This is Hacker Public Radio Episode 3,642 for Tuesday the 19th of July 2022.
Today's show is entitled, Interview with a Hacker Lightly.
It is hosted by Operator and is about 99 minutes long.
It carries an explicit flag.
The summary is, we go back.
Way back to Golden Days of Hacking.
I'm here with Tally and I don't remember your last name.
What are we talking about?
Tally Kay.
Let's go with that.
It's got a lot of consonants, right?
Yep.
Yeah, I usually try to avoid mentioning my last names, even when it's trying to get food picked
up or something.
Just go with the first name.
That's usually enough.
It's unique enough.
Well, let's start out with kind of how we know each other where we met and show that.
Sure.
Well, since I am the one with a better memory, I guess.
As you mentioned, you don't remember too much of the good old days.
So we met back in, I believe it was like 2012 when I was, that was my first internship
at a college with the big four company and I was a total of noob that only had basic experience
with playing with VMs and just got my CH, which back in the time of CPU is still pretty
near.
That was kind of the thing to go for, I guess, at the time, but I think the first encounter
was first real, like, person, like, physical meeting other than phone calls and meetings
and that sort of, I think was a California I believe.
That's when we had our, like, engagement across the US when we traveled and did a bunch
of the locations for the same client, but they were located, like, four different states.
Okay.
So, that's, I think that was kind of, I guess, what we first met, but then I think the first,
I guess, before meeting in person, I think the first time I, I called you was actually
on my, my first ever pen test, which was, I think, our manager called it popping the
cherry.
I know.
But that was even, I think I was still an intern, but either way, that was my first corporate
level pen test.
And I was stuck at, I got the first shell because there was the full crowds on a
mescicle server.
Totally remember that because it belonged to a security company.
And I was the one with the, all the HID badges and slaps.
Nice.
And the, the password just still did, to this day, I still remember it was, I say, as I
say, I was just like, yes, I got the first, I say, you're blank, even.
Yeah, dude, that still works.
And I got on the box, it was like a 2003 server, 2008 server or whatever, and I had
like the difficulty of moving around, even though it was on the domain because I had no
experience with corporate networks.
And somebody was like, yeah, dude, give, give Rob a call.
I'm like, all right, I got on the phone with you and you're like, yeah, dude, just look
at the tokens that the Windows tokens and like the impersonation, delegation, all that
good stuff.
And this is, you're telling this to a guy who never heard of in Cognito.
And like, didn't understand about Windows tokens and like Windows AD in general at the
time.
So that was, that was my first like jumping into AD and like figuring out, you know, back
in a day was a little easier with Metaspo using Cognito, I think.
But it was like, what are these tokens?
And, but yet, to this day, man, dude, I still, I still always look for that stuff where
service account runs somewhere, you know, with enterprise or DA privileges.
And it's a pretty good lateral movement threat to this day.
And I don't think a lot of people still rely on it because they use other tools that don't
necessarily always look at tokens, but the tokens, that was my first ever pen test.
I don't know, that's how I got DA because they ran a service account.
And so this day, that's how I remember that story very clearly, you know, that's the time
that I popped my pen test, Sherry, with the help of Rob.
Yeah, I mean, I was in the same boat, too, like, you know, I get, you know, a lot of people
can get that first initial shell, but they don't know how to, you know, root and, you
know, loot and pillage, whatever host it is to get, you know, escalated privileges and
or get credentials or whatever else is juicy on a computer and move from there, you
know, like, oh, I got access to this one machine and that's it, like, no, like, once
you have access to one machine, like, it's generally downhill from there, especially if
it's admin access or escalated, whatever, but I was the same way.
I was like, you know, I have a shell, but I don't know what else to do.
And they're like, oh, well, you can look at the P.S. tree and like inject yourself
within any process that's like escalated or admin or, like, a domain, and that's when
it's like, you know, I was finding out, you know, you could just, you know, inject yourself
into a domain admin process and then from a root computer running as a domain admin,
you can just add yourself as a domain admin, like, just, just like that.
And then very few, like, once did I run into where you had to be on the domain controller
to add a domain admin, which I thought was interesting, because it was like, you cannot
run that domain remotely and it's like what?
So I had to like find the domain controller and I think take the credentials or the hash
to the domain controller and then log in to the actual domain controller to run that
command to create, you know, a new global admin or whatever, but yeah, there's always
something fishy about, you know, however, that's, you know, network is set up or AD is set
up, though, where you had to like do something different and a lot of people just don't
understand Windows enough to be able to move around or work around whatever, you know,
security controls or AD, you know, OU policies, you know, got pushed down that are like
wonky.
Yeah, I think a lot of, sorry, if I interrupt it, but a lot of like, I think guys just
started in the field, I mean, I can use myself even as an example, I mean, I did all
the stuff that I could as basically, you know, play around with VM set up your environment
and even nowadays, I think people have that difficulty of, um, I guess like, um, picking
up skills and mostly what's what I would consider like Windows AD related, I think on
markets more like Altape and whatever other variants that they use, but it's mostly Altape
and AD, which AD incorporates all that, but I think everybody has that knowledge of like
getting that shell and then, you know, that's how CTF's work, that's how even it was C.P.
Works.
I don't know, I think it's been updated to include some of that lateral movement stuff,
but I think back in a few years ago, it was still just very focused on like, okay, get
this web shell, you know, get this system shell house, however you got that shell, that's
how that's, you know, that's the key.
And it is important, you know, that's how you get your entryways and a lot of environments
you find Jenkins, you find Tom Cat, you get the first shell uploaded, cool, you're on
the domain box somewhere, all right, but what do you do next?
And that's, I think, a lot of people always like struggle with that, and there's definitely
been recently that I've seen, like, a more, uh, more trainings in terms of AD from, like,
Pentester Academy in some other places where they literally pop, pop you in through an
environment and show you how to, you know, use Windows ACLs for permissions, do the
curb roosting, the ASP roosting, all kinds of different attacks, whether it's
old app or curb roost related or AD permissions and all that cool stuff.
So I, like, a few months ago, I took one just as a refresher just to see if there's, you
know, anything else that came up that was new and I think one of the areas that I
still find myself that I haven't used a lot in my Pentester thing days was like, ACL
permission to be used.
When you're in certain groups and stuff like that, you can do certain things, like,
you know, there's like a DNS related group that you can escalate through
and stuff like that, but I just didn't have a lot of hands-on experience, and I think
that's what I think helps people kind of solidify their skills as just doing it, you
know, just going and doing it, whether it's in your own environment, it's good, but, like,
actual production environments, not exactly a playground, but, you know, it's definitely
learning slash proving grounds for you of testing out the technologies.
Yeah, that's really the only way to really learn it, like, there's no, there's no lab
that has every possible combination.
Exactly.
This fit, misfit networks, like, they're all, they're all whack-a-do, you know, there's
always some weird control somewhere, and then something else is completely wide open,
you know, it's like, it's like a big mansion with like a million doors and windows and,
like, some of them are locked, and some of them are open, and some of them, you know,
you can open it with a paperclip, and it's like, why, why is this door over here, like,
super secure and, like, fingerprint locked to F.A. And then, like, two feet away in the same
room, there's a door that's like, you can open it with a paperclip, it's like, so, you
know, seeing those connections, like, between, between how you can work around some kind
of controls is, like, that's, that's part of how you learn and all that, but, so what
about, um, like, where'd you go to school, like, hometown, like, your family influences? So,
I'm actually, uh, I immigrated to the US in 2002 from Ukraine, um, so I was born there
in 1990, so gonna hit 30 this month. So, woo, woo, I know, right? I got 10 on you.
I got 10 on you. That's why I, I do. I'm catching up. Well, catching up, you know, well,
I'm gonna get to the same point, I'm actually, but, um, so I'm over here in 02, um, and
I've been living kind of like in the Philadelphia and a suburb area, I guess, since mostly
we've been fully until about five years ago, where I, you know, I'm not a huge on the
city of, in terms of parking and noise and all that good stuff. So, I'm more of a
bird's guy because it's quiet, it's green, it's nice, even though I'm not a nature
person, I kind of just enjoyed the peace and quiet that's outside. And I never have to
worry about parking. Um, so I went to the local middle school, Baldi Middle School,
then George Washington High School, again, if anyone listens to the ever went there, woo,
but after that, I was kind of, you know, interested in a 19 general in high school, I was like,
hey, the only thing we have that was like close to IT related stuff was kind of a
design and I would say just basic programming courses, right? So, like sweet, I took those
and I'm like, listen, I look at people and I'm like, what do I want to do for a living
thing? And I was like, I definitely don't feel like I'm an interactive, well, quote unquote
interactive with just like general population. So, I'm not, I'm not good with like math
stuff, so you're definitely not accounting or finance. Yeah, you know, I like history, but
that's not really going to make you money. So, I'm like, you know, IT seems like, you know,
I can, you know, stay behind the screen and do all my stuff and, you know, deal with switches
or whatever, deal with just hardware instead of people. I felt like that was kind of like my,
appropriate for me, you know, avoiding people for the most part. So, I was going to
looking at college, I was looking for just IT programs in general, but I wanted to go to like,
not a, I guess, a vocational school or a technical college, that was kind of like the backup.
I want to go to the regular one, just kind of have the more, get my idea, it was just to get like a
more known brand quote unquote diploma, if that makes sense. But just basically something like,
oh, you went to this school like, oh, at least third of it, yeah. So, I, in the end, I got some
acceptances, but I picked Penn State just because they gave me a pretty good, like financial
package deal and I was like, cool, you know, and it's located in, you know, the middle of Pennsylvania
so it's a pretty nice place and I decided that I wanted to kind of like get away from home and just
live like away for a few years on campus and as I accepted, I got actually accepted, I believe,
into a campsite program because I didn't do my research well enough and I didn't realize that
they had a separate program for information sizes and technology with different majors, including
one that was specifically for security. Oh, wow, before, when was this? This was 2009.
Yeah, I mean, yeah, you're starting to see stuff like that, start to pop up. Yeah. Now, did you
move, were you in Philly for your, were your parents work or why were you there? Oh, so we moved
to Philly because some of my family actually lives on the East Coast and some lives on the West
Coast. So originally when we were moving, my West Coast family filed old like the paperwork,
so it was my dad's side of the family and before that happened while that was all going on,
my sister moved here with her husband because his family lived here and when we were moving
at the time, my mom was like, hey, she, she just had a kid and, you know, she wanted to help,
so she moved to the East Coast and said to the West Coast, you know, I kind of kind of regret that
this into this day a little bit, you know, a little bit salty about it, but my family still lives on
the West Coast for the most part like Washington and California and then some of, I guess,
and more extended family lives on the East Coast, but we ended up here just because of my sister,
what I'm good. Okay, mom. So, but yeah, before I started the semester, I kind of
looked at my coursework and I was like, there's no way I'm taking these courses because there were
like physics and cowl can stuff and I was like, this is not what I sign up for, like, I honestly
wanted to have more like technical courses and less of these, you know, more conceptual stuff that
I don't think I would find useful in everyday like work life. So, I looked around and I was like,
okay, I ST like, what do they do and I had two programs, which was general IT stuff,
which had like different tracks, which is like project management, more business or development
track and then they had security and risk analysis, which was, oh wow, yeah, pretty cool program
again, not, not exactly the way I would envision it, but for the time I thought it was, you know,
it was pretty good for what was, right? And it was hard to find those types of programs back in
a day. So, hopefully that changes over time since we kind of lack people in the industry.
According to the news, you know, there's not enough people. So, I saw the opportunity, I was like,
okay, security and risk analysis. I'm like, I always, I honestly don't remember how I heard that
and testing was a job, but I was like, wait a minute, you get paid to hack into places,
legitimately, like they give you like, you know, get out of jail, free card and you get to hack,
like, have fun on their environment, basically at their own expense and you get paid.
Basically when I found those, yeah, and I was like, wow, signed me up. So, I picked the
court, the cyber security stuff because I was like, man, that does sound cool and I deal mostly
with computers. I didn't realize, you know, beforehand that I'll kind of enter through
consulting, which is more client-facing, but I feel like if you're talking about kind of like,
what you're interested in in your area of expertise is not that, you know, hard to do.
Even as you, as you progressed, like, even initially when I was like, the consultant for the first
year, I mean, I didn't find it like too stressful. I mean, initially, yes, because you're like the
young kid and everyone's like, hey, you know, do you actually know your stuff, but if it's like
something you're passionate about and like you, that's kind of like what you play around with all the
time, you know, and learn all this stuff, it's like, yeah, I can speak comfortably to it, you know,
I'm not afraid to voice my opinions or disagree on certain things. So when you came, you see,
were you still in school when you were with me or was, or how do you guys did? I interned, I was still
interned, okay. Yeah, I interned, that was when I first realized that was, yeah, that was 2012, I interned
on then 2013, I started full time. But yeah, that was the first meeting was in 2012, if I'm not mistaken.
Yeah. That's a good way to get in, you know, I had to do, you know, well, that was before I T,
or before security started getting popular. So it was like, there wasn't really a security role.
It was more like, you were IT or like a network admin, and that was, that was fantastic.
Yeah, there was no, like, interest. It was like, either help desk or your IT admin.
It was like, well, yeah, I'm IT admin, but I'm also like, know everything about, you know,
how to keep up system from taking a shit. And that's really kind of how it all turned out, right?
Like, you know, you start out in IT and, you know, as well, I tell people, when they ask questions,
they say, you know, what do you do? It's like, well, you basically it's IT been helped us, but backwards.
So instead of trying to fix stuff and trying to fix AD or trying to fix it, so you're like,
you're trying to unfix it and make it. So it's supposed to do stuff that you don't want it to do,
or let's not intended to do. So, but yeah, that's pretty, that's pretty, that's pretty good
that you're able to, you know, get that opportunity and then extend from there and just say, boom,
I'm done, like, up at a done consulting and whatever, and you can move from there, but
so like, did were your parents like supportive, or were you just kind of on your own or,
I mean, I think to this day, if anybody asks my family, what does it tell you? They're going to be like,
God, that's computer things, computer stuff, computer things, yeah, computer things,
I mean, I clarified it a little bit for them. I think at one point, my sister thought what I was
doing was illegal, because she was actually scared a little bit until I kept explaining to her, I'm like,
don't worry, they like, sign papers. This is like, you know, she doesn't understand. She's like an
artsy type person, so like, you know, actually it's a older sister. Yeah, dude, I have three older
sisters. I'm just one. So yeah, so if you're young, they forgot about you. Your parents forgot
about you anyway, so the young, the last one's always the one, they're like, oh, we find,
yeah, he's like, he played with the lightsockets. Yeah, they kind of just like,
I mean, they couldn't help much once we moved, so like when I was kid on elementary school,
yeah, they can help out with school work and stuff, but like once we moved to the U.S.
they're, you know, they're supporting financially, of course, they're trying to do the best with that
part, but I don't think they could help me with, you know, determining my college or any of that stuff.
Like, they're, you know, they were closer to a retirement age at that point, so it's like, yeah,
I'm not going to expect you to, you know, help me out with that stuff, so I kind of just took my own
thing and like, you know, it sounds like a good career opportunity, because I like this stuff,
plus it seems to be like a fairly lucrative field, so I think a lot of times nowadays, a lot of people
just choose it because it is a lucrative field and that's kind of annoying because you run into
people that are like, quote unquote, you know, it pertains to us. They pretend they're passionate,
but they're not really. It's like you can actually like kind of sense it, you know, because you talk
about stuff and you're just like, yeah, it's like, oh, okay, all right, you're not really
like, it's not that I blame them for it, you know, like everybody needs a job, so I don't blame them,
but it's hard to like have, you know, peers that you can kind of just like bounce like the
years off of and stuff, it's just kind of do, you know, the nine to five type of deals, so they're not
like the hooded people awake at three. Yeah, I mean, you know, that's like, that's guys. That's
what I was working doing management for a little while. It was, it was that same sort of thing.
I started to realize, you know, there's like 2% of the population is that one that will, you know,
lose time and stay up till 4 in the morning, like messing with something secure. Yeah,
I was just, and there's like, whatever. Yeah, there's like your, there's like your nine to five
person that like knows what they're doing, but they do it nine to five. And then there's your like
person that says that they're passionate about something and they're interested about doing
whatever it is, but they don't take it home and they don't, you know, go above and beyond, so they're
just kind of like nine to five, but they try to be like they're going to do something else. Yeah.
And then you've got your, you know, your, your nine to five people and then they, you know,
they're passionate and their hobby is some of their hobby is to do this type of stuff and learn
new things and teach people new stuff. So, like, how did you, how did you, how did you find out
about the KPMG business, and was it from, from cold field, or did you just know somebody here?
So, again, I'm not the most, I guess, social person in terms of going out to places like
bars or meet-up events of any sort, but I believe they had these like career fair type
opportunities in college, which I would always, you know, encourage anybody who is, you know,
open to that to go to those. You don't necessarily maybe find what you're looking for,
but you definitely get experience of talking to people and just kind of get people to sell it.
Yeah. Yeah. What type of opportunities are out there and then run into random people? So, I
actually just ran into one person I talked to and, you know, I was like, oh, okay,
KPMG, whatever, like, they didn't say anything about security to me. So, I was like,
cool, probably not going to be interested. And then I learned through actually my friend
who, in turn, they're earlier, they're like, oh, yeah, they do have a security team and they
could start from this guy. This one guy. Yeah, this was Robert Guy. It was like, wait a minute,
and I was like, what does he look like? And he's like, oh, I think I saw him, but I didn't talk
to him at the career fair. And they're like, oh, yeah, they're doing some event with like,
I guess it was like a, like a food place or something, like just like a get together social
thing. And I was like, yeah, you should come and talk to him. That's what I did and they're going.
And he's like, yeah, we are actually hiring. And he was surprised that the person like that
when I talked to them, they're looking for more like audit folks and like, um, I guess not just
not security, you know, related. And he's like, yeah, we totally are looking for at least like one
or two people. And I was like, oh, cool, you know, like sign me up, you know, so I believe,
I believe. Who's, what was, you know, it was, it was, it was Mark. His first name was Mark. I honestly
don't remember the last name at this point. It's been a while. Um, but he, yeah, he, he set up the interview.
And he did quiz me quite a bit on like met a split and end map. Like he asked me like, you know,
to this day, I remember like, what will be the quietest type of end maps can? And you know,
with people will be like, sin scan. But actually that's stealthy as something like what degree,
you know, it's like, do you, do I not want to be traced back to that? And I was like, you know,
that's, that's what I would consider stealth not that the amount of noise it causes like a sin scan
versus like a full scan. Yeah, I was like, you know what, do it like a zombie idols scan.
And the only reason I heard about that one is because I actually read like an end map cookbook
think. Yeah, the whole, the whole cookbook. Yeah. Yeah, like the metastroid intro book, like this was
back in the day. I mean, metastroids still still around. Honestly, like you can still get your payloads
like to connect back. It's a little bit trickier with like modern AV and EDR, but still works
because definitely proved that a few months ago with like, uh, forget what they were using.
I'm not going to mention any products here. You know, it's a kind of shame. But we totally
ran like a interpreter payload after we got the shell like the initial access. And it was
way easier to do certain things like incognito and on some of the other stuff that's like baked
in kind of like a cobalt strike. But I guess if you're looking at more open source on Metastroids,
yeah, go to still more or less outside of like an empire and some of the other C2s. Yeah,
he's actually had a post. I don't know if he's fixed it or changed it, but people kept taking,
you know, pirating a software and then selling it, you know, reselling it. Yeah,
cobalt. Yeah. So we did a whatever the mud check is just very, very much just to
write it or at least back then it was mostly him. And he wrote it like a blog post on how to
hire his own software, which was that was pretty bendable. Well, yeah, it's missing. So if you don't
have the legit license, you can't get certain features for it, which are like the important
like malleable C2 profiles and all that good stuff. I think it doesn't work if, um, I don't know.
It fits the free one. Yeah. Or even the crack one. If you crack it, it like you can't download
whatever those additional things that are highly useful for like red team operators, which is,
I guess it's what's must to use for, but I mean, it still works. I mean, crack stuff,
so it works. But yeah, I totally remember the blog that he posted. It's like, yeah, here.
And don't forget, people can back door that stuff too. So when you run your OCT2,
you know, you might be popped already. So it's always, always easier than it will be for
using cracks software. Nice. Oh, let's see. What is the mother? It's going to the last
year. Um, what is a story that you can tell of your, either like a hacking story or even just an
IT story in general. I can't start. I mean, it doesn't have to be with me. You probably have
better strategy since you started. I got a few examples. I think that the best one for people who are
not in the field is like, you know, your typical like Mr. If you've seen Mr. Roba, right? That's
probably the better example. Like the, the prison hacking scene. Yeah. You've seen that
so, but um, they did it over like Bluetooth or whatever, like he hijacked the dude's laptop.
And then he did all this fancy stuff. The closest thing of a hacking story that I can tell people
in terms of like movie level shenanigans is, um, I was on Chicago. This was probably circa 2015,
2015, 2015, 2017 somewhere there. And, uh, I had this client, the, um, their physical security,
as well, but they looked pretty like locked down that couldn't easily piggyback. And I was like,
you know, let me see what can I, what can I do from the outside? So I pulled up in the rental car
and I parked right outside the windows of like the cubicles, right? And, uh, what I had on me was
all my wireless gear, which was, you know, the alpha cars from the good old days. Yeah. Like,
well, the other cars that do the packet injection and all that stuff. So I was trying to get in on
the Wi-Fi to see if I can, in any way, try to get and do some of that stuff before I do the physical
on trying to do the internal, you know, the usual pen test shenanigans. So I was like, you know,
let's, let's, let's make it more interested. Um, so I pulled up in my car, so my Wi-Fi stuff,
but I also had, um, I don't know if you heard of Mouse Jack, the thing that hijacks here. Yeah.
The HID receiver stuff. Yeah. So I had two of those, plugged those in and just started scanning
it background. And it found a couple, uh, I believe it was like one Logitech device and one, uh,
Microsoft device that I looked up and they're like, okay, these are vulnerable. Yeah.
But I don't know what devices they're connected to, but I assume windows, you know,
like, much more pretzels. However, it doesn't matter because it works on Linux Mac or Windows.
You just have to make sure your devices are different. Yeah. Yeah. So what happened was,
I said a payload to do a reverse like empire shell to me, um, to one of our like C2 things.
And I just had it, and I was like, and what I got was actually one of the IT guys, um, computers
has desktop executed that stuff while he was like, oh, he was the way, but his screen wasn't locked.
Like he was still locked in because he was like an enclosed office, so he didn't feel the need to
lock his screen because he wasn't in a, like, a public space. So it executed and I got a shell back
and I'm like, who am I? And it's like, oh, that's like an IT guy. But I mean, yeah.
Yeah. So I'm sitting in my car, basically. And that's how I popped in was literally through
his like mouse receiver. Um, I think he had a like a logic tech mouse at the time. And I was able
to actually do some of, um, like, recon and actually do some of the escalation just sitting in my car,
but then I kind of had to go in and can introduce myself because I was like, time, you know,
for a meeting. And I was like, hey, guys, um, so I'm actually on your network already. What?
That's like, yeah, I was sitting in the car. I actually popped one of your computers and I
actually tracked them back to one of the guys. It wasn't on our contact, but it was like one of the
IT guys. And he was just like, what? He did what? There was always a fun, like, I always have fun,
like, just explaining him, like, try to put in simple terms, like, yeah, there was a flaw that
basically, like, I can emulate, like, a keyboard input, basically, and send it over. And it's just
going to try to do what the keyboard functions do on your machine without you, right? That's just
signal. And it was kind of cool to just showcase some of this stuff because it's not necessarily,
you know, like, oh, it's a high-risk finding, but, you know, for me, it was like, hey, this is just,
if I'm in the air, you know, like, I can't be a remote attacker. I have to be at least with
another vicinity of this, like, kind of like, for wireless, I have to be there. But it was totally cool.
It was just, you know, in the Mr. Robot scene where they poke into the prison, I was like,
kind of the same type of feel. He just popped up in the car, popped up the corporate stuff,
and that was able to kind of get a gain access to persistence and lateral movement just by sitting in
my car outside, which was really fun. I mean, you can do the same things through Wi-Fi, but this
was slightly different, and just kind of more interesting to kind of explain to them and
like, just, like, what? And to top that off from towards the end of the engagement, he since I actually
for the physical, I cloned their badges. So I was just standing out there, like, hanging out,
pretending to be on the phone, and I got, like, two employees, I think, that were close enough,
because I had one of those giant cleners that are, like, just put it in one of those, um,
messager things. Okay, yeah. And just kind of walk next to somebody, yeah.
Yep. Did you buy the, did you buy the, whatever it's called, ProxMox?
Three. So I don't have ProxMox, but I don't use that. The build your own.
Yeah, I used the build your own things, so that has higher range. ProxMox is useful for actually building
this, like, we're dumping the data and, like, writing it, but definitely the big thing was, like,
the range was, we gave him the most of the success. And I was explaining that, and he's like,
hey, can you actually clone a card for, um, for his dad, because his dad lives in an apartment complex,
where he charges all hundred bucks to make a copy of a freaking, like, fobky. And I was, like,
okay, yeah, I have, like, um, black art. And by the milk rate, I was like, cool, yeah, let me try.
I mean, I don't know if it's the, it's gonna work, but I gave it a shot, I gave him, like,
he just says, like, two or three copies. You know, see if it works. And, like, before I left
these, like, yeah, do it totally works. So you just saved, like, three hundred dollars for my dad.
He goes, like, sweet. So just, like, knowing little things, like, you know, they're charging you
for a freaking HID, like, cloning, like, as Keith, you can actually just make a copy for yourself,
save some money. I mean, I think the supplies for it to make a copy are not, like, uh, that
difficult. They sell, like, the little devices that are, like, I don't know, like, 50 bucks.
Not that you don't even need a ProxMark. I think nowadays, like, they sell, like,
little portable, like, read, and I'm right. So yeah, I'm sure it's all, it's all kind of
commoditized and what cheaper now. Yeah. Even the, the USB disease, you can, the, I've been buying
these little two, it's, like, two dollars of 50 cents, like, USB cookies. Um, so if you do, like,
it's like, it's on Hackaday, and you just Google, like, I don't know, USB, Duckie, DIY, or something.
So instead of paying the $30 or whatever for the Duckie, that you just buy these, like,
$3. Um, and little, um, $3 things, it will, will do basically the same thing, but it's through
our, do we know? And you have to, like, re-encode it using, like, this Duckie to,
our, do we know payload and coder thing? But, so I, I get a bunch of those. I've got a bunch of those,
and I was going to hand them out during the class, but that was before COVID hit and everything would
hit. But, yeah, that's, that's pretty fun. I've got to have a similar similar experience with
the client that, like, kind of didn't want me there yet, and they, they, they, the, my management
didn't notify the, that particular site that I was going to be there. So they, like, they're,
like, you know, you can't, you can't, you can't be here. And I was even waiting in the, like,
the waiting room, and they're, like, the hallway, and they're like, oh, you have to, like,
we eat the building. So they ejected me, like, from the building. Um, and I did the same similar stuff.
I was kind of rumbling around the Wi-Fi, and I had gotten access to an old network that didn't
have anything on it. Um, it was, like, a legacy network that was using the old, old style keys,
the, the, the, the web, the web crap. Um, and it was, there was some stuff on there, but it was,
there was nothing for, like, pivot to on that network. It was all just, like, itself. And it was, like,
some other, a few other devices that weren't, like, on the domain or anything. Um, and then, like,
two or three days later, I'm still on site trying to wait for the okay from the client to be there.
And she calls me back and she's like, yeah, I'm still just, you know, I have some concerns about
you walking around our facility, blah, blah, blah. And I was like, well, I mean, to be honest,
I mean, I do this for a living, and I'll actually physically have to be there. I can just
do it from the parking lot. If you, that's, that's kind of my job. So, like, if you want,
I can just keep doing the work from the parking lot and with what the client know and the
stakeholders know that, you know, you weren't able to, you know, let me end the building because
you weren't nervous about it or which, you know, on to her point, like, you know, some guy comes
out of let field. And she has no idea. Nobody told me he was going to be there. I'd be the same way.
I'd be, you know, whatever. She's just doing her job, right? But I'm seeing kind of thing where I was,
like, kind of rummaging around without their permission from just the parking lot and outside the,
on outside the building. Oh, let's see. Let's see. Let's see. Current projects work or personal
doesn't have to be IT related. So, you talk about playing around with crowds,
affect a little bit, and you're pretty heavily involved in a car rev like response still. So,
like, you got any other interesting projects? Yes, I do. So, I would say, I mean, for, for kind of,
my Zen period of, like, not do much, I probably just do a lot of stuff. So, the media is fair.
I mean, that's, you actually got me into it as well. And I fed you back in the second, like, 2013.
So, thank you for that, because I'm a huge fan of it. And I've built my own media library with, like,
all the security videos from all the, all the cons along with, you know, you know, update media from the internet.
Yeah. Definitely, it's grew to, like, about, I think almost a hundred different,
but it's in size at this point. So, I'm looking to upgrade it to a, uh, like, a server chassis,
because I can't accommodate anymore. Rives in the old case. Oh, wow. So, that's kind of,
I kind of like, clean it up and, uh, do some, uh, storage configuration at a type of stuff,
but it's just, it's a lot of, like, terrible, a lot of stuff. I put thinking for me, I don't know,
thinking a lot of people do other, better things, but to me, it's just something to throw
at some things and clean up some things. I don't know. It's a, like, clean,
evening, as a little, like, grass, nature, and cool thing. Me, yes, I'm, now, uh, uh, no, uh,
well, you're kind of, you're kind of chopping up holdings. So, this is like a, uh,
waxing thing. Yep, no brown. Uh, when, uh, he's hearing, you good? Testies?
Hmm, it might be me. I don't know.
Uh, I can hear you. Oh, you're, you're, you're good now, more or less. Say something.
More or less? Yep. Yep. Hello. Testies? Yeah. It might just be a connection from
Microsoft's infrastructure. Yeah, they got, like, 15 million people I know.
Oh, maybe, let me, let me, let me call back.
Diggeredation. Sure. Yeah, let me call back. Oh, oh, oh, oh. Alas, mama, link here. Sorry.
Uh, uh, uh, uh, uh.
Copy link address.
There we go.
Welcome back.
Any better?
Sounds like it.
Yeah, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no.
Yeah, I didn't see any like signal errors or anything like that.
Yeah, it's probably not a similar.
No, I'm going to go over my project stuff.
Yeah, IT or non-IT related.
Yeah, yeah.
Either way.
So it's like half an IT half another IT.
So I'm using my favorite area of it like scoping out your target and like finding out info
That's not always necessarily public, but it is there.
So having that in a background.
It's a lot of breaches that happen right now.
The data dumps on the web, they kind of end up with some place to the stand-ups, some place to sell access to the data as well.
But after I took this one class with forget the gentleman's name, but he publishes a lot of people.
Well, forget the guy's name, but he has a lot of books on Amazon.
You can probably obtain or a gold mine in terms of like trying to track people down.
And because you can search for very, very interesting things in those data dumps.
So you have the emails, user names, passwords, and a lot of other stuff at time.
The P's, data birth, and all that good stuff, right?
So what he did is he combined all these things in a pretty, you know, rudimentary way.
He ended up as text files, and then he was using rip grip, I believe, to do just grabbing for things to find things, right?
Well, that got to my, what that caught my attention a little bit, because I was like, hey, I can use elastic search and kibana.
So like an open source, SIM type of thing, basically, to import all the breaches, right?
And actually do correlations.
So if I find, let's say, a unique password, right?
I want to see if there's any emails or user names correlated to that specific password.
So like reverse searching, not just by searching the email, but by searching the hashes or the password themselves or any other input points.
And to that degree, you can also add a lot of like voting databases and other stuff, which contains people's names and numbers and addresses and stuff.
So like you can build this like giant web of just for data mining.
And I don't mean it in like any nefarious purposes necessarily only can use it for that.
For any kind of recon that we do, I can always look at, you know, has this org like duty users and this org have been in data dumps before.
Like, has there any other creds have been compromised?
Can I see what kind of creds they use?
If we want to do phishing, you know, on the specific user, if you want to target a phishing attempt, you can kind of tailor it to them based on like, okay, they use this service before, right?
They use Dropbox, okay?
We can customize it from Dropbox, you know, and stuff like that.
So you can do a lot of cool digging up and kind of connecting the dots to see if the same person, if you're tracking down a person for whatever reason, you know,
not recommending stalking anybody, but if you're tracking down someone, let's say, you know, somebody pissed you off online with a certain user name.
You're like, okay, who is this guy?
You know, want to send him a nice word of email for the sake of the example.
Um, how would you find this person, right?
So these data dumps are really good and not just by looking at the email.
Again, you can track down unique passwords that are tied to other users.
You can also track IPs tied to users depending on the data dumps and stuff like that.
So it gives you, like, those basically web of just stuff that you can correlate to individual users or individuals, right?
And that was like, yeah, you know, I want to be the freaking mini NSA here, you know?
So that's my, like, current one that's kind of progressing slowly because it takes a little bit of time to standardize the data before you kind of shove it into a elastic search.
Yeah.
But I wouldn't even consider it like more IT.
It's more just like, okay, I'm interested in all these breaches.
And I want this data to be mapped and you can use it for all kinds of purposes, whether it's security related or just for funsies, like I do.
So I how much how much data because I know there's like the collection, there's like the collection too, which is big one bites.
Yeah, there's terror bites of it.
And you can dedupe it and stuff, but like, it's, yeah, it takes space.
Yeah.
So like my plug service, like a hundred terror bites, that thing is probably going to be like at least 25, 30 or more.
Like if you actually do all of them, and I mean, like all of the public big ones, like they add up over time.
Like you'll definitely need like at least 10 to start with a good amount of them.
Like LinkedIn, drop box, you know, actually Madison, whatever it was called, like there's a lot.
And they happen every day.
So you just keep dumping them from different forums.
You can, you know, if you want to spend some, some Bitcoin, you can get them on some of the markets that are still alive that the feds haven't taken down on tour.
Yeah.
But again, most of the ones I find are still on like the forums, so you don't need to go on the dark web.
Most of the stuff is literally floating on like non-English speaking forums, hint hint, you know.
Yeah.
Or like, that helps.
Yeah.
It's like some torrent magnet link somewhere.
Yes.
Yes.
So you can find a lot of them also on like the pirate bay.
I'm pretty sure it has them indexed, for at least some of the bigger ones.
You used to be a guy that published them on Twitter, but I think you kind of stop because I think people were like,
I got out of them.
Yeah.
Yeah.
What I was doing, like, there was, like, since it was like, since it's before it was since it's IO, but it's like since it's IO now.
And for a while, when it first started out, you could, it was all free.
It was like basically, it was, what's the one that, the internet scan database that everybody uses?
Ah, you showed in.
Yeah.
It was like, and it was like, showdown, but free, and it wasn't really geared towards necessarily like,
here's all the webcams or whatever.
It wasn't more, it wasn't really the stunt and hacky stuff that showdown is.
It was more of just like, here's all the top portion or whatever.
But it was, it was free.
You signed it for account.
And then you could get the links to the, um,
a Google Drive.
And they're like, like, like I said, be like the terabyte or two or three terabytes for some of the big ones.
Um, and you could download them for free, and you could download it at ludicrous speeds,
because it's all on Google Drive stuff.
Um, so you get like multi thread download these basically build your own showdown for, for free,
and like, riddic of the speeds.
And I would do stuff like once I got it, it would be like three or four, you know, terabytes or whatever,
or gigs.
It'd be like three or four gigs of stuff.
Um, and then I would zip it up.
Basically use, um,
I would call it squash FS.
It's what I was using to try to make keep everything small.
But apparently you can like mount,
beesip or something.
You can, so there's like a beesip type of way you can mount.
Um, there's, there's other ways to mount like higher compressed, uh, higher compressed stuff.
Um, let me get some messages here.
Hold it.
Yeah, no problem.
Um,
Yeah.
So,
let's see, what else?
Where are we yet?
You were talking about, uh, kind of what stuff you've been playing around with.
Now, what do you have you been confronted by anybody, like, at work or personal that, like,
around the locality of it and say, oh, you can't do that because it's a legal type of thing.
I've had some clients say, you know, we've given them information about, like,
some of the security issues they have from like public data.
And I've heard people say that, oh, you know, you're not supposed to be looking at that stuff,
blah, blah, blah, blah, blah, blah.
I'm like, well, it's public.
It's basically public information.
If I can get it, it's public information.
So, that means everybody else knows what it is.
So, I'm just, I'm just helping you, like, you don't have to be,
I'm not malicious about it.
And if I were to be, you wouldn't know anyways.
So, who cares?
Right.
Yeah.
So, I definitely experienced that where people would always want to take,
you know, they just don't want to fix things most of the time.
That's why, like, they don't want to work basically, right?
Yeah.
You just tell them something's wrong.
It's like, oh, why did you bring this up, right?
You know, ignorance is bliss, right?
But I feel like, as an individual, right, if you were to report something,
I think companies have gone better with, especially with, like,
bug boundaries, like, uh, the crowdsource type ones, like hacker one,
or, um, let's say other one, bug crowd.
So, you can definitely go through some, like, more legitimate channels
to kind of be, like, 100% sure you'll get out of the response you're looking for
and when you're reporting things, like, hey, you have, you know,
your AWS bucket key is chilling on your GitHub account,
or you have, I don't know, exposed Tomcat with the full credential.
Something's silly, right?
But there are places that are definitely going to have that shitty response
of, like, oh, that's illegal or something.
And that's, that's shitty, but it is reality, right?
You will, hmm, excuse me, you will run into those here and there.
They're not very common, I would say, um, but they do happen.
And if they do, they'll let them, like, discourage you from trying to help
folks out, right?
It's not, like, don't report very silly things, like, hey, you have,
I don't even know what was silly thing would be.
Like, uh, some example, one of the, like, all of these, like,
there's a lot of people that actually do submit some, like,
you have, you know, a port, uh, you have port 3389 open,
which is like, RDP.
It's like, yeah, you shouldn't have that, but like,
that is not a direct, like, risk event.
If you have student credentials on it, then yeah,
it becomes an actual risk, but like,
maybe you're missing a patch, like, if you're missing a patch,
depending on what the patch is, like, if you have
pulse security, pan exposed, right?
And you have that RCE thing still on it,
where anybody can get in and just get all the credits off of it.
Yeah, if you report that, I feel like that's awesome.
But if you report, like, oh, you're missing, like,
some silly patch that's, like, low risk,
cause nothing to do with anything.
Like, oh, you should, you need to patch it.
And you tell them, someone will be like,
and that's why some things get, like, diluted and value, right?
If they get too many people telling them things
and they're like, yeah, it's another crappy report,
but in light of actually that I'm looking at it,
they might realize, like, oh, it's actually, you know,
I don't think they mean any harm, and I would say,
you know, just if you want to be safe,
just go through the legit bug crowd source stuff,
bug boundaries type things, and you can get paid.
Even if you don't, I mean, you'll help out folks
and just submit them the reports.
They at least will look through them,
and you'll have, like, a man quote on quote
in the middle where you're not going to get the,
it goes through the service, right?
It's not, like, you're not doing anything gray area.
Yeah.
There was a brief area where I had, you know,
I had, like, a tour set up where I had an email account
and, like, of an SMS phone number to do that type of stuff
and, like, responsible disclosure,
but I was doing it as anonymously as I could.
And I did, like, two or three of them,
and, like, one of them was substantial.
Like, a substantial remote internet facing thing.
But I never once got a response back from anybody.
So I don't know if, like, I was doing it wrong or whatever.
And I even asked somebody on a podcast about it and they're like,
oh, well, you know, just goes to certain and then certain will take it
and, like, in theory, make the proper connections or whatever.
But, like, I never really got any, like,
like, response back from any of those clowns.
Like, I guess, it just, because the way I do it is, like,
you know, I try to find, like, admin, whatever.
And I just, like, bomb everybody that's on there.
Or, like, send four, five emails to, like,
four, five different random people.
Because, you know, it's hard to find a contact for,
like, to disclose security stuff.
People don't even understand what IT is much less IT security.
So, I guess that was probably most of what my problem was
because I never got a response like for anybody.
Like, if I saw something in my mailbox and I was, like,
you know, Jane, the idiot, and I had no idea.
And it's like, that's something about security and whatever.
Like, I would be, I would probably reach out to somebody and escalate,
but I don't know.
At least I forward it to the right source.
But yeah, I don't necessarily see that all the time.
Yeah, kind of gave up on it.
And if it's something silly, I'll just put it on, like,
full disclosure or whatever.
And it'll be, like, something, something not, like,
bad, like, super bad.
It'll be like, you know, how to get something, how to get something.
It's either not this free or try to change something to make it better,
whatever, but I've never really done anything like malicious or whatever.
But usually the silly stuff I'll put on, like, full disclosure,
if it's something stupid, like, how to get unlimited tokens
for some time game or something.
I just don't have the time for a lot of that anymore.
But, yeah, you mentioned projects, you know,
kind of your favorite projects or, like, the black stuff.
It's most of the stuff you have on there, like movies and TV,
or, like, you said, is it what percentage of it is, like,
like, what are your other favorite projects?
Like, like, do you have any other favorites?
I guess, again, project really is usually, like,
tech related stuff.
I mean, like, the last time I've done anything,
hardware related has been a while.
But it's just, like, you have to get a feel for it, you know?
I haven't been, excuse me, working anything outside of those,
like, data dump indexing and correlation.
Yeah.
And, like, flex is kind of probably the only two things
that I would consider projects, right?
Everything else is kind of just leisure activities
that I wouldn't say, like, are hobbies, quote-unquote.
I mean, you can call them hobbies, like, you know?
Good old new games and some anime, you know?
Yeah, you did, but you did consulting for, like,
how long do you think you did consulting?
Because you were kind of doing it,
and then you got to switch, right?
Yeah, I did consulting for probably, you know,
it's, say, five years, like, solid five years?
Yeah, okay.
That's about what I ended up with, like,
and when I started out, you know,
those soft skills were the part.
And that's one of my questions is, like,
what are you not very good at?
And you mentioned just, like, people and,
and not being comfortable around, you know,
people in general and just doing all that.
And I think, you know, working for an accounting firm
and doing, like, client-facing stuff,
helped me pretty pretty well in that area,
because it's your job, your force to, like,
talk to people and, like,
you know, really get an understanding of, like,
you know, it's not about just explaining the technical details
around something and making it, you know, understandable.
It's about, like, okay, how does this,
how does this person communicate?
How do they communicate effectively?
Like, what is, you know, they, like,
phone calls or do, like, in person?
Like, whatever, and I learned a lot in those six years,
like, you know, how to get people to these,
like, understand what you're saying and, like,
care, and try to get them to care about what you're talking about.
But, um, yeah, is there anything else you could say
that you're not good at, that would, that would,
you would like to disclose?
Not good at, no, I mean, there's a lot of things
that I'm not good at.
I mean, I mean, definitely not our,
artistic or musical at all whatsoever.
I learned things here and there, but never worked out.
I mean, all my art homework.
I mean, I think it's been well enough past my school time
that I can easily say that most of that,
my sister kind of drew for me, you know?
Anything are related, I'd be like,
can you help?
Because my stuff looks like,
it's just, you know, out of the nightmares.
So, um, yeah, I'm definitely the analytical kind,
I'm preserved, you know, personalities,
so not the outgoing type.
Even though I can talk fairly easily about the topics
that I know, or to people that I know,
but like, I mean, I say hi to strangers, right?
But, um, working that consulting gig definitely helped me
like break out of that shell and kind of,
exactly.
Build, build up that, um,
what I would call like, um,
the rapport, or just the softness, yeah.
Yeah, is, yeah, people call this soft skills,
but they put it in, like, actual, like,
words I would say, I can,
I can talk to, like, the C suite board people
without a problem.
I'm not going to talk the same way, you know,
as, as plainly as I do right now,
but I wouldn't, I don't use business, like,
nonsense terms, like, you know,
everyone's favorite, you know?
What's the synergy in all that crap, you know?
Like, people use fancy words and stuff,
like, I always kept what I learned is,
like, keeping things fairly simple,
helps it kind of get across different kind of audiences, right?
So I'm, I don't, I don't try to tell them,
you know, I don't throw, like,
cobalt strike in their face, like,
oh, yeah, we use this software, right?
Like, you something simple that they can kind of understand,
like, helps you connect remote,
you know, get a remote connection
establish instead of C2, right?
So if you keep it simple and, like,
keep things, you know, comfortable,
I think it kind of helps just,
in interaction with kind of anybody.
And I'm very open to explaining exactly what I'm doing
at any point.
Like, they can, they can shoulder surf me if they really care.
You know, they're going to see a lot of just terminal commands,
but if they're curious, they can always look like,
I learned to be very open during my consulting,
to just, like, hey, guys, like,
you want to see how this is done,
like, this is a clone of a card,
and I can, like, demo that.
Yeah.
It just helps, like,
make it more just, like,
easier to deal with instead of just, you know,
being a very, you know,
rigid kind of businessy approachy person.
Yeah.
That industry in itself is kind of weird,
because, like,
like, most of the people that are in,
you know, in security,
or at least, you know,
in heavy IT or security stuff.
Like, they're generally want to be helpful.
I don't know where it comes from,
but like, most people in IT or, like,
in security kind of want to be helpful
and want people to learn stuff and whatever,
but it's like, it's, it's not about countering
to, yeah, it's counterintuitive,
because, you know,
you try to get, you try to teach people stuff
and either they don't care,
or don't understand,
or don't want to know,
or, you know, kind of they fear
what they don't understand,
quote, like, you know,
they try to control it,
and if they can't control it,
then they make it go away.
I mean, I've had my previous employer
was kind of that way,
where, you know,
you never got the warm fuzzies from them,
and they never gave you the warm fuzzies,
or they never gave them the warm fuzzies.
So, I felt like I was just, like, a threat
to them the whole time I was working there,
and, like, you know,
when you did hire specifically
do pen testing for an employer,
like, there's a certain level of trust
that has to be there,
and it's kind of one of those things
where, like,
it felt weird,
and like, I'm sitting there trying to
establish relationships with people,
and like, everybody's very shifty,
and like, oh,
what's wrong with doing over there with that?
You know, like you said,
the console window,
and like, people kind of see that stuff,
and they get instead of asking questions,
they just like, oh,
doing something bad, or malicious, or whatever,
and I'm like, no,
I mean, if I was going to do something malicious,
it'd be, you know,
from a, you know, from a,
from a yacht in Guam,
or whatever,
like, do bad things sitting at my employer,
like, idiot, like,
that's how you end up in the news,
or whatever, but,
let's see, what else we got?
Favorite website?
Do you have a favorite website?
Let me, let me think for a second,
like,
I mean,
I would honestly,
I think the site that's open,
like,
the tab that I would say that's open the most,
actually,
YouTube for me.
And it's not necessarily,
like,
learning,
or entertainment specific,
I think it's a mix of everything.
I mean,
you can say about Twitter the same,
it's like entertainment,
but also like,
good bits of,
like,
tits and, you know,
bits and pieces of stuff.
Yeah.
So,
I would say YouTube,
just because I always have music playing,
like,
24,
7,
basically,
whenever I'm doing it,
it's just hosting a concentrate.
It's been like that since,
like,
high school,
I think,
for me,
and it just keeps going.
Yeah,
I'm the same way,
like,
if I'm working,
working,
I have to have music in the background.
So,
I've been experimenting with,
um,
band camp,
a few,
yeah.
Yes.
Yes.
But then before,
so I got a bunch of stuff on my wishlist
from band camp that,
I'll go through and buy,
you know,
if I get bored of music.
So,
I,
I blow through music like crazy,
and band camps,
one of those kind of off,
off beat sites,
where you can find music that you like,
that's not like mainstream.
That's not on Spotify,
yeah.
Yeah.
That's why I'm using YouTube.
No.
Yeah.
That's like all these mixes and stuff,
and stuff.
People just dump up there, yeah.
Yeah.
Yeah.
I like that it's not as like,
rigid as Spotify,
I mean,
like,
I used Spotify before,
but I think YouTube is like,
one minute,
I'm like,
I have music playing in one tab,
but then I can open another one,
and like,
look up at the tutorial for something,
like,
an example recently,
like,
since COVID,
I live in an apartment complex,
but they usually send people out,
right,
to fix things.
Um,
but they're like,
yeah,
we only do emergency,
like maintenance now.
And my toilet thing was flushing,
like,
on its own,
every like,
I don't know,
15,
30 minutes.
It's like,
yeah.
I don't know.
Yeah.
I like,
all right,
how do I fix this?
And they're like,
could be a flap,
tried to flap,
not to flap,
like,
you're supposed to replace the,
the seal,
whatever.
Yeah.
Like,
oh,
okay,
oh,
so I just ordered the stuff,
watch the YouTube video,
and,
when it fixed my toilet,
you know,
it's like,
it's kind of like a learning platform,
but also entertainment,
and it's like,
nicely mixed.
So again,
similar to Twitter,
but I kind of like,
usually try to stay off social media for sanity.
Yeah.
So.
Oh,
let's see what else we got here.
On a scale of one to ten,
how weird are you?
That's a weird question.
Ah,
yeah,
it is a weird question,
but if I had to put myself on a number,
I would say like an eight.
I don't think people like freak out on the see me.
I am like six foot four,
but I feel like that's probably the,
the intimidating factor for people,
but I'm like,
I'm kind of like a,
anime-loving person,
so that kind of like,
oh,
what do you collect like figures and stuff,
and,
mostly,
I have like weird music tastes,
like I can listen to like,
happy hardcore and night core and like,
just like super fast,
chip monkey sound stuff,
but also like,
metal,
right next to something like,
I don't even know.
Like,
it's very all over the place.
Yeah.
I'm the same way I've got stuff all over.
So I'll send you a few,
I'll send you a few links to some different stuff that you might,
and may or may not,
may or may not,
like a,
once a gangster grass,
it's the name,
that's the name of the group.
It's like gangster music and blue grass,
mixed together,
and then,
yeah,
couple is several months ago.
I got into like,
like,
uh,
I want to say it's,
I don't know what's called,
but it's like,
the music that's in,
um,
Vikings,
I don't know what they,
I don't know what they,
I don't know what I actually called the playlist.
Um,
I don't know,
genre is very well.
Let's see,
playlist.
Folk metal is what kind of what it's called.
So it's like,
heavy metal,
but it's like folk music,
and they might have like weird instruments,
or like,
like an allie and throat singing,
or something in there,
but not to,
I don't have this any,
some of that.
Futur wave,
dart wave,
outrun,
stuff.
yeah, yeah.
Swing,
type of stuff.
Like,
my wife can handle any of it,
she's fine with listening to like,
Lincoln Park from 2009,
or whatever,
hundred years ago,
and I have,
oh my god,
I can't listen to this song anyway,
Yeah, let's see no red box because my wife would probably kill me if she had to listen to my music
I'd be like DJ Cerro right next to some visual K from like Japanese metal and be like what
It's like I don't know the brain's happy, so here I am
Thanks you to tell me something that that's true that almost nobody agrees with you on
Something that's true that nobody's agrees with me on
Hmm
Hmm
I would say let's see what I would say I would say I think like people will spend
What would people agree with me on?
Feel like people spend like too much time like listening to the news and using social media like just cut it off
And I feel like you'd be a happier person like I've uh, I kind of I mean I have Facebook right and
I used to have Twitter. I just kind of disabled it Facebook. I didn't like rarely check just in case somebody messages me, but like
Like you can read news, but like tailored news like I read like techie news and like
Featuristic development news, you know, like good stuff like I like tech so that kind of news
But like general like just if you avoid everything like the world becomes like a better place
Like you don't even know 2020's gone and like 2020's going on, you know like it's just like
Helps you just like relax and think about your own things. Yeah focus on people. It's really important because there's
Yeah, there's a lot of people I think that like they either have the need to check or the need to respond to people on comments
Everyone's just like guys like
Forget this ever existed like I kind of missed the early 2000s and like the 90s
Like I was like happier as a kid just not having some of this stuff. I don't know
Yeah, it's the like what's the term I've heard doomsgrowing where like it's the COVID thing where you're just looking for stuff and you can't get enough input of
All that all that mess. We don't have cable. We will watch Kathy will watch
Over the air stuff every once in a while
And that's where I get my news is from Kathy or
Maybe if it bubbles up to you know something
I mean, I was actually on site at one point in time. This was when I was doing consulting years ago
And there were some hurricane coming through somewhere in like they were talking about the name of it
And I was like what whatever the name of that hurricane was and I don't even know what they were talking about because I don't watch the news
Just because it's so toxic and just just awful
Just positive news is rare. Yeah, that's that's the thing is it's like they all
Operate on fear and all that silly stuff and it's just like look I've seen a thousand times
It's the same thing over and over again
You know not only is it just depressing. It's just
boring because you the same story over and over again about
Somebody getting shot about something so yeah, so I feel like people would totally disagree with me that you should kind of you know like put your
Put your head in a whole kind of like an ostrich or whatever kind of metaphor thing
But it's like I'm not telling like people like really cut it off
But it's like helps and it's like detox basically for people over like just stuck to the computer
And I mean, I'm I'm I'm pretty stuck to like a computer based on all of all I do
But I feel like we all deserve to just like even if you sit on the computer
Helm just just watch some Netflix or whatever just go away from that stuff and it kind of helps you just kind of clear up and just think about yourself
Man thing by family just
You know just get down to earth and just stop worrying about all these internet strangers or internet friends or whatever
Yeah, I don't know the political whatever of the guy on hack a public radio, but yeah
His name's Ahuka a H-U-K-A and he'll do some interesting stuff around like COVID and it's very like
To me it feels like it's less noise and more signal so
Who you know every month or so will put up a new podcast about COVID and it there's actually useful stuff in there
It's like okay if you want to follow these websites these are like the the dirty, you know
The meat of everything that's going on instead of like people going fear and
Run around so fear munkering is real
Yeah, so he helps kind of filter out some of that stuff
And he talks about health and stuff with a health care and and how all that stuff is a mess and his
His thoughts and opinions, but I you know, it's it's uh for me it's not like a political thing
It's more like a skimmy information about
Right current events that's not like
You know Fox news for Christ's sake or something so like I'm just not just a mess. Yeah
My opinion is it like we have so much information
I feel like it's hard to pick like what to focus on or what's good, you know
It's just an overload of data like you just open up and it's just like
And less scrolling of stuff, right? So I feel like we've gotten to that point where yeah
We're just kind of almost I would say like we take whatever's at the top kind of deal
And not really dive into things like oh, is this you know who posts like what's the source of this stuff like we kind of don't really even check on you
That it's just kind of
Top post you know whatever's trending whatever's people are talking about the the popular hashtags and all that good stuff and it's just like
I don't know just be keen kind of funny looking at it like if you step away from it
It's like it's kind of sad but whatever, you know
Just do what you got to do but again, I would just recommend people and especially this year just kind of
Hang back from all that stuff like just take it easy man go do some good do some home improvement
I know COVID kind of real people to do that, you know focus on some other things just kind of
Step away
So you you were I know you're doing the consulting stuff for like five years and then you did some like
You know kind of red teamy pintest stuff and now you're kind of on the defense side and then you do the the
Pintesty stuff kind of
Forger internal employer or so like would you say you're kind of moved from
You moved from the red red team's last Pintesty side to more of like the defense side or you just kind of all over the place
So what happened was
Back in like 2018 I think I was like hey listen guys
Um, this is a benefit of working for a smaller company is you kind of can interact with pretty much everyone, right?
So I was like hey
Do do you mind if I like rotate out of consulting like I'm just kind of getting burned out by it and I want to try a little bit
Helping you out on the other side of the house, which is your sim platform which includes basically the analyst and that team
And I was like a lot of purpose to you is I can help you improve a lot of this stuff because I know you guys have been
Trying to keep up with it, but like
I feel like my experience of just breaking all the things and how to get into places is going to be very useful and
You know identifying our weak spots and kind of creating alerts around that
So
That's how I kind of I portrayed it and they were totally on board with it because they didn't have anyone
That was like kind of like dedicated to helping out with that stuff. They just had analysts and then um
the developer and the
The maintenance team I guess were also helping out with alert so it's kind of just there wasn't anybody dedicated in that role
So what I became is kind of like a little bit of everything. I
My responsibility is doing include helping out the blue team and creating some of these alerts
Um, but that was kind of said for the kind of start of the role later on the role is a little bit more mixed
So once I'm done with kind of solidifying some of the alerting and while I do that
I all most of it is based on off-sec research, right? So I still play around and do training on red team stuff
I don't do blue team training because I think they're hilarious. Backwards. No offense then. It's a little backwards. Like
Yes, you learn way better stuff on the offense because you understand exactly what's happening
All like all the AD weaknesses like okay office just 65 legacy protocols like how do they attack it okay
The user ruler. What does that look like and you you can test that out and you can test your defenses pretty easily
Right once you know how to do it. So that's my approach to it is like understanding
What do people attack how do they attack it and then focus our defenses and detection on that stuff for our clients
And that's kind of where I do the development, but I mostly do it through red teams learning and testing if that makes sense
Yeah, it's pretty it's it's it's I mean it can take some time
But it sounds like you had the right amount of support and whatever to like get there pretty quickly to build out those
Singers at least within within carbon black response that are actually you know trigger pretty cool stuff, right?
Yeah, it was a little bit of time to definitely you have to again learn different things, right?
As a as a I guess red team or pen test operator do you are
Learning all the tools and TTPs you know tools technique procedures for getting in
Getting out all night getting out, but you know for persistence if you need that, but
Mostly is just about all about getting in so when I came to the
Help out the fence I had to learn about you know, okay, let's let's do an in-depth and in-depth kind of analysis of our windows logs
Like what do we get where do we get all our logship from what kind of devices have that and what kind of logs do we collect right
Based on that what can we identify do we can we identify stuff like curb roasting or anything like that cool
Let's do all learning on that you know office 365 logs like what does they look like you'd be surprised how how much of
Documentation is lacking in 365. There's so many
Responses or status codes that are not documented that it's hilarious for successful logins
Specifically or failed logins, so there's like token block or something mismatch and like you look it up
You're like okay, this I can't even find this on Google like what is this mean you know what I mean?
So um you do run into things like that, which is pretty funny because you think office
Just 65 would be pretty well documented because it's Microsoft, but yeah, well that's how they do their AD stuff like just
What does it like that AD guy AD wizard dot com or whatever his name is and like just just like Microsoft is real big into like they don't make a thing
And then they're like here's our thing and they don't tell people
Like what the impact of it is it could be and like how useful it is there just like here's our thing
We use it if you want to use it go go go forth and use it
And they don't actually explain you know how useful something really is and be like okay
You need to take heed, you know, this is like all your AD problem solved
Use this one you know policy for whatever and it like you said it ends up being like
You know you pop a log somewhere or you see an event and you're like oh
Oh, so that's what this means the only reason you know anything about windows is by like whatever log it
Pushed out or whatever error popped in you're just like oh, okay. I know how to do
Look for X or figure out this but like you said you you can find sparse
Through lucky you can find one or two posts about whatever you're trying to figure out, but
Yeah, a lot of Microsoft stuff was just kind of hidden and like there's not any documentation out there and like the people that do it they do it and
You know, maybe there's just that gap that's too far for like understanding AD is like it's own
You know, neither one of us or AD masters and like understanding windows AD is like it's its own, you know
I don't even understand hold the whole relationship force trusting and like how all that crap works
Like I've been used the tools. I'm pretty much a skitty when it comes to anything AD based
But like just understanding how all that works is one of those things like I wish I could like I wish I was that AD wizard guy
Calm they like he knew knows everything about AD and like that would be to use that like to have his brain for
Pintesting would be like
Basically having like you know knowing everything you would need to know for windows like
Move laterally or escalate or figure out how stuff is stuff is working, but
Yep
That's cool. I was like hybrid Azure stuff nowadays as well. It's kind of like hybrid AD
Yeah, we have kind of that mix approach to I we have I think we're not a hundred percent
Hundred percent Azure so we have like a hybrid mixed environment and you know to go one way or the other
Or it's too expensive so we're kind of like doing some stuff
Kind of cracker Jackie
And just getting logs from that stuff
trying to look into the Azure
Um Azure events and and like you said just doing like basic stuff figuring out
You know what what's going on
I haven't even looked at you know we use minecast so I haven't looked at
Looked at any of that stuff their API is kind of weird and their web interface is kind of weird and like
There's so many things to look at in that in that regard, but like it's if they there's just no documentation for it or if the if they have an API
You have to build your own because their API is like total garbage, so but um that's pretty much it
Do you have any other questions or comments?
Questions or comments? I don't know I guess if folks are interested in I get a lot of questions that are like our analysts are incoming for the blue team
A lot of them are interested to eventually get on the red team right because that's like the hotness, you know
It's the one job. I mean to be honest
Um at heart and in my mind still the pen tester type right the breaky stuff type
Definitely not like defense is is rewarding when you catch stuff, but it's it's pretty annoying to be honest because you're looking like
Pernedals and hey stack all the time right there's a lot of events that happen that just trigger all kinds of noise and yeah
We do a pretty good job on eliminating that noise, but there's still like
You constantly get like all the stuff that you look through and that's like okay
To me it's it's not my thing again. Yeah, but it's it is like a starting role for a lot of folks in this industry right and like a lot of people ask me the question of how well like how do you make the transition or jump to
Somewhere in and basically consulting or internal shock. Yeah, yeah from sock to we're threat ops to red team
Slash consulting so that's meant to sound like good stuff and and I think that's the the question I guess the most so my recommendation is is again
People are like okay, what should I do is any search first people, you know the alphabet soup because alphabet soup is just your
It's like an HR filter more or less right for applying to places. They just like oh they prefer this so they want this
So I would say
Um, definitely could you give me one second need to take a real quick one second
Could you give me one moment I need to grab a package outside. They just call me to pick it up
I'll be back
All right, I am back. Sorry about that
No problem. We're pretty much kind of wrapping things up and in like yeah for moving
You know from the the the offensive side the defensive side
So the difference there is like for me. It's like
When you're doing the offense, you can kind of do your own thing. You don't have to like
Talk to another group like you're just you're usually kind of on your own right here
Yeah, and you can do whatever you want to do and you don't have to worry about people being like
Part of the you know being a stakeholder and whatever you're doing like you just kind of do whatever you do
Whereas you're on the defense side you you come up with a thing or you come up with an idea or a
Process or a tool or technology or whatever you got to sit there and like
Convince peers and management and other people that that thing is good or that you should keep working on that thing
Um, and that's kind of frustrating, you know, not not to mention you said like the needle in the head at haystack stuff
But like you know trying to get the buy-in like hey, you know
I've been using the analogy lately. It's like, you know like like everybody at the table is eating like chicken wings and pizza
And they're all stuffed and they've had plenty of to eat and whatever
And I come over with like this beautiful salad and like all these healthy foods and they're like
Yeah, I don't want to eat any of that. It's like I'm full
Like well, I know you're full, but like this is a beautiful salad
We should probably start talking about you know eating some healthy salad with our meals instead of like chicken wings every day
And like the mundane stuff that like you're eventually you know gonna get your
Self and others like popped because you're not you know focusing on like improving the program and stuff
So it's it's slow going for me like I think a lot of it is just kind of like future state stuff that I'm
I'm trying to build out
And it's frustrating to get like the buy-in from the rest of the
From the rest of the the the the group and like peers and I have to like work extra hard to like
Tell people and show people hey, this is the thing. This is the new thing I created that people should care about
Whereas like if you're doing your own thing you just get on GitHub and look at it and look at the source code
Figure it out and like run it like you don't have to like
Get anybody's buy-in to like learn a new thing or use a new tool or whatever
Whereas if you want it to be incorporated into the you know the blue team process or the sock
You have to sit there and convince people that you know what you're doing is
Is not like that complicated. I mean a lot of it is just I've noticed it's like people or
You know confused or don't really understand what I'm trying to do
So they just kind of like a that's Robert doing Robert stuff. I'm not gonna try to bother to figure out what
How he's actually doing it and how useful it could be so I'm trying to focus more on like just taking a few steps back
I mean more
Like more descriptive and slower about people opting so I got you know four five projects going on
So instead of like trying to explain all four five projects
I'm just trying to like be like okay, let me take the first thing
You know the first use case. It's blatantly obvious and try to like get that past and get people to understand that and then start working on other stuff
But I struggle because I'm like oh, I want to like like
What do you call it? I want to correlate this so I want to correlate that and then I want to launch this with that and then like if this happens
I want to do all this stuff and people are like what and start drooling and like no, I don't know like I'll boss to you. So
Yeah, I think when you're talking to like even folks in IT
I think it's like from individuals and individuals not everyone like can follow along
Especially if you're like more technical and passionate people tend to be like descriptive
Especially with technical things like they you know want to they want to explain to you
And be specific about what they're doing and they use like technical terminology and stuff like that
And that's like sometimes it's just like too fast or too, you know too low level for whoever you're talking to
But yeah, I was just talking in general for
People like interested to hop you know from one team to the other
I mean there's always downsize to each team like I know you said like blue team you kind of have to play the game of
Selling you're basically your projects to the stakeholders not literally selling but you know
Convincing folks that it's important to do certain things as a red teamer or a pen tester
Yeah, you're more of a free you know free roaming bird but people usually don't like you around having you around quote unquote
And you're a consultant not everything. I'm not gonna say everyone but a good percentage
I think there is going to be like always either part of the audit or whatever like how we need to do this
But there's definitely a lot of companies that are you know more interested in
Having you because they're pretty like excited about certain security stuff. We're just kind of cool to see those types of people
But yeah, you popped in like it like a really good time because
Because before like when we first started you know it was the stigma was like oh the scary hacker guys at the company and like
You know everybody was
Scared of you know pen testers the red teamers now. It's just like
You know it's on the news so much and people are so used to get and you know
old scans and pen tests that like every company said these tad and theory some kind of pen tests
On purpose or not like they understand that you know they understand that it's like
You know pen testing or somebody coming in and doing security stuff is something you should try to be on board with
I don't know if you've noticed the stigma kind of kind of slowly evaporating to that whole
Thing but I've noticed where people are a lot like towards the end of consulting with with KPMG it was kind of like that
You you know a large for larger percentage of the people you soak on site and they're like ooh
I've got the hacker. I'm so excited like before it was like
I don't know you get away from my computers like don't touch anything and I think now people are like okay
Why I'd rather you mess with my stuff and figure all my stuff than like China or whoever else is gonna come and run around around my network
All right, yeah, for me. I remember everybody's like oh you're part of the audit like I don't think I'm an auditor like
I am in no way sheep form or you know whatever auditor like I have nothing to do with audit
Yeah, our report is like somehow tied to it and then that's how they always connect it us, but um since I kind of moved to
Not audit-related firm, you know not accounting
Because the first two jobs that I had you know even the one after KPMG was still a consulting firm that was primarily, you know like okay
Audit. She's already in audit. It's like dude as soon as I went to
Somewhere that's just security like that's our bread and butter and not audit and any of those stuff
Clients were so much easier like nobody ever said the word audit to me, you know in terms of when I was testing like I was a testing guy
And like yeah, that's slowly faded away. I think from my experience in terms of moving from
Kind of organization where the security as a you know from a service provider organization where you're providing services to others
If the organization is not you know security focused it's your kind of the appendix and I feel like
The sort of like what they deal with is kind of like get kind of
Police not you a little bit, so but that kind of war off over time and definitely
When you're doing you know work for just security related work people are
Extremely knowledgeable about like oh okay, you're doing pentast cool like EIPs you need me to wait less than anything like people are
Very welcoming nowadays instead of like back in a day or it was kind of very tough to get anything out like and I've learned like
I do my recon beforehand like before the first meeting and I like after the first meeting I just send them like a nice little PDF
Like here you go, this is like your external stuff like just confirm it for me. I'm not going to ask you too much more
And you know the response rate for that stuff is pretty quick, but like clients will always be clients
So if you're in consultant service service providers, you know, I was gonna get the greatest response times and speeds
Or you'll get you know, you'll send them a list of like targets scope and they'll be like yeah, that's it. That's fine
Oh, whatever and then it's not I'm not actually them like it'd be like someone who's completely different
Yeah, that's the truth. So don't always double check your work
Yeah, I've had that happen several times and you know scan something or do whatever it is and and then like
I don't know if I told you the story about that like I brought like pivoted to a computer and it had like all the security stuff on it
And like it was another AD and I was like rummaging around and I was like dumping I was trying to crack the
What do they call it the windows? It's like a different kind of windows. Oh, it's like something to like
I don't know it's it was some windows has that I was trying to crack on and then I talked to the vendor or the the stakeholder guy
He's like oh, yeah, that's a security vendor and I was like oh my god, look my white face turn white and I like
Started freaking out
Yeah, basically I don't know that
Do you remember who's you don't remember who's network? It was dude. It was a nuclear facility
Yeah, that's why they were like freaking out because it was a 2003 box that you popped with MSO 8
I remember that call because I was on it and
And I think it was Alex with us in Alex was just like you're not gonna believe this
I was like what things like Robert did this what yeah, the manager thought it was hilarious in the client
Thought it's hilarious. I was like scared to death like
You know, I think it was like not intentionally you're just like accidentally popped the the sock
Yeah, like the third party provider sock of the client. Yeah, I'm like hey, well, you know
It's on the network. It's it's it's in scope, right?
Like the whole internet. Yeah, and once it's dude the whole internet is in scope once it's once you connect a computer to the internet, right?
That's how that works
Yeah, I definitely remember that story because I think our manager
Is it reassured at the times? Yeah, I think yeah, he was like he was like
Rob did what
He was the best because he just feel like one point time
We did one where we were just like sitting outside a Starbucks waiting for the engagement letter to be signed and
And like you know, basically told me where to go and like where to show up and what what what what what I was doing and what the scope was and that's all he did is like
Like well, how did you convince these people to let me go like full-blown McCurdy on them like most people?
They're like super scared
And I think he was able to just convince them. It's like yeah, we got this guy Rob and you know, we'll do some stuff and
Wouldn't actually explain like the risk of what I was doing because you know in the wrong hands, you know
I could put up pretty pretty crazy pretty quickly. So like yeah, he would always get these you know full-blown
You know unhinged
McCurdy released the crack and engagement so it's like, dude, how did you get these people to sign up for like a zero
Open scope which is what you want it and half the time, you know
That's what you want it, but yeah people restrict a lot of things and it's like dude the attacker is not gonna stop
Just because he told me to only test the slash 24 when you have these other like 10 networks available like
It's uh, yeah, and I definitely remember the full-blown McCurdy phrase because I'm pretty sure either Richard or Alex mentioned that and like they you know
He went full-blown McCurdy
So there's a go never go full retard to go full retard
Yeah, that's it that's the part I miss you know the consulting part is doing that type of stuff, but I still
Sent 10 defined stuff through like just playing them around with the Android you know Android games and just the way people are writing
Poor bull apps again, but they do it for the mobile platform
I don't know if you've looked at any of that stuff, but that's that's fun to look at
Over the weekends and in during spare time, but
Yeah, there's you know, there's always those stories of you know like
Pivoting around or something getting into something and lawyers getting involved have got had one of those once where I was
Working with you know working with a manager and you just like drop the mic on like the client in the middle of the first
You know the first thing and didn't tell them didn't give him a heads-up that I had completely owned them sideways and
You know lawyers got involved and people were like flipping out and I was told to like delete everything and like
So like well if I delete everything and somebody wants evidence. I'm pretty sure like there's the whole you know
Preservation notice type of thing so like we get sued and I was told by management and the client to like delete all my stuff
You know, that's probably not the best thing to do like
But I did it anyways just because you know the manager told me to and the client told the manager to like
I don't know if I told you the story but like they that same client was like oh yeah, we want another pin test
But don't bring Robert
That's like that's the best phrase any client has ever given me where they're like oh, yeah, we want another tint test
But don't send that rubber guy
You just know about
Yeah, that's great. Yeah, that's how you know you've you've created some notoriety
Yeah, yeah, I mean you never yeah, like some clients just a little update about certain things so they don't understand some of the technical aspects
And my my one one one more
My goodness, I'm like slurring words my at least favorite thing is definitely whenever you're on site or doing any kind of external testing
Even and is if anything goes wrong you will always be the first like victim
Oh, yeah, yeah, you will like anything happens like unrelated, you know media or hit their freaking
Headquarters did you do it, you know like that's the first question they ask you and it's just like what I had one like that was
I think there's the end of when I was like rolling out of consulting
I I was I told them like oh, yeah, I'm gonna start testing Monday, but like I don't I don't suppose of any time frame
Like I can sign a evening if I want to write 11 59 on Monday PM, right? So still counts so I'm kind of loose with my terminology and apparently during a day
That was some kind of for Connecticut work outage and they're like stop whatever you're doing like
I'm eating lunch like what are you talking about like I haven't like touched your network at all
What's whatever and like they thought it was me scanning them externally, but apparently was some
High SP issue or whatever that was like causing some kind of outage and it's just like it's always you
So just be aware like you know if you're doing this type of stuff just
Relax, you know that's it's it's it's super common and just be like
Okay, this is what I'm doing
I mean here's proof. I mean I always kept like kind of just like a loose
Log type thing with just like timing is on my IPs and max just to be like hey just in case you know anybody like did you
Do you warp spoof something like nope?
Did not do such thing
So that's even if they can understand what ARP is and how ARP isn't even worse
Gotta gotta have some leaps of faith here that people would understand stuff like that, but yeah, there's
Definitely running to people that are like you're a network admin and you don't know like this term like
Okay, that's like a basic networking term, you know, like
Yeah, I got to where I had like a little
Everywhere I've ever worked when people complain about something going down or something not working
I have like a little
Template that's like you know what's the source of what's the source IP what is the service?
What course is the service running on like when did it happen not when
Jane came in at 930 on a Wednesday and figured out that the service was down when did the service actually go down?
Oh, well it went down at you know
Six o'clock in the morning on a Saturday and nobody noticed till Wednesday
Okay, well, that's not when it went down
That's when somebody said it went down so I had like
Stupulations in there like when did it actually go down not when it was reported
But when did the service actually go down and like when then the course they never give you any of that information
They always like it's broken and it's not working and then you know
We come back a day later and they're like oh, it's it's fine. It's don't worry about it
It's it's not a problem. It's like they never tell you
The root cause of anything and they're just like well, it's working now move on like okay
So either you're stupid and it had nothing to do with me
You don't want to tell me that or you know whatever it is to win away and magically fixed itself like
Most of this stuff does you know stuff dies and restarting whatever
Nobody knows why I died or nobody cares to figure out why I died
They're just like I don't want it to die again. Yeah
So definitely meet some interesting books my one favorite statement that I've heard from a
client was
They're like we are experiencing an internal denial of service attack. I was like
Like say that again and like we think there's someone inside the network and duck thing at DOS
I'm like I mean
They're critically possible correct man. They're critically possible but like I'm pretty sure it's something stupid
And like two hours later like oh, yeah, you were right. It was our course which didn't go
And down it's like oh, yeah, okay
Because we haven't patched it for whatever vulnerability scanner you're using in like 18 years
So it like we sent it a UDP packet with like some weird length and it like falls over on its face when it gets more
than it happened. But it's just amazing that people's first idea not to check like they're not working stuff
You know don't do some trace routes stuff that could easily tell you that you know something's dropping or just
If you have some kind of monitoring thing that would tell you like this this thing is down
They assume it's the worst and the craziest thing you can think of or see you. So it's like okay
Yeah, I have learned to like
See some of that side of it because like a lot of the times stuff I learned one of one of some management is like
Just talking to people sometimes is the easier thing to do slash the better thing to do so like
You know instead of trying to solve people problems with technology sometimes
It is easier to just walk up to somebody and ask them hey do you have a problem with this or you know whatever the thing is it's like
Yeah, it's easier for us to use technology to answer questions and like solve problems but
I've learned now to like think about the person part of it because that's you know
Like I've heard quote like like there's no there's no like technical problems like all problems are
Really people problems at the end of the day. It's not really technology that's the problem. It's
The person that owns the technology or supports it or whatever has some kind of
Pre-conceived something or other that's causing the issue and it's like
Half the time it's a people problem and not like technology focus, but
Good times good times, but yeah, I appreciate you and um, you know
Three shades of time and in what night
Yeah
Anytime you want to ramble or talk about nonsense
Yeah, yeah, I'm down. If you want to come up with some like you know hacker stories would be something interesting
for us to do um, I don't remember any of mine. I have some old recordings of
One said I did but it's been so long now that I don't even remember
Any of my stories and they're all kind of outdated now, but people tend to like those so
If you want to write down like some little notes for yourself and if you're interested in doing that
We could definitely do some stories and it might bring up a story on man. Yeah, there's a why you just got to remember
Yeah, I got a I haven't archived of like the last five years that I can dip into just looking at the reports
I can tell you the like stories. Yeah, um, an example would be
During my escalation excavates some of the passwords that I've seen are definitely some of the best like
Like spelling and in lead, you know for money signs for essays and stuff like that
Balls deep and salsa was still my favorite
That was a essay password for a database and production for one of the clients
It's like who did this but whatever
But yeah, from the hacking perspective. Yeah, definitely. There's also some blue stuff too like blue team stories like
Some of the events that we like discovered were hilarious like someone's home router getting compromised and then that stuff was like pinging their
Pinging their like
Corporate network because the guy was on the VPN so like his home stuff got compromised and then that resulted in like
The corporate that we're getting hammered and we're getting the alerts and we're like no, I mean from
Yes, but yeah, definitely definitely down for that. I mean, I did like kind of sort of a
Personal
Incident response sort of thing for a friend. We could talk about and like I said like you like I just have to keep a note of kind of go through my history and like
Linked in stuff to keep a note of like what I've been working on and we can
When come up some puts with some stories or something to talk about because like you said
I'm always kind of doing something little
Something funny or something weird or quirky to play with that might not be security related
But it's usually something IT related or whatnot, but cool cool man. Well, I appreciate and
You know, I find and I'll send you the the the final thing before I posted that way if you want to listen to it and like say
You know remove this or add that or whatever
Give you to make this to say some
McCurdy edit eight out of ten weird
That's right
We'll have a good one. Talk to you later. Thanks for having me dude. No problem. Catch you later. Bye. See you
You have been listening to hacker public radio as hacker public radio does a work today
Show was contributed by a HBR this night by yourself. If you ever thought of recording podcast
Click on our contribute link to find out how easy it means
Hosting for HBR has been kindly provided by an onsthost.com
Internet archive and our sing.net
On the satellite stages they show is released on our creative comments attribution 4.0 international license