WEBVTT

00:00:00.000 --> 00:00:05.960
JACK: Back in 2010, there was a guy named Omar who worked at a car dealership in Austin,

00:00:05.960 --> 00:00:10.240
Texas. He was twenty years old at the time and was trying to build his career up. Well,

00:00:10.240 --> 00:00:15.680
for whatever reason, it didn’t work out and the car dealership fired him. Omar was mad.

00:00:15.680 --> 00:00:21.760
I don’t know why; he was furious for being fired. He wanted revenge. He wanted justice.

00:00:21.760 --> 00:00:27.120
He felt like what they did to him was wrong and he wanted to fight back. Omar knew the computers

00:00:27.120 --> 00:00:33.640
and systems at the car dealership because he had to know them to do his job. So, after he’s fired,

00:00:33.640 --> 00:00:39.680
he checks to see if he still has access to the systems, but nope; the dealership disabled his

00:00:39.680 --> 00:00:46.960
account and he couldn’t get in. [MUSIC] But he had another employee’s login who still worked there.

00:00:46.960 --> 00:00:53.720
He was able to use this other employee’s login to access the computers at this car dealership. He

00:00:53.720 --> 00:01:00.120
logs in and looks around. The first thing he goes for is their Web Tech Plus system. See,

00:01:00.120 --> 00:01:04.440
if a customer is late paying their car payment, the dealership may repossess the car, which

00:01:04.440 --> 00:01:09.040
means they’re gonna physically go and get that car back. But this is hard and time-consuming.

00:01:09.040 --> 00:01:15.000
Car dealerships today can implement a feature which can remotely disable a car so that person

00:01:15.000 --> 00:01:20.720
can’t use it until they pay their payment, and that’s what this Web Tech Plus system did. It

00:01:20.720 --> 00:01:27.400
remotely disabled cars from starting. So, Omar gets into that system and starts typing customer

00:01:27.400 --> 00:01:32.440
names that he remembers, and he just starts clicking on them and disabling cars so they

00:01:32.440 --> 00:01:39.160
couldn’t start. He also starts making the cars honk continuously. Phones started ringing at the

00:01:39.160 --> 00:01:43.640
car dealership. People were calling in saying they cannot start their car, and their car just keeps

00:01:43.640 --> 00:01:48.720
honking. The dealership was baffled, thinking it must have been a mechanical error. They were

00:01:48.720 --> 00:01:52.520
walking people through how to disconnect their car battery to make it stop honking,

00:01:52.520 --> 00:01:55.680
and then they were sending tow trucks out to pick up these cars and bring them to

00:01:55.680 --> 00:01:59.920
the dealership to take a look. The dealership couldn’t understand what was going on. They

00:01:59.920 --> 00:02:05.200
were scratching their heads and had no clue why this was happening. Omar kept logging in

00:02:05.200 --> 00:02:12.000
and disabling more cars. Day after day, he was getting in and causing grief to their customers.

00:02:12.000 --> 00:02:17.360
At some point, he found a way to see all 1,100 cars that were connected to this system,

00:02:17.360 --> 00:02:22.320
and just started going down the list one at a time, disabling them. The dealership kept

00:02:22.320 --> 00:02:26.960
getting phone call after phone call from angry customers saying their cars won’t start and it

00:02:26.960 --> 00:02:34.240
just keeps honking. This continued to go on for five days. A hundred people called the dealership

00:02:34.240 --> 00:02:40.000
with these problems. The dealership reset all the passwords on the Web Tech system which stopped

00:02:40.000 --> 00:02:47.280
Omar from being able to get in and do any more. That meant the madness stopped, too. This gave

00:02:47.280 --> 00:02:52.640
the dealership a clue that it had something to do with that system. They turned over the system

00:02:52.640 --> 00:02:59.280
logs to the Austin police who were able to track it back to a home internet connection that Omar

00:02:59.280 --> 00:03:05.560
had. He was arrested for this, but I couldn’t find what the punishment was that he got for this. A

00:03:05.560 --> 00:03:12.800
remote kill switch for a car is a powerful piece of technology, and when there’s such a powerful

00:03:12.800 --> 00:03:23.577
piece of technology that exists like that, it’s only a matter of time before it becomes abused.

00:03:23.577 --> 00:03:25.920
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:03:25.920 --> 00:03:49.474
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:03:49.474 --> 00:03:54.160
JACK: In this episode, we’re gonna hear a story from someone who’s been in tech all their life.

00:03:54.160 --> 00:03:56.140
MARQ: You can just call me Marq, of course.

00:03:56.140 --> 00:03:59.680
JACK: Marq grew up in Florida, but he moved around as a kid.

00:03:59.680 --> 00:04:05.760
MARQ: I’m a military brat, so I lived in Korea. My eighth-grade year in Korea,

00:04:05.760 --> 00:04:08.520
I had a computer programming class where we were learning Java.

00:04:08.520 --> 00:04:11.640
JACK: Coding was a fun thing for him to do, and from there,

00:04:11.640 --> 00:04:16.160
he learned more about Windows, DNS, IP addresses, and all kinds of stuff.

00:04:16.160 --> 00:04:21.800
MARQ: I want to say probably the next year when we got back to America, going into my ninth-grade

00:04:21.800 --> 00:04:27.400
year, that’s when I started experimenting with Linux, once I got my own laptop.

00:04:27.400 --> 00:04:31.320
JACK: From there, he heard about BackTrack and was drawn to different

00:04:31.320 --> 00:04:36.560
hacking tools. [MUSIC] BackTrack was a Linux distribution system that came with hundreds of

00:04:36.560 --> 00:04:41.880
different hacker tools just pre-built into it like Metasploit, Aircrack, Burp Suite,

00:04:41.880 --> 00:04:45.960
sqlmap, stuff like that, which makes it easy to just get started playing around with some

00:04:45.960 --> 00:04:50.400
of these tools and see what they can do. BackTrack has since become Kali Linux,

00:04:50.400 --> 00:04:54.840
which is still a popular hacking operating system. So, this was a while ago, but this

00:04:54.840 --> 00:05:01.600
version of Linux made it easy to also access Tor, the darknet. There was a Tor browser that came

00:05:01.600 --> 00:05:06.440
with it, so it was just as easy as loading it and waiting to connect to Tor, and then

00:05:06.440 --> 00:05:11.620
you were on the darknet. When Marq was in high school, he heard about this and checked it out.

00:05:11.620 --> 00:05:16.880
MARQ: Yeah, yeah. You know, the dark web always seemed pretty enigmatic around that time. You

00:05:16.880 --> 00:05:24.520
had Anonymous doing a lot of hacktivist things – going on, and a lot of times,

00:05:24.520 --> 00:05:29.600
depending on what they were doing, they would be using Tor. So, that’s when I first found out

00:05:29.600 --> 00:05:37.360
what Tor was. I went on Tor a couple of times, but honestly I never did anything. It always – I don’t

00:05:37.360 --> 00:05:43.160
know, it just – back then I was never really – I had never really delved too deep into it,

00:05:43.160 --> 00:05:49.560
but I dabbled in it and just got on just to see how to work it and things like that.

00:05:49.560 --> 00:05:53.800
JACK: He would check out the typical places; anonymous chat rooms,

00:05:53.800 --> 00:05:58.680
hacker forums, but he never really participated. He was just lurking

00:05:58.680 --> 00:06:03.360
to see what was going on there. After he graduated high school, he put his resume

00:06:03.360 --> 00:06:08.500
online and a recruiter from Oracle found it and reached out, and Oracle hired him.

00:06:08.500 --> 00:06:14.320
MARQ: I worked on their point-of-sale software called Micros. I was a support engineer. So for

00:06:14.320 --> 00:06:20.800
example, you were a company; you called in and you had let’s say a check stuck in the system. I would

00:06:20.800 --> 00:06:26.880
basically remote to the system and then connect to their SQL database. Once you’re connected,

00:06:26.880 --> 00:06:31.000
it’s pretty simple. A lot of times, depending on the issue, like I said, if it’s something

00:06:31.000 --> 00:06:36.880
like a stuck check, you can just go into the SQL database and then you can see the check,

00:06:36.880 --> 00:06:42.200
you can see the error, and you just write a couple of SQL commands to basically kick it out,

00:06:42.200 --> 00:06:45.800
and then just have them restart the POS system, and everything would work.

00:06:45.800 --> 00:06:48.800
JACK: He worked there about a year and a half and decided to leave and

00:06:48.800 --> 00:06:51.920
go somewhere else. This was his decision.

00:06:51.920 --> 00:06:58.280
MARQ: After that, I went and worked at a local NOC, Network Operation Center,

00:06:58.280 --> 00:07:03.840
for an ISP. I actually enjoyed that a lot as well because prior to that,

00:07:03.840 --> 00:07:08.560
I didn’t know much about networking. Now, I knew basic things about networking,

00:07:08.560 --> 00:07:12.912
[MUSIC] but from there, I actually learned quite a bit about networking.

00:07:12.912 --> 00:07:16.480
JACK: A Network Operation Center, or NOC, is a place where people sit

00:07:16.480 --> 00:07:20.400
and watch the systems for any faults in the network. If the internet goes down,

00:07:20.400 --> 00:07:24.080
this is who will be the first to know. If a computer has a high CPU,

00:07:24.080 --> 00:07:28.240
then they’ll go in and check it out. If a router isn’t able to keep up with the amount of traffic

00:07:28.240 --> 00:07:33.520
that’s going through it, they’ll see this alert and jump into action. Marq gained a lot of IT

00:07:33.520 --> 00:07:39.820
experience working for this company, but then he decided to apply for a job at Microsoft.

00:07:39.820 --> 00:07:44.840
MARQ: While I was at the NOC, I saw that they were hiring. It was in Orlando,

00:07:44.840 --> 00:07:50.240
so it was like forty-five minutes away from where I currently resided. I just

00:07:50.240 --> 00:07:57.720
put in for them as well. I got a message back saying that they would be very interested. So,

00:07:57.720 --> 00:08:04.760
I went through the interviewing process and I was hired. At Microsoft, I was an Exchange engineer, so

00:08:04.760 --> 00:08:12.000
I helped mostly systems administrators, but I would help them with pretty much any Exchange issue. So,

00:08:12.000 --> 00:08:19.200
it could be Exchange on-premises issues, it could be Office 365 issues, in the Cloud, or

00:08:19.200 --> 00:08:24.880
it could be hybrid setup issues as well. I would pretty much help them with a variety of anything.

00:08:24.880 --> 00:08:29.000
JACK: Exchange is the e-mail system that Microsoft sells,

00:08:29.000 --> 00:08:34.000
so Marq was really leveling up his skills in Exchange, too, understanding all the ins and

00:08:34.000 --> 00:08:40.060
outs of how to be an Exchange admin. He liked his job there too, but was tired of Florida.

00:08:40.060 --> 00:08:45.760
MARQ: I ended up moving just ‘cause I sort of wanted a change of scenery. I’d been living in

00:08:45.760 --> 00:08:53.720
Florida for – since 2012, ‘cause I’m originally from Florida. I was doing high school in Georgia,

00:08:53.720 --> 00:08:58.240
then moved back to Florida, finished high school there, and that’s when I was doing

00:08:58.240 --> 00:09:05.800
college and working in Florida. So, I had an aunt who lived in Atlanta and she said hey,

00:09:05.800 --> 00:09:11.720
I think you might like living in Atlanta, and there’s a lot of IT jobs out here as well. It

00:09:11.720 --> 00:09:20.426
would be a good opportunity as well. So, I said sure, I’ll move to Atlanta. I ended up moving.

00:09:20.426 --> 00:09:24.120
JACK: [MUSIC] Of course, once he gets to Atlanta, he looks around to try to find a job in tech.

00:09:24.120 --> 00:09:28.180
MARQ: I worked at an MSP and I was a systems administrator.

00:09:28.180 --> 00:09:34.640
JACK: Ah, now, this job is quite a powerful role. First of all, this was at an MSP,

00:09:34.640 --> 00:09:39.280
or Managed Service Provider. If a business doesn’t have the people to take care of the

00:09:39.280 --> 00:09:44.200
computers in the network, they can hire an MSP to come in and do that work. So,

00:09:44.200 --> 00:09:49.400
the MSP would be the ones who go in and patch and update and fix faults in the systems,

00:09:49.400 --> 00:09:55.160
and keep things running smooth. This is what Marq did, too; he was assigned a few customers

00:09:55.160 --> 00:09:59.560
or companies, and in his customers’ networks were systems that he would

00:09:59.560 --> 00:10:04.860
need to take care of; Exchange servers, database servers, and domain controllers.

00:10:04.860 --> 00:10:10.840
MARQ: I had access to everything, access to servers, yeah, access to literally everything.

00:10:10.840 --> 00:10:15.520
JACK: Which is normal for a system administrator and even an MSP to have

00:10:15.520 --> 00:10:20.040
access to everything. They need complete control over all the things in order to

00:10:20.040 --> 00:10:25.520
fix stuff when there are issues. What was your relationship with the dark web at this point?

00:10:25.520 --> 00:10:31.400
MARQ: So, during the time that I moved from Florida to Atlanta

00:10:31.400 --> 00:10:35.000
and I was waiting to – I was applying for different positions, that’s when

00:10:35.000 --> 00:10:40.740
I started going on the dark web a little bit more, honestly probably just out of boredom.

00:10:40.740 --> 00:10:41.800
JACK: Doing what?

00:10:41.800 --> 00:10:46.560
MARQ: Nothing specific. Again, just looking at stuff. Around that time,

00:10:46.560 --> 00:10:51.020
I actually did [MUSIC] join a specific site. I can’t remember if that specific site…

00:10:51.020 --> 00:10:55.440
JACK: The site he joins was a hacking forum, one that criminals would like to

00:10:55.440 --> 00:11:00.120
visit and post data dumps to that they had for sale, like credential lists,

00:11:00.120 --> 00:11:05.200
malware, ransomware for sale, or botnet seats available, this kind of thing.

00:11:05.200 --> 00:11:09.560
MARQ: Then I would just look at postings of people saying what they were selling

00:11:09.560 --> 00:11:14.640
on the dark web. There was even a website I came across where people

00:11:14.640 --> 00:11:20.040
would sell zero-days. I thought that was pretty interesting. But I never – again,

00:11:20.040 --> 00:11:24.840
I never still did anything at the time. I was just more – looking more, but I was

00:11:24.840 --> 00:11:29.760
also engaging a little bit more. So, if someone posted something that seemed a little interesting,

00:11:29.760 --> 00:11:35.280
I might respond that seems pretty cool, but still never taking it up a notch yet.

00:11:35.280 --> 00:11:41.920
JACK: Yet. Stay with us because after the break, he goes up several notches on the

00:11:41.920 --> 00:11:59.360
dark web. Marq was working for an MSP as a system administrator during the day. At night, he liked

00:11:59.360 --> 00:12:06.040
tinkering around with hacking tools, and he liked visiting hacker forums on the dark web sometimes.

00:12:06.040 --> 00:12:13.880
MARQ: Then I started seeing more and more increasingly people selling databases of credit

00:12:13.880 --> 00:12:24.040
cards, hacked users’ information, passwords, e-mail addresses, just things like that, stuff that I –

00:12:24.040 --> 00:12:29.280
when I first delved into the dark web I didn’t see as much, but now it seemed like no matter where

00:12:29.280 --> 00:12:35.360
you are on the dark web, there was a plethora of websites showing a variety of the same content.

00:12:35.360 --> 00:12:41.400
JACK: Right, yeah. So, why is this fascinating to you?

00:12:41.400 --> 00:12:52.080
MARQ: I’ve always found hacking interesting. Like I said, I never really tried to hack

00:12:52.080 --> 00:12:57.480
anyone or do anything previously before, but I always found it interesting. It’s a little

00:12:57.480 --> 00:13:04.160
mysterious and it seems like you have a little – you have power and knowledge that I’d say a good

00:13:04.160 --> 00:13:09.440
ninety-something percent of the population don’t have. So, I always found it a little intriguing.

00:13:09.440 --> 00:13:13.280
JACK: Was there something on these forums that you’re like,

00:13:13.280 --> 00:13:19.500
seeing people make a lot of money or just kind of attracted you to it, like man, if only?

00:13:19.500 --> 00:13:26.560
MARQ: Yeah. It’s probably the money. People were making tons and tons of money. So,

00:13:26.560 --> 00:13:30.600
a lot of these people were in Signal or they’d be using Telegram and they’d be

00:13:30.600 --> 00:13:37.160
in different rooms. You could join a room and you’d see the data that these people

00:13:37.160 --> 00:13:41.760
had available and how much money they were making, and they were making a lot of money.

00:13:41.760 --> 00:13:47.760
JACK: People were making money selling database dumps or selling their coding skills,

00:13:47.760 --> 00:13:53.760
and others were buying dumps and using this data to steal stuff or phish people and get into

00:13:53.760 --> 00:14:01.360
accounts. But Marq had absolutely no interest in participating in any of this. He liked watching,

00:14:01.360 --> 00:14:06.240
just mostly out of curiosity. He never hacked anyone before and knew that was

00:14:06.240 --> 00:14:09.920
wrong to do. The worst thing on Marq’s record up until that point was just a

00:14:09.920 --> 00:14:14.960
speeding ticket. He liked his job, too; he was a system administrator. There was

00:14:14.960 --> 00:14:19.820
one guy at work who seemed to disagree with Marq [MUSIC] on how to do stuff.

00:14:19.820 --> 00:14:23.920
MARQ: He was very knowledgeable in Exchange, but he – I would say

00:14:23.920 --> 00:14:28.600
he wanted to try and take shortcuts to do certain things, and I tried to explain to

00:14:28.600 --> 00:14:35.120
him that it couldn’t be done that way. Maybe he thought that I could possibly just do it,

00:14:35.120 --> 00:14:39.600
but I couldn’t. Then I do also remember there was one time he wanted me to write

00:14:39.600 --> 00:14:49.072
a PowerShell script for this specific client that was just way out of my zone.

00:14:49.072 --> 00:14:52.440
JACK: A few weeks after that, out of the blue, they fired Marq.

00:14:52.440 --> 00:14:57.960
MARQ: I was let go. I was told I was let go because it just wasn’t really

00:14:57.960 --> 00:15:04.560
working. That’s what the – one of the owners of the company told me.

00:15:04.560 --> 00:15:10.560
But there was really no specific reason that they provided besides that statement.

00:15:10.560 --> 00:15:12.840
JACK: How did you feel about being let go?

00:15:12.840 --> 00:15:17.560
MARQ: I was pretty upset, honestly. So, once I left,

00:15:17.560 --> 00:15:26.920
I ended up moving to another part of Georgia where my friends and – where I had more friends.

00:15:26.920 --> 00:15:34.040
JACK: What Marq is hesitant to say is that he went to see his best friend who had severe

00:15:34.040 --> 00:15:40.000
cancer. Marq wanted to spend some time with him and make some final memories together. So,

00:15:40.000 --> 00:15:44.920
he moved to that part of Georgia where his sick friend was, and some of his other friends lived

00:15:44.920 --> 00:15:51.280
there, too. He was looking for a job there, but wasn’t finding anything. He was also running out

00:15:51.280 --> 00:15:58.800
of money. [MUSIC] He was fired from his job in June of 2019, and in the two months after that,

00:15:58.800 --> 00:16:04.800
he moved on and wasn’t really thinking about that old job at all. But a few months after he was

00:16:04.800 --> 00:16:11.360
fired, something triggered him to think about it again, and this made him curious about something.

00:16:11.360 --> 00:16:17.880
MARQ: I can’t remember specifically why, either. I just checked to see if I still had access to

00:16:17.880 --> 00:16:25.960
one of the servers where we administered several of our clients. I still had access to everything.

00:16:25.960 --> 00:16:32.800
JACK: At his last job, he was a sysadmin for a few clients. To get to the clients’ network, he had to

00:16:32.800 --> 00:16:38.960
log in through a central dashboard portal-like system. From there, he could then connect to his

00:16:38.960 --> 00:16:45.800
clients’ devices. He had remembered his username and password to get into that dashboard when he

00:16:45.800 --> 00:16:53.720
worked there, and he tried to log into the portal, and it worked. His account was not disabled when

00:16:53.720 --> 00:17:05.240
he was let go, and it was two months later now. This is a huge failure of his former employer.

00:17:05.240 --> 00:17:11.000
MARQ: Then of course, once you are on the platform to access each individual server,

00:17:11.000 --> 00:17:13.660
they had a username and then a password.

00:17:13.660 --> 00:17:18.120
JACK: There were about five customers’ servers that he could connect to,

00:17:18.120 --> 00:17:23.960
but in order to connect to them, he had to know the username and password to get on them, which

00:17:23.960 --> 00:17:29.080
is different than his own username and password to log into the portal. It’s more like a shared one

00:17:29.080 --> 00:17:35.280
that the customer set up to allow this MSP to hop in and fix stuff. But since he had been in those

00:17:35.280 --> 00:17:40.640
customers’ devices so many times in the past, he had the username and password memorized still.

00:17:40.640 --> 00:17:46.466
MARQ: That’s when I delved into one of the servers.

00:17:46.466 --> 00:17:51.240
JACK: [MUSIC] The username and password was still the same from when he was working there. Now, this

00:17:51.240 --> 00:17:56.240
one is a little bit more tricky for this company to fix. Obviously it’s a no-brainer to disable the

00:17:56.240 --> 00:18:02.480
logins for former employees when they quit or get fired, but changing all the shared passwords that

00:18:02.480 --> 00:18:08.480
they may have seen while working there is a bit more complex. It would mean changing the passwords

00:18:08.480 --> 00:18:14.080
for all of Marq’s customers, because these were shared passwords that other system administrators

00:18:14.080 --> 00:18:20.440
used, too. The more secure way to handle this is to create a different login for everyone who

00:18:20.440 --> 00:18:26.240
will access those systems, which when you work in an MSP, that can be over a hundred people

00:18:26.240 --> 00:18:32.480
who might need access, so a lot of NOCs and SOCs and managed service companies don’t often have

00:18:32.480 --> 00:18:37.360
separate logins for everyone, because it’s a pain in the neck to get the customers to create new

00:18:37.360 --> 00:18:44.720
logins for every new hire and remove access for all former employees. But perhaps they should,

00:18:44.720 --> 00:18:49.680
just to prevent situations like this. So at this point, he has logged on as

00:18:49.680 --> 00:18:55.920
an administrator to an important server in one of the companies he used to be a sysadmin for.

00:18:55.920 --> 00:19:05.280
MARQ: From there, one of the companies had a database of a lot of information, so I’d

00:19:05.280 --> 00:19:16.700
say credit cards, banking information, because one of the customers was an accounting company.

00:19:16.700 --> 00:19:21.320
JACK: But he doesn’t steal it; he just wanted to see if he could gain access to some pretty

00:19:21.320 --> 00:19:27.200
important data that he shouldn’t be allowed to access, and yeah, he can. So, he sees that

00:19:27.200 --> 00:19:32.306
he can get there, but then he logs out and steps back and thinks about what’s going on.

00:19:32.306 --> 00:19:35.920
MARQ: [MUSIC] So, the first time I connected and realized just – not

00:19:35.920 --> 00:19:39.600
even connecting to a server, but just connecting to the hosting provider,

00:19:39.600 --> 00:19:44.520
I thought it was pretty odd that I still had access, for one. Then two, I was like,

00:19:44.520 --> 00:19:52.000
I shouldn’t be doing this. So, I do remember the first time I logged out. But just delving

00:19:52.000 --> 00:19:58.600
back into the dark web and going back on those specific sites that I was going to,

00:19:58.600 --> 00:20:07.160
it sort of – I don’t know, makes you believe that you can do things that you shouldn’t do.

00:20:07.160 --> 00:20:10.840
JACK: Go on, what do you mean?

00:20:10.840 --> 00:20:14.680
MARQ: Like I said, just seeing the amount of money that people were making, the type of things

00:20:14.680 --> 00:20:22.280
that people were doing. There were even similar postings of people saying that I work at X company

00:20:22.280 --> 00:20:29.880
and I have such-and-such access and I would like to sell it, or – I remember even one person said

00:20:29.880 --> 00:20:35.100
I will give you access to the server and you can ransomware it; just pay me. So, things like that.

00:20:35.100 --> 00:20:41.320
JACK: Marq was broke. His friend was actually dying of cancer. Marq had

00:20:41.320 --> 00:20:46.280
no job and he’s spending his nights scrolling through these forums where

00:20:46.280 --> 00:20:50.700
people are buying and selling data dumps or just access to servers.

00:20:50.700 --> 00:20:56.280
MARQ: So yeah, just going back on there more and more and seeing the type of stuff people

00:20:56.280 --> 00:21:04.120
were doing and the access I had led me to go back to the server, access it,

00:21:04.120 --> 00:21:10.720
and that’s when I started to download quite a bit of the information from one of the servers.

00:21:10.720 --> 00:21:15.680
JACK: He downloaded a lot of customer data that this company had,

00:21:15.680 --> 00:21:20.560
and this company did accounting for people, so they had not only names

00:21:20.560 --> 00:21:25.440
and addresses, but lots of financial information on lots of customers.

00:21:25.440 --> 00:21:32.280
MARQ: This database had banking account information, tax return information,

00:21:32.280 --> 00:21:38.440
addresses. For whatever reason, this accounting company also had people just take a picture of

00:21:38.440 --> 00:21:44.440
their driver’s license or credit card and debit card sometimes and just send it to them in an

00:21:44.440 --> 00:21:53.240
e-mail, which is a very insecure thing to do. So, I would have access to all of that. It was

00:21:53.240 --> 00:22:03.346
thousands and thousands of documents. I want to say probably 15,000 documents in total.

00:22:03.346 --> 00:22:09.520
JACK: [MUSIC] It was a juicy grab and Marq knew it, and thought surely someone would find this

00:22:09.520 --> 00:22:16.520
valuable. So, Marq grabs what he can and logs out. He takes a screenshot of a sample of the data,

00:22:16.520 --> 00:22:21.400
careful not to include the company’s name, because he doesn’t want them to know this happened,

00:22:21.400 --> 00:22:25.080
because if the company knew they had just been breached, they would start to investigate,

00:22:25.080 --> 00:22:28.280
and he didn’t want that. In fact, he did a few things to cover his

00:22:28.280 --> 00:22:32.160
tracks while in there. Because he was logged in as an admin to the server,

00:22:32.160 --> 00:22:37.520
he could just delete the event logs which showed his login and download activities. Hiding his

00:22:37.520 --> 00:22:41.660
tracks like this made him feel confident that they’re never gonna know about this.

00:22:41.660 --> 00:22:47.080
MARQ: I never honestly thought that they would know. Because of the way the company was set up,

00:22:47.080 --> 00:22:51.400
basically I just didn’t believe that or didn’t think that anyone would realize

00:22:51.400 --> 00:22:57.960
that that’s how I was getting the information. Honestly, I don’t know; it was stupid of me,

00:22:57.960 --> 00:23:00.880
but I just didn’t think anyone would connect the dots at the time.

00:23:00.880 --> 00:23:06.200
JACK: Now, keep in mind, he used to work at this MSP and manage this customer’s network, and so,

00:23:06.200 --> 00:23:12.560
he has a strong understanding of what they audit and how they go about finding security issues. So,

00:23:12.560 --> 00:23:16.440
he was careful not to do things that he knew would raise alarms. So,

00:23:16.440 --> 00:23:21.600
he takes the data he stole and posts a sample of it on a dark web hacking

00:23:21.600 --> 00:23:27.880
forum and says if you want to see the rest, it’ll cost you $600 in Bitcoin.

00:23:27.880 --> 00:23:33.400
MARQ: Yeah, yeah, basically that. So, basically posted a screenshot, basically,

00:23:33.400 --> 00:23:41.360
of some of the content I had, and then posted it just as a sneak-peek to show people that I

00:23:41.360 --> 00:23:45.600
actually had the access, ‘cause a lot of times people may BS on the dark web and

00:23:45.600 --> 00:23:51.360
rip you off. Once people started seeing that I was legitimate, then more and more people

00:23:51.360 --> 00:23:59.080
started requesting access to these documents, which was quite a bit of documents at the time.

00:23:59.080 --> 00:24:01.720
JACK: Now, posting something like this,

00:24:01.720 --> 00:24:06.100
it’s like opening a box of venomous snakes that you can’t close back up.

00:24:06.100 --> 00:24:13.840
MARQ: Yeah, it’s a little scary because one, you went from the first step which is being on the

00:24:13.840 --> 00:24:19.240
dark web looking at stuff, being interested, to the next step which is I submitted a post

00:24:19.240 --> 00:24:27.840
saying I would do something illegal. So, it is a little nerve-wracking, but it’s also a little bit

00:24:27.840 --> 00:24:35.740
of an adrenaline rush. So yeah, it is – [MUSIC] made me very anxious, honestly, at the time.

00:24:35.740 --> 00:24:41.720
JACK: He was giving a small sample of data for people to look at, and if they liked it,

00:24:41.720 --> 00:24:44.900
he was hoping they would come back and buy access to the rest.

00:24:44.900 --> 00:24:50.840
MARQ: So, I remember one day I actually got someone who messaged me, and they

00:24:50.840 --> 00:25:00.640
wanted to purchase some of the documents. So, I basically showed them another sneak-peek. I

00:25:00.640 --> 00:25:07.200
had more access to more documents than what I had before, so I sent him another screenshot.

00:25:07.200 --> 00:25:13.800
JACK: This buyer liked what they saw and agreed to pay the $600 in Bitcoin to see the rest.

00:25:13.800 --> 00:25:19.320
MARQ: So, someone messaged me on that specific website and requested the information. The $600,

00:25:19.320 --> 00:25:26.320
of course, was in Bitcoin. Then yeah, they transferred the money to my wallet and I gave

00:25:26.320 --> 00:25:34.640
them the information they wanted. But I made a big mistake there as well. Well, of course,

00:25:34.640 --> 00:25:40.240
the biggest mistake was going on the dark web and doing this, but at the time, the mistake was

00:25:40.240 --> 00:25:47.840
I had two Bitcoin wallets; I had a personal one for just Bitcoin when I was investing in Bitcoin

00:25:47.840 --> 00:25:55.600
and stuff like that, and then another wallet where I was throwing my dark web stuff. Any crypto or

00:25:55.600 --> 00:26:02.160
anything that I was given would be transferred to that wallet. When the person on the dark web sent

00:26:02.160 --> 00:26:13.080
me their Bitcoin, I transferred it to my personal one where I do investing. That was pretty dumb.

00:26:13.080 --> 00:26:17.360
JACK: Right; the reason why this is a problem is because whenever he bought

00:26:17.360 --> 00:26:22.960
and sold Bitcoin with his other wallet, he did it through an exchange, which in the US,

00:26:22.960 --> 00:26:27.800
exchanges are required to know their customers by collecting personal information on them,

00:26:27.800 --> 00:26:33.360
like upload-a-picture-of-your-driver’s-license kind of info. So, if the authorities were to

00:26:33.360 --> 00:26:38.840
somehow see that there was a transaction for $600 in Bitcoin, they could possibly

00:26:38.840 --> 00:26:43.400
follow that transaction to see his wallet was registered at an exchange, and then

00:26:43.400 --> 00:26:48.360
send that exchange a search warrant asking for information on who owns that wallet. So,

00:26:48.360 --> 00:26:54.120
I’m trying to figure out – in your mind here, the reason for this. Is it fifty

00:26:54.120 --> 00:26:58.800
percent you’re pissed off at this company for firing you and fifty percent you want money?

00:26:58.800 --> 00:27:04.080
MARQ: Yeah, it was more financial. I had a lot of things going on personally at the time as well,

00:27:04.080 --> 00:27:16.120
too. So, at the time I just needed money. My best friend, he was dying from cancer. I pretty much

00:27:16.120 --> 00:27:21.200
felt at the time I needed money so that I could go be with him and also do the last couple of things

00:27:21.200 --> 00:27:26.120
that he wanted to do before he passed. So, that was one of the main reasons why I was doing some

00:27:26.120 --> 00:27:31.280
of the things I was doing. [MUSIC] But it wasn’t necessarily that I was that upset at the company

00:27:31.280 --> 00:27:38.560
for being fired. I have worked at a job before and I’ve been let go. I understand that things happen,

00:27:38.560 --> 00:27:45.040
so I wasn’t necessarily that upset at the company. It was just the monetary gain that

00:27:45.040 --> 00:27:51.580
I could get from the information that some of the customers had convinced me to do it.

00:27:51.580 --> 00:27:56.160
JACK: If you had another job lined up and you didn’t need the money,

00:27:56.160 --> 00:28:00.280
would this have even been a thing for you?

00:28:00.280 --> 00:28:04.720
MARQ: No. Nope.

00:28:04.720 --> 00:28:12.040
JACK: There was only one buyer for this data dump, but by this point,

00:28:12.040 --> 00:28:17.840
Marq was all over the dark web, getting more familiar with different onion sites and who

00:28:17.840 --> 00:28:23.920
the players were. One day while surfing around there, he sees something that was surprising.

00:28:23.920 --> 00:28:31.440
MARQ: Some hackers I knew, they posted on a website on the dark web. This wasn’t really

00:28:31.440 --> 00:28:37.000
a forum, but it was a site where you could go on there and people could just anonymously post

00:28:37.000 --> 00:28:41.560
stuff or they could just go on there and request something. But yeah, so one day I’m on there.

00:28:41.560 --> 00:28:46.680
These hackers that I know, they let me know that they posted some information regarding Ring. I’m

00:28:46.680 --> 00:28:53.840
like okay, what did they post? So, I look and see, and they post a [MUSIC] credentials dump for about

00:28:53.840 --> 00:29:00.480
1,500 customers of Ring, so this included their password, their username, and also their address.

00:29:00.480 --> 00:29:04.880
JACK: Now, if you aren’t aware what Ring is, it’s a doorbell webcam. So,

00:29:04.880 --> 00:29:09.320
people buy it and they connect it outside their front door, and when someone approaches the door,

00:29:09.320 --> 00:29:15.000
you get an alert on your phone telling you someone is at your home. But that’s the weakness;

00:29:15.000 --> 00:29:20.480
you can view your camera from anywhere in the world. It’s connected to the internet,

00:29:20.480 --> 00:29:24.200
so you don’t have to be home. All you need is that username and password,

00:29:24.200 --> 00:29:29.720
and you can see what’s on the camera. Marq was looking at the posts of over 1,000

00:29:29.720 --> 00:29:35.640
usernames and passwords of Ring camera users which had their address of where they lived.

00:29:35.640 --> 00:29:43.280
MARQ: So, that was a little scary to me, because I – that’s real world harm that could

00:29:43.280 --> 00:29:47.520
happen to people if you have their address and you can look through their cameras. So,

00:29:47.520 --> 00:29:52.960
I did sign onto one of the accounts just to see if I could see through her Ring

00:29:52.960 --> 00:29:57.920
camera and see if this was real, and it was, this specific person’s camera. I just logged

00:29:57.920 --> 00:30:02.280
in there randomly – was someone bringing in their trashcans up into the driveway.

00:30:02.280 --> 00:30:09.120
JACK: Something about this was just going too far for Marq. He had to say something to Ring

00:30:09.120 --> 00:30:15.880
to let them know about this, and so he did. At first, they didn’t respond, so he got connected

00:30:15.880 --> 00:30:21.200
with Zack Whittaker at TechCrunch who wrote an article about this. Zack contacted twelve people

00:30:21.200 --> 00:30:25.080
on the list and told them their passwords, and they confirmed that was the correct password for

00:30:25.080 --> 00:30:31.520
their Ring camera. Then Amazon, the parent company for Ring, responded to Marq and sorted it out. I

00:30:31.520 --> 00:30:37.560
presume they changed the users’ passwords. Marq felt confident that he did the right thing here,

00:30:37.560 --> 00:30:42.520
getting these accounts cleaned up so they can’t be abused. He didn’t even ask for a bounty reward;

00:30:42.520 --> 00:30:45.880
since the passwords were just sitting out there on a website for anyone to see,

00:30:45.880 --> 00:30:51.840
it wasn’t like he posted it. But at the same time, Marq still needed money, [MUSIC] and his original

00:30:51.840 --> 00:30:58.200
listing made him $600 so far, so he decided to make another post on this dark web forum.

00:30:58.200 --> 00:31:01.760
MARQ: On the hosting provider, there were about four other servers,

00:31:01.760 --> 00:31:09.140
so I did make a post later on saying that I would sell access to the remaining servers.

00:31:09.140 --> 00:31:14.360
JACK: What he would do, since he had admin access to these servers, was that he would make a new

00:31:14.360 --> 00:31:19.880
user account and give it RDP access from the internet so he could sell that username and

00:31:19.880 --> 00:31:26.160
password that he just made to someone else so they could log in and do whatever they wanted to that

00:31:26.160 --> 00:31:31.800
server. He was basically selling backdoor access into a company’s network, and what

00:31:31.800 --> 00:31:37.720
people might do with that is they might look for customer data to take, like a fresh database dump,

00:31:37.720 --> 00:31:43.560
or they might just straight-up ransomware the machine and try to make some money that way. So,

00:31:43.560 --> 00:31:50.520
this kind of posting happens sometimes on these forums. Did anybody purchase this from you?

00:31:50.520 --> 00:31:57.880
MARQ: No, no one purchased that. The only thing that someone purchased was

00:31:57.880 --> 00:32:04.520
me selling customer information. I’m not sure specifically why. It seemed like on that site,

00:32:04.520 --> 00:32:11.080
especially at the time, more people were invested in buying information versus

00:32:11.080 --> 00:32:16.000
buying server access and then having to go in, put malware, and do things themselves.

00:32:16.000 --> 00:32:20.880
People just wanted the information and then they could just sell it on the dark web.

00:32:20.880 --> 00:32:28.480
JACK: Well, the person Marq sold this database dump to was a well-known IT security company

00:32:28.480 --> 00:32:33.720
called Binary Defense, founded by Dave Kennedy, and what they do is get on these forums,

00:32:33.720 --> 00:32:38.520
see posts like this, and buy the data. Then they investigate the data to try to figure

00:32:38.520 --> 00:32:43.160
out who the victim was and who the person is that sold this to them, and then they just

00:32:43.160 --> 00:32:48.760
turned all that over to the FBI. [MUSIC] It’s what’s known as a confidential informant. So,

00:32:48.760 --> 00:32:53.760
the combination of the forensic investigation that Binary Defense did and turning that over

00:32:53.760 --> 00:33:00.000
to the FBI, the FBI quickly identified Marq was the person who sold this data.

00:33:00.000 --> 00:33:08.160
MARQ: All I remember is one day in January, I was asleep. I heard a noise at the door and I

00:33:08.160 --> 00:33:13.640
was thinking it was my girlfriend because she worked about five minutes down the street,

00:33:13.640 --> 00:33:20.200
so I thought she was coming home, but there was the deadbolt on the door. So,

00:33:20.200 --> 00:33:24.320
the person was trying to open the door but didn’t realize the deadbolt was on the door,

00:33:24.320 --> 00:33:30.800
and two seconds later, they just bust open the door. I didn’t realize specifically what was going

00:33:30.800 --> 00:33:36.720
on at the time ‘cause this is like, 6:00 AM, and I had literally just gone to sleep. But I remember

00:33:36.720 --> 00:33:43.760
rubbing my eyes and looking and saw it was the FBI. That’s when I realized – I didn’t put two

00:33:43.760 --> 00:33:48.360
and two together at first. Like, I didn’t realize specifically why they were there, but when they

00:33:48.360 --> 00:33:54.640
showed me the warrant and they started trying to ask questions, that’s when I knew what it was for.

00:33:54.640 --> 00:33:57.280
JACK: So, I mean, I imagine if they’re busting down doors,

00:33:57.280 --> 00:34:00.320
they’ve got weapons drawn and they’re pointing them at you.

00:34:00.320 --> 00:34:05.200
MARQ: Yes, that was very frightening. I’ve told people before who’ve asked me;

00:34:05.200 --> 00:34:10.560
it was like a scene out of Call of Duty. It was very nerve-wracking. I never want to go through

00:34:10.560 --> 00:34:16.160
anything like that again. But yeah, they had guns aimed at me. It was probably, say, about

00:34:16.160 --> 00:34:22.280
eight agents in there, all with guns aimed at me, and I was just on the ground with my hands up.

00:34:22.280 --> 00:34:28.200
JACK: The police come in his home, take all his electronics; laptops, his iPhone,

00:34:28.200 --> 00:34:33.360
thumb drive, even some books on programming. Oh, and they took his girlfriend’s MacBook,

00:34:33.360 --> 00:34:35.180
and she had nothing to do with any of this.

00:34:35.180 --> 00:34:40.000
MARQ: They left my Raspberry Pi which I always thought was interesting. But yeah,

00:34:40.000 --> 00:34:42.400
they turned the whole house upside-down looking for stuff.

00:34:42.400 --> 00:34:45.000
JACK: Of course, the police were asking him a million

00:34:45.000 --> 00:34:49.200
questions and wanted him to unlock his iPhone and computer and stuff,

00:34:49.200 --> 00:34:56.040
but he refused to talk at all. The only word he just kept repeating over and over was ‘lawyer’.

00:34:56.040 --> 00:35:01.840
MARQ: So, they took me down to the courthouse and once I was at the courthouse, I met my lawyer,

00:35:01.840 --> 00:35:07.800
who – I had a public defender. So, I met her and she explained to me specifically what was

00:35:07.800 --> 00:35:16.880
going on, and that’s when I had the feeling of [MUSIC] yeah, I messed up really bad. So,

00:35:16.880 --> 00:35:24.360
I go to court. The prosecutor is showing all the information and everything she has,

00:35:24.360 --> 00:35:32.520
and she’s talking to the judge, but this is where I found it very weird;

00:35:32.520 --> 00:35:40.120
I think they made it seem like at the time specifically that I had access to maybe way

00:35:40.120 --> 00:35:45.600
more stuff than what I did. I remember the prosecutor said that I had a whole criminal

00:35:45.600 --> 00:35:51.720
enterprise. It seemed like she was trying to convince the judge that I had, I don’t know,

00:35:51.720 --> 00:35:56.960
hundreds of thousands of dollars in Bitcoin. But at the time, I didn’t – I hardly had any

00:35:56.960 --> 00:36:01.380
Bitcoin because I had spent the Bitcoin that I had, so I didn’t have hardly any Bitcoin.

00:36:01.380 --> 00:36:06.360
JACK: He didn’t like that they were making things up about him, and they were trying to say he had

00:36:06.360 --> 00:36:12.200
lots of money from doing this. So, he pleads not guilty. The judge sentenced him to house arrest

00:36:12.200 --> 00:36:19.120
while the prosecutors can build the case against him. Sadly, while he’s in court dealing with this,

00:36:19.120 --> 00:36:24.960
his friend lost his battle against cancer and passed away. Marq didn’t even get to go to the

00:36:24.960 --> 00:36:32.280
funeral because he had court that day. Eventually, the prosecutors for this case and the FBI turned

00:36:32.280 --> 00:36:39.960
up all the evidence which clearly showed that Marq had accessed the server and taken this data and

00:36:39.960 --> 00:36:45.580
sold it on the dark web. They had a significant amount of data showing all of what he did.

00:36:45.580 --> 00:36:52.920
MARQ: They pretty much had me dead to rights, you know? There wasn’t that much of a great defense. I

00:36:52.920 --> 00:37:01.080
would say they tried to say that I did $900,000 in damage, which I’d say was nowhere near that

00:37:01.080 --> 00:37:09.880
amount. Later, that damage amount did come down to about $32,000. So, nowhere near a million.

00:37:09.880 --> 00:37:16.600
JACK: With all the evidence before him, he had no choice but to plead guilty to breaking in and

00:37:16.600 --> 00:37:22.960
stealing this data. What helped though was that he had a very clean criminal history,

00:37:22.960 --> 00:37:28.880
and the whole Ring camera thing came up, too. It actually looked good for him that he reported that

00:37:28.880 --> 00:37:35.360
problem to Amazon. He had to go see a judge to receive his sentencing, and he told the judge…

00:37:35.360 --> 00:37:40.760
MARQ: You know, I was sorry that I did this. It was really stupid of me. The owner of the

00:37:40.760 --> 00:37:44.760
MSP was actually there in court as well, so I did apologize to him and let him know that it

00:37:44.760 --> 00:37:51.640
was just very dumb of me to do this. I’m not a bad person. I don’t really want anyone to think that,

00:37:51.640 --> 00:38:00.080
but what I did was dumb. Hacking isn’t – hacking on your own devices, you know, you set up a router

00:38:00.080 --> 00:38:05.360
or something or you use Kali on your own devices, that’s perfectly fine, but doing it to someone

00:38:05.360 --> 00:38:14.040
else, it’s not good. The judge, he did grant me leniency because the feds, they were – they wanted

00:38:14.040 --> 00:38:23.200
me to be arrested and go to jail for about ten to twelve months. He actually gave me thirty days,

00:38:23.200 --> 00:38:31.160
but the – counting the time that I had already served when I was arrested and held,

00:38:31.160 --> 00:38:37.240
it was really twenty-four days. So, all-in-all, I just had to do – I was arrested for – I had to

00:38:37.240 --> 00:38:44.640
go to jail for [MUSIC] twenty-four days and three years of probation. But he did say he didn’t want

00:38:44.640 --> 00:38:52.520
to send me off for a long period of time because this was the only thing I had ever done, and I’m –

00:38:52.520 --> 00:38:59.080
I explained to him I was trying to change my life around, go back to school for engineering. I have

00:38:59.080 --> 00:39:07.640
a family as well, a son, so it wasn’t something – like I said, I’m not a malicious person,

00:39:07.640 --> 00:39:12.040
but what I did do was malicious, and there of course are repercussions for what you do.

00:39:12.040 --> 00:39:17.587
JACK: When did you serve your sentencing? Was it this year?

00:39:17.587 --> 00:39:20.800
MARQ: Mm-hm. It was in October, from October to November.

00:39:20.800 --> 00:39:22.380
JACK: That was just two months ago.

00:39:22.380 --> 00:39:23.240
MARQ: Yeah.

00:39:23.240 --> 00:39:26.440
JACK: Well, last month. So, you were in jail last month for this.

00:39:26.440 --> 00:39:28.300
MARQ: Yes.

00:39:28.300 --> 00:39:33.360
JACK: Marq is hoping to get another job in the IT space since this is what he knows

00:39:33.360 --> 00:39:38.760
best. But he might have a really hard time finding something with a criminal record

00:39:38.760 --> 00:39:43.140
like this. So, he’s currently going to school for electrical engineering.

00:39:43.140 --> 00:39:48.640
MARQ: Yeah, yeah. I hopefully plan to work on circuit boards and stuff like that, but

00:39:48.640 --> 00:39:56.400
I come from a family of engineers. My uncle’s an engineer at NASA, my aunt works at NASA, so, yeah.

00:39:56.400 --> 00:39:59.800
JACK: Insider threats are one of the biggest threats companies face today,

00:39:59.800 --> 00:40:02.540
and because of that, I wanted to bring on Lisa Forte.

00:40:02.540 --> 00:40:06.600
LISA: Yes, you pronounced it correctly. Most people in the UK pronounce it ‘Fort’,

00:40:06.600 --> 00:40:12.000
which is really annoying. But Americans tend to pronounce it correctly, so that’s good.

00:40:12.000 --> 00:40:16.320
JACK: Lisa consults with companies to help them handle insider threats. So first,

00:40:16.320 --> 00:40:18.060
I was just curious what she thought of this story.

00:40:18.060 --> 00:40:22.720
LISA: Well, for a start, I mean, to still have your credentials working for months afterwards is

00:40:22.720 --> 00:40:29.880
a little bit crazy. Those clearly should have been revoked. But also, I think the crucial thing with

00:40:29.880 --> 00:40:35.480
all insider threats is to understand that nobody wakes up one morning kind of happy, satisfied,

00:40:35.480 --> 00:40:42.080
fulfilled, and decides I’m going to attack my employer. It’s a process with many key moments

00:40:42.080 --> 00:40:47.680
and tipping points that lead to someone becoming an insider threat or, in this particular case,

00:40:47.680 --> 00:40:52.840
I suppose technically at the time he did it, he was an outsider. But it’s no – there’s no

00:40:52.840 --> 00:41:00.680
bad apple that exists in an organization. These people, it tends to be a product of circumstances,

00:41:00.680 --> 00:41:07.640
timing, and personality, and when you combine all three, sometimes it can yield an insider threat.

00:41:07.640 --> 00:41:11.640
JACK: What are the incentives on why insiders even become threats?

00:41:11.640 --> 00:41:16.920
LISA: So, there’s sort of three typical types of attack that we see with insider threats,

00:41:16.920 --> 00:41:23.360
and that’s fraud, sabotage, and theft. Ignoring fraud for a second, ‘cause it’s a

00:41:23.360 --> 00:41:28.560
little bit different from the other two, theft and sabotage tend to happen at the end of employment,

00:41:28.560 --> 00:41:34.280
so whether that’s because they’ve been fired or whether they’ve been made redundant or whatever

00:41:34.280 --> 00:41:40.600
it is that’s happened to them, those two attacks tend to happen at the end of that employment. A

00:41:40.600 --> 00:41:49.080
lot of the motivation is really complex. Sabotage tends to be very much motivated by vengeance or

00:41:49.080 --> 00:41:54.360
anger towards the employer, whereas theft often actually is a lot more complicated,

00:41:54.360 --> 00:42:00.760
and as in this case, it tends to be people who are in difficult situations, there’s been a mounting

00:42:00.760 --> 00:42:06.920
amount of pressure, they probably are dissatisfied with their employer or see their employer as oh,

00:42:06.920 --> 00:42:13.120
well, they can afford it, they can lose this information. Or even sometimes people think that

00:42:13.120 --> 00:42:17.880
the project that they’ve worked on is part theirs, and so they take a copy of it. So,

00:42:17.880 --> 00:42:23.280
it’s really, really complicated and it’s very easy to just say these people are bad people, but it’s

00:42:23.280 --> 00:42:28.320
actually a product of a lot of circumstances that leads people to do these things.

00:42:28.320 --> 00:42:30.300
JACK: You have any tips on how to combat this?

00:42:30.300 --> 00:42:33.480
LISA: So, I would say if you’re looking at theft,

00:42:33.480 --> 00:42:37.880
there are certain departments that are going to be key for that. It’s the same with sabotage;

00:42:37.880 --> 00:42:42.280
only certain departments are going to be capable of doing those kinds of attacks, so

00:42:42.280 --> 00:42:49.000
increasing some monitoring around those employees in particular, so not your whole cohort of staff,

00:42:49.000 --> 00:42:54.280
but also making sure that you’re increasing some monitoring during those crucial periods. So, theft

00:42:54.280 --> 00:42:59.720
and sabotage happen at the end of employment, so making sure that when someone’s notice is handed

00:42:59.720 --> 00:43:05.960
in or they’re fired or made redundant that you increase that monitoring at that crucial period,

00:43:05.960 --> 00:43:10.540
and make sure you communicate with your staff that that’s happening so there’s no cloak and daggers.

00:43:10.540 --> 00:43:17.200
JACK: I find what Lisa is saying very interesting, because it reminds me of General David Petraeus.

00:43:17.200 --> 00:43:23.040
Petraeus was director of the CIA, and before that, he had spent thirty-seven years in the army. He

00:43:23.040 --> 00:43:29.080
was rock solid when it came to handling classified and top-secret information. When someone dedicates

00:43:29.080 --> 00:43:34.280
their entire career to the US military, they probably are really great at keeping government

00:43:34.280 --> 00:43:42.200
secrets, and he was, until his marital situation started to unravel. He was having an affair with

00:43:42.200 --> 00:43:48.360
someone and he was sharing classified information with her. He even pled guilty to doing this,

00:43:48.360 --> 00:43:54.600
and I was shocked to hear this, because someone who is the director of the CIA

00:43:54.600 --> 00:44:00.240
must have had a rigorous background check and passed many interviews to get into that position.

00:44:00.240 --> 00:44:06.120
So to ultimately betray the same entity that employed him for thirty-seven years

00:44:06.120 --> 00:44:10.960
is crazy. Oh, and a note here about how he was exchanging information is interesting;

00:44:10.960 --> 00:44:15.280
both he and his mistress had access to a single Gmail account, and they would write

00:44:15.280 --> 00:44:19.640
messages back and forth to each other on there, but they would never send these e-mails. They

00:44:19.640 --> 00:44:24.080
would just keep them in the Drafts folder, so one person would go into the Drafts folder,

00:44:24.080 --> 00:44:28.360
read the message, and then delete it and write another message and keep that in the

00:44:28.360 --> 00:44:33.480
Drafts folder for the other person to see, so there weren’t ever any records of e-mails

00:44:33.480 --> 00:44:40.960
being sent. Crazy. But what Petraeus taught me the most was it doesn’t matter who you are,

00:44:40.960 --> 00:44:54.577
because even the leader of an organization might flip some day and become the next insider threat.

00:44:54.577 --> 00:44:58.320
(OUTRO): [OUTRO MUSIC] A big thank-you to Marq for sharing this crazy story with us. Oh,

00:44:58.320 --> 00:45:02.680
and thanks to Lisa Forte for jumping on and giving some good perspective, too. Don’t forget to check

00:45:02.680 --> 00:45:09.760
out darknetdiaries.com sometimes. Every episode of this show has unique artwork, which if you haven’t

00:45:09.760 --> 00:45:14.080
seen, you gotta go to the website and check it out. Every episode also has full transcripts

00:45:14.080 --> 00:45:18.080
posted too, so if you didn’t catch something, you can just go read about it there, and there’s

00:45:18.080 --> 00:45:22.440
a link to the shop where you can buy shirts with all this artwork on it, too. Also at the bottom

00:45:22.440 --> 00:45:28.120
of the page is an invite to the Darknet Diaries Discord server. We’ve got 10,000 members there

00:45:28.120 --> 00:45:32.080
and we would love for you to come join us there, too. Oh, and if you’re on Twitter, please find

00:45:32.080 --> 00:45:37.320
me there. My name is @JackRhysider. I’d love to hear from you. This show is made by me, a citizen

00:45:37.320 --> 00:45:42.720
of the Metaverse, Jack Rhysider. Sound design was done by the sparkling Andrew Meriwether, and our

00:45:42.720 --> 00:45:47.760
theme music is by the mysterious Breakmaster Cylinder. I renamed my printer the other day;

00:45:47.760 --> 00:45:55.880
it’s now called Bob Marley because it’s always jamming. This is Darknet Diaries.
