166: Maxie

The card of giants is an interesting story. In the Bible, Genesis 6.4, it says, there were giants on the earth on those days, and they made it with people and created mighty men of renown. This guy named George Hall was like, wow, there were giants on earth, but the Reverend argued with him and said, no, no, no, there were never giants here. But George was like, no, no, the Bible says so. There's got to be a way to prove it, but George could not prove it, of course. So he decided to fake it. He went to a quarry and dug up a huge block of gypsum, then hired some stone cutters to make the block into the shape of a giant man. They created a rough statue of a man that was 10 feet four inches tall. Then George stained it with acid to make it look old and put it on a train and took it to his cousin's farm in Cardiff, New York, and late at night, he buried it on his cousin's farm. A year later, his cousin went to dig a well and hired a crew to come out and dig the hole, and they ran into this giant in their dig. And one of the workers immediately shouted, this must be an ancient burial site. And so they dug up the giant and the word spread that they found a buried giant. People from all over flocked to the farm to take a look. It was quite surprising to see a petrified giant of a man. A lot of people believed it was a petrified human. The Bible says so, see? But some thought it was just a statue. But pretty quickly, George's cousin realized how valuable this thing was. So he put a tent over it and started charging people 50 cents to come in and see it. 500 people came a day to see this amazing giant. The whole town started a profit from it. Restaurants were filling up. Hotels were booked. And that's when PT Barnum came. And he was like, sir, I will give you $50,000 for that giant. What do you say? The farmer was like, no way. So PT Barnum hired someone to make a wax copy of it. And Barnum displayed this unauthorized copy at his circus and claimed it was the actual giant and charged people to come see his fake replica. A year later, George Hall came out and said, this whole thing was a hoax that he's the one who buried it there. But while it didn't prove that giants roam the earth, it did make his cousin pretty wealthy. And that's how scammers would get you in the 1860s. These are true stories from the dark side of the internet. I'm Jack Recyder. This is Dark Net Diaries. This episode is sponsored by DRADA. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks can feel like running a never-ending marathon. Enter DRADA's Agentex Trust Management Platform, designed for leaders like you. DRADA automates the tedious tasks, security questionnaires, responses, continuous evidence collection, and much more. Saving you hundreds of hours each year. With DRADA, you can spend less time chasing documents and more time solving real security problems. With DRADA, you also get access to a powerful trust center, a live customizable product that supports you in expediting your never-ending security review requests in the deal process. It's perfect for sharing your security posture with stakeholders or potential customers cutting down on the back and forth questions and building trust at every interaction. Ready to modernize your GRC program and take back your time? Visit DRADA.com-darknet-diaries to learn more. That's DRADA spelled D-R-A-T-A. DRADA.com-darknet-diaries. This episode is sponsored by Spy Cloud. With ransomware affecting 85% of organizations in the past year and fishing becoming the top entry point to ransomware, taking action on your company's exposure has never been more critical. I recently visited Spy Cloud.com to check my Darknet exposure and was shocked to discover just how much stolen identity data criminals have at their disposal. Spy Cloud's new Identity Threat Report reveals that nearly half of all corporate users have been infected by info-stealer malware at some point. With 63.8 billion distinct identity records now circulating on the Dark Web, the scale of this threat is staggering. What's even more alarming is that only 38% of organizations can actually detect these historical identity exposures that create ongoing risk, knowing what's putting you in your organization at risk, from stolen credentials to session cookies to PII, it's critical for protecting against identity-based threats, like account takeover, session hijacking, and yes, even ransomware. With Spy Cloud, you're never in the dark about your company's exposure from third-party breaches, successful fishes, or info-stealer infections. Read the full report and check your Darknet exposure for free at spycloud.com slash darknet diaries. That's spycloud.com slash darknet diaries. I want you to meet Maxi. My name is Maxi Reynolds. She grew up in Scotland and had an itch for adventure when she was young. She knew she wasn't fit for a sort of sit down, do a lot of paperwork, office type job. No, her head was always up in class, looking out the window, dreaming of faraway lands that she could visit. I left home at a really early age about 15, and I had no idea about what I was going to do, what I wanted to do. And so I tried everything and I was ending up working in bars, and I was a clean-out and all these sorts of things. I just thought, no, this isn't for me, and I want a job where I can travel and see the, you know, outside of Scotland. So I went to university in England, which is somewhat treacherous being a Scottish person. And I go out to get in underwater robotics. She was hoping this degree was her ticket to travel. Maybe if you're going to be operating underwater vehicles, you'll get to go to some pretty faraway places. So she started applying to every company she knew that used these remote operating vehicles. I couldn't get a job, and it was because I was female. The reason why this was a problem is because sometimes she'd have to go out to see in small vessels or be stationed on some kind of platform at sea, which also had small living quarters. And the problem was that these companies required men and women to have separate cabins. And they simply couldn't accommodate her, because a lot of these cabins had four beds in them, and they didn't have any single bed cabins that she could be in. And there just wasn't enough women to fill up a sleeping cabin. So she just didn't get the job. I was told the same story over and over. But that didn't stop her. She kept applying at places. And eventually, an Norwegian company finally said yes to her. Finally got an Norwegian company to accept me, and they said, if you get your private pilot's license, we will take you on. So I went to Banking Scotland and asked for a career development on, and I got my private pilot's license. What about Ruth Pilate? Is different than our V pilot deserve? Yes, this is a small, yes. So I can fly a Sessna, although it happened in America, I can do that. And so it was supposed to be quite similar. And then I called the company back and said, hey, I've got this, and it takes months. So, and I was getting further and further into debt. So I called them back and said, here, I've got this. And there had been this change of management. And I was like, it's not actually, we don't know why they said that. It's not a private pilot's license. You need for a plane. We're more, like, as an R-O-V pilot, it's closer to a helicopter. So, changed my name. I went back to the bank in Scotland, got another career development loan. And then we went back and got my PPL for helicopters. Then we went back to them and said, OK, I've got this, but listen, no more surprises. And can I have a job now? And they took me on. And it was sort of life-changer for me. This job required her to travel a lot, North America, South America, Europe, Asia. She got to travel the whole world while working as an underwater R-O-V pilot. And sometimes flying helicopters. So I lived in Venezuela for a while. I lived in Trinidad. I have been to sort of everywhere from Nigeria to Australia. A lot of course lines. I've seen a lot of war. While she was doing this work, she started getting more fascinated with IT. Computers became her passion. She was enrolled in remote learning courses. I was able to get a degree in computer science. Then she took a month off work and landed in Los Angeles, California, just to take a break for a while. But she fell in love with LA. And while there, she started going to a gym to exercise and work out. One of the people that I was training with in the gym was a stuntman. And I was sort of big down to, please let me hang out with you. Let me be cool too. So eventually he sort of got me some training in stunts. And he actually got me one of my first jobs. She was in a few independent films. Did a few stunts for them. She got an opportunity to be in House of Cards. And she does stunt for them. But they decided not to use it for some reason. Well, that was cool. It was also short-lived. Because while it's exciting, she didn't see it as a long-term career. I studied quantum computing. And it was really difficult. It was extremely difficult for my people mind. But it was really enjoyable. And I loved it. This turned her attention to new technologies and companies. At some point, she got a job for a company in Australia and move there. My first entry point into both social engineering and really and pen-test and was in Australia. And I worked for a big company down there. They gave me a shot on their graduation team for Cybersecurity. This company had penetration testers. People who tried to break into a building or network to test the security of it. She got to watch one of these pen testers work by monitoring their activity through cameras. And I was witnessing a pen test. But with this social engineering component and it was a guy, he was a really good hacker. And he had gone into the network of one of our targets. And he was opening all of this security doors and automated doors for one of the team, the Cybersecurity team. And they were just walking through and they were filming the whole thing. And it was being broadcast live back to us. And it was amazing. And I was thinking, OK, this is a good job. This is the kind of job that I would like to do. Being a physical penetration tester seemed like just the thing for Maxi. Breaking into a building, acting like a spy, that seemed really fun. She asked if she could do that. And they were like, well, your luck isn't because we have to test them without these technical capabilities. So we're just doing a physical pen test. Would you like to be involved? I jumped at the chance. So they gave her an assignment, which was to try to get into a company and film what they were working on inside it. And to start figuring out how to get in, penetration testers often use O-Sense, which is just gathering data on a target through open public searches online. So she does a little O-Sense and starts learning about the company more. They had some very interesting IP. They were a transport company. And they were building some unique buses and large transport vehicles within this whole complex. So my job was to get into their past reception, past security, get in and look at all of the assets and the IP. And it didn't need to hack any computers or even plug into any computers. It was simply to get in and to essentially have a look at them. How fun, right? Can you get into this factory? Take a few photos of what they're building and get out. Without them knowing your spy, as she starts learning more about this company, she found out that they had some big connections with Sweden. As in some of their offices were located in Sweden. If you squend your eyes and you were very far away from me, I could probably pass a Swedish. So I had decided, and no one stopped me, I'd like to point out, I decided that I was going to pretext or present myself as like a Swedish ambassador for this company. And I had the CEO's name and some other topic's ex names and things like that. She does have blonde hair, but even though she may be able to pass a Swedish looking, there's no way she's going to sound Swedish, not with that, it's got a cheque scent. So her plan was just to put ya on the end of everything and hope they didn't notice. No, and it gets worse because even I, because they're, they're stealing, right? They're not idiots. I was thinking that will never work. But that was her plan and she decided to go forward with it. She liked the idea of acting like someone else. So she was set on being the Swedish ambassador for this company. Walk in, tell them she's from the Swedish branch and she's just flown into inspect the building, but in order to do that, she's got to look the part. So she takes a trip down the local clothing store, buys a new outfit, something that would make her look like an executive. I bought a clipboard and I looked professional and I had like a little brief case. I was really trying to like professional. She's all set. Where did he go in? Outfit on, camera rolling, deep breath. Let's go. So I go in to reception and I approach the receptionist with like a warm smile and you know being as nice as I can be. I said, I'm here for this. I'm here for this appointment and this is what I want to do and this is where I'm from. And she said, okay. And I was like, what? It was that you see this doesn't make sense. But you know, I'm not going to get in my own way. So I followed her and she took me to this little room, just sort of directly behind reception. And I was greeted by this adorable little old lady. And there was one other person in the room, but we didn't really talk. So I had to present ID, which is another stumbling talk. And I got to talk into them. So they asked me why I was there again and all those things. And they said, they weren't expecting me, but it wasn't a problem. And I thought, oh, this is really easy. This is great. And I gave them my ID and I had to, and this is really an ID at the time. And they said, you're from Sweden. And you've got an Australian ID and I said, yeah, and I've got a dodgy accent. I went to school in the UK. So I tried to get around to like that. And it works beautifully and I don't know how. So I got in. Okay, at this point, she's doing pretty good. Passing as this Swedish person from another office, she got into the building, check, past reception, check, and passed the two people that she was handed off to. Check, check, check. Now she's in and she's trying to film things, take pictures of what's going on. There's an engine room. That looks interesting film net. So she goes in closer to take a look. And I was walking towards one of these large engines. And this man was walking towards me with, I think it was like, to their main. And he stood out. He had this beautiful blonde hair and these big, blue eyes, like completely staring at a typical, Nordic look. And he came up to me and he said something in a language I don't understand. But immediately, guests, correctly, this is Swedish. I'm supposed to be Swedish. I don't know any Swedish. So I'm racking my room for the limited amount of Norwegian that I know. And he, whatever he said, I kind of just looked and I felt my body get tense. And I felt like my brain said, get him to open up, let me can't involve into hell. This is torture, please no. And I saw he said, yeah. And he went to me like, okay, baby. That doesn't make sense, but okay. And then he repeated it. And so I tried the one word I could remember in Norwegian, which is, nah, for no. Because if you asked to work, there may be no word, which was the one of my dumbest moments. But so then he quickly just understood, this isn't right. And then security was called. They had a very prompt to security team. They came, I was detained. Oh no. She was caught. This is every pentester's fear. But just because she's caught doesn't mean it's over. Maybe she can somehow get out of trouble, convince security that everything's fine, or at least just try to leave the building without being caught more. She tried to change the story. Oh no, I'm not from Sweden. I'm just working with the Swedish team. I'm based in England. So they asked to see her idea again. And it just wasn't checking out. They were very confused by the whole thing. At that point she just couldn't see any way out of it. So she pulled out her get out of jail free letter. This is a letter that all penetration testers have that gives them authorization to do what they're doing. It has a phone number on it, which is typically the head of security and says who actually authorized her to sneak in. So they called the number on it. And the head of security says, yep, this is all a plan test. Good job for catching her. We had this sort of laugh after that. Even the security guys were like, why would you pretend to be Swedish? I don't know. I'm scared. She's like, I can tell and you don't look Swedish. I was like, I know. That was Maxi's first pen test, where she tried to break into buildings. But she loved it. This was adventurous, a adrenaline fuel. You need to keep your wids be quick on your toes and know all about computers all at once. She felt like this is where she was meant to be. This was cool and decided to pursue a career in pen testing. She did a number of penetration testing engagements while in Australia learning new techniques and getting official training on how to get better, reading a bunch of books on how to improve. And one of the things that intrigued her was thinking like an attacker. That attacker mindset was something she spent a lot of time thinking about. How do people with bad intentions act? Soon it was time for another penetration test. Still, while she was working for a company in Australia. The company I worked for was working with the local government and the state that we would end. And I won't say the name because I don't want any further embarrassment. Penetration tests are not always physical. In fact, I see most of them are just done over a computer. Like the penetration tester might be outside the company and just trying to hack their way into the company through the internet. Or sometimes companies will just invite the penetration tester right into the building and give them a desk and a network jack and say, go for it from the inside. Because even if you get into the network, there should be layers of security which should still keep you from getting into important things. That's called defense in depth. So this was a pen test on a local government office. And with this one, they invited her to come into the building and plug into a port and see what vulnerabilities she could find from within the company. She wasn't alone on this one. There were two other people with her and the two other people were very experienced network penetration testers. And she was still learning how to do this. So she was shadowing them and watching what they were doing. So I wasn't a nib, but I was. This was my first job in cyber security. I have a very technical background. Building ROVs, flying them or steering them, I suppose. That's all technical. Even stints are technical to a certain degree. This was a step further because there are no physical components to it. That's why it was so difficult for me. It's all on-screen in Linux. It's it's own beautiful, scary world for me. So I was still getting to get apps with this whole world and all of the commands and what these things meant and how to undo things. And they all sat down, pulled out their laptops, plugged into the network. She starts by firing up a network vulnerability scanner. I got to run the nest, the scan, which was not the most technical job in the world, but it felt good at the time. And I got to look at what vulnerabilities were there. And I got to go and see exploits for those. And I got to run in-map. These are fine basic tools to start with. It'll scan the network for known vulnerabilities. They're easy to use and typically benign. As in, they're not going to cause any trouble on the network just by running them. And when you run these tools, it's not hacking. It's just to try to find what's hackable. And she wasn't exactly sure how to hack into this company. When you're a ramped experience panthist, there's who love their job and needs to love everything. Every line they wrote was sort of like a piece of art for them. They loved it and they really got this high of it. And that's contagious. So I started to think like, this is amazing. This is so cool. Like, how far we'd end? And one guy, one of the guys that I was there with, got a call from one of our points of contact that he was saying, I can see you in the network. And it was this big game and it was fun and it was interesting. And I got caught up in that. So after seeing all the cool things that those other penetration testers were doing, Maxie wanted to have some fun too. How far could she get into this network? She saw there were vulnerabilities on certain systems, on her scan. She tried to exploit those vulnerabilities and get into those systems. Because there's a sort of high you get from getting into a computer when you shouldn't be able to. And she was making progress. She got into a few systems and she was looking around, making notes on how she got in. She would look over her shoulder and always see those other penetration testers many steps ahead of her. So she kept looking around to see what else she could get into. I found my way to some internal environment. And I hit the kill switch on a save rush play. She accidentally typed the wrong command into the wrong computer which controlled the flow of water to the whole city. The person I was with immediately saw within the network that that wasn't right. I will assume that he was sort of with me like following me through the network and you can see a lot of what I was doing. And then I was thinking, yeah, this isn't, I don't think that was maybe good. Right? And so I looked at him and I could sort of see on his face and he comes over to me and he said, what did you do? And I, you know, you can look at your yesterday quite, quite clearly and I still had quite a lot on screen. I showed him and he put his head in his hands and I was like, what is it really bad? It was really bad. Shunning off the water to the whole city. Shower's faucets, sinks, even toilets. We're not functioning. City wide. Her two other penetration testers immediately tried to figure out ways to fix the issue. One was looking at how the system operated and if it was possible to just turn it back on but you don't want to just do that if it's going to cause a problem. The other pentasture immediately phoned the point of contact, letting them know this is a major problem. Maxi was sort of in shock and incredibly embarrassed. She took her hands off the keyboard and just waited. I was detained by security guards and they, they were not very pleased. Now this is a completely different situation from the last time she was detained by security. The last time she had a get out of jail free card, this time they knew that she was supposed to be there. In fact, it was a point of contact that called security on her. She was authorized to be there and do this but this was not supposed to be disruptive to the organization. Not only was it disruptive to the organization but it was disruptive to the whole town. So they wanted to at least get her recount of the matter recorded so they had it for later. I go down to a window of the shrimp and I'm questioned. And all of a sudden, one of the sort of accusations if you want was that I was a Russian spy. I was thinking, how did we get there so quickly? Like, what happened? Apparently she's moved her IP at one point to make herself look like she's coming from Russia to try to test to see if they could detect that. But that was just very brief and she was definitely not a Russian spy. But this was becoming scary now because it wasn't just a confession of a mistake she made. It was like they were treating this more like an investigation. So I was held there for like a couple of hours and of course the police were called. The police had to be called. I didn't have any idea on me. I had my work card but that doesn't really mark because it's just a fault why could have printed it on myself. And I kept saying to them, you know, if you let me go back to my apartment I can get my passport for you in British and I'm not a spy and you can contact my employer and I'm actually here with two people and I kept going and they didn't want to hear it and that's okay, that's kind of their job to do, to not believe me and to look for the worst because they've got to protect themselves against the worst. And eventually that's some point I said to them like I need a glass of water and the look would have been enough to turn most people to stone asking and that was not an ideal question and then eventually my employers at the time called in and it did get sorted and I not only escaped essentially what I think you would call it prosecution I escaped any legal action because of that and I was on the good adulation team so that lent me some credibility in the fact that okay, she doesn't know what she's doing and it's okay and my employer didn't find me and I will be eternally grateful for that. She doesn't know how long the water was out that day. It could have been hours, minutes, seconds. It doesn't matter. The fact that it could be shut off and it did get shut off is why the police had to respond but she narrowly got out of serious trouble from that one. But the sort of baptism by fire is how we learn the most important lessons in life. I mean knowing firsthand what kind of true power a penetration tester has is profound and this feeling sometimes flips back and forth too. Sometimes you feel completely blocked with no access to anything and it makes you feel dumb and other days you feel like with a single keystroke you can wreck this entire business. It almost reminds me of visiting a barber and getting an old-fashioned shave. The barber has this razor and they're shaving your neck with it. You feel very vulnerable in that situation and I think many companies do feel vulnerable when they allow a penetration tester to come in who knows what they saw or took. In my last job we had a penetration tester come in and see what they could do and they were able to crack 25% of all our passwords, company wide. That's like thousands of passwords. Of course I read the report to see whose passwords got popped but it only contains statistics, not passwords or usernames. And it made me think, you know, this pen tester is walking out of our building with a bunch of our passwords. I've never felt more vulnerable about work before. We're going to take a quick ad break here but stay with us because Maxi's going to tell us about a penetration test story that changed her life. This episode of Dark Net Diaries is brought to you by Flashpoint. 2025 has proven to be a pivotal year for security leaders. It's not just cyber threats anymore, physical risks and geopolitical tensions are colliding, creating a web of challenges no one can afford to ignore. That's where Flashpoint comes in. As one of the largest private providers of threat intelligence, Flashpoint delivers what security teams need most. Clarity. By combining cunning edge technology with the expertise of world-class analyst teams, their Ignite platform gives organizations instant access to critical data, expertly analyzed insights and real-time alerts, all in one seamless platform. From Fortune 500 companies to government agencies, Flashpoint is a name trusted to keep people, assets and operations secure. To access some of the industry's best threat data and intelligence, visit flashpoint.io today. That's flashpoint.io. Making some big mistakes on past pen tests did not make Maxi back down from pen testing. Instead, she doubled down. She was fascinated by the power of the pen tester, but more so, the attacker mindset allured her. But she had to leave Australia. Oh, yeah. So I'd come back from Australia with my visa drone out. Um, move back to the States. My modeling life is like, if I'm free to do it, and I want to do it, then I will do it. I kind of always want to be infatuated with what I'm doing and focused. And I'm okay if whatever the thing is that I want to do changes, and it has obviously. But I want to love what I do because functionally, right, will I live for 70 years? Maybe I live to 90, but functionally, I've got Maxi 70 good years, and I want to do what we might do. Two interesting things a year. So I've got 140 interest in things that I'll do in my life. That doesn't sound like a lot. So I just always wanted to do the things that were most interesting. They would get me the most sort of interest in exciting experiences. And for her, the thing that excited her the most was red teaming, penetration testing, social engineering, physically breaking into buildings was just a thrill to her. So she looked for more jobs doing that. So I was hired on a sanctioned red team contract to test this high security logistics company. And there were two testers that were booked. It was a large company, but they wanted the two of them to try to get into one of their satellite warehouses. They told her, look, there's a locked fan around this whole property. Security alarms are on the doors. There's security cameras watching the whole property. There's active security patrols at night. And they just wanted to prove that she could get to them. They didn't want her to do anything to those machines. And they gave her a little USB device and said, hey, if you can actually get to it, plug it in and take a picture that you got there. And this will prove that you made it. Because presumably if somebody wanted to get a customer list or shipment list or whatever, it would be just as easy for them to plug in a USB device, grab the stuff and unplug it. So they asked her to see if she could do that. So her and her coworker take a drive out to this facility during the day and just drive by just to look at the place. And what driving by is too quick. You can't see anything. So they decided to get out and just walk down the sidewalk and go around the whole property just to see what they can notice. Any points of entry? Are there any areas where the cameras aren't pointed? When we had kind of gone around, the very edge of the perimeter was like chain-linked. So the chain-linked fence had just, it wasn't, it was years old, probably decades old. And so it was a bit reckty. So you could just kick the edge up. So we knew that. They took some other notes and got an idea of what the place was like. There's a two-story warehouse building with loading docs and sort of two parking lots, one normal one with big transport trucks and cargo trucks, and the second one that had a chain-link fence around it, with many more of those big cargo trucks. We're talking eight wheelers here, the big trucks. This warehouse would load stuff onto them and then they deliver it. So they leave and decide to come back at 9 p.m. But Maxi's co-worker called her up. He's like, I'm sick and I was like, I hate you. I know you're not sick, you're hungover. But anyway, last minute he gets sick. So the scope allowed for a solo run. So I was like, I'm going to do it. She waits until night and then drives back to the facility at 9 p.m. By that time, the place was all closed and there should be no workers there and just those security patrols that she was told about. I then parked behind a tree line outside of the logistics park. I was keeping away from the lights. I was staying where the shadows fell in. OK, let's go time. I like the quiet approach of being on foot myself too. You can hide easier, change directions more quickly, and be more stealthy. So come up through a tree line off to the side of the whole complex. I'm having pretty slow and far enough from the walls to see the whole facade. I'm close enough to spot opportunities and I do the usual first pass. I don't force anything. I don't touch anything. She passes by the building. The classic first pass gives you plausible deniability, right? If you don't touch anything or don't go on the property, you can just say you're passing by if anyone asks. But it's quiet. There seems to be no signs of life inside, no noise, no doors open, no lights on. There were a lot of trucks in the parking lot, but all of them were dark and quiet. No regular cars there. But surprisingly, she didn't see any security patrols. So since she's around the back of the building, she starts jiggling door knobs and windows to see if any of them will open. And everything obvious that you would look at to gain entry was a no. So doors, no hatches, you can see them. Grammed windows, they didn't open. They were just double-pain windows. So yeah, so good security as frustrating in some sense. But it was this like corrugated, all of the warehouses in the area where these corrugated sort of steel structures or metal structures. And this, the warehouse I had, there was sort of this grass alley in the back of it. And it's neighbouring warehouse. Also had stacks of pallets, so there was just these stacks of pallets all the way like through this almost alley. And there was this high stack of pallets that kind of touched it was within the four, three, four feet of a second floor window. There was just this little, it was like a little rectangular window, but it was open. And I was like, oh, that sounds like a great way to go. And they're so kind of moved a couple of pallets, started to climb up these other, like this other high stack of pallets. And most of them were kind of being like secured to one another. So it's, there's still a little wreckage. It wasn't like, I wasn't feeling very confident that they wouldn't crash to the ground, but they didn't, you know, pretty light on my feet. I'm built, I am built for speed and not power. Um, so I do end up getting to the top, poke my head through. While the building looks to stories tall, it's really just a single story, but just with really tall walls. So when she looks down, it's straight down all the way to the warehouse floor. That's not good, that's too high to jump down. So she looks around and notices that the walls are made of like a lockboard. It is essentially is pegboard. So pegboard is basically if you aren't familiar, it's steel or aluminum, she and it's got this regularly spaced like square or round holes that you basically put on walls in warehouses usually, and then you hang like heavy tooling on it. So I'm looking at this lockboard pegboard. And I'm like, all right, well, climbing down it, you know, grab it, grab a Asia friend. So it's like fingers in and go, well, sneakers on and I actually get down. It wasn't as difficult as you think. Okay, she did it. She got into the building. Nice. Now her objective is to simply see if she could get into those computers in the building. So she looks around for them. They were easy to find since the monitors were on and they were glowing in the dark. Get to the terminals and they're all, they're all open. It was, it was beautiful. You know when in movies, they're like, like the heavens light. I was like, this is great. So there were, yeah, they were all unlocked. And so I connected this approved device. I snapped the required foals. You know, proof I could touch one, I'd talk I would want to touch. And then I felt about the exit. And I was like, I looked at the pegboard and I was thinking, well, because climbing up is a little bit different than climbing down. Okay, so climbing out the way she came was not going to work. She looked around for another way out. There are a lot of doors. She's in size. She could just open one up and walk out. No way hold on that. It's not going to work because there's security alarms. And she looked around the doors and yes, they were armed. Okay, scratch that. You can't open those doors. It would trigger noises. And since she hasn't had any security on her yet, she doesn't want to get their attention now. So she looks around for other points of exit. It was a load and door that wasn't in the best shape. So a load and door, like a like a dock where the truck backs in so it can get whatever the load is. It can get into the warehouse and you don't always need a fork lift and so on. So forth. So it was it was it was essentially that. So it was on a pulley system. And it wasn't attached to an alarm, which was mental for what they, you know, for how secure they wanted it to be. So yeah, so I kind of it was a little bit buckled at the side. And maybe that's why it wasn't on that alarm. I'm not sure but a little pulley system pulled the chain up just enough to sneak out. And I get back to my car through a forest, which is by far, by the way, the worst part of the story for me because I do not like insects. So yeah, so then I I backed my car or I think I'm roughly back to my car and I phoned my point of contact and our report, what is the success, right? Like I got in, I've managed to, I've got the follows, I'll write your report. And he listened and he was like, I want to issue a scope change, a scope change. This means the client wants to change what he wants her to do. I guess he was impressed that she was able to do everything he tasked her with and wants her to try more. So he says to her, you know, all those moving trucks in our parking lots. See if you can steal those trucks and she's like, I don't know how to how to wear a truck and he's like, no, no, no, no, see if you can find the keys to any of them and if so, take them. I was like, all right, let's do it because 140 interesting things in my life, this might be one of them. She walks back through the woods, cursing at all the spider webs that she comes across, and then looks at the facility. There are a lot of trucks here. And they're the big trucks like the long trucks, you know, they've got 20 to 40 foot containers on the back and I've never driven one of them. Summer parked inside the fence area and some aren't. She starts with the trucks that aren't in the fence area. Step one, see if the door is unlocked. The first one she tries, the door is unlocked. Well, so she opens it, gets in the driver's seat and she looks at the ignition. The keys were not there. But to her surprise, the key was sitting right there in the cup holder in the center console. A little bit humorous. I'm like eight billion people on the planet. I'm the best driver. So I'm going to do, as I'm going to move all these trucks, I'm not going to worry about to reverse in that truck. I was like, I'm going to have to leave this here because I'm not going to be able to do this. So yes, so I took them up just other end of the cul-de-sac almost. It was like a little sort of quiet area, a little logistical park and spot, I guess. So I just parked them all up there. She parked it about a quarter mile away and then ran back to get another truck. The keys were not consistently controlled and the fleet wasn't consistently parked on the inside of the secure perimeter. So basically it just became this live demonstration of risk. One after another, she was able to find keys for these trucks. So when a driver comes back to this area and it's past hours, they sometimes leave the keys like they'll leave them under mud flaps or just actually inside of the truck. It was incredible how many keys she found in and around these trucks. Sometimes they were still in the ignition, sometimes they weren't on the seat, sometimes they were in the, you know, the visor, the sun flaps, sometimes they were in the mud flaps, and sometimes they weren't there at all. Some trucks were locked and she couldn't get into or move them. She thought about climbing back in through the window of the building and looking for the keys inside, but she already proved she can get in there. Maybe it's just better to try another truck instead. After taking the ones from the unsecured parking lot, she wanted to get into the fence area and try to take one of those. She remembered where you can lift the fence up and get in there so she scurries under the fence and looks at the trucks inside. Sure enough, same story. Keys were typically in and around the trucks there too. So she hops in, one finds the keys, starts it up and starts to drive out, but realizes, oh wait, this fence is locked. She gets out, looks at the padlock. She thinks about picking the padlock. That did not work in that. I was like, a bet there's a key for the someplace and I'm thinking, do I go back inside to climb up the pallets? Climb down the grate and look for the keys and I was thinking, you know what? This is probably proof enough. This is bad enough because the report is going to say, well, I couldn't break into your secure perimeter or why don't you park your trucks in there? By 2am, she had stolen a bunch of trucks and felt like she accomplished the mission. Security never stopped her. There was no word around all night. So she goes back to her car and calls her point of contact and says, she stole the trucks. She's like, wow, okay, great. Hey, can you come into the office in the morning and tell us how it went? She's like, sure, but let me sleep first because I'm exhausted. So she goes home and then the workers start coming to the warehouse in the morning. Day shift did arrive and they didn't notice anything was wrong for like a fair amount of time. When I think it like, how I would say it maybe is it took a beat for the penny to drop for them and yeah, headquarters finally called and my contact, I think walked them through the findings and eventually we gave a report and, you know, where was security? They're supposed to have 24 hour roll and security. Where was it? Because I didn't see them. Like, why were their pallets, why were their unlocked windows? Why weren't the loadembes connected to the alarm system, things like that? Like, it was, you know, treat keys like access badges, not souvenirs. Did you have to give like a debrief to that facility and say, hey, by the way, if you're wondering what happened, let me tell you. Not to the facility. So I didn't go back to that facility. We, I gave it to my, like, to their headquarters essentially. We went in and we gave a presentation on the report and, you know, as is all, it's always the case. People sort of mouths drop. And I think their tummy's probably dropped to. They're like, how has this, how has this happened? So our thing bit. Yeah, but it's so it's another thing to be like, wait, who did this? We heard this person max to do it. This guy max, it must be a jerk to be breaking in and all this. And then if you were to actually show up and be like, hi, I'm Maxi, and I'm the one who stole all your trucks. I'm so sorry. You have to, you have to be soft with them. Like, well, maybe that's just personally, maybe that's a preference of mine, but stylistically, I think, be soft with them. They do not know for the most part that our industry exists. Yes, they know that there are bad actors out there, but they don't know that some of us are making a career out of it. And you have to go in and you have to be soft. It isn't their fault. That's what it is to run a company, not everything's safe. You can make it a little harder for people, but that's our job to tell them. And I just think, tell them that in the most direct, but soft way possible. You don't, it's not blame game. And so yeah, I went to headquarters and I was like, hi guys, I think you might have heard what happened. And like, yes, so now on my resume, I've got, you know, expert climber and truck driver. She did a lot more penetration tests and got so serious about it that she wrote a book called The Art of Attack, Attacker Mindset for Security Professionals. Yeah, well, here's what I would say about my book. I'm going to explain it. If you don't like this end of it, just buy it for some. Do you don't like it? If you do like this end of it, it was all me. You should buy it. It'll be great. No, in all seriousness, it's called The Art of Attack. And it's central argument is that in order to design defenses that truly work security professionals must adopt this quote-unquote attacker mindset. And its basic position is that simply focusing on tools networks or policies is completely insufficient. It's necessary, but it's not sufficient. So understanding how an attacker thinks, how they strategize, manipulately, persist is fundamental to building resilient systems. And I would probably finish on it by saying that skills of a good attacker are the same skills that I want as a person going through life, normal life. Also the things I would teach and will teach to my children like grit, determination, or goal-oriented, or resilient, so forth, so on. They are cognitive skills that we need and how you apply them as what matters. And that is basically the premise of the book. Somewhere in her life, she went on a penetration test that changed the whole trajectory of our life. It was probably the most highly strung, you know, tensioned job of my career. It was far a company that we've all heard of and that we all use. And we had their internal red team accompany us. This company had a big data center and they wanted to see if they could get unauthorized access inside. Now I don't know if you've ever gone into one of these data centers, but sometimes these things are extremely secure. I've seen them where there's like a big fence around the company and just to get into the parking lot, you have to go through a gate guard and they'll check your ID and make sure that you're authorized to be there. And then when you finally park your car and get to the front door of the building, the front door's locked. And so you need a badge to get in. Forget about any open windows. They don't open ever. Then upon walking in, there's a security guard watching what you're doing, but you're only in the lobby. You're not even in the data center part of the building yet. To get in there, you need a second key. And sometimes you do an eyeball scan to verify your identity. And there are man triumphs, meaning there's only one person allowed throughout a time so they could check you. But then once you're in the data center, there's sometimes a cage around the server racks you need to get to. And you might need a third key to get into those and maybe an extra form of identification like a fingerprint scan or something. In short, it's extremely hard to sneak into a data center. They're actually on this job. Armed guards patrol in this perimeter. And there are vehicles that are scanned for anomalies. Like it has a very, in terms of security, a very robust comprehensive site. And you know, inside everything, it's a day center. Everything is controlled, temperature, humidity, or controlled to the decimal. The power and the fiber run through their redundant. There's glass proof like conduits every corridor, every door, every bite is sort of like a locked. But once you're in, you're in and nation-state actors will get in and they're willing to do what it takes. And so that was that was our job. Well, she decided to try going right in through the front gate. So she just drove her car right to the security checkpoint and acted like she was supposed to be there and talked to the guard. Hello. Yeah. We're visitor. Yeah. Like, hi. Can we, you know, we're here to do this? Because you're also in can find you some of those entry points. Like if they're doing immersion cooling, we know there is maintenance required on immersion cooling for the fluid, for instance. So you go up and you like, here, we're here to do this. And you, you know, you some sites that will work and they'll be like, oh, okay, let me just tell the right person or here, wait here. They were like, you're not in the list. You're not coming in. Okay. So there's a list. This is a clue. Maybe she could get on that list. Who maintains that list? What if she called acting like the maintenance team and says they have to do a fluid change or something? And they're coming out. So we, we tried to get on that list. We tried to call ahead. We tried to spiff phone calls so that it looked like we were calling from hopefully the right point of contact. It wasn't working. There were too many checks. They were comprehensive. They were robust. They were sharp. And so we're like, how are we going to get in here? And it's like, you know, sort of a bit like they've built a wall. Do we dig under it? Do we go over it? Like it wouldn't have mattered. It was the sensors, the security. They were on top of it. And so we're like, all right, what do we do? Hmm. Time to step back and think about some sort of out of the box way to get into this data center. The one way to try to think through something like that is just to learn more about this company. Maxley was curious how the building was built. So we actually went to the municipalities. We'd gotten some like almost you could think of them as blueprints. And we figured out that there was in fact a sewage line. A sewage lines are too small and would be way too disgusting for a person to go into. However, they sometimes run through underground tunnels that are accessible by service workers, like a smaller pipe inside a big tunnel. So she traced where the lines leaves the property. It saw a point where we could get to another access point through basically a junction. Well, it's worth a shot to try. So they drive over to where they expect there to be a manhole which is off the property. And if their calculations are right, these pipes would lead right into the data center. But the question is, will there be a service tunnel also leading to the data center? So they pride open the manhole lid and looked in. It was big enough to crawl down into it. So they did. And then they saw a tunnel going towards the data center. So they crawled through it. And it's a long, shall we call it, journey from one access point, one manhole to the other. But we have to do it. It's not glamorous. It was not enjoyable. But we got through it. Sure enough, it led them right to the data center. And then make our way up into the site and then into the data center. They got in, snapped a few photos to prove they were in there, all no authorized. And then they called the security team to tell them they got in. And the security came and it was like, what, how did you get in here? And so our report was your guy's security is Bob on we we hate it. It was amazing. You didn't let us in here. We weren't able to phone ahead. We weren't able to forge documents. We weren't able to do any of the things that we would try to do ordinarily. We couldn't have created a diversion to, you know, have security take their eyes off of the gates to get through. Well, it's the weren't looking. It wasn't, it wasn't going to happen. We got into your day at center through a minehole for a sewer line. And that was the bulk of our report. The the rest of it was going, but I kind of didn't march them. They're like, yeah, but you still got in. But this made Maxi think even more. If a data center wants ultimate security, so nobody ever gets in, how could they improve this? And that's when it occurred to her. And I was like, well, if you want to keep them that safe, you pick them underwater. An underwater data center. Could that even work? Then I started to think, oh, is that? Did I just have a good idea? Amazing. So I called my old boss who I used to work offshore for and with. And I was like, hey, what do you what do you think of this? And he's like, I've actually I've thought someone fairly similar. And I had this like, oh, I've drawn it at this point. He tweaked it, tweaked the design. I was like, would you consider working with me? Here's what I want to do. I want to I want to put data centers underwater. I want to do it in a modular fashion. And I want to do it because it keeps them safe. So the two of them got busy designing and building modular underwater data centers where you load up the servers into what looks like a small shipping container. That's watertight. And she will then drive them down to a safe spot on the bottom of the ocean. It's also a lot cheaper to do. So it's about 80% less expensive in terms of in terms of topics to get compute underwater the way we do it. I know I know anything about underwater data centers. This is all new to me. So I didn't even know this was possible or even this was happening. But you're telling me this is something you made. This is something we've made. This is something we've we've done performed. And now they're actually a lot of companies. So is there like a long extension cord that goes to do things to keep them there essentially is. So what's really interesting about the subsea environment and we touched upon it earlier is that everything you and I use one way or another. So there are power cards under under the water. That's how we you know that's how we light up oil and gas platforms. That's how we manage to eat on them and things like that. And there are also countries that exports will France exports power to Denmark. We not so long ago lead a cable to do that for them. So there's actually a lot of subsea cables. There's also a lot of subsea cables for there's like 700 cables or something like that. Maybe more now that carry this internet signals. So they they post the light. So you don't have to lay your own cables. You could just tap if tap off some of the stuff that's there. Yeah. It depends. So if we're in a port then we might extend from an online substation. If we're furthered offshore then we'll splice the power cable, put it in wet. So we've got offshore their wet mate, wet mate cables. So we'll they look like headphones with it mic jacks on them like they look like that. They're just really big ones of that. Essentially we plug them into our units are our units look like 20 foot shipping containers. And we put them on the subsea floor. We secure them there through guide posts, lock them in, plug in the power wet mate the power and do the same for the fiber. And then it's up and running. And we can do about three megawatts in a unit just now, which is meaningless to most people, but that's kind of what we need just to do a small amount of compute. And yeah we we sent them on the seafloor. But what if what about maintenance and stuff like you need to change out a hard drive? Yeah. So there's a few ways that we perform maintenance. So it's actually not that much different than than online. So what I will say is the maintenance cycles are reduced because there's no dust, right? We've got the servers are felt or are surrounded by this dielectric fluid. So there's no dust, there's no debris, there's no people jostling the cables and those are the biggest factors in maintenance. That's why compute goes down 80% of the time. We don't have that. Then but you know, it happens we do have to maintain there's some faults. So we do that a few different ways. If one server fails, it kind of doesn't matter. Well load balance will shift the load and it'll go to some other server or some other site that we have. If a whole rack fails, it may fail in place and again load balance in or if a rack fails and it's important to pin on what the kind, depend on who the kind is and what the kind is doing. We may have to bring the unit up and it takes we guarantee you can do it within about 12 hours. So we've got a vessel outside. The vessel goes, picks the unit up with an ROV because that's my background and that's how I knew how to do it. So picks up, put it on deck, we drain it, we do the fixes. You can also do them remotely a lot of the time. So it really just depends but it doesn't cost any more time and it doesn't cost any more in terms of the financials. And before people like come for me, it does not heat the water. We are not heat in the oceans. So I know how to say it. So water warms up more slowly than air and it can actually hold more heat. So the specific heat of water is higher than most substances and what that means is that it absorbs more heat before its own temperature increases by one degree. So say to another way, water needs about four times as much energy to raise its temperature by one degree Celsius as the same mass of air does. So what we've measured in our testing is that the water heats up by about a thousandth of a degree which is statistically insignificant and that's within a meter of the unit. You put a data center on land. First of all, you have to use air conditioning to cool it for the most part. That's what people are doing. So about 40 to 50% of all the power that that data centers pulling is used to air conditioning and then that is pushed out is heat. And then the ocean has to take that because that's our heat sink. The ocean takes that and now you're warming the oceans. So it's like a very unenture of that very scientifically proven method of getting rid of heat, put it into water. And so yeah. I imagine if someone does try to pen test this place or break into it. As soon as they open the door, it just gets flooded and then all the computers shut off. You can't open the door. So it's like you basically our biggest state is like a sub, you know, like a Russian sub movie, let's say. So what happens is you need a sub or you need a vessel with an ROV attached or maybe if we're a like a shallow depth, you could use a diver but a diver's not going to be able to do anything. You can't pull a door open because of the pressure of the water. So basically you couldn't really pen test it without getting a vessel an ROV or a bunch of divers or a submarine and good luck to you. I don't even know how I would do that. And if anybody's going to pen test there's going to be me because that is a that's a fun job. But basically let's say a nation state sub came along. Great. It would have to connect it and it would have to pull it off of its security mechanisms that we've got sort of fastened to the seabed. And once you'd done that, you would basically self-destruct the data that was on the servers because now you ruined the housing that is keeping them safe from the the water and the pressure of the water. So physically they're very, very secure. Digitly, it's the same footprint. You pen test the same way you would any other server data center company. Incredible. I think I'm stunned by that sort of thing. I mean my brain goes into weird directions here. Like, is it are there laws offshore where you can host things that aren't legal in this country or whatever and all this sort of stuff. And now suddenly I like this idea of pirate websites or piracy. There's piracy in this as well. This my brain just goes in all directions here. Yes, there are maritime laws. Very difficult to enforce them. And you rely on satellites to some level, you rely on boats to police. But the ocean is vast. So it is very difficult to enforce. So basically we're counting on people doing the right thing. And that doesn't always work. So what we do is we make sure that we're in the green. So we collocate with existing assets offshore, whether it be in national or international wars. Every country has an easy economic zone essentially. And that's about it goes from coastline to about 12 miles out. And then just a little further up and you start to get into what is essentially international wars. You can do what you want inside of them. Who's going to stop you? But we choose not to as an American company. And so we collocate with other assets in the area, usually like offshore wind platforms or regs or anchored boats. So yeah, I think Subsea is definitely part of the future for data centers. A big thank you to Maxi Reynolds for coming on the show and sharing these stories. You can learn more about her underwater data center at subseacloud.com. If you want to get her book, it's called the Art of Attack, Attacker Mindset. It's the one with the chest pieces on the cover. If you like the show, if it brings value to you, consider supporting the show by giving directly to the show. It helps keep ads at a minimum, it keeps the lights on here, but most of all, it tells me you want more of it. Not only that, but you'll get bonus episodes and an ad-free version of the show too. So please visit plus.darknetdirees.com. That's plus.darknetdirees.com. Thank you. The show is made by me, the packet tickler, jack recider, editing by control, all delight, Tristan Ledger, mixing by proximity sound and our theme music is by the mysterious break master cylinder. I have a bad habit of doom scrolling social media, but lately I've been trying to break it by confusing the algorithm as much as possible. I'll play like long recordings of fog horns blaring or a watch curling matches from 2006, or I'll just search for like the most bizarre things I can think of like, can I legally marry a ghost in Ohio or a baroque interpretations of dial-up modem sounds? Can you potty train a squirrel using jazz? Not because I'm interested in those results, but because I like tossing the algorithm a bag of trail mix, just watching it chew on that for a while. This is Darknet Direes.