160: Greg

1h 37m

Greg Linares (AKA Laughing Mantis) joins us to tell us about how he became the youngest hacker to be arrested in Arizona.

Follow Greg on Twitter: https://x.com/Laughing_Mantis.

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This show is sponsored by Red Canary. Red Canary is a leading provider of Managed Detection and Response (MDR), helping nearly 1,000 organizations detect and stop threats before they cause harm. With a focus on accuracy across identities, endpoints, and cloud, we deliver trusted security operations and a world-class customer experience. Learn more at redcanary.com.

This show is sponsored by Miro. AI doesn’t have to be intimidating—in fact, it can help your team thrive. Miro’s Innovation Workspace changes that by bringing people and AI together to turn ideas into impact, fast. Whether you’re launching a new podcast, streamlining a process, or building the next big thing, Miro helps your team move quicker, collaborate better, and actually enjoy the work. Learn more at https://miro.com/.

Transcript

Hey,

well, man, I don't see you.

Yeah, my tape is usually over my camera.

I caught my tape on my camera.

One second.

Ah, I can't even hear you.

You can't hear me?

There's a story I had that I totally forgot about, but I remembered recently.

And I wanted to call up my dad and walk through it again with him to try to remember how it went.

Yeah.

I want to recollect a story with you.

Yes.

Because as I tell it, I don't think people will believe it.

So I figure

you can verify that this is true.

Yeah.

All right.

So do you remember my senior year at high school?

Okay.

I had my own car then.

I was like mentally done with school.

I did not want to go to high school anymore.

I was just sick of it.

I just had been there too long.

And I had one elective left.

And I said, what is the easiest possible class I could take?

Do you remember what I chose as my last elective in my senior year?

It was either welding or typing.

I can't remember.

Typing, yeah.

But typing, how fast could I type as a senior in high school?

At least 99 words a minute.

Right.

Right.

So choosing that as an elective.

Oh.

That's the easiest class ever.

It's going to be a walk in the park.

I was happy for you.

Senior year.

Here's the problem, though.

The class was the first period of the day.

8:40?

8:40, yep.

And so I had to be at typing first class of the day.

And yep, the class was real easy.

And when I got there, I was like, oh, good,

this is just a beginner typing class.

I could type super fast.

So I'll tell you what I'll do is I'll finish up my lesson.

in like 10 minutes.

I could do this whole, these, all the, all the stuff you guys are doing today, I'll do it in 10 minutes and I'm done.

And so I even worked ahead.

I said, hey, teacher, can I, can I go on to the next lesson?

Sure, sure.

And so I would do like a whole week's worth of work on Monday.

And then I would help out some of the other students and stuff.

I mean, Isaac, I was the star student in that class.

Of course, you were.

But once I got ahead enough,

I mean,

do you know what my morning routine is?

Am I a morning person?

I probably woke you up at 8:30 and said, you have 10 minutes.

Get to school.

You could not wake up.

Yeah, I had trouble waking up.

So

you had narcolepsy or something.

Yeah, that was, I used to use that excuse all the time.

So I would get to school late on this typing class.

And I thought, no problem.

I'm perfect straight A student in this typing class.

I'm helping the other ones.

All my work is complete.

I don't think it's going to be an issue if I'm seven minutes late, 10 minutes late.

That's fine.

And so I would show up late consistently to this typing class.

But yeah, well,

the teacher didn't like that.

And she said, you can't, you can't come in late like that.

I have to send you to the principal's office if you come in late one more time.

You got to come in on time.

This is like your fifth time being late.

I said, yeah, but I'm getting all the work done.

What's the problem?

And she said, nope, nope, nope.

If you come in late again, I'm going to have to report you.

And so the next day I couldn't get it together.

You tried waking me up again and I was late.

And she said, that's it, you got to go to the principal's office.

And the principal didn't want to see me, but the vice principal was there.

And he said, what's the problem?

I said, no problem, I'm, I'm doing well.

He said, well, the report here says that you're late, so, um,

This is your, you're senior, you know, if you, if you get late too many times, you're not going to graduate.

Oh, my.

I said, listen, I,

have you looked at my grade in this class?

He said, that doesn't matter if you're late.

I said, no, it should matter.

Listen, I think your priorities are all screwed up.

If I'm acing this class, if I'm getting it all correct, and if I'm helping the other students, and I'm a value add to the class in general, not just for myself, then don't you think that I should be graduating with that sort of, uh, work ethic?

And he said, no, it has everything to do with being on time.

It has nothing to do with the work ethic.

You have one more chance.

And if you, I'm going to be there tomorrow.

And if you are late again this year, you are not going to graduate.

I said, really?

You're going to hold me back just for being late, even though I have perfect grades.

And

the next day, of course, I'm late.

I could not get it together.

And the vice principal was standing at the door when I arrived.

And he said, that's it.

You're late.

This is the last straw.

You failed this class.

I said, how, how would you, why would you do this to me?

Like, it's not like I'm I'm struggling with this class.

This class is easy.

I've got it nailed.

I'm like three weeks ahead of every other student in the class.

And he said, I don't care.

You can't come to school on time.

So therefore you're you're fail fail.

And so

they wanted to hold me back a year, a whole year of high school and not let me graduate.

No, you're only missing a half a credit at that point if you didn't graduate.

So you could have went to summer school and picked up a half of credit.

That's right.

I could have.

But you did something else.

So

when I brought this news home to you and I said, listen,

I'm not going to graduate this year.

Your brain started going into overtime

and you started thinking up of solutions.

Yeah, here's a couple of things.

One, after you got thrown out of the class, I noticed you didn't go to school when I'd wake you up in the morning.

I'm not even sure what was going on.

You'd say, Don't worry about it, dad.

I can get in there.

It's second period.

I got to be there.

So, that, but third, your social engineering wasn't a hundred percent yet.

That was your problem.

Yeah, you should have done a lot better with the assistant principal and the teacher.

Oh, yeah, but you saved me that year.

Of course, I did.

I don't know how you came up with the idea,

but you found me an extra half credit.

Well,

you one time switched high schools for, I don't know, four weeks or something.

You didn't like those kids, so you went back to the original high school, which by the way, it was less than a mile from our house.

I don't know how you were ever late, less than a mile.

Yeah, it was very close.

So I knew you were at that other school.

I went over there and one of my...

kind of best friends played sports together and things.

I said, do you remember my son, Jack?

Yeah, yeah, yeah, nice kid.

Was he in your PE class?

Yeah, yeah.

I said, You never gave him credit for that.

He said, Oh man, this is so hard.

Credit?

I said, Not only you got to give him credit, but you got to get it done before graduation.

You got like six days.

And

he just said, I don't think I can do this.

I said, No, you go to the registrar, you put his name down.

Well, he said, You owe me big time.

And somehow, magically, he gave you a C for PE,

sent it over to your high school.

And that's really not the end of it.

The end of it was graduation at your high school.

Yeah, yeah.

And so that sorted it.

Now I was back on track to graduate and everything was fine.

I went to the ceremony.

I sat in the stands.

And then how'd the ceremony go?

The assistant principal, your arch enemy.

He's the one handing out the diplomas.

The same guy who told me I can't graduate.

Yeah, just six days before, you're not graduating.

And now he calls your name, you come up, he looks at the diploma, stares at you.

I didn't think he was going to hand it to you.

And then he grimaced and gave it to you.

And there you have the diploma with the missing half credit.

And I think the statute of limitations ran out on all that.

So

I won't be kicked out of school.

Permanent record.

It'll go out my permanent record this one.

Oh, no.

Yeah.

Yeah.

So that was quite

all because of the typing.

I don't believe it, Mo.

Yeah.

So do you still know how to type?

Yeah, I do.

But do you know how at this point?

No.

I've never had a job in 40 years where I needed a typewriter computer.

Never needed one.

Or a cell phone.

I'm analog all the way.

These are true stories from the dark side of the internet.

I'm Jack Rhysider.

This is Darknet Diaries.

This show is sponsored by DeleteMe.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for DeleteMe.

Now at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleteme.com slash darknet diaries code dd20.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their Antisyphon Training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle ready all the time.

Well, they can help you with all of that.

They've even made a card game, it's called Backdoors and Breaches.

The idea is simple: it teaches people cybersecurity while they play.

Companies use it to stress test their defenses, teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head to head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com slash darknet.

That's blackhillsinfosec.com slash darknet.

I want you to meet Greg.

So I grew up really, really poor.

I grew up in Tucson and fortunately my father was an avionics technician and he was an undiagnosed autistic brilliant man.

He was a MacGyver and the man would just tinker and make things throughout his life.

And while we were poor, my father decided to dumpster dive.

His dad would find various computer parts and trash dumpsters behind buildings and bring them home.

And after doing that a few times, he had enough spare parts to assemble whole computers.

I had a Commodore VIC-20, I had a Trash 80, and then I had an Apple IIe, all, you know, like all when I was born, and I always loved them.

Back then, computers were not as common as they are now.

Having one in your house was a luxury.

Having three, you were really fancy.

And simply having these things within easy reach enabled Greg to learn tons growing up instead of maybe getting introduced to them sometime in high school, if your school was lucky enough to even have computers.

That was my escape as a kid.

I was an undiagnosed autistic kid until I was in my 30s, and I just immediately loved computers.

Computers were a novelty for me as a kid until we got AOL.

Then I became obsessed with them.

I was an AOL kid too.

Matter of fact,

that's where most of my first programs that ever came around.

I was one of the first who discovered the 1IM exploit.

That was my first vulnerability I ever discovered was the integer overflow in the AOL client when you send a font size with a long enough number.

And I remember finding that and making the 1IM punter back in the day.

I remember AOL punters.

You could send someone a message, but then put something in that message that when they receive it, their client wouldn't know how to process it and it would just crash their AOL session.

So you could come into a chat room, send everyone a message, and then see like half the room suddenly disappear because their apps would be crashing and they would disconnect.

So all this fascinated Greg.

To be able to force someone else's computer to do something it's not supposed to, that's cool.

What else can you do?

And his interest in hacking took root and grew.

Soon he found himself in an online group that was trying to create malware.

When I was a virus writer, my ideology I had,

I actually targeted pedophiles.

Every single, every piece of malware I ever wrote was designed

to target pedophiles.

And

we ran a group in there to target people who are targeting children.

And the best part about targeting pedophiles is I think it's the only case that you can say, I gave malware to someone and they're absolutely not going to report you to the police.

Because what are they going to say?

I was trying to pick up this kid and they sent me a jpeg.exe to them.

And that was the case for many years.

When I wrote viruses, that was the only people I targeted.

Otherwise, for me, writing viruses, again, was the thrill of learning about polymorphism, you know, metamorphism, and as well as high-level, low-level code execution.

It was, I just genuinely loved.

the thrill of the knowledge of it.

It was an art.

I still think it's an art form.

His specialty was using Visual Basic to code malicious macros in Microsoft Word documents.

So he would send the Word doc to someone, trick them into opening it, and if they had macros enabled, that would allow Greg to take over their computer.

Now, keep in mind, he was doing all this in middle school, not even in high school yet.

And middle schools back then didn't even have computer classes.

If they did, it was just to like take a math quiz or something like that, not really teaching how to use them and stuff.

And by the time he got to high school, they were just starting to teach kids commands and certain applications on computers.

So one of the first classes he took was keyboarding, which is learning to type.

And I was like, nah, fuck that.

I ain't going to type.

I know how to type.

So our school worked on Excel, all the great systems were in Excel.

And so

I'm one of the old school macro virus writers.

I remember like

colors and back of the day, those series of colors and tri-state.

Those were the eras of macro viruses I remember started programming in.

And so with Excel, I was like, I can do this.

Like, I don't want to be in this class.

I don't want to be in the school.

So the entire grade system was in Excel, and I made a macro virus that would look for my student ID number, would have my trick number, identify

the areas where the grades were in,

take the average number of

the number of the percentage, or if it was A through F, it would be, I might get myself as a B, and would average a number to be like 87% and gave myself 87%.

He was able to take this malicious Excel file and get it onto the teacher's computer.

And suddenly, he was getting all Bs in his classes.

On top of that, he made it so he had perfect attendance too, no matter if he was there or not.

So he just stopped going to class.

It was hilarious as he did all this while in his typing class.

He even coded in obfuscation techniques to avoid detection.

Like after the teacher would record his grade and then close Excel, that's when the macro would trigger on close.

And he would stage all this information in a column that he hid off to the side so you couldn't see any of the funny business happening.

This worked really well.

I was at school for nine days.

That's how long it took me to write this and then put it into the school system.

And then every day I went, I went home.

I was just at home.

And one day my friends came over and they came back from class because I still would hang out with them.

And they were like, hey, Greg,

man, the computers at school are really weird.

I was like, oh, what are they doing?

He's like, well, they're crashing.

Everyone says Excel's not doing well.

And I remember my stomach sinking, like, oh,

what do you mean?

They're like, well, they, you know, when they were getting everybody ready for

the finals, they, you know, everything changed and something crashed.

I think they're calling McAfee over it.

And I was like, oh, no.

So I walked, I went to school the next day.

went into the school library and I had been in school for like so long that the librarian was like,

who are you?

And I was like, I go to the school, I promise, I'm here.

And she's like, I've never seen you.

Like, who are you?

And I was like, well, she's like, do you have a student ID?

I was like, no, I don't have a student ID.

She's like, okay, go to the principal's office.

So principal, like, they're saying, hey, we know you're a kid.

You know, we know your name checks out.

You're in these classes, but none of your teachers recognize who you are.

I was like, oh, I'm sorry.

And I just kind of shut up at that point.

They sent me home.

And what happened was the school added a column in all the Excel sheets to calculate final grades and to do something, you know, something for final grades.

And unfortunately that column just happened to be where I stored the previous data of all the columns.

So, so the, the virus will restore the doc, the, the, the, the sheets, um, when teachers opened up the sheets, that, that caused the, the Excel files to crash on grade.

And they sent the sample to McAfee, and McAfee at the time was like, yeah, this is a macro virus and it was custom written for your school.

So the school decided to call the police.

Police showed up, knocked on my door, arrested me.

Really?

Yeah, yeah.

I mean, it's a government, it's a public school.

It's a public high school.

So it's technically a government.

This was real bad.

He went to juvie, juvenile detention.

They locked him up in a concrete room with a steel door and a tiny little window.

It's a scary place for a teenager.

So I have a note here

that says you're the youngest hacker to be arrested.

Youngest?

In Arizona.

I was the youngest child to be arrested in the state of Arizona for a

computer crime.

I'm not sure if that still holds, but that was the case for a long, long time.

A politician wanted to make an example of him saying, see, cyber criminals are really bad and we should do more to stop them.

But he caught a lucky break.

But they came back that the Tucson police failed to handle the evidence correctly, and my case got dropped, luckily for me.

However, he was ordered not to touch computers for a whole year.

Can you imagine no computers for a whole year?

They made a deal with the courts to say, I won't touch a computer for a year.

I'll have to get a probation officer to sit next to me when I operate computers.

And then

after that, we'll re-evaluate the situation.

So for a year,

anytime I wanted to touch a computer, which is mostly the library back in the day, if you remember when libraries had the little internal library machines to go look up for books in the library, I had to go call this very large, 60-year-old man who absolutely had no idea what

computer hacking looked like.

And I remember fucking with him quite a bit and saying, I'm on him.

Like, oh, I'm getting into the system.

He'd like look at me and grab my hand and pull me away from the computer.

And like, we're going now.

What kind of person, what kind of kid were you like in high school?

Oh man, I was, I was absolutely, I was a goth kid.

I was the goth kid who wore the large,

I had a, I don't know, I got in trouble for a black trench coat because unfortunately going to high school

during 2001 era,

you come across the Columbine incident.

You know,

back in the 90s when I saw a goth kid, I just thought they really liked the movie The Crow.

Yeah, The Crow was a good one.

My best friend at the time, his name was John Awler.

John was a huge Crow fan.

He actually kind of looked like Brandon Lee, too.

So

he was a goth of the Crow type.

I was more in the industrial music.

I always loved like Skinny Puppy and Suicide Commando, Velvet Acid Christ, all those like late 90s industrial bands.

So I was more of a rivet head.

I didn't know at the time what rivet head was, but it's an industrial kid, big stompy boots, goth and industrial music.

I liked metal, but I didn't like metal so much.

I like electronic music.

So when I found out industrial music, which is essentially goth music mixed with techno, I was like, this is it.

This is my lifestyle.

Do you wear earrings?

No, I actually, actually, well, sorry, take that back.

In high school,

I think I had like nine piercings.

I had, you know,

did you wear eyeliner?

No, I was not, I was not a makeup goth.

I was not a makeup goth.

I had, I had the dog collars, I had the goth collars, I had the

bondage outfits.

I was one of those goths for sure.

Okay, so this just emphasizes like when they're like looking for the person who did this.

There's like, you're the one who does not look like everyone else.

I'm sorry, everyone.

The goth, the goth stereotype for the virus writers, that was me.

That was, that was me, everyone.

I apologize.

Yeah, I remember you started this different.

I did, I did.

So my parents kicked me out of my house.

I was, I lived in a group home after, after being arrested.

I was in a group,

Wow, just because of that event?

Yeah, yeah.

Um, so I lived in a group,

And you're, and you're not, you're not normal, Greg.

You're wearing, you're, you got too many piercings, come on.

Um, yeah, I did that all myself too.

Um, so I

got kicked out.

I lived in a group home from the age of 14 to 18.

So I

was in and out.

That was a tough time.

So at 14 is when you got arrested.

Correct.

And then

that's a hard time to go through an arrest.

That's scary.

You don't know what you're facing there.

Correct.

And then to be thrown out of the house.

Yeah.

And then like, what?

I got to do this on my own.

Yeah.

So I lived in a group home, didn't have access to a real computer.

So my only computers at the time were the ones in school.

And

it was rough, man.

It's one of the big reasons why I always try to reach out to people who are kind of in rough situations because my life has not been an easy one.

It has not been easy.

And living in a group home, which the group home was, the one I always got assigned to was a government group home.

And it was mostly for kids who were domestic violence or runaways.

And so it was a lot of violent kids in there.

It was a

It was like a small four-bedroom house,

but it had, at any time, it had between

six guys and six girls and then staff members there.

So it was cramped.

Everything was shared.

It was not a good time.

It was a rough life.

I think I just got some clarity on what it means to be goth just now.

It's not about the clothes and the makeup or the music.

It's about not fitting into a world that tells you to shrink and conform and smile when you're falling apart inside.

It's about understanding that you are different and you can embrace your difference and you gotta pay the price.

Being misunderstood by your teachers, so-called friends, even your own family, can become isolating.

There's this moment, I imagine, that every goth must face.

You have a choice.

Either break yourself down into something more acceptable, force yourself into a version of normal that everyone wants you to be, or you can embrace that shadow inside you, that one that's screaming out, wanting to be seen, wanting to be heard, but knows that it's just too weird for people to understand.

Goths choose to embrace that inner shadow, lean into their weirdness, wear it like armor, and let your darkness be your beauty.

And when you're in a place like a halfway house with nowhere to go and no one who really knows you, that identity, being goth, can become more than just a style.

It becomes your anchor.

Because being goth means you already know what it's like to live on the outside.

You already live in the cracks of the system.

So when the worst happens, when your life is shattered, Being goth is a reminder that it's okay to be on the outside of society.

The music reinforces the idea that it's okay to live outside what's normal.

And there's a level of comfort to hear that music and to see other goths who are also struggling to fight what's normal.

Those quiet rebels, the kids who find beauty in broken places.

I imagine that being goth makes you more resilient to problems like this.

It gives you a tribe without borders.

It gives you a sense of self when the world pretends you're invisible.

So I imagine being goth in that halfway house was an amazingly helpful way to get through it, to self-soothe.

Every time he put on dark clothes, it was like he was giving himself a hug and saying, it's okay to be different.

Don't worry about what everyone else thinks of you.

And man, to go through something like that and goth being your anchor,

that could easily make you goth for life.

Man, I think I've got carried away there.

Okay.

So after I get out of high school, so I was doing music.

One of a few things.

And

so I became, I was a musician and I

was a successful musician.

If you've ever seen the Matrix sequels movies, then you've heard my music at one point.

What?

Your music is in the Matrix sequels?

Yeah.

So I got contacted by a company called Spider-Bite Studios, and they wanted to make music for the Matrix, especially the scenes Matrix stuff.

They wanted to do some music there.

The big thing is they were looking for someone to make music for the trailer for the video game the Matrix Online.

And so they sent me an email and they were like, hey, you know, your music sounds great.

So that was my, that was my first example of being exploited in a contract by a large company.

I sold my music rights for $400 each.

I think I got a $4,000 total out of that deal.

So I was like, I am $4,000 richer.

That is awesome.

And after that, that got into a lot of people asking me to do music and go touring.

So I did a European tour.

It was all throughout Europe.

I think I went to every country except for Latvia and Lithuania.

Toured for a while and then came back.

What are you playing here?

Synthesizer.

It was a one-man project.

So I did, I love synthesizers.

At one point, I owned over 80 of them.

So, yeah, after that, I came back.

After a long tour time, I came back to Arizona.

I was homeless for a while because you only make $30,000 as a musician average a year at that time, especially like an industrial musician.

You don't make any money.

So I came back homeless.

And then I lucked out in getting a job working at that Massage Envy.

Massage Envy is a massage parlor, but it's a chain and they have over a thousand locations all over the U.S.

And their headquarters are in Scottsdale, Arizona.

And they needed someone to work on the back end of their booking system.

They gave Greg a shot and he excelled at it.

It was all VB.net and ASP code back end.

And so I was coding that and

I was breaking software in the meantime, milw0rm.

So I was coding exploits on milw0rm and just throwing them up there.

And

I was literally trying to throw an exploit up there a day.

And I remember I got an email from

eEye and they were like,

you're cracked.

What is going on?

Like, what are you doing?

Like, where do you work at?

Tell us about you.

And I was like, well, I'm a software developer in the middle of Phoenix, Arizona.

I work on

Massage Envy's backend.

And they couldn't believe it.

They were like, what?

Like, you're not in security at all.

I was like, no.

And I was like, I just break stuff for fun.

eEye was a cybersecurity company based in California.

It's spelled E-E-Y-E.

eEye.

They created some tools to help people be more secure.

Like they made a vulnerability scanner and that's how they were able to make money.

So eEye saw that Greg was writing a lot of malware and posting it publicly.

And they liked that and decided to hire him and flew him out to California to give him a job.

Yeah, well, the team I was on, we were all about finding zero days and finding exploits.

Yeah, but there's no money in that.

Marketing, my friend.

When you have a good research team and they're rock stars, they're going to look at you and your products and think, oh man, those guys know what they're doing.

So yeah, when I got there, the person I replaced was Barnaby Jack.

I took, I actually had his desk and everything, man.

Yeah, yeah.

You know, lots of respect to him, man.

It was, it was, I, I, I, I never filled his shoes, but it was, it was just an honor to be a part of, you know, just be around him.

I got to meet him multiple times.

He was a great guy.

See, back then, nobody had a bug bounty program.

If you found a vulnerability in some software, that company wouldn't pay you anything.

You'd be lucky if they sent you a t-shirt.

There was zero money in vulnerability research then.

But the reason eEye did this research to try to find vulnerabilities in software was for two important reasons.

One, to earn credibility.

Oh, that eEye company must have some pretty sharp researchers to constantly be finding vulnerabilities and things.

I bet their tools are great.

It works.

And two, recruitment.

By making the news again and again that they keep finding vulnerabilities, top talent would want to come work there.

Now, they did follow responsible disclosure.

When they'd find a vulnerability, they would do two things: first, tell the software maker and show them exactly what they found.

Then, they would announce publicly that they found a vulnerability in a product.

They wouldn't say what the vulnerability was, though, not until after the software company was able to fix it and patch it.

So, that was the team that Greg joined to simply find new bugs in software that nobody knows about, which is what's known as a zero-day vulnerability.

So, I get there, and Office drops, drops, Office 2007 drops probably about four weeks after, like within my first month of working there.

And we were looking at other software.

We were looking at, I think, CA ARCserve Backup, if you remember that terrible product.

As a macro virus author and I can look at Office

hex editors in Office.

I could tell you where the blobs are in Office.

I know the BIFF format very, very, very well.

So when it comes up.

So

your object, I mean, you're, that your boss or someone told you Marc Maiffret.

Yes, we'll put his name for the record here.

Marc Maiffret, I've heard that name before.

If you, if you don't know, Marc Maiffret got famous from MTV's True Life: I'm a Hacker.

That's where that was his claim to fame.

He was on that.

You know, over like the last few years and like basically ever since I got into hacking, it's just been kind of like a wild ride or, you know, somewhat of a movie.

After the raid, I started thinking a lot different about, like, my life and, like, what I wanted to, you know, start doing with it and then, you know, turn things around.

These days, Chameleon is living the hacker dream, creating security software for companies to protect themselves from people just like him.

That was a clip from the MTV show called True Life Hacker from 1999.

The show follows Mark around as he hacks stuff.

He's wild back then.

So I imagine it'd be really crazy to have him as a boss.

So your boss told you, Office 2007 just came out.

Do you want to take a look at it?

It would be great if you could find some sort of virus or bug, not a virus, but an exploit in there, a bug that we could use for marketing.

Absolutely.

Make a big deal about.

So jump in there.

And you were assigned to do that.

No, yeah, that's exactly how it worked.

Anything that came out, any big thing, we were essentially bounty hunters.

We would go out and be like, yeah, let's go break this thing.

If we have customers, but there wasn't paid bounties back then.

You'd get a t-shirt, if anything.

It was all about the honor of being the first.

We wanted to be the first, too.

That was a big deal.

A lot of honor was a reward.

Yep.

It was be the people who first found the bug.

And so I went in there and started manually fuzzing Word at the time.

Fuzzing.

The first time I did fuzzing was when I was five years old and I went to the supermarket and they had a gumball machine.

My mom gave me a dime and showed me how you put it in and you turn the crank and you get candy.

It was awesome.

And for years I was drawn to them.

I just had to touch them every time I saw them and check them out.

Like I would try turning the crank on every one to see if it would just give me candy with no money in it.

Nope, unless you put money in it, the crank won't turn.

I would sometimes try to put money in it and turn it very slowly to see if I could get a little bit of candy.

And as soon as I do, turn it back real quick to reset it and do it again.

But that didn't work.

I would check the dispenser chutes to see if anyone left candy behind there.

And yes, sometimes they did.

And that was cool.

A little bit of free candy.

I would shake the machine sometimes to see if I could get candy to come out that way.

And that did sometimes work too.

But then I was like, how does it know I put money in here?

Like, how does it know what a quarter or a nickel or a dime actually is?

So I started jamming anything I could find that would fit in there.

Plastic pieces, metal washers, cardboard, shoelaces.

I'd shove it in.

I'd turn the crank and I would see what happens.

And I'm telling you, from like five years old all the way to 15 years old, I was fiddling with these things every time I saw one.

And that to me is what fuzzing is.

It's trying to use the tool or machine or application in ways it's not supposed to be used to see if you could glitch it or somehow get it to act weird.

What Greg was doing was he was opening Microsoft Word and trying to put something in a Word document that wasn't allowed.

I don't know, maybe trying to put a Chinese letter in there or some strange ASCII symbol.

Word would accept some of these characters, but then just deny others.

Now, if Word won't let you input a strange character, why?

Will it break if you somehow force it to take that strange character?

Well, Greg wanted to try.

So he opened up a Word doc, not in Microsoft though, in a hex editor, where you can manipulate the ones and zeros directly in the file, almost like doing surgery on the file.

And he'd put in a character directly into the file that he knows Microsoft Word can't accept, and then he'd save it and try to open it up in Word to see what it would do.

Nothing.

Okay, fine, that didn't work.

But let's try again.

This time, let's see what the max font size is in Word.

1638.

Whoa, that's pretty big.

Okay, so Word won't let you make a font size bigger than that number.

Challenge accepted.

Let's set the font to the max, 1638, to close down Word.

Open up the file in a hex editor.

Look for where that number is.

1638.

Where does that show up?

Ah, right there.

And maybe that means the font size.

So let's change that to 9999 and save it and open it up in Word and be like, what now, Word?

You wouldn't let me set the font bigger, but I did.

What are you going to do?

Nothing.

It just reverts back to the default font size.

It had some sort of logic to handle what happens with a font size that we can't accept.

And that is what fuzzing is.

And that's what Greg was tasked with doing to try to make the brand new Microsoft Office 2007 suite crash.

It's really a hunt to try to see if the developers at Microsoft accounted for every single problem that could possibly go wrong in Word and handle it gracefully.

So you're modifying these files at the lowest level possible, and you're introducing all this unexpected code, unexpected code paths.

It's parsing these files, and it's parsing these files, it's encountering these unexpected data points.

And these unexpected data points are introducing areas of opportunity for you to find a vulnerability.

And basically, the goal is to get Word to execute malicious code, such as giving someone else control of that computer.

But you can't just put malicious code in a Word doc, and then when someone opens it, it runs.

Word doesn't execute code like that.

It just displays it as text.

That's its job.

So can you hide this malicious code somewhere in the Word document that it will also get executed when Word gets open?

No, not really that either.

Yeah, there's macros that act like code, but that's different.

What we want is for Word to take our malicious little code and stick it into the memory of the computer.

So the goal is to cause Word to crash, but then use that crash to force malicious code into memory or a pointer that references the code into memory.

Now, just opening Word is not enough to see all the stuff that's happening.

You want extra visibility on how well Word is behaving, what stuff it's putting into memory and everything.

And that's where a debugger comes in.

At the time, he was using a debugger called Olly, which will show him a lot more details of what Word is actually doing.

Correct.

Olly is a tool that you attach to any application that you want to see at low level, assembly level.

You want to see what the code is actually doing, your registers and your memory output and what's going on with the application.

You attach a debugger.

That allows you.

Sounds like a wrapper for the app.

So you open Olly and then tell Olly to open this.

And then Olly will be like, I will watch all the memory and everything that's happening here and tell you everything.

That's a great summary of that.

And that's exactly what it does.

It sounds a bit tedious to open a file in a hex editor, manually change one or two numbers, then close it, and then open Word up and then see how it behaves and nothing.

So just close it all and try again.

So all day he's editing these files, opening them in Word, and then closing them.

I just really liked looking at the files in the hex editor, modifying the files, opening the file and noticing the UI changes.

Like it would distort the, it would like, if you had your Office file, if you had like graphics and stuff in, it would distort it or make it look, you know, wrong because it's rendering improperly.

So you could actually get better feedback, I found, by doing it that way to identify where in the file you're affecting.

And so, I mean, I did this for like two days, and all of a sudden I had a crash.

Oh, a crash.

This is what he's been trying to create.

Okay, first things first.

Will it crash every time?

Yes.

Awesome.

Okay, it wasn't a fluke.

Next, can he inject code into memory when it crashes?

Yes.

Wow, this is great.

Now he has to see if he can get control of a pointer or inject some shell code into memory along with this crash.

And yes, he can.

And it was a classic crash at that time where you overwrote a data pointer and you can control the data pointer at that, which allows, that's the basis for remote code execution.

So what he's discovered is he can craft a malicious Word doc so that when the user opens it, Word crashes, but then malicious code is put into memory.

And now the system is severely weakened.

It's vulnerable.

Wow, very cool.

All within weeks of Microsoft Office coming out, Greg has discovered a pretty serious vulnerability in it, which allows arbitrary code execution.

He feels great.

His team is impressed.

So

you tell your coworker, your coworker tells your boss, you tell your boss, whatever.

And what does your company do with this?

My boss is like, awesome.

He immediately starts writing all the press.

And Marc Maiffret is, if you know him, he's very enthusiastic.

He's just like, oh my God,

we're going to fuck this.

This is going to be fucking awesome.

We're going to send this to the press.

We're going to throw this out there.

And so he immediately starts writing to everyone, you know, all his typical tech writing, you know, the tech writers.

And so they immediately start writing.

And then we report to Microsoft.

Again, they aren't sharing exactly what the vulnerability is to the press.

They're just telling them that eEye found another zero day, this time in the latest Microsoft Office.

And of course, only giving Microsoft the full details so they can fix it.

And once it's fixed, then eEye will show the world how it was done.

The news spread fast.

A few big tech publications were talking about this zero day that Greg found.

About three days later, we get an email back from Microsoft and says, hey, we can't reproduce this.

And we're like, this is typical.

This is, this is, we've dealt with this before.

This is a typical Microsoft security response, response team, typical action.

So they're like, okay, so we send them more, we send the sample again, and we're like, hey, you know, we show, we show the debug output, we show like a,

and then like another day after that, it comes back and they're like, hey,

did you try this without a debugger attached?

And my boss, my, Marc Maiffret is like, of course we did.

And then he looks over to on, you know, he looks over to Andre.

Andre looks at me.

And I'm like,

I don't think so.

So

we go run it again.

And

there is a special trap that Microsoft added.

This is at the time, this was pretty new technology, where they had debug-only routing inside Office.

So it would reach code flow path that was only exploitable, only triggerable when you had a debugger attached to Word, meaning no one is going to be vulnerable to this unless they're having a debugger attached, unless they're a security researcher.

Oh man, how embarrassing.

The news is out there saying that eEye found a serious vulnerability, but now it turns out they don't actually have a vulnerability.

And it's because this new kid, this weird-looking goth kid, didn't verify it all the way.

And

so

I remember there was yelling.

There was yelling involved.

I remember I was there for three weeks and I remember just literally just staring down, being ashamed and just like, oh, God, this is it.

This is how I lose my career.

It was, it was nice.

It was, it was a good, it was a good couple months.

It's okay.

Because the stress here is because a press release was written, right?

Yes.

And eEye at the time was like, they were like the rock stars.

Like, this is all everyone else in the room, you know, all those rock stars, Yuji, Derek, Daniel, Soder, the brothers, everyone else in there has written vulnerabilities in a professional manner.

They've all done this for years.

They found the first Vista vulnerability.

They found, you know, this is their thing.

And now I'm the new guy who screwed up and made them look bad.

So

behind the closed door, they were like, we got to fire this guy.

And luckily for me,

I believe Andre was like, nah, dude, we're going to give him a chance.

We're going to give him a chance to make this right.

So

they come out and they were like, look, man, you got to find a vulnerability.

We don't care how you do it.

It's got to happen.

I'm like, okay.

There's some hope still.

The press release just said they found a vulnerability in Microsoft Office, which consists of Excel, Word, PowerPoint, Visio, and more.

It didn't give any details as to how the vulnerability works.

So if they can find a bug in any of these products, it'll save the reputation of the company.

But to be clear, for a young guy in his first cybersecurity job to find a zero-day vulnerability in Microsoft Office, that's an incredibly complicated task.

The entire team of coders at Microsoft worked tirelessly to prevent people like him from finding bugs like that.

So he's got to find something they missed.

This was a big deal for Greg.

He needed to find a zero-day vulnerability in Microsoft Office or else he's going to be fired.

He calls his girlfriend and says, don't wait up for me tonight.

I am going to be working late.

Sorry, I just have to do this.

And he just gets dialed right into the zone, downing energy drinks, grabbing extra monitors to be more productive, ordering pizza right to his desk.

Like he's fully committed to doing this.

He was so committed that he was going to stay in that office until he found a zero-day vulnerability.

So I am there the 24 hours by myself, just like manly tricking.

And I'm just like, oh God, I can't do it.

He's sleeping under his desk.

He's living off of donuts and coffee.

So what happened here, man, was like, so the crew comes up to me and they were like, dude, we're not going to let you do this by yourself.

We got your back.

And so everyone stayed in there and we were in there for three days.

And man,

I remember girlfriends calling, wives calling guys and being like, Are you guys coming home yet?

They're like, no, we got to do this.

This is an important thing.

We ordered pizza.

We had Mountain Dew.

That area of the office, I remember it was, it was not smelling great.

Like the other teams were like, what are you guys doing?

What is going on in here?

Are you just like opening text files and edit and then close and then open and then close?

Yeah, we have, okay, so I think during that time, so there's at least six of us.

We have one guy who's writing his own program to fuzz it.

We have,

I think Yuji had like three screens up fuzzing data, reverse engineering.

He's like trying to reverse engineer that.

I have a program I've written running on one machine over here.

I have a machine to my left.

I have a machine next to me that's running software to try and find this vulnerability.

I'm in a hex editor editing files left and right.

I think Derek was also editing files.

Derek found, was finding something else.

He found, I think he later found out another vulnerability out of this, but he's going in there, editing, looking at this, and we're all looking, everything we find is really interesting stuff, which turns out it was like we found a lot of really cool stuff in Office at that time, but none of it was a vulnerability as we described.

So we are literally just sitting there geeking out and just pizza being ordered.

eEye was a wild time.

Days go by like this, where all the researchers are pouring tons of time into this.

Nobody was going home.

People were sleeping in shifts under their desk in the break room.

The energy was amazing to have so many people come together to try to save the reputation of the company.

And day three, I was modifying a file and all of a sudden it popped.

And we look at it and we're like, oh, wait.

And I remember Yuji.

Yuji looks at it first and he's like,

Yuji is this incredibly, unbelievably talented Japanese hacker.

And he's like, oh, it looks good.

And when Yuji says it's good, everyone's like, okay.

So, and the first thing that happens after that is, I remember one of the guys is like, is the debugger detached?

We were like, oh, yeah, get that thing off there.

So retry it.

And it happens to be in Office Visio.

It was another product inside the Office Suite.

So it wasn't Word,

not as sexy as Word, but hey, we only said Office 2007.

So again, saved our butt.

And so, and the thing is, when Microsoft sent that email, they're like, hey, man, this vulnerability occurs in this wrapper function called SafeInt.

And what SafeInt does is it prevents the integer overflow from occurring and causing that controlled flow, code execution to occur.

So it checks all the integers.

What happened with the new vulnerability we found was we just happened to find a legacy pointer for integer that was not SafeInt-wrapped and was vulnerable.

So they sent that email out. And unfortunately, David LeBlanc in Microsoft, David, if you were listening to this, I'm sorry, man.

I think he was on vacation.

He got called back.

Maybe he didn't get called back, but that's what I heard.

Because he was the one who was in charge of SafeInt.

SafeInt was his baby.

And it's an awesome security feature.

He got called back because when we sent that sample to Microsoft and it worked,

that was a big deal to them.

So,

you know, we are all happy.

The vulnerability goes out.

Like a couple months later, it gets disclosed.

And we have indeed the first vulnerability in Microsoft Office.

And that was, that was the case.

That was, that was a, that was a wild time, to say the least.

He saved his butt on that one.

His whole career was on the line.

And he did what he had to do to save it.

And being awake for so long, there wasn't much of a celebration after he found it.

Dude, I crashed. I fell asleep. I remember like being like, just being so exhausted. I straight, like at the time where I found it, I was already tired because I was half asleep. And I remember the alarm that I had for it to find, to like find it, I nearly spilled, I think I did spill soda all over the place because I was just like waking up. Like we were all passing out. Like we're literally sleeping at our desk here. There's no, we were not sleeping on hammocks or anything. We're just like sleeping at our desk. And so I remember it being like, we find the vulnerable, we like, we're like, yes. And we were all so tired to actually have a proper, like,

I guess we did have a proper, we did yell out extremely like amount. We're like, yes, we're finally. And then, and then immediately after, because we're like, we're celebrating, like a high fiving, everything was like that. But man, after that I just remember us all just being like, and we're going home. And I fell asleep at the office.

I didn't even make it home at the time because I had to, I was gonna, I lived walking distance.

I was too tired to even walk home at that day.

So I just crashed out, woke up, went home, and I remember my girlfriend just threw me this like the, the, the, like pillow and the, and the blanket, and I was on the couch for like a week for that one.

Rightfully so.

Yeah, she was so pissed.

But, but it was your job on the line. She should understand that. Like, listen, I am gonna get fired or I could stay three days and not see you. What would you rather I do?

Oh man, I was a newly, I was a newly father. My kid was like probably like,

Oh, okay. So, well, hold on. So you just had a kid at the time?

Kid, when I started eEye, was six months old.

So that kid was not even a year old and colic.

And my kid was extreme colic, like 12 hours a day crying.

Oh, man, she was so mad.

Oh, that's, that's,

that makes it even more stressful.

Oh, yeah.

Oh, oh, yeah.

But yeah, so.

Yeah, that was, I remember, I remember the emails, that was like the emails getting from her was like always popping up, just be like, her just getting angrier and angrier as the days going on.

And she's like, where are you?

Like, I don't believe you're at work for three days doing this.

And I was like, okay, I'll send you a picture of us.

And we had like

the team just like doing random pictures.

I was like, oh man, this is, this was a time.

eEye was a magic place.

A lot of amazing talent worked there, and many went off to start their own cybersecurity businesses.

Rumor has it that some of the anecdotes from the TV show Silicon Valley came from stories that happened at eEye.

And Greg learned a ton from working there for years.

So years later, like years later, this is like my third year at eEye.

I remember we had a honeypot system, which it's a system that's designed to catch hackers and lure in individuals.

And we were trying to get zero-day exploits.

And they definitely tried to lure people into attacking the system.

It was like one of the largest honeypots at the time.

It was nearly a Class B internet group of honeypots.

It was massive.

And I remember I was logging into one of the systems that we had maintained for that, and I see a login called Elfang.

And I was just like,

what is this?

Whose account is this?

Maybe this is a new hire.

I just don't know about.

And

I walk into my boss's office and I was like, hey, um, you know, I got that all set up.

However, there was someone who logged in recently, and maybe it's someone who we hired in like DevOps or something. Um, do you know Elfang?

And I remember, I remember my boss was just typing. All of a sudden, I remember the distinct sound of him stopping and the, the sound of the chair creaking back and him looking at me, and he's like, you found what? Who?

And I was like, yeah, Elfang. And I, I, I think I looked at, the extended name was Lee Fang.

And he's like, what do you mean you found a Lee Fang login?

And I was like,

yeah, it's on the honeypot system.

It was like, it looked like it was a maintainer.

And he goes and he closes the door behind me.

And he's like,

all right, I'm going to tell you a story about Lee Fang.

And I was like, okay, let's hear about it.

So back in the day, like I mentioned, eEye was the rockstar group for finding vulnerabilities.

It was like eEye and iDefense.

That was like the two big companies back in the day for finding zero-day vulnerabilities.

And at one point, eEye was so good at what they are doing, Microsoft decided to hire someone in order to go work at eEye in order to get them to tell them, Microsoft, about the zero days they found in Microsoft.

Wait, wait, what?

Hold on a second.

You're saying Microsoft got someone to a job at eEye.

It's a different time.

But they worked for Microsoft so they could report to Microsoft what eEye is working on.

It was a different time.

Yep.

This is ridiculous.

You don't hear about this ever.

It was a different time.

Does this news ever actually go public?

I don't think so.

I can't imagine Microsoft hiring to work to, getting people to work at other companies.

This is corporate espionage.

That's correct.

Well,

it gets even better.

It gets even better after that.

It gets even better after that.

Okay, so Microsoft hires Lee Fang to work for them, but then plants him in eEye to go find out what they're working on and report back to Microsoft.

So Lee Fang was working at eEye for a while, but then suddenly left, and nobody really knows why.

He just disappeared one day.

But then Microsoft, some time after he left, they're like, hey, we gotta have a talk.

We have a discon, you know, conversation.

And so we're like, okay.

Apparently, and so Microsoft was like, so Lee Fang, he was working for us to identify zero days that you guys may have found.

Which had to be a bombshell for your company to hear.

I think they had suspicions that he was being a little odd, but, so Microsoft then goes to say, so apparently he was also working for a foreign government entity to do the same for us and you.

So

someone placed him in Microsoft?

Correct, correct.

Go get a job there.

And then he got chosen to go work for us.

We hired him and he got planted.

And then he was siphoning zero days from not only us, apparently, he also had privy information at Microsoft, um, and that went back to his foreign government that he was ultimately working for.

Holy moly.

Someone planted him at Microsoft, and then Microsoft planted him at eEye.

That's unreal.

How embarrassing for Microsoft.

It's like being caught doing something you shouldn't have been doing, like, I don't know, having your pants down when the elevator door opens.

They know they shouldn't have been playing that game, but now they realized that they got played themselves.

Oof.

So I really wanted to confirm this story, and I reached out to people that I know who have been at Microsoft for a very long time.

And all of them said that does not sound like something Microsoft would do.

So I can't confirm that that story is true, but I would love to know if it is or isn't.

So if you have information about Microsoft planting people in other companies, tell me about it.

Because here's the thing, we know corporate espionage is happening.

There's people sending secrets back and forth to tech giants all the time.

But it's a secret.

So we don't know about it.

We only know about the ones who get caught.

So it seems plausible like something like that could happen.

And you know what?

I'm curious what corporate espionage stories are out there.

And taking a quick peek, there seems to be some cool ones.

In fact, I think I'm going to take an ad break and look at this a little deeper because I'm fascinated by corporate espionage and I might have to do a few episodes on that sort of stuff.

But stay with us because after the break, Greg is going to tell us some penetration testing stories that he's done.

After a while, Greg left eEye and started doing red team stuff.

That is penetration testing, breaking into companies to test their security.

And he also does threat intelligence, which he tells me he got some really interesting contacts and worked at some very interesting places, but we're gonna have to skip those stories because they're too sensitive to talk about.

But he is willing to tell us a few pen test stories that he did go on.

The first story is about a time when he was paid to try to hack into a major tech firm which has a lot of user data.

I mean, they have millions of users, but not just simple user data.

They collected highly personal information on their users as part of their service.

So Greg meets with the customer, and it started out weird from the get-go.

The customer was saying, look, we are crazy about security.

We go over the top on cybersecurity because we cannot risk our user data getting out.

So we don't think you're going to find anything.

In fact, the last pen testing company struggled so bad to try to hack us that they got arrested.

So they use a third-party payment processing system that is not used by them.

And their previous pen testers accidentally exploited the third-party payment system that was vital to them.

And the third-party payment system was an Oracle system and not owned by the customer at all.

So when apparently, that's what I heard from the customer, they were, you know, they did their exploitation and then they said, hey, we got into credit cards and we're going to present it to you in the next day and the presentation.

So they got the blue team there, all the blue team, all the people,

and they presented them and said, hey, we exploited this, we exploited this IP address, we got access, we gained, and here is your raw credit card details.

And as you can imagine, the team looks at it and they're like, what IP is that?

That's not local.

That's not like, it's a tenant, you know, it's a local address, but that's not ran by us.

That is not.

And then they found it was actually owned by the third party payment system and they had exploited a zero day in that, gained access to there.

And on top of that, the credit card details were not, there was a stream of credit card details.

So I believe it was outside of even scope for the customer.

So the customer reported them on the safety of their half because they didn't want to think that someone on their network compromised them and reported them to the law enforcement authorities.

And I believe that led to the arrest of them.

Either way,

that's always wonderful to hear going into a pen test.

You hear like, hey, the previous guys got arrested.

Why don't you guys come in here?

So, you know,

great start.

Alrighty.

Great start.

So if you know me,

I still dress like a goth kid.

You know, I'm still all black.

I'm cyber punked out.

I wear neophoric, love them.

I'll wear everything from VX Underground, all black, anything I can.

So I show up at this facility.

And

at this time, we also have a coworker of mine.

And this is my coworker's first big, real big pen test.

And so he comes in too.

And I will never forget

the people there because they look at me and they look at each other and they're like, oh God,

we got to put you guys in the back room.

And so they set us a separate room away from everyone else.

And throughout my career, this is kind of the thing.

I'm the guy in the back room.

I've been there because of how I am.

So they saw us back there.

And this is a five-day insider threat pen test.

go.

So his job was to simulate an employee there who had gone rogue or had been hacked.

Just by being in the building, what could he do?

Sniff some Wi-Fi traffic, plug into some network ports?

Well, that's worth checking out.

But they did give him a single user's login.

And they said that user should be locked down so tight that you shouldn't be able to do any harm even by knowing their password.

This customer, I've been red teaming a lot of places.

Their blue team, their SOC team, is absolutely legit.

One of the best defense teams I've ever had the honor of working with.

And so they literally are running their own kind of like built-in EDR system that they built themselves that's tying into their SOC, going in there.

And we get nowhere, man.

Day one, nothing.

Day two, nothing.

Day three, my coworker's laptop dies in the middle of it and he can't even work anymore.

And we had to give a report on to the customer.

And I remember that them just looking at us and being like,

I think we hired the wrong people.

Like literally they were like, do you, are you guys want to resign and we can scrap this up, call it quits and then we can go hire somewhere else?

And I was like, no, man, we got this.

Day four happens

and

we

I remember it was like

4:30, and we have to give, at five o'clock, we have to give our meeting.

And my coworker had to go to Best Buy, buy a brand new machine, and he spent the entire day imaging a machine on a red team engagement.

And we're, he looks at me, he's like, man, I don't know what to do.

So I was like, hey, let's, let's try one more, let's do, let's do some ARP poisoning and just do one more time.

And I remember looking up, and that ARP poison grabbed one plain text credential that just happened to be an FTP job.

And we're like, oh, got a credential.

We got somewhere.

You know, we got something.

It turns out that credential was the build system process and it allowed us to get into the build system to roll code throughout the entire thing.

And it just so happened at 4:30, they rolled it out to do an end-of-day lockdown and build system configuration, lock everything down so no one's doing any more builds.

We went to that meeting, said, hey, we just intercepted this.

And I remember them all thinking, wait a minute, that's the old build, like, and that credential is still active.

At that point, we had a really cool exploit for that.

We got into the build system, and they had a lot of controls on the actual files in there.

So we couldn't modify in the build files, but we could edit the command line.

So we rolled an inline assembly.net include in there to roll in, go into their portal and steal all the customer data who'd enter a credit card in there.

We marked it in the data.

We blocked out that credit card, but we put an asterisk in there, stolen last four digits, and then had it sent out to them.

They test it, they round out, and they were like, holy crap, we have not had a red team roll out code to production in the like eight, nine, 10 years that we're here.

Come back next year.

Come back next year.

Talk about a Hail Mary.

Not a single find all week.

And then 4:30 p.m. on the last day, they catch a lucky break by sniffing a credential in the network, which gave them tons of access.

What a good find that saved their butts.

I come back next year and they're like, hey, we want you to do something kind of crazy.

We want you to target DNA.

Part of what this company did was genetics studies.

They had DNA data on their users, and this was regarded as one of the most protected assets of the company.

So why not hire a hacker to try to find it and steal it?

And we don't care how you get it.

Any way you can get it,

that's fair game.

So I

spent

like a week in there as

a malicious insider.

He starts with a basic employee login again.

It is locked down pretty tight, but it's just enough for him to get a foothold somewhere else.

And from there, he finds an exploit in another system.

And then he was able to pivot from there, collecting more system logins.

And finally, he's able to get in a system which manages backups of machines.

He can see there's some really large files here.

Maybe those are system snapshots or backups, but what system is it a backup for?

No idea.

But he decides to try to download it anyway to see if he can look at what's in these files.

It literally errored out on the share size.

And I was like, I've never seen that before.

And I remember clicking a file and I'm on a local network and I remember that file taking forever to get to me.

And I was like, how big is this?

So I grabbed the file and I'm on the local machine and I remember looking at it and it's

T-C-G-A-C-T, like those, those, those letters.

And I was just like,

I think that's DNA.

I think that's DNA.

And I was like, huh,

I don't know.

Maybe this has got to be.

This can't be.

This can't be right.

So I grab it and I cut off like as much as I could.

And then I sent it over.

I worked with a biologist.

She was a very, very smart girl.

And she just happened to be a biologist who was working with mice at the time.

And she actually knows DNA and she worked with DNA.

And I was like, hey, what does this look like to you?

And I sent it to her.

And she looks at it.

And she's like, oh,

this is a DNA sequence mapped out by this program.

And this looks like, I was like, oh, okay, cool.

And then she's like, hang on.

I can even tell you what kind of DNA this is.

And she like, a couple of minutes go by and she's like, why do you have human DNA?

I was like, I got to go.

I got to buy a click.

And so my next task was like,

they were like, you have to get the data out.

You can get in, you have to get access to it, but you have to get it out.

So at the time,

again, it was run by a very, very good SOC team.

There was a lot of, the environment I was in was very, very, well, restricted.

And

the only way I got to her was through, you know, sending a picture.

Like I remember selecting it all and then putting it into like an app, sending her a picture of it.

And

it was like so bad quality, I had to send it a couple of times actually.

But so I was like, how am I going to get all this data?

I can't do it with the phone.

You know, I can't do it with a picture.

How am I going to get all this data out?

I was a malicious insider.

So I was working as a quote unquote IT member.

And so I got introduced to the IT group and they were like, oh, yeah, you're working in this environment.

It's cool.

And so so I was like, I got to figure out a way I can get a bunch of hard drives and I have to get a bunch of hard drives back into the building.

So

what I did was there's printers that were scheduled for to be to be,

these printers were scheduled to be taken to repair.

I remember grabbing all those printers and gutting it as much as I could and walking out and going out to the front desk, going out to the front door and be like, hey, I got to send this printer to the repair shop.

It has to be done today, immediately.

And so the front desk people are like, okay, just sign off for it.

Cool.

Sign off for the printer.

Load that into my rental car.

And I go to Best Buy.

And I'm like, I have to get hard drives.

I have to get a lot of hard drives.

So I went by, and this is back in the day where those external hard drives were those big, obnoxiously ugly

colored things.

And they came in like

I think 32 gigs or 64 gigs was like a big hard drive at the time.

So I go through, I have a shopping cart and I just go from the end line of these and just pull the whole thing into the shopping cart.

I have a full shopping cart of hard drives.

You put your arm on the shelf and just...

Do you know that meme where the guy's running around Best Buy and he's like all hacked all the things?

I hacked all the things.

That was me, except with hard drives, shoving it into a, into

a shopping cart.

And I remember...

I remember going to best, at the front of the desk, maxing out my credit card

of hard drives, and then

going back and to my hotel at the time and loading them all into the printer.

I put it, I selled out the hollowed out printer, I just stacked the hard drives in there and closed it up together.

And then I show up to work the next day, get the little trolley carts they have, go out and say, bring it back.

And I remember, I remember I'm bringing back the printer and the front desk person was like, wait, you sent that off to be fixed yesterday?

And I was like, yeah, I, uh.

He's like, you got to tell me how you got those guys to fix that in 24 hours, because man, they are always so slow.

And I was like, oh, um, well, I bought them a root beer.

And they're like, oh, that makes sense.

I was like, I bought it, I brought him a six pack of root beer.

And he was like, ah, okay, good to know.

So I go back to my area of the building, putting it, and I have this printer next to me, and then I am opening up a little panel and I'm just USB drive, literally copy, pasting, mounting, copy, pasting.

And I started it, I started it like

8.15 a.m.

And I am there until they kicked me out of the building at like 9 p.m.

Doing nothing but moving over data.

And then I leave the printer there.

And for the next two days, I am literally doing this every day.

And then on my last day of the pen test, I remember I walk out and

I go to the front desk and the guy there, he's still there.

He's like, he's like, I was like, oh, dude, printer broke again.

And he's like, oh, don't worry.

I got something for you.

And he goes to the fridge, the little fridge he has, and he brings out a six pack of root beer.

He's like, give this to them and tell them I said hi.

I am sitting there trying not to laugh while I'm holding petabytes of like I can imagine.

I think, I don't know how, I couldn't get it all, but I remember I bought over like 80 hard drives from Best Buy.

I think I actually went back a couple days later and bought some more because I didn't think I had enough and put them in my jacket and my pants.

And I loaded this HP printer and filled that thing up and got to my hotel.

And then at that point,

I had a secondary laptop that I asked, I requested to prove for exfiltration, connected to that laptop, loaded it up and said, done.

So when it was time to show him what he found, he has them go into the room where he was working in and said, open up the printer.

And they open it up.

And when they do, a bunch of hard drives just come pouring out of it.

And he says, those hard drives are filled with all your DNA data.

Yeah.

And they later said, hey,

you were the first person to do that.

And I worked for the red teaming for another,

I think, three or four more times after that.

And it was after that was their call center I attacked targeting.

Okay, here's the, here's the big question, though, right?

The first time they're like, you got to go in the back office.

We can't have that.

After doing it like three, four times when you're walking through, are you feeling more confident?

Like, oh, no, you could be in the front office.

We don't mind you being around here.

Oh, man, I went to their barbecues.

I went to their family.

They were all very nice.

After the first time, they were like, look,

you can never meet the execs,

but we will absolutely hire you every single time.

A few years go by of him doing pen tests and he gets another job, which also has an interesting story.

This time, a venture capital company has hired him to try to hack them.

Now, they wanted to see if he could hack into them to get data that would influence the market or something that might hurt the reputation of the company, or see if he can gain information that can be used against the company.

So, Greg gets tasked with going on site to try to hack into this venture capital company, which remember, even though he's well into his 30s at this point, he is still dressing all goth and considers himself a goth kid.

I'm still a goth kid, man.

I still dress in black.

I still wear my goth, like my, like, like I said, I don't wear, I don't like the collars or anything, but I still dress all black.

I wear my goth outfits.

I wear my VX Underground, like my neophoric shovels and everything.

I wear my goth boots.

And what's funny is

every single contract I sign for work, I have two clauses in there.

Clause number one, I'll never code in Ruby.

Fuck Ruby.

Then clause number two, I'll never adhere to a dress code, period.

If those two don't happen, I don't work there, period.

So,

so

that goes, that's that goes back to like, I was one of the, when I was in cybersecurity, I was one of the kids who never went to college for cybersecurity.

And so, like, all these places are like, oh, you got to get a college degree, you know, got to do all this kind of stuff, and you got to wear suits.

And I was like, no, fuck that, man.

If you don't hire me for the things I know, then I don't want to work there.

And that's, that's been a long belief and I still believe that, you know, to this very day, um.

And I, I told my boss, you know, the day that my, my goth outfit interferes with the way I work, I would stop doing it, and still do it to this very day.

Uh, it's been 20 years.

Um, anyways, so they send me over and I remember I get out, uh, they're like, hey, we want you to meet at this air, you know, meet at this outside, it's going to be outside the hotel that we're all staying at.

And I walk up to this guy and this guy is wearing a suit.

He is wearing like a suit that costs probably more than what I make in a month.

And he's sitting there, he's smoking a cigarette, clean cut.

The guy looks like he's still like active secret service.

I think he even had an earpiece in, man.

And he looks at me and I was like, hey, are you

Are you this guy?

And we'll call him, we'll call him Brando.

Are you Brando?

And he was just like,

yeah.

And he's like, are you Greg?

And I was like, yeah, nice to meet you.

I know where he takes the longest drag out of his cigarette.

You know that meme from, um, uh, what's that, HBO True Detective, where, where the meme of looking at the, the phone and the guy's just inhaling the cigarette, where Matthew McConaughey, I think, is inhaling the cigarette?

I got that exact look from this guy looking at me, and he just tosses that cigarette and he's like, this is gonna be a long week.

He's like, let's go.

So this guy is his escort and drives him to the building where he's supposed to do the pen test.

And he takes Greg to the front door and he tries to go in with his escort.

And I remember physical security is like, sir, who are you?

What are you doing here?

They think, like literally get in front of me.

I was like, no,

I'm with Brando over there and I'm part of the assessment.

And they're like, give us some ID.

And they escort me into the building.

And also I'm getting a call from

my contact.

And he's like, Where are you?

I was like, I'm being detained.

And he's like, Oh, God, this is a great start.

So they come over and they realize that I'm supposed to be there.

And then I go meet my contact.

And I remember him

looking at me and being like, oh, man.

He's like, all right, well, you can go work in that back room over there.

We're going to tell everyone you're an auditor or someone, so no one bothers you.

You're going to sit up in this back room and

just don't bother anyone.

Just go there.

So they sat him down and said, okay, hack this place.

And he's like, well, can you give me like a user login or something?

No.

All right.

Can you give me the Wi-Fi password at least?

No.

Well, listen, I see a bunch of wireless networks and I don't want to accidentally hack into the wrong wireless network.

So can you at least tell me which Wi-Fi network is yours?

I could see the contact at the Venture Capital.

It's like, man,

it was like he looked at me and he wanted me to be out of this building and to fail as much as possible.

So he's like, our guest Wi-Fi ID is this.

Go.

That's it.

That's all I had to go on.

Nothing else.

Just the guest Wi-Fi.

So I get up and I'm like, okay.

So I start walking around the building and the security team's absolutely following me at every step of this.

And Brando from the other third party is like, where are you going?

Like, what was going on?

I was like, I'm looking for a Wi-Fi password.

And he's like, I think, he's like, I'm pretty sure you're supposed to do that with the computers stuff.

I was like, nah, nah, like they're going to have this.

And I walk around the building, and eventually I find it on a whiteboard.

And I'm like, bingo.

Let's go to.

So I go back and I sit down.

And now I'm on their guest Wi-Fi network.

Nice.

How clever.

Just look around the building for the password.

All right.

So now he's connected to the guest Wi-Fi.

So I get it.

I get the password.

I sit down.

And

from there, I start scanning.

And the first thing I go is I hit the Wi-Fi router.

And it's a Cisco device.

And

this team,

I'll later learn that this team is very, very good.

However, again, like they mentioned, they've never had a full red team event.

So the

router security is nowhere near where it should be.

It's actually, the router is a single router, a senior Cisco device that is both the guest Wi-Fi and the internal Wi-Fi as well.

So I exploit the router, I jump on the router, and then I make the entire network flat.

I bridge over everything.

So now

my machine can be, I can attack anything on the inside of the network, even though I'm on the guest Wi-Fi, I can still start attacking anything on the inside network.

Or on certain networks, they had multiple inside networks.

So I start bridging them over one by one.

How did you exploit the router?

The router didn't have, like, A,

their password was default, as unfortunately as it.

Number two, um, I was, uh, they had an administrative password on like the panels, like, so the access, the access was one, uh, one password, and then I brute forced, I believe, the, the password of the admin panel.

It was very close to standard password on there.

Gained access, unfortunately.

So the guest Wi-Fi should only have very minimal access

just to the internet and no internal systems in the building.

But when he bridged the networks, he could then access anything that other employees could access, which gives him access to a ton of internal systems.

There, I start doing man-in-the-middle attacks.

And let me tell you, red teamers out there, pen testers out there, never skip out on layer two attacks.

Layer two is your Responders, your Cain and Abels, your ARP poisoning, your DHCP, your DHCP spoofing, all of those.

That is going to be your bread and butter.

I promise you, those vulnerabilities are still existing there.

They still work.

I'm working engagements to this very day.

That is where so many places fail.

So I man in the middle, become, I start stealing credentials.

And this is back in the era before SSL security was everywhere.

So you could still do man in the middle and downgrade websites to HTTP logins.

And I start getting credentials to people logging into work emails.

After about an hour, I get access to a relatively new hire.

She has like six months of work in her inbox.

I access her email.

And the first thing I do is I go all the way down to day one.

And what do you get in day one?

Email.

You get your employee training, you get your

onboarding information, you get your onboarding documentation.

And if you come to this building, you get your building alarm code.

So have a physical alarm code that goes in her and also have her badge ID number and what she looks like and such.

So I'm like, okay, so what can I do next?

And I remember the Brando,

this ex-secret service guy, looking over my shoulder and he's like, what are you doing?

And he was like, I was like, okay, so you know these card readers.

He's like, yeah.

He's like,

we're going to clone one of these card readers.

And he's at this point where he's like, all right, Goth guy.

You're not so bad.

Okay.

I like this idea.

And he's like, all right, I'm going to work with you on this.

And I'm going to, he's like, I talked with them and we're going to talk about guard shifts and times to get into this building.

And I was like, okay.

So I tell him my plan.

And I was like, man, so I got a building alarm code.

I'm going to steal, I'm going to put a RFID cloner next to their badge reader.

And when they badge in, I'm going to start getting all these badges.

And he's like, okay.

And so a day goes by and eventually the girl whose building alarm code comes in, badges in, and I get her.

I have like a Proxmark system.

I keep pulling it and all of a sudden I notice I got her ID matches up.

So now I have her employee ID badge and her building access alarm code.

To get into this building, you need to use your little badge and tap the badge reader and the door unlocks.

And what Greg did is he put a little badge sniffer behind the real badge reader so that anytime anyone taps her card, he gets to see what their badge is.

And that essentially allows him to clone a badge.

They gave me a tour of the building at one point, very, very against their will.

They're kind of like hushing me around.

The two things I noticed when they gave me that tour was: A,

there was a balcony on the second floor that had a tree next to it, and from that balcony was a straight shot into their server room.

And basically, you go through one room in that room, you get into

one hallway, and you're in a server room.

And the server room did have a badge reader on it.

The second thing I noticed is

sort of like a like almost like a spiral staircase downward, there was lots and lots and lots of paintings.

I remember asking during the tour, I was like, whoa,

these look like

real paintings.

And they nodded.

They're like, yeah,

CEO, one of the CEOs here loves paintings.

And

this is their pride and joy.

They like to show art and they like to make sure that.

And I was like, huh,

that's interesting.

That's cool.

And

so

I remember, so for the next couple of days,

I had to get a badge of an IT guy because I needed to get access to the server room.

And eventually I get it.

And it's through the Proxmark system as well.

In the meantime, I'm doing man-in-the-middle, getting credentials, doing traditional attacking methods.

But I really wanted to focus on

this whole physical element because the Brando working with me, he was just like, man, he's like, we can do some mission impossible stuff.

And I was like, yeah, yeah, we could.

And so the next phase was

they had cameras everywhere.

They had internal cameras, outside external cameras.

And I remember doing the network, like, so eventually every day I'm folding different parts of that, of their internal networks into the guest network that I'm at so I can bridge over and start looking.

And eventually I find all their camera, their camera network.

And luckily for me, they are using access cameras.

And if anyone's worked physical security, everyone knows there was an era of access cameras from like 2001 to about 2008, 9, 10, where everyone had, all these places had these access cameras because they had a ton of features.

They were cheap.

They were, you know, Chinese-made, wonderful cameras.

However, they were the worst security ever.

They had so many default passwords.

They had buffer overflows and the access control systems.

They had buffer overflows and their web, their web interface.

They had like a web interface that when you connected to it, it looked like GeoCities.

Like it was like straight up like 2002 internet all over again.

And that's how you controlled the cameras directly.

So I talked to Brando and he was like, okay, look, man, he's like, I know they do a guard change around, it's 2:30 a.m., between, you know, around that time.

He's like, you got to be in and out of a building around this time.

And I was like, well, you know, he's like, and he's like, also, there's going to be someone always watching these cameras.

And I was like, okay, that's fine.

You know, he's like, what are you going to do with the cameras?

So I show him and I start connecting to all these cameras.

And

at the time there was a, there's an access, I think they're still running like firmware from like 2005, and there's an access buffer overflow that allows you to control and gain access to every one of these cameras still running that, they hadn't patched them.

Jump in, and then from there I can access the shitty little interface, and I show them, I was like, look what happens if I modify these two values.

And the values is brightness and contrast, and you can edit both of them.

It's usually for, you know, when a viewer wants to look at the camera, they're trying, oh, it's too dark or too bright, they can edit these.

And UI, you can edit them a little bit, but programmatically you can edit them all the way from zero to 255 values, so you can make them go all black or all white.

So I show him, I was like, watch, we can make their cameras go boom, and watch.

I show the camera, it goes distinctly black for a second, and then I undo it, and he's like, oh.

I was like, yeah.

He's like, all right, goth guy, all right, I see what you're cooking here.

And so he's like, well, how are you gonna get these into an area that, you know, how are you going to like do this in a way that you're going to have to be carrying a laptop with you?

It's going to just be awkward.

And I was like,

you know, that's a good point.

So in this engagement, I had a shuttle device with me.

A little tiny computer that are like the size of a shoebox.

A lot of pen testers used them for leave-behind devices.

And on that shuttle device, I put a Bluetooth radio on it.

And so with the Bluetooth radio, I was like, okay, I'm going to walk around the building and I'm going to get measurements of where I'm at with the Bluetooth signal to noise ratio.

And when I'm in front of those areas, I'm going to map out what cameras those are at.

And I am going to make sure that I can get access to this.

And so I tested out the Bluetooth range.

I had to put a big antenna on this thing to get the Bluetooth receiver on it.

And that worked.

So

I could have the Bluetooth show, I go in front of these two cameras, the two cameras that point outside to the patio.

I could have them identified.

There was a camera on the inside there.

And then there was a camera facing the server room.

So those are the cameras I needed to black out.

So my app set signals to the Bluetooth.

The shuttle device would take that signal and relay it.

And when I received those, it would send the packets to those cameras to make the values brightness or contrast to 255 or zero.

It's completely random.

They flip back and forth between them to make it look like a black and white screen, sort of like an effect that was like the cameras malfunctioned for a bit.

So I was like, man, I have, like, I could look at these cameras.

I could test to see if this works.

Not sure if this is really going to work, but we're going to try it.

So he set everything up to try to break into the building overnight and not be seen at all.

The front door might have extra security, and he didn't want to take the risk.

So his whole plan was to sneak up to the building, black out the cameras, get in, and gain access to the server room.

Keep in mind, everyone already was on high alert from this kid.

They thought he was very suspicious, and he was going to have to do something over the top to get in.

And that's when he realized his point of entry should be the balcony.

So that night, man, I came in, 2:30 in the morning, climbed up the tree.

I get onto the balcony.

I push open the, they had like a security door on the balcony that they would lock

before you can get to the badge reading door right there.

I pry that open,

hit the badge,

go into the building, the alarm starts beeping.

I hit the building alarm code and lucky for me, the girl had not changed her alarm code.

I was in.

And I look at the cameras, and I remember being so nervous about this and being like, oh man, this is, hopefully this will work or I'm gonna get tackled very soon.

So I make my way over to the server room, and my badge, my secondary badge, the other one I have for the IT guy, works for that one.

Badge cloned, got him in there, went to the server room, and from there boot rooted all the machines.

You know, so if you're unfamiliar with bootroot, back in the day this was, you plug a USB device into the machine, you turn off the server,

this machine would then boot off the USB device as a recovery device, and from here you would replace a Windows component.

Sticky keys would be an ideal favorite.

So you replace sticky keys with command shell and then you reboot the machine.

So the machine, after you do that, the machine, you reboot the machine, it goes into the password login prompt, and you hit shift five times.

That would then launch sticky keys, which has now become a command prompt instead, and now you have a command screen on it.

And then you can run commands, uh, as elevated privileges, it ran, it, it ran as SYSTEM, so you'd have elevated command.

So from there I exploited all the machines.

I dropped a flag that said I was here, um, and then I went into their, to their stores and put flags on all those.

He's done it.

He's successfully hacked into the servers, Mission Impossible style.

And so he starts to go out, but he notices something.

Those paintings.

So I proceed to go down the staircase, and I go down to the paintings.

I just quickly grab a sticky pad and put a little happy faces, I get a little sticky page and start putting them right next to all these paintings.

Like, there's a little placard for each of these paintings, tell you, um, essentially who made these paintings, what it, what it has symbolized, um, in some cases how much they were worth.

And I stick little happy faces on it that says, I stole this.

So it's typical for a physical pen tester to leave a token behind to prove that they were there in a server room or a desk drawer or something.

I mean, just think about how you would feel if you went to bed and then woke up and there was a sticky note on your bathroom mirror that said, Greg was here.

Just a small note like that can say a lot, can't it?

Here, what Greg was doing was proving that he had access to these paintings and he had time to go right up to them, put notes on them, and security never saw him do it.

So he wrote, I stole this on a bunch of sticky notes and just kept putting the sticky notes on painting after painting after painting after painting.

And I remember like 6.05, like I get a call, Greg, Greg.

Yeah, was this you?

What's the happy face?

What's that mean?

How did you do that?

What is

it doesn't matter.

The CEO wants to talk with you today.

Get in here like eight o'clock.

Like,

like.

He's like, I don't know, man.

He's really upset with the figure.

I was like, okay, okay.

And in the meantime, like the physical security had an issue.

Like they had a

incident because they were like, they were looking over and they were like, well, someone walked in and put all these happy face stickers on there.

And they walked out of the building.

They're like, what does this mean?

I stole this.

And I remember they are coming around.

And I get into the building.

They escort me to the like the boardroom.

And the boardroom has this massive table on it.

And me, in my awkwardness,

I remember sitting and picking the exact opposite of

where I imagined everyone, the exact corner of it.

And the physical security is like, no, get over here.

Get over here.

And first, give us your ID again.

We're going to run some background checks on you again, just to make sure.

Physical security knows to treat those paintings with a very high level of security.

So when the CEO came in and he saw his paintings had sticky notes on them, he simply asked, who did this?

What does this mean?

And when security had no idea, then the CEO is like, okay, we'll find out. And then when security looked at the cameras, they saw they were glitched out during that time and they had almost no evidence of who did it. This made the CEO furious.

What do you mean?

No security footage.

Find out who put these sticky notes on this.

And the cameras around the building were just all black or white because Greg hacked into them to prove he could sneak into the building late at night with nobody noticing.

The VC came in.

The VC CEO came in and was like, what the fuck?

What is this?

You know, who's like, what do you mean stole my paintings?

And little happy faces on them.

And that's what kicked off the security team alert.

And

I remember I was sitting there and then my contact leans over to me and he's like, look,

again,

I have never seen him cancel meetings and move someone to see someone like this.

So I don't think it's going to go well.

And then I look over to Brando and Brando is just like,

you know, he's like, maybe we flew a little bit too close to the sun here, a little icaristus, a little hard, but, you know, whatever.

So CEO comes in with his single security team.

They hand me back my ID and

he looks at me.

And

you can tell the thoughts of this goth kid in his boardroom

is

not what he expected and not what he was expecting to meet for when he, and he looks over and he's like, you hired this guy? And my contact who worked at the company was just like, yeah, you know, like looking at him. He's like, all right. And he's like,

So walk me through what you did.

And for the next 10 minutes, I retell him the story of exactly how I did. And this VC previously had been very technical. He was a code developer, he worked on software. And so he starts going and he starts asking me very intelligent questions about, we start having a back and forth about, oh, okay, so why does this, all right.

And he's like, so,

two questions for you.

First,

what were you gonna do with the paintings? And I was like, oh, I was dating a girl out of Brooklyn at this time, and I was like, you know, I was thinking about taking 'em to Pratt University and maybe, you know, fencing 'em at the university there. That it's got to be someone who knows, like, some weird connections at the Pratt Art, you know, Pratt Institute of Art. And he starts laughing. He's like, all right, um,

She had a plan. And I was like, okay, and

and he's like, I really like those paintings. And I was like, I can't believe you, you know, like you, you know, so I was like, yeah,

I absolutely would have stole right out the front of nothing to do.

And he's like, all right.

So then he's like, all right.

So my next question is, what are you doing next year this time?

And that's how I became their reoccurring red teamer for four years until they got tired of me breaking into the buildings and doing all the things and hired me as full-time.

So after this, I got introduced to a lot of the various levels of executives for this, and I got to pen test all their personal houses and got to show them how why physical security is important.

Getting access to all their penthouse suites, all their large houses, I did that for quite some time afterwards.

A big thank you to Greg Linares, aka Laughing Mantis, for coming on the show and sharing these stories with us.

Please consider supporting this show by visiting plus.darknetdiaries.com.

If you do, you'll get 11 bonus episodes and an ad-free version of the show.

Becoming a supporter is the most direct way that you can help make sure this show continues running and delivers you more episodes.

Please visit plus.darknetdiaries.com.

This episode is created by me, CAPTCHA America, Jack Rhysider.

Our editor is the super subnetter Tristan Ledger.

Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.

I've been working on a new dance lately.

It requires the most efficient use of muscle memory in order to spin at the perfect RPM.

I call my dance the algorithm.

This is Darknet Diaries.