Darknet Diaries - 134: Deviant
Episode Date: June 6, 2023Deviant Ollam is a physical penetration specialist. That means he’s paid to break into buildings to see if the building is secure or not. He has done this for a long time and has a lot of t...ricks up his sleeve to get into buildings. In this episode we hear 3 stories of him breaking into buildings for a living.You can find more about Deviant on the following sites:https://twitter.com/deviantollamhttps://www.instagram.com/deviantollamhttps://youtube.com/deviantollamhttps://defcon.social/@deviantollamhttps://deviating.net/SponsorsSupport for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker’s Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.This show is sponsored by Packetlabs. They’ve created the Penetration Testing Buyer’s guide - a comprehensive resource that will help you plan, scope, and execute your Penetration Testing projects. Inside, you’ll find valuable information on frameworks, standards, methodologies, cost factors, reporting options, and what to look for in a provider. https://guide.packetlabs.net/.Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.
Transcript
Discussion (0)
Antwerp is a town in Belgium.
What comes to mind when I say Antwerp?
To me, at least, it's diamonds.
It's the hub of the world's diamond trade.
Well, I imagine if the town is bustling with diamonds,
then it's probably also attracting some criminals
wanting to steal those diamonds, right?
In 2019, a robbery occurred
that really took things to the next level.
It was actually a bank, and it was situated in the Diamond Trading District in Antwerp.
Monday morning, bank employees came to work and checked out the vault,
but something was wrong with the vault,
and they called the police, who had to force their way into the vault,
only to find that the place had been robbed.
How, though?
The bank had all the right security measures.
Cameras watching the bank doors, motion sensors in the bank, and sensors in the vault doors
themselves. And everything was secured tight. So how did they get into the vault? They went through
the like probably six to eight foot thick concrete wall. They just boreholed. You can actually see
three slightly overlapping,
kind of like MasterCard logo interlocking circles,
boreholes of about a 12-inch diameter maybe.
And they just chewed through it over time,
getting through the wall.
And they crawled all the way through,
did everything they did, and crawled all the way out, just kind of army crawled through this sandwich-shaped hole.
Wow. Drilling through a six foot concrete wall. That must have taken a very long time. In fact, the criminals spent
all weekend down there while the bank was closed so they can make a lot of noise without getting
caught. And it really goes to show that if everything is, because the vault had basically
been protected to oblivion on the door. And if anyone messed with that door, tampered with that
door, tried to torch cut, whatever that door, that was where the alarm was. That was where all the
sensors were. All the investment was in the door because they said, well, what do you do with walls?
I mean, there's only so much you can do with walls. But you can believe that at least a few bank vaults in Antwerp
started looking at their diamonds and they said,
is concrete the only thing that's protecting us?
Because we got to at least get some shake sensors in these walls
or put one or two cameras in the vault.
Because if somebody goes in the concrete
and they're in there all weekend, well, that's a problem.
It reminds me of that Bob Dylan song.
You know the one.
Lily, Rosemary, and the Jack of Hearts.
It's a nine-minute long song,
and it's an epic narrative ballad.
The story summed up is that Jack had his gang
try to drill through the wall into a neighboring bank,
while Lily and Rosemary distracted the bank owner, Big Jim.
And the whole thing takes place in this cabaret.
Lily and Rosemary got the judge and the bank owner drunk
while the boys made their way through the wall.
And they cleaned out the safe and took off with the Jack of Hearts.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Darknet Diaries. I'm Jack Recider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers websites and continuously
works to keep it off. Data brokers hate them because Delete.me makes sure your personal
profile is no longer theirs to sell. I tried it and they immediately got busy scouring the
internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on
my team when it comes to my privacy. Take control of your data and keep your private life private
by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today,
get 20% off your Delete Me plan when you go to joindeleteme.com slash dark net diaries and use promo code dark net at checkout.
The only way to get 20% off is to go to join delete me.com slash dark net diaries and enter
code dark net at checkout. That's join delete me.com slash dark net diaries. Use code dark net.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses
secure. I know a few people who work over there, and I can vouch they do very good work. If you
want to improve the security of your organization, give them a call. I'm sure they can help. But the
founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing
is pay what you can. Black Hills believes that great intro security classes do not need to
be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Okay, so who are you and what do you do?
My name is Steven Olaf, and I am a physical penetration specialist.
I have been involved in lockpicking, safe manipulation, physical entry, physical bypass,
and teaching about covert entry tactics for, well, well in excess of 10 years at this point.
We'll say it that way. Much longer.
Okay, so Deviant is a very well-known physical
penetration tester. And we're going to hear three stories about how he's broken into buildings in
this episode. And the third one is my favorite. So stick around for that. But I want to first
quickly catch up about how he even got to this point. I was a network person. I was a computer
person. I was like a lot of people in the tech world, mostly making my living on a keyboard.
And I liked locks
and lock picking and door bypassing. I knew about these tactics. It's a very common hobby, but that's
your avocation. But I had clients. There was a law office in town. The law office had a sysadmin,
small to medium business, one-stop shop, single guy in an office. He ran the show with the IT.
And he just sort of rage quit one day, just table flip, I'm out of here, and slammed his office
door. And it was a pretty crappy law firm, so I'm not surprised. But when he left, the staff kind
of looked at each other, I don't know if he's coming back. Are we supposed to do something if
that happens? Because he's got all the passwords. He's like, what are we doing here?
And of course, you do need to put a plan into place.
They just didn't have one.
So they called up Deviant to come help recover the network.
And he went down there, but the network room was locked
and nobody could find the key to get in.
So they called a locksmith to come try to get the doors open.
Now, because Deviant had a little practice picking locks by that time,
he took a look at the door.
I'm looking at just your standard office, standard, you know,
standard regular building, and I'm looking at the doors
and the little badge readers, but nothing serious.
And we get to this windowless door at the end of the hall,
you know, sysadmin, IT room, some network, whatever, name badge on the door,
but it's just a regular door, little badge reader on the wall.
And I said, this is, so it's not like a data center door. This is just a regular door. And they said, yeah,
but you know, none of our badges work on the door. And we don't like the, we don't apparently even
the head, you know, partner doesn't have a key. His key, we thought it was supposed to work. We'll
have to talk to building management about that. And I said, okay, well, can I try something for
a second? I mean, I'm looking at your doors and I pick up the equivalent of a TPS report
and just kind of rip the cover off of that.
And I said, well, here, if I kind of,
and I just shoved a, you know, I shimmed the door.
I just popped it in, slid,
the door popped open.
And I was like, well, all right, cool.
Well, cancel the locksmith, I guess,
save you a couple bucks there.
And I just breeze on into the room.
I'm sticking flash drives in
and the old Pnordal NT boot tool. I'm rebooting machines and getting, you know, restoring local
admin access. Okay. Resetting passwords. I mean, what was his name? Okay. So I see his user. I'm
just going to kill his user. There might be maybe backup accounts he made for maintenance, but I
don't see immediately a way that he's getting in. You're probably fine. I'll send you a bill.
We're pretty good, man.
And I hand, you know, here's your piece of paper.
So here's your new root passwords.
And the guy, you know, the keys to the kingdom,
he takes it, he goes, yeah, yeah, sure, root password, sure.
And just kind of puts it in his breast pocket.
What'd you do to that door?
And I was like, oh, yeah, your doors are all installed
with these electronic strikes.
They're actually, it's a super common vulnerability.
You can speak to whoever your integrator was about that.
And, you know, he's, hey, Steve, he brings this guy.
Come here.
Can you show him what you did to that door?
And I was like, yeah, do you want to show it on your office?
I'll pop your office.
So I'm just popping doors open.
And it bugged him out.
And they said, oh my God.
And that became the story of the day, the office,
not the sysadmin who quit,
but this kid who came in and opened all the law partner's doors.
This resulted in them calling him back to the office to do a full penetration test.
This law firm did not like that those office doors could be opened with just a basic folder,
but just shimming it in between the latch and the door.
And they wanted to know what else in this building was not secure.
And this got Deviant even more into bypassing doors
and picking locks and breaking into rooms.
Deviant was good friends with Dark Tangent,
who's the organizer of the hacker conferences Defcon and Black Hat.
And Dark Tangent told him,
this lockpicking thing is really catching fire.
You should do a training at Black Hat.
I want you to propose a Black Hat training about lockpicking.
And I was like, no one's going to pay money for that. He said, no,
trust me, trust me. You know, I think it'll be hot. You should do it. And yeah, so that became my career was a law firm who quit and a dear friend who said, hey, people pay money for this
knowledge. Those two forces together really kicked off the idea of doing physical security
consulting for me and
my main colleague through all this has been Babak Javadi. He and I have more than one company at
this point doing training, consulting, advising, and I get to break into safes on army bases. It's
quite a career, all from a few little things that you trip over as opportunities. The first DEFCON
I ever went to was DEFCON 17 in 2009 at the Riviera.
And that's where I went up into the lockpick village and saw Deviant demonstrate how the inner mechanics of a lock worked.
And he put a right contention bar in my hand and had me practice how to get a lock open.
I was fascinated by what he taught me that day.
And that's where I bought my first lockpick set.
And the lockpick village has grown since then.
I also remember a contest that year, which had people try to escape from jail.
The premise is that you woke up in a jail, but you had your lockpicks with you.
So you have to first undo your handcuffs and then pick open the cell door and then pick pocket the guard and then get the lock open to the jailhouse.
It was hilarious.
And there are a million ways to get a locked door open.
You don't always need to pick it. In that law firm, it seemed that the latches in the door were installed
incorrectly. And by putting a piece of plastic between the door and the frame, you could shim
it open. I've also seen whole doors installed backwards where the hinges are on the outside.
So you could come in with a hammer and nail and just pop the hinges off and take the whole door
off without having to touch the lock at all.
And so throughout the years, Deviant has been getting better and better at understanding locks and doors and physical security measures.
And I consider him one of the masters in this space.
In fact, I'm willing to bet that Deviant has actually given more talks at security conferences than anyone else. Someone did the math, and I
think they said one of the few people who's talked more than I was the late and wonderful Dan, Dan
Kaminsky. But again, I just would say yes to everything, and I would drive or fly just because
I love talking about this. So yeah, it's well in excess of 300 or 400. That was the last time we checked, and that was years ago.
300 or 400 talks about physical penetration testing.
Yowzers.
How in the world am I going to fit all that information into a one-hour episode?
Hmm.
All right, I got a plan.
I think I'm going to take a break, play Elden Ring for like 200 hours,
and then listen to like as many of his videos and then come back later.
Okay, that was fun.
And through the magic of editing, I'm back.
And there's some good stuff that he talks about there.
My favorite talk of his is this one.
So yeah, this is the elevator hacking talk.
This is the talk that we were told had to be on Sunday.
Because reasons.
Because here's the thing. This is a full one-hour talk of him and his friend Howard Payne going over so many ways that you can take over an elevator,
hack an elevator, and make it do stuff that you shouldn't be able to do. But since this was a
talk in Las Vegas where there are a lot of elevators, DEF CON was a bit worried about what
people would do
with this information. So they pushed the talk back to be on the last day and the last talk of
the last day when people were flying home. So it was kind of a hidden talk where most attendees
had already gone. But it's the most watched video of all of DEF CON's videos on YouTube.
And so it's no secret anymore.
And I think you should watch this video too on elevator hacking.
It'll make you think differently about elevators
after you see it.
Like for instance, you may have been in an elevator
where you couldn't get to certain floors
unless you scan a key card.
Deviant can bypass that.
He can get on an elevator
and then get it to go to whatever floor he wants.
He shows you that there are some common keys
that a lot of elevators use, and they aren't hard to get.
So elevators aren't as secure as you think.
You should probably consider them to be like doors,
where you really should test the security of them,
and not like an elevator,
which is just some mysterious box that goes up and down
that only the elevator technician knows how to control.
It's one of those things that I just never thought about,
that's something you need to secure
in your building or office. And that's what's fun about Deviant, is how he
has all this knowledge of bypassing physical security measures, and then he loves teaching
that to others. I just imagine you at this point having, I don't know, some sort of matrix-style
view into locks and security mechanisms
that you see like when you pop into an elevator,
you just immediately start looking at
what kind of key is in this elevator,
how can I turn it on off,
any door that you look at.
Is that true?
Are you just kind of like zoomed in on any lock you ever see?
It sounds silly, but I love that you said it, not me.
But it's true.
There's even a talk I made about this phenomenon.
I call it Eyes of a Thief.
And corporate audiences kind of like that one
because you walk them through just galleries of images and videos.
And I say, well, here's what you see.
Now here's what I see.
And I zoom in and I say, here's this exploit, that exploit,
bang, bang, bang, bang, bang.
And my wife is very used to the phenomenon of us walking down a city street.
And she'll be talking, she'll turn and I'm two steps back because I paused to pivot and take
one picture of this building or that car or this fixture or this device. And I'm, oh, that's going
in the slides. There was a strange paradigm shift when it was you who taught me how to pick a lock
for the first time, right? And I brought it home and I showed my friend and it just so happened that my friend's mother
was a locksmith.
And she's like, you are not allowed to know this.
Like I asked her in the past, like,
hey, can you teach me how to pick a lock?
She's like, nope, I'm not allowed.
I got like a locksmith code.
I can't show you.
Like, it's just, sorry.
And so when I came home and I said,
here, let me try opening your front door.
I want to see if I can do it.
And she saw the tools that I had.
She was just flabbergasted by it.
And it gives me this kind of weird thing of like, this is kind of sacred knowledge.
Why don't locksmiths, why aren't they physical penetration testers?
Like, how come that wasn't just an easy, hey, like you said, on that job you had, we need a locksmith here.
They didn't think, well, let's said, on that job you had, we need a locksmith here. They didn't think,
well, let's get a physical penetration tester here. And a locksmith doesn't consider themselves a physical penetration tester. So why is there a gap there? Why isn't it all blend together?
Do you have any thoughts on that? Yeah, I think the real thing there that you hit on perfectly
is the guardedness of knowledge in the old world of
the trade of locksmithing. If you're doing a physical penetration test, the value isn't in
the success of the tester. It's in the deliverable. It's in the report, the knowledge that they will
give you. And giving out that knowledge, physical pen testers, yes, we are many times locksmiths,
but much like Penn and teller are
magicians, but part of their whole shtick over the years has been showing the audience how they did
the trick. And there are some magicians that think that ruins it, that it takes all the shine and
polish off of it and the magic is gone. But I think that showing the execution, if it's elegant
and well done and impressive, it doesn't take away.
In fact, it enhances the audience's appreciation for, wow, I would not have been able to, like, even knowing how it works, I would take five years to learn how to do that trick properly.
Same thing with us.
I can show you how it works, but it's not really taking money out of my pocket or opportunity out of my colleague's portfolio.
If people know how my job functions, they're not all going out immediately trying to do
this job.
There's, as you say, that sort of comprehensive knowledge of being able to walk through a
space and instantly look and recognize every little detail that comes with years of experience.
So I'm not surprised at your friend's mother.
I'm not even disappointed. For the longest time, that was just part, I was deeply ingrained in the
trade. And why aren't locks, even now as knowledge is opening up, why aren't they getting into
penetration testing? A lot of them, even with their knowledge as locksmiths, they can't quite
do what we do. And they're frankly making far,
it's a very different business model.
They're making far too much money.
That's really interesting to me.
If you want someone to break into a place for you,
call a locksmith.
If you want someone to break into the place
and then show you how they did it,
call a physical penetration tester.
And while that skillset of both roles
overlaps in many areas,
it's just two different mindsets, really. What is your percentage on, like when you're
going on physical assessments, percentage of getting into a building?
We've never not gotten in. You're always going to get in. The question is-
100% success.
100% success in terms of entering the building. Yes, every building we've ever seen,
we've been able to enter, sometimes quickly, sometimes it takes a while. The question is, are we detected? Is there
a response? How competent is that response? Can we talk our way out of it? I've interfaced with
guards and had a good story, had an excuse for being there. Okay, thank you for your time. All
right, sorry. Well, next time, have an escort when you're in this area. I said, okay, guards. I want to hear these stories about
guards catching him. From scouring his videos, I found three stories he has that I think are great.
So let's get into them. So this first story starts out where Deviant was hired to break
into a building to test its security. Their objective was to affect network access
either externally from the parking lot, you know,
a cantenna where nowadays, you know, we're not poor hackers anymore,
you get a nice Yagi, but trying to pick up on, you know, the building's Wi-Fi.
They said, did we, does the Wi-Fi leak?
Or you can try to make internal, you know, connections.
But it wasn't the company itself that hired Deviant.
It was another penetration testing company that got this job.
But what they were good at was hands-on keyboard type of activities.
And what Deviant is good at is physically getting into buildings.
So this other pen test company hired Deviant
to essentially team up with their computer guy
to get him into the building to plant computers
in the network and gain remote access to this building. So he was going to get in the building
with me, find an unused network port or compromise a network port in a conference room. And then
basically just do they have Mac filtering? Do they not? Can I get a device to connect to the network?
Can I not? Let me see if I can get this little Dropbox headless computer, and then it would backhaul off-site.
So he didn't have physical access experience, that was your job to get him in,
and then once you get him in, you're going to keep watch, distract people, stall,
whatever you need to do to let him do his job.
Yeah, yeah.
It sounds like a good crew there.
It's great.
Like two high skill sets together. And it like a good crew there. It's great. Like two high skill sets together.
Okay.
And it's a mutually beneficial relationship.
It allows us to specialize only in what we're good at,
because I am, again, not a keyboard jockey these days.
And it absolves a lot of headache and liability from the primary consultant team.
They say, I don't want to touch that elevator.
I'm not qualified.
I say, well, I'll touch the elevators.
So what do you bring to this engagement?
So I had kind of a little field bag on me
of some bypass tools, some lock picks.
I did have my elevator keys.
I'll have an under door tool.
I'll have door shims, a mini knife,
kind of your typical kit.
Deviant checked out the building
just to get a good understanding of what's there.
Just driving around into the parking lot
and sitting with his car
and watching what the building is doing. Like, okay, there are security guards there, but they never go outside
to patrol anything. They just sit at the front desk all day. On top of that, the building was
very quiet. Not many people at all are coming and going. And this made him think that they probably
put all their security at one single point of entry, and they may not have secured the back doors very well.
So after monitoring the place for a while,
it was go time.
Deviant and the other computer guy
go up to the building in the middle of the day.
They wanted to find a way in.
The two of them started looking around the building
for a way in.
They found some side doors,
but they were locked tight. No clear vulnerability either. Deviant might have been able to bypass
those doors, but he wanted to find an easier way in. You know, that demonstrates a simpler technique
that lets just anyone walk right in with like maybe no tools at all. So he kept looking around
the building, but was having a tough time finding an easy way in.
All the doors were locked tight.
No windows were open.
No poorly installed door or anything.
So he goes back to that side door he saw earlier,
and he wanted to take another look at it.
Maybe there's something there.
Now, this side door was a double door.
Like, you first enter one door,
and then there's a little room, a vestibule,
and then there's a second door that you need to get through
to get into the building.
And when he looks for a way to get in through a locked door,
he has a little checklist in his head that he runs through.
It's not like he has some magic tool
that he just puts in the lock,
and the door immediately opens like on TV.
He first analyzes the door and looks it over.
He'll first just tug on the handle
and see if it's unlocked.
Then he'll look at the hinges. Maybe it was installed backwards. Then he could just unscrew the door, and looks it over. He'll first just tug on the handle and see if it's unlocked. Then he'll look at the hinges.
Maybe it was installed backwards.
Then he could just unscrew the door.
Then he'll look at the gap between the latch and the strike plate.
If this is too wide or missing parts or installed wrong,
he can use tools to get in there and open the latch
from between the door and the door frame.
In fact, any gaps at all between the door and the frame can be exploited.
But this door
had no clear vulnerabilities like that. So then he starts looking at the whole thing backwards.
Instead of getting into this door, how do people get out? Is there a crash bar that you just push
from the inside, which unlocks the door and opens it? Well, he looked through the window, but he
didn't see that. He didn't see a handle on this door that you could turn or unlock either,
which made him realize what kind of lock he's dealing with.
It wasn't a mechanically released door.
It was electronically locked.
And you can also tell if you're yanking on the door,
and it's very clearly being held shut maybe at the very top,
but the bottom of the door is wiggling by a quarter inch, half inch.
You're like, all right, that's a mag lock.
That's a magnetic lock at the top of this door.
I'm pretty sure we electronically
can release that mag lock
either looking around,
you don't see any push to exit buttons
through the windows, no.
It's gotta be looking through the window some more.
It's gotta be a sensor somewhere.
Where is that rec sensor?
Normally it's right above the door.
And eventually we had to look through another window from the side. And my buddy I was with,
he's like, oh my God, is that it? Is that it? Where the heck? It's almost like down and to the
right. I said, by the other door? Oh my God, yeah, that's where they put it. Okay. Okay,
so there's a motion sensor. If Deviant can trigger that, it'll unlock the door.
But it's a good 10 feet inside the door.
So how?
It has a request-to-exit sensor, or REX sensor.
These are sensors that are very common in physical access control environments,
which will detect egress events, impending egress events, and they do it through
motion sensors. Most of these are infrared, simple passive infrared sensors. If they sense
a change in temperature, they presume that must be an individual making their egress from the
building. Okay, no problem. So how can you exploit this? If you're on the outside of the building,
do you, what do you throw a
fire stick under the door, like a road flare, make it hot? Well, you don't have to do anything
quite like that. What you can do is take a can of compressed air, or if you're very fancy,
you go to a scientific supply shop and you get a can of like tech spray or freeze spray.
The idea being, if you spray into the air a little cloud of propellant, a little refrigerant cloud, it will boil off in the atmosphere and make a very cold patch of air.
You can do this to open doors.
You stick the little straw through the door crack, blast, and all of a sudden you hear a click.
Oh, that's the lock.
Okay, the lock is released.
Open the door.
This was like that, although the position of the sensor was much further down in the vestibule.
It was a double vestibule kind of door.
And I said, oh, man, I'm trying to spray the air, spray the air.
And we literally killed one can of propellant.
I said, oh, man, we're going to go back to OfficeMax or something.
Eventually, I was able to rig up a long, skinny straw that I could feed all the way through,
kind of snaking it down this vestibule,
and almost like a wacky, waving, inflatable arm,
flailing tube, man.
It's looking way down at the end of the vestibule.
You see this straw spinning its way all through the floor
and this cloud going everywhere, and the door finally popped open.
And that was on the floor.
You went under the door.
We had to go all the way under to keep it as straight as I could on the floor.
And it wanted to curve around.
But eventually I got this door to release.
So you hear a click and then you know the door's unlocked.
Thank goodness, too.
Because this was a good 45 minutes of poking and prodding, going back to the shop.
Okay.
Okay, so they successfully made it into the building.
Now they need to find an open network jack for the other guy to plug his computer into
to try to hack into the network.
And we find a little conference room thing.
And I said, okay, look at the, oh, cool,
Polycom phone system.
And there's an RJ45 connector.
I said, do you want to try this jack?
And he looks in his backpack,
and he goes, oh, no, I didn't bring the Dropbox.
A Dropbox, in this case, is a little computer that you can just plug in
and leave behind and then try to access it from somewhere far away, like back at the hotel.
But this guy forgot it. I guess he was configuring it the night before and just forgot to repack it.
And it's back at the hotel. He said, well, go back. You go back. You take the keys. Here you go.
Take the car. Go back to the hotel, I'm not leaving
the building, we took so long farting around with that door, I'm gonna stay in this building, I can
just let you back in when you get here, and he's like, man, I mean, the hotel's 10 minutes away, and I
gotta get the thing, come back, that, I could be gone half an hour, you're just gonna sit in this
conference room, and I said, no, I'll find somewhere to hide, so what I did is I chose to look around a
little bit, and I was looking for kind of an empty office
or maybe a janitor's closet.
Those are nice.
If the janitor's not around,
you can break into the janitor's closet
and just sit in there silently
because the guards aren't going in the janitor's closet.
The staff aren't going in the janitor's closet.
If a janitor comes along, you gotta say,
I just had some anxiety.
I work here.
I needed a place to chill.
Or pretend you're doing drugs.
I don't know. And you say, I promise I'm going to rehab. Don't work here. I needed a place to chill. Or pretend you're doing drugs. I don't know.
And he said, I promise I'm going to rehab.
Don't tell me.
Don't narc on me, buddy.
But no, I didn't find any good closets or anything.
I found an elevator.
And I said, okay, well, we got an elevator.
It's got no windows in the elevator cab.
No, he didn't see any cameras.
I'm just going to stay here, bro.
And he's like, really?
I said, yeah, I'm going to put the elevator on independent service,
which is like a local admin mode
that removes it from general dispatch demand around the building.
So this elevator cab will not answer hall demand
that other people might be registering, placing calls.
I said, I'll just stay in the elevator.
There was even a little locked panel that I popped open.
And I said, there's even a little power plug in here.
I can plug my phone in.
I'm just going to hang out.
I could just scroll Twitter, read posts on the internet.
I said, you go to the hotel, get what you got to get.
Message me when you're on your way back.
I'll let you in.
I thought this would be half an hour of me just getting paid for free.
It turned into hours.
And I was messaging him like, hey, man, did you get to the hotel?
Did you go to the wrong hotel?
What is happening?
Are you, did you fall into a bathroom?
Do you have some bowel distress?
And so I'm thinking, what is going,
finally, I get an answer where he's like,
yeah, it's not going well.
And I said, what's not going well?
And he's like, I'll tell you when I get there.
He was found a little frustrated.
I said, hey, I'm getting paid by your company either way.
I'm on the clock.
Back to Twitter.
Two hours go by.
Deviant keeps messaging the guy.
What's going on?
He says he had to finish setting up the Dropbox,
but he couldn't get the keyboard to work to configure it.
So he was trying to use the on-screen keyboard
and use a mouse to type out every command,
and it was just taking a super long time. So Deviant continues to just sit and wait.
Then suddenly, I hear this really, you know, boom, boom, boom, boom, boom. There's this pounding
noise. Sounded like it was on the hoistway doors, just someone banging on the doors of the elevator.
And I went, holy crap. Do they know I'm in here? Have they spotted me?
And I'm looking, maybe there is a hidden camera.
What's going on?
And I said, no, calm down, calm down.
It's like if you're camping,
everything sounds loud in the woods.
A deer could walk through your camp at night
and you think it's a bear.
But I said, no, all right.
I look at my phone.
All right, it's like after five at this point.
This has got to be the cleaners.
They must be, I don't know,
getting fingerprints off of the hoistway door chrome
or something, I don't know.
But I just said, no, it's fine.
And I stayed in there a little longer.
I really wanted to start to use the bathroom.
Thank goodness my buddy's like,
all right, I'm coming back to the hotel.
I'll be there in a minute.
Okay, elevator back to automatic.
Go back to the lobby, open the doors.
And I said, I'm right near the vestibule.
I'm going to head toward it.
But just, I don't know what made me turn and look
as the elevator was shutting itself automatically.
I noticed that there was literally a notice
that somebody had taped on the doors.
Because I had been sort of in between two floors.
I'd been a little bit off platform,
but I could hear, I was right near the lobby level.
They were in fact hitting that door,
but they were, it was a security guard taping a notice that said, this elevator out of service.
Yes, we're aware of it. We're looking into it. Please use, you know, elevators on north bank
of the building. And I went, oh man, somebody noticed I was in there. Just thank goodness
they didn't think I was there. I let my friend in. He's in the building now. Thank goodness we
didn't have to fight with the long straw.
All right, back to the conference room, back to the conference room.
Okay.
And we barely got six or seven steps down the hall.
When around the corner, we see a guard.
Because now we're the only ones, now it is a little weird.
At this point, yeah, what are you doing?
It's after five, this place is dead.
And the guards look at him, look at me,
walked in and my friend is like,
oh, what's gonna happen here?
The guard immediately saw that I had,
because I was in the elevator for so long,
I had put a little badge on that just said Otis.
I have a variety of little badges in my kit.
And he went, looked at me,
looked at my Otis badge and he went,
oh, you guys got here fast.
And I was like, yeah, I heard there was a report.
And I, you know, I just, I lie for a living. I just dropped into it. My friend, I don't know
if he was nervous or not, but I said, yeah, I heard you had a problem with one of your passenger
elevators today. They pulled us off of some other job because you're paying for this elite care
service. You've got a good tier of service package with us here at Otis. Point me at the problem.
Let's get you squared away. And he proceeds to lead us right back to that elevator where I had been with the notice still taped on the, you know,
the door. And he's like, this frigging thing, I got calls all afternoon. So now I like this. I
like that this guy, he's invested in the problem. He's invested in it being solved. And I said,
oh man, that's, and it's only the only elevator in the bank. You don't even have other cabs that
you must've been, your phone must have been ringing nonstop.
He's like, oh, well, there's not a lot of people in here,
but they still let me know about it.
I said, well, let me see what I can do, sir.
I pull out my keys.
I still have my keys.
The keys will turn, obviously, in all the key switches.
So I have the trappings of legitimacy
where I, A, look like I have credentials.
B, I'm sympathizing with his problem,
I can express familiarity with his problem,
and then C, I am pulling,
casually pulling implements out of my pockets
that clearly work in the system.
If you were in a parking lot
and you saw somebody with a red blazer
and you thought they might be a valet
and they say, oh, is it really busy
in the restaurant tonight, sir?
And then they are holding a key that opens a car door. Well, that's gotta be a valet and they say, oh, is it really busy in the restaurant tonight, sir? And then they are holding a key that opens a car door. Well, that's got to be the valet.
They're doing all the things that I've seen valets do. So this guy just thought, well,
he's obviously the Otis guy. And I'm rattling off some techno jargon and I'm turning key switches
that don't do much, but I'm claiming, oh, I'm resetting the door sensors. Now this will reboot
the door operator if we hold it for three seconds. Here, let's everyone step into the cab for a second. Let's let this
door close. So now we're bringing the guard with us and the doors close. And I say, all right,
well, that's good. Let's try door open. No, we're still level. We're not misleveled. Sometimes a
mislevel event can cause the doors to jam. Let's try to go up a few floors. So he just starts
taking us up to other floors, floors that I didn't have credential access to.
But he's going up floors
and we're stuck in platforms pretty well.
I'm pretending to measure the platform leveling.
Because again, I have just enough industry knowledge
to speak to what you're expecting a technician to do.
I'm actually, you know,
I'm a trained life safety fire door inspector.
Not because I do that for a living,
but because I can walk around a building,
if anyone catches me and say,
what are you doing in here?
I can say, what are you all doing in here?
Because these fire doors are not to code.
And I can rattle off all the different,
the signage is wrong, the glazing is this,
you can't have appurtenances that interfere with that.
So I look like a technician, we're getting up,
we finally get to the top floor,
which is a really juicy floor in this building.
And I say, let's walk around for a minute here. I think this one, you said there's another elevator.
I'm pretty sure this one's fine, but let's try the South Bank elevator, the North Bank elevators.
And now the guard is so used to being in our company that even anyone else who's in the building who sees us on camera or in person,
well, this guy has been with the guard, so he must belong here.
And I start spinning a story about,
do you have a room with a bunch of computers in it?
Because your elevator controller would be in that room.
It would not be in that room.
So, but where's the elevator?
I can look for the error log data on the elevator controller.
We can try to troubleshoot it
because you don't want to have us, you know,
coming out here again and again.
Those stoppages, that was no fun for you.
So yeah, the guard took us to,
he's like, well, I walk around every night
and this is the one room,
it's got all these fans in here.
So he takes us and he,
I think my badge works, boom,
and he badges us into the server room.
And I say, all right, well, you help me look.
There's going to be a bright, you know,
neon green server,
which is, again, I'm making that up,
but I'm giving him a wild goose chase.
Do you turn to your buddy and be like,
this is the moment, You need to go now.
He was tracking at that point.
He knew what was up. He was amazed
that it was working so well.
But he was ready to go.
A good friend will see you lying
and it's all improv. It's all yes and.
You just go with it. You build the world
with them that they're trying to build.
So my buddy, he had the Dropbox
kind of under his arm like it was a multimeter ready to plug into something.
And the guard goes down one aisle.
I go down another aisle.
Do you see it over there?
And my buddy, of course, he's plugging stuff in.
He's plugging in flash drives, watching, documenting.
And the guard eventually says, well, I can't find it.
We can't find it.
I said, all right, that's all right.
It's working for now.
I'm going to write it up.
I'm going to write it up as a priority ticket. We'll get you squared away. Uh, what was your name again?
And he gave us a name. I said, okay, well, we're going to walk around, just check. There's a few
other lifts and other buildings. Uh, if anyone else is on premises and they ask what we're doing,
I'll just tell them to talk to you. Uh, but thanks for all your help. It's all good. And he was so
happy that, yeah, we, we stuck around, even though we were done, we stuck around and went into a few other spaces just in case we got challenged.
Because you want to give the client a win.
You want to try to see will anyone push back on you.
It's not about getting away so clean and so –
If you work for the government and you're spying on a foreign adversary, sure, you want to get away and not experience a mortuary event.
But if you're doing a corporate test,
you want to see what their reactions are.
If this staff didn't catch you,
interface with a different staff member.
If this building didn't stop you,
try a different building.
Where are the good as well as the bad
in their security posture?
But yeah, we wound up walking everywhere
for quite a long time.
We got into everything at that facility
at the end of the day,
and digitally and mechanically and physically, yeah.
There are three things to test when testing a company's security.
You can test the physical building itself.
You can test the people in the building.
And you can test the electronics.
This one tested all three.
But there's kind of a moral code that Deviant has when testing people,
or otherwise known as social engineering.
I mean,
here he tricked a guard into making him think he worked for the elevator company,
but he also gave the guard many opportunities to check his credentials or verify who he is.
Gosh, even if just the guard decided to give him a visitor's pass and took their names down,
that would be better than nothing, right? So there were lots of training opportunities for this guard,
but bad guys don't really have these moral codes. They might wrestle the guard to the ground, tie him up in the elevator,
or break some windows to get in. I mean, it's possible to figure out where the owner of the company lives and kidnap their kids, holding them for ransom for some company data. But as a social
engineer, you really want people that you trick to feel better for having met you instead of feeling awful because you screwed them over so bad.
But where exactly that line is, it's hard to say, though.
We're going to take a quick break here, but don't go away.
We have two more stories from Deviant when we come back.
This episode is sponsored by Vanta.
Trust isn't just earned, it's demanded. Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program,
proving your commitment to security has never been more critical or more complex.
And that's where Vanta comes in.
Businesses use Vanta to establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001, centralized security workflows,
complete questionnaires up to five times faster, and proactively manage vendor risk.
Vanta helps you start or scale your security program by connecting you with auditors
and experts to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back
so you can focus on building your company. Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to
manage risk and prove security in real time. For a limited time, listeners get $1,000 off Vanta
at vanta.com slash darknet. That's spelled V-A-N-T-A, vanta.com slash darknet for $1,000 off.
Deviant's Olive breaks into buildings for a living.
He's well known for it.
So a company in Kansas heard about him
and hired him to come out to test the security of their building.
And it was a small town, man.
It was a small town.
So this was a company doing large sort of,
you know, blue collar industry in a small town
where I'm not from.
And the only thing I got going for me
is that I'm a middle-aged white dude.
And that's where my flex ends
because I don't know people in this town.
I can't speak to the widgets and wonkets
that they pack into boxes and parcels
and drive out on a big rig.
I was going in.
Oof, we'll see how this goes, boys.
Being so far away, he had to fly out and rent a car and then drive to this town.
And he didn't go alone, of course.
He had two others with him who also worked at his penetration testing company.
And one of his teammates brought his dog with him.
She's a search and rescue dog. She's amazing. She's so perfectly trained. You could let her
off the leash and she knows commands where she could run and just kind of be hidden in the woods.
So now he's a guy walking around with a leash. And who doesn't want to help a guy with a dog
leash? Of course, you got that beautiful dog of mine. So eventually, she'll come running out.
If he gets challenged by, oh, here's my dog. Thank goodness.
Holy cow, the dog is a social engineer too.
It's part of the act.
Go hide while I pretend to look for you and wait for me to give you the secret command
before you come.
Oh man, I never thought of packing a dog
in a physical penetration testing kit,
but they're going to need it
because this place looked really hard to get into.
The goal was to demonstrate access to, quote, sensitive areas.
We had a list of sensitive areas, manufacturing areas,
certain people's offices that were in charge of critical functions.
If we could demonstrate, we could tamper with end product
before it goes to market, that would be bad.
You just tamper.
It means you touch hands on this one machine or this one package
and take a picture.
Why don't you think you can get in?
What's the thing there that you're like, ugh?
It was a small crew.
I mean, it was maybe a dozen employees on any shift,
and everyone knows each other.
And it's not an environment that was open to the public,
so it's not like customers or visitors were coming and going,
which is much more common in offices.
Yeah, if we were on site, not to mention, customers or visitors were coming and going, which is much more common in offices, you know.
Yeah, if we were on site, not to mention we had to read all their briefing materials on their OSHA regs and their best industry practices. So if you're in a production environment,
you've got the hard hat here, you've got this, you've got the earplugs. Otherwise,
the foreman will be saying, who is that person? Who let you in here, Jagoff?
So we wanted to minimize contact with humans.
We would go at night, we said,
and we would try small town America.
You play to what you think is going down.
You say, it's either gonna be Saturday night football
or Sunday, everyone's maybe at church, I don't know.
So Saturday night, we started to weaken the target.
So we'd approach,
we would remove card readers from their mounts. So it turns out there
was an open campus. You could walk onto the grounds. There were no fences, but we would
remove card readers from the wall. We would install little interception devices behind the card reader,
put them back on the wall. It's a device called an ESP key. Like, all right, we're going to check
a few doors. The doors are all tighter and all tight as a drum. We'll compromise the card readers.
Hopefully, somebody coming or going on a late shift, because they worked in three shifts,
maybe someone's going to use a door and we'll be able to compromise the credentials when we come by tomorrow.
Sunday, we asked, do you have any hours on Sunday?
They said, no, it's pretty thin on Sunday.
Okay. I mean, production environment, the actual factory was running, but the have any hours on Sunday? They said, no, it's pretty thin on Sunday. Okay.
I mean, production environment, the actual factory was running, but the offices were dead on Sunday.
We said, okay.
Come by Sunday morning, and we drove by the parking lot, just pulled in and pulled out enough that I could dump the remotely.
I could radio into the interception devices.
I got some credentials.
Good.
You caught all that, right? There are RFID key cards that employees use to unlock doors to get into the building.
Deviant installed a card sniffer behind the real card reader,
and someone badged in during the night, and his sniffer caught that.
And now he has that data and can write that onto a blank key card,
which would give him access into this building.
Now, while he was doing that, another one of his teammates was hiding out, watching the building from a distance, taking pictures of people
coming and going. And this guy had a camera with a long range zoom lens. So he was out there taking
photos of what badges looked like for people who work there. He couldn't get high quality close-up
photos of the badges being that far away, but it was enough to allow them to replicate it in Photoshop
so that if someone is walking by or from a distance,
they wouldn't know the difference.
So the team all met up at a coffee shop to put the right logo on the badge
and to write the data onto the key card.
And as we're there, my buddy, the guy who has the dog,
he didn't have the dog at this moment, but that one partner, he's like, I'm just going to take one more walk around, just kind of see the factory.
Let me get myself a little coffee or something.
And he comes back to where we were as I'm making these badges.
He comes back 20 minutes later.
He's like, this is going to be interesting, man.
I just stuck my head in at the post office.
Everybody knows.
Hey, Frankie, Sally, how you doing, Bobby?
It's like if we run into anybody, it's going to be a record scratch.
It's going to be weird, man.
But we said, all right, we've done this.
We've been in hard jobs before.
Let's go, everybody.
We pull into the parking lot.
We had some PPE and hard hats kind of with us,
looking vaguely factory-ish.
So you were looking like employees that should be there or technicians visiting?
Just looking like employees.
If anybody literally, like if a town cop was going by,
we're like, they'll think we must work here.
We look like blue-collar workers.
And sure enough, no police.
It was right on Main Street.
It was a tiny, tiny town.
But this factory was right in the middle of town.
It was the only thing in the damn town, honestly.
So, boop, card reader works.
Okay, we get in one building.
Thank goodness we're inside.
We're walking around.
Once you're inside, a lot of buildings, security is a little weaker on the inside.
You can get into offices.
You can slip a latch. You can pop a drawer open. We've found a company trucker cap. Somebody took a
company jacket. Again, just you're looking a little more like you belong there. And the thing
is the badges we made, we had seen long distance photos of their badges. So I had pre-printed these
badges with their logo and everything in roughly the right place to look. The badges look the part and the badges are open indoors.
But within maybe half an hour, we hear one of my teammates come around.
He's like, hey, man, someone just pulled into the parking lot, not to the factory.
Somebody pulled in and they're coming into this office building,
which no one is in this office building at this Sunday.
And we're like, oh, well, we just look like we're working here.
We sat kind of in the break room area.
And this guy comes in.
He must have been 56, 57 years old.
He's like, how do you do, gentlemen?
I said, hey, how's it going there?
Can I ask what you're doing in the office today?
And the vibe was instantly off.
We said, oh, you know, we're just checking a few.
We had a story.
I think we said we were doing an environmental audit.
We were checking door seals.
He was in the building?
He was already in the building.
How did he get in?
So he clearly worked there.
We could see on his hip he had a badge.
And we said, no, we're just checking some door seals.
There were some door closure issues.
And for regulatory compliance, you have to keep products separated, blah, blah, blah.
We had a bit of a story.
And we said, we'll get out of your hair.
We're just leaving this building anyway.
And we kind of left the building.
And the guy, he didn't quite vibe on that.
He was looking at us a little weird.
Well, this was mostly a success.
They needed to demonstrate access to sensitive equipment
in areas that they were able to get into the building
and take pictures of them touching this equipment
and stuff they just shouldn't be able to get to.
But since this guy really wasn't buying their story, they decided to leave. Because as a
penetration tester, when you get caught, you want to see if you can get out of that situation.
Try to leave and get out of there. See what happens. Is this guy going to stop them from leaving?
So they walked out and got to the parking lot. And they could get in their cars and go,
but there was another building in this parking lot that they also needed a test.
So might as well walk over to that and see what happens.
They thought this guy might be watching them, though.
So they walked across the parking lot to the other building
and made it very clear in case he was watching them
that they had badges that they
were using to get in the building. These were working badges. And if the guy was watching them,
he could see they had valid key cards to get in the building. Don't forget on top of that,
they have a jacket and a hat with the company logo on it. And then we in the new building,
we're like peering out the windows through the blinds. And this guy walks to the parking lot where the guy is going to get in his car.
Nope.
Walks by all the cars, walks to the building we just got in.
We're like, oh, my God.
And we hear him start walking around this building.
And at this point, we're pretty sure we're roasted here.
Two of us break off.
One guy goes.
He meets two of the guys in some other hall.
He's like, excuse me, gentlemen.
I'm going to ask the same question I asked before.
What are you doing in this building?
And we said, well, we're doing this.
He's like, no, no.
Who hired you to do this job?
And we said, well, it was, you know, Francis.
Francis in HR.
She brought us.
He's like, I don't know if Francis would have brought you on.
I'm going to have to try to call Francis.
And he couldn't reach her.
And he's like, no, no, come on. Was Francis a word you made up? No, we knew, we checked their staff. We knew some staff. We said, no, Keith at the,
at the, you know, the Wyoming plant, Keith knows that we're here. He's like,
I've been working with Keith for a long time. Keith might've said something about new folk.
I haven't heard that. I can call Keith. So we're like, oh my God. And eventually after he's getting, he keeps trying to dial phone numbers on Sunday.
And we realized if he's not going to reach anybody, he's going to just call law enforcement.
This was not going to fly. Deviant and his crew were caught. All the windows of opportunity to
lie their way out of it were closed. The game was over. So time to come clean and show the get out of jail free card. See,
here's the thing. When you're paid by a company to break into their building, it's possible it
could all go wrong. So you need a letter of authorization from the company, preferably
someone real high up that can vouch for you, that when you call them, they will say, yes,
we did hire them to do a security test on the building.
And you print this agreement out and put it on a piece of paper and carry it with you at all times when you're doing a physical penetration test like this.
And this is what's known as the get out of jail free card.
Now, what some penetration testers do is they print off a fake one.
It's got the right name of the head of security,
but with a phone number to someone
waiting in the parking lot who would act like that person if they got called. Deviant saw that this
guy had everyone's number in his phone already and thought the fake get out of jail free card
isn't going to work here. So he gave him his real one. And this was the first and only time
Deviant has ever been caught to the point that he had to
show this paper and come clean like this. He said, I know that person, but I'm going to call her
cell phone and not the number that you've printed here. So as it turns out, and we spoke to him,
he said, okay, all right, well, if you say so, all right, Susan, you know, brilliant. He did not
trust the number on the paper that Deviant handed him. Instead, he looked up the name's number himself. And this was the right thing to do. And sure enough,
the head of security vouched for them and said, good job catching them. And yes, we did hire them
and they are supposed to be there. So now that he knows the real reason Deviant and his crew were
there, Deviant had to ask, how did you catch us? But's like well i was driving by he wasn't even on site
that day but i was driving by and i saw a couple of you boys entering the building just as we were
just getting into a door he's like it didn't feel right so i got a minute block or two down the
street and i turned around and came back who the hell gets past their office and has that much
emotional investment to go, I should go
back to the office and see what's going on. He drove all the way back in, parked, and started
checking around buildings till he could figure out why were these fellas he didn't recognize
from 200 yards away. Why are you in my building? He had worked for this company for something like
38 years. And he had emotional investment in the company. The company
mattered to him as a person. And he was not going to take anybody giving him a line. He said, no,
I want to know what you're doing. It felt like if someone was in your backyard and they said,
well, I'm just trimming your trees for your neighbor. But they kept kind of walking through
your backyard. You might be like, I'm going to knock on my neighbor's door.
Why is this person in my backyard?
So that's what happened.
And that was the first time we ever had to show the action.
And we knew we could have had a fake letter,
but we're like, that's not going to fly.
This guy, he is switched on, he is sharp.
And he got quite a little kudos out of that.
And he was professional the whole time.
Didn't try to tackle us, didn't make threats,
just kind of slowly plotted after us.
Okay, so they were caught.
That's that, right?
No, they said, hey, good job, you caught us,
but don't tell anyone else
because we're gonna go and come back again later
and try to see if anyone else will catch us.
We left for a few hours.
We went to have lunch.
We did come back and we only made it in again,
gosh, 45 minutes, an hour,
until we ran across some other person.
And I didn't even interact with this person.
This was just in a production event.
We just kind of walked past them
and they almost on their heels turned and spun
and said, hi, can I help you?
What are you doing in this space?
And we were like, son of a bitch.
But that was a great day because this little Nowheresville facility,
they had a really sharp head of security
who had been coming to DEF CON and Black Hat,
watching talks like mine,
really investing and upgrading their locks
and their access control credentials.
And even after that, he's like, oh, you did clone,
you made the ESP key,
we're going to revamp our backhaul protocols for a little nowhere factory nowhere, nowhere, not subject to threats and not subject to robber. The most threat they probably have is people trying to break in and, I don't know, steal copper or something, you know, like rural threats are not the same as an urban environment where you have a lot more potential risk of different kinds.
But no, this one guy, he was really all about it.
And he took it to heart.
He had a lot of buy-in from management.
And everyone was just, they were pleased and proud of their people.
We told them, keep investing in your people.
They like it here.
Make sure they keep liking it here because they are the best line of defense that we've ever come across.
You were caught.
Do you consider this a caught?
Do you consider this a fail?
Is this the only time you've ever been caught? Or have you been caught before? I will consider it a caught. Do you consider this a caught? Do you consider this a fail? Is this the only time you've ever been caught
or have you been caught before?
I will consider it a caught.
I won't consider it a fail
because if you're doing your job right,
this is the best success you could have.
We got caught for all the right reasons
and I'd like to get caught like that
much more in the future
by companies that have employees
that actually care about what's going on.
The only way you get that is if you have a real nice environment where you're treating people well,
not just as meat grinding through the mill, right? You actually have to make people
want to work there by rewarding them, by paying them properly, by giving them real benefits.
That's the only time we've been caught and didn't bluff our way out of it, you know,
talk our way out of it, you know, talk our way out of it.
Okay, let's hear one more story of deviants breaking into buildings.
And this one's my favorite.
This one is against a critical infrastructure type company.
Think utility company.
If someone were to get in and cause harm, it could be ruinous for
like the whole town. Most of our jobs, we get a list of sensitive assets or sensitive areas from
the client. And we say, well, you know, would accessing this asset or being in this space
represent a severe breach? Would a bad actor in this space have the ability to severely compromise operations or cause severe impact?
Once you have that list of assets, you formulate a series of attack chains.
You sit with your team after a lot of recon, and you say, all right, so do we think it's smart enough to go to this one first, or should we try to go through this one?
We've identified where these assets are, which parts of the buildings and the grounds.
Okay, so which team is best suited to position here, here, here.
And you come up with a plan.
And if one team gets burned, you'll say,
okay, well, that team is, all right,
they might've gotten noticed, might've not.
Let's pull them back.
Let's get off campus.
They just became Overwatch.
They're running a drone.
They're running long range cameras.
They're back at the base on radios.
Let's put another team in. We do a lot of rotating out of rental cars
where you go back to Hertz or National or somebody. You say, oh, this car's pulling
to the left a little bit. They say, we have another one. We said, do you have a different
model? Maybe a really different color because if somebody's seen that weird car in the parking lot.
So there was a job like that. It was meticulous. And we had, it was a
large job. There were probably three or four different field teams at any given time of pairs
of people. Okay, wow. This is a big job. And if you remember from other stories, Deviant likes to
be prepared and bring a big kit of things. Anywhere from having lock picks and keys to the Otis This job was the kitchen sink, man.
This job had case upon tons of Pelican cases shipped in.
It was close enough that I could,
it was many states away from where I was at the time,
but I was living in Montana. I just said, I'll drive. If the budget's there for me to drive, I'll make it a couple day
drive. And my truck was, I mean, we brought the works, man. We had a 3D printer in the Airbnb.
We had a couple of our really large key machines, our exotic key machines, just in the Airbnb on the
living room table. We were ready for as much as we could be.
Okay, so when you have a job this big, it'll help if you have a few extra people. Of course,
Deviant drove out for this, but a half dozen other people came out too. Bobbik was also there.
We're all across discipline. Bobbik is very electronic focused. Of all the team members,
he is the highest strength among us in the electronics department, especially as it relates to access control technologies, credentialing technologies.
He gets good information from a lot of the industry sources and partners where he'll get the new badge printer that somebody's just pioneering, and he'll get a sample model of that, and we'll try it out.
Drew came along for this one.
Drew is our main surveillance person.
Drew is an incredible person with camera glass, drones, you know, ultralight aircraft. He is the eyes on the ground and in the sky. They called in Sophie too. Sophie is a devastating social
engineer. Robert was another key player here. Robert is an incredible physical tactician
along with being personable with people to the drop of a hat.
I mean, he used to be a cop, right?
So he can lie through his teeth with a smile on,
and his job is to manipulate you as a human
because he's going to get what he needs,
and he's going to get it out of you for information,
or he's going to get out of your sights because he wants to move.
He can be front and center, or he can going to get out of your sights because he wants to move. He can be front
and center or he can be a ghost. Imagine being called a physical tactician. That's quite the
title, isn't it? Drew and I reached out to an old colleague of mine named Laz, who was back east.
We brought Laz in. We had a couple of interns at the company who wanted to get some exposure to
field work. And a lot of times jobs just aren't big enough, but this was great.
So yeah, they'd bring the interns.
So we had quite the cadre of people.
And we actually had two Airbnb units right next to each other.
We had so many people.
It was these two little cabin-type houses on some park somewhere.
Gosh, they rounded up the whole Ocean's Eleven crew for this job.
And so they all met at the safe house and started on phase one, surveillance.
That was almost a week of recon.
Yeah, that included driving by for the first few days,
just a lot of long-range camera work in cars,
which led to then hikes through fields,
where it was a lot of Drew and Robert just in, like, I mean, they're in hunter's camo. They're hunters and stuff, right? So, like, they're going to crawl through fields where it was a lot of Drew and Robert just in, I mean, they're
in hunter's camo. They're hunters and stuff, right?
So they're going to crawl through fields.
They were first walking and then they were low crawling
to get really up close to the buildings.
See, I don't quite get this, right?
Some engagements
you're just like, let's see
if we can walk in through front door. Let's go.
And then some engagements you're like,
okay, you feel like getting muddy.
Oh, yeah.
You feel like getting the special equipment out.
I mean, there's work to that.
Like, dude, really?
You really want me to crawl through the mud
so I can get a good photo?
Yeah.
Yeah.
Go under the fence there.
Do it at night.
And we were all about it.
Who gets to do this
and not ever really risk getting hurt for it?
I think it's a great thing to get to do it.
Okay. I just don't know. I think it's a great thing to get to do it.
Okay. I just don't know. I guess I don't understand the level of like, okay, let's really start light and see how much we can get without even getting a foot on campus.
And some of that is spoken to in terms of the client's willingness to have a more
involved job.
I mean, that's labor is cost, right?
So time is money and they provisioned,
they said, no, they were really serious about,
they're targeted by foreign adversaries.
They are targeted by real threat actors at that point.
And an actual threat actor would not think twice
about spending an entire night
just in belly down in the dirt with long range glass,
learning which employees go through which doors
at which times and when the security patrols come around
and when they don't.
Okay, so another thing to think about here
is this company invested a lot into security.
Cameras all over the buildings, inside and out,
trip sensors, security teams.
They really,
really wanted to detect and stop any sabotage or intrusion or disruption against this facility.
And they did everything they could to stop this. In fact, this company had its own red team,
who just attacks their own company looking for weak points and vulnerabilities or whatever they
could find that an adversary might exploit. They're on the offense, which makes them a red team. The defense team is known as the
blue team. But it was the head of the red team that hired Deviant and his crew. So he could
communicate and confirm certain things with the customer, the head of the red team. Like for
instance, as they were doing their recon, they noticed something that looked like a radar system
to detect intruders.
So he messaged the client and asked things like,
Keith, are they using spotter RF?
He's like, yeah, yeah, you spotted the spotter.
Cool, yeah, we have it pretty masked,
but you must, he's like, you must have been really close.
I was like, yeah, we were right up against that fence line.
He's like, okay, yeah, you know, you got it, you got it.
Don't approach from the west side, you spotted that one.
Because again, let's say you're the Chinese government
and you got a guy laying in the dirt,
crawling up to a fence line,
and then this guy takes some pictures
and you say, well, look at those technology.
Are they using, oh, oh, that's RF.
They're using spotter RF.
It's a way of looking for motion sensing in a field.
And if it's the Chinese government,
they would then back off and they would say, okay, let's spend another two weeks figuring out who sold it to them. Let's figure
out which version they have, what its coverage is. Whereas for us, we just signal message. We said,
hey, I found this. Is this what I'm seeing? They say, no, yeah, yeah. We're not going to make you
charge us another week's worth of effort to go get a sample unit, you know, and set it up in a lab
and figure out the exact distance
and range that it covers. It doesn't match the manufacturer spec. So it's a week of that. It's
a week of getting close, taking pictures, coming back to the Airbnb, analyzing who's this guard.
Is this mobile too? No, he was, well, he was on foot yesterday. No, the guy on foot was in a,
okay, no, this is the guy in the truck. I got, let's make a name for him. You make up names.
You got, it's like a pinboard, like out of a detective show, right? You got a wall of
people. And one really great photo of a guard looking at us through these binoculars. Yeah,
that guy, we printed that photo out a lot, put it around the Airbnb. So there's some of those guards
are really switched on. Well, cause he couldn't see us, but he saw something and he was like,
what's that? And Rob
and Drew just stood stock still in the dirt in their ghillie suits for like an hour. Ghillie
suits? Those are the big camouflage suits that you see like military use where they have like
tree branches and leaves sewn into the suit so that you look just like a bush when you're holding
still. Crazy. Now, of course, they aren't just casing the place physically.
Sophie is also trying to infiltrate the people inside.
She's trying to get pieces of information that could help her know more.
She created a fake social media profile
and started trying to connect with people who work there.
The work involved in setting up a fake profile is non-trivial.
It's really hard to create like a fake LinkedIn or a fake anything these days that looks legit.
I mean, you need to have history there. You need to have connections. It's like planting crops.
You have to create these profiles and then you water them. You come back and you connect and
you make posts and you connect to this people and you endorse that person.
At years later, months and years later,
these are now fully formed and you can maybe use one of them on a job
to connect to other people and try to,
but if you get burned, well, that's all right.
There's a year and a half of work that that profile is roasted.
So the fact that she has access to these
and she made those connections to find out what was going on
and can I share your profile so I can see your photos from the job?
Okay, now you got the access to the private photos.
Oh, that's the company's having a pizza party on Friday, that kind of thing.
Okay, so after almost a week of watching this high security building from the outside,
they determined this place is completely secure.
They found one little area that they could access,
but it was kind of an insignificant finding.
So we determined that it was feasible to get through the fence line.
In fact, as a proof of concept one night, a small team did that.
They crawled up to the dirt berm where the earth had
been compacted, but not quite enough in one spot. And they trenched under the fence. They just dug
and dug with hand, like small entrenching tools, and they're pulling out rocks. And they proved
you could slip under the fence. And they just took a picture of one guy on the other side of the fence
and then came back. That's not super practical. We knew this was
still a site that was being built out. And we told our point of contact, we said, hey, just so you
know, we proved we did this. The shake sensors in the fence didn't catch us. He said, nope, I bet I
can tell you which you probably on the north side, that's all going to be concreted in. The footer of
the fence, that's still being built. We said, okay, well, it's a data point for the metrics. But we're not going to treat that as a standard entry point.
So the only way to get into this place was going to be where everyone gets in,
through the vehicle checkpoint.
This place had high fences, barbed wire, cameras, shake sensors, radar.
It wasn't kidding around, and that's just to get on the property.
It's like visiting. It was non-military. It was a civilian compound, but it's like a military base,
right? If you have a working credential, you drive up to the vehicle checkpoint, they see it,
you boop it, and you go. If you don't have credentials, you're going to the visitor's
building, the tiny shack, and someone is coming out and dealing with you. And without a credential,
you're not getting in. But there's always some exploits here, right?
There was some construction going on,
and Deviant was able to drive into the construction area
just to do some surveillance on the front gate.
He got some good video footage
of exactly how the vehicle checkpoints work.
And we learned, we said, okay, this is interesting.
This is interesting.
Look at this.
Let's look at what happens here. You drive up and staff were holding their,
their badge up at like the, clearly they're presenting a badge to the guard who visually
kind of would nod at it. Then they would drive further down a good 10 yards past the little
overhang. And there was a badge reader sitting out in the middle of
the, just like unattended. There's just a big badge reader on the, and they would, boop, they
would badge that. And then a vehicle gate, a gate arm would, would open up. So that's, that's an
interesting thing. That's an odd thing. Then we said, well, look at that gate arm. Look at that
gate arm. Many gate systems will use ground loop sensors, much like when you pull up to a stoplight,
it knows your car is there because it can detect the metal of your vehicle and it'll cycle the
light. A lot of gate systems use these. A very typical configuration would be, the most common
one is a stop or safety loop. Right in where the gate arm is. If a vehicle stalls out and sits there for some
reason, the gate arm won't come down and hit the vehicle. You don't want to damage anything. That's
typical. You might have an entry loop so that once you pull up, the gate arm just doesn't operate
unless somebody boops their car. You, you can't walk in on foot.
Like, this is not a pedestrian entrance. I'm sorry, you need a car. If you're a pedestrian,
go to the pedestrian entrance. It's around the fence over there. This is a very common problem
for certain motorcyclists or bicyclists. People on bikes sometimes don't have enough metal to trip
the ground loops, depending on how they're built. But the real one, and this is the one that a lot
of buildings do not use, you got an entry loop, you got that stop. But the real one, and this is the one that a lot of buildings do not
use, you got an entry loop, you got that stop loop, the safety loop. There's also sometimes a clear
loop. Clear meaning you have cleared the checkpoint, bring that arm right down. It costs money to
install these. You got to cut into the asphalt and you're doing, you know, everything's money.
A lot of installations, this one included, chose to configure it. Well, we don't need a clearage loop. We'll just, the arm goes up,
there's a dwell time. And after that, it'll just drop down unless there's somebody stalled out.
So they were using a dwell time and the dwell time was set to like, gosh, it was like 20 seconds.
It was long. We're like, okay, this is news we can use.
So our plan was we're going to tailgate in.
We're going to tailgate in behind what we think is a real vehicle because it was a long entrance road off the main road
to get even to the vehicle checkpoint.
Our plan was you're going to tailgate in.
We're going to give Sophie in the front seat of the car
who looked businesslike,
we'll give her a badge that
looks like their badges. We knew what their badges look like. It's a multinational company. We've seen
their badges in other facilities. We don't have their badge technology. They were using private
keys on their credentials, so we couldn't easily clone their badges. But Sophie could pull up and
smile at a guard and hold up a badge. Then, she's tailgating behind someone's vehicle, literally
tailgating. As that person
boops the reader and goes through,
Sophie would pull up, pretend
to boop the reader. Again,
that's 10 yards away from the guard shack.
They can't hear a beep noise.
And then before that dwell time finished,
she would hightail it through.
And if a guard was really sharp,
they might be like, oh, that gate came down kind of quickly after that car.
But nobody's going to be that sharp, we said.
All right.
Now, the critical thing, we said, we need about three or four, we need different ways to have you peel off if there's a problem.
The first thing is there's that construction lot, right, where I parked to get the footage.
We said, if for some reason the car you're tailgating
isn't a regular employee if anything goes wrong if they ask for directions their law who the hell
knows just pull into the construction lot k turn and get out of there it's a little weird but who
cares we'll roast that car we'll switch the car out we we'll regroup. Let's say you're fine. Let's say you get
passed, like you hold your thing up to the guard, and the guard looks at you and says, hey, you know,
do you work here? Do you not work here, etc. You say, no, I'm new here. So if you're bad, you know,
you can social engineer that if you had to. If you say, you know, oh, I'm lost, or is this not the main edge of the
visit? No, I just started. Okay, we'll pull over there. Okay, figure that one out. The last one
was a really slick one. We said, if for any reason you get trapped at the gate, like let's say the
arm starts coming down, and you're like, oh, shoot, I can't tailgate in. We had printed a nearly identical badge.
It looked very similar, but the logo was another company in town.
It was out in a rural area, but it was another big firm
that had a warehouse or something, a fulfillment warehouse in town.
And we said, pretend to boop and say, my badge isn't working, my badge,
and make the guard get out of the shack and walk over,
but she would switch the badge.
And it was on this red lanyard, and she, it's like, my badge isn't,
and so the guard would go, oh, oh, is this the badge you just showed me?
No, I'm sorry, ma'am, this is not, you've got to go down the road another few miles.
You're in the wrong, oh, I just started, duh, sorry.
So we had all these, we had all these little outs.
Okay, this is a lot of work.
Just to get into the parking lot,
Sophie's going to try to drive in.
And it was important that she'd be the only one in the car.
That way the guard doesn't start asking for passengers
to present their badge and get curious
and interested in what's going on.
But through their surveillance, they
noticed the guards never check the trunks of the cars. It wasn't just her in the car. It was Robert
and I were wedged into the trunk of this car because we wanted to get as many people as we
could onto the corporate campus if we could get this to work. So they load up their gear, jam
themselves in the trunk, and off they go, driving towards the facility.
And all we could feel was just the car kind of rocking back and forth. And we judge, okay,
there's some rough bumps. Those are the speed bumps. Okay. And now we stop for a sec. That
must be the guard. Oh, we're moving again. The guard didn't stop her. Okay. And then, okay,
we slowed down a little bit. Oh, we're really moving now. That must didn't stop her. Okay. And then, okay, we slowed down a little bit.
Oh, we're really moving now. That must be the gate arm.
And we're really, we're jitterbugging along for 10 seconds, 20 seconds.
We're like, we got to be through that gate.
We got to be through. I know we're through that gate.
And we eventually hear Sophie's voice like,
it's Hollywood. We're through that gate, boys.
Sophie pulls down the back seat so the guys can climb through the car,
which will take a while.
It's a tight space.
And this is where they split up, though.
Sophie goes right to the front door of the building to try to use her social engineering skills to get into the building.
She was just charming.
She just said, I'm new.
She followed a group of people.
I'm new here.
I just started this week.
Oh, did you get the tour?
She said, no, there was a tour.
We knew that there was a company tour
that somebody posted on social media.
I was like, well, I didn't get the tour last week.
I heard about that.
And this guy who was like,
well, I'll give you the tour, little lady.
So yeah, I mean, he's like,
you should check this out.
He's taking her to place.
And there were a couple other employees,
one of which even turned and looked at her and went, hey, I know it's a tour, but you can't tailgate. You have to use your
badge. And she goes, oh, you're right. And just kind of pretended to boop her badge. And it's not
making a sound, right? We have little, we've have, you know, beep, beep, like on our phones. So if
you need to, everyone's on their phones and you're just kind of,, yeah, beep, beep. And just, okay, then you walk in.
But yeah, one woman literally said, are you trying to tailgate?
And she says, oh, you're right, you're right.
They told us this in orientation training.
But yeah, they took her into the heart of the beast, right?
She was sending signal messages to all of us like, I am in this thing.
With pictures.
Oh, with pictures, day one.
Okay, so while she's making her way into different rooms
and getting a solid lay of the land,
Deviant and Rob climb out of the trunk of the car
and come out of the car.
Climbing out of the trunk directly would be weird,
so they had to sneak through into the car
and then exit through the regular doors to look normal.
Robert and I looked like construction workers.
I mentioned there was construction ongoing at the facility.
So we had our sort of jeans and steel cap boots. We had some high-vis. We had, you know, the helmets
kind of clipped to our belts. If you want to throw a helmet on, you can. And we had tools. We had
workers' tools on us and more in the trunk too. So we just kind of walked around the building
and started, quote, checking doors. You know, checking the handle.
Is this door really locked?
But also there's a little door gap checker.
It's used when I do fire door stuff.
You can, there are tolerances.
This is a quarter inch, eighth inch.
How much tolerance is this door?
You can check it.
The door jams in the top of the door
and the bottom of the door.
So we're just, quote, checking doors
and pretending to take notes on a tablet.
And we're going around
and seeing if anybody left the door open
or could we tailgate in.
And eventually we did.
We tailgated in.
We walked through some spaces.
And between us and another team,
we were able to exploit a similar path.
Now that we know, we're like, well, Sophie got in.
Maybe Drew can do it.
Drew is not quite as charming as Sophie,
but Drew can drive through a checkpoint.
He did.
And Drew was able to tailgate
into the building too. This is where he just waited near a door until someone was going in or out.
And then he just went in after them without having to use a badge. Day one was a success. All three
teams got into sensitive areas and showed their contact how they got in. They took photos and
were able to leave without being detected or caught. So they decided to do
it all again the next day, but this time be a little more sloppy, you know, like standing near
a locked door a little more obviously and actually looking like you're waiting for someone to come
open it for you. And sure enough, somebody did come open it and didn't challenge them and held
the door open for them. Or they might have shouted at someone,
hey, can you hold that door open for me? Thanks.
It was shocking how once we got past that fence line,
we started realizing that no one really challenged us.
Their outer perimeter was very secure,
but it seemed like that was the main layer of defense.
To properly secure a building, you want to do defense in depth
and not just one gate at the front,
but many gates the deeper you're going.
And they didn't encounter that.
So now that they've accomplished all their objectives
by getting into all the sensitive areas that they were tasked to get into,
it was time to step it up a bit or step it down,
depending on how you look at it. We said,
let's just try to be sloppy. Let's just try to like, hey, buddy, hold that door. And, you know,
don't be polite about it. And we're like, man, we just keep getting in everywhere. And we kept
getting into so many sensitive rooms. We're messaging our contacts and we're saying, hey,
you know, we're in here today. You want us to try the third where you want us to try the
this generation building? Okay, try to get in that building. And we're really not getting challenged.
So by the end of the week,
you're like,
we really want to give you
some wins here.
Do you want us to just start
doing stupid shit?
Trying to see what level of noise
it would take to make the employees
at the customer site say,
hey, that's not right.
I should report this to security.
And we were setting off
alerts and alarms at that point.
We were propping doors open with doorstops
that you're not supposed to do.
And if it's held for more than 30 seconds,
then a guard has to come out and go,
why is there a doorstop here?
At this point, we had literally caused headache
on the part of the guards
because we had been putting doorstops in
and holding doors open
and just really kind of, they were like,
what's going on?
Why are the employees being such a pain
these last 24 hours?
This day, at one point, I think I took caution tape
and I propped the door open
and put caution tape all around the door.
And like, do we take the tape off?
Do we not?
What are they working on?
I put a work order on it that's, you know,
because we'd seen other work orders in maintenance areas.
An exit door?
No, this is an internal door to a sensitive machine room.
And the guards were like, do we...
And they had to escalate to a supervisor and say,
no, take the tape down and we'll figure out who left that there later.
And we're still not getting quite caught, right?
We're still...
We were interacting with some guards.
I said, hey, who took the tape off this door?
That kind of, you know.
But they kept seeing our badges.
Okay, so finally we said, what do you want us to do?
We're on a quick three-way call with a customer.
What do you want us to do here, man?
We're really trying.
We're trying to, we're walking up to people saying,
hi, I'm not from this department.
Can you tell me where to go?
No one asked, why are you in here?
And they said, well, you said something once about destructive attacks. You can go destructive.
What can you do there? You said, could you like, could you like drill a door or something?
I was like, I mean, yeah, there are, there are plenty of things we show to other types of entry
trainings we do for first responders or for military. We say, yeah, I mean, we could drill
a cylinder out of the door and then you take the cylinder out and then you can pop the door, I mean, we could drill a cylinder out of the door, and then you take the cylinder out, and then you can pop the door.
I mean, we can do that.
It'll be noisy, and it'll cause some damage.
And they said, yeah, yeah, yeah.
I mean, we'll budget it.
We'll say, here's how much you're allowed to damage,
and try to keep it under that amount,
and let's try it on a door or two if you want.
We'll pay for it.
I said, okay.
So we got out a giant, you know,
I actually went to Home Depot or Lowe's or something, and I bought a big old blue Makita hammer drill with a big handle off the side, and I bought some high-speed steel bits.
And there's footage, there's actually footage that Robert shot with his cell phone of he and I in our high-vis just carving away at this lock in this door.
And our point of contact was really trying to give his people a win.
He's in the sock, and he's watching.
He's watching. He's looking at his people. He's watching.
He said, hey, Chris, can you pull up monitor 17?
Can we center stage that?
And this big scream.
He's like, what's
going on outside building
six? Do we have Sheridan
here? Did you see a work order? Are we
service indoors or something
on building six today? I thought that building was already
stood up. And
you hear the rustling of papers
and people are like, I thought
they had so much work going on from
so many contractors. They were growing so much at this site that someone's like, I thought they had so much work going on from so many contractors.
They were growing so much at this site
that someone's like,
I swear I saw something about that
on the pass off notes.
I think we're doing doors.
I think we're doing doors today.
And he's like, okay.
And he kind of stepped back and messaged us
and said, no, man,
they're looking at you on camera
and you look the part.
What are you going to do?
So yeah, I just kind of dropped the drill where it was, left the door, set off an alarm and I just left the alarm going.
I just walked through, but we were trying everything. We're just setting off like a chain
of alarms until guards eventually came to us and they said, Hey, you know, fella, you know,
stop what you're doing for a second. I was trying to underdoor tool a door and not hiding it at all.
Just Robert, I stand up and I say, so what are you guys doing here?
And they're like, were you working on the side of that building six?
I'm like, yeah, yeah.
There was like an alarm.
That was really loud.
Like, yeah.
So what are you doing?
What are you doing here, guys?
And Robert, again, like back back pocket kind of hand on the letter
thinking this has got to be our ticket is up
and I just
hail married I said what does it look like we're doing
and that broke the
guard's brain he went well
it looks like you're working on
it looks like you're trying to get open this door
here but you
have badges and Robert's
hand kind of comes off the letter. Let's see where
this, the guy's like, yeah, I mean, you work here. You're obviously on the contract team,
but you have a radio because Robert had stolen a radio from a truck. He's like, you can, you know,
you can just call for remote unlock. You don't have to have us come all the way out here and
bother with it. We came all the way from the other side of the thing. So he's like, yeah,
yeah, no, it's the Sheridan guys.
I'm here.
Yeah, yeah, warehouse.
Yeah, can you open the east side warehouse?
The door goes green.
He opens the door.
He's like, yeah, see?
I mean, you can just do that, man.
You must be, you know, don't worry about it.
But like next time, just call, man.
We didn't know what was going on with all these alarms.
He said, oh, thank you.
Yeah, the story continues to get crazier and crazier.
I eventually took a bike because they had corporate,
they had a couple of people who biked into the corporate office.
I took someone's bike and just biked it around the parking lot,
hoping that someone would report a stolen bike.
I took a golf cart and started driving that around.
And they eventually, because again, we had radios,
someone's like, okay, Deve, they're finally onto you.
You're going to have some attention soon.
And I saw these white pickups with guards start trying to find me in parking lots.
They thought I was like a mental case.
They were like, is that the same guy?
No, he's not wearing the high-vis anymore.
Who is that guy?
And I was just, I was rolling around
and there's like, yeah, yeah, crazy guys on a bike.
No, no, no, no, wait, crazy guys in one of our carts.
But it distracted them so badly that I had, it was like, it was like an OJ Simpson pursuit.
I was pursued by these flashing light vehicles.
They couldn't, what are they going to do?
Knock me off a bike?
Try to ram into a golf cart?
You can't cause injury.
So, and a bike can go places that trucks can't.
I would just cut through bushes or cut in between buildings
and then they would have to like spin around
and go driving around the other side
and while I was doing that,
the other teams knocked down every target
again and again and again
and they took pictures with, you know,
standing in all the sensitive rooms
because everyone's eyes was suddenly on crazy guy.
Yeah, at this point,
nobody cared about trying to mask door sensors. We were, it was so many alarms that it eventually was a supervisor who was off site that
day. It was his day off and his phone, his work phone was like lighting up with a light and he
went door 21, door 17, door 17, again, door 17, again, door 55, roll up door seven, six. He's like, what is going on? And he tried to call,
no one would answer. He drove in, he lived in a town over. He drove in, kind of burst through the
doors of the security side. He said, what is going the F on? And he's got a bunch of guys
looking at this, this crazy guy's on a bike, sir. He's like, I don't give a damn about that guy.
Is he at a parking lot? What's all this? And he's looking at all the alerts who's on a bike, sir. He's like, I don't give a damn about that guy. Is he at a parking lot?
What's all this?
And he's looking at all the alerts.
And they go, oh, really?
Something going on?
He's like, look at your screens.
There's all these red entries in Linnell Access.
There's all these failed events.
There's all these door entry events.
He's like, so we heard squawks on the radio start going out that said,
Mobile 6, you watch Bike Guy.
Everyone else, return to your guard tours,
cancel all superfluous business,
challenge all unknown parties,
figure out what, there's more afoot here.
Some guy even said Bike Guy may be a distraction.
And that's what it took.
That's what it took to finally get them
to start challenging our teams.
And that was, at the end,
I just kind of got off the bike at one point
and now these like, all these trucks pull up
and they all jump out and like,
what are they going to do?
Again, they're not cops.
They're not allowed to shoot you or go hands on.
And they went, sir, could you please stop?
And I'm like, I'm stopped.
I'm perfectly fine.
What's going on, fellas?
Having a good day?
And they asked me to sit down.
They don't all have a seat by the curb.
And I said, this might explain it.
And I hand them a letter.
And then some of the guys were former service members. And they said, oh, all right. It's an
exercise, boys. Look. One of the other teams just got in their car and left. And then security caught
the third one and just asked them, are you supposed to be here? And they said, no, thanks for asking.
I've been here all week and nobody's asked me that. With that, their engagement with this client
was over. The client loved hearing all the different ways
that they were able to defeat security that week.
And they worked with security to fix all the things
that they noticed in their assessment.
It was a great training exercise
for everyone involved at the facility.
Wow, so thank you so much for sharing with us
the way you see the world.
Yeah, hopefully some people out there
start seeing it this way too.
It's not a bad way to be.
You don't have to live in fear.
You just live in awareness.
I'm a fan of Amanda Palmer.
She's a cool musician and poet.
And she talks about how it's not the job of the artist
to make you feel joy all the time.
It's actually the job of the artist to take you into the darker places.
And if you've ever heard her music,
she's good at that.
But darkness isn't scary because it's dark.
It's scary because you're alone.
And I like to remind people
that if we go into these dark places in our world
with friends and allies and peers and loved ones,
you realize that the dark isn't that scary because
it's dark. It's just because you didn't know what was in there. And that's why I like to bring people
into the darkness with me and realize it's not that scary and they can learn from it and they
can be improved by it. A big thank you to Deviant Olive for coming on the show and sharing these stories with us.
You should be able to easily find him online by just searching his name pretty much anywhere,
Deviant Olive, which is spelled O-L-L-A-M.
He's on YouTube, Instagram, Mastodon, Blue Sky, and Twitter.
Or you could just look on his own website, which is deviating.net.
I'll have all these links in the show notes.
Just check the description of this episode. The show is made by me, The Tarnished, Jack Reciter. Editing and
assembly by The Omen Killer, Tristan Ledger. Mixing by Proximity Sound. And our theme music
is by the dreamlike Breakmaster Cylinder. And even though the only dates I get are updates,
this is Darknet Diaries.