166: Maxie
Maxie Reynolds loves an adventure, especially the kind where she’s breaking into buildings (legally). In this episode, she shares stories from her time as a professional penetration tester, including high-stakes physical intrusions, red team chaos, and the unique adrenaline of hacking the real world.
Her book: The Art of Attack: Attacker Mindset for Security Professionals (https://amzn.to/4ojYSVZ)
Her data center: www.subseacloud.com/
Press play and read along
Transcript
Cardiff Giants is an interesting story. In the Bible, Genesis 6:4, it says, There were giants on the earth in those days, and they mated with people and created mighty men of renown.
This guy named George Hull was like, Wow, there were giants on earth. But the Reverend argued with him and said, No, no, no, there were never giants here.
But George was like, No, no, the Bible says so. There's got to be a way to prove it.
But George could not prove it, of course. So he decided to fake it.
He went to a quarry and dug up a huge block of gypsum, then hired some stone cutters to make the block into the shape of a giant man.
They created a rough statue of a man that was 10 feet four inches tall.
Then George stained it with acid to make it look old and put it on a train and took it to his cousin's farm in Cardiff, New York. And late at night, he buried it on his cousin's farm.
A year later, his cousin went to dig a well and hired a crew to come out and dig the hole. And they ran into this giant in their dig.
And one of the workers immediately shouted, this must be an ancient burial site. And so they dug up the giant and the word spread that they found a buried giant.
People from all over flocked to the farm to take a look. It was quite surprising to see a petrified giant of a man.
A lot of people believed it was a petrified human. The Bible says so, see?
But some thought it was just a statue. But pretty quickly, George's cousin realized how valuable this thing was.
So he put a tent over it and started charging people 50 cents to come in and see it.
500 people came a day to see this amazing giant. The whole town started to profit from it.
Restaurants were filling up. Hotels were booked.
And that's when P.T.
Barnum came and he was like, sir, I will give you $50,000 for that giant. What do you say? The farmer was like, no way.
So P.T. Barnum hired someone to make a wax copy of it.
And Barnum displayed this unauthorized copy at his circus and claimed it was the actual giant and charged people to come see his fake replica.
A year later, George Hull came out and said this whole thing was a hoax, that he's the one who buried it there.
But while it didn't prove that giants roam the earth, it did make his cousin pretty wealthy. And that's how scammers would get you in the 1860s.
These are true stories from the dark side of the internet.
I'm Jack Reesider.
This is Darknet Diaries.
This episode is sponsored by Threat Locker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable.
But imagine a world where your cybersecurity strategy could prevent these threats. And that's the power of ThreatLocker, zero trust endpoint protection platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team.
This least privileged strategy mitigates the exploitation of trusted applications and ensures 24-7-365 protection for your organization.
The core of ThreatLocker is its protect suite, including application allow listing, ring fencing, and network control.
Additional tools like the Threat Locker Detect EDR, Storage Control, Elevation Control, and Configuration Manager, enhance your cybersecurity posture, and streamline internal IT and security operations.
To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com.
That's threatlocker.com.
This episode is supported by HIMS. According to the National Institute of Health, as many as 30 million men in the U.S.
experience ED. It's more common than a bad night's sleep.
The good news, HIMS makes getting access to treatment simple so you can feel yourself again without the stress or awkwardness.
HIMS offers access to ED treatment options ranging from trusted generics that cost up to 95% less than brand names to hard mints if prescribed.
This isn't a one-size-fits-all care that forgets you in the waiting room. It's your health and goals put first, with real medical providers making sure you get what you need to get results.
Think of HIMS as your digital front door that gets you back to your old self with simple 100% online access to trusted treatments for ED and more.
To get simple online access to personalized affordable care for ED, hair loss, weight loss, and more, visit HIMS.com slash darknet. That's HIMS, spelled H-I-M-S.
HIMS.com/slash darknet for your free online visit. HIMS.com slash darknet.
Actual price will depend on product and subscription plan.
Featured products include compound drug products, which the FDA does not approve or verify for safety, effectiveness, or quality, prescription required, see website for details, restrictions, and important safety information.
I want you to meet Maxie. My name is Maxie Reynolds.
She grew up in Scotland and had an an itch for adventure when she was young.
She knew she wasn't fit for a sort of sit-down, do a lot of paperwork office type job. No, her head was always up in class, looking out the window, dreaming of faraway lands that she could visit.
I left home at a really early age, about 15, and I had no idea what I was going to do, what I wanted to do.
And so I tried everything and I was ending up, you know, working in bars and as a cleaner and all these sorts of things. And I just thought, no, this isn't for me.
And I want a job where I can travel and see the, you know outside of Scotland so I went to a university in England which is somewhat treacherous being a Scottish person and I got a degree in underwater robotics.
She was hoping this degree was her ticket to travel. Maybe if you're going to be operating underwater vehicles, you'll get to go to some pretty far away places.
So she started applying to every company she knew that used these remote operating vehicles. And I couldn't get a job and it was because I I was female.
The reason why this was a problem is because sometimes she'd have to go out to sea in small vessels or be stationed on some kind of platform at sea, which also had small living quarters.
And the problem was that these companies required men and women to have separate cabins.
And they simply couldn't accommodate her because a lot of these cabins had four beds in them and they didn't have any single bed cabins that she could be in.
And there just wasn't enough women to fill up a sleeping cabin. So she just didn't get the job.
I was told the same story over and over. But that didn't stop her.
She kept applying at places.
And eventually, a Norwegian company finally said yes to her. Finally, got a Norwegian company to accept me and they said, if you get your private pilot's license, we will take you on.
So I went to a bank in Scotland and asked for a career development loan and I got my private pilot's license. Well now this pilot is different than ROV pilot.
This is an airplane.
Yes, this is a small, yeah, so I can fly a Cessna, although I haven't in America. I can do that.
And so it was supposed to be quite similar.
And then I called the company back and said, Hey, like, I've got this, and it took, it takes months. So, and I was getting farther and further into debt.
So, I
called them back and said, Hey, I've got this. And there had been this change of management.
And they were like, It's not actually, we don't know why they said that.
It's not a private pilot's license you need for a plane. It's we're more like as an ROV pilot, it's closer to a helicopter.
So, I changed my name.
I went back to the bank in Scotland, got another career development loan and went back and got my PPL for helicopters. Then I went back to them and said,
okay, I've got this, but listen, like, no more surprises. And can I have a job now? And they took me on and it was, it was sort of life-changing for me.
This job required her to travel a lot. North America, South America, Europe, Asia.
She got to travel the whole world while working as an underwater ROV pilot and sometimes flying helicopters.
So I lived in Venezuela for a while. I lived in Trinidad.
I have been to sort of everywhere from Nigeria to Australia, a lot of coastlines. I've seen a lot of water.
While she was doing this work, she started getting more fascinated with IT. Computers became her passion.
She was enrolled in remote learning courses and was able to get a degree in computer science.
Then she took a month off work and landed in Los Angeles, California, just to take a break for a while. But she fell in love with LA.
And while there, she started going to a gym to exercise and work out.
One of the people that I was training with in the gym was a stuntman and I was I sort of begged him to please like let me hang out with you let me be cool too.
So
eventually he sort of he got me some training in stunts and he actually got me one of my first jobs. She was in a few independent films, did a few stunts for them.
She got an opportunity to be in House of Cards and she did a stunt for them but they decided not to use it for some reason.
While that was cool it was also short-lived because while it's exciting, she didn't see it as a long-term career. I studied quantum computing and it was really difficult.
It was extremely difficult for my feeble mind, but it was really enjoyable and I loved it. This turned her attention to new technologies and companies.
At some point, she got a job for a company in Australia and moved there.
My first entry point into both social engineering really and pen testing was in Australia and I worked for a big company down there. They gave me a shot on their graduation team for cybersecurity.
This company had penetration testers, people who try to break into a building or a network to test the security of it.
She got to watch one of these pen testers work by monitoring their activity through cameras. And
I was witnessing a pen test, but with this social engineering component and it was a guy,
he was a really good hacker and he had gotten into the network of one of our targets. And he was opening all of the security doors and automated doors for one of the team, the cybersecurity team.
And they were just walking through and they were filming the whole thing. And it was being broadcast live back to us.
And it was amazing. And I was thinking, okay, this is a good job.
This is the kind of job that I would like to do.
Being a physical penetration tester seemed like just the thing for Maxi. Breaking into a building, acting like a spy, that seemed really fun.
She asked if she could do that.
And they were like, well, your luck is in because
we have to test them without these technical capabilities. So we're just doing a physical pen test.
Would you like to be involved? And I jumped at the chance.
So they gave her an assignment, which was to try to get into a company and film what they were working on inside it.
And to start figuring out how to get in, penetration testers often use OSINT, which is just gathering data on a target through open public searches online.
So she does a little OSINT and starts learning about the company more. They had some
very interesting IP. They were a transport company and they were building some unique buses and large transport vehicles within this whole complex.
So my job was to get into there past reception, past all security, get in and look at all of the assets and the IP.
And I didn't need to you know hack any computers or even plug into any computers it was it was simply to get in and to essentially have a look around. How fun right?
Can you get into this factory, take a few photos of what they're building and get out without them knowing you're a spy?
As she starts learning more about this company she found out that they had some big connections with Sweden. as in some of their offices were located in Sweden.
If you squint your eyes and you were very far away from me, I could probably pass as Swedish.
So I had decided, and no one stopped me, I'd like to point out, I decided that
I was going to pretext or present myself as like a Swedish ambassador for this company. And I had the CEO's name and some other top execs' names and things like that.
She does have blonde hair, but even though she may be able to pass as Swedish-looking, there's no way she's going to sound Swedish, not with that Scottish accent.
So her plan was just to put ya on the end of everything and hope they didn't notice. No, and it gets worse because
even I, because they're Australian, right? They're not idiots. So I was thinking that will never work.
But that was her plan, and she decided to go forward with it.
She liked the idea of acting like someone else. So she was set on being the Swedish ambassador for this company.
Walk in, tell them she's from the Swedish branch and she's just flown in to inspect the building. But in order to do that, she's got to look the part.
So she takes a trip down the local clothing store, buys a new outfit, something that would make her look like an executive.
And I bought a clipboard and I looked professional, and I had like a little briefcase, and I was really trying to look professional. She's all set, ready to go in.
Outfit on, camera rolling, deep breath. Let's go.
So I go in to reception and I approach the receptionist with like a warm smile, and I'm, you know, being as nice as I can be and
I'd said I'm here for
this I'm here for this appointment and this is what I want to do and this is where I'm from and she said okay and I was like what it was that easy this doesn't make sense but you know I'm not gonna get in my own way so I followed her and she took me to this little room just sort of directly behind reception And I was greeted by this adorable little old lady.
And there was one other person in the room, but we didn't really talk. So, I had to present ID, which is another stumbling block.
And I got to talking to them. So, they asked me why I was there again and all those things.
And they said they weren't expecting me, but it wasn't a problem. And I thought, well, this is really easy.
This is great. And I gave them my ID, and I had an Australian ID at the time.
And
they said, you're from Sweden.
You've got an Australian ID. And I said, yeah, and I've got a dodgy accent.
I went to school in the UK, so I tried to get around around to it like that, and it works beautifully. And I don't know how.
So I got in. Okay, at this point, she's doing pretty good.
Passing as this Swedish person from another office, she got into the building, check, passed reception, check, and pass the two people that she was handed off to. Check, check, check.
Now she's in, and she's trying to film things, take pictures of what's going on. There's an engine room, that looks interesting.
Film that. So she goes in closer to take a look.
And I was walking towards one of these large engines and this
man was walking towards me with i think it was like two other men and he stood out he had this beautiful blonde hair and these big blue eyes like completely stereotypical um
nordic look
and he came up to me and he
said something in a language i don't understand but immediately guessed correctly, this is Swedish. I'm supposed to be Swedish.
I don't know any Swedish.
So, I'm racking my brain for the limited amount of Norwegian that I know.
And
he, whatever he said, I kind of just looked and I felt my body get tense. And I felt like
my brain say, Grand, open up, like, let me cannonball into hell. This is torture, please, no.
And I saw I said, um,
yeah.
And he looked at me like, okay, maybe
that doesn't make sense, but okay. And then he repeated it.
And so I tried the one word I could remember in Norwegian, which is nai for no.
Because if yes didn't work, then maybe no would, which was maybe one of my dumbest moments. But
so then he quickly just understood, like, this isn't right. And then security was called.
They had a
very prompt security team. They came, I was detained.
Oh no, she was caught. This is every pen tester's fear.
But just because she's caught doesn't mean it's over.
Maybe she can somehow get out of trouble, convince security that everything's fine, or at least just try to leave the building without being caught more. She tried to change the story.
Oh, no, I'm not from Sweden. I'm just working with the Swedish team.
I'm based in England. So they asked to see her ID again, and it just wasn't checking out.
They were very confused by the whole thing. At that point, she just couldn't see any way out of it.
So she pulled out her get out of jail free letter.
This is a letter that all penetration testers have that gives them authorization to do what they're doing.
It has a phone number on it, which is typically the head of security and says, who actually authorized her to sneak in? So they call the number on it.
And the head of security says, yep, this is all a plan test. Good job for catching her.
We had like this sort of laugh after it.
And even the security guy was like, why would you pretend to be Swedish? I was like, I don't know. I'm Scotch.
He's like, I can tell. And you don't look Swedish.
I was like, I know.
That was Maxie's first pen test where she tried to break into buildings. But she loved it.
This was adventurous, adrenaline-fueled.
You need to keep your width, be quick on your toes, and know all about computers all at once. She felt like this is where she was meant to be.
This was cool and decided to pursue a career in pen testing.
She did a number of penetration testing engagements while in Australia, learning new techniques and getting official training on how to get better, reading a bunch of books on how to improve.
And one of the things that intrigued her was thinking like an attacker. That attacker mindset was something she spent a lot of time thinking about.
How do people with bad intentions act?
Soon it was time for another penetration test, still while she was working for a company in Australia. The company I worked for was working with the local government in the city that we were in.
And I won't say the name because I don't want any further embarrassment. Now, penetration tests are not always physical.
In fact, I'd say most of them are just done over a computer.
Like the penetration tester might be outside the company and just trying to hack their way into the company through the internet.
Or sometimes companies will just invite the penetration tester right into the building and give them a desk and a network jack and say, go for it from the inside.
Because even if you get into the network, there should be layers of security which should still keep you from getting into important things. That's called defense in depth.
So this was a pen test on a local government office.
And with this one, they invited her to come into the building and plug into a port and see what vulnerabilities she could find from within the the company. She wasn't alone on this one, though.
There were two other people with her, and the two other people were very experienced network penetration testers. And she was still learning how to do this.
So she was shadowing them and watching what they were doing.
So I wasn't a noob, but I was, this was my first job in cybersecurity. I have a very technical background, building ROVs, flying them, or steering them, I suppose.
That's all technical.
Even stunts are technical to a certain degree. This was a step further because there are no physical components to it.
That's why it was so difficult for me.
It's all on screen and like Linux is its own beautiful, scary world for me. So I was still getting to grips with this whole
world and all of the commands and what these things meant and how to undo things. And they all sat down, pulled out their laptops and plugged into the network.
She starts by firing up a network vulnerability scanner. I got to run the Nessus scan, which was
not the most technical job in the world, but it felt good at the time. And I got to look at what vulnerabilities were there.
And I got to go and see exploits for those. And I got to like run Nmap.
These are fine basic tools to start with. It'll scan the network for known vulnerabilities.
They're easy to use and typically benign, as in they're not going to cause any trouble on the network just by running them.
And when you run these tools, it's not hacking, it's just to try to find what's hackable. And she wasn't exactly sure how to hack into this company.
When you're rammed experienced pen testers who love their job and these two loved everything that every like line they wrote was
sort of like a piece of art for them they loved it and they they really like got this high out of it and that's contagious so i started to think like this is amazing. This is so cool.
Look how far we ran. And one guy,
one of the guys that I was there with, got a call from one of our points of contact and he was saying, I can see you in the network and it was this big game and it was fun and it was interesting and I got caught up in that.
So after seeing all the cool things that those other penetration testers were doing, Maxie wanted to have some fun too. How far could she get into this network?
She saw there were vulnerabilities on certain systems on her scan. And she tried to exploit those vulnerabilities and get into those systems.
Because there's a sort of high you get from getting into a computer when you shouldn't be able to. And she was making progress.
She got into a few systems and she was looking around, making notes on how she got in.
She would look over her shoulder and always see those other penetration testers many steps ahead of her. So she kept looking around to see what else she could get into.
I
found my way to
some internal environment and
I hit the kill switch on a city's water supply. She accidentally typed the wrong command into the wrong computer, which controlled the flow of water to the whole city.
The person I was with immediately saw within the network that, wait, that wasn't right.
I will assume that he was sort of with me, like following me throughout the network and can see a lot of what I was doing.
And then I was thinking, yeah, this isn't, I don't think that was maybe good, right?
and so i looked at him and i could sort of see on his face and he comes over to me and he says like what did you do and i you know you can look at your history quite quickly and i still had quite a lot on screen and i showed him and he put his head in his hands and i was like what is it really bad it was really bad shutting off the water to the whole city
showers, faucets, sinks, even toilets were not functioning citywide. Her two other penetration testers immediately immediately tried to figure out ways to fix the issue.
One was looking at how the system operated and if it was possible to just turn it back on, but you don't want to just do that if it's going to cause a problem.
The other pen tester immediately phones the point of contact, letting them know this is a major problem. Maxie was sort of in shock and incredibly embarrassed.
She took her hands off the keyboard and just waited. I was detained by security guards and they
were not. very pleased.
Now, this is a completely different situation from the last time she was detained by security. The last time she had a get-out-of-jail free card.
This time they knew that she was supposed to be there.
In fact, it was her point of contact that called security on her. She was authorized to be there and do this, but this was not supposed to be disruptive to the organization.
Not only was it disruptive to the organization, but it was disruptive to the whole town. So they wanted to at least get her recount of the matter recorded, so they had it for later.
I go down to a windowless room
and I'm questioned.
And all of a sudden, one of the sort of accusations, if you want, was that I was a Russian spy. I was thinking, how did we get there so quickly? Like, what happened?
Apparently, she spoofed her IP at one point to make herself look like she's coming from Russia to try to test to see if they could detect that. But that was just very brief.
And she was definitely not a Russian spy. But this was becoming scary now because it wasn't just a confession of a mistake she made.
It was like they were treating this more like an investigation.
So I was held there for like a couple couple of hours and of course the police were called. The police had to be called.
I didn't have any idea on me.
I had my work card but that doesn't really matter because it's just a photo I could have printed it myself and I kept saying to them you know if you let me go back to my apartment I can get my passport for you.
I'm British and I'm not a spy and you can contact my employer and I'm actually here with two people and I kept going and they didn't want to hear it and that's okay, that's kind of their job to do, to not believe me and to you know look for the worst because they've got to protect themselves against the worst
and eventually that at some point I said to them
like I need a
glass of water and the look is enough would have been enough to like you know turn most people to stone I was thinking yeah that was not an ideal question and then eventually my employers at the time called in and it did get sorted
and I narrowly escaped
essentially what we think you would call it prosecution. I escaped any legal action because of that.
And I was on the graduation team.
So that lent me some credibility in the fact that, okay, she doesn't know what she's doing, and it's okay.
And my employer didn't fire me, and I will be eternally grateful for that.
She doesn't know how long the water was out that day. It could have been hours, minutes, seconds.
It doesn't matter.
The fact that it could be shut off and it did get shut off is why the police had to respond. But she narrowly got out of serious trouble from that one.
But this sort of baptism by fire is how we learn the most important lessons in life. I mean, knowing firsthand what kind of true power a penetration tester has is profound.
And this feeling sometimes flips back and forth, too. Sometimes you feel completely blocked with no access to anything, and it makes you feel dumb.
And other days you feel like with a single keystroke, you can wreck this entire business. It almost reminds me of visiting a barber and getting an old-fashioned shave.
The barber has this razor and they're shaving your neck with it. You feel very vulnerable in that situation.
And I think many companies do feel vulnerable when they allow a penetration tester to come in. Who knows what they saw or took.
In my last job, we had a penetration tester come in and see what they could do. And they were able to crack 25% of all our passwords company-wide.
That's like thousands of passwords.
Of course, I read the report to see whose passwords got popped, but it only contained statistics, not passwords or usernames.
And it made me think, you know, this pen tester is walking out of our building with a bunch of our passwords. I've never felt more vulnerable at work before.
We're going to take a quick ad break here, but stay with us because Maxie's going to tell us about a penetration test story that changed her life.
This episode is sponsored by Ripling. HR teams were promised modern tools but ended up with a stack of disconnected apps.
Onboarding, payroll, benefits, compliance, all in different places.
That's not sass. That's sad.
Software as a disservice. It's time to spend less time on checklists and more time on strategy.
It's time to run on Ripling.
Ripling is the unified platform for global HR, payroll, IT, and finance.
They've helped millions replace their mess of cobbled together tools with one system designed to give leaders clarity, speed, and control.
By uniting your employees, teams, and departments in one system, Ripling removes the bottlenecks, busy work, and silos your software created.
With Ripling, you can run your entire HR, IT, and finance operations as one, or pick and choose from the products that best fill the gaps in your software stack.
And right now, you can get six months free when you go to Ripling.com slash darknet. That's Ripling, spelled R-I-P-P-L-I-N-G.
Learn more at Ripling.com slash darknet. That's rippling.com slash darknet for six months free.
Terms and conditions apply.
Making some big mistakes on past pen tests did not make Maxi back down from pen testing. Instead, she doubled down.
She was fascinated by the power of the pen tester, but more so, the attacker mindset allured her. But she had to leave Australia.
Oh, yeah, so I'd come back from Australia. My visa had run out.
Moved back to the States. My motto in life is like, if I'm free to do it and I want to do it, then I will do it.
I kind of always want to be infatuated with what I'm doing and focused.
And I'm okay if whatever the thing is that I want to do changes and it has obviously. But I want to love what I do because functionally, right, well, I'll live for 70 years.
Maybe I'll live to 90, but functionally I've got max 70 good years and I want to do, well, we might do two interesting things a year. So I've got 140 interesting things that I'll do in my life.
That doesn't sound like a lot. So I just always wanted to do the things that were most interesting, that would get me the most sort of interesting, exciting experiences.
And for her, the thing that excited her the most was red teaming, penetration testing, social engineering. Physically breaking into buildings was just a thrill to her.
So she looked for more jobs doing that. So I was hired on a sanctioned red team contract to test this high-security logistics company, and there were two testers that were booked.
It was a large company, but they wanted the two of them to try to get into one of their satellite warehouses.
They told her, look, there's a locked fence around this whole property, security alarms are on the doors, there's security cameras watching the whole property, there's active security patrols at night.
And they just wanted to prove that she could get to them. They didn't want her to do anything to those machines.
And they gave her a little USB device and said, hey, if you can actually get to it, plug it in and take a picture that you got there. And this will prove that you made it.
Because presumably, if somebody wanted to get a customer list or shipment list or whatever, it would be just as easy for them to plug in a USB device, grab the stuff and unplug it.
So they asked her to see if she could do that.
So her and her coworker take a drive out to this facility during the day and just drive by just to look at the place. And
driving by is too quick. You can't see anything.
So they decided to get out and just walk down the sidewalk and go around the whole property just to see what they can notice. Any points of entry?
Are there any areas where the the cameras aren't pointed?
When we had kind of gone around, the
very edge of the perimeter was like metal fence, like chain link fencing. So the chain link fencing had just,
it wasn't, it was years old, probably decades old. And so it was a bit rickety.
So you could just kick the edge up. So we knew that.
They took some other notes and got an idea of what the place was like. There's a two-story warehouse building with loading docks and sort sort of two parking lots.
One normal one with big transport trucks and cargo trucks, and a second one that had a chain link fence around it with many more of those big cargo trucks.
We're talking eight-wheelers here, the big trucks. This warehouse would load stuff onto them, and then they'd deliver it.
So they leave and decide to come back at 9 p.m.
But Maxie's co-worker called her up. He's like, I'm sick.
And I was like, I hate you. You're not, I know you're not sick.
You're hungover. But anyway, last minute he gets sick.
So the scope allowed for a solo run. So I was like, I'm going to do it.
She waits until night and then drives back to the facility at 9 p.m.
By that time, the place was all closed and there should be no workers there and just those security patrols that she was told about. I then parked behind a tree line outside of the logistics park.
I was keeping away from,
you know, the lights. I was staying where the shadows fell at night.
Okay, it's go time. I like the quiet approach of being on foot myself too.
You can hide easier, change directions more quickly, be more stealthy.
So
come up
through a tree line, off to the side of the whole complex, moving pretty slow. I'm far enough from the walls to see the whole facade.
I'm close enough to spot like opportunities, and I do the usual first pass. I don't force anything.
I don't touch anything. She passes by the building.
The classic first pass gives you plausible deniability, right? If you don't touch anything or don't go on the property, you can just say you're passing by if anyone asks. But it's quiet.
There seems to be no signs of life inside. No noise.
No doors open. No lights on.
There were a lot of trucks in the parking lot, but all of them were dark and quiet. No regular cars there.
But surprisingly, she didn't see any security patrols.
So since she's around the back of the building, she starts jiggling doorknobs and windows to see if any of them will open.
And everything obvious that you would look at to gain entry was a no. So doors, no, hatches, couldn't see them.
Grammed windows, they didn't open. They were just double pane windows.
So yeah, so, you know, good security is frustrating in some sense.
But it was this like corrugated, all of the warehouses in the area were these corrugated sort of
steel structures or metal structures. And
this, the warehouse that I had,
there was sort of this grass alley in the back, at the back of it, and its neighboring warehouse also had stacks of pallets.
So there was just these stacks of pallets all the way, like through this almost alley.
And
there was this high stack of pallets that kind of touched, it was within four, four three four feet of a second floor window there was just this little it was like a little rectangular window but it was open and i was like oh that sounds like a great way to get in there so kind of moved a couple of pallets started to climb up these other like this other high stack of pallets um and most of them have kind of been um like secured to one another so it's they're still a little rickety it wasn't like i wasn't feeling very confident that they wouldn't crash to the ground, but they didn't.
I'm, you know, pretty light on my feet. I'm built for, I am built for speed and not power.
So I do end up getting to the top, poke my head through.
While the building looks two stories tall, it's really just a single story, but just with really tall walls. So when she looks down, it's straight down all the way to the warehouse floor.
That's not good. That's too high to jump down.
So she looks around and notices that the walls are made of. Like lockboard.
It is essentially pegboard. So
pegboard is basically, if you aren't familiar, it's steel or aluminum sheet in.
And it's got this regularly spaced, like square or round holes that you, you basically put it on walls and warehouses usually. And then you hang like heavy tooling on it.
So I'm looking at this lockboard. pegboard and I'm like
all right well climbing down it you know gravitate is your friend. So it's like fingers in and got my little sneakers on, and I actually get down.
It's, it wasn't as difficult as you'd think.
Okay, she did it. She got into the building.
Nice. Now her objective is to simply see if she could get into those computers in the building.
So she looks around for them.
They were easy to find since the monitors were on and they were glowing in the dark. Get to the terminals and they're all
open. It was, it was beautiful.
You know, when in movies, they're like, ah,
the
like the heavens light? I was like, this is great. So they were, yeah, they were all unlocked.
And so I connected this approved device. I snapped the required photos,
you know, proof I could touch, one attack I would want to touch. And then I felt about the exit.
And I was like, I looked at the pegboard and I was thinking, well, because climbing up is a little bit different than climbing down. Okay, so climbing out the way she came was not going to work.
She looked around for another way out. There are a lot of doors.
She's inside. She could just open one up and walk out.
No, wait, hold on. That's not going to work because there's security alarms.
And she looked around the doors and yes, they were armed. Okay.
Scratch that. You can't open those doors.
It would trigger noises.
And since she hasn't had any security on her yet, she doesn't want to get their attention now. So she looks around for other points of exit.
It was a load-in door that wasn't in the best shape.
So a load-in door, like a dock where the truck backs in so it can get whatever the load is.
It can get into the warehouse and you don't always need a forklift and so on and so forth. So it was
it was it was essentially that. So it was on a pulley system and it wasn't attached to an alarm which was mental for what they, you know, for how secure they wanted to be.
So yeah, so I kind of, it was a little bit buckled at the side and maybe that's why it wasn't on the alarm, I'm not sure. But a little pulley system, pull the chain up, just enough to sneak out
And I get back to my car through a forest, which is by far, by the way, the worst part of the story for me because I
do not like insects. But
so, yeah, so then I am back to my car, or I think I'm roughly back to my car. And I phoned my point of contact, and our report was a success, right? Like, I got in,
I've managed it, I've got the photos, I'll write you a report. And he listened and he was like, I want to issue a scope change.
A scope change?
This means the client wants to change what he wants her to do. I guess he was impressed that she was able to do everything he tasked her with and wants her to try more.
So he says to her, you know all those moving trucks in our parking lots? See if you can steal those trucks. And she's like, I don't know how to hotwire a truck.
And he's like, no, no, no.
See if you can find the keys to any of them. And if so, take them.
I was like, all right, let's do it. Cause 140 interesting things in my life, this might be one of them.
She walks back through the woods, cursing at all the spider webs that she comes across, and then looks at the facility. There are a lot of trucks here.
And they're the big trucks, like they're
long trucks. You know, they've got 20 to 40 foot containers on the back, and I've never driven one of them.
Some are parked inside the fenced area, and some aren't.
She starts with the trucks that aren't in the fenced area. Step one, see if the door is unlocked.
The first one she tries, the door is unlocked. Whoa, so she opens it, gets in the driver's seat.
She looks at the ignition. The keys were not there.
But to her surprise, the key was sitting right there in the cup holder in the center console. A little bit hubris.
I'm like, eight billion people on the planet. I'm the best driver.
So what I'm going to do is I'm going to move all these trucks. I'm not going to worry about it.
Reversing that truck, I was like, I'm going to have to leave this here because I'm not going to be able to do this. So yeah, so I took them up just the other end of the cul-de-sac almost.
It was like a little sort of
quiet area, a little with just the cool parking spot, I guess. So I just parked them all up there.
She parked it about a quarter mile away and then ran back to get another truck.
The keys were not consistently controlled and the fleet wasn't consistently parked on the inside of the secure perimeter. So basically it just became this live demonstration of risk.
One after another, she was able to find keys for these trucks.
So when a driver comes back to this area and it's past hours, they sometimes leave the keys like they'll leave them under mud flaps or just actually inside of the truck.
It was incredible how many keys she found in and around these trucks.
Sometimes they were still in the ignition, sometimes they were on the seat, sometimes they were in the, you know, the visor, the sun flaps, sometimes they were in the mud flaps and sometimes they weren't there at all.
Some trucks were locked and she couldn't get into or move them.
She thought about climbing back in through the window of the building and looking for the keys inside, but she already proved she can get in there. Maybe it's just better to try another truck instead.
After taking the ones from the unsecured parking lot, she wanted to get into the fenced area and try to take one of those.
She remembered where you can lift the fence up and get in there, so she scurries under the fence and looks at the trucks inside. Sure enough, same story.
Keys were typically in and around the trucks there too. So she hops in one, finds the keys, starts it up, and starts to drive out, but realizes, oh, wait, this fence is locked.
She gets out, looks at the padlock. She thinks about about picking the padlock.
That did not work. And I was like, I bet there's a key for this someplace.
And I'm thinking, do I go back inside?
Do I climb up the pallets, climb down the grating, look for the keys? And I was thinking, you know what? This is probably proof enough.
This is bad enough because the report is going to say, well, I couldn't break into your secure perimeter. Why don't you park your trucks in there?
By 2 a.m., she had stolen a bunch of trucks and felt like she accomplished the mission. Security never stopped her.
There was no one around all night.
So she goes back to her car and calls her point of contact and says, she stole the trucks. He's like, wow.
Okay, great. Hey, can you come into the office in the morning and tell us how it went?
She's like, sure, but let me sleep first because I'm exhausted. So she goes home and then the workers start coming to the warehouse in the morning.
Day shift did arrive and they didn't notice anything was wrong for like a fair amount of time.
When I think it like how I would say it maybe is it took a beep for the penny to drop for them and yeah headquarters finally called and my contact I think walked them through the findings and eventually we gave a report and you know where was security?
They're supposed to have 24 hour roll in security. Where was it? Because I didn't see them.
Like why were there pallets? Why were there unlocked windows?
Why weren't the loading base connected to the alarm system? Things like that. Like it was you know treat keys like access badges, not souvenirs.
Did you have to give like a debrief to that facility and say, hey, by the way, if you're wondering what happened, let me tell you.
Not to the facility. So I didn't go back to that facility.
I gave it to my, like, to their headquarters, essentially. We went in and we gave a presentation
and a report. And, you know, as is all, it's always the case, people's sort of mouths drop.
And I think their tummies probably drop too. Um, they're like, How has this, how has this happened?
sort of thing, but yeah, but it's it's another thing to be like, Wait, who did this? Oh, we hired this person, Max, to do it. This guy, Max, it must must be a jerk to be breaking in and all this.
And then, if you were to actually show up and be like, Hi, I'm Maxie, and I'm the one who stole all your trucks. I'm so sorry.
You have to, you have to be soft with them. Like, well, maybe that's just personality, maybe that's
a preference of mine, but stylistically, I think be soft with them. They
do not know for the most part that our industry exists. Yes, they know that there are, you know, bad actors out there, but they don't know that some of us are making a career out of it.
And you have to go in and you have to be soft. It isn't their fault.
That's what it is to run a company. Not everything's safe.
You can make it a little harder for people, but that's our job to tell them. And I just think, tell them that in the most direct but soft way possible.
You don't, it's not a blame game.
And so, yeah, I went to headquarters and I was like, hi, guys. That was,
I think you might have heard what happened.
And, like, so, yeah, so now on my resume, I've got, you know, expert climber and truck driver.
She did a lot more penetration tests and got so serious about it that she wrote a book called The Art of Attack, Attacker Mindset for Security Professionals. Yeah.
Well, here's what I'd say about my book. I'm going to explain it.
If you don't like the sound of it, just buy it for somebody you don't like. If you do like the sound of it, it was all me.
You should buy it. It'll be great.
No, in all seriousness, it's called The Art of Attack.
And its central argument is that in order to design defenses that truly work, security professionals must adopt this quote-unquote attacker mindset.
And its basic position is that simply focusing on tools, networks or policies is completely insufficient. It's necessary but it's not sufficient.
So understanding how an attacker thinks, how they strategize, manipulate, persist is fundamental to building resilient systems and I would probably finish on it by saying
that skills of a good attacker are the same skills that A, I want as a person going through life, normal life, also the things that I would teach and will teach to my children like grit, determination, we're goal-oriented, we're resilient, so forth, so on.
They are cognitive skills that we need and how you apply them is what matters. And that is basically the premise of the book.
Somewhere in her life, she went on a penetration test that changed the whole trajectory of her life. It was probably the most highly strung,
you know, tensioned job
of my career. It was for a company that we've all heard of and that we all use.
And we had their internal red team accompanying us.
This company had a big data center and they wanted to see if they could get unauthorized access inside.
Now, I don't know if you've ever gone into one of these data centers, but sometimes these things are extremely secure.
I've seen them where there's like a big fence around the company, and just to get into the parking lot, you have to go through a gate guard, and they'll check your ID and make sure that you're authorized to be there.
And then when you finally park your car and get to the front door of the building, the front door is locked. And so you need a badge to get in.
Forget about any open windows. They don't open ever.
Then upon walking in, there's a security guard watching what you're doing, but you're only in the lobby. You're not even in the data center part of the building yet.
To get in there, you need a second key.
And sometimes they do an eyeball scan to to verify your identity and there are man traps, meaning there's only one person allowed through at a time so they can check you.
Then once you're in the data center, there's sometimes a cage around the server racks you need to get to.
And you might need a third key to get into those and maybe an extra form of identification like a fingerprint scan or something. In short, it's extremely hard to sneak into a data center.
There are actually on this job armed guards patrolling this perimeter and there are vehicles that are scanned for anomalies.
Like it is a very, in terms of security, the very robust, comprehensive site.
And, you know, inside everything, it's a data center. Everything is controlled.
Temperature, humidity are controlled to the decimal. The power and the fiber run through,
they're redundant. There's blast-proof, like conduits.
Every corridor, every door, every bite is sort of like logged.
But once you're in, you're in, and nation-state actors will get in and they're willing to do what it takes. And so that was our job.
Well, she decided to try going right in through the front gate.
So she just drove her car right to the security checkpoint and acted like she was supposed to be there and talked to the guard. Hello.
Yeah, we're visitor.
Yeah, like, hi, can we, we, you know, we're here to do this? Because your OSIN can find you some of those entry points.
Like if they're doing immersion cooling, we know there is maintenance required on immersion cooling for the fluid, for instance. So you go up and you're like, here, we're here to do this.
And you, you know, you, some sites that will work. And they'll be like, oh, okay.
We just tell the right person or here, wait, here. They were like, you're not on the list.
You're not coming in. Okay.
So there's a list. This is a clue.
Maybe she could get on that list.
Who maintains that list? What if she called, acting like the maintenance team and says they have to do a fluid change or something and they're coming out? So we had tried to get on that list.
We tried to call ahead. We tried to spoof phone calls so that it looked like we were calling from hopefully the right point of contact.
It wasn't working. There were too many checks.
They were comprehensive. They were robust.
They were sharp. And so we're like, how are we going to get in here? And it's like, you know, sort of a bit like
they've built a wall. Do we dig under it? Do we go over it? Like, it wouldn't have mattered.
It was. the sensors, the security, they were on top of it.
And so we're like, all right, what do we do?
Hmm. Time to step back and think about some sort of out-of-the-box way to get into this data center.
One way to try to think through something like that is just to learn more about this company.
Maxley was curious how the building was built. So we actually went to the municipalities.
We'd gotten some, like, almost, you could think of them as blueprints, and we figured out that there was, in fact, a sewage line.
Now sewage lines are too small and would be way too disgusting for a person to go into.
However, they sometimes run through underground tunnels that are accessible by service workers, like a smaller pipe inside a big tunnel. So she'd trace where the lines leave the property.
It sat at a point where we could get to another access point through basically a junction. Well, it's worth a shot to try.
So they drive over to where they expect there to to be a manhole, which is off the property. And if their calculations are right, these pipes would lead right into the data center.
But the question is, will there be a service tunnel also leading to the data center? So they pried open the manhole lid and looked in. It was big enough to crawl down into.
So they did.
And then they saw a tunnel going towards the data center. So they crawled through it.
And it's a long, shall we call it, journey from one access point, one manhole to the other, but we have to do it. It's not glamorous.
It was not enjoyable, but we got through it.
Sure enough, it led them right to the data center. And then make our way up into the site and then into the data center.
They got in, snapped a few photos to prove they were in there, unauthorized.
And then they called the security team to tell them they got in. And the security came and it was like, what? How did you get in here? And so our report was,
your guys' security is bob on.
We hate it. It was amazing.
You didn't let us in here. We weren't able to phone ahead.
We weren't able to forge documents. We weren't able to do any of the things that we would try to do ordinarily.
We couldn't have created a diversion to, you know, have security take their eyes off of the gates to get through whilst they weren't looking.
It wasn't going to happen. We got into your data center through
a manhole for a sewer line. And that was the bulk of our report.
The rest of it was gone, but it kind of didn't matter to them. They're like, yeah, but you still got in.
But this made Maxie think even more.
If a data center wants ultimate security so nobody ever gets in, how could they improve this?
And that's when it occurred to her. And I was like, well, if you want to keep them that safe, you put them underwater.
An underwater data center? Could that even work?
Then I started to think, oh, is that did i just have a good idea amazing so i called my old boss who i used to work offshore for and with i was like hey what do you what do you think of this and he's like i've actually i've thought of someone fairly similar and i had this like auto cadre on at this point he tweaked it tweaked the design I was like, would you consider working with me?
Here's what I want to do.
I want to put data centers underwater. I want to do it in a modular fashion.
And I want to do it because it keeps them safe.
So the two of them got busy designing and building modular underwater data centers where you load up the servers into what looks like a small shipping container that's watertight and she will then drive them down to a safe spot on the bottom of the ocean.
It's also a lot cheaper to do. So it's about 80% less expensive in
terms of capex to get compute underwater the way we do it.
I don't know anything about underwater data centers. This is all new to me.
So I didn't even know this was possible or even this was happening. But you're telling me this is something you made.
This is something we've made. This is something we've done, performed, and now there are actually a lot of companies.
Is there like a long extension cord that goes to these things to keep them?
There essentially is. So what's really interesting about the subsea environment, and we touched upon it earlier, is that...
everything you and I use one way or another.
So there are power cards
under the water. That's how we, you know, that's how we light up oil and gas platforms.
That's how we manage to eat on them and things like that. And there are also countries that export.
So France exports power to Denmark.
That's a long-o-lady cable to do that for them. So there's actually a lot of subsea cables.
There's also a lot of subsea cables for, there's like 700 cables or something like that, maybe more now, that carry this internet signals. So they pulse the light
so you don't have to lay your own cables you can just tap it tap off some of the stuff that's there yeah it depends where we're so if we're in a port then we might extend from an onland substation if we're further offshore then we'll splice the power cable
put it in wet so we've got offshore they're wet mate wet meat cables so we'll they look like headphones with the mic jacks on them like they look like that they're just really big ones of that essentially and we plug them into our units our our units look like 20-foot shipping containers.
And
we put them on the sub-sea floor. We secure them there through guideposts, lock them in,
plug in the power wet, wetmate, the power, and do the same for the fiber. And then it's up and running.
And we can do about three megawatts in a unit just now, which is meaningless to most people.
That's kind of what we need just to do a small amount of compute.
And yeah, we sit them on the seafloor. But
what about maintenance and stuff? Like, you need to change out a hard drive. Yeah, so there's a few ways that we perform maintenance.
So it's actually not that much different than
online. So
what I will say is the maintenance cycles are reduced because there's no dust, right? We've got the
servers that are filled or surrounded by this dielectric fluid. So there's no dust, there's no debris, there's no
jostling the cables, and those are the biggest factors of maintenance. That's why the compute goes down 18% of the time.
We don't have that, then, but you know, it happens, we do have to maintain.
There's some faults, so we do that a few different ways. If one server fails, it kind of doesn't matter.
We'll load balance, we'll shift the load, and it'll go to some other server or some other site that we have.
If a whole rack fails, it may fail in place. And again, load balance in.
Or
if a rack fails and it's important,
depending on who the client is and what the client is doing, we may have to bring the unit up. And it takes,
we guarantee you can do it within about 12 hours.
So we've got a vessel at site.
The vessel goes, picks the unit up with an ROV because that's my background and that's how I knew how to do it. So picks up, put it on deck, we drain it, we do the fixes.
You can also do them remotely a lot of the time.
So it really just depends, but
it doesn't cost any more time and it doesn't cost any more in terms of the financials.
And before people
like come for me, it does not heat the water. We are not heating the oceans.
So
I have to say it. So water warms up more slowly than air and it can actually hold more heat.
So the specific key of water is higher than most other substances and what that means is that it absorbs more heat before its own temperature increases by one degree.
So say it another way, water needs about four times as much energy to raise its temperature by one degree Celsius as the same mass of air does.
So what we've measured in our testing is that the water heats up by about a thousandth of a degree, which is statistically insignificant. And that's within a meter of the unit.
You put a data center on land. First of all, you have to use air conditioning to cool it.
For the most part, that's what people are doing.
So about 40 to 50% of all the power that that data center is pulling
is used to air condition. And then that is pushed out as heat.
And then the ocean has to take that because that's our heat sink. The ocean takes that and now you're warming the oceans.
So it's like a very unintuitive, but very like scientifically proven method of getting rid of heat, put it into water. And so, yeah.
And I imagine if someone does try to pen test this place or break into it, as soon as they open the door, it just gets flooded and then all the computers shut off. You can't open the door.
So it's like you would. Basically, our biggest threat is like a sub, you know, like a Russian sub, maybe, let's say.
So what happens is you'd have you need a sub, or you need a vessel with an ROV attached, or maybe if we're, if we're at like a shallow depth, you could use a diver, but a diver's not going to be able to do anything.
You can't pull a door open because of the pressure of the water. So, basically, you couldn't really pen test it without getting a vessel, an ROV, or a bunch of divers, or a submarine.
And good luck to you. I don't even know how I would do that.
And if anybody's going to pen test it, it's going to be me because
that is a fun fun job. But
basically, let's say a nation-state sub came along. Great.
It would have to connect it, and it would have to pull it off of its security mechanisms that we've got sort of fastened to the seabed.
And once you'd done that, you would basically self-destruct the data that was on the servers because now you've ruined the housing that is keeping them safe from the water and the pressure of the water.
So
physically, they are very, very secure.
Digitally, it's the same footprint. Like you pen test it the same way you would any other server, data center, company.
Incredible. I think I'm stunned by that sort of thing.
I mean,
my brain goes into weird directions here. Like,
are there laws offshore where you can host things that aren't legal in this country or whatever and all this sort of stuff? And now suddenly I like this idea of
pirated
websites or piracy.
Is there even there's piracy in the sea as well? Like my brain is just goes in all directions here.
Yes, there are maritime laws. Very difficult to enforce them.
And you rely on satellites to some level and you rely on like boats to police. But the ocean is vast.
So it is very difficult to enforce so basically we're counting on people doing the right thing and that doesn't always work so what we do is we make sure that we're in the green so we co-locate with existing assets offshore whether it be in national or international waters every country has an easy and economic zone essentially And that's about, it goes from coastline to about 12 miles out.
And then just a little further out from that, you start to get into what is essentially international waters. You can do what you want inside of them.
Who's going to stop you?
But we choose not to, as you know, an American company. And so we co-locate with other assets in the area,
usually like offshore wind platforms or rigs or anchored boats. So, yeah, I think sub-sea is definitely part of the future for data centers.
A big thank you to Maxie Reynolds for coming on the show and sharing these stories. You can learn more about her underwater data center at subsea cloud.com.
If you want to get her book, it's called The Art of Attack: Attacker Mindset. It's the one with the chess pieces on the cover.
If you like this show, if it brings value to you, consider supporting the show by by giving directly to the show.
It helps keep ads at a minimum, it keeps the lights on here, but most of all, it tells me you want more of it. Not only that, but you'll get bonus episodes and an ad-free version of the show too.
So please visit plus.darknetdiaries.com. That's plus.darknetdiaries.com.
Thank you. The show is made by me, the packet tickler, Jackery Sider, editing by Control-Alt Delight, Tristan Ledger.
Mixing by proximity sound and our theme music is by the mysterious Breakmaster Cylinder.
I have a bad habit of doom scrolling social media, but lately I've been trying to break it by confusing the algorithm as much as possible.
I'll play like long recordings of fog horns blaring or I'll watch curling matches from 2006 where I'll just search for like the most bizarre things I can think of like can I legally marry a ghost in Ohio or
Baroque interpretations of dial-up modem sounds. Can you potty train a squirrel using jazz?
Not because I'm interested in those results, but because because I like tossing the algorithm a bag of trail mix and just watching it chew on that for a while.
This is Darknet Diaries.
