Darknet Diaries - 157: Grifter
Episode Date: April 1, 2025

Grifter is a longtime hacker, DEF CON organizer, and respected voice in the infosec community. From his early days exploring networks to helping shape one of the largest hacker conferences in the world, Grifter has built a reputation for blending deep technical insight with a sharp sense of humor.

Learn more about Grifter by visiting grifter.org.

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Support for this show comes from ZipRecruiter. ZipRecruiter has solved the hiring problem. Employers prefer it the most for so many reasons. Let’s start by telling you about their matching technology. They work hard to find the best candidates for your needs, and will instantly show you results once you post a job listing. ZipRecruiter will speed up your hiring process. See it for yourself at www.ziprecruiter.com/DARKNET.

This show is sponsored by Material Security. Your cloud office (think Google Workspace or Microsoft 365) is the core of your business, but it’s often protected by scattered tools and manual fixes. Material is a purpose-built detection and response platform that closes the gaps those point solutions leave behind. From email threats to misconfigurations and account takeovers, Material monitors everything and steps in with real-time fixes to keep your data flowing where it should. Learn more at https://material.security.
Transcript
Man, last DEF CON was wild. It is up there.
Was like one of the top ten best moments of my life, and I don't think I ever told you about what happened.
See, DEF CON is an annual hacker conference in Las Vegas, and it's my favorite conference in the world.
It's just so inventive and fun and brilliant and weird.
DEF CON is just built different. Like, of course there's talks and places to get hands on doing hacking.
But at night, most conferences just shut down.
Not DEF CON.
DEF CON goes all night long.
At night, they clear out the chairs and the lecture halls and they turn them into party
spots.
And there's not just one party going on.
There's like a DJ in track one, and there's an arcade set up in track two, and there's
nerdcore rappers on stage live in track 3.
Keep walking and you find even more parties around the conference.
It's an adventure to find all the things happening, and that's just at DEF CON.
There are literally dozens of other parties all over town too:
hotel room parties, bar meetups, pool parties, and
vendor parties. The vendors sometimes spend over $100,000 on a party by renting out a whole nightclub and giving out free drinks and food to their
customers. With all these parties, I got to thinking, you know what? I should throw a
party. A Darknet Diaries party. Now you might be wondering, Jack, I heard you're a private
person and nobody really knows what you look like. That's true. Well then, how do you go to these conferences
and meet people?
Ah, here's my secret.
I wear a disguise.
I put on a big black hat, dark sunglasses,
and a bandana over my face.
I kind of look like an old time bandit in this costume,
and it's perfect.
Nobody knows what I actually look like,
and I can still meet hundreds of people if I want.
In fact, I've worn this costume so much that everyone seems to know me when I wear it. It's my brand. It's my look.
And when it's on, people stop me all the time and say hi and talk with me. It's great. I love that.
I can't walk 10 feet in DEF CON without someone shouting my name and saying hi. But when I take
that costume off, nobody knows it's me. And suddenly, I'm an anonymous face in the crowd, and I love that anonymity is my default
state, and I can turn on the notoriety whenever I want.
I don't want people to know what I look like so that I can live a nice private life.
I love the attention I get from this show, but I also love that I can turn it off when
I want. So my big idea for this party at last DEFCON was to step up that anonymity even more.
Everyone knows I am the guy with the big black hat, the sunglasses, and the bandana around
my face.
What if I gave everyone that same costume when they came to my party?
That way everyone is Jack Rhysider. I pitched the idea to DEF CON. They accepted it and
showed me which ballroom I get. I rounded up 20 of my friends and we had it all planned. We had
four DJs, two video DJs, and so much more. It was great. I ordered 800 black hats, sunglasses,
and bandanas, and the party got underway. The room filled up instantly. 400 people came pouring in
through the door, and they were all given these costumes,
and they put it on, they played the game.
But the real test was, could any of them find me
in this crowd now where we're all wearing
the exact same costume?
Amazingly, no.
I was extremely hard to find.
Actually, some people came in, looked all over for me,
couldn't find me, and then left, and then tweeted,
I just went to Jack Rhysider's party, he wasn't even there.
And I was going up to people and I was asking him,
hey, where's Jack?
And nobody knew.
I tried to convince a bunch of ladies, like, hey,
I'm actually the real Jack Rhysider.
And they just laughed at me and walked away.
It was amazing to have all these people come to my party,
but I just had this very calm and happy and serene kind of
experience to it because I could just float through the
crowd and enjoy it without being mobbed by everyone.
That usually happens.
And I wasn't even maskless.
This is my party and no one can find me.
It was hilarious to me.
But it didn't stop there.
I thought, you know what?
I want to put my fans to the test.
I believe that my fans, you, the listeners of this show,
are the best, sweetest, nicest people in the world.
And I want to prove that.
I want to somehow be vulnerable to them,
to give them a huge amount of power over me,
and to see how they react to such power.
I want to give them so much power that they could ruin me, and I want to see if any of
them abuse it.
And so I thought, okay, I'm here at Defcon.
What's the worst idea I can come up with to do in this party?
And it hit me.
Let the party attendees control my Twitter account.
Sheesh, if everyone looks like me already, you might as well be able to tweet as me too,
right?
So I set up this If This Then That trigger so that when you text a phone number, it automatically
tweets what you texted it.
No moderation.
No filters.
Just trust.
Well, I couldn't figure out how to
get photos to work, so it was just text. And I did block URLs, kind of the one thing I
blocked. And yeah, we set up a projector on the wall and we had a live feed of my Twitter
and it said, text this number and it will tweet as Jack. And people texted, holy cow,
dozens of texts started flying in, but the automation kept up and
it just tweeted every one that it got.
People were testing it at first, just seeing if it was real.
Like someone said, meow, and someone said, does this work?
And then people started writing their names up on there.
David was here and I love you, Andrea.
And then ASCII art started showing up and memes started getting posted.
I was real nervous watching the screen, but a bunch of people were standing around watching
the tweets coming with me.
They had no idea it was even me.
And they couldn't believe that Jack was so stupid enough to hand over his Twitter to
Defcon.
I mean, they're right, you know.
Of all the places to do that, Defcon is the worst.
These hackers deface anything for fun and delete and destroy stuff.
This is a terrible idea.
I'm gonna get cancelled.
Something is gonna be posted that is going to be absolutely awful for me.
But like I said, it was a test to see how awesome my fans are, to be vulnerable with
them and to see if they abuse that power.
And you know what?
They didn't disappoint me.
I think the spiciest tweet I saw was, I'm so horny right now.
But after a couple hours and hundreds of posts to Twitter, Twitter rate limited me.
And they ruined the fun.
They busted the party and blocked me from tweeting for like 24 hours, which I think
is a fitting way of ending that whole experience.
Like it went out nicely.
I didn't get banned.
I just got pretty limited.
But by that point, the place was packed.
And word got out of which one was me, and I was just surrounded by people, and it was
great fun, we were having a blast.
But what I didn't know is that there were another thousand people in line trying to
get into this party.
And I know it was a thousand people because someone grabbed a box of pencils, I had a
thousand pencils in the box, and handed one to each person in the line
and they ran out of pencils by the end. We ran out of everything. Hats, bandanas,
stickers, sunglasses, bracelets. I think I met 1,500 people total in that weekend
because I brought 1,600 bracelets and I gave them all away.
Defcon is known for long lines but there were so many people in line for my party that
even DEFCON told me they have never seen a line that long for a party ever.
And that line was possibly the longest line of the whole conference that weekend, barely
being longer than the merch line, which is always super, super crazy.
We eventually couldn't hold them back anymore.
We just opened up the doors and let it rip and it was a madhouse in there. And I think the party
went on for like six hours all night long and I used every drop of energy I
had. But man was it worth it. That was the best time I've ever had at
DEF CON. And you know, to this day I still get people sliding into my DMs on
Twitter asking,
why did you say this tweet, man?
And they're mad at some hot take I had or something.
And when I look at the tweet, I wonder, I don't remember ever saying that.
But then I look at the date and I see that it was posted on August 10th, 2024.
And that was the night I will never forget.
And it always puts a big smile on my face
whenever I see a tweet from that day.
This is Darknet Diaries. This episode is sponsored by ThreatLocker.
Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving
your business's sensitive data and digital assets vulnerable.
But imagine a world where your cybersecurity strategy could prevent these threats.
That's the power of ThreatLocker's Zero Trust Endpoint Protection Platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyberattacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every
action, process, and user unless specifically authorized by your team.
This least-privileged strategy mitigates the exploitation of trusted applications and ensures
24-7-365 protection of your organization.
The core of ThreatLocker is its Protect Suite, including application allow listing,
ring fencing, and network control.
Additional tools like the ThreatLocker Detect EDR,
storage control, elevation control,
and configuration manager enhance your cybersecurity posture
and streamline internal IT and security operations.
To learn more about how ThreatLocker can help mitigate
unknown threats in your digital environments
and align your organization
with respected compliance frameworks, visit
threatlocker.com. That's threatlocker.com.
This episode is sponsored by ZipRecruiter. Speed dating, it's not something
I've done, but I can see the appeal, right? You turn up, talk to a bunch of
interesting people, and decide after if anybody really
caught your eye.
And if you're a business owner, you might wonder if you could set up the same kind of
thing only for hiring.
You get to meet interesting people, qualified candidates all at once at a time that suits
you.
What good news?
You can!
And it's ZipIntro from ZipRecruiter.
You can post your job today and start talking with qualified candidates tomorrow.
Try ZipIntro for free at ziprecruiter.com slash darknet.
ZipIntro gives you the power to quickly assess excellent candidates for your job via back-to-back
video calls.
Simply pick a time and ZipIntro does all the work finding and scheduling qualified candidates
for you.
Then you can choose who you want to talk to and meet with great people as soon as the next day.
So easy.
Enjoy the benefits of speed hiring with new ZipIntro,
only from ZipRecruiter, a top hiring site based on G2.
Try ZipIntro for free at ziprecruiter.com slash darknet.
Again, the website is ziprecruiter.com slash darknet.
ZipIntro, post jobs today, talk to qualified candidates tomorrow.
Grifter, how'd you get that name?
So I always cringe a little bit when someone asks me this question because like many nerds
out there, I used to read the dictionary as a kid.
I looked for interesting words, words that I liked, and the definition that I came across
of Grifter was, a person at a circus or carnival who runs freak shows or games of chance.
And I was like, ooh, that's badass.
And then it said again, also the more widely known, a con artist.
And I was like, also cool, I'll take it. So yeah, so I started using it for names on like video games.
I would put in Grifter.
You grew up in New York?
Yeah, Long Island.
And what was computers like for you growing up?
I was, you know, I grew up part of the Nintendo generation.
So I was really into video games
and my parents are divorced.
My dad and live with his brother.
And so his brother, my uncle, was a computer tech back in the 80s, so he had a computer.
And I have ADHD on a fantastic level, but sitting in front of the computer or putting
electronics in front of me was one of the things that could keep me still and so he encouraged me to do that as often as possible.
I started playing games on the computer which eventually led to my first online experiences
which were dialing into pirate bulletin board systems to download pirated games.
Back then you were really, really lucky
if you had a computer at all in your house.
Nobody understood how they worked,
and they were very expensive.
And the problem with pirated games
is that they're riddled with malware and viruses.
So Grifter would download a pirated game, install it,
and then suddenly his uncle's computer was all screwed up.
Of course, Grifter didn't want to get in trouble
for messing up the family computer,
so he sort of had to learn by fire how to troubleshoot the problem he caused.
And this forced him to skill up at understanding computers.
He wasn't just a user anymore.
He was becoming a super user.
Yeah, I think that's the thing is like we were forced to learn a lot of different things
at those ages because we had to learn a little bit of everything.
Like it wasn't just done for you.
Like even being able to get online at that time alone required a certain amount of skill,
like in order to configure a modem and dial the right numbers and get everything put in
correctly and connect to different, BBS software required different settings and stuff.
And because it was like that, it meant that there was an assumption that if you were online,
that you were an adult.
I could post things and nobody knew that I was 10 years old.
And I really liked that.
But Grifter was quite a mischievous troublemaker,
and he gravitated towards the darker parts of the Internet.
So the pirate bulletin board stuff and posting on there
eventually led to somebody on one of the BBSs saying like,
hey, just based on the stuff that you're posting,
I think that you would really be interested
in this other bulletin board.
And they posted a number and I dialed it up
and it was a hacker BBS.
And I went crazy, basically. I thought it was the best
thing ever. I read everything on that BBS, like all of the text files about, you
know, the different systems that were out there, you know, basic commands for
different things. Like I was like fantasizing about operating systems I'd
never, you know, contacted before and being like,
oh I can do this, I can do this. And it wasn't just different operating systems,
it was, oh the computer viruses and like how to write a virus and do all these
different things and I was fascinated by it and I just loved all of it and that
was it, I was in.
I know exactly what he means by being in. I got on bulletin board systems too when I was young,
or BBSs, and it was strange and weird,
and I didn't get it, so I didn't enjoy it.
But when I got in AOL, I found some chat rooms
where a bunch of people were just talking
all at once in real time, and that blew my mind.
I was instantly hooked on chat rooms
and would spend countless hours just talking
with tons of people.
That's when I fell in love with the internet.
I was in.
I soon discovered IRC after that,
and I've been in ever since.
And living where I did, I thought like,
okay, well, I'll probably never leave New York, right?
Like I didn't, the idea of like traveling the world and doing things like that was as foreign to me as those
places were.
But a computer changed all of that.
I could dial into a system and hop from one to the next to the next across networks that
were traversing undersea cables and ending up in other countries
I never thought I'd get to travel to and I thought well if I access a system
let's say in Amsterdam I know that when I do that and I'm interacting with that
machine, the lights on the modem or network card are flashing, and the hard drive is spinning up because I'm accessing files from there.
And in my 12 and 13-year-old brain, I felt like I was there.
Like it was my way of touching a place that I didn't think I'd ever make it to physically.
Like I knew that it was in a closet somewhere and nobody could see it, but somehow and in some way, I was physically affecting that environment.
So that's what he was up to online.
But in normal life, in the meat space, he was constantly getting in trouble.
So growing up without a lot of money, in an area where people didn't have a lot of money,
I would say I wasn't a good kid.
I've been trying to make up for it ever since. But we did crime. I shoplifted like crazy. I ran
every scam you could run. We would steal cars. We would break into cars and steal stereos and
speakers. I lived near a marina. We would go rob the boats. Like, we'd break into houses.
We fought people constantly for fun, like it wasn't...
Okay, tell me about one of these fights.
Okay, so I like fighting.
Like, I like physical fighting.
I don't know why. I think it's just something...
I enjoy it. I know that makes me sound like a psychopath,
but I like facing off against somebody else and seeing where you come out on it. At the time, it was just we would get
in fights with either random people or people from like, you know, rival gangs, that kind
of stuff where it was just like, okay, you're in some part of town that you're not supposed
to be in. I just get into fights. I'd go pick a random fight.
I'd fight two people at once.
I would just, I liked fighting.
And a lot of my friends were the same way.
And sometimes we would just go out
and just get into as many fights as we could get in.
He says the area he was in had a lot of this stuff happening.
As a kid, if that's all you see,
then you kind of assume that's what everyone's
like.
I thought that was like normal. When I watched TV and I saw the types of things that you'd
see on like, you know, the Disney Channel or something like that, some Disney Channel
original movie, I was like, that's fantasy. Like this is a fantasy world that people wish
existed. I didn't realize that there were people who grew up in towns that one looked
like that or that people behave the way that they did. I didn't know any different,
right? I didn't know that it wasn't normal to like walk home at night and if a car is
coming like dip behind a tree or a telephone pole because you might end up hurt, right?
Like you might end up in a bad situation. Like I didn't know that that wasn't a normal thing. And so it was in part survival. And another part you like make a reputation
or get a name for yourself where it's like, oh, okay, well, yeah, don't get in a fight
with him because you'll lose. My thing was like, I can take a punch and I can get hit
a lot. And it's really hard to knock me out.
Grifter's world was rough and to get ahead it felt like you had to break some rules.
There was a chain of stores that are kind of department stores like a Kmart type of thing
actually or something like that where a couple of friends we'd all go on a Saturday and we'd go out
to the store and we'd do like
the barcode swapping, like so sticker swapping. So you just go out, swap the sticker on something
so you'd see like a crystal bowl and then there'd be another glass bowl and so you'd
take that and you'd swap the price tags on it. So the glass, the crystal bowl that should
be $300, you go buy for $30,
and then you swap the tags back, and then you go return it.
And we'd just go out on a Saturday,
and we'd hit like seven or eight stores,
and we'd go buy it at one store, return it at the next one,
buy some other stuff at that store,
go return it at the next one, go do stuff like that.
And for a small crew of people,
we were pulling in some pretty decent money.
None of my friends were into computers at all, but I was. And so I knew how to do some things that
they had no knowledge of, like carding is what we called it back in the day, which is basically just
really identity theft and like credit card fraud.
And then order a bunch of stuff like computer parts or clothes or different things and get
them shipped or mailed to abandoned houses.
I just leave a note on the door that said like, hey, UPS guy, like not home, please
leave the package under a blanket.
So that was something that my friends wouldn't know how to do naturally
that I kind of taught them, right?
Like, here's how we do this, and then we can make some money.
And so then we had essentially stolen goods that were sent to us,
and then we would just...
Some of the stuff we got that we wanted to keep and other things
were things that we would then go and resell and get money that way.
He was ordering things like Tommy Hilfiger jackets,
fearless shoes and other street wear at the time.
So he was looking fresh everywhere he went.
And he would sell it for cheap too.
He'd be your hookup.
And of course, along with this lifestyle came drugs.
So he dabbled in that, partaking in it himself for a while.
But then he quit.
He didn't like how it was ruining his brain.
He saw his brain as a very important thing
that he didn't want to lose.
But he saw that other people were doing drugs
and he saw this as an opportunity to make money from it.
So he sold it.
I did all this like physical like meat space,
like crime, normal crime during the day.
Like I was like just a, like I said, kind of a,
kind of a shitty person, like a shit kid
doing all this random stuff.
But at night, I was still completely wrapped up
in the hacker world, right?
But then, eventually, I was just breaking
into different systems, and I got into a system
that ultimately turned out to be a large credit card provider, a
credit company.
At first he didn't know he was in a credit card provider. The
internet's a dark place. You don't always get to see where you're going and
hacking back then was barely even hacking.
And that's the thing that is
different about the time that we grew up in versus I
think what we have with like hackers now is that we do talk about these things
like they're massive achievements. Like it's like, oh, when I was a kid,
I broke into NASA. And it's like, when you were a kid, you logged into NASA.
You just had to know an IP address or a phone number to connect to you.
And if they had security at all, it might ask you for a username.
But it didn't always.
Like, you could just type anything in and it might let you in.
Or you could just wait and it might just time out and then let you in.
It wasn't hard to hack back then.
But nobody knew what they were doing.
So it kind of was hard because there weren't tutorials on how to do any of this stuff.
So if you just tried enough places, you might end up finding something that did let you
in.
And that's how he got into this company, a credit card provider.
And while he's in that network, he was looking around to see what files were there.
And he found some training manuals for how to process a new credit card.
So basically, after someone passes their credit check,
an employee at this company needs to issue them a card.
And this training manual shows exactly how to do that.
And so here Grifter is inside the company,
inside the computer that is used to internally create
a new credit card for a customer.
And he has the tutorial on how to process it.
And I went looking for the database,
and then when I found it, you know,
it was not too difficult to then figure out
what I needed to fill in and where.
And the initial one was I was just like,
I wonder if I could do this.
I wonder if I put in, if I fill in these fields,
if I could get them to send me something.
And I filled out the fields appropriately.
I put in an address that I had been using
as a drop for some of the carding stuff.
And then I waited and then a couple, I just watched that house and I'd check the mailbox
and you know, every couple days or something to see if anything had been delivered.
And eventually, I one day I opened the mailbox and there was an envelope in it
from the credit card company
and it had a card in the name that I had put
and I was elated and horrified in equal measure.
I was like, oh my gosh,
it created this kind of excitement mixed with panic
because I was like, ooh, this is real crime.
Like this is actual bad.
Even though all of the other stuff was real crime,
something about that made it very real to me,
like holding it in my hands.
I remember running home,
going into my room, opening up,
holding the card in my hand,
and then just being like,
Oh my gosh.
He laid on his bed and just held it up staring at it.
His very own credit card and one he doesn't have to pay back because he put a fake name on it.
And the credit card company has no idea who he is to try to come after him.
And the letter said there's a $5,000 limit on this card.
Wow.
After daydreaming about it for a day or two, I realized you can't ever use this.
Like you're not going to be able to walk into a store in a mall at, you know, 15 years old and walk up with your credit card and buy whatever.
Like it just didn't seem, I didn't realize also that people, there are kids that did
that in other places in the world.
But I just thought there's no way anyone's going to believe that you should have a credit
card.
So I just sat on it.
But I was like, I wonder if that was a fluke, let me see if I can do it again. Again, I sent another one to a different house and again it showed up.
And I was like, okay, I've got something here, I'm not quite sure what,
because I know I can't use these. What can I do with them?
There was a guy he knew, the dad of one of his friends.
And this dad was part of a group that did organized crime.
Like in New York, fireworks were illegal,
but this dad would have Grifter and some other kids
go around and see who wanted fireworks,
almost like they're going around selling Girl Scout cookies.
And then you put your order in of what fireworks you want.
And then a few weeks later, Grifter would come back and deliver the fireworks to you.
In fact, this guy was so into organized crime
that he was often hanging out with mafia type people
and had connections to some pretty serious criminals.
Because I knew that he had some connection
to like actual criminals,
like I approached him and said, like,
hey, so I can do this thing where I
can get access to credit cards with higher limits on them and I don't want to use them.
I don't want to be on camera in stores.
I don't want to do anything.
Is that something that you or, you know, your people would be interested in?
And he was, and he was like, yes.
He just said to me, yeah, yeah, I would.
And I'm like, okay.
And he's like, let me talk to some people or whatever.
And he's like, what are we talking here?
And I'm like, I don't know, $5,000, $10,000,
whatever, whatever.
And he's like, let me find out what I can get you.
And then he came back and said,
oh, well, I need to know it's real.
Do you have something to prove it? Da, da, da, da.
I said, sure.
Got him one of the cards that I'd gotten.
And I was like, that one's $5,000.
And he's like, well, I can give you 10% for that.
And I'm like, okay.
So I get 500 bucks?
And he's like, yeah.
And then he peeled off $500 bills and said, this better work.
And I was like, it'll work.
And then I was terrified because I was like, what if it doesn't work?
Oh my gosh, right?
But so I was like, don't spend the money, right?
Like, don't spend the money.
But now I'd been handed money for something that I was like, okay, this is like, this is actually a little bit nerve wracking, but it worked. Right. And then he came back and he was
like, okay, great. Can you do it again? And I was like, well, I already have, I have one right now.
He's like, all right, go get it. Right. And I went and got it. And then I gave it to him. And then
he, and he peeled off another 500 bucks. And he's like, just come to me whenever you got it.
And I was like, all right.
So Grifter logged back in to the credit card company
and processed another card under another fake name,
and that was going to another abandoned house.
And this was making money for him.
But this guy wanted more, much more.
And Grifter would get into arguments with him saying,
man, if we do too much, they're gonna know and they're gonna shut us down, but
if we take it slow we can keep things going for a while. And Grifter was right.
He would only give himself a new credit card every two weeks, and that allowed him to keep it going for two whole years.
I don't know how long that worked because I eventually just stopped doing it. Like I, about 17 years old, I decided that I needed to get out of my town.
Was sitting in the back of my friend's car and he said,
just wait until we're like 25.
We're going to own this town.
They said, own what?
Are you kidding me? Holy shit. If I'm still here when I'm
25, you guys kill me. I was like, oh my gosh, I have to get out. I have to get out of this
town. And so I didn't have money, right? I didn't have a way to pay for college. I didn't
have a way out. And a common response to that is I went into the military. What?
You went to the military?
This is a, this is a, I would not expect a life of crime, hacking, drugs, and then suddenly
military.
Yeah, this was a massive shift in my brain and I just said like, I have to go and I have
to do this immediately.
And while I was still a senior in high school, I signed the papers, man, and committed to go.
My parents had to sign me over because I wasn't 18.
And I went into the military when I was 17 years old.
So as soon as I graduated, I went into the Air Force.
And that was an incredibly eye-opening experience for me
as well, because right into basic training,
I met people who they'd never been in a fist fight before. Right? And I was like, how? Like, I just,
it could not comprehend how. How did you not run your mouth at some point to a level that
somebody wanted to put their fist in it? And then I'd hear the stories about how they grew
up and I was like, what? My mom tried to raise me like with morals and whatever.
And I did pretty good in some areas
and really poorly in others.
But the Air Force core values are integrity,
service before self and excellence in everything you do.
And I took that to heart.
I didn't even really know what integrity meant at the time.
Like I'd heard the word,
but I didn't really know what it meant.
And essentially to me, the way that I took it
was it's like doing the right thing,
even if nobody's looking, right?
And I was like, okay, do the right thing,
even if nobody's looking, great.
Service before self, okay, so put others before you.
Always try to put others before you, okay,
I'll try to do that.
And then like excellence in everything that you do,
that was something that my mother had already instilled
in me as well, where she was like, if you're gonna be, she's like, I don't care what you are, if you're
going to be something, be the best at it, whatever it is, you're going to grow up and
you're going to be, you know, janitor, be the best janitor there is, you're going to
be a surgeon, be the best surgeon there is.
But if you're going to put effort into something, if you're going to spend your time on it,
be the best, right?
And so like those like those core values,
those like Air Force core values really like took hold
and the military was really good for me
because it like forced me to be an adult.
It put me in a situation where it was like,
oh, you have to, you can't just tell somebody
what you think of them just because you think it,
you can't swing on someone because they mouthed off to you.
You have to show up here on time and you have to come ready to do the hard things and all whatever.
The military was super, super good for me.
He got stationed in Utah and in the Air Force he was assigned to fix F-16 avionics.
He wanted to do computers, but you don't really get a choice. They just tell you what to do.
But it was cool to sit in a cockpit and swap out instruments and he was even deployed
to the Middle East for a while. But after a while, the whole thing was starting to
frustrate him.
If there's anything that just riles me up, or a pet peeve of mine,
it's inefficiency, and the military is really inefficient. So I would be like,
hey, if we change this process, it would save us this many hours and probably this many parts and all this sort of whatever.
And they would be like, just do it the way the Air Force tells you.
Like, and I hated that.
Oh, I hated it.
And then also, in a lot of cases, you get rank because you've been there longer or you
test better than other people.
It's not about leadership experience.
And so you'd have to take orders from people who were making poor decisions.
And I just couldn't do it.
I was like, one, I can't keep my mouth shut.
Two, like I just, I can't handle it like as a person.
And so I was like, I've got to get out.
And so when I got out of the military, I only knew how to do two things and it was work
on F-16s or break into computers.
And so I was like, okay, well, I guess I'll go back to breaking into computers.
Stay with us, we're gonna take a quick break,
but when we come back, we have to break some new computers.
Now, Grifter was stationed in Utah. And one state over from Utah is Nevada, where the
biggest hacker conference in the world is DEFCON.
So I knew about DEFCON from the first DEFCON, but being poor and being like 14 years old
or something when DEFCON started, I was like, well, my parents are never going to take me
to Las Vegas and I can't afford to go there myself.
It was like a month or two months before I was separating from the military.
DEFCON 8 happened in 2000 and I was like, screw it, I'm going. Military be damned, I'm going to go.
And so I did. I went out to DEFCON and, you know, met my people. Essentially, it was great. It was
incredible experience.
What makes you connect with the people at DEF CON?
So yeah, I'd been to small hacker meetings before, but going, and at the time it was probably, I don't know, there might have been a thousand of us or something like that at DEF CON, if that.
I love the fact that you could just,
anybody could be talking about anything, you could walk up to somebody and be like, what you guys talking about? And they'd start talking about something and whatever it was, it was interesting. Like,
you know, there was something interesting, or there'd be people crowded around a table
with like computers and like some electronics or something or whatever. And they're like,
oh, we're trying to get this thing to do this. Like, I had this idea in my head that I was like,
oh, man, if we could actually take all these people
and stick them on an island and just be like,
here's the problem that we have, can you solve it?
That there was nothing that couldn't be solved.
And so I knew, I knew from that first time I went
that I would always go to DEF CON, that that would be it.
I felt the same way.
The first DEF CON I went to was DEF CON 17, and that was back in 2009.
And yeah, the place feels magic.
It's electric.
It's amazing.
And I was hooked from that first visit, and I've been going for 15 years now.
At Defcon 8, a buddy of mine had brought 20 t-shirts or something that he had brought.
And I was like, what's the t-shirts for?
And he said, oh, I'm going to sell the t-shirts when we get there.
And we road trip down, right.
So he was like, I'm going to sell the t-shirts when we get there.
Twenty bucks a piece.
And that will fund my weekend.
So it'll pay for the hotel.
I'll get to eat really good or whatever.
It'll pay for DEF CON.
And I'm like, oh, what a cool idea.
So the next year I decided I was going to make t-shirts, but I
don't do anything halfway.
And so I was like, okay, well, I'm going to get a table in the vendor area.
I'm going to make a t-shirt.
And I got a, had a really nice design put together and I ordered 320 t-shirts, 20 to
trade to friends and to other t-shirt vendors and 300 of them to sell.
So I took them down and we sold them all in the in the vendor
area. It was a really nice design so they were gone and I was like sweet like I just made a bunch
of money like off of selling t-shirts and then I met Russ Rogers. Russ Rogers is one of the
conference organizers and asked Grifter to goon next year which basically means to volunteer to
help with the conference. There's a lot of different types of goons.
There's crowd control goons, speaker assistants, technical support,
and other things like helping with the vendors or contests.
But at the time, everyone had to start at security,
which is like crowd control and checking badges.
And there are massive lines at DEF CON,
and someone has to keep them all in check.
So he took the role of goon and was part of the DEFCON staff.
At DEFCON 10, I was a security goon,
and then at DEFCON 11, I went and I was a vendor goon.
And yeah, and then I've been a goon ever since.
So from DEFCON 10 till now this year will be DEFCON 33.
Gosh, that's 23 years of being with DEFCON at this point.
And because of his attitude of being excellent
in everything he does, he quickly started taking on
more responsibility at Defcon.
I started doing things like I ran the Defcon forums
with another guy who went by Nulltone.
The two of us were the administrators
for the Defcon forums.
At the same time that I was gooning,
I was a vendor as well.
I never stopped selling T-shirts, so I was a goon, a vendor. I was administrator
for the DEF CON forums. I ran the DEF CON scavenger hunt. Oh, and then starting at like
DEF CON 10, I started speaking. So I spoke at DEF CON 10, 11, 12, 13, or whatever. And,
and so I was busy, right? And then somewhere in there as well, I eventually started running
all the technical operations for Black Hat.
Black Hat is another hacker conference in Vegas, and it's happening the same week as Defcon.
And they're both started by the same person, Dark Tangent.
But Blackhat has an entirely different vibe over there.
It's more professional and corporate compared to Defcon.
I describe it as, at Blackhat, there are tons of companies all there saying,
hey, if you buy our products,
it'll make your company safe and secure.
Well, at DEF CON, the overall message is, everything is vulnerable, nothing is safe
and secure, and here's how to hack anything.
So Blackhat, you see more people wearing collars and even ties.
Well, at DEF CON, everyone just wears all black.
Cargo pants are common, mohawks are common, and wires and antennas are sticking
out of everyone's backpacks. So Grifter started volunteering at both conferences.
I got busy fast, right? And then I had a day job on top of it. I did become, I guess, part
of what would be considered to be like the Defcon inner circle, right? Like where it's
like, okay, we need to decide what Defcon's vision is gonna be,
what direction are we gonna go in,
what are we gonna, like coming up with new ideas
to keep Defcon fresh.
Like I came up with the idea for Defcon groups.
So Defcon groups is hacker meetups that happen
in different cities and different countries
all over the world.
They are very similar to the 2600 meetings that I used to go to like when I was younger and
the reason that we kind of departed from from 2600 was
because they they started to get political and kind of let their
politics get involved in like they were like telling hackers like you should vote for this person or vote for and I didn't like
that I didn't like the idea of of like, yeah, vote this way. And so I approached Dark Tangent, Jeff Moss, and said, like, hey, I
don't like this about the way that 2600 is going. Defcon has a lot of clout, you know,
we could probably do something like that and we'll do it by area code and we could just,
you know, we'll come up with a name for it or
whatever.
And he's like, I love it, love the idea.
Talk to Russ, again Russ Rogers, and he's like, yeah, let's do it.
We came up with all the like ground rules and concept and all whatever and the structure
for it.
And then we started running DEF CON groups, our meetups, I think it was February of 2003,
I want to say.
And it was Salt Lake City and Colorado Springs, which is where
Russ is from.
So we had DC-801 and DC-719, and those were the first two DEFCON groups, and we ran them
until DEFCON, and then we announced DEFCON groups at DEFCON, and it spread like wildfire.
DEFCON groups has grown to over 100 chapters worldwide, and they're typically really cool
people who go to these things.
A lot of people ask me,
hey, how do I get started in cybersecurity?
Where can I find a mentor?
And I always recommend them to look to see
if there's DEF CON groups in your area.
It's a great way to meet people who are super passionate
about cybersecurity.
And I attended one just the other day and it was great.
I met so many cool people.
I mentioned all of the stuff that I did previously, right?
So it was like DEF CON administrator, Vendor, Goon,
running the Defcon Scavenger hunt.
Oh, we also ran the Defcon Movie Channel.
Like it was a lot, I was doing a lot.
And I said to DT after Defcon 13, I was like,
I'm gonna stop Gooning.
Like, it's just too much, it's too much. And he was like, please don't, you know, he's like, don't,
don't stop, like, what's the problem?
I was like, I'm just burning out, I'm, like, I can't run
all of these things.
He was like, okay, well, how about this?
He's like, we're moving to a new venue next year, and it's
going to be at the Riviera, and he's like, and there's this
space that are there,
these skyboxes that overlook the convention floor.
And he's like, I think, you know,
what if you were like in charge of what,
like whatever we put in that space?
Like you can just, there'll be a small portion
of the conference, you can do whatever you want with it,
like come up with something cool that people will want to do.
And I was like, okay.
He's like, I'm sure people want to have parties
or whatever, and I'm like, okay, great.
So he goes to the Riviera,
the place where DEF CON is going to be held that year.
And he looks at the space
and tries to decide what to do with it.
It's a cool set of rooms, they're up high
and they overlook the whole conference.
And like I was saying in the intro, DEFCON has a lot of parties.
Conference goes on all day and parties go on all night.
In fact, there's so much going on at DEFCON, it's actually hard to remember to eat and
shower and even sleep.
It's the best conference in the world.
So of course, these skybox rooms are perfect party rooms.
But that's a nighttime thing.
What do you do in them during the day?
And which parties are going to be up there?
And that's when Grifter got the idea.
He posted on the DEFCON forums,
we have a place for you to host a party,
but if you want the space, you have to fill the room
with something cool during the day.
You can't just come party at night.
And the first ones to say, okay, we'll do it,
was TOOL, the open organization of lockpickers.
And they were like, we want one of those skybox spaces so we can have a party.
And we'll come in and we'll put out tables and we'll put a bunch of locks on the tables and we'll teach people introductory lockpicking
and we'll bring all kinds of examples of things to bypass and we'll just we'll show people how to do it.
And I was like, great, that sounds awesome.
And then it was, again, it was Russ who said,
hey, I'll get some folks
and we'll set up a hardware hacking area,
and we'll have people come in
and they can learn how to solder,
and learn how to do basic electronic stuff,
and we'll teach them how to do that.
And I was like, great. 303 was like, we'll do talks, but we're gonna do talks that
aren't allowed to be recorded, that you can't have your, like, phone out, you
can't, nothing, like nothing can be, like, it doesn't exist, right, type of thing. And
I was like, that sounds cool, let's do that. And so that's how the villages
started. The first ones to call themselves a village was the Lockpick
Village.
Not only is that where Defcon Villages was born, but it's also where
Sky Talks was born. That name came to be because there were talks in those skyboxes
at the Riviera. Because all the Defcon talks are recorded and posted to YouTube,
but Sky Talks is where no recordings are allowed, which allows people to give
talks that are more secretive or maybe even incriminate themselves.
I've probably been to a dozen of these Sky Talks and I've heard some pretty wild stories.
But what's more is Sky Talks has kind of made its way into many other conferences
where there's a smaller room off to the side and no video or recordings are allowed in there.
So that idea also has stuck and spread.
So the next year when it came around, the hardware hacking people called themselves
the hardware hacking village.
They adopted the name village from the Lockpick village.
And then another group started the Wi-Fi village,
and they just immediately adopted the name village
with theirs too.
So they started calling themselves the Wi-Fi village.
So the second year, so DEFCON 15,
we had the Lockpick village, the Wi-Fi village, and the
hardware hacking village.
And then that concept of having these broken out areas spread to other conferences, people
were like, oh, we're going to have a lockpick area.
Oh, we're going to have whatever.
And they started calling them villages.
And so the village concept or those little community areas that you see at all
of these other InfoSec and conferences and stuff all came from people wanting to throw
a party in a skybox at DEFCON 14, and then the villages were born.
Now, when Grifter first started getting involved with DEFCON, everyone only knew him as Grifter.
And that's the thing about this conference is it's not unusual that people just know you as your alias
or your hacker name.
And nobody even questions it.
If you say you're Grifter, then you're Grifter.
Nobody's going to be like, oh, that's funny.
What's your real name, though?
No, Defcon folks are different.
They get it.
Privacy is important for all of us.
I had been Grifter, like I said, basically,
I picked that name when I was about eight
years old and I used it in the hacker community and nobody knew my name.
When I went to hacker meetups, 2600s, when I, anything I did, no one knew my name.
I had no online presence at all and I was proud of that.
People didn't know who I was.
And then at Defcon 9, my wife at the time, my ex-wife, she came with me and I had said
something to her and she was selling t-shirts.
And I said something to her and I was like, all right, I'll be back in a little while.
And I walked away and I started walking away and I got a few tables away.
And she said, oh, wait, Neil.
And I was like, oh, like it, like, oh, and I turned around and the look on my face must
have just been like, oh my gosh,
like, are you kidding me? And then she, and I'm like staring at her and she goes, oh, sorry,
Grifter. And I was like, oh my gosh, 'cause now even people who weren't looking
like turned their heads and were like,
what? Like, and then there were guys that I'd known seven, 10 years
and they were like, your name's Neil?
And I was like, yeah.
They're like, huh, you don't look like a Neil.
I'm like, cool.
Like, I was like, oh my gosh.
So that anonymity, like to some degree,
like it flew out the window.
So after a while, Grifter got put in charge
of running the WiFi and network at Black Hat,
that other conference that's happening in Vegas
the same week as DEF CON.
They call it the Black Hat NOC,
which stands for Network Operations Center.
And I should say, even though Black Hat and DEF CON
happen the same week, they don't actually overlap.
Black Hat is like Monday, Tuesday, Wednesday, Thursday, and Defcon is Friday, Saturday, Sunday.
And I should also mention that there are many other conferences happening that same time
as well.
Like there's B-Sides, which is a big one, and it's on Wednesday and Thursday.
And there are other ones happening around town, like there's Toxic Barbecue, which is
where a bunch of people meet up in a park and barbecue.
And there's a Defcon Shoot, which is where people go to the desert and shoot guns.
And there's just meetups like all over the place like Diana Initiative and QueerCon.
At any given moment during that week, there are 50 things happening and it's overwhelming
and awesome.
So anyway, Grifter was tasked with setting up the Wi-Fi at Black Hat, which you can imagine
trying to get a Wi-Fi network up and usable at a hacker conference is challenging.
Yeah, it is. It's actually incredibly difficult, but it's also super satisfying to do it.
It makes it fun. You're going up against multiple different types of attacks ongoing
throughout the conference at different times, trying to hit you in different ways,
people learning new things and getting creative. Like we've had stuff where like somebody discusses
a vulnerability for a piece of equipment
that we're using at the conference
and we've got to scramble to try to make sure
that the network stays up because they just told
500 people in a ballroom how to do something
against a piece of equipment that we've got
running in the NOC.
We call it the Black Hat NOC because it is a NOC.
Like, it is...
We replace every router, every switch, every firewall,
and every access point at whatever venue we go to.
So now that's Mandalay Bay.
It's the Marina Bay Sands in Singapore,
and it's the Excel Center in London.
But we bring all of our own equipment
because it allows us to have control over the environment,
mitigate attacks if they come.
We can't be opening a support ticket.
Oh yeah, the hotel wouldn't have a chance against us,
would they?
Not a chance in hell.
What do you tell them, just shut it all down while we're here?
Yeah, we actually do.
We just say, please shut the Wi-Fi in these areas.
Yeah.
And so, yeah, it's an interesting challenge.
You think that they'd want to hire you
to set up their Wi-Fi to be resilient against stuff like this
and say, wait, just leave what you have here
because we'll just use it from now on.
Yeah, they're getting better.
Again, it's like years have gone on and stuff.
They're getting better, not to the point
that we're willing to let them run things.
Because again, we call ourselves the NOC,
but we are a full-fledged SOC.
We have every piece of equipment
that a modern day security operations center has in there.
And when we initially started out,
we were running everything with like open source,
hardware, open source scripts and software
and commercial stuff that you could just buy at,
like, Best Buy, right?
Yeah, their budget was very small at the beginning,
but if you go to Black Hat,
one thing you won't miss is the expo floor.
I went last year and I was blown away
at how big it has grown.
This is a room where if you're a cybersecurity vendor,
you can set up a booth there and pitch your products
to people who are walking through the conference.
I walked through and it took me hours and hours to just try to walk past every booth
and just read their name.
It felt like it went on forever.
Every cybersecurity company in the world seemed to be there and there must have been hundreds.
So as this Black Hat NOC grew, it needed more sophisticated equipment.
And Grifter wondered, with all these vendors here, would any of them let us use their gear
like just for the week?
And so we were like, well, what if we went down to the expo floor and we approached some
of the vendors and we say, hey, if you'll let us use your equipment or you'll give us a
software license, we'll put your logo like the program that says you help partner with the Black Hat NOC.
We go up to the first vendor that we wanted to talk to.
They're like, yeah, oh, absolutely.
And they were like, when?
Like now?
Do you want equipment?
Do you need people?
And I was like, this response was on a level that I wasn't prepared for.
And so I was like, I think we might be onto something here.
And they were like, we'd love to help support it.
We'll give you whatever you need.
And I just looked at Bart and I was like, let's go shopping.
So him and Bart, the other guy who runs the NOC with him,
realized that every vendor would love for them
to use their equipment for free
because each vendor would love to be able to say,
we're trusted by Blackhat.
If a hacker conference uses our equipment,
surely that's got to mean something.
And this made building the Blackhat NOC even more fun,
knowing that they could just walk down the hall
and get any equipment they wanted to help secure this network.
That's cool.
And once vendors heard that Grifter was doing this,
they started begging him to use their equipment.
We've been offered money from vendors before where they're like,
we'll cut you a check, like personally, not to Black Hat.
Like they're like, hey, Grifter, I'll cut you a check for 100 grand
if you'll put our stuff in the NOC.
And I'm like, why don't you take that $100,000
and invest it in your product and make it better and maybe I'll choose it?
And I say that for two reasons: one, because I'm a dick, but two, because
integrity, right? I mentioned that earlier. It's like, no, like you can't buy my, like, you know,
influence in this space, right? Like, I choose what I believe
are the best technologies to go in here to do the job.
And if you want to be in here, be better.
And then maybe you'll be in here.
Of course, Grifter sees tons of crazy things
on the Black Hat network.
Like speakers might be on stage demoing an exploit
and it'll trigger all kinds of alerts in the NOC.
A normal NOC might freak out seeing that kind of stuff coming from inside their network,
but Black Hat realizes, oh, that's fine, since the speaker is just demoing the exploit on
stage.
Or sometimes they'll see a vendor release a patch and attendees are trying to reverse
engineer what was fixed in the patch and they'll find a new vulnerability and they'll start
attacking with it the same day the patch is released.
So they've got to hurry up and patch everything as soon as a new patch comes out.
Or sometimes they see students in classes doing illegal things on the Wi-Fi and of course
Grifter will go in there and warn them, hey, you shouldn't be doing that stuff.
And then there are things where it's just folks who are, they think they're secure and
they show up to Black Hat already compromised and we look for stuff like that.
Again, it's an incredibly modern security operations center.
People will get on the network and they're immediately
beaconing out to known C2 or they're hitting malicious sites
or doing whatever and we will go and look and be like,
okay, is this something that looks like it's part of a lab?
Is this something that happened when they first got on?
And so people will often say,
oh, don't get onto like the Black Hat network
because you'll get attacked. When I honestly think in reality, more people leave secure
than they do compromised from Black Hat, because we're looking for it. And if we see any kind
of communication to known C2, if we see crypto mining activity, or we see clear text credentials
coming from a device, we send a captive portal
to that device that is doing it.
They'll get a pop-up the next time they go to browse to something that will say, hi,
this is a message from the Black Hat NOC.
This device is showing signs of communication to known command and control servers.
Like if this is expected behavior, you ignore this message.
If not, please stop by the NOC for more information
and they'll come by and we can show them packets or logs or whatever they need to let them
know like, hey, you actually showed up compromised.
They've even seen speakers on stage who are showing signs of infection on their laptop
and then they have to go and wait for the speaker to come off stage and then say, hey,
by the way, your computer's very infected.
Okay, I'm going to ask you some stories about DEFCON.
Is it true that someone rappelled off the roof to try to sneak into a party at DEFCON?
What happened was a year at the RIV, the year of the skyboxes, we had different parties
in different skyboxes.
And at some point, one of the organizers of the party actually, like, he,
he came up to me and he was like, hey,
so we picked the lock on the closet and
there's a panel in there and if you open that panel we can get on the roof. And
I was like, I
don't want to hear about it.
I don't want to hear about it. I was like, all right, and then I left.
And then a bunch of people went up on the roof and they basically like extended the
party up onto the roof of the Riviera.
And there was a whole bunch of folks hanging out up there.
And this was just the conference center.
So we're not talking like 20 floors up, they were probably 30, 40 feet up, whatever it was.
And some people going in and out and all whatever and then at one point security showed up.
The way that I understand it is somebody went off the roof in order to avoid security.
Multiple people got caught by security though.
And they were asked to leave the property.
They got 86'd on Saturday night.
Is it true that people will put malicious ATMs around DEF CON
to steal people's money?
It has happened.
I don't know how often it happens, but it has happened.
Somebody brought an ATM in on a dolly.
They rolled it in on a dolly and set it up
like in the like lobby area of the convention space,
like trying to get DEF CON attendees.
That was also at the Riviera.
Is it true that there was a federal agent
who was there to try to arrest hackers or spy on hackers or learn from hackers, whatever, but got so impressed by what they were doing
that he quit his job as a federal agent and switched to the dark side?
Oh, I haven't heard that one.
You're going to have to tell me that.
That's wild. Is it true that there's a secret room at DEF CON where you can buy Zero Days?
I don't think there's a secret room.
Maybe that was true in the past.
And it wouldn't have been a secret room.
It would have just been like, you can talk to this person.
And I know who the person is, but I won't mention their name.
I'm sure those kinds of things still go on.
Everybody could get together and have a conversation in a place that was kind of like a demilitarized
zone for hackers.
Yeah. Yeah. Demilitarized zone for hackers. That's a really interesting way of putting
it. I agree. Yeah. Is it true that every year hackers take over an elevator at some hotel
and trap someone in it?
Um, I don't think they trap people in it.
We have definitely taken over elevators all the time.
I actually got a talking-to from, this is, this is actually
happening at Black Hat.
Um, it was right after the Mandalay Bay had installed the card reader.
So that then you had to tap your room key
to go to your floor.
I was messing with it, because that's what we do,
and I knocked the cover off of it,
and underneath it was, there was an open pin out.
But I was like, oh cool, we could probably connect to this
and get to any floor we want.
I'm like, that's wild.
And then I ran my thumb across the pins,
and it shorted out and the light blinked green
and I could tap any floor.
And so I took a video with my phone really quickly where I just ran my thumb across it,
it blinked green and then I tapped like four different floors.
The video was probably six to eight seconds long, I mean, super quick. And I just posted it to my Twitter and said like, oh, solid whatever system they've got
going on in the elevators.
And seriously, within five minutes, my phone rang.
And it was the head of security for Mandalay Bay, who we work with because we're in the
SOC and stuff.
So we have meetings with them and tell them the type of stuff we're seeing and
all whatever, and he's like, Grifter,
he's like, you're supposed to be on our side.
And he's like, will you please take that down? And I was like, I can't.
And he is like, no, please take it down. And I was like, I'm sorry, I can't. I've already posted it.
It goes against everything, like, I believe, as far as like, it should be better than you
should call whoever installed that system on the elevators
and make it better.
And he was like, ah.
And then he like, he hung up and he called me back.
And he was like, OK, look, I talked to this person
mobile a lot.
Would you be willing to take it down for X amount of time?
Oh, and then he said the words I didn't want to hear, which he
was like, under responsible disclosure, you have now let us know
that a vulnerability exists, please give us time to fix it.
And I was like, damn it.
So I deleted the tweet.
He played your game.
Yeah, he totally did, he totally did.
And then, and so yeah, so I took it down and they fixed it.
Is it true that someone set the pool on fire one year? Set the pool on fire?
Yeah, like there was smoke coming off. Oh, no, no, it wasn't fire.
It was a massive amount of liquid nitrogen. So it was at DEF CON
eight, nine or ten, somewhere in there. It was at the Alexis Park, this pool too, and
the beverage cooling contraption contest
had done their cooling contest out by the pool
earlier that day, and a lot of people had liquid nitrogen.
They just, that was the go-to,
how they're gonna make it cold fast,
and then they took all the containers of the stuff
that was left over and put them
in the little pool house like area that was next to the pool just for storage and then
when it was at night there was like a party going on out there and like one of the guys
was like oh shit we've got all this liquid nitrogen let's see what happens. And they just dumped like gallons and gallons of liquid nitrogen into the
pool. And it was awesome. And it made this cool like steam like effect. There's some pictures of
it out there somewhere. Like another year, then the next year they did it again. And a bunch of
people threw blocks of dry ice in to try to like, you know, increase it. Like, of course,
like everything, we'll try to one-up ourselves every time.
After decades of going to hacker conferences,
there are hundreds of stories like this that Grifter has.
It's truly a unique experience,
and you never know what to expect when you go.
I once saw Will Smith at DEF CON,
and Deadmau5 was just there last year,
just walking around, checking the place out.
I am what I consider, or what I define myself as, as a high-functioning introvert.
So I can get on stage in front of 10,000 people and crack jokes and have a good time and all whatever,
and it's fine. I can go out into the hallway and have an inflatable dinosaur battle with my friends
and have a blast. I can act like a complete lunatic for the entire
time that I'm in Vegas with my friends and it's great. But then I crawl into a cave and recharge
for weeks afterwards or I go back to my hotel room. Even during DEFCON, I did it a couple times this
year where it's like, I'll just go to my room and lay on the bed. I actually did that right before
your party this year,
where I was like, I'm just gonna go back to my room,
I'm gonna take a shower, I'm gonna lay on the bed
and play a game for a little bit,
and then I'll go out and be social.
Black Hat used to have a thing they called
the gala reception, which was basically just drinks,
and it was like an open bar, and it was a couple of hours,
and all the attendees were invited,
and you'd just hang out and chat.
And I was in my room after like, you know, volunteering all day and I was like, oh, I
don't want to go to this thing.
I forced myself to go and I walk into the reception and I hear some guys that are near
me mention a book that I had just read and I stopped and I was like, oh, that book sucks.
And like, and the guy kind of
chuckles and he was like, oh yeah, why?
And I was like, okay, well,
the structure of it is this, it's lacking this,
it doesn't talk about these things, blah, blah, blah.
This book is better if you're looking at that topic.
And he's like, oh, okay.
So I was like, hey, it's been a pleasure
chatting with you guys.
You know, it was nice to meet you.
And the guy was like, wait, let me give you my card.
And he hands me his card and he was
the vice president of the publishing company,
whose books I had just been eviscerating for the last 45 minutes.
And I just looked at him and I was like, oh, and he was like, oh, and he's like,
hey, look, man, I really appreciate all the candid feedback.
And he's like, like, I want to put you on a list that I have where like, when we
put out a new book, we'll just automatically send it to your house.
You let me know what you think of it, or whatever.
That's, you know, would you be down to do that?
And I was like, absolutely.
Well, that relationship grew stronger
between Grifter and this publisher,
to the point that the publisher asked Grifter,
hey, if you were to write a book, what would you make?
And Grifter said,
there should be a book on how to defend your network
by attacking back at the people attacking you.
Which I think is ridiculous.
Defenders can't be on the offense.
They can't be aggressive.
But he was pitching this idea and the publisher was liking it.
I was like, look, dude, I don't know how to write a book.
I don't know how to do that or whatever.
And he's like, that's fine.
We got editors.
We'll teach you.
He's like, why don't you do it with like a few other authors, just co-author it,
then you can break it up into chunks. You'll act as the technical editor
and make sure that everything is legit. And I said, yeah, I'd like to do that. Fine,
let's do it. And then I picked a few of my friends that I wanted to do it with me.
And when I gave him the list of friends, he was like,
these are some pretty heavy hitters,
are we going to get these people?
And I'm like, they're just my friends, like, I don't know.
And so it was like Dan Kaminsky, Bruce Potter,
Pyro, like, you know, Chris Hurley.
He's like, all right, let's see what we can do.
And all of them agreed to do it.
And then we put out a book,
but that was the thing about putting out a book,
was I was like, am I really just gonna put Grifter
on the cover of this thing?
I was like, I cannot publish a book
and not put my name on it.
For me personally, it was like,
I wanna see it on the shelf in a library
and be like, that one's mine.
So I made the decision that I was gonna put on there
Neil Wyler, AKA Grifter.
And that was it, man. The cat's out of the bag.
So the book is called Aggressive Network Self-Defense.
And for 10 years, I was a network security engineer and I had read quite a lot of books.
And this one never showed up on my desk.
And I think it's because I wasn't interested in aggressive self-defense at the network.
This is crazy.
This is a crazy book.
Aggressive self-defense network style.
What is in this book?
Well, it was essentially like there's this thing that we deal with as defenders, like
every day within these companies we work for and as individuals, where you're being attacked
constantly, right?
And you're like, when do I get to swing back?
And because of my upbringing, right?
Because of the way that was, I wanted to swing, right?
And so I didn't like the idea that we were in this defensive position where somebody
could not just poke us in the chest, because like getting port scanned was like getting
poked, right?
It was not a big deal, somebody looks at you sideways,
gives you a dirty look.
But it's not just getting poked,
they're full on attacking you,
and you just have to go, well, how do I block that?
How do I make that stop?
How do I do whatever?
Or they break in and you just go,
oh, I've got to get them out.
And in my head, I was like, stop them for good.
Like, cut them off at the knees.
Attack what they're attacking you with.
And like, and I would get so much heat from people
about that because they were like, well, you don't know
if you're actually attacking some grandma's computer
because it's not, you know, it's a jump box.
It's not likely that the person that you're attacking
is that that's their machine.
And I'm like, yeah, but then let's get rid
of their resources then.
If we knock the machine that's doing the attack offline,
then the attack stops.
And that's what I'm concerned about
because they're costing us money
by launching these attacks against us.
They're costing us time, they're costing us stress
and all these other things.
So if I don't care if it's some grandmother's computer,
I need it to stop attacking my network because it's eating up bandwidth, it's eating up cycles
of my analysts, it's eating up all this stuff. It's like, okay, you've lost control of your
machine and I need that machine to stop attacking me. So I'm going to send it to the bottom of the
digital ocean. That book is 20 years old at this point, so it's useless, but it was fun to do.
All this experience running the Black Hat NOC
has given him a very sharp skillset
to be able to detect and stop
some of the most crazy attacks ever.
Volunteering there gave him fantastic experience,
which gave him great opportunities in his career.
So now I recently took a position at a company called Coalfire as the VP of Defensive Services.
Prior to that I was with IBM's X-Force for three years running their global threat hunting program.
Prior to that for the seven years before that, I was at RSA Security, where
I started and ran their threat hunting program around the world. So I spent a lot of the
last over a decade at this point really focused on threat hunting, on going in and finding
attackers when they've already bypassed your security and they're in the environment. So
I would go into a company and I'd sit down with their security team and I'd be like,
tell me about your environment. And they'd be like, well, we have these technologies
that are deployed in these ways. Our network set up this way. This is how we do these things.
It's segmented this way. We have this, we do this, blah, blah, blah, blah, blah.
And I go, okay, great. If it was me attacking you, I would hit you here, here and here.
So let's go look and see if somebody did that.
And then we'd go and see if they were attacked somewhere
or got breached somewhere.
And in the decade plus that I've been focused on hunting,
we always find something, whether it's an active attack
or it's evidence of a previous attack
or it's an employee who's doing something outside of policies or whatever.
Of course, I wanted to hear a story about a threat he found in the network.
We were doing an engagement where we were asked to come into a really large financial organization
and myself and another hunter, Pope, you know, Pope.
Pope and I went out on this hunting engagement.
I do know Pope. He's the organizer at SAINTCON in Utah. Fantastic conference. You should definitely go if you're in Utah. So him and Pope go to this client. It's
massive. And they have huge security teams there. No expense spared to keep
this place secure. Which has to be stressful, you know, to walk into a
company with this level of security and you're expected to find things that they didn't already find?
So he sits down with their director of security and starts looking through the traffic.
He's looking for protocols that shouldn't be there, or outliers.
And he sees FTP traffic in there.
FTP is the file transfer protocol.
It's just a way to move files from one place to another, but it's insecure and has mostly been replaced by more secure protocols now.
It's like there's a really low number of FTP sessions, so we could go through those fairly
quickly and he goes, oh, we don't use FTP. And I was like, well, great. Like this is
a good example then because we can go through this really quickly and he was like, no you
don't understand, we don't allow FTP, there are no clear text protocols.
And I was like, okay, well that's great, but it's here, it's here, I can see it.
And I was like, so why don't we just look at it and he's like, all right.
And we look and it's FTP traffic going to a host name,
not even an IP address, but a host name that ends in .ru.
I mean, we're not even trying to hide, right?
And I was like, is that normal?
He's like, no.
And I'm like, okay, well, let's see what's happening.
And it's like, okay, it looks like it's sending out
these files at like one o'clock in the morning.
Do you want to see what it's sending?
And he's like, yeah.
And so we just did file extraction. Like it's a zip file even like,
not an encrypted container, just a zip file. I'm like, well,
I can't open it because it's not my company, but you can open it if you want.
So he opens it, he opens it up, he looks at the document,
and then it sounded like somebody punched him.
Like this sound came out of him like this,
like the wind just got knocked out of him and then he closed it. And he goes, you didn't see that.
And I was like, okay, well, just out of curiosity, what didn't I see?
And he was like, that is every financial transaction and trade that we've made in the last 24 hours.
And I was like, oh, so bad.
And he's like, how long has that been going on?
And I was like, OK, let's take a look.
And we start digging into the logs.
And they only had six months' worth, which was wild.
That connection to an FTP server in Russia, the IP address
was also geolocated to Russia.
So we're like, okay,
it looks like that's where it's going. That happened every night at one in the morning
for six months. And that's as long as we had logs for. So we were like, who knows how long
that's been happening. And this is an organization that has hundreds of people on their security
team, 30 plus people actively working in a SOC just down the hall,
all of the different technologies that you could possibly ask for,
but they had tunnel vision because they were like, we don't use that, so we don't even look.
Now you would think that if something like FTP is not allowed in their network,
that there should be a firewall rule blocking it.
I mean, that's exactly what a firewall's job is, to block network traffic that shouldn't
be allowed.
And who knows, maybe they did put a block in at some point.
But it wasn't blocked now.
Maybe a new rule superseded the FTP block rule.
Or maybe someone accidentally took out that FTP block rule.
These firewalls can sometimes have hundreds of rules of what's allowed or not allowed.
And it's confusing to know exactly what it's doing sometimes.
But what's more is how did these file transfers get triggered?
It must have meant that someone got in this network and set up an automatic script to
scrape the data and send it out.
That's scary!
To realize that someone did that in their network right under the nose of their 30 engineers
all looking for that threat?
How did this hacker get in and how do they get them out?
There's millions of things to do once you discover something like this and it feels
devastating to experience it.
It really does feel like you're getting punched in the gut.
And you know, as I think about this story, this is one of those typical "I heard it at DEF CON"
stories, which, here's Grifter telling me,
so it practically is like something I heard at DEFCON.
But it's one of these stories that I hear
that was never told publicly.
A major finance company was hacked
and every financial trade was being spied on
by some foreign entity.
That sounds like a big deal.
And I wonder what the fallout would be
if that story were to go public, you know?
Like would there be lawsuits?
Would the government slap fines on them?
Or to think, how bad does that company not want that story to go public?
And what drastic lengths might they take to hush it up and keep it quiet, you know?
I have a dream about this show that one day someone will tell me a banger level
story that would be huge news when it gets published.
Some wild whistleblower type thing.
That would be fun, wouldn't it?
I mean, I've heard some pretty insane stories that would be really big news stories if they
came out, but the people
who told it to me, I promised I would never repeat it. But I think it's
just a matter of time though that a story does come across this show that
really makes some waves someday.
But, like, the threat hunting thing was great. Like, I ended up, I wrote a
framework with a friend and that created some really cool opportunities.
Like we, you know, consulted, you know, Congress and like NATO.
Like I've gotten to consult foreign governments, some of the largest companies in the world.
It's a strange space, this Infosec space, because we're like hanging out with criminal hackers.
Like you were a criminal hacker and then you become this consultant for Congress and governments, and you're there to stop
the bad guys, and you're there stopping threats.
But at the same time, you're going to DEFCON, which is where you're meeting even more hackers
and more criminals, hackers.
And I don't know of any other thing that it, we're just as friendly with the bad guys as
we are with the good guys,
as it is with cybersecurity.
Yeah. It is kind of a... It is a weird world that we live in.
And I think ultimately the thing that ties it all together is that we like to learn,
we like to chase, we like to hunt.
Cybersecurity is an incredibly stressful field to be in,
but it also is incredibly
satisfying as far as like the cat and mouse game that we play, about the opportunities
to learn new things, about how one day you wake up and everything is fine and the next
day a vulnerability drops and somebody has exploit code for it within hours and everybody's
hair is on fire. And when those things happen, when those moments come and everyone's freaking out,
I don't know, something about that situation
just makes me go, all right, game on.
I got really, really lucky.
The thing that I started doing when I was 11 years old
because I thought it would be cool,
turned into a career that allowed me to, you know,
put food on the table for my kids,
put a roof over their heads, and has allowed me to travel to all of the places that as a kid
I used to go to only digitally because I thought I would never get to go there.
A big thank you to Grifter for being so gracious and kind to give me his time in his busy schedule
and to talk with us like this.
He has so many more interesting stories and I feel like we barely got started with him.
I mean, I've had dinner with him a few times and I've heard so many more and they are hilarious.
I mean, you can imagine all the shenanigans going on at DEF CON and Black Hat every year.
He's given a ton of talks at conferences.
So if you want to hear more from him, just go to grifter.org and you'll see tons of stuff that he's done. Real quick before you go.
Do you know that you could have 11 bonus episodes of this show in your ears right now?
Yeah, 11. All you got to do is support the show
I did the math less than 1% of you support the show and that's cool
No shade because I love making stuff and giving it to you for free.
So I'll keep doing what I love. But man, when people do pitch in and give me a little something
back, it feels damn good. It's like one of those hugs that feels extra genuine. And you can feel it
long after it's over. So please consider supporting the show. Visit plus.darknetdiaries.com. I'm just asking for
you to buy me a cup of coffee once a month. Actually, I switched to matcha, but you get
it. This episode was created by me, the space bar, Jack Rhysider. Our editor is the key
master, Tristan Ledger. Mixing done by Proximity Sound and our intro music is by the mysterious
Breakmaster Cylinder. My girlfriend, she said she needed more space, so I got her a 4TB drive.
This is Darknet Diaries.