
#164 Mike Grover - How Hacking Tools Are Changing Cyber Warfare
Full Transcript
Mike Grover, welcome to the show, man.
Thanks. Thanks for having me, dude.
We just knocked out one of the most fascinating everyday carry pocket dumps I've ever seen. And the fact that you designed all that hardware is just astounding.
It's awesome. So we got connected through mutual friend Bryce Case Jr.
Yeah. And thank you, Bryce.
And man, we've been trying to make this happen for, I think, a year. Yeah.
Over a year. Yeah, over a year now.
So, yeah, because I interviewed. He was last year's Thanksgiving episode.
Yep. And we got connected right after he told me about the OMG cable, which you developed.
And we'll get into that. But real quick, let me kick it off with an intro here.
Sweet. So Mike Grover, a.k.a.
MG, you're a hacker, red teamer, entrepreneur, artist, security researcher, and educator. You work for Fortune 500 companies conducting red team operations to test and enhance their security.
You design and build covert hardware implants that bypass and challenge computer security. You also run a business that manufactures and sells your hardware designs, which are now used by countless companies and governments to strengthen their own security.
The most well-known hardware design is the OMG cable, a malicious USB cable. You're also a husband and a father.
And I'm sure I'm missing a whole slew of stuff, but at least that paints the picture. Thanks, man.
But, you know, I want to do a life story on you, you know, some of the things that you have developed.
And then probably go down some rabbit holes with cybersecurity.
Maybe I love knowing what China and Russia are up to,
if you have any insight into that.
But before we start anything, everybody gets a gift.
So.
All right. So, all right. Ooh. Guys they don't sleep gummy bears. So, made right here in the USA, legal in all 50 states. All right, so I know you guys got some fun gummies down there in California, but this is just candy.
I'm going to eat some now, man. Go right ahead.
Want some? Yeah, I'll take some of those. Thank you.
I'll see if I can not eat these by the end of the show. Good luck.
Nice. Those are good.
Not bad. Sorry, I'm going to talk with my mouth full. Mike, I got a, so I got a Patreon account. It's a subscription account. They were a major, we were just talking about before, right before we kicked this off, about starting businesses and how this started in my attic, and we're both entrepreneurs. So developed a Patreon very early on.
They have been the key component to how I've built my business. And a lot of them have been here since the very beginning.
So one of the things that I do is I give them the opportunity to ask each and every guest a question. And so this is from somebody anonymous.
What's the simplest trick hackers use that 99% of people still fall for every day? Asking. Just ask him.
Ask him for access.
Granted, you've got to kind of cloak it a little bit, but you pretend to be somebody you're not. And for instance, like, I'm your IT department.
I'm your HR. You call them up, you email them, and you say, I need you to do a thing real quick.
And that process will generally have them maybe entering their password, for instance. Except it's into something you control.
And at that point, you've got their password. That is a method that is still heavily used and constantly works.
No kidding. That actually happened to us here.
Oh, yeah. Yep.
Yep. We had to have Ryan Montgomery jump in and save the day.
But, yeah, we got an email saying, we want you to be on this podcast. Yep.
And I thought it was bullshit. We had a staff member that kind of like pushed me to do this.
And of course, everything was in a rush.
And boom, we saw that.
Then my guy, they got into our Facebook
and almost hacked everything.
Yep.
Took it all.
And Ryan was able to jump in
and save the day kind of last minute there. Nice.
Thank you, Ryan. But what else? What's another one, though? I mean, that is like the go-to, right? I mean, you can walk into a building, but why do that when you can just ask from halfway across the world, right? Yeah.
I mean, most companies, you'll still be able to walk in and do all that stuff. It's just not worth the risk unless they've got that level of security locked down where it's like, okay, you can ask anybody in the company for their password, they can give it to you, but you can't do anything with it because we've got two-factor turned on or stuff like that.
Different security controls and detections that suddenly require physical access. You have to take more risks to do that.
And that's a lot more skill, a lot more work to make happen. Interesting, interesting.
Well, I had a little chat with Bryce before he got here today. And we were talking.
And the way, have you ever seen, if you ever seen that video of him at the dead mouse concert? He's up there, he's rapping, and falls off the stage. I gotta roll this clip. At least you've a little uncomfortable, but I gotta ask it, and I think it's a good question because it sets the stage for the entire interview and everything we're going to talk about. But he says, in case he chickens out, ask Mike about his design being so good that they were copied by the most well-known hacker of all time, Kevin Mitnick, also known as Condor. So...
I got to hear about this, man. Is this the OMG cable? Predecessor, right? So I had been doing lots of designs of malicious cables, right? And I had some really early proof of concept just to show it's possible.
No wireless connection, really tiny payload capability, a few dozen, maybe 100 keystrokes. It really limits what you can do.
It's really slow. We're not hitting that 1,000 keystroke per second thing, or maybe a dozen.
Really slow, but it worked. You can't remotely update it, you can't do anything, but it worked.
I want to show the world, because a hacker, you want to share the information stuff and work with other people. I didn't see it as a product.
It was just more like a project, more like art. Like, hey, cool, look at this thing.
He reached out and wanted to collaborate and have me build one for him. I started on that process, but I didn't have enough time to complete it with his work constraints as well, because he didn't have time and stuff.
And eventually what happened, I didn't know about it,
but he went to someone else and said,
make this for me.
Oh shit.
I didn't know about it until it came out.
And the thing is, it wasn't very good.
And I was just like, dude, first of all, it's not very good. This sucks.
I was making this a proper product, but also I was like, hey, if you had the resources, I could have used that. Because I was just doing this on the side.
But we have solved things since then. I think there's certain levels of communication and misunderstanding, so I don't want to be like, oh, he's the worst.
Lessons learned as well. If it's something you can turn into a product, maybe wait until it's ready.
Things like that. Which is exactly what I did with the OMG cable.
That's where it's thousands of times better. I mean, as enraging as I'm sure that was,
it's also pretty flattering.
Oh, yeah.
Is he really the world's most renowned hacker?
I mean, well, so RIP, he's no longer around.
Oh, really?
Yeah, exactly.
But yeah, the way he would be introduced,
but it was always the world's most famous hacker is the tagline that was used. What made him so famous? Well, he, God, I need a refresher on this, but basically he had gotten the attention of the FBI, and they were hunting him down for getting into various places.
A lot of social engineering tricks and stuff like that.
Kind of a cat and mouse game.
There's a movie called Takedown, right?
Good movie, check it out.
But he went to prison then and was pretty unfairly treated.
There was a whole Free Kevin movement where they were doing, I think they put him in solitary or something because they thought he could whistle into the phones and launch ICBMs or some shit.
Oh my gosh. This is back when everybody was like, oh my god, hackers, just evil wizards.
It's still like that today, but it was much worse back then. They had no idea what was even possible.
So, yeah,
he was held for much longer.
I don't think, yeah,
I don't want to misspeak here because I don't remember the particulars, but he
was held for a very long time,
pretty unfairly, eventually got
out and
then went into InfoSec as
like a profession using that. And then tried to take your OMG cable.
I mean, I guess he knew it looked good. He's good at that.
Hey, you got the world's most renowned hacker taking your stuff. That's pretty cool.
Sounds like everything worked out today. Oh yeah, definitely.
Just for the record, he got a pretty unfair shake at life. I think he got pancreatic cancer.
And he died before his first kid was born, which is just fucking terrible. I've since met up with his wife and cleared the air.
We're good. Good for you, man.
Well, let's get to you. Like I said, I want to do a life story.
We've got to get into the OMG cable stuff and all the other stuff that you're designing, some red team stuff. But actually, in your bio, I know what red team operations are, red cell operations.
But could you explain that to the audience? Yeah, definitely. It depends where we're talking about red teaming, because there's military red teaming, which I would love for you to give me a couple stories on.
I'm sitting in a room with a guy who probably knows that really well, way more than me, so it would be a little ridiculous for me to explain that to you. But red teaming in terms of corporate cybersecurity is a subset of pen testing.
Pen testing is find the holes. Tell us the holes.
That's cool, but it doesn't quite test how someone responds. I think there's this, I think it's a Mike Tyson quote, where everybody has a plan until they get punched in the face.
It's like, okay, well, maybe a little aggressive in context of cybersecurity, but how do you solve that? In boxing, you train, you get punched in the face. And then, well, okay, now it's not going to be new when it happens.
So you might have a plan, but are you going to execute on the plan? Are you going to miss some steps? Is emotion going to get involved? Also, I can find holes at different layers, but red teaming is going to be repeating exactly the entire chain. It's often called a kill chain, where you're connecting all of these different vulnerabilities to go from completely outside to completely to the crown jewels, take them out and succeed.
And then you show how you did it after the fact. How'd you get into that? Good question.
So kind of almost don't even know, but over the course of just life, and I started off as just help desk, IT, sysadmin, where you learn a lot of things, and at the time I didn't think it was very applicable, but those are all the systems and the nuances and just the weird compromises you learn, like, oh, I don't have enough budget, so I'm going to do it this way. Or you learn about the end users that you're supporting as help desk and all the problems they run into and, oh, they're running into policy that stops them from working, so they're going to do this.
That's going to cause a degradation in security, but it's really common. You know that, having been in help desk and sysadmin, so you start to connect these things together and it becomes this really valuable bucket of information for, oh, how would I get into the company using that? And I've got really into security for a while.
It's also a piece of that role. You're going to run all the systems for IT, you've got to keep them secure too, especially in small companies where you don't have dedicated security.
It's like, no, you are the security. So you've got to learn it that way, which requires you to think also, how does an attacker do it? Because you've got to defend against that, right? So eventually, I just kind of got bored of doing IT and made the jump into security.
Started learning, actually, Bryce. It's a good connection on this as well.
So I had known Bryce for a long time.
And I think it was like 2013,
first time I went to DEF CON,
Hacker Security Conference,
biggest one in the world in Vegas every year.
And I decided, oh God, what was this?
So there's these unrecorded talks they also do
in certain areas. He was on stage, I think he was doing something with Bitcoin at the time, and he had this telepresence robot on stage for a guy who was on house arrest.
He couldn't come, so he brought a telepresence robot to be Bryce's partner on the stage. And it was just wild watching this.
So I'm in the audience, and I'm just like, oh yeah, Bryce, I don't like it, I'm going to go see what he's doing. And then he gives us a talk, and after it's done, I'm like, hey, yo, what's up? Never met you before.
But from that point on, our relationship grew, got to know him a lot better. But he also DJs, as you know.
And he was DJing for a guy called Fuzzy Knop. Sorry, flip that around.
Fuzzy Knop was DJing for him because he also emcees and sings songs. So he needs someone to play that.
So Fuzzy Knop was DJing for him on a lot of his shows. So I met him.
And well, he is the one who had built out a red team for a new company. Not a new company.
New red team for a company. Large company.
And he ended up pulling me over into that team. Oh, cool.
I love that guy, man. Bryce is great.
I love that guy.
Well, let's, took a little sidetrack there, but let's get to you.
And let's get to your child. I'll let you get there eventually.
Where'd you grow up? All right. So I grew up in Wisconsin.
Brothers, sisters? Yeah, I got a younger sister, four years.
You guys tight?
Yeah, we don't keep in touch as much.
We're both super busy, but we could definitely be a lot closer.
Is she a hacker too?
No, she's culinary.
Culinary.
Yeah, I picked that up for my dad as well.
So my dad, he was in the Navy as a corpsman for a while.
I think it was like four years, submarine stuff.
But medicine, both my parents were in medicine,
and they did a lot of DIY stuff.
So they built their house from the ground up,
designed it from the ground up.
So I was in that kind of raw materials environment.
The house never actually fully got completed, which is actually kind of cool because there's constant tools, raw materials around growing up. I thought that was an amazing experience.
Dude, I remember shoveling out the house because it snowed before we got the roof on. No kidding? Yeah, it was pretty cool.
I was pretty young at that time, but it was still impacting.
Like, oh, look,
you can just do stuff, right?
That wasn't their profession,
but they just picked it up,
learned it,
how to design it,
built nearly everything.
I think they didn't do,
what is that?
The masonry for the basement
because, yeah,
the trusses.
And then they were rushed
with the weather to get the drywall up. So they paid for that.
Everything else they did by hand. Wow.
Pretty cool. Culinary, right? That's going back there.
Yeah, he's really into, he was really into just cooking, and really, really good at it.
Both my parents were doing barbecue competitions for a while as well.
Jack of all trades.
Yeah, just get into it and go.
I think that was a pretty good learning experience.
Obviously, that had an impact on my sister who got into culinary as well and did some great stuff there. I didn't pick that skill up.
So what were you into as a kid? Oh, God. Definitely electronics-type stuff.
So it just depends on the stage. Video games first.
Lots of video games. What video games? What platform? I guess it depends over time.
There was the console stuff like Nintendo, etc. So let's go all the way back.
So Atari. And this is kind of like the first hardware hack, actually.
My dad... So if you remember the Atari joysticks, it's a joystick and a single button, right? That's controller.
We were playing the game Tank. You just move around like you're in a tank and you fire at stuff.
My dad took some speaker wire, a tongue depressor medicine, and ran a button probably from Radio Shack and just taped it to a stick to the tongue depressor, ran the wires off and soldered it to the controller so that I could have access to my own little button when I was four or something. So I could fire the tank while he steered it around.
I thought that was pretty cool, and it kind of stuck with me. You just modify stuff, like hack and stuff.
Very simple, but that was the first video game, first hardware hack, right? That I was kind of exposed to. Spent lots of time on Nintendo, Super Nintendo.
Then I got into Quake. Quake was extremely impactful for me.
That's where I went from consoles to the computer in the house that we had. I used it for encyclopedia.
You could chat with people online. Cool, but it's more just a tool.
Then Quake. You got to start learning things back when Quake came out.
It was late 90s. You got to learn how dial-up works, how to connect to other people so you could do multiplayer.
That wasn't just a button or two. You've got to learn stuff.
Even running Quake, it's like,
you just don't launch it.
Reboot the computer in DOS mode and stuff like that.
You're learning how a computer works,
but that's where we get into hacking as well.
That's the inflection point of a lot of things.
Also, Nine Inch Nails was built into that game.
They did all the sound effects.
You can see the Nine Inch Nails logo on the crates of nails as well
if you look in there.
But yeah, that was also kind of impactful for me
with their stylistic stuff and the art.
Damn, so you started the hacking stuff at like,
how old were you?
We were the same age.
That was high school.
Atari was high school? No, Atari, oh God, I don't even know when that was. Yeah, I mean, just really.
It was like five or six? Yeah, I don't even know. Damn.
It was the 80s. I don't know.
But yeah, Quake was high school. Right on, right on.
Let's fill in the gaps.
Were you into anything other than electronics or was it always just
electronics? I shouldn't say
just. Was it always electronics?
It's all connected in some way.
I was into cars as well.
Part of it was just
making the car
continue to run, but also
let's add sound systems to the cars and learn how that works, which is electronics in some way. Also got into water cooling the computer to overclock it, but that required learning.
Water cooling. Yeah.
So these days you can just buy a kit and install it, right? But most computers are air cooled. You've got a little fan in there blowing out the heat, right? If you overclock a computer, you can get a lot more power out of it, especially back in the 90s, early 2000s.
But it would dump a lot of heat. Lots more heat, and air-cooling couldn't keep up with that.
So what you do, you take little water blocks basically, like a little piece of copper, strap it to the processor, the video card, and run water loops through it. Kind of like a, I don't know how to better explain that, but it's like a little maze that the water would take through the channels on this block.
And it would pull the heat out, and you would dump it. And at the time,
it was a Chevy Chevelle heater core
that was just the perfect size.
You could use that as a radiator with a larger fan on it.
So instead of using the small fans
that you'd find on laptops or even desktops
that maybe is that big,
you can just fan that big.
And it keeps it quieter while dumping heat,
and you can just run these things really hot.
And yeah, I had to learn how to make those things, right? So you get a pond pump from a fish store, you get the Chevelle heater core, get all the tubing wire together. But I had to mill out.
I didn't mill it, I drilled it. I used a drill press, because I could not afford access to that.
It was like a $100 drill press at the time. You just do cross drilling through all different directions, plug it up and get this cool spiral pattern where the water would go through it and pull heat out of all your devices.
You've got to learn about things like corrosion. You've got copper and brass and aluminum.
These things are going to start to corrode. You learn the chemistry behind how to prevent that from happening
because you don't want corrosion because then your
computer's going to have water all over it when it leaks.
Just for example.
Wow.
You're like a jack of all trades.
Yeah.
You like taking stuff apart, putting it back together,
figuring out how it works, how to fix things
at a very young age,
and it just exploded into what you're doing now.
How'd you get into hacking?
So I'm going to put that on Quake as well.
So you're playing online games, right?
And you learn, you can do interesting things.
You start controlling things in weird ways,
and it kind of escalates.
You're like, wait a second. At the time, there was no what we call client-side security or client-side integrity checking.
The game files I had on my machine were unique to me. You would download them from the author.
At this time, we were actually installing it from CD drives. And you just expected to not mess with that.
But nobody's stopping you. You can go and mess with the player models, for instance.
And you can add a really large cross that goes 10 feet above, below, and all sides to this person. So now you can see them running around a corner because this post is sticking out them, and you see them coming from the corner.
They don't know that, but that was a good approach.
Or a lot of dark spaces, right?
You can't really see people in the dark.
You're like, cool, I'm going to add a fluorescent color to their skin.
There they are.
They're glowing in the dark, right?
See through walls, right?
You've got these textures that would go in the walls, and they're opaque, but they don't have to be. You just set them to transparent and suddenly you're seeing through the walls.
That type of stuff was... I had more fun figuring out how to do it than actually doing it, but that kind of just opened the door of like, there's rules and there's expectations, but there's also not many people checking.
Best way to kind of, God, I don't want to get into philosophy here, but there's this kind of beautiful, I think it's Jacques Ranciere, who defines police politics as, you got a road, right? And it's painted. There's lines, and everybody just obeys those, right? And he connects that back with politics of how you're told to vote and do all these things.
It's like, okay, but what if you don't follow the paint on the road? What if you go off the road? What if you get really close to the edge? Most people, they see those lines are going to get right in the center of the road because that's what you're supposed to do. It's like, what happens if you don't? That's interesting to me.
That's where weird things start to show up, like unintended designs, unintended powers and capabilities, just unintended failures, unexpected failures. It's really fascinating to play with that.
Play on the edges, see how close you can get. And I guess now that you make me kind of say this, that's probably a good descriptor for how I think about a lot of things, like art, everything across the board.
It's find the boundaries and what happens if you go on either side of it. Interesting.
Interesting. Did you get involved in any of these hacking-type communities?
Oh, yeah.
So late 90s, more early 2000s,
there's a lot of online communities.
Some are big.
I think the really big ones you would know of,
that most people would know of, rather,
like 4chan and Something Awful, right?
Big places that had the bigger names at the time.
But there were also much smaller, specific topics. Water cooling, right? There was a water cooling, there was a bunch of them.
But there would be water cooling communities where people just share their techniques and stuff, so they could all just improve upon it. And yeah, there were also hacking-themed ones.
So Bryce and Digital Gangster was one of those. That was one of the several communities I have known him from.
And yeah, there's, this was also at a time where online space and meet space were very separate, right? Like online dating, for instance. That was like, what? Now it's like, that's all the kids do these days.
It's really weird. But I met my wife from one of those online communities.
But eventually those worlds start to blend together when you spend more time in there. And you're spending most of your time in there and just talking to these people.
Eventually, I mean, it depends on the community. Maybe not so much like Digital Gangster, where it's raw crime happening.
It's maybe not the best idea to meet up for many reasons. But certain lesser criminal communities meet up with people and those worlds start to blur together.
It's a little bit different than 2024 is where everything is just mixed together now. Yeah.
How'd you meet your wife? We posted on one of, so we posted on some of, one of the communities out there.
I think it was like from hardware overclocking.
Yeah, I can't remember exactly what it was, but we, I moved out to California.
That's its own story we can go into.
But when I moved out, I think it was like the first week, I'm just like, hey, anybody in this community around want to hang out, show me around the town? She was one of those people. I just kind of grew from there.
Is she a hacker too? Not a hacker per se. Gamer, photography, art.
Cool. How long have you guys been married? Sorry to put you on the spot with that one.
What year is it anymore?
14 years?
It's 2009.
15 years?
2009.
14.
Yeah, so almost 15.
15 years.
Yeah, that's crazy.
I haven't known her since 2004.
What do you think the secret to a successful marriage is? Oh my God. But you weren't expecting that one.
No, I was not expecting that one. I'm going to have to think about that one, man.
I don't know, man. I guess I can connect this back with everything.
Understanding, humans are a mystery to me, but at the same time there's so much complexity and it creates everybody's different. Everybody wants to put everybody into a bucket.
There's us and there's the other, but humans are messy and complicated, unique, and understanding that helps a lot with everything,
whether it's being in a marriage or attacking somebody to get into a company.
It's like, yeah, same thing, right?
Like understanding, but, you know,
very different motives and goals.
Behind that one is just truly understanding the person
and working with them,
and, you know, the other is kind of the inverse of that.
Right on, right on.
Let's talk about some of the stuff that you did.
What are some of the big hacks?
Were you involved in any big hacks?
Not like hands-on keepers.
I like to watch those.
So for most of my time,
any of the hacking stuff,
that was me.
I kind of viewed it as entertainment.
It wasn't power, money,
or anything like that for me.
It was just like,
let's just have some fun, right?
Yeah, you can mess around.
I would do stuff
in some of the communities as well. I knew the people who would run the servers, so you can mess around in there.
What kind of stuff? Okay, for instance, I've got to remember all the complexities here, but this community was very liberal with temporary bans and stuff like this. I got myself banned, and I'm like, get around that, right? And then they could not get me banned in this environment because they had some add-ons that they were using for this vBulletin.
I think it was vBulletin. It might have been phpBB.
phpBB. Anyway, one of the large platforms at the time just had a lot of plug-ins that just gave me raw write access to the database effectively.
And I could post through that. And they had a lot of fun chasing me down in that situation.
Just like, how are you still here? Very lighthearted in that instance. They were more interested in how it was done than like, oh, you're breaking into my stuff. So yeah.
Right on. Well, let's move into... I don't know a whole lot about hacking. Yeah, yeah. I would love for you to expound on how you got into it.
Or not how you got into it, but some of the things that you just found fascinating that kept you going all the way up until building your own hardware. Yeah, definitely.
And actually, going back into the youth for a little bit, something probably important, I had a phase where I was really into magic. Sleight of hand, deception, that type of stuff.
I think that was middle school. I actually got my first taste of authority not being super ideal for me.
Brought in a fake cigarette to middle school. The peak of the dare situation, right? It looked perfect.
It looked like it was actively lit, and you blow on it, and talc, I think, powder came out, but it looked like smoke. That got confiscated. We got, a friend and I got pulled down to the principal's office. I don't know. I think I got suspended for not taking the situation seriously enough. I'm like, how are you going to take this seriously? It's a fake cigarette.
But I think my friend pointed out, oh yeah, that's right, they brought on the cops to test it because some of the talc powder came out and they're like, that might be cocaine. And my friend made probably an unhelpful comment of like, that's not even how you would smoke cocaine.
But yeah, anyway, sleight of hand. That gets into like deception and the human aspect, which is often forgotten a lot in hacking.
People are like, oh yeah, it's just knowing computers really well. Definitely a huge piece, but it's people as well that have to be manipulated.
You've got to understand them. You've got to convince them to do things, which is the most common way of getting into so many systems. You say, hey, I'm from your IT department. Let me in. And you've got to know how to make that sound legit. And if somebody's like, I don't know, okay, let's use some urgency to make them panic a little bit where their decision-making goes down.
And they're panicking, and they're like, oh, he's just got to do the thing, or I might get fired, or this bad thing's going to happen. There's so many different psychological triggers that come into play and create this misdirection.
Interesting. And you're like, oh, it's like sleight of hand for psychology, right? So you push people into different directions and you get them to reveal their password or run an application on their computer that gives you access to everything.
And that overlaps with the technical and the hardware and all these other things. And just, I guess, being a generalist, now that you make me think about it, it just allows you to glue all of those things together.
I guess, yeah, at the time before I officially got into paid security, I always thought that was a weakness. I've never specialized in anything.
I couldn't possibly keep up with people who did specialize. That is true.
Every person I work with that specializes, they go so far into just absolute wizardry. That amazes me, and I can never keep up because I just cannot sit down and focus and be like, I'm going to do this thing, and that's all I'm going to do.
I get 80% of there, and I want to go play with another thing. But it worked out.
It's great for the entrepreneur-type perspective as well.
We're going to take all the things.
It keeps you busy, right?
Yeah.
Well, Mike, let's take a quick break.
And when we come back, I want to get into some of the hardware that you've made.
Yeah, absolutely.
And how that happened, and who's using it, what governments, all that kind of good stuff. See what I can say.
All right, Mike, we're back from the break. I missed a couple of things in our outline here, so I'm going to have you pick it up.
We're always going to start with 2600, whatever the hell that means. Oh, yeah, yeah.
All the security stuff I was doing, the times I was doing helpdesk and stuff like that, security, for the most part, anything security connected, was a hobby. Even the overclocking and water cooling was a hobby too.
But 2600 is kind of a hacker zine, I think they're quarterly. Lots of people writing in to show tricks they've done, whether it's with pay phones, phone phreaking.
Wait, so what is 2600? It's a hacker zine, basically. Like a magazine? Yeah, like a little magazine.
You can go to Barnes & Noble and get it. Okay.
So what is it? Is it a book? I think it's quarterly, where they will just publish a new set of little articles written by different people that talk about how to hack something, how they hack something, just cheats on systems, just sometimes politics, just hacker-minded stuff. Gotcha.
It's pretty cool. But that was also, when I first got into that, phone phreaking and stuff was more popular then as well.
What is that? Yeah, so that's hacking with phones, basically. So this goes back way, way long ago.
God, I think the guy's name was Joybubbles, actually. Deaf guy.
Sorry, not deaf. That wouldn't make any sense.
Blind. And he noticed that there were tones on a phone when connecting to overseas and stuff.
This is way back when you had to pay long distance and stuff like that, right? Phone calls cost a lot of money. But he noticed they made certain tones and stuff, so he had perfect pitch, and he would just whistle them back.
And he noticed the phone network would do stuff when you did that. So, yeah.
This is what we call in-band signaling. When you can hear the signal at the other end, there's the switch panel of the phone networks hear these tones, and it's like, you know, when you push numbers on the keypad, they make a tone, right? If you do it in a certain sequence, it's like, oh, it hears that.
There's other tones that the keypad doesn't make that tell it to do other things. It's where the 2600 comes from, actually 2600 hertz.
I can't remember what that does at the moment, but it would allow certain administrative type functions. And it's like routing around, like, oh, you paid, and now you can route long distance or something like that, right? No shit.
So hold on, hold on. So it actually has nothing to do with the keys that you're pushing? It has to do with the tone that they're programmed to make? Yeah.
I mean, at least at the time. Things have changed since then.
But yeah, it was just the tones. You could literally whistle those tones or hum them or whatever.
So blue boxing was the other thing it's called. There's many boxes, many colors, but blue boxing just replicated that.
You could literally quickly dial a number or whatever you wanted to do, do the administrative codes, play it right into the mouthpiece, and you would dial and do all these things. Holy shit, I had no idea.
Believe it or not, that's how Apple started. Woz and Jobs made some of their first money selling blue boxes.
What is a blue box?
It's the device that would allow you to more or less get free phone calls in the age of having to pay for long distance and stuff.
Go to a pay phone, just pull out your blue box, hold it up to the mouthpiece, press some buttons, make it do what you want, call whoever you want. It was illegal at the time.
There was a magazine I got into by a guy named Cap'n Crunch at the time. He got that name because there is a whistle inside of the Cap'n Crunch cereal that just happened to make that 2600 tone when you blow it. So he didn't have perfect pitch like Joybubbles did, but he had the whistle. So you just blow that into the phone, then you open up certain access with Cracker Jack.
Not Cracker Jack, but Cap'n Crunch-style toy, which is really cool. But yeah, you can electronically reproduce those sounds, and that's what they were doing with the blue box.
There was like red boxes and rainbow boxes. There was so many different boxes that would do different things that people would figure out, and they would share that with each other.
And yeah, it was technically criminal, but a lot of people did it at the time. And yeah, Woz and Jobs took that money and started Apple with it.
No kidding. That's pretty cool.
I had no idea. Very cool.
And Woz, I would love to meet that guy one time, but he's a great example of the old school hacker that was way more about mischief and just figuring out how things work. Not necessarily anything criminal.
Interesting. Great example.
Interesting. So you were working at this magazine? Yeah, so I wasn't working there.
I was just enjoying it. And there were a lot of different cities would have meetups.
Like, hey, 2600 meetup. And you go and meet people that are into that stuff. Really tiny where I was from, so I didn't really go anywhere. But that was cool. It would get you into just more like, hey, here's other ways of hacking that you didn't know about. And just gets you to think, wait, if I can do that, if they did that, what else can you do? Let's play. It's all about exploration, experimentation.
It's a frontier, too. There's just unexplored space.
What else can you do? Outside of 2600, there's all the tools that people knew of the early online days, like Sub7 or NetBus.
What's that?
Kind of like a software Trojan, more or less. Basically, you get somebody to run it, or you run it on their computer, and it gives you remote access. You can fully control those machines over the internet. Open up the CD trays, close it up. Just all kinds of wonky stuff that could be for pranks or could be criminal.
Okay, that reminds me of one of the ways we used it. So again, I was way more about just pranking and having fun.
My friend in high school, her name was Heather, she was really into spiritual stuff. She thought spirits were in her house and stuff like that.
It was a phase, right? A friend and I had that running on our computer and you could play noises in the middle of the night and shit.
It was terrible.
It was so bad.
The CD drives would open.
She was terrified at the time,
but later on thought it was funny.
For an example, you can just have fun.
You can play with people.
You don't have to actually straight up do crime.
Crime does occasionally pay, though.
Some people would get into that. How would they use it? For criminal? Yeah.
God, this goes way back. I mean, we're talking like over 25 years ago, so I'm not 100% remembering this, but it would have been, you can do file system modification, stuff like that. So you can get access to cookies that will contain login information. You can just get into people's accounts, send mail as them. So spamming was a huge thing back then. I mean, this is where Bryce has gotten a lot of reputation from those early days, spamming. My friend at the time paid for his first computer by spamming for a porn company, actually, which is funny because he's cashing a check, a sizable check, for a porn company.
And he's like, I don't know, he was probably like 14 or something at the time, getting like weird eyes from the bank. He's like... So yeah, that happened. But what else? Yeah, I mean...
Did you ever do anything illegal that's past the statute of limitations that you can share? So a common misunderstanding about the statute of limitations is it's not just about the time that has passed since you committed the crime.
It depends on the crime, but many times, the clock starts from discovery. Interesting.
It's a common misconception that is good for a lot of hackers to realize. But, I mean, I'm sure...
So the CFAA, Computer Fraud and Abuse Act, literally any access to any electronic interface that is not explicitly allowed, that's a federal crime. So literally what I described, getting onto my friend's computer, that's a federal crime, even though they're cool with it and all this stuff.
Gotcha.
So literally any of those things can be heavily punished.
Gotcha.
So yeah, it's tricky.
Well, let's get into your first job.
Yeah, so first job, IT.
Again, security was not really a huge thing for the most part. All that was side stuff, but you still have to be conscious of secure design.
My coworker was kind of my mentor at the time. He was ex-DOD, ex-Navy.
Had a lot of fun stories, but also got me more into security. We actually did our first security presentation for the company, kind of using some classics here. So the movie Sneakers, amazing movie, still holds up today. If you haven't seen it, go watch Sneakers. It's awesome.
But they did a lot of physical security stuff. If the door's got the hinges on the inside, you can kick it open. If it's on the outside, then you get to do something different. But what else? There's the social engineering aspect where they wanted to get through a front lobby attendant who had to buzz them in. So they had someone else come in with like, I think it was like a delivery, just creating a lot of stress. So one guy's like, yo, I got this delivery.
Other guy's like, hey, I got my cake and my balloons. Can you just ring me up? And it just goes and escalates until he's like, ah, just pushes the button and gets in.
Right? Of course, you know, he didn't have a cake or anything like that. The balloons were to cover the camera.
And the cake was, I think it was like a briefcase of some hardware that he had to infiltrate into the company that would go attack things. Great demo.
We used that, like, hey, here's some physical security things, get you to think about it. Catch Me If You Can, another thing where social engineering was used.
And believe it or not, that movie based on Frank Abagnale, most of the stuff he said is actually made up. It was like the con on the con.
But anyway, yeah, that was kind of a classic thing that still a lot of security presentations today will still use those. Anyway, long story short, kind of got me into the idea of educating on security instead of just playing and having fun and just the entertainment values.
Like, oh, you got to actually teach people. There's a responsibility here.
Teach people how to not fall victim. Also did some live password cracking.
Back in the day, people were using real terrible passwords. So just adding some extra characters and stuff.
We were able to do password cracking just in the middle of this presentation. Like, hey, this password you can get in 15 seconds.
This one's going to take us 10 hours. How do you begin to crack a password? Basically, there's a lot of different ways.
The way we were doing it was just brute forcing, being able to have the ability to just retry word sets, like common password sets. You can just get those.
There's a lot of password lists, what we call them, that will, when you're going to brute force and you just want to try them, well, hey, we know these are the common passwords. We know these are passwords from leaked breaches.
Just shove them all together. Good chance somebody's reusing that somewhere.
Good approach. There's cryptography and stuff.
Do you use a password manager? Oh yeah, definitely. Highly recommended.
Which one? 1Password's pretty good. There's different ones depending on what you need.
Is Keeper any good? I haven't looked too heavily into that one. I know somebody who's very into that space that speaks fairly highly of 1Password, but it's been a while, so I wouldn't want to be like, this is the one, because that space is always changing.
What constitutes a good password? One that you don't know. So password manager.
Exactly. So if you don't know your password, it should be unique per site and as long as hell.
And that means you're going to have to use your password manager to autofill that or copy, however you're going to do it, you're going to need the password manager to feed that back and log into the site. That combined with proper two-factor, which is going to secure so much when it comes to you being compromised by social engineering and phishing.
Okay, that's good to know. Let's move on.
Yeah, yeah. After that job, I was kind of bored of Wisconsin.
And my friend at the time, the one who made the money spamming, he moved out to San Francisco a year earlier and worked for a company called Long Now. They're the ones doing the 10,000-year clock that a lot of people are associated with.
I think Bezos is on there. Stewart Brand.
Hold on, what's the 10,000-year clock? Yeah, so it's this idea. I don't think they've built it yet, but still working on it.
But the idea is that they're going to put a clock, like an analog clock in a mountain that stays accurate for 10,000 years. It's really to get people to think really long-term.
What do you mean? Just like, who's really, it's hard for people to think more, even like one election out of consequences, right? Like four years, ten years, maybe you think as far as your kids, okay, cool, well, how about a thousand years? How about ten thousand years? Like, it just changes how you think about the future and what you do, what matters, what doesn't. It's almost like a thinking prompt for people.
Nobody does it, start doing it. This was also, I think it was formed shortly after the Y2K bug, which was hilarious because a lot of the systems at the time were kind of birthed in the 70s, and they had two digits for the year, like the last two.
So 78, 79, eventually what happens when you get to 99 and it rolls over to 00? Is that 1900? Is that 2000? I don't know. Neither did the computers, right? But people were only thinking, you know, a couple decades.
That's enough. Somebody's going to rewrite my software.
No, we're still using that software today.
So that's where the Y2K bug came from.
And it's like, cool, you need to at least think, you know, the thousand-year scale so you can have four digits of space for your years.
That was the entire Y2K bug.
But I believe that was kind of around the same time that, okay, 1,000 years, what about 10,000?
It's probably where that came from.
So hold on.
They want to make a clock.
Yeah.
That's accurate for 10,000 years and put it in a mountain?
Yes, basically.
The mountain, I think, is to keep it safe.
They have to, like, keeping time for that period of time, you can't use any other timekeeping system. Atomic clocks and stuff like that aren't accurate over that time span.
So you have to account for orbit variation, shift in the poles of the Earth, and all of these other things. They have a whole cam system that readjusts the calibration of where that clock will be in X years over that span.
It's absolutely crazy to engineer with that in mind. Nobody thinks about orbit variance over time of the earth or the poles shifting for the clocks they use.
It's just not a factor. But what if you had to? I think it's really cool.
Interesting. Yeah, my buddy got a job just doing system for them and web development.
And he's like, hey, if you want a few weeks on my couch, go for it. I'm like, you know what? I'm going to take you up on that.
I'm going to use that to just move out there. I had no plan.
I brought three suitcases. No plan.
No plan. I'm just going to do it and figure it out.
Which I guess is a very red team approach too. It's like you can't plan anything.
You're just going to move and figure out what's in your bag of tricks as you go and work around the problems. But yeah, I'm going to bring three suitcases.
I prioritized one of them. It was my gaming system.
A whole suitcase was dedicated to just a computer. I don't know what I was thinking.
But yeah, that was 30% of my luggage when I moved out. I stayed on his couch for a bit, got some random odd jobs doing, like, audio QA testing and stuff like that just to make it, and eventually got into the game industry doing sysadmin, IT, help desk stuff. It just kind of grew from there, and yeah, I stayed there for like, I don't know, 15 years in the.
But on the side, being in San Francisco gave me a lot of unique perspectives. So first of all, Stewart Brand is kind of the guy that was running the show over at Long Now.
Stewart Brand is one of the original people on the hippie bus with like Timothy Leary and all this other stuff, right? Going around the country doing the acid tests and stuff like that. But lots of just divergent thinking coming from that.
And that was interesting just to kind of see, like I didn't get that in Wisconsin. This is also kind of where like, you know, the PC revolution came from that type of people, right? Or just divergent thinking, what can we do?
What mischief can be made? All this stuff. The maker space, Maker Faire, was out there as well. So this is just, this is more like hands-on hardware hacking, not like security hacking, just like hobbyist hacking, like 3D printers.
Let's just build some stuff. The kind of stuff you find at Burning Man, right? Like the art, where you start mixing all these things together.
That opened my eyes to just different focuses and aesthetics. There's a really good point to kind of deviate here.
Something called BEAM bots. Actually, I'm going to pull up this laptop here to show you a picture because it makes way more sense when you see it.
BEAM bots. Yes, you're like, what? So BEAM bots, B-E-A-M, biology, electronics, aesthetics, mechanics.
It's just kind of a design philosophy around building little robots. So I just kind of had to show it because you're probably picking up a bit of an insect vibe from this, I would assume, right? So it does a couple of things. First of all, there's no PCB on here. It's just freeform soldering. And all of these components,
there's nothing extra for the aesthetics. It's all functional.
So on the back, you've got a solar panel soaking up energy. It's like thorax here.
That's holding the charge from it. And then these, this is really cool.
These are LEDs. But LEDs, when you shine light on them, they actually emit a little bit of energy on the lines, like a reverse solar panel, right? They're an inefficient solar panel.
But you can literally use them as eyes for this. So depending on what direction it's facing, one eye is going to see more light than the other.
That's where the light source is coming from. And there's a really tiny brain in the middle.
It's literally four logic gates, which is tiny. Your phone has millions of logic gates in it.
A calculator. My cable has hundreds of thousands of logic gates.
This thing has got four. What is a logic? What do you call it? A logic gate.
Basically, all computing comes down to the concept of binary, on or off. Think of it like a light switch, right? It's on or off.
You can do math with that. Let's go through it real quick, actually.
We got three light switches, right? Yeah. Got to think which direction we're going here.
So we got one on, two off. That can give us a one.
Turn them all off, that's a zero, right? Easy. Now we put two in the picture.
You turn two on, you basically double the last one. So if two are on, that's going to be three.
Basically, the first switch is the value of one or zero. The next one is two or zero.
And then the next one will be four or zero. Next one is eight or zero.
That's binary math, right? Okay. And all decision-making can kind of be based on this.
So in this sense, it's very analog, but basically this will eventually fill up and have enough energy charged that these four logic gates are suddenly making a decision. Like, this side's filled.
Which eye is sensing the most light? And at that point, it's going to fire the opposing leg with all the energy it's gotten here to steer towards that. So you have this little bug-looking thing that walks, right? And it just constantly steers towards the light source.
And to me, I thought that was really cool because A, it focuses on aesthetics, which is not super common. And B, it uses really cool hardware hacks, like I said with the lights here.
Normally it's for emitting light, but no, you can reverse that and use it in an unintended way. And you can use really minimal logic to do what you want.
And I've applied some of that to my cables as well. Not this specifically, just the mindset of you don't need 10 things in this cable.
You can strip it down to one if you're really creative. Wow.
That's how you shrink things. That's kind of where that connects.
Like, hey, let's focus on aesthetics, but also minimizing and just using things in unintended ways to get more out of it. So that was kind of a good point in which it kind of just opened my eyes to, also soldering and electronics, but also the art of it and all that.
So, yeah, BEAM bots, that was a good pausing point for my many hobbies that I would pick up over time that eventually led into what would become the OMG Cable.
Let's move into Defense Distributed.
Yeah, so I think this was about 2013. So first, Defense Distributed. It's the company behind the Liberator, which is a 3D-printed gun, and also the Ghost Gunner, which is a mill, desktop mill, that you can mill out a lower receiver. AR-15 platforms was the first commonly.
You're the one that did that?
I did not, no. So I got very interested in that. That was done by Cody Wilson. So let's crack that whole topic open a little bit more. So I think it was 2013.
There was a lot of experimentation in the 3D printing space with firearms. Cody introduced it to the world.
He basically inflicted this idea upon the public psyche in this amazing way that just caught my attention in a couple ways. First, it's this approach of like, hey, we're going to give this to the world in a way that is irrevocable.
Like, going back to that, like the police politics concept I was mentioning, it's just like, okay, what if you create something, like there's voting and opinion having, but you create something and put it in the world that nothing can change that at that point. I just thought that was just amazing from like the political standpoint, regardless of what topic or what, what opinion you may or may not have on firearms, the politics of it and the power of creation was amazing to me.
And he did it with, like, a level of art and bravado that was just perfect for the delivery of this. So what you're saying is bringing something to the world that cannot be taken back, like Bitcoin.
Yeah, another great example of no opinion on that is going to change its existence. It exists.
And if you're thinking about real politics and participating, creation is one of the most powerful things you can do. And that's what I kind of learned from watching that.
But yeah, I decided like, hey, I want to know more what they're doing. And I've helped out with security and just computer stuff in general.
Used what I had. Like, hey, can I help? To a lot of different places, whether it's like Nine Inch Nails communities, just to get more insight of how the artistic process works there.
Or in the case of Cody, just helping out with the security of that, just to kind of see how they work. A bunch of anarchists getting together, building a company, and just the whole fight that they were in.
It was very fascinating to me just to observe that, and that kind of stuck with me, both the creation, the power of creation, and the artistic approach they took to it. That was one of the things I kind of had in mind when I first created the OMG cable.
It's like, hey, at the time, I thought I was just going to open source this thing and put it out there. That ended up not making sense because it was really hard to make.
You can't just DIY it. But yeah, it was one of the motivators in my head at the time when I was first kind of putting it out into the world.
So yeah, one of the many things is just like, hey, this is a fixation. I want to know more and I'm just going to focus on it for a while.
So yeah, they're still doing their thing.
So what did you do there?
I just helped out with some security stuff.
What kind of security stuff?
Network and IT. Every company has got to have that, right? So I'm like, hey, you're probably a small shop, probably don't have the level of security understanding for your systems, but I don't know, maybe I can help. So it just helped out, and it allowed me to get more insight into how they run things and just more exposure to how the artist works.
Because that allows me to just kind of figure out... There's a lot of things I would experiment with, but I never found my medium as an artist.
I've gotten music. I'm not that great with music.
Visual arts, not that great with that. I mean, 3D printing's everywhere now.
Yeah. So you were at the forefront of this? You were on the, I mean.
So I wasn't doing anything besides like the security for them. It's just kind of, even if I didn't do any work for them, just that.
Just being a small part of it. Yeah, exactly.
But even just seeing it happen would have been enough for me to kind of kickstart some things. How did that come across your radar? I mean, it was everywhere at the time.
It was like in Wired and all these other places. 3D printed gun, firing.
Everyone can print a gun now, regardless of laws. And that was kind of the message going around in the press.
This was also kind of another pivotal time when the NSA Ant Catalog. So Snowden happened around the same time.
This is often incorrectly misattributed to him, but there were a lot of leaks that happened around that time, both with and without Snowden, that kind of opened my eyes to the level of games and just technology happening in computing.
Yeah, I mean, I already knew a decent amount of it,
but the Ant catalog, man, that had, it was just like,
you know when you're growing up and there's like the spy tools
in the back of the magazine on disappearing ink
and all those things.
This was like that on crack, dude. It was like, they had a malicious cable in there.
This, hey, when was it? It was leaked in 2013. The catalog was dated 2008, and they were announcing in 2009 they would have these Cottonmouth cables
available for purchase
to their ecosystem of whoever they sell to
in the NSA.
The price on those, I think it was a minimum
order quantity of 50
with a $20,000 per cable price tag.
It's like, wow, amazing. But it had all these electronics inside, a radio inside, and that was cool.
And actually, yeah, I'll pull this up again. Cottonmouth.
This is the page out of the catalog where it shows a really chunky cable, really thick hood, but they sandwich a whole bunch of different PCBs inside of this thing. That stuck in my head, obviously.
So what does that do? They weren't super specific about the exact capabilities, but it had a radio. It had some ability to manipulate USB.
Based on all of my reading in here, the latest generation OMG cable is basically a dead match to its capabilities from what can be deciphered from this page. So all the way down to covert exfiltration and stuff like that.
What were they using it for? That's a good question. What does the sheet say? It's more of a capabilities thing, like getting through and breaking security effectively.
I would imagine this gets implanted into spaces that are higher security. If you can't just walk in and do stuff, if you can't do the easy things, you're going to start having to use these types of tools to get into a place, have somebody plant a cable,
and then you've got remote access.
There are a lot of other tools in this
space.
Like
implanted video
cables that you would implant on a monitor
so you could remotely
read what's being displayed on the
monitor. Lots of cool tricks
like that. Some were long range, some were-range, but all kinds of crazy spy gear that would allow impressive capabilities that very few people in the private civilian space even consider defending against.
Interesting. Yeah.
So what is the Ant Catalog? Yeah, I forget if there was ever a mention of what Ant stands for, but it was just this leaked catalog with all of the different... It was a leaked catalog.
Yeah, somebody leaked it. A lot of people say it was from Snowden, but if you actually trace it back, it wasn't.
It was never at least attributed to Snowden. Yeah, that just came out, and you get to look at the amazing spy gear that is out there.
What's some other stuff that caught your eye? Definitely those video cables. I'm trying to remember all the different things.
You can pull it up, actually. But, yeah, you want to pull it up right now? I can pull it up on the internet.
Pull it up. Sweet.
All right, cool. So, yeah, let's go through just a few of the pages of the Ant catalog.
I haven't done this in a while, so I'm a little rusty. But yeah, so let's look at just the hardware stuff.
We got, let's see, what is this? This is a short to medium range implant for RF transceiver. This is a component that adds RF to one of the other pieces they have in here, which they call a digital core, to provide a complete implant.
So it's kind of like a customizable build-your-own, what kind of implant do you need? They put this into various pieces of hardware. There's actually, I think it's over here, here's kind of another implant.
They call this the FLUXBABBITT. It's a hardware implant designed specifically for Dell PowerEdge servers, like a specific one, hooks to, it's called a JTAG debugging interface.
Basically, a lot of hardware has a debugging interface. If you get access to that electrically, you can do a whole bunch of stuff.
You can implant things at a really low level on that machine. They give you all kinds of access.
It gives you lots of data. If you've got an implant that goes into there and hooks up to it, you've got permanent access.
Similar to what I was describing with the USB cable, with that covert exfiltration mechanism. But this is baked into the machine.
So I would imagine the way this happens is during mailing interdiction. So Dell ships a server over to the customer, right? And our government knows this is happening.
They grab it in the mail, crack it open, put one of these inside, close it back up, send it off to the intended target, and now they've got long-term access inside there. Even if they wipe everything down to the hard drives, put new hard drives in, you can still get right back in.
They would have to crack everything open and look at all the hardware to find this type of stuff. Really cool.
Really cool types of implants. Wow.
And there's no way to know that. I mean, there are ways.
Yeah. You got to know what you're looking for, basically.
Do you worry about that stuff at all? I mean, it depends. Me personally, no.
I know the types of targets that this is destined for. I'm not one of those targets.
What kind of targets is that destined for? Well, I mean, the Israeli pager situation. Great example of like, do I worry about my pager exploding? I'm not Hezbollah, so no, I'm not worried.
Just for example, just to put a very pointed answer to a very current topic, for instance, right? Now, there are certainly lots of gray area. We've seen lots of gray area where it's like, wait, you're doing surveillance on U.S.
citizens? And that generally isn't happening with hardware implants and stuff like that. That's access to telcos, internet providers.
And yeah, I operate very openly, so it's not... I'm a little less concerned, but it's more of a political and philosophical, like when nobody's got privacy, it changes society in ways that aren't very good.
That's where I'm more worried. How often do you think the U.S.
was used on its own citizens? I mean, this specifically, I would suspect... These types of things.
Well, hardware implants. Let's go with hardware.
I don't know how often hardware implants would be used. That tends to be super targeted.
And super targeted also generally, I would assume, I would hope, means significant more legislative, not legislative, legal oversight, where you're getting the warrants and all these other things. Whereas these really wide net things, which hardware is much harder to make wide net.
Wide nets where you can collect all the things because you've got access to telco, phone, internet type providers, and you're just slurping everything up. Yeah, everybody would then be pulled into that.
That's the kind of stuff that Snowden showed, right? That's a different story. Everybody gets pulled into that one way or the other type problems that occur.
So do you have to worry about people breaking into your network and just causing problems in your life? That's a complicated topic. It's more privacy invasion at that point. What are we worrying about? Are we worrying about our personal safety, our personal freedoms, society as a whole and the health of it, and a free press? Yeah, it's a very large, complicated topic.
Do you think China's putting this stuff into the electronics that we're buying from them? I mean, not in the sense of consumer levels. I mean, it depends, right? Could it be access from that far away? If they wanted to, anyone wanted to do that, yes.
But the thing is, doing it to just off-the-shelf consumer stuff is a lot harder to do in terms of hardware implants.
If you wanted to do it that way, that's where we get more into the software level, like software backdoors, which we've seen in things like cryptography, right?
It's posited that a lot of cryptography
backdoors were put in
by cooperation with the NSA
for example. I'm a little
rusty on this stuff, but basically
that becomes very valuable
when you're slurping up all the
internet data, and a lot of that's
encrypted, but if you know how to quickly break the encryption, well, encryption, you can see the contents. And that's where that comes in.
And yeah, it's tricky. A lot of people say that that kind of hardware is installed into our power grid.
Depends, I would say. Well, God, I have forgotten.
I think China makes a lot of our power transceivers and stuff. You make a ton of it.
Honestly, from what I've seen and the people I talk to that work in all this stuff, I don't think physical implants are quite needed. Things are just not secure remotely, like externally.
Literally, I think it was yesterday, maybe. I don't know.
It's something that news that has come out over the last few weeks where our own government is saying everyone, I think it was actually to their own government employees to use Signal, use iMessage, use encrypted chat. Do not use text messages because China, they're just in all of the telco systems right now, which means they would be able to read the text messages, right? They didn't need hardware implants that I know of to do this.
Maybe they did that to get in, But now they're in that system, right? I mean, I've helped in environments that a foreign adversary had gotten into, and it took a bunch of time to evict them and find where they are. And that was done all remotely, right? A lot of this stuff doesn't require the James Bond-type hardware to get in.
Interesting. Yeah, that's a tricky topic.
Interesting. Do you worry about it? I mean, there's so many things to worry about, though.
Yes, kind of. Once you've seen enough horror shows, though, you're like, wow, everything's just broken.
Society as a whole,
it's amazing that it operates.
Just levels of trust.
One person
is all it takes.
Enough well-placed damage.
Whether it's security
or just electrical power grids,
all these things,
all of it can just tip over, right? With just enough of a push. And like everything's that way.
It's not just security. Yeah, so I don't know.
I kind of just lump it all together of like, this is a really good experiment for humanity. I mean, humans have been, what, on this planet for, some say 300,000 years, right?
Like, we're living in the best time.
I don't think there's a single person alive today who would be like, yeah, bring me back at random
more than 100 years ago.
Sign me up.
Like, that's not a good, the odds are not good, right?
Like, we're the most comfortable we've been,
most well-off, on average,
across the earth in this last hundred years.
It's a good experiment,
and things are volatile.
That's the consequence of freedom, too.
The people have to maintain it.
What text messaging app do you use? I like Signal. Signal's great.
There's a lot of rumors that the CIA created Signal. I'm sure they did.
I think they helped fund it, actually. But they helped fund a lot of things, in many ways.
But Signal is an amazing tool if you're an agent as well. You're going to be overseas in hostile environments
and you need to communicate
how you're going to do that securely.
Are you going to use a secure tool that stands
out like a giant red flag
because nobody else is using it?
Probably not the greatest
thing. It's like, hi, I'm an agent.
I don't know what you're saying, but
there's an agent right there, right?
I mean, obviously there's answers to that and stuff, but it's valuable as like, oh, that's just the tool everybody uses. Everybody's got that.
That's valuable. Obviously, there's always trade-offs.
It can be used for bad, it can be used for good, and who's bad and who's good and whose perspectives. Yeah, that's how we communicate via signal.
Yeah, exactly. Is that how you communicate with everybody? A lot of people, yeah.
I'll meet them where they're at. My manufacturers and stuff don't use Signal.
They've got different governments over them, things like that. It's interesting.
Whatever you use, I'll meet you there. Contextually, it matters.
Okay, I'm on this platform, which can be seen by these adversaries. Cool, noted.
I'll make sure I keep that in mind. Which is kind of the whole point of the psychology.
When you know you're being watched, changes how you behave in ways that can be negative. If you're always being watched by somebody, what does that make you? How does that make you behave? Different.
There's lots of other cool things in this catalog, like record reflect. So this is for picking up, uh, audio. This is standard audio bugs, right? Like, you know, spying on what's happening in the room. Uh, what else we got? Lots of, um, cellular-based stuff. Now, this is like 10 years old at this point, so a lot of this stuff is well-known. Really tiny implants.
So this is probably a VGA cable here for an older monitor, which made more sense back in 2008. Really tiny implant into that cable tapped to one of the color signals, and it would allow somebody to kind of energize it with like a radio pointed at it, more or less, and then receive the signal bouncing back with the video signal encoded in the bounce.
Interesting. So then you'd be able to see what's on their screen.
Wow. Really cool stuff, right? What do you think was in the spy balloon that was traversing the...
I don't know. I haven't studied those well enough, but I mean, there's a lot of amateurs that just do that.
They'll just set up a balloon, and it's kind of like the ham radio space kind of in a way where they're just like, oh, we can track it, and there it goes. It goes around.
Let me rephrase that question. What could it have been? I mean, I don't know, man.
That's probably outside of my skill set and awareness and research, but I mean, it could be used like a balloon. I mean, I'd probably be using a drone more because the problem with balloons is that they're much more higher altitude, which causes problems for a lot of electronic circuitry because it gets really cold and stops functioning.
Also, you've got power that you've got to deal with. So the best you can get is batteries.
Batteries also start to fail at that level of cold. So you need special batteries, something to keep it warm, which means more energy.
So you get in from solar power, probably. This is really low power stuff, right? Like, I don't know.
Maybe just the value of how does someone respond to putting something in their awareness, which is absolutely a thing, right? How does someone respond? Which, I don't know, similar to the drones that are popping up in the news. I don't know where that's coming from.
Jersey had one recently, but there's lots of drones in the sky. I'm like, I don't know what that is, but I would love to find out.
And is it collecting data, or is it just seeing how people respond to unknown, unreported drones in the sky for tactical knowledge in the future? All right, Mike, let's get into some of the stuff that you make. I know you have exploding hard drives.
You got the OMG cable. You're making all kinds of just crazy wazoo wizardry gadgets that I am just fascinated with.
And so where did this kind of start? Did it start with the exploding USB drives? Yeah, I mean, kind of. I had always been tinkering with things like those beam bots, right? But, yeah, so I think it was on Twitter or something.
I saw just a picture of somebody with a USB drive. The shell was open, and there's just like a firecracker sitting inside of it.
No idea if it worked or not, but I'm just like, everybody has the same visceral response to seeing that. Oh shit, exploding thumb drive.
I'm like, you know what would be cool? As if it was worse. So, USB rubber ducky.
Got to explain what that is first for this to make sense. My now business partner, Hak5,
invented the USB rubber ducky, I don't know,
like 15 years ago now, something like that.
It does the same basic keystroke injection
that I had demoed with the cable, right?
Where you plug it in, it types something really fast,
whatever you want to control a computer,
whatever you want, right?
I wanted one of those that also exploded. So first thing I had to do is if you open up a rubber ducky, there's not much space in there.
It's all electronics. I'm like, okay, how can I shrink this really tiny so I have space for something that goes boom? So I spent a lot of time playing with that, right? Now, I didn't recreate a rubber ducky exactly.
Like, it's a really, really limited version, like a few hundred keystrokes, really slow, done, right? That's it. Really hard to use, but it was tiny.
And I shrunk it and shrunk it and shrunk it and shrunk it. And it's just, I don't know, I think it was like eight by 10 millimeters when I was done, like a pill, basically.
That left the rest of the thumb drive empty that I could hook up with a little mini detonator and maybe a firecracker or two, and a bunch of confetti. And I rigged this up to a keystroke injection payload that opens a browser to an animation of a jack-in-the-box.
And he's cranking it on the screen. Except it goes for an awkwardly long amount of time to build up tension.
And it's going, it's going. That's what shows up on the screen? Uh-huh.
So you're watching that. And then, pop! The drive blows up, confetti goes everywhere.
And I'm like, yeah, that was cool. I just viewed that as fun.
Another type of art or something like that. Put it out on the internet and it was like, that's crazy.
A lot of people asked me to sell that. Now, no, that's a terrible idea for so many reasons.
Liability, et cetera. When you put something into the world that can be used negatively, it's always worth gaming out.
How bad can it go and can you prevent some of it? Which I've done a lot with the cable. But in this case, it was just something I wanted to put out there.
But at that point, I had a really tiny ducky that I could, maybe I could put it in other things. And eventually, I got the idea, probably like doing my IT job, looking on Amazon for spare parts for hardware and stuff.
I noticed there were like USB cable repair ends and boots. I'm like, wait, what? Just get those? You know, at the time, I didn't know much about manufacturing.
Got some of those and realized there was enough space
in them for the cables and
this really tiny
fake ducky.
Shove it in there, and
I get the very first proof of concept of
a malicious USB cable.
Yeah, I put that out,
and I already told the story about
that one where it gets out there, and a lot of people like it, and a lot of people wanted it.
I think almost a year goes by before I'm like,
you know what, I could make that way better.
That was a toy.
This is a cool gimmick to show a very basic prank,
barely even worked for that.
What would a proper tool look like?
I was getting way more into the concept of I want to do red teaming as well, so I'm combining those things. I need Wi-Fi, I need remote control to update payloads after it's already in play because the idea is you can either deploy a cable, physically get in sight, or you could just leave it in somebody's bag, just leave it around.
And eventually, people are going to take a cable, sometimes, and they'll bring it in with them to the secure space. Like, cool, I didn't have to even go in.
Great. Which creates some interesting legal problems, which we can get into, that I've also solved.
But, yeah, that kind of is just how it kept evolving.
And then at that point, it's like, okay, this is a real tool.
At the time, I was thinking I should do this in a way
that I just make it open source and everyone could make their own.
Are we still talking about the USB?
Yeah, the USB cable.
Okay.
And that's, I thought about that, right? Like, I was prototyping this cable, this new one, like on a desktop mill for cutting PCBs, right? Like, I was pushing the limits on this machine where you can mill a PCB. So the PCB, actually, I got a little problem for this.
So a PCB, like, here's a complete product. This is a Raspberry Pi, right? When I say PCB, I'm talking about just the green part here.
Okay. That's just, it's basically a fiberglass and epoxy with a thin layer of copper on it that gets turned into traces and that connects all of these components.
The black thing there, that's a component. And all the little things you see on there, they're soldered on.
It's components with copper traces connecting them together electrically. Oh, good.
So I used a mill to kind of cut out the copper traces. And I would assemble in my garage lots of different test versions of what this cable could look like.
And I got the idea, kind of going back to the defense distributed concept, where open source is this, people can make it on the desktop mill, go that direction. What I learned over the 12 months of revising and revising is it's really hard to do this.
Like DIY was just not in the cards.
Nobody was going to be able to do this.
I'm like, okay, well, let's throw out the DIY.
I can just turn up the complexity.
There's PCBs with two layers,
like copper on each side, right?
That's the common one.
I can make those in my garage, but okay,
what if I want eight layers or something like that?
That gets really expensive.
We're talking every time I want to do
a run of an eight-layer PCB,
six-layer PCB, it's a minimum of $1,000.
Okay.
I have to send that off to a factory.
They're using lasers and all kinds
of crazy x-ray inspections and stuff to do this. So I'm like, okay, if I can use that, how far can I go? And that kind of is how I evolved into making a more and more and more complex cable that is like the latest generation OMG cable that does all of these different things.
And yeah. Very interesting.
Very interesting. So how did you go? So you went from the exploding USB to the, what do you call it? What do you call the USB? The exploding USB? The other one.
The OMG cable? Yes. But there was a USB cable
that did what the USB drive did.
I guess I just kind of call it
early prototype tests.
I was referring
into it at the time as bad
USB cable, which is not an accurate
description. It was more of a nod to
some research at the time that was
called bad USB. That's where you would
take an actual thumb drive.
There's a few old, old thumb drives
that you could take and reprogram the controller on it
and actually do keystroke injection,
among many other things.
It was also a worm that would replicate
to other thumb drives you would plug in.
Cool concept, but...
What was the first product you took to market?
OMG Cable, definitely.
The OMG Cable?
So here's the thing. I was making a lot of these things for personal use, but I would also sell them to friends and stuff.
It's kind of like the back alleys of DEF CON type situation. I wasn't advertising this, but if you know me, I know you, I'll give you some of these things.
But it became clear I had to start scaling up. The first batch of prototype OMG cables, I think it was 2019 I brought as many as I could.
They took me, it was like 8 or 16 hours per cable, and 50% of them were failures, which is terrible. When you make something, like an electronic product, usually you get like 95%, 99% yields, which means 1% to 5% are failures that you throw away.
These things were so hard to self-assemble that I was throwing away 50% of what I made. So that automatically doubles the amount of time invested to make a cable.
So I'm doing like 16-ish hours per cable to make them. Wow, 16 hours of cable? Silly.
So yeah, I was kind of hitting my limit of what I can accomplish with the time I had. And it to learn how to delegate this outsource manufacturing assembly.
I was also doing this hand-placing things. You go to an assembler.
There's a couple steps here. I'm going to run you through basically the manufacturing pipeline that I slowly learned is important here.
But first, Hak5. It's really important to mention Hak5 here.
So USB rubber ducky, I already mentioned.
That's Darren.
Darren Kitchen is founder of Hak5.
That was his baby invented about 15 years ago.
He's got so many other things like the LAN Turtle, the Wi-Fi pineapple, just packets.
What is this? What are these?
They're similar to the Ant catalog.
What's the LAN Turtle?
All of these are different hardware implants or hardware tools for, they're multi-purpose but often used for offensive security.
The LAN Turtle is a network implant that can control a computer but also sniff up network data or just do malicious network stuff. What else? Wi-Fi pineapple.
This is a little box with antennas on it that allows you to do network attacks. Really cool stuff.
Network what? Network-based Wi-Fi attacks. You can break into Wi-Fi.
They call them man in the middle concept. I like to refer to it as mischief in the middle.
But basically, you've got your device here and the wireless access point here. They're talking.
But you bring in a Wi-Fi pineapple, and it can kind of intercept in between. There's so many different ways you can do this.
There's no one single way. It's lots of Wi-Fi-based tooling.
Another example, it's not so much relevant these days, but you know when you connect to your free Wi-Fi access points, coffee shops and stuff? Your phone remembers that. Typically, you've told it to remember that usually.
So next time you're in range, it's going to automatically connect, right? The Wi-Fi pineapple, for instance, can say, guess what? I'm that Wi-Fi too, right? So if I pull up one right here and put it next to you or just anywhere, your phone's going to be like, oh, I know that, I know that one. Let me connect to it.
So that type of stuff, there's just so many different attacks that I couldn't possibly run through all of them. But just as an example, there's so many different approaches to security.
We think about computers and plug in USB in, but yeah, there's other things. There's the network, there's the wireless,
there's near-field communication
with badges and things like that.
Totally different tools,
totally different specialties
and focuses.
The badge readers you don't think of
as computer security for the most part.
It's just building access, right?
But that's all one
whole thing. Interesting.
When you're doing proper, complete security awareness and testing. Well, let's take a quick break.
Yeah. When we come back, I want to get into what is the actual OMG cable.
Oh, yeah. Good point.
Perfect.
All right, Mike, we're back from the break. We're talking about the OMG cable, but, you know, we need to, I want you to discuss and talk about exactly what it is that the OMG cable does and, uh, show us an example. And for those that are listening, if you go to Mike's Everyday Carry, he does a phenomenal job at actually showing what it does real-time on computers, on phones.
It's fascinating. But go ahead and give us the, you know, show us what it is and walk us through what exactly it does.
Yeah, definitely. Let's pull one off.
It's a visual. There's a good one.
So, OMG cable, right? Looks exactly like one of the many USB cables you've got. And if it doesn't, I got a whole bunch more here to guarantee it does.
Yeah. Hold that.
Let me see that. Yeah, so it's got a whole line of them.
Yep. And I got the complete set.
Yeah, you did. Watch out.
But yeah, so each one of these fit a different phone and or USB drive? Yeah, I mean, so basically think about like... I should say.
Yeah, I mean, think about all the different... Think of it as camouflage, basically.
It's like, what's the environment? Do they use white cables? Do they use USB-A, USB-C? Is it a Mac shop? Cool, they're going to have lightning on one end, maybe, if they've got the older phones. If it's phones, cool, and USB-C.
And it's really about blending in to fit what's already in place. So you could swap it out, or you can do other things.
There's a lot of different approaches and techniques you can have when you have a device that is physically invisible and just hiding in plain sight. So that's the physical aspect of it.
And that took me a huge amount of time of shrinking down the components, which I will describe in just a second. But shrinking it down, it just took absurd amounts of time just designing the PCB that goes in here.
And then beyond that, just the entire process of integrating the PCB into a cable. That just took like a year, basically.
Well, before we get into how you manufactured it, let's talk about what it does. Yeah, exactly.
So the PCB inside of here, what it does is when you plug it into a, it's primarily targeting laptops and desktops. It's got a PCB that will wirelessly kind of light up, and it'll connect back to you.
There's so many different ways you can configure it, but this wireless connection allows remote connection into the cable, a full web UI in your web browser, right? Whether it's on your phone or laptop.
It can even connect out to the internet, and you can connect to this thing from anywhere on Earth, if you do it that way. What's it do though? You've got control of this wirelessly.
When you say it can connect to the internet, does it bypass passwords? No. You've still got to have a wireless network it can connect to or you bring one in.
If I open my phone right now and looked at all the wireless networks, I bet there's probably one in there I could connect to. If not, are you going to notice a free coffee shop Wi-Fi nearby? No.
For instance, flexibility is the name of the game with this. There's no one way to use it.
There's so many ways, because in a red team scenario, you don't know what you're up against and you're going to need some options to circumvent a problem. But yeah, still, what does it even do? You're connected to it, but it primarily emulates a keyboard.
It says, I'm a keyboard, and it types really fast. So what does that do? Literally anything I could do sitting at the computer at the keyboard.
So whether that's implanting malware or whatever it may be, right? That's kind of the basic functionality of it. But, I mean, it's not it.
USB cables can often connect a keyboard to a computer. You're sitting at a desk.
Swap out that cable, and this can now intercept the keystrokes, which is really good. Just like one classic use case is, if the machine is locked, you can type all you want, but you're at a lock screen.
You need to get past the lock screen. What do you need to get past the lock screen? You need the password, right? How do you get the password? In a lot of ways.
I mean, you could call up the person and effectively ask them for it by saying I'm IT or something like that. But if you're deployed between a keyboard, you can just pull it right off the lines.
They're going to type that password every single time they log into the computer. You remotely see that.
You rebuild a new payload that maybe when they go to lunch in the evening when you know they're not at the machine anymore, it's just going to type in that password, automatically unlock the machine, and then do all the nefarious things you want it to at that point. So you just have full access to the computer? Yeah, at that point, yeah.
You can see everything, you can access anything so long as you capture the password from the keystrokes. Yeah, not so much seen.
There's a lot of, it depends, right? Is it like a screen share, like that TeamViewer thing? Not at this stage. At this stage, we're just blindly sending keystrokes in.
So as long as you know what OS it is or something like that, that's all you need on a desktop. I know if I hit command space, it's going to open up Spotlight on a Mac, and I can open up Chrome and then go to the address bar, do some things, for example.
That's a very repeatable series of keystrokes, and you can do them really fast once you know it, just for an example. Okay, all right.
So that's the basics of the very core functionality. And then you combine that with key logging, and suddenly you're getting a bigger picture here.
But there's also other... Hold on, I want to go down.
Yeah, yeah, totally. I'm a dummy once and shit.
Yeah, let's go deep. So now, I didn't even understand that, to be honest, when we did the EDC pocket dump.
So basically, in that little window, you said there will be a window that might pop up for a second. Oh, yeah, so you see a little window blink, right? That's basically your terminal.
In that case, there's a lot of things I could do. But in that case on that, I think it was...
So you could put some type of a Trojan horse or something in there and implant it in the computer like very... Exactly.
Right. Through a series of keystrokes. Exactly.
And then if you detect the Trojan on there and you remove it and the cable's still in play, which it's designed to be, just put it right back on. No shit.
Which is absolutely a thing that has happened with a bunch of my customers. They have told me that they did an engagement with a very high-profile client.
We can go into these types of things, but that reinfection vector is exactly what they used. Do you prompt it, or does it just automatically do it when you put it in the computer? Either or.
So all about flexibility. So you can program this a couple different ways.
So what I showed was me remotely connecting to it, and I hit go. But, this can be configured that when it powers up, when it gets plugged in, it powers up.
It can immediately run a payload. It can wait a series of however long you want and then run a payload.
Is the payload the actual keystroke? Yeah, exactly.
When I say payload, it's the series of keystrokes that gets run. And the malware or the Trojan horse or whatever? You can.
There's ways of typing out.
If you've got a small executable that you want to transfer over, there's a couple of ways to do that. You just use the keystrokes to download it, right? You can download stuff from the terminal, for instance, or I could use Chrome and download it there and go to the downloads folder and open it up there.
Through keystrokes. Yep.
I can navigate everything with keystrokes. So you could...
I have no idea what the hell I'm doing with this shit, but I'm learning. We can do some fun stuff.
So you could send somebody an email with a downloadable whatever. Yep, that's one way.
And then plant that cable on them. They plug the cable in.
It does the keystrokes automatically to open Chrome, log into their email, download the thing. Yeah, that's one way.
Go to the downloads folder, download it, then you're in. And it all happens within a couple of seconds.
Yep, that's one way. I mean, I probably wouldn't email it to them because if I was going to email it, I'd probably include an email that convinces them to just run it for me.
But if I'm up against a hardened target where they're not susceptible to that, they're unlikely to do it, I'm like, okay, let's get a cable that'll do it for me. As an example.
This can also do mouse movements too if we need. Lots of control there.
And yeah, you can also... The malware, right? You can download that. You can also type it back out.
It's called base64. It looks like random garbage characters.
If you open an executable with Notepad, roughly, staying high level here, you're going to see a bunch of garbage text. You type that same text out in the Notepad and save it, it's that executable.
So I can type that back into the computer, and boom, there's the executable, which is something we've done quite a bit in environments where they're checking what is being downloaded from the internet.
I'm like, okay, you're looking at the internet, cool. I'm going to type this little piece of malware back into the computer.
Lots of cool tricks you can do like that. Wow.
It's fun. And so there's other aspects of this too.
So keystroke injection, mouse injection. I showed you the key logging.
Oh, you were asking about the ways of triggering it. So I showed you remotely, I can click go.
We can have it boot up and go. There's also what I refer to as geofencing.
Basically, it's got wireless in there, so it can just look at the nearby networks and figure out where it is and where it isn't. And you can trigger or block things on that.
And there's a self-destruct function where it'll erase everything on it. Now, it sounds super nefarious, but it's actually prompted by legal.
A lot of places have strict controls. So with the USB Rubber Ducky, does the keystroke injection.
It looks like a thumb drive by Hak5. That's my business partner.
They invented that 15 years ago-ish. What they would do is you could put like salaries.xls on it.
So it's like, oh, that must be the company's salaries and litter it in the parking lot, right? That's one way that people would be convinced to pick it up in the parking lot, bring it inside, plug it in, see what's on it, right? And boom, they've just infected themselves with malware, right? There's a downside to that, which is depending on how bad that payload is, if you're a red team, you're an employee of this company, right? You've got malware sitting on a loose object that anyone could pick up and bring it home, bring it into another business, and now you have just infected another business. That's not ideal, right? So certain environments, their legal team is like, no way.
You put geofencing on this, you have a payload where it boots up and it just says, am I in the office? Is the corporate Wi-Fi present? Cool. If not, completely wipe everything.
Are you shitting me? Wow. Wow.
So it knows where it's at. Yep.
And where it isn't. Holy shit.
So this scan right here, this was done by Lumafield. They've got a CT scanner, which is basically an x-ray scanner that takes a lot of x-rays, little slices across a product, and then assembles it into a 3D object.
So Lumafield, I actually just did some work with them to, you know, sit down and talk about their machines they use for all kinds of things, manufacturing inspection, but also starting to get into like security stuff where you can literally see inside. This is a scan of the end of one of my cables.
So right here is the connectors, USB connectors. And over here, we've got the components.
So this is the main processor. And this little thing over here is the antenna.
You can kind of see the USB wires run out the bottom there. Wow.
And the cool thing is, let's see if I can turn this. There it is.
That is the whole internal. And lots more components kind of on the back.
You can use this to step through every layer and just see literally every little detail about something. So if you got untrusted hardware, for instance, that scanner would reveal all of the internals.
In this case, it's just really cool, and it shows off. Here's what's inside my cable that's giving all the magic.
You got to get that framed. I think I'm going to.
It's a beautiful scan.
That is very cool.
Yeah.
They have done a lot of work to kind of democratize the access to CT scans. CT scanning machines are normally this industrial machine that's really hard to use and really expensive.
We're talking like a million plus dollars for machines, roughly. They do a subscription where it's like the cost of a maintenance contract.
And they did some amazing stuff to make it super usable.
Like you can see me turning this. It's super easy to use the outputs and set it up.
And they did something magic. And I don't know that they communicate this, but the sensor in an X-ray machine normally decays and you have to replace it.
They've somehow made an eternal scanner, so it reduces the cost as well. I don't know.
I'm completely obsessed with their technology right now. Sorry for the momentary splurge on that.
Oh, that is super cool. Super cool.
Good stuff. Who are your customers? Everyone got everyone, basically.
Here's the thing. Me, personally, I've got one customer, Hak5.
We can probably go into the story about how we met. But basically, when I was making these things by myself and I needed to take the jump into manufacturing, I had a lot of bad experiences, but Hak5 was amazing.
They're like, let me just show you the ropes. Manufacturing, running a business, all this stuff.
Darren has been great to me. I sell all of my stuff to him, and all of my products are available on Hak5 as a result.
They take care of who gets it. They have very tight export controls.
There's a lot of countries they just will not ship to. Can I just go on there and buy it? Yeah, you can.
You're not in a prohibited country. Wow.
So yeah, you can just go on there and buy it and hobbyists can use it. Security researchers, awareness training, so that's where you go on stage and kind of just show off concerning things so that people will change their behavior, and primarily red teams.
There's lots of red teams in the private space, Fortune 500s, military, industrial, government, all have their own equivalencies to that. And again, the red team is where you are emulating what an actual attacker does from end to end, penetrating to the company, getting into the company, and the entire chain of hopping around and getting to the crown jewels, pulling those back out, that is red teaming, and this is used a lot there.
I have a lot of customers who will also reach out just for advice on how to use the cables or maybe they've run into a situation like that legal constraint. Like, hey, this is cool, but like, oh yeah, cool.
Let me just fix that and solve that legal problem. Now, I don't know the full scope of what they're doing, but it's like, oh, here's a problem.
I can solve that for you. There's, yeah, every...
They are the people I've talked to and now I've, I know a lot more than I can talk about here, but there are plenty of people who have said, yeah, you're going to Shawn Ryan, go ahead and you can talk about it this way. A couple people.
Who are those people? Yeah, so... Is it my former employer? I mean, possibly.
I don't know that level of detail and don't really want to, but as long as they're part of the okay entities... Are there any okay entities? Yeah, I know exactly right.
That's a whole other podcast. This is going to be defined on who is or isn't going to put me in prison.
So that's my definition of good in this scenario, is keeping those people happy. But to be clear, there's another advantage here, which is some of these places are critical infrastructure that they work at or are tasked with securing or improving the security.
So we all benefit from that. I don't want a place that has some form of nuclear material in it getting compromised, because the people who want to compromise those places are probably looking to hurt me in some way, right? So let's help them.
So the other feature added to these cables recently is we call it HIDX Stealth Link. It's the branding of it to explain what it is.
Ultimately, still acting as a keyboard, but now it's got bidirectional data transfer. So like a network interface, but without ever showing as a network interface, you can send data back and forth between the computer, and it just looks like a keyboard to the target system.
This was used for quite a few people in a lot of environments, but in this case, the critical infrastructure was not looking for this type of exfiltration technique, and it worked really well. Got them in, and they achieved their objectives with this critical infrastructure, and got it fixed.
I was told that my name got put into a report that I will never have access to, but that's extremely cool. It's like, cool, I got my name into a report to fix some critical infrastructure with a technique that we developed with my team.
And honestly, I'd love to pause and even talk about that team because while I make the hardware and the manufacturing to run the business, all the tricks this does heavily about the actual firmware that runs on this and that requires multiple people to pull off. Let's talk about your team.
Yeah, so there's a couple pieces of this. But one guy's retired and just loves working on hardware.
Prior to this, he did a lot of things, but prior to this he was working on the firmware for police body cameras. Very interesting background there.
Another guy is blind, and he does the UI you see. It's kind of poetic.
The blind guy is in charge of the UI. He's got a lot of experience.
What is UI? Yeah, so the visual interface. When you open it up in the control panel and you've got all the buttons and stuff in there.
Are you... Hold on.
Pick that cable up. Yeah, yes.
When you open that thing up and look at the control panel, the buttons... Wirelessly.
So when you connect to it wirelessly and then you open your web browser and then connect to the IP address, you get a web page, right? Okay.
With all the buttons on it that give you the controls, you can view the key logs, open the hundreds of payloads you can save on here and run them, all that's purely visual. Okay.
Click on stuff. It doesn't have to be, you can automate it. But yeah.
It's primarily visual and it allows all the cool controls to happen. Got another guy in education and a lot of them are familiar with the government contracting spaces as well.
Fairly small team, but they've been along for the ride the whole time and just constantly interested in picking up challenges. And the way the keylogger works on here is like, that's not supposed to be possible.
How did you get this word out? How are you marketing this? That's a really good question, actually. I have not done any marketing yet.
This thing kind of has its own legs. I mean, I could imagine, but I mean, what was the first thing? I think I just put a video out.
A video of like, hey, I made this with my mail, check it out, here's what it can do. Excuse me.
Here's what it can do, and then it just took off. That was mostly in the InfoSec space.
It went around the hacker community and the security professionals. At some point, it just goes outside that bubble because it gets enough traction.
Vice took it, Forbes took it. There's so many different high-profile... This has been in Forbes? Oh yeah, this has been in Forbes a couple times.
Look mom, I made it to Forbes! Yeah, it's been pretty wild. I am at the point though where I am starting to think about focusing purely on this, because it's just become this awesome monster that takes a lot of my time, as well as running Red Team as well.
So that's probably something I'm going to be pivoting into very shortly, and focusing on that, helping the team, and seeing what more we can do. Probably going to relax for a bit, though.
Good for you. I'm tired.
How is business? Is it going well? It's very good. So I'm probably long overdue to jump.
What do you think you'll grow into with this? I have no idea.
So I've never had a plan ever on any of this.
It's just what's the thing and the opportunity at the moment and how can I play with that in an interesting way? There's a lot of things why you would want to plan in business, but I don't know, maybe eventually I'll have a plan. Do you have any fear about this, being on the market so available? I mean, it's been five, six years now and I'm very proud of the results of it with all the places where it's been fixed and the very low abuse scenarios.
We're very intentional when we think about okay, let's add a feature to this but let's figure out who wants this feature, who's going to make use of it. For instance, the number one that I want to avoid is stalkerware, spouseware stuff.
People look at this and they're like, oh yeah, I need that for that. I'm like, no.
I'm going to make that hard. That's not as valuable to a red team professional.
We're trying to get into corporate infrastructure. We're trying to do Ocean's Eleven shit on Fortune 10 or something like that.
This would be so easy to plant in any government facility. Yeah.
I shouldn't say any government facility, but it might be, it's been a while since I've been to a SCIF, but they seem to have a pretty good gauge on what's going on. But I'm talking like D.C., Congress, Senators, politicians.
Those types would be a fucking joke. You could hand them out.
Yeah. Here's the thing, though.
That's the other aspect. There's a lot of very detectable defaults.
You have to really know how to use the tool to work around these things. But by design, it's supposed to be detectable if you're doing good security.
It's going to light up. It announces itself as an OMG cable effectively out of the box.
Hopefully you're at least checking that. In all of your experiences, it is doing red cell operations. Yes and no.
How many people do you think are testing that? So here's the thing.
The people who are that low on the bar of security, I don't need these to get in. I just pick up a phone.
I send an email. Okay, fair enough.
That's that sweet spot where you map out all the desires, the capabilities, and the threats, and the negative consequences, and just thread the needle to get just that sweet spot. We spend a lot of time thinking about that, but right now, I just point to the last five years of the results.
I can talk all day about how much intent we put into it, but the results are far better than the intent in terms of convincing somebody.
Another thing, so I think I showed you these should actually ship deactivated for multiple reasons, which you can imagine.
There's a little, we call it the programmer, it's kind of a firmware tool. So you plug this into your computer to activate it, right?
This doubles for multiple other things. So if you do like a self-destruct on it, you recover the cable with this if you wanted to.
You have to get it back out of the field. But self-destruct, we'll just put it into a neutral cable that's just not harmful at all.
Really good if you can't pull the thing back out of the field. You want to neutralize all your stuff.
However, if you're Blue Team and you found this, you can also use one of these to dump every bit of firmware that's running on here, which will include payloads and all this stuff. So as long as it hasn't been self-destructed, you can just dump that and do a full forensics on it so they get to practice as well.
We've done a lot of things that kind off the forensic capabilities and ways of approaching. It's meant to be holistic for security, not just purely offensive use.
It's really about raising the bar, basically. Interesting.
When I look at that, I've always heard our IT guys always telling us, don't be buying shit off Amazon. If you're going to get an iPhone cable, get it from the Apple store, not from Amazon.
If you're getting Wi-Fi extenders, go from the manufacturer and not some shit on Amazon. It's trying to put the shit into our ecosystem.
I doubt it. So these are highly targeted.
So it's kind of... Things like this.
Yeah, exactly. But I think it's good to think about it.
Let's step back to a different type of crime, like pickpocketing versus Ocean's Eleven bank job. This is more on the bank job, whereas pickpocketing, that's what you're more likely to experience as just a random individual.
That's going to be more equal to phishing emails, like really low-grade commodity malware type stuff that's delivered over email. The risk of physically delivering this stuff is too high.
Or in the case of like, oh, we're going to contaminate the shelves effectively, online or not. That's so high cost and so easy to find.
That's like some, you just need one person to detect that this happened and we'd all hear the news story. Which kind of reminds me of that Bloomberg grain of rice story, which was complete bullshit. My friend Joe Fitzpatrick is a great guy to talk about this.
But basically, there was this Bloomberg news story that a little grain of rice component was found implanted in a bunch of servers, right? And it just doesn't make sense, which is why that story didn't make sense because there are so many other ways of approaching that that are way less detectable. How do you control where that goes? It's very hard to control where implanted hardware goes.
And if you don't have control, anyone's going to find it. I think the closest you can get to that might be that Israeli pager story where they had to create a fake manufacturing plant to develop these things and that is how they controlled where it went.
Hold on, I'm not familiar with this. You go into this? Yeah, totally.
This is the Israeli pager story where they blew up all the Hezbollah guys. Yes, exactly.
Thousands of pagers. I think it was a batch of 5,000 and 4,000 went out.
So yeah, a lot of booms. But basically, what they did is set up a fake manufacturing company, right? And I think they had their own manufacturing plant and everything.
They licensed a legitimate model of pager from a legitimate company, well-known. This is a typical relationship for a lot of hardware.
You just license it and you sell it. And then you're like, yeah, put my name on it.
Depends on what it is. Like, obviously Apple's going to do their own thing.
But we're talking pagers, right? This is like 30-year-old technology here. So they did that.
They even went as far as getting a bunch of random customers and gave them good pagers. But then they got their Hezbollah client.
And I'm always curious about how they did that. I have some postulations.
But they got their Hezbollah client, and they made exploding pagers for them. They put high explosives in part of the battery and a detonator in there, and basically it was configured to explode, detonate this thing after a specific message was sent to the pager.
The way pager networks work are all broadcast, so you can send one message that goes to all pagers in the network, which is probably what they did. Anyway, this was in play for, I don't know, I think it was like one or two years.
These were out there and slowly going through the IT operations of, hey guys, we've got new hardware, and slowly sending them out to the field. I think they were encrypted pagers.
It was funny, in some ways, that this pager focus was entirely because they knew their cell phones were compromised. They were moving away from one comms to another to avoid surveillance. As a result, they got explosions.
But that's the kind of level of control. If those got out to someone else, which, I mean, there's still opportunity for that.
They're not watching one pager go from hand to hand to hand. It's like, oh, we deployed it to Hezbollah, and it's reasonable to assume that this level of dissemination with this marginal error and other people touching them, and they probably did the math on that, right? I didn't.
But that's kind of a good example of how far you can go in the risks of discovery. Stuff like Stuxnet.
Stuxnet's another good example of, I think it was the Iranian enrichment facilities where, oh, I can't remember the full story here, but there was a thumb drive with a worm on it and basically it got carried into this enrichment facility and it would damage the part of the enrichment machinery, right? But didn't do it all at once. It would randomly pick one or the other because you don't want to be discovered, right? If you did it all at once, you're like, oh, something's up.
It's like, oh, one, whatever, it must be bad, right? There's like the psychology of making sure it doesn't seem like it's something to investigate. It's like, oh, bad machines, it must be bad process.
So I kept doing that. And eventually, I can't remember how it got discovered, but there was an issue where it started spreading around elsewhere, like the worm or something like that, and somebody noticed it, I think.
I can't fully remember, but there was a discovery event because it kind of got too wide. And once it's discovered, okay, now you can defend against it.
Now you can find them in the wild. The moment somebody found anything in our stuff, they're going to tell the world.
Like, hey, look at this cool thing I found. I'm a security researcher.
That said, on the flip side, there's plenty of places we don't look. Most of the stuff you find in there is just vulnerabilities.
Like, oh, I didn't think there would be a hole on whatever, some aspect of a product. Like, oh, if you just log in 10 times and do this, you get in, you bypass everything.
It's like, wait, what? You do what? That's the type of stuff that's typically, well, nobody thought to try that. So yeah, it really depends.
Physical implants are much easier to discover. I mean, they're physically there.
You can't revoke them. You can't be like, oh, self-delete.
It's there. I mean, pager situation.
It's a different type of delete. Delete in a way that doesn't leave the evidence around.
What's in your head, man? What's next for you? I don't know yet. What are you thinking about? I have been focusing more on personal stuff, just hanging out with my kids, spending more time with them while I got the time and they're growing. One's 14.
You can shut it off. No.
Learning how to do that is part of it. I haven't learned how to do that.
Yeah. When you do, let me know.
Dude, it's hard. Because you love this.
I can tell this is your passion. You're moving into this full-time.
This is going to be your full-time business. Yep.
Give me a snapshot. What are some of your ideas? Here's an example.
So I'm reusing the same implant in a couple of ways. So, I mean, this is an easy one.
So USB adapters. Basically a cable, right? Cool.
I had a thing where customers were enjoying the firmware so much for payload development. They would get the cable and cut the end off.
I'm like, dude, no, that's my baby. What are you doing? So there we go.
Keychains that don't have the cable on it. Cool.
Got that. Now here's another one.
Are you familiar with USB data blockers? No. So, it's a commonly recommended secure charging mechanism.
You're like, oh, I can't trust the airport charger or something like that. You're like, well, get a data blocker.
Can you trust an airport charger? Mostly. I'm personally more concerned about the quality of the electricity coming out there frying my phone than I am about a data situation.
Because, going back to the discoverability, you put something in a wide space like that, once it gets detected, you hear about it. We've not heard about it.
And especially in a secure space like all the airport locations, everybody's on camera, right? Good luck.
It would be really hard. There's advisories that come out and I think the FBI was doing them.
They get a lot of flak for that because there's no proof it existed, but I don't know. I don't have the intelligence they have either, so there's things you could do.
I also don't consider my creativity to be all-inclusive in all ways you can do something negative. There's plenty of people with different motives and minds than me.
We'll see. It would be a cool story.
But yeah, data blockers. That's the idea.
You now have safe charging. I'm like, cool.
I'll put one of my things in a data blocker. Cat and mouse.
I just thought it was funny. But just as an example, just kind of chase that a little bit.
Go from there. I don't know.
We'll see. Do you have any wazoo crazy inventions that you're dreaming up? I've done a lot on the manufacturing side.
So I've had to invent so many tools and mechanisms, both for creating these cables, which turns into their own products. Because I'm teaching other people how to use them, and it breaks, and I've got to do support for those products.
Their own PCBs and everything. It's a hardware product with its own firmware, just to test these cables at multiple stages.
So I'm still packing these at home with the kids, and the envelopes, I've got to label those. That gets really annoying over time.
I'm like, you know what? I'm going to create a machine to label these.
So I just keep chasing that down and seeing how much I can do. You know, there's a guy called Cliff Stoll.
He does a lot of really cool things. Science, math.
He's got a book on security, but he also makes something called Klein Bottles. Total deviation here, but you'll see why.
Klein Bottles are a Mobius strip. You take a strip of paper and you pull the ends up, rotate, tape them together.
Now you've got a 1D dimension, so if you follow it around, it depends on one-dimensional. Klein Bottle is a 3D version of that.
Anyway, I think he lives in Palo Alto, a small place. He runs distribution entirely out of his house for that.
So under his house, he has built an entire robotic warehouse system that drives the thing around, pulls the stuff out. I think that's cool as hell.
And it goes back to the old school hacker mindset of just doing that. That kind of stuff just catches me and I'll be like, okay, cool.
I want to do as much manufacturing in-home as I can. Because A, my stuff is really small.
But also, let's see how far I can take it, how much more I can optimize. This orange clip that goes on these things that I ship with, so you know which ones are bad, I've redesigned it like six times so far.
Wow. I don't know.
I just want to see how much further can I take it. Wow.
Yeah. So are you manufacturing these yourself? It's a mix.
So the process for it, I'm going to go back to this PCB as a reference here, but real quick, the process that I'm kind of taking right now is I ask one manufacturer make the raw, the PCB, the green piece here. Then that gets shipped to another place that assembles the components to the PCB.
They're basically running it through high heat that melts solder and they all get like glued to the board, right? Now you get a functional piece of...
And now, once it's glued to the board, here's one of my implants, and we can get some close-ups later.
But here is... That's one of the implants.
That's the size of it. This is what goes in the little USB thing.
Yep, inside the boot of the cable, basically. This little bitty-ass thing connects to the internet.
Yep. Wow.
Why the fuck is my modem so big enough? Yeah, I know. Serious, man? Wow.
Yeah, there's a lot of compromises to make that happen. Look at that damn thing.
If you were not size constrained on that, that would be 10 times bigger because it would be so much easier to make with 10 components instead of two or whatever. I forget how many I have in there.
I think I got like 12. But times 10, the components, is normally what you'd see.
So that creates the need to do a lot of creative engineering to compromise and get small. But at some point, I'll show you it here.
I'll just brush these. Here is that little one with the USB-C end on it, and here is the USB-C A.
So that's kind of, you know, okay, components are on there. You know, one shop did the green PCB.
One shop put all the components on there. Cool.
Well, that's what I got right now, right? It's not cable yet. It's another shop going to help integrate that into cables.
And... So this other shop's going to integrate it into cables to some extent.
There's still unfinished work to do, unfinished testing.
Then, and if it's the woven cable, there's another factory that has to do special cutting and crimping and searing of the ends so it doesn't unravel.
Anyway, so three, four factories later, it ships over to me. I'll do the finishing work on them.
Sometimes it's closing the actual cables up, but at a minimum, it's testing everything, calibrating them, putting that initial firmware on there, tons of QA and QC work, packaging, shipping it off to the Hak5 warehouse.
Wow.
So where do people find this product? Yeah, so two places, basically.
You can go to the o.mg.lol website. That's my primary website.
Or you can go to my business partner. It redirects to my business partner, effectively, which is hak5.org, and all of my products are up on their site. Wow.
That's incredible, man. That is incredible.
Fun stuff, man. I can't believe if the agency's been in touch with you to come work with your science and technology department? I'm not sure I would know.
You would know.
Yeah.
And there's been a lot of interesting challenges too.
I mean, I'm saying, that's actually not a joke.
Oh yeah, totally.
Very sharp guy.
Very inventive.
Very impressive.
I'm happy to help all kinds of people secure their environments. Yeah, I mean, they know where to find me.
I'm sure they do. Let's see.
Oh, you know what? Another thing that might be interesting here is this kind of kicked off right when the pandemic kicked off. It's like, you know, working with the factories, had to do all that remote, and that immediately ran into the chip shortage.
I saw that come in from like six months before everybody else did. So immediately had to figure out all the supply chain logistics, where to find chips when they are out of the market everywhere, hoarding them.
This is something I have put the first two or three years of profits entirely back into production. Whether it's improving the PCB, improving the capabilities, or storing extra components because we're in the middle of a chip shortage so I can still make my stuff.
That was a wild time. And it felt like there was just one thing after the other that was like, no, you can't sell these.
No, the market's down. No, you can't have access to the chips.
And just trying to find ways of working around that. Down to all these little tiny components come in a really long piece of tape coiled up on a reel.
I count those. I assemble those by myself as well.
So I got machines to count them and assemble them so I can just send it off to the assembler. There's so many different facets of running a hardware business that is like this that is really unexpected, and I'm just kind of learning on the fly.
So, yeah. Very impressive, Mike.
Thanks, man. Well, I think we're wrapping up the interview, but I just want to say, man, you are a super sharp, fascinating individual.
And what an amazing conversation. Thanks, man.
It's been fun. Thank you.
Thank you. And, you know, I'll be tracking you.
Where can people find you? Oh, yeah. I mean, I'm all over the place.
Definitely on Twitter, underscore MG underscore.
Lots of other social networks starting to form and fall apart and whatever they may be. I'll try to keep all of that on the contact page of the o.mg.lol site, though.
Perfect. Well, Mike, I wish you the best of luck.
Thank you.
I can't wait to see what you come up with next. Thanks.
All right, brother. Cheers.
Thank you.