WEBVTT

00:00:00.620 --> 00:00:02.080
JACK: Hey, it’s Jack, host of the show.

00:00:02.080 --> 00:00:05.110
Did I ever tell you about the time I tried to sneak into the Pentagon?

00:00:05.110 --> 00:00:09.380
Yeah, after college I took a trip to Washington, DC all by myself.

00:00:09.380 --> 00:00:10.380
I like traveling alone, I guess.

00:00:10.380 --> 00:00:14.940
There’s a certain kind of freedom I like about it which allows me to reinvent myself

00:00:14.940 --> 00:00:15.940
on trips.

00:00:15.940 --> 00:00:20.439
Anyway, there’s this metro, a subway, that goes underground through Washington, DC.

00:00:20.439 --> 00:00:25.189
I jumped on it just to see where it would go and one of the stations it took me to was

00:00:25.189 --> 00:00:26.189
the Pentagon.

00:00:26.189 --> 00:00:28.160
I’m like alright, this sounds cool.

00:00:28.160 --> 00:00:33.840
So, I jumped off and somehow ended up at the employee entrance to the Pentagon.

00:00:33.840 --> 00:00:39.800
There were no visitors allowed in this area for sure, so I stood and watched how people

00:00:39.800 --> 00:00:41.640
were getting in and out.

00:00:41.640 --> 00:00:43.820
Out were one-way turnstiles.

00:00:43.820 --> 00:00:48.590
In, everyone was scanning their badges and went through a metal detector.

00:00:48.590 --> 00:00:53.510
I decided to try to do a fake badge scan and see if I could just walk on in.

00:00:53.510 --> 00:00:57.770
I saw some guy walking up, so I followed him and did exactly what he did.

00:00:57.770 --> 00:01:01.150
He leaned over, scanned his badge on the reader, and then walked through.

00:01:01.150 --> 00:01:06.370
I leaned over, waved my hand over the reader and walked through, too.

00:01:06.370 --> 00:01:10.729
Immediately two security officers stopped me and didn’t even ask what I was doing.

00:01:10.729 --> 00:01:13.409
They simply turned me around and sent me right back out.

00:01:13.409 --> 00:01:18.100
They knew exactly what I was up to and must have spotted me like, a mile away.

00:01:18.100 --> 00:01:22.670
I’ve never been shut down so fast or kicked out of some place that quickly.

00:01:22.670 --> 00:01:26.550
No words were even spoken; they just blocked me, wouldn’t let me go any further, and

00:01:26.550 --> 00:01:28.299
pointed me straight to the exit.

00:01:28.299 --> 00:01:31.390
It’s funny what we remember on our trips, isn’t it?

00:01:31.390 --> 00:01:34.980
Anyway, this episode I interview two different NSA agents.

00:01:34.980 --> 00:01:38.500
I really like both of these guys and I think you will, too.

00:01:38.500 --> 00:01:42.409
What’s common between them is that they both started something at the NSA which still

00:01:42.409 --> 00:01:44.149
goes on today.

00:01:44.149 --> 00:01:52.049
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:52.049 --> 00:01:57.270
I’m Jack Rhysider.

00:01:57.270 --> 00:02:00.350
This is Darknet Diaries.

00:02:00.350 --> 00:02:06.159
[INTRO MUSIC ENDS]

00:02:06.159 --> 00:02:17.250
JACK: Alright, so our first guest is quickly becoming a legend in the IT security space.

00:02:17.250 --> 00:02:20.110
He’s written four or five books on security now.

00:02:20.110 --> 00:02:21.370
I can’t even keep track.

00:02:21.370 --> 00:02:25.760
I started out by asking him where he grew up and he said in a small little country town

00:02:25.760 --> 00:02:31.590
in Texas and had horses and stuff, which sort of shocked me because I thought – actually,

00:02:31.590 --> 00:02:34.360
I don’t even know what I thought.

00:02:34.360 --> 00:02:38.320
MARCUS: Hey man, hey, ask me any question you want to because this is one of the – this

00:02:38.320 --> 00:02:40.220
is quite funny to me.

00:02:40.220 --> 00:02:42.590
I can explain the country/hood paradigm.

00:02:42.590 --> 00:02:47.090
JACK: Yeah, I mean – alright, I’m gonna hit Record again.

00:02:47.090 --> 00:02:50.480
MARCUS: We’re gonna have some fun, man.

00:02:50.480 --> 00:02:55.239
JACK: Okay, I don’t want to be embarrassed here with my wrong questions, so…

00:02:55.239 --> 00:03:01.220
MARCUS: No, I get – no, you can’t embarrass me, so you shouldn’t feel – I feel totally

00:03:01.220 --> 00:03:04.220
comfortable with any question you can ask.

00:03:04.220 --> 00:03:08.820
JACK: Well, I mean, I’m picturing Lil Nas X at this point, the black country singer.

00:03:08.820 --> 00:03:09.950
MARCUS: Basically, yeah.

00:03:09.950 --> 00:03:13.340
[MUSIC] I mean, I’ll explain this to you, man.

00:03:13.340 --> 00:03:15.230
This is a crazy story.

00:03:15.230 --> 00:03:17.730
My dad’s actually originally from LA.

00:03:17.730 --> 00:03:23.480
Before I was even conceived, my dad moved from LA to my small little country town because

00:03:23.480 --> 00:03:26.310
his uncle was there – my uncle too, right?

00:03:26.310 --> 00:03:32.819
So, he was in LA and his vision of what Texas was was cowboy boots and all that stuff, so

00:03:32.819 --> 00:03:37.470
before he came to Texas he had bought all this cowboy gear to wear.

00:03:37.470 --> 00:03:39.700
This was in the 70s, right?

00:03:39.700 --> 00:03:41.030
He came to Texas.

00:03:41.030 --> 00:03:43.379
He was dressed up like a cowboy.

00:03:43.379 --> 00:03:47.720
But when he went out to meet other people, they were dressed like they were from LA,

00:03:47.720 --> 00:03:49.140
like Shaft or something.

00:03:49.140 --> 00:03:52.290
You know, like Black Panther Party.

00:03:52.290 --> 00:03:55.569
[00:05:00] But people thought he was cool because he was from LA.

00:03:55.569 --> 00:04:01.020
Now, many people where I from, my little small Texas town, they started dressing like cowboys,

00:04:01.020 --> 00:04:02.319
all the black people.

00:04:02.319 --> 00:04:07.590
The world is crazy, man, how we all fit in and stuff.

00:04:07.590 --> 00:04:13.060
Yeah, so that whole – I really feel that whole – that Lil Nas X thing, yeah, for

00:04:13.060 --> 00:04:14.060
sure.

00:04:14.060 --> 00:04:16.440
I mean heck, I got some cowboy boots still to this day.

00:04:16.440 --> 00:04:17.950
I got some nice cowboy boots.

00:04:17.950 --> 00:04:23.130
JACK: But even though he was outside wrestling pigs, chasing chickens, he was still drawn

00:04:23.130 --> 00:04:24.130
to computers.

00:04:24.130 --> 00:04:27.370
MARCUS: [MUSIC] Yeah, computers has been my love since I saw WarGames.

00:04:27.370 --> 00:04:33.590
I saw WarGames when I was young and I’ve been absolutely fascinated with computers

00:04:33.590 --> 00:04:38.240
and playing with them, so that was my introduction to – wow, I need to get one of those things.

00:04:38.240 --> 00:04:42.280
JACK: But his family wasn’t able to get a computer for their home, so the only way

00:04:42.280 --> 00:04:46.840
he could really learn on it was at school or a library or other people’s computers.

00:04:46.840 --> 00:04:48.990
MARCUS: In high school, I took Pascal.

00:04:48.990 --> 00:04:54.470
I also took BASIC in elementary, so it was something that I was always interested in.

00:04:54.470 --> 00:04:57.060
I just didn’t have the financial means.

00:04:57.060 --> 00:05:01.740
One day, a Navy guy was walking on campus.

00:05:01.740 --> 00:05:05.070
I didn’t have money ‘cause I grew up poor.

00:05:05.070 --> 00:05:10.430
I didn’t have money to go to college and I didn’t know about any grants or anything,

00:05:10.430 --> 00:05:12.789
and I ended up scoring high on my military entrance exam.

00:05:12.789 --> 00:05:15.300
I said, I want to work with computers.

00:05:15.300 --> 00:05:20.800
He’s like alright, we have this thing called cryptographic communications.

00:05:20.800 --> 00:05:24.440
We don’t know what that is because it’s classified.

00:05:24.440 --> 00:05:25.630
Do you want to do that?

00:05:25.630 --> 00:05:26.979
I was like yeah, sure, I’ll do that.

00:05:26.979 --> 00:05:31.010
JACK: So, he joined the Navy but no matter what you want to do in the Navy, everyone

00:05:31.010 --> 00:05:36.570
first has to go through boot camp, [SINGING] where you get fit, learn combat techniques,

00:05:36.570 --> 00:05:58.810
and learn how to follow protocols.

00:05:58.810 --> 00:06:03.560
Marcus graduated and became a sailor and after that, he went on to study cryptography.

00:06:03.560 --> 00:06:09.460
MARCUS: Yeah, so basically you go to Corry Station and you become – they teach you

00:06:09.460 --> 00:06:13.050
about signals intelligence and cryptography and all kind of crazy stuff.

00:06:13.050 --> 00:06:14.789
I was born in a small town.

00:06:14.789 --> 00:06:21.220
I graduated from Waco High and then I immediately go into – get a top-secret clearance and

00:06:21.220 --> 00:06:23.320
all this other crazy stuff.

00:06:23.320 --> 00:06:30.030
I’m poor, homeless pretty much in high school, and moving around on a lot of places until

00:06:30.030 --> 00:06:34.600
I moved to a – I’m on this military base and I get this top-secret clearance and I

00:06:34.600 --> 00:06:36.639
start learning all this crazy stuff.

00:06:36.639 --> 00:06:39.199
It was absolute night and day experience.

00:06:39.199 --> 00:06:40.770
It was the craziest thing ever.

00:06:40.770 --> 00:06:45.750
JACK: He was taken care of in the Navy: always had food, medical checkups, clothes, a place

00:06:45.750 --> 00:06:46.750
to sleep.

00:06:46.750 --> 00:06:50.700
MARCUS: My family though were still struggling and all that stuff.

00:06:50.700 --> 00:06:55.569
Psychologically that was tough because I was doing fine myself personally, but I had a

00:06:55.569 --> 00:06:57.580
family still back in the hood, struggling.

00:06:57.580 --> 00:07:01.410
JACK: Back in – is it really – do you really call it the hood in the country?

00:07:01.410 --> 00:07:07.230
MARCUS: So, let me explain that to you.

00:07:07.230 --> 00:07:13.460
100% the black side of town, the poor side of town, definitely down south, is the hood.

00:07:13.460 --> 00:07:16.410
It doesn’t matter how big the town is.

00:07:16.410 --> 00:07:18.780
Absolutely, certainly hood.

00:07:18.780 --> 00:07:21.080
JACK: Okay.

00:07:21.080 --> 00:07:27.360
Alright, so can you tell me some of the training you did in cryptographic communications?

00:07:27.360 --> 00:07:28.759
Was that what it was?

00:07:28.759 --> 00:07:29.759
MARCUS: Yeah, yeah.

00:07:29.759 --> 00:07:33.360
Basically, when I went – the Navy taught me cryptosystems.

00:07:33.360 --> 00:07:41.710
Basically, the Navy has these ridiculous cryptosystems that secure communications.

00:07:41.710 --> 00:07:46.740
I had to learn how to operate those and I had to learn communications techniques that

00:07:46.740 --> 00:07:48.690
were specific to the Navy.

00:07:48.690 --> 00:07:53.539
Some of that stuff’s still classified like a mug, but you learn particular protocols

00:07:53.539 --> 00:07:58.820
and things that you – how to communicate from ship to ship, from ship to the White

00:07:58.820 --> 00:07:59.949
House, even.

00:07:59.949 --> 00:08:03.820
You learn how to do these communications protocols.

00:08:03.820 --> 00:08:06.930
Yeah, so it was pretty cool.

00:08:06.930 --> 00:08:12.200
I went from wanting to work computers to be fully immersed with computers in a couple

00:08:12.200 --> 00:08:14.200
weeks. It was crazy.

00:08:14.200 --> 00:08:15.270
JACK: Did you do much time on a ship?

00:08:15.270 --> 00:08:17.759
MARCUS: Yeah, I did three years on a ship.

00:08:17.759 --> 00:08:22.180
JACK: While you were on that ship, were you handling the communication aspect of it?

00:08:22.180 --> 00:08:28.940
MARCUS: Yeah, on the ship – my whole job in the military was you’re pretty much an

00:08:28.940 --> 00:08:32.400
attache or an asset for NSA.

00:08:32.400 --> 00:08:35.220
The whole time I was in, I was kinda like a spy.

00:08:35.220 --> 00:08:37.289
It was the craziest thing, man.

00:08:37.289 --> 00:08:44.270
Yeah, you do serious collection work and all that stuff, so you’re tasked by NSA to do

00:08:44.270 --> 00:08:45.270
what you do.

00:08:45.270 --> 00:08:47.520
It was the craziest experience ever, man.

00:08:47.520 --> 00:08:51.640
JACK: [MUSIC] Hm, secret [00:10:00] missions, huh?

00:08:51.640 --> 00:08:55.540
This is fascinating to me because I thought the NSA was their own separate group but yeah,

00:08:55.540 --> 00:09:01.490
if there’s a Navy ship positioned in a place the NSA has no eyes or ears on, then sure,

00:09:01.490 --> 00:09:04.740
utilizing the cryptographic capabilities of the ship and crew makes sense.

00:09:04.740 --> 00:09:11.810
MARCUS: Yeah, so the people don’t realize the NSA is the Department of Defense asset.

00:09:11.810 --> 00:09:17.780
The whole NSA supports the military.

00:09:17.780 --> 00:09:25.079
In each service: Navy, Army, Air Force, all of us had our own – and the Marines – had

00:09:25.079 --> 00:09:28.880
their own little signals group, you know what I’m saying?

00:09:28.880 --> 00:09:31.029
Like, that supports the mother ship.

00:09:31.029 --> 00:09:34.310
The mother ship is NSA.

00:09:34.310 --> 00:09:41.160
Pretty much, even though you’re a Navy sailor, you belong to – you’re an intel asset.

00:09:41.160 --> 00:09:47.220
I don’t know if that makes sense but that whole time – and you can get stationed at

00:09:47.220 --> 00:09:48.220
the mother ship, too.

00:09:48.220 --> 00:09:49.220
JACK: Interesting.

00:09:49.220 --> 00:09:53.340
So, the DOD or Department of Defense is the department that the military falls under,

00:09:53.340 --> 00:09:54.399
and the NSA.

00:09:54.399 --> 00:09:58.440
I guess it does make sense now that they share resources sometimes.

00:09:58.440 --> 00:10:01.300
Marcus himself was that shared resource.

00:10:01.300 --> 00:10:04.520
Sometimes he would do missions for the Navy and sometimes he would do assignments for

00:10:04.520 --> 00:10:05.520
the NSA.

00:10:05.520 --> 00:10:09.600
MARCUS: Definitely, geographically specific stuff that you could do to be helpful.

00:10:09.600 --> 00:10:12.860
There was stuff that we did; we helped find people.

00:10:12.860 --> 00:10:16.510
If there was a ship that was lost, we could help find that.

00:10:16.510 --> 00:10:22.890
If there was a pilot shot down, we could help find them, or if there was some kinda incident.

00:10:22.890 --> 00:10:25.870
The tools that we had could be used for a lot of different things.

00:10:25.870 --> 00:10:31.199
It was cool doing it and it was great being out there on the front lines doing that work.

00:10:31.199 --> 00:10:32.390
It was dope.

00:10:32.390 --> 00:10:37.880
JACK: Back in 1969, a Navy patrol plane was shot down in the Sea of Japan and there wasn’t

00:10:37.880 --> 00:10:43.250
a good method for handling all the real-time communications that were needed to help rescue

00:10:43.250 --> 00:10:44.250
them.

00:10:44.250 --> 00:10:49.010
After that, an operations center was constructed in order to get real-time updates from any

00:10:49.010 --> 00:10:51.460
ship, plane, or base nearby.

00:10:51.460 --> 00:10:56.260
Now, Marcus really took his job seriously and really sunk his teeth into the computers

00:10:56.260 --> 00:11:01.010
that were on this ship, learning about servers and networking and wireless technologies,

00:11:01.010 --> 00:11:03.889
cryptography, security, programming, and command line tools.

00:11:03.889 --> 00:11:09.140
MARCUS: There was also HF communications, UHF, all the different stuff; satcom.

00:11:09.140 --> 00:11:12.560
I learned all kind of communication in the military.

00:11:12.560 --> 00:11:18.290
That made me pretty thorough in understanding how radio frequencies work and all that stuff.

00:11:18.290 --> 00:11:21.220
Definitely, you did a lot of communications training.

00:11:21.220 --> 00:11:23.160
That included air networking.

00:11:23.160 --> 00:11:27.769
JACK: Now, while you’re on the ship, you’re – are you – you’re doing more training,

00:11:27.769 --> 00:11:28.769
right?

00:11:28.769 --> 00:11:32.089
You’re learning more about programming or cryptanalysis or something?

00:11:32.089 --> 00:11:35.550
MARCUS: I mean, the Navy is full-time education.

00:11:35.550 --> 00:11:37.130
You’re always learning.

00:11:37.130 --> 00:11:39.380
You’re always doing OJT as well.

00:11:39.380 --> 00:11:41.500
We called it on-the-job training.

00:11:41.500 --> 00:11:44.670
You’d never stop learning in the military.

00:11:44.670 --> 00:11:50.250
I think the military, just like college, it teaches you how to learn.

00:11:50.250 --> 00:11:55.420
Since being in the military, that helped me be able to put my hand to anything.

00:11:55.420 --> 00:11:59.839
Yeah, I learned coding at the military, I learned internetworking.

00:11:59.839 --> 00:12:07.170
I was a CCNP when I was in the Navy, so mass notifications, and definitely being affiliated

00:12:07.170 --> 00:12:09.589
with NSA, I got any training I wanted to.

00:12:09.589 --> 00:12:14.959
When I was there, I got well over $100,000 worth of training and I did a Master’s degree,

00:12:14.959 --> 00:12:15.959
too.

00:12:15.959 --> 00:12:23.370
It’s like, I tell people it’s like being the Jason Bourne of IT or technology.

00:12:23.370 --> 00:12:27.160
JACK: You got your Bachelor’s and Master’s in the Navy?

00:12:27.160 --> 00:12:32.010
MARCUS: I got my Bachelor’s in the Navy and I got my Master’s as soon as I got out.

00:12:32.010 --> 00:12:35.449
I was still working around that stuff, but I got a free Master’s degree.

00:12:35.449 --> 00:12:37.650
I didn’t have no college debt or anything.

00:12:37.650 --> 00:12:39.410
JACK: Because the Navy paid for it.

00:12:39.410 --> 00:12:42.200
MARCUS: Yep, the military paid for it.

00:12:42.200 --> 00:12:45.850
I went in with no college or nothing like that.

00:12:45.850 --> 00:12:49.740
But after eight years I had a Bachelor’s degree and three years after that, I did my

00:12:49.740 --> 00:12:51.280
Master’s degree.

00:12:51.280 --> 00:12:53.230
That’s the good of the military.

00:12:53.230 --> 00:12:58.329
JACK: He spent four years in the Navy and during that time he somehow met his wife and

00:12:58.329 --> 00:13:00.660
got married, and they had two kids.

00:13:00.660 --> 00:13:03.560
Because of this, he decided to spend another four years in the Navy.

00:13:03.560 --> 00:13:05.680
It was good job security.

00:13:05.680 --> 00:13:09.760
After eight years of being in the Navy, he then went to Fort Meade.

00:13:09.760 --> 00:13:18.120
MARCUS: [MUSIC] I didn’t want to go to Fort Meade but I ended up – pretty much I had

00:13:18.120 --> 00:13:22.200
two options; I had Washington State and I was like, I don’t want to go to Washington

00:13:22.200 --> 00:13:23.200
State.

00:13:23.200 --> 00:13:24.200
They said or Fort Meade.

00:13:24.200 --> 00:13:27.820
We got a couple of places – a couple of jobs at Fort Meade that you can do.

00:13:27.820 --> 00:13:30.870
I was on a ship, so – and you had to be like, okay.

00:13:30.870 --> 00:13:33.370
You had to pick it right then and there.

00:13:33.370 --> 00:13:35.860
The military has these people called detailers that send you places.

00:13:35.860 --> 00:13:39.770
JACK: So, if you haven’t guessed, Fort Meade is where the NSA headquarters are.

00:13:39.770 --> 00:13:41.950
Marcus went to work for the NSA.

00:13:41.950 --> 00:13:46.769
But he was still in the Navy and sort of on loan to the NSA.

00:13:46.769 --> 00:13:48.760
It’s called augmented staff.

00:13:48.760 --> 00:13:52.000
MARCUS: Initially there I was doing [00:15:00] communications.

00:13:52.000 --> 00:13:57.339
It was proprietary communications systems that the military and DOD used.

00:13:57.339 --> 00:14:04.529
But what’s cool about that – I kinda worked at a NOC, and the NOC also had all kind of

00:14:04.529 --> 00:14:05.529
other cool stuff.

00:14:05.529 --> 00:14:10.899
Like, they had a heavy Cisco – they had heavy Cisco stuff back then and I learned

00:14:10.899 --> 00:14:13.660
– that’s how I started getting to the CCNA.

00:14:13.660 --> 00:14:20.100
I became a beast at Cisco stuff, so I ended up getting promoted to an engineering team

00:14:20.100 --> 00:14:25.020
of network engineers and I got to manage the whole NSA’s network.

00:14:25.020 --> 00:14:30.540
I started off doing a crappy job at Fort Meade and then the certifications allowed me to

00:14:30.540 --> 00:14:32.371
ascend to top teams there.

00:14:32.371 --> 00:14:34.990
That was during my day job.

00:14:34.990 --> 00:14:36.250
My day job, I was Navy.

00:14:36.250 --> 00:14:41.090
At night time, I took – I had a part-time job with a DOD contractor so I was like, doing

00:14:41.090 --> 00:14:43.649
a night job since I had the clearance.

00:14:43.649 --> 00:14:47.399
I ended up helping build out the NSA’s SOC.

00:14:47.399 --> 00:14:49.730
I ended up helping build that out.

00:14:49.730 --> 00:14:54.399
I wrote stuff like SIMs and all that stuff, so I started coding heavy as well.

00:14:54.399 --> 00:14:58.661
I made as much on my night time job as I did with my Navy salary.

00:14:58.661 --> 00:15:00.110
I was like man, I gotta get out.

00:15:00.110 --> 00:15:02.480
I gotta get out of the Navy and make this money.

00:15:02.480 --> 00:15:06.519
JACK: Alright, so two words in there you may not know: NOC and SOC.

00:15:06.519 --> 00:15:11.090
These stand for Network Operations Center and Security Operations Center.

00:15:11.090 --> 00:15:15.080
This is a place where people watch the network for any kinds of problems, so there are typically

00:15:15.080 --> 00:15:19.140
multiple monitors on everyone’s desks and even a big screen in front of the room which

00:15:19.140 --> 00:15:20.910
monitors all the networks.

00:15:20.910 --> 00:15:25.350
The NOC typically looks for network-related faults: a router that went down, a switch

00:15:25.350 --> 00:15:29.519
went down, some office lost internet connectivity, and that sort of thing.

00:15:29.519 --> 00:15:34.350
A SOC watches out for security incidents and responds to threats.

00:15:34.350 --> 00:15:40.550
But both the NOC and the SOC are monitoring NSA’s network itself, looking for any threats

00:15:40.550 --> 00:15:42.380
that have targeted the NSA.

00:15:42.380 --> 00:15:43.660
MARCUS: Oh, 100%, man.

00:15:43.660 --> 00:15:50.079
NSA is probably the – probably one of the most attacked organizations in the world.

00:15:50.079 --> 00:15:54.139
Absolutely crazy amount of attacks that go on there.

00:15:54.139 --> 00:15:57.339
That SOC has to manage all the networks.

00:15:57.339 --> 00:16:01.870
What they’re doing is they – there’s all kind of different levels, like high side

00:16:01.870 --> 00:16:06.410
networks and medium-tier networks, and then there’s unclassified networks.

00:16:06.410 --> 00:16:10.899
You have to defend all three of those or however many there are.

00:16:10.899 --> 00:16:15.779
There’s like, all kind of – and then there’s inter-agency networks.

00:16:15.779 --> 00:16:16.990
Nobody trust nobody.

00:16:16.990 --> 00:16:17.990
It’s crazy.

00:16:17.990 --> 00:16:23.019
JACK: Now, of course, I’m super-interested to hear what goes on in the NSA.

00:16:23.019 --> 00:16:27.120
What kind of detection capabilities do they have and what offensive tools are they using?

00:16:27.120 --> 00:16:32.589
But I can’t ask any of that to Marcus because they’re not allowed to share means and methods

00:16:32.589 --> 00:16:34.130
of how the NSA operates.

00:16:34.130 --> 00:16:36.820
MARCUS: You don’t want people knowing how you collect information.

00:16:36.820 --> 00:16:41.730
I’ll give you a good example; a couple years ago – I don’t know if you remember this,

00:16:41.730 --> 00:16:50.080
but supposedly Bin Laden was using satellite phones to communicate, so – and basically,

00:16:50.080 --> 00:16:53.589
Orrin Hatch was – he was a Republican senator from Utah.

00:16:53.589 --> 00:16:58.140
He came out of an intel brief and he’s like oh, don’t worry about Bin Laden.

00:16:58.140 --> 00:17:00.870
We’re tracking him on a satellite phone, right?

00:17:00.870 --> 00:17:04.679
Orrin Hatch said that, out of the intel community.

00:17:04.679 --> 00:17:08.730
So, that’s a means and a method, right?

00:17:08.730 --> 00:17:15.310
The method we were tracking this number-one terrorist in the world was satellite phone.

00:17:15.310 --> 00:17:20.919
What happened is that burnt all – that burnt that method, you feel me?

00:17:20.919 --> 00:17:27.900
Now all the criminals that were using satellite phones and stuff, they now knew that – something

00:17:27.900 --> 00:17:29.260
that was being tracked.

00:17:29.260 --> 00:17:34.419
Bin Laden went silent and that’s why it took so long to find him.

00:17:34.419 --> 00:17:39.610
When it comes to intelligence, the – how we collect the data is what matters.

00:17:39.610 --> 00:17:44.340
Now, as far as securing data, securing data is just like any other thing.

00:17:44.340 --> 00:17:50.679
A matter of fact, NSA and NIST, they work hand-in-hand to try to help all American businesses

00:17:50.679 --> 00:17:52.620
stay secure as well.

00:17:52.620 --> 00:17:59.460
As far as what NSA’s doing on the defensive side, you just look at what NSA tells people

00:17:59.460 --> 00:18:04.342
to do and most of that stuff’s public.

00:18:04.342 --> 00:18:05.540
Good defense is public.

00:18:05.540 --> 00:18:12.380
It’s the offensive means and the way that people – how they collect information that’s

00:18:12.380 --> 00:18:14.110
really secretive.

00:18:14.110 --> 00:18:16.730
I would never talk about how we collect information.

00:18:16.730 --> 00:18:21.740
JACK: Yeah, it’s odd to me because there are publications that the NSA puts out, like

00:18:21.740 --> 00:18:25.780
Best Practices for Keeping Your Home Network Secure or Securing the Teleworker.

00:18:25.780 --> 00:18:29.570
They even have configuration recommendations for securing certain systems.

00:18:29.570 --> 00:18:35.720
But at the same time, the NSA loves the ability to collect data on their targets.

00:18:35.720 --> 00:18:40.940
If you follow the guidelines, then it makes it harder if the NSA were to target you.

00:18:40.940 --> 00:18:43.179
MARCUS: That’s not true, though.

00:18:43.179 --> 00:18:48.350
NSA’s core mission is to protect US communications and assets.

00:18:48.350 --> 00:18:50.820
That’s like, the core mission.

00:18:50.820 --> 00:18:54.100
[00:20:00] People don’t understand that.

00:18:54.100 --> 00:19:02.380
A lot of the crypto research and breaking crypto and all of that stuff, and even exploitation;

00:19:02.380 --> 00:19:07.809
that stuff is – the core mission is to protect US assets and interests because what happens

00:19:07.809 --> 00:19:14.220
is all these American companies that go overseas to do business, they’re being spied on by

00:19:14.220 --> 00:19:15.260
foreign intelligence.

00:19:15.260 --> 00:19:20.350
Heck, foreign intelligence hired people to work in these big companies, by the way.

00:19:20.350 --> 00:19:25.000
All these big companies that you can think of, they have IP – I can guarantee you that

00:19:25.000 --> 00:19:30.539
they’re either paying an employee or they have moles inside of them stealing information

00:19:30.539 --> 00:19:32.179
and sending it over to their countries.

00:19:32.179 --> 00:19:33.680
I mean friendly countries, too.

00:19:33.680 --> 00:19:35.770
Think of a friendly country.

00:19:35.770 --> 00:19:40.320
They’re spying on us, too.

00:19:40.320 --> 00:19:46.670
What the agency’s core mission is – to do all this crypto research and all that stuff,

00:19:46.670 --> 00:19:49.080
is to protect our interests.

00:19:49.080 --> 00:19:52.880
That’s part of the mission and people don’t think about that piece.

00:19:52.880 --> 00:19:56.230
It’s a serious mission and people take that seriously.

00:19:56.230 --> 00:19:59.410
The other side of it – go ahead.

00:19:59.410 --> 00:20:04.289
JACK: Well, my counterargument there is if there – if they want the US companies to

00:20:04.289 --> 00:20:10.080
stay secure, how come when they find zero-days on things like Microsoft or Google products,

00:20:10.080 --> 00:20:14.410
they don’t just tell Microsoft and Google hey, there’s a bug in your code?

00:20:14.410 --> 00:20:21.050
MARCUS: You know, it’s funny though because you know that people say this all the time.

00:20:21.050 --> 00:20:22.930
There is nothing new under the sun.

00:20:22.930 --> 00:20:27.510
I can guarantee you if we find an exploit, somebody – some other country, some other

00:20:27.510 --> 00:20:33.760
person on the market somewhere found that exploit.

00:20:33.760 --> 00:20:38.000
I think that they should disclose everything.

00:20:38.000 --> 00:20:44.280
That’s not my decision to make, but the reason why though is so – is to help out

00:20:44.280 --> 00:20:45.280
our country.

00:20:45.280 --> 00:20:52.130
I totally believe – I 100% believe that the folly on their part is the thinking nobody

00:20:52.130 --> 00:20:58.799
else has the zero-day ‘cause I think that if you have it, somebody else has it, too,

00:20:58.799 --> 00:21:01.640
right? That’s the folly.

00:21:01.640 --> 00:21:06.320
But the reason why they try to protect that method is so they can help out the country.

00:21:06.320 --> 00:21:09.909
JACK: This is obviously a complicated topic that we’re not gonna solve here.

00:21:09.909 --> 00:21:14.370
NSA has made many mistakes but at the same time, they’ve saved many lives.

00:21:14.370 --> 00:21:17.340
That’s a hard line to walk for anyone.

00:21:17.340 --> 00:21:22.559
But because it has some of the most advanced technologies, Marcus was having a blast working

00:21:22.559 --> 00:21:23.559
there.

00:21:23.559 --> 00:21:24.559
MARCUS: [MUSIC] I loved it.

00:21:24.559 --> 00:21:27.029
It was so much fun, so much like, leading edge technology.

00:21:27.029 --> 00:21:30.970
Like I said, their – NSA put like hundreds of thousands of dollars into my education.

00:21:30.970 --> 00:21:37.470
NSA has its own training environment as well, so they train you their stuff and then you

00:21:37.470 --> 00:21:40.510
get to pick a list of what class I want to go to.

00:21:40.510 --> 00:21:41.510
Do I want to go to SANS?

00:21:41.510 --> 00:21:43.090
Do I want to go to the Cisco course?

00:21:43.090 --> 00:21:44.650
Do I want to do this?

00:21:44.650 --> 00:21:45.650
You get to take whatever you want to.

00:21:45.650 --> 00:21:50.150
Oh, do I want to take this course at the community college here?

00:21:50.150 --> 00:21:54.690
It was like, I worked two or three weeks and then I was off for training for a week.

00:21:54.690 --> 00:21:58.210
It was like, every month I was training.

00:21:58.210 --> 00:22:03.390
It really was so crazy as far as the educational benefits.

00:22:03.390 --> 00:22:08.020
That’s what you’re dealing with there.

00:22:08.020 --> 00:22:13.960
I would say that our foreign adversaries, those people are well-trained too, right?

00:22:13.960 --> 00:22:19.549
Basically it’s a lot of really smart people fighting this little behind-the-scenes battle.

00:22:19.549 --> 00:22:20.549
It’s crazy.

00:22:20.549 --> 00:22:24.640
JACK: For a while, he was working for the NSA while still in the Navy, building out

00:22:24.640 --> 00:22:25.640
their network.

00:22:25.640 --> 00:22:31.220
At night he was a contractor and helped build NSA’s SOC which is pretty cool because the

00:22:31.220 --> 00:22:35.040
SOC is still up and operational today and Marcus is the one who built it.

00:22:35.040 --> 00:22:40.150
Once it was built, he was using it to defend NSA’s networks.

00:22:40.150 --> 00:22:44.321
But after a few years of that, he got out of the Navy and went to work for the Department

00:22:44.321 --> 00:22:46.260
of Defense Cyber Crime Center.

00:22:46.260 --> 00:22:52.299
MARCUS: The Defense Cyber Crime Center does all the forensic investigations and things

00:22:52.299 --> 00:22:55.409
of that nature for the DOD.

00:22:55.409 --> 00:22:57.770
They’re like Cyber Command.

00:22:57.770 --> 00:23:04.070
Basically, the DC3 was the lead on all of the investigations until the – ‘til they

00:23:04.070 --> 00:23:07.789
created Cyber Command, essentially.

00:23:07.789 --> 00:23:09.970
The DC3 still exists.

00:23:09.970 --> 00:23:11.800
It has this thing called DCFL.

00:23:11.800 --> 00:23:13.000
They do forensics.

00:23:13.000 --> 00:23:14.930
It’s a forensic laboratory.

00:23:14.930 --> 00:23:17.510
They do a lot of forensic investigations.

00:23:17.510 --> 00:23:21.590
They do a lot of high-profile investigations that you’ve probably heard of on the news

00:23:21.590 --> 00:23:22.590
before.

00:23:22.590 --> 00:23:29.520
I work for CSC and at the time CSC had the contract to help train federal agents and

00:23:29.520 --> 00:23:33.710
all the DOD agents on how to do forensics.

00:23:33.710 --> 00:23:35.789
It was a pretty cool curriculum.

00:23:35.789 --> 00:23:43.310
They started from log analysis, Windows forensics, Linux forensics, Macintosh forensics.

00:23:43.310 --> 00:23:47.390
We teach these federal agents all these different forensic techniques, working with the best

00:23:47.390 --> 00:23:50.830
of the best software back in the day, and they still [00:25:00] do it today.

00:23:50.830 --> 00:23:56.779
The agents would get to use EnCase and all of these different open-source tools and all

00:23:56.779 --> 00:23:58.250
these different forensic things.

00:23:58.250 --> 00:24:02.910
But what was cool is I got a chance to build up a cyber range.

00:24:02.910 --> 00:24:06.310
This cyber range had – it was a complete mock-up of a corporate network.

00:24:06.310 --> 00:24:08.670
I mean, this is before cyber range is even cool.

00:24:08.670 --> 00:24:10.290
This is over ten years ago.

00:24:10.290 --> 00:24:12.140
JACK: Do you know what a cyber range is?

00:24:12.140 --> 00:24:13.720
Let me tell you a story.

00:24:13.720 --> 00:24:17.660
Before I was podcasting I was working in a SOC myself, watching the network for security

00:24:17.660 --> 00:24:21.970
incidents, and I saw one of my co-worker’s computers lighting up my screen.

00:24:21.970 --> 00:24:26.549
It was triggering alerts telling me that this co-worker’s computer was actively trying

00:24:26.549 --> 00:24:29.100
to hack itself.

00:24:29.100 --> 00:24:33.669
To me, it looked like maybe someone took over his computer and was trying to get more access

00:24:33.669 --> 00:24:34.669
or something.

00:24:34.669 --> 00:24:38.460
I went over to his desk and I said hey, everything okay?

00:24:38.460 --> 00:24:39.460
He’s like yeah, what’s up?

00:24:39.460 --> 00:24:44.779
I said, I’m seeing some alerts that some pretty nasty PowerShell commands are being

00:24:44.779 --> 00:24:47.110
executed on your computer.

00:24:47.110 --> 00:24:51.850
He said oh yeah, I downloaded a PowerShell tool to see if it actually works.

00:24:51.850 --> 00:24:56.430
I said, this is not a safe environment to be running random hacking tools.

00:24:56.430 --> 00:24:57.659
Please stop that.

00:24:57.659 --> 00:25:00.279
Delete it and run an antivirus scan right away.

00:25:00.279 --> 00:25:04.990
But see, the thing is, we didn’t have a safe environment to try hacking tools like

00:25:04.990 --> 00:25:08.070
that, so this is what a cyber range solves.

00:25:08.070 --> 00:25:13.120
It’s a separate network with all kinds of servers and computers to attack, as well as

00:25:13.120 --> 00:25:17.010
a whole range of nasty weapons to launch attacks with.

00:25:17.010 --> 00:25:19.679
A cyber range is great because you can really go nuts.

00:25:19.679 --> 00:25:23.549
You could try to exploit anything you want and you don’t have to worry about any vulnerability

00:25:23.549 --> 00:25:27.549
or virus or worm escaping and hitting production equipment.

00:25:27.549 --> 00:25:32.920
On top of that, defending teams can use the cyber range to see if they can detect and

00:25:32.920 --> 00:25:34.980
defend against such attacks.

00:25:34.980 --> 00:25:38.390
It’s a great place to practice network and system security.

00:25:38.390 --> 00:25:43.419
MARCUS: Yeah, you can use them to detonate malware, all kind of different things of that

00:25:43.419 --> 00:25:44.419
nature.

00:25:44.419 --> 00:25:49.779
Usually some companies are trying to mock-up their corporate network almost like a development

00:25:49.779 --> 00:25:55.049
play, or I used to have dev environments and production environments.

00:25:55.049 --> 00:25:59.070
A cyber range is like that kind of thing but is used for cyber-security testing.

00:25:59.070 --> 00:26:00.070
JACK: What does it look like?

00:26:00.070 --> 00:26:01.460
‘Cause I’m trying to picture it.

00:26:01.460 --> 00:26:05.540
Do people go into a classroom and then there’s a server in the middle of the room and that’s

00:26:05.540 --> 00:26:09.030
where the range is and everyone tries to connect to it or is it all remote?

00:26:09.030 --> 00:26:13.030
MARCUS: Our range was – the thing that we built was ridiculous.

00:26:13.030 --> 00:26:19.220
We had a complete – we had a nice-sized network room.

00:26:19.220 --> 00:26:28.950
Picture like, six or seven stacks of devices; Cisco devices, Windows servers, Linux servers.

00:26:28.950 --> 00:26:36.580
You’re talking about DNS, firewalls, IDSs, switches, routers, the whole complete corporate

00:26:36.580 --> 00:26:39.990
network, and we had physical gear back then.

00:26:39.990 --> 00:26:43.490
Everything was physical and real devices.

00:26:43.490 --> 00:26:49.720
In another room there was a classroom environment but it was networked to be into the – into

00:26:49.720 --> 00:26:52.250
this comp – into all this gear.

00:26:52.250 --> 00:26:57.169
Why this was important is because it allowed the investigators to actually interact with

00:26:57.169 --> 00:26:58.169
real stuff.

00:26:58.169 --> 00:27:03.659
They could come in and physically put a USB drive and collect information off of a server

00:27:03.659 --> 00:27:09.380
or they could go onto a Cisco switch and they could do a SPAN port on it.

00:27:09.380 --> 00:27:14.230
A lot of cyber ranges now are virtual but this was a physical representation of a real

00:27:14.230 --> 00:27:16.370
corporate network, and it was dope.

00:27:16.370 --> 00:27:21.000
JACK: So, him and another guy named Johnny Long set up this cyber range to teach federal

00:27:21.000 --> 00:27:24.510
agents how to react to cyber-security incidents more effectively.

00:27:24.510 --> 00:27:30.020
MARCUS: We had complete network – corporate network set up.

00:27:30.020 --> 00:27:32.750
Funny enough, I worked with Johnny Long at the time.

00:27:32.750 --> 00:27:34.760
Johnny Long was my buddy.

00:27:34.760 --> 00:27:40.680
Johnny Long would come up with scenarios where we had to attack, and the federal agents would

00:27:40.680 --> 00:27:45.070
have to find us on this network that we built.

00:27:45.070 --> 00:27:51.309
Since Johnny was always gone a lot, I ended up taking over all of the offensive scenarios,

00:27:51.309 --> 00:27:54.380
and so I became the bad guy.

00:27:54.380 --> 00:27:56.519
But these federal agents were like, forensics gurus.

00:27:56.519 --> 00:28:03.770
Some of these – this was like, the capstone course and they were beasts at forensics and

00:28:03.770 --> 00:28:04.770
stuff.

00:28:04.770 --> 00:28:08.860
Many of those people have gone to work for places like Mandiant and CrowdStrike and all

00:28:08.860 --> 00:28:09.860
that stuff.

00:28:09.860 --> 00:28:15.059
It was like a CTF but I was playing against professional people that catch people – bad

00:28:15.059 --> 00:28:16.059
guys on their network.

00:28:16.059 --> 00:28:17.530
It was pretty dope.

00:28:17.530 --> 00:28:22.510
What happens is people don’t know how to respond to an incident live on the fly.

00:28:22.510 --> 00:28:27.030
Usually when incidents are happening, they happen way before time, but if you were to

00:28:27.030 --> 00:28:30.299
drop people in, how do they respond live on the fly?

00:28:30.299 --> 00:28:33.360
That’s why we built this course.

00:28:33.360 --> 00:28:37.240
Basically, you – we taught them how to collect live information.

00:28:37.240 --> 00:28:42.909
We taught them how to set up an intrusion detection system on the fly, doing packet captures on

00:28:42.909 --> 00:28:46.200
the fly, setting up those SPAN ports.

00:28:46.200 --> 00:28:48.130
It was like, super-intense, man.

00:28:48.130 --> 00:28:49.130
It was dope.

00:28:49.130 --> 00:28:53.550
It was like, an [00:30:00] immersive course.

00:28:53.550 --> 00:28:54.970
They got a lot out of it.

00:28:54.970 --> 00:29:00.840
JACK: Well, yeah, I mean, this is exactly what I picture when somebody goes into training

00:29:00.840 --> 00:29:02.190
at the NSA, right?

00:29:02.190 --> 00:29:06.840
‘Cause if you say oh no, I just sat in a classroom and they taught me Pascal or something

00:29:06.840 --> 00:29:08.940
like that, that’s kind of boring.

00:29:08.940 --> 00:29:12.250
You’re sitting at a terminal with a bunch of other people and you just work on your

00:29:12.250 --> 00:29:18.370
own little thing and whatever, but going into an entire organization like a full campus

00:29:18.370 --> 00:29:22.920
network and getting access to all these things and you’re running around, plugging USB

00:29:22.920 --> 00:29:27.470
drives in or SPAN ports and figuring things and putting collectors in – like, physically

00:29:27.470 --> 00:29:32.190
in the network to get off the SPAN ports and stuff, that’s so much – yeah, like you

00:29:32.190 --> 00:29:36.570
said, it’s immersive and that sounds like the training I think everyone wants.

00:29:36.570 --> 00:29:40.120
MARCUS: Yeah man, it was crazy, and they spent a lot of money on it.

00:29:40.120 --> 00:29:46.250
That’s the thing about working with the DOD, bro; money’s not a problem.

00:29:46.250 --> 00:29:52.010
We got to do pretty cool stuff like that man, and come up with different scenarios.

00:29:52.010 --> 00:29:57.179
Dude, we had like live Chinese malware on that network, bro.

00:29:57.179 --> 00:29:59.289
I was doing command and control for it.

00:29:59.289 --> 00:30:00.940
It was real attacks.

00:30:00.940 --> 00:30:05.380
JACK: Like zero-day malware I bet, too, like stuff never – no one knows about.

00:30:05.380 --> 00:30:09.700
MARCUS: We would grab stuff off – we would grab stuff and put it on there and they had

00:30:09.700 --> 00:30:11.700
to figure it out.

00:30:11.700 --> 00:30:18.390
JACK: [MUSIC] Marcus took what he learned at this place and started his own company

00:30:18.390 --> 00:30:23.309
creating threat scenarios and doing more cyber range and tabletop exercises.

00:30:23.309 --> 00:30:24.960
He called it Threatcare.

00:30:24.960 --> 00:30:29.720
But Threatcare was acquired by a larger company called ReliaQuest which is where Marcus works

00:30:29.720 --> 00:30:30.720
now.

00:30:30.720 --> 00:30:34.320
But Marcus likes giving back to the community, so he wrote a book and it’s called Tribe

00:30:34.320 --> 00:30:35.320
of Hackers.

00:30:35.320 --> 00:30:39.789
The book interviews a bunch of notable people in IT security and tries to distill meaningful

00:30:39.789 --> 00:30:41.550
advice from them.

00:30:41.550 --> 00:30:45.910
When the book did well, he wrote another and then another, so now there’s Tribe of Hackers

00:30:45.910 --> 00:30:49.700
Red Team Edition, Blue Team Edition, and Tribe of Hackers Security Leaders.

00:30:49.700 --> 00:30:51.899
I’ll have links to all these books in the show notes.

00:30:51.899 --> 00:30:56.010
I own three of them so far and I find these books super-informative to me for finding

00:30:56.010 --> 00:30:57.649
interesting guests for this show.

00:30:57.649 --> 00:31:04.200
MARCUS: Yeah, so basically the first edition of that book, we happened to be able to give

00:31:04.200 --> 00:31:10.159
out a lot of donations to a lot of different organizations.

00:31:10.159 --> 00:31:12.710
Rainforest Project did one of those things.

00:31:12.710 --> 00:31:18.180
We also donated thousands of dollars to Hackathons for kids.

00:31:18.180 --> 00:31:23.690
Just all kind of different organizations we’ve been able to give money to from those books.

00:31:23.690 --> 00:31:30.090
Also, we – I partnered with Wiley, we also raised additional money with the new books

00:31:30.090 --> 00:31:32.149
doing the Humble Bundle program.

00:31:32.149 --> 00:31:37.299
So, we just – I’m just continuously finding ways to try to give back to the community.

00:31:37.299 --> 00:31:41.730
What’s cool about the first book; we gave it away – we gave away that book for free,

00:31:41.730 --> 00:31:42.730
too.

00:31:42.730 --> 00:31:47.250
So, we had thousands and thousands of downloads from people that – they got that book, too.

00:31:47.250 --> 00:31:49.639
It was definitely well-received and helped a lot of people.

00:31:49.639 --> 00:31:53.889
JACK: On top of all that, Marcus has even written a children’s book about security.

00:31:53.889 --> 00:31:57.260
There’s a lot of people out there that once they figure something out, they’re afraid

00:31:57.260 --> 00:32:01.669
to teach others because they fear someone else will learn it and get better than them.

00:32:01.669 --> 00:32:03.260
But Marcus is the opposite.

00:32:03.260 --> 00:32:06.270
He knows that the more he teaches, the better he becomes.

00:32:06.270 --> 00:32:11.130
I just love it when people out there are sharing all their skills and knowledge with anyone

00:32:11.130 --> 00:32:12.429
interested in learning.

00:32:12.429 --> 00:32:14.870
MARCUS: Here’s the deal, man; work hard.

00:32:14.870 --> 00:32:19.240
I tell people, be so good that they can’t ignore you.

00:32:19.240 --> 00:32:23.640
Another thing that I find in life; if you self-train yourself, if you learn, the more

00:32:23.640 --> 00:32:25.840
you learn, the more people are gonna give you.

00:32:25.840 --> 00:32:30.649
JACK: Oh, and of course, one of the people he teaches the most is his son who is also

00:32:30.649 --> 00:32:31.769
into technology.

00:32:31.769 --> 00:32:33.519
MARCUS: Yeah, certainly.

00:32:33.519 --> 00:32:37.230
This is the story about my son; it’s a funny story.

00:32:37.230 --> 00:32:42.110
When he was eleven years old, he hated doing his homework.

00:32:42.110 --> 00:32:45.679
So what I did is I – my son is super-spoiled, man.

00:32:45.679 --> 00:32:48.840
My son had every iPhone that ever existed when he was growing up.

00:32:48.840 --> 00:32:53.200
He’s twenty-four now so he’s out of the house and he’s definitely doing well for

00:32:53.200 --> 00:32:54.200
himself.

00:32:54.200 --> 00:32:58.970
But he had the first iPhone, he had a MacBook, the whole nine – when he was like, eleven.

00:32:58.970 --> 00:33:01.010
He used to jailbreak iPhones all day.

00:33:01.010 --> 00:33:03.330
He was the jailbreak dude at school.

00:33:03.330 --> 00:33:10.809
He didn’t like doing homework so I was like hey, we can actually do code and your code

00:33:10.809 --> 00:33:12.590
can do your work.

00:33:12.590 --> 00:33:18.950
So, we used to write the math formulas in Perl, all the algorithms, and it would give

00:33:18.950 --> 00:33:24.409
him the answers, and we programmed it to give him the work too, so he could work out the

00:33:24.409 --> 00:33:25.409
work.

00:33:25.409 --> 00:33:30.299
He used to do – eleven years old, he was writing programs to do his math.

00:33:30.299 --> 00:33:35.760
Fast forward ten years, like fifteen, sixteen, he’s like, I want to be a video – I want

00:33:35.760 --> 00:33:37.080
to make video games.

00:33:37.080 --> 00:33:38.080
So, I was like alright, cool.

00:33:38.080 --> 00:33:44.590
So, I did the front end UI stuff for him and he wrote all the back end code and Objective-C,

00:33:44.590 --> 00:33:47.830
and he did six iPhone apps.

00:33:47.830 --> 00:33:53.470
He also wrote – this is crazy – [00:35:00] he wrote a Metasploit front end on the iPhone

00:33:53.470 --> 00:33:58.929
so you could connect to the Metasploit API and you control it from your iPhone.

00:33:58.929 --> 00:34:01.440
This is when he was like, sixteen or something like that.

00:34:01.440 --> 00:34:02.820
So, Rapid7 saw it.

00:34:02.820 --> 00:34:09.019
I worked at Rapid7 at the time but they was like holy crap, this sixteen-year-old kid

00:34:09.019 --> 00:34:16.570
– he was my kid but he wrote it all himself and he could pop shells from his iPhone.

00:34:16.570 --> 00:34:20.210
JACK: Rapid7 is a security company that’s known for creating a vulnerability scanner

00:34:20.210 --> 00:34:23.520
and owns Metasploit which is a very popular hacking framework.

00:34:23.520 --> 00:34:29.099
MARCUS: Rapid7, he started interning for them when he was sixteen and then he did another

00:34:29.099 --> 00:34:31.139
internship when he was seventeen.

00:34:31.139 --> 00:34:36.310
He graduated high school at seventeen and then he’s like hey, I don’t want to go

00:34:36.310 --> 00:34:37.310
to college.

00:34:37.310 --> 00:34:38.970
Then Rapid7 gave him a full-time offer.

00:34:38.970 --> 00:34:43.879
[MUSIC] Now he’s been working there for like, five years and he’s a software engineer.

00:34:43.879 --> 00:34:45.940
He’s got his own team.

00:34:45.940 --> 00:34:47.169
It’s nuts, bro.

00:34:47.169 --> 00:34:56.100
He’s a phenom and Rapid7’s lucky they got him.

00:34:56.100 --> 00:35:01.470
JACK: The other guest we have on today is the wonderful Mr. Jeff Man.

00:35:01.470 --> 00:35:03.890
JEFF: I’m happy to start.

00:35:03.890 --> 00:35:08.150
Do you want me to just ramble or do you want to just start with questions?

00:35:08.150 --> 00:35:12.690
JACK: Yeah, I mean, I’ll just kind of lead you through where I want with the questions

00:35:12.690 --> 00:35:14.500
and then you can go from there.

00:35:14.500 --> 00:35:17.620
Yeah, start right where you wanted to start.

00:35:17.620 --> 00:35:20.060
How did you get into the NSA?

00:35:20.060 --> 00:35:25.030
JEFF: Okay, so it all started when I was a small child.

00:35:25.030 --> 00:35:29.560
[MUSIC] I’ve essentially been a hacker my whole life.

00:35:29.560 --> 00:35:32.349
I’ve had the hacker mentality my whole life.

00:35:32.349 --> 00:35:34.960
I wouldn’t necessarily have called it that, but…

00:35:34.960 --> 00:35:37.910
JACK: So, you say you call yourself a hacker mentality.

00:35:37.910 --> 00:35:44.079
Now, I think a lot of listeners might think oh, that’s the hoodie and causing chaos

00:35:44.079 --> 00:35:47.610
at school and getting on the dark web and doing stuff.

00:35:47.610 --> 00:35:49.500
Is that what you mean or it’s something else?

00:35:49.500 --> 00:35:50.720
JEFF: Fair question.

00:35:50.720 --> 00:35:57.980
When I say hacker mentality, I sort of equate a lot of critical thinking skills and a lot

00:35:57.980 --> 00:36:06.350
of curiosity about how things work and wanting to learn but not – but wanting to do it

00:36:06.350 --> 00:36:11.420
probably at a faster pace than the general population, the general classroom.

00:36:11.420 --> 00:36:19.370
I remember being a child being bored in most of my classes because I either did the work

00:36:19.370 --> 00:36:22.890
really quickly or it was just boring to me.

00:36:22.890 --> 00:36:30.560
I had already read up on the topic and knew what I wanted to know, and so I was a bored

00:36:30.560 --> 00:36:32.200
student most of the time.

00:36:32.200 --> 00:36:35.250
Therefore, I looked for things to do to entertain myself.

00:36:35.250 --> 00:36:38.839
It was nothing necessarily extremely malicious.

00:36:38.839 --> 00:36:43.010
I was known as the class clown or the class cut-up.

00:36:43.010 --> 00:36:45.619
JACK: His dad was a physicist; worked for the DOD.

00:36:45.619 --> 00:36:53.600
JEFF: He was in the Pacific on a ship and got to witness the detonation of the first

00:36:53.600 --> 00:36:55.200
hydrogen bomb.

00:36:55.200 --> 00:36:59.280
I went through college, look – and I went through five majors when I went to college

00:36:59.280 --> 00:37:03.589
and I was basically looking for the major where I had to do the least amount of book

00:37:03.589 --> 00:37:04.589
work.

00:37:04.589 --> 00:37:06.089
JACK: He ended up graduating with a business major.

00:37:06.089 --> 00:37:14.080
JEFF: I was working for a naval organization, Naval Surface Warfare Center because my mom

00:37:14.080 --> 00:37:19.950
was in HR there and she was able to get me a job, so it was a low-level clerk typist-type

00:37:19.950 --> 00:37:20.950
position.

00:37:20.950 --> 00:37:25.810
It was a way to earn some money while I was looking for what I wanted to do with my life.

00:37:25.810 --> 00:37:34.220
She had a friend within HR whose daughter, I think, had gotten a job at NSA.

00:37:34.220 --> 00:37:36.349
This was in the mid-80s now.

00:37:36.349 --> 00:37:38.950
She thought well, you should apply.

00:37:38.950 --> 00:37:44.380
I was born and raised in Maryland which is where NSA is located, Fort Meade, Maryland.

00:37:44.380 --> 00:37:46.880
I had never heard of NSA.

00:37:46.880 --> 00:37:50.390
Back in the day, NSA was no such agency.

00:37:50.390 --> 00:38:00.079
It was a super-big ultra-secret that the organization even existed; unmarked, fenced buildings off

00:38:00.079 --> 00:38:04.980
the Baltimore-Washington [00:40:00] Parkway in central Maryland, a little bit between

00:38:04.980 --> 00:38:06.570
Baltimore and DC.

00:38:06.570 --> 00:38:12.690
Filled out the government application, sent it in, and heard back from them and they eventually

00:38:12.690 --> 00:38:20.990
invited me up to take a couple days worth of various aptitude and skills qualification

00:38:20.990 --> 00:38:21.990
tests.

00:38:21.990 --> 00:38:26.110
At the end of the day, I scored well enough that they offered me a job.

00:38:26.110 --> 00:38:29.470
What was weird at the time – and I still think it’s kind of weird – was they kinda

00:38:29.470 --> 00:38:31.900
hired me because I had potential.

00:38:31.900 --> 00:38:34.839
I didn’t actually have a job when I went to work for NSA.

00:38:34.839 --> 00:38:38.960
JACK: Right, so Jeff started working at the NSA in the fall of 1986.

00:38:38.960 --> 00:38:44.490
Oh, how different the world of technology was in 1986.

00:38:44.490 --> 00:38:48.490
To actually start working at the NSA, he had to pass a fairly rigorous background check.

00:38:48.490 --> 00:38:51.440
JEFF: They focus on several different areas.

00:38:51.440 --> 00:38:58.190
They want to know where you lived in the past ten or fifteen years, you had to list neighbors

00:38:58.190 --> 00:39:04.140
of all the different places you lived, friends, people you had contact with, social and beyond,

00:39:04.140 --> 00:39:08.280
which when you’re a young kid is pretty much your whole life.

00:39:08.280 --> 00:39:14.390
They asked all sorts of questions about your political affiliations, your political leanings.

00:39:14.390 --> 00:39:21.349
They were trying to find out things about you that had been used against people in terms

00:39:21.349 --> 00:39:27.460
of blackmail or were motivations of people that they had encountered that had basically

00:39:27.460 --> 00:39:33.180
– basically had committed espionage and become traitors.

00:39:33.180 --> 00:39:39.050
Lifestyle questions back in the day; if you happened to be a homosexual or have some sort

00:39:39.050 --> 00:39:40.750
of alternative lifestyle.

00:39:40.750 --> 00:39:46.280
It wasn’t so much an issue they wouldn’t hire you if you were like that; they just

00:39:46.280 --> 00:39:53.240
wanted to know about it so that somebody couldn’t blackmail you into giving away secrets because

00:39:53.240 --> 00:39:56.310
somebody had, and that had happened.

00:39:56.310 --> 00:40:01.020
They wanted to know about your financial records so that you weren’t – they wanted to know

00:40:01.020 --> 00:40:07.060
if you had a gambling problem and had huge debts which would be, again, a way that somebody

00:40:07.060 --> 00:40:11.950
could motivate you to steal secrets and they could pay things off, or they’re the people

00:40:11.950 --> 00:40:15.690
that you became indebted to, and that was your way of repaying.

00:40:15.690 --> 00:40:20.080
JACK: This process took weeks since they needed to visit all his neighbors and friends to

00:40:20.080 --> 00:40:22.670
see if all this information he gave them checked out.

00:40:22.670 --> 00:40:26.690
So, while he’s waiting for his clearance, he tries to figure out what he’s gonna do

00:40:26.690 --> 00:40:31.900
at the NSA, so he starts shopping around, looking for a job there, meeting people at

00:40:31.900 --> 00:40:33.859
the NSA to learn what they did.

00:40:33.859 --> 00:40:40.390
JEFF: Going out on these essentially job interviews that were really more like – as it turned

00:40:40.390 --> 00:40:45.460
out, it wasn’t so much a job interview as a sales pitch of oh, we want you to come work

00:40:45.460 --> 00:40:47.930
for us.

00:40:47.930 --> 00:40:53.370
One of the first interviews that I went on happened to be on the defensive side of the

00:40:53.370 --> 00:40:54.370
house.

00:40:54.370 --> 00:41:01.569
Back in those days, NSA was operations which is what most people know NSA for; intercepting

00:41:01.569 --> 00:41:06.140
communications, stealing all the secrets of the rest of the world, our enemies.

00:41:06.140 --> 00:41:11.200
Then there was also the defensive side which was called information security or InfoSec.

00:41:11.200 --> 00:41:15.980
I happened to – my first interview was on the InfoSec side.

00:41:15.980 --> 00:41:24.770
It was an office that was responsible for manual or paper crypto-systems.

00:41:24.770 --> 00:41:31.359
They were looking for someone to do a cryptologic, cryptographic review of all the manual paper

00:41:31.359 --> 00:41:33.720
crypto-systems that were currently deployed.

00:41:33.720 --> 00:41:38.710
JACK: They needed a cryptographer and nobody at the NSA seemed to want to step into that

00:41:38.710 --> 00:41:41.200
role and help that particular office out.

00:41:41.200 --> 00:41:45.250
JEFF: They thought well, the next best thing is let’s grow one, so let’s hire somebody

00:41:45.250 --> 00:41:46.250
off the street.

00:41:46.250 --> 00:41:51.160
We can go to the pool of people that are out there and train somebody up and train them

00:41:51.160 --> 00:41:54.000
to be a cryptographer and then have them do the review.

00:41:54.000 --> 00:41:56.550
JACK: So, he took the job as a cryptographer.

00:41:56.550 --> 00:42:03.940
JEFF: [MUSIC] So, I ended up going to work in InfoSec and working for what was known

00:42:03.940 --> 00:42:06.140
as the Manual Cryptosystems Branch.

00:42:06.140 --> 00:42:12.020
My job was to do cryptographic reviews of the systems that were being used at the time.

00:42:12.020 --> 00:42:16.619
JACK: At this point, he had to learn what cryptography was and get good at it.

00:42:16.619 --> 00:42:19.700
JEFF: NSA ran its own cryptologic school.

00:42:19.700 --> 00:42:24.900
They had 100, 200, 300, 400 courses, dozens of courses that you would take on various

00:42:24.900 --> 00:42:26.700
aspects of cryptography.

00:42:26.700 --> 00:42:33.120
I basically went back to school and took a lot of these training courses.

00:42:33.120 --> 00:42:38.040
What was interesting was I was learning a lot of classic manual cryptography on – back

00:42:38.040 --> 00:42:46.780
to the Ancient Greeks and Romans and how all the cryptosystems were used over time and

00:42:46.780 --> 00:42:49.550
how they evolved and all that type of thing.

00:42:49.550 --> 00:42:53.569
JACK: Which was perfect because this was the same stuff he was tasked with reviewing as

00:42:53.569 --> 00:42:55.099
a cryptologist.

00:42:55.099 --> 00:42:58.560
One of the things he learned about is what a one-time pad is.

00:42:58.560 --> 00:43:05.369
JEFF: A one-time pad is – the name [00:45:00] implies it’s a pad of paper usually forty,

00:43:05.369 --> 00:43:10.310
fifty pages, and on each page there is printed-out random characters.

00:43:10.310 --> 00:43:18.329
But it was essentially a key and the very basic form of encryption is you take your

00:43:18.329 --> 00:43:23.410
message, what we would call plain text; you would write that message out one letter at

00:43:23.410 --> 00:43:27.569
a time over or above the letters that were printed on the pad.

00:43:27.569 --> 00:43:32.170
So, you have plain text and you have the key pre-printed.

00:43:32.170 --> 00:43:37.559
You would go through some sort of cryptographic algorithm to produce a third letter which

00:43:37.559 --> 00:43:42.200
was the message, the encrypted message, or what we called the cipher.

00:43:42.200 --> 00:43:47.720
Quite simply, the way a one-time pad works is it’s – you use some sort of substitution

00:43:47.720 --> 00:43:51.780
algorithm to produce that third character that’s reversible.

00:43:51.780 --> 00:43:58.329
The beauty of it is that if – there’s obviously two copies of the pad but if those

00:43:58.329 --> 00:44:03.790
copy – if those pads are kept secret and nobody can see them and nobody steals them,

00:44:03.790 --> 00:44:08.800
there is no cryptographic solution if you intercept the cipher.

00:44:08.800 --> 00:44:10.210
You can collect it all day.

00:44:10.210 --> 00:44:15.859
There’s no way to break the underlying key because it’s random and therefore, there’s

00:44:15.859 --> 00:44:18.570
no way to break back what the actual message is.

00:44:18.570 --> 00:44:23.220
It’s called a one-time pad because you use the key one time.

00:44:23.220 --> 00:44:28.180
You write a message down on a page or two pages if it takes two pages, and as soon as

00:44:28.180 --> 00:44:32.910
you do the ciphering and transmit it, you destroy the pages.

00:44:32.910 --> 00:44:37.119
JACK: These one-time pads were often used by spies like when a handler needed to talk

00:44:37.119 --> 00:44:41.740
to an asset, they would encrypt messages by hand using this method.

00:44:41.740 --> 00:44:45.630
Then the receiver would have to spend a while decrypting the message.

00:44:45.630 --> 00:44:50.670
But a lot of the time, spies didn’t want to lug around big pads of paper, so they shrunk

00:44:50.670 --> 00:44:56.099
the one-time pad down to like, an inch or two wide so it can be transported in a shoe

00:44:56.099 --> 00:44:57.609
or rolled up into a pen.

00:44:57.609 --> 00:45:02.700
In fact, some of them were printed on rice paper because you needed to destroy the pad

00:45:02.700 --> 00:45:08.270
after you used it and some spies would destroy it by chewing it up and swallowing it.

00:45:08.270 --> 00:45:14.410
JEFF: But there was a run one time, a production run made one time of a set of one-time pads

00:45:14.410 --> 00:45:20.869
where they printed them on rice paper but for some reason, they didn’t take into account

00:45:20.869 --> 00:45:25.030
what type of ink that they were using, and they used some – I don’t know if they

00:45:25.030 --> 00:45:29.960
got a deal on some different kind of ink, but the ink that they ended up using was toxic,

00:45:29.960 --> 00:45:37.680
so our loyal spies that were sharing secrets with us in the field were getting sick.

00:45:37.680 --> 00:45:41.500
JACK: Now that he was getting up-to-date on all this cryptography, it was time for him

00:45:41.500 --> 00:45:43.320
to start using it on the job.

00:45:43.320 --> 00:45:50.160
JEFF: [MUSIC] My first assignment was – we were approached by I’ll just say a customer

00:45:50.160 --> 00:45:57.230
generically that was working with people in the field, and they were having these people

00:45:57.230 --> 00:46:04.271
report back to him on a rather regular basis; reporting information, data, secrets, things

00:46:04.271 --> 00:46:07.150
that they were observing.

00:46:07.150 --> 00:46:13.670
They were lamenting that it sometimes took them hours to do the decryption of these messages

00:46:13.670 --> 00:46:18.730
that were being sent to them and they asked the question; we’ve got this new-fangled

00:46:18.730 --> 00:46:22.119
IBM PC on our desk.

00:46:22.119 --> 00:46:27.089
Is there any way that we could do this encryption and decryption on the computer and just speed

00:46:27.089 --> 00:46:29.700
things up?

00:46:29.700 --> 00:46:36.619
My naivety, because I wasn’t experienced in the workings of NSA and in particular the

00:46:36.619 --> 00:46:40.020
InfoSec organization, I thought yeah, that seems reasonable.

00:46:40.020 --> 00:46:41.020
Why not?

00:46:41.020 --> 00:46:47.329
So, I set out to try to figure out how to get a computer program written that could

00:46:47.329 --> 00:46:55.140
be performed on the PC and then how to get the one-time paper pad into the PC which the

00:46:55.140 --> 00:46:57.720
option available at the time was on a floppy disc.

00:46:57.720 --> 00:47:02.200
JACK: Now, remember, this is 1987 at this point.

00:47:02.200 --> 00:47:07.640
Windows wasn’t a thing yet, so everything he was doing was on the command line.

00:47:07.640 --> 00:47:11.369
Did you understand software or programming or anything at the time?

00:47:11.369 --> 00:47:17.420
JEFF: No, not really, and what I set out to do was I went and started asking questions

00:47:17.420 --> 00:47:21.339
about all the different groups within InfoSec of how do you do this?

00:47:21.339 --> 00:47:26.480
‘Cause InfoSec had a production facility that would actually print these one-time pads.

00:47:26.480 --> 00:47:32.540
We had an office that would generate the key and that they had a way of generating a random

00:47:32.540 --> 00:47:39.200
key that could be used to put on the one-time pads, and there was other uses for keys.

00:47:39.200 --> 00:47:46.150
There was a lot of machine-based cryptographic systems available that was much more prevalent

00:47:46.150 --> 00:47:47.430
at the time.

00:47:47.430 --> 00:47:50.470
I kinda set out to – well, how do you do this?

00:47:50.470 --> 00:47:52.809
How do we design something and produce something?

00:47:52.809 --> 00:47:58.230
That certainly wasn’t something that was ordinarily done within the manual cryptosystems

00:47:58.230 --> 00:47:59.230
shop.

00:47:59.230 --> 00:48:03.440
But we had to design something and [00:50:00] how’s it gonna work?

00:48:03.440 --> 00:48:08.570
We need to have a computer program and the program needs to be written securely.

00:48:08.570 --> 00:48:14.550
If we’re gonna put the key on the floppy disc, how do we emulate pages of key?

00:48:14.550 --> 00:48:19.339
Especially, how do we emulate the destruction of a page of key?

00:48:19.339 --> 00:48:24.520
JACK: At some point Jeff starts to think surely there’s gotta be a standard in the NSA for

00:48:24.520 --> 00:48:26.320
how to secure software like this.

00:48:26.320 --> 00:48:31.760
Like, if you’re transporting keys on a floppy, what encryption do you use and so on?

00:48:31.760 --> 00:48:35.540
So, he looked around for such a standard and he found one.

00:48:35.540 --> 00:48:38.430
It described how to secure a cryptographic device.

00:48:38.430 --> 00:48:44.260
JEFF: This is where it started getting interesting because it was written for hardware.

00:48:44.260 --> 00:48:52.490
There was no concept of doing anything cryptographic in terms of software back in the late 80s.

00:48:52.490 --> 00:48:59.550
I say this, I’m in contact with a fellow alumni from the InfoSec organization and people

00:48:59.550 --> 00:49:03.460
that were there years before I was, and I’ve asked.

00:49:03.460 --> 00:49:08.780
To the best that I have been able to figure out, what we ended up producing which was

00:49:08.780 --> 00:49:13.740
half paper pad, half key on a floppy, and a computer program that would do the encryption

00:49:13.740 --> 00:49:15.109
and decryption.

00:49:15.109 --> 00:49:20.570
That was the first foray into software-based cryptography that NSA produced.

00:49:20.570 --> 00:49:24.300
JACK: [MUSIC] Now, hold on, it wasn’t that easy.

00:49:24.300 --> 00:49:28.559
Any cryptographic-based hardware that was made had a strict review process.

00:49:28.559 --> 00:49:34.430
So, he had to submit this software to a few departments to get it approved for use in

00:49:34.430 --> 00:49:35.510
the field.

00:49:35.510 --> 00:49:38.380
They had some push-back and questions on this software.

00:49:38.380 --> 00:49:43.470
JEFF: So, I had to go through several iterations of presenting to senior management.

00:49:43.470 --> 00:49:49.050
They gave me the initial blessing, came back; here’s all the security concerns.

00:49:49.050 --> 00:49:50.050
Go address them.

00:49:50.050 --> 00:49:51.790
I came back, addressed them.

00:49:51.790 --> 00:49:57.540
They ultimately said alright, we’ll let you do it but don’t do this again.

00:49:57.540 --> 00:50:02.890
JACK: Like most government agencies, the NSA was resistant to change.

00:50:02.890 --> 00:50:07.869
They weren’t entirely sure if this new-fangled computer thing was the direction they wanted

00:50:07.869 --> 00:50:09.210
to go in yet.

00:50:09.210 --> 00:50:11.730
That’s why they were hesitant with this whole thing.

00:50:11.730 --> 00:50:17.030
JEFF: We produced what to my knowledge, the best I’ve been able to figure out, the first

00:50:17.030 --> 00:50:19.990
software-based system that NSA produced.

00:50:19.990 --> 00:50:22.350
Now, years later, I’m a hacker.

00:50:22.350 --> 00:50:24.690
I’ve done all the hacking pen testing things.

00:50:24.690 --> 00:50:26.920
I look back and say I hacked NSA.

00:50:26.920 --> 00:50:29.859
I did something that wasn’t supposed to be able to be done.

00:50:29.859 --> 00:50:31.770
I didn’t take no for an answer.

00:50:31.770 --> 00:50:36.180
I figured out a way to hack the system, hack the process, and I got through it.

00:50:36.180 --> 00:50:41.480
Not saying I would have been successful at any other time and certainly wouldn’t have

00:50:41.480 --> 00:50:49.869
recommended this solution in a networking world, but for the time, it worked and it

00:50:49.869 --> 00:50:56.530
was revolutionary in terms of being the first foray into software.

00:50:56.530 --> 00:51:02.710
My career at NSA was roughly three different tours of duty as – or three different assignments;

00:51:02.710 --> 00:51:07.020
this initial assignment where I did the work with the manual cryptosystems, produced the

00:51:07.020 --> 00:51:11.700
first software-based manual cryptosystem.

00:51:11.700 --> 00:51:17.480
That ended and I became a cryptanalysis intern.

00:51:17.480 --> 00:51:24.059
The intern programs were special programs that were designed to get you the training,

00:51:24.059 --> 00:51:32.240
the diversity of experience, and higher education to advance you to higher levels of your career

00:51:32.240 --> 00:51:33.240
field.

00:51:33.240 --> 00:51:34.450
In this case, cryptanalysis.

00:51:34.450 --> 00:51:39.390
What it meant was essentially that I jumped from InfoSec over to the operation side.

00:51:39.390 --> 00:51:46.150
Then I was actually on Fort Meade and a couple of my six-month tours as an intern were in

00:51:46.150 --> 00:51:51.540
one or more of those – there’s actually two of those big, black buildings beyond the

00:51:51.540 --> 00:51:53.839
four-storey structure.

00:51:53.839 --> 00:51:59.770
I was all over that which most – if you’ve seen the aerial photos of NSA, I was in those

00:51:59.770 --> 00:52:00.770
buildings.

00:52:00.770 --> 00:52:03.720
JACK: So, he went to work in another department and that department was in the middle of looking

00:52:03.720 --> 00:52:08.700
for how you can crack encryption or exploit systems if they weren’t using best practices

00:52:08.700 --> 00:52:10.440
and securing their stuff properly.

00:52:10.440 --> 00:52:15.809
For instance, remember that one-time pad and how each page of the pad was only good once

00:52:15.809 --> 00:52:19.049
and then you had to use a different piece of paper for the next message?

00:52:19.049 --> 00:52:21.260
Well, suppose someone doesn’t do that.

00:52:21.260 --> 00:52:23.810
Suppose they used the same pad over and over.

00:52:23.810 --> 00:52:25.079
Does that make it weaker?

00:52:25.079 --> 00:52:27.000
JEFF: People were doing exactly that.

00:52:27.000 --> 00:52:32.780
They would take a one-time pad sheet of key and they would use it for thirty days.

00:52:32.780 --> 00:52:39.799
We could amass dozens or hundreds of messages that we knew had the same key on the bottom

00:52:39.799 --> 00:52:45.119
and you can cryptographically break that and figure out what the message is.

00:52:45.119 --> 00:52:51.140
Or if it was any kind of machine system of cryptographic radio or transmitting device,

00:52:51.140 --> 00:52:57.640
there’s things that you can do to bypass the security or shortcuts to get the message

00:52:57.640 --> 00:53:02.690
through that you think you’re doing it in a secure manner but sometimes [00:55:00] you’re

00:53:02.690 --> 00:53:03.690
not.

00:53:03.690 --> 00:53:08.210
So, somebody figured out – some group figured out, okay, if the bad guys or the adversaries,

00:53:08.210 --> 00:53:14.781
the rest of the world doesn’t use the crypto correctly and we’re producing all the crypto

00:53:14.781 --> 00:53:23.640
that the US uses, the DOD and everything US-related, and we produce the best crypto in the world

00:53:23.640 --> 00:53:29.220
and it’s tested and tires were kicked on it and everything and it has to be rated to

00:53:29.220 --> 00:53:35.150
be secure for however long it needs to be keeping the data secure, how do we know that

00:53:35.150 --> 00:53:39.849
our people that are in the field are using it the way that it’s been designed in the

00:53:39.849 --> 00:53:41.480
lab and the pristine condition?

00:53:41.480 --> 00:53:43.640
JACK: It’s a great question to ask.

00:53:43.640 --> 00:53:48.960
If the NSA can crack codes because someone isn’t using best practices in security,

00:53:48.960 --> 00:53:52.630
is the NSA guilty of not following those best practices themselves?

00:53:52.630 --> 00:53:58.170
[MUSIC] So, his task was to go around and look at servers and computers in the NSA to

00:53:58.170 --> 00:54:00.200
make sure the NSA itself was secure.

00:54:00.200 --> 00:54:04.760
JEFF: To make sure not so much that they were designed correctly.

00:54:04.760 --> 00:54:06.099
That was sort of assumed.

00:54:06.099 --> 00:54:10.670
That was a given, but that they were being used correctly, that they were being implemented

00:54:10.670 --> 00:54:11.670
correctly.

00:54:11.670 --> 00:54:16.150
JACK: Jeff was there in the NSA in 1993 and what’s so important about ‘93?

00:54:16.150 --> 00:54:20.410
Well, that’s when the first web browser was created, called Mosaic.

00:54:20.410 --> 00:54:23.329
This is where the web and HTML sprang out from.

00:54:23.329 --> 00:54:27.059
Once they saw people were using this more commonly, this gave them a new idea.

00:54:27.059 --> 00:54:32.170
JEFF: That’s when the focus within this office for a small group of us started to

00:54:32.170 --> 00:54:38.500
be hey, why don’t we start doing that hacking thing that we’ve seen in the movies and

00:54:38.500 --> 00:54:43.750
start doing that and start coming up with a methodology of looking into how do you break

00:54:43.750 --> 00:54:48.970
into networks and computers, this whole internet security thing?

00:54:48.970 --> 00:54:53.829
That’s what I and a small group of us gravitated to within this office.

00:54:53.829 --> 00:54:59.280
JACK: When browsers reshaped how the internet looks and feels, it brought tremendous growth

00:54:59.280 --> 00:55:02.641
to the internet which caused a sea change at the NSA.

00:55:02.641 --> 00:55:06.840
In fact, around this time, the US created the fifth domain of warfare.

00:55:06.840 --> 00:55:13.450
Historically, they had land, sea, air, and space, but in 1995, they added cyber-space

00:55:13.450 --> 00:55:18.200
as a domain of warfare and Jeff was right there at the dawn of when the NSA really started

00:55:18.200 --> 00:55:20.099
the internet hacking that it does today.

00:55:20.099 --> 00:55:24.830
JEFF: Yeah, all the really smart people, the suits, as I and many of us used to call them,

00:55:24.830 --> 00:55:27.680
they got together and decided to reorganize.

00:55:27.680 --> 00:55:33.990
So, they set up what became known as the System and Network Attack Center.

00:55:33.990 --> 00:55:38.819
It was built to be the – again, we didn’t use the term ‘cyber’ but it was supposed

00:55:38.819 --> 00:55:43.289
to be a center of excellence for everything computer and network security-related.

00:55:43.289 --> 00:55:49.059
Essentially, a lot of the InfoSec side of the world was a research organization because

00:55:49.059 --> 00:55:51.320
we were designing and building things.

00:55:51.320 --> 00:55:52.680
They set it up like that.

00:55:52.680 --> 00:55:58.490
There was a design and a research arm and a couple other variations of the theme.

00:55:58.490 --> 00:56:00.319
One group was supposed to look at networks.

00:56:00.319 --> 00:56:02.640
One group was supposed to look at operating systems.

00:56:02.640 --> 00:56:10.319
The intent was to do a lot of research, dig into them, and produce standards and guides

00:56:10.319 --> 00:56:11.579
on how to secure them.

00:56:11.579 --> 00:56:15.970
JACK: Jeff and the people in his team really wanted to embody the hacker culture within

00:56:15.970 --> 00:56:20.099
the NSA and learn how to break into systems remotely over the internet and stuff.

00:56:20.099 --> 00:56:25.579
JEFF: This small group of guys that had gotten together originally in this branch that was

00:56:25.579 --> 00:56:32.230
focused on fielded systems, we got swept into this reorganization and moved to a different

00:56:32.230 --> 00:56:33.230
building.

00:56:33.230 --> 00:56:37.340
We were moved off Fort Meade to one of the satellite locations and we were given our

00:56:37.340 --> 00:56:39.849
own office.

00:56:39.849 --> 00:56:44.049
We were given license to keep doing what we were doing.

00:56:44.049 --> 00:56:48.360
Everybody was happy with it although they didn’t necessarily understand it.

00:56:48.360 --> 00:56:57.470
[MUSIC] But we were testing the security mostly of NSA networks and domains within the NSA

00:56:57.470 --> 00:57:03.829
proper as well as other DOD customers, let’s just say.

00:57:03.829 --> 00:57:06.750
Things were bopping along nicely.

00:57:06.750 --> 00:57:11.480
JACK: Okay, this sounds like a good place to start; learn how to hack stuff, then test

00:57:11.480 --> 00:57:13.930
your hacking ability on the NSA itself.

00:57:13.930 --> 00:57:17.309
JEFF: We nicknamed our office The Pit.

00:57:17.309 --> 00:57:23.401
We referred to our little hacker hang-out, as it were although again, we didn’t call

00:57:23.401 --> 00:57:27.660
it that at the time but that’s essentially what it was.

00:57:27.660 --> 00:57:29.270
We called that The Pit.

00:57:29.270 --> 00:57:35.670
We decided we wanted to have our space and give it an identity and some – one of the

00:57:35.670 --> 00:57:38.750
members of the group said well, we should give it a name.

00:57:38.750 --> 00:57:42.740
A popular show at the time was a show called MASH.

00:57:42.740 --> 00:57:48.869
The irreverent doctors in the show MASH, their tent that they lived in, they called The Swamp.

00:57:48.869 --> 00:57:52.599
So, they said well, let’s do something along those lines like The Swamp.

00:57:52.599 --> 00:57:56.089
We didn’t want to call it The Swamp ‘cause that had been used.

00:57:56.089 --> 00:57:58.619
Somebody came up with Pit and it stuck.

00:57:58.619 --> 00:58:03.950
So, within our little office which we came to [01:00:00] call The Pit, we had to get

00:58:03.950 --> 00:58:08.559
special permission to get a little mini-fridge installed in it and we filled it up with Mountain

00:58:08.559 --> 00:58:09.559
Dew.

00:58:09.559 --> 00:58:15.039
That was the beverage of choice for the hacker culture in the early-to-mid 90s.

00:58:15.039 --> 00:58:19.859
Initially there was four of us in terms of our background.

00:58:19.859 --> 00:58:26.881
I was the business major so I sort of gravitated towards the business side of things; finding

00:58:26.881 --> 00:58:29.680
customers to do this.

00:58:29.680 --> 00:58:36.710
I think most if not all the other guys were computer scientists in terms of their academic

00:58:36.710 --> 00:58:37.710
training.

00:58:37.710 --> 00:58:42.680
JACK: This Pit as they called it was part of SNAC, the System Network and Attack Center,

00:58:42.680 --> 00:58:46.360
and they were certainly participating in the attacking part of that.

00:58:46.360 --> 00:58:50.970
They were learning how hackers operated by reading hacker magazines and forums, and they

00:58:50.970 --> 00:58:54.250
would try these attacks out on some practice computers.

00:58:54.250 --> 00:58:57.069
They were also doing their own research and generating their own exploits.

00:58:57.069 --> 00:59:02.480
JEFF: Back in those days, we weren’t relying as much on – in fact, we didn’t even have

00:59:02.480 --> 00:59:05.460
the term yet zero-days or 0-days.

00:59:05.460 --> 00:59:10.140
We were basically learning how the operating systems worked and learning about all the

00:59:10.140 --> 00:59:17.720
hidden or undocumented features of the operating systems at the time that could get you root

00:59:17.720 --> 00:59:19.080
privileges.

00:59:19.080 --> 00:59:21.160
We were learning a lot of the tricks and the trades.

00:59:21.160 --> 00:59:26.170
Now, there were some exploitation-types of things.

00:59:26.170 --> 00:59:31.740
Some of the – and again, this is where I like to caveat these are the types of things

00:59:31.740 --> 00:59:32.810
that were done at the time.

00:59:32.810 --> 00:59:36.430
I’m not saying that we necessarily did any of these.

00:59:36.430 --> 00:59:37.859
Use your imagination.

00:59:37.859 --> 00:59:43.180
But again, everything that we did against the classified system was labeled classified,

00:59:43.180 --> 00:59:48.930
so technically if I tell you that I was doing something to a classified system, I would

00:59:48.930 --> 00:59:51.470
be sharing secrets.

00:59:51.470 --> 00:59:57.920
With that caveat, what was commonly done back then to break into UNIX systems and UNIX networks

00:59:57.920 --> 01:00:00.089
was – there was password-guessing…

01:00:00.089 --> 01:00:07.420
JACK: Ah, yeah; according to Rapid7, the oldest vulnerability, discovered in 1970, was computers

01:00:07.420 --> 01:00:10.730
using the username admin and the password admin.

01:00:10.730 --> 01:00:14.430
I think it’s really embarrassing that forty years later we still battle with the same

01:00:14.430 --> 01:00:15.430
vulnerability.

01:00:15.430 --> 01:00:20.830
JEFF: Everybody was getting on – getting a UNIX workstation and getting a network credential.

01:00:20.830 --> 01:00:25.650
Not everybody wanted to get on that new-fangled computer so very often everybody was set up

01:00:25.650 --> 01:00:28.839
with accounts but they hadn’t actually been used yet.

01:00:28.839 --> 01:00:32.590
The way that they were typically set up was everybody would get an account.

01:00:32.590 --> 01:00:37.710
But until you logged into it, you wouldn’t set a password, so there would be idle accounts

01:00:37.710 --> 01:00:39.039
that were just sitting out there.

01:00:39.039 --> 01:00:43.910
If you could identify the username, guess the user ID, you could get in without a password

01:00:43.910 --> 01:00:46.890
and set it and it would become your account.

01:00:46.890 --> 01:00:52.190
Back in those days, the password hashes were in the /etc/passwd files, or world readable,

01:00:52.190 --> 01:00:56.670
so you could just copy them and run crack programs like Crack or John the Ripper.

01:00:56.670 --> 01:01:01.339
JACK: Jeff and the team in The Pit were doing internal penetration testing, red teaming.

01:01:01.339 --> 01:01:04.880
But at the time, these sort of terms just didn’t exist yet.

01:01:04.880 --> 01:01:08.270
It’s typical that when you’re in government and you’re helping other government offices,

01:01:08.270 --> 01:01:10.250
you call them your customer.

01:01:10.250 --> 01:01:15.030
They would find a target which was just another office or department, and that’s their customer.

01:01:15.030 --> 01:01:19.810
JEFF: If we wanted to do an attack, we had a target, we had a customer and let’s say

01:01:19.810 --> 01:01:24.790
it was an internal customer, we had to get permission to do what we wanted to do.

01:01:24.790 --> 01:01:28.200
In order to get that permission, we had to get management sign-off.

01:01:28.200 --> 01:01:34.030
It had to go up our management chain, across the executive suite, and down the management

01:01:34.030 --> 01:01:38.050
chain of our potential target or customer.

01:01:38.050 --> 01:01:45.000
Because it was getting physical signatures or initials on a document from ten or twelve

01:01:45.000 --> 01:01:49.240
or fifteen people sometimes, that could take weeks or months.

01:01:49.240 --> 01:01:54.500
It was frustrating because being able to break into a network, being able to break into a

01:01:54.500 --> 01:01:56.400
computer, you kinda know what you want to do.

01:01:56.400 --> 01:01:57.539
You know what’s gonna work.

01:01:57.539 --> 01:02:02.940
You think you know what’s – you’re ready to do it and sort of develop the methodology

01:02:02.940 --> 01:02:08.069
which was required in this form without actually executing the methodology, so you sort of

01:02:08.069 --> 01:02:13.000
get right up to the edge and then get told to stand down for a month until you get permission

01:02:13.000 --> 01:02:14.260
to do it.

01:02:14.260 --> 01:02:15.599
That wasn’t cutting it with us.

01:02:15.599 --> 01:02:19.400
JACK: Yeah, I’ve heard this from other hackers in the NSA too, that they have a target they

01:02:19.400 --> 01:02:23.070
want to hack but first they have to get approvals for what they’ll do.

01:02:23.070 --> 01:02:27.210
They don’t know exactly what exploits they’ll use until they get inside that network to

01:02:27.210 --> 01:02:28.250
see what they have.

01:02:28.250 --> 01:02:32.940
It’s still a problem today in the NSA, actually, and the only way they’ve been able to solve

01:02:32.940 --> 01:02:38.869
this is to do as much open-source intelligence-gathering on your target as you can to know what to

01:02:38.869 --> 01:02:42.539
expect once you get in there so that you can get approvals for your mission.

01:02:42.539 --> 01:02:48.410
JEFF: We’d try to learn as much as we could about the target from a benign perspective;

01:02:48.410 --> 01:02:50.619
what kind of information’s out there?

01:02:50.619 --> 01:02:51.770
Who are the people involved?

01:02:51.770 --> 01:02:57.670
Can we identify what their user ID naming convention is so we can start to guess account

01:02:57.670 --> 01:02:58.839
names?

01:02:58.839 --> 01:03:03.579
What can we learn about the people; their interests, their hobbies, [01:05:00] their

01:03:03.579 --> 01:03:08.819
birthdays and anniversaries and pets’ names and kids’ names, because these are all very

01:03:08.819 --> 01:03:14.119
probably password possibilities when we were just trying to guess passwords.

01:03:14.119 --> 01:03:19.170
We would do that sort of open-reconnaissance which was very rudimentary back in – we

01:03:19.170 --> 01:03:20.619
didn’t have Google back then.

01:03:20.619 --> 01:03:21.619
We didn’t have LinkedIn.

01:03:21.619 --> 01:03:26.529
We didn’t have all this stuff that is so readily available like it is today.

01:03:26.529 --> 01:03:27.529
But there were ways.

01:03:27.529 --> 01:03:33.650
JACK: It sounds to me that Jeff helped start the very first red team in the NSA which is

01:03:33.650 --> 01:03:36.820
quite remarkable seeing what the NSA has become.

01:03:36.820 --> 01:03:39.740
Now, this term ‘red team’, it actually comes from the military.

01:03:39.740 --> 01:03:44.099
The red team was someone who acts like an adversary to test your defenses.

01:03:44.099 --> 01:03:48.309
They think like the bad guys and the blue team is someone who defends against red team

01:03:48.309 --> 01:03:49.309
attacks.

01:03:49.309 --> 01:03:52.730
JEFF: A couple years ago, a book was published called Dark Territory by a gentleman named

01:03:52.730 --> 01:03:54.339
Fred Kaplan.

01:03:54.339 --> 01:04:00.289
In that book, in the fourth chapter which is entitled Eligible Receiver, there is a

01:04:00.289 --> 01:04:07.299
paragraph that talks about NSA’s super-secret red team – was called The Pit.

01:04:07.299 --> 01:04:12.680
Now, none of us that were the original members of The Pit have any idea how the folklore

01:04:12.680 --> 01:04:18.480
grew to the point where it was included in this book but when one of us got a copy of

01:04:18.480 --> 01:04:20.359
the book and read it, we all got very excited.

01:04:20.359 --> 01:04:22.339
It’s like hey, we’re all in a book.

01:04:22.339 --> 01:04:28.220
So, apparently what we did in the early days in our office called The Pit came to be known

01:04:28.220 --> 01:04:30.730
as the NSA red team in The Pit.

01:04:30.730 --> 01:04:33.980
JACK: They were doing pretty good, making a good name for themselves in The Pit and

01:04:33.980 --> 01:04:35.970
helping out a lot of customers.

01:04:35.970 --> 01:04:40.560
But everything they had worked on so far was attacking and securing classified networks.

01:04:40.560 --> 01:04:43.730
But that was about to change when the DOJ heard about them.

01:04:43.730 --> 01:04:50.990
JEFF: ‘Cause the Department of Justice had heard that NSA had this crack team of hackers,

01:04:50.990 --> 01:04:56.589
pen testers that would test the security of networks and they wanted to have that, too.

01:04:56.589 --> 01:05:02.730
When I first found out about that, I had to go to the lawyers and say can we do that?

01:05:02.730 --> 01:05:09.279
We went to the lawyers, or the lawyers got wind of the fact that an unclassified network

01:05:09.279 --> 01:05:13.950
organization was asking us to do the work and we’re like sure, they’re a customer.

01:05:13.950 --> 01:05:15.010
Let’s do it.

01:05:15.010 --> 01:05:17.299
The lawyer’s like well, hold on a minute.

01:05:17.299 --> 01:05:22.680
The general counsel said let us educate you a little bit on how things work here.

01:05:22.680 --> 01:05:27.270
JACK: The lawyers explained to him that while the NSA is responsible for protecting classified

01:05:27.270 --> 01:05:32.770
networks, another department, NIST, is responsible for protecting unclassified networks.

01:05:32.770 --> 01:05:37.500
It’s not the NSA’s jurisdiction to help the DOJ in this situation since they wanted

01:05:37.500 --> 01:05:40.210
Jeff to test their public-facing website.

01:05:40.210 --> 01:05:45.520
JEFF: While NIST was responsible for unclassified networks, it was fairly well-acknowledged

01:05:45.520 --> 01:05:50.280
back in those days that they had no capability and this is all I’m learning from the general

01:05:50.280 --> 01:05:51.730
counsel.

01:05:51.730 --> 01:05:57.859
What effectively happened was sort of a nod and a wink, handshake agreement where NIST

01:05:57.859 --> 01:06:05.539
would be responsible but they would very quietly sort of pass it back to NSA to actually do

01:06:05.539 --> 01:06:07.799
the work.

01:06:07.799 --> 01:06:14.940
[MUSIC] When we were first approached by people in the DOJ saying we want you to come do your

01:06:14.940 --> 01:06:18.940
thing – went to the general counsel and they said well, there’s a way that you have

01:06:18.940 --> 01:06:24.890
to do this and you sort of have to just follow the rules, so we proceeded – I proceeded

01:06:24.890 --> 01:06:26.700
to start following the rules.

01:06:26.700 --> 01:06:33.410
The first thing they said was well, this is sort of – this sort of has to be a cabinet-level

01:06:33.410 --> 01:06:38.630
favor that’s being asked by one cabinet member to another, so the request to do this

01:06:38.630 --> 01:06:45.410
work has to come from the attorney general to the Secretary of Defense.

01:06:45.410 --> 01:06:51.069
I worked with the DOJ people to generate a letter that was ultimately written by – signed

01:06:51.069 --> 01:06:58.490
by the attorney general who at the time was Janet Reno asking NSA to do that thing, that

01:06:58.490 --> 01:07:02.589
vulnerability threat assessment thing that you guys do, we’d like you to do it to this

01:07:02.589 --> 01:07:11.619
particular internet-facing public-facing aspect of the DOJ.

01:07:11.619 --> 01:07:15.880
That took a little while to get going.

01:07:15.880 --> 01:07:21.660
The director of NSA had to respond officially back saying yes, we would be happy to do that

01:07:21.660 --> 01:07:26.369
for you, that letter going back to the attorney general.

01:07:26.369 --> 01:07:33.549
It was like a three-month process and in all of this negotiation, we were down to the letter

01:07:33.549 --> 01:07:42.630
had been actually drafted, signed by the director of NSA who at the time was General Minihan

01:07:42.630 --> 01:07:48.079
– he was an Air Force general – who, his previous tour of duty had actually been down

01:07:48.079 --> 01:07:51.300
at AFWIC, so he came to us from AFWIC.

01:07:51.300 --> 01:07:57.470
Right before the letter could be delivered, I came in on a Monday morning and I had a

01:07:57.470 --> 01:08:02.589
call – I got a call from my point of contact at the Department of Justice [01:10:00] saying

01:08:02.589 --> 01:08:07.300
help, our website was hacked over the weekend.

01:08:07.300 --> 01:08:10.410
JACK: Oh, wow, the very website that Jeff was supposed to run a security assessment

01:08:10.410 --> 01:08:12.530
on had been hacked.

01:08:12.530 --> 01:08:17.069
But Jeff didn’t have all the approvals yet to help out the DOJ, so he just couldn’t

01:08:17.069 --> 01:08:18.069
do much.

01:08:18.069 --> 01:08:23.179
But Jeff asked for more details and what happened became actually pretty big news.

01:08:23.179 --> 01:08:29.120
On August 16th, 1996, a hacker broke into one of the DOJ’s websites and replaced the

01:08:29.120 --> 01:08:33.770
picture of Janet Reno who was the attorney general with a picture of Adolf Hitler.

01:08:33.770 --> 01:08:38.271
They changed the name of the website to Department of Injustice and replaced the seal with a

01:08:38.271 --> 01:08:39.271
Nazi flag.

01:08:39.271 --> 01:08:43.990
Lucky for them it was a somewhat benign defacement attack and didn’t go much further than that.

01:08:43.990 --> 01:08:49.170
JEFF: It was the first hack of any government installation facility website.

01:08:49.170 --> 01:08:56.040
It was the first time the government had been publicly hacked, compromised.

01:08:56.040 --> 01:09:03.880
Everybody was paranoid about it, everybody was very reactionary; crap, we gotta do something.

01:09:03.880 --> 01:09:06.500
It became very public very quickly.

01:09:06.500 --> 01:09:11.460
JACK: I find this ironic because just before this, Janet Reno approved Jeff’s team to

01:09:11.460 --> 01:09:14.331
pen test that website, and now her picture is what got defaced.

01:09:14.331 --> 01:09:19.140
But the DOJ still wanted the team in The Pit to come help and take a look.

01:09:19.140 --> 01:09:21.410
JEFF: I said well, let me see what I can do.

01:09:21.410 --> 01:09:26.720
[MUSIC] Knowing that ordinarily to engage them is a three-month process, I hung up with

01:09:26.720 --> 01:09:32.520
them, I got on the phone with the general counsel’s office and I said this is what’s

01:09:32.520 --> 01:09:33.520
happened.

01:09:33.520 --> 01:09:37.799
We’re this close to being legal, engaging with them anyway.

01:09:37.799 --> 01:09:39.759
The last letter has been signed.

01:09:39.759 --> 01:09:41.620
It just hasn’t been delivered yet.

01:09:41.620 --> 01:09:47.630
What do I have to do to get a team onsite tomorrow to help them out?

01:09:47.630 --> 01:09:52.529
They talked about it and they got back to me and said well, have them make the request

01:09:52.529 --> 01:09:53.529
in writing.

01:09:53.529 --> 01:09:54.529
Get it written down.

01:09:54.529 --> 01:09:58.850
So, I ended up having them do that and they said don’t go on your own.

01:09:58.850 --> 01:10:03.860
Make sure that it’s a group and have your management send you.

01:10:03.860 --> 01:10:05.719
Don’t go on your own authority.

01:10:05.719 --> 01:10:09.480
Have somebody tell you go ahead and go, somebody in the management chain.

01:10:09.480 --> 01:10:11.500
I was like okay, that’s easy.

01:10:11.500 --> 01:10:15.989
So, I followed all those steps and I assembled a team.

01:10:15.989 --> 01:10:23.270
Three or four of us went down to the DOJ office in Washington, DC and we were there Tuesday,

01:10:23.270 --> 01:10:25.390
we were there Wednesday.

01:10:25.390 --> 01:10:31.120
Thursday morning we’re down there for the third day and I get a phone call from somebody

01:10:31.120 --> 01:10:33.780
that was still back at The Pit.

01:10:33.780 --> 01:10:36.010
They said dude, the shit’s hit the fan.

01:10:36.010 --> 01:10:40.560
You guys gotta drop what you’re doing and come back now.

01:10:40.560 --> 01:10:41.800
I was like, okay.

01:10:41.800 --> 01:10:43.090
So, we did.

01:10:43.090 --> 01:10:47.150
So, it took us a couple hours to get back to the office.

01:10:47.150 --> 01:10:52.530
When we got back to the office, we were escorted into the executive conference room for the

01:10:52.530 --> 01:11:00.699
deputy director of InfoSec and waiting for us there was the same general counsel, the

01:11:00.699 --> 01:11:05.090
same lawyer that I had been working with for the last several months.

01:11:05.090 --> 01:11:08.140
He’s an Irish guy and he was mad.

01:11:08.140 --> 01:11:14.100
He was red in the face and he was reading us the Riot Act about how what we had done

01:11:14.100 --> 01:11:15.200
was illegal.

01:11:15.200 --> 01:11:17.460
Didn’t we know that it was illegal?

01:11:17.460 --> 01:11:24.890
Didn’t we know that we could not only get the director fired but possibly go to jail?

01:11:24.890 --> 01:11:28.340
Don’t you know that you could go to jail?

01:11:28.340 --> 01:11:33.810
For the first time in my life, I was introduced to what was known as the Church Proceedings.

01:11:33.810 --> 01:11:36.909
He asked us haven’t you ever heard of the Church Proceedings?

01:11:36.909 --> 01:11:39.670
Of course, no, I hadn’t heard of the Church Proceeding.

01:11:39.670 --> 01:11:45.429
JACK: So, he had to learn that in 1975, there was a Senate sub-committee led by Idaho Senator

01:11:45.429 --> 01:11:50.770
Frank Church to review whether any of the intelligence agencies had abused their powers

01:11:50.770 --> 01:11:54.500
and what it would look like if they did overreach and abuse their power.

01:11:54.500 --> 01:12:01.270
JEFF: The essence of the findings was these organizations have a lot of power and a lot

01:12:01.270 --> 01:12:04.780
of capability and a lot of potential.

01:12:04.780 --> 01:12:09.070
But they don’t have much oversight officially.

01:12:09.070 --> 01:12:13.360
How do we know that they’re benevolent and gonna do all the things that they do to the

01:12:13.360 --> 01:12:16.720
bad guys and not US citizens?

01:12:16.720 --> 01:12:22.880
One of the outcomes of the Church Proceedings was what came to be known as the NSA Charter

01:12:22.880 --> 01:12:32.239
which is a classified document, but it essentially says that NSA can only do what NSA does to

01:12:32.239 --> 01:12:33.719
foreign nationals.

01:12:33.719 --> 01:12:43.610
Anybody other than US citizens and NSA may explicitly not do what NSA does to US citizens.

01:12:43.610 --> 01:12:49.780
Well, you can imagine that in terms of ethical hacking, white hat hacking, breaking into

01:12:49.780 --> 01:12:56.380
US – what’s effectively US systems and networks sort of flies in the face of the

01:12:56.380 --> 01:12:57.480
NSA Charter.

01:12:57.480 --> 01:13:02.960
Now, we had never really confronted that explicitly in all the negotiations with the

01:13:02.960 --> 01:13:08.330
lawyers for the months or years that we were working with them to do our vulnerability

01:13:08.330 --> 01:13:11.750
and threat assessments, but they certainly had it in mind.

01:13:11.750 --> 01:13:18.220
It just came to a head when, for whatever reason, somebody decided that we had not followed

01:13:18.220 --> 01:13:23.989
the right procedures to go down and help the DOJ out with their forensic exercise.

01:13:23.989 --> 01:13:25.360
It was a big deal.

01:13:25.360 --> 01:13:27.690
Well, at the time we didn’t think it was a big deal.

01:13:27.690 --> 01:13:32.739
We thought it was overblown but because I was sort of the project leader, I was the

01:13:32.739 --> 01:13:34.710
one that was thrown under the bus.

01:13:34.710 --> 01:13:38.060
I was put on probation.

01:13:38.060 --> 01:13:39.560
My clearance was pulled.

01:13:39.560 --> 01:13:43.969
JACK: The NSA did an investigation on Jeff and they called him back into the office for

01:13:43.969 --> 01:13:45.830
a chat with the director.

01:13:45.830 --> 01:13:50.699
New rules were laid down which the people in The Pit had to follow from then on.

01:13:50.699 --> 01:13:56.390
But this whole incident just took the wind out of the sails for the people in The Pit.

01:13:56.390 --> 01:13:59.910
Their energy and passion was sapped, including Jeff’s.

01:13:59.910 --> 01:14:05.989
At this point, Jeff was with the NSA for twelve years and he had built up quite a lot of skills

01:14:05.989 --> 01:14:09.190
there, even getting his Bachelor’s degree in Computer Science.

01:14:09.190 --> 01:14:15.449
So, he looked at the private sector for jobs and sure enough, jobs for him were available

01:14:15.449 --> 01:14:16.830
and paying a lot more.

01:14:16.830 --> 01:14:21.800
So, he quit the NSA shortly after this incident and after that, three more people from The

01:14:21.800 --> 01:14:22.800
Pit quit, too.

01:14:22.800 --> 01:14:30.579
JEFF: Then I started a week later that I think initially was a 50% pay increase.

01:14:30.579 --> 01:14:36.300
From a strictly economics perspective, it wasn’t a difficult decision to make.

01:14:36.300 --> 01:14:42.400
But if things hadn’t have gone south like that – a lot of people asked me why do people

01:14:42.400 --> 01:14:43.400
work at NSA?

01:14:43.400 --> 01:14:47.050
It’s like, because they really are patriots and they really are loyalists and they really

01:14:47.050 --> 01:14:48.300
believe in the mission.

01:14:48.300 --> 01:14:50.060
I probably would have been in that boat, too.

01:14:50.060 --> 01:14:56.620
I probably would have stuck it out and stayed there and enjoyed whatever notoriety which

01:14:56.620 --> 01:15:04.080
certainly I wasn’t seeking, whatever professional career success, I would have stayed there.

01:15:04.080 --> 01:15:11.820
JACK: [MUSIC] The following year, in 1997, the NSA launched Operation Eligible Receiver.

01:15:11.820 --> 01:15:16.409
This was a no-notice training attack that the NSA would simulate on the US government

01:15:16.409 --> 01:15:17.650
and military.

01:15:17.650 --> 01:15:21.820
They were actively conducting DDoS attacks and using open-source intelligence to figure

01:15:21.820 --> 01:15:25.360
out ways to infiltrate different military bases and networks.

01:15:25.360 --> 01:15:30.070
The NSA had built a red team and were hacking into the US government networks.

01:15:30.070 --> 01:15:35.070
I found an old video of a Navy captain who worked at the NSA and was part of this exercise.

01:15:35.070 --> 01:15:40.870
CAPTAIN1: Planning for Eligible Receiver at the National Security Agency began in 1996.

01:15:40.870 --> 01:15:46.350
A small handful of people who were appropriately cleared into the program at that time began

01:15:46.350 --> 01:15:51.090
laying the groundwork for the IW campaign in support of JCS objectives.

01:15:51.090 --> 01:15:58.260
JACK: Jeff quit the NSA in ‘96 and believes that guy was taking notes from the team in

01:15:58.260 --> 01:15:59.260
The Pit.

01:15:59.260 --> 01:16:03.320
JEFF: I’m like, I remember when they used to visit us all the time and a very congenial

01:16:03.320 --> 01:16:08.199
fellow – and he always had a clipboard and he always was asking lots of questions and

01:16:08.199 --> 01:16:10.350
taking lots of notes.

01:16:10.350 --> 01:16:15.070
Putting two and two together, looking back on it, I’m like damnit, he was asking us

01:16:15.070 --> 01:16:19.179
questions because he was working on putting together Eligible Receiver.

01:16:19.179 --> 01:16:24.650
But we were not ever planned to be part of Eligible Receiver ‘cause they didn’t want

01:16:24.650 --> 01:16:28.340
to put the A-team out on the job.

01:16:28.340 --> 01:16:35.639
They were recruiting people and training people up to be lower-level hackers, what they referred

01:16:35.639 --> 01:16:40.940
to as the B-team, to actually execute the exercise.

01:16:40.940 --> 01:16:43.760
Yeah, so yes, I was involved.

01:16:43.760 --> 01:16:46.070
I didn’t know it at the time.

01:16:46.070 --> 01:16:51.690
JACK: Eligible Receiver, this exercise that the NSA was doing to hack into the US government,

01:16:51.690 --> 01:16:56.290
wanted to use the B-team ‘cause they didn’t want the best, most elite hackers trying this.

01:16:56.290 --> 01:16:57.590
Those people were busy, anyway.

01:16:57.590 --> 01:17:02.360
They wanted a little less-sophisticated team to try this and all with off-the-shelf tools,

01:17:02.360 --> 01:17:03.360
nothing super-advanced.

01:17:03.360 --> 01:17:07.679
CAPTAIN1: We were faced with a very interesting situation.

01:17:07.679 --> 01:17:13.060
That is, there was a no-notice exercise that had not even been announced yet that it was

01:17:13.060 --> 01:17:14.060
coming.

01:17:14.060 --> 01:17:19.030
Yet, we were required to do reconnaissance of both the MILNET and the SIPRNet ahead of

01:17:19.030 --> 01:17:24.159
time to be able to characterize our attack for approval.

01:17:24.159 --> 01:17:30.510
This required us to actually conduct reconnaissance in such a way that we looked as if we were

01:17:30.510 --> 01:17:32.889
real to the outside world.

01:17:32.889 --> 01:17:38.500
This was done with commercial internet service providers and it was from those providers

01:17:38.500 --> 01:17:43.840
that we touched military sites in the Navy and in the Air Force and so on in order to

01:17:43.840 --> 01:17:48.409
gain our information, to do our open-source research, to do our web-surfing on the internet

01:17:48.409 --> 01:17:49.870
and move off from there.

01:17:49.870 --> 01:17:56.730
CAPTAIN2: How we went about doing the reconnaissance was we looked for access points, ways to get

01:17:56.730 --> 01:18:05.050
into the DII or the .mil domain, better known as MILNET or NIPRNet.

01:18:05.050 --> 01:18:06.330
We needed to get in…

01:18:06.330 --> 01:18:12.570
JACK: Chunks of this video are just redacted but it became clear that the US military wasn’t

01:18:12.570 --> 01:18:14.610
securing their networks as well as they should have been.

01:18:14.610 --> 01:18:16.409
JEFF: They were allowing fourteen days.

01:18:16.409 --> 01:18:24.570
They had to call it off after like, two or three days because somebody on a naval vessel

01:18:24.570 --> 01:18:31.050
noticed something weird going on with the network and they pulled the alarm which started

01:18:31.050 --> 01:18:35.340
kicking in the whole Defcon escalation thing.

01:18:35.340 --> 01:18:38.090
They wanted to stop it before real shots were fired.

01:18:38.090 --> 01:18:44.949
CAPTAIN1: The most important lesson that we learned on the red team, given how we approached

01:18:44.949 --> 01:18:52.290
the US as a target; on open-source alone, no insider information, is that we know quite

01:18:52.290 --> 01:18:59.440
clearly how to take the DII down and how to attack the United States in an information

01:18:59.440 --> 01:19:00.719
warfare campaign.

01:19:00.719 --> 01:19:04.340
JACK: Wow, that is scary stuff.

01:19:04.340 --> 01:19:09.219
To think that a B-team of hackers with off-the-shelf tools using commercial gear and conducting

01:19:09.219 --> 01:19:13.690
open-source reconnaissance was able to successfully access so much stuff.

01:19:13.690 --> 01:19:19.330
Well, I’m glad this exercise was conducted to help secure the whole network but again,

01:19:19.330 --> 01:19:23.650
I feel like Jeff and his team in The Pit was who created the original red team at the NSA,

01:19:23.650 --> 01:19:28.980
a rag-tag group of six hackers all hopped up on Mountain Dew.

01:19:28.980 --> 01:19:34.200
It seems like if that team didn’t exist, then Operation Eligible Receiver may not have

01:19:34.200 --> 01:19:37.159
happened or would have happened years later.

01:19:37.159 --> 01:19:41.440
This also speaks to the importance of conducting red team assessments.

01:19:41.440 --> 01:19:45.311
If you need to protect important data or valuable assets in your network, it’s probably a

01:19:45.311 --> 01:19:49.490
good idea to hire an ethical hacker to see if they can get into your stuff.

01:19:49.490 --> 01:19:53.100
Hey, if it’s what the NSA has been doing since the 90s, it’s probably good enough

01:19:53.100 --> 01:19:54.990
for your company to do, too.

01:19:54.990 --> 01:19:57.580
It’s not impossible to defend against cyber-attacks.

01:19:57.580 --> 01:20:01.630
Often it’s just a couple misconfigurations that can easily be fixed.

01:20:01.630 --> 01:20:04.320
It’s good to run a self-check sometimes.

01:20:04.320 --> 01:20:08.260
I have one more conspiracy question at the end, here.

01:20:08.260 --> 01:20:10.140
JEFF: I’ll try.

01:20:10.140 --> 01:20:17.230
JACK: Bitcoin uses SHA-256 as its private public key mechanism thing.

01:20:17.230 --> 01:20:20.990
SHA-256 was made by the NSA.

01:20:20.990 --> 01:20:26.940
Does this mean the NSA has a backdoor into all Bitcoin wallets?

01:20:26.940 --> 01:20:35.760
JEFF: Well, as a cryptographer, I happened to be NSA-trained.

01:20:35.760 --> 01:20:37.679
If I knew the answer, I couldn’t tell you.

01:20:37.679 --> 01:20:45.870
My opinion is all the descriptions of backdoors or all the conspiracy theories that I’ve

01:20:45.870 --> 01:20:51.850
heard about backdoors are essentially – depending on how you define backdoor, I don’t see

01:20:51.850 --> 01:20:57.000
having a master key is a backdoor but call it that if it’s what you will.

01:20:57.000 --> 01:21:00.150
I don’t know how you would do that with a hashing algorithm.

01:21:00.150 --> 01:21:07.300
I suppose it’s possible so I’m gonna say no, I don’t think so, is my – that’s

01:21:07.300 --> 01:21:11.550
my final answer.

01:21:11.550 --> 01:21:20.380
(OUTRO): [OUTRO MUSIC] A big thank you to Marcus J. Carey and Jeff Man, two excellent

01:21:20.380 --> 01:21:24.080
people who work hard at giving back to the community and making us all better.

01:21:24.080 --> 01:21:27.590
I’ll have links to both of their stuff in the show notes, but you can check out Marcus’

01:21:27.590 --> 01:21:28.590
book.

01:21:28.590 --> 01:21:29.780
The title is Tribe of Hackers.

01:21:29.780 --> 01:21:35.219
Again, that book has brought value to me by helping me find guests for this show, so thank

01:21:35.219 --> 01:21:36.219
you Marcus.

01:21:36.219 --> 01:21:37.929
You’ve helped make this show better in some ways.

01:21:37.929 --> 01:21:41.540
If you want to hear more stories from Jeff, tune into the podcast Paul’s Security Weekly

01:21:41.540 --> 01:21:44.580
which is a podcast that goes into security news every week.

01:21:44.580 --> 01:21:48.410
It’s a great show that has lots of really cool, amazing guests too, and I’ve enjoyed

01:21:48.410 --> 01:21:49.770
many episodes of it.

01:21:49.770 --> 01:21:53.450
If you want to hear more about the NSA, I’ve made quite a few other episodes about this,

01:21:53.450 --> 01:21:54.850
interviewing people from there, even.

01:21:54.850 --> 01:21:59.620
Check out Episode 53 called Shadowbrokers, Episode 50 called Operation Glowing Symphony,

01:21:59.620 --> 01:22:01.920
or Episode 29, Stuxnet.

01:22:01.920 --> 01:22:04.730
Not many of you stick around this far into the episode.

01:22:04.730 --> 01:22:05.830
I watch the stats.

01:22:05.830 --> 01:22:08.270
I know how many of you have dropped off by now.

01:22:08.270 --> 01:22:12.120
But if you’re the type of person who’s still here with me, I can tell you really

01:22:12.120 --> 01:22:14.310
like this show and want more of it.

01:22:14.310 --> 01:22:17.920
The best way to help support the show is to donate to it through Patreon.

01:22:17.920 --> 01:22:21.190
This helps keep the mic powered up and the .wav files flowing.

01:22:21.190 --> 01:22:23.400
Please consider donating at patreon.com/darknetdiaries.

01:22:23.400 --> 01:22:25.210
Thank you.

01:22:25.210 --> 01:22:29.219
This show is made by me, the irate monk, Jack Rhysider.

01:22:29.219 --> 01:22:33.360
Editing help this episode by cottonmouth Damienne, and our theme music is by the howler monkey

01:22:33.360 --> 01:22:35.300
Breakmaster Cylinder.

01:22:35.300 --> 01:22:40.330
Even though I don’t back up my data because I know the NSA does it for me, this is Darknet

01:22:40.330 --> 01:22:40.590
Diaries.
