161: mg
In this episode we talk with mg (https://x.com/MG), the brilliant (and notorious) hacker and hardware engineer behind the OMG Cable, a seemingly ordinary USB cable with extraordinary offensive capabilities.
Learn more about mg at: o.mg.lol
Sponsors
Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
Support for this show comes from Axonius. Axonius transforms asset intelligence into intelligent action. With the Axonius Asset Cloud, customers preemptively tackle high-risk and hard-to-spot threat exposures, misconfigurations, and overspending. The integrated platform brings together data from every system in an organization's IT infrastructure to optimize mission-critical risk, performance, and cost measures via actionable intelligence. Covering cyber assets, software, SaaS applications, identities, vulnerabilities, infrastructure, and more, Axonius is the one place to go for Security, IT, and GRC teams to continuously drive actionability across the organization. Bring truth to action with Axonius. Learn more at axonius.com.
Transcript
Hey, hey, it's Jack, host of the show.
I am feeling good.
I am feeling healthy, strong, fit.
I'm in the game.
And so I'm coming at you with a second episode this month.
Let's go.
DEF CON is coming up in a few weeks.
I'll be there.
I wouldn't miss it.
You know me.
And if you don't know, it's the premier hacking conference in Vegas.
And I love going because every year something crazy happens.
You don't always know what it'll be, but you know something is going down somewhere.
Like maybe someone will drop a zero day live on stage, which will suddenly make us all panic and call home, shut everything down.
Or maybe the FBI breaks into someone's hotel room and arrests someone who they've been chasing for a decade.
Or maybe someone gives a talk that makes history.
I mean, Julian Assange once gave a talk at the Chaos Computer Camp in Germany to announce WikiLeaks.
Lots of people come to drop big ideas at hacker conferences.
And if there's a talk that makes history, I want to be there for that moment.
I want to be in the room where it happens.
Anyway, I'm not planning any party or anything this year.
I'll just be floating around, like all over the place.
But check my Discord or Twitter for like live updates on where I'll be, though.
And if you see me, please say hi because I love meeting you.
It's your energy that gives me the fuel to fly this thing to the moon.
Oh, and if you don't know what I look like, I wear a big black hat and I cover my face entirely with a bandana.
I look like a bandit.
All right.
I promise I'll bring you back some stories.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by my friends at Black Hills Information Security.
Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.
Through their Antisyphon training program, they teach you how to think like an attacker, from SOC analyst skills to how to defend your network with traps and deception.
It's hands-on, practical training built for defenders who want to level up.
Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses, all designed by hackers.
For hackers.
But do you need someone to do a penetration test to see where your defenses stand?
Or are you looking for 24-7 monitoring from their active SOC team?
Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.
Well, they can help you with all of that.
They've even made a card game.
It's called Backdoors and Breaches.
The idea is simple.
It teaches people cybersecurity while they play.
Companies use it to stress test their defenses.
Teachers use it in the classroom to train the next generation.
And if you're curious, there's a free version online that you can try right now.
And this fall, they're launching a brand new competitive edition of Backdoors and Breaches where you and your friends can go head to head hacking and defending just like the real thing.
Check it all out at blackhillsinfosec.com slash darknet.
That's blackhillsinfosec.com slash darknet.
This show is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
DeleteMe knows your privacy is worth protecting.
Sign up and provide DeleteMe with exactly what information you want deleted and their experts will take it from there.
DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.
They're even on the lookout for new data leaks that might re-release info about you.
Privacy is a super important topic for me.
So a year ago, I signed up.
DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.
Then they got busy deleting things.
It was great to have someone on my team when it comes to protecting my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout. That's joindeleteme.com slash darknet diaries, code dd20.
I guess we're going to call you mg in this.
Is that what you want to be known as is mg?
Perfect, yeah.
Yeah, I like mg because
I didn't know for the longest time if it was milligram or
it's great.
Megagram.
It's got so many things it could be.
That initial mystery, I think, is what intrigued me about MG.
He had this raw type of energy to him.
He's always building.
He goes hard on hacking.
He's always in the zone.
And he seems like he's part of the counterculture.
Like, he's probably got stories, right?
And people kept telling me, you should get MG on the show.
So here we are.
Color me intrigued.
He tells me MG is just his initials.
And he started using that name when he signed up for Twitter back in 2008.
His Twitter name is underscore MG underscore.
Nice and simple.
I grew up in Wisconsin.
Both of my parents were in medicine.
And I guess like a big thing that I learned growing up with them is you can pretty much DIY anything.
And also,
DIYing stuff is a great way of having control, stretching the value of what you have, and things like that.
So, they designed and built their house from the ground up, like every aspect of that.
And this was, you know, while they were working full-time in medicine and, of course, you know, raising me and my sister, I think the house started around when I was like in first grade, roughly.
So, I was just constantly around raw materials, DIY, just tools everywhere.
Yeah, yeah. But didn't you get into magic also when you were young?
Oh, I mean, what kid didn't, right? But no, once I got into, I don't know, roughly middle school, got into magic, sleight of hand, just deception and all that cool stuff. Also got into trouble doing that. Brought a prop cigarette to school, got suspended for not taking it seriously enough.
You took a cigarette to school, a fake cigarette, and they suspended you over it.
Yes, they did.
I mean, it was, there's even more to that story.
So, yeah, I mean, it was a really believable one.
A little, it looked like the tip was glowing, and you blow on it, and like some talc powder comes out, makes a nice cloud.
So, it was kind of believable.
The teacher, like, whoa, what is this?
And so, confiscated it, but then they were holding it, and like some of the talc came out of it, and they're like, oh, white powder.
Uh-oh.
So, they called the cops, had them like drug test it.
My buddy at the time decided to say, that's not even how you'd smoke cocaine.
Did not help the situation at all.
But yeah, I think we both got suspended.
And mine was specifically for not taking these situations seriously enough.
And, you know, that was kind of the start of my
conflicts with authority.
We'll just leave it at that.
As MG grew up, he got influenced by his parents being in medicine and was gravitating towards biology.
But the seductiveness of computers and technology would ultimately change his direction.
I was really into biology until Quake.
Quake came out and that changed everything for me about computers.
You had to learn how they work to play Quake, especially multiplayer.
Like, first of all,
you just don't just run an app on your machine.
Back then, you're at least rebooting the Windows machine up into DOS mode.
Oh, you want to connect with people?
Cool.
You're going to have to learn how your modem works and dial-up works and peer-to-peer connections work, all these other things.
And eventually that would migrate into, you know, modifying the game environment to play
Team Fortress, you know, kind of a modification to Quake itself.
And then you've got like multiplayer lobbies and all this other stuff starts happening.
And it's like, wait a second, the computer has all these things.
You can mess around with this.
You can start breaking stuff.
Like, they weren't checking client-side content.
So you could modify player skins to be way bigger, have you know an X, Y, and Z axis sticking way farther out than the actual player was.
You can see them coming around corners.
You can add a fluorescent coloring to the skin to make them stand out in the dark.
That's really cool to me.
Oh, that's brilliant.
So if you make the enemy model extra big, then
you can see them coming and
you have the big advantage over that.
That's amazing that you thought of that.
Or the
skins of the walls and stuff like that.
You can set them to partial transparency and see through those walls.
Most video game players at some point wish they had a faster computer.
So a lot of gamers get into overclocking.
They force their computer to run faster than it's designed for.
But when you overclock your CPU, you run the risk of your CPU overheating and can get really hot and melt, which means you need to have a better cooling system.
Water cooling is a pretty effective way to cool your CPU, but it requires all this extra hardware.
You need tubes and reservoirs and pumps.
But when MG heard that people were putting tubes and pumps inside their computers to cool them better, he was in.
That sounded great.
You get a pond pump, you get a heater core from a car, you go on McMaster-Carr.
First of all, you learn what McMaster-Carr is, and you're like, whoa, I can just buy chunks of metal pre-cut?
Awesome.
I'm going to drill these out in my basement and plug them and, you know, create all these water channels inside the blocks, strap that to the processor, the graphics card, just start cooling everything down in the computer, and it just kind of escalates.
And you're like, and that was actually a really good example of merging non-traditional computer skills with computers.
It's like, okay, we're going to, we're going to merge shop class here or auto skills when you're, you've got this liquid moving through a multi-metal loop.
You're going to get corrosion unless you understand the chemistry of how to block that with some additives.
So lots of really cool stuff to just pick up and learn.
Man, I'm the same way.
I truly believe that getting hands-on experience is the best way to learn.
For me, when I was young, that was looking for cheap or free computers to just play around with like a sandbox and build without the fear of breaking them.
Having a playground to try out random things was very helpful to me.
Like, what happens if you don't put RAM in the computer?
Are the fans actually needed?
What happens if you disconnect a hard drive, mid-boot up, or take out a thumb drive while you're trying to write to it?
What if you try to delete all the files?
I wanted to see all those things and I tried them all because this is the stuff that was interesting to me and I wasn't finding it in textbooks.
And it vastly broadened my understanding of how all this operates.
MG's first IT job was at a help desk fixing people's PC problems.
But one of his buddies moved out to San Francisco and started working on the 10,000 year clock.
It's a fascinating project that simply asks, can we build a clock that'll last for 10,000 years?
Clocks live a long time without an issue.
Surely that can't be that hard.
But when you lean into the problem, it starts to get really tricky.
First, it raises the questions, wait, are humans even going to be here in 10,000 years?
That's not a given.
So if you're going to build a clock that's going to last that long, it kind of needs to function all on its own without humans around to help it.
So where does it get its power from?
That's an interesting challenge by itself.
But then you think about the pieces and parts that it has to be made of.
Everything must have extreme longevity.
Like, it's got to be entirely made of metals or ceramics.
Plastics and rubber is just going to wear out too easily.
MG got fascinated with this idea and decided to join his buddy out in San Francisco to see what was going on with that project.
And immediately, he was amazed at the DIY culture out there.
He met people from Burning Man who were creating art for art's sake.
He visited the Maker Faire, which is a really cool place where people show off their projects that they're building.
It's so inventive and clever and inspiring.
It was like everyone around him there was big into building things themselves or tackling really interesting problems or just had a really unique way of seeing the world.
MG found his new home.
The 3D printed gun movement, that added a new layer to the whole thing.
Let's see, that was Defense Distributed, I think it was like 2013, where they started showing off the first 3D printed guns that were, you know, there was a whole community that was working on these at the time, but Defense Distributed showed these off to the world and with like so much bravado that it was impossible to miss.
So, everybody took note.
And it had this interesting tone to it.
And this message that I was picking up, which is like creation can also be power and like politics.
Like, you can't take something back once you put it out into the world.
So, you've got to be thoughtful on how you do it, but also, you can't take it back.
Nobody can take it and make it go away.
That,
regardless of what you think about, you know, that specific topic, just the larger power and political nature of it was just fascinating to me.
Yeah, that was an interesting time.
The U.S. government has always tried to regulate guns by acting as a gatekeeper, controlling who can sell them, trade them, or move them across state lines.
That's where most of the laws live.
Not at the moment that the gun is used, but it regulates the system that makes it and delivers it.
But the 3D printed guns changed all that.
It didn't need to be bought or sold or registered or traced.
It didn't pass through any of the traditional checkpoints.
Suddenly, most of the regulations became powerless because you could just print one at home and no one would ever know.
That kind of knowledge fascinated MG.
There are certain technologies that, once released, change the power dynamics of the world.
It changes who's in control.
New types of technology allow you to completely sidestep outside the system that was supposed to be there to control and shape you.
And yeah, that sort of thing intrigued him.
That was also around the same time as Bitcoin was taking off.
And I was also into that.
And I really liked it at the time and the concept of it to just changing and decentralizing power.
And it was really sticking with me.
So this was also at the same time that the Snowden leaks happened.
I didn't know at the time what it would be, but I just, I really wanted to participate in that type of
creation, right?
I didn't know what it was.
So, you know, I would join some of these groups and just kind of help them.
Like, hey, I do IT.
Maybe I could help with some of your stuff.
Or I do security.
Let me help you.
And you can kind of see how the artist works, right?
And that's kind of where I was at for a while.
So you worked at Defense Distributed?
Let's just say volunteered.
Another thing that sort of shocked the world was the ANT catalog, which came out in 2008.
This was some leaked NSA documents which showed different types of devices and technology that the NSA had in its possession and could use for missions if you were in the NSA.
Yeah.
So the ANT catalog, this was commonly misattributed to Snowden.
I believe officially it's just another leaker around that time.
But the NSA ANT catalog had this just catalog of all this cool espionage tooling, hardware, software, just so many cool things.
Like if you ever saw the back of a magazine with the spy catalog stuff back there, disappearing ink and, you know, whatever it may be, this was that, just with a much higher budget.
So one of the things in there was a malicious cable called the Cottonmouth. It had multiple layers of PCBs inside there. It looked really big and chunky, really complicated to make, but it also cost, you had to have at least a million dollars to afford this. And for like the NSA customer population of their own department, but yeah, you had a million dollars just to get 50 cables, so that's 20 grand each.
And it's just, it was just cool seeing all of these things.
Okay, so this Cottonmouth cable that the leaked NSA docs showed was wild.
It looked like a regular USB cable, but somehow it had the ability to install a Trojan horse on a computer wirelessly.
So like if your enemy plugs in this cable to their computer, you could somehow get into that cable and infect their computer with malware.
Now, for most of us at the time, we were blown away by the technology in this catalog.
How was it possible for a USB cable to function both as a regular USB cable, but also have the ability to infect a computer?
We were all wondering how it was possible, but MG was actually trying to figure it out.
He was tinkering with hardware, building 3D projects, helping out at the Maker Faire, and building random things.
And around 2017, he got an idea.
There's this device called a USB rubber ducky, which looks like a USB thumb drive, but when you plug it into a computer, it'll automatically run a script that could infect your computer with malware.
Basically, the rubber ducky was already terrifying, but MG wondered how he could make it even worse and thought, what if he took the USB rubber ducky thumb drive and made it explode when you put it in a computer?
I kind of spent a while making exactly that.
An exploding thumb drive.
Yes, so
I'm a big Nine Inch Nails fan, so naturally I call this Mr. Self-Destruct.
And so
why this is important here is because there's not much space in a USB rubber ducky.
It's all PCB and components.
So I needed to figure out how to make space inside of a thumb drive while retaining ducky functionality to an extent.
I had a really limited version of it.
So I shrunk it down to, I think, what was ultimately like an 8 by 12 millimeter PCB with a couple really limited components on it, just enough to run a tiny payload that can maybe open up a browser to a specific site, right?
Good enough.
And then it could also trigger an electronic detonator to then fire like a firecracker or something like that and have a bunch of confetti in there.
I was doing this all with the idea of, this is going to be just like art I'm going to present to the world, in like a video form, and hey, everybody can just look at it, right?
So the payload was: you plug it in a computer, it opens up the browser, goes to a video of a jack-in-the-box animation. The jack-in-the-box is cranking the box for an awkwardly long amount of time to build up tension, and then the explosion happens, confetti goes everywhere, pop.
And that was great.
That's just a ridiculous project, but I love it.
Since that's happened, there's been evidence of exploding thumb drives shipped to journalists and stuff like that that had like RDX in it.
That would, yeah, that would do a lot of damage.
And it's exactly why I did not productize that, despite many people asking for it.
I mean, yeah, I was just thinking of the Hezbollah pagers at this point.
Did those people see your presentation somewhere?
I'd be like, oh, that's great.
Oh, God, I hope not.
So he's tinkering around with these USB drives that will physically self-destruct.
And his buddy is like, hey, you should take those things to DEF CON.
I think it was around 2013.
I finally made my first DEF CON before wanting, you know, I had been wanting to go for years, but 2013 was the first time.
And that's where I linked up with a long time online buddy, Whitey Cracker Bryce.
And he kind of just introduced me to more stuff and showed me around the security space.
And
it was very helpful for me at the time, just learning and meeting more people.
And yes, so at DEF CON, I would absolutely make little devices that were just highly custom, one-offs or two-offs, maybe five-offs,
to people who wanted like a custom thing.
You had to know me.
And
yeah,
back alley deals at DEF CON.
Oh, man, the back alley deals at DEF CON are always very interesting to me.
The first time I went to DEF CON, someone told me I should try to find and buy some rainbow tables.
This is a list of hashes and passwords.
You could download it back then, but it was a lot easier to just get it on a stack of CDs if you knew someone.
And the point of it is that it makes cracking passwords a lot faster.
So I went to DEF CON and I started asking vendors, hey, do you have any rainbow tables for sale?
They all said, no, what?
LOL.
And then eventually someone was like, hey, wait, you said you wanted some rainbow tables?
I was like, yeah.
And he said, you should go ask Paul.
And I'm like, who the hell is Paul?
And they showed me where Paul hangs out.
It turned out to be Paul Asadoorian.
And when I met him, I asked him, hey, do you have any rainbow tables?
And he's like, oh, I just ran out.
And I was like, oh, man.
He's like, I brought a bunch last year for DEF CON, but there wasn't many people who really wanted them.
So I only brought a few leftovers this year and just ended up giving them away.
So that hunt to find secret stuff at DEF CON is real and it's exciting.
And I've been properly blown away at some of the secret things I've seen people bring to DEF CON.
So MG fell in love with DEF CON.
These people were just like him, building cool stuff, subverting the gates of power, and using technology to reinvent new things.
And a lot of people at DEF CON are building just for the fun of it.
The endless curiosity cannot be tamed in some people.
And it sparked a whole lot of new energy and ideas for MG.
Around that time, the whole world was shrinking at a rapid rate.
Like for the longest time, we only had USB type A cables, the big wide ones that it takes you three tries to plug in, right?
But then suddenly those shrank.
And then we got mini USB cables and then micro USB cables.
Computers used to be big and clunky, right?
Desktops, of course, but even small laptops, you couldn't fit those in your pocket.
But then the iPhone came out and you had a whole computer in your pocket.
And this brought forth a whole bunch of smaller computers like BeagleBoards and gumsticks and Raspberry Pis, tiny computers that you could fit into your pocket, but were also pretty powerful.
And so while the NSA's version of this malicious cable cost them $20,000 to make, with all the miniaturization of electronics hitting the market, MG was wondering if it was feasible to build one himself for a far cheaper price.
Yeah, exactly, right?
And the miniaturization of
microcontrollers and other things like that certainly opened some doors for me and in which I could experiment and play.
You know, it's actually important to mention right around this time is also when I met Darren Kitchen from Hak5.
Darren Kitchen was already making malicious devices like the rubber ducky and Wi-Fi pineapple and was also making YouTube videos through a channel called Hak5 to teach people how to hack.
First of all, what a rubber ducky is, does keystroke injection.
What that means is it emulates a keyboard and will very rapidly type those keystrokes.
So I think the ducky is doing like
150, 200 keystrokes a second.
So, you know, anything I could do at your keyboard, the ducky can do for me.
You know, great for IT sysadministration, IT sysadmin automation, but also, you know, maybe some nefarious stuff too.
And if you don't care about speed, payload size,
you don't care about all of these nice product aspects,
you can totally compromise and get something barely usable in return for making it much smaller.
And that's effectively what I did.
I compromised on a lot of things.
Like even some like basic electrical safety things, I ended up compromising there because, hey, I mean, this thing's going to blow up.
What's it matter, right?
So.
To make his exploding thumb drive, he basically had to make a smaller version of the rubber ducky, and this gave him an idea: what can you do with a super tiny keyboard connected to a computer? And so he decided to make his first malicious USB cable.
It's identical to the Mr. Self-Destruct, except it didn't explode and it was inside of a cable instead. So basically, to put a payload onto this, you had to have physical access to the cable. You program it, and you know it's going to delay however long you tell it before running the payload after it gets plugged in.
I thought, like, the end, right?
Basically, imagine what someone could do if they had access to your keyboard.
That's what this cable did.
It acted like a pre-programmed keyboard.
If you plugged it in, whatever it was programmed to type, it would type.
So, you could do some basic keystroke injection attacks, which open a browser, open a reverse shell.
You can do a lot of stuff, but it wasn't this like
this tool I knew it could be.
He was posting about this online and stuff, making a handful of them and selling them in the corners of rooms in DEF CON.
But the first version was lacking features and really buggy.
From his visits to DEF CON, he met a guy named FuzzyNop, who got MG a job red teaming for a Fortune 500 company, which was MG's first cybersecurity job, specifically hacking into places to test their security.
How cool is that?
But while he was at work doing his red team stuff, he just kept thinking about how can he make this little device better.
So obviously the next step is, well, what could that product actually be?
And the next time I had vacation, which was actually in between jobs, so I had, I think it was six weeks between my first red team job and when I was leaving an IT role. So six weeks in between, I'm like, you know what, I have not figured out how to like design PCBs yet, so I'm going to get a mill.
PCB is printed circuit board.
It's typically a green board inside an electronics device that has the capacitors and resistors and they're soldered onto it.
And a mill is a way to create one of those PCBs yourself, making the traces and drilling holes for the components.
So he spent six weeks learning how to design PCBs and created them on his mill.
The cool thing about a mill
is that you get rapid iteration.
So with software, you can just change some code, save it, hit compile, and seconds later you can test the output.
When it comes to a PCB, it's usually weeks.
You got to design it, send it off to a fab, wait for it to come back, then you assemble the components on it, and then you test it and debug it
before you can even get
a change you want to make to test it over.
But with a mill, you can do some primitive stuff.
I can't get super advanced here, but you can test some basic things to you do it in the span of a few hours and make a revision, kick it out again, and just, you know, maybe maybe go through two, three revisions in a day easily, depending on how complex it is.
And that allowed me to level up really quickly.
So he spent a lot of time in his home lab trying to jam more features into this cable of his.
But one thing bugged him about this cable.
You have to physically take control of it to program what keys it will type.
It would be way better if you could plug the cable into your target and then tell it what to type remotely.
So he was fiddling around trying to figure out how to give this thing an antenna or something, maybe Wi-Fi in the smallest way possible.
The Wi-Fi radio allowed it to connect to networks or you with like a phone to connect to it.
And there was no need to get access to the cable to update a payload on it or to trigger a payload.
So that changed the entire value of this.
being able to dynamically change what it did while it was in play.
Ah, yeah.
So instead of blindly hoping your cable is typing the right keystrokes that you pre-programmed it to do, now with Wi-Fi, when this cable connects to a computer, it's almost like it turns into a wireless keyboard.
Whatever you type on your phone, those keystrokes would show up on the computer it was plugged into.
But it didn't look like a keyboard, of course.
It looked like a regular USB cable that you typically have hanging off your computer anyway.
This made it a very spooky cable.
Suddenly, USB cables were no longer safe.
And this malicious cable was starting to finally look promising.
The first version didn't have a lot of functionality, but this one, this one's starting to look sharp.
So he came up with a name for this cable, the OMG cable.
It works for so many reasons, but since his initials are MG, then OMG is a nice fit.
And that took off.
Then DEF CON was coming up, August 2019.
And like, okay, this is getting a lot of traction.
So by August, I wanted to have some of these things actually sell.
Now, I was making them still from the ground up in my kitchen, basically.
It took me eight hours per cable on average to make these.
And the components were so fiddly and tiny that 50% of them were failures.
I would throw out 50%.
That turned into, if you do the math on that, that is 16 hours of work per viable cable.
Really not scalable, but you know what?
I just wanted as many as I could for DEF CON, right?
So I just focused entirely on this in my free time while still doing my red team role full-time.
You have to think, he's trying to fit a microcontroller inside a USB cable so that nobody thinks there's a microcontroller in it.
He's working with incredibly small components, soldering under a microscope, sometimes with exposed silicon with almost no room for air or it won't fit in there.
So he makes as many as he can and brings them all to DEF CON to sell.
He's leveled up from the back alley deals by this point, and Darren from Hak5 was letting him sell them out of the Hak5 booth.
They sold out.
Everybody wanted them.
And they sold out fast.
So Darren was like, why don't you bring more?
And MG was like, because they take forever to make.
So Darren started teaching MG about mass-producing electronics.
Okay, let's learn how to do manufacturing.
Find somebody who can do certain steps.
So, you know, we got one person, one factory who creates the raw PCB, another factory who assembles the components, solders the components to the PCB, and another factory who integrates those PCBs into a cable.
And even at that point, there was still plenty that I had to do after receiving them.
Final assembly, putting the hoods on, gluing the hoods on, running QA, calibrating them, running, you know, putting firmware on them, packing them, shipping them off to the wear, all, you know, all that stuff.
But anyway, doing any of this outsourcing would have been a huge help for me.
And that's what the goal is.
So it took about five months of back and forth teaching this shop how to do what I needed. So I get the first batch. This was like the tail end of 2019. I finished the assembly, I do some basic tests, I flash them, pack them, and I send them off to the Hack 5 warehouse, and, like, I think it was January 1st, 2020, start the online sales.
This is where I quickly learned it was going to take a lot more work to have a manufacturer do what I needed.
Customers started having issues and it was all over the board.
Like there was no obvious pattern.
So, I had to do a lot of investigating to discover what was really going on here.
It's just really weird problems.
It was probably an upstream manufacturing problem, but I couldn't think about the upstream manufacturing.
I had mostly finished product currently in hand.
And if I couldn't sell that, that was a gigantic loss, like a financial loss, like mortgage-the-house-level loss. That was a little bit scary.
There were enough issues happening with customers that I just decided to pause the sales and figure out what was going on.
He analyzed the cables coming back from the factory and found that on the power supply inside the cable was a tiny microscopic crack.
And to his horror, it was on over half the cables, which meant his first batch of cables, half of them had to be thrown out, a huge financial loss for him.
He had to teach the manufacturer how to test for quality at every stage of the build process in order to find exactly where the cracks are coming from.
And he discovered at some point the manufacturer would throw all the finished components into a bag to give to the next build stage.
And when they were getting all jostled around in the bag is when the cracks would show up.
Typically, that may not be a problem, but since he's working with such small components where silicon is exposed in some areas, then it was damaging the circuitry.
So he got that fixed, was back on track, and he was back to selling the OMG cables to whoever wanted them online through the Hack 5 shop.
And these cables look amazing.
They look exactly like a normal USB cable, one that you would charge your phone with, and you would never be able to tell that it's a malicious one.
It's supposed to be stealthy like that.
One of my manufacturers lost an entire box of cables.
Could not account for it.
So the way the cables are configured, they're not very useful.
Luckily, they're not hot, so to say.
But there's a good chance that this box just got shipped to one of their customers who was expecting totally normal USB cables.
So there is absolutely a chance that there are some OMG cables just floating out there.
I forget the exact numbers, like 100 or so, which is kind of scary.
MG strikes me as someone who just obsesses over making his cable better and better.
And it's amazing how he's constantly improving the manufacturing process and the functionality and the build quality of the whole thing.
For the first several years, I wasn't trying to focus on profit here.
Every dollar that we ended up getting that turned into profit, I put it right back into just improvements, R&D, because it was a passion project.
And I mean, it still is, right?
But that just allowed me to focus on so many trivial things.
The cable clips themselves.
So people would routinely like lose their cables.
So we started creating these fluorescent clips that we would include with the cables to prevent that, right?
And you can take them off if you don't want it or just keep it on, whatever.
But, you know, this was, this is a, I'll make this one short, but it's another example of scale in a hilarious way.
It's so simple.
So, you know, I'm 3D printing all of these little clips, these fluorescent clips.
And they're great when you got a few of them, but when you got a hundred or a thousand in a bag, they start getting tangled.
So that's really, really annoying, to pull out tangled clips when you're trying to pack envelopes.
So, you know, redid the design, you know, okay, now I've got tangle-free clips, and, you know, then we got the woven cables, which are more snagless and things like that.
And how can I speed it up so I can get a bed of, you know, 600 clips on a single 3D printed bed without it cascading and falling apart?
And, you know, how can I improve the labeling process from a handheld labeler to an automated machine-done labeler?
Probably doesn't make financial sense to do it, but it's fun to automate and obsess.
So yeah, point being, I have the opportunity of obsessing at the sacrifice of profit.
Now, over time, his cables have gone through many revisions, a lot of feature upgrades too.
So if you were to buy an OMG cable today, here's what it can do.
It comes in all types of different forms, whether it's got a USB-A or USB-C active end.
You know, on the passive end, it'll have like Lightning, Micro, USB-C, usually meant to emulate the aesthetics of exactly the common cables that are out there.
It acts exactly like a normal USB data cable, right?
But it's got an implant inside, as you could probably deduce by now.
That thing stays dormant, but an attacker can remotely connect to it via Wi-Fi nearby, or they can have the cable connect out over the internet to a server you control, anywhere.
It can also do some autonomous things like geofencing and triggering things automatically based on wireless networks it does or doesn't see, right?
Okay, cool.
But what does that do?
So you get a whole web UI on a phone or laptop, whatever it is, that gives you full control over this cable.
We already talked about keystroke injection payloads, emulating a keyboard.
We cranked up the speed at which these things can run to nearly a thousand keystrokes a second.
Added some mouse injection as well.
So you can navigate a mouse around the screen, click on stuff.
Expanded the capacity of these things to store hundreds of individual payloads if you want, or just really giant payloads.
Name of the game is always just flexibility.
So if you want one giant payload or 200 tiny ones, cool, you can do that for your need.
We added USB key logging a while back.
So if you deploy a cable between a keyboard and a desktop or a laptop, which happens a whole lot in corporate spaces, you can log those keystrokes if it's a full-speed keyboard.
Most recently, we added kind of a novel communication link.
So we're calling it HIDX stealth link.
And what it does is, imagine a network interface that looks like a keyboard to the host.
So it says, I am a keyboard.
It looks like a keyboard if you open up device manager, but it's got a bi-directional, like raw data link.
So if you ever use like Netcat or something like that to create little tunnels for data, same concept.
So you can have a remote shell running on the target that's on like a completely air-gapped machine.
It doesn't even have a network interface.
So very cool.
And I had also mentioned a lot of these other types of features like the ability to run self-destruct, the ability to do geofencing, and the self-destruct specifically is to wipe the data.
So if you've got some proprietary malware on there, you don't want to be found, you know, if it gets lost, we can help wipe that.
If you've got key logs on there with sensitive data, like I don't know, passwords or whatever it may be, cool, we can wipe that.
Can also disable the cable so that it just stops acting like a cable.
And hopefully, that'll encourage your target to throw the cable away and get it out of play.
And that's kind of just a high level of all the different things it can do.
Yeah, this thing is pretty scary.
And it's one of those things that now that you know a normal-looking USB cable can be an evil thing, it makes you distrustful of all USB cables.
Like if you see a random USB cable sitting around, it might be some sort of trap that someone left for you, hoping that you'll plug it into your computer so that they can get into your computer.
I've got it in my hand here, and I'm looking at it compared to another cable I have, and it is identical.
It's crazy how.
Nice.
Which one is it?
iPhone one, Lightning.
C to Lightning or A to Lightning?
C to Lightning.
Oh, nice.
So funny story about that one.
If you hold up the Type-C ends and look at the white hoods, I delayed that cable by, I think it was a couple months, because it was 0.3 millimeters longer than the actual thing.
So I was just like, oh man, it matters.
It didn't really matter.
But at the same time, the guy who does the front end work for us is blind.
He was a customer originally when we released the Keylogger edition of the cable.
And he came to me, he's like, dude, I'm feeling these two cables side by side and I cannot tell the difference.
So that was amazing to me.
Yeah, it is remarkable.
And I mean, going back to the ANT catalog and COTTONMOUTH, I wonder if the NSA has bought like a thousand of these to be like, oh, this is so much cheaper than the $20,000 per unit we have.
And it has way better features and we don't have to run the R&D and all that sort of thing.
You have any idea?
I mean, I've heard some whispers that I probably shouldn't talk about, but I'll say this: is that there's many reasons why that could occur, which I mean, sure, price point.
Yeah, absolutely.
Maybe ease of use.
Like, I, you know, can't really speak to what the product experience is of their stuff, but I can suspect.
But here's another thing: deniability.
Like, if you found a COTTONMOUTH cable, you're going to know where that came from, right?
Or especially if you're certain intelligence services, you're going to have a good idea of who made this highly custom hardware.
But if you're seeing something off the shelf, there's some deniability in there for, you know, NSA, as an example, right?
Like, I don't know where that came from.
That's just an off-the-shelf OMG cable, right?
So I would imagine.
Yeah, I have certainly talked with numerous people who are in that space, whether directly or kind of third parties employed by them to do tests and stuff like that, where these are absolutely in a whole lot of those types of environments for various needs, whether it's testing, third-party assessments, like red teaming, stuff like that.
I've talked to police departments, stuff like that, who are using it for all kinds of different needs.
Yeah, but again, it's that interesting aspect of circumventing things, right?
Like, so before, COTTONMOUTH was only available to US intelligence agencies and maybe Five Eyes, but now the OMG cable is available to the world.
So all of NSA's adversaries also have this.
And that is interesting, that the technology isn't only in one person's hands now, but that there's a level playing field of like, nope, we've got that too.
Yep.
I mean, at the same time, I think it should be.
Like, if I could have made that the way I did, I feel like others can make that.
And therefore, you know, it was just a matter of time.
Whether or not we heard about it in public was probably the only question there.
That's an interesting way to look at it, right?
It used to be that only an exclusive group of people could get their hands on such a thing.
And now anyone can.
And yeah, that's scary that this thing could be anywhere now.
But maybe the bigger danger here isn't when the cable went public, but when it was kept secret, when the only ones who had it were shadows, people who didn't want you to know they had it, people who didn't want you to know this existed, people who didn't have to follow the law.
I mean, compare it to smallpox.
For centuries, people died of smallpox and we had no idea why.
But then we discovered what it was and we learned how to contain it.
And then we learned how to fight it.
And then we learned how to defeat it.
But in that process, we learned how to weaponize it.
And that's the double-edged sword of knowledge.
We're in danger without it, but we're dangerous with it.
We're going to take an ad break here, but stay with us because when we come back, MG is going to tell us stories about how this cable is used in the wild.
This episode is sponsored by Shopify.
Starting a new solo project is really overwhelming.
When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more, all alone.
And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.
For millions of businesses, that tool is Shopify.
Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the U.S.
From household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.
And I love Shopify because of how easy it makes getting my business online.
And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.
So get started with your own design studio.
With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.
If you're ready to sell, you're ready for Shopify.
Turn your big business idea into
with Shopify on your side.
Sign up for your $1 a month trial and start selling today at shopify.com slash darknet.
Go to shopify.com slash darknet, shopify.com slash darknet.
So over the years, people have shared stories with MG about how they're using his cable and have asked for some really interesting feature requests.
One story he was told was from someone who's a red teamer for the DOD, the Department of Defense.
That is, his job was to try to hack into the U.S. government's networks to test their security.
This team posed as an Xfinity tech via email and phone.
So they got a legit Comcast.net account, which literally every Comcast customer gets.
But, you know, you got username at Comcast.net.
And they're just like, you know what?
We can pretend to be a Comcast employee with that, and I bet it'll pass.
And it did.
So after some back and forth with this target, they set up an appointment. They found some Comcast slash Xfinity clothing at a thrift store, stuff like a hat and jacket. They did some OSINT, found some fake IDs, printed those out.
They show up.
They say, hey, we only need access to the MPOE. MPOE is a main point of entry, so that's like where the line comes into the building, typically like the basement or something like that. Tends to be a lower security area compared to like the server room.
So they're given access and they install a small device that allows them to remotely disrupt that line, the main line of the ISP, in the future.
So they leave, they wait a few weeks, you know, let everything kind of just settle, and then they start causing disruptions.
They return on site.
They ask to look at the MPOE first, which lets them reclaim that remote device that they had planted. They say, ah, it's not fixed. I see you're having issues, but we're gonna need to find the other end of this cable. Where's this go? And, you know, they knew that's gonna be going up to the server room, typically. So they brought them up. They brought two supposed Xfinity techs up.
There was a camera in the server room, so, you know, they had two techs. One tech would strategically block the camera with their back each time the other needed to deploy a piece of hardware.
So at first, they deployed two different malicious network devices, two different types of things.
But then they see a server with a monitor and a keyboard hooked up, and there's a USB cable hanging off of it.
I think it was an A-to-Micro.
It seemed to be for charging a wireless mouse, right?
And there was a wireless mouse nearby it.
And I was just like, dude, that is the perfect spot for an OMG cable.
And I think we got a perfect match in the kit. So they pull it out. They noticed, oh, this cable even has like a very distinct scratch on it. You know, I'm gonna scratch this cable, make it look perfect, right? They were obsessed with the details. The cable is already configured to connect to their guest Wi-Fi and then call back to a C2 server. They wait for an off-site teammate to confirm that the cable is now connected, not only to that, but back to their C2 server. That means, you know, they got full remote connection from anywhere.
They were left unattended in this room for a little bit.
So they call the target back.
They're like, hey, I think the internet's fixed.
Can you check it out?
And they use that same server that they were eyeballing to, oh yeah, it looks like internet's good, which gave them a little bit more insight into, you know, what's running on that server.
They leave and kind of start their initial work.
They've got these tools in play.
Now, like within a day, the target knew something was up.
They found at least one of those malicious network devices, which immediately led them to the next network device that was in there.
Got cleaned out.
Everything's fine.
What was a malicious network device?
It's not the OMG cable.
It's not, yeah.
It's other hardware that is not as physically stealth.
Oh, okay.
So they left it there as like drop boxes kind of thing.
Yeah, something like a drop box.
It was slightly disguised, but it's like it's visibly there.
It's like a new thing.
So they picked up on that and immediately, okay, we got a, there's an issue.
We don't know how this got here.
Sweep the room.
Okay.
And this is kind of how pen tests should go.
It's like, let's go at stages, right?
Let's first see if we can be super stealthy.
And then if they didn't catch us, we'll be a little bit more sloppy.
And then if they don't catch us, we'll be overtly breaking rules.
And if they still don't catch us, then they've got a lot to explain.
And we could try stealing company cars or something as the next step, right?
So I've heard these stories before.
And it sounds like that's what they were doing.
Like, we're going to put a super stealthy thing in, a medium stealthy, and a very obvious this thing shouldn't be here.
Yeah.
But the funny thing is, they did a whole like remediation sweep and they didn't catch the OMG cable.
Like it's still, it was still in play after, like, hey, you're at alarms, something happened here, sweep it.
We found two malicious devices.
But the thing is that the cable was dormant.
Like it hadn't run anything.
It was just sitting there connecting to their guest Wi-Fi waiting.
So yeah, I mean, what would have triggered the other device discoveries?
Were they doing stuff?
Yeah, they were more active.
So, definitely go looking.
But, you know, it depends.
What would you assume if you're like, oh, there's malicious hardware in here?
What level of sweep do you need to do to that room?
And how thorough does it have to be?
But hey, OMG cable survives an active sweep.
So the server had some constraints that made things a little bit difficult, which is probably why they were a little less thorough, which was, A, they had some EDR on there, endpoint detection and response tooling, that would have detected any form of malware persistence.
So they could run a payload on this and deploy some malware that would just live until the server rebooted.
Also, the entire OS was just completely wiped about once a week.
So even if you did have persistence, that's still getting wiped.
So it's a pretty, pretty locked down environment, right?
But since they had a cable attached physically at all times, that was the persistence.
So anytime they lost the malware connection, they would just rerun that payload.
Boom, they're back in.
They changed the payload over the times, but ultimately this allowed them to run and just work completely undetected for what turned into a six-month period of time.
And the only reason the exercise ended was because the contract came to an end and they needed to wrap things up to explain the full processes and procedures they were using for the op.
I mean, is this kind of what you were hoping to like?
This is exactly the story that I was wanting someone to do this with is stick it in a place, have it be there forever.
You can get in there whenever you want, have your remote persistence, trigger payloads, get into systems, and no one's going to detect you forever.
I mean, that's got to be exactly what you were hoping, right?
Oh, absolutely.
There's just so many like, oh, yes, you used a lot of the features to just really push this.
And it makes me happy because it's, you know, are we doing Rick rolls?
Are we really pushing the boundaries and improving environments and just doing some really cool James Bond shit?
Yeah, that's, that's, I love that.
Because MG has brought this cable into the world, he's met some very interesting people from all around the world and heard some wild stories.
Like there was this one person who was telling him how he used the cable to get into an air-gapped computer.
That is, there's no way possible to hack into it from outside.
And the reason why this computer was air-gapped is because it was part of a digital forensics lab.
It was collecting evidence and looking at computers without the risk of any of that data getting out.
This group was hired to audit an entire security policy, including the physical security of the building.
So they monitored 24-7 with a whole bunch of cameras at all sides of this building that they had deployed.
And it was really hardened.
There were guards present just constantly, 24-7.
Everything was fully access controlled.
It was all logged.
It was all audited.
How are they going to do this?
And of course, the goal was to gain access to that evidence computer, which was air-gapped.
Had access to that large SAN for storage via network.
After a whole bunch of discussion, they decided, you know what?
We're going to use an OMG cable.
Their first idea was to submit a hard drive that needed to be forensically analyzed by that computer, but then throw an OMG cable in the package, and hopefully the tech opens it up and pulls out the cable and says, oh, I'll use this to plug something in.
But they thought, no, that might not work.
They probably have their own USB cables in the lab, and they're not going to use one in our package.
So they decided to get a USB external hard drive.
You know, the ones where there's a hard drive with a little USB pigtail coming off of it, and you just plug it into your computer and you can see it as an external drive.
Well, they cut that little USB pigtail off and then snipped off the end of the OMG cable and soldered it onto this hard drive.
Because the OMG cable only has one active end, and the other end, it really isn't needed for anything.
So they just took the end with all the functionality and stuck it into this hard drive so that when the forensic tech opened it up, they'd have no choice but to plug in this USB hard drive into the computer.
Now it's integrated to that drive, and the drive looks like a totally normal drive, and it's the cable of that drive that suddenly is the problem.
And it stays dormant.
So yeah, put all these different payloads on there in advance.
Most important note, they ran a boot payload.
So a boot payload on an OMG cable, it runs every single time the cable powers on.
So when you plug it in, right?
So they included geofence that would check to make sure it's inbounds.
It's like it's at this evidence computer,
which, you know, they were given some insider info on this one to make it safe.
They're like, okay, here's the network that you should use to keep this in play.
Basic checks to ensure it only ran on that evidence system.
So something, you know, an actual adversary wouldn't do, but when you're a third party trying to keep everything safe, you do a little extra.
So they placed the hard drive in an envelope with the, let's just say, required labeling, that they were able to find via some public record requests.
Say, hey, this is probably what this envelope should look like to make it believable.
So they turned it in at the front desk via a courier service, which was totally not a courier service.
It was them.
They advised, hey, this is for an active thing.
It's needed for legal discovery.
Probably need it soon.
Done, right?
Now, the drive sat for two weeks, unplugged, just waiting, right?
But then it got plugged in.
And once it was, they got a notification.
They had kind of detected when it would come up.
And they left it plugged in for six days to do a full image of this drive.
So they had intentionally kind of downgraded the speed to USB 2 to get like a USB 2 connection on a four terabyte drive.
So they were imaging this thing for like six days, which means six days they had an OMG cable plugged into the evidence computer.
Now they could have set up a bunch of automated payloads and stuff like this, but for damage control, they decided to keep an active human in the loop for this whole thing.
So when it got plugged in, they got the alert, they returned and accessed the cable from basically the lobby or the parking lot, right?
One payload allowed them to create and modify files on both the local system and more importantly, the SAN.
That's where all the evidence is, right?
Like you can manipulate the evidence.
They have just proven that.
Evidence is supposed to be just like pure and untouched.
Then they noticed that, okay, yeah, obviously this SAN, you need a network to connect to it.
So it was connected via Ethernet from this machine.
But they learned that while the evidence machine was supposed to be air-gapped, it was only by DNS.
So like instead of doing a domain name connection out, you just connect out via IP address.
And suddenly, hey, it's working.
You can connect out to the internet by just going direct via IP.
Boom.
Now they got the ability to exfil evidence from the storage device out over the internet.
Like, I think you could immediately assume some terrible scenarios where that's like a big problem.
How prolific is this cable?
Like, how many companies out there are using it?
One day I'll probably find a way to disclose that, but basically, I don't know many places that don't have one.
Yeah, I'm continually amazed.
I learn about new places that I didn't even know exist.
I'm like, wait, A, you exist.
That's crazy.
B, you got my stuff?
What?
Okay, cool.
It's a wild ride going from I'm just making something that I thought was borderline art in my kitchen to all of these types of stories I am telling you.
It's a little, it's a little hard to digest sometimes, but at the same time, I'm trying to take it very seriously.
Yeah, but I mean, Hack5 or even your own website could be like used by these companies, if you do know which ones.
Oh, yeah, I mean, yeah, I think that would be bad form.
There's a lot of companies who probably don't want that info out there.
I think Hack5 will list the media that it's been seen on, like cool, you know, NatGeo and stuff.
I just saw the OMG cable in a Netflix episode, apparently; it was Zero Day.
They're talking, I think it was Robert De Niro talking about the OMG cable on screen.
And I think Jesse Plemons' face was in there.
I'm like, dude, what?
That is wild.
Okay, so Hack 5 is who sells these things.
Is there anyone they don't sell to?
Yeah, so absolutely.
There's a couple of ways to think about this.
And, you know, I'm going to just generalize it here a little bit to make it easier to understand.
But basically, you can kind of think of three categories of countries.
First being countries who are explicitly allowed.
And you could kind of think of those as like friendly NATO countries and five eyes, right?
Then the second category would be countries who are explicitly disallowed.
You know, so think sanctioned countries like Iran and North Korea.
But then you got this third category is countries who are on neither of those lists.
So if the goal was to make as much money as possible, you'd be selling to that third group.
But if you're trying to do more than like the legal minimum, you might avoid selling to that third group, especially if you're operating in a space that many people perceive to be a gray area.
Even if it's not a gray area, you know, perception still matters.
But Hack5 only sells explicitly to the allowed countries and, you know, skips over that third group.
It's a voluntary decision on their end, but it's also a factor of kind of having to be more diligent when you have tools that are more capable.
So toys versus professional tools kind of steps up the level of attention to following the rules and kind of going a little bit over the minimums, right?
Yeah.
Those rules fascinate me.
It's really export controls that the US government has set up, where certain electronics can't be sent to certain countries.
And the classic one that just came to mind because of recent events was DeepSeek. DeepSeek surprised us all with their AI abilities.
And then it turns out that they had tens of thousands of NVIDIA cards, which I believe is against the export control rules.
NVIDIA is not allowed to send tens of thousands of these cards to China.
And so it's just like, well, how come NVIDIA didn't get shut down or fined or slapped on the wrist by the U.S. government for selling so many of these?
Like at some point, there's got to be like, okay, we need more, we need more.
Okay, who are you distributing this to?
Oh, don't ask.
Okay.
So I don't know.
I just wonder if these export control rules even matter, or if they have teeth, or if anyone follows them.
Because honestly, I've filled out forms before and sometimes it's just a checkbox.
Do you live in any of these countries?
No.
Okay, good.
We'll send it to you then.
Right.
I think the NVIDIA one's a pretty good example.
I don't think all of their products are export controlled.
So this probably goes back to the capabilities and the toys versus the upper end stuff.
And can you do good or bad things with them?
And almost dual use kind of territory.
And ultimately, any restriction, kind of as what you were getting at, can be bypassed.
But introducing any degree of friction generally is good if you're trying to, you know, stop a certain activity.
Like, perfect controls are hard.
It's a balancing game, much like almost all security defenses, right?
We often get that wrong in the security industry.
It's like, oh, it's not perfect.
So it's not worth doing.
It's like, not necessarily.
Like speed bumps help to some measurable degree in a large scale.
But is it worth reminding?
Again, Hack5 is the only entity I sell to, but, like, as much as I love not having to worry about it for my own stuff, I absolutely love just supply chains in general, especially when you look at them from like the offensive security mindset.
So I'm totally with you in terms of being fascinated.
I think that stuff gets like way too little attention.
And if you focus on it, you can wield like crazy amounts of power if you understand it.
So yeah.
Okay.
So you've told us a few stories of your cable being used for good.
Do you know any instances of it being used for bad?
Does anyone tell you about those stories?
So I don't know of any stories specifically for my stuff, but Hack5 actually had a semi-recent example that's super applicable here, with their Wi-Fi Pineapple and the Russian GRU.
So let's, what was this?
So the Wi-Fi Pineapple.
It's specifically designed not to be perfect.
Like this is for doing security pen tests, right?
Not for evading.
That's the product design.
So, simple things like MAC address randomization are omitted.
What else?
There's like a certain way it sends management frames that could make it harder to fingerprint if they modified how that works, but they don't.
It's intentional because the product is meant to enable pen testers to do Wi-Fi audits where they've got permission not to evade the detections.
So, anyway, late 2018, Russian GRU was caught in Brussels targeting, I believe, UN facilities, right?
Not the place, you know, if you're making this that you kind of want to see your stuff showing up, but the Wi-Fi pineapple was being used in the trunk of a car.
And that explicit choice to not make the device super stealthy definitely helped law enforcement track this down and figure out what was going on probably a lot faster than if they made other choices in their product design.
Well, I'm surprised there's not more malicious intent stories because, you know, I just go to a grocery store today and the cash register, I could see the back of it.
Like, I can plug something into the back if I wanted.
And there's so many other restaurants and stuff where I've seen a computer exposed at the bank.
I was at the bank and the back of their computer was easily there that I could just pull a cable out of my backpack, shove it in, and they wouldn't know.
And I'm surprised there's not just stories of people using this to rob grocery stores.
I mean, behind the scenes, and I don't think a lot of people see it, I put a lot of work into just gaming out all of the potential risks to minimize that.
And it's not perfect.
It's totally possible that bad things will eventually happen.
There will be a news story.
But I think over the last five to six years, it's been sold.
I personally cannot point to any news stories where a bad thing happened.
Whereas if you compare it against other peer devices in the field, I think there's quite a bit more news stories just comparatively, if we're taking a sampling.
So, that track record, I'm just very happy with so far.
So, I mean, I assume that people are buying this and using it for malicious intent.
I mean, you self-described the thing as a malicious cable, right?
So, we can assume that people are going to do bad things with it, but I worry about your liability here because
if you're saying, I have a malicious thing, this thing's very dangerous.
You could do this and this and this with that.
And so I was like, great, I'm going to go do that, that, that with it.
But it says here, I have the package in front of me, and it says, like, do not use this unless it's on a network that you have permission to use and such like that.
I wonder if that's enough to make you not liable for people actually using this maliciously.
Yeah.
So because, I mean, the thing is that you've got people who are malware creators out there, botnet creators.
They don't unleash it to the world.
They don't spread it.
They don't infect people.
They just make it.
And then they're the ones who are going to jail for this.
Yeah.
I mean, there's definitely some differences there, but just, is that legal message enough?
Like, absolutely not, not for me.
When you're in the gray areas, you can't just do the minimum.
And it's also important to point out that legal is not the same thing as ethical, which is, again, why it's not enough for me.
You know, product design, like I mentioned, detectable defaults, they're not legally required, but I think they're critical in terms of reducing harm.
Community management, like, you know, not just dropping a tool and then letting Lord of the Flies happen, for instance, right?
Like we're talking about a lot of nuances.
You and I right now are talking about a lot of nuances that a lot of people haven't spent the time thinking about.
So I think it's good to try and share those nuances and just generally keep things from going off the rails within those communities because this again helps the outcomes.
And it's kind of sort of like open source.
A lot of people will just drop code and call it done, but it takes a lot more work, in my opinion, to do it responsibly.
You gotta, you know, like real open source is code that you've cleaned up, that you've maintained, and then the community around it is maintained too.
It takes work and effort.
But it's also important that, you know, this isn't just about like self-preservation, which is kind of, you know, the topic here.
It's about kind of community preservation as well, which is really important.
So one entity just being too reckless is basically all it takes to ruin it for everybody.
And there's tons of examples of that type of thing happening.
Obviously, you know, if my goal was to push the limits of the law, then sure, my answers would be different.
But my goal is to push the limits within security.
And I guess, you know, that I want to keep focusing on that.
And that's why I spend tons of time thinking about all the ways I can reduce harm and risk in all the other areas.
Like this, this cable started off as just a one-off, a proof of concept, but it moved over time into large manufacturing, sales.
And the way I think about the risks has evolved along the way, right alongside that.
Yeah, so you talk about, you know, supporting the community.
I assume that's the ethical hackers, the white hats of the world that have permission.
Yeah.
But that's great that that's your intent, to help improve security for networks, to help people test it ethically.
But that intent, I think, is what matters in the eyes of the law in a lot of situations.
And I mean, you just told us that you've sold these things in the back alleys of DEF CON and in dark corners.
And I mean, DEF CON in general is a place that has malicious actors and criminals.
We've seen people get arrested there and such like that.
And so I wonder if there's any sort of, you know, if that's proof enough just to be like, no, this guy sells it at DEF CON.
Of course, he's got malicious intent.
There's no way he's doing it.
Like he would be selling it at a legit conference that's just all about securing and not hacking.
This is a hacker conference.
There's just something there that, I mean, and not just that.
There's like, you know, people might come to you and they'd be like, hey, I want this feature.
And you're like, oh, that's a good idea.
And you add that feature.
And, like, maybe you judge them first and be like, wait, hold on.
Who do you work for?
Do you have permission?
Or do you hear people be like, man, I keep plugging it into the bank and the bank keeps popping me.
I need a feature to be more stealthy.
And then you're like, wait, hold on.
I'm not going to help you.
Like, there's got to be this world of who you actually do business with and who you don't, or who you help and who you don't.
Because again, that intent matters.
And if there's a criminal coming to you and saying, hey, I need this for criminal reasons, what do you do there?
Because that's where the intent comes in, right?
Yeah.
I mean, so helping could be kind of anything, right?
It could be operational advice for, you know, running an op.
It could be feature changes or additions, could even be custom hardware.
I've been offered 30 grand for a cable and I have turned it down because it's like, hey, this, this could risk just the future.
But there's also other things, like people will come in, and they're clearly not in the space of, you know, information security, and they're trying to do some spouseware stuff.
And as soon as I get a hint of that, it's like, immediately, no. Also, what are you doing?
I just have tons of issues with that. Like, you need to redirect this.
Spend your money on like a couples therapy or something.
This cable is not, it's not a marital aid.
Well, yes, see, this is what I imagine, right?
So there's these privacy phones of the world, and they specifically wanted to help criminals, right?
And so they would entertain, they would get them in the hands of, you know, drug dealers and such and say, what can we do to make these phones more private?
You know, what features do you want?
And that's what made the people who made the privacy phones go to prison.
I mean, we have phones that are secure, like even the iPhone, right?
It's secure to some degree.
And you don't see the Apple team going to prison because they're making things private or secure, but it's the fact that all those other privacy phone creators were doing things to work with criminals.
And so I imagine some, I don't know, street hacker gang being like, all right, MG, we got all these cables, but we need it to be one step better here.
We need you to put this in.
I just imagine this world where people are approaching you and you've got to be like, sorry, I will probably go to jail if I help you, so no.
Again, kind of like as you were pointing out there, I don't do this for just anyone. I get to know who they are, who I'm giving custom help to. Actually, the operational stories I'm sharing with you were from those relationships. And, you know, ultimately you need to do some due diligence, kind of like you were saying: contact the entity being targeted, verify a contract for offensive work is in place with the other person asking for help, simply verifying the identity of the entity asking for help to ensure they're legit.
Definitely not just offering it up to anybody.
I have turned down very large offers of cash because it wasn't exactly where I wanted it to be.
A huge thank you to MG for coming on the show and sharing these stories with us.
You can find more about him by visiting his website, which is o.mg.lol.
This episode was created by me, your pseudo mama, Jack Rhysider.
Our editor is the last JPEG, Tristan Ledger. Mixing by Proximity Sound. Intro music by the mysterious Breakmaster Cylinder.
Sometimes I feel like the biggest cybersecurity threat to myself is my future self.
That version of me who forgets to update software or reuses a password or falls for a phishing email.
So to stay safe, I started locking myself out of my own accounts.
Let's just say future me and past me now officially hate each other.
This is Darknet Diaries.