160: Greg

Hey. Well, man, I don't see you. Yeah, my tape is usually over my camera. I see you. I caught my tape on my camera one second. Ah, I can't even hear you. You can't hear me. There's a story I had that I totally forgot about, but I remembered recently, and I wanted to call up my dad and walk through it again with him to try to remember how it went. Yeah. I want to recollect the story with you. Yes. Because as I tell it, I don't think people believe it. So I figure you can verify that this is true. Yeah. All right. So do you remember my senior year at high school? Okay. I had my own car then. I was like mentally done with school. I did not want to go to high school anymore. I was just sick of it. I just had been there too long. And I had one elective left and I said, what is the easiest possible class I can take? Do you remember what I chose as my last elective in my senior year? It was either welding or typing. I can't remember. Typing. Yeah. But typing. But typing. How fast could I type as a senior in high school? At least 99 words a minute. Right. Right. So choosing that as an elective. Oh. That's the easiest class ever. That's going to be a walk in the park. I was happy for you. Senior year. Here's the problem though. The class was the first period of the day. 840? 840. Yep. And so I had to be at typing first class of the day. And the class was real easy. When I got there, I was like, oh, good. This is just a beginner typing class. I could type super fast. So I'll tell you what I'll do is I'll finish up my lesson in like 10 minutes. I could do this whole. All the stuff you guys are doing today, I'll do it in 10 minutes. And I'm done. And so I even worked ahead. I said, hey, teacher, can I go on to the next lesson? Sure or sure? And so I would do like a whole week's worth of work on Monday. And then I would help out some of the other students and stuff. I mean, I think I was the star student in that class. Of course you were. But once I got ahead enough, I mean, if you know what my morning routine is, my morning person, I'd probably walk you up at 8.30 and said, you have 10 minutes. Get the school. You could not wake up. Yeah, I had trouble waking up. So you had narcolepsy or something. I used to use that excuse all the time. So I would get to school late on this typing class. And I thought, no problem. I'm a perfect straight A student in this typing class. I'm helping the other ones. All my work is complete. I don't think it's going to be an issue if I'm 7 minutes late, 10 minutes late. That's fine. And so I would show up late consistently to this typing class. Yeah, well, the teacher didn't like that. And she said, you can't come in late like that. I have to send you to the principal's office if you come in late one more time. You've got to come in on time. This is like your fifth time being late. I said, yeah, but I'm getting all the work done. What's the problem? And she said, no, no, no. If you come in late again, I'm going to have to report you. And so the next day, I couldn't get it together. You tried waking me up again and I was late. And she said, that's it. You've got to go to the principal's office. And the principal didn't want to see me, but the vice principal was there. And he said, what's the problem? I said, no problem. I'm doing well. He said, well, the report here says that you're late. So this is your senior. If you get late too many times, you're not going to graduate. Oh, my. I said, listen, have you looked at my grade in this class? He said, that doesn't matter. No, it should matter. Listen, I think your priorities are all screwed up. If I'm asing this class, if I'm getting it all correct, and if I'm helping the other students, and I'm a value add to the class in general, not just for myself, then don't you think that I should be graduating with that? I'm just sort of a work ethic. And he said, no, it has everything to do with being on time as nothing to do with the work ethic. You have one more chance. And if you, I'm going to be there tomorrow. And if you are late again this year, you are not going to graduate. I said, really, you're going to hold me back just for being late, even though I have perfect grades. And the next day, of course, I'm late. I could not get it together. And the vice principal was standing at the door when I arrived. Oh. And he said, that's it. You're late. This is the last draw you failed this class. I said, how would you, why would you do this to me? Like, it's not like I'm struggling with this class. This class is easy. I've got it nailed. I'm like three weeks ahead of every other student in the class. And he said, I don't care. You can't come to school on time. So therefore, you're fail. Fail. And so they wanted to hold me back a year. A whole year of high school and not let me graduate. No, you're only missing a half a credit at that point. You didn't graduate. You could have went to summer school and picked up a half a credit. That's right. I could have. But you did something else. So when I brought this news home to you and I said, listen, I'm not going to graduate this year. Your brain started going into overtime. And you started thinking up of solutions. Yeah, here's a couple of things. One, after you got thrown out of the class, I noticed you didn't go to school when I'd wake you up in the morning. I'm not even sure what was going on. You'd say, don't worry about it, Dad. I can get in there. It's second period. I got to be there. So that, but third, your social engineering wasn't 100% yet. That was your problem. Yeah. And a lot better with the assistant principal and the teacher. Oh, yeah. But you saved me that year. Of course I did. I don't know how you came up with the idea, but you found me an extra half credit. Well, you one time switched high schools for, I don't know, four weeks or something. You didn't like those kids. So you went back to the original high school. Which, by the way, was less than a mile from our house. I don't know how you were ever late. Less than a mile. Yeah, it was very close. So I knew you read that other school. I went over there and one of my kind of best friends played sports together and things. I said, do you remember my son, Jack? Yeah, yeah, nice kids. Was he in your PE class? Yeah, yeah. I said, you never gave him credit for that. He said, oh, man, that's so hard. Credit? I said, now do I gotta give him credit? But you gotta get it done before graduation. You got like six days. And he just said, I don't think I can do this. I said, no, you go to the registrar. You put his name down. Well, he said, you owe me big time. And somehow, magically, gave you a seed for PE, send it over to your high school. And that's really not the end of it. The end of it was graduation at your high school. Yeah. And so that sorted it. Now I was back on track to graduate. And everything was fine. I went to the ceremony. I sat in the stands. And then what had the ceremony go? He assisted principal, your arch-edity. He's the one handing out the diplomas. The same guy who told me, I can't graduate. Yeah, just six days before, you're not graduate. And now he calls your name, you come up. He looks at the diplomas. There's it, you. I didn't think he was going to hand it to you. And then he grimaced and gave it to you. And there you have the diploma with the missing half credit. And I think the Statue of Limitations ran out and all that. So I won't be kicked out of school. Permanent record. I'll go on my permanent record. This one, oh no. Yeah, so that was quite all because of the typing. I don't believe it. Yeah. So you still not a type? Yeah, I do. But do you know how at this point? No. I've never had a job in 40 years where I needed a typewriter computer. Never needed one. Or a cell phone. I'm analog all the way. These are true stories from the dark side of the internet. I'm Jack Recyder. This is Dark Net Diaries. This episode of Dark Net Diaries is brought to you by Flashpoint. 2025 has proven to be a pivotal year for security leaders. It's not just cyber threats anymore, physical risks, and geopolitical tensions are colliding, creating a web of challenges no one can afford to ignore. That's where Flashpoint comes in. As one of the largest private providers of threat intelligence, Flashpoint delivers what security teams need most. Clarity. By combining cunning edge technology with the expertise of world-class analyst teams, their ignite platform gives organizations instant access to critical data, expertly analyzed insights, and real-time alerts, all in one seamless platform. From Fortune 500 companies to government agencies, Flashpoint is a name trusted to keep people, assets, and operations secure. To access some of the industry's best threat data and intelligence, visit flashpoint.io. Today, that's flashpoint.io. This episode is sponsored by Black Hills. Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008. You've got to already know that if you want to test your defenses or need around the clock monitoring, Black Hills is where you look. And I really hope you've already checked out their anti-siphon training programs too, where they teach you to think like an attacker. It's hands-on, practical training, built for defenders who want to level up. But did you know about the webcasts, blog, zines, and comics all designed by hackers, four hackers? They even spun up a whole comic series called The Future Is from Reck-Up Comics. It's like Black Mirror meets hackers, filled with hands-on cybersecurity challenges. You can find it in over 700 comic shops worldwide, or from the comfort of your keyboard at their online store, the Spearfish General Store. And that place is a rabbit hole of its own. They've got the backdoors and breaches card game, shirts, stickers, and the reka hoodie, which is hackers spelled backwards. So when you look in the mirror, well, yeah, you get it. You see the hacker that you always knew you were. And because you're a Dark Knight Dyer's listener, they've got a very special thing waiting for you. I'd blackhillsinfosec.com slash Dark Knight. That website is blackhillsinfosec.com slash Dark Knight. I want you to meet Greg. So I grew up really, really poor. I grew up in Tucson. And fortunately, my father was a avionics technician. And he was an undiagnosed autistic, brilliant man. He was a meaghyver. And the man who would just tinker and make things throughout his life. And while we were poor, my father decided to dumpster dive. His dad would find various computer parts in trash dumpsters behind buildings and bring them home. And after doing that a few times, he had enough spare parts to assemble whole computers. I had a Commodore Vic 20, I had a trash 80, and then I had an Apple IIE. All, you know, like all, but when I was born, and I always loved them. Back then, computers were not as common as they are now. Having one in your house was a luxury. Having three, you were really fancy. And simply having these things within easy reach enabled Greg to learn tons growing up instead of maybe getting introduced to them sometime in high school. If your school was lucky enough to even have computers. That was my escape as a kid. I was a undiagnosed autistic kid until my 30s. And I just immediately loved computers. Computers were a novelty for me as a kid. Until we got AOL, then I became obsessed with them. I was an AOL kid too, no matter if fact. That's where most of my first programs that ever came around. I was one of the first to discover the one I am. Explain, that was my first vulnerability I ever discovered was the integer overflow and the AOL client when you sent a font size with a long enough number. And I remember finding that and making the one I am punter back in the day. I remember AOL punters. You could send someone a message, but then put something in that message that when they receive it, their client wouldn't know how to process it. And it would just crash their AOL session. So you could come into a chat room, send everyone a message, and then see like half the room suddenly disappear because their apps would be crashing and they would disconnect. So all this fascinated Greg, to be able to force someone else's computer to do something it's not supposed to, that's cool. What else can you do? And his interest in hacking took root and grew. Soon he found himself in an online group that was trying to create malware. When I was a virus writer, my ideology I had, I actually targeted pedophiles. Every single, there were pieces of malware I ever wrote was designed to target pedophiles. And we ran a group in there to target people who were targeting children. And the best part about targeting pedophiles is I think it's the only case that you can say I gave malware to someone and they're absolutely not going to report you to the police. Because whether you're going to say, I was trying to pick up this kid and they sent me a JPEG.exe to them. And that was a case for many years. When I wrote viruses, that was the only people I targeted. Otherwise, for me writing viruses again, was the thrill of learning about polymorphism, metamorphism, and as well as high level, low level code execution. I just genuinely loved the thrill of the knowledge of it. It was an art. I still think it's an art form. His specialty was using visual basic to code malicious macros in Microsoft Word documents. So he would send the Word doc to someone, tricks them in opening it. And if they had macros enabled, that would allow Greg to take over their computer. Now, keep in mind, he was doing all this in middle school, not even in high school yet. And middle schools back then didn't even have computer classes. If they did, it was just to like take a mask quiz or something like that, not really teaching how to use them and stuff. And by the time he got to high school, they were just starting to teach kids commands and certain applications on computers. So one of the first classes he took was keyboarding, which is learning to type. And I was like, no, fuck that. I ain't gonna type. I know what to type. So our school worked on Excel, all the great systems were in Excel. And so I went to the old school macro virus writers. I remember like colors and back of the day that most series of colors and tri-state. Those were the areas of macro viruses I remember started programming in. And so with Excel, I was like, I can do this. Like, I don't know what to be in this class. I don't know what to be in the school. So the entire grade system was in Excel. And I made a macro virus that would look for my student ID number with a metric number, identify the areas where the grades were in, take the average number of the percentage or if it was a through F, it would be, I make it myself as a B. And when average number to be able to 87%, and gave myself 87%. He was able to take this malicious Excel file and get it onto the teacher's computer. And suddenly, he was getting all Bs in his classes. On top of that, he made it so he had perfect attendance too, no matter if he was there or not. So he just stopped going to class. It was hilarious as he did all this while in his typing class. He even coded in obfuscation techniques to avoid detection. Like after the teacher would record his grade and then close Excel, that's when the macro would trigger on close. And he would stage all this information in a column that he hid off to the side so you couldn't see any of the funny business happening. This worked really well. I was in school for nine days. That's how long it took me to write this and then put it into the school system. And then every day I went home. I was just at home. And one day my friends came over and they came back from class so they still would hang out with them. And they were like, hey Greg, man, the computers at school are really weird. I was like, oh, what are they doing? And he's like, well, they're crashing. Everyone says Excel's not doing well. And I remember my stomach sinking like, oh, what do you mean? They're like, well, they, you know, when they're getting everybody ready for fun, you know, the finals day, you know, everything changed and something crashed. I think they're calling back a fee over it. And I was like, oh no. So I walked, I went to school the next day. I went into the school library and I had been in school for like so long that the librarian was like, who are you? And I was like, I go to the school, I promise. I'm here. And she's like, I've never seen you. Like, who are you? And I was like, well, do you have a student ID? I was like, no, I don't have a student ID. She's like, okay, go to the principal's office. So principal like, they're saying, hey, we know you're a kid. You know, we know your name checks out. And these classes, but none of your teachers recognize who you are. And I was like, oh, I'm sorry. I just kind of shut up at that point. They sent me home. And what that happened was the school added a column in all the Excel sheets to calculate final grades and to do something for final grades. Unfortunately, that column just happened to be where I store the previous data of all the columns. So the virus will be stored the sheets when the teacher's opened up the sheets. That caused the Excel files to crash on grade. And they sent the sample to McAfee. And McAfee at the time was like, yeah, this is a macro virus. And it was custom written for your school. So the school decided to call the police. Police showed up knocked on my door, rested me. And really? Yeah. I mean, it's a government. It's a public school. It's a public high school. So it's technically a government. This was real bad. He went to Juvee, Juvee Nile detention. They locked him up in a concrete room with a steel door and a tiny little window. It's a scary place for a teenager. So I have a note here that says you're the youngest hacker to be arrested in Arizona. I was the youngest child to be arrested in the state of Arizona for a computer crime. For I'm not sure if that's still hold, but that was the case for a long, long time. A politician wanted to make an example of him saying, see, cyber criminals are really bad. And we should do more to stop them. But he caught a lucky break. But they came back that the Tucson police failed to handle the evidence correctly. And my case got dropped, luckily for me. However, he was ordered not to touch computers for a whole year. Can you imagine no computers for a whole year? That made a deal with the courts to say, I won't touch a computer for a year. I'll have to get a probation officer to sit next to me when I operate computers. And then I, and after that, we'll reevaluate the situation. So for a year, anytime I wanted to touch a computer, which is mostly the library back in the day, if you remember where libraries had the little internal library machines to go look up for books in the library. I think I'll call this very large 60 year old man who absolutely had no idea what computer hacking looked like. And I'm ever fucking with him quite a bit and saying, on him, I'm getting into the system. He'd like, look at me and grab my hand and pull me away from the computer. And we're going now. What kind of person, what kind of kid were you like in high school? I was absolutely, I was a goth kid. I was the goth kid who wore the large, I had a, I got in trouble for a black trench coat because unfortunately going to high school and during 2001 era that you come across the column by incident. You know, back in the 90s when I saw a goth kid, I just thought they really liked the movie The Crow. Yeah, The Crow was a good one. My best friend at the time, his name was John Aller. John was a, was a huge crow fan. He actually kind of looked like Brandon Lee too. So he was like, he was like, he was a goth of the Crow type. I was more than industrial music. I always loved like skinny puppy and suicide commando, Velvadasa, Crystall, all those like late 90s industrial bands. So I was more of a rivet head. I didn't know the time what rivet head was, but to just an industrial kid, big stompy boots, goth an industrial music. I liked metal, but I didn't like metal so much. I like electronic music. So when I found out industrial music, which is essentially goth music with techno, I was like, this is it. This is my lifestyle. Do you wear earrings? No, I actually, well, sorry, take that back. In high school, I think I had like nine piercing. So I had, you know, and now did you wear eyeliner? No, I was not, I was not a makeup goth. I was not a makeup goth. I had, I had the dog collar. So I had the goth collar. So I had the, the, the bondage outfits. I was one of those goss for sure. Okay, so this, this just emphasizes like when they're like, looking for the person who did this. There's like, you're the one. Yeah, I'm sorry, everyone else. I'm sorry, everyone. The goss, the goss stereotype for the virus writers, that was me. That was me, everyone. I apologize. I remember you started this. I did, I did. So my parents kicked me out of my house. I lived in a group home after, after being arrested. I was in a group. Just because of that event. Yeah. Yeah. So I lived in a group and you're not, you're not normal Greg. You're wearing, you're too many pairs of things. Come on. Yeah, I did that all myself too. So I, I got kicked out, I lived in a group home from age of 14 to 18. So I, I was in, in an outhouse. That was a tough time. So at 14 is when you got arrested. Correct. That's a hard time to go through and arrest. That's scary. You don't know what you're facing there. Correct. And then to be thrown out of the house. And then like, what? I got to do this in my own. Yes. So I lived in a group home. Didn't have access to a real computer. So my only computer is at the time were the ones in school. And it was, it was rough, man. It's, it's one of the big reasons why I always try to reach out to people who are kind of in rough situations. Because my life has not been an easy one. It is not been easy. And living in a group home, which, the group home was, the one I always got assigned to was a garment group home. And it was mostly for kids who were domestic violence or runaways. And so it was a lot of violent kids in there. It was, it was a small, it was like a small four bedroom house, but it had, at any time, it had between six, six guys and six girls and then staff members. There. So it was cramped. Everything was shared. It was not a, it was not a good time. It was a rough life. I think, I think I just got some clarity on what, it means to be goss just now. It's not about the clothes and the makeup of the music. It's, it's about not fitting into a world that tells you to shrink and conform and smile when you're falling apart inside. It's about understanding that you are different and you can embrace your difference and you got to pay the price. Being misunderstood by your teachers, so-called friends, even your own family can become isolating. There's this moment I imagine that every goss must face. You have a choice. Either break yourself down into something more acceptable, force yourself into a version of normal that everyone wants you to be, or you can embrace that shadow inside you, that one that's screaming out, wanting to be seen, wanting to be heard, but knows that it's just too weird for people to understand. Goss choose to embrace that inner shadow, lean into their weirdness, wear it like armor and let your darkness be your beauty. And when you're in a place like halfway house with nowhere to go and no one who really knows you, that identity being goss can become more than just a style, it becomes your anchor. Because being goss means you already know what it's like to live on the outside. You already live in the cracks of the system. So when the worst happens, when your life is shattered, being goss is a reminder that it's okay to be on the outside of society. The music reinforces the idea that it's okay to live outside what's normal. And there's a level of comfort to hear that music and to see other goss who are also struggling to fight what's normal. Those quiet rebels, the kids who find beauty in broken places. I imagine that being goss makes you more resilient to problems like this. It gives you a tribe without borders. It gives you a sense of self when the world pretends you're invisible. So I imagine being goss in that halfway house was an amazingly helpful way to get through it. To self-sooth, every time he put on dark clothes, it was like he was giving himself a hug and saying, it's okay to be different. Don't worry about what everyone else thinks of you. And man, to go through something like that and goss being your anchor, that could easily make you goss for life. Yeah, I think I've got carried away there, okay. So after I get out of high school, so I was doing music, one of the few things, 10. So I became, I was a musician and I was a successful musician if you've ever seen the Matrix sequels movies, then you've heard my music at one point. Your music is in the Matrix sequels? Yeah, so I got contacted by a company called Spider-bytes Studios and they wanted to make music for the Matrix, especially behind the scenes matrix stuff. They wanted to do some music there. The big thing is they were looking for someone to make music for the trailer for the video game in the Matrix Online. And so they sent me an email and they were like, hey, your music sounds great. So that was my first example of being exploited in a contract by a large company. I sold my music rights for $400 each. I think I got a $4,000 total on that deal. So I was like, I'm $4,000 richer. That is awesome. And after that, that got into a lot of people asking me to do music and go touring. So I did a European tour, it was all throughout Europe. I think I went to every country except for Latvia and Lithuania, toured for a while, and then came back. Are you playing here? Synthesizer, that was a one man project. So I did, I love synthesizers. I won't play and I owned over 80 of them. So yeah, after that, I came back, after a long tour time, I came back to Arizona. I was homeless for a while because you only make $30,000 as a musician average or a year at that time, especially like an industrial musician. You don't make any money. So I came back homeless and then I locked out and getting a job working at that massage envy. Massage envy is a massage parlor, but it's a chain and they have over a thousand locations all over the US. And their headquarters are in Scottsdale, Arizona and they needed someone to work on the back end with their booking system. They gave Greg a shot and he excelled at it. We was all VB.NET and ASP code back end. And so I was coding that and I was breaking software in the meantime, Millworm. So I was coding exploits on Millworm and just throwing them up there. And I was literally trying to throw an exploit up there a day. And I remember I got an email from EI and they were like, you're cracked. What is going, like what are you doing? Like where are you working? Tell us about you. And I was like, well, I'm a software developer in the middle of Phoenix, Arizona. I work on massage envy. Massage envy is back end. And they couldn't believe it. They were like, what? You're not in security at all. I was like, no, I was just like, I just break stuff for fun. EI was a cybersecurity company based in California. It's spelled E-E-Y-E-E-I. They created some tools to help people be more secure. Like they made a vulnerability scanner. And that's how they were able to make money. So EI saw that Greg was writing a lot of malware and posting it publicly. And they liked that and decided to hire him and flew him out to California to give him a job. Yeah, well, the team I was on, we were all about finding zero days and finding exploits. Yeah, but there's no money in that. Marketing, my friend. When you have a good research team and they're rock stars, they're gonna look at you and your products and think, oh man, those guys know what they're doing. So, yeah, when I got there, the person I replaced was Barnaby Jack. I took, I actually had his desk and everything, man. Yeah, yeah. Lots of respect to him, man. It was, I never filled his shoes, but it was just an honor to be a part of, be around. I got to meet him multiple times. He was a great guy. See back then, nobody had a bug bounty program. If you found a vulnerability on some software, that company wouldn't pay you anything. You'd be lucky if they sent you a T-shirt. There was zero money and vulnerability research then, but the reason EI did this research to try to find vulnerabilities in software was for two important reasons. One, to earn credibility. Well, at EI company, must have some pretty sharp researchers to constantly be finding vulnerabilities in things. I bet our tools are great. It works. And two, recruitment. By making the news again and again that they keep finding vulnerabilities, top talent would want to come work there. Now, they did follow responsible disclosure. When they'd find a vulnerability, they would do two things. First, tell the software maker and show them exactly what they found. Then, they would announce publicly that they found a vulnerability in a product. They wouldn't say what the vulnerability was though, not until after the software company was able to fix it and patch it. So that was the team that Greg joined. To simply find new bugs in software that nobody knows about, which is what's known as a zero-day vulnerability. So I get there in Office Drops, Office 2007, drops probably about four weeks after, within my first month of working there. And we are looking at other software, I think CA arcs are back up if you remember that terrible product. I have, as a macro virus author, and I can look at Office, like hack setters in Office, I can tell you where the blobs are in Office. I know the BIF format very, very, very well. So I'm gonna come up. So you're object, I mean, you're your boss or someone told you. Mark Mayfre. Yes, we'll put his name for the record here. Mark Mayfre, I've heard that name before. If you don't know, Mark Mayfre got famous from MTV's True Life on the Hacker, that's where, that was his claim to fame. He was on that. You know, over the last few years, and like basically, I was just like out in the hack, he just been kind of like a wild ride or, you know, someone of a movie. After the raid, started thinking a lot different about like my life. And like when I wanted to start doing with it, and then you know, turn things around. These days, Camillean is living the Hacker dream, creating security software for companies to protect themselves from people just like him. That was a clip from the MTV show called True Life Hacker from 1999. The show follows Mark around as he hacks stuff, his wild back then. So I imagine it'd be really crazy to have him as a boss. So your boss told you, office 2007 just came out, you want to take a look at it, it would be great if you could find some sort of virus or bug and not virus, but an exploiting there, a bug that we could use for marketing and make a big deal about. So jump in there like, and then you were assigned to do that. No, yeah, that's exactly how it worked. Anything that came out, any big thing, we were essentially bounty hunters, you know, we would go out and be like, yeah, let's go break this thing. If we have customers. Yeah, but there wasn't paid bounties back then, you'd get a T-shirt if anything. It was all about the honor of being the first, we wanted to be the first, too. That was a big deal. Yeah, honor was a reward. Yep, it was be the people who first found a bug. And so I went in there and sort of manually fuzzing word at the time. Fuzzing, the first time I did fuzzing, was it when I was five years old and I went to the supermarket and they had a gumball machine. My mom gave me a dime and showed me how you put it in and you turned the crank and you get candy. It was awesome. And for years, I was drawn to them. I just had to touch them every time I saw them and checked them out. Like I would try turning the crank on every one to see if it would just give me candy with no money in it. Nope, unless you put money in it, the crank won't turn. I would sometimes try to put money in it and turn it very slowly to see if I could get a little bit of candy in as soon as I do. Turn it back real quick to reset it and do it again, but that didn't work. I would check the dispenser shoots to see if anyone left candy behind there. And yes, sometimes they did. And that was cool, a little bit of free candy. I would shake the machine sometimes to see if I could get candy to come out that way. And that did sometimes work too. But then I was like, how does it know I put money in here? Like how does it know what a quarter or a nickel or dime actually is? So I started jamming anything I could find that would fit in there. Plastic pieces, metal washers, cardboard, shoelaces. I'd shove it in, I'd turn the crank and I would see what happens. And I'm telling you, from like five years old all the way to 15 years old, I was fiddling with these things every time I saw one. And that to me is what fuzzing is. It's trying to use the tool or machine or application in ways it's not supposed to be used to see if you could glitch it or somehow get it to act weird. What Greg was doing was he was opening Microsoft Word and trying to put something in a Word document that wasn't allowed. I don't know, maybe trying to put a Chinese letter in there or some strange ASCII symbol. Word would accept some of these characters but then just deny others. Now if Word won't let you input a strange character, why will it break if you somehow force it to take that strange character? Well, Greg wanted to try. So he opened up a Word doc not in Microsoft though, in a hex editor where he can manipulate the ones and zeros directly in the file, almost like doing surgery on the file. And he'd put in a character directly into the file that he knows Microsoft Word can't accept and then he'd save it and try to open it up in Word to see what it would do. Nothing, okay fine, that didn't work. But let's try again, this time let's see what the max font sizes and Word, 1638. Whoa, that's pretty big. Okay, so Word won't let you make a font size bigger than that number, challenge accepted. Let's set the font to the max, 1638 to close downward, open up the file in a hex editor, look for where that number is, 1638. Where does that show up? Ah, right there. And maybe that means the font size. So let's change that 109999 and save it and open it up in Word and be like, what now Word, you wouldn't let me set the font bigger, but I did, what are you gonna do? Nothing, it just reverts back to the default font size. It had some sort of logic to handle what happens with the font size that we can't accept. And that is what fuzzing is. And that's what Greg was tasked with doing to try to make the brand new Microsoft Office 2007 suite crash. It's really a hunt to try to see if the developers at Microsoft accounted for every single problem that could possibly go wrong in Word and handle it gracefully. So you're modifying these files at the lowest level possible and you're introducing all this unexpected code, unexpected code paths, it's parsing these files and it's parsing these files, it's encountering these unexpected data points and these unexpected data points are introducing areas of opportunity for you to find a vulnerability. And basically the goal is to get Word to execute malicious code such as giving someone else control of that computer, but you can't just put malicious code in a Word doc and then when someone opens it, it runs, Word doesn't execute code like that. It just displays it as text, that's its job. So can you hide this malicious code somewhere in the Word document that it will also get executed when Word gets open? No, not really that either. Yeah, there's macros that act like code, but that's different. What we want is for Word to take our malicious little code and stick it into the memory of the computer. So the goal is to cause Word to crash, but then use that crash to force malicious code into memory or a pointer that references the code into memory. Now just opening Word is not enough to see all the stuff that's happening, you want extra visibility on how well Word is behaving, what stuff it's putting into memory and everything. And that's where a debugger comes in. At the time, he was using a debugger called Oli, which will show him a lot more details of what Word is actually doing. Correct, Oli is a tool that you attach to any application that you want to see at low level, assembly level. You want to see where the code's actually doing, your registers and your memory output, and what's going on with the application. You attach to a bugger that allows you to... Sounds like a wrapper for the app. So you open Oli and then tell Oli to open this and then Oli would be like, I will watch all the memory and everything that's happening here and tell you everything. That is a great summer to that. And that's exactly what it does. It sounds a bit tedious to open a file in a hex editor, manually change one or two numbers, then close it and then open Word up and then see how it behaves and nothing, so just close it all and try again. So all day, he's editing these files, opening them in Word and then closing them. I just really liked looking at the files in the hex editor, modifying the files, opening the file and noticing the UI changes, it would distort, if you had your office file, if you had graphics and stuff in there, it would distort it or make it look wrong because it's rendering improperly. So you could actually get better feedback by doing it that way to identify where in the file you're affecting. And so I did this for two days and also I had a crash. Ooh, a crash. This is what he's been giant and create. Okay, first things first. Will it crash every time? Yes, awesome. Okay, it wasn't a fluke. Next, can he inject code into memory when it crashes? Yes, wow, this is great. Now he has to see if he can get control of a pointer or inject some shell code into memory along with this crash and yes, he can. And it was a classic crash at that time where you overrode a data pointer and you can control the data pointer at that, which allows, that's the basis for remote code execution. So what he's discovered is he can craft a malicious word doc so that when the user opens it, word crashes but then malicious code is put into memory and now the system is severely weakened. It's vulnerable. Wow, very cool. All within weeks of Microsoft Office coming out, Greg has discovered a pretty serious vulnerability in it, which allows arbitrary code execution. He feels great. His team is impressed. So you tell your coworker, your coworker tells your boss, you tell your boss, whatever. And what is your company do with this? My boss is awesome. He immediately starts writing all the press. And Mark Mayfrey is, if you know him, he's very enthusiastic. He's just like, oh my god, we're gonna, we're gonna, this is gonna be fucking awesome. We're gonna send this to the press. We're gonna throw this out there. And so he immediately starts writing to everyone. All these typical tech writing, the tech writers. And so they immediately start writing. And then we report to Microsoft. Again, they aren't sharing exactly what the vulnerability is to the press. They're just telling them that EI found another zero day. This time in the latest Microsoft Office. And of course, only giving Microsoft a full details so they can fix it. And once it's fixed, then EI will show the world how it was done. The news spread fast. A few big tech publications were talking about this zero day that Greg found. Three days later, we get an email back from Microsoft and says, hey, we can't reproduce this. And we're like, this is typical. This is, we've dealt with this before. This is a typical Microsoft security response team typical action. So they're like, okay, so we send them, we send the sample again and we're like, hey, we show the debug output, we show like a, and then like another day after that, it comes back. And they're like, hey, did you try this without a debugger attached? And my, my mark may for is like, of course we did. And then he looks over the, you know, he looks over the Andre, Andre looks at me. And I'm like, I don't think so. So we go, we go, we go run it again. And there is a special trap that Microsoft added. This is at the time, this is pretty new technology where they had debug only routing inside office so it would reach code flow path that was only exploitable, only trickable when you had a debug attached to the word. Meaning no one is gonna be vulnerable to this unless they're having a debugger or unless they're security researcher. Oh man, how embarrassing. The news is out there saying that EI found a serious vulnerability, but now it turns out they don't actually have a vulnerability. And it's because this new kid, this weird looking goth kid didn't verify it all the way. And so I remember, there was yelling, there was yelling involved. I remember I was there for three weeks and I remember just literally just staring down being ashamed just like, oh God, this is it, this is how it leaves my career. It was nice. It was a good couple of months. It's okay. Because the stress here is because a press release was written, right? Yes. And EI at the time was like, they were like the rock stars. Like this is all of them else in the room, you know, all those rock stars, UG, Derek, Derek, Daniel, Soder, the brothers, everyone else in there has written vulnerabilities in a professional manner. They've all done this for years. They found the first and this to vulnerability. They found, you know, this is their thing. And now I'm the new guy who screwed up and made them look bad. So behind the closed door, they were like, we got to fire this guy. And luckily for me, I believe Andre was like, no, no, we're gonna give him a chance. He's gonna, we're gonna give him a chance to make this right. So they come out and they were like, look man, you gotta find a vulnerability. We don't care how you do it. It's gonna happen. Okay. There's some hope still. The press release just said they found a vulnerability in Microsoft Office, which consists of Excel, Word, PowerPoint, Visual, and more. It didn't give any details as to how the vulnerability works. So if they can find a bug in any of these products, it'll save the reputation of the company. But to be clear, for a young guy in his first cybersecurity job, to find a zero-day vulnerability in Microsoft Office, that's an incredibly complicated task. The entire team of coders at Microsoft worked tirelessly to prevent people like him from finding bugs like that. So he's gotta find something they missed. This was a big deal for Greg. He needed to find a zero-day vulnerability in Microsoft Office, or else he's going to be fired. He calls his girlfriend and says, don't wait up for me tonight. I am going to be working late. Sorry, I just have to do this. And he just gets down right into the zone. Downing energy drinks, grabbing extra monitors to be more productive, ordering pizza right to his desk. Like he's fully committed to doing this. He was so committed that he was going to stay in that office until he found a zero-day vulnerability. So I am there, the 24 hours by myself, just like manly, tricking, and I'm just like, oh God, I can't do it. He's sleeping under his desk. He's living off of donuts and coffee. So what happened here, man, was like, so the crew comes up to me and they're like, dude, we're not gonna let you do this by yourself. We got you back. And so everyone stayed in there. And we were in there for three days in, man, I remember girlfriends calling wives, calling guys and being like, are you guys coming home yet? They're like, no, we gotta do this. This is an important thing. We ordered pizza. We had Mountain Dew. That area of the office, I remember it was not smelling great. Like other teams were like, what are you guys doing? What is going on here? Are you just like opening text files and edit and then close and then open and then close? Yeah, we have, okay, so I think during that time, so there's at least six of us. We have one guy who's writing his own program to fuzz it. We have, I think Eugene had like three screens up buzzing data reverse engineering. He's like trying to reverse engineer that. I have a program I've written running on one machine over here. I have a machine to my left. I have a machine next to me that's running software to find and find this vulnerability. I'm an hex editor editing files left and right. I think Derek was also editing files. Derek found was finding something else. He found, I think he later found another vulnerability out of this, but he's going in there editing looking at this and we're all looking, everything we find is really interesting stuff, which turns out it was like, we found a lot of really cool stuff in office at that time, but none of it was a vulnerability as we described. So we are literally just sitting there, geeking out and just pizza being ordered. E.I. was a wild time. Days go by like this where all the researchers are pouring tons of time into this. Nobody was going home. People were sleeping in shifts under their desk in the break room. The energy was amazing to have so many people come together to try to save the reputation of the company. And day three, I was modifying a file and all said it popped and we look at it and we're like, oh, wait, and I remember UG, UG looks at it first and he's like, UG is this incredibly unbelievably talented Japanese hacker and he's like, oh, it looks good. And when UG says it's good, everyone's like, okay. So and the first thing that happens after that is I remember when the guys is like, is the debugger detached? We were like, oh yeah, get that thing off there. So retry it and it happens to be in office, Visio, it was another product inside the office suite. So it wasn't word, not as sexy as word, but we only said office 2007. So again, saved our butt. And so and the thing is when Microsoft sent that email, they're like, hey, man, this vulnerability occurs in this wrapper function called safe int. And what safe int does is it prevents the integer overflow from occurring and causing the that controlled flow and the code execution to occur. So it checks all the integers. What happened with the new vulnerability found was we just happened to find a legacy pointer for an integer that was not safe into wrapped and was vulnerable. So they sent that email out and unfortunately, David Leblanc in Microsoft, David, if you were listening to this, I'm sorry, man. I think he was on vacation, you got called back. Maybe he didn't get called back, but that's what I heard. Cause he was the one who was in charge of safe and safe and it was his baby. And it's an awesome security feature. At least he got called back because when we sent that sample to Microsoft and it worked, that was a big deal to them. So we are all happy with the vulnerability goes out. A couple months later, it gets disclosed and we have indeed the first vulnerability in Microsoft office and that was the case. That was a wild time to say the least. He saved his butt on that one. His whole career was on the line and he did what he had to do to save it and being awake for so long that wasn't much of a celebration after he found it. Dude, I crashed. I fell asleep. I remember being like just being so exhausted. I straight up, like at the time where I found it, I was already tired because I was half asleep and I remember the alarm that I had for it to find to like, find it. I nearly spilled, I think I did spill soda all over the place because I was just waking up. Like we're all fasting out. Like we're literally sleeping at our desk here. There's no, we were not sleeping on hammocks or anything. We're just like sleeping at our desk. And so I remember it being, we find the vulnerability, we were like, yes. And we were all so tired to actually have a proper, I guess we did have a proper, we did yell out extremely like a malware, yes, we're finally, and then immediately after we're like, we're celebrating, like high-fiving, everything was like that. But man, after that, I just remember us all just being like, and we're going home. And I fell asleep at the office. I didn't even make it home at the time because I lived walking distance. I was too tired to even walk home at that day. So I just crashed out, woke up, went home, and I remember my girlfriend, this threw me the pillow and the blanket, and I was on a couch for like a week for that one. Rightfully so. Yeah, she was so pissed. But it was your job on the line. She should understand that, like, listen, I'm gonna get fired, or I could stay at three days and not see you. What would you rather I do? Oh man, I was a newly father. My kid was like, probably like, oh, okay. Okay. My kid. So well done. So you just had a kid at the time. A kid when I started, yeah, I was six months old. So that kid was not even a year old. And my kid was extreme colleague, like 12 hours a day crying. Man, she was so mad. That makes it even more stressful. Oh yeah. Oh yeah. But yeah, so. Yeah, that was, I remember the emails, and that was, like the emails getting from her was like always popping up, just be like, her gistying angry or angry as the day is going on. And she's like, where are you? Like I don't believe you're at work for three days doing this. And I was like, okay, I'll send you a picture of us. We had like, like the team just like doing random pictures. So I was like, oh, man, this is, this was a time. EI was a magic place. A lot of amazing talent worked there. And many went off to start their own cybersecurity businesses. Rumor has it that some of the anecdotes from the TV show Silicon Valley came from stories that happened at EI. And Greg learned a ton from working there for years. So years later, like years later, like this is like my third year at EI. I remember we had a HODY POTS system, which you know, it's a system that's designed to catch hackers and lure in individuals. And we were trying to get zero day exploits. And they've definitely tried to lure people into attacking the system. It was like one of the largest honey pots at the time. It was nearly a class B internet group of HODY POTS. It was massive. And I remember I was logging into one of the systems that we had maintained for that. And I see a log in called LVANG. And I was just like, what is this? Who the hell is this? Maybe this is a new hire. And I just don't know about it. And I walk into my boss's office and I was like, hey, you know, I got that all set up. However, there was someone who logged in recently. Maybe it's someone who hired in DevOps or something. Do you know LVANG? And I remember, I remember my boss was just typing, also I remember there's a distinct sound at him stopping. And the sound of the chair creaking back and him looking at me. And he's like, you found what? Who? And I was like, yeah, LVANG. I think I looked at the extended name as leaf bang. And he's like, what do you mean? You found a leaf bang log in. And I was like, yeah, it's on the honey pot system. And I was like, look, it was a maintainer. And he goes and he closes the door behind me. And he's like, all right, I'm going to tell you a story about leaf bang. And I was like, OK, let's hear about it. So back in the day, like I mentioned, EI was the rock star group for finding vulnerabilities. So it was like EI and I defense. And that was like the two big companies back in the day for finding zero-day vulnerabilities. And at one point, EI was so good at what they are doing. Microsoft decided to hire someone in order to go work at EI in order to get them to tell them Microsoft about the zero days they found in Microsoft. Wait, wait, what? Hold on a second. You're saying Microsoft got someone to a job at EI. It was a different time. But they worked for Microsoft so they could report to Microsoft what EI is working on. It was a different time. There's this is ridiculous. Like you don't hear about this ever. Does this news ever actually go public? I don't think so. I can't imagine Microsoft. Hiring to work at other companies. This is corporate espionage. That's correct. Well, it gets even better after that. You can save him better after that. OK, so Microsoft hires Lee Feng to work for them, but then plants him in EI to go find out what they're working on and report back to Microsoft. So Lee Feng was working at EI for a while. But then suddenly left, and nobody really knows why he just disappeared one day. But then Microsoft sometime after he left, they're like, hey, we got to have a talk. We have a discussion conversation. And so we're like, OK, Prairie. And so Microsoft was like, so Lee Feng, he was working for us to identify zero days that you guys may have found. Which had to be a bombshell for your company to hear. They thought that must have been. I think they had suspicions in being a little odd. But so Microsoft then goes to say, so apparently, he was also working for a foreign government entity to do the same for us and you. So I'm so in place to meet you in Microsoft. Correct. Correct. Go get a job there. And then he got chosen to go work for us. We hired him. And he got planted. And then he was siphoning zero days. From not only us, apparently, he also had privy information at Microsoft. And that went back to his foreign government that he was ultimately working for. Holy moly. Someone planted him at Microsoft. And then Microsoft planted him at EI. That's unreal. How embarrassing for Microsoft. It's like being caught doing something you shouldn't have been doing. Like, I don't know, have your pants down when the elevator door opens. They know they shouldn't have been playing that game. But now they realized that they got played themselves. Ooh. So I really wanted to confirm this story. And I reached out to people that I know who have been at Microsoft for a very long time. And all of them said that does not sound like something Microsoft would do. So I can't confirm that that story is true. But I would love to know if it is or is it? So if you have information about Microsoft planting people in other companies, tell me about it. Because here's the thing. We know corporate espionage is happening. There's people sending secrets back and forth to tech giants all the time. But it's a secret. So we don't know about it. We only know about the ones who get caught. So it seems plausible like something like that could happen. And you know what? I'm curious what corporate espionage stories are out there. And take it a quick peek. There seems to be some cool ones. In fact, I think I'm going to take an ad break and look at this a little deeper. Because I'm fascinated by corporate espionage. And I might have to do a few episodes on that sort of stuff. But stay with us. Because after the break, Greg is going to tell us some penetration testing stories that he's done. This episode is sponsored by DeleteMe. DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable. DeleteMe does all the hard work of wiping you and your family's personal information from data brokers websites. Since privacy is super important topic to me, a few years ago I signed up DeleteMe and immediately got busy scouring the internet from my name and gave my reports on what they found. Then they got busy deleting things. It's great to have someone on my team when it comes to my privacy. Plus, the New York Times wire cutter has named DeleteMe their top pick for data removal services. Take control of your data and keep your private life private by signing up for DeleteMe. Now, a special discount for Dark Knight Diaries listeners. Get 20% off your DeleteMe plan. When you go to joindeleteMe.com slash Dark Knight Diaries and use promo code DD20 at checkout, the only way to get 20% off is to go to joindeleteMe.com slash Dark Knight Diaries and enter code DD20 at checkout. That's joindeleteMe.com slash Dark Knight Diaries code DD20. After a while, Greg left EI and started doing red team stuff. That is penetration testing. Breaking into companies to test their security. And he also does threat intelligence, which he tells me he got some really interesting contacts and worked at some very interesting places. But we're gonna have to skip those stories because they're too sensitive to talk about. But he is willing to tell us a few pen test stories that he did go on. The first story is about a time when he was paid to try to hack into a major tech firm, which has a lot of user data. I mean, they have millions of users, but not just simple user data. They collected highly personal information on their users as part of their service. So Greg meets with the customer. And it started out weird from the gate goal. The customer was saying, look, we are crazy about security. We go over the top on cybersecurity because we cannot risk our user data getting out. So we don't think you're going to find anything. In fact, the last pen testing company struggled so bad to try to hack us that they got arrested. So they use a third party payment processing system that is not used by them. And their previous pen testers accidentally exploited a third party payment system that was vital to them. And the third party payment system was an Oracle system and not owned by the customer at all. So when apparently, as far as I heard from the customer, they were nearly did their exploitation and then they said, hey, we got to credit cards and we're going to present it to you in the next day and the presentation. So they got the blue team there, all the blue team, all those people were like, and they presented them and said, hey, we exploited this, we exploited this IP address, we got access, we gain in here is your raw credit card details. And as you can imagine, the team looks at it and they're like, what IP is that? That's not local. That's not like, it's a 10, you know, it's like local edges, but that's not ran by us, that is not. And then they found it was actually owned by the third party payment system and they had exploited a zero day and that gained access to there. And on top of that, the credit card details were not. There was a stream of credit card details. So I believe it was outside of even the scope for the customer. So the customer reported them on the safety of their half because they didn't want to think that someone on their network compromised them and reported them to the law enforcement authorities. And I believe that led to the arrest of them. Either way, that's always wonderful to hear going into a pen test. You're here like, hey, the previous guys got arrested. Why don't you guys come in here? So great start already, great start. So if you know me, I still dress like a god kid. I'm still all black. I'm cyber punked out. I wear Neo4k, love them. I'll wear everything from VX Underground, all black. Anything I can. So I show up at this facility. And at this time, we also have a coworker of mine. And this is my coworker's first big, real big pen test. And so he comes in too. And I will never forget the people there because they look at me and they look at each other and they're like, oh god, we gotta put you guys in the back room. And so they said, that's a separate room away from everyone else. I draw my career, this is kind of the thing. I'm the guy in the back room. I've been there because of Hollywood. So they saw us back there. And this is a five day insider threat pen test go. So his job was to simulate an employee there who had gone rogue or had been hacked just by being in the building. What could he do? Sniff some wifi traffic, plug into some network ports. Well, that's worth checking out. But they did give him a single user's login. And they said that users should be locked down so tight that you shouldn't be able to do any harm even by knowing their password. This customer, I've been red teaming a lot of places. Their blue team, their sock team is absolutely legit. One of the best defense teams I've ever had the honor of working with. And so they literally are running their own kind of like built in ER system that they built themselves that's tying into their sock, going in there. And we get nowhere man, day one, nothing. Day two, nothing. Day three, my co-workers laptop dies in the middle of it. And he can't even work anymore. And we had to give a report on the customer. And I remember them just looking at us and being like, I think we hired the wrong people. Like literally like do you, are you guys wanna resign? And we can scrap this up, call it quits. And then we can go hire somewhere else. And I was like, no man, we got this. Day four happens. And we, I remember it was like four, four 30. And we have to give, at five o'clock we have to give our meeting. And my co-worker had to go to Best Buy buy a brand new machine and he spent the entire day imaging a machine on a red team engagement. And he looks at me and he's like, man, I don't know what to do. So I was like, hey, let's try one more. Let's do some art poisoning. And just do one more time. And I remember looking up and that art poison grabbed one plain text credential that just happened to be an FTP job. And we're like, oh, we got credential, we got somewhere, we got something. It turns out that credential was the build system process and it allowed us to get into the build system to roll code throughout the entire thing. And it just so happened that four 30, they rolled it out to do an end of day lockdown and build system and the configuration lock everything down. So no one is doing any more builds. We went to that meeting, said, hey, we just intercepted this. And I remember them all thinking, wait a minute, that's the old build, like in that credential is still active. At that point, we had a really cool exploit for that one. We got into the build system and they had a lot of controls on the actual files in there. So we couldn't modify into build files, but we could edit the command line. So we rolled an inline assembly.net include in there to roll in, go into their portal and steal all the customer data who enter a credit card in there. We marked it in the data. We blocked out that credit card, but we put an asterisk in there, stolen last four digits and then had it sent out to them. They test it, they round out, they were like, holy crap, we have not had a red team roll out code to production. And like eight, nine, 10 years that we heard, come back next year, come back next year. Talk about a hail, Mary, not a single find all week and then 4.30 pm on the last day they catch a lucky break by sniffing a credential in the network, which gave them tons of access. What a good find that saved their butts. I come back next year and they're like, hey, we want you to do something kind of crazy. We want you to target D&A. Part of what this company did was genetics studies. They had DNA data on their users. And this was regarded as one of the most protected assets of the company. So why not hire a hacker to try to find it and steal it? And we don't care how you get it. Anyway, you can get it. That's that's fair game. So I spent like a week in there as a malicious insider. He starts with a basic employee login again. He is locked down pretty tight, but it's just enough for him to get a foothold somewhere else. And from there, he finds an exploit in another system. And then he was able to pivot from there, collecting more system logins. And finally, he's able to get in a system which manages backups of machines. He can see there's some really large files here. Maybe those are system snapshots or backups. But what system is it a backup for? No idea. But he decides to try to download it anyway to see if he can look at what's in these files. It literally aired out on the share size. And I was like, I've never seen that before. And I remember clicking a file and I'm at a local network. And I remember that file taking forever to get to me. And I was like, how big is this? So I grabbed the file and I'm on the local machine. And I remember looking at it and it's TCGACT, like those letters. And I was just like, I think that's DNA. I think that's DNA. And I was like, huh. I don't know. Maybe this is gotta be. This can't be. This can't be right. So I grabbed it. And I cut off like as much as I could. And then I sent it over. I work with a biologist. She was very, very smart girl. And she just happened to be a biologist who was working with mice at the time. And she actually knows DNA. And she worked with DNA. And I was like, hey, what does this look like to you? And I said to do her and she looks at it. And she's like, oh, this is a DNA sequence mapped out by this program. And then this is like, I was like, oh, okay, cool. And then she's like, hang on. I can even tell you what kind of DNA this is. And she, like, come on, let's go by. She was like, why do you have human DNA? I was like, I gotta go. I gotta buy a click. And so my next task was like, they were like, you have to get the data out. You can get in, you have to get access it. You have to get it out. So at the time, again, it was ran by a very, very good sock team. There was a lot of the environment I was in was very, very well restricted. And the only way I got to her was through, you know, sending a picture. I remember selecting it all and then putting it into it, like, a nap, sending her a picture of it. And it was like so bad quality. I just said it a couple times actually. But so I was like, how am I gonna get all this data? I can't do with the phone. You know, I can't do with the picture. How am I gonna get all this data out? I was a malicious insider. So I was working as a quote unquote IT member. And so I would got introduced to the IT group and they're like, oh, yeah, you're gonna be working on this environment. You're cool. And so I was like, I gotta figure out a way I can get a bunch of hard drives. And I have to get a bunch of hard drives back into the building. So what I did was there was printers that were scheduled for to be, these printers were scheduled to be taken to repair. I remember grabbing all those printers and gutting it as much as I could and walking out and going out to the front desk going out the front, where I'm gonna be like, hey, I gotta send this printer to repair shop. It has to be done today immediately. And so the front desk people were like, okay, just sign off for the printer. Load that into my rental car and I go to Best Buy. And I'm like, I have to get hard drives. I have to get a lot of hard drives. So I went by, and this is back in the day where those were external hard drives were those big obnoxiously ugly colored things. And they came in like, I think 32 gigs or 64 gigs was like a big hard drive at that time. So I go through, I have a shopping cart and I just go from the end line of these and just pull the whole thing into the shopping cart. I have a full shopping cart of hard drives. You put your arm on the shelf and just, do you know that meme where the guy's running around Best Buy? He's like all hacked all the things, they hacked all the things. That was me except with hard drives, I got into a shopping cart. And I remember going to the front of the desk maxing out my credit card and then of hard drives and then going back into my hotel at the time and loading them all into the printer. I put it, I shelled out the hollowed out printer. I just stacked the hard drives in there and clotted up together and then shop to work the next day, get the little trolley carts they have, go out and say bring it back and I remember, I remember I'm bringing back the printer and the front desk person was like, wait, you sent that off to be fixed yesterday? And I was like, yeah, he's like, you gotta tell me how you got those guys to fix that in 24 hours because man, they are always so slow. And I was like, oh shit. Well, I bought them a root beer and they're like, oh, that makes sense. I was like, I bought a wrong with six pack of root beer. And he was like, ah, okay, good to know. So I go back to my area of the building, putting it and I have this printer next to me and then I am opening up a little panel and I'm just USB drive literally copy-pasting, mounting copy-pasting and I started it. I started it like 815 AM and I am there until they kicked me out of the building at like 9 PM. Doing it nothing but moving over data. And then I leave the printer there. And for next two days, I am literally doing this every day and then on my last day of the pen test, I remember I walk out and I go to the front desk and a guy there and he's still there. He's like, I was like, oh dude, printer broke again. And he's like, oh, don't worry, I got something for you. And he goes to the fridge, little little fridge he has and he brings out a six pack of root bears like give this to them and tell them I said hi. I am sooner trying not to laugh while I'm holding the pen of bytes, like I can imagine. I think, I don't know how, I couldn't get it all but I remember I bought over like 80 hard drives for Best Buy. I think I actually went back a couple days later and brought some more because I didn't think I had enough and put them in my jacket and my pants and I loaded this HP printer and filled that thing up and got to my hotel and then at that point, I had a secondary laptop that I asked or I requested to prove for exfiltration, connected to that laptop, loaded up and said done. So when it was time to show him what he found, he has them go into the room where he was working again and said open up the printer and they open it up and when they do, bunch of hard drives just come pouring out of it and he says those hard drives are filled with all your DNA data. Yeah and they later said, hey, you were the first person to do that and I worked for the rent teaming for I think three or four more times after that and after that was a call center I talked to, okay, here's the big question though, right? The first time they're like, we've got to go in the back office, we can't have that. After doing it like three or four times when you're walking through, are you feeling more confident? Like, oh no, you could be in the front office, we don't mind you being around here. Oh man, I went to their barbecues, I went to their family and they're all very nice. After the first time they're like, look, you can never meet the execs but we will absolutely hire you every single time. A few years go by him doing Pentez and he gets another job which also has an interesting story. This time a venture capital company has hired him to try to hack them. Now they wanted to see if he could hack into them to get data that would influence the market or something that might hurt the reputation of the company or see if he can gain information that can be used against the company. So Greg gets tasked with going on site to try to hack into this venture capital company which remember even though he's well into his 30s at this point, he is still dressing all off and considers himself a goth kid. I'm still a goth kid man. I still dress in black, I still wear my goth. Like, like, I'm like I said, I don't wear, I don't like the colors or anything but I still just all black, I wear my goth outfits, I wear my VX underground, my Neo4k, shawls and everything, I wear my goth boots. And what's funny is every single contract I sign for work, I have two clauses in there. Clause number one, I'll never code in Ruby, fuck Ruby. Now clause number two, I'll never hear to a dress kind of period. If those don't two don't happen, I don't work there, period. So, so, Neck goes back to, like, when I was in cybersecurity, I was one of the kids he never went to college for cybersecurity and so like all these places are like, oh, you gotta get a college degree, you gotta do all this kind of stuff and you gotta wear suits and I was like, now fuck that man. If you don't hire me for like the things I know, I don't wanna work there. And that's been a long believe and I still believe that, to this very day. And I told my boss, the day that my, my goth outfit interferes with the way I work, I would stop doing it. Still do it to this very day. It's been 20 years. Anyways, so they send me over. And number, I get out, they're like, hey, we want you to meet at this area, meet at this outside, it's gonna be outside the hotel that we're all staying at. And I walk up to this guy and this guy is wearing a suit. He is wearing like a suit that costs probably more than what I make out of month. And he's in there, he's smoking a cigarette, clean cut. The guy looks like he's still like active sink or service. I think he even had a earpiece in there. And he looks at me and I was like, hey, are you, are you this guy? What we'll call him Brando. What are you Brando? And he was just like, yeah. And he's like, are you Greg? And I was like, yeah, nice to meet you. I know where he takes the longest drag at this cigarette. You know that meme from, what's that HBO true detective where the meme of looking at the phone and the guys is inhaling the cigarette where Matthew McConaughey and I think is inhaling the cigarette. I got that exact look from this guy looking at me and he just tosses that cigarette and he's like, this is gonna be a long week. He's like, let's go. So this guy is his escort and drives him to the building where he's supposed to do the pentast and he takes Greg to the front door and he tries to go in with his escort. And I remember physical security is like, sir, who are you? What are you doing here? They literally get in front of me. I was like, no, I'm with Brando over there and I'm part of the assessment and they're like, give a semi-D. And they escort me into the building and also I'm getting a call from like my contact and he's like, where are you? I was like, I'm being detained and he's like, oh, it's a great start. So they come over and they realize that I'm supposed to be there. And then I go meet my contact and I remember him looking at me and being like, oh man, he's like, all right, well, you can go working that backroom over there. We're gonna tell everyone you're an auditor or someone so no one bothers you. You're gonna set up in this backroom and just don't bother anyone. Just together. So they sat him down and said, okay, hack this place. And he's like, well, can you give me like a user login or something? No. All right, can you give me the wifi password at least? No. Well, listen, I see a bunch of wireless networks and I don't want to accidentally hack into the wrong wireless network. So can you at least tell me which wifi network is yours? I can see the contact at the venture capital is like, man, it was like, he looked at me and he wanted me to be out of this building to fail as much as possible. So he's like, our guest wifi ID is this, go. That's it. That's all I had to go on. Nothing else, just the guest wifi. So I get up and I'm like, okay. So I start walking around the building and the security team's absolutely following me at every step of this and Brando from the other third party is like, where are you going? Like what was going on? I was like, I'm looking for a wifi password. And he's like, I think, he's like, I'm pretty sure you're supposed to do that with the computers. So I was like, nah, nah, like they're gonna have this and I walk around the building and eventually I find it on a whiteboard. And I'm like, they go, let's go there. So I go back and I sit down and now I'm on their guest wifi network. Nice. How clever. Just look around the building for the password. All right. So now he's connected to the guest wifi. So I get the password, I sit down and from there, I start scanning and the first thing I go is I hit the wifi router and it's a Cisco device. And this team, I'll later learn that this team is very, very good. However, again, like they mentioned, they've never had a full red team event. So the router security is nowhere near where it should be. It's actually the router is a single router, a senior Cisco device that is both the guest wifi and the internal wifi as well. So I exploit the router, I jump on the router and then I make the entire network flat, I bridge over everything. So now my machine can be, it can attack anything on the inside of the network, even though I'm on the guest wifi, I can still start attacking anything on the inside network or on certain networks. They had multiple inside networks. So I start bridging them over one by one. How did you exploit the router? The router didn't have like, A, their password was default, as unfortunately as it did. Number two, they had an administrative password on like the panel. So the access, the access was one password and then I brute force, I believe the password of the admin panel. It was very close to standard password on there, gain access unfortunately. So the guest wifi should only have very minimal access like just to the internet and no internal systems in the building. But when he bridged the networks, he could then access anything that other employees could access, which gives him access to a ton of internal systems. There, I start doing men in the middle of attacks and let me tell you, red teamers out there, pentesters out there, never skip out on layer two attacks. Layer two is your responders, your can and ables, your art poisoning, your DHCP, your DHCP spoofing, all of those, that is gonna be your bread and butter. I promise you, those vulnerabilities are still existing there, they still work. I work engagements to this very day. That is where so many places fail. So I'm in the middle, I start stealing credentials and this is back in the era before SSL security was everywhere. So you could still do men in the middle and downgrade websites to DHCP logins. And I start getting credentials to people logging into work emails. After about an hour, I get access to relatively new hire she has like six months of work in her inbox. I access for email. And the first thing I do is I go all the way down to day one. And what are you getting day one email? You get your employee training, you get your onboarding information, you get your onboarding documentation. And if you come to this building, you get your building alarm code. So have physical alarm code that goes in her and also have her badge ID number and what she looks like, it's such. So I'm like, okay, so what can I do next? And I remember the brando, the ex secret service guy looking over my shoulder and he's like, what are you doing? And he's like, I was like, okay, so you know these car videos, he's like, yeah, he's like, we're gonna, we're gonna clone one of these car readers. And he's at this point where he's like, all right, golf guy, you're not so bad, okay? I like this idea. And he's like, all right, I'm gonna work with you on this. And I'm like, he's like, I talked with them and we're gonna talk about guard ships and times to get into this building. And I was like, okay. So I tell my plan and I was like, man, so I got a building alarm code. I'm gonna, I'm gonna put a RFID cloner, next to their badge reader and when they badge in, I'm gonna start getting all these badges. And he's like, okay. And so a day goes by and eventually the girl who's building alarm code comes in, badges in and I get her, I have like a proxmark system. I keep pulling it and also I notice I got her ID matches up. So now I have her employee ID badge and her building access alarm code. To get into this building, you need to use your little badge and tap the badge reader and the door unlocks. And what Greg did is he put a little badge sniffer behind the real badge reader. So that anytime anyone taps her card, he gets to see what their badge is. And that essentially allows him to clone a badge. They gave me a tour of the building at one point, very against their will. They're trying to like hush me around. The two things I noticed when they gave me that tour was A, there was a balcony on the second floor that had a tree next to it. And from that balcony was a straight shot into their server room. And basically you go through one room in that room, you get into, you do it on one hallway and you're in a server room. And the server did have a badge reader on it. The second thing I noticed is, it's sort of like almost like a spiral skirt. Stere case downward. There was lots and lots and lots of paintings. I never were asking during the tour. I was like, whoa, these look like real paintings and they nodded, they're like, yeah, CEO, what does he know is here, loves paintings. And this is their pride and joy. They like to show art and they like to make sure that, and I was like, huh, that's interesting. That's cool. And so I remember, so for the next couple of days, I had to get a badge of an IT guy because I needed to get access to the server room. And eventually I get it. And it's through the Parkmark system as well. And the meantime, I'm doing men in the middle, getting credentials, doing traditional attacking methods, but I really wanted to focus on this, on this whole physical element because the brando working with me, he was just like, man, he's like, we can do some mission impossible stuff. And I was like, yeah, yeah, we could. And so the next phase was, they had cameras everywhere. They had internal cameras, outside of external cameras. And I remember doing the network. So eventually every day I'm folding different parts of their internal networks into the guest network that I'm at so I can bridge over and start looking. And eventually I find all their camera network. And luckily for me, they are using access cameras. And if anyone's work physical security, everyone knows there was an error of access cameras from like 2001 to about 2008, 910 where everyone had, all these places had these access cameras because they had a ton of features. They were cheap. They were Chinese made, wonderful cameras. However, they were the worst security ever. They had so many default passwords. They had buffer overflows and access control systems that buffer overflows and their web interface. They had like a web interface that when you connect to it, it looked like GeoCity. Like it was like straight up like 2002 internet all over again. And that's how you controlled the cameras directly. So talk to a brand down, he was like, okay, look, man. He's like, I know they do a guard change. It's 2.30 am between around that time. He's like, you gotta be in and out of a building around this time. And I was like, well, he's like, and he's like, also, there's gonna be someone always watching these cameras. And I was like, okay, that's fine. He's like, what are you gonna do with the cameras? So I show him, and I start connecting to all these cameras. And at the time, there's an access. I think they're still running like firmware from like 2005. And there's an access buffer overflow that allows you to control again access to everyone in these cameras. Still running that, then patch them, jump in. And then from there, I can access the city little interface. And I show him, I was like, look, what happens if I modify these two values? And the values is brightness and contrast. And you can edit both of them. It's usually for, you know, when a viewer wants to look at the camera, they're trying to, oh, it's too dark or too bright, they can edit these. And UI, you can edit them a little bit, but programmatically, you can edit them all the way from zero to 255 values. So you can make them go all black or all white. So as show them, I was like, watch, we can make their cameras go boom. And then watch, I showed the camera, it goes distinctly black for a second. And then I undo it. And he's like, oh, I was like, yeah. He's like, all right, goth guy. All right, I see what you're cooking here. And so he's like, well, how are you going to get these into an area that, you know, how are you going to like, do this in a way that you're going to be carrying a laptop with you, it's going to be just be awkward. I was like, you know, that's a good point. So in this engagement, I had a shuttle device just being, a little tiny laptop, computers are like the size of a shoe box, a lot of pen testers used to leave behind devices. And on that shuttle device, I put a Bluetooth radio on it. And so with the Bluetooth radio, I was like, okay, I'm going to walk around the building and I'm going to get measurements of where I'm out with the Bluetooth signal or noise ratio. And when I'm in front of those areas, I'm going to map out what cameras those are at. And I am going to make sure that I can get access to this. And so I test out the Bluetooth range. I had to put a big antenna on this thing to get the Bluetooth receiver on it. And that worked. So I could have the Bluetooth show. I'd go in front of these two cameras, the two cameras that point outside to the patio. I could have them identify there was a camera on the inside there. And then there was a camera facing the server room. Those are the cameras. I needed to black out. So my app set signals to the Bluetooth. The shuttle device would take that signal and relay. And when I received those, it would send the packets to those cameras to make the values of brightness or contrast to 255 or zero, completely random. It's like back and forth between them to make it look like a black and white screen. So like an effect that was like the camera's malfunction for a bit. So I was like, man, I have to delete. I could look at these cameras. I could test to see if this works. Not sure if this is really going to work, but we're going to try it. So he set everything up to try to break into the building overnight and not be seen at all. The front door might have extra security and he didn't want to take the risk. So his whole plan was to sneak up to the building, black out the cameras, get in and gain access to the server room. Keep in mind, everyone already was on high alert from this kid. They thought he was very suspicious. And he was going to have to do something over the top to get in. And that's when he realized his point of entry should be the balcony. So that night, man, I came in 2, 30 in the morning, climbed up the tree. I get off the balcony. I push open. They had to get a security door on the balcony that they would lock before you can get to the badge reading door right there. I pry that open. Hit the badge, go into the building. The alarm starts beeping. I hit the building alarm code. And lucky for me, the girl had not changed her alarm code. And I was in. And I look at the cameras. And I remember being so nervous about this. And being like, oh, man, this is hopefully this is work. Or I'm going to get tackled very soon. So I make my way over to the server room. And my secondary badge, the other one I have for the IT guy works for that one. Badge clone got him in there. Went to the server room. And from there, bootrooted all the machines. So if you're unfamiliar with bootroot back in the day, this was you plug a USB device into the machine. You turn off the server. This machine would then boot off the USB device as a recovery device. And from here, you would replace a Windows component. Sticky keys would be ideal favorite. So you replace sticky keys with command shell. And then you reboot the machine. So the machine, after you do that, machine, you reboot the machine. It goes into the password login prompt. And you hit shift five times. That would then launch sticky keys, which has now been become a command prompt instead. And now you have a command screen on it. And then you can run commands as elevated pages. You run a system. So you'd have elevated command. So from there, I exploited all the machines. I dropped a flag that said I was here. And then I went into their stores and put flags on all those. He's done it. He successfully hacked into the server's mission and possible style. And so he starts to go out. But he notices something. Those paintings. So I proceeded to go down the staircase. And I go down to the paintings. I just quickly grab a sticky pad and put us little happy faces. I get a little sticky page. And start putting them right next to all these paintings. Like there's a little placard for each of these paintings tell you essentially who made these paintings, what it would it symbolize, in some cases, how much they were worth. And I stick little happy faces on it. And that says, I stole this. So it's typical for a physical pen tester to leave a token behind, to prove that they were there in a server room or a desk drawer or something. I mean, just think about how you would feel. If you went to bed and then woke up and there was a sticky note on your bathroom mirror that said, Greg was here. Just a small note like that can say a lot, can't it? Here, what Greg was doing was proving that he had access to these paintings. And he had time to go right up to them, put notes on them, and security never saw him do it. So he wrote, I stole this on a bunch of sticky notes and just kept putting the sticky notes on painting after painting after painting after painting. And I remember like 605, like I get a call. Greg, Greg, yeah, yeah, was this you? What's the happy face? What's that mean? How did you do that? What is, it doesn't matter. The CEO wants to like talk with you today. Get in here like eight o'clock. Like, he's like, I don't know man, he's really upset. We had to figure out, I was like, okay, okay. And in that meantime, like physical security had an issue. Like they had a, they had an incident because they were like, they were looking over and they were like, well, someone walked in and put all these happy face stickers on there and they walked out the building. They're like, what does this mean? I stole this and I remember they were coming around and I get into the building, they escort me to the like the boardroom and the boardroom has this massive table on it. And me and my awkwardness, I pick, I remember sitting and picking the exact opposite of where I imagine everyone in the exact corner of it. And the physical security is like, no, get over here. Get over here and first, they give us your idea and we're gonna run some background checks on you again, just to make sure. Physical security knows to treat those paintings with a very high level of security. So when the CEO came in and he saw his paintings had sticky notes on them, he simply asked, who did this? What does this mean? And when security had no idea, then the CEO is like, okay, we'll find out. And then when security looked at the cameras, they saw they were glitched out during that time and they had almost no evidence of who did it. This made the CEO furious. What do you mean no security footage? Find out who put these sticky notes on this and the cameras around the building were just all black or white because Greg hacked into them to prove he could sneak into the building late at night with nobody noticing. The VC, K-Man, the VC, okay, came in and was like, what the fuck is this? Who's like, what do you mean stole my paintings and little happy faces on them? And that's what kicked off the security team, Allure. And I remember I was sitting there and then my contact leans over to me and he's like, look, again, I have never seen him cancel meetings like and move so into see someone like this. So I don't think it's gonna go well. And then I look over to Brando and Brando is just like, you know, he's like, maybe we flow a little bit too close to the sun here, a little atchristus, a little hard, but you know, whatever. So CEO comes in with this security team, they hand me back my ID and he looks at me and he, you can tell the thoughts of this goth kid in his boardroom is not what he expected and not what he was expecting to meet for when he, and he looks over and he's like, you hired this guy and my contact who worked at the company was just like, yeah. Yeah, like looking at him. He's like, all right, and he's like, so walk me through what you did. And for the next 10 minutes, I retell him the story of exactly how I did. And this VC, previously, had been very technical. He was a code developer, he worked on software. And so he starts going and he starts asking me very intelligent questions back. We start having them back and forth about, oh, okay, so why those things, all right. And he's like, so two questions for you. First, what were you gonna do with the paintings? And I was like, I was dating a girl at a Brooklyn at this time and I was like, you know, I think about taking him to Pratt University and maybe fencing him at the university there, that it's gonna be someone who knows like some weird connections at the Pratt Institute of Hurt. And he starts laughing. He's like, all right, he's got a plan. And I was like, okay. And he's like, I really like those paintings. And I was like, I can't believe you, like you would, you know, I was like, yeah. I absolutely would have stole right out the front of the building, I was like, all right. So then he's like, all right. So the next question is, what are you doing next year this time? And that's how I became their reoccurring rent teamer for four years until they got hired at me breaking into the buildings and doing all the things and hired me as full time. So after this, I got introduced to a lot of the various levels of executives for this. And then I got to pen test all their person houses and got to show them how life is equal security is important, getting access to all their pet house suites, all their large houses that I did that for quite some time afterwards. Okay. Big thank you to Greg Lineras, aka Laughing Mantis for coming on the show and sharing these stories with us. Please consider supporting the show by visiting plus dot darknetdirys dot com. If you do, you'll get 11 bonus episodes and an ad free version of the show by becoming a supporter is the most direct way that you can help make sure this show continues running and delivers you more episodes. Please visit plus.darknetdys.com. This episode is created by me, Capsha America, Jack Recyder. Our editor is the super subnetter, Tristan Ledger, mixing done by proximity sound and our intro music is by the mysterious break master cylinder. I've been working on a new dance lately. It requires the most efficient use of muscle memory in order to spin at the perfect RPM. I call my dance the algorithm. This is Darknet Diaries.