WEBVTT

00:00:04.540 --> 00:00:08.690
JACK: [MUSIC] You ever drive by a prison or juvenile correction facility and see the prisoners

00:00:08.690 --> 00:00:10.170
outside in the yard?

00:00:10.170 --> 00:00:15.670
Am I the only one who immediately starts looking at ways they can escape?

00:00:15.670 --> 00:00:21.020
Seriously, I’ve parked and stared at prison fences multiple times when I was young, looking

00:00:21.020 --> 00:00:26.289
at how high the fence goes, examining the razor wire on top, watching the gate.

00:00:26.289 --> 00:00:30.220
These gates are typically doubled up; you can go in the first gate and then they close

00:00:30.220 --> 00:00:32.570
it behind you, and then the second gate opens.

00:00:32.570 --> 00:00:34.880
They never open both gates at once.

00:00:34.880 --> 00:00:38.450
I like to look up at the guard towers to see if anyone is up there.

00:00:38.450 --> 00:00:41.260
I’m sure they’re looking back down at me.

00:00:41.260 --> 00:00:45.170
The windows of a prison are typically too small for a human to squeeze through.

00:00:45.170 --> 00:00:48.399
They like to be really narrow within a brick wall.

00:00:48.399 --> 00:00:52.360
The fences are usually doubled up; if you can get over one, there’s just another one

00:00:52.360 --> 00:00:56.300
that you need to climb over which gives the guards enough time to notice you climbing

00:00:56.300 --> 00:00:59.120
over one and stop you from getting over the second.

00:00:59.120 --> 00:01:05.650
Getting out or in through these barriers seems impossible.

00:01:05.650 --> 00:01:11.970
But get ready because in this episode, we’re going to test the security of a prison.

00:01:11.970 --> 00:01:20.979
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:20.979 --> 00:01:25.590
I’m Jack Rhysider.

00:01:25.590 --> 00:01:29.950
This is Darknet Diaries.

00:01:29.950 --> 00:01:39.159
[INTRO MUSIC ENDS]

00:01:39.159 --> 00:01:47.860
JACK: As a teenager, what was life like for you?

00:01:47.860 --> 00:01:51.430
JOHN: I actually think I had a great childhood.

00:01:51.430 --> 00:01:53.329
JACK: This is John Strand.

00:01:53.329 --> 00:01:55.299
JOHN: My mom was awesome.

00:01:55.299 --> 00:01:58.130
My dad was a crazy pain in the ass.

00:01:58.130 --> 00:02:01.620
He got addicted to opiates after a back surgery.

00:02:01.620 --> 00:02:05.240
Periodically he’d go running through the house in his underwear screaming that the

00:02:05.240 --> 00:02:07.009
walls were bleeding.

00:02:07.009 --> 00:02:09.830
I know that people would look at that and be like oh, that’s terrifying, but that

00:02:09.830 --> 00:02:10.929
was hilarious.

00:02:10.929 --> 00:02:14.120
You know, I just absolutely loved it.

00:02:14.120 --> 00:02:18.540
I lived out in the middle of the woods; we had a dial-up modem on the computer, I spent

00:02:18.540 --> 00:02:23.160
a lot of time motorcycling and mountain-biking and getting in the middle of the woods.

00:02:23.160 --> 00:02:24.160
Played a lot of guitar.

00:02:24.160 --> 00:02:30.980
My dad was in bands growing up, my mom was just super great to be around.

00:02:30.980 --> 00:02:33.820
All told, yeah, my childhood was pretty fantastic.

00:02:33.820 --> 00:02:39.090
That’s not to say there wasn’t some interesting things that happened but overall, I wouldn’t

00:02:39.090 --> 00:02:40.970
have changed or traded anything for the world.

00:02:40.970 --> 00:02:45.310
JACK: He grew up near the Black Hills which is a mountain range that spans between South

00:02:45.310 --> 00:02:46.690
Dakota and Wyoming.

00:02:46.690 --> 00:02:51.300
His dad did some kind of technician-type work where he troubleshot industrial electronic

00:02:51.300 --> 00:02:55.879
devices and from there, John was exposed to computers and started to like it.

00:02:55.879 --> 00:03:00.440
Through his teenage years he had a computer at home and got more and more into it, just

00:03:00.440 --> 00:03:02.060
learning how to do stuff with it.

00:03:02.060 --> 00:03:05.319
While living out there near the Black Hills, he also had a sister.

00:03:05.319 --> 00:03:07.230
JOHN: My sister was a pain in the ass.

00:03:07.230 --> 00:03:11.870
She’s about three years younger than me and she spent our entire childhood trying

00:03:11.870 --> 00:03:14.330
to make my life miserable.

00:03:14.330 --> 00:03:18.870
If there was ever any girl that I liked, she would make sure to shout at this girl in the

00:03:18.870 --> 00:03:20.830
hallway, you know; my brother likes you!

00:03:20.830 --> 00:03:24.840
Which pretty much guaranteed – that and my crippling obsession with computers and

00:03:24.840 --> 00:03:30.200
playing guitar, pretty much guaranteed that I didn’t date in high school.

00:03:30.200 --> 00:03:33.180
She was just kind of a pain all the way through.

00:03:33.180 --> 00:03:37.740
JACK: John wasn’t always the sweetest kid himself; he would sometimes act out and get

00:03:37.740 --> 00:03:38.740
in trouble.

00:03:38.740 --> 00:03:41.410
JOHN: I went to a Catholic high school and my mom was the food service director.

00:03:41.410 --> 00:03:44.390
JACK: What does that consist of, the food service director?

00:03:44.390 --> 00:03:49.569
JOHN: She was the head lunch lady; the hairnet, the whole thing.

00:03:49.569 --> 00:03:52.239
She was ordering the food, keeping the employees going, and then basically…

00:03:52.239 --> 00:03:53.590
JACK: At the school you went to?

00:03:53.590 --> 00:03:55.829
JOHN: Yeah, all the way through school.

00:03:55.829 --> 00:03:57.510
She ran the food service program.

00:03:57.510 --> 00:04:02.180
When I got to high school, we were in line and we were getting ready to get some

00:04:02.180 --> 00:04:07.909
food, and for some reason I got this idea that I was gonna read the menu like an old

00:04:07.909 --> 00:04:11.000
southern Baptist bully pulpit pastor.

00:04:11.000 --> 00:04:17.280
I was like praise Jesus, today we’re gonna be having chicken fried steak and then we’re

00:04:17.280 --> 00:04:18.979
gonna have a side of peas, everybody.

00:04:18.979 --> 00:04:20.190
Can I get a halleluiah?

00:04:20.190 --> 00:04:25.320
Of course, the entire lunchroom is going through and they’re like, dropping on the floor.

00:04:25.320 --> 00:04:29.410
I’ve got a couple of my friends speaking in tongues and I’m just like, doing this

00:04:29.410 --> 00:04:30.750
whole thing.

00:04:30.750 --> 00:04:36.120
All of a sudden, I get this sharp shooting pain on the back of my head.

00:04:36.120 --> 00:04:42.419
I wake up and I’m on the floor and there’s Brother Anthony who was a very formative person

00:04:42.419 --> 00:04:45.320
in my life; he was our algebra teacher.

00:04:45.320 --> 00:04:47.290
He was this monk.

00:04:47.290 --> 00:04:53.740
He was standing over me with a cane and he goes, I don’t find that amusing, Mr. Strand.

00:04:53.740 --> 00:04:58.100
In my field of vision, I see Brother Anthony above me with this cane ‘cause he clearly

00:04:58.100 --> 00:05:03.240
hit me in the back of the head with his cane, and then my mom comes into view and she goes

00:05:03.240 --> 00:05:05.350
hit him again, Brother.

00:05:05.350 --> 00:05:10.310
That was kind of – I’ve had people contact me whenever I’ve told that story and they’re

00:05:10.310 --> 00:05:12.130
like, that’s child abuse and that’s not okay.

00:05:12.130 --> 00:05:14.729
But I want to make it clear I probably deserved it.

00:05:14.729 --> 00:05:22.250
But no, Brother Anthony was just a very hard-nosed person but he was very fair, except of course,

00:05:22.250 --> 00:05:23.310
the rampant abuse.

00:05:23.310 --> 00:05:28.380
JACK: John finished high school, went to university, and got a degree in political science.

00:05:28.380 --> 00:05:32.660
He had a hard time finding a job with that kind of degree but a computer consulting company

00:05:32.660 --> 00:05:36.000
recognized his skills with computers and offered him a job.

00:05:36.000 --> 00:05:40.110
While there, he really got to sink his teeth into computers and fell in love with the security

00:05:40.110 --> 00:05:41.190
side of things.

00:05:41.190 --> 00:05:46.520
He went to work for a defense contractor doing cyber-security for years.

00:05:46.520 --> 00:05:52.300
This really gave him incredible exposure to the threat landscape and security and penetration

00:05:52.300 --> 00:05:58.070
testing, so much that he became a SANS instructor and actually taught hacking techniques, penetration

00:05:58.070 --> 00:06:02.020
testing, and offensive counter-measures; some pretty gnarly stuff.

00:06:02.020 --> 00:06:03.960
But he quit his job as a defense contractor.

00:06:03.960 --> 00:06:08.630
JOHN: Moved to South Dakota in the middle of the economic collapse of 2008 and decided

00:06:08.630 --> 00:06:09.630
what the hell?

00:06:09.630 --> 00:06:11.979
It’s time to start a pen testing company.

00:06:11.979 --> 00:06:16.949
JACK: [MUSIC] John called his pen testing company Black Hills Information Security.

00:06:16.949 --> 00:06:21.650
Since he was teaching penetration testing at SANS, this is what he felt best at so Black

00:06:21.650 --> 00:06:26.070
Hills started doing penetration testing for customers who wanted to see if a hacker could

00:06:26.070 --> 00:06:29.139
get into their building or network or computers.

00:06:29.139 --> 00:06:32.639
John was good at the technical aspect of it but there’s a lot more to running a business

00:06:32.639 --> 00:06:35.060
than just doing the technical work.

00:06:35.060 --> 00:06:40.340
He got some help from the people who supported him and believed in him most of all; his family.

00:06:40.340 --> 00:06:44.889
JOHN: Yeah, so when I started Black Hills Information Security, it was my sister who

00:06:44.889 --> 00:06:49.870
was doing report editing ‘cause I’m a horrible writer, and my mom actually started

00:06:49.870 --> 00:06:54.800
out with the finances, helping my wife and I get started, making sure the finances for

00:06:54.800 --> 00:06:56.360
the company were set up properly.

00:06:56.360 --> 00:06:59.949
That’s created problems over the years.

00:06:59.949 --> 00:07:03.740
For example, if I’m at a conference with Ed Skoudis and Mike Poor…

00:07:03.740 --> 00:07:07.560
JACK: These are a couple of his friends who also have great stories themselves and I should

00:07:07.560 --> 00:07:11.330
probably get them on the show one day, but these three friends got together in Vegas

00:07:11.330 --> 00:07:12.940
and decided to let loose.

00:07:12.940 --> 00:07:17.840
JOHN: [MUSIC] We end up doing two dinners; I remember they took me out to Bradley Ogden

00:07:17.840 --> 00:07:22.840
Steakhouse in Vegas which was stupid expensive, and then Mike said I feel bad about this.

00:07:22.840 --> 00:07:25.919
We’re gonna go out and we’re gonna have sushi for dessert.

00:07:25.919 --> 00:07:29.229
It was something like $350 for both the meals.

00:07:29.229 --> 00:07:30.229
It was insane.

00:07:30.229 --> 00:07:33.639
JACK: Now, when you go to a conference for work, you can expense it, right?

00:07:33.639 --> 00:07:37.710
The company will pay for it because meals are included in your travel, right?

00:07:37.710 --> 00:07:40.340
But his mom is the CFO.

00:07:40.340 --> 00:07:41.520
She looked at these charges.

00:07:41.520 --> 00:07:44.740
JOHN: She calls me up, she goes I saw the credit card statement from last night.

00:07:44.740 --> 00:07:46.940
I got these charges; what happened?

00:07:46.940 --> 00:07:49.290
Did you take a group of people out to eat?

00:07:49.290 --> 00:07:53.050
I’m like no, I didn’t take a group of people out to eat.

00:07:53.050 --> 00:07:54.449
She goes, it was just you?

00:07:54.449 --> 00:07:56.699
I’m like well, yeah, that was my portion.

00:07:56.699 --> 00:07:59.009
I was eating with some other people.

00:07:59.009 --> 00:08:00.669
She goes, how much did you eat?

00:08:00.669 --> 00:08:03.520
I’m like well, it was just two meals.

00:08:03.520 --> 00:08:06.570
It was just a steak and then some sushi.

00:08:06.570 --> 00:08:14.449
Then I promptly got the Riot Act about being really derelict in my duty of running a company.

00:08:14.449 --> 00:08:18.320
Got off the phone sweating ‘cause my mom just kind of chewed my butt, and then I get

00:08:18.320 --> 00:08:22.381
a call from my sister and she’s like I just got off the phone with mom; I can’t believe

00:08:22.381 --> 00:08:26.430
you spent that much money on two meals for yourself in one night!

00:08:26.430 --> 00:08:27.430
What were you thinking?

00:08:27.430 --> 00:08:29.460
Okay, then I hang up with her.

00:08:29.460 --> 00:08:34.229
Then my wife calls and she’s like I just got done talking with your sister and you

00:08:34.229 --> 00:08:40.260
are not allowed to go out to eat with Mike Poor and Ed Skoudis ever again at the same

00:08:40.260 --> 00:08:41.320
time.

00:08:41.320 --> 00:08:42.419
It just kind of cascaded.

00:08:42.419 --> 00:08:46.490
JACK: Alright, let’s hear some of John’s penetration testing stories because I love

00:08:46.490 --> 00:08:50.130
hearing all the tactics and methods people use to get into places.

00:08:50.130 --> 00:08:54.459
John’s penetration testing consisted of either going onsite to see if he can sneak

00:08:54.459 --> 00:08:58.640
into a building, or testing the network to see if he can hack into it through

00:08:58.640 --> 00:08:59.640
a computer.

00:08:59.640 --> 00:09:03.390
He was doing some odd business with some company for a while and one day they called him up

00:09:03.390 --> 00:09:05.190
just to pick his brain on something.

00:09:05.190 --> 00:09:08.860
JOHN: They called me up one day and they said hey, we got an airbase, we got a classified

00:09:08.860 --> 00:09:12.340
facility in the middle of this base and we want you to break into it.

00:09:12.340 --> 00:09:17.180
Do you have any ideas how you would actually get to the point where you could get into

00:09:17.180 --> 00:09:21.209
and touch a network jack that would have a classified network?

00:09:21.209 --> 00:09:26.850
JACK: This company was asking him for tips on how to break into an active military base.

00:09:26.850 --> 00:09:31.600
Now typically, these things are extremely well-guarded, better guarded than a prison,

00:09:31.600 --> 00:09:35.970
for sure, with armed guards sometimes just at the perimeter of the base, checking everyone

00:09:35.970 --> 00:09:37.720
who enters to see if they belong.

00:09:37.720 --> 00:09:41.899
It’s intense to the point you might even be shot at, but John thinks about this for

00:09:41.899 --> 00:09:46.720
a moment and has an idea about how he can get inside a secured area of the base.

00:09:46.720 --> 00:09:48.520
JOHN: I’m like yeah, get arrested.

00:09:48.520 --> 00:09:49.959
They’re like, what do you mean?

00:09:49.959 --> 00:09:55.649
I’m like well, if you’re trying to break into a military base and you get arrested,

00:09:55.649 --> 00:10:02.019
there’s a possibility you might actually end up in a room that has a network jack that

00:10:02.019 --> 00:10:03.610
might be on a classified network.

00:10:03.610 --> 00:10:05.230
They’re like, are you willing to try that?

00:10:05.230 --> 00:10:07.340
I’m like sure, how bad can that be?

00:10:07.340 --> 00:10:12.510
JACK: [MUSIC] There were a couple people at this military base that knew John was coming.

00:10:12.510 --> 00:10:15.769
After all, they hired him to do a penetration test on the building.

00:10:15.769 --> 00:10:19.771
They didn’t know what John’s plan was and how he’d get in, but they knew the operation

00:10:19.771 --> 00:10:24.570
could go wrong really fast, so they gave John some duress words.

00:10:24.570 --> 00:10:28.750
These are words that if he got in too much trouble, he could tell the military officers

00:10:28.750 --> 00:10:32.360
and they’d stop harassing him, and they’d know to report this to the higher-ups.

00:10:32.360 --> 00:10:36.589
It was a sort of ticket to safety if all goes wrong.

00:10:36.589 --> 00:10:40.940
John starts memorizing these duress words and it was something like ‘sasquatch’,

00:10:40.940 --> 00:10:46.390
‘pineapple’, ‘porcupine’, some combination of words that makes no sense unless you know

00:10:46.390 --> 00:10:48.710
that these are the duress words.

00:10:48.710 --> 00:10:52.260
John loads up his gear, the tools and devices that he would be able to use once he gets

00:10:52.260 --> 00:10:56.930
inside the military base so he can plug in and prove that he had access to this classified

00:10:56.930 --> 00:10:57.930
network.

00:10:57.930 --> 00:10:58.980
John heads to the base.

00:10:58.980 --> 00:11:03.240
There was nobody at the front gate so he just drove in.

00:11:03.240 --> 00:11:08.650
There was a common public area to this base, but then once he got in, he saw an area that

00:11:08.650 --> 00:11:09.650
was clearly off-limits.

00:11:09.650 --> 00:11:13.280
You needed to have permission to get into that area.

00:11:13.280 --> 00:11:17.130
JOHN: The classified part, they had a fence and then they have a perimeter of gravel going

00:11:17.130 --> 00:11:18.130
all the way around it.

00:11:18.130 --> 00:11:23.390
Then of course, the parking lot had big signs that were like, No Salute Zones.

00:11:23.390 --> 00:11:27.019
I figured I would try to walk up to the gravel which had pressure sensors underneath it.

00:11:27.019 --> 00:11:29.880
JACK: He starts walking across the gravel.

00:11:29.880 --> 00:11:34.120
This was a restricted area and he was clearly not authorized to go to.

00:11:34.120 --> 00:11:38.889
He’s hoping he’s triggering some sort of alarm where someone sees him on camera

00:11:38.889 --> 00:11:40.660
and comes and gets him.

00:11:40.660 --> 00:11:46.550
But if not, Plan B is just to keep on walking into the classified part of the space.

00:11:46.550 --> 00:11:50.290
JOHN: Sure enough, a whole bunch of really, really twitchy eighteen-year-olds showed up

00:11:50.290 --> 00:11:51.899
with fully automatic weapons.

00:11:51.899 --> 00:12:00.089
I laid down on the ground and I was told when you lay down, put your hands immediately behind

00:12:00.089 --> 00:12:06.610
your back, cross your ankles, and just wait; they’re going to throw you into a car.

00:12:06.610 --> 00:12:14.060
I’m laying on the ground and I – they immediately shove the back of the rifle in

00:12:14.060 --> 00:12:17.699
the back of my head really hard.

00:12:17.699 --> 00:12:23.380
It hurt a lot, and then they handcuffed me, but that wasn’t bad; what was bad is they

00:12:23.380 --> 00:12:26.510
immobilized me by grabbing the handcuffs and lifting up.

00:12:26.510 --> 00:12:30.829
So, they lifted me up off the ground by the handcuffs which dislocated my shoulder and

00:12:30.829 --> 00:12:37.089
still to this day I have this huge scar where years later I had to have a Latarjet to repair

00:12:37.089 --> 00:12:38.560
the damage to my shoulder.

00:12:38.560 --> 00:12:43.639
I already had a weak shoulder from a high school injury and that just tore my arms right

00:12:43.639 --> 00:12:44.769
out of socket.

00:12:44.769 --> 00:12:49.170
They threw me into the car and I’m screaming out my duress words, right?

00:12:49.170 --> 00:12:51.640
It’s like, pineapple!

00:12:51.640 --> 00:12:53.640
Porcupine! Sasquatch!

00:12:53.640 --> 00:12:54.640
Whatever the other word was.

00:12:54.640 --> 00:12:56.860
They’re like, he’s freaking delusional.

00:12:56.860 --> 00:13:00.580
I could hear them like; we think this guy’s on drugs.

00:13:00.580 --> 00:13:02.190
They threw me into a room.

00:13:02.190 --> 00:13:06.230
Sure enough there was a network jack and it was part of a classified network, but the

00:13:06.230 --> 00:13:11.310
whole time I’m like, I’m a contractor; I was hired and these are my duress words.

00:13:11.310 --> 00:13:14.160
They brought in the right people and I was able to let go.

00:13:14.160 --> 00:13:15.880
They were like, good job.

00:13:15.880 --> 00:13:16.880
Was that fun?

00:13:16.880 --> 00:13:17.980
I was like, it wasn’t fun at all.

00:13:17.980 --> 00:13:20.839
It took me a long time to recover.

00:13:20.839 --> 00:13:25.699
Yeah, I never really did a physical pen test against a military facility that involved

00:13:25.699 --> 00:13:29.200
firearms again.

00:13:29.200 --> 00:13:40.040
JACK: [MUSIC] John is a great penetration tester.

00:13:40.040 --> 00:13:44.269
He loves the challenge of getting into buildings or using computers to break into a network.

00:13:44.269 --> 00:13:49.000
Earlier in his career, he was given the task to break into a building and gain access to

00:13:49.000 --> 00:13:50.130
the computers inside.

00:13:50.130 --> 00:13:54.709
JOHN: I was meant to get in and take over as many systems as possible.

00:13:54.709 --> 00:13:57.209
JACK: First things first, he does some passive reconnaissance.

00:13:57.209 --> 00:14:01.040
This is where he can investigate ways to get in without any fear of getting caught.

00:14:01.040 --> 00:14:04.540
JOHN: One of the things I did, is I used Google Street View to go around the building.

00:14:04.540 --> 00:14:07.589
I found that there was a window that was open, in the Street View.

00:14:07.589 --> 00:14:11.890
JACK: Wow, isn’t it nice that Google sent someone to this building to take a bunch of

00:14:11.890 --> 00:14:13.970
photos of it and then post them publicly?

00:14:13.970 --> 00:14:18.199
This way, anyone who wants to break in can just use Google Street View to plan their

00:14:18.199 --> 00:14:20.070
attack without even leaving home.

00:14:20.070 --> 00:14:24.430
JOHN: I saw that it was open and I figured that it might be unlocked ‘cause a lot of

00:14:24.430 --> 00:14:27.680
times windows that are open and closed a lot, they never latch them completely.

00:14:27.680 --> 00:14:32.740
JACK: John has a plan and an objective, and it’s time to suit up.

00:14:32.740 --> 00:14:39.290
JOHN: [MUSIC] My backpack just has my notebook computer, a series of USB thumb drives with

00:14:39.290 --> 00:14:41.829
various utilities and tools on it, and that’s it.

00:14:41.829 --> 00:14:46.949
I wasn’t wearing, you know, a black facemask or anything.

00:14:46.949 --> 00:14:51.769
I was wearing a black fleece and just jeans because this is one of the things that always

00:14:51.769 --> 00:14:57.950
bothers me about superhero movies; if you take Batman or you take Daredevil, they always

00:14:57.950 --> 00:15:02.990
show up to the scene where they’re supposed to do stuff, and they do something awesome,

00:15:02.990 --> 00:15:05.839
like they destroy the cartel and that’s awesome.

00:15:05.839 --> 00:15:09.320
I’m always thinking how the hell did they get there?

00:15:09.320 --> 00:15:11.170
Did they walk there in their suit?

00:15:11.170 --> 00:15:14.940
Did they jump across – ‘cause you can’t jump across buildings the whole time.

00:15:14.940 --> 00:15:22.160
My point is, you can’t dress like a burglar while you walk out of your house.

00:15:22.160 --> 00:15:24.390
I just dress in normal clothes.

00:15:24.390 --> 00:15:26.490
It’s just something I’ve always done.

00:15:26.490 --> 00:15:31.760
I know it’s a personal preference and style but a lot of physical pen testers have like,

00:15:31.760 --> 00:15:37.740
tactical bags and tactical patches, and they look somewhat sketchy, right?

00:15:37.740 --> 00:15:42.100
I just prefer to go with the standard backpack so I don’t freak people out too much.

00:15:42.100 --> 00:15:44.100
JACK: John drives to the building.

00:15:44.100 --> 00:15:45.750
It’s night and it’s dark out.

00:15:45.750 --> 00:15:47.769
He arrives and looks around.

00:15:47.769 --> 00:15:51.880
The building is pitch dark; there’s no lights on at all in it.

00:15:51.880 --> 00:15:55.709
He walks up to it to try to find that window to break into.

00:15:55.709 --> 00:15:57.850
Alright, breathe now.

00:15:57.850 --> 00:16:00.370
Calm the nerves.

00:16:00.370 --> 00:16:02.130
This is no time to be stressed.

00:16:02.130 --> 00:16:03.350
It’s go-time.

00:16:03.350 --> 00:16:07.630
JOHN: [MUSIC] I went up to this window, pushed up.

00:16:07.630 --> 00:16:09.990
Sure enough, it was unlocked.

00:16:09.990 --> 00:16:15.440
From the ground up to where the bottom of the window was, was right above mid-chest,

00:16:15.440 --> 00:16:16.820
okay?

00:16:16.820 --> 00:16:22.330
I pushed the window open but it’s kind of a little bit narrow so I can’t get my body

00:16:22.330 --> 00:16:25.550
halfway in and ride it like a cowboy and then go in.

00:16:25.550 --> 00:16:32.319
I go in kind of headfirst like a really clumsy, slightly overweight snake.

00:16:32.319 --> 00:16:35.839
I come in over the window and it’s over someone’s desk.

00:16:35.839 --> 00:16:38.950
As soon as I start slithering down onto the desk and get to the point where I can kick

00:16:38.950 --> 00:16:43.200
my leg out, that’s when I kicked the flower pot.

00:16:43.200 --> 00:16:48.120
JACK: The flower pot flew off the desk and smashed on the ground, making a loud breaking

00:16:48.120 --> 00:16:49.120
noise.

00:16:49.120 --> 00:16:50.880
Now dirt is all over the floor.

00:16:50.880 --> 00:16:54.899
This instantly added a whole new level of stress to the already stressful situation.

00:16:54.899 --> 00:16:58.750
If somebody was in the building, they might have heard this commotion and come and investigate.

00:16:58.750 --> 00:17:04.380
JOHN: But then when my bodyweight came down on the desk, [CREAKING] the desk was not designed

00:17:04.380 --> 00:17:09.990
to support my significant girth at the time, and the whole desk collapsed.

00:17:09.990 --> 00:17:10.990
[CRASH]

00:17:10.990 --> 00:17:13.630
JACK: Oh great; even more of a mess.

00:17:13.630 --> 00:17:15.380
Even more awful crashing noises.

00:17:15.380 --> 00:17:17.910
His intention is never to cause physical damage.

00:17:17.910 --> 00:17:22.330
Otherwise he could just smash a window and get into the building, but that’s not the

00:17:22.330 --> 00:17:24.120
point of a penetration test.

00:17:24.120 --> 00:17:30.810
Breaking flower pots and desks is unprofessional but the damage was done and John was in the

00:17:30.810 --> 00:17:31.810
building.

00:17:31.810 --> 00:17:34.980
He stands up, looks at the mess he made and feels bad about it.

00:17:34.980 --> 00:17:36.500
So, what does he do?

00:17:36.500 --> 00:17:39.850
JOHN: I just wrote a note; sorry I broke your flower pot.

00:17:39.850 --> 00:17:41.820
I put my name and my phone number.

00:17:41.820 --> 00:17:47.059
I figure it’s better to own up for that stuff really, really quickly because

00:17:47.059 --> 00:17:49.900
the alternative makes it look like you’re trying to skirt around the issue.

00:17:49.900 --> 00:17:53.600
I just wrote a letter, put it on there, apologized profusely.

00:17:53.600 --> 00:17:55.980
JACK: Okay, he’s in.

00:17:55.980 --> 00:17:57.250
It wasn’t very elegant.

00:17:57.250 --> 00:17:59.260
But it’s now dark in this office.

00:17:59.260 --> 00:18:02.800
There’s no lights on anywhere, so option one is to turn a light on.

00:18:02.800 --> 00:18:06.570
But surely this makes your presence known; someone who works there might be driving by

00:18:06.570 --> 00:18:09.780
and notice a light on and think something’s wrong.

00:18:09.780 --> 00:18:13.340
So, he chooses option two, a flashlight.

00:18:13.340 --> 00:18:15.760
But this might not have been the best idea.

00:18:15.760 --> 00:18:20.419
JOHN: Then I turned on my flashlight and I’m running around plugging in USB drives and

00:18:20.419 --> 00:18:23.760
executing malware on as many computer systems as I can.

00:18:23.760 --> 00:18:28.460
Now, the horrible thing about this was the lights were off in the building, I’m running

00:18:28.460 --> 00:18:32.720
around with a flashlight trying to plug in USB sticks.

00:18:32.720 --> 00:18:36.549
[MUSIC] The reason why that’s funny is because it’s stupid.

00:18:36.549 --> 00:18:40.440
If you look across at a building and the lights are on, you’re like hm, okay; someone’s

00:18:40.440 --> 00:18:41.440
there.

00:18:41.440 --> 00:18:44.190
If you look across at a building and the lights are off, you’re like, no one’s there.

00:18:44.190 --> 00:18:49.620
If you look across at a building and you see a flashlight running like crazy all over the

00:18:49.620 --> 00:18:53.250
building, you think time to call the police, and that’s what someone did.

00:18:53.250 --> 00:18:58.450
The police show up, come into the building with their guns drawn, and I am just kind

00:18:58.450 --> 00:19:00.710
of sitting there freaked out.

00:19:00.710 --> 00:19:03.940
I’m like hey, I’m doing a penetration test.

00:19:03.940 --> 00:19:07.350
Here is my permission-to-test memo, my get out of jail free card.

00:19:07.350 --> 00:19:10.760
I hand it to them and they’re looking at it and they’re reading it and they’re

00:19:10.760 --> 00:19:12.220
like okay, so you’re John Strand.

00:19:12.220 --> 00:19:13.220
I’m like, yeah.

00:19:13.220 --> 00:19:14.690
Can we see some ID?

00:19:14.690 --> 00:19:16.230
I give my driver’s license.

00:19:16.230 --> 00:19:18.070
They’re like okay, okay, good, good.

00:19:18.070 --> 00:19:21.100
First guy puts his gun away, the second guy puts his gun away, and they’re like so,

00:19:21.100 --> 00:19:22.280
what are you doing here?

00:19:22.280 --> 00:19:25.950
I’m like oh, I’m plugging in these USB drives, I’m taking over these computer systems.

00:19:25.950 --> 00:19:27.970
They’re like, how does that work?

00:19:27.970 --> 00:19:29.870
I’m like, well, come on, let me show you.

00:19:29.870 --> 00:19:35.520
I’m plugging in devices, I’m using, I don’t know, it was like, I think it was

00:19:35.520 --> 00:19:36.520
Kon-Boot.

00:19:36.520 --> 00:19:40.300
Just taking over systems and dropping malware and they’re like, this is really cool.

00:19:40.300 --> 00:19:41.380
People pay you to do this?

00:19:41.380 --> 00:19:42.380
I’m like, yeah.

00:19:42.380 --> 00:19:43.380
They’re like, oh, that’s neat.

00:19:43.380 --> 00:19:46.720
Well, have a great evening then.

00:19:46.720 --> 00:19:50.280
They never bothered to call my point of contact.

00:19:50.280 --> 00:19:55.350
It was like as soon as they saw the piece of paper, it was like oh, this dude’s legit.

00:19:55.350 --> 00:19:59.549
We’re gonna totally let this guy continue doing this pen test.

00:19:59.549 --> 00:20:01.960
JACK: Huh, that is odd, right?

00:20:01.960 --> 00:20:06.400
Maybe he has a real innocent face or something but if I were a cop and I saw the mess and

00:20:06.400 --> 00:20:10.570
damage caused from climbing in the window and then saw a guy walking around with a flashlight

00:20:10.570 --> 00:20:11.840
being all suspicious?

00:20:11.840 --> 00:20:15.810
Yeah, I would definitely call the number on the paper just to make sure.

00:20:15.810 --> 00:20:17.810
But the cops let him go.

00:20:17.810 --> 00:20:24.289
So, he turned on the light switch in the office and just kept plugging in USB drives until

00:20:24.289 --> 00:20:30.310
he got everything he needed, and then turned the lights off and left.

00:20:30.310 --> 00:20:40.159
[LIGHTSWITCH CLICK] [MUSIC] A few years back, John went to a security conference in Atlantic

00:20:40.159 --> 00:20:41.230
City.

00:20:41.230 --> 00:20:44.110
While there, he got a phone call that he’ll never forget.

00:20:44.110 --> 00:20:46.900
JOHN: I’m in Atlantic City and I’m sleeping.

00:20:46.900 --> 00:20:49.850
I get a call at like, 2:00 in the morning.

00:20:49.850 --> 00:20:54.120
It’s from a friend of mine who does some work with law enforcement agencies and they

00:20:54.120 --> 00:20:58.350
were tracking down an individual that had abducted a young girl.

00:20:58.350 --> 00:21:00.720
The girl just happened to be about the same age as my daughter.

00:21:00.720 --> 00:21:08.140
JACK: Okay, it’s 2:00 a.m. and this caller is asking him to help catch a child kidnapper.

00:21:08.140 --> 00:21:11.640
I guess it makes sense; you have a much higher chance of catching the kidnapper in the first

00:21:11.640 --> 00:21:14.470
twenty-four hours, so time was of the essence.

00:21:14.470 --> 00:21:19.230
The law enforcement officers had already collected a lot of clues by asking the family if they

00:21:19.230 --> 00:21:21.880
suspected anyone who could have done this.

00:21:21.880 --> 00:21:26.549
There was a guy who was known to the family who was a suspect, so they decided to chat

00:21:26.549 --> 00:21:29.750
with that person through Skype where they normally talk with them.

00:21:29.750 --> 00:21:31.870
But this gave them another clue.

00:21:31.870 --> 00:21:37.950
JOHN: They knew who the suspect was because he had changed his Skype icon to be a picture

00:21:37.950 --> 00:21:39.090
of this girl crying.

00:21:39.090 --> 00:21:42.370
JACK: Not only that, but they were actually able to have a conversation with this guy

00:21:42.370 --> 00:21:43.490
over Skype.

00:21:43.490 --> 00:21:48.299
JOHN: They approached me and they said is there any way we can track this individual

00:21:48.299 --> 00:21:51.220
using pen test-like techniques?

00:21:51.220 --> 00:21:55.150
One of the techniques that we use all the time in pen testing, [MUSIC] is you can send

00:21:55.150 --> 00:22:02.169
a document to someone and you can have that document beacon back through a cascading stylesheet

00:22:02.169 --> 00:22:03.510
or an img source tag.

00:22:03.510 --> 00:22:07.090
You’re not trying to get access to the system; you’re just trying to prove that someone

00:22:07.090 --> 00:22:08.480
opened the document.

00:22:08.480 --> 00:22:15.179
JACK: John prepared a document which, when opened, would show that person’s IP address.

00:22:15.179 --> 00:22:19.210
John gave this document to the law enforcement officers working on this and showed them how

00:22:19.210 --> 00:22:22.090
to watch for the IP address when it gets opened.

00:22:22.090 --> 00:22:25.299
They gave this to the person who was talking with the guy on Skype.

00:22:25.299 --> 00:22:27.809
JOHN: And sent a document to the suspect.

00:22:27.809 --> 00:22:31.010
The document was opened and then it started beaconing back.

00:22:31.010 --> 00:22:36.230
Now, geolocation based on IP address is really suspect under the best of circumstances but

00:22:36.230 --> 00:22:40.900
if you have a warrant and you have the source IP address, source port, and date timestamp,

00:22:40.900 --> 00:22:44.270
you can actually go to an internet service provider and they can tell you exactly

00:22:44.270 --> 00:22:45.610
where that file was opened.

00:22:45.610 --> 00:22:47.919
JACK: So, that’s what they did.

00:22:47.919 --> 00:22:52.490
As soon as law enforcement officers knew the IP address of the suspect, they already had

00:22:52.490 --> 00:22:56.679
a warrant and so they asked the ISP for the name and location of the person who owns that

00:22:56.679 --> 00:22:58.240
IP address.

00:22:58.240 --> 00:23:02.120
ISP responded right away with this information.

00:23:02.120 --> 00:23:04.740
JOHN: In this situation, they found it at a motel.

00:23:04.740 --> 00:23:08.970
Then shortly, right after we started getting a beacon back, they were able to get the little

00:23:08.970 --> 00:23:09.970
girl back.

00:23:09.970 --> 00:23:14.670
JACK: Wow, what a gnarly way to use social engineering and phishing methods for good.

00:23:14.670 --> 00:23:20.620
JOHN: That kind of changed my philosophy on the offensive versus defensive side of things.

00:23:20.620 --> 00:23:24.510
You could see how these things could be blended for a better defense, how we could use some

00:23:24.510 --> 00:23:28.510
offensive tactics to actually do some attribution for attackers as well.

00:23:28.510 --> 00:23:30.890
JACK: Of course, yeah, that does make sense.

00:23:30.890 --> 00:23:34.840
It’s so fascinating to think about ethical hacking like this.

00:23:34.840 --> 00:23:38.890
While the years go on, John continues doing penetration tests for companies all over the

00:23:38.890 --> 00:23:39.890
country.

00:23:39.890 --> 00:23:42.370
His family continues to help run things on the business side.

00:23:42.370 --> 00:23:47.340
Again, his mom is who handled all the finances of this company, and she was the chief finance

00:23:47.340 --> 00:23:48.700
officer, CFO.

00:23:48.700 --> 00:23:53.440
But his mom was watching what John was doing and got a crazy idea.

00:23:53.440 --> 00:24:00.179
JOHN: [MUSIC] She had been the CFO of Black Hills Information Security for some time and

00:24:00.179 --> 00:24:07.669
she’s always reading about – reading reports about awesome things that testers do.

00:24:07.669 --> 00:24:13.210
I’m telling stories about stuff that I do, and I still to this day believe doing offensive

00:24:13.210 --> 00:24:15.750
security is one of the coolest jobs in the world.

00:24:15.750 --> 00:24:17.220
We have exciting lives.

00:24:17.220 --> 00:24:19.799
It’s dynamic and it’s interesting.

00:24:19.799 --> 00:24:24.170
She saw that and she really wanted to get in and do something.

00:24:24.170 --> 00:24:29.000
When we were doing physical pen testing, she came to me and she goes, I want to do a physical

00:24:29.000 --> 00:24:30.000
pen test.

00:24:30.000 --> 00:24:33.070
She’s my mom; I’m not gonna tell her no, right?

00:24:33.070 --> 00:24:38.120
‘Cause she might have a monk hit me, but she wants to do this.

00:24:38.120 --> 00:24:40.640
I say mom, you gotta come up with a ruse.

00:24:40.640 --> 00:24:42.190
I explain to her what a ruse is.

00:24:42.190 --> 00:24:43.290
She says I already got it.

00:24:43.290 --> 00:24:44.290
I’m like, what is it?

00:24:44.290 --> 00:24:45.290
She goes, food service.

00:24:45.290 --> 00:24:50.130
I’ll go in and I’ll do a food service inspection and I will get right in.

00:24:50.130 --> 00:24:53.850
It just floored me; that was a ruse that we never really thought of.

00:24:53.850 --> 00:24:59.770
It’s a ruse with authority, it’s a ruse that’s kind of inauspicious.

00:24:59.770 --> 00:25:06.020
My mom, at this point, was in her sixties and she shows up, you’re not gonna look

00:25:06.020 --> 00:25:08.280
at her and go hm, this lady looks like a hacker.

00:25:08.280 --> 00:25:09.669
No, it’s not gonna happen.

00:25:09.669 --> 00:25:15.140
JACK: Now, keep in mind that his mom was the food service director at a high school, so

00:25:15.140 --> 00:25:17.800
this is actually something she knows a lot about.

00:25:17.800 --> 00:25:21.330
JOHN: She knows food service inside out and backwards, right?

00:25:21.330 --> 00:25:25.960
She was a food service director for something like twenty-five years, so she had been through

00:25:25.960 --> 00:25:31.539
dozens and dozens of inspections, so she knew how the inspection process worked.

00:25:31.539 --> 00:25:39.419
She got the inspection checklist, she got a little badge, she got an ID.

00:25:39.419 --> 00:25:44.610
She knew exactly what everything needed to look like to make it look legit because she

00:25:44.610 --> 00:25:45.990
had done this so many times.

00:25:45.990 --> 00:25:48.990
JACK: He says okay mom, let’s do this.

00:25:48.990 --> 00:25:51.679
[MUSIC] Time to pick a target.

00:25:51.679 --> 00:25:57.010
JOHN: We had a series of physical pen tests that were scheduled that day.

00:25:57.010 --> 00:26:01.640
It was the fifth of July and it was on a Friday which meant that all of the target sites were

00:26:01.640 --> 00:26:08.080
soft targets; there was very little staff and a skeleton crew onsite and many of the

00:26:08.080 --> 00:26:10.289
people in authority wouldn’t even be there.

00:26:10.289 --> 00:26:12.900
It was a perfect time for this.

00:26:12.900 --> 00:26:19.550
Myself, Benjamin Donnelly, and my mom all piled in the car and off we went to break

00:26:19.550 --> 00:26:20.850
into a number of locations.

00:26:20.850 --> 00:26:27.000
JACK: They had a few targets that day; a couple of offices, various facilities, and a prison.

00:26:27.000 --> 00:26:30.070
JOHN: My mom wanted the prison which was crazy.

00:26:30.070 --> 00:26:32.080
I thought it was the hardest one to break into.

00:26:32.080 --> 00:26:34.690
But she’s like no, this won’t take me long at all.

00:26:34.690 --> 00:26:40.120
The objective of the prison was to establish callback documents and get a shell out of

00:26:40.120 --> 00:26:41.120
the prison.

00:26:41.120 --> 00:26:46.400
JACK: Now, a shell in computer lingo is remote access to a computer through the command line,

00:26:46.400 --> 00:26:53.100
so his mom needed to get in and access a computer so that she could connect to John’s server.

00:26:53.100 --> 00:26:57.700
That way, John and Ben would be able to safely access this prison’s network from down the

00:26:57.700 --> 00:26:59.700
road. Hm.

00:26:59.700 --> 00:27:02.050
So, how can she do that?

00:27:02.050 --> 00:27:06.649
John digs into his bag of tricks and pulls out a USB drive and gives it to her.

00:27:06.649 --> 00:27:12.010
JOHN: The USB drive had a .exe which just simply dropped an implant on the system.

00:27:12.010 --> 00:27:13.700
Then there was also a document.

00:27:13.700 --> 00:27:15.980
That document had beaconing on it.

00:27:15.980 --> 00:27:18.370
We said if you ever get a chance, you plug it in.

00:27:18.370 --> 00:27:20.950
If somebody’s looking over your shoulder, open the document.

00:27:20.950 --> 00:27:23.900
If there’s no one looking over your shoulder, run the executable.

00:27:23.900 --> 00:27:30.929
JACK: [MUSIC] Ah, okay, this is clever; basically, the executable program on that USB drive tries

00:27:30.929 --> 00:27:33.389
to open a connection to John’s server.

00:27:33.389 --> 00:27:38.370
Once that connection is open, John can then remotely control whatever computer ran that

00:27:38.370 --> 00:27:39.370
program.

00:27:39.370 --> 00:27:42.039
Now, I might even go so far as to say this isn’t even malware; this is a

00:27:42.039 --> 00:27:46.120
tool that has the functionality of getting a remote connection to another computer.

00:27:46.120 --> 00:27:51.380
It might be used by system administrators of the network to remotely admin a computer

00:27:51.380 --> 00:27:55.830
but in John’s case and John’s mom’s case, they were going to use it to gain remote

00:27:55.830 --> 00:27:58.299
access to these computers in the prison.

00:27:58.299 --> 00:28:04.150
So, John teaches his mom how to use this USB stick to help him get remote access to these

00:28:04.150 --> 00:28:05.150
computers.

00:28:05.150 --> 00:28:06.810
JOHN: My mom was totally calm.

00:28:06.810 --> 00:28:08.640
Like, she wasn’t nervous about it at all.

00:28:08.640 --> 00:28:10.650
I was more nervous than she was.

00:28:10.650 --> 00:28:17.850
We’re all in the same car and we stop at a coffee shop that does amazing pies, and

00:28:17.850 --> 00:28:19.840
Ben and I sit in the coffee shop.

00:28:19.840 --> 00:28:22.390
JACK: His mom gathers up her supplies and gets ready.

00:28:22.390 --> 00:28:27.100
JOHN: She had a clipboard, a checklist, and a USB drive.

00:28:27.100 --> 00:28:28.120
That was it.

00:28:28.120 --> 00:28:29.590
That was all she had.

00:28:29.590 --> 00:28:32.100
Oh, she did have her phone; she was recording audio.

00:28:32.100 --> 00:28:33.880
We had her record audio of everything that she did, too.

00:28:33.880 --> 00:28:35.820
JACK: Again, a clipboard.

00:28:35.820 --> 00:28:38.750
Forget about some hi-tech gadget that you need to get into a building.

00:28:38.750 --> 00:28:41.350
A clipboard is the only weapon you need.

00:28:41.350 --> 00:28:43.870
Okay, so perfect; she’s ready.

00:28:43.870 --> 00:28:48.490
She loads up the car and drives off, leaving John and Ben at the coffee shop.

00:28:48.490 --> 00:28:52.440
Now, keep in mind they’re in a town that they had to travel to in order to do these

00:28:52.440 --> 00:28:57.649
tests, so they had one rental car and she just drove off with the only car they had,

00:28:57.649 --> 00:29:00.580
leaving Ben and John at the coffee shop to wait.

00:29:00.580 --> 00:29:04.980
But not only that; she took John’s phone to record the audio.

00:29:04.980 --> 00:29:07.130
He doesn’t even have a phone to call anyone with.

00:29:07.130 --> 00:29:11.549
JOHN: The first thing that goes through my head was this is the dumbest thing I have

00:29:11.549 --> 00:29:15.400
ever done, and she’s gone.

00:29:15.400 --> 00:29:20.610
[MUSIC] Honestly, we were so – sometimes whenever you get wrapped up in a ruse, you’re

00:29:20.610 --> 00:29:27.730
so excited about that ruse that you don’t think rationally about it.

00:29:27.730 --> 00:29:29.590
You’re like, this is gonna work, this is awesome.

00:29:29.590 --> 00:29:34.000
This is the coolest thing ever, and there’s a lot of times whenever you’re doing pen

00:29:34.000 --> 00:29:38.941
tests from a technical side or a physical side, you’re walking a tightrope and by

00:29:38.941 --> 00:29:42.870
the time you get across to the other side, you look back at where you came from and what

00:29:42.870 --> 00:29:45.230
you did and you’re like, that was stupid.

00:29:45.230 --> 00:29:50.120
When she took off, that little voice of doubt started talking in the back of my head, saying

00:29:50.120 --> 00:29:51.120
this is stupid.

00:29:51.120 --> 00:29:53.090
JACK: I mean, what could have been the consequences here?

00:29:53.090 --> 00:29:57.669
JOHN: Oh, absolutely she could have been arrested.

00:29:57.669 --> 00:30:00.260
That absolutely could have been the consequence, and she’s my mom, right?

00:30:00.260 --> 00:30:02.450
I know we probably could have gotten her out of prison.

00:30:02.450 --> 00:30:09.649
I know that more than likely everything would have been okay, but just, my mom getting arrested

00:30:09.649 --> 00:30:14.059
just at that point when she started driving away seemed to me like that was one, a very

00:30:14.059 --> 00:30:18.770
real possibility and two, it’s not something I ever want to deal with as a son.

00:30:18.770 --> 00:30:22.490
My mom gets arrested and I’m the reason she got arrested.

00:30:22.490 --> 00:30:27.860
This could have easily gone from a super awesome story to just a really tragic one very quickly.

00:30:27.860 --> 00:30:31.140
JACK: Your blood pressure starts rising as she drives off.

00:30:31.140 --> 00:30:32.250
JOHN: Yeah, yeah.

00:30:32.250 --> 00:30:37.850
JACK: Do you guys have, I don’t know, a sync-up time or like…?

00:30:37.850 --> 00:30:38.850
JOHN: No.

00:30:38.850 --> 00:30:40.909
JACK: Come rescue me after thirty minutes or anything?

00:30:40.909 --> 00:30:41.909
JOHN: No.

00:30:41.909 --> 00:30:45.549
Dude, I gave her my cell phone and I told her here’s how you start the record function

00:30:45.549 --> 00:30:47.419
on my cell phone.

00:30:47.419 --> 00:30:52.539
She takes our only car and she had to drive six miles to get to this facility.

00:30:52.539 --> 00:30:55.950
We’re stranded and I don’t have a way of communicating with her.

00:30:55.950 --> 00:30:59.590
Yeah, it was really scary.

00:30:59.590 --> 00:31:03.519
JACK: John and Ben are in this coffee shop.

00:31:03.519 --> 00:31:07.299
They open up their computers and connect to their command and control server.

00:31:07.299 --> 00:31:11.720
This is the server that listens for when someone runs that executable on the USB stick.

00:31:11.720 --> 00:31:14.840
That’s all they can do to monitor the situation.

00:31:14.840 --> 00:31:21.660
[MUSIC] They just sit there, looking at the screen to see if any connections were successful.

00:31:21.660 --> 00:31:25.350
The facility was about ten minutes away.

00:31:25.350 --> 00:31:28.100
They ordered some coffee and tried to relax.

00:31:28.100 --> 00:31:30.700
JOHN: Lots of coffee.

00:31:30.700 --> 00:31:35.990
JACK: The next ten minutes goes by and they’re starting to get worried.

00:31:35.990 --> 00:31:36.990
Did she get in?

00:31:36.990 --> 00:31:38.370
Did she get stopped?

00:31:38.370 --> 00:31:40.500
Is she arrested?

00:31:40.500 --> 00:31:43.049
The server shows no activity.

00:31:43.049 --> 00:31:45.000
The wait was terrifying.

00:31:45.000 --> 00:31:46.880
JOHN: Oh, it was miserable.

00:31:46.880 --> 00:31:52.059
That was probably some of the longest – it was probably some of the longest twenty-five,

00:31:52.059 --> 00:31:55.809
thirty minutes I’ve ever had in my entire life ‘cause you’re absolutely convinced

00:31:55.809 --> 00:32:00.289
that she’s busted because there’s no response, there’s no connections, you’re in this

00:32:00.289 --> 00:32:05.750
void of information so your brain starts filling in worst-possible scenarios.

00:32:05.750 --> 00:32:08.860
Yeah, it’s just – the waiting was horrible.

00:32:08.860 --> 00:32:12.330
JACK: Another ten minutes goes by; still nothing.

00:32:12.330 --> 00:32:15.470
Ben and John are getting more coffee and getting more worried.

00:32:15.470 --> 00:32:19.660
JOHN: I can’t remember if it was Ben or it was me but one of us said it’s okay,

00:32:19.660 --> 00:32:20.740
she’s fine.

00:32:20.740 --> 00:32:23.090
We’re getting shells.

00:32:23.090 --> 00:32:27.190
As soon as we started getting callbacks, as soon as we started getting shells, we knew

00:32:27.190 --> 00:32:31.380
at that very second that my mom was okay.

00:32:31.380 --> 00:32:33.309
They just kept coming.

00:32:33.309 --> 00:32:35.220
It was the coolest thing ever.

00:32:35.220 --> 00:32:39.399
Then finally, one of the computer systems that called back was actually the director

00:32:39.399 --> 00:32:41.090
of that correctional facility.

00:32:41.090 --> 00:32:47.720
It was just this really euphoric, amazing moment where this oppressive weight

00:32:47.720 --> 00:32:50.080
was just lifted off of our shoulders.

00:32:50.080 --> 00:32:54.850
Then, shortly thereafter, about ten minutes, she shows up and she walks in.

00:32:54.850 --> 00:32:57.100
We all get around her; we’re like how did it go?

00:32:57.100 --> 00:32:58.100
How did it go?

00:32:58.100 --> 00:32:59.100
How did it go?

00:32:59.100 --> 00:33:00.100
She goes, it’s fine.

00:33:00.100 --> 00:33:01.100
It went really, really well.

00:33:01.100 --> 00:33:02.940
I’m like, tell me about it.

00:33:02.940 --> 00:33:06.610
She immediately launches into did you know that somebody that works there actually went

00:33:06.610 --> 00:33:07.860
to high school with you?

00:33:07.860 --> 00:33:09.899
Now, you were a senior and they were a freshman.

00:33:09.899 --> 00:33:11.470
[MUSIC] I don’t know if you would remember them.

00:33:11.470 --> 00:33:17.850
I’m like, I don’t care about who I went to high school with; just tell me the story.

00:33:17.850 --> 00:33:21.880
She just walked right up to the front, she said she was with the Health Department, it’s

00:33:21.880 --> 00:33:23.360
a surprise health inspection.

00:33:23.360 --> 00:33:25.870
They let her right in.

00:33:25.870 --> 00:33:27.880
They asked her what she needed to gain access to.

00:33:27.880 --> 00:33:31.731
She said I need to gain access to the employee workstations to make sure that there’s not

00:33:31.731 --> 00:33:36.650
food or drink there, and then I also need to get around the food preparation locations,

00:33:36.650 --> 00:33:39.519
and I also need to gain access to your NEWC.

00:33:39.519 --> 00:33:40.630
They were like, our what?

00:33:40.630 --> 00:33:42.880
She’s like, NEWC, your Network Operation Center.

00:33:42.880 --> 00:33:46.669
They’re like oh, the NOC, okay.

00:33:46.669 --> 00:33:51.659
They walked her to each of those locations and let her go unsupervised.

00:33:51.659 --> 00:33:58.230
She was completely free to roam anywhere that she wanted to go, and she chose to give them

00:33:58.230 --> 00:34:00.630
a full health inspection first.

00:34:00.630 --> 00:34:04.139
She started going through; she had a laser thermometer and she was taking temperatures

00:34:04.139 --> 00:34:05.139
of the refrigerator.

00:34:05.139 --> 00:34:07.290
By the way, their refrigerator was a bit too warm.

00:34:07.290 --> 00:34:10.650
It wasn’t within the guidelines of the Health Department.

00:34:10.650 --> 00:34:13.250
She was going through, she found mold in different places.

00:34:13.250 --> 00:34:18.640
So, she went, she did a full health inspection, then she started plugging in the USB drive

00:34:18.640 --> 00:34:20.500
in computer systems.

00:34:20.500 --> 00:34:24.010
Because it was the fifth of July, there was hardly anyone there.

00:34:24.010 --> 00:34:25.940
Then she went back to the front desk.

00:34:25.940 --> 00:34:27.790
She talked to the person; said she was done.

00:34:27.790 --> 00:34:31.679
They said that the director wanted to talk to her which of course, my mom said at that

00:34:31.679 --> 00:34:33.060
point I started getting nervous.

00:34:33.060 --> 00:34:34.620
I’m like, I bet you did.

00:34:34.620 --> 00:34:37.700
She sits down with the director and the director’s like, so how did we do?

00:34:37.700 --> 00:34:43.190
My mom gave her the score and said this is your overall score that you got, and the director

00:34:43.190 --> 00:34:47.190
asked is there a way that we could prep for this in the future?

00:34:47.190 --> 00:34:48.470
Kind of do a self-check?

00:34:48.470 --> 00:34:49.859
My mom’s like, absolutely.

00:34:49.859 --> 00:34:55.120
On this USB drive, we have this document with a self-checklist that you can fill out.

00:34:55.120 --> 00:34:57.040
Here you go, open it up.

00:34:57.040 --> 00:35:00.070
Sure enough, she got the director to open up the file.

00:35:00.070 --> 00:35:04.730
They clicked it, and got a reverse connection out of that network on the director’s computer.

00:35:04.730 --> 00:35:06.740
JACK: Oh, wow.

00:35:06.740 --> 00:35:08.079
That’s incredible.

00:35:08.079 --> 00:35:12.300
Well, the prison was very surprised with this report.

00:35:12.300 --> 00:35:17.070
They did not think somebody would be able to break into their prison at all.

00:35:17.070 --> 00:35:22.220
I don’t think they ever expected someone to get access to the computers after that.

00:35:22.220 --> 00:35:25.099
When they heard all this, they were shocked.

00:35:25.099 --> 00:35:27.690
They realized people weren’t following procedure.

00:35:27.690 --> 00:35:31.080
I mean, number one, nobody confirmed she was who she said she was.

00:35:31.080 --> 00:35:35.050
They didn’t call the Food Health Inspection Office to ask if there was a legit inspection

00:35:35.050 --> 00:35:36.730
planned for today.

00:35:36.730 --> 00:35:40.390
Number two, they allowed her to go into places that she shouldn’t have been able to go,

00:35:40.390 --> 00:35:45.010
like the Computer Network Operations Center, and they let her plug USB drives into computers

00:35:45.010 --> 00:35:47.220
there and run an executable program.

00:35:47.220 --> 00:35:52.710
That’s a big no-no that someone should have noticed and said whoa, whoa, whoa, who are

00:35:52.710 --> 00:35:53.710
you?

00:35:53.710 --> 00:35:59.210
The prison had to clean up all these failures on top of cleaning up the mold and other stuff

00:35:59.210 --> 00:36:01.339
she found. Unbelievable.

00:36:01.339 --> 00:36:07.550
JOHN: I think the reaction to this – there’s a couple of things; one, talking about it

00:36:07.550 --> 00:36:13.040
at DerbyCon and then I also talked about it at RSA, was really kind of a cathartic bit

00:36:13.040 --> 00:36:19.730
of closure because my mom, shortly thereafter that, was diagnosed with pancreatic cancer

00:36:19.730 --> 00:36:22.990
and she passed away after nine months of fighting it.

00:36:22.990 --> 00:36:30.760
It’s one of those really amazing stories that kind of highlights who this person was

00:36:30.760 --> 00:36:36.430
and what they did, and the way that they looked at the world that I think overshadows all

00:36:36.430 --> 00:36:40.940
the bad things that fighting cancer had with it.

00:36:40.940 --> 00:36:44.040
My mom was incredibly dedicated to our company.

00:36:44.040 --> 00:36:49.180
I remember she tried to work all the way through when she was fighting cancer.

00:36:49.180 --> 00:36:52.359
About two days before she died, she called me over to the house.

00:36:52.359 --> 00:36:58.220
We all went over and we had dinner, and she goes, I forgot the password to my computer.

00:36:58.220 --> 00:37:01.849
I basically got into the computer and handed it over to her.

00:37:01.849 --> 00:37:05.500
She got to the password change screen and she hands it to me and she goes, you need

00:37:05.500 --> 00:37:06.690
to set a password now.

00:37:06.690 --> 00:37:07.690
I’m like, why?

00:37:07.690 --> 00:37:10.540
She goes, I’m not gonna need this computer anymore.

00:37:10.540 --> 00:37:13.860
She died less than forty-eight hours after that.

00:37:13.860 --> 00:37:20.859
The cool thing is, I have a lot of great stories about my mom but this is one of those stories

00:37:20.859 --> 00:37:29.990
that is – it sums her up completely, being fearless, just being very good at everything

00:37:29.990 --> 00:37:36.550
that she does, and just being dedicated to what we did as far as a company.

00:37:36.550 --> 00:37:41.990
It was just really cool to have that as something that I can hold onto instead of

00:37:41.990 --> 00:37:44.329
thinking about all the bad things the last nine months.

00:37:44.329 --> 00:37:47.829
JACK: Can you talk about that superhero picture?

00:37:47.829 --> 00:37:55.860
JOHN: Yeah, so my mom’s dying and she – I actually have it here.

00:37:55.860 --> 00:37:57.660
I unpacked my bags from RSA.

00:37:57.660 --> 00:38:02.099
She found this picture of me and it’s whenever I’m like, I don’t know, four years old.

00:38:02.099 --> 00:38:07.150
I’m in blue jeans, black boots, and I’ve got my red underwear on the outside of my

00:38:07.150 --> 00:38:12.819
jeans and I’m wearing this blue corduroy jacket, and then this Superman cape because

00:38:12.819 --> 00:38:15.260
I wanted to be Superman.

00:38:15.260 --> 00:38:19.520
My mom always told me I was gonna end up either a superhero or in prison.

00:38:19.520 --> 00:38:22.460
She said there’s no place in-between for you.

00:38:22.460 --> 00:38:27.609
Growing up, I always had this prison picture that was drawn by my godfather in my hallway,

00:38:27.609 --> 00:38:30.619
or the hallway right outside of my bedroom.

00:38:30.619 --> 00:38:34.859
She would always point that out; you know, you could either end up in prison or you could

00:38:34.859 --> 00:38:36.270
end up being Superman.

00:38:36.270 --> 00:38:39.600
Being a little kid, I always loved Superman.

00:38:39.600 --> 00:38:44.450
She calls me over when she’s – just before we put her on morphine, ‘cause as soon as

00:38:44.450 --> 00:38:49.050
we put her on morphine, we lost – I lost my mom as soon as we put her on morphine.

00:38:49.050 --> 00:38:51.079
Her mind just kind of went away.

00:38:51.079 --> 00:38:56.670
She pulls out this Superman cape, the actual Superman cape from when I was three or four

00:38:56.670 --> 00:39:00.700
years old, like the Superman cape that she made.

00:39:00.700 --> 00:39:06.720
She hands it to me and she says I’m glad you chose wisely.

00:39:06.720 --> 00:39:30.150
JACK (OUTRO): [OUTRO MUSIC] A big thank you to John for sharing your story with us.

00:39:30.150 --> 00:39:37.310
John, you are certainly a superhero and your mom is a legend.

00:39:37.310 --> 00:39:42.170
This show was created by me, the ULA violator, Jack Rhysider.

00:39:42.170 --> 00:39:47.690
Original music this episode created by the lone operator Andrew Meriwether, editing help

00:39:47.690 --> 00:39:53.910
from the net cat Damienne, and our theme music is by the ever-sounding Breakmaster Cylinder.

00:39:53.910 --> 00:39:58.760
Even though when someone reports a security problem some companies will just send a cease-and-desist

00:39:58.760 --> 00:40:12.770
letter instead of actually patching their servers, this is Darknet Diaries.
