WEBVTT 00:00:00.160 --> 00:00:01.920 The Cardiff giants is an interesting 00:00:01.920 --> 00:00:05.040 story. In the Bible, Genesis 6:4, it 00:00:05.040 --> 00:00:07.120 says, "There were giants on the earth in 00:00:07.120 --> 00:00:08.960 those days, and they mated with people 00:00:08.960 --> 00:00:12.240 and created mighty men of renown." This 00:00:12.240 --> 00:00:14.000 guy named George Hall was like, "Wow, 00:00:14.000 --> 00:00:16.080 there were giants on earth." But the 00:00:16.080 --> 00:00:17.440 reverend argued with him and said, "No, 00:00:17.440 --> 00:00:19.119 no, no. There were never giants here." 00:00:19.119 --> 00:00:20.880 But George was like, "No, no, the Bible 00:00:20.880 --> 00:00:22.320 says so. There's got to be a way to 00:00:22.320 --> 00:00:24.400 prove it." But George could not prove 00:00:24.400 --> 00:00:26.960 it, of course. So, he decided to fake 00:00:26.960 --> 00:00:29.519 it. He went to a quarry and dug up a 00:00:29.519 --> 00:00:31.840 huge block of gypsum. Then hired some 00:00:31.840 --> 00:00:33.840 stone cutters to make the block into the 00:00:33.840 --> 00:00:36.480 shape of a giant man. They created a 00:00:36.480 --> 00:00:38.800 rough statue of a man that was 10 ft 4 00:00:38.800 --> 00:00:41.040 in tall. Then George stained it with 00:00:41.040 --> 00:00:43.200 acid to make it look old and put it on a 00:00:43.200 --> 00:00:45.360 train and took it to his cousin's farm 00:00:45.360 --> 00:00:47.920 in Cardiff, New York. And late at night, 00:00:47.920 --> 00:00:50.559 he buried it on his cousin's farm. A 00:00:50.559 --> 00:00:52.879 year later, his cousin went to dig a 00:00:52.879 --> 00:00:55.280 well and hired a crew to come out and 00:00:55.280 --> 00:00:57.760 dig the hole. and they ran into this 00:00:57.760 --> 00:01:00.239 giant in their dig. And one of the 00:01:00.239 --> 00:01:02.399 workers immediately shouted, "This must 00:01:02.399 --> 00:01:04.799 be an ancient burial site." And so they 00:01:04.799 --> 00:01:07.040 dug up the giant. And the word spread 00:01:07.040 --> 00:01:10.960 that they found a buried giant. People 00:01:10.960 --> 00:01:12.960 from all over flocked to the farm to 00:01:12.960 --> 00:01:15.360 take a look. It was quite surprising to 00:01:15.360 --> 00:01:18.560 see a petrified giant of a man. A lot of 00:01:18.560 --> 00:01:20.000 people believed it was a petrified 00:01:20.000 --> 00:01:22.720 human. The Bible says so. See? But some 00:01:22.720 --> 00:01:24.560 thought it was just a statue. [music] 00:01:24.560 --> 00:01:26.080 But pretty quickly, George's cousin 00:01:26.080 --> 00:01:27.840 realized how valuable this thing was. 00:01:27.840 --> 00:01:29.680 So, he put a tent over it and started 00:01:29.680 --> 00:01:31.920 charging people 50 cents to come in and 00:01:31.920 --> 00:01:35.360 see it. 500 people came a day [music] to 00:01:35.360 --> 00:01:38.880 see this amazing giant. The whole town 00:01:38.880 --> 00:01:40.479 started to profit from it. Restaurants 00:01:40.479 --> 00:01:41.759 were filling up. Hotels [music] were 00:01:41.759 --> 00:01:44.479 booked. And that's when PT Barnum came. 00:01:44.479 --> 00:01:46.240 And he was like, "Sir, I will give you 00:01:46.240 --> 00:01:48.479 $50,000 for that giant. What do you 00:01:48.479 --> 00:01:51.360 say?" The fireman was like, "No way." So 00:01:51.360 --> 00:01:53.920 PT Barnum hired someone to make a waxed 00:01:53.920 --> 00:01:56.560 copy of it. And Barnum displayed this 00:01:56.560 --> 00:01:59.280 unauthorized copy at his circus and 00:01:59.280 --> 00:02:01.360 claimed it was the actual giant [music] 00:02:01.360 --> 00:02:03.360 and charged people to come see his fake 00:02:03.360 --> 00:02:06.079 replica. A year later, George Hall came 00:02:06.079 --> 00:02:07.520 out and said this whole thing was a 00:02:07.520 --> 00:02:09.200 hoax, that he's the one who buried it 00:02:09.200 --> 00:02:11.200 there. But while it didn't prove that 00:02:11.200 --> 00:02:13.680 giants roam the earth, it did make his 00:02:13.680 --> 00:02:16.560 cousin pretty wealthy. And that's how 00:02:16.560 --> 00:02:24.080 scammers would get you in the 1860s. 00:02:24.080 --> 00:02:26.080 These are true stories from the dark 00:02:26.080 --> 00:02:30.651 side of the internet. 00:02:30.651 --> 00:02:33.599 [music] I'm Jack Reider. 00:02:33.599 --> 00:02:36.546 This is Darknet Diaries. 00:02:36.546 --> 00:02:49.840 [music] [music] 00:02:49.840 --> 00:02:51.920 I want you to meet Maxi. Uh, 00:02:51.920 --> 00:02:54.080 >> my name is Maxi Reynolds. 00:02:54.080 --> 00:02:55.760 >> She grew up in Scotland and had an itch 00:02:55.760 --> 00:02:57.360 for adventure when she was young. She 00:02:57.360 --> 00:02:59.360 knew she wasn't fit for a sort of sit 00:02:59.360 --> 00:03:01.200 down, do a lot of paperwork, office type 00:03:01.200 --> 00:03:03.680 job. No, her head was always up in 00:03:03.680 --> 00:03:05.760 class, looking out the window, dreaming 00:03:05.760 --> 00:03:07.760 of far away lands that she could visit. 00:03:07.760 --> 00:03:10.080 >> I left home at a really early age, about 00:03:10.080 --> 00:03:13.680 15, and I had no idea what I was going 00:03:13.680 --> 00:03:16.080 to do, what I wanted to do. And so I 00:03:16.080 --> 00:03:18.000 tried everything and I was ending up, 00:03:18.000 --> 00:03:19.519 you know, working in bars and as a 00:03:19.519 --> 00:03:20.800 cleaner and all these sorts of things 00:03:20.800 --> 00:03:22.159 and I just thought, no, this isn't for 00:03:22.159 --> 00:03:24.159 me and I want a job where I can travel 00:03:24.159 --> 00:03:26.480 and see the, you know, outside of 00:03:26.480 --> 00:03:31.519 Scotland. So I went to a university in 00:03:31.519 --> 00:03:35.040 England, which is somewhat retro being a 00:03:35.040 --> 00:03:38.400 Scottish person, and I got a degree in 00:03:38.400 --> 00:03:40.080 underwater robotics. 00:03:40.080 --> 00:03:41.680 >> She was hoping this degree was her 00:03:41.680 --> 00:03:44.080 ticket to travel. maybe if you're going 00:03:44.080 --> 00:03:46.159 to be operating underwater vehicles, 00:03:46.159 --> 00:03:47.840 you'll get to go to some pretty far away 00:03:47.840 --> 00:03:49.680 places. So, she started applying to 00:03:49.680 --> 00:03:51.519 every company she knew that used these 00:03:51.519 --> 00:03:53.040 remote operating vehicles. 00:03:53.040 --> 00:03:54.959 >> And I couldn't get a job. And it was 00:03:54.959 --> 00:03:56.879 because I was female. 00:03:56.879 --> 00:03:58.239 >> The reason why this was a problem is 00:03:58.239 --> 00:03:59.680 because sometimes she'd have to go out 00:03:59.680 --> 00:04:01.680 to sea in small vessels or be stationed 00:04:01.680 --> 00:04:03.920 on some kind of platform at sea, which 00:04:03.920 --> 00:04:06.159 also had small living quarters. And the 00:04:06.159 --> 00:04:07.360 problem was that these companies 00:04:07.360 --> 00:04:09.280 required men and women to have separate 00:04:09.280 --> 00:04:11.040 cabins and they simply couldn't 00:04:11.040 --> 00:04:12.239 accommodate her because a lot of these 00:04:12.239 --> 00:04:13.760 cabins had four beds in them and they 00:04:13.760 --> 00:04:15.200 didn't have any single bed cabins that 00:04:15.200 --> 00:04:17.040 she could be in. And there just wasn't 00:04:17.040 --> 00:04:18.799 enough women to fill up a sleeping 00:04:18.799 --> 00:04:22.079 cabin. So she just didn't get the job. I 00:04:22.079 --> 00:04:24.560 was told this same story over and over. 00:04:24.560 --> 00:04:26.080 But that didn't stop her. She kept 00:04:26.080 --> 00:04:28.400 applying at places and eventually a 00:04:28.400 --> 00:04:30.479 Norwegian company finally said yes to 00:04:30.479 --> 00:04:32.560 her. finally got a Norwegian company to 00:04:32.560 --> 00:04:34.240 accept me and they said, "If you get 00:04:34.240 --> 00:04:36.720 your private pilot's license, we will 00:04:36.720 --> 00:04:40.160 take you on." So, I went to a bank in 00:04:40.160 --> 00:04:41.600 Scotland and asked for a career 00:04:41.600 --> 00:04:43.680 development loan and I got my private 00:04:43.680 --> 00:04:44.880 pilot's license. 00:04:44.880 --> 00:04:46.880 >> Well, now this pilot is different than 00:04:46.880 --> 00:04:48.479 ROV pilot. This is air. 00:04:48.479 --> 00:04:50.880 >> Yes. This is a small. Yes. So, I can fly 00:04:50.880 --> 00:04:52.960 a Cessna although I haven't in America. 00:04:52.960 --> 00:04:55.680 I can do that. And so, they it was 00:04:55.680 --> 00:04:57.199 supposed to be quite similar. And then I 00:04:57.199 --> 00:04:59.199 called the company back and said, "Hey, 00:04:59.199 --> 00:05:00.560 like I've got this." and it took it 00:05:00.560 --> 00:05:02.720 takes months. So, and I was getting 00:05:02.720 --> 00:05:06.240 further and further into debt. So, I um 00:05:06.240 --> 00:05:07.520 called them back and said, "Hey, I've 00:05:07.520 --> 00:05:09.280 got this." And there had been this 00:05:09.280 --> 00:05:10.560 change of management and they were like, 00:05:10.560 --> 00:05:12.320 "It's not actually we don't know why 00:05:12.320 --> 00:05:14.080 they said that. It's not a private 00:05:14.080 --> 00:05:15.759 pilot's license you need for a plane. 00:05:15.759 --> 00:05:18.240 It's we're we're more like as an ROV 00:05:18.240 --> 00:05:21.840 pilot. It's closer to a helicopter." So, 00:05:21.840 --> 00:05:24.240 I changed my name. I went back to the 00:05:24.240 --> 00:05:26.560 bank in Scotland, got another career 00:05:26.560 --> 00:05:28.000 development loan and went back and got 00:05:28.000 --> 00:05:31.280 my PPL for helicopters. Then I went back 00:05:31.280 --> 00:05:34.000 to them and said, "Okay, I've got this, 00:05:34.000 --> 00:05:36.560 but listen, like no more surprises and 00:05:36.560 --> 00:05:38.479 can I have a job now?" And they took me 00:05:38.479 --> 00:05:40.320 on and it was it was sort of 00:05:40.320 --> 00:05:42.720 life-changing [music] for me. This job 00:05:42.720 --> 00:05:44.639 required her to travel a lot. North 00:05:44.639 --> 00:05:46.560 America, South America, Europe, Asia. 00:05:46.560 --> 00:05:47.808 She got to travel the whole world 00:05:47.808 --> 00:05:49.919 [music] while working as an underwater 00:05:49.919 --> 00:05:52.080 ROV pilot and sometimes flying 00:05:52.080 --> 00:05:52.880 helicopters. 00:05:52.880 --> 00:05:54.880 >> So [music] I lived in Venezuela for a 00:05:54.880 --> 00:05:58.400 while. I lived in Trinidad. I have been 00:05:58.400 --> 00:06:00.320 to sort of everywhere [music] from 00:06:00.320 --> 00:06:02.639 Nigeria to Australia. A lot of 00:06:02.639 --> 00:06:04.639 coastlines. So I've seen a seen a lot of 00:06:04.639 --> 00:06:06.960 water. While she was doing this work, 00:06:06.960 --> 00:06:08.160 she started getting more [music] 00:06:08.160 --> 00:06:10.639 fascinated with it. Computers became her 00:06:10.639 --> 00:06:12.400 passion. She was enrolled in remote 00:06:12.400 --> 00:06:14.080 learning courses and was able to get a 00:06:14.080 --> 00:06:16.319 degree in computer science. Then she 00:06:16.319 --> 00:06:18.240 took a month off work and landed in Los 00:06:18.240 --> 00:06:19.840 Angeles, California, just to take a 00:06:19.840 --> 00:06:21.600 break for a while. But she fell in love 00:06:21.600 --> 00:06:23.440 with LA. And while there, she started 00:06:23.440 --> 00:06:25.600 going to a gym to exercise and work out. 00:06:25.600 --> 00:06:26.960 >> One of the people that I was training 00:06:26.960 --> 00:06:29.680 with in the gym was a stunt man. And I 00:06:29.680 --> 00:06:32.000 was I sort of begged him to please like, 00:06:32.000 --> 00:06:34.160 let me hang out with you, let me be 00:06:34.160 --> 00:06:39.360 cool, too. So, um, eventually he sort of 00:06:39.360 --> 00:06:42.880 he got me some training in stunts and he 00:06:42.880 --> 00:06:44.720 actually got me one of my first jobs. 00:06:44.720 --> 00:06:46.560 She was in a few independent films, did 00:06:46.560 --> 00:06:48.160 a few stunts for them. She got an 00:06:48.160 --> 00:06:50.160 opportunity to be in House of Cards, and 00:06:50.160 --> 00:06:51.600 she did a stunt for them, but they 00:06:51.600 --> 00:06:53.360 decided not to use it for some reason. 00:06:53.360 --> 00:06:54.800 While that was cool, it was also 00:06:54.800 --> 00:06:57.199 short-lived because while it's exciting, 00:06:57.199 --> 00:06:59.440 she didn't see it as a long-term career. 00:06:59.440 --> 00:07:03.039 >> I studied quantum computing, and it was 00:07:03.039 --> 00:07:05.599 really difficult. It was it was it was 00:07:05.599 --> 00:07:08.720 extremely difficult for my feeble mind, 00:07:08.720 --> 00:07:10.800 but it was really enjoyable, and I I 00:07:10.800 --> 00:07:12.880 loved it. This turned her attention to 00:07:12.880 --> 00:07:15.280 new technologies and companies. At some 00:07:15.280 --> 00:07:17.360 point, she got a job for a company in 00:07:17.360 --> 00:07:19.280 Australia and moved there. 00:07:19.280 --> 00:07:22.560 >> My first entry point into both social 00:07:22.560 --> 00:07:24.560 engineering really and pentesting was in 00:07:24.560 --> 00:07:26.160 Australia and I worked for a big company 00:07:26.160 --> 00:07:28.240 down there. They gave me a shot on their 00:07:28.240 --> 00:07:31.360 graduation team for for cyber security. 00:07:31.360 --> 00:07:33.759 >> This company had penetration testers, 00:07:33.759 --> 00:07:35.599 people who try to break into a building 00:07:35.599 --> 00:07:38.319 or a network to test the security of it. 00:07:38.319 --> 00:07:39.759 She got to watch one of these pen 00:07:39.759 --> 00:07:41.520 testers work by monitoring their 00:07:41.520 --> 00:07:43.199 activity through cameras. 00:07:43.199 --> 00:07:48.160 >> And I was witnessing a a pen test but 00:07:48.160 --> 00:07:50.160 with this social engineering component. 00:07:50.160 --> 00:07:52.960 And it was a guy. He was a he was a 00:07:52.960 --> 00:07:55.840 really good hacker. And he had gone into 00:07:55.840 --> 00:07:58.639 the network of one of our targets and he 00:07:58.639 --> 00:08:00.560 was opening all of the security doors 00:08:00.560 --> 00:08:03.599 and automated doors for one of the team, 00:08:03.599 --> 00:08:05.120 the cyber security team. And they were 00:08:05.120 --> 00:08:06.319 just walking through and they were 00:08:06.319 --> 00:08:07.919 filming the whole thing. and you know it 00:08:07.919 --> 00:08:10.319 was being broadcast live back to us and 00:08:10.319 --> 00:08:12.479 it was amazing and I was thinking okay 00:08:12.479 --> 00:08:14.319 this is a good job this is the kind of 00:08:14.319 --> 00:08:17.199 job that I would like to do 00:08:17.199 --> 00:08:19.039 >> being a physical penetration tester 00:08:19.039 --> 00:08:21.440 seemed like just the thing for Maxi 00:08:21.440 --> 00:08:23.199 breaking into a building acting like a 00:08:23.199 --> 00:08:26.560 spy that seemed really fun she asked if 00:08:26.560 --> 00:08:27.759 she could do that and 00:08:27.759 --> 00:08:29.280 >> they were like well your luck is in 00:08:29.280 --> 00:08:33.039 because we have to test them without 00:08:33.039 --> 00:08:34.959 these technical capabilities so we're 00:08:34.959 --> 00:08:36.800 just doing a physical pen 00:08:36.800 --> 00:08:37.120 >> [music] 00:08:37.120 --> 00:08:39.360 >> would you like to be involved? And I 00:08:39.360 --> 00:08:40.880 jumped at the chance. 00:08:40.880 --> 00:08:42.880 >> So they gave her an assignment which was 00:08:42.880 --> 00:08:45.680 to try to get into a company and film 00:08:45.680 --> 00:08:47.600 what they were working on inside it. And 00:08:47.600 --> 00:08:49.360 to start figuring out how to get in, 00:08:49.360 --> 00:08:51.519 penetration testers often use OSENT, 00:08:51.519 --> 00:08:53.839 which is just gathering data on a target 00:08:53.839 --> 00:08:56.560 through open public searches online. So 00:08:56.560 --> 00:08:58.160 she does a little OSENT and starts 00:08:58.160 --> 00:08:59.839 learning about the company more. 00:08:59.839 --> 00:09:03.360 >> They had some very interesting IP. They 00:09:03.360 --> 00:09:05.440 were a transport company and they were 00:09:05.440 --> 00:09:10.880 building some unique uh buses and large 00:09:10.880 --> 00:09:14.160 transport vehicles within this um whole 00:09:14.160 --> 00:09:17.279 complex. So my job was to get into there 00:09:17.279 --> 00:09:20.800 past reception, past all security, get 00:09:20.800 --> 00:09:24.160 in and look at all of the assets and the 00:09:24.160 --> 00:09:28.640 IP. And I didn't need to, you know, hack 00:09:28.640 --> 00:09:31.440 any computers or even plug into any 00:09:31.440 --> 00:09:34.240 computers. It was it was simply to get 00:09:34.240 --> 00:09:36.320 in and to essentially have a look 00:09:36.320 --> 00:09:37.040 around. 00:09:37.040 --> 00:09:39.040 >> How fun, right? Can you get into this 00:09:39.040 --> 00:09:40.640 factory, take a few photos of what 00:09:40.640 --> 00:09:42.320 they're building, and get out without 00:09:42.320 --> 00:09:45.040 them knowing you're a spy? As she starts 00:09:45.040 --> 00:09:46.240 learning more about this company, she 00:09:46.240 --> 00:09:47.920 found out that they had some big 00:09:47.920 --> 00:09:50.880 connections with Sweden, as in some of 00:09:50.880 --> 00:09:53.120 their offices were located in Sweden. 00:09:53.120 --> 00:09:55.440 >> If you squint your eyes and you were 00:09:55.440 --> 00:09:57.839 very far away from me, I could probably 00:09:57.839 --> 00:10:00.399 pass as Swedish. 00:10:00.399 --> 00:10:03.200 So, I had decided and no one stopped me. 00:10:03.200 --> 00:10:05.600 I'd like to point out I decided that I 00:10:05.600 --> 00:10:08.800 was g I was going to um pretext or or 00:10:08.800 --> 00:10:11.600 present myself as like a Swedish 00:10:11.600 --> 00:10:13.920 ambassador for this for this company and 00:10:13.920 --> 00:10:17.760 I had the CEO's name and some other top 00:10:17.760 --> 00:10:19.839 execs names and things like that. 00:10:19.839 --> 00:10:22.320 >> She does have blonde hair, but even 00:10:22.320 --> 00:10:23.839 though she may be able to pass as 00:10:23.839 --> 00:10:26.079 Swedish looking, there's no way she's 00:10:26.079 --> 00:10:27.760 going to sound Swedish. Not with that 00:10:27.760 --> 00:10:30.320 Scottish accent. So her plan was just to 00:10:30.320 --> 00:10:33.040 put yah on the end of everything and 00:10:33.040 --> 00:10:34.399 hope they didn't notice. 00:10:34.399 --> 00:10:36.959 >> No. And it gets worse because so even I 00:10:36.959 --> 00:10:38.320 cuz they're they're Australian, right? 00:10:38.320 --> 00:10:40.000 They're not idiots. So I was thinking 00:10:40.000 --> 00:10:41.279 that will never work. 00:10:41.279 --> 00:10:43.120 >> But that was her plan and she decided to 00:10:43.120 --> 00:10:45.120 go forward with it. She liked the idea 00:10:45.120 --> 00:10:47.839 of acting like someone else. So she was 00:10:47.839 --> 00:10:49.839 set on being the Swedish ambassador for 00:10:49.839 --> 00:10:51.839 this company. Walk in, tell them she's 00:10:51.839 --> 00:10:53.440 from the Swedish branch and she's just 00:10:53.440 --> 00:10:55.440 flown in to inspect the building. But in 00:10:55.440 --> 00:10:56.880 order to do that, she's got to look the 00:10:56.880 --> 00:10:58.640 part. So, she takes a trip down to the 00:10:58.640 --> 00:11:00.800 local clothing store, buys a new outfit, 00:11:00.800 --> 00:11:02.240 something that would make her look like 00:11:02.240 --> 00:11:03.279 an executive. 00:11:03.279 --> 00:11:04.880 >> I bought a clipboard and I looked 00:11:04.880 --> 00:11:06.240 professional and I had like a little 00:11:06.240 --> 00:11:09.200 briefcase and I was really trying to 00:11:09.200 --> 00:11:10.399 look professional. 00:11:10.399 --> 00:11:12.320 >> She's all set, ready to go in. Outfit 00:11:12.320 --> 00:11:15.519 on, camera rolling. Deep breath. Let's 00:11:15.519 --> 00:11:17.200 go. >> [music] 00:11:17.200 --> 00:11:20.480 >> So, I go in to reception and I approach 00:11:20.480 --> 00:11:23.600 the receptionist with like a warm smile 00:11:23.600 --> 00:11:26.160 and I'm, you know, being as as nice as I 00:11:26.160 --> 00:11:30.959 can be. And I said, I'm here for this. 00:11:30.959 --> 00:11:32.480 I'm here for this appointment and this 00:11:32.480 --> 00:11:33.839 is what I want to do and this is where 00:11:33.839 --> 00:11:35.760 I'm from. And [music] 00:11:35.760 --> 00:11:38.320 she said, okay. And I was like, what? It 00:11:38.320 --> 00:11:40.320 was that easy. This doesn't make sense. 00:11:40.320 --> 00:11:42.880 But, you know, I'm not going to get in 00:11:42.880 --> 00:11:44.959 my own way. So I followed her and she 00:11:44.959 --> 00:11:47.600 took me to this little room just sort of 00:11:47.600 --> 00:11:50.480 directly behind reception and I was 00:11:50.480 --> 00:11:54.560 greeted by this adorable little old lady 00:11:54.560 --> 00:11:56.079 and there was one other person in the 00:11:56.079 --> 00:11:58.160 room but we didn't really talk. So I had 00:11:58.160 --> 00:12:01.360 to present ID which is another stumbling 00:12:01.360 --> 00:12:05.360 block and I got to talking to them. So 00:12:05.360 --> 00:12:07.040 they asked me why I was there again and 00:12:07.040 --> 00:12:08.160 all those things and they said they 00:12:08.160 --> 00:12:09.760 weren't expecting me but it wasn't a 00:12:09.760 --> 00:12:11.680 problem and I thought well this is 00:12:11.680 --> 00:12:13.760 really easy this is great and I gave 00:12:13.760 --> 00:12:15.839 them my ID and I had an Australian ID at 00:12:15.839 --> 00:12:18.959 the time and they said you're from 00:12:18.959 --> 00:12:21.279 Sweden and you've got an Australian ID 00:12:21.279 --> 00:12:22.720 and I said yeah and I've got a dodgy 00:12:22.720 --> 00:12:24.959 accent. I I went to school in the UK so 00:12:24.959 --> 00:12:26.240 I tried to get around it like that and 00:12:26.240 --> 00:12:27.760 it works beautifully and I don't know 00:12:27.760 --> 00:12:32.160 how. So I got in. Okay, at this point 00:12:32.160 --> 00:12:33.680 she's doing pretty good passing as this 00:12:33.680 --> 00:12:35.600 Swedish person from another office. She 00:12:35.600 --> 00:12:37.519 got into the building. Check. Past 00:12:37.519 --> 00:12:39.519 reception. Check. And past the two 00:12:39.519 --> 00:12:41.279 people that she was handed off to. 00:12:41.279 --> 00:12:43.680 Check. Check. Check. Now she's in and 00:12:43.680 --> 00:12:45.200 she's trying to film things, take 00:12:45.200 --> 00:12:47.120 pictures of what's going on. There's an 00:12:47.120 --> 00:12:48.480 engine room. That looks interesting. 00:12:48.480 --> 00:12:50.399 Film that. So, she goes in closer to 00:12:50.399 --> 00:12:54.320 take a look. And I was walking towards 00:12:54.320 --> 00:12:57.279 one of these large engines 00:12:57.279 --> 00:13:01.360 and this man was walking towards me with 00:13:01.360 --> 00:13:03.920 I think it was like two other men and he 00:13:03.920 --> 00:13:05.680 stood out. He had this beautiful blonde 00:13:05.680 --> 00:13:07.839 hair and these big blue eyes like 00:13:07.839 --> 00:13:08.560 completely [music] 00:13:08.560 --> 00:13:10.480 stereotypical 00:13:10.480 --> 00:13:15.040 um like Nordic look and he came up to me 00:13:15.040 --> 00:13:18.240 and he said something in a language I 00:13:18.240 --> 00:13:21.360 don't understand but immediately guessed 00:13:21.360 --> 00:13:23.600 correctly this is Swedish. I'm supposed 00:13:23.600 --> 00:13:26.160 to be Swedish. I don't know any Swedish. 00:13:26.160 --> 00:13:28.079 So I'm racking my brain for the limited 00:13:28.079 --> 00:13:32.320 amount of Norwegian that I know. And um 00:13:32.320 --> 00:13:35.040 he whatever he said I kind of just 00:13:35.040 --> 00:13:37.680 looked and I felt my body get tense and 00:13:37.680 --> 00:13:41.440 I felt like the my brain says open up 00:13:41.440 --> 00:13:43.760 like let me cannonball into hell this is 00:13:43.760 --> 00:13:47.360 torture please no and so I said to him 00:13:47.360 --> 00:13:52.240 yeah and he looked at me like okay baby 00:13:52.240 --> 00:13:54.320 that that doesn't make sense but okay 00:13:54.320 --> 00:13:58.000 and then he repeated it and so I tried 00:13:58.000 --> 00:13:59.440 the one word I could remember in 00:13:59.440 --> 00:14:03.360 Norwegian which is nigh for no cuz if 00:14:03.360 --> 00:14:06.880 yes didn't work then maybe no would 00:14:06.880 --> 00:14:10.880 maybe one of my dumbest moments but um 00:14:10.880 --> 00:14:14.720 so then he quickly just understood like 00:14:14.720 --> 00:14:16.720 this isn't right and then security was 00:14:16.720 --> 00:14:19.519 called they they had a very prompt 00:14:19.519 --> 00:14:22.720 security team they came I was detained 00:14:22.720 --> 00:14:25.040 >> oh no she was caught this is every 00:14:25.040 --> 00:14:27.199 pentester's fear but just because she's 00:14:27.199 --> 00:14:29.360 caught doesn't mean it's over maybe she 00:14:29.360 --> 00:14:31.040 can somehow Oh, get out of trouble. 00:14:31.040 --> 00:14:32.480 Convince security that everything's 00:14:32.480 --> 00:14:34.000 fine. Or at least just try to leave the 00:14:34.000 --> 00:14:36.160 building without being caught more. She 00:14:36.160 --> 00:14:38.160 tried to change the story. No, no, I'm 00:14:38.160 --> 00:14:41.040 I'm not from Sweden. I'm just working 00:14:41.040 --> 00:14:43.440 with the Swedish team. I'm based in 00:14:43.440 --> 00:14:45.760 England. So, they asked to see her ID 00:14:45.760 --> 00:14:48.000 again, and it just wasn't checking out. 00:14:48.000 --> 00:14:49.839 They were very confused by the whole 00:14:49.839 --> 00:14:52.079 thing. At that point, she just couldn't 00:14:52.079 --> 00:14:54.000 see any way out of it. So, she pulled 00:14:54.000 --> 00:14:56.000 out her get out of jail free letter. 00:14:56.000 --> 00:14:57.519 This is a letter that all penetration 00:14:57.519 --> 00:14:59.040 testers have that gives them 00:14:59.040 --> 00:15:01.120 authorization to do what they're doing. 00:15:01.120 --> 00:15:02.399 Has a phone number on it, which is 00:15:02.399 --> 00:15:04.320 typically the head of security and says 00:15:04.320 --> 00:15:06.639 who actually authorized her to sneak in. 00:15:06.639 --> 00:15:08.240 So, they call the number on it and the 00:15:08.240 --> 00:15:10.000 head of security says, "Yep, this is all 00:15:10.000 --> 00:15:11.760 a planned test. Uh, good job for 00:15:11.760 --> 00:15:12.480 catching her." 00:15:12.480 --> 00:15:14.720 >> We had like this sort of laugh after it 00:15:14.720 --> 00:15:17.120 and even the security guy was like, "Why 00:15:17.120 --> 00:15:18.639 would you pretend to be Swedish?" I was 00:15:18.639 --> 00:15:20.560 like, "I don't know. I'm Scottish." He's 00:15:20.560 --> 00:15:22.160 like, "I can tell and you don't look 00:15:22.160 --> 00:15:24.880 Swedish." I was like, "I know." That was 00:15:24.880 --> 00:15:27.120 Max's first pen test where she tried to 00:15:27.120 --> 00:15:29.920 break into buildings. But she loved it. 00:15:29.920 --> 00:15:32.000 This was adventurous, adrenalinefueled. 00:15:32.000 --> 00:15:33.360 You need to keep your wits, be quick on 00:15:33.360 --> 00:15:35.440 your toes, and know all about computers 00:15:35.440 --> 00:15:37.519 all at once. She felt like this is where 00:15:37.519 --> 00:15:40.000 she was meant to be. This was cool. And 00:15:40.000 --> 00:15:41.600 decided to pursue a career in 00:15:41.600 --> 00:15:43.360 pentesting. She did a number of 00:15:43.360 --> 00:15:45.279 penetration testing engagements while in 00:15:45.279 --> 00:15:46.880 Australia, learning new techniques and 00:15:46.880 --> 00:15:48.560 getting official training on how to get 00:15:48.560 --> 00:15:50.320 better, reading a bunch of books on how 00:15:50.320 --> 00:15:52.000 to improve. And one of the things that 00:15:52.000 --> 00:15:53.920 intrigued her was thinking like an 00:15:53.920 --> 00:15:55.839 attacker. That attacker mindset was 00:15:55.839 --> 00:15:57.199 something she spent a lot of time 00:15:57.199 --> 00:15:59.440 thinking about. How do people with bad 00:15:59.440 --> 00:16:02.560 intentions act? Soon it was time for 00:16:02.560 --> 00:16:04.399 another penetration test. Still, while 00:16:04.399 --> 00:16:06.000 she was working for a company in 00:16:06.000 --> 00:16:06.720 Australia, 00:16:06.720 --> 00:16:09.199 >> the company I worked for was working 00:16:09.199 --> 00:16:11.839 with the local government in in the city 00:16:11.839 --> 00:16:13.279 that we were in. And I won't say the 00:16:13.279 --> 00:16:15.759 name because I don't want any further 00:16:15.759 --> 00:16:16.480 embarrassment. 00:16:16.480 --> 00:16:18.480 >> Now, penetration tests are not always 00:16:18.480 --> 00:16:20.320 physical. In fact, I'd say most of them 00:16:20.320 --> 00:16:22.240 are just done over a computer. Like the 00:16:22.240 --> 00:16:24.079 penetration tester might be outside the 00:16:24.079 --> 00:16:25.360 company and just trying to hack their 00:16:25.360 --> 00:16:26.639 way into the company through the 00:16:26.639 --> 00:16:28.800 internet or sometimes companies will 00:16:28.800 --> 00:16:30.399 just invite the penetration tester right 00:16:30.399 --> 00:16:31.839 into the building and give them a desk 00:16:31.839 --> 00:16:34.160 and a network jack and say go for it 00:16:34.160 --> 00:16:36.880 from the inside because even if you get 00:16:36.880 --> 00:16:39.199 into the network, there should be layers 00:16:39.199 --> 00:16:40.880 of security which should still keep you 00:16:40.880 --> 00:16:42.959 from getting into important things. 00:16:42.959 --> 00:16:45.600 That's called defense in depth. So, this 00:16:45.600 --> 00:16:48.000 was a pen test on a local government 00:16:48.000 --> 00:16:50.000 office. And with this one, they invited 00:16:50.000 --> 00:16:52.000 her to come into the building and plug 00:16:52.000 --> 00:16:54.160 into a port and see what vulnerabilities 00:16:54.160 --> 00:16:56.560 she could find from within the company. 00:16:56.560 --> 00:16:58.000 She wasn't alone on this one, though. 00:16:58.000 --> 00:16:59.440 There were two other people with her. 00:16:59.440 --> 00:17:00.959 And the two other people were very 00:17:00.959 --> 00:17:03.199 experienced network penetration testers, 00:17:03.199 --> 00:17:04.400 and she was still learning how to do 00:17:04.400 --> 00:17:06.079 this. So, she was shadowing them and 00:17:06.079 --> 00:17:10.400 watching what they were doing. 00:17:10.400 --> 00:17:12.559 So I wasn't a noob, but I was [music] 00:17:12.559 --> 00:17:16.079 this was my first job in cyber security. 00:17:16.079 --> 00:17:18.000 I have a very technical background. 00:17:18.000 --> 00:17:21.760 Building ROVs, [music] flying them or um 00:17:21.760 --> 00:17:24.079 steering them, I suppose that's all 00:17:24.079 --> 00:17:26.000 technical. Even stunts [music] are 00:17:26.000 --> 00:17:28.880 technical to a certain degree. This was 00:17:28.880 --> 00:17:31.280 a step further because I [music] there 00:17:31.280 --> 00:17:33.600 no physical components to it. That's why 00:17:33.600 --> 00:17:36.000 it was so difficult for me. I [music] 00:17:36.000 --> 00:17:39.520 it's all on screen and like Linux is its 00:17:39.520 --> 00:17:42.240 own beautiful scary world [music] for 00:17:42.240 --> 00:17:44.559 me. So I was still getting to grips with 00:17:44.559 --> 00:17:48.640 this whole world and all of the [music] 00:17:48.640 --> 00:17:50.559 commands and what these things meant and 00:17:50.559 --> 00:17:51.679 how to undo things. 00:17:51.679 --> 00:17:53.200 >> And they all sat down, pulled out their 00:17:53.200 --> 00:17:55.280 laptops and plugged into the network. 00:17:55.280 --> 00:17:57.120 She [music] starts by firing up a 00:17:57.120 --> 00:17:59.440 network vulnerability scanner. I got to 00:17:59.440 --> 00:18:02.799 run the Nessa scan which was 00:18:02.799 --> 00:18:04.480 not the most technical job in the world 00:18:04.480 --> 00:18:06.559 but it felt good at the time and I got 00:18:06.559 --> 00:18:09.039 to [music] look at what vulnerabilities 00:18:09.039 --> 00:18:11.897 were there and I got to go and see 00:18:11.897 --> 00:18:12.720 [music] 00:18:12.720 --> 00:18:16.320 exploits for those and I got to like run 00:18:16.320 --> 00:18:17.120 end [music] map. 00:18:17.120 --> 00:18:18.799 >> These are fine basic tools to start 00:18:18.799 --> 00:18:20.880 with. It'll scan the network for known 00:18:20.880 --> 00:18:22.960 vulnerabilities. They're easy to use and 00:18:22.960 --> 00:18:24.880 typically benign as in they're not going 00:18:24.880 --> 00:18:26.640 to cause any trouble on the network just 00:18:26.640 --> 00:18:28.559 by running them. And when you run these 00:18:28.559 --> 00:18:30.559 tools, it's [music] not hacking. It's 00:18:30.559 --> 00:18:32.960 just to try to find what's hackable. And 00:18:32.960 --> 00:18:35.520 she wasn't exactly sure how to hack into 00:18:35.520 --> 00:18:37.440 this company. [music] When you're rammed 00:18:37.440 --> 00:18:39.200 experienced pentesters who love their 00:18:39.200 --> 00:18:41.372 job and these two loved everything 00:18:41.372 --> 00:18:43.919 [music] that every like line they wrote 00:18:43.919 --> 00:18:47.440 was um sort of like a piece of art for 00:18:47.440 --> 00:18:49.919 them. They loved it and they they really 00:18:49.919 --> 00:18:51.600 like got this high [music] out of it. 00:18:51.600 --> 00:18:54.640 And that's contagious. So I started to 00:18:54.640 --> 00:18:57.039 think like this is amazing. This is so 00:18:57.039 --> 00:18:58.799 cool. [music] look how far we'd ran. And 00:18:58.799 --> 00:19:01.440 one guy um one of the guys that I was 00:19:01.440 --> 00:19:03.360 there with got a call from [music] one 00:19:03.360 --> 00:19:04.880 of our points of contact and he was 00:19:04.880 --> 00:19:06.400 saying I can see you in the network and 00:19:06.400 --> 00:19:08.400 it was this big game and it was [music] 00:19:08.400 --> 00:19:10.080 fun and it was interesting and I got 00:19:10.080 --> 00:19:11.120 caught up in that. 00:19:11.120 --> 00:19:12.640 >> So after seeing all the cool things that 00:19:12.640 --> 00:19:14.080 those other penetration testers were 00:19:14.080 --> 00:19:16.640 doing, Maxi wanted to have some fun too. 00:19:16.640 --> 00:19:18.799 How far could she get into this network? 00:19:18.799 --> 00:19:20.720 She saw there were vulnerabilities on 00:19:20.720 --> 00:19:23.440 certain systems on her scan and she 00:19:23.440 --> 00:19:24.880 tried to exploit those vulnerabilities 00:19:24.880 --> 00:19:26.400 and get into those systems [music] 00:19:26.400 --> 00:19:28.000 because there's a sort of high you get 00:19:28.000 --> 00:19:29.520 from getting into a computer when you 00:19:29.520 --> 00:19:31.808 shouldn't be able to. And she was making 00:19:31.808 --> 00:19:33.600 [music] progress. She got into a few 00:19:33.600 --> 00:19:35.440 systems and she was looking around 00:19:35.440 --> 00:19:37.919 making notes on how she got in. She 00:19:37.919 --> 00:19:39.840 would look over her shoulder and always 00:19:39.840 --> 00:19:40.960 see those other [music] penetration 00:19:40.960 --> 00:19:43.280 testers many steps ahead of her. So she 00:19:43.280 --> 00:19:44.880 kept looking around to see what else she 00:19:44.880 --> 00:19:48.160 could get into. [music] I 00:19:48.160 --> 00:19:51.039 found my way to 00:19:51.039 --> 00:19:55.440 some internal environment and I hit the 00:19:55.440 --> 00:19:58.960 kill switch on a city's worship play. 00:19:58.960 --> 00:20:01.440 >> She accidentally typed the wrong command 00:20:01.440 --> 00:20:04.000 into the wrong computer which controlled 00:20:04.000 --> 00:20:07.440 the flow of water to the whole city. 00:20:07.440 --> 00:20:10.320 >> The person I was with immediately saw 00:20:10.320 --> 00:20:12.160 within the network that wait, that 00:20:12.160 --> 00:20:14.000 wasn't right. I will assume that he was 00:20:14.000 --> 00:20:16.640 sort of with me like following me 00:20:16.640 --> 00:20:17.919 throughout the network and could see a 00:20:17.919 --> 00:20:20.640 lot of what I was doing. And then I was 00:20:20.640 --> 00:20:22.720 thinking, yeah, this isn't I don't think 00:20:22.720 --> 00:20:26.080 that was maybe good, right? And so I 00:20:26.080 --> 00:20:29.360 looked at him and I could sort of see on 00:20:29.360 --> 00:20:30.960 his face and he comes over to me and he 00:20:30.960 --> 00:20:33.600 says like, "What did you do?" And I, you 00:20:33.600 --> 00:20:36.000 know, you can look at your history quite 00:20:36.000 --> 00:20:37.679 quickly and I still had quite a lot on 00:20:37.679 --> 00:20:39.919 screen. And I showed him and he put his 00:20:39.919 --> 00:20:42.559 head in his hands and I was like, "What? 00:20:42.559 --> 00:20:44.000 Is it really bad?" 00:20:44.000 --> 00:20:46.320 >> It was really bad. Shutting off the 00:20:46.320 --> 00:20:49.039 water to the whole city. Showers, 00:20:49.039 --> 00:20:51.760 faucets, sinks, even toilets were not 00:20:51.760 --> 00:20:54.320 functioning citywide. Her two other 00:20:54.320 --> 00:20:55.919 penetration testers immediately tried to 00:20:55.919 --> 00:20:57.600 figure out ways to fix the issue. One 00:20:57.600 --> 00:20:59.039 was looking at how the system operated 00:20:59.039 --> 00:21:00.320 and if it was possible to just turn it 00:21:00.320 --> 00:21:01.679 back on, but you don't want to just do 00:21:01.679 --> 00:21:03.200 that if it's going to cause a problem. 00:21:03.200 --> 00:21:04.720 The other pentester immediately phones 00:21:04.720 --> 00:21:06.320 the point of contact letting them know 00:21:06.320 --> 00:21:08.400 this is a major problem. Maxi was sort 00:21:08.400 --> 00:21:10.559 of in shock and incredibly embarrassed. 00:21:10.559 --> 00:21:12.559 She took her hands off the keyboard and 00:21:12.559 --> 00:21:13.840 just waited. 00:21:13.840 --> 00:21:17.200 >> I was detained by security guards and 00:21:17.200 --> 00:21:21.840 they they were not very pleased. 00:21:21.840 --> 00:21:23.520 >> Now, this is a completely different 00:21:23.520 --> 00:21:25.200 situation from the last time she was 00:21:25.200 --> 00:21:27.360 detained by security. The last time she 00:21:27.360 --> 00:21:29.200 had a get out of jail free card. This 00:21:29.200 --> 00:21:30.559 time they knew that she was supposed to 00:21:30.559 --> 00:21:31.919 be there. In fact, it was her point of 00:21:31.919 --> 00:21:34.799 contact that called security on her. She 00:21:34.799 --> 00:21:36.559 was authorized to be there and do this, 00:21:36.559 --> 00:21:37.919 but this was not supposed to be 00:21:37.919 --> 00:21:40.320 disruptive to the organization. Not only 00:21:40.320 --> 00:21:41.760 was it disruptive to the organization, 00:21:41.760 --> 00:21:43.520 but it was disruptive to the whole town. 00:21:43.520 --> 00:21:44.880 So, they wanted to at least get her 00:21:44.880 --> 00:21:47.039 recount of the matter recorded so they 00:21:47.039 --> 00:21:48.159 had it for later. 00:21:48.159 --> 00:21:52.000 >> I go down to a windowless room and I'm 00:21:52.000 --> 00:21:54.799 questioned. [music] And all of a sudden, 00:21:54.799 --> 00:21:56.799 one of the sort of accusations, if you 00:21:56.799 --> 00:21:59.840 want, was that I was a Russian spy. And 00:21:59.840 --> 00:22:02.000 I was thinking, how did we get there so 00:22:02.000 --> 00:22:04.640 quickly? like what happened? 00:22:04.640 --> 00:22:06.320 >> Apparently, [music] she spoofed her IP 00:22:06.320 --> 00:22:07.679 at one point to make herself look like 00:22:07.679 --> 00:22:10.000 she's coming from Russia to try to test 00:22:10.000 --> 00:22:11.600 to see if they could detect that. But 00:22:11.600 --> 00:22:13.039 that was just very brief. And she was 00:22:13.039 --> 00:22:15.280 definitely not a Russian spy. But this 00:22:15.280 --> 00:22:17.280 was becoming scary now because it wasn't 00:22:17.280 --> 00:22:19.440 just a confession of a mistake she made. 00:22:19.440 --> 00:22:20.720 It was like they were treating this more 00:22:20.720 --> 00:22:22.240 like an investigation. 00:22:22.240 --> 00:22:25.760 >> So I was held there for like a couple of 00:22:25.760 --> 00:22:27.280 hours and of course the police were 00:22:27.280 --> 00:22:30.080 called. The police had to be called. I 00:22:30.080 --> 00:22:32.720 didn't have any ID on me. I had my work 00:22:32.720 --> 00:22:34.640 card, but that doesn't really matter cuz 00:22:34.640 --> 00:22:36.320 it it's just a photo. [music] I could 00:22:36.320 --> 00:22:38.880 have printed it myself. And I kept 00:22:38.880 --> 00:22:40.320 saying to them, you know, if you let me 00:22:40.320 --> 00:22:41.840 go back to my apartment, I can get my 00:22:41.840 --> 00:22:43.760 passport for you. I'm British and I'm 00:22:43.760 --> 00:22:45.360 not a spy and you can contact my 00:22:45.360 --> 00:22:47.120 employer and I'm actually here with two 00:22:47.120 --> 00:22:49.679 people. And I kept [music] going and 00:22:49.679 --> 00:22:51.440 they didn't want to hear it. And that's 00:22:51.440 --> 00:22:53.520 okay. That's kind of their job to to do 00:22:53.520 --> 00:22:55.919 to [music] not believe me and to, you 00:22:55.919 --> 00:22:57.760 know, look for the worst because they've 00:22:57.760 --> 00:22:59.440 got to protect themselves against the 00:22:59.440 --> 00:23:02.880 worst. And eventually that at [music] 00:23:02.880 --> 00:23:06.559 some point I said to them like I need a 00:23:06.559 --> 00:23:08.640 can I have a glass of water? And the 00:23:08.640 --> 00:23:11.039 look is would would have been enough to 00:23:11.039 --> 00:23:13.760 like you know turn most people to stone. 00:23:13.760 --> 00:23:15.840 And I was thinking yeah that was not an 00:23:15.840 --> 00:23:19.039 ideal question. And then eventually my 00:23:19.039 --> 00:23:22.159 employers at the time called in and it 00:23:22.159 --> 00:23:27.760 did get sorted and I narrowly escaped um 00:23:27.760 --> 00:23:30.159 essentially what would I think you would 00:23:30.159 --> 00:23:32.240 call it prosecution. I I escaped any 00:23:32.240 --> 00:23:34.960 legal action because of that and I was 00:23:34.960 --> 00:23:37.120 on the graduation team. That lent me 00:23:37.120 --> 00:23:39.600 some credibility in the fact that okay, 00:23:39.600 --> 00:23:41.200 she doesn't know what she's doing and 00:23:41.200 --> 00:23:43.360 it's okay 00:23:43.360 --> 00:23:45.200 and my employer didn't fire me and I 00:23:45.200 --> 00:23:49.226 will be eternally grateful for that. 00:23:49.226 --> 00:23:54.640 [music] 00:23:54.640 --> 00:23:56.400 She doesn't know how long the water was 00:23:56.400 --> 00:23:58.240 out that day. It could have been hours, 00:23:58.240 --> 00:24:00.480 minutes, seconds. It doesn't matter. The 00:24:00.480 --> 00:24:02.400 fact that it could be shut off and it 00:24:02.400 --> 00:24:04.960 did get shut off is why the police had 00:24:04.960 --> 00:24:07.200 to respond. But she narrowly got out of 00:24:07.200 --> 00:24:09.360 serious trouble from that one. But this 00:24:09.360 --> 00:24:11.200 sort of [music] baptism by fire is how 00:24:11.200 --> 00:24:13.039 we learn the most important lessons in 00:24:13.039 --> 00:24:14.960 life. I mean, knowing firsthand what 00:24:14.960 --> 00:24:16.960 kind of true power a penetration tester 00:24:16.960 --> 00:24:19.200 has is profound. And this feeling 00:24:19.200 --> 00:24:21.440 sometimes flips back and forth, too. 00:24:21.440 --> 00:24:23.440 Sometimes you feel completely blocked 00:24:23.440 --> 00:24:24.799 with no access [music] to anything, and 00:24:24.799 --> 00:24:26.720 it makes you feel dumb. And other days, 00:24:26.720 --> 00:24:28.559 you feel like with a single keystroke, 00:24:28.559 --> 00:24:31.120 you can wreck this entire business. It 00:24:31.120 --> 00:24:33.039 almost reminds me of visiting a barber 00:24:33.039 --> 00:24:34.880 and getting an oldfashioned shave. the 00:24:34.880 --> 00:24:36.799 barber has this razor and they're 00:24:36.799 --> 00:24:39.440 shaving your neck with it. You feel very 00:24:39.440 --> 00:24:42.000 vulnerable in that situation. And I 00:24:42.000 --> 00:24:43.760 think many companies do feel vulnerable 00:24:43.760 --> 00:24:45.760 when they allow a penetration tester to 00:24:45.760 --> 00:24:48.400 come in. Who knows what they saw or 00:24:48.400 --> 00:24:50.320 took. In my last job, we had a 00:24:50.320 --> 00:24:51.919 penetration tester come in and see what 00:24:51.919 --> 00:24:52.960 they could do. And they were able to 00:24:52.960 --> 00:24:55.760 crack 25% of all our passwords 00:24:55.760 --> 00:24:57.600 companywide. That's like thousands of 00:24:57.600 --> 00:25:00.159 passwords. Of course, I read the report 00:25:00.159 --> 00:25:01.840 to see whose passwords got popped, but 00:25:01.840 --> 00:25:04.000 it only contains statistics, not 00:25:04.000 --> 00:25:06.159 passwords or usernames. And it made me 00:25:06.159 --> 00:25:08.640 think, you know, this pentester is 00:25:08.640 --> 00:25:11.039 walking out of our building with a bunch 00:25:11.039 --> 00:25:13.919 of our passwords. I've never felt more 00:25:13.919 --> 00:25:16.320 vulnerable at work before. 00:25:16.320 --> 00:25:17.760 We're going to take a quick ad break 00:25:17.760 --> 00:25:19.520 here, but stay with us because Maxi is 00:25:19.520 --> 00:25:20.880 going to tell us about a penetration 00:25:20.880 --> 00:25:24.720 test story that changed her life. 00:25:24.720 --> 00:25:26.559 Making some big mistakes on past 00:25:26.559 --> 00:25:29.120 pentests did not make Maxi back down 00:25:29.120 --> 00:25:30.960 from pen testing. Instead, she doubled 00:25:30.960 --> 00:25:33.039 down. She was fascinated by the power of 00:25:33.039 --> 00:25:35.840 the pen tester, but more so the attacker 00:25:35.840 --> 00:25:37.760 mindset allured her, but she had to 00:25:37.760 --> 00:25:39.039 leave Australia. 00:25:39.039 --> 00:25:40.559 >> Well, yeah. So, I'd come back from 00:25:40.559 --> 00:25:43.520 Australia, my visa had run out, um, 00:25:43.520 --> 00:25:45.760 moved back to the States. My model in 00:25:45.760 --> 00:25:47.520 life is like, if I'm free to do it, and 00:25:47.520 --> 00:25:50.400 I want to do it, then I will do it. I 00:25:50.400 --> 00:25:53.360 kind of always want to be infatuated 00:25:53.360 --> 00:25:55.600 with what I'm doing and focused and I'm 00:25:55.600 --> 00:25:57.919 okay if whatever the thing is that I 00:25:57.919 --> 00:26:00.960 want to do changes and it has obviously 00:26:00.960 --> 00:26:03.360 but I want to love what I do because 00:26:03.360 --> 00:26:05.840 functionally right we'll I'll live for 00:26:05.840 --> 00:26:08.000 70 years maybe I'll live to 90 but 00:26:08.000 --> 00:26:11.520 functionally I've got max 70 good years 00:26:11.520 --> 00:26:14.240 and I want to do well we might do two 00:26:14.240 --> 00:26:16.000 interesting things a year so I've got 00:26:16.000 --> 00:26:17.679 140 interesting things that I'll do in 00:26:17.679 --> 00:26:20.080 my life that doesn't sound like a lot. 00:26:20.080 --> 00:26:22.159 So, I just always wanted to do the 00:26:22.159 --> 00:26:24.320 things that were most interesting, that 00:26:24.320 --> 00:26:25.919 would give me the most sort of 00:26:25.919 --> 00:26:28.400 interesting, exciting experiences. 00:26:28.400 --> 00:26:30.080 >> And for her, the thing that excited her 00:26:30.080 --> 00:26:32.000 the most was red teaming, penetration 00:26:32.000 --> 00:26:34.000 testing, social engineering, physically 00:26:34.000 --> 00:26:35.760 breaking into buildings was just a 00:26:35.760 --> 00:26:37.840 thrill to her. So, she looked for more 00:26:37.840 --> 00:26:39.039 jobs doing that. 00:26:39.039 --> 00:26:42.960 >> So, I was hired on a sanctioned red team 00:26:42.960 --> 00:26:45.440 contract to test this high security 00:26:45.440 --> 00:26:47.120 logistics company. And there were two 00:26:47.120 --> 00:26:48.960 testers that were booked. It was a large 00:26:48.960 --> 00:26:50.240 company, but they wanted the two of them 00:26:50.240 --> 00:26:51.520 to try to get into one of their 00:26:51.520 --> 00:26:53.840 satellite warehouses. They told her, 00:26:53.840 --> 00:26:55.360 "Look, there's a locked fence around 00:26:55.360 --> 00:26:57.279 this whole property. Security alarms are 00:26:57.279 --> 00:26:58.960 on the doors. There's security cameras 00:26:58.960 --> 00:27:00.240 watching the whole property. There's 00:27:00.240 --> 00:27:02.960 active security patrols at night." And 00:27:02.960 --> 00:27:04.480 they just wanted to prove that she could 00:27:04.480 --> 00:27:06.000 get to them. They didn't want her to do 00:27:06.000 --> 00:27:07.840 anything to those machines. And they 00:27:07.840 --> 00:27:09.440 gave her a little USB device and said, 00:27:09.440 --> 00:27:11.120 "Hey, if you can actually get to it, 00:27:11.120 --> 00:27:12.880 plug it in and take a picture that you 00:27:12.880 --> 00:27:14.720 got there, and this will prove that you 00:27:14.720 --> 00:27:16.559 made it." because uh presumably if 00:27:16.559 --> 00:27:17.840 somebody wanted to get a customer list 00:27:17.840 --> 00:27:19.679 or shipment list or whatever, it would 00:27:19.679 --> 00:27:21.360 be just as easy for them to plug in a 00:27:21.360 --> 00:27:23.919 USB device, grab the stuff and unplug 00:27:23.919 --> 00:27:25.520 it. So, they asked her to see if she 00:27:25.520 --> 00:27:28.720 could do that. So, her and her coworker 00:27:28.720 --> 00:27:30.400 take a drive out to this facility during 00:27:30.400 --> 00:27:32.240 the day and just drive by just to look 00:27:32.240 --> 00:27:35.120 at the place. And uh well, driving by is 00:27:35.120 --> 00:27:36.400 too quick. You can't see anything. So, 00:27:36.400 --> 00:27:38.240 they decided to get out and just walk 00:27:38.240 --> 00:27:40.559 down the sidewalk and go around the 00:27:40.559 --> 00:27:42.320 whole property just to see what they can 00:27:42.320 --> 00:27:44.320 notice. Any points of entry? Are there 00:27:44.320 --> 00:27:45.679 any areas where the cameras aren't 00:27:45.679 --> 00:27:48.159 pointed? 00:27:48.159 --> 00:27:52.880 >> When we had kind of gone around the very 00:27:52.880 --> 00:27:55.039 edge of the perimeter was like metal 00:27:55.039 --> 00:27:57.200 fence like chain link fencing. So the 00:27:57.200 --> 00:28:01.279 chain link fencing had just it wasn't it 00:28:01.279 --> 00:28:03.840 was years old, probably decades old and 00:28:03.840 --> 00:28:05.760 so it was a bit rickety so you could 00:28:05.760 --> 00:28:07.919 just kick the edge up. So we knew that. 00:28:07.919 --> 00:28:09.520 They took some other notes and got an 00:28:09.520 --> 00:28:11.200 idea of what the place was like. There's 00:28:11.200 --> 00:28:13.520 a twostory warehouse building with 00:28:13.520 --> 00:28:16.080 loading docks and sort of two parking 00:28:16.080 --> 00:28:18.399 lots. One normal one with big transport 00:28:18.399 --> 00:28:20.880 trucks and cargo trucks and a second one 00:28:20.880 --> 00:28:23.440 that had a chainlink fence around it 00:28:23.440 --> 00:28:25.279 with many more of those big cargo 00:28:25.279 --> 00:28:27.279 trucks. We're talking eight wheelers 00:28:27.279 --> 00:28:29.520 here, the big trucks. This warehouse 00:28:29.520 --> 00:28:31.360 would load stuff onto them and then they 00:28:31.360 --> 00:28:33.919 deliver it. So, they leave and decide to 00:28:33.919 --> 00:28:37.520 come back at 900 p.m. But Max's coworker 00:28:37.520 --> 00:28:38.559 called her up. 00:28:38.559 --> 00:28:41.600 >> He's like, "I'm sick." And I was like, I 00:28:41.600 --> 00:28:43.360 hate you. You're not I know you're not 00:28:43.360 --> 00:28:45.600 sick. You're hung over. But anyway, last 00:28:45.600 --> 00:28:47.279 minute he gets sick. So the scope 00:28:47.279 --> 00:28:49.120 allowed for a solo run. So I was like, 00:28:49.120 --> 00:28:49.919 I'm going to do it. 00:28:49.919 --> 00:28:51.600 >> She waits until night and then drives 00:28:51.600 --> 00:28:53.679 back to the facility at 9:00 p.m. By 00:28:53.679 --> 00:28:55.440 that time, the place was all closed and 00:28:55.440 --> 00:28:57.200 there should be no workers there and 00:28:57.200 --> 00:28:58.960 just those security patrols that she was 00:28:58.960 --> 00:28:59.760 told about. 00:28:59.760 --> 00:29:02.559 >> I then parked behind a tree line outside 00:29:02.559 --> 00:29:05.200 of the logistics [music] park. I was 00:29:05.200 --> 00:29:08.799 keeping away from, 00:29:08.799 --> 00:29:11.279 you know, the the lights. I [music] was 00:29:11.279 --> 00:29:13.840 staying where the the shadows fell in. 00:29:13.840 --> 00:29:16.080 >> Okay, it's go time. I like the quiet 00:29:16.080 --> 00:29:17.679 approach of being on foot myself, too. 00:29:17.679 --> 00:29:19.760 You can hide easier, change directions 00:29:19.760 --> 00:29:22.640 more quickly, be more stealthy. 00:29:22.640 --> 00:29:26.480 So, come up um through a tree line off 00:29:26.480 --> 00:29:27.865 to the side of the whole complex. 00:29:27.865 --> 00:29:28.399 [music] 00:29:28.399 --> 00:29:30.159 Moving pretty slow. I'm far enough from 00:29:30.159 --> 00:29:32.480 the walls to see the whole facade. I'm 00:29:32.480 --> 00:29:34.880 close enough to spot like opportunities 00:29:34.880 --> 00:29:37.679 and I do the usual first pass. I don't 00:29:37.679 --> 00:29:40.320 force anything. I don't touch anything. 00:29:40.320 --> 00:29:42.320 She passes by the building. The classic 00:29:42.320 --> 00:29:44.080 first pass gives you plausible 00:29:44.080 --> 00:29:46.080 deniability, right? If you don't touch 00:29:46.080 --> 00:29:48.170 anything or don't go on the property, 00:29:48.170 --> 00:29:49.840 [music] you can just say you're passing 00:29:49.840 --> 00:29:53.520 by if anyone asks, but it's quiet. There 00:29:53.520 --> 00:29:56.030 seems to be no signs of life inside. No 00:29:56.030 --> 00:29:58.320 [music] noise, no doors open, no lights 00:29:58.320 --> 00:30:00.240 on. And there were a lot of trucks in 00:30:00.240 --> 00:30:01.440 the parking lot, but all of them were 00:30:01.440 --> 00:30:03.890 dark and quiet. No regular cars there. 00:30:03.890 --> 00:30:04.720 [music] 00:30:04.720 --> 00:30:07.440 But surprisingly, she didn't see any 00:30:07.440 --> 00:30:09.520 security patrols. 00:30:09.520 --> 00:30:11.279 So, [music] since she's around the back 00:30:11.279 --> 00:30:12.960 of the building, she starts jiggling 00:30:12.960 --> 00:30:14.799 door knobs and windows to see if any of 00:30:14.799 --> 00:30:16.320 them will open. [music] 00:30:16.320 --> 00:30:18.799 And everything obvious that you would 00:30:18.799 --> 00:30:21.760 look at to gain entry was a no. So, 00:30:21.760 --> 00:30:24.880 doors, no. Hatches, couldn't see them. 00:30:24.880 --> 00:30:26.880 Gramm windows, they didn't open. and 00:30:26.880 --> 00:30:30.159 they were just double pane windows. Um, 00:30:30.159 --> 00:30:33.200 so yeah, so you know, good security is 00:30:33.200 --> 00:30:37.360 frustrating in some sense. Um, but it 00:30:37.360 --> 00:30:39.600 was this like corrugated all of the 00:30:39.600 --> 00:30:41.200 warehouses in the area were these 00:30:41.200 --> 00:30:45.279 corrugated sort of um steel structures 00:30:45.279 --> 00:30:49.760 or metal structures. And this the 00:30:49.760 --> 00:30:52.399 warehouse that I had, there was sort of 00:30:52.399 --> 00:30:55.760 this grass alley in the back at the back 00:30:55.760 --> 00:30:59.679 of it. and um its neighboring warehouse 00:30:59.679 --> 00:31:01.760 also had stacks of pallets. So there was 00:31:01.760 --> 00:31:04.320 just these stacks of pallets all the way 00:31:04.320 --> 00:31:10.080 like through this almost alley and 00:31:10.080 --> 00:31:12.000 there was this high stack of pallets 00:31:12.000 --> 00:31:15.279 that kind of touched it was within four 00:31:15.279 --> 00:31:18.799 3 4t of a second floor window that was 00:31:18.799 --> 00:31:20.960 just this little it was like a little 00:31:20.960 --> 00:31:23.279 rectangular window but it was open and I 00:31:23.279 --> 00:31:26.240 was like oh that sounds like a great way 00:31:26.240 --> 00:31:28.720 to get in there. So, kind of moved a 00:31:28.720 --> 00:31:30.799 couple of palettes start to climb up 00:31:30.799 --> 00:31:32.720 these other [music] like this other high 00:31:32.720 --> 00:31:35.520 stack of palettes. Um, and most of them 00:31:35.520 --> 00:31:38.159 have kind of been um like secured to one 00:31:38.159 --> 00:31:39.919 another. So, it's they're still a little 00:31:39.919 --> 00:31:42.559 rickety. It wasn't like I I wasn't 00:31:42.559 --> 00:31:44.480 feeling very confident that they 00:31:44.480 --> 00:31:47.120 wouldn't crash to the ground, but they 00:31:47.120 --> 00:31:49.120 didn't. I'm, you know, pretty light on 00:31:49.120 --> 00:31:50.960 my feet. I'm built I am built for speed 00:31:50.960 --> 00:31:55.200 and not power. Um, so I do end up 00:31:55.200 --> 00:31:56.559 getting to the top, poke my head 00:31:56.559 --> 00:31:58.880 through. 00:31:58.880 --> 00:32:00.880 >> While the building looks two stories 00:32:00.880 --> 00:32:03.279 tall, it's really just a single story, 00:32:03.279 --> 00:32:05.600 but just with really tall walls. So when 00:32:05.600 --> 00:32:07.919 she looks down, it's straight down all 00:32:07.919 --> 00:32:09.519 the way to the warehouse floor. That's 00:32:09.519 --> 00:32:12.000 not good. That's too high to jump down. 00:32:12.000 --> 00:32:14.399 So she looks around and notices that the 00:32:14.399 --> 00:32:17.440 walls are made of like a lockboard. 00:32:17.440 --> 00:32:19.600 It is essentially is pegboard. [music] 00:32:19.600 --> 00:32:22.720 So pegboard is basically, if you aren't 00:32:22.720 --> 00:32:25.840 familiar, it's steel or aluminum sheet 00:32:25.840 --> 00:32:29.039 in and it's got this regularly spaced 00:32:29.039 --> 00:32:31.600 like square or round holes that you you 00:32:31.600 --> 00:32:33.440 basically put on walls in warehouses 00:32:33.440 --> 00:32:35.360 usually and then you hang like heavy 00:32:35.360 --> 00:32:37.760 tooling on it. So I'm [music] looking at 00:32:37.760 --> 00:32:41.840 this lockboard peg board and I'm like, 00:32:41.840 --> 00:32:43.760 "All right, well climbing down [music] 00:32:43.760 --> 00:32:45.360 it, you know, grav gravity is your 00:32:45.360 --> 00:32:47.200 friend." So, it's like fingers in and 00:32:47.200 --> 00:32:49.440 got my little sneakers on and I I 00:32:49.440 --> 00:32:51.679 actually get down. It's It wasn't as 00:32:51.679 --> 00:32:52.960 difficult as you think. 00:32:52.960 --> 00:32:55.120 >> Okay, she did it. She got into the 00:32:55.120 --> 00:32:57.440 building. Nice. Now, her objective is to 00:32:57.440 --> 00:32:59.360 simply see if she could get into those 00:32:59.360 --> 00:33:01.279 computers in the building. So, she looks 00:33:01.279 --> 00:33:02.880 around for them. They were easy to find 00:33:02.880 --> 00:33:04.640 since the monitors were on and they were 00:33:04.640 --> 00:33:05.760 glowing in the dark. 00:33:05.760 --> 00:33:08.880 >> Get to the terminals and they're all 00:33:08.880 --> 00:33:11.440 they're all open. It was It was 00:33:11.440 --> 00:33:13.760 beautiful. you know when in movies the 00:33:13.760 --> 00:33:17.279 they're like ah the [laughter] 00:33:17.279 --> 00:33:19.360 like the heavens light I was like this 00:33:19.360 --> 00:33:21.519 is great so they were yeah they were all 00:33:21.519 --> 00:33:23.360 unlocked and so I connected this 00:33:23.360 --> 00:33:25.760 approved device I snapped the required 00:33:25.760 --> 00:33:28.240 photos um you know proof I could touch 00:33:28.240 --> 00:33:30.480 one attack I would want to touch and 00:33:30.480 --> 00:33:32.559 then I felt about the exit and I was 00:33:32.559 --> 00:33:34.159 like I looked at the pegboard and I was 00:33:34.159 --> 00:33:37.600 thinking well cuz climbing up is a 00:33:37.600 --> 00:33:39.360 little bit different than climbing down. 00:33:39.360 --> 00:33:41.039 Okay, so climbing out the way she came 00:33:41.039 --> 00:33:43.360 was not going to work. She looked around 00:33:43.360 --> 00:33:45.120 for another way out. There are a lot of 00:33:45.120 --> 00:33:46.960 doors. She She's inside. She could just 00:33:46.960 --> 00:33:49.120 open one up and walk out. No, wait. Hold 00:33:49.120 --> 00:33:50.320 on. That's not going to work because 00:33:50.320 --> 00:33:52.159 they're security alarms. And she looked 00:33:52.159 --> 00:33:53.760 around the doors and yes, they were 00:33:53.760 --> 00:33:56.080 armed. Okay, [snorts] scratch that. You 00:33:56.080 --> 00:33:57.600 can't open those doors. It would trigger 00:33:57.600 --> 00:33:59.120 noises. And since she hasn't had any 00:33:59.120 --> 00:34:00.799 security on her yet, she doesn't want to 00:34:00.799 --> 00:34:02.640 get their attention now. So, she looks 00:34:02.640 --> 00:34:04.480 around for other points of exit. 00:34:04.480 --> 00:34:06.480 >> It was a loaden door that wasn't in the 00:34:06.480 --> 00:34:08.560 best shape. So a loading door like a 00:34:08.560 --> 00:34:11.200 like a dock where the truck backs in so 00:34:11.200 --> 00:34:13.359 it can get whatever the load is it can 00:34:13.359 --> 00:34:15.679 it can get into the warehouse and you 00:34:15.679 --> 00:34:17.119 don't always need a forklift and so on 00:34:17.119 --> 00:34:20.079 so forth. So it was um it was it was 00:34:20.079 --> 00:34:21.760 essentially that. So it was on a pulley 00:34:21.760 --> 00:34:26.159 system and it wasn't attached to an 00:34:26.159 --> 00:34:29.919 alarm which was mental for what they you 00:34:29.919 --> 00:34:32.800 know for how secure they wanted to be. 00:34:32.800 --> 00:34:35.440 Um, so yeah. So I I kind of it was a 00:34:35.440 --> 00:34:37.440 little bit buckled at the side and maybe 00:34:37.440 --> 00:34:39.040 that's why it wasn't on the alarm. I'm 00:34:39.040 --> 00:34:42.079 not sure, but little pulley system pull 00:34:42.079 --> 00:34:45.280 the chain up just enough to sneak out 00:34:45.280 --> 00:34:47.679 and I get back to my car through a 00:34:47.679 --> 00:34:49.919 forest, which is by far, by the way, the 00:34:49.919 --> 00:34:53.440 worst part of the story for me because I 00:34:53.440 --> 00:34:56.720 do not like insects. But um, so yeah. So 00:34:56.720 --> 00:34:59.200 then I I back to my car or I think I'm 00:34:59.200 --> 00:35:01.520 roughly back to my car and I phoned my 00:35:01.520 --> 00:35:04.560 point of contact and our report was a 00:35:04.560 --> 00:35:07.119 success, right? Like I got in, I've 00:35:07.119 --> 00:35:08.560 managed it. I've got the photos. I'll 00:35:08.560 --> 00:35:11.040 write you a report. And he listened and 00:35:11.040 --> 00:35:14.000 he was like, I want to [sighs and gasps] 00:35:14.000 --> 00:35:15.680 issue a scope change. 00:35:15.680 --> 00:35:17.839 >> A scope change? This means the client 00:35:17.839 --> 00:35:20.640 wants to change what he wants her to do. 00:35:20.640 --> 00:35:22.000 I guess he was impressed that she was 00:35:22.000 --> 00:35:23.599 able to do everything he tked her with 00:35:23.599 --> 00:35:26.160 and wants her to try more. So he says to 00:35:26.160 --> 00:35:28.320 her, "You know all those moving trucks 00:35:28.320 --> 00:35:30.560 in our parking lots? See if you can 00:35:30.560 --> 00:35:33.599 steal those trucks." And she's like, "I 00:35:33.599 --> 00:35:34.880 don't know how to hotwire a truck." And 00:35:34.880 --> 00:35:36.240 he's like, "No, no, no. See if you can 00:35:36.240 --> 00:35:37.920 find the keys to any of them. And if so, 00:35:37.920 --> 00:35:38.640 take them." 00:35:38.640 --> 00:35:40.720 >> And I was like, "All right, let's do 00:35:40.720 --> 00:35:44.079 it." Cuz 140 interesting things in my 00:35:44.079 --> 00:35:45.680 life, this might be one of them. 00:35:45.680 --> 00:35:47.200 >> She walks back through the woods, 00:35:47.200 --> 00:35:49.119 cursing at all the spiderw webs that she 00:35:49.119 --> 00:35:51.040 comes across and then looks at the 00:35:51.040 --> 00:35:53.200 facility. There are a lot of trucks 00:35:53.200 --> 00:35:55.280 here. And they're the big trucks, like 00:35:55.280 --> 00:35:56.880 the 00:35:56.880 --> 00:35:58.880 long trucks, you know, they've got 20 to 00:35:58.880 --> 00:36:00.800 40 foot containers on the back. And I've 00:36:00.800 --> 00:36:02.640 never driven one of them. Some are 00:36:02.640 --> 00:36:04.720 parked inside the fenced area, and some 00:36:04.720 --> 00:36:06.640 aren't. She starts with the trucks that 00:36:06.640 --> 00:36:09.280 aren't in the fenced area. Step one, see 00:36:09.280 --> 00:36:11.119 if the door is unlocked. The first one 00:36:11.119 --> 00:36:13.839 she tries, the door is unlocked. Wo. So, 00:36:13.839 --> 00:36:16.160 she opens it, gets in the driver's seat. 00:36:16.160 --> 00:36:17.760 She looks at the ignition. The keys were 00:36:17.760 --> 00:36:20.160 not there. But to her surprise, the key 00:36:20.160 --> 00:36:21.520 was sitting right there in the cup 00:36:21.520 --> 00:36:23.359 holder in the center console. 00:36:23.359 --> 00:36:25.520 >> A little bit humorous. I'm like, eight 00:36:25.520 --> 00:36:28.000 billion people on the planet. I'm the 00:36:28.000 --> 00:36:30.320 best driver. So, what I'm going to do is 00:36:30.320 --> 00:36:32.160 I'm going to move all these trucks. I'm 00:36:32.160 --> 00:36:34.240 not going to worry about it. Reversing 00:36:34.240 --> 00:36:35.280 that truck. I was like, I'm going to 00:36:35.280 --> 00:36:37.280 have to leave this here cuz I'm I'm not 00:36:37.280 --> 00:36:38.880 going to be able to do this. So, yeah. 00:36:38.880 --> 00:36:41.119 So, I took them up just other end of the 00:36:41.119 --> 00:36:43.680 culdeac almost. It was like a little 00:36:43.680 --> 00:36:46.800 sort of um quiet area, a little 00:36:46.800 --> 00:36:50.560 logistical parking spot, I guess. So, I 00:36:50.560 --> 00:36:52.160 just parked them all up there. [music] 00:36:52.160 --> 00:36:54.560 >> She parked it about a/4 mile away and 00:36:54.560 --> 00:36:56.720 then ran back to get another truck. 00:36:56.720 --> 00:36:58.960 >> The keys were not consistently 00:36:58.960 --> 00:37:00.880 controlled and the fleet wasn't 00:37:00.880 --> 00:37:02.880 consistently parked on the inside of the 00:37:02.880 --> 00:37:04.880 secure [music] perimeter. So, basically, 00:37:04.880 --> 00:37:06.800 it just became this live demonstration 00:37:06.800 --> 00:37:08.160 of risk. 00:37:08.160 --> 00:37:10.240 >> One after another, she was able to find 00:37:10.240 --> 00:37:12.640 keys for these trucks. So when a driver 00:37:12.640 --> 00:37:15.920 comes back to this area and it's past 00:37:15.920 --> 00:37:18.160 hours, they they sometimes leave the 00:37:18.160 --> 00:37:19.839 keys like they'll leave them under mud 00:37:19.839 --> 00:37:22.400 flaps or just actually inside of the 00:37:22.400 --> 00:37:23.040 truck. 00:37:23.040 --> 00:37:24.960 >> It was incredible how many keys she 00:37:24.960 --> 00:37:26.880 found in and around these trucks. 00:37:26.880 --> 00:37:27.920 >> Sometimes they were still in the 00:37:27.920 --> 00:37:29.119 ignition. Sometimes they were on the 00:37:29.119 --> 00:37:30.560 seat. Sometimes they were in the, you 00:37:30.560 --> 00:37:32.800 know, the visor, the sun flaps. 00:37:32.800 --> 00:37:34.160 Sometimes they were in the mud flaps. 00:37:34.160 --> 00:37:35.839 And sometimes they weren't there at all. 00:37:35.839 --> 00:37:37.440 >> Some trucks were locked and she couldn't 00:37:37.440 --> 00:37:39.680 get into or move them. She thought about 00:37:39.680 --> 00:37:41.440 climbing back in through the window of 00:37:41.440 --> 00:37:42.800 the building and looking for the keys 00:37:42.800 --> 00:37:44.640 inside, but she already proved she can 00:37:44.640 --> 00:37:46.560 get in there. Maybe it's just better to 00:37:46.560 --> 00:37:48.800 try another truck instead. After taking 00:37:48.800 --> 00:37:51.040 the ones from the unsecured parking lot, 00:37:51.040 --> 00:37:52.480 she wanted to get into the fenced area 00:37:52.480 --> 00:37:54.079 and try to take one of those. She 00:37:54.079 --> 00:37:55.440 remembered where you can lift the fence 00:37:55.440 --> 00:37:57.520 up and get in there. So, she scurries 00:37:57.520 --> 00:37:59.200 under the fence and looks at the trucks 00:37:59.200 --> 00:38:02.000 inside. Sure enough, same story. Keys 00:38:02.000 --> 00:38:03.760 were typically in and around the trucks 00:38:03.760 --> 00:38:05.760 there, too. So, she hops in one, finds 00:38:05.760 --> 00:38:07.520 the keys, starts it up, and starts to 00:38:07.520 --> 00:38:10.480 drive out. but realizes, "Oh, wait. This 00:38:10.480 --> 00:38:12.960 fence is locked." She gets out, looks at 00:38:12.960 --> 00:38:15.520 the padlock. She thinks about picking 00:38:15.520 --> 00:38:16.640 the padlock. 00:38:16.640 --> 00:38:18.240 >> That did not work. And I was like, I bet 00:38:18.240 --> 00:38:19.599 there's a key for this someplace. And 00:38:19.599 --> 00:38:21.680 I'm thinking, do I go back inside? Do I 00:38:21.680 --> 00:38:24.400 climb up the pallets, climb down the gr, 00:38:24.400 --> 00:38:25.760 look for the keys? And I was thinking, 00:38:25.760 --> 00:38:27.359 you know what? This is probably proof 00:38:27.359 --> 00:38:29.440 enough. This is bad enough because the 00:38:29.440 --> 00:38:31.920 report is going to say, well, I couldn't 00:38:31.920 --> 00:38:34.079 break into your secure perimeter. Why 00:38:34.079 --> 00:38:35.920 don't you park your trucks in there? By 00:38:35.920 --> 00:38:37.760 2:00 a.m., she had stolen a bunch of 00:38:37.760 --> 00:38:39.599 trucks and felt like she accomplished 00:38:39.599 --> 00:38:41.839 the mission. Security never stopped her. 00:38:41.839 --> 00:38:43.839 There was no one around all night. So, 00:38:43.839 --> 00:38:45.200 she goes back to her car and calls her 00:38:45.200 --> 00:38:46.880 point of contact and says, "She stole 00:38:46.880 --> 00:38:49.599 the trucks." He's like, "Wow, okay, 00:38:49.599 --> 00:38:51.440 great. Hey, can you come into the office 00:38:51.440 --> 00:38:53.119 in the morning and tell us how it went?" 00:38:53.119 --> 00:38:55.920 She's like, "Sure, but let me sleep 00:38:55.920 --> 00:38:58.240 first because I'm exhausted." So, she 00:38:58.240 --> 00:39:00.079 goes home and then the workers start 00:39:00.079 --> 00:39:03.440 coming to the warehouse in the morning. 00:39:03.440 --> 00:39:05.920 day shift did arrive and they didn't 00:39:05.920 --> 00:39:08.160 notice anything was wrong for like a 00:39:08.160 --> 00:39:11.760 fair amount of time when I think it like 00:39:11.760 --> 00:39:14.000 how I would say it maybe is it took a 00:39:14.000 --> 00:39:16.720 beat for the penny to drop for them and 00:39:16.720 --> 00:39:20.160 yeah headquarters finally called and my 00:39:20.160 --> 00:39:21.760 contact I think walked them through the 00:39:21.760 --> 00:39:25.680 findings and eventually we gave a report 00:39:25.680 --> 00:39:28.640 and you know where was security they're 00:39:28.640 --> 00:39:30.640 supposed to have 24-hour roll in 00:39:30.640 --> 00:39:33.280 security where was it cuz I didn't see 00:39:33.280 --> 00:39:36.000 them. Like, why were there pallets? Why 00:39:36.000 --> 00:39:38.240 were there unlocked windows? Why weren't 00:39:38.240 --> 00:39:40.800 the loading bays connected to the alarm 00:39:40.800 --> 00:39:44.560 system? Things like that. Like, it was, 00:39:44.560 --> 00:39:47.280 you know, treat keys like access badges, 00:39:47.280 --> 00:39:49.520 not souvenirs. 00:39:49.520 --> 00:39:51.599 >> Did you have to give like a debrief to 00:39:51.599 --> 00:39:54.320 that uh facility and say, "Hey, by the 00:39:54.320 --> 00:39:55.760 way, you if you're wondering what 00:39:55.760 --> 00:39:57.520 happened, let me tell you." 00:39:57.520 --> 00:39:59.920 >> Not to the facility. So, I I didn't go 00:39:59.920 --> 00:40:01.920 back to that facility. We I gave it to 00:40:01.920 --> 00:40:03.520 my like to their headquarters 00:40:03.520 --> 00:40:05.680 essentially. We went in and we gave a 00:40:05.680 --> 00:40:07.200 presentation 00:40:07.200 --> 00:40:10.640 um and a report and you know as is all 00:40:10.640 --> 00:40:13.200 it's always the case people's sort of 00:40:13.200 --> 00:40:15.599 mouths drop and I think their tummies 00:40:15.599 --> 00:40:17.760 probably dropped too. Um they're like 00:40:17.760 --> 00:40:19.920 how has this how has this happened sort 00:40:19.920 --> 00:40:20.480 of thing but 00:40:20.480 --> 00:40:22.240 >> yeah but it's it's another thing to be 00:40:22.240 --> 00:40:24.800 like wait who did this? Oh we hired this 00:40:24.800 --> 00:40:26.820 person Max to do it. this guy Max 00:40:26.820 --> 00:40:28.240 [clears throat] is must it must be a 00:40:28.240 --> 00:40:30.480 jerk to be breaking in and all this. And 00:40:30.480 --> 00:40:32.320 then if you were to actually show up and 00:40:32.320 --> 00:40:34.320 be like, "Hi, I'm Maxie [clears throat] 00:40:34.320 --> 00:40:35.760 and I'm the one who stole all your 00:40:35.760 --> 00:40:36.320 tracks." 00:40:36.320 --> 00:40:40.000 >> I'm so sorry. You have to you have to be 00:40:40.000 --> 00:40:42.560 soft with them. Like, well, maybe that's 00:40:42.560 --> 00:40:46.560 just personality. Maybe that's 00:40:46.560 --> 00:40:48.320 a a preference of mine, but 00:40:48.320 --> 00:40:50.480 stylistically, I think be soft with 00:40:50.480 --> 00:40:54.720 them. They do not know for the most part 00:40:54.720 --> 00:40:58.079 that our industry exists. Yes, they know 00:40:58.079 --> 00:41:00.240 that there are, you know, bad actors out 00:41:00.240 --> 00:41:01.599 there, but they don't know that some of 00:41:01.599 --> 00:41:03.839 us are making a career out of it and you 00:41:03.839 --> 00:41:05.280 have to go in and you have to be soft. 00:41:05.280 --> 00:41:07.440 It isn't their fault. There there's 00:41:07.440 --> 00:41:09.280 that's what it is to run a company. Not 00:41:09.280 --> 00:41:12.960 everything's safe. Um, you can make it a 00:41:12.960 --> 00:41:14.560 little harder for people, but that's our 00:41:14.560 --> 00:41:16.720 job to tell them. And I just think tell 00:41:16.720 --> 00:41:20.160 them that in the most direct but soft 00:41:20.160 --> 00:41:22.319 way possible. you don't it's not a blame 00:41:22.319 --> 00:41:24.800 game. And so yeah, I I went to 00:41:24.800 --> 00:41:26.160 headquarters and I was like, "Hi guys." 00:41:26.160 --> 00:41:28.880 It was I think you might have heard what 00:41:28.880 --> 00:41:31.839 happened. Um and like so yeah, so now on 00:41:31.839 --> 00:41:34.160 my resume I've got, you know, expert 00:41:34.160 --> 00:41:36.560 climber and uh truck driver. 00:41:36.560 --> 00:41:38.720 >> She did a lot more penetration tests and 00:41:38.720 --> 00:41:40.480 got so serious about it that she wrote a 00:41:40.480 --> 00:41:42.880 book called The Art of Attack: Attacker 00:41:42.880 --> 00:41:45.119 Mindset for Security Professionals. 00:41:45.119 --> 00:41:47.119 >> Yeah. Well, here's what I'd say about my 00:41:47.119 --> 00:41:49.760 book. I'm going to explain it. If you 00:41:49.760 --> 00:41:51.680 don't like the sound of it, just buy it 00:41:51.680 --> 00:41:53.839 for somebody you don't like. If you do 00:41:53.839 --> 00:41:56.400 like the sound of it, it was on me. You 00:41:56.400 --> 00:41:57.849 should buy it. It'll be great. 00:41:57.849 --> 00:42:00.160 [laughter] No, in all seriousness, it's 00:42:00.160 --> 00:42:02.240 called The Art of Attack. And it's 00:42:02.240 --> 00:42:05.680 central argument is that in order to 00:42:05.680 --> 00:42:08.880 design defenses that truly work, 00:42:08.880 --> 00:42:11.440 security professionals must adopt this 00:42:11.440 --> 00:42:14.000 quotequote attacker mindset. and its 00:42:14.000 --> 00:42:17.520 basic position is that simply focusing 00:42:17.520 --> 00:42:19.680 on tools, networks or policies is 00:42:19.680 --> 00:42:22.160 completely insufficient. It's necessary 00:42:22.160 --> 00:42:24.240 but it's not sufficient. So 00:42:24.240 --> 00:42:26.480 understanding how an attacker thinks, 00:42:26.480 --> 00:42:30.079 how they strategize, manipulate, persist 00:42:30.079 --> 00:42:33.359 is fundamental to building resilient 00:42:33.359 --> 00:42:36.240 systems. And I would probably finish on 00:42:36.240 --> 00:42:38.400 it by saying 00:42:38.400 --> 00:42:41.359 the skills of a good attacker are the 00:42:41.359 --> 00:42:44.400 same skills that a I want as a person 00:42:44.400 --> 00:42:47.440 going through life, normal life. Also 00:42:47.440 --> 00:42:49.119 the things that I would teach and will 00:42:49.119 --> 00:42:51.920 teach to my children like grit, 00:42:51.920 --> 00:42:54.560 determination, we're goal orientated, 00:42:54.560 --> 00:42:57.440 resilient, so forth, so on. They are 00:42:57.440 --> 00:43:01.280 cognitive skills that we need and how 00:43:01.280 --> 00:43:03.920 you apply them is what matters and that 00:43:03.920 --> 00:43:09.440 is basically the premise of the book. 00:43:09.440 --> 00:43:11.599 >> Somewhere in her life she went on a 00:43:11.599 --> 00:43:13.839 penetration test that changed the whole 00:43:13.839 --> 00:43:15.520 trajectory of her life. 00:43:15.520 --> 00:43:18.800 >> It was probably the most highly strung 00:43:18.800 --> 00:43:23.599 uh you know tensioned job uh of my 00:43:23.599 --> 00:43:26.560 career. was for a company that we've all 00:43:26.560 --> 00:43:28.560 heard of and that we all use and [music] 00:43:28.560 --> 00:43:33.040 we had their internal red team 00:43:33.040 --> 00:43:34.319 accompanying us. 00:43:34.319 --> 00:43:36.160 >> This company had a big data center and 00:43:36.160 --> 00:43:37.760 they wanted to see if they could get 00:43:37.760 --> 00:43:40.880 unauthorized access inside. 00:43:40.880 --> 00:43:42.720 Now, I don't know if you've ever gone 00:43:42.720 --> 00:43:44.880 into one of these data centers, but 00:43:44.880 --> 00:43:46.400 sometimes these things are extremely 00:43:46.400 --> 00:43:48.480 secure. I've seen them where there's 00:43:48.480 --> 00:43:50.000 like a big fence around the company and 00:43:50.000 --> 00:43:51.520 just to get into the parking lot, you 00:43:51.520 --> 00:43:53.839 have to go through a gate guard and 00:43:53.839 --> 00:43:55.520 they'll check your ID and make sure that 00:43:55.520 --> 00:43:57.200 you're authorized to be there. And then 00:43:57.200 --> 00:43:58.480 when you finally park your car and get 00:43:58.480 --> 00:43:59.599 to the front door of the building, the 00:43:59.599 --> 00:44:01.520 front door is locked and so you need a 00:44:01.520 --> 00:44:03.599 badge to get in. Forget about any open 00:44:03.599 --> 00:44:06.079 windows. They don't open ever. Then upon 00:44:06.079 --> 00:44:07.440 walking in, there's a security guard 00:44:07.440 --> 00:44:08.560 watching what you're doing, but you're 00:44:08.560 --> 00:44:09.920 only in the lobby. You're not even in 00:44:09.920 --> 00:44:11.040 the data center part of the building 00:44:11.040 --> 00:44:12.960 yet. To get in there, you need a second 00:44:12.960 --> 00:44:14.560 key. And sometimes they do an eyeball 00:44:14.560 --> 00:44:16.560 scan to verify your identity. And there 00:44:16.560 --> 00:44:18.319 are man traps, meaning there's only one 00:44:18.319 --> 00:44:19.920 person allowed through at a time so they 00:44:19.920 --> 00:44:22.000 can check you. But then once you're in 00:44:22.000 --> 00:44:23.839 the data center, there's sometimes a 00:44:23.839 --> 00:44:25.760 cage around the server racks you need to 00:44:25.760 --> 00:44:27.440 get to, and you might need a third key 00:44:27.440 --> 00:44:29.040 to get into those and maybe an extra 00:44:29.040 --> 00:44:30.319 form of identification like a 00:44:30.319 --> 00:44:31.920 fingerprint scan or something. [music] 00:44:31.920 --> 00:44:34.880 In short, it's extremely hard to sneak 00:44:34.880 --> 00:44:36.319 into a data center. 00:44:36.319 --> 00:44:38.640 >> There are actually on this job armed 00:44:38.640 --> 00:44:41.440 guards patrolling this perimeter and 00:44:41.440 --> 00:44:43.200 there are vehicles that are scanned for 00:44:43.200 --> 00:44:45.680 anomalies. like it is a very in terms of 00:44:45.680 --> 00:44:48.240 security the very robust comprehensive 00:44:48.240 --> 00:44:52.079 site um and you know inside everything 00:44:52.079 --> 00:44:54.240 it's a data center everything is 00:44:54.240 --> 00:44:57.040 controlled um temperature humidity are 00:44:57.040 --> 00:44:59.359 controlled to the decimal the power and 00:44:59.359 --> 00:45:02.079 the fiber run through you they're 00:45:02.079 --> 00:45:04.640 redundant there's blast proof like 00:45:04.640 --> 00:45:08.000 conduits every corridor every door every 00:45:08.000 --> 00:45:10.319 bite is sort of like logged but once 00:45:10.319 --> 00:45:12.960 you're in you're in and nation state 00:45:12.960 --> 00:45:13.920 actors 00:45:13.920 --> 00:45:16.000 will will get in and they're willing to 00:45:16.000 --> 00:45:17.839 do what it takes. And so that was that 00:45:17.839 --> 00:45:18.640 was our job. 00:45:18.640 --> 00:45:20.880 >> Well, she decided to try going right in 00:45:20.880 --> 00:45:22.240 through the front gate. So she just 00:45:22.240 --> 00:45:23.599 drove her car right to the security 00:45:23.599 --> 00:45:25.359 checkpoint and acted like she was 00:45:25.359 --> 00:45:26.720 supposed to be there and talk to the 00:45:26.720 --> 00:45:27.359 guard. 00:45:27.359 --> 00:45:30.079 >> Hello. Yeah, we're visitor. Yeah. Like, 00:45:30.079 --> 00:45:32.000 hi, can we, you know, we're here to do 00:45:32.000 --> 00:45:34.880 this? Cuz your Osen can find you some of 00:45:34.880 --> 00:45:36.560 those entry points. Like if they're 00:45:36.560 --> 00:45:38.560 doing immersion cooling, we know there 00:45:38.560 --> 00:45:40.319 is maintenance required on immersion 00:45:40.319 --> 00:45:43.119 cooling for the fluid for instance. So 00:45:43.119 --> 00:45:44.480 you go out and you're like, "Here, we're 00:45:44.480 --> 00:45:47.119 here to do this." And you, you know, you 00:45:47.119 --> 00:45:48.480 some sites that will work and they'll be 00:45:48.480 --> 00:45:50.960 like, "Oh, okay. Um, we just tell the 00:45:50.960 --> 00:45:53.280 right person or here, wait here." They 00:45:53.280 --> 00:45:54.640 were like, "You're not on the list. 00:45:54.640 --> 00:45:55.839 You're not coming in." 00:45:55.839 --> 00:45:58.400 >> Okay, so there's a list. This is a clue. 00:45:58.400 --> 00:46:00.400 Maybe she could get on that list. Who 00:46:00.400 --> 00:46:02.480 maintains that list? What if she called 00:46:02.480 --> 00:46:03.920 acting like the maintenance team and 00:46:03.920 --> 00:46:06.240 says they have to do a fluid change or 00:46:06.240 --> 00:46:07.680 something and they're coming out? 00:46:07.680 --> 00:46:10.319 >> So we we tried to get on that list. We 00:46:10.319 --> 00:46:12.960 tried to call ahead. We tried to spoof 00:46:12.960 --> 00:46:14.319 phone calls so that it looked like we 00:46:14.319 --> 00:46:16.560 were calling from hopefully the right 00:46:16.560 --> 00:46:18.720 point of contact. It wasn't working. 00:46:18.720 --> 00:46:21.359 There was too many checks. They were 00:46:21.359 --> 00:46:23.680 comprehensive. They were robust. They 00:46:23.680 --> 00:46:26.319 were sharp. And so we were like, how are 00:46:26.319 --> 00:46:27.712 we going to get in here? And it's like, 00:46:27.712 --> 00:46:31.520 [gasps] you know, sort of a bit like 00:46:31.520 --> 00:46:33.359 they've built a wall. Do we dig under 00:46:33.359 --> 00:46:35.040 it? Do we go over it? Like it wouldn't 00:46:35.040 --> 00:46:37.839 have mattered. It was the sensors, the 00:46:37.839 --> 00:46:40.720 security, they were on top of it. And so 00:46:40.720 --> 00:46:49.280 we're like, all right, what do we do? 00:46:49.280 --> 00:46:50.637 >> Time to step back and think about 00:46:50.637 --> 00:46:52.640 [music] some sort of out of the box way 00:46:52.640 --> 00:46:55.440 to get into this data center. One way to 00:46:55.440 --> 00:46:56.560 try to think through something like that 00:46:56.560 --> 00:46:57.839 is just to learn more about this 00:46:57.839 --> 00:46:58.800 company. [music] 00:46:58.800 --> 00:47:01.359 Maxi was curious how the building was 00:47:01.359 --> 00:47:02.079 built. 00:47:02.079 --> 00:47:05.839 >> So we actually went to the [music] 00:47:05.839 --> 00:47:09.040 municipalities. We'd gotten some like 00:47:09.040 --> 00:47:10.800 almost you could think of them as 00:47:10.800 --> 00:47:12.907 blueprints and we figured out that 00:47:12.907 --> 00:47:15.280 [music] there was in fact a sewage line. 00:47:15.280 --> 00:47:17.040 Sewage lines are too small and would be 00:47:17.040 --> 00:47:18.480 way too disgusting for [music] a person 00:47:18.480 --> 00:47:21.520 to go into. However, they sometimes run 00:47:21.520 --> 00:47:24.160 through underground tunnels that are 00:47:24.160 --> 00:47:26.640 accessible by service workers like a 00:47:26.640 --> 00:47:29.359 smaller pipe inside a big tunnel. So, 00:47:29.359 --> 00:47:31.599 she traced where the lines leave the 00:47:31.599 --> 00:47:35.520 property. It sat at a point where we 00:47:35.520 --> 00:47:38.000 could get to another access point 00:47:38.000 --> 00:47:40.400 through basically a a junction. 00:47:40.400 --> 00:47:43.040 >> Well, it's worth a shot to try. So, they 00:47:43.040 --> 00:47:45.040 drive over to where they expect there to 00:47:45.040 --> 00:47:47.440 be a manhole which is off the property. 00:47:47.440 --> 00:47:48.800 And if their calculations are right, 00:47:48.800 --> 00:47:50.480 these pipes would lead right into the 00:47:50.480 --> 00:47:52.960 data center. But the question is, will 00:47:52.960 --> 00:47:55.119 there be a service tunnel also leading 00:47:55.119 --> 00:47:57.599 to the data center? So, they pried open 00:47:57.599 --> 00:48:00.400 the manhole lid and looked in. it was 00:48:00.400 --> 00:48:02.240 big enough to crawl down into. So they 00:48:02.240 --> 00:48:05.200 did and then they saw a tunnel going 00:48:05.200 --> 00:48:07.920 towards the data center. So they crawled 00:48:07.920 --> 00:48:10.400 through it 00:48:10.400 --> 00:48:12.960 and it's a long, shall we call it 00:48:12.960 --> 00:48:15.760 journey from one access point, one 00:48:15.760 --> 00:48:18.240 manhole to the other, but we have to do 00:48:18.240 --> 00:48:20.000 it. It's not glamorous. It was not 00:48:20.000 --> 00:48:22.800 enjoyable, but we got through it. Sure 00:48:22.800 --> 00:48:24.640 enough, it led them right to the data 00:48:24.640 --> 00:48:25.280 center 00:48:25.280 --> 00:48:29.280 >> and then make our way up into the site 00:48:29.280 --> 00:48:31.280 and then into the data center. 00:48:31.280 --> 00:48:33.520 >> They got in, snapped a few photos to 00:48:33.520 --> 00:48:35.920 prove they were in there, unauthorized. 00:48:35.920 --> 00:48:37.280 And then they called the security team 00:48:37.280 --> 00:48:38.960 to tell them they got in and the 00:48:38.960 --> 00:48:40.640 security came and was like, "What? How 00:48:40.640 --> 00:48:41.680 did you get in here?" 00:48:41.680 --> 00:48:45.520 >> And so our report was, 00:48:45.520 --> 00:48:49.040 "Your guy's security is bob on. We we 00:48:49.040 --> 00:48:51.920 hate it. It was amazing. you didn't let 00:48:51.920 --> 00:48:53.680 us in here. We weren't able to phone 00:48:53.680 --> 00:48:55.200 ahead. We weren't able to forge 00:48:55.200 --> 00:48:56.960 documents. We weren't able to do any of 00:48:56.960 --> 00:48:59.200 the things that we would try to do 00:48:59.200 --> 00:49:00.960 ordinarily. We couldn't have created a 00:49:00.960 --> 00:49:03.760 diversion to, you know, have security 00:49:03.760 --> 00:49:05.520 take their eyes off of the gates to get 00:49:05.520 --> 00:49:07.599 through. They weren't looking. It wasn't 00:49:07.599 --> 00:49:10.160 it wasn't going to happen. We got into 00:49:10.160 --> 00:49:14.400 your data center through a manhole for a 00:49:14.400 --> 00:49:17.599 sewer line and that was the bulk of our 00:49:17.599 --> 00:49:19.440 report. the that the the rest of it was 00:49:19.440 --> 00:49:21.599 going, but it kind of didn't matter to 00:49:21.599 --> 00:49:23.040 them. They're like, "Yeah, but you still 00:49:23.040 --> 00:49:23.839 got in." 00:49:23.839 --> 00:49:26.800 >> But this made Maxi think even more. If a 00:49:26.800 --> 00:49:29.839 data center wants ultimate security so 00:49:29.839 --> 00:49:32.079 nobody ever gets in, how could they 00:49:32.079 --> 00:49:34.640 improve this? And that's when it 00:49:34.640 --> 00:49:35.520 occurred to her. 00:49:35.520 --> 00:49:36.800 >> And I was like, well, if you want to 00:49:36.800 --> 00:49:38.800 keep them that safe, you put them 00:49:38.800 --> 00:49:39.760 underwater. 00:49:39.760 --> 00:49:42.720 >> An underwater data center. Could that 00:49:42.720 --> 00:49:45.040 even work? Then I started to think, "Oh, 00:49:45.040 --> 00:49:48.319 is that did I just have a good idea?" 00:49:48.319 --> 00:49:51.920 Amazing. So I called my old boss who I 00:49:51.920 --> 00:49:54.319 used to work offshore for and with. I 00:49:54.319 --> 00:49:55.599 was like, "Hey, what do you what do you 00:49:55.599 --> 00:49:57.839 think of this?" And he's like, "I've 00:49:57.839 --> 00:49:59.760 actually thought of something fairly 00:49:59.760 --> 00:50:02.000 similar and I had this like autocad 00:50:02.000 --> 00:50:03.440 drawn at this point." He tweaked it, 00:50:03.440 --> 00:50:05.760 tweaked the design. I was like, "Would 00:50:05.760 --> 00:50:08.079 you consider working with me? Here's 00:50:08.079 --> 00:50:09.680 what I want to do. I want to I want to 00:50:09.680 --> 00:50:11.839 put data centers underwater. I want to 00:50:11.839 --> 00:50:15.200 do it in a modular fashion and I want to 00:50:15.200 --> 00:50:16.720 do it cuz it keeps them safe. 00:50:16.720 --> 00:50:18.400 >> So, the two of them got busy designing 00:50:18.400 --> 00:50:20.559 and building modular underwater data 00:50:20.559 --> 00:50:22.160 centers where you load up the servers 00:50:22.160 --> 00:50:23.839 into what looks like a small shipping 00:50:23.839 --> 00:50:26.240 container that's watertight and she will 00:50:26.240 --> 00:50:29.040 then drive them down to a safe spot on 00:50:29.040 --> 00:50:30.319 the bottom of the ocean. 00:50:30.319 --> 00:50:32.319 >> It's also a lot cheaper to do. So, it's 00:50:32.319 --> 00:50:35.520 about 80% less expensive in terms of in 00:50:35.520 --> 00:50:38.960 terms of capex to get compute underwater 00:50:38.960 --> 00:50:41.680 the way we do it. I I don't know 00:50:41.680 --> 00:50:43.359 anything about underwater data centers. 00:50:43.359 --> 00:50:45.359 This is all new to me. So, I didn't even 00:50:45.359 --> 00:50:47.440 know this was possible or even this was 00:50:47.440 --> 00:50:49.040 happening. But you're telling me this is 00:50:49.040 --> 00:50:50.000 something you've made. 00:50:50.000 --> 00:50:51.200 >> This is something we've made. This is 00:50:51.200 --> 00:50:53.839 something we've we've done, performed, 00:50:53.839 --> 00:50:56.000 and and now there are actually a lot of 00:50:56.000 --> 00:50:56.720 companies. 00:50:56.720 --> 00:50:59.040 >> Is there like a long like extension cord 00:50:59.040 --> 00:51:00.559 that goes to these things to keep 00:51:00.559 --> 00:51:03.280 >> them? There essentially is. So what's 00:51:03.280 --> 00:51:04.640 really interesting about the subt 00:51:04.640 --> 00:51:06.079 environment and we touched upon it 00:51:06.079 --> 00:51:08.240 earlier is that 00:51:08.240 --> 00:51:10.720 everything you and I use one way or 00:51:10.720 --> 00:51:13.920 another um so there are power cords 00:51:13.920 --> 00:51:15.920 under under the water that's how we you 00:51:15.920 --> 00:51:18.079 know that's how we light up oil and gas 00:51:18.079 --> 00:51:19.920 platforms that's how we manage to eat on 00:51:19.920 --> 00:51:22.079 them and things like that and there are 00:51:22.079 --> 00:51:25.359 also countries that export so France 00:51:25.359 --> 00:51:29.119 exports power to Denmark we that's a 00:51:29.119 --> 00:51:32.400 long lady cable to do that for them So 00:51:32.400 --> 00:51:35.200 there's actually a lot of subc cables. 00:51:35.200 --> 00:51:38.160 There's also a lot of subc cables for 00:51:38.160 --> 00:51:40.000 there's like 700 cables or something 00:51:40.000 --> 00:51:42.720 like that, maybe more now that carry 00:51:42.720 --> 00:51:44.640 this internet signals. So they they 00:51:44.640 --> 00:51:46.000 pulse the light. 00:51:46.000 --> 00:51:47.359 >> So you don't have to lay your own 00:51:47.359 --> 00:51:49.680 cables. You can just tap tap off some of 00:51:49.680 --> 00:51:50.559 the stuff that's there. 00:51:50.559 --> 00:51:51.839 >> Yeah, it depends where we're So if we're 00:51:51.839 --> 00:51:54.480 in a port, then we might extend from an 00:51:54.480 --> 00:51:56.880 onland substation. If we're further 00:51:56.880 --> 00:51:58.880 offshore, then we'll splice the power 00:51:58.880 --> 00:52:00.559 cable, 00:52:00.559 --> 00:52:03.200 put it in wet. So, we've got offshore 00:52:03.200 --> 00:52:05.520 they're wet mates wet mate cables. So, 00:52:05.520 --> 00:52:08.160 we'll they look like headphones with a 00:52:08.160 --> 00:52:10.319 mic jacks on them. Like they look like 00:52:10.319 --> 00:52:12.000 that. They're just really big ones of 00:52:12.000 --> 00:52:13.680 that essentially. We plug them into our 00:52:13.680 --> 00:52:15.839 units or our units look like 20ft 00:52:15.839 --> 00:52:19.680 shipping containers and they we put them 00:52:19.680 --> 00:52:21.599 on the subsec floor. We secure them 00:52:21.599 --> 00:52:25.680 there through guide posts, lock them in, 00:52:25.680 --> 00:52:28.720 uh, plug in the power, wet, wet mate the 00:52:28.720 --> 00:52:30.319 power, and do the same for the fiber, 00:52:30.319 --> 00:52:32.240 and then it's up and running. And we can 00:52:32.240 --> 00:52:35.359 do about 3 megawatt in a unit just now, 00:52:35.359 --> 00:52:38.160 which is meaningless to most people, but 00:52:38.160 --> 00:52:40.640 uh, that's kind of what we need just to 00:52:40.640 --> 00:52:44.400 do small amount of compute. And yeah, we 00:52:44.400 --> 00:52:46.400 we sent them on the sea floor. But what 00:52:46.400 --> 00:52:48.559 if uh what about maintenance and stuff 00:52:48.559 --> 00:52:50.720 like you need to change out a hard 00:52:50.720 --> 00:52:51.359 drive? 00:52:51.359 --> 00:52:53.280 >> Yeah. So there's a few ways that we 00:52:53.280 --> 00:52:54.800 perform maintenance. So it's it's 00:52:54.800 --> 00:52:56.400 actually not that much different than 00:52:56.400 --> 00:53:00.000 than um online. So what I will say is 00:53:00.000 --> 00:53:02.400 the maintenance cycles are reduced 00:53:02.400 --> 00:53:04.240 because there's no dust, right? We've 00:53:04.240 --> 00:53:08.000 got the the servers are filled or are 00:53:08.000 --> 00:53:11.119 surrounded by this dialectric fluid. So 00:53:11.119 --> 00:53:13.359 there's no dust, there's no debris, 00:53:13.359 --> 00:53:16.960 there's no people jostling the cables 00:53:16.960 --> 00:53:20.000 and those are the biggest factors in 00:53:20.000 --> 00:53:21.839 maintenance. That's why compute goes 00:53:21.839 --> 00:53:24.960 down 18% of the time. We don't have that 00:53:24.960 --> 00:53:26.800 then. But you know it happens. We do 00:53:26.800 --> 00:53:28.720 have to maintain. There's some fault. So 00:53:28.720 --> 00:53:30.960 we do that a few different ways. If one 00:53:30.960 --> 00:53:32.559 server fails, it kind of doesn't matter. 00:53:32.559 --> 00:53:35.119 We'll load balance. We'll shift the load 00:53:35.119 --> 00:53:37.680 and it'll go to some other server or 00:53:37.680 --> 00:53:41.119 some other site that we have. Um 00:53:41.119 --> 00:53:44.480 if a whole rack fails, it may fail in 00:53:44.480 --> 00:53:50.319 place and again load balancing or if a 00:53:50.319 --> 00:53:52.079 rack fails and it's important depending 00:53:52.079 --> 00:53:54.559 on what the client depend on who the 00:53:54.559 --> 00:53:56.400 client is and what the client is doing. 00:53:56.400 --> 00:53:59.760 We may have to bring the unit up and it 00:53:59.760 --> 00:54:02.000 takes we we guarantee you can do it 00:54:02.000 --> 00:54:06.240 within about 12 hours. Um so we've got a 00:54:06.240 --> 00:54:10.559 vessel at site. the vessel goes picks 00:54:10.559 --> 00:54:13.520 the unit up with an ROV because that's 00:54:13.520 --> 00:54:15.040 my background and that's how I knew how 00:54:15.040 --> 00:54:18.000 to do it. So, picks it up, put it on 00:54:18.000 --> 00:54:20.400 deck, we drain it, we do the fixes. You 00:54:20.400 --> 00:54:22.400 can also do them remotely a lot of the 00:54:22.400 --> 00:54:25.599 time. Um, so it really just depends. But 00:54:25.599 --> 00:54:28.559 then it it it doesn't cost any more time 00:54:28.559 --> 00:54:30.480 and it doesn't cost anymore in terms of 00:54:30.480 --> 00:54:32.480 the financials 00:54:32.480 --> 00:54:37.040 and and before people like come for me. 00:54:37.040 --> 00:54:39.839 It does not heat the water. We are not 00:54:39.839 --> 00:54:43.359 heating the oceans. So 00:54:43.359 --> 00:54:46.880 I have to say it. So water warms up more 00:54:46.880 --> 00:54:49.920 slowly than air and it can actually hold 00:54:49.920 --> 00:54:52.240 more heat. So the specific heat of water 00:54:52.240 --> 00:54:54.240 is higher than most other substances. 00:54:54.240 --> 00:54:56.319 And what that means is that it absorbs 00:54:56.319 --> 00:54:58.880 more heat before its own temperature 00:54:58.880 --> 00:55:02.559 increases by 1°. So say it another way, 00:55:02.559 --> 00:55:04.240 water needs about four times as much 00:55:04.240 --> 00:55:07.680 energy to raise its temperature by 1° C 00:55:07.680 --> 00:55:10.559 as the same mass of air does. So what 00:55:10.559 --> 00:55:12.720 we've measured in our testing is that 00:55:12.720 --> 00:55:15.520 the water heats up by about a thousandth 00:55:15.520 --> 00:55:18.640 of a degree, which is statistically 00:55:18.640 --> 00:55:20.400 insignificant, and that's within a meter 00:55:20.400 --> 00:55:23.200 of the unit. You put a data center on 00:55:23.200 --> 00:55:25.839 land, first of all, you have to use air 00:55:25.839 --> 00:55:28.000 conditioning to cool it for the most 00:55:28.000 --> 00:55:29.920 part. That's what people are doing. So 00:55:29.920 --> 00:55:32.800 about 40 to 50% of all the power that 00:55:32.800 --> 00:55:36.319 that data center is pulling is used to 00:55:36.319 --> 00:55:39.599 air condition. And then that is pushed 00:55:39.599 --> 00:55:41.680 out as heat and then the ocean has to 00:55:41.680 --> 00:55:44.079 take that cuz that's our heat sink. The 00:55:44.079 --> 00:55:45.920 ocean takes that and now you're warming 00:55:45.920 --> 00:55:48.400 the oceans. So, it's like a very 00:55:48.400 --> 00:55:50.000 unintuitive 00:55:50.000 --> 00:55:52.319 but very like scientifically proven 00:55:52.319 --> 00:55:54.079 method of getting rid of heat. Put it 00:55:54.079 --> 00:55:56.400 into water. And so, yeah. 00:55:56.400 --> 00:55:58.880 >> And I imagine if someone does try to pen 00:55:58.880 --> 00:56:00.640 test this place or break into it, as 00:56:00.640 --> 00:56:02.160 soon as they open the door, it just gets 00:56:02.160 --> 00:56:03.680 flooded and then all the computers shut 00:56:03.680 --> 00:56:04.240 off. 00:56:04.240 --> 00:56:06.559 >> You can't open the door. So, it's like 00:56:06.559 --> 00:56:08.799 you would basically our biggest threat 00:56:08.799 --> 00:56:11.119 is like a sub, you know, like a a 00:56:11.119 --> 00:56:14.400 Russian sub maybe. Let's see. So, what 00:56:14.400 --> 00:56:16.640 happens is you have you need a sub or 00:56:16.640 --> 00:56:19.680 you need a vessel with an ROV attached 00:56:19.680 --> 00:56:23.200 or maybe if we're if we're uh like a 00:56:23.200 --> 00:56:24.880 shallow depth, you could use a diver, 00:56:24.880 --> 00:56:26.160 but a diver is not going to be able to 00:56:26.160 --> 00:56:27.680 do anything. You can't pull a door open 00:56:27.680 --> 00:56:29.920 because of the pressure of the water. 00:56:29.920 --> 00:56:32.000 So, basically, you couldn't really pen 00:56:32.000 --> 00:56:34.400 test it without getting a vessel, an 00:56:34.400 --> 00:56:37.119 ROV, or a bunch of divers or a 00:56:37.119 --> 00:56:39.680 submarine. And good luck to you. I don't 00:56:39.680 --> 00:56:41.839 even know how I would do that. And if 00:56:41.839 --> 00:56:43.200 anybody's going to pen test it, it's 00:56:43.200 --> 00:56:44.720 going to be me because that is a that is 00:56:44.720 --> 00:56:49.359 a fun job. But um basically, let's say a 00:56:49.359 --> 00:56:53.440 a nation state sub came along. Great. It 00:56:53.440 --> 00:56:55.359 would have to connect it and it would 00:56:55.359 --> 00:56:59.839 have to pull it off of its security 00:56:59.839 --> 00:57:02.960 mechanisms that we've got sort of uh 00:57:02.960 --> 00:57:06.079 fastened to the seabed. And once you'd 00:57:06.079 --> 00:57:07.839 done that, you would basically 00:57:07.839 --> 00:57:11.040 self-destruct the data that was on the 00:57:11.040 --> 00:57:13.359 servers cuz now you've ruined the 00:57:13.359 --> 00:57:16.400 housing that that is, you know, keeping 00:57:16.400 --> 00:57:18.160 them safe from the the water and the 00:57:18.160 --> 00:57:20.960 pressure of the water. So physically 00:57:20.960 --> 00:57:24.799 they are very very secure. 00:57:24.799 --> 00:57:26.160 Digitally they're it's the same 00:57:26.160 --> 00:57:28.319 footprint like you pentest the same way 00:57:28.319 --> 00:57:31.119 you would any other server data center 00:57:31.119 --> 00:57:32.799 company. 00:57:32.799 --> 00:57:34.720 >> Incredible. I think I'm stunned by that 00:57:34.720 --> 00:57:38.000 sort of thing. I mean, I my brain goes 00:57:38.000 --> 00:57:40.400 into weird directions here. Like, um, is 00:57:40.400 --> 00:57:43.839 it are there laws offshore where you can 00:57:43.839 --> 00:57:45.760 host things that aren't legal in this 00:57:45.760 --> 00:57:47.440 country or whatever and all this sort of 00:57:47.440 --> 00:57:49.680 stuff? And now now suddenly I I like 00:57:49.680 --> 00:57:52.799 this idea of pirated 00:57:52.799 --> 00:57:56.400 websites or piracy. Is there's piracy in 00:57:56.400 --> 00:57:58.160 the sea as well? Like this my brain is 00:57:58.160 --> 00:57:59.599 just goes in all directions here. 00:57:59.599 --> 00:58:01.680 >> That's right. Yes, there are maritime 00:58:01.680 --> 00:58:05.920 laws. very difficult to enforce them and 00:58:05.920 --> 00:58:08.319 you rely on satellites to some level. 00:58:08.319 --> 00:58:11.119 You rely on like boats to police but the 00:58:11.119 --> 00:58:15.359 ocean is vast. So it is very difficult 00:58:15.359 --> 00:58:18.559 to enforce. So basically we're counting 00:58:18.559 --> 00:58:22.079 on people doing the right thing and that 00:58:22.079 --> 00:58:24.720 doesn't always work. So what we do is we 00:58:24.720 --> 00:58:26.960 make sure that we're in the green. So we 00:58:26.960 --> 00:58:30.000 colllocate with existing assets offshore 00:58:30.000 --> 00:58:31.920 whether it be in national or 00:58:31.920 --> 00:58:35.760 international waters. Every country has 00:58:35.760 --> 00:58:39.440 an EEZ an economic zone essentially and 00:58:39.440 --> 00:58:42.000 that's about it goes from coastline to 00:58:42.000 --> 00:58:45.599 about 12 miles out and then just a 00:58:45.599 --> 00:58:47.040 little further out from that you start 00:58:47.040 --> 00:58:48.799 to get into what is essentially 00:58:48.799 --> 00:58:51.760 international waters. You can do what 00:58:51.760 --> 00:58:54.079 you want inside of them. Who's going to 00:58:54.079 --> 00:58:56.480 stop you? but we choose not to as you 00:58:56.480 --> 00:59:00.640 know an American company and so we 00:59:00.640 --> 00:59:04.319 colllocate with other assets in the area 00:59:04.319 --> 00:59:07.599 um usually like offshore wind platforms 00:59:07.599 --> 00:59:13.440 or rigs or anchored boats. So yeah I I 00:59:13.440 --> 00:59:17.520 think subc is definitely part of the the 00:59:17.520 --> 00:59:27.359 future for data centers. 00:59:27.359 --> 00:59:29.280 A big thank you to Maxi Reynolds for 00:59:29.280 --> 00:59:30.640 coming on the show and sharing these 00:59:30.640 --> 00:59:31.839 stories. You can learn more about her 00:59:31.839 --> 00:59:35.520 underwater data center at subccloud.com. 00:59:35.520 --> 00:59:36.880 If you want to get a book, it's called 00:59:36.880 --> 00:59:39.040 The Art of Attack, Attacker Mindset. 00:59:39.040 --> 00:59:40.400 It's the one with the chess pieces on 00:59:40.400 --> 00:59:42.480 the cover. If you like the show, if it 00:59:42.480 --> 00:59:44.240 brings value to you, consider supporting 00:59:44.240 --> 00:59:46.240 the show by giving directly to the show. 00:59:46.240 --> 00:59:48.400 It helps keep ads at a minimum. It keeps 00:59:48.400 --> 00:59:49.920 the lights on here, but most of all, it 00:59:49.920 --> 00:59:52.160 tells me you want more of it. Not only 00:59:52.160 --> 00:59:53.920 that, but you'll get bonus episodes and 00:59:53.920 --> 00:59:56.000 an adree version of the show, too. So, 00:59:56.000 --> 00:59:59.440 please visit plus.darknetdiaries.com. 00:59:59.440 --> 01:00:02.000 That's plus.darknetdiaries.com. 01:00:02.000 --> 01:00:04.079 Thank you. The show is made by me, the 01:00:04.079 --> 01:00:06.319 packet tickler, Jackie Cider, editing by 01:00:06.319 --> 01:00:07.839 Control Alt Delight, [music] Tristan 01:00:07.839 --> 01:00:09.760 Ledger. Mixing by Proximity Sound, and 01:00:09.760 --> 01:00:11.280 our theme music is by the mysterious 01:00:11.280 --> 01:00:13.920 break cylinder. I have a bad habit of 01:00:13.920 --> 01:00:15.920 doom scrolling social media, but lately 01:00:15.920 --> 01:00:18.079 I've been trying to break it by 01:00:18.079 --> 01:00:19.680 confusing the algorithm as much as 01:00:19.680 --> 01:00:22.319 possible. I'll play like long recordings 01:00:22.319 --> 01:00:24.799 of fog horns blaring or I'll watch 01:00:24.799 --> 01:00:27.440 curling matches from 2006 or I'll just 01:00:27.440 --> 01:00:28.960 search for like the most bizarre things 01:00:28.960 --> 01:00:31.359 I can think of like can I legally marry 01:00:31.359 --> 01:00:35.200 a ghost in Ohio or a baroque 01:00:35.200 --> 01:00:38.640 interpretations of dialup modem sounds? 01:00:38.640 --> 01:00:41.040 Can you potty train a squirrel using 01:00:41.040 --> 01:00:42.559 jazz? 01:00:42.559 --> 01:00:44.000 Not because I'm interested in those 01:00:44.000 --> 01:00:46.240 results, but because I like tossing the 01:00:46.240 --> 01:00:48.319 algorithm a bag of trail mix and just 01:00:48.319 --> 01:00:51.280 watching it chew on that for a while. 01:00:51.280 --> 01:00:55.480 This is Darknet Diaries.