WEBVTT

00:00:01.342 --> 00:00:05.200
JACK: [MUSIC] Okay, so this one time in high school I had some friends over. Actually,

00:00:05.200 --> 00:00:10.240
it was a sleepover. My parents weren’t home that night but I had permission to have friends stay

00:00:10.240 --> 00:00:13.680
over. We stayed up late at night and we were playing outside in the front yard.

00:00:13.680 --> 00:00:18.160
We had all the lights on out front and the garage door was open, too. We took a break from playing

00:00:18.160 --> 00:00:21.760
and came in the house to get some snacks. We were sitting in the living room laughing and

00:00:21.760 --> 00:00:27.120
eating chips, and just then a woman opens my front door and walks into my house.

00:00:27.120 --> 00:00:31.840
We all freeze; nobody knows this woman. She looks at us, turns around, and walks back

00:00:31.840 --> 00:00:37.040
outside. My friends ask who was that? I have no idea. I sprang up, peeked out the front window.

00:00:37.040 --> 00:00:42.400
Nobody was there. I could feel my heart pumping. I slowly opened the front door and went outside.

00:00:42.400 --> 00:00:47.680
As I got out there I saw someone going into my house through the garage door. I go after them,

00:00:47.680 --> 00:00:52.640
following them. By the time I get inside there are three strangers standing in my living room looking

00:00:52.640 --> 00:01:00.080
at my friends. It was freaky. I was bewildered. One turned to me and said you must be Albert.

00:01:00.080 --> 00:01:04.960
I’m not Albert! I shouted. Then they said oh, you must be Eric, then. I’m not Eric,

00:01:04.960 --> 00:01:10.480
either. Nobody here is Albert or Eric. Panic set in on the strangers in my house.

00:01:10.480 --> 00:01:15.520
They all looked at each other with their eyes widening. I then spoke up, but there is an Albert

00:01:15.520 --> 00:01:20.240
and an Eric that live next door. They looked at the piece of paper in their hand and back to me,

00:01:20.240 --> 00:01:24.880
and immediately started apologizing. They came to visit the neighbors but they didn’t read the

00:01:24.880 --> 00:01:28.240
directions right. The neighbors told them they’ll just leave the door open and they

00:01:28.240 --> 00:01:32.640
should just walk on in since they’re arriving so late. But then they got the house wrong and

00:01:32.640 --> 00:01:38.000
walked into my house instead. I can laugh about this now but I was freaked out at the time.

00:01:38.000 --> 00:01:43.600
You ever make a mistake like this where when you misread one number it puts you in a situation that

00:01:43.600 --> 00:01:49.760
has crazy consequences? JACK (INTRO): [INTRO MUSIC]

00:01:49.760 --> 00:01:59.120
These are true stories from the dark side of the internet. I’m Jack Rhysider.

00:01:59.120 --> 00:02:14.720
This is Darknet Diaries. [INTRO MUSIC ENDS] JACK:

00:02:14.720 --> 00:02:18.800
I’m gonna try something a little different this episode. Usually I do one long story but instead

00:02:18.800 --> 00:02:23.040
I’m going to do a few mini-stories. These are shorter stories which are too good to ignore

00:02:23.040 --> 00:02:27.600
but not long enough for a full show. This first story is about a guy named Rob Fuller

00:02:27.600 --> 00:02:32.160
who also goes by Mubix and I like using hacker names for people so I’m gonna call

00:02:32.160 --> 00:02:37.040
him Mubix for the rest of the story. MUBIX: I work at Uber as a senior security

00:02:37.040 --> 00:02:44.400
engineer. I’m a senior technical advisor for the HBO show Silicon Valley as well as the

00:02:44.400 --> 00:02:48.800
host of the Hak5 show Metasploit Minute. JACK: Before he did all that he was a penetration

00:02:48.800 --> 00:02:52.160
tester and his job was to hack into companies to test their security.

00:02:52.160 --> 00:02:56.240
MUBIX: We were doing these tests pretty regularly for different companies.

00:02:56.240 --> 00:02:59.600
JACK: He’d often come into work, be given a URL and a block of IP addresses,

00:02:59.600 --> 00:03:04.080
and be told when to begin scanning to try to break into the client’s network. It’s exciting

00:03:04.080 --> 00:03:08.880
work but it often gets repetitive. But there was one test he’ll always remember.

00:03:08.880 --> 00:03:14.560
MUBIX: It was just a standard test out of the gate. It was really

00:03:14.560 --> 00:03:20.880
cookie-cutter, even. We do the scope and call, we get all the IPs. The test was a bunch of IPs; it

00:03:20.880 --> 00:03:26.640
was a company that, let’s just say made widgets. We were supposed to go after the widget maker and

00:03:26.640 --> 00:03:30.080
the source code for the widget maker. JACK: Mubix and his team have everything they

00:03:30.080 --> 00:03:35.040
need to start the mission to see if they can gain access to this widget maker server.

00:03:35.040 --> 00:03:42.960
MUBIX: We start scanning and look at the website and it’s kind of off-ish.

00:03:42.960 --> 00:03:51.200
The company that had these websites was like an LLC and the company that we had talked to

00:03:51.200 --> 00:03:58.720
was a corporation co. It’s like this is weird but it’s similar. Same name, not a big deal.

00:03:58.720 --> 00:04:03.520
JACK: Mubix double checks the IP addresses he was given to test and confirmed this was the same IP

00:04:03.520 --> 00:04:08.400
block that the client gave him to test on. Him and his team proceeded to penetrate the website.

00:04:08.400 --> 00:04:12.640
First he scans the entire IP range and starts looking for various points of entry.

00:04:12.640 --> 00:04:17.360
There’s a web server, an e-mail server, and more but those sites look pretty secure.

00:04:17.360 --> 00:04:21.760
No obvious vulnerabilities are reported on the scan. The members of his team start digging

00:04:21.760 --> 00:04:25.600
into lesser-known vulnerabilities, trying to find anything that might be exploitable.

00:04:25.600 --> 00:04:28.640
Thinking that he may not be able to get in using a web vulnerability,

00:04:28.640 --> 00:04:33.360
Mubix gets a new plan and starts to… MUBIX: Set up a phish, get our phish ready,

00:04:33.360 --> 00:04:38.640
find the different domains that we can send the phish to, find a couple of users.

00:04:38.640 --> 00:04:42.400
JACK: A phish is an e-mail that is designed to trick the user to click on something they

00:04:42.400 --> 00:04:46.960
shouldn’t be clicking so Mubix can infect their machine. But before they send the phish…

00:04:46.960 --> 00:04:52.800
MUBIX: One of our guys on the team finds a remote code execution under one of the web apps.

00:04:52.800 --> 00:04:58.000
JACK: Remote code execution means they can run commands on that web server. This is sometimes

00:04:58.000 --> 00:05:01.200
called getting a shell. This is bad because people on the internet should

00:05:01.200 --> 00:05:04.800
never be allowed to execute commands on your web server directly. From there they

00:05:04.800 --> 00:05:09.360
can do a lot of malicious things. MUBIX: He found a web application that he

00:05:09.360 --> 00:05:13.360
could run code just remotely. JACK: The team brims with delight

00:05:13.360 --> 00:05:16.880
upon getting this access. MUBIX: Yeah, the first shell that you

00:05:16.880 --> 00:05:24.800
get on a pen test is really an amazing feeling. It’s great. Obviously you have bad feelings

00:05:24.800 --> 00:05:30.720
for the company. It sucks that their security wasn’t good enough for their whatever it was or

00:05:30.720 --> 00:05:36.240
it’s not so great for them but it’s still a great feeling that you had the skill,

00:05:36.240 --> 00:05:45.440
or you had the timing, or whatever it was that ended up with you a shell. We all were really

00:05:45.440 --> 00:05:55.520
excited. Everything else kind of dropped by the wayside because we had access internally.

00:05:55.520 --> 00:05:58.720
We get into the command injection. Everybody’s really excited. We’re like awesome,

00:05:58.720 --> 00:06:02.080
so we dumped the phish. We’re not going to do the phish anymore. We start looking at

00:06:02.080 --> 00:06:08.880
where we can go from there. We get into the company, get the execution going,

00:06:08.880 --> 00:06:14.560
get the call backs going to command and control stuff, we dump a Meterpreter

00:06:14.560 --> 00:06:17.600
session on there. It calls back. JACK: A Meterpreter session is sort of a

00:06:17.600 --> 00:06:21.440
super tool that lets you remotely control a computer. You can see what applications are

00:06:21.440 --> 00:06:25.600
open and what it looks like from their desktop point of view, and what files are on the system,

00:06:25.600 --> 00:06:29.280
and you can turn on the microphone, and run a programming script, and so much more.

00:06:29.280 --> 00:06:34.240
This is part of a tool called Metasploit. MUBIX: Then we pivot into the network. It’s a

00:06:34.240 --> 00:06:40.400
pretty Swiss cheese network. We find the same admin on every single box;

00:06:40.400 --> 00:06:46.960
the Linux boxes have the same password as the Windows boxes. It’s just really a simple test

00:06:46.960 --> 00:06:51.760
and we’re just hipping and hollering, very happy that all this is going on.

00:06:51.760 --> 00:06:55.600
JACK: At this point they have gained access to a large number of systems in the network.

00:06:55.600 --> 00:06:59.120
They have admin access to most Linux and Windows machines and have mapped out their

00:06:59.120 --> 00:07:02.960
network pretty well. They’ve even gained access to their e-mail server and can read

00:07:02.960 --> 00:07:06.800
all e-mails being sent in and out. MUBIX: We hadn’t found the goal yet. That

00:07:06.800 --> 00:07:15.200
goal was the widget machine and the code for it. As we find more detail and try and figure out

00:07:15.200 --> 00:07:21.120
where this widget machine is and where the source code for it is and stuff like that, no one on the

00:07:21.120 --> 00:07:25.680
different team seems to have any information on this specific widget name. It’s like a key

00:07:25.680 --> 00:07:33.200
word or a code name this company had for this new product they’re building now. We couldn’t find it

00:07:33.200 --> 00:07:37.920
anywhere, we couldn’t find it anywhere. JACK: A week is up and it’s time to call the

00:07:37.920 --> 00:07:43.840
client to give a progress report. MUBIX: We tell them hey, we broke in,

00:07:43.840 --> 00:07:51.120
we found an easy web app, we found a bunch of admin access. The guy’s like,

00:07:51.120 --> 00:07:57.680
that’s weird. We don’t really normally have admin shared at all. We do some really good security

00:07:57.680 --> 00:08:04.400
there. That’s awesome, I’m really looking forward to the report. Then he asked about our goal. We’re

00:08:04.400 --> 00:08:10.400
like yeah, we haven’t even found anyone who’s working on this widget thing. He’s like well,

00:08:10.400 --> 00:08:15.840
that’s good. At least we have some security there where you’re not being able to find the developers

00:08:15.840 --> 00:08:19.280
pretty well. He was really happy. JACK: The weekend passes. The team

00:08:19.280 --> 00:08:22.320
starts again on Monday looking for this widget machine in their network.

00:08:22.320 --> 00:08:30.080
MUBIX: [MUSIC] We’re still having zero luck at all finding anyone that has anything remotely

00:08:30.080 --> 00:08:35.520
to do with this widget that we’re searching for. We can’t even find mention of it anywhere.

00:08:35.520 --> 00:08:39.760
Like, we have access to pretty much everything this company does; e-mails,

00:08:39.760 --> 00:08:43.040
wikis, and shares. JACK: Mubix and his team spend the

00:08:43.040 --> 00:08:48.160
whole week scouring through the entire company looking for any information about that target

00:08:48.160 --> 00:08:53.040
system they’re trying to find, a widget maker of some kind. But they’re finding nothing at all.

00:08:53.040 --> 00:08:57.280
They read tons of e-mails, they map the entire network. They took full control of all

00:08:57.280 --> 00:09:02.320
important systems and still couldn’t find it. At the end of the week they get on another call with

00:09:02.320 --> 00:09:06.320
the client to give another progress report. MUBIX: We’re like we broke into all these things.

00:09:06.320 --> 00:09:13.840
We couldn’t find the widget. Here’s the websites. The client’s like, that isn’t my website.

00:09:13.840 --> 00:09:17.760
Those aren’t my IP ranges. We’re like

00:09:17.760 --> 00:09:25.600
um, well, those are the ones you gave us. We quickly double-checked that we’re right.

00:09:25.600 --> 00:09:34.000
The client goes and looks at the IP range that he sent me. He’s like oh, crap. That IP is one off.

00:09:34.000 --> 00:09:42.160
We’re like uh, okay. Time to get lawyers involved and insurance involved. We need to

00:09:42.160 --> 00:09:46.080
figure out how to fix this. JACK: Mubix and his team have realized

00:09:46.080 --> 00:09:50.880
the severity of what’s wrong here. They have systematically and precisely broken into a

00:09:50.880 --> 00:09:55.120
company that they do not have permission to break into. Not only that, they’ve scoured

00:09:55.120 --> 00:10:00.480
through almost everything in that company, reading a lot of private information. This is

00:10:00.480 --> 00:10:05.200
a serious problem. This is worse than walking into the wrong house late at night. This

00:10:05.200 --> 00:10:10.080
is more like when the SWAT team gets the address wrong and busts down the door of the wrong house.

00:10:10.080 --> 00:10:14.000
Mubix didn’t get the IP address wrong, though; his client did. They gave him

00:10:14.000 --> 00:10:18.080
the wrong IP to test against. MUBIX: Uh-huh. It was just the perfect

00:10:18.080 --> 00:10:23.440
typo that went to this other company that did almost the exact same thing

00:10:23.440 --> 00:10:25.360
which is insane. JACK: It’s kind of like if

00:10:25.360 --> 00:10:29.520
someone misdialed your phone but the person who picked up had the same name as you and

00:10:29.520 --> 00:10:33.840
went to the same school as you and worked at the same company as you, but it’s not you. Something

00:10:33.840 --> 00:10:40.320
like this happening is incredible. MUBIX: It was just this weird stroke of luck or

00:10:40.320 --> 00:10:47.920
fate, whatever, that the company we were a client of at the time, that had been on the

00:10:47.920 --> 00:10:56.800
phone calls and stuff, was literally one digit in the IP range different than this other company.

00:10:56.800 --> 00:11:06.400
The company that we’d broken into made very similar stuff with a very similar name.

00:11:06.400 --> 00:11:10.480
They just didn’t make that particular type of widget.

00:11:10.480 --> 00:11:15.680
We hadn’t noticed. We didn’t notice at all. JACK: Mubix and his team were getting increasingly

00:11:15.680 --> 00:11:18.240
concerned. The tension in the office was very high.

00:11:18.240 --> 00:11:28.000
MUBIX: Absolutely astronomical. The lawyers were looking up all kinds of cyber-law and

00:11:28.000 --> 00:11:31.920
trying to find if we were on the hook for this even though it was their fault,

00:11:31.920 --> 00:11:37.280
right, the point-of-contact’s fault. They combed through probably an entire weekend

00:11:37.280 --> 00:11:45.440
without getting much sleep of all of the different laws and litigation and

00:11:45.440 --> 00:11:52.320
precedence that’s out there and talking to our insurance to see what kind of liability we’re in

00:11:52.320 --> 00:11:56.640
for and how much that’s gonna cost. JACK: The weekend passes. Monday comes

00:11:56.640 --> 00:11:59.680
and it’s time to call the company they broke into and tell them what

00:11:59.680 --> 00:12:05.360
happened. Lawyers prepare for the worst. MUBIX: They were bracing for the point-of-contact

00:12:05.360 --> 00:12:13.840
to point blame at us, that we hadn’t verified it or that we hadn’t done due diligence on

00:12:13.840 --> 00:12:20.240
the IP range. They were kind of legitimate claims, right; the pen test

00:12:20.240 --> 00:12:26.080
company should have noticed. We should have noticed that the IP range was not

00:12:26.080 --> 00:12:31.920
the same company but like, the company and what they did were so – the company name

00:12:31.920 --> 00:12:36.880
and what they did were so similar. JACK: It’s time to call the client. They

00:12:36.880 --> 00:12:41.440
wanted to speak to the head of security but they needed to get his e-mail address and phone number

00:12:41.440 --> 00:12:45.120
but they found a clever way to get it. MUBIX: Easy; we had access to everything.

00:12:45.120 --> 00:12:51.200
We just looked at their global address list for [inaudible] and find their security guy.

00:12:51.200 --> 00:12:55.760
JACK: Since they had full control of their active directory server they could look anyone up

00:12:55.760 --> 00:13:00.160
internally using their global address list. So Mubix, his manager, his team,

00:13:00.160 --> 00:13:04.000
and the lawyers all get on the conference call. They call the head of security of the company

00:13:04.000 --> 00:13:08.800
they just broke into. Mubix’s manager explains that they just broke into the

00:13:08.800 --> 00:13:12.800
company and gained access to everything. MUBIX: He started apologizing, we all started

00:13:12.800 --> 00:13:21.040
apologizing, and the security gentleman at the other company was like wait, what happened?

00:13:21.040 --> 00:13:27.200
How’d that work? You broke in?

00:13:27.200 --> 00:13:34.240
Great. We’ve been trying to get a pen test here for like, years and no one has ever given me

00:13:34.240 --> 00:13:44.320
enough buy-in for it. I’m like what? You’re happy? Yeah, this is great. Do you have a report?

00:13:44.320 --> 00:13:49.200
And we’re like yeah, here it is. Here’s the report out. He’s like, that’s amazing. Can we get you

00:13:49.200 --> 00:13:56.960
guys back next year? It was like, holy crap. Now I can get budget for all the security problems,

00:13:56.960 --> 00:14:07.520
the local admin stuff I’ve known for years and I just can’t get rid of it. It’s like oh my god.

00:14:07.520 --> 00:14:10.720
[MUSIC] That could have gone so much worse.

00:14:10.720 --> 00:14:14.560
The lawyers were on the phone and they couldn’t believe it.

00:14:14.560 --> 00:14:21.920
It was unbelievable and he was so happy. JACK: At this point, two weeks into this,

00:14:21.920 --> 00:14:27.040
Mubix still hasn’t even begun to test the actual company he was supposed to test against.

00:14:27.040 --> 00:14:30.640
MUBIX: The other company was just so happy that there was not going to be a lawsuit

00:14:30.640 --> 00:14:35.920
because technically they were at fault for providing us wrong information that they didn’t

00:14:35.920 --> 00:14:47.120
even want another test from us. The security guy was okay. Their lawyers were kind of pissed

00:14:47.120 --> 00:14:55.680
and their management were kind of pissed and I get it. They don’t know the technical aspects

00:14:55.680 --> 00:15:06.160
of what went wrong and how serendipitous it was with the IP ranges being so similar.

00:15:06.160 --> 00:15:08.560
We didn’t get them back as a client but we got a new client.

00:15:08.560 --> 00:15:13.440
JACK: This new company they actually tested against remained a client for years

00:15:13.440 --> 00:15:18.000
and would get regular penetration tests from Mubix and his team but eventually years later

00:15:18.000 --> 00:15:22.160
Mubix moved on from doing pen tests. MUBIX: I actually still talk to the

00:15:22.160 --> 00:15:31.600
point-of-contact pretty regularly and he’s still telling that story to this day. The world aligned

00:15:31.600 --> 00:15:37.840
in a lot of ways; one to screw us up by having the company so close to the original

00:15:37.840 --> 00:15:44.720
and two to make it so that that new company wasn’t going to make us liable for it and was really

00:15:44.720 --> 00:15:58.240
totally cool about it. JACK: [MUSIC]

00:15:58.240 --> 00:16:04.960
Our next story is so strange that it stunned our guest and me. Maybe it’ll stun you, too. I

00:16:04.960 --> 00:16:09.520
suppose an introduction is in order. ROBERT: Sure. Robert M. Lee. I am the CEO

00:16:09.520 --> 00:16:11.520
and founder of Dragos. JACK: Robert started out in the

00:16:11.520 --> 00:16:16.720
Air Force where he faced-off against many nation state attackers and advanced persistent threats.

00:16:16.720 --> 00:16:20.800
He then moved onto the private sector doing incident response for cyber-attacks.

00:16:20.800 --> 00:16:24.240
He then took an interest in industrial control systems and started his own

00:16:24.240 --> 00:16:28.400
company called Dragos to defend against industrial attacks like attacks against

00:16:28.400 --> 00:16:33.840
dams and nuclear facilities and water treatment plants. One day he gets a call from a client who

00:16:33.840 --> 00:16:40.240
thinks they’re infected with malware. ROBERT: The client operates wind turbines and

00:16:40.240 --> 00:16:44.480
effectively started noticing some abnormal behavior in their environment. They’re reaching

00:16:44.480 --> 00:16:53.280
out and calling us to go do an incident response with them. When I first took the call, my question

00:16:53.280 --> 00:16:57.440
immediately to them was well, how do you know – what are the indications that you have an

00:16:57.440 --> 00:17:01.360
incident? How do you know that you already need an incident response? Usually there’s – unless it’s

00:17:01.360 --> 00:17:05.280
entirely obvious, there’s questions. First off, a) we think we’re compromised.

00:17:05.280 --> 00:17:11.040
These folks were pretty persistent that they were absolutely compromised but every question I asked

00:17:11.040 --> 00:17:16.400
them around is data leaving your environment or are any of the turbines down? You know, any of the

00:17:16.400 --> 00:17:21.040
normal things that might come up. They were just very cool-headed about it all and said no, no,

00:17:21.040 --> 00:17:27.520
everything’s fine, we just know we’re compromised. It struck me to be kind of lackadaisical,

00:17:27.520 --> 00:17:31.520
sort of laid-back attitude they were taking to the incident which my first indication this might

00:17:31.520 --> 00:17:34.640
be an interesting case. JACK: Robert takes the case

00:17:34.640 --> 00:17:39.920
and heads to the wind farm. ROBERT: This is not a huge wind farm.

00:17:39.920 --> 00:17:46.800
We’re not talking your large operation. In the world of wind energy you’ve got everything from

00:17:46.800 --> 00:17:51.280
those folks that are kind of your management companies to the folks that may be doing control

00:17:51.280 --> 00:17:57.680
centers and SCADA, work for multiple companies. But you’ve got tons of these small little

00:17:57.680 --> 00:18:06.880
companies that pop up that might have access to a dozen, twenty, fifty or so wind-generating units.

00:18:06.880 --> 00:18:10.160
They’re not even really connected to the grid. They’re not really

00:18:10.160 --> 00:18:14.960
normal electric providers like we think. They’re definitely not utilities; they’re just

00:18:14.960 --> 00:18:19.760
generating a small amount of electricity and they sell it off to a larger company or somebody

00:18:19.760 --> 00:18:23.520
who can get it onto the grid for them. JACK: He takes a look around the wind turbines

00:18:23.520 --> 00:18:27.760
to see what the network looks like. The client was reporting that a dozen of their wind turbines

00:18:27.760 --> 00:18:32.800
were infected with malware. Each of the turbines had their own Windows computer connected to it.

00:18:32.800 --> 00:18:36.960
This computer would monitor the wind-speed, production output, health checks, and be

00:18:36.960 --> 00:18:41.200
able to control parts of the turbine. ROBERT: As we got on-site we asked a) what

00:18:41.200 --> 00:18:45.920
all took place? How do you know for sure that something is wrong? What made you so cool-headed

00:18:45.920 --> 00:18:51.520
about knowing that there was an incident and not freaking out? They said oh, it’s real simple.

00:18:51.520 --> 00:18:57.040
Our wind turbine network has been patching itself. We were kind of pushed

00:18:57.040 --> 00:19:00.960
back a little bit like, okay. So it’s been patching itself. That’s

00:19:00.960 --> 00:19:04.560
definitely an interesting behavior. I’m like well, are you sure there’s not somebody from

00:19:04.560 --> 00:19:10.320
IT that’s been doing patching or coordinating with the operations folks? They said oh no, no,

00:19:10.320 --> 00:19:14.640
we checked with IT. It’s definitely just patching itself.

00:19:14.640 --> 00:19:20.240
At that point we thought it was pretty interesting of course. We go take a look. As it turns out,

00:19:20.240 --> 00:19:27.440
where there were Windows operating systems in the environment, they absolutely were being patched.

00:19:27.440 --> 00:19:32.640
As we looked at it, it was pretty clear that there was malicious activity on the systems. It wasn’t

00:19:32.640 --> 00:19:39.280
hurting anything. It wasn’t damaging anything but it was effectively early crypto-jacking software

00:19:39.280 --> 00:19:46.880
where they were effectively using the spare resources on the system to be able to do various

00:19:46.880 --> 00:19:51.840
crypto-currency type mining. I think this one was actually Bitcoin if I remember correctly.

00:19:51.840 --> 00:19:56.160
JACK: The hackers who got into the computers at these wind turbines were using the systems

00:19:56.160 --> 00:20:00.000
to mine Bitcoin. The way hackers like this work is they get dozens or hundreds

00:20:00.000 --> 00:20:04.240
or thousands of computers that they don’t own to all mine Bitcoin for them at once.

00:20:04.240 --> 00:20:09.360
A handful of computers mining Bitcoin like this isn’t much profit but if hundreds or thousands are

00:20:09.360 --> 00:20:14.000
going all at once then the daily profit starts to become significant. Basically they infect

00:20:14.000 --> 00:20:19.440
the machines with software that would utilize the spare CPU and graphics power to make money off it.

00:20:19.440 --> 00:20:23.600
These wind turbines were connected to the internet and the hackers somehow found their way into these

00:20:23.600 --> 00:20:27.200
systems and were making money from it. ROBERT: It seemed that the adversary was

00:20:27.200 --> 00:20:33.200
keeping up with the patches. Our assessment of the situation was they were keeping other

00:20:33.200 --> 00:20:37.920
malware and other adversaries off those systems by updating and then maintaining

00:20:37.920 --> 00:20:45.520
them so that they could have their little crypto-currency farm there across the wind farm.

00:20:45.520 --> 00:20:51.360
But probably the most interesting thing, what makes it really interesting from an IR story

00:20:51.360 --> 00:20:55.520
has nothing to do with the fact that adversaries are taking advantage of Windows systems.

00:20:55.520 --> 00:21:00.400
Sure, it’s interesting that it was a wind farm but what really got interesting is we made the

00:21:00.400 --> 00:21:08.160
recommendation; here’s how we can clean this up. We figured it all out. Here’s this activity

00:21:08.160 --> 00:21:15.360
group that’s related to cyber-crime. We can absolutely take care of this for you no problem.

00:21:15.360 --> 00:21:21.520
It won’t be any big deal. The business leaders had come back to us and said well,

00:21:21.520 --> 00:21:30.160
operations have pulled the data to show that we now have a faster and more reliable patch cycle

00:21:30.160 --> 00:21:36.160
with the adversaries than our own IT departments.

00:21:36.160 --> 00:21:40.080
It’s like look, you can’t really just let the adversary stay. There’s a lot

00:21:40.080 --> 00:21:44.960
of risk in doing that. You don’t know what else the IP connections would be used for.

00:21:44.960 --> 00:21:48.000
When they eventually make a mistake, all that risk is completely on you.

00:21:48.000 --> 00:21:55.680
I advocated every which way I could but as much as I hate to admit it, the business owners decided

00:21:55.680 --> 00:22:02.960
that they were going to let the activity remain but just put some additional monitoring in place

00:22:02.960 --> 00:22:11.520
since they were affected and had deployed patches across the environment.

00:22:11.520 --> 00:22:16.000
From then, operations respected what was done. These were systems that weren’t really

00:22:16.000 --> 00:22:21.280
supported on the contract anyway. They didn’t have warranties that were gonna be voided by

00:22:21.280 --> 00:22:25.280
the deployment of the patch. All of the normal considerations

00:22:25.280 --> 00:22:29.200
that would have pushed against this had met this perfect storm where

00:22:29.200 --> 00:22:34.480
they were completely comfortable with having the adversary being in that environment. It

00:22:34.480 --> 00:22:44.960
was just stunning to me. From the adversary’s perspective, I imagine they were trying to do a

00:22:44.960 --> 00:22:49.760
fairly low and slow approach to not be noticed in the first place, or not be

00:22:49.760 --> 00:22:54.560
kicked out in the first place so it wasn’t like they were bogging down the systems to a point that

00:22:54.560 --> 00:22:58.080
it was having an impact to the operations. The systems were definitely slower and the

00:22:58.080 --> 00:23:01.520
resource utilization was high on them but it wasn’t

00:23:01.520 --> 00:23:12.160
making it where they couldn’t produce energy from the wind turbines. Yeah, I was stunned.

00:23:12.160 --> 00:23:18.640
Normally an operations team, industrial – your operators in the industrial control environments,

00:23:18.640 --> 00:23:23.680
not in a million years would they allow that. Even if it somehow was better than IT they don’t want

00:23:23.680 --> 00:23:29.360
random patches to go out whenever somebody feels like it, uncoordinated, unscheduled. But this was

00:23:29.360 --> 00:23:35.360
a very small operation. We’re not talking like a national wind farm, a national company. This

00:23:35.360 --> 00:23:42.160
was a smaller company that didn’t have a ton of resources in the first place. The idea of free IT

00:23:42.160 --> 00:23:49.120
services probably seemed pretty enticing, I guess. I don’t know what went through their mind.

00:23:49.120 --> 00:23:56.240
I was pretty stunned. I don’t want to instill the idea in people that this is common at

00:23:56.240 --> 00:24:01.680
all, or that this is in any way representative of the electric industry. This is a small

00:24:01.680 --> 00:24:06.800
junior company who didn’t know what to do in this situation and made a decision that they

00:24:06.800 --> 00:24:12.480
were comfortable with that I wasn’t fully a fan of. As I think about this case study out loud now,

00:24:12.480 --> 00:24:16.240
I can already see somebody being like, oh, the electric grid was threatened by blah, blah. No,

00:24:16.240 --> 00:24:23.360
no. It’s a small number of wind turbines. It has no impact on electric grid whatsoever.

00:24:23.360 --> 00:24:27.520
JACK: While Robert came to do incident response and clean the malware up, he left the wind farm

00:24:27.520 --> 00:24:32.400
with malware still running. The client was happy that he was able to solve the mystery of why these

00:24:32.400 --> 00:24:36.560
systems were patching. The client put together a plan to clean these systems up when the time

00:24:36.560 --> 00:24:40.800
was needed and they made sure they had backups and isolated the systems so they wouldn’t be able to

00:24:40.800 --> 00:24:46.160
get anywhere else. But they let the hacker stay on the systems and mine the Bitcoin and they let the

00:24:46.160 --> 00:25:02.160
two live in a strange symbiosis harmony. [MUSIC] This summer I took a trip to Defcon,

00:25:02.160 --> 00:25:04.240
the largest hacker conference in the world.

00:25:04.240 --> 00:25:08.080
It’s just like you would imagine a hacker conference to be; lots of people wearing black,

00:25:08.080 --> 00:25:13.120
dyed mohawks everywhere, antennas sticking out of backpacks, and blinking lights everywhere.

00:25:13.120 --> 00:25:17.520
When I was there I got to meet Snow. She started telling me about an interesting story so I turned

00:25:17.520 --> 00:25:22.320
on the mic and started recording. I started out by asking her how she got started as a hacker.

00:25:22.320 --> 00:25:28.160
SNOW: It’s funny that you ask that question as we’re here at Defcon. Actually, everything that

00:25:28.160 --> 00:25:35.680
brought me to do my career is because of Defcon. It was Defcon 18 or 19. My husband who’s been in

00:25:35.680 --> 00:25:42.480
security for years finally decided to come and he asked me if I wanted to go. I had no interest

00:25:42.480 --> 00:25:46.400
at all in attending a hacker conference. That was just not something I wanted to

00:25:46.400 --> 00:25:50.160
do. But I wanted to go to Vegas and just wanted to sit out by the pool all day, and

00:25:50.160 --> 00:25:55.520
sip on drinks and that sounded perfect. He actually ended up getting me a badge

00:25:55.520 --> 00:26:01.120
and I think the very first talk I went and saw was something about malware reversing and it just went

00:26:01.120 --> 00:26:05.440
over my head and I just had to get out of there as soon as possible. Where I went from there is I

00:26:05.440 --> 00:26:11.120
found the lock-picking village. That day I picked my first couple locks and I got out of handcuffs.

00:26:11.120 --> 00:26:16.960
I remember just feeling that rush was amazing and I loved it. From there I wandered around some

00:26:16.960 --> 00:26:22.720
more trying to avoid talks as much as possible. I found the social engineering village. I remember

00:26:22.720 --> 00:26:26.960
sitting in the room and watching the calls and just thinking that this was made for me.

00:26:26.960 --> 00:26:30.320
JACK: The social engineering village at Defcon is an area where you can practice,

00:26:30.320 --> 00:26:35.120
learn, and compete in social engineering.
SNOW: Just watching people sit there and ask

00:26:35.120 --> 00:26:41.920
like, creative ways they asked questions to get specific pieces of information and then –

00:26:41.920 --> 00:26:46.560
I mean, they made it look easy and I knew it wasn’t that easy but how creative they were,

00:26:46.560 --> 00:26:50.480
I think is what really sparked my interest.
JACK: On stage during the competition you can

00:26:50.480 --> 00:26:54.480
watch a live person in a sound-isolation booth on a call trying to trick someone

00:26:54.480 --> 00:26:58.800
into giving them information they shouldn’t give out. It’s fascinating to watch this live

00:26:58.800 --> 00:27:02.560
and to learn all the effective ways they’re lying to people to get what they want.

00:27:02.560 --> 00:27:06.800
SNOW: After that I remember researching everything I could on social engineering.

00:27:06.800 --> 00:27:11.040
I bought every book that was made.
JACK: She went home from Defcon with a

00:27:11.040 --> 00:27:15.120
completely new passion and she felt like she was pretty good at it so she came back

00:27:15.120 --> 00:27:18.480
to Defcon the next year.
SNOW: I went back and I competed

00:27:18.480 --> 00:27:21.920
in the contest.
JACK: She didn’t win but she learned a lot.

00:27:21.920 --> 00:27:26.720
This contest is actually several months long and the final part being a live call on stage

00:27:26.720 --> 00:27:30.960
at Defcon. [MUSIC] When she competed she saw what everyone else was doing and she learned

00:27:30.960 --> 00:27:35.600
about all the places she forgot to look and all the things she forgot to do and all the different

00:27:35.600 --> 00:27:39.760
techniques there are for lying to someone to get them to tell you the information you need.

00:27:39.760 --> 00:27:45.280
She practiced and read even more and came back again to Defcon the next year and competed again,

00:27:45.280 --> 00:27:50.640
this time ranking high but still not winning the competition. But Snow was determined so she went

00:27:50.640 --> 00:27:55.360
back to studying social engineering some more and practiced even more and came back to compete for

00:27:55.360 --> 00:27:58.560
a third year.
SNOW: I won Defcon

00:27:58.560 --> 00:28:03.440
22. I won the Black Badge.
JACK: The coveted Black Badge at Defcon is rare.

00:28:03.440 --> 00:28:07.920
It’s only given to contest winners and a select few, and besides the bragging rights of being the

00:28:07.920 --> 00:28:13.040
winner, you also get free entry to Defcon for life. But what’s more is this started

00:28:13.040 --> 00:28:17.440
Snow on a totally new path in life.
SNOW: After I think my second year competing,

00:28:17.440 --> 00:28:21.280
I had a good handful of people in the audience come up to me after and ask

00:28:21.280 --> 00:28:26.960
if I would do that work for their companies. That’s really what got me going. I started my

00:28:26.960 --> 00:28:32.720
own consultancy and I’ve worked for a handful of companies doing this. Ever since then I’ve been

00:28:32.720 --> 00:28:37.840
just doing this work professionally.
JACK: More and more companies are seeing how

00:28:37.840 --> 00:28:41.120
the humans in the office are often the weakest link in the security

00:28:41.120 --> 00:28:45.440
so they hire social engineers to not only test the security of the people in the company

00:28:45.440 --> 00:28:50.000
but also they use it as an opportunity to teach them how to be safer. She tests for a variety

00:28:50.000 --> 00:28:53.200
of security controls.
SNOW: The main ones that I do

00:28:53.200 --> 00:28:57.200
are physical security, phishing, which is sending the e-mails,

00:28:57.200 --> 00:29:03.520
vishing, with a v, voice phishing, and then I do a lot of open source intelligence-gathering. Before

00:29:03.520 --> 00:29:07.760
I do any of these assessments I’m always going online, seeing what information I can use

00:29:07.760 --> 00:29:11.360
to better craft my campaigns.
JACK: For years she continued to do this

00:29:11.360 --> 00:29:17.040
consulting work, testing networks and people, and one day she got a call from a Fortune 500 company

00:29:17.040 --> 00:29:22.000
wanting her to do some social engineering tests against them.

00:29:22.000 --> 00:29:28.320
SNOW: They just opened up a brand-new headquarters in Europe. They wanted to test their brand-new

00:29:28.320 --> 00:29:34.800
European headquarter location. My goals for that assessment were mainly to see if I can make it

00:29:34.800 --> 00:29:42.960
onto their floors. It was like, a twenty-floor skyscraper and they had five floors in there. That

00:29:42.960 --> 00:29:46.880
was the main goal; get onto the floors, follow it up by seeing what information I could get

00:29:46.880 --> 00:29:54.640
from the employees. However, the scope was really limited. I couldn’t do RFID cloning; I couldn’t do

00:29:54.640 --> 00:30:00.080
any type of bypassing, lock-picking things like that. My hands were kind of tied in that sense.

00:30:00.080 --> 00:30:08.080
[MUSIC] From there I decided to try to figure out who I wanted to be for this assessment.

00:30:08.080 --> 00:30:12.640
While I’m doing open source intelligence-gathering I’m trying to find where they have their doors,

00:30:12.640 --> 00:30:17.440
what kind of security is in place. That way I know what I’m getting into before I go on-site.

00:30:17.440 --> 00:30:22.240
As I’m doing all this research, I’m not finding shit. It’s a brand-new building. It’s not even

00:30:22.240 --> 00:30:28.160
on Google Maps yet. Most of my clients that I’ve done, I’m able to find their property management

00:30:28.160 --> 00:30:34.000
companies, phone numbers, all their buildings so I can do street-view around the building,

00:30:34.000 --> 00:30:38.080
all kinds of stuff. This one had nothing ‘cause it’s new. They didn’t even have a huge employee

00:30:38.080 --> 00:30:43.120
presence online ‘cause that’s another thing I like to do; I like to look at Facebook, Instagram, even

00:30:43.120 --> 00:30:48.320
LinkedIn to see who’s posting pictures of their employee badges. That way before I go on-site

00:30:48.320 --> 00:30:54.320
I can create my own so I can blend in. I’m not finding anything during this phase. The

00:30:54.320 --> 00:30:59.760
only thing I could think to do was show up on-site and before I actually start the assessment, do

00:30:59.760 --> 00:31:04.320
reconnaissance. While I’m doing that I’m looking for employees wearing their badges. That way I

00:31:04.320 --> 00:31:11.440
can snap some pictures, go back to my hotel room, create my own and then hopefully I can blend in.

00:31:11.440 --> 00:31:16.240
I’m doing my reconnaissance. I’m walking around the building. Everything is very locked-down.

00:31:16.240 --> 00:31:20.800
Most buildings will have a main entrance that people can come in and out of the lobby.

00:31:20.800 --> 00:31:28.720
This one had turnstiles just into the building. They had RFID which was out of scope,

00:31:28.720 --> 00:31:35.920
so I had a really hard time trying to figure out how to get into the building.

00:31:35.920 --> 00:31:42.560
I was able to find a side door that was unlocked and go in that way. The second I’m in the lobby,

00:31:42.560 --> 00:31:46.960
I’m looking around trying to find employees, trying to look for IDs,

00:31:46.960 --> 00:31:51.520
and the receptionist looks at me. I must have stood out like a sore thumb ‘cause

00:31:51.520 --> 00:31:57.840
she started grilling me all kinds of questions. I just explained I was waiting for a friend.

00:31:57.840 --> 00:32:03.520
She said no, you’ve gotta wait outside. She kicks me out. Right there I’m like shit, my

00:32:03.520 --> 00:32:09.120
cover is probably already blown, I haven’t found any pictures of employee badges. I’m stressing

00:32:09.120 --> 00:32:15.920
out. This company paid a lot of money to fly me very far to test their security and I’m having a

00:32:15.920 --> 00:32:22.080
hard time just finding stuff online, let alone [inaudible]. So I go back to my hotel and I’m

00:32:22.080 --> 00:32:26.400
still trying to research. Hopefully I can find some nugget of information. I’m not

00:32:26.400 --> 00:32:33.200
finding anything. Lots of pressure with these kinds of assessments ‘cause you wanna do good,

00:32:33.200 --> 00:32:39.360
and especially if they’re sending you all that way to perform this kind of assessment. I’m

00:32:39.360 --> 00:32:44.560
banging my head against the wall for a while and I finally come up with the idea because I saw a

00:32:44.560 --> 00:32:49.520
news article they released that they had a bunch of new investors for this new building.

00:32:49.520 --> 00:32:55.440
My idea was I was gonna be an investor-relations manager from the Americas building and I was

00:32:55.440 --> 00:33:01.120
coming over to check out the new building and to set up meetings with potential new investors. When

00:33:01.120 --> 00:33:08.480
you throw around the word investors with companies that big, they will bend over backwards for you.

00:33:08.480 --> 00:33:13.680
[MUSIC] What I did is I found the phone number for a VP in the Americas. I spoofed my number

00:33:13.680 --> 00:33:17.920
to look like it was calling from her and I called the European headquarters and said hey,

00:33:17.920 --> 00:33:22.640
we’re sending out this investor relations manager. She just needs to do a quick tour

00:33:22.640 --> 00:33:27.440
of the facility and then set up some times to meet with some investors. She’ll be there

00:33:27.440 --> 00:33:32.400
tomorrow morning at 9 a.m.; please make sure she has a guest badge ready, and pretty much

00:33:32.400 --> 00:33:38.080
give her whatever she wants ‘cause she could be bringing in a lot of money for us.

00:33:38.080 --> 00:33:43.040
That conversation with the receptionist, she seemed very willing to help and very happy.

00:33:43.040 --> 00:33:48.400
That kind of gave me a little boost like okay, this might work.

00:33:48.400 --> 00:33:56.000
I show up the next morning at 9 a.m. I was wearing a business suit and I had a – I

00:33:56.000 --> 00:34:03.200
wasn’t able to find employee IDs from the Americas office so I created one from the Americas office

00:34:03.200 --> 00:34:07.840
‘cause I wasn’t sure if they looked different in Europe which they actually did. I had an ID

00:34:07.840 --> 00:34:12.880
created for that, I was in a business suit, I had a clipboard which was a forged document with just

00:34:12.880 --> 00:34:20.000
a handful of questions. On the next page I had a bunch of information about local large companies

00:34:20.000 --> 00:34:24.000
that could be potential investors. I show up to the receptionist that morning

00:34:24.000 --> 00:34:28.800
hoping she wouldn’t recognize me ‘cause I changed my hair around, I changed my clothes,

00:34:28.800 --> 00:34:32.960
and I had my badge on so that gave me a lot of credibility. I said hey,

00:34:32.960 --> 00:34:41.360
I’m this person and I need to get onto – I have a meeting on this floor. She hands me a guest pass

00:34:41.360 --> 00:34:47.360
and walks me right through to the turnstiles and the elevators and walks me right up to their

00:34:47.360 --> 00:34:52.480
main floor which is I don’t know, floor five or six or something like that, and just leaves me

00:34:52.480 --> 00:34:58.640
there to wait for their receptionist. I was like holy shit, I’m on the floor. I got the big goal.

00:34:58.640 --> 00:35:05.680
I made it onto the floor. It’s just, it’s a rush. It is, oh yeah. It’s very scary and a

00:35:05.680 --> 00:35:10.560
lot of people think that I’ve been doing this for years, like it’s easier, it doesn’t.

00:35:10.560 --> 00:35:14.880
Every time before I do anything or if I’m talking to someone, I get that feeling in

00:35:14.880 --> 00:35:21.520
my gut like oh god, I’m gonna get caught. But it is such a rush. I’m always nervous every time,

00:35:21.520 --> 00:35:26.960
every time. I get onto the floor and I introduce myself to their receptionist, not the building’s

00:35:26.960 --> 00:35:31.680
receptionist but my client receptionist now. She says oh, we’re so excited you’re here,

00:35:31.680 --> 00:35:38.560
we’ve been waiting for you. She offered to get me some coffee and she said that she had the

00:35:38.560 --> 00:35:44.240
facility manager that was gonna show me around and give me a tour of the building. He comes a little

00:35:44.240 --> 00:35:51.680
bit later and he gives me a tour of every inch of their five floors. As we’re going on the tour I’m

00:35:51.680 --> 00:35:56.240
trying to keep in mind I need to get information from him ‘cause that’s my second goal.

00:35:56.240 --> 00:36:00.800
So I start saying things like well, I have a couple potential investors who are really

00:36:00.800 --> 00:36:04.960
concerned about physical security. They’ve invested in other firms before and they’ve

00:36:04.960 --> 00:36:11.520
been broken into so I need to make sure I can assure them that this is not an issue. I said

00:36:11.520 --> 00:36:17.840
I need to know now where your issues are so I can make sure they’re fixed before I go back to them.

00:36:17.840 --> 00:36:22.720
He went through and showed me a handful of places that were actually vulnerable. He

00:36:22.720 --> 00:36:29.600
explained how one of the side employee entrances only, it was RFID protected. It had the red light

00:36:29.600 --> 00:36:34.000
so it should have been locked; it actually was unlocked during business hours. That right there

00:36:34.000 --> 00:36:41.440
is a huge finding. He showed me how if they did have meetings which were listed on their website

00:36:41.440 --> 00:36:46.720
that they would let the receptionist just check anyone in without verifying

00:36:46.720 --> 00:36:53.920
and a handful of other things that were just huge findings that should not be the case at all,

00:36:53.920 --> 00:36:59.600
especially for a brand-new building. From my point of view, if I was an attacker,

00:36:59.600 --> 00:37:03.040
I know exactly when I can get into the building, when it’s going to be unlocked. I

00:37:03.040 --> 00:37:07.360
just have to look at their calendar which they actually had a couple events that next week,

00:37:07.360 --> 00:37:10.400
and I would know that I just need to say hey, I’m here for this event and they would

00:37:10.400 --> 00:37:17.120
let me right in, give me a guest badge and I would have full access to their whole office.

00:37:17.120 --> 00:37:22.800
I was able to complete my two goals which I was so excited about. However, I wanted to see if I could

00:37:22.800 --> 00:37:30.400
get just a little bit more information from him. I explained how I did have a phone call and asked if

00:37:30.400 --> 00:37:35.360
there was an office I can sit in ‘cause I wanted to see if I would get access to an office.

00:37:35.360 --> 00:37:41.360
They actually put me up in an office and they wrote my name even on the wall,

00:37:41.360 --> 00:37:47.920
just like a name plate. I was left alone in this office with my name on it, which was really weird

00:37:47.920 --> 00:37:54.480
and I wish I took a picture of it ‘cause it just was so surreal. As I was leaving for the

00:37:54.480 --> 00:38:00.800
day ‘cause I was there, oh man, like four hours on-site. He gave me a very, very detailed tour. As

00:38:00.800 --> 00:38:06.960
I was leaving, the receptionist actually offered a limo service back to my hotel which was pretty

00:38:06.960 --> 00:38:12.400
badass. I didn’t take it because I was staying, actually at a hotel right across the street so

00:38:12.400 --> 00:38:16.080
I thought that’d be a little suspicious.
JACK: She got back to her hotel room bursting with

00:38:16.080 --> 00:38:20.080
joy with the feeling of a job well done.
SNOW: Just this huge rush. I remember going

00:38:20.080 --> 00:38:24.400
out and getting a steak dinner that night.
JACK: Snow delivered the report to the client,

00:38:24.400 --> 00:38:26.880
outlining numerous vulnerabilities she found in her assessment.

00:38:26.880 --> 00:38:31.600
SNOW: They were very surprised. They did not think I was gonna be able to get in.

00:38:31.600 --> 00:38:35.840
I guess they actually had an internal bet; the guy from the Americas office and the European

00:38:35.840 --> 00:38:40.720
office. They’re like, there’s no way. This is a brand-new building. We have RFID in place

00:38:40.720 --> 00:38:45.360
everywhere. Every big security thing. We have cameras, we have all this, but

00:38:45.360 --> 00:38:49.840
just by a simple lie and spoofing my phone number I was able to get so much credibility

00:38:49.840 --> 00:38:53.120
that I didn’t look like a threat.
JACK: Social engineering is becoming a

00:38:53.120 --> 00:38:56.320
more common test for many companies. It’s always safe to verify

00:38:56.320 --> 00:39:00.480
the strange calls you get by calling that person back or e-mailing them to confirm

00:39:00.480 --> 00:39:04.400
and to not let people tailgate you into a building, and to double-check people’s

00:39:04.400 --> 00:39:08.480
credentials and not always trust when someone else vouches for them, or just

00:39:08.480 --> 00:39:14.240
remember Ronald Reagan’s Russian maxim…
REAGAN: The maxim is ‘doveryai, yo proveryai’ -

00:39:14.240 --> 00:39:21.040
trust but verify.
JACK (OUTRO): [OUTRO MUSIC]

00:39:21.040 --> 00:39:24.880
You’ve been listening to Darknet Diaries. You can find links and more information about each

00:39:24.880 --> 00:39:29.360
guest in the show notes on darknetdiaries.com and this show is made by me, Jack Rhysider,

00:39:29.360 --> 00:39:34.080
and theme music is by the ghostly Breakmaster Cylinder. Please help this show out by going

00:39:34.080 --> 00:39:41.520
to darknetdiaries.com/donate. It means a lot to me when you do. Thank you.
