG: That took off. Then Defcon was coming up, August 2019. I’m like, okay, this is getting a

00:26:41.360 --> 00:26:48.000
lot of traction. So, by August I wanted to have some of these things to actually sell. Now,

00:26:48.000 --> 00:26:55.200
I was making them still from the ground up in my kitchen, basically. It took me eight hours

00:26:55.200 --> 00:27:02.960
per cable, on average, to make these, and the components were so fiddly and tiny that

00:27:02.960 --> 00:27:07.840
fifty percent of them were failures. I would throw out fifty percent. That turned into — if

00:27:07.840 --> 00:27:13.360
you do the math on that, that is sixteen hours of work per viable cable. Really not scalable,

00:27:13.360 --> 00:27:16.560
but you know what? I just wanted as many as I could for Defcon, right? So,

00:27:16.560 --> 00:27:23.440
I just focused entirely on this in my free time while still doing my red-team role full-time.

00:27:23.440 --> 00:27:28.640
JACK: You have to think, he’s trying to fit a microcontroller inside a USB cable so that

00:27:28.640 --> 00:27:33.600
nobody thinks there’s a microcontroller in it. He’s working with incredibly small components,

00:27:33.600 --> 00:27:38.560
soldering under a microscope, sometimes with exposed silicon, with almost no room for

00:27:38.560 --> 00:27:42.560
error or it won't fit in there. So, he makes as many as he can and brings them

00:27:42.560 --> 00:27:46.240
all to Defcon to sell. He’s leveled up from the back-alley deals by this point,

00:27:46.240 --> 00:27:50.080
and Darren from Hak5 was letting him sell them out of the Hak5 booth.

00:27:50.080 --> 00:27:52.560
MG: They sold out. Everybody wanted them.

00:27:52.560 --> 00:27:56.560
JACK: They sold out fast. So, Darren was like, why didn’t you bring more? MG was like, because

00:27:56.560 --> 00:28:01.920
they take forever to make. So, Darren started teaching MG about mass-producing electronics.

00:28:01.920 --> 00:28:08.800
MG: Okay, let’s learn how to do manufacturing. Find somebody who can do certain steps. So, we

00:28:08.800 --> 00:28:15.600
got one person — one factory who creates the raw PCB, another factory who assembles the components,

00:28:15.600 --> 00:28:22.160
solders the components to the PCB, and another factory who integrates those PCBs into a cable.

00:28:22.160 --> 00:28:27.680
Even at that point, there was still plenty that I had to do after receiving them; final assembly,

00:28:27.680 --> 00:28:34.800
putting the hoods on, gluing the hoods on, running QA, calibrating them, running — putting firmware

00:28:34.800 --> 00:28:40.160
on them, packing them, shipping them off to the — all that stuff. But anyway,

00:28:40.160 --> 00:28:45.360
doing any of this outsourcing would have been a huge help for me, and that’s what the goal is.

00:28:45.360 --> 00:28:51.840
So, it took about five months of back and forth, teaching the shop how to do what I needed. So,

00:28:51.840 --> 00:28:57.360
I get the first batch. This was the tail end of 2019. [Music] I finished the assembly. I

00:28:57.360 --> 00:29:01.920
do some basic tests. I flash them, pack them, and I send them off to the Hak5 warehouse in

00:29:01.920 --> 00:29:08.080
like — I think it was January 1, 2020; start the online sales. This is where I quickly learned it

00:29:08.080 --> 00:29:15.040
was going to take a lot more work to have a manufacturer do what I needed. Customers

00:29:15.040 --> 00:29:20.640
started having issues, and it was all over the board. There was no obvious pattern.

00:29:20.640 --> 00:29:24.960
So, I had to do a lot of investigating to discover what was really going on here.

00:29:24.960 --> 00:29:32.000
Just really weird problems. It was probably an upstream manufacturing problem, but I couldn't

00:29:32.000 --> 00:29:40.880
think about the upstream manufacturing. I had mostly-finished product currently in hand,

00:29:40.880 --> 00:29:47.280
and if I couldn't sell that, that was a gigantic loss, like financial loss. Like,

00:29:47.280 --> 00:29:55.600
mortgage-the-house-level loss that was a little bit scary. There were enough issues happening

00:29:55.600 --> 00:30:00.440
with customers that I just decided to pause the sales and figure out what was going on.

00:30:00.440 --> 00:30:05.840
JACK: He analyzed the cables coming back from the factory and found that on the power supply inside

00:30:05.840 --> 00:30:13.360
the cable was a tiny, microscopic crack, and to his horror, it was on over half the cables, which

00:30:13.360 --> 00:30:19.600
meant his first batch of cables — half of them had to be thrown out. A huge financial loss for

00:30:19.600 --> 00:30:25.520
him. He had to teach the manufacturer how to test for quality at every stage of the build process in

00:30:25.520 --> 00:30:30.080
order to find exactly where the cracks were coming from. He discovered at some point the manufacturer

00:30:30.080 --> 00:30:34.160
would throw all the finished components into a bag to give to the next build stage,

00:30:34.160 --> 00:30:38.080
and when they were getting all jostled around in the bag is when the cracks would show up.

00:30:38.080 --> 00:30:41.280
Typically, that may not be a problem, but since he’s working with such small

00:30:41.280 --> 00:30:46.560
components where silicon is exposed in some areas, then it was damaging the circuitry.

00:30:46.560 --> 00:30:51.200
So, he got that fixed and was back on track, and he was back to selling the O.MG cables to

00:30:51.200 --> 00:30:56.800
whoever wanted them online through the Hak5 shop. These cables look amazing. They look

00:30:56.800 --> 00:31:01.600
exactly like a normal USB cable, one that you would charge your phone with, and you would

00:31:01.600 --> 00:31:06.640
never be able to tell that it’s a malicious one. It’s supposed to be stealthy like that.

00:31:06.640 --> 00:31:14.240
MG: One of my manufacturers lost an entire box of cables. Could not account for it. So, the way the

00:31:14.240 --> 00:31:21.840
cables are configured, they're not very useful, luckily. They're not hot, so to say, but there’s

00:31:21.840 --> 00:31:26.640
a good chance that this box just got shipped to one of their customers who was expecting totally

00:31:26.640 --> 00:31:32.160
normal USB cables. So, there is absolutely a chance that there are some O.MG cables just

00:31:32.160 --> 00:31:37.680
floating out there. I forget what the exact number is; like a hundred or so, which is kinda scary.

00:31:37.680 --> 00:31:41.760
JACK: MG strikes me as someone who just obsesses over making his cable

00:31:41.760 --> 00:31:45.680
better and better, and it’s amazing how he’s constantly improving the

00:31:45.680 --> 00:31:50.040
manufacturing process and the functionality and the build quality of the whole thing.

00:31:50.040 --> 00:31:55.120
MG: For the first several years, I wasn’t trying to focus on profit here. I was

00:31:55.120 --> 00:31:59.600
just — every dollar that we ended up getting that turned into — be product, I’d put it right

00:31:59.600 --> 00:32:07.280
back into improvements, R&D, because it was a passion project. I mean, it still is, right?

00:32:07.280 --> 00:32:13.280
But that just allowed me to focus on so many trivial things. The cable clips themselves — so,

00:32:13.280 --> 00:32:20.800
people would routinely lose their cables, so we started creating these fluorescent clips that

00:32:20.800 --> 00:32:24.480
we would include with the cables to prevent that, right? You can take them off if you

00:32:24.480 --> 00:32:30.320
don’t want it or just keep it on, whatever. But this was — I’ll make this one short,

00:32:30.320 --> 00:32:34.160
but it’s another example of scale in a hilarious way. It’s so simple.

00:32:34.160 --> 00:32:39.280
So, I’m 3D-printing all of these little clips, these fluorescent clips,

00:32:39.280 --> 00:32:45.520
and they're great when you got a few of them, but when you got a hundred or a thousand in a bag,

00:32:45.520 --> 00:32:50.720
they start getting tangled. So, that’s really annoying to pull out tangled clips when you're

00:32:50.720 --> 00:32:56.480
trying to pack envelopes. So, I redid the design. Okay, now I’ve got tangle-free clips, you know,

00:32:56.480 --> 00:33:01.840
and now we got the woven cables that are more snag-less and things like that. How can I speed

00:33:01.840 --> 00:33:08.640
it up so I can get a bed of 600 clips in a single 3D-printed bed without it cascading and falling

00:33:08.640 --> 00:33:16.720
apart? How can I improve the labeling process from a hand-held labeller to an automated-machine-done

00:33:16.720 --> 00:33:24.080
labeller? It probably doesn't make financial sense to do it, but it’s fun to automate and obsess. So,

00:33:24.080 --> 00:33:32.080
yeah, point being, I have the opportunity of obsessing at the sacrifice of profit.

00:33:32.080 --> 00:33:35.760
JACK: Now, over time, his cables have gone through many revisions,

00:33:35.760 --> 00:33:40.800
a lot of feature upgrades, too. So, if you were to buy an O.MG cable today, here’s what it can do.

00:33:40.800 --> 00:33:47.360
MG: It comes in all types of different forms, whether it’s got a USB-A or USB-C active end.

00:33:47.360 --> 00:33:54.320
In the passive end it’ll have Lightning, micro, USB-C, usually meant to emulate the aesthetics

00:33:54.320 --> 00:34:02.480
of exactly the common cables that are out there. It acts exactly like a normal USB data cable,

00:34:02.480 --> 00:34:09.040
right? But it’s got an implant inside, as you can probably deduce by now, and that

00:34:09.040 --> 00:34:14.400
thing stays dormant. But an attacker can remotely connect to it via Wi-Fi nearby,

00:34:14.400 --> 00:34:19.040
or they can have the cable connect out over the internet to a server you control

00:34:19.040 --> 00:34:23.520
anywhere. It can also do some autonomous things like geofencing and triggering

00:34:23.520 --> 00:34:28.400
things automatically based on wireless networks it does or doesn't see, right?

00:34:28.400 --> 00:34:33.520
Okay, cool, but what does that do? So, you get a whole web UI on a full or a laptop,

00:34:33.520 --> 00:34:39.200
whatever it is, that gives you full control over this cable. We already talked about keystroke

00:34:39.200 --> 00:34:46.880
injection payloads, emulating a keyboard. We cranked up the speed at which these things can

00:34:46.880 --> 00:34:52.320
run to nearly a thousand keystrokes a second, added some mouse injection as well, so you can

00:34:52.320 --> 00:34:57.920
navigate a mouse around the screen, click on stuff, expanded the capacity of these things to

00:34:57.920 --> 00:35:02.320
store hundreds of individual payloads if you want or just really giant payloads. The name of the

00:35:02.320 --> 00:35:07.680
game is always just flexibility. So, if you want one giant payload or two hundred tiny ones, cool.

00:35:07.680 --> 00:35:11.600
You can do that for your need. We added USB key-logging a while back. So,

00:35:11.600 --> 00:35:16.720
if you deploy a cable between a keyboard and a desktop or a laptop,

00:35:16.720 --> 00:35:22.000
which happens a whole lot in corporate spaces, you can log those keystrokes if

00:35:22.000 --> 00:35:28.000
it’s a full-speed keyboard. Most recently we added kind of a novel communication link. So,

00:35:28.000 --> 00:35:34.960
we're calling it HIDX StealthLink. What it does is — imagine a network interface that

00:35:34.960 --> 00:35:38.400
looks like a keyboard to the host. So, it says, I am a keyboard, and it looks like a

00:35:38.400 --> 00:35:43.360
keyboard if you open up Device Manager, but it’s got a bidirectional raw data link. So,

00:35:43.360 --> 00:35:49.040
if you've ever used Netcat or something like that to create little tunnels for data, same concept.

00:35:49.040 --> 00:35:54.960
So, you can have a remote shell running on the target that’s on a completely

00:35:54.960 --> 00:36:00.000
air-gapped machine. It doesn't even have a network interface. So, very cool. I had

00:36:00.000 --> 00:36:04.640
also mentioned a lot of these other types of features like the ability to run self-destruct,

00:36:04.640 --> 00:36:11.680
the ability to do geofencing. The self-destruct specifically is to wipe the data. So, if you've

00:36:11.680 --> 00:36:17.600
got some proprietary malware on there you don’t want to be found, if it gets lost,

00:36:17.600 --> 00:36:22.560
we can help wipe that. If you got keylogs on there with sensitive data, like, I don't know,

00:36:22.560 --> 00:36:29.440
passwords or whatever it may be, cool, we can wipe that. You can also disable the cable so that

00:36:29.440 --> 00:36:33.840
it just stops acting like a cable, and hopefully that’ll encourage your target to throw the cable

00:36:33.840 --> 00:36:39.560
away and get it out of play. That’s kinda just a high level of all the different things it can do.

00:36:39.560 --> 00:36:44.000
JACK: Yeah, this thing is pretty scary, and it’s one of those things that now

00:36:44.000 --> 00:36:48.560
that you know a normal-looking USB cable can be an evil thing,

00:36:48.560 --> 00:36:55.920
it makes you distrustful of all USB cables. Like, if you see a random USB cable sitting around,

00:36:55.920 --> 00:37:00.400
it might be some sort of trap that someone left for you, hoping that you'll plug it

00:37:00.400 --> 00:37:05.440
into your computer so that they can get into your computer. I’ve got it in my hand here and

00:37:05.440 --> 00:37:11.800
I’m looking at it compared to another cable I have, and it is identical. It’s crazy how…

00:37:11.800 --> 00:37:13.360
MG: Nice. Which one is it?

00:37:13.360 --> 00:37:14.800
JACK: iPhone one, Lightning.

00:37:14.800 --> 00:37:16.720
MG: C to Lightning or A to Lightning?

00:37:16.720 --> 00:37:17.560
JACK: C to Lightning.

00:37:17.560 --> 00:37:22.720
MG: Oh, so, funny story about that one; if you hold up the C — type C ends and look at

00:37:22.720 --> 00:37:29.040
the white hoods, I delayed that cable by — I think it was a couple months because

00:37:29.040 --> 00:37:36.320
it was 0.3 millimeters longer than the actual thing. So, I was just like, oh,

00:37:36.320 --> 00:37:42.240
man, it matters. It didn't really matter, but at the same time, the guy who does

00:37:42.240 --> 00:37:48.400
the front-end work for us is blind. He was a customer originally when we released the

00:37:48.400 --> 00:37:54.160
keylogger edition of the cable, and he came to me. He’s like, dude, I’ve got — I’m feeling these

00:37:54.160 --> 00:37:59.600
two cables side by side, and I cannot tell the difference. So, that was amazing to me.

00:37:59.600 --> 00:38:05.120
JACK: Yeah, it’s just remarkable. Going back to the ANT catalog and Cottonmouth,

00:38:05.120 --> 00:38:12.320
I wonder if the NSA has bought a thousand of these to be like, oh,

00:38:12.320 --> 00:38:17.840
this is so much cheaper than the $20,000 per unit we have, and it has way better features,

00:38:17.840 --> 00:38:22.240
and we don’t have to run the R&D and all that sort of thing. You have any idea?

00:38:22.240 --> 00:38:24.960
MG: I mean, I’ve heard some whispers that I probably shouldn't talk about,

00:38:24.960 --> 00:38:30.560
but I’ll say this, is that there’s many reasons why that could occur, which, I mean,

00:38:30.560 --> 00:38:38.560
sure, price point — yeah, absolutely. Maybe ease of use. I can't really speak to what the

00:38:38.560 --> 00:38:43.440
product experience is of their stuff, but I can suspect. But here’s another thing,

00:38:43.440 --> 00:38:49.760
is deniability. If you found a Cottonmouth cable, you're gonna know where that came from,

00:38:49.760 --> 00:38:53.440
right? Or especially if you're certain intelligence services,

00:38:53.440 --> 00:38:56.960
you're gonna have a good idea of who made this highly-custom hardware. But if you're

00:38:56.960 --> 00:39:04.000
seeing something off the shelf, there’s some deniability in there for NSA as an example, right?

00:39:04.000 --> 00:39:08.640
Like, I don't know where that came from. That’s just an off-the-shelf O.MG cable, right? So,

00:39:08.640 --> 00:39:17.440
I would imagine — yeah, I have certainly talked with numerous people who are in that

00:39:17.440 --> 00:39:24.080
space whether directly or kinda third parties employed by them to do tests and stuff like

00:39:24.080 --> 00:39:30.880
that where these are absolutely in a whole lot of those types of environments for various needs

00:39:30.880 --> 00:39:36.000
whether it’s testing, third-party assessments like red-teaming, stuff like that. I’ve talked

00:39:36.000 --> 00:39:40.680
to police departments, stuff like that, who are using it for all kinds of different needs.

00:39:40.680 --> 00:39:49.360
JACK: Yeah, but again, it’s that interesting aspect of circumventing things, right?

00:39:49.360 --> 00:39:50.320
MG: Yeah.

00:39:50.320 --> 00:39:57.440
JACK: So, before, Cottonmouth was only available to US intelligence agencies and maybe Five Eyes.

00:39:57.440 --> 00:40:09.760
But now the O.MG cable is available to the world, so all of NSA’s adversaries also have this, and

00:40:09.760 --> 00:40:14.320
that is interesting that it’s — the technology isn't only in one person’s

00:40:14.320 --> 00:40:17.920
hands now but that there’s a level playing field of like, nope, we’ve got that, too.

00:40:17.920 --> 00:40:24.400
MG: Yep. I mean, at the same time, I think it should be. Like, if I could have made that the

00:40:24.400 --> 00:40:30.880
way I did, I feel like others can make that, and therefore it was just a matter

00:40:30.880 --> 00:40:36.280
of time. Whether or not we heard about it in public was probably the only question there.

00:40:36.280 --> 00:40:42.000
JACK: That’s an interesting way to look at it, right? It used to be that only an exclusive

00:40:42.000 --> 00:40:49.120
group of people could get their hands on such a thing, and now anyone can. Yeah,

00:40:49.120 --> 00:40:55.600
that’s scary that this thing could be anywhere now, but maybe the bigger danger here isn't when

00:40:55.600 --> 00:41:02.960
the cable went public but when it was kept secret, when the only ones who had it were shadows,

00:41:02.960 --> 00:41:08.400
people who didn’t want you to know they had it, people who didn’t want you to know this existed,

00:41:08.400 --> 00:41:14.480
people who didn’t have to follow the law. I mean, compare it to smallpox. For centuries,

00:41:14.480 --> 00:41:20.320
people died of smallpox, and we had no idea why. But then we discovered what it was and we learned

00:41:20.320 --> 00:41:25.120
how to contain it, and then we learned how to fight it, and then we learned how to defeat it.

00:41:25.120 --> 00:41:29.920
But in that process, we learned how to weaponize it, and that’s the double-edged sword of

00:41:29.920 --> 00:41:38.560
knowledge. We're in danger without it, but we're dangerous with it. We're gonna take an ad break

00:41:38.560 --> 00:41:43.200
here, but stay with us because when we come back, MG’s gonna tell us stories about how this cable

00:41:43.200 --> 00:41:50.000
is used in the wild. So, over the years, people have shared stories with MG about how they're

00:41:50.000 --> 00:41:54.640
using his cable, and have asked for some really interesting feature requests. One story he was

00:41:54.640 --> 00:42:00.160
told was from someone who’s a red-teamer for the DoD, the Department of Defense. That is,

00:42:00.160 --> 00:42:04.720
his job was to try to hack into the US government’s networks to test their security.

00:42:04.720 --> 00:42:13.120
MG: This team posed as an Xfinity tech via e-mail and phone. So, they got a legit comcast.net

00:42:13.120 --> 00:42:20.800
account which literally every Comcast customer gets, but you got username@comcast.net. They're

00:42:20.800 --> 00:42:23.760
just like, you know what? We can pretend to be a Comcast employee with that,

00:42:23.760 --> 00:42:29.360
and I bet it’ll pass. It did. So, after some back and forth with this target,

00:42:29.360 --> 00:42:36.480
they set up an appointment. They found some Comcast/Xfinity clothing at a thrift store,

00:42:36.480 --> 00:42:41.280
stuff like a hat and jacket. They did some OSINT, found some fake IDs,

00:42:41.280 --> 00:42:50.640
printed those out. They show up. [Music] They say, hey, we only need access to the MPOE. MPOE

00:42:50.640 --> 00:42:56.080
is main point of entry. So, that’s where they — the line comes into the building, typically the

00:42:56.080 --> 00:43:03.120
basement or something like that. Tends to be a lower-security area compared to the server room.

00:43:03.120 --> 00:43:11.120
So, they're given access, and they install a small device that allows them to remotely

00:43:11.120 --> 00:43:18.480
disrupt that line, the main line of the ISP, in the future. So, they leave, they wait a few weeks,

00:43:18.480 --> 00:43:25.840
let everything kinda just settle, and then they start causing disruptions. They return on site.

00:43:25.840 --> 00:43:32.160
They ask to look at the MPOE first, which lets them reclaim that remote device that they had

00:43:32.160 --> 00:43:38.080
planted. They say, ah, it’s not fixed. I see you're having issues, but we're gonna need to

00:43:38.080 --> 00:43:41.840
find the other end of this cable. Where does this go? They knew that’s gonna be going up

00:43:41.840 --> 00:43:49.280
to the server room, typically. So, they brought them up. They brought two supposed Xfinity techs

00:43:49.280 --> 00:43:57.120
up. There was a camera in the server room. So, they had two techs; one tech would strategically

00:43:57.120 --> 00:44:04.160
block the camera with their back each time the other needed to deploy a piece of hardware.

00:44:04.160 --> 00:44:10.640
So, at first they deployed two different malicious network devices, two different types of things,

00:44:10.640 --> 00:44:14.160
but then they see a server with a monitor and a keyboard hooked up,

00:44:14.160 --> 00:44:20.080
and then there’s a USB cable hanging off of it. I think it was an ADA micro. It seemed to be for

00:44:20.080 --> 00:44:25.120
charging a wireless mouse, right? There was a wireless mouse nearby. It was just like, dude,

00:44:25.120 --> 00:44:30.720
that is the perfect spot for an O.MG cable. I think we got a perfect match in the kit. So,

00:44:30.720 --> 00:44:35.120
they pull it out. They noticed, oh, this cable even has a very distinct scratch on it. I’m

00:44:35.120 --> 00:44:39.920
gonna scratch this cable, make it look perfect, right? They were obsessed with the details. The

00:44:39.920 --> 00:44:46.160
cable is already configured to connect to their guest Wi-Fi and then call back to a C2 server.

00:44:46.160 --> 00:44:51.440
They wait for an offsite teammate to confirm that the cable’s now connected not only to that,

00:44:51.440 --> 00:44:57.600
but back to their C2 server. That means they got full remote connection from anywhere. They

00:44:57.600 --> 00:45:03.360
were left unattended in this room for a little bit, so they call the target back. They're like,

00:45:03.360 --> 00:45:08.400
hey, I think the internet’s fixed. Can you check it out? They use that same server that

00:45:08.400 --> 00:45:12.880
they were eyeballing to — oh yeah, it looks like the internet’s good, which gave them a

00:45:12.880 --> 00:45:18.480
little bit more insight into what’s running on that server. They leave and kinda start their

00:45:18.480 --> 00:45:24.000
initial work. They’ve got these tools in play. Now, within a day, the target knew something

00:45:24.000 --> 00:45:29.360
was up. They found at least one of those malicious network devices which immediately

00:45:29.360 --> 00:45:34.440
led them to the next network device that was in there. It got cleaned out. Everything is fine.

00:45:34.440 --> 00:45:38.000
JACK: What was the malicious network device? It’s not the O.MG cable. It’s…

00:45:38.000 --> 00:45:42.720
MG: It’s not, yeah. It’s other hardware that is not as physically stealth.

00:45:42.720 --> 00:45:46.600
JACK: Oh, okay. So, they left it there as dropboxes, kinda thing.

00:45:46.600 --> 00:45:47.040
MG: Yeah…

00:45:47.040 --> 00:45:47.356
JACK: Okay, gotcha.

00:45:47.356 --> 00:45:52.000
MG: …something like a dropbox. It was slightly disguised, but it’s visibly

00:45:52.000 --> 00:45:57.840
there. It’s like a new thing. So, they picked up on that, and immediately — okay,

00:45:57.840 --> 00:46:01.354
we got a — there’s an issue. We don’t know how this got here; sweep the room, cleared out…

00:46:01.354 --> 00:46:03.425
JACK: Okay, and this is kind of how pen tests go.

00:46:03.425 --> 00:46:03.434
MG: Yeah.

00:46:03.434 --> 00:46:09.440
JACK: It’s like, let’s go at stages, right? Let’s first see if we can be super stealthy,

00:46:09.440 --> 00:46:12.222
and then if they didn’t catch us, we’ll be a little bit more sloppy…

00:46:12.222 --> 00:46:12.234
MG: Exactly.

00:46:12.234 --> 00:46:16.080
JACK: …and then if they don’t catch us, we’ll be overtly breaking rules,

00:46:16.080 --> 00:46:18.800
and if they still don’t catch us, then they've got a lot to explain,

00:46:18.800 --> 00:46:22.305
and we could try stealing company cars or something, and what’s the next step, right? So…

00:46:22.305 --> 00:46:22.314
MG: 100%.

00:46:22.314 --> 00:46:25.520
JACK: …I’ve heard these stories before, and it sounds like that’s what they were doing. Like,

00:46:25.520 --> 00:46:28.080
we're gonna put a super-stealthy thing in, a medium-stealthy,

00:46:28.080 --> 00:46:30.360
and a very obvious — this thing shouldn't be here.

00:46:30.360 --> 00:46:36.080
MG: Yeah, but the funny thing is they did a whole remediation sweep and they didn’t catch the O.MG

00:46:36.080 --> 00:46:44.640
cable. It’s still — it was still in play after — like, hey, red alarm; something happened here.

00:46:44.640 --> 00:46:50.480
Sweep it. We found two malicious devices. But the thing is the cable was dormant. It

00:46:50.480 --> 00:46:56.640
hadn't run anything. It was just sitting there connecting to their guest Wi-Fi, waiting. So…

00:46:56.640 --> 00:47:01.680
JACK: Yeah. I mean, what would have triggered the other device discoveries? Were they doing stuff?

00:47:01.680 --> 00:47:07.600
MG: Yeah, they were more active, so definitely go looking — but, you know, it depends. What would

00:47:07.600 --> 00:47:13.120
you assume if you're like, oh, there’s malicious hardware in here? What level of sweep do you need

00:47:13.120 --> 00:47:19.120
to do to that room and how thorough does it have to be? But, hey, the O.MG cable survives an active

00:47:19.120 --> 00:47:25.040
sweep. So, the server had some constraints that made things a little bit difficult, which was

00:47:25.040 --> 00:47:32.720
probably why they were a little less thorough, which was, a) they had some EDR in their endpoint

00:47:32.720 --> 00:47:39.520
detection-and-response tooling that would have detected any form of malware persistence. So, they

00:47:39.520 --> 00:47:46.160
can run a payload on this and deploy some malware that would just live until the server rebooted.

00:47:46.160 --> 00:47:53.040
Also, the entire OS was just completely wiped about once a week. So, even if you did have

00:47:53.040 --> 00:47:59.120
persistence, that’s still getting wiped. That’s a pretty locked-down environment, right? But

00:47:59.120 --> 00:48:03.840
since they had a cable attached physically at all times, that was the persistence. So,

00:48:03.840 --> 00:48:08.480
anytime they lost the malware connection, they would just rerun that payload. Boom,

00:48:08.480 --> 00:48:16.400
they're back in. They’d change the payload over the times, but ultimately this allowed them to

00:48:16.400 --> 00:48:23.920
run and just work completely undetected for what turned into a six-month period of time. The only

00:48:23.920 --> 00:48:29.680
reason the exercise ended was because they — the contract came to an end and they needed to

00:48:29.680 --> 00:48:35.760
wrap things up to explain the full processes and procedures they were using for the op.

00:48:35.760 --> 00:48:39.840
JACK: Is this kind of what you were hoping to — like, this is exactly the story that I was

00:48:39.840 --> 00:48:44.880
wanting someone to do this with, is stick it in a place, have it be there forever, you can

00:48:44.880 --> 00:48:50.000
get in there whenever you want, have the remote persistence, trigger payloads, get into systems,

00:48:50.000 --> 00:48:54.560
and no one’s gonna detect you forever? That’s gotta be exactly what you were hoping, right?

00:48:54.560 --> 00:48:56.880
MG: Oh, absolutely. There was just so many like — oh, yes,

00:48:56.880 --> 00:49:02.480
you used a lot of the features to just really push this, and it makes me happy

00:49:02.480 --> 00:49:07.200
'cause it’s — are we doing Rickrolls? Are we really pushing the boundaries and improving

00:49:07.200 --> 00:49:15.746
environments and just doing some really cool James Bond shit? Yeah, that’s — I love that.

00:49:15.746 --> 00:49:19.440
JACK: [Music] Because MG has brought this cable into the world, he’s met some very

00:49:19.440 --> 00:49:23.440
interesting people from all around the world and heard some wild stories. Like,

00:49:23.440 --> 00:49:28.400
there was this one person who was telling him how he used the cable to get into an air-gapped

00:49:28.400 --> 00:49:34.160
computer. That is, there’s no way possible to hack into it from outside. The reason why the

00:49:34.160 --> 00:49:39.040
computer was air-gapped is because it was part of a digital forensics lab that was collecting

00:49:39.040 --> 00:49:43.760
evidence and looking at computers without the risk of any of that data getting out.

00:49:43.760 --> 00:49:48.960
MG: This group was hired to audit an entire security policy, including the physical

00:49:48.960 --> 00:49:55.600
security of the building. So, they monitor 24/7 with a whole bunch of cameras at all

00:49:55.600 --> 00:50:01.200
sides of this building that they had deployed, and it was really hard when there were guards

00:50:01.200 --> 00:50:08.560
present just constantly, 24/7. Everything was fully access-controlled. It was all logged.

00:50:08.560 --> 00:50:16.080
It was all audited. How are they gonna do this? Of course, the goal was get — to gain access to

00:50:16.080 --> 00:50:24.880
that evidence computer which was air-gapped. Had access to that large SAN for storage via network.

00:50:24.880 --> 00:50:29.680
After a whole bunch of discussion, they decided, you know what? We're gonna use an O.MG cable.

00:50:29.680 --> 00:50:34.880
JACK: Their first idea was to submit a hard drive that needed to be forensically analyzed

00:50:34.880 --> 00:50:40.160
by that computer, but then throw an O.MG cable in the package, and hopefully the tech opens

00:50:40.160 --> 00:50:46.080
it up and pulls out the cable and says, oh, I’ll use this to plug something in. But they thought,

00:50:46.080 --> 00:50:49.920
no, that might not work. They probably have their own USB cables in the lab,

00:50:49.920 --> 00:50:55.200
and they're not gonna use the one in our package. So, they decided to get a USB external hard drive.

00:50:55.200 --> 00:50:58.960
You know, the ones where there’s a hard drive with the little USB pigtail coming off of it,

00:50:58.960 --> 00:51:02.720
and you just plug it in your computer and you can see it as an external drive. Well,

00:51:02.720 --> 00:51:07.680
they cut that little USB pigtail off and then snipped off the end of the O.MG cable and

00:51:07.680 --> 00:51:12.560
soldered it onto this hard drive, because the O.MG cable only has one active end,

00:51:12.560 --> 00:51:16.240
and the other end — it really isn't needed for anything. So, they just took the end with all the

00:51:16.240 --> 00:51:21.040
functionality and stuck it into this hard drive so that when the forensic tech opened it up,

00:51:21.040 --> 00:51:25.240
they would have no choice but to plug in this USB hard drive into the computer.

00:51:25.240 --> 00:51:29.840
MG: Now it’s integrated to that drive, and the drive looks like a totally normal drive.

00:51:29.840 --> 00:51:34.880
It’s the cable of that drive that suddenly is the problem, and it stays dormant. So,

00:51:34.880 --> 00:51:40.000
yeah, put all these different payloads on there in advance. The most important note:

00:51:40.000 --> 00:51:45.680
they ran a boot pay — so, a boot payload on this thing is it run — on an O.MG cable,

00:51:45.680 --> 00:51:50.400
it runs every single time the cable powers on, so when you plug it in, right? So, they include

00:51:50.400 --> 00:51:57.040
a geofence that would check to make sure it’s in bounds. It’s like, it’s at this evidence computer,

00:51:57.040 --> 00:52:00.560
which — they were given some insider info on this one to make it safe. They're like,

00:52:00.560 --> 00:52:07.360
okay, here’s the network that you should use to keep this in play, basic checks to ensure

00:52:07.360 --> 00:52:12.800
it only ran on that evidence system, so, something an actual adversary wouldn't do,

00:52:12.800 --> 00:52:18.080
but when you're a third party trying to keep everything safe, you do a little extra.

00:52:18.080 --> 00:52:24.560
So, they placed the hard drive in an envelope with the — let’s just say required labeling that they

00:52:24.560 --> 00:52:30.240
were able to find via some public record requests. Say, hey, this is probably what

00:52:30.240 --> 00:52:35.840
this envelope should look like to make it believable. So, they turned it in at the front

00:52:35.840 --> 00:52:41.840
desk via a courier service which was totally not a courier service; it was them. They advised, hey,

00:52:41.840 --> 00:52:49.120
this is for an active thing. It’s needed for legal discovery. Probably need it soon. Done,

00:52:49.120 --> 00:52:55.920
right? Now, the drive sat for two weeks unplugged, just waiting, right? But then it got plugged in,

00:52:55.920 --> 00:53:01.680
and once it was, they got a notification that kinda detected when it would come up,

00:53:01.680 --> 00:53:06.880
and they left it plugged in for six days to do a full image of this drive.

00:53:06.880 --> 00:53:11.760
So, they had intentionally kinda downgraded the speed to USB 2.0 to get a USB 2.0

00:53:11.760 --> 00:53:17.200
connection on a four-terabyte drive. So, they were imaging this thing for six days,

00:53:17.200 --> 00:53:22.400
which means six days they had an O.MG cable plugged into the evidence computer. Now, they

00:53:22.400 --> 00:53:26.080
could have set up a bunch of automated payloads and stuff like this, but for damage control,

00:53:26.080 --> 00:53:31.680
they decided to keep an active human in the loop for this whole thing. So, when it got plugged in,

00:53:31.680 --> 00:53:38.800
they got the alert. They returned and accessed the cable from basically the lobby or the parking lot,

00:53:38.800 --> 00:53:45.600
right? One payload allowed them to create and modify files on both the local system and,

00:53:45.600 --> 00:53:50.240
more importantly, the SAN. That’s where all the evidence is, right?

00:53:50.240 --> 00:53:54.880
You can manipulate the evidence. They have just proven that. Evidence is supposed to

00:53:54.880 --> 00:54:01.280
be just pure and untouched. Then they noticed that — okay, yeah, obviously the SAN — you need

00:54:01.280 --> 00:54:06.560
a network to connect to it, so it was connected via Ethernet from this machine. But they learned

00:54:06.560 --> 00:54:13.840
that while the evidence machine was supposed to be air-gapped, it was only by DNS. So,

00:54:13.840 --> 00:54:21.680
instead of doing a domain name connection out, you just connect out via IP address, and suddenly,

00:54:21.680 --> 00:54:27.600
hey, it’s working. You can connect out to the internet by just going direct via IP. Boom.

00:54:27.600 --> 00:54:39.200
Now they got the ability to exfil evidence from the storage device out over the internet. I think

00:54:39.200 --> 00:54:45.240
you can immediately assume some terrible scenarios where that’s a big problem.

00:54:45.240 --> 00:54:51.920
JACK: How prolific is this cable? How many companies out there are using it?

00:54:51.920 --> 00:54:57.920
MG: One day I’ll probably find a way to disclose that, but basically,

00:54:57.920 --> 00:55:02.720
I don't know many places that don’t have one.

00:55:02.720 --> 00:55:04.640
JACK: What?

00:55:04.640 --> 00:55:10.720
MG: Yeah, it’s — I’m continually amazed. I learn about new places that I didn’t even

00:55:10.720 --> 00:55:18.640
know exist. Like, wait; a) you exist. That’s crazy. b) You have my stuff? What? Okay, cool.

00:55:18.640 --> 00:55:24.000
It’s a wild ride going from — I’m just making something that I thought was borderline art

00:55:24.000 --> 00:55:30.640
in my kitchen to all of these types of stories I am telling you. It’s a little

00:55:30.640 --> 00:55:34.600
hard to digest sometimes, but at the same time, I’m trying to take it very seriously.

00:55:34.600 --> 00:55:39.760
JACK: Yeah, but I mean, Hak5 or even your own website could be

00:55:39.760 --> 00:55:44.200
used by these companies if you do know which ones.

00:55:44.200 --> 00:55:47.920
MG: Oh, I mean, yeah, I think that would be bad form. There’s a lot of companies that probably

00:55:47.920 --> 00:55:54.800
don’t want that info out there. I think have — I will list the media that it’s been seen on,

00:55:54.800 --> 00:56:01.520
like Nat Geo and stuff like that. I just saw the O.MG cable in a Netflix episode, apparently,

00:56:01.520 --> 00:56:06.720
of a zero-day. They're talk — I think it was Robert De Niro talking about the O.MG cable

00:56:06.720 --> 00:56:12.160
on screen, and I think Jesse Plemons’ face was in there. I’m like, dude, what? That’s wild.

00:56:12.160 --> 00:56:20.840
JACK: Okay, so, Hak5 is who sells these things. Is there anyone they don’t sell to?

00:56:20.840 --> 00:56:27.920
MG: Yeah, so — absolutely. They have a couple ways to think about this, and I’m gonna just

00:56:27.920 --> 00:56:31.760
generalize it here a little bit to make it easier to understand. But basically you can kinda think

00:56:31.760 --> 00:56:39.920
of three categories of countries, first being countries who are explicitly allowed. You could

00:56:39.920 --> 00:56:46.480
kinda think of those as friendly NATO countries and Five Eyes, right? Then the second category

00:56:46.480 --> 00:56:53.840
would be countries who are explicitly disallowed. So, think sanctioned countries like Iran and North

00:56:53.840 --> 00:57:00.960
Korea. But then you got this third category — is countries who are on neither of those lists.

00:57:00.960 --> 00:57:07.600
So, if the goal was to make as much money as possible, you'd be selling to that third group.

00:57:07.600 --> 00:57:13.360
But if you're trying to do more than the legal minimum, you might avoid selling to

00:57:13.360 --> 00:57:17.200
that third group, especially if you're operating in a space that many people

00:57:17.200 --> 00:57:22.720
perceive to be a gray area. Even if it’s not a gray area, perception still matters. But

00:57:22.720 --> 00:57:30.640
Hak5 only sells explicitly to the allowed countries and skips over that third group.

00:57:30.640 --> 00:57:37.120
It’s a voluntary decision on their end, but it’s also a factor of kinda having to be more diligent

00:57:37.120 --> 00:57:44.160
when you have tools that are more capable. So, toys versus professional tools kinda steps up

00:57:44.160 --> 00:57:53.360
the level of attention to following the rules and going a little bit over the minimums, right?

00:57:53.360 --> 00:57:58.320
JACK: Those rules fascinate me. It’s really export controls that the US government has

00:57:58.320 --> 00:58:06.640
set up where certain electronics can't be sent to certain countries. The classic one that just

00:58:06.640 --> 00:58:14.552
came to mind 'cause of recent events was the — DeepSeek surprised us all with their AI ability.

00:58:14.552 --> 00:58:14.560
MG: Yes.

00:58:14.560 --> 00:58:19.840
JACK: Then it turns out that they had tens of thousands of Nvidia cards,

00:58:19.840 --> 00:58:24.080
which I believe is against the export control rules.

00:58:24.080 --> 00:58:31.840
Nvidia is not allowed to send tens of thousands of these cards to China. So, it’s just like, well,

00:58:31.840 --> 00:58:36.944
how come Nvidia didn’t get shut down or fined or slapped on the wrist by the US government…

00:58:36.944 --> 00:58:36.954
MG: Right?

00:58:36.954 --> 00:58:41.440
JACK: …for selling so many of these? At some point they gotta be like, okay, we need more,

00:58:41.440 --> 00:58:46.640
we need more. Okay, who are you distributing this to? Oh, don’t ask. Okay, so, I don't know,

00:58:46.640 --> 00:58:53.360
I just wonder if these — the export control rules even matter or if they have teeth or if anyone

00:58:53.360 --> 00:58:59.840
follows them, 'cause honestly, I’ve filled out forms before and sometimes it’s just a checkbox;

00:58:59.840 --> 00:59:04.160
do you live in any of these countries? No. Okay, good, we’ll send it to you, then.

00:59:04.160 --> 00:59:11.840
MG: Right? I think the Nvidia one’s a pretty good example. I don't think all of their products are

00:59:11.840 --> 00:59:18.240
export-controlled. So, this probably goes back to the capabilities and the toys versus the upper-end

00:59:18.240 --> 00:59:25.280
stuff, and can you do good or bad things with them? Almost dual-use kinda territory. Ultimately

00:59:25.280 --> 00:59:32.240
any restriction, kind of as what you were getting at, can be bypassed. But introducing any degree

00:59:32.240 --> 00:59:39.600
of friction generally is good if you're trying to stop a certain activity. Perfect controls are

00:59:39.600 --> 00:59:45.440
hard. It’s a balancing game much like almost all security defense is, right? We often get

00:59:45.440 --> 00:59:49.120
that wrong in the security industry. It’s like, oh, it’s not perfect, so it’s not worth doing.

00:59:49.120 --> 00:59:56.080
It’s like, not necessarily. Speed bumps help to some measurable degree in a large scale.

00:59:56.080 --> 01:00:02.640
But it’s worth reminding; again, Hak5 is the only entity I sell to, but — and as much as I love not

01:00:02.640 --> 01:00:08.560
having to worry about it for my own stuff, I absolutely love supply chains in general,

01:00:08.560 --> 01:00:13.200
especially when you look at them from the offensive security mindset. So,

01:00:13.200 --> 01:00:18.640
I’m totally with you in terms of being fascinated. I think that stuff gets way too little attention,

01:00:18.640 --> 01:00:25.720
and if you focus on it, you can wield crazy amounts of power if you understand it. So, yeah.

01:00:25.720 --> 01:00:31.120
JACK: Okay, so you've told us a few stories of your cable being used for good. Do you

01:00:31.120 --> 01:00:35.280
know any instances of it being used for bad? Does anyone tell you about those stories?

01:00:35.280 --> 01:00:40.400
MG: So, I don't know of any stories specifically for my stuff, but Hak5

01:00:40.400 --> 01:00:45.840
actually had a semi-recent example that is super applicable here with their Wi-Fi

01:00:45.840 --> 01:00:54.560
Pineapple and the Russian GRU. So, let’s — what was this? So, the Wi-Fi Pineapple,

01:00:54.560 --> 01:00:59.520
it’s specifically designed not to be perfect. This is for doing security pen tests, right,

01:00:59.520 --> 01:01:04.400
not for evading. That’s the product design. So, simple things like MAC address randomization

01:01:04.400 --> 01:01:11.920
are omitted. What else? There’s a certain way it sends management frames that could

01:01:11.920 --> 01:01:15.920
make it harder to fingerprint if they modified how that works, but they don’t.

01:01:15.920 --> 01:01:20.480
It’s intentional, 'cause the product is meant to enable pen testers to do

01:01:20.480 --> 01:01:26.080
Wi-Fi audits where they've got permission not to evade the detections. So, anyway,

01:01:26.080 --> 01:01:32.960
late 2018, Russian GRU's caught in Brussels targeting, I believe, UN facilities,

01:01:32.960 --> 01:01:37.920
right — not the place if you were making this that you kinda want to see your stuff showing up. But

01:01:37.920 --> 01:01:44.640
the Wi-Fi Pineapple was being used in the trunk of a car, and that explicit choice to not make

01:01:44.640 --> 01:01:50.240
the device super stealthy definitely helped law enforcement track this down and figure out

01:01:50.240 --> 01:01:55.440
what was going on probably a lot faster than if they made other choices in their product design.

01:01:55.440 --> 01:02:02.160
JACK: Well, I’m surprised there’s not more malicious intent stories, because — you know,

01:02:02.160 --> 01:02:09.760
I just go to the grocery store today and the cash register — I could see the back of it. I can plug

01:02:09.760 --> 01:02:14.960
something into the back if I wanted, and there are so many other restaurants and stuff where

01:02:14.960 --> 01:02:19.040
I’ve seen a computer exposed. At the bank — I was at the bank, and the back of their computer

01:02:19.040 --> 01:02:23.920
was easily there, that — I could just pull a cable out of my backpack, shove it in, and they wouldn't

01:02:23.920 --> 01:02:30.640
know. I’m surprised there’s not just stories of people using this to rob grocery stores and banks.

01:02:30.640 --> 01:02:36.080
MG: I mean, there — behind the scenes, and I don't think a lot of people see it, I put a lot

01:02:36.080 --> 01:02:45.200
of work into just gaming out all of the potential risks to minimize that. It’s not perfect. It’s

01:02:45.200 --> 01:02:49.920
totally possible that bad things will eventually happen. There will be a news story. But I think

01:02:49.920 --> 01:02:56.720
over the last five to six years it’s been sold, I personally cannot point to any news stories where

01:02:56.720 --> 01:03:02.160
a bad thing happened, whereas if you compare it against other peer devices — let’s just say

01:03:02.160 --> 01:03:06.720
that — in the field, I think there’s quite a bit more news stories just comparatively,

01:03:06.720 --> 01:03:12.880
if we're taking a sampling. So, that track record I’m just very happy with so far.

01:03:12.880 --> 01:03:20.240
JACK: I mean, you can — I assume that people are buying this and using it for malicious

01:03:20.240 --> 01:03:23.600
intent. I mean, you self-described the thing as a malicious cable, right? So,

01:03:23.600 --> 01:03:33.520
we can assume that people are gonna do bad things with it. But I worry about your

01:03:33.520 --> 01:03:40.960
liability here because if you're saying I have a malicious thing, this thing is very dangerous,

01:03:40.960 --> 01:03:44.400
you could do this and this and this with it, and someone’s like, great,

01:03:44.400 --> 01:03:51.040
I’m gonna go do that with it — but it says here — I have the package in front of me and it says

01:03:51.040 --> 01:03:56.400
do not use this unless it’s on a network that you are — have permission to use and such like

01:03:56.400 --> 01:04:02.960
that. I wonder if that’s enough to make you not liable for people actually using this maliciously.

01:04:02.960 --> 01:04:04.240
MG: Yeah, so…

01:04:04.240 --> 01:04:08.640
JACK: ‘Cause, the thing is that you've got people who are malware creators out there,

01:04:08.640 --> 01:04:13.760
botnet creators; they don’t unleash it to the world. They don’t spread it. They don’t infect

01:04:13.760 --> 01:04:17.200
people. They just make it, and then they're the ones who are going to jail for this.

01:04:17.200 --> 01:04:23.040
MG: Yeah. There’s definitely some differences there, but just, is that legal message enough?

01:04:23.040 --> 01:04:29.920
Absolutely not. Not for me. When you're in the gray areas, you can't just do the minimum. It’s

01:04:29.920 --> 01:04:34.640
also important to point out that legal is not the same thing as ethical, which is,

01:04:34.640 --> 01:04:40.240
again, why it’s not enough for me. Product design, like I mentioned, detectable defaults,

01:04:40.240 --> 01:04:46.000
they're not legally required, but I think they're critical in terms of reducing harm.

01:04:46.000 --> 01:04:51.440
Community management — like not just dropping a tool and then letting the Lord of the Flies

01:04:51.440 --> 01:04:56.320
happen, for instance, right? We're talking about a lot of nuances. You and I right now

01:04:56.320 --> 01:05:01.120
are talking about a lot of nuances that a lot of people haven't spent the time thinking about.

01:05:01.120 --> 01:05:07.040
So, I think it’s good to try and share those nuances and just generally keep things from going

01:05:07.040 --> 01:05:12.960
off the rails within those communities, 'cause this, again, helps the outcomes. It’s sort of like

01:05:12.960 --> 01:05:18.480
open source. A lot of people will just drop code and call it done, but it takes a lot more work,

01:05:18.480 --> 01:05:24.640
in my opinion, to do it responsibly. You gotta — real open source is code that you've cleaned up,

01:05:24.640 --> 01:05:28.560
that you've maintained, and the community around it has maintained, too. It takes

01:05:28.560 --> 01:05:35.520
work and effort. But it’s also important that — this isn't just about self-preservation, which

01:05:35.520 --> 01:05:42.640
is kinda the topic here. It’s about community preservation as well, which is really important.

01:05:42.640 --> 01:05:47.920
So, one entity just being too reckless is basically all it takes to ruin it for everybody,

01:05:47.920 --> 01:05:53.520
and there’s tons of examples of that type of thing happening. Obviously if my goal was to push the

01:05:53.520 --> 01:05:59.040
limits of the law, then sure, my answers would be different. But my goal is to push the limits

01:05:59.040 --> 01:06:06.000
within security. I guess that — I want to keep focusing on that, and that’s why I spend tons

01:06:06.000 --> 01:06:12.640
of time thinking about all the ways I can reduce harm and risk in all the other areas. This cable

01:06:12.640 --> 01:06:19.440
started off as just a one-off, a proof of concept, but it moved over time into large manufacturing,

01:06:19.440 --> 01:06:26.880
sales, and the way I think about the risks has evolved along the way right alongside that.

01:06:26.880 --> 01:06:30.560
JACK: Yeah. So, you talk about supporting the community;

01:06:30.560 --> 01:06:35.266
I assume that’s the ethical hackers, the white hats of the world…

01:06:35.266 --> 01:06:35.274
MG: Yep.

01:06:35.274 --> 01:06:36.640
JACK: …that have permission.

01:06:36.640 --> 01:06:38.000
MG: Yeah.

01:06:38.000 --> 01:06:46.880
JACK: And that’s great that that’s your intent to help improve security for networks, to help people

01:06:46.880 --> 01:06:56.160
test it ethically, but that intent, I think, does — is what matters in the eyes of the law

01:06:56.160 --> 01:07:02.480
and a lot of situations. You just told us that you've sold these things in the back alleys of

01:07:02.480 --> 01:07:10.240
Defcon and dark corners. Defcon in general is a place that has malicious actors and criminals.

01:07:10.240 --> 01:07:17.280
We’ve seen people get arrested there and such like that. So, I wonder if there’s any sort

01:07:17.280 --> 01:07:22.720
of — if that’s proof enough just to be like, no, this guy sells it at Defcon; of course

01:07:22.720 --> 01:07:27.440
he’s got malicious intent. There’s no way he’s doing it — like, he would be selling it at a

01:07:27.440 --> 01:07:33.920
legit conference that’s just all about securing and not hacking. This is a hacker conference.

01:07:33.920 --> 01:07:39.440
There’s just something there that — and not just that; there’s — people

01:07:39.440 --> 01:07:43.600
might come to you and they’d be like, hey, I want this feature, and you're like, oh,

01:07:43.600 --> 01:07:50.640
that’s a good idea, and you add that feature. Maybe that — you judge them first and be like,

01:07:50.640 --> 01:07:55.920
wait, hold on, who do you work for? Do you have permission? Or do you hear people be like, man,

01:07:55.920 --> 01:07:59.760
I keep plugging it into the bank and the bank keeps popping me. I need a feature to be more

01:07:59.760 --> 01:08:05.120
stealthy. Then you're like, wait, hold on, I’m not gonna help you. There’s gotta be this world

01:08:05.120 --> 01:08:10.240
of who you actually do business with and who you don’t or who you help and who you don’t, because,

01:08:10.240 --> 01:08:15.200
again, that intent matters. If there’s a criminal coming to you and saying, hey, I need this for

01:08:15.200 --> 01:08:21.960
criminal reasons, do you — what do you do there? Because that’s where the intent comes in, right?

01:08:21.960 --> 01:08:27.120
MG: Yeah, so, helping could be, again, anything, right? It could be operational advice for

01:08:27.120 --> 01:08:31.920
running an op, it could be feature changes or additions. It could even be custom hardware.

01:08:31.920 --> 01:08:36.480
I’ve been offered thirty grand for a cable, and I have turned it down because it’s like, hey,

01:08:36.480 --> 01:08:44.640
this could risk the future. But there’s also other things. People will come in,

01:08:44.640 --> 01:08:50.160
they’ll have — they're clearly not in the space of information security and they're

01:08:50.160 --> 01:08:53.680
trying to do some spouseware stuff. I’m like, as soon as I get a hint of that, it’s like,

01:08:53.680 --> 01:09:00.880
immediately no. Also, what you're doing, I just have tons of issue with. You need to redirect

01:09:00.880 --> 01:09:07.280
this. Spend your money on couples therapy or something. This cable is not a marital aid.

01:09:07.280 --> 01:09:11.280
JACK: Well, yeah, see? This is what I imagine, right? So, there’s these privacy

01:09:11.280 --> 01:09:16.946
phones of the world, and they specifically wanted to help criminals, right? So…

01:09:16.946 --> 01:09:16.954
MG: Yes.

01:09:16.954 --> 01:09:22.720
JACK: …they would enter — they would get them in the hands of drug dealers and such and say,

01:09:22.720 --> 01:09:27.920
what can we do to make these phones more private? What features do you want? That’s what made the

01:09:27.920 --> 01:09:33.040
people who made the privacy phones go to prison. We have phones that are secure, even the iPhone,

01:09:33.040 --> 01:09:38.080
right? It’s secure to some degree, and you don’t see the Apple team going to prison

01:09:38.080 --> 01:09:43.200
because they're making things private or secure. But it’s the fact that they — those other privacy

01:09:43.200 --> 01:09:53.997
phone creators were doing things to work with criminals. So, I imagine some, I don't know,

01:09:53.997 --> 01:09:54.640
street hacker gang being like, alright, MG, we got all these cables but we need it to be one

01:09:54.640 --> 01:10:00.080
step better here. We need you to put this in. I just imagine this world where people are

01:10:00.080 --> 01:10:06.920
approaching you and you've gotta be like, sorry, I will probably go to jail if I help you, so, no.

01:10:06.920 --> 01:10:11.680
MG: Again, kinda like as you were pointing out there, I don't do this for just anyone. I get to

01:10:11.680 --> 01:10:17.360
know who they are, who I’m giving custom help to. Actually, so, the operational stories I’m

01:10:17.360 --> 01:10:22.480
sharing with you were from those relationships. Ultimately, you need to do some due diligence,

01:10:22.480 --> 01:10:27.360
kinda like you were saying; contact the entity being targeted, verify a contract for offensive

01:10:27.360 --> 01:10:33.840
work is in place with the other person asking for help, simply verifying the identity of the

01:10:33.840 --> 01:10:40.000
entity asking for help to ensure they're legit, definitely not just offering it up to anybody.

01:10:40.000 --> 01:10:55.577
I have turned down very large offers of cash because it wasn’t exactly where I wanted it to be.

01:10:55.577 --> 01:10:58.480
(Outro): [Outro music] A huge thank you to MG for coming on the show and sharing these

01:10:58.480 --> 01:11:05.200
stories with us. You can find more about him by visiting his website, which is o.mg.lol. This

01:11:05.200 --> 01:11:10.000
episode was created by me, your pseudo-mama, Jack Rhysider. Our editor is the last jpeg,

01:11:10.000 --> 01:11:14.960
Tristan Ledger, mixing by Proximity Sound, intro music by the mysterious Breakmaster Cylinder.

01:11:14.960 --> 01:11:20.160
Sometimes I feel like the biggest cybersecurity threat to myself is my future self, that version

01:11:20.160 --> 01:11:25.360
of me who forgets to update software or reuses a password or falls for a phishing e-mail. So,

01:11:25.360 --> 01:11:30.960
to stay safe, I started locking myself out of my own accounts. Let’s just say future

01:11:30.960 --> 01:11:51.760
me and past me now officially hate each other. This is Darknet Diaries.
