Darknet Diaries - 160: Greg
Episode Date: July 1, 2025Greg Linares (AKA Laughing Mantis) joins us to tell us about how he became the youngest hacker to be arrested in Arizona.Follow Greg on Twitter: https://x.com/Laughing_Mantis.SponsorsSupport ...for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.This show is sponsored by Red Canary. Red Canary is a leading provider of Managed Detection and Response (MDR), helping nearly 1,000 organizations detect and stop threats before they cause harm. With a focus on accuracy across identities, endpoints, and cloud, we deliver trusted security operations and a world-class customer experience. Learn more at redcanary.com.This show is sponsored by Miro. AI doesn’t have to be intimidating—in fact, it can help your team thrive. Miro’s Innovation Workspace changes that by bringing people and AI together to turn ideas into impact, fast. Whether you’re launching a new podcast, streamlining a process, or building the next big thing, Miro helps your team move quicker, collaborate better, and actually enjoy the work. Learn more at https://miro.com/.
Transcript
Discussion (0)
Hey.
Wait a minute, I don't see you.
Yeah, my tape is usually over my camera.
I caught my tape on my camera.
One second.
I can't even hear you.
You can't hear me?
There's a story I had that I totally forgot about, but I remembered recently and I wanted
to call up my dad and walk through it again with him to try to remember how it went.
Yeah.
I want to recollect a story with you.
Yes.
Because as I tell it I don't think people will believe it so I figure you
can verify that this is true.
Yeah.
All right so do you remember my senior year at high school?
Okay.
I had my own car then. I was like mentally
done with school. I did not want to go to high school anymore. I was just sick of
it. I just had been there too long and I had one elective left and I said,
what is the easiest possible class I could take? Do you remember what I chose
as my last elective in my senior year? It was either welding or typing, I can't remember.
Typing, yeah.
But typing, how fast could I type as a senior in high school?
At least 99 words a minute, very extreme.
Right, so choosing that as an elective.
Oh.
That's the easiest class ever.
That's going to be a walk in the park.
I was happy for you.
Senior year.
Here's the problem though.
The class was the first period of the day.
840?
840, yep.
And so I had to be at typing first class of the day.
And yep, the class was real easy.
And when I got there, I was like,
oh good, this is just a beginner typing class.
I can type super fast.
So I'll tell you what I'll do
is I'll finish up my lesson in like 10 minutes.
I could do this whole,
all the stuff you guys are doing today,
I'll do it in 10 minutes and I'm done.
And so I even worked ahead.
I said, hey teacher, can I go on to the next lesson?
Sure, sure.
And so I would do like a whole week's worth of work
on Monday.
And then I would help out some of the other students
and stuff.
I mean, I think I was the star student in that class.
Of course you were.
But once I got ahead enough,
I mean, do you know what my morning routine is?
Am I a morning person?
I probably woke you up at 830 and said you have 10 minutes.
You could not wake up.
Yeah, I had trouble waking up.
So, um...
You had narcolepsy or something.
I did, yeah, that was... I used to use that excuse all the time.
You did.
So I would get to school late on this typing class and I thought, no problem, I'm a perfect
straight A student in this typing class, I'm helping the other ones, all my work is complete,
I don't think it's going to be an issue if I'm 7 minutes late, 10 minutes late, that's
fine.
And so I would show up late consistently to this typing class.
But yeah, well, um, the teacher didn't like that.
And she said, you can't, you can't come in late like that.
I have to send you to the principal's office.
If you come in late one more time, you got to come in on time.
This is like your fifth time being late.
I said, yeah, but I'm getting all the work done.
What's the problem?
And she said, no, no, no.
If you come in late again, I'm gonna have to report you.
And so the next day, I couldn't get it together.
You tried waking me up again and I was late.
And she said, that's it.
You gotta go to the principal's office.
And the principal didn't wanna see me,
but the vice principal was there.
And he said, what's the problem?
I said, no problem, I'm doing. And he said, what's the problem?
I said, no problem.
I'm doing well.
He said, well, the report here says that you're late.
So this is your senior, you know.
If you get late too many times, you're not going to graduate.
Oh, my.
I said, listen, have you looked at my grade in this class?
He said, that doesn't matter if you're late, no, it should matter.
Listen, I think your priorities are all screwed up.
If I'm acing this class,
if I'm getting it all correct,
and if I'm helping the other students and I'm
a value add to the class in general, not just myself,
then don't you think that I should be
graduating with that sort of work ethic?
He said, no, it has everything to do with being on time.
It has nothing to do with the work ethic. You he said, no, it has everything to do with being on time. It has nothing to do with the work ethic.
You have one more chance.
And if you, I'm gonna be there tomorrow.
And if you are late again this year,
you are not gonna graduate.
I said, really?
You're gonna hold me back just for being late,
even though I have perfect grades.
And the next day, of course I'm late.
I could not get it together.
And the vice principal was standing at the door when I arrived.
And he said, that's it.
You're late.
This is the last straw.
You failed this class.
I said, how would you, why would you do this to me?
It's not like I'm struggling with this class.
This class is easy.
I've got it nailed.
I'm like three weeks ahead of every other student in the class and he said, I don't care. You
can't come to school on time so therefore you're you're fail. Fail. And so
they wanted to hold me back a year, a whole year of high school and not let me
graduate. No, you're only missing a half a credit at that point
if you didn't graduate.
You could have went to summer school
and picked up a half a credit.
That's right, I could have.
But you did something else.
So when I brought this news home to you and I said,
listen, I'm not gonna graduate this year,
your brain started going into overtime
and you started thinking up of solutions. Yeah, here's a couple of things. One, after you
got thrown out of the class, I noticed you didn't go to school when I'd wake
you up in the morning. I'm not even sure what was going on. You'd say, don't worry
about it, Dad. I can get in there. Second's the second period. I've got to be there.
So that.
But third, your social engineering wasn't 100% yet.
That was your problem.
You should have done a lot better with the assistant principal and the teacher.
Oh, yeah.
But you saved me that year.
Of course I did.
I don't know how you came up with the idea, but you found me an extra half credit.
Well, you one time switched high schools
for I don't know, four weeks or something.
You didn't like those kids,
so you went back to the original high school.
Which by the way, it was less than a mile from our house.
I don't know how you were ever late, less than a mile.
Yeah, it was very close.
So I knew you were at that other school.
I went over there and one of my kind of best friends
played sports together and things.
I said, do you remember my son Jack?
Yeah, yeah, nice kid.
Was he in your PE class?
Yeah, yeah.
I said, you never gave him credit for that.
He said, oh man, this is so hard.
Credit?
I said, I don't even gotta give him credit,
but you gotta get it done before graduation.
You got like six days.
He just said, I don't think I can do this.
I said, no, you go to the registrar,
you put his name down. Well, he said, you owe me big time.
And somehow, magically, he gave you a C for P.E., sent it over to your high school.
And that's really not the end of it.
The end of it was graduation at your high school.
Yeah, and so that sorted it.
Now I was back on track to graduate and everything was fine.
I went to the ceremony, I sat in the stands, and then what had the ceremony go?
The assistant principal, your arch enemy, he's the one handing out the diplomas.
The same guy who told me I can't graduate.
Yeah, just six days before you're not graduating. And now he calls your name, you come up, he looks at the diploma, stares at you.
I didn't think he was going to hand it to you.
And then he grimaced and gave it to you.
And there you have the diploma with the missing half credit.
I think the statute of limitations ran out and all that.
So I won't be kicked out of school
Permanent record they'll go on my permanent record this one. Oh, no
Yeah, yeah, so that was quite the all because of the typing
Yeah, so do you still not a type?
Yeah, I do but do you know know how to type? Yeah, I do.
But do you know how at this point?
No.
I've never had a job in 40 years where I needed a typewriter computer.
Never needed one.
Or a cell phone.
I'm analog all the way.
These are true stories from the dark side of the internet.
I'm Jack Reisider.
This is Darknet Diaries. This episode is sponsored by Threat Locker.
Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving
your business' sensitive data and digital assets vulnerable.
But imagine a world where your cybersecurity strategy could prevent these threats.
That's the power of the ThreatLocker Zero Trust Endpoint Protection Platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyberattacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity,
blocking every action, process, and user unless specifically authorized by your team.
This least-privile privileged strategy mitigates the exploitation
of trusted applications and ensures 24-7-365 protection
for your organization.
The core of ThreatLocker is its Protect Suite,
which includes application allow listing, ring fencing,
and network control.
Additional tools like the ThreatLocker Detect EDR,
storage control, elevation control, and configuration manager
enhance your cybersecurity posture and streamline internal IT and security operations.
To learn more about how ThreatLocker can help mitigate unknown threats in your digital environments
and align your organization with respected compliance frameworks, visit threatlocker.com.
That's threatocker.com
This episode is sponsored by Miro. Every other day there's something in the news about AI taking over everything, especially people's jobs. But Miro has a solution. Miro's Innovation Workspace.
Miro has been empowering teams to transform bold ideas into the next big thing for over a decade.
And now they're supercharging your team's potential by combining it with the power of AI.
Miro's innovation space helps teams be more effective.
It turns rough ideas, anything from loose notes to screenshots,
into workable product briefs or diagrams and minutes.
And it's way more than just a blank canvas for you to get your thoughts onto.
It will take whatever you put on there and run with it, helping you and your teams to
iterate on those ideas and see them quickly brought to life.
And you don't need to be an AI expert.
Just do the work you're already doing on Miro's canvas and you're set.
I've tried it and what I love about it are the diagram tools.
I think it's easier to organize my thoughts and convey ideas by building clean diagrams.
And Miro has a super friendly way to make diagrams quick and pretty.
Help your teams get great with Miro.
Check out Miro.com to find out how.
That's M-I-R-O.com.
I want you to meet Greg.
So I grew up really, really poor.
I grew up in Tucson.
And fortunately, my father was an avionics technician, and he was an undiagnosed autistic,
brilliant man.
He was a MacGyver, and the man would just tinker and make things throughout his life.
And while we were poor, my father decided to dumpster dive.
His dad would find various computer parts and trash dumpsters behind
buildings and bring them home. And after doing that a few times, he had enough
spare parts to assemble whole computers. I had a Commodore VIC-20, I had a Trash 80,
and then I had an Apple IIe, you know, like all when I was born, and I always loved them.
Back then computers were not as common as they are now. Having one in your house was a luxury.
Having three, you were really fancy. And simply having these things within easy reach enabled
Greg to learn tons growing up instead of maybe getting introduced to them sometime in high school,
if your school was lucky enough to even have computers.
That was my escape as a kid.
I was an undiagnosed autistic kid until I was in my 30s,
and I just immediately loved computers.
Computers were a novelty for me as a kid.
Until we got AOL, then I became obsessed with them.
I was an AOL kid too.
Matter of fact, that's where most of my first programs
that ever came around.
I was one of the first who discovered the 1IM exploit.
That was my first vulnerability I ever discovered
was the integer overflow in the AOL client
when you sent a font size with a long enough number.
And I remember finding that
and making the 1IM punter back in the day. I remember AOL punters. You could send
someone a message but then put something in that message that when they receive
it their client wouldn't know how to process it and it would just crash
their AOL session. So you could come into a chat room send everyone a message and
then see like half the room suddenly disappear because their apps would be crashing and they would disconnect.
So all this fascinated Greg. To be able to force
someone else's computer to do something it's not supposed to,
that's cool. What else can you do? And his interest in hacking
took root and grew. Soon he found himself in an online group
that was trying to create malware. When I was a virus writer, my ideology I had, I actually targeted pedophiles.
Every single, every piece of malware I ever wrote was designed to target pedophiles.
And we ran a group in there to target people who were targeting children.
And the best part about targeting pedophiles is I think it's the only case that you can say I gave malware to someone and they're
absolutely not going to report you to the police because what are you gonna
say? I was trying to pick up this kid and they sent me a jpeg.exe to them and
that was the case for many years. When I wrote viruses that was the only people I
targeted. Otherwise for me writing viruses again was the only people I targeted. Otherwise, for me, writing viruses, again, was the thrill of learning about polymorphism, metamorphism, and as well as high-level, low-level
code execution. I just genuinely loved the thrill of the knowledge of it. It was an art.
I still think it's an art form.
His specialty was using Visual Basic to code malicious macros in Microsoft Word documents.
So he would send the Word doc to someone, trick them into opening it,
and if they had macros enabled, that would allow Greg to take over their computer.
Now keep in mind, he was doing all this in middle school, not even in high school yet.
And middle schools back then didn't even have computer classes.
If they did, it was just to like take a math quiz or something like that,
not really teaching how to use them and stuff.
And by the time he got to high school, they were just starting to teach kids
commands and certain applications on computers.
So one of the first classes he took was keyboarding, which is learning to type.
And I was like, nah, fuck that. I ain't gonna type. I know how to type. So our school worked on Excel. All the great systems were in Excel. And so I'm one of the
old school Macrovirus writers. I remember like colors and back of the day, those series of
colors and tri-state, those were the areas of Macrovirus that I remember started programming in.
And so with Excel, I was like, I can do this.
Like, I don't want to be in this class.
I don't want to be in the school.
So the entire grade system was in Excel.
And I made a macro virus that would look for my student ID number,
would have a trick number, identify the areas where the grades were in,
take the average number of the percentage or if it was A through F, I
would make myself as a B, and average a number to be about 87% and gave myself 87%.
He was able to take this malicious Excel file and get it onto the teacher's computer.
And suddenly, he was getting all Bs in his classes.
On top of that, he made it so he had perfect attendance too, no matter if he was there
or not.
So he just stopped going to class.
What's hilarious is he did all this while in his typing class.
He even coded in obfuscation techniques to avoid detection.
Like after the teacher would record his grade and then close Excel, that's when the macro
would trigger, unclose.
And he would stage all this information in a column that he hid off to the side so you
couldn't see any of the funny business happening.
This worked really well.
I was in school for nine days.
That's how long it took me to write this and then put it into the school system.
And then every day I went home.
I was just at home.
And one day my friends came over and they came back from
class because I still would hang out with them. And they were like, hey, Greg, man, the computers
school are really weird. I was like, oh, what are they doing? He's like, well, they're crashing.
Everyone says Excel's like not doing well. And I remember my stomach like sinking like, oh,
what do you mean? They're like, well, they, you know, when they're getting everybody ready for,
you know, the finals, everything
changed and something crashed.
I think they're calling McAfee over it.
I was like, oh no.
So I went to school the next day, went into the school library, and I hadn't been in school
for so long that the librarian was like, who are you?
And I was like, I go to the school, I promise, I'm here.
And she's like, I've never seen you. Who are you? And I was like, I go to the school, I promise, I'm here. And she's like, I've never seen you.
Like who are you?
And I was like, well, do you have a student ID?
I was like, no, I don't have a student ID.
She's like, okay, go to the principal's office.
So principal, like they're saying, hey, we know you're a kid, you know, we know your
name checks out and these classes, but none of your teachers recognize who you are.
I was like, oh, I'm sorry.
I just kind of shut up at that point.
They sent me home and what happened was the school added a column in all the Excel sheets
to calculate final grades and to do something for final grades. And unfortunately, that column just
happened to be where I stored the previous data of all the columns. So the virus will restore
So, the virus will restore the sheets when pictures open up the sheets. That caused the cell files to crash on grade and they sent the sample to McAfee and McAfee
at the time was like, yeah, this is a macro virus and it was custom written for your school.
So the school decided to call the police.
Police showed up, knocked on my door, arrested me.
Really?
Yeah.
I mean, it's a government, it's a public school.
It's a public high school, so it's technically a government.
This was real bad.
He went to juvie, juvenile detention.
They locked him up in a concrete room with a steel door and a tiny little window.
It's a scary place for a teenager. So I have a note here that says you're the youngest hacker to be arrested in Arizona.
I was the youngest child to be arrested in the state of Arizona for a computer crime.
I'm not sure if that still holds, but that was the case for a long, long time.
A politician wanted to make an example of him saying, see, cyber criminals are really bad and we should do more to stop them.
But he caught a lucky break.
But they came back that the Tucson police failed to handle the evidence correctly,
and my case got dropped, luckily for me.
However, he was ordered not to touch computers for a whole year.
Can you imagine no computers for a whole year?
I made a deal with the with the court to say I won't touch a computer for a year.
I'll have to get a probation officer to sit next to me when I operate
computers and then I, after that, will re-evaluate the situation. So for a
year, anytime I wanted to touch a computer, which is mostly the library back
in the day, if you remember when libraries had the little internal library machines to
go look up for books in the library, I think I'll call this very large 60-year-old man
who was absolutely had no idea what computer hacking looked like.
I remember fucking with him quite a bit and saying, you know, like, I'm on it.
I'm like, oh, I'm getting into the system.
He'd like look at me and grab my hand and pull me away from the computer and like, we're going now.
What kind of person, what kind of kid were you like in high school?
Oh man, I was, I was absolutely, I was a goth kid. I was the goth kid who wore the
large, I had a, I got in trouble for wearing a black trench coat because unfortunately going to high school
during 2001 era, you come across the Columbine incident.
You know, back in the 90s when I saw Goth Kid, I just thought they really liked the movie
The Crow.
Yeah, The Crow was a good one.
My best friend at the time, his name was John Aller.
John was a huge Crow fan.
He actually kind of looked like Brandon Lee too.
So he was a goth of the crow type.
I was more in the industrial music.
I always loved like Skinny Puppy
and Suicide Commando, Velvet Acid, Cry,
all those late 90s industrial bands.
So I was more of a rivet head.
I didn't know at the time what rivet head was,
but it's just an industrial kid, big stompy boots,
goth and industrial music.
I liked metal, but I didn't like metal so much. I like electronic music.
So when I found out industrial music, which is essentially goth music mixed with techno, I was like, this is it.
This is my lifestyle.
You wear earrings?
No, I actually, well, sorry, take that back.
In high school, I think I had like nine piercings.
I had, you know, I don't know.
And did you wear eyeliner?
No, I was not a makeup goth.
I was not a makeup goth.
I had the dog collars, I had the goth collars, I had the bondage outfits.
I was one of those goths, for sure.
Okay, so this just emphasizes like
when they're like looking for the person who did this. You're the one who does not look like everyone else.
I'm sorry everyone. The Goth stereotype for the virus writers, that was me.
That was me everyone. I apologize. I remember... You started this. I did.
So my parents kicked me out of my house.
I lived in a group home after being arrested.
Wow, just because of that event?
Yeah.
And you're not normal, Greg.
You're wearing too many piercings.
Come on.
Yeah, I did that all myself too.
So I got kicked out.
I lived in a group home from the age of 14 to 18.
So I was in and out.
That was a tough time. So at 14 is when you got arrested.
Correct.
And then that's a hard time to go through and arrest. That's scary.
You don't know what you're facing there.
Correct.
And then to be thrown out of the house and then like, what? I got to do this on my own.
Yes.
Gosh. So I lived in a group home,
didn't have access to a real computer.
So my only computers at the time were the ones in school.
And it was rough, man.
It's one of the big reasons why I always try to reach out
to people who are kind of in rough situations
because my life has not been an easy one.
It has not been easy.
And living in a group home, which
the group home was, the one I always got assigned to was a government group home,
and it was mostly for kids who were domestic violence or runaways. And so it was a lot of
violent kids in there. It was a small, it was like a small four-bedroom house,
but it had, at any time, it had between six guys
and six girls and then staff members there.
So it was cramped, everything was shared.
It was not a good time.
It was a rough life.
I think I just got some clarity on what it means to be goth just now.
It's not about the clothes and the makeup and the music.
It's about not fitting into a world that tells you to shrink and conform and smile when you're falling apart inside.
It's about understanding that you are different
and you can embrace your difference
and you gotta pay the price.
Being misunderstood by your teachers, so-called friends,
even your own family can become isolating.
There's this moment I imagine that every goth must face.
You have a choice, either break yourself down
into something more acceptable, force yourself into a version
of normal that everyone wants you to be, or you can embrace that shadow inside you, that
one that's screaming out, wanting to be seen, wanting to be heard, but knows that it's just
too weird for people to understand.
Goths choose to embrace that inner shadow, lean into their weirdness, wear it like armor,
and let your darkness be your beauty.
And when you're in a place like a halfway house
with nowhere to go and no one who really knows you,
that identity, being Goth, can become more than just a style.
It becomes your anchor.
Because being Goth means you already know
what it's like to live on the outside.
You already live in the cracks of the system.
So when the worst happens, when your life is shattered,
being goth is a reminder that it's okay to be
on the outside of society.
The music reinforces the idea
that it's okay to live outside what's normal.
And there's a level of comfort to hear that music and to see other Goths who are also
struggling to fight what's normal.
Those quiet rebels.
The kids who find beauty in broken places.
I imagine that being Goth makes you more resilient to problems like this.
It gives you a tribe without borders.
It gives you a sense of self when the world pretends you're invisible.
So I imagine being Goth in that halfway house was an amazingly
helpful way to get through it. To self soothe. Every time he put on dark clothes
it was like he was giving himself a hug and saying, it's okay to be different.
dark clothes, it was like he was giving himself a hug and saying, It's okay to be different. Don't worry about what everyone else thinks of you.
And man, to go through something like that and goth being your anchor, that
could easily make you goth for life.
Man, I think I got carried away there. Okay.
So after I get out of high school, so I was doing music, one of the few things.
So I became, I was a musician and I was a successful musician. If you've ever seen
the Matrix sequels movies, then you've heard my music at one point.
What? Your music is in the Matrix sequels?
Yeah. So I got contacted by a company called Spider Byte Studios and they wanted to make music for
the Matrix, especially behind the scenes Matrix stuff. They wanted to do some music there.
The big thing is they were looking for someone to make music for
the trailer for the video game The Matrix Online. And so they sent me an email and they were like, hey, you know, your music sounds great.
So that was my first example of being exploited in a contract by a large company.
I sold my music rights for $400 each. I think I got a $4,000 total out of that deal. So I was like,
I'm $4,000 richer. That is awesome. And after that, that got into a lot of
people asking me to do music and go touring. So I did a European tour. It was all throughout Europe.
I think I went to every country except for Latvia and Lithuania. Toured for a while and then came back.
What are you playing here? Synthesizer. It was a one-man project. So I did, I love synthesizers. At one point I owned over 80 of them.
So yeah, after that, I came back.
After a long tour time, I came back to Arizona.
I was homeless for a while
because you only make $30,000 as a musician
an average a year at that time,
especially like an industrial musician.
You don't make any money.
So I came back homeless.
And then I lucked out in getting a job working at that Massage Envy.
Massage Envy is a massage parlor, but it's a chain and they have over a thousand locations all over the US.
And their headquarters are in Scottsdale, Arizona, and they needed someone to work on the back end of their booking system.
They gave Greg a shot and he excelled at it.
It was all vb.net and ASP code back end.
And so I was coding that and I was breaking software
in the meantime, Millworm.
So I was coding exploits on Millworm
and just throwing them up there.
And I was literally trying to throw an exploit up there a day.
And I remember I got an email from EI and they were like,
you're cracked. What is going on? Like, what are you doing? Like, where do you work at?
Tell us about you. And I was like, well, I'm a software developer in the middle of Phoenix,
Arizona. I work on massage and massage embodies back end. And they couldn't believe it. They
were like, what? Like you're not in security at all. I was like, no. It was like, I just break
stuff for, for fun. E.I. was a cybersecurity company based in California.
It's spelled E-E-Y-E. E.I.
They created some tools to help people be more secure.
Like, they made a vulnerability scanner, and that's how they were able to make money.
So E.I. saw that Greg was writing a lot of malware and posting it publicly, and they
liked that and decided
to hire him and flew him out to California to give him a job.
Yeah well the team I was on we were all about finding zero days and finding
exploits. Yeah but there's no money in that. Marketing my friend. When you have a
good research team and they're rock stars they're gonna look at you and
your products and think oh man those guys know what they're doing. So yeah when
I got there the the person I replaced was Barnaby Jack.
I took, I actually had his desk and everything, man.
Yeah, yeah.
You know, lots of respect to him, man.
It was, it was, I never filled his shoes, but it was, it was just an honor to be a part of,
you know, just be around him.
I got to meet him multiple times.
He was a great guy.
See, back then, nobody had a bug bounty program.
If you found a vulnerability on some software,
that company wouldn't pay you anything.
You'd be lucky if they sent you a T-shirt.
There was zero money in vulnerability research then.
But the reason EI did this research
to try to find vulnerabilities in software was for
two important reasons.
One, to earn credibility.
That EI company must have some pretty sharp researchers to constantly be finding vulnerabilities
in things.
I bet their tools are great.
It works.
And two, recruitment.
By making the news again and again that they keep finding vulnerabilities, top talent would
want to come work there.
Now, they did follow responsible disclosure.
When they'd find a vulnerability, they would do two things.
First, tell the software maker and show them exactly what they found.
Then, they would announce publicly that they found a vulnerability and a product.
They wouldn't say what the vulnerability was, though, not until after the software company was able to fix it and patch it.
So that was the team that Greg joined to simply find new bugs in software that
nobody knows about, which is what's known as a zero-day vulnerability.
So I get there and office drops, office 2007 drops probably about four weeks after,
like within my first month of working there.
And we are looking at other software.
We were looking at, I think, CA Arc served backup,
if you remember that terrible product.
I have, as a macro virus author, and I can look at Office,
like, hex editors in Office.
I can tell you where the blobs are in Office. know I know I know the bit format very very very well so I'm
gonna come so there you're your object I mean you're that your boss or someone
told you mark Mayfray yes we'll put his name for the record here mark Mayfray
I've heard that name before if you if you don't know mark Mayfray, I've heard that name before. If you don't know, Mark Mayfray got famous from MTV's
A True Life of a Hacker.
That's where, that was his claim to fame, he was on that.
You know, over like the last few years,
and like basically ever since I got into hacking,
just been kind of like a wild ride or, you know,
somewhat of a movie.
After the raid, I started thinking a lot different
about like my life and like what I wanted to, you know,
start doing with it and turn things around.
These days, Chameleon is living the hacker dream, creating security software for companies to protect themselves from people just like him.
That was a clip from the MTV show called True Life Hacker from 1999.
The show follows Mark around as he hacks stuff.
He's wild back then.
So I imagine it'd be really crazy to have him as a boss.
So your boss told you,
office 2007 just came out,
you want to take a look at it,
it would be great if you could find some sort of virus
or bug, not virus, but an exploit in there,
a bug that we could use for marketing
and make a big deal about.
So jump in there.
And you were assigned to do that.
Yeah, that's exactly how it worked.
Anything that came out, any big thing, we were essentially bounty hunters.
We would go out and be like, yeah, let's go break this thing.
Yeah, but there wasn't paid bounties back then.
You'd get a t-shirt if anything.
It was all about the honor of being the first.
We wanted to be the first too.
That was a big deal.
Yeah, that honor was a reward.
Yep, it was be the people who first found the bug.
And so I went in there and started manually fuzzing Word
at the time.
Fuzzing.
The first time I did fuzzing
was when I was five years old and I went to the supermarket
and they had a gumball machine.
My mom gave me a dime and showed me how you put it in and you turn the crank and you get
candy.
It was awesome.
And for years I was drawn to them.
I just had to touch them every time I saw them and check them out.
Like I would try turning the crank on every one to see if it would just give me candy
with no money in it.
Nope.
Unless you put money in it, the crank won't turn.
I would sometimes try to put money in it and turn it very slowly to see if I could get
a little bit of candy and as soon as I do, turn it back real quick to reset it and do
it again.
But that didn't work.
I would check the dispenser chutes to see if anyone left candy behind there.
And yes, sometimes they did.
And that was cool, a little bit of free candy.
I would shake the machine sometimes
to see if I could get candy to come out that way.
And that did sometimes work too.
But then I was like, how does it know I put money in here?
Like, how does it know what a quarter
or a nickel or a dime actually is?
So I started jamming anything I could find
that would fit in there.
Plastic pieces, metal washers, cardboard, shoelaces. I'd shove it in, I'd turn the crank,
and I would see what happens. And I'm telling you, from like five years old all the way to
15 years old, I was fiddling with these things every time I saw one. And that to me is what
fuzzing is. It's trying to use the tool or machine or application in ways it's not supposed to be used,
to see if you could glitch it or somehow get it to act weird.
What Greg was doing was he was opening Microsoft Word
and trying to put something in a Word document that wasn't allowed.
I don't know, maybe trying to put a Chinese letter in there or some strange ASCII symbol.
Word would accept some of these characters
but then just deny others.
Now, if Word won't let you input a strange character, why?
Will it break if you somehow force it
to take that strange character?
Well, Greg wanted to try.
So he opened up a Word doc, not in Microsoft though,
in a hex editor where you can manipulate the ones and zeros
directly in the file, almost
like doing surgery on the file.
And he'd put in a character directly into the file that he knows Microsoft Word can't
accept.
And then he'd save it and try to open it up in Word to see what it would do.
Nothing.
Okay, fine.
That didn't work.
But let's try again.
This time, let's see what the max font size is in Word.
1638. Whoa, that's try again. This time, let's see what the max font size is in Word. 1638.
Whoa, that's pretty big.
Okay, so Word won't let you make a font size bigger than that number.
Challenge accepted.
Let's set the font to the max, 1638, to close down Word.
Open up the file in a hex editor.
Look for where that number is.
1638.
Where does that show up?
Ah, right there.
And maybe that means the font size. So let's change that to 9999
and save it and open it up in Word and be like, what now, Word? You wouldn't let me
set the font bigger, but I did. What are you going to do? Nothing. It just reverts back
to the default font size. It had some sort of logic to handle what happens with the font
size that we can't accept. And that is what fuzzing is,
and that's what Greg was tasked with doing,
to try to make the brand new Microsoft Office 2007 suite
crash.
It's really a hunt to try to see if the developers
at Microsoft accounted for every single problem
that could possibly go wrong in Word
and handle it gracefully.
So you're modifying these files at the lowest level possible, and you're introducing all
this unexpected code, unexpected code paths.
It's parsing these files, and it's parsing these files, it's encountering these unexpected
data points.
And these unexpected data points are introducing areas of opportunity for you to find a vulnerability.
And basically, the goal is to get Word to execute malicious code,
such as giving someone else control of that computer.
But you can't just put malicious code in a Word doc,
and then when someone opens it, it runs.
Word doesn't execute code like that.
It just displays it as text.
That's its job.
So can you hide this malicious code somewhere in the Word
document that it will also get executed when Word gets open?
No, not really that either. Yeah, there's macros that act like code, but that's different.
What we want is for Word to take our malicious little code and stick it into the memory of the computer.
So the goal is to cause Word to crash,
but then use that crash to force malicious code into memory, or a
pointer that references the code into memory.
Now, just opening Word is not enough to see all the stuff that's happening.
You want extra visibility on how well Word is behaving, what stuff it's putting into
memory and everything.
And that's where a debugger comes in.
At the time, he was using a debugger called OLLI, which will show him a lot more details
of what Word is actually doing.
Correct. OLLI is a tool that you attach to any application that you want to see at low level, assembly level.
You want to see what the code is actually doing, your registers and your memory output,
and what's going on with the application. You attach a debugger that allows you...
Sounds like a wrapper for the app. So you open OLLI and then tell OLLI to open this,
and then OLLI will be like, I will watch all the memory and everything that's happening here and tell you everything.
That's a great summary of that. And that's exactly what it does.
It sounds a bit tedious to open a file and a hex editor, manually change one or two numbers,
then close it and then open Word up and then see how it behaves and nothing. So just close
it all and try again. So all day he's editing these
files, opening them in Word, and then closing them. I just really liked
looking at the files in the hex editor, modifying the files, opening the file,
and noticing the UI changes. It would distort the...
If you had your Office file, if you had like graphics and stuff in there,
it would distort it or make it look wrong because it's rendering
improperly. So you could actually get better look, you know, wrong because it's rendering it improperly.
So you could actually get better feedback, I found, by doing it that way to identify
where in the file you're affecting.
And so, I mean, I did this for like two days and all of a sudden I had a crash.
Ooh, a crash.
This is what he's been trying to create.
Okay, first things first.
Will it crash every time? Yes. Awesome. Okay, first things first, will it crash every time?
Yes, awesome.
Okay, it wasn't a fluke.
Next, can he inject code into memory when it crashes?
Yes, wow, this is great.
Now he has to see if he can get control of a pointer
or inject some shell code into memory along with this crash.
And yes, he can.
And it was a classic crash at that time where you overwrote a data pointer and you can control the data pointer at that.
Which is, allows, that's the basis for remote code execution.
So what he's discovered is he can craft a malicious Word doc so that when the user opens it, Word crashes,
but then malicious code is put into memory, and now the system is severely weakened.
It's vulnerable.
Wow.
Very cool.
All within weeks of Microsoft Office coming out, Greg has discovered a pretty serious
vulnerability in it, which allows arbitrary code execution.
He feels great.
His team is impressed.
So you tell your coworker, your coworker tells your boss, you tell your boss, whatever.
And what does your company do with this?
My boss is like, awesome.
He immediately starts writing all the press.
And Mark Mayfray is, if you know him, he's very enthusiastic.
He's just like, oh my God, we're going to, we're going to,
fuck, this is going to be fucking awesome.
We're going to send this to the press.
We're going to throw this out there.
And so he immediately starts writing to everyone, you know, all these typical tech writing,
the tech writers, and so they immediately start writing.
And then we report to Microsoft.
Again, they aren't sharing exactly what the vulnerability is to the press.
They're just telling them that EI found another zero day, this time in the latest Microsoft
office. telling them that EI found another zero day, this time in the latest Microsoft Office.
And of course, only giving Microsoft the full details
so they can fix it.
And once it's fixed,
then EI will show the world how it was done.
The news spread fast.
A few big tech publications were talking about
this zero day that Greg found.
About three days later,
we get an email back from Microsoft and says,
hey, we can't reproduce this.
We're like, this is typical.
We've dealt with this before.
This is a typical Microsoft security response team typical action.
So they're like, okay, so we send the sample again and we're like,
hey, we show the debug output.
We show like a,
and then another day after that, it comes back
and they're like, hey, did you try this
without a debugger attached?
And my bot, Mark Mafer is like, of course we did.
And then he looks over to Andre, Andre looks at me
and I'm like, I don't think so.
So we go, we go run it again.
And there is a special trap that Microsoft added.
This is at the time, this was pretty new technology
where they had debug only routing inside Office.
So it would reach code flow path that was only exploitable,
only triggerable when you had a debug attached to the word.
Meaning, no one is going to be vulnerable to this unless they're having a debug attach
or unless they're a security researcher.
Oh man, how embarrassing.
The news is out there saying that EI found a serious vulnerability,
but now it turns out they don't actually have a vulnerability.
And it's because this new kid, this weird looking goth kid,
didn't verify it all the way.
And so I remember there was yelling.
There was yelling involved. I remember I was there for three
weeks and I remember just literally just staring down being ashamed and just like, oh god,
this is it. This is how I lose my career. It was nice. It was a good couple months.
It's okay.
Because the stress here is because a press release was written, right?
Yes. And EI at the time was like, they were like the rock stars. Like this is, all everyone
else in the room, you know, all those rock stars, UG, Derek, Daniel Soder, the brothers,
everyone else in there has written vulnerabilities in a professional manner. They've all done
this for years. They found the first Avista vulnerability.
They found, you know, this is their thing.
And now I'm the new guy who screwed up
and made them look bad.
So behind the closed door, they were like,
we gotta fire this guy.
And luckily for me, I believe Andre was like,
no, we're gonna give him a chance. He no, we're going to give him a chance.
We're going to give him a chance to make this right.
So they come out and they were like,
look man, you got to find a vulnerability.
We don't care how you do it. It's got to happen.
I'm like, okay.
There's some hope still.
The press release just said they found a vulnerability in
Microsoft Office which consists of Excel, Word,
PowerPoint, Vigio, and more.
It didn't give any details as to how the vulnerability works.
So if they can find a bug in any of these products,
it'll save the reputation of the company.
But to be clear, for a young guy in his first cybersecurity job
to find a zero-day vulnerability in Microsoft Office,
that's an incredibly complicated task.
The entire team of coders at Microsoft worked tirelessly
to prevent people like him from finding bugs like that.
So he's got to find something they missed?
This was a big deal for Greg. He needed to find a zero-day vulnerability in Microsoft
Office or else he's going to be fired. He calls his girlfriend and says,
Don't wait up for me tonight. I am going to be working late. Sorry, I just have to
do this. And he just gets dialed right into the zone.
Downing energy drinks, grabbing extra monitors to be more productive,
ordering pizza right to his desk. Like he's fully committed to doing this. He was so committed that he was going to stay in that office until he found a zero-day vulnerability.
So I am there, 24 hours by myself, just like manly tricking and I'm just like, oh god, I can't do it.
He's sleeping under his desk. He's living off of donuts and coffee.
So what happened here, man, was like, so the crew comes up to me and they're like,
dude, we're not going to let you do this by yourself. We got your back. And so everyone stayed in there.
And we were in there for three days. And man, I remember girlfriends calling, wives calling guys
and being like, are you guys coming home yet?
They're like, no, we gotta do this.
This is an important thing.
We ordered pizza.
We had Mountain Dew.
That area of the office, I remember,
it was not smelling great.
Like other teams were like, what are you guys doing?
What is going on in here?
Are you just like opening text files and edit
and then close and then open and then close?
We have, okay, so I think during that time,
so there's at least six of us.
We have one guy who's writing his own program to fuzz it.
We have, I think Yuji had like three screens up,
fuzzing data, reverse engineering.
He's like trying to reverse engineer that.
I have a program I've written
running on one machine over here. I have a machine to my left. I have a machine next to me that's running
software to try and find this vulnerability. I'm in a hex editor editing files left and right.
I think Derek was also editing files. Derek was finding something else. I think he later found
another vulnerability out of this, but he's going in there editing, looking at this. And we're all
looking... Everything we find is really interesting stuff, which turns out it was like we
found a lot of really cool stuff in office at the time, but none of it was a
vulnerability as we described.
So we are literally just sitting there geeking out and just pizza being ordered.
EI was a wild time.
Days go by like this where all the researchers are pouring tons of time into this.
Nobody was
going home. People were sleeping in shifts under their desk, in the break room. The energy
was amazing to have so many people come together to try to save the reputation of the company.
And day three, I was modifying a file and all of a sudden it popped and we look at it and we're like, oh, wait.
And I remember Yuji, Yuji looks at it first and he's like, Yuji is this incredibly, unbelievably
talented Japanese hacker and he's like, oh, it looks good.
And when Yuji says it's good, everyone's like, okay.
So, and the first thing that happens after that is I remember one of the guys is like,
is the debugger detached?
We were like, oh yeah, get that thing off there.
So retry it.
And it happens to be in Office Visio.
It was another product inside the Office suite.
So it wasn't Word, not as sexy as Word, but hey, we only said Office 2007.
So again, saved our butt. And so, and the thing is,
when Microsoft sent that email, they're like, hey man, this vulnerability occurs in this wrapper
function called safe int. And what safe int does is it prevents an integer overflow from occurring
and causing that controlled flow, the code execution to occur.
So it checks all the integers.
What happened with the new vulnerability we found
was we just happened to find a legacy pointer for an integer
that was not safe, entered wrapped, and was vulnerable.
So they sent that email out, and unfortunately,
David LeBlanc in Microsoft, David if you're
listening this I'm sorry man, I think he was on vacation he got called
back maybe he didn't get called back but that's what I heard because he was the
one who was in charge of Safen, Safen was his baby and it's an awesome
security feature. He got called back because when we sent that sample to Microsoft and it worked, that
was a big deal to them. So, you know, we are all happy with the vulnerability goes out.
Like a couple months later, it gets disclosed. And we have indeed the first vulnerability
in Microsoft Office. And that was that was the case. That was a wild time, to say the least.
He saved his butt on that one. His whole career was on the line, and he did what he had to do to
save it. And being awake for so long, there wasn't much of a celebration after he found it.
Dude, I crashed. I fell asleep. I remember being like just being so exhausted.
I straight up like at the time when I found it, I was already tired because I was half
asleep and I remember the alarm that I had for it to find it.
I nearly spilled.
I think I did spill soda all over the place because I was just like waking up.
Like we're all fasting out.
Like we're literally sleeping at our desk here.
We were not sleeping on hammocks or anything.
We're just like sleeping at our desk.
And so I remember it being, like we find the vulnerable.
We're like, yes.
And we were all so tired to actually have a proper, like, I guess we did have a proper,
we did yell out extremely like a mouth, we're like, yes, we're finally, and then immediately
after, because we're like, we're celebrating, like high-fiving, everything was like that.
But man, after that, I just remember us all just being like and we're going home and
I felt stupid the office. I couldn't make it home at the time because I had to I was gonna I lived walking distance
I was too tired to even walk home at that day. So I just crashed out woke up went home and
I remember my girlfriend just threw me this like the the the like pillow and the blanket and
I was on the couch for like
a week for that one rightfully so yeah she was so pissed but but it was your
job on the line she should understand that like listen I am gonna get fired
or I could stay at three days and not see you what would you rather I do oh
man I was a newly I was a newly father my My kid was like probably like
So well, hold on so you just had a kid at the time kid when I started yeah I was six months old so that kid was not even a year old and colic and my kid was extreme colic like 12 hours a day
crying
Man, she was so mad
That that's that makes it even more stressful. Oh, yeah. Oh, that's, that's, that makes it even more stressful.
Oh yeah.
Oh, oh yeah.
But yeah, so,
yeah, that was, I remember, I remember the emails,
that was like, the emails getting from her
was like always popping up, just be like,
her just getting angrier and angrier as the day is going on.
And she's like, where are you?
Like, I don't believe you're at work for three days doing this.
And I was like, okay, I'll send you a picture of us.
We had like, the team just like doing random pictures.
I was like, oh man, this was a time.
EI was a magic place.
A lot of amazing talent worked there.
And many went off to start their own cybersecurity businesses.
Rumor has it that some of the anecdotes from the TV show Silicon Valley came
from stories that happened at EI and Greg learned a ton from working there
for years. So years like years later, this is like my third year at EI, I
remember we had we had a honeypot system which you know it's a system that's
designed to catch hackers
and lure in individuals.
We were trying to get zero-day exploits, and they definitely tried to lure people into
attacking the system.
It was like one of the largest honeypots at the time.
It was nearly a class B internet group of honeypots.
It was massive.
I remember I was logging into one of the systems that we had
maintained for that and I see a login called LFANG and I was just like,
what is this? Who's account is this? Maybe this is a new hire I just don't
know about. And I walk into my boss's office and I was like, hey, you know,
I got that all set up. However, there was someone who logged in recently, maybe it's
someone we hired in like DevOps or something. Do you know L. Fang? And I remember, I remember
my boss was just typing all of a sudden, I remember the distinct sound of him stopping and the sound of the chair creaking back and him
looking at me and he's like, you found what? Who? And I was like, yeah, L. Fang. I think I looked at
that extended name was Lee Fang. And he's like, what do you mean you found a Lee Fang login? And
I was like, yeah, it's on the honeypot system. It
was like, it looks like it was a maintainer. And he goes and he closes the door behind
me and he's like, all right, I'm going to tell you a story about Li-Fang. And I was
like, okay, let's hear about it. So back in the day, like I mentioned, EI was the rock star group for finding vulnerabilities.
It was like EI and iDefense.
That was like the two big companies back in the day for finding zero-day vulnerabilities.
And at one point, EI was so good at what they were doing, Microsoft decided to hire someone in order to go work at EI
in order to get them to tell them, Microsoft, about the zero days they found in Microsoft.
Wait, wait, what? Hold on a second. You're saying Microsoft got someone a job at EI.
It was a different time.
But they worked for Microsoft so they could report to Microsoft what EI is working on.
It was a different time.
This is ridiculous.
You don't hear about this ever.
It was a different time.
Does this news ever actually go public?
I don't think so. This is a...
I can't imagine Microsoft hiring to work...
Getting people to work at other companies.
This is corporate espionage.
That's correct.
Well, it gets even better.
It gets even better after that.
It gets even better after that.
Okay, so Microsoft hires Lee Feng to work for them,
but then plants him in EI to go find out what they're working on and report back to Microsoft.
So Lee Feng was working at EI for a while,
but then suddenly left and nobody really knows why he just disappeared one day.
But then Microsoft, some time after he left, they're like, hey, we gotta have a talk. We have to go to this conversation. And so we're like, okay.
And so Microsoft was like, so Lee Feng, he was working for us to identify zero days that you
guys may have found. Which had to be a bombshell for your company to hear. I think they had suspicions that he was being a little odd, but...
So Microsoft then goes to say, so apparently he was also working for a foreign government entity to do the same for us and you.
So...
So someone placed him in Microsoft? Correct. Go get a job there and
and he got chosen to go work for us. We hired him and he got planted and then he
was siphoning zero days from not only us apparently he also had privy information
at Microsoft and that went back to his foreign government
that he was ultimately working for.
Holy moly, someone planted him at Microsoft
and then Microsoft planted him at EI?
That's unreal.
How embarrassing for Microsoft.
It's like being caught doing something
you shouldn't have been doing.
Like, I don't know, having your pants down
when the elevator door opens. They know they shouldn't have been doing, like, I don't know, having your pants down when the elevator door opens.
They know they shouldn't have been playing that game.
But now they realized that they got played themselves.
Oof.
So, I really wanted to confirm this story and I reached out to people that I know who
have been at Microsoft for a very long time.
And all of them said that does not sound like something Microsoft would do.
So I can't confirm that that story is true.
But I would love to know if it is or isn't.
So if you have information about Microsoft planting people in other companies, tell me
about it.
Because here's the thing, we know corporate espionage is happening.
There's people sending secrets back and forth to tech giants all the time.
But it's a secret.
So we don't know about it.
We only know about the ones who get caught.
So it seems plausible like something like that could happen. a secret so we don't know about it. We only know about the ones who get caught.
So it seems plausible like something like that could happen.
And you know what?
I'm curious what corporate espionage stories are out there.
And take it a quick peek.
There seems to be some cool ones.
In fact, I think I'm going to take an ad break and look at this a little deeper because I'm
fascinated by corporate espionage and I might have to do a few episodes on that sort of stuff. But stay with us because after the break, Greg is
going to tell us some penetration testing stories that he's done. This episode is sponsored by Red
Canary. Red Canary is a leader in managed detection and response, also known as MDR. They serve
companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the Cornerstone
Security Operation Partner for nearly 1,000 organizations, they provide MDR with industry-leading
threat accuracy across identities, endpoints, and cloud, all with world-class customer experience.
For more information about Red Canary, visit redcanary.com. That's redcanary.com.
After a while, Greg left EI and started doing Red Team stuff.
That is penetration testing, breaking into companies to test their security.
And he also does threat intelligence, which he tells me he got some really interesting contacts
and worked at some very interesting places.
But we're going to have to skip those stories because they're too sensitive to talk about.
But he is willing to tell us a few pen test stories that he did go on.
The first story is about a time when he was paid to try to hack into a major tech firm,
which has a lot of user data.
I mean, they have millions of users users but not just simple user data. They collected highly personal
information on their users as part of their service. So Greg meets with the
customer and it started out weird from the get-go. The customer was saying, look
we are crazy about security. We go over the top on cybersecurity because we can
not risk our user data getting out. So we don't think you're going to find anything.
In fact, the last pen testing company struggled so bad to try to hack us that they got arrested.
So they use a third-party payment processing system that is not used by them.
And their previous pen testers accidentally exploited the third-party payment system that
was vital to them.
And the third party payment system was an Oracle system and not owned by the customer at all.
So when apparently, that's what I heard from the customer, they did their exploitation and then
they said, hey, we got into credit cards and we're going to present it to you the next day in the presentation.
So they got the blue team there, all the blue team, all the people were like, and they presented
them and said, hey, we exploited this, we exploited this IP address, we got access,
we gained it, here is your raw credit card details.
And as you can imagine, the team looks at it and they're like, what IP is that?
That's not local.
That's not like, it's a tenant.
It's a local address, but that's not ran by us.
That is not.
And then they found it was actually owned by a third party payment system and they had
exploited a zero day and gained access to there.
And on top of that, the credit card details were not.
There was a stream of credit card details.
So I believe it was outside of even the scope for the customer.
So the customer reported them on the safety of their half because they didn't want to
think that someone on their network compromised them and reported them to the law enforcement
authorities.
And I believe that led to the arrest of them.
Either way, that's always wonderful to hear going into a pen test. You hear like,
hey, the previous guy's got arrested. Why don't you guys come in here? So, great start already.
Great start. So if you know me, I still dress like a goth kid. I'm still all black. I'm cyber-punked
out. I wear Neo4k, love them.
I'll wear everything from VX Underground,
all black, anything I can.
So I show up at this facility
and at this time we also have a coworker of mine
and this is my coworker's first big, real big pen test.
And so he comes in too.
And I will never forget the people there
because they look at me and they look at each other
and they're like, oh God, we got to put you guys in the back room.
So they set us a separate room away from everyone else.
Throughout my career, this is kind of the thing.
I'm the guy in the back room.
I've been there because of how I am.
So they set us back there and this is a five-day insider threat
Pentest go
So his job was to simulate an employee there who had gone rogue or had been hacked just by being in the building
What could he do?
Sniff some Wi-Fi traffic plug into some network network ports. Well, that's worth checking out.
But they did give him a single user's login.
And they said that user should be locked down so tight
that you shouldn't be able to do any harm even by knowing their password.
This customer, I've been red teaming a lot of places.
Their blue team, their sock team is absolutely legit.
One of the best defense teams I've ever had the honor
of working with.
And so they literally are running their own kind of like
built in EDR system that they built themselves
that's tying into their sock going in there.
And we get nowhere, man.
Day one, nothing.
Day two, nothing.
Day three, my coworker's laptop dies in the middle of it
and he can't even work anymore and we had to give a report to the customer and I remember that them
just looking at us and being like I think we hired the wrong people like literally they're like
do you guys want to resign and we can scrap this up, call it quits, and then we can go hire somewhere else?"
I was like, no, man, we got this.
Day four happens and we, I remember it was like 4, 4.30 and we have to give, at five
o'clock we have to give our meeting and my coworker had to go to Best Buy, buy a brand
new machine and he spent the entire day imaging a machine on a red team engagement. He looks at me and he's like, man, I don't know what to do.
So I was like, hey, let's try one more. Let's do some art poisoning and just do one more time.
And I remember looking up and that art poison grabbed one plain text credential that just
happened to be an FTP
job.
And we're like, oh, we got a credential.
We got somewhere.
We got something.
It turns out that credential was the build system process and it allowed us to get into
the build system to roll code throughout the entire thing.
And it just so happened at 430, they rolled it out to do an end of day
lockdown and build system, the configuration lock everything down.
So no one's doing any more builds.
We went to that meeting, said, Hey, we just intercepted this.
And I remember them all thinking, wait a minute, that's the old build.
Like that credential is still active.
At that point, we had a really cool exploit for that one. We got into the build system and they had a lot of controls on the actual files in there. So we couldn't modify in the build files,
but we could edit the command line. So we rolled an inline assembly dot net include in there to
roll in, go into their portal and steal all the customer data who would enter
a credit card in there.
We marked it in the data.
We blocked out that credit card, but we put an asterisk in there, stolen last four digits,
and then had it sent out to them.
They tested it, they round out, and they were like, holy crap, we have not had a Red Team
roll out code to production in eight, nine, 10 years that we've had.
Come back next year. come back next year.
Talk about a Hail Mary.
Not a single find all week and then 4.30 PM
on the last day they catch a lucky break
by sniffing a credential in the network,
which gave them tons of access.
What a good find that saved their butts.
I come back next year and they're like,
hey, we want you to do something kind of crazy.
We want you to target
DNA. Part of what this company did was genetics studies. They had DNA data on their users.
And this was regarded as one of the most protected assets of the company. So why not hire a hacker to
try to find it and steal it.
He starts with a basic employee login again.
It is locked down pretty tight, but it's just enough for him to get a foothold somewhere
else, and from there he finds an exploit in another system, and then he was able to pivot
from there, collecting more system logins, and finally he's able to get in a system
which manages backups of machines.
He can see there's some really large files here.
Maybe those are system snapshots or backups.
But what system is it a backup for?
No idea.
But he decides to try to download it anyway to see if he can look at what's in these
files.
It literally aired out on the share size and I was like, I've never seen that before.
And I remember clicking a file and I'm on a local network and I remember that file taking
forever to get to me. And I was like, file and I'm on a local network and I remember that file taking forever to get to me.
And I was like, how big is this?
So I grabbed the file and I'm on the local machine
and I remember looking at it and it's TCGACT,
like those letters.
And I was just like, I think that's DNA.
I think that's DNA.
And I was like, huh, I don't know.
Maybe this has got to be, this can't be, this can't be right.
So I grab it and I cut off like as much as I could.
And then I sent it over.
I work with a biologist.
She was very, very smart girl.
And she just happened to be a biologist
who was working with mice at the time.
And she actually knows, and she actually
knows DNA, and she worked with DNA.
I was like, hey, what does this look like to you?
I sent it to her, and she looks at it, and she's like, oh, this is a DNA sequence mapped
out by this program.
I was like, oh, okay, cool.
Then she's like, hang on, I can even tell you what kind of DNA this is.
And like a couple of minutes go by and she was like,
why do you have human DNA?
I was like, I gotta go, I gotta buy a click.
And so my next task was like,
they were like, you have to get the data out.
We can get in, you have to get access it,
we have to get it out.
So at the time, again,
it was ran by a very, very good SOC team.
There was a lot of the,
the environment I was in was very, very well restricted.
And the only way I got to her was through,
you know, sending a picture,
like I'm selecting it all and then putting it into it,
like an app, sending her a picture of it.
And it was like so bad quality.
I had to send it a couple of times, actually.
But so I was like, how am I going to get all this data?
I can't do it with the phone. I can't do it with a picture.
How am I going to get all this data out?
I was a malicious insider.
So I was working as a quote unquote IT member.
And so I got introduced to the IT group and they're like,
oh yeah, you'll be working in this environment, it's cool.
And so I was like,
I gotta figure out a way I can get a bunch of hard drives
and I have to get a bunch of hard drives
back into the building.
So what I did was there was printers
that were scheduled for to be,
these printers were scheduled to be
taken to repair. I remember grabbing all those printers and gutting it as much as
I could and walking out and going out to the
front desk going out the front where I'd be like hey I gotta send this printer to the
repair shop it has to be done today immediately and so the front desk people
were like okay just sign off for it cool sign off for the printer. Load that into
my rental car and I go to Best Buy
and I'm like, I have to get hard drives.
I have to get a lot of hard drives.
So I went by, and this is back in the day
where those were external hard drive
for those big obnoxiously ugly colored things.
And they came in like, I think 32 gigs or 64 gigs was like a big hard drive at that time.
So I go through, I have a shopping cart
and I just go from the end line of these
and just pull the whole thing into the shopping cart.
I have a full shopping cart of hard drives.
You put your arm on the shelf and just...
Do you know that meme where the guy is running around best buying
and he's like, I hacked all the things, I hacked all the things?
That was me, except with hard drives shoving it into a shopping
cart. And I remember ever going to the front of the desk, maxing out my credit card of
hard drives and then going back into my hotel at the time and loading them all into the
printer. I put it, I shelled out the hollowed out printer. I just stacked the hard drives in there and
clued it up together and then show up to work the next day. Get the little
trolley carts they have, go out and say bring it back and I remember I remember
I'm bringing back the printer and the front desk person was like, wait, you sent that
off to be fixed yesterday?
And I was like, yeah.
He's like, you got to tell me how you got those guys to fix that in 24 hours because
man, they are always so slow.
And I was like, oh shit.
Well, I bought them a root beer and they're like, oh, that makes sense.
I was like, I bought them a root beer and they're like, oh, that makes sense. I was like, I bought it.
I brought him a six pack of root beer and he was like, oh, okay.
Good to know.
So I go back to my area of the building, putting it and I have this printer next to me and
then I am opening up a little panel and I'm just USB drive, literally copy pasting, mounting,
copy pasting and mounting, copy, pasting. And I started it, I started it like 8.15 a.m.
and I am there until they kicked me out of the building
at like 9 p.m., doing nothing but moving over data.
And then I leave the printer there.
And for the next two days,
I am literally doing this every day.
And then on my last day of the pen test,
I remember I walk out and I go to the front desk
and the guy there, he's still there.
He's like, I was like, aw dude, printer broke again.
And he's like, oh, don't worry, I got something for you.
And he goes in the fridge, the little fridge he has,
and he brings out a six pack of root beer.
He's like, give this to them and tell them I said hi.
I am sitting there trying not to laugh while I'm holding petabytes of like I can
imagine. I think I don't know how I couldn't get it all.
But I remember I bought over like 80 hard drives from Best Buy.
I think I actually went back a couple
of days later and brought some more because I didn't think I had enough and
put them in my jacket and my pants. I loaded this HP printer and filled that
thing up and got to my hotel and then at that point I had a secondary
laptop that I asked or requested to prove for exfiltration. I connected to that
laptop, I loaded it up and said done. So when it was time to show him what he
found, he has them go into the room where he was working again
and said, open up the printer.
And they open it up, and when they do,
bunch of hard drives just come pouring out of it.
And he says, those hard drives are
filled with all your DNA data.
Yeah, and they later said, hey, you
were the first person to do that.
And I worked for the red teaming for another, I think,
three or four more times after that.
And after that was a call center I attacked, Target A.
OK, here's the big question, though.
Right?
First time, they're like, we've got
to go in the back office.
We can't have that.
After doing it three or four times
when you're walking through, are you feeling more confident?
Like, oh, no, you could be in the front office.
We don't mind you being around.
Oh man, I went to their barbecues.
I went to their family.
They're all very nice.
After the first time, they're like, look,
you can never meet the execs,
but we will absolutely hire you every single time.
A few years go by of him doing pen tests and he gets another job, which also has an interesting
story.
This time, a venture capital company has hired him to try to hack them.
They wanted to see if he could hack into them to get data that would influence the market
or something that might hurt the reputation of the company, or see if he can gain information
that can be used against the company.
So Greg gets tasked with going on site to try to hack into this venture capital company.
Which remember, even though he's well into his 30s at this point, he is still dressing all goth
and considers himself a goth kid. I'm still a goth kid man. I still dress in black. I still wear my
goth like my like I'm like I said I don't, I don't wear like the collars or anything, but I still
dress all black.
I wear my goth outfits.
I wear my VX underground, like my neophoric shawls and everything.
I wear my goth boots.
And what's funny is every single contract I sign for work, I have two clauses in there.
Clause number one, I'll never code in Ruby.
Fuck Ruby. Now clause number two, I'll never adhere to a dress code, period. If those two don't
happen, I don't work there, period. So that goes back to like, when I was in cybersecurity,
I was one of the kids who never went to college
for cybersecurity.
And so like all these places are like,
oh, you gotta get a college degree,
you gotta do all this kind of stuff.
And you gotta wear suits.
And I was like, now fuck that, man.
If you don't hire me for like the things I know,
then I don't wanna work there.
And that's been a long belief and I still believe that,
to this very day.
And I told my boss, the day that my goth outfit
interferes with the way I work, I will stop doing it. Still do it to this very day. It's been 20
years. Anyway, so they send me over and I remember I get out, they're like, hey, we want you to meet
at this area, you know, meet at this outside, it's going to be outside the hotel that we're all staying at. And I walk up to this guy and this guy is wearing a suit.
He is wearing like a suit that costs probably more than than what I make a month.
And he's sitting there, he's smoking a cigarette, clean cut.
The guy looks like he's still like active secret service.
I think he even had an earpiece in there.
Like, and he looks at me and I was like,
hey, are you this guy? We'll call him Brando. Are you Brando? And he was just like, yeah.
And he's like, are you Greg? And I was like, yeah, nice to meet you.
I remember he takes the longest drag out of his secret.
Nice to meet you. I know where he takes the longest drag out of his cigarette.
You know that meme from, what's that HBO, True Detective,
where the meme of looking at the phone
and the guy's just inhaling the cigarette,
where Matthew McConaughey, I think, is inhaling the cigarette?
I got that exact look from this guy looking at me,
and he just tosses that cigarette,
and he's like, this is going to be a long week. He's like, let's go. So this guy is his escort and
drives him to the building where he's supposed to do the pen test and he takes
Greg to the front door and he tries to go in with his escort. And I remember
physical security is like, sir, who are you? What are you doing here? They
literally get in front of me. I was like, no, I'm with Brando
over there and I'm part of the assessment and they're like, give us some ID and they escort me into
the building and also I'm getting a call from like my contact and he's like, where are you? I was
like, I'm being detained and he's like, oh god, it's a great start. So they come over and they realize that I'm supposed to be there.
And then I go meet my contact.
And I remember him looking at me and being like, oh man.
He's like, all right, well, you can go work in that back room over there.
We're going to tell everyone you're an auditor or someone, so no one bothers you.
You're going to sit up in this back room.
And just don't bother anyone. Just go there.
So they sat him down and said, okay, hack this place.
And he's like, well, can you give me like a user login or something?
No. All right.
Can you give me the Wi-Fi password at least?
No. Well, listen, I see a bunch of wireless networks and I don't
want to accidentally hack into the wrong wireless network. So can you at least tell me which
Wi-Fi network is yours?
I could see the contact at the venture capital was like, man, it was like he looked at me
and he wanted me to be out of this building and to fail as much as possible. So he's like, our guest wifi ID is this, go.
That's it, that's all I had to go on.
Nothing else, just the guest wifi.
So I get up and I'm like, okay.
So I start walking around the building
and the security team's absolutely following me
every step of this.
And Brando from the other third party,
he's like, where are you going?
Like, what's going on?
I was like, I'm looking for a wifi password. And he's like, I think, he's like, where are you going? Like, what's going on? I was like, I'm looking for a wifi password.
And he's like, I think,
he's like, I'm pretty sure you're supposed to do that
with the computers stuff.
I was like, nah, nah, they're gonna have this.
And I walk around the building
and eventually I find it on a whiteboard.
And I'm like, bingo.
Let's go.
So I go back and I sit down
and now I'm on their guest wifi network.
Nice, How clever.
Just look around the building for the password.
So now he's connected to the guest Wi-Fi.
So I get the password,
I sit down and from there I start scanning.
The first thing I go is I hit the Wi-Fi router.
It's a Cisco device.
I'll later learn that this team is very, very good.
However, again, like they mentioned, they've never had a full Red Team event.
So the router security is nowhere near where it should be.
It's actually, the router is a single router, a single Cisco device that is both the guest Wi-Fi
and the internal Wi-Fi as well.
So I exploit the router, I jump on the router, and then I make the entire network flat. I bridge over everything. So now my machine can be, it can attack anything on the inside of the network,
even though I'm on the guest Wi-Fi, I can still start attacking anything on the inside network.
Or on certain networks, they had multiple inside networks, so I started bridging them
over one by one.
How did you exploit the router?
The router didn't have, like, A, their password was default, as unfortunately as it is.
Number two, I was, they had an administrative password on the panels. So the access was one password,
and then I brute forced,
I believe the password of the admin panel,
it was very close to standard password on there,
gained access, unfortunately.
So the guest Wi-Fi should only have very minimal access,
it'll like just to the internet
and no internal systems in the building.
But when he bridged the networks,
he could then access anything that other employees could access,
which gives him access to a ton of internal systems.
There, I start doing man-in-the-middle attacks.
Let me tell you, red teamers out there,
pen testers out there, never skip out on layer two attacks. Layer two is your
responders, your canine ables, your art poisoning, your DHCP spoofing, all of those. That is
going to be your bread and butter. I promise you those vulnerabilities are still existing
there. They still work. I work engagements to this very day.
That is where so many places fail.
So I man the middle, I start stealing credentials.
And this is back in the era before, you know, SSL security was everywhere.
So you could still do man the middle and downgrade websites to HTTP logins.
And I start getting credentials to people logging into work emails.
After about an hour, I get access to a relatively new hire.
She has like six months of work in her inbox.
I access her email.
And the first thing I do is I go all the way down to day one.
And what do you get in day one? Email.
You get your employee Email. You get your
employee training, you get your onboarding information, you get your
onboarding documentation, and if you come to this building you get your building
alarm code. So have a physical alarm code that goes in her and also have her badge
ID number and what she looks like and such. So I'm like, okay, so what can I do next?
And I remember the Brando, the ex-Secret Service guy looking over my shoulder and he's like,
what are you doing?
And I was like, okay, so you know these car readers.
He's like, yeah, he's like, we're going to we're going to clothe one of these car readers.
And he's at this point where he's like, all right, goth guy, you're not so bad.
Okay, I like this idea.
And he's like, all right, Ih guy, you're not so bad. Okay, I like this idea. And he's like, all right, I'm gonna work with you on this.
And I'm gonna, he's like, I talked with them
and we're gonna talk about guard shifts
and times to get into this building.
And I was like, okay.
So I tell him my plan and I was like, man,
so I got a building alarm code.
I'm gonna put a RFID cloner next to their badge reader.
And when they badge in,
I'm gonna start getting all these badges.
He's like, okay. And so a day goes by and eventually the girl who's building alarm code
comes in, badges in, and I get her, I have like a Proxmark system. I keep pulling it and all of a
sudden I notice her ID matches up. So now I have her employee ID badge and her building access alarm
code. To get into this building, you need to use your little badge and tap the badge reader and the door unlocks.
And what Greg did is he put a little badge sniffer behind the real badge reader
so that anytime anyone taps her card, he gets to see what their badge is.
And that essentially allows him to clone a badge.
They gave me a tour of the building at one point, very against their will. They were
kind of like hushing me around. The two things I noticed when they gave me that tour was,
A, there was a balcony on the second floor that had a tree next to it. And from that
balcony was a straight shot into their server room. And basically you go through one room.
In that room, you get into one hallway, and you're in a server room. In that room you get into, you go to that one hallway
and you're in a server room. And the server room did have a badge reader on it.
The second thing I noticed is sort of like a, like almost like a spiral staircase downward.
There was lots and lots and lots of paintings. I remember asking during the tour, I was like, whoa, these look like real paintings.
And they nodded.
They're like, yeah, one of the CEOs here loves paintings.
And this is their pride and joy.
They like to show art and they like to make sure that...
And I was like, huh, that's interesting.
That's cool. And so I remember, so for the next couple of days, I had to get a badge of an IT guy
because I needed to get access to the server room.
And eventually I get it.
And it's through the POCMark system as well.
In the meantime, I'm doing man in the middle, getting credentials, doing traditional attacking
methods.
But I really wanted to focus on this whole physical element
because Brando working with me, he was just like, man, he's like, we can do some Mission
Impossible stuff.
And I was like, yeah, yeah, we could.
And so the next phase was they had cameras everywhere.
They had internal cameras, external cameras.
And I remember doing the network.
So eventually every day I'm folding
different parts of that of their internal networks into the guest network
that I'm at so I can bridge over and start looking and eventually I find all
their camera network and luckily for me they're using
access cameras and if anyone's worked physical security, everyone knows there was an era of access cameras from 2001 to about 2008, 9, 10, where everyone had, all these places had these access
cameras because they had a ton of features.
They were cheap.
They were Chinese made, wonderful cameras.
However, they were the worst security ever.
They had so many default passwords.
They had buffer overflows and the access control
systems, they had buffer overflows and their web interface. They had a web interface that when you
connected to it, it looked like GeoCities. It was straight up 2002 internet all over again.
And that's how you controlled the cameras directly. So talk to Brando and he was like, okay, look, man. He's like, I
know they do a guard change around it's 2 30 a.m. between, you know, around that time.
He's like, you got to be in and out of a building around this time. And I was like, well, you
know, he's like, and he's like, also, there's going to be someone always watching these
cameras. And I was like, okay, that's fine. You know, he's like, what are you going to
do with the cameras? So I show him him and I start connecting to all these cameras.
And at the time, there's an access, I think they're still running like firmware from like
2005.
And there's an access buffer overflow that allows you to control and gain access to every
one of these cameras.
Still running that, then patch them, jump in.
And then from there, I can access the shitty little interface.
And I show him, I was like, look, what happens if I modify these two values and the values is brightness and contrast and you
can edit both of them. It's usually for you know when a viewer wants to look at the camera they're
trying to know if it's too dark or too bright they can edit these and in UI you can edit them
a little bit but programmatically you can add them all the way from 0 to 255 values. So you can make them go all black or all white.
So I show them, I was like, watch, we can make their cameras go boom.
And watch, I show the camera, it goes distinctly black for a second,
and then I undo it.
And he's like, oh, I was like, yeah.
He's like, all right, goth guy, All right. I see what you're cooking here.
And so he's like, well, how are you going to get these into an area that, you know, how are you
going to like do this in a way that you're going to be carrying a laptop with you? It's going to
just be awkward. I was like, you know, that's a good point. So in this engagement, I had a shuttle
device with me, a little tiny laptop, computers are like the size of a shoe box. A lot of pen
testers used them for leave behind devices.
And on that shuttle device, I put a Bluetooth radio on it.
And so with the Bluetooth radio, I was like,
okay, I'm gonna walk around the building
and I'm gonna get measurements of where I'm at
with the Bluetooth and signal to noise ratio.
And when I'm in front of those areas,
I'm gonna map out what cameras those are at.
And I am going to make sure that I can get access to this.
And so I tested out the Bluetooth range.
I had to put a big intent on this thing to get the Bluetooth receiver on it.
And that worked.
So I could have the Bluetooth show.
I go in front of these two cameras, the two cameras that point outside to the patio.
I could have them identified. There was a camera on the inside there.
And then there was a camera facing the server room. So those are the cameras I needed to black out. So my app set signals to the Bluetooth. The shuttle device would take that
signal and relay it and when I received those it would send the packets to those cameras to
make the values of brightness or contrast to 255 or 0 completely
random.
They flip back and forth between them to make it look like a black and white screen.
Sort of like an effect that was like the cameras malfunctioned for a bit.
So I was like, man, I have to believe like I can look at these cameras, I can test to
see if this works.
Not sure if this is really going to work, but we're going to try it.
So he set everything up to try to break into the building overnight and not be seen at all.
The front door might have extra security and he didn't want to take the risk.
So his whole plan was to sneak up to the building, black out the cameras, get in, and gain access to the server room.
Keep in mind everyone already was on high alert from this kid.
They thought he was very suspicious and he was going to have to do something over the top to get in. And that's when he realized his point of entry should be the balcony.
So that night, man, I came in, 2 30 in the morning, climbed up the tree, I get onto the
balcony, I push open the security door on the balcony that they would lock before you can get to the badge reading door there.
I pry that open, hit the badge, go into the building, the alarm starts beeping,
I hit the building alarm code and lucky for me, the girl had not changed her alarm code,
I was in. And I look at the cameras and I remember being so nervous about this and being like,
oh man, hopefully this will work or I'm going to get tackled very soon.
So I make my way over to the server room and my secondary badge, the other one I have from the
IT guy, works for that one, badge cloned, got him in there, went into the server room,
and from there, boot rooted all the machines.
Now, so if you're unfamiliar with boot root, back in the day, this was you plug a USB device into the machine, you turn off the server, this machine would then
boot off the USB device as a recovery device, and from here you would replace a Windows component.
Sticky keys would be an ideal favorite. So you replace sticky keys with command shell,
and then you reboot the machine.
So the machine, after you do that,
you reboot the machine,
it goes into the password login prompt
and you hit shift five times.
That would then launch sticky keys,
which has now become a command prompt instead.
And now you have a command screen on it.
And then you can run commands as elevated bridges.
They run in a system. So you'd
have elevated command. So from there I exploited all the machines. I dropped a flag that said I was
here and then I went into their stores and put flags on all those. He's done it. He's successfully
hacked into the server's mission impossible style and so he starts to go out, but he notices something.
Those paintings.
So I proceeded to go down the staircase
and I go down through the paintings.
I just quickly grab a sticky pad
and put us little happy faces.
I get a little sticky page
and start putting them right next to all these paintings.
Like there's a little placard
for each of these paintings tell you
essentially who made these paintings,
what it would have symbolized, in some cases how much they were worth,
and I stick little happy faces on it that says I stole this.
So it's typical for a physical pen tester to leave a token behind to prove that they were there in
a server room or a desk drawer or something. I mean just think about how you would feel if you
went to bed and then woke up and there was a sticky note on your bathroom mirror that said, Greg was here.
Just a small note like that can say a lot, can't it? Here, what Greg was doing was proving that
he had access to these paintings and he had time to go right up to them, put notes on them,
and security never saw him do it. So he wrote, I stole this on a bunch of sticky notes
and just kept putting the sticky notes on painting after painting after painting after painting.
And I remember like 605, like, like I get a call, Greg, Greg, yeah, yeah, was this you? What's the
happy face? What's that mean? Well, how did you do that? What is it? It doesn't matter. The CEO wants to talk with you today.
Get in here like eight o'clock.
He's like, I don't know, man.
He's really upset.
We had to figure out, I was like, okay, okay.
And in the meantime, physical security had an issue.
They had a incident because they were looking over and they were like, well, someone walked
in and put all these happy face stickers on there.
And they walked out of the building.
They're like, what does this mean?
I stole this.
And I remember they are coming around and I get into the building.
They escort me to the boardroom.
And the boardroom has this massive table on it.
And me, in my awkwardness, I remember sitting
and picking the exact opposite of where I imagine
everyone, the exact corner of it.
And the physical security is like,
no, get over here, get over here.
And first, give us your ID,
and we're gonna run some background checks on you again,
just to make sure.
Physical security knows to treat those paintings with a very high level of security.
So when the CEO came in and he saw his paintings had sticky notes on them,
he simply asked, who did this? What does this mean? And when security had no idea,
then the CEO is like, okay, we'll find out. And then when security looked at the cameras, they saw they were glitched out during that time
and they had almost no evidence of who did it.
This made the CEO furious.
What do you mean no security footage?
Find out who put these sticky notes on this.
And the cameras around the building
were just all black or white because Greg hacked into them
to prove he could sneak into the building late at night
with nobody noticing.
The VC came in, the VCSEO came in and was like, what the fuck is, what is this?
You know, who's, like, what do you mean stole my panties? And little happy faces on them.
And that's what kicked off the security team alert.
And I remember I was sitting there and then my contact leans over to me and he's like, look, again,
I have never seen him cancel meetings, like, and move
so in to see someone like this. So I don't think it's going to go well. And, and then I look over
to Brando and Brando is just like, you know, he's like, maybe we flow a bit too close to the sun
here, a little Icarus is a little hard, but you know, whatever. So CEO comes in with his single security, they hand me
back my ID and he looks at me.
And you can tell the thoughts of this goth kid in his boardroom is not what he expected and not what he was expecting to meet for when he...
And he looks over and he's like, you hired this guy?
And my contact who worked at the company was just like, yeah.
And like looking at him, he's like, all right.
And he's like, so walk me through what you did.
And for the next 10 minutes, I retell him the story
of exactly how I did.
And this VC previously had been very technical.
He was a co-developer.
He worked on software.
And so he starts going and he starts
asking me very intelligent questions.
We start having a back and forth about, oh, OK,
so why this, this, all right.
And he's like, so two questions for you.
First, what were you going to do with the paintings?
And I was like, I was dating a girl out of Brooklyn at this time, and I was like, you know,
I think about taking him to Pratt University and maybe, you know, fencing him at the university there,
but it's got to be someone who knows some weird connections at Pratt Institute of Art.
And he starts laughing. He's like, all right.
She had a plan. And I was like, okay.. He's like, you just got a plan. And I was like, OK.
And he's like, I really like those paintings.
I was like, I can't believe you.
I was like, yeah.
I absolutely would have stole right out the front of it.
Nothing to do.
And he's like, all right.
So then he's like, all right.
So my next question is, what are you doing next year this time?
And that's how I became their reoccurring rent teamer for four years until they got
tired of me breaking into the buildings and doing all the things and hired me as full
time.
So after this, I got introduced to a lot of the various levels of executives for this,
and I got to pen test all their personal houses and got to show them
how why physical security is important
Gaining access to all their penthouse suites all their large houses that I did that for quite some time afterwards
A big thank you to Greg Linares, aka Laughing Mantis, for coming on the show and sharing these stories with us.
Please consider supporting this show by visiting plus.darknetdiaries.com.
If you do, you'll get 11 bonus episodes and an ad-free version of the show.
By becoming a supporter is the most direct way that you can help make sure this show continues running
and delivers you more episodes.
Please visit plus.darknetdiaries.com.
This episode is created by me,
CAPTCHA AMERICA, Jack Reisider.
Our editor is the super subnetter, Tristan Ledger.
Mixing done by Proximity Sound,
and our intro music is by the mysterious Breakmaster Cylinder.
I've been working on a new dance lately.
It requires the most efficient use of muscle memory in order to spin at the perfect RPM.
I call my dance the algorithm.
This is Darknet Diaries.