157: Grifter
Grifter is a longtime hacker, DEF CON organizer, and respected voice in the infosec community. From his early days exploring networks to helping shape one of the largest hacker conferences in the world, Grifter has built a reputation for blending deep technical insight with a sharp sense of humor.
Learn more about Grifter by visiting grifter.org.
SponsorsSupport for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
Support for this show comes from ZipRecruiter. ZipRecruiter has solved the hiring problem. Employers prefer it the most for so many reasons. Let’s start by telling you about their matching technology. They work hard to find the best candidates for your needs, and will instantly show you results once you post a job listing. ZipRecruiter will speed up your hiring process. See it for yourself at www.ziprecruiter.com/DARKNET.
This show is sponsored by Material Security. Your cloud office (think Google Workspace or Microsoft 365) is the core of your business, but it’s often protected by scattered tools and manual fixes. Material is a purpose-built detection and response platform that closes the gaps those point solutions leave behind. From email threats to misconfigurations and account takeovers, Material monitors everything and steps in with real-time fixes to keep your data flowing where it should. Learn more at https://material.security.
Listen and follow along
Transcript
Man, last DEF CON was wild.
It is up there.
It was like one of the top 10 best moments of my life.
And I don't think I ever told you about what happened.
See, DEF CON is an annual hacker conference in Las Vegas, and it's my favorite conference in the world.
It's just so inventive and fun and brilliant and weird.
DEF CON is just built different.
Like, of course, there's talks and places to get hands-on doing hacking, but at night, most conferences just shut down.
Not DEF CON.
DEF CON goes all night long.
At night, they clear out the chairs and the lecture halls and they turn them into party spots.
And there's not just one party going on.
There's like a DJ in track one and there's an arcade set up in track two and there's nerdcore rappers on stage live in track three.
Keep walking and you'll find even more parties around the conference.
It's an adventure to find all the things happening.
And that's just at DEF CON.
There are literally dozens of other parties all over town too.
Hotel room parties, bar meetups, pool parties, and vendor parties.
The vendors sometimes spend over $100,000 on a party by renting out a whole nightclub and giving up free drinks and food to their customers.
With all these parties, I got to thinking, you know what?
I should throw a party.
A darknet diaries party.
Now you might be wondering, Jack, I heard you're a private person and nobody really knows what you look like.
That's true.
Well then, how do you go to these conferences and meet people?
Ah, here's my secret.
I wear a disguise.
I put on a big black hat, dark sunglasses, and a bandana over my face.
I kind of look like an old-time bandit in this costume, and it's perfect.
Nobody knows what I actually look like, and I can still meet hundreds of people if I want.
In fact, I've worn this costume so much that everyone seems to know me when I wear it.
It's my brand.
It's my look.
And when it's on, people stop me all the time and say hi and talk with me.
It's great.
I love that.
I can't walk 10 feet in DEF CON without someone shouting my name and saying hi.
But when I take that costume off, nobody knows it's me.
And suddenly, I'm an anonymous face in the crowd.
And I love that anonymity is my default state.
And I can turn on the notoriety whenever I want.
I don't want people to know what I look like so that I can live a nice private life.
I love the attention I get from this show, but I also love that I can turn it off when I want.
So my big idea for this party at Last DEF CON was to step up that anonymity even more.
Everyone knows I'm the guy with the big black hat, the sunglasses, and the bandana around my face.
What if I gave everyone that same costume when they came to my party?
That way everyone is Jack Resider.
I pitched the idea to DEF CON.
They accepted it and showed me which ballroom I get.
And I rounded up 20 of my friends and we had it all planned.
We had four DJs, two video DJs, and so much more.
It was great.
I ordered 800 black hats, sunglasses, and bandanas and the party got underway.
The room filled up instantly.
400 people came pouring in through the door and they were all given these costumes and they put it on.
They played the game.
But the real test was, could any of them find me in this crowd now where we're all wearing the exact same costume?
Amazingly, no.
I was extremely hard to find.
Actually, some people came in, looked all over for me, couldn't find me, and then left, and then tweeted, I just went to Jack Resider's party.
He wasn't even there.
And I was going up to people and I was asking them, hey, where's Jack?
And nobody knew.
I tried to convince a bunch of ladies, like, hey, I'm actually the real Jack Reesider.
And they just laughed at me and walked away.
It was amazing to have all these people come to my party, but I just had this very calm and happy and serene kind of experience to it because I could just float through the crowd and enjoy it without being mobbed by everyone that usually happens.
And I wasn't even maskless.
This is my party and no one can find me.
It was hilarious to me, but it didn't stop there.
I thought, you know what?
I want to put my fans to the test.
I believe that my fans, you, the listeners of this show, are the best, sweetest, nicest people in the world.
And I want to prove that.
I want to somehow be vulnerable to them.
to give them a huge amount of power over me and to see how they react to to such power.
I want to give them so much power that they could ruin me.
And I want to see if any of them abuse it.
And so I thought, okay, I'm here at DEF CON.
What's the worst idea I can come up with to do in this party?
And it hit me.
Let the party attendees control my Twitter account.
Sheesh, if everyone looks like me already, might as well be able to tweet as me too, right?
So I set up this if this and that trigger so that when you text a phone number, it automatically tweets what you texted it no moderation no filters just trust well i i couldn't figure out how to get photos to work so it was just text and i did block urls kind of the one thing i blocked and yeah we set up a projector on the wall and we had a live feed of my twitter and it said text this number and it will tweet as jack and people texted Holy cow, dozens of texts started flying in, but the automation kept up and it just tweeted everyone that it got.
People were testing it at first, just seeing if it it was real.
Like someone said, meow, and someone said, does this work?
And then people started writing their names up on there.
David was here and I love you, Andrea.
And then ASCII art started showing up and memes started getting posted.
I was real nervous watching the screen, but a bunch of people were standing around watching the tweets come in with me.
They had no idea it was even me.
And they couldn't believe that Jack was so stupid enough to hand over his Twitter to DEF CON.
I mean, they're right, you know?
Of all the places to do that, DEF CON is the worst.
These hackers deface anything for fun and delete and destroy stuff.
This is a terrible idea.
I'm going to get canceled.
Something is going to be posted that is going to be absolutely awful for me.
But like I said, it was a test to see how awesome my fans are, to be vulnerable with them and to see if they abuse that power.
And you know what?
They didn't disappoint me.
I think the spiciest tweet I saw was, I'm so horny right now.
But after a couple hours and hundreds of posts to Twitter, Twitter rate limited me and they ruined the fun.
They busted the party and blocked me from tweeting for like 24 hours, which I think is a fitting way of ending that whole experience.
Like it went out nicely.
I didn't get banned.
I just got rate limited.
But by that point, the place was packed and word got out of which one was me.
And I was just surrounded by people and it was great fun.
We were having a blast.
But what I didn't know is that there were another thousand people in line trying to get into this party.
And I know it was a thousand people because someone grabbed a box of pencils.
I had a thousand pencils in the box and handed one to each person in the line.
And they ran out of pencils by the end.
We ran out of everything, hats, bandanas, stickers, sunglasses, bracelets.
I think I met 1,500 people total in that weekend because I brought 1,600 bracelets and I gave them all away.
DEF CON is known for long lines, but there were so many people in line from my party that even DEF CON told me they have never seen a line that long for a party ever.
And that line was possibly the longest line of the whole conference that weekend, barely being longer than the merch line, which is always super, super crazy.
We eventually couldn't hold them back anymore.
We just opened up the doors and let it rip.
And it was a madhouse in there.
And I think the party went on for like six hours, all night long.
And I used every drop of energy I had.
But man, was it worth it?
That was the best time I've ever had at DEF CON.
And you know, to this day, I still get people sliding into my DMs on Twitter asking, why did you say this tweet, man?
And they're mad at some like hot take I had or something.
And when I look at the tweet and I wonder, I don't remember ever saying that.
But then I look at the date and I see that it was posted on August 10th, 2024.
And that was the night I will never forget.
And it always puts a big smile on my face whenever I see a tweet from that day.
This is Dark Knight Diaries.
This show is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
DeleteMe knows your privacy is worth protecting.
Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.
DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.
They're even on the lookout for new data leaks that might re-release info about you.
Privacy is a super important topic for me.
So a year ago I signed up.
Delete me immediately got busy scouring the internet looking for my name and gave me reports of what they found.
Then they got busy deleting things.
It was great to have someone on my team when it comes to protecting my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to join deleteme.com slash darknet diaries and use promo code DD20 at checkout.
The only way to get 20% off is is to go to joindeleetme.com slash darknet diaries and enter code dd20 at checkout.
That's joindeleatme.com slash darknet diaries code dd20.
This episode is sponsored by my friends at Black Hills Information Security.
Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.
Through their anti-siphon training program, they teach you how to think like an attacker.
From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.
Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.
For hackers.
But do you need someone to do a penetration test to see where your defenses stand?
Or are you looking for 24-7 monitoring from their active SOC team?
Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle-ready all the time.
Well, they can help you with all of that.
They've even made a card game, it's called Backdoors and Breaches.
The idea is simple: it teaches people cybersecurity while they play.
Companies use it to stress test their defenses, teachers use it in the classroom to train the next generation.
And if you're curious, there's a free version online that you can try right now.
And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head-to-head hacking and defending just like the real thing.
Check it all out at blackhillsinfosec.com/slash darknet.
That's blackhillsinfosec.com slash darknet.
Grifter.
How'd you get that name?
So
I always cringe a little bit when someone asks me this question because
like many nerds out there, I used to read the dictionary as a kid.
I look for interesting words, words that I liked, and the definition that I came across of grifter was a person at a circus or carnival who runs freak shows or games of chance.
And I was like, ooh, that's badass.
And then it said, again, also the more widely known, a con artist.
And I was like, also cool.
I'll take it.
So yeah, so I started using it for names on like video games.
I would put in Grifter.
You grew up in New York?
Yeah, Long Island.
And what was computers like for you growing up?
I was, you know, I grew up part of the Nintendo generation.
So I was really into video games.
And my parents are divorced.
My dad and live with his brother.
And so his brother, my uncle, was a computer tech back in the 80s.
So he had a computer.
And I have ADHD on a fantastic level.
But sitting in front of the computer or putting electronics in front of me was one of the things that could keep me still.
And so he encouraged me to do that as often as possible.
I started playing games on the computer, which eventually led to my first online experiences, which were dialing into pirate bulletin board systems to download pirated games.
Back then, you were really, really lucky if you had a computer at all in your house.
Nobody understood how they worked, and they were very expensive.
And the problem with pirated games is that they're riddled with malware and viruses.
So Grifter would download a pirated game, install it, and then suddenly his uncle's computer was all screwed up.
Of course, Grifter didn't want to get in trouble for messing up the family computer.
So he sort of had to learn by fire how to troubleshoot the problem he caused.
And this forced him to skill up at understanding computers.
He wasn't just a user anymore.
He was becoming a super user.
Yeah, I think that's the thing is like we were forced to learn a lot of different things at those ages because we had to learn a little bit of everything.
Like it wasn't just done for you.
Like even being able to get online at that time alone required a certain amount of skill, like in order to configure a modem and dial the right numbers and get everything put in correctly and connect to different PBS software required different settings and stuff.
And because it was like that, it meant that there was an assumption that if you were online, that you were an adult.
I could post things and nobody knew that I was 10 years old.
And I really liked that.
But Grifter was quite a mischievous troublemaker and he gravitated towards the darker parts of the internet.
So the pirate bulletin board stuff and posting on there eventually led to somebody on one of the BBSs saying, like, hey, just based on the stuff that you're posting, I think that you would really be interested in this other bulletin board.
And they posted a number, and I dialed it up, and it was a hacker BBS.
And
I
went crazy, basically.
I thought it was the best thing ever.
I read everything on that BBS, like all of the text files about, you know, the different systems that were out there, you know, basic commands for different things.
Like I was like fantasizing about operating systems I'd never
contacted before and being like, oh, I can, oh, I can do this.
I can do this.
And it wasn't just different operating systems.
It was, oh, the computer viruses and like how to write a virus and do all these different things.
And I was fascinated by it.
And I just loved all of it.
And that was it.
I was in.
I know exactly what he means by being in.
I got on bulletin board systems too when I was young or BBSs.
And it was strange and weird.
And I didn't get it.
So I didn't enjoy it.
But when I got in AOL, I found some chat rooms where a bunch of people were just talking all at once in real time.
And that blew my mind.
I was instantly hooked.
on chat rooms and would spend countless hours just talking with tons of people.
That's when I fell in love with the internet.
I I was in.
I soon discovered IRC after that, and I've been in ever since.
And living where I did, I thought like, okay, well, I'll probably never leave New York, right?
Like I didn't, the idea of like traveling the world and doing things like that was as foreign to me as those places were.
But a computer changed all of that.
I could dial into a system and hop from one to the next to the next across networks that were traversing undersea cables and ending up in other countries I never thought I'd get to travel to.
And I thought, well, if I access a system, let's say in Amsterdam,
I know that when I do that and I'm interacting with that machine,
the lights on the modem or network card are flashing and the hard drive is spinning up because I'm accessing files from there.
And in my 12 and 13-year-old brain, I felt like
I was there.
Like it was my way of touching a place that I didn't think I'd ever make it to physically.
Like I knew that it was in a closet somewhere and nobody could see it, but somehow and in some way, I was physically affecting that environment.
So that's what he was up to online.
But in normal life, in the meat space, he was constantly getting in trouble.
So growing up without a lot of money in an area where people didn't have a lot of money,
I would say I wasn't a good kid.
I've been trying to make up for it ever since.
But we did crime.
Like, I shoplifted like crazy.
I ran every scam you could run.
We would steal cars.
We would break into cars and steal stereos and speakers.
We would,
I lived near a marina.
We would go rob the boats.
Like, we'd break into houses.
We fought people constantly for fun.
Like, it wasn't fun.
Okay, tell me about one of these fights.
Okay, so
I like fighting.
Like I like physical fighting.
I don't know why.
I think it's just something
I enjoy it.
I know that makes me sound like a psychopath, but I like facing off against somebody else and seeing where you come out on it.
At the time, it was just we would get in
fights with either random people or people from like, you know, rival gangs, that kind of stuff, where it was just like, okay,
you're in some part of town that you're not supposed to be in.
i'd just get into fights i'd go pick a random fight i'd fight two people at once i would just i liked fighting and a lot of my friends were the same way and sometimes we would just go out and just get into as many fights as we could get in
he says the area he was in had a lot of this stuff happening and as a kid if that's all you see then you kind of assume that's what everyone's like I thought that was like normal.
When I watched TV and I saw the types of things that you'd see on like, you know, the Disney Channel or something like that, some Disney Channel original movie, I was like, that's fantasy.
Like, this is a fantasy world that people wish existed.
I didn't realize that there were people who grew up in towns that one looked like that or that people behave the way that they did.
I didn't know any different, right?
I didn't know that it wasn't normal to like walk home at night.
And if a car is coming, like, dip behind a tree or a telephone pole because you might end up hurt, right?
Like, you might end up in a bad situation.
Like I didn't know that that wasn't a normal thing.
And so it was in part survival and another part, you like make a reputation or get a name for yourself where it's like, oh, okay, well, yeah, don't get in a fight with him because you'll lose.
My thing was like, I can take a punch and I can get hit a lot and it's really hard to knock me out.
Grifter's world was rough.
And to get ahead, it felt like you had to break some rules.
There was a chain of stores that are kind of department stores, like a Kmart type of thing, actually, or something like that, where a couple of friends, we'd all go on a Saturday and we'd go out to the store and we'd do like the barcode swapping, like so sticker swapping.
So you just go out,
swap the sticker on something.
So you'd see like a crystal bowl, and then there'd be another glass bowl.
And so you'd take that and you'd swap the price tags on it.
So the glass, the crystal bowl that should be $300,
you go buy for $30.
And then you swap the tags back, and then you go return it.
And we'd just go out on a Saturday and we'd hit like seven or eight stores.
And we'd like, we'd go buy it at one store, return it to the next one, buy some other stuff at that store, go return it at the next one, go do like stuff like that.
And for a small crew of people, we were pulling in some pretty decent money.
None of my friends were into computers at all, but I was.
And so I knew how to do some things that they had no knowledge of.
Like carding is what we called it back in the day, which is basically just really identity theft and like credit card fraud.
And then order a bunch of stuff like computer parts or clothes or different things and get them shipped or mailed to abandoned houses.
I just leave a note on the door that said, like, hey, UPS guy, like not home.
Please leave the package under a a blanket.
So that was something that my friends wouldn't know how to do naturally that I kind of taught them, right?
Like, here's how we do this, and then we can make some money.
And so then we had essentially stolen goods that were sent to us.
And then we would just, some of the stuff we got that we wanted to keep and other things were things that we would then go and resell and get money that way.
He was ordering things like Tommy Hilfiger jackets, Felix shoes, and other streetwear at the the time.
So he was looking fresh everywhere he went.
And he would sell it for cheap too.
He'd be your hookup.
And of course, along with this lifestyle came drugs.
So he dabbled in that, partaking in it himself for a while.
But then he quit.
He didn't like how it was ruining his brain.
He saw his brain as a very important thing that he didn't want to lose.
But he saw that other people were doing drugs and he saw this as an opportunity to make money from it.
So he sold it.
I did all this like physical, like meat space, like crime, normal crime during the day.
Like I was like just a, like I said, kind of a kind of a shitty person, like a shit kid doing all this random stuff.
But at night, I was still completely wrapped up in the hacker world, right?
But then eventually I was just
breaking into different systems and I got into
a system that ultimately turned out to be
a large
credit card provider, a credit company.
At first, he didn't know he was in a credit card provider.
The internet's a dark place.
You don't always get to see where you're going.
And hacking back then was barely even hacking.
And that's the thing that is different about the time that we grew up in, versus I think what we have with like hackers now is that we do talk about these things like their massive achievements.
Like it's like, oh, when I was a kid, I broke into NASA.
And it's like, when you were a kid, you logged into NASA.
You just had to know an IP address or a phone number to connect to you.
And if they had security at all, it might ask you for a username, but it didn't always.
Like you could just type anything in and it might let you in or you could just wait and it might just time out and then let you in.
It wasn't hard to hack back then, but nobody knew what they were doing.
So it kind of was hard because there weren't tutorials on how to do any of this stuff.
So if you just tried enough places, you might end up finding something that did let you in.
And that's how he got into this company, a credit card provider.
And while he's in that network, he was looking around to see what files were there.
And he found some training manuals for how to process a new credit card.
So basically, after someone passes their credit check, an employee at this company needs to issue them a card.
And this training manual shows exactly how to do that.
And so here Grifter is inside the company, inside the computer that is used to internally create a new credit card for a customer.
And he has the tutorial on how to process it.
And I went looking for the database, and then when I found it,
you know, it was not too difficult to then figure out what I needed to fill in and where.
And the initial one was I was just like, I wonder if I could do this.
I wonder if I put in, if I fill in these fields, if I could get them to send me something.
And I filled out the fields appropriately and put in an address that I had been using as a drop for some of the carding stuff.
And then I waited.
And then a couple, I just watched that house and I'd check the mailbox and,
you know, every couple days or something to see if anything had been delivered.
And eventually I, one day, I opened the mailbox and there was an envelope in it from the credit card company.
And it had a card in the name that I had put.
And I was
elated and horrified in equal measure.
I was like, oh my gosh.
Like it created this kind of like excitement mixed with panic because I was like, ooh, this is,
this is real crime.
Like, this is actual, this is actual bad.
Even though all of the other stuff was real crime, something about that made it very real to me, like holding it in my hands.
And I remember running home, going into my room, opening up, holding the card in my hand, and then just being like,
oh my gosh.
He laid on his bed and just held it up, staring at it.
His very own credit card, and one he doesn't have to pay back because he put a fake name on it.
And the credit card company has no idea who he is to try to come after him.
And the letter said, there's a $5,000 limit on this card.
Wow.
After daydreaming about it for a day or two, I realized you can't ever use this.
Like, you're not going to be able to walk into a store in a mall at
15 years old
and walk up with your credit card and buy whatever.
Like it just didn't seem, I didn't realize also that people, there are kids that did that in other places in the world.
But I just thought there's no way anyone's going to believe that you should have a credit card.
So I just sat on it.
But I was, I was like, I wonder if that was a fluke.
Let me see if I can do it again.
Again, I sent another one to a different different house and again it showed up.
And I was like, okay, I've got something here.
I'm not quite sure what because I know I can't use these.
What can I do with them?
There was a guy he knew, the dad of one of his friends.
And this dad was part of a group that did organized crime.
Like in New York, fireworks were illegal, but this dad would have Grifter and some other kids go around and see who wanted fireworks, almost like they're going around selling Girl Scout cookies.
And then you put your order order in of what fireworks you want, and then a few weeks later, Grifter would come back and deliver the fireworks to you.
In fact, this guy was so into organized crime that he was often hanging out with mafia-type people and had connections to some pretty serious criminals.
Because I knew that he had some connection to like
actual criminals, like I approached him and said, Hey.
So I can do this thing where I can get access to credit cards with higher higher limits on them.
And I don't want to use them.
I don't want to be on camera in stores.
I don't want to do anything.
Is that something that you or, you know, your people would be interested in?
And he was, and he was like, yes.
Like he just said immediately, like, yeah, yeah, I would.
And I'm like, okay.
And he's like, let me talk to some people or whatever.
And he's like, what are we talking here?
And I'm like, I don't know, $5,000, $10,000, whatever, whatever.
And he's like, let me find out what I can get you.
And then he came back and said, oh, well, I need to know it's real.
Do you have, do you have something to prove it?
I said, sure.
Got him one of the cards that I'd gotten.
And I was like, that one's, you know, $5,000.
And he's like, well, I'm, I can give you 10%
for that.
And I'm like, okay,
so I get 500 bucks?
Like, and he's like, yeah.
And then he peeled off $500 bills and said,
this better work.
And I was like, it'll, it'll work.
And then I was terrified because I was like, what if it doesn't work?
Oh my gosh.
Right.
But so I was like, don't spend the money, right?
Like, don't spend the money.
But now I'd been handed money for something that I was like, okay, this is like, this is actually a little bit nerve-wracking, but it worked.
Right.
And then he came back and he was like, okay, great.
Can you do it again?
And I was like, well, I already have.
I have one right now.
He's like, all right, go get it.
Right.
And I went and got it.
And then I gave it to him.
And then he, again, he peeled off another 500 bucks.
And he's like
just come to me whenever you got it and I was like all right
so Grifter logged back into the credit card company and processed another card under another fake name and that was going to another abandoned house and this was making money for him but this guy wanted more much more and Grifter would get in arguments with him saying man if we do too much they're gonna know and they're gonna shut us down but if we take it slow we can keep things going for a while and Grifter was right he would only give himself a new credit credit card every two weeks.
And that allowed him to keep it going for two whole years.
I don't know how long that worked because I eventually just stopped doing it.
Like I,
about
17 years old, I decided that I needed to get out of my town.
Was sitting in the back of my friend's car and he said, just wait until we're like 25.
We're going to own this town.
I said, own what?
Are you kidding me?
Holy shit.
If I'm still here when I'm 25,
you guys kill me.
I was like, oh my gosh, I have to get out.
I have to get out of this town.
And so I didn't have money, right?
I didn't have a way to pay for college.
I didn't have a way out.
And a common response to that is, I went to the military.
What?
You went to the military?
Yeah.
This is a, this is a, I would not expect a life of crime, hacking, drugs, and then suddenly
military.
Yeah, this was a massive shift in my brain.
And I just said, like, I have to go and I have to do this immediately.
And while I was still a senior in high school, like signed the papers, man, and committed to go, my parents had to sign me over because I wasn't 18 and I and I went into the military when I was 17 years old.
So as soon as I graduated, I went into the Air Force.
And
that was an incredibly eye-opening experience for me as well, because right into basic training, I met people who they'd never been in a fist fight before.
Right.
And I was like, how?
Like, I just could not comprehend how.
How did you not run your mouth at some point to a level that somebody wanted to put their fist in it?
And then I'd hear the stories about how they grew up.
And I was like, what?
My mom tried to raise me like with morals and whatever.
And I did pretty good in some areas and really poorly in others.
But the Air Force core values are integrity, service before self, and excellence in everything you do.
And I took that to heart.
I didn't even really know what integrity meant at the time.
Like I'd heard the word, but I didn't really know what it meant.
And essentially to me, the way that I took it was it's like doing the right thing, even if nobody's looking.
Right.
And I was like, okay, do the right thing, even if nobody's looking.
Great.
Service before self.
Okay, so put others before you.
Always try to put others before you.
Okay, I'll try to do that.
And then like excellence in everything that you do.
That was something that my mother had already instilled in me as well, where she was like, if you're going to be, she's like, I don't care what you are, if you're going to be something, be the best at it, whatever it is.
You're going to grow up and you're going to be, you know, janitor, be the best janitor there is.
You're going to be a surgeon, be the best surgeon there is.
But if you're going to put effort into something, if you're going to spend your time on it,
be the best, right?
And so, like, those, those core values, those like Air Force core values really like took hold.
And the military was really good for me because it like forced me to be an adult.
It put me in a situation where it was like, oh, you have to, you, you can't just tell somebody what you think of them just because you think it.
You can't swing on someone because they mouthed off to you.
You have to show up here on time and you have to come ready to do the hard things and all whatever.
The military was super, super good for me.
He got stationed in Utah and in the Air Force, he was assigned to fix F-16 avionics.
He wanted to do computers, but you don't really get a choice.
They just tell you what to do.
But it was cool to sit in a cockpit and swap out instruments.
And he was even deployed to the Middle East for a while.
But after a while, the whole thing was starting to frustrate him.
If there's anything that just riles me up or a pet peeve of mine, it's like inefficiency.
And the military is really inefficient.
So I would be like, hey, if we change this process, it would save us this many hours and probably this many parts and all this or whatever.
And they would be like, just do it the way the Air Force tells you.
Like, and I hated that.
Oh, I hated it.
And then also, in a lot of cases, you get rank because you've been there longer or you test better than other people.
It's not about leadership experience.
And so you'd have to take orders from people who were making poor decisions.
And I just couldn't do it.
I was like, one, I can't keep my mouth shut.
And two, like, I, I just, I can't handle it like as a person.
And so I was like, I've got to get out.
And so when I got out of the military, I only knew how to do two things.
And it was work on F-16s or break into computers.
And so I was like, okay, well, I guess I'll go back to breaking into computers.
Stay with us.
We're going to take a quick break, but when we come back, we have to break some new computers.
This episode is sponsored by Shopify.
Starting a new solo project is really overwhelming.
When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more all alone.
And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.
For millions of businesses, that tool is Shopify.
Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the US.
From household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.
And I love Shopify because of how easy it makes getting my business online.
And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.
So get started with your own design studio.
With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.
If you're ready to sell, you're ready for Shopify.
Turn your big business idea into
with Shopify on your side.
Sign up for your $1 a month trial and start selling today at shopify.com/slash darknet.
Go to shopify.com/slash darknet, shopify.com/slash darknet.
Now, Grifter was stationed in Utah, and one stayed over from Utah is Nevada, where the biggest hacker conference in the world is, DEF CON.
So I knew about DEF CON from the first DEF CON, but being poor and being like 14 years old or something when DEF CON started, I was like, well, my parents are never going to take me to Las Vegas and I can't afford to go there myself.
It was like a month or two months before I was separating from the military.
DEF CON 8 happened in 2000.
And I was like, screw it.
I'm going.
Military be damned.
I'm going to go.
And so I did.
I went out to DEF CON and, you know, met my people, essentially.
It was great.
It was incredible experience.
What makes you connect with the people at DEF CON?
So, yeah, I'd been to small hacker meetings before, but going and, and at the time, it was probably, I don't know, there might have been a thousand of us or something like that at DEF CON 8,
if that.
I love the fact that you could just, anybody could be talking about anything.
You could walk up to somebody and be like, what you guys talking about?
And they'd start talking about something.
And whatever it was, it was interesting.
Like, you know, there was something interesting.
Or there'd be people crowded around a table with like computers and like some electronics or something or whatever.
And they're like, oh, we're trying to get this thing to do this.
Like, I had this idea in my head that I was like, oh man, if we could actually take all these people and like stick them them on an island and just be like, here's the problem that we have.
Can you solve it?
That there was like nothing that couldn't be solved.
And so I knew, like, I knew from that first time I went that I would always go to DEF CON, that that would be it.
I felt the same way.
The first DEF CON I went to was DEF CON 17, and that was back in 2009.
And yeah, the place feels magic.
It's electric.
It's amazing.
And I was hooked from that first visit.
And I've been going for 15 years now.
At DEF CON 8, a buddy of mine had brought 20 t-shirts or something that he had brought.
And I was like, what's the t-shirts for?
And he said, oh, I'm going to sell the t-shirts when we get there.
And we road trip down, right?
So he was like, I'm going to sell the t-shirts when we get there.
20 bucks a piece and that will fund my weekend.
So it'll pay for the hotel.
I'll get to eat really good, all whatever.
It'll pay for DEF CON.
And I'm like, oh, what a cool idea.
So the next year, I decided I was going to make t-shirts, but I don't do anything halfway.
And so I was like, okay, well, I'm going to get a table in the vendor area.
I'm going to make a t-shirt.
And I got a, I had a really nice design put together and I ordered 320 t-shirts, 20 to trade to friends and to other t-shirt vendors and 300 of them to sell.
So I took them down and we sold them all in the in the vendor area.
It was a really nice design.
So they were gone.
And I was like, sweet.
Like I just made a bunch of money like off of selling t-shirts.
And then I met Russ Rogers.
Russ Rogers is one of the conference organizers and asked Grifter to goon next year, which basically means to volunteer to help with the conference.
There's a lot of different types of goons.
There's crowd control goons, speaker assistance, technical support, and other things like helping with the vendors or contests.
But at the time, everyone had to start at security, which is like crowd control and checking badges.
And there are massive lines at DEF CON, and someone has to keep them all in check.
So he took the role of goon and was part of the DEF CON staff.
At DEF CON 10, I was a security goon.
And then at DEF CON 11, I went and I was a vendor goon.
And yeah, and then I've been a goon ever since.
So from DEF CON 10 till now this year will be DEF CON 33.
Gosh, that's 23 years of being with DEF CON at this point.
And because of his attitude of being excellent in everything he does, he quickly started taking on more responsibility at DEF CON.
I started doing things like I ran the DEF CON forums with another guy who went by Null Tone.
The two of us were the administrators for the DEF CON forums.
At the same time that I was gooning, I was a vendor as well.
I never stopped selling t-shirts.
So I was a goon, a vendor.
I was an administrator for the DEF CON forums.
I ran the DEF CON scavenger hunt.
Oh, and then starting at like DEF CON 10, I started speaking.
So I spoke at DEF CON 10, 11, 12, 13, or whatever.
And so I was busy, right?
And then somewhere in there as well, I eventually started running all the technical operations for Black Hat.
Black Hat is another hacker conference in Vegas and it's happening the same week as DEF CON and they're both started by the same person, Dark Tangent.
But Black Hat has an entirely different vibe over there.
It's more professional and corporate compared to DEF CON.
I describe it as at Black Hat there are tons of companies all there saying, hey, if you buy our products, it'll make your company safe and secure.
Well at DEF CON, the overall message is everything is vulnerable.
Nothing is safe and secure.
And here's how to hack anything.
So Black Hat, you see more people wearing collars and even ties.
Well, at DEF CON, everyone just wears all black.
Cargo pants are common, mohawks are common, and wires and antennas are sticking out of everyone's backpacks.
So, Grifter started volunteering at both conferences.
I got busy fast, right?
And then I had a day job on top of it.
I did become, I guess, part of what would be considered to be like the DEF CON inner circle, right?
Like, where it's like, okay,
we need to decide what DEF CON's vision is going to be, what direction are we going to go go in?
What are we going to like coming up with new ideas to keep DEF CON fresh?
Like, I came up with the idea for DEF CON groups.
So, DEF CON groups is hacker meetups that happen in different cities and different countries all over the world.
They are very similar to the 2600 meetings that I used to go to when I was younger.
And the reason that we kind of departed from 2600 was
because they started to get political and kind of let their politics get involved and like they were like telling hackers like you should vote for this person or vote for that.
And I didn't like that.
I didn't like the idea of saying like, yeah, vote this way.
And so I approached
dark tangent Jeff Moss and said like, hey, I don't like this about the way that 2600 is going.
DEF CON has a lot of cloud.
You know, we could probably do something like that and we'll do it by area code and we could just, you know, we'll come up with a name for it or whatever.
And he's like, I love it.
love the idea.
Talk to Russ, again, Russ Rogers.
And he's like, yeah, let's do it.
We came up with all the like ground rules and concept and all whatever and the structure for it.
And then we started running DEF CON groups, our meetups.
I think it was February of 2003, I want to say.
And it was Salt Lake City and Colorado Springs, which is where Russ is from.
So we had DC801 and DC719.
And those were the first two DEF CON groups.
And we ran them until DEF CON.
And then we announced DEF CON groups at DEF CON and it spread like wildfire.
DEF CON Groups has grown to over a hundred chapters worldwide and they're typically really cool people go to these things.
A lot of people ask me, hey, how do I get started in cybersecurity or where can I find a mentor?
And I always recommend them to look to see if there's DEF CON groups in your area.
It's a great way to meet people who are super passionate about cybersecurity.
And I attended one just the other day and it was great.
I met so many cool people.
I mentioned all of the stuff that I did previously, right?
So it was like DEF CON administrator, vendor, goon, running the DEF CON scavenger hunt.
Oh, we also ran the DEF CON movie channel.
Like it was a lot.
I was doing a lot.
And I said to DT after DEF CON 13, I was like,
I'm going to stop gooning.
Like, I,
it's just too much.
It's too much.
And he was like, please don't.
You know, he's like, don't, don't stop.
Like, what's the problem?
I was like, I'm just burning out.
I'm like, I can't run all of these things.
He was like, okay, well, how about this?
He's like, we're moving moving to a new venue next year.
And it's going to be at the Riviera.
And he's like, and there's this space that are, there are these sky boxes that overlook the convention floor.
And he's like, I think, you know,
what if you were like in charge of what, like, whatever we put in that space?
Like, you can just, it'll be a small portion of the conference.
You can do whatever you want with it, like come up with something cool that people will want to do.
And I was like, okay.
He's like, I'm sure people wanna have parties or whatever.
And I'm like, okay, great.
So he goes to the Riviera, the place where DEF CON's gonna be held that year.
And he looks at the space and tries to decide what to do with it.
It's a cool set of rooms.
They're up high and they overlook the whole conference.
And like I was saying in the intro, DEF CON has a lot of parties.
Conference goes on all day and parties go on all night.
In fact, there's so much going on at DEF CON, it's actually hard to remember to eat and shower and even sleep.
It's the best conference in the world.
So, of course, these skybox rooms are perfect party rooms, but that's a nighttime thing.
What do you do in them during the day?
And which parties are going to be up there?
And that's when Grifter got the idea.
He posted on the DEF CON forums, we have a place for you to host a party.
But if you want the space, you have to fill the room with something cool during the day.
You can't just come party at night.
And the first ones to say, okay, we'll do it, was Tool, the open organization of lockpickers.
And they were like, we want one of those skybox spaces so we can have a party.
And we'll come in and we'll put out tables and we'll put a bunch of locks on the tables and we'll teach people introductory lock picking and we'll bring all kinds of examples of things to bypass and we'll just we'll show people how to do it.
And I was like, great, that sounds awesome.
And then it was, again, it was Russ who said, hey,
I'll get some folks and we'll set up a hardware hacking like area and we'll have people come in and they can like learn how to solder and learn how to like do basic electronic stuff and we'll teach them how to do that.
And I was like, great.
303 was like, we'll do talks, but we're going to do talks that aren't allowed to be recorded, that you can't have your like phone out, that you can't, nothing, like nothing can be, like, it doesn't exist, right?
Type of thing.
And I was like, that sounds cool.
Let's do that.
And so that's how the villages started was the first ones to call themselves a village was the Lockpick Village.
Not only is that where DEF CON Villages was born, but it's also where Sky Talks was born.
That name came to be because there were talks in those sky boxes at the Riviera.
Because all the DEF CON talks are recorded and posted to YouTube, but Sky Talks is where no recordings are allowed, which allows people to give talks that are more secretive or maybe even incriminate themselves.
I've probably been to a dozen of these Sky Talks and I've heard some pretty wild stories.
But what's more is Sky Talks has kind of made its way into many other conferences where there's a smaller room off to the side and no video or recordings are allowed in there.
So that idea also has stuck and spread.
So the next year when it came around, the hardware hacking people called themselves the hardware hacking village.
They adopted the name village from the lockpick village.
And then another group started the Wi-Fi village and they just immediately adopted the name village with theirs too.
So they started calling themselves the Wi-Fi village.
So the second year, so DEF CON 15, we had the Lockpick Village, the Wi-Fi Village, and the Hardware hacking village.
And then that concept of like having these broken out areas like spread to other conferences.
Like people are like, oh, we're going to have a lockpick area.
Oh, we're going to have whatever.
And they started calling them villages.
And so like the village concept or like those little community areas that you see at all of these other Infosec and conferences and stuff all came from people wanting to throw a party in a skybox at DEF CON 14.
And then the villages were born.
Now, when Grifter first started getting involved with DEF CON, everyone only knew him as Grifter.
And that's the thing about this conference is it's not unusual that people just know you as your alias or your hacker name, and nobody even questions it.
If you say you're Grifter, then you're Grifter.
Nobody's going to be like, oh, that's funny.
What's your real name, though?
No, DEF CON folks are different.
They get it.
Privacy is important for all of us.
I had been Grifter,
like I said, basically, I picked that name when I was about eight years old and I used it in the hacker community and nobody knew my name.
When I went to hacker meetups, 2600s, when I, anything I did, no one knew my name.
I had no online presence at all and I was proud of that.
People didn't know who I was.
And then at DEF CON 9, my wife at the time, my ex-wife, she, she came with me and I had said something to her and she was selling t-shirts.
And I said something to her and I was like, all right, I'll be back in a little while.
And I walked away and I started walking away and I got a few tables away and she said, Oh, wait, Neil.
And I was like,
Like it, like, oh.
And I turned around, and the look on my face must have just been like, Oh my gosh, like, are you kidding me?
And then she, and I'm like staring at her, and she goes, Oh, sorry, grifter.
And I was like, Oh my gosh, because now even people who weren't looking like turned their heads and were like,
What?
Like, and then there were, there were guys that I'd known seven, ten 10 years, and they were like, your name's Neil?
And I was like, yeah.
They're like, huh, you don't look like a Neil.
I'm like,
cool.
Like, I was like, oh my gosh.
So that
anonymity, like to some degree, like, it flew out the window.
So after a while, Grifter got put in charge of running the Wi-Fi and network at Black Hat, that other conference that's happening in Vegas the same week as DEF CON.
They call it the Black Hat Knock, which stands for Network Operations Center.
And I should say, even though Black Hat and DEF CON happen the same week, they don't actually overlap.
Black Hat is like Monday, Tuesday, Wednesday, Thursday, and DEF CON is Friday, Saturday, Sunday.
And I should also mention that there are many other conferences happening that same time as well.
Like there's B-Sides, which is a big one, and it's on Wednesday and Thursday.
And there are other ones happening around town.
Like there's Toxic Barbecue, which is where a bunch of people meet up in a park and barbecue.
And there's a DEF CON shoot, which is where people go to the desert and shoot guns.
And there's just meetups like all over the place, like Diana Initiative and QueerCon.
At any given moment during that week, there are 50 things happening.
And it's overwhelming and awesome.
So anyway, Grifta was tasked with setting up the Wi-Fi at Black Hat, which you can imagine trying to get a Wi-Fi network up and usable at a hacker conference is challenging.
Yeah, it is.
It's actually incredibly difficult, but it's also super satisfying to do it.
It makes it fun.
You're going up against multiple different types of attacks ongoing throughout the conference at different times, trying to hit you in different ways.
People learning new things and getting creative.
Like, we've had stuff where, like, somebody discusses a vulnerability for a piece of equipment that we're using at the conference, and we've got a scramble to try to make sure that the network stays up because they just told 500 people in a ballroom how to do something against a piece of equipment that we've got running in the knock.
We call it the Black Hat NOC because it is a NOC.
Like, it is
we replace every router, every switch, every firewall, and every access point at whatever venue we go to.
So now that's Mandalay Bay.
It's the Marina Bay Sands in Singapore, and it's the Excel Center in London.
But we bring all of our own equipment because it allows us to
have control over the environment, mitigate attacks if they come.
We can't be opening a support ticket.
Oh, yeah, the hotel would now have a chance against this, would they?
Not a chance in hell.
What do you tell them?
Just shut it all down while we're here?
Yeah, we actually do.
We just say, please shut the Wi-Fi in these areas.
And so,
yeah,
it's an interesting thing.
Do you think that they'd want to hire you to set up their Wi-Fi to be resilient against stuff like this and say, wait, just leave what you have here because we'll just use it from now on?
Yeah, they're getting better.
Again, that's like years have gone on and stuff, they're getting better, not to the point that we're willing to let them run things.
Because, again, like, well, one, we call ourselves a NOC, but we are a full-fledged SOC.
We have every piece of equipment that a modern day security operations center has in there.
And when we initially started out, we were running everything with like open source, you know, hardware, open source scripts and software and
commercial stuff that you could just buy at like Best Buy, right?
Yeah, their budget was very small at the beginning.
But if you go to Black Hat, one thing you won't miss is the Expo floor.
I went last year and I was blown away at how big Ed has grown.
This is a room where if you're a cybersecurity vendor, you can set up a booth there and pitch your products to people who are walking through the conference.
I walked through and it took me hours and hours to just try to walk past every booth and just read their name.
It felt like it went on forever.
Every cybersecurity company in the world seemed to be there and there must have been hundreds.
So as this black hat knock grew, it needed more sophisticated equipment and Grifter wondered, with all these vendors here, would any of them let us use their gear?
Like, just for the week?
And so we were like, well, what if we went down to the expo floor and we approached some of the vendors and we say, hey, if you'll let us use your equipment or your, give us a software license, we'll put your logo like in the program that says like you help like.
partner with the the black hat knock we go up to the first like vendor that we wanted to talk to they're like yeah oh absolutely and they were like when Like now?
Like, do you want equipment?
Do you need people?
Like, and I was like, this response was like on a level that I wasn't prepared for.
And so I was like,
I was like, I think we might be onto something here.
You know, and they were like, we'd love to help support it.
We'll like, we'll give you whatever you need.
And I just looked at Bart and I was like, let's go shopping.
So him and Bart, the other guy who runs the knock with him, realized that every vendor would love for them to use their equipment for free because each vendor would love to be able to say, we're trusted by Black Hat.
If a hacker conference uses our equipment, surely that's got to mean something.
And this made building the Black Hat knock even more fun, knowing that they could just walk down the hall and get any equipment they wanted to help secure this network.
That's cool.
And once vendors heard that Grifter was doing this, they started begging him to use their equipment.
We've been offered money from vendors before where they're like, we'll cut you a check, like personally, not to Black Hat, like they're like, hey, Grifter, I'll cut you a check for a hundred grand if you'll put our stuff in the knock.
And I'm like, why don't you take that $100,000 and invest it in your product and make it better?
And maybe I'll choose it.
And I say that for two reasons.
One, because I'm a dick, but two, because
integrity, right?
Like I mentioned that earlier is it's like, no, like you can't buy my like, you know, influence in this space, right?
Like it's like, I choose what I believe are the best technologies to go in here to do the job.
And if you want to be in here, be better.
And then maybe you'll be in here.
Of course, Grifter sees tons of crazy things on the Black Hat network.
Like speakers might be on stage demoing an exploit and it'll trigger all kinds of alerts and knock.
A normal knock might freak out seeing that kind of stuff coming from inside their network, but Black Hat realizes, oh, that's fine, since the speaker is just demoing the exploit on stage.
Or sometimes you'll see a vendor release a patch and attendees are trying to reverse engineer what was fixed in the patch and they'll find a new vulnerability and they'll start attacking with it the same day the patch is released.
So they've got to hurry up and patch everything as soon as a new patch comes out.
Or sometimes they see students in classes doing illegal things on the Wi-Fi and of course Grifter will go in there and warn them, hey, you shouldn't be doing that stuff.
And then there are things where it's just folks who are, they think they're secure and they show up to Black Hat already compromised.
And we look for stuff like that.
Again, it's an incredibly modern security operations center.
People will get on the network and they're immediately beaconing out to known C2 or they're hitting malicious sites or doing whatever.
And we will go and look and be like, okay, is this something that looks like it's part of a lab?
Is this something that happened when they first got on?
And so people will often say, oh, don't get onto like the Black Hat network because you'll get attacked.
When I honestly think in reality, more people leave secure than they do compromised from Black Hat because we're looking for it.
And if we see any kind of communication to known C2, if we see crypto mining activity or we see clear text credentials coming from a device, we send a captive portal to that device that is doing it.
They'll get a pop-up the next time they go to browse to something that will say, hi, this is a message from the Black Hat NOC.
This device is showing signs of communication to known command and control servers.
Like if this is expected behavior, you ignore this message.
If not, please stop by the knock for more information.
And they'll come by and we can show them packets or logs or whatever they need to let them know, like, hey, you actually showed up compromised.
We've even seen speakers on stage who are showing signs of infection on their laptop.
And then they have to go and wait for the speaker to come off stage and then say, by the way, your computer is very infected.
Okay, I'm going to ask you some stories about DEF CON.
Is it true that someone rappelled off the roof to try to sneak into a party at DEF CON?
What happened was that year at the Riv, the year of the sky boxes, we had different parties and different sky boxes.
And at some point, one of the organizers of the party actually, like, he,
he came up to me and he was like, hey,
so we picked the lock on the closet and there's a panel in there.
And if you open that panel, we can get on the roof.
And I was like,
I don't want to hear about it.
Like, I was like, all right.
And then I left.
And then a bunch of people went up on the roof, and they basically like extended the party up onto the roof of the Riviera.
And there was a whole bunch of folks hanging out up there.
And this was just the conference center, so we're not talking like 20 floors up, they were probably 30, 40 feet up, whatever it was.
And some people were going in and out and all whatever.
And then at one point, security showed up.
The way that I understand it is somebody went off the roof in order to avoid security.
Multiple people got caught by security, though,
and they were asked to leave the property.
They got 86 on Saturday night.
Is it true that people will put malicious ATMs around DEF CON to steal people's money?
It has happened.
I don't know how often it happens, but it has happened.
Somebody brought an ATM in on a dolly.
Like they rolled it in on a dolly and set it up like in the like lobby area of the convention space, like trying to get DEF CON attendees.
That was also at the Riviera.
Is it true that there was
a federal agent who was there to try to
arrest hackers or spy on hackers or learn from hackers, whatever, but got so impressed by what they were doing that he quit his job as a federal agent and switched to the dark side?
Oh, actually, I haven't heard that one.
So you're going to have to tell me that.
That's wild.
Is it true that there's a secret room at DEF CON where you can buy zero days?
I don't think there's a secret room.
Maybe that was true in the past.
And
it wouldn't have been a secret room.
It would have just been like, you can talk to this person and I know who the person is, but I won't mention their name.
I'm sure those kinds of things still go on.
Everybody could get together and have a a conversation in a place that was kind of like a demilitarized zone for hackers.
Yeah.
Yeah.
Demilitarized zones for hackers.
That's a really interesting way of putting it.
I agree.
Yeah.
Is it true that every year hackers take over an elevator at some hotel and trap someone in it?
I don't think they trap people in it.
We have definitely taken over elevators all the time.
I actually got a talking to from.
this is at this actually happened at Black Hat.
It was right after the Mandalay Bay had installed the card reader so that then you had to tap your room key to go to your floor.
I was messing with it because that's what we do.
And I knocked the cover off of it.
And underneath it was there was an open like pin out.
But I was like, oh, cool.
We could probably connect to this and like get to any floor we want.
I'm like, that's wild.
And then I ran my thumb across the pins and it shorted out and the light blinked green and I could tap any floor.
And so
I took a video with my phone really quickly where I just ran my thumb across it.
It blinked green.
And then I tapped like four different floors.
The video was probably six to eight seconds long.
I mean, super quick.
And I just posted it to my Twitter and said, like, oh, solid whatever system they've got going on in the elevators.
And
seriously, within five minutes, my phone rang.
And it was the head of security for Mandalay Bay, who we work with because we're in the SOC and stuff.
So we have meetings with them and tell them the type of stuff we're seeing and all whatever.
And he's like, Grifter.
And he's like, you're supposed to be on our side.
And he's like, will you please take that down?
And I was like, I can't.
And he is like, no, please take it down.
And I was like, I'm sorry.
I can't.
I've already posted it.
It goes against everything.
Like, I believe as far as
it should be better, then you should call whoever installed that system on the elevators and make it better.
And he was like, oh, and then he hung up and he called me back.
And he was like, okay, look, I talked to this person, blah, blah, blah.
Would you be willing to take it down for X amount of time?
And then he said the words I didn't want to hear, which he was like, Under responsible disclosure, you have now let us know that a vulnerability exists.
Please give us time to fix it.
And I was like, damn it.
So I deleted the tweet.
He played your game.
He totally did.
He totally did.
And then, and so, yeah, so I took it down and they fixed it.
Is it true that someone set the pool on fire one year?
Set the pool on fire.
Yeah, like there was smoke coming off.
Oh, no, no, no.
It wasn't fire.
It was a massive amount of liquid nitrogen.
So it was at DEF CON
eight, nine, or ten, somewhere in there.
It was at the Alexis Park.
It was pool two.
And the beverage cooling contraption contest had done their
cooling contest out by the pool earlier that day.
And a lot of people had liquid nitrogen.
Like, they just like that was the go-to, like, how they're going to make it cold fast.
And then they took all the containers of the stuff that was left over and put them in the little pool house area that was next to the pool just for storage.
And then when it was at night, there was like a party going on out there, and like one of the guys was like, oh shit, we've got all this liquid nitrogen.
Let's let's see what happens.
And they just dumped like gallons and gallons of liquid nitrogen into the pool, and it it was it was awesome and it made this cool like steam like effect.
There's some pictures of it out there somewhere.
Like another year, then the next year they did it again, and a bunch of people threw blocks of dry ice in to try to like, you know, increase it.
Like, of course, like everything we'll try to one-up ourselves every time
After decades of going to hacker conferences, there are hundreds of stories like this that Grifter has.
It's truly a unique experience, and you never know what to expect when you go.
I once saw Will Smith at DEF CON and Dead Mouse was just there last year, just walking around checking the place out.
I am what I consider or what I define myself as as a high-functioning introvert.
So
I can get on stage in front of 10,000 people and crack jokes and have a good time and all whatever, and it's fine.
I can go out into the hallway and have an inflatable dinosaur battle with my friends and have a blast.
I can act like a complete lunatic for the entire time that I'm in Vegas with my friends and it's great.
But then I crawl into a cave and recharge for weeks afterwards or I go back to my hotel room.
Even during DEF CON, I did it a couple of times this year where it's like, I'll just go to my room and lay on the bed.
I actually did that right before your party this year, where I was like, I'm just going to go back to my room.
I'm going to take a shower.
I'm going to lay on the bed and play a game for a little bit.
And then I'll go out and be social.
Black Hat used to have a thing they called the gala reception, which was basically just drinks.
And it was like an open bar, and it was a couple of hours.
And all the attendees were invited, and you'd just hang out and chat.
And I was in my room after like, you know, volunteering all day.
And I was like, oh, I don't want to go to this thing.
I forced myself to go.
And I walk into the reception and I hear some guys that are near me mention a book that I had just read.
And I stopped and I was like, oh, that book sucks.
And like, and the guy kind of chuckles and he was like, oh, yeah, why?
And I was like, okay, well, the structure of it is this.
It's lacking this.
It doesn't talk about these things.
Blah, blah, blah, blah.
This book is better if you're looking at that topic.
And he's like, oh, okay.
So I was like, hey, it's been a pleasure chatting with you guys.
You know, it was nice to meet you.
And the guy was like, wait, let me give you my card.
And he hands me his card.
And he was the vice president of the publishing company whose books I had just been eviscerating for the last 45 minutes.
And I just looked at him and I was like, oh, and he was like, oh,
and he's like, hey, look, man, I really appreciate all the candid feedback.
And he's like, like, I want to put you on a list that I have where like, when we put out a new book, we'll just automatically send it to your house.
You let me know what you think of it.
Oh, whatever.
That's like, would you be, would you be down to do that?
And I was like, absolutely.
Well, that relationship grew stronger between Grifter and this publisher to the point that the publisher asked Grifter, hey, if you you were to write a book, what would you make?
And Grifter said, there should be a book on how to defend your network by attacking back at the people attacking you,
which I think is ridiculous.
Defenders can't be on the offense.
They can't be aggressive.
But he was pitching this idea and the publisher was liking it.
And I was like, look, dude, I don't know how to write a book.
I don't know how to do that or whatever.
And he's like, that's fine.
We got editors.
We'll teach you.
He's like, why don't you do it with like a few other authors?
Just co-author it.
Then you can break it up into chunks.
You'll act as the technical editor and make sure that everything is legit.
And I said, yeah, I'd like to do that.
Fine, let's do it.
And then I picked a few of my friends that I wanted to do it with me.
And when I gave him the list of friends, he was like, these are some pretty heavy hitters.
So are we going to get these people?
And I'm like, they're just my friends.
Like, I don't know.
And so it was like Dan Kaminsky, Bruce Potter,
Pyro, like, you know, Chris Hurley.
He's like, all right, let's see what we can do.
And all of them agreed to do it.
And then we put out a book.
But that was the thing about putting out a book: I was like, am I really just going to put Grifter on the cover of this thing?
I was like, I cannot publish a book and not put my name on it.
For me personally, it was like, I want to see it on the shelf in a library and be like, that one's mine.
So I made the decision that I was going to put on there Neil Weiler, aka Grifter.
And that was,
that was it, man.
The cat's out of the bag.
So the book is called Aggressive Network Self-Defense.
And
for 10 years, I was a network security engineer and I had read quite a lot of books.
And this one, this one never showed up on my desk.
And I think it's because I wasn't interested in aggressive self-defense
network.
This is crazy.
This is a crazy book.
Aggressive self-defense network style.
Yeah, but what is in this book?
Well, it was essentially like there's this thing that we deal with as defenders, like every day within these companies we work for and as individuals, where you're being attacked constantly, right?
And you're like, when do I get to swing back?
And because of my upbringing, right?
Because of the way that I was, I wanted to swing.
Right.
And so I didn't like the idea that we were in this defensive position where somebody could not just poke us in the chest, because like getting port scanned was like getting poked, right?
It was not a big deal.
Somebody looks at you sideways, gives gives you a dirty look.
But it's not just getting poked.
They're full on attacking you and you just have to go, well, how do I block that?
How do I make that stop?
How do I do whatever?
Or they break in and you just go, oh, I've got to get them out.
And in my head, I was like, stop them for good.
Like,
like, you know, cut them off at the knees.
Attack what they're attacking you with.
And like, and I would get so much heat from people about that because they were like, well, you don't know if you're actually attacking some grandma's computer computer because it's not, you know, it's a jump box.
It's not likely that the person that you're attacking is that that's their machine.
And I'm like, yeah, but then let's, let's get rid of their resources then.
If we, if we knock the machine that's doing the attack offline, then the attack stops.
And that's, that's what I'm concerned about because they're costing us money by launching these attacks against it.
They're costing us time.
They're costing us stress and all these other things.
So
if I don't care if it's, if it's some grandmother's computer, I need it to stop attacking my network because it's eating up bandwidth, it's eating up cycles of my analyst, it's eating up all this stuff.
It's like, okay, you've lost control of your machine and I need that machine to stop attacking me.
So I'm going to send it to the bottom of the digital ocean.
That book is 20 years old at this point, so
it's useless, but it was fun to do.
All this experience running the Black Hat Nock has given him a very sharp skill set to be able to detect and stop some of the most crazy attacks ever.
Volunteering there gave him fantastic experience, which gave him great opportunities in his career.
So, now
I recently took a position at a company called Coal Fire as the VP of Defensive Services.
Prior to that, I was with IBM's X-Force for three years running their global threat hunting program.
Prior to that, for the seven years before that, I was at RSA Security, where I started and ran their threat hunting program around the world.
So I spent a lot of the last over a decade at this point really focused on threat hunting, on going in and finding attackers when they've already bypassed your security and they're in the environment.
So I would go into a company and I'd sit down with their security team and I'd be like, tell me about your environment.
And they'd be like, well, we have these technologies.
They're deployed in these ways.
Our network's set up this way.
This is how we do these things.
It's segmented this way.
We have this.
We we do this, blah, blah, blah, blah, blah.
And I go, okay, great.
If it was me attacking you, I would hit you here, here, and here.
So let's go look and see if somebody did that.
And then we go and see if they
were attacked somewhere or got breached somewhere.
And in the decade plus that I've been focused on hunting, we always find something, whether it's an active attack or it's evidence of a previous attack or it's an employee who's doing something outside of policies or or whatever.
Of course, I wanted to hear a story about a threat he found in the network.
We were doing an engagement where we were asked to come into
a really large financial organization and myself and another hunter, Pope.
You know, Pope.
Pope and I went out on this hunting engagement.
I do know Pope.
He's the organizer at St.
Con in Utah.
Fantastic conference.
You should definitely go if you're in Utah.
So him and Pope go to this client.
It's massive.
And they have huge security teams there.
No expense spared to keep this place secure.
Which has to be stressful, you know, to walk into a company with this level of security and you're expected to find things that they didn't already find.
And so he sits down with their director of security and starts looking through the traffic.
He's looking for protocols that shouldn't be there or outliers.
And he sees FTP traffic in there.
FTP is the file transfer protocol.
It's just a way to move files from one place to another, but it's insecure and has mostly been replaced by more secure secure protocols now.
Like there's a really low number of FTP sessions, so we could go through those fairly quickly.
And he goes, oh, we don't use FTP.
And I was like,
well, great.
Like this is a good example then because we can
go through this really quickly.
And he was like, no, you don't understand.
We don't allow FTP.
There are no clear text protocols.
And I was like,
okay,
well, that's great, but it's here.
Like, I can see it's here.
I can see it.
And I was like, so why don't we just look at it?
And he's like, all right.
And we look and it's FTP traffic going to a host name, not even an IP address, but a host name that ends in.ru.
I mean, we're not even trying to hide, right?
And
I was like, is that normal?
He's like, no.
And I'm like, okay, well, let's see what's happening.
And it's like, okay, it looks like it's sending out these files at like one o'clock in the morning.
Do you want to see what it's sending?
And he's like, yeah.
And so we just did file file extraction.
Like, it's a zip file, even like
not an encrypted container in kind of just a zip file.
I'm like, well, I can't open it because it's not my company, but you can open it if you want.
So he opens it, he opens it up, he looks at the document, and then it sounded like somebody punched him.
Like this sound came out of him like this,
like the wind just got knocked out of him.
And then he closed it.
And he goes, you didn't see that.
And I was like, okay, well, just out of curiosity, what didn't I see?
And he was like, that is every financial transaction and trade that we've made in the last 24 hours.
And I was like, oh, so
bad.
Like, and he's like, how long?
How long has that been going on?
And I was like, okay, let's take a look, you know, and we start digging into the logs and they only had six months worth, which was wild.
That connection to an FTP server in Russia, the IP address was also geolocated to Russia.
Like, so we're like, okay, like, it looks like that's where it's going.
That happened every night at one in the morning for six months.
And that's as long as we had logs for.
So we were like, who knows how long that's been happening?
And this is an organization that has hundreds of people on their security team, 30 plus people actively working in a SOC just down the hall, all of the different technologies that you could possibly ask for.
But they had tunnel vision because they were like, we don't use that.
So we don't even look.
Now, you would think that if something like FTP is not allowed in their network, that there should be a firewall rule blocking it.
I mean, that's exactly what a firewall's job is, to block network traffic that shouldn't be allowed.
And who knows, maybe they did put a block in at some point, but it wasn't blocked now.
Maybe a new rule superseded the FTP block rule, or maybe someone accidentally took out that FTP block rule.
These firewalls can sometimes have hundreds of rules of what's allowed or not allowed, and it's confusing to know exactly what it's doing sometimes.
But what's more is how did these file transfers get triggered?
It must have meant that someone got in this network and set up an automatic script to scrape the data and send it out.
That's scary to realize that someone did that in their network right under the nose of their 30 engineers all looking for that threat.
How did this hacker get in and how do they get them out?
There's millions of things to do once you discover something like this, and it feels devastating to experience it.
It really does feel like you're getting punched in the gut.
And you know, as I think about this story,
this is one of these typical I heard at DEF CON stories, which here's Grifter's telling me.
So it practically is like something I heard at DEF CON, but it's one of these stories that I hear that was never told publicly.
You know, a major finance company was hacked and every financial trade was being spied on by some foreign entity.
That sounds like a big deal.
And I wonder what the fallout would be if that story were to go public, you know?
Like, would there be lawsuits?
Would the government slap fines on them?
Or to think, how bad does that company not want that story to go public?
At what drastic lengths might they take to hush it up and keep it quiet, you know?
I have a dream about this show that one day someone will tell me a banger level story that would be huge news when it gets published.
Some wild whistleblower type thing.
That would be fun, wouldn't it?
I mean, I've heard some pretty insane stories that would be really big news stories if they came out.
But
the people who told it to me, I promised I wouldn't ever repeat it.
But I think it's just a matter of time, though, that a story does come across this show that
really makes some waves
someday.
But it, like, the threat hunting thing was great.
Like, I, I ended up, I wrote a framework with a friend, and that created some really cool opportunities.
Like, we, you know, consulted you know congress and like nato like i've gotten to consult foreign governments some of the largest companies in the world it's a strange space this uh infosec space because we're like hanging out with criminal hackers like you were a criminal hacker And then you become this consultant for Congress and governments, and you're there to stop the bad guys, and you're there
stopping threats.
But at the same time, you're going to DEF CON, which is where you're meeting even more hackers and more criminals, hackers.
And it's, and I don't know of any other thing that it, it, it, it, we're just as friendly with the bad guys as we are with the good guys, as it is with cybersecurity.
Yeah.
It is kind of a, it is a weird world that we live in.
And I think ultimately the thing that ties it all together is that we,
we like to learn.
We like the chase.
We like the hunt.
Cybersecurity is an incredibly stressful field to be in, but it also is incredibly satisfying as far as like the cat and mouse game that we play, about the opportunities to learn new things, about how one day you wake up and everything is fine, and the next day a vulnerability drops and somebody has exploit code for it within hours, and you're, and everybody's hair is on fire.
And when those things happen, when those moments come and everyone's freaking out, I don't know, something about that situation, it just makes me go, all right, game on.
I got really, really lucky that a thing that I started doing when I was 11 years old, because I thought it would would be cool turned into a career that allowed me to you know put food on the table for my kids put a roof over their heads and has allowed me to travel to all of the places that as a kid i used to go to only digitally because i thought i would never get to go there
A big thank you to Grifter for being so gracious and kind to give me his time and his busy schedule and to talk with us like this.
He has so many more interesting stories and I feel like we barely got started with him.
I mean, I've had dinner with him a few times and I've heard so many more and they are hilarious.
I mean, you can imagine all the shenanigans going on at DEF CON and Black Hat every year.
And he's given a ton of talks at conferences.
So if you want to hear more from him, just go to grifter.org and you'll see tons of stuff that he's done.
Real quick before you go, do you know that you could have 11 bonus episodes of this show in your ears right now?
Yeah, 11.
All you got to do is support the show.
I did the math.
Less than 1% of you support the show.
And that's cool.
No shade.
Because I love making stuff and giving it to you for free.
So I'll keep doing what I love.
But man, when people do pitch in and give me a little something back, it feels damn good.
It's like one of those hugs that feels extra genuine and you can feel it long after it's over.
So please consider supporting the show.
Visit plus.darknetdiaries.com.
I'm just asking for you to buy me a cup of coffee once a month.
Actually, I switched to matcha, but you get it.
This episode was created by me, the space bar, Jack Reed Sider.
Our editor is the key master, Tristan Ledger.
Mixing done by proximity sound, and our intro music is by the mysterious breakmaster cylinder.
My girlfriend, she said she needed more space, so I got her a four-terabyte drive.
This is Darknight Diaries.