Darknet Diaries - 161: mg
Episode Date: July 15, 2025In this episode we talk with mg (https://x.com/MG), the brilliant (and notorious) hacker and hardware engineer behind the OMG Cable. A seemingly ordinary USB cable with extraordinary offensiv...e capabilities.Learn more about mg at: o.mg.lolSponsorsSupport for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.
Transcript
Discussion (0)
Hey, hey, it's Jack, host of the show.
I am feeling good.
I am feeling healthy, strong, fit.
I'm in the game.
And so I'm coming at you with a second episode this month.
Let's go.
DEF CON is coming up in a few weeks.
I'll be there.
I wouldn't miss it.
You know me.
And if you don't know, it's the premiere hacking conference
in Vegas.
And I love going because every year something crazy happens.
You don't always know what it'll be, but you know something is going down somewhere.
Like maybe someone will drop a zero-day live on stage, which will suddenly make us all
panic and call home, shut everything down.
Or maybe the FBI breaks into someone's hotel room and arrests someone who they've been
chasing for a decade.
Or maybe someone gives a talk that makes history.
I mean, Julian Assange once gave a talk at the chaos computer camp in Germany
To announce WikiLeaks lots of people come to drop big ideas at hacker conferences
And if there's a talk that makes history, I want to be there for that moment. I want to be in the room where it happens
Anyway, I'm not planning any party or anything this year
I'll I'll just be floating around like all over the place
But check my discord or Twitter for like anything this year. I'll just be floating around, like, all over the place.
But check my Discord or Twitter for, like, live updates
on where I'll be, though.
And if you see me, please say hi, because I love meeting you.
It's your energy that gives me the fuel
to fly this thing to the moon.
Oh, and if you don't know what I look like,
I wear a big black hat, and I cover my face entirely
with a bandana.
I look like a bandit. All right. I promise I'll bring you back some stories.
These are true stories from the dark side of the internet.
I'm Jack Reisider. This is Darknet Diaries.
This episode is sponsored by Threat Locker.
Ransomware, supply chain attacks, and zero-day
exploits can strike without warning, leaving your business's sensitive data and digital assets
vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats.
That's the power of the ThreatLocker Zero Trust Endpoint Protection Platform.
Robust Cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every
action, process, and user unless specifically authorized by your team.
This least-privileged strategy mitigates the exploitation of trusted applications and ensures
24-7, 365 protection for your organization.
The core of ThreatLocker is its Protect Suite, which includes application allow listing, ring fencing, and network control.
Additional tools like the ThreatLocker Detect EDR, storage control, elevation
control, and configuration manager enhance your cybersecurity posture and
streamline internal IT and security operations. To learn more about how
ThreatLocker can help mitigate unknown threats in your digital environments and
align your organization with respected compliance frameworks, visit ThreatLocker.com.
That's ThreatLocker.com.
This episode is brought to you by Exonius, transforming asset intelligence into intelligent
action.
You've got tools for endpoints, tools for cloud,
identity, SaaS apps, but when you start asking questions
across the global attack surface,
good luck getting a straight answer.
And that's where Exonius comes in.
They connect the dots to rise above the silos
and fragmentation, every asset, every identity,
every exposure, all in one place,
and they don't just show what's broken.
They help you fix it right from the platform.
With over 1200 bi-directional integrations, Exonius works across your entire stack without
adding friction.
You get full visibility and the ability to act on it where it matters most.
If that sounds a lot like what you've been hearing around CTAM or exposure management,
you're spot on.
Check out what Exonius is doing to drive proactive cyber resilience with actionability. Visit Exonius.com. That's spelled A-X-O-N-I-U-S.
Exonius.com.
I guess we're going to call you MG in this. Is that what you want to be known as, is MG?
Perfect, yeah.
Yeah, I like MG because I didn't know for the longest time
if it was milligram or...
It's great.
Megagram.
It's got so many things it could be.
That initial mystery, I think, is what intrigued me about MG.
He had this raw type of energy to him.
He's always building.
He goes hard on hacking.
He's always in the zone.
And he seems like he's part of the counterculture.
Like, he's probably got stories, right?
And people kept telling me, you should get MG on the show.
So here we are. Color Me Intrigued.
He tells me MG is just his initials.
And he started using that name when he signed up for Twitter back in 2008.
His Twitter name is underscore MG underscore.
Nice and simple.
I grew up in Wisconsin. Both of my parents were in medicine.
And I guess like a big thing that I learned growing up with them is you can pretty much DIY
anything.
And also DIY and stuff is a great way of having control, stretching the value of what you
have and things like that.
So they designed and built their house from the ground up, like every
aspect of that. And this was, you know, while they were working full time in medicine, and of course,
you know, raising me and my sister, I think the house started around when I was like in
first grade, roughly. So I was just constantly around raw materials, DIY, just tools everywhere.
Yeah. Yeah.
Yeah, but didn't you get into magic also when you were young?
Oh, I mean, what kid didn't, right?
But no, once I got into, I don't know, roughly middle school, got into magic, sleight of
hand, just deception and all that cool stuff.
Also got into trouble doing that.
Brought a prop cigarette to school, got suspended for not taking it seriously enough.
You took a cigarette to school?
A fake cigarette and they suspended you over it?
Yes, they did.
I mean, there's even more to that story.
So yeah, I mean, it was a really believable one.
It looked like the tip was glowing and you blow on it and like some talc powder comes
out, makes a nice cloud.
So it was kind of believable.
The teacher was like, whoa, what is this?
And so confiscated it.
But then they were holding it
and like some of the talc came out of it
and they're like, oh, white powder.
Uh-oh.
So they called the cops, had them like drug test it.
My buddy at the time decided to say,
that's not even how you'd smoke cocaine.
Did not help the situation at all.
But yeah, I think we both got suspended
and mine was specifically for not taking
these situations seriously enough.
And you know, it was kind of the start of my
conflicts with authority.
We'll just leave it at that.
As MG grew up, he got influenced by his parents being in medicine and was gravitating towards
biology. But the seductiveness of computers and technology would ultimately change his
direction.
I was really into biology until Quake. Quake came out and that changed everything for me
about computers. You had to learn how they work to play Quake, especially multiplayer. Like, first of all, you don't just run an app on your machine.
Back then, you're at least rebooting the Windows machine up into, you know, DOS mode.
Oh, you want to connect with people? Cool.
You're going to have to learn how your modem works and dial-up works and peer-to-peer connections work.
All these other things.
And eventually that would migrate into modifying
the game environment to play Team Fortress, a modification to Quake itself, and then you've
got multiplayer lobbies and all this other stuff starts happening.
And it's like, wait a second, the computer does all these things.
You can mess around with this.
You can start breaking stuff.
They weren't checking client-side content,
so you could modify player skins to be way bigger,
or have an X, Y, and Z axis sticking way farther out than the actual player was.
You can see them coming around corners.
You can add a fluorescent coloring to the skin to make them stand out in the dark.
That's really cool to me.
Oh, that's brilliant.
So if you make the enemy model extra big, then you can see them coming
and you have the big advantage over it. That's amazing that you thought of that.
Or the skins of the walls and stuff like that. You can set them to partial transparency and
see through those walls.
Most video game players at some point
wish they had a faster computer.
So a lot of gamers get into overclocking.
They force their computer to run faster
than it's designed for.
But when you overclock your CPU,
you run the risk of your CPU overheating
and can get really hot and melt,
which means you need to have a better cooling system.
Water cooling is a pretty effective way to cool your CPU.
But it requires all this extra hardware.
You need tubes and reservoirs and pumps.
But when MG heard that people were putting tubes and pumps inside their computers to
cool them better, he was in.
That sounded great.
If you get a pond pump, you get a heater core from a car, you go on McMaster Car, first
of all you learn what McMaster car is, and
you're like, well, I can just buy chunks of metal pre-cut. Awesome. I'm going to drill
these out in my basement and plug them and create all these water channels inside the
blocks, strap that to the processor, the graphics card, just start cooling everything down in
the computer. And it just kind of escalates and you're like and that was
actually a really good example of merging non-traditional computer skills
with computers it's like okay we're gonna we're gonna merge shop class here
or auto skills when you're you've got this liquid moving through a multi
metal loop you're gonna get corrosion unless you understand the chemistry of
how to block that with some additives so lots of really cool stuff to just pick up and learn.
Man, I'm the same way.
I truly believe that getting hands-on experience is the best way to learn.
For me, when I was young, that was looking for cheap or free computers to just play around
with like a sandbox and build without the fear of breaking them.
Having a playground to try out random things was very helpful to me.
Like what happens if you don't put RAM in the computer?
Are the fans actually needed?
What happens if you disconnect the hard drive mid-boot up?
Or take out a thumb drive while you're trying to write to it?
What if you try to delete all the files?
I wanted to see all those things and I tried them all
because this is the stuff that was interesting to me
and I wasn't finding it in textbooks.
And it vastly brought in my understanding of how all this operates. I tried them all because this is the stuff that was interesting to me and I wasn't finding it in textbooks.
And it vastly brought in my understanding of how all this operates.
MG's first IT job was at a help desk, fixing people's PC problems.
But one of his buddies moved out to San Francisco and started working on the 10,000 year clock.
It's a fascinating project that simply asks, can we build a clock that'll last for 10,000 years?
Clocks live a long time without an issue.
Surely that can't be that hard.
But when you lean into the problem,
it starts to get really tricky.
First, it raises the questions,
wait, are humans even going to be here in 10,000 years?
That's not a given.
So if you're going to build a clock
that's going to last that long,
it kind of needs to function all on its own
without humans around to help it.
So where does it get its power from? That's an interesting challenge by itself.
But then you think about the pieces and parts that it has to be made of. Everything must
have extreme longevity. Like, it's got to be entirely made of metals or ceramics. Plastics
and rubber is just going to wear out too easily.
MG got fascinated with this idea and decided to join his buddy out in San Francisco
to see what was going on with that project.
And immediately, he was amazed at the DIY culture out there.
He met people from Burning Man who were creating art for art's sake.
He visited the Maker Faire, which is a really cool place where people show off their projects
that they're building.
It's so inventive and clever and inspiring.
It was like everyone around him there was big into building things themselves or tackling
really interesting problems or just had a really unique way of seeing the world.
MG found his new home.
The 3D printed gun movement, that added a new layer to the whole thing.
Let's see, that was defense distributed, I think it was like 2013, where they started
showing off the first 3D
printed guns that were, you know, there was a whole community that was working on these
at the time, but Defense Distributed showed these off to the world and with like so much
bravado that it was impossible to miss.
So everybody took note and it had this interesting tone to it.
And this message that I was picking up, which is
like creation can also be power and like politics like
You can't take something back once you put it out into the world So you've got to be thoughtful on how you do it. But also you can't take it back. Nobody can take it and make it go away
uh that
it and make it go away. That, regardless of what you think about, you know, that specific topic, just the larger power and political nature of it was just
fascinating to me. Yeah, that was an interesting time. The US government has
always tried to regulate guns by acting as a gatekeeper, controlling who can sell
them, trade them, or move them across state lines. That's where most of the
laws live. Not at the moment that the gun is used,
but it regulates the system that makes it and delivers it.
But the 3D printed guns changed all that.
It didn't need to be bought or sold or registered or traced.
It didn't pass through any of the traditional checkpoints.
Suddenly, most of the regulations became powerless
because you could just print one at home and no one would ever know.
That kind of knowledge fascinated MG.
There are certain technologies that once released,
changed the power dynamics of the world.
It changes who's in control.
New types of technology allow you to completely sidestep outside
the system that was supposed to be
there to control and shape you?
And yeah, that sort of thing intrigued him.
That was also around the same time as Bitcoin was taken off, and I was also into that, and
I really liked it at the time and the concept of it to just changing and decentralizing
power.
And it was really sticking with me.
This was also at the same time that the Snowden leaks happened.
I didn't know at the time what it would be, but I just I really wanted to participate
in that type of creation, right?
I didn't know what it was.
So you know, join some of these groups and just kind of help them like, hey, I do IT.
Maybe I could help with some of your stuff or I do security. Let me help you. And you can kind of see how like, hey, I do IT, maybe I could help with some of your stuff, or I do security, let me help you.
And you can kind of see how the artist works, right?
And that's kind of where I was at for a while.
So you worked at Defense Distributed?
Let's just say volunteered.
Another thing that sort of shocked the world was the Ant catalog, which came out in 2008.
This was some leaked NSA documents which showed different types of devices and
Technology that the NSA had in its possession and could use for missions if you were in the NSA
Yeah, so the ant catalog this was commonly misattributed to Snowden
I believe officially it's just another leaker around that time
But the NSA ant catalog had this just catalog of all this cool espionage tooling
hardware The NSA Ant catalog had this just catalog of all this cool espionage tooling hardware
software
Just so many cool things like if you ever saw the back of a magazine with the spy catalog stuff back there
Disappearing ink and you know, whatever it may be
This this was that time just with much higher budget. So one of the things in there was a malicious cable
Called the cotton mouth. It had multiple one of the things in there was a malicious cable called the
Cottonmouth. It had multiple layers of PCBs inside there. It looked really big
and chunky, really complicated to make, but it also cost... you had to have at
least a million dollars to afford this and for like the NSA customer
population of their own department.
But yeah, you had a million dollars just to get 50 cables,
so that's 20 grand each.
And it was just cool seeing all of these things.
Okay, so this cotton mouth cable
that the leaked NSA docs showed was wild.
It looked like a regular USB cable,
but somehow it had the ability to install
a Trojan horse on a
computer wirelessly? So like if your enemy plugs in this cable to their computer, you
could somehow get into that cable and infect their computer with malware. Now for most
of us at the time, we were blown away by the technology in this catalog. How was it possible
for a USB cable to function both as a regular USB cable, but also have
the ability to infect a computer?
We were all wondering how it was possible, but MG was actually trying to figure it out.
He was tinkering with hardware, building 3D projects, helping out at the Maker Faire,
and building random things.
And around 2017, he got an idea.
There's this device called a USB rubber ducky, which looks like a USB thumb drive, but when
you plug it into a computer, it'll automatically run a script that could infect your computer
with malware.
Basically, the rubber ducky was already terrifying, but MGE wondered how he could make it even
worse and thought, what if he took the USB rubber ducky thumb drive and made it explode when you put it in a computer?
I kind of spent a while making exactly that an exploding thumb drive. Yes, so
I'm a big nine-inch nails fan. So naturally I call this mr. Self-destruct and
so the the why this is important here is because there's not much space in a USB rubber ducky.
It's all PCB and components.
So I needed to figure out how to make space inside of a thumb drive while retaining ducky functionality to an extent.
I had a really limited version of it.
So I shrunk it down to I think what was ultimately like an 8x12mm PCB with
a couple really limited components on it. Just enough to run a tiny payload that can
maybe open up a browser to a specific site. Good enough. And then it could also trigger
an electronic detonator to then fire like a firecracker or something like that and have a bunch of confetti in there.
I was doing this all with the idea of this is gonna be just like art
I'm gonna present to the world and like a video forum and hey, everybody can just look at it, right?
So the payload was you plug it in a computer
It opens up the browser goes to a video of a Jack in the Box animation. Jack
in Box is cranking the box for an awkwardly long amount of time to build up tension and
then the explosion happens. Confetti goes everywhere. Pop! And that was great.
That's just ridiculous project, but I love it. Since that's happened, there's been evidence of exploding thumb drives shipped to journalists
and stuff like that that had RDX in it.
That would do a lot of damage, and it's exactly why I did not productize that despite many
people asking for it.
I was just thinking of the Hezbollah Pages at this point.
Did those people see your presentation somewhere
and be like, oh, that's great?
Oh, God, I hope not.
So he's tinkering around with these USB drives
that will physically self-destruct,
and his buddy is like, hey, you should take those things to DEF CON.
I think it was around 2013.
I finally made my first DEF CON before wanting,
you know, I had been wanting to go for years,
but 2013 was the first time.
And that's where I linked up with a long time online buddy, Whitey Cracker, Bryce.
And he kind of just introduced me to more stuff and showed me around the security space.
And it was, it was very helpful for me at the time, just learning and meeting more people.
And yes, so at DEF CON, I would absolutely make little devices that were just highly
custom one-offs or two-offs, maybe five-offs to people who wanted like a custom thing.
You had to know me.
And yeah, back alley deals at DEF CON.
Oh, man, the back alley deals at DEcon. Oh man the back LED deals at Defcon are
always very interesting to me. The first time I went to Defcon someone told me I
should try to find and buy some rainbow tables. This is a list of hashes and
passwords. You could download it back then but it was a lot easier to just get
it on a stack of CDs if you knew someone. And the point of it is that it makes
cracking passwords a lot faster.
So I went to Defcon and I started asking vendors, hey, do you have any rainbow tables for sale?
They all said no.
What?
LOL.
And then eventually someone was like, hey, wait, you said you wanted some rainbow tables?
I was like, yeah.
And he said, you should go ask Paul.
And I'm like, who the hell is Paul?
They showed me where Paul hangs out.
It turned out to be Paul Ascadorean.
And when I met him, I asked him, hey, do you have any rainbow tables?
And he's like, oh, I just ran out.
And I was like, oh, man.
He's like, I brought a bunch last year for DEF CON, but there wasn't many people who
really wanted them.
So I only brought a few leftovers this year and just ended up giving them away.
So that hunt to find secret stuff at DEF CON is real and it's exciting.
And I've been properly blown away at some of the secret things I've seen people bring to DEFCON.
So MG fell in love with DEFCON.
These people were just like him, building cool stuff, subverting the gates of power
and using technology to reinvent new things.
And a lot of people at DEFCON are building just for the fun of it.
The endless curiosity cannot be tamed in some people.
And it sparked a whole lot of new energy and ideas for MG.
Around that time, the whole world was shrinking at a rapid rate.
Like for the longest time, we only had USB type A cables, the big wide ones that it takes
you three tries to plug in, right?
But then suddenly those shrank and then we got mini USB cables and then micro USB cables.
Computers used to be big and clunky, right?
Desktops, of course, but even small laptops, you couldn't fit those in your pocket.
But then the iPhone came out and you had a whole computer in your pocket.
And this brought forth a whole bunch of smaller computers like Beagle Boards and Gum Sticks
and Raspberry Pis.
Tiny computers that you could fit into your pocket, but were also pretty powerful.
And so while the NSA's version of this malicious cable
cost them $20,000 to make,
with all the miniaturization of electronics hitting the market,
MG was wondering if it was feasible to build one himself
for a far cheaper price.
Yeah, exactly, right?
And the miniaturization of
microcontrollers and other things like that certainly
opened some doors for me in which I could experiment and play.
You know, it's actually important to mention right around this time is also when I met Darren Kitchen from Hack5.
Darren Kitchen was already making malicious devices like the rubber ducky and Wi-Fi pineapple.
I was also making YouTube videos through a channel called Hack 5 to teach people how
to hack.
First of all, what a rubber ducky is, does keystroke injection.
What that means is it emulates a keyboard and will very rapidly type those keystrokes.
So I think the ducky is doing like 150, 200 keystrokes a second. So, you know, anything I could do at your keyboard,
the dockie can do for me. You know, great for IT sysadmin automation, but also, you
know, maybe some nefarious stuff too. And if you don't care about speed, payload size, you don't care about all of these nice product aspects,
you can totally compromise and get something barely usable
in return for making it much smaller.
And that's effectively what I did.
I compromised on a lot of things.
Like even some like basic electrical safety things,
I ended up compromising there because,
hey, I mean, this thing's gonna blow up what's it matter right so to make his exploding
thumb drive he basically had to make a smaller version of the rubber ducky and
this gave him an idea what can you do with a super tiny keyboard connected to
a computer and so he decided to make his first malicious USB cable it's identical
to the mr. self-dest, except it didn't explode,
and it was inside of a cable instead. So basically to put a payload onto this,
you had to have physical access to the cable. You program it, and you know, it's gonna delay
however long you tell it before running the payload after it gets plugged in. Like the end, right?
Basically, imagine what someone could do if they had access to your keyboard. however long you tell it before running the payload after it gets plugged in. That's like the end, right?
Basically, imagine what someone could do if they had access to your keyboard.
That's what this cable did. It acted like a pre-programmed keyboard.
If you plugged it in, whatever it was programmed to type, it would type.
So you could do some basic key stereo conjection attacks,
which, you know, open a browser, open a reverse shell, you can do a lot of
stuff, but it wasn't this, like, this tool I knew it could be.
He was posting about this online and stuff, making a handful of them and selling them
in the corners of rooms in DEFCON.
But the first version was lacking features and really buggy.
From his visits to DEFCON, he met a guy named Fuzzy Knob, who got MG a job
red teaming for a Fortune 500 company, which was MG's first cybersecurity job. Specifically,
hacking into places to test their security. How cool is that? But while he was at work
doing his red team stuff, he just kept thinking about, how can he make this little device
better?
So, obviously, the next step is, well, what could that product actually be?
And the next time I had vacation, which was actually in between jobs.
So I had, I think it was six weeks between my first Red Team job
and when I was leaving an IT role.
So six weeks in between, I'm like, you know what?
I have not figured out how to like design PCBs yet so I'm
gonna get a mill. PCB is printed circuit board it's typically a green board inside an electronics
device that has the capacitors and resistors and they're soldered onto it and a mill is a way to
create one of those PCBs yourself making the traces and drilling holes for the components
so he spent six weeks learning how to design PCBs and created them on his mill.
The cool thing about a mill is that you get rapid iteration. So with software,
you can just change some code, save it, hit compile, seconds later you can test the output.
When it comes to a PCB, it's usually weeks. You gotta design it, send it off to a fab,
wait for it to come back,
then you assemble the components on it, then you test it and debug it,
before you can even get a change you want to make to test it over.
But with a mill, you can do some primitive stuff.
I can't get super advanced here, but you can test some basic things.
You do it in the span of a few hours and make a revision,
kick it out again, and just maybe go through two, three revisions in a day easily,
depending on how complex it is.
And that allowed me to level up really quickly.
So he spent a lot of time in his home lab trying to jam more features into this
cable of his.
But one thing bugged him about this cable, you have to physically take control of it to program what keys it will type.
It would be way better if you could plug the cable into your target and then tell it what
to type remotely.
So he was fiddling around trying to figure out how to give this thing an antenna or something,
maybe Wi-Fi in the smallest way possible the Wi-Fi radio allowed it to connect to networks or you with like a phone to connect to it and
There was no need to get access to the cable to update a payload on it or to trigger a payload
So that that changed the entire value of this
Being able to dynamically change what it did
value of this, being able to dynamically change what it did while it was in play. Ah yeah, so instead of blindly hoping your cable is typing the right keystrokes that
you pre-programmed it to do, now with Wi-Fi, when this cable connects to a computer, it's
almost like it turns into a wireless keyboard. Whatever you type on your phone, those keystrokes
would show up on the computer it was plugged into. But it didn't look like a keyboard, of course.
It looked like a regular USB cable that you typically have hanging off your computer anyway.
This made it a very spooky cable.
Suddenly, USB cables were no longer safe.
And this malicious cable was starting to finally look promising.
The first version didn't have a lot of functionality, but this one?
This one's starting to look sharp.
So he came up with a name for this cable, the OMG cable.
It works for so many reasons, but since his initials are MG, then OMG is a nice fit.
And that took off. Then Defqon was coming up, August 2019, and I'm like, okay, this is getting a lot of traction.
So by August, I wanted to have some of these things
to actually sell. Now I was making them still from the ground up in my kitchen, basically.
It took me eight hours per cable on average to make these. And the components were so fiddly and
tiny that 50% of them were failures. I would throw out 50% that
that turned into, if you do the math on that, that is 16 hours of work per viable
cable. Really not scalable but you know what I just wanted as money as I could
for Defqon, right? So I just focused entirely on this in my free time while
still doing my Red Team role full-time. You have to think he's trying to
fit a microcontroller
inside a USB cable so that nobody thinks
there's a microcontroller in it.
He's working with incredibly small components,
soldering under a microscope, sometimes with exposed silicon
with almost no room for error or it won't fit in there.
So he makes as many as he can
and brings them all to DEF CON to sell.
He's leveled up from the back alley deals by this point and Darren from Hack 5 was letting
him sell them out of the Hack 5 booth.
They sold out.
Everybody wanted them.
And they sold out fast.
So Darren was like, why don't you bring more?
And MG was like, because they take forever to make.
So Darren started teaching MG about mass producing electronics.
Okay, let's learn how to do manufacturing. Find somebody who can do certain steps.
So, you know, we got one factory who creates the raw PCB.
Another factory who assembles the components,
solders the components to the PCB.
And another factory who integrates those PCBs into a cable.
And even at that point, there was still plenty that I had to do after receiving them.
Final assembly, putting the hoods on, gluing the hoods on,
running QA, calibrating them, running,
putting firmware on them, packing them,
shipping them off to the warehouse, all that stuff.
But anyway, doing any of this outsourcing
would have been a huge help for me,
and that's what the goal is.
So it took about five months of back and forth
teaching this shop how to do what I needed.
So I get the first batch.
This was like the tail end of 2019.
I finished the assembly.
I do some basic tests.
I flash them, pack them, and I send them off
to the Hack 5 warehouse.
And I think it was January 1, 2020, start the online sales. This is where I quickly learned it was going to take a
lot more work to have a manufacturer do what I needed. Customers started having
issues. It was all over the board. Like there was no obvious pattern. So I had to
do a lot of investigating to discover you discover what was really going on here. Just really weird problems.
It was probably an upstream manufacturing problem, but I couldn't think about the upstream
manufacturing.
I had mostly finished product currently in hand.
And if I couldn't sell that, that was a gigantic loss.
Like financial loss. Like mortgages to house level loss.
That was a little bit scary.
There were enough issues happening with customers that I just decided to pause the sales and
figure out what was going on.
He analyzed the cables coming back from the factory and found that on the power supply,
inside the cable was a tiny microscopic crack.
And to his horror, it was on over half the cables.
Which meant his first batch of cables, half of them had to be thrown out.
A huge financial loss for him.
He had to teach the manufacturer how to test for quality at every stage of the build process
in order to find exactly where the cracks are coming from.
And he discovered at some point the manufacturer would throw all the finished components into
a bag to give to the next build stage and when they were getting all jostled around
in the bag is when the cracks would show up.
Typically that may not be a problem but since he's working with such small components where
silicon is exposed in some areas, then it was damaging the circuitry.
So he got that fixed, was back on track, and he was back to selling the OMG cables
to whoever wanted them online through the Hack 5 shop.
And these cables look amazing.
They look exactly like a normal USB cable, one that you would charge your phone with,
and you would never be able to tell that it's a malicious one.
It's supposed to be able to tell that it's a malicious one. It's supposed
to be stealthy like that. One of my manufacturers lost an entire box of
cables, could not account for it. So the way the cables are configured they're
not very useful. Luckily they're not hot so to say, but there's a good chance
that this box just got shipped to one of their customers.
He was expecting totally normal USB cable.
So there is absolutely a chance that there are some O.M.G. cables just floating out there.
I forget the exact number is like a hundred or so, which is kind of scary.
M.G. strikes me as someone who just obsesses over making his cable better and better.
And it's amazing how he's constantly improving the manufacturing process and the functionality
and the build quality of the whole thing.
For the first several years, I wasn't trying to focus on profit here.
I was just, every dollar that we ended up getting that turned into be profit, I put
it right back into just improvements, R&D, because it was a passion project, and I mean it still is,
right?
But that just allowed me to focus on so many trivial things.
The cable clips themselves.
So people would routinely like lose their cables.
So we started creating these fluorescent clips that we would include with the cables to prevent
that, right?
And you can take them off if you don't want it or just keep it on, whatever.
But, you know, this is a... I'll make this one short,
but it's another example of scale in a hilarious way.
It's so simple. So, you know, I'm 3D printing all of these little clips,
these fluorescent clips, and they're great when you got a few of them,
but when you got a hundred or a thousand in a bag, they start getting tangled
So that's really annoying to pull up tangled clips when you're trying to pack envelopes
So, you know redid the design, you know, okay
Now I've gotten a tangle free clips and you know
And we got the the woven cables are more snag less and things like that
And how can I speed it up so I can get a bed of you know?
600 clips on a single
3D printed bed without it cascading and falling apart.
How can I improve the labeling process from a handheld labeler to an automated machine
done labeler?
Probably doesn't make financial sense to do it, but it's fun to automate and obsess. So yeah, point being, I have the opportunity
of obsessing at the sacrifice of profit.
Now, over time, his cables have gone through many revisions,
a lot of feature upgrades too.
So if you were to buy an OMG cable today,
here's what it can do.
It comes in all types of different forms,
whether it's got a USB-A or USB-C active end,
you know, on the passive end it'll have like lightning, micro, USB-C, usually meant to
emulate the aesthetics of exactly the common cables that are out there.
It acts exactly like a normal USB data cable, right?
But it's got an implant inside, as you could probably
deduce by now, that thing stays dormant, but an attacker can remotely connect to it via
Wi-Fi nearby, or they can have the cable connect out over the internet to a server you control
anywhere. It can also do some autonomous things like geofencing and triggering things automatically
based on wireless networks
it does or doesn't see, right?
Okay, cool, but what does that do?
So you get a whole web UI on a phone or laptop, whatever it is, that gives you full control
over this cable.
We already talked about keystroke injection payloads, you know, emulating a keyboard.
We cranked up the speed at which these things can run
to nearly a thousand keystrokes a second.
Added some mouse injection as well,
so you can navigate a mouse around the screen,
click on stuff.
Expanded the capacity of these things
to store hundreds of individual payloads if you want,
or just really giant payloads.
Name of the game is always just flexibility.
So if you want one giant payload or 200s tiny ones,
cool, you can do that for your need.
We added USB key logging a while back.
So if you deploy a cable between a keyboard
and a desktop or a laptop,
which happens a whole lot in corporate spaces,
you can log those keystrokes if it's a full speed keyboard.
Most recently, we added kind of a novel communication link.
So we're calling it HIDX Stealth Link.
And what it does is imagine network interface
that looks like a keyboard to the host.
So it says, I am a keyboard,
and it looks like a keyboard if you open up Device Manager,
but it's got a bi-directional raw data link.
So if you ever use Netcat or something like that
to create little tunnels for data, same concept.
So you can have a remote shell running on the target
that's on a completely air-gapped machine.
It doesn't even have a network interface.
So very cool.
And I had also mentioned a lot of these other types
of features, like the ability to run self-destruct,
the ability to do geofencing,
and the self-destruct specifically is to wipe the data.
So if you've got some proprietary malware on there,
you don't want to be phoned.
If it gets lost, we can help wipe that.
If you've got key logs on there with sensitive data,
like I don't know, passwords or whatever it may be,
cool, we can wipe that that can also disable the cable so that it just stops acting like
a cable and hopefully that'll encourage your target to throw the cable away and get it
out of play and that's kind of just a high level of all the different things it can do
yeah this thing is pretty scary and it's one of those things that now that you know a normal looking USB cable can be an evil thing,
it makes you distrustful of all USB cables.
Like if you see a random USB cable sitting around,
it might be some sort of trap that someone left for you,
hoping that you'll plug it into your computer
so that they can get into your computer.
I've got it in my hand here and I'm looking at it compared to another cable I have and
it is identical.
It's crazy how...
Nice.
Which one is it?
iPhone one.
Lightning.
C to Lightning or A to Lightning?
C to Lightning.
Oh, nice.
So funny story about that one.
If you hold up the type C ends and look at the white hoods, I delayed that cable by, I think it was a couple months,
because it was 0.3 millimeters longer than the actual thing.
So I was just like, oh man, it matters.
It didn't really matter.
But at the same time, the guy who does the front end work
for us is blind.
He was a customer originally when we released the keylogger edition of the cable.
And he came to me, he's like, dude, I'm feeling these two cables side by side
and I cannot tell the difference. So that was amazing to me.
Yeah, it is remarkable. And going back to the Ant catalog and Cotton Mouth, I wonder if the NSA has bought like 1,000 of these
to be like, oh, this is so much cheaper
than the $20,000 per unit we have,
and it has way better features,
and we don't have to run the R&D and all that sort of thing.
You have any idea?
I mean, I've heard some whispers
that I probably shouldn't talk about,
but I'll say this, is that there's many reasons
why that could occur, which I mean, sure, price point.
Yeah, absolutely.
Maybe ease of use.
Like, I can't really speak to what the product experience is
of their stuff, but I can suspect.
But here's another thing, is deniability.
Like, if you
find a cotton mouth cable, you're going to know where that came from, right? Or especially
if you're certain intelligence services, you're going to have a good idea of like who made
this highly custom hardware. But if you're seeing something off the shelf, there's some
deniability in there for, you know, NSA as an example right like oh where that came from that's just off
the shelf OMG cable right so I would imagine yeah I have certainly talked with numerous
people who are in that space whether directly or kind of third parties employed by them
to do tests and stuff like that where these are absolutely in a whole lot of those types of environments for various needs,
whether it's testing, third party assessments, like red teaming, stuff like that.
I've talked to police departments, stuff like that, who are using it's that interesting aspect of circumventing things, right?
So before, Cotton Mouth was only available to US intelligence agencies and maybe Five
Eyes.
But now, the OMG cable is available to the world. So all of NSJ's adversaries also have this. And that is interesting, that
the technology isn't only in one person's hands now, but that there's a level playing
field of like, no, we've got that too.
Yep. I mean, at the same time, I think it should be. Like, if I could have made that the way I did, I feel like others can make that.
And therefore, you know, it was just a matter of time.
Whether or not we heard about it in public
was probably the only question there.
Oh, that's an interesting way to look at it, right?
It used to be that only an exclusive group of people
could get their hands on such a thing.
And now anyone can.
And yeah, that's scary that this thing could be anywhere now.
But maybe the bigger danger here isn't when the cable went public, but when it was kept
secret.
When the only ones who had it were shadows.
People who didn't want you to know they had it. People who didn't want you to know they had it.
People who didn't want you to know this existed.
People who didn't have to follow the law.
I mean, compare it to smallpox.
For centuries, people died of smallpox and we had no idea why.
But then we discovered what it was and we learned how to contain it.
And then we learned how to fight it.
And then we learned how to defeat it. But in that process, we learned how to contain it, and then we learned how to fight it, and then we learned how to defeat it.
But in that process, we learned how to weaponize it.
And that's the double-edged sword of knowledge.
We're in danger without it, but we're dangerous with it.
We're going to take an ad break here, but stay with us, because when we come back, MG's
going to tell us stories about how this cable is used in the wild.
This episode is sponsored by DeleteMe.
Right now the headlines are chock full of data breaches and regulatory rollbacks, making
us all vulnerable.
But you can do something about it.
DeleteMe is here to make it easy, quick, and safe to remove your personal data online.
And just as well because I keep hearing about data breaches in the news.
Since privacy is a really important topic to me,
Delete Me is part of my internet hygiene routine.
When I signed up, Delete Me immediately got busy
scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It's great to have someone looking after me.
Plus, Delete Me was recently ranked as the top
data removal service by Wirecutter.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners, get 20% off your Delete Me plan
when you go to joindeleteeme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com
slash darknetdiaries and enter code DD20 at checkout.
That's joindeleteme.com slash darknetdiaries, code DD20.
So over the years, people have shared stories with MG about how they're using his cable
and have asked for some really interesting feature requests.
One story he was told was from someone who's a red teamer for the DOD, the Department of
Defense.
That is, his job was to try to hack into the US government's networks to test their security.
This team posed as an Xfinity tech via email and phone. So they got a
legit Comcast.net account which literally every Comcast customer gets.
But you know you got username at Comcast.net and they're just like you know
what we can pretend to be a Comcast employee with that and I bet it'll pass.
And it did. So after some back and forth with this target, they set up an
appointment. They found some Comcast slash Xfinity clothing at a thrift store, stuff
like a hat and jacket. They did some OSINT, found some fake IDs, printed those out. They
show up. They say, hey, we only need access to the empo, empo is a main point of entry.
So that's like where the line comes into the building, typically like the basement or something
like that, tends to be a lower security area compared to like the server room.
So they're given access and they install a small device that allows them to remotely disrupt that line,
the main line of the ISP in the future.
So they leave, they wait a few weeks,
but everything kind of just settle
and then they start causing disruptions.
They return on site.
They ask to look at the impo first,
which lets them reclaim that remote device that
they had planted they say ah it's not fixed i see you're having issues but uh we're gonna need to
find the other end of this cable where's this go and you know they knew that's going to be going
up to the server room typically so they brought them up they brought two supposed xfinity attacks
So they brought them up. They brought two supposed Xfinity techs up. There was a camera in the server room. So, you know, they had two techs.
One tech would strategically block the camera with their back each time the other needed to deploy a piece of hardware.
So at first they deployed two different malicious network devices, two different types of things.
But then they see a server with a monitor and a keyboard hooked up.
And there's a USB cable hanging off of it.
I think it was an 8M micro.
It seemed to be for charging a wireless mouse, right?
And there was a wireless mouse nearby it.
I was just like, dude, that is the perfect spot for an OMG cable.
I think we got a perfect match in the kit.
So they pull it out.
They noticed, oh, this, this cable even has like a very distinct scratch on it.
You know, scratch this cable, make it look perfect.
Right.
They were obsessed with the details.
The cables already configured to connect to their guest wifi and
then call back to a C2 server.
They wait for an offsite teammate to confirm that the cables now connected not only to that, but back to their C2 server. They wait for an off-site teammate to confirm that the cable is now connected not only to that but back to their C2 server. That means
you know they got full remote connection from anywhere. They were left
unattended in this room for a little bit so they call the target back. They're
like hey think the Internet's fixed can you check it out and they use that same
server that they were eyeballing
to, oh yeah, looks like internet's good,
which gave them a little bit more insight into
what's running on that server.
They leave and kind of start their initial work.
They've got these tools in play.
Now, like within a day, the target knew something was up.
They found at least one of those malicious network devices,
which immediately led them to the next network device that was in there got cleaned out everything's fine
What was that malicious network device? It's not the OMG cable. It's it's not yet other other hardware that is not as physically stealth
Okay, so they left it there as like drop boxes kind of thing. Yeah, so something like drop box
Yeah, it was slightly disguised, but it's like it's visibly there. It drop boxes kind of thing. Yeah, so something that drop box, it was slightly
disguised, but it's like it's visibly there.
It's like a new thing.
So they picked up on that and immediately, okay, we got out.
There's an issue.
We don't know how this got here.
Sweep the room.
Okay.
And this is kind of how it has to go.
It's like, let's go at stages, right?
Let's first see if we can be super stealthy
and then if they didn't catch us,
we'll be a little bit more sloppy.
And if they don't catch us,
we'll be overtly breaking rules.
And if they still don't catch us,
then they've got a lot to explain
and we can try stealing company cars or something
and what is the next step, right?
So I've heard these stories before
and it sounds like that's what they were doing.
Like we're gonna put a super stealthy thing in,
a medium stealthy and a very obvious this thing shouldn't be here
Yeah, but the funny thing is they did a whole like remediation sweep and they didn't catch the omg cable
Like it's still it was still in play
After like hey red alarms something happened here sweep it we found two malicious devices
But the thing is that the cable was dormant.
Like it hadn't run anything, it was just sitting there connecting to their guest
Wi-Fi waiting. So yeah I mean it what would have triggered the other device
discoveries? Were they doing stuff? Yeah they were more active, so definitely
good looking, but you know it depends what would you assume if you're like oh
there's malicious hardware in here.
What level of sweep do you need to do to that room
and how thorough does it have to be?
But hey, OMG Cable survives an active sweep.
So the server had some constraints
that made things a little bit difficult,
which is probably why they're a little less thorough,
which was, A, they had some EDR on there,
Endpoint Detection and Response Tooling,
that would have detected any form of malware persistence.
So they could run a payload on this and deploy some malware
that would just live until the server rebooted.
Also, the entire OS was just completely wiped
about once a week.
So even if you did have persistence,
that's still getting wiped.
So it's a pretty locked down environment, right?
But since they had a cable attached physically at all
times, that was the persistence.
So any time they lost the Meller connection,
they would just rerun that payload.
Boom, they're back in. They changed the payload over the times, but ultimately this allowed them to run and just
were completely undetected for what turned into a six-month period of time.
The only reason the exercise ended was because the contract came to an end and they needed to wrap things
up to explain the full processes and procedures they were using for the op.
Yeah, I mean, is this kind of what you were hoping to like, this is exactly the story
that I was wanting someone to do this with is stick it into place, have it be there forever.
You can get in there whenever you want, have your remote persistence, trigger payloads,
get into systems, and no one's gonna detect you forever
I mean that's got to be exactly what you were hoping right? Oh, absolutely
There's just so many like oh, yes
You used a lot of the features to just really push this and it makes me happy because it's you know
Are we doing Rick rolls? Are we really pushing the boundaries and improving environments and just doing some really cool James Bond shit?
Yeah, that's that's I love that
Because mg has brought this cable into the world
He's met some very interesting people from all around the world and heard some wild stories
Like there was this one person who was telling him how he used the cable to get into an air gapped computer
That is there's no way possible to hack into it from outside.
And the reason why this computer was air-gapped is because it was part of a digital forensics lab.
It was collecting evidence and looking at computers without the risk of any of that data getting out.
This group was hired to audit an entire security policy,
including the physical security of the building.
So they monitored 24-7 with a whole bunch of cameras at all sides of this building that they
had deployed and it was really heartening. There were guards present just constantly 24-7.
Everything was fully access controlled, it was all logged, it was all audited.
How are they going to do this?
And of course the goal was to gain access to that evidence computer, which was AirGat.
It had access to that large SAN for storage via network.
After a whole bunch of discussion, they decided, you know what, we're going to use an OMG cable.
Their first idea was to submit a hard drive that needed to be forensically analyzed by that computer,
but then throw an OMG cable in the package
and hopefully the tech opens it up
and pulls out the cable and says,
oh, I'll use this to plug something in.
But they thought, no, that might not work.
They probably have their own USB cables in the lab,
and they're not going to use the one in our package.
So they decided to get a USB external hard drive.
You know the ones where there's a hard drive
with a little USB pigtail coming off of it,
and you just plug it in your computer
and you can see it as an external drive.
Well, they cut that little USB pigtail off,
and then snipped off the end of the OMG cable
and soldered it onto this hard drive. Because the OMG cable only has one active end and the other end it
really isn't needed for anything. So they just took the end with all the
functionality and stuck it into this hard drive so that when the forensic
tech opened it up they'd have no choice but to plug in this USB hard drive into
the computer. Now it's integrated to that drive and the drive looks like totally
normal drive and it's the cable of that drive that suddenly is the problem and it stays dormant.
So yeah, put all these different payloads on there in advance. Most important note, they ran
a boot payload. So boot payload on this thing is it runs on an omg cable. It runs every single time
the cable powers on, so when you plug it in right
so they included geofence that would check to make sure it's in bounds it's like it's at this
evidence computer which you know they were given some insider info on this one to make it safe
they're like okay here's the network that you should use to keep this in play basic checks to
ensure it only ran on that evidence system.
So something, you know, an actual adversary wouldn't do, but when you're a third party trying to keep everything safe, you do a little extra.
So they placed the hard drive in an envelope with the, let's just say, required labeling that they were able to find via some public record requests.
Say, Hey, this, this is probably what this envelope
should look like to make it believable.
So they turned it in at the front desk via a courier service,
which was totally not a courier service, it was them.
They advised, hey, this is for an active thing.
It's needed for legal discovery, probably needed soon.
Done, right? Now the drive sat for two weeks, probably needed soon. Done, right?
Now the drive sat for two weeks, unplugged,
just waiting, right?
But then it got plugged in.
Once it was, they got a notification,
they had kind of detected when it would come up,
and they left it plugged in for six days
to do a full image of this drive.
So they had intentionally kind of downgraded the speed to USB 2 to get like a USB 2 connection
on a 4 terabyte drive.
So they were imaging this thing for like six days, which means six days they had an OMG
cable plugged into the evidence computer.
Now they could have set up a bunch of automated payloads and stuff like this, but for damage
control they decided to keep an active human in the loop for this whole thing.
So when it got plugged in, they got the alert, they returned and accessed the cable from
basically the lobby or the parking lot, right?
One payload allowed them to create and modify files on both the local system and more importantly,
the SAN.
That's just where all the evidence is, right?
You can manipulate the evidence.
They have just proven that.
Evidence is supposed to be just pure and untouched.
Then they noticed that, okay, yeah, obviously this SAN, you need a network to connect to
it, so it was connected via ethernet from this machine.
But they learned that while the evidence machine was supposed to be air-capped, it was only by DNS. So like, instead of doing a domain name
connection out, you just connect out via IP address and suddenly, hey, it's working.
You can connect out to the internet by just going direct VIP. Boom. Now they got the ability to exfil evidence from the
storage device out over the internet. Like, I think you
could immediately assume some terrible scenarios where that's
that's like a big problem.
How prolific is this cable?
How many companies out there are using it?
One day I'll probably find a way to disclose that, but basically I don't know many places
that don't have one.
What?
Yeah, I'm continually amazed.
I learn about new places that I didn't even know exist.
Like wait, A, you exist.
That's crazy.
B, you got my stuff?
What?
Okay, cool.
It's a wild ride going from I'm just making something that I thought was borderline art
in my kitchen to all of these types of stories I am telling you.
It's a little hard to digest sometimes, but at the same time, I'm trying to take it very
seriously.
Yeah, but I mean, Hack5 or even your own website could be like, used by these companies if
you do know which ones.
Oh yeah, I mean, yeah, I think that would be bad form.
There's a lot of companies who probably don't want that info out there I
think I five will list the
Media that has been seen on like cool, you know nap geo and stuff
I just saw the OMG cable in a
Netflix episode apparently of was zero day and they're talking I think it was a Robert De Niro
Talking about the OMG cable on screen and I think Jesse Plemons face was in there like, what? That is wild.
Okay, so hack five is who sells these things. Is there anyone they don't sell to?
Yeah, so absolutely. There are a couple of ways to think about this. And, you know, I'm
going to just generalize it here a little bit to make
it easier to understand but basically you can kind of think of three
categories of countries first being countries who are explicitly allowed and
you could kind of think of those as like friendly NATO countries and Five Eyes
right then second category would be countries who are explicitly
disallowed.
So think sanctioned countries like Iran and North Korea.
But then you get this third category is countries who are on neither of those lists.
So if the goal was to make as much money as possible, you'd be selling to that third group.
But if you're trying to do more than like the legal minimum,
you might avoid selling to that third group, especially if you're operating in space that many people perceive to be a gray area.
Even if it's not a gray area, you know, perception still matters.
But Hack 5 only sells explicitly to the allowed countries and, you know, skips over that third group.
It's a voluntary decision on their end, but it's also a factor of kind of having to be more diligent
when you have tools that are more capable. So, you know, toys versus professional tools kind of
steps up the level of, you know, attention to following the rules and kind of going a little bit over the minimums,
right?
Yeah.
Those rules fascinate me.
It's really export controls that the US government has set up where certain electronics can't
be sent to certain countries.
And the classic one that just came to mind because of recent events was the DeepSeek surprised us all with their AI abilities.
And then it turns out that they had tens of thousands of Nvidia cards, which I believe is against the export control rules.
Nvidia is not allowed to send tens of thousands of these cards to China.
And so it's just like, well, how come Nvidia didn't get shut down or fined or slapped on
the wrist by the US government for selling so many of these?
Like at some point, there's got to be like, okay, we need more, we need more.
Okay, who are you distributing this to?
Oh, don't ask.
Okay.
So I don't know.
I just wonder if these export control rules even matter or if they have teeth or if anyone follows them.
Because honestly, I've filled out forms before and sometimes it's just a checkbox.
Do you live in any of these countries? No? Okay, good. We'll send it to you then.
Right. I think the Nvidia one's a pretty good example. I don't think all of their products are export controlled.
So this probably goes back to the capabilities,
the toys versus the upper end stuff, and can you do good
or bad things with them, and almost dual use kind of territory.
And ultimately any restriction, as what you were getting at,
can be bypassed. but introducing any degree of friction
generally is good if you're trying to stop a certain activity.
Perfect controls are hard, and it's a balancing game,
much like almost all security defenses, right?
We often get that wrong in the security industry,
it's like, oh, it's not perfect, so it's not worth doing.
It's not necessarily, like, speed bumps help to some measurable degree in a
large scale. But it's worth reminding again, hack five is the only entity I sell to. But it and like
as much as I love not having to worry about it for my own stuff, I absolutely love like supply chains
in general, especially when you look at them from like the expensive security mindset
So I'm totally with you in terms of being fascinated. I think that stuff gets like way too little attention and
If you if you focus on it, you can wield like crazy amounts of power if you understand it. So
Yeah, okay. So you've told us a few stories of your cable being used for good.
Do you know any instances of it being used for bad?
Does anyone tell you about those stories?
So I don't know of any stories specifically for my stuff, but Hack 5 actually had a semi-recent
example that was super applicable here with their Wi-Fi Panapple and the Russian GRU.
So let's, what was this?
So the Wi-Fi Pan Apple, it's specifically designed not to be perfect.
Like this is for doing security pen tests, right?
Not for evading. That's the product design.
So simple things like MAC address randomization are omitted.
What else?
There's like a certain way it sends management frames that could make
it harder to fingerprint if they modified how that works, but they don't. It's intentional,
because the product is meant to enable pen testers to do, you know, Wi-Fi audits where they've got
permission not to evade the detections. So anyway, late 2018, Russian GRU was caught in Brussels,
targeting, I believe, UN facilities, right?
Not the place, you know, if you're making this,
that you kind of want to see your stuff showing up,
but the WiFi pineapple was being used in the trunk of a car.
And that explicit choice to not make the device
super stealthy definitely helped law enforcement
track this down and
figure out what was going on probably a lot faster than if they made other choices in
their product design.
Well, I'm surprised there's not more malicious intent stories because, you know, I just go
to a grocery store today and the cash register, I could see the back of it.
Like I can plug something into the back if I wanted.
And there's so many other restaurants and stuff
where I've seen a computer exposed.
At the bank, I was at the bank
and the back of their computer was easily there
that I could just pull a cable out of my backpack,
shove it in, and they wouldn't know.
And I'm surprised there's not just stories
of people using this to rob grocery stores.
I mean, behind the scenes, and I don't think a lot of people see it, I put a lot of work
into just gaming out all of the potential risks to minimize that.
And it's not perfect.
It's totally possible that bad things will eventually happen.
There will be a new story,
but I think over the last five to six years it's been sold, I personally cannot point
to any new stories where a bad thing happened.
Whereas if you compare it against other peer devices, to say that in the field, I think
there's quite a bit more new stories, just comparatively, if we're taking a sampling.
So that track record I'm just very happy with so far.
I mean, you can, I assume that people are buying this and using it for malicious intent.
I mean, you self-describe the thing as a malicious cable, right?
So we can assume that people are going to do bad things with it, but I worry about your liability here
because if you're saying, I have a malicious thing, this thing's very dangerous, you could
do this and this and this with it.
So I was like, great, I'm going to go do that with it.
But it says here, I have the package in front of me and it says
Like do not use this unless it's on
You know a network that you have permission to use and such like that. I wonder if that's enough
To you know make you not liable for people actually using this maliciously
Yeah, so because I mean the thing is is that you've got people who are malware creators out there bot botnet creators, they don't unleash it to the world, they don't spread it, they don't
infect people, they just make it, and then they're the ones who are going to jail for
this.
Yeah, there's definitely some differences there, but just is that legal message enough?
Like, absolutely not, not for me.
When you're in the gray areas, you can't just do the minimum. And it's also important to point out that legal is not the same thing as ethical,
which is again why it's not enough for me.
Product design, like I mentioned, detectable defaults.
They're not legally required, but I think they're critical in terms of reducing harm.
Community management, like, you know, not just dropping a tool and then letting
Lord of the Flies happen, for instance, right? Like, we're talking about a lot of nuances. You
and I right now are talking about a lot of nuances that a lot of people haven't spent the time
thinking about. So I think it's good to try and share those nuances and just generally keep things
from going off the rails within those communities because this again helps the outcomes. And it's kind of sort of like open source. A lot of people
will just drop code and call it done, but it takes a lot more work, in my opinion, to do it
responsibly. You got a, you know, like real open source is code that you've cleaned up,
that you've maintained, and then community around it is maintained too. It takes work and effort.
Um, but it's also important that, you know, this isn't just about like, uh, self
preservation, which is kind of, you know, the topic here, it's, it's about kind
of community preservation as well, which is really important.
So one entity just being too reckless is basically all it takes to ruin it for
everybody.
And there's tons of examples of that type of thing happening.
Obviously, if my goal was to push the limits of the law, then sure,
my answers would be different, but my goal is to push the limits within security.
And I guess, you know, that I want to keep focusing on that.
And that's why I spend tons of time
thinking about all the ways I can reduce harm and risk in all the other areas. Like this this cable started off as just a one-off, a proof of
concept, but it moved over time into large manufacturing, sales, and the way I think about
the risks has evolved along the way right alongside that. Yeah, So you talk about, you know, supporting the community.
I assume that's the ethical hackers, the white hats of the world that have permission.
Yeah.
But, and, and that's great that that's your intent to help, to help, uh, improve
security for networks, to help people, um, test it ethically.
for networks to help people test it ethically. But that intent, I think, is what matters in the eyes of the law in a lot of situations. And I mean, you just told us that you've sold
these things in the back alleys of DEFCON, in its hard corners. And I mean, DEFCON in
general is a place that has malicious actors and criminals.
We've seen people get arrested there and such like that.
And so I wonder if there's any sort of, you know, if that's proof enough just to be like,
no, this guy sells it at DEFCON.
Of course he's got malicious intent.
There's no way he's doing it.
Like, he would be selling it at a legit. That's just all about securing and not hacking.
This is a hacker conference.
There's just something there that,
I mean, and not just that, there's like,
you know, people might come to you
and they're like, hey, I want this feature.
And you're like, oh, that's a good idea.
And you add that feature.
And like, maybe maybe you judge them first
and be like, wait, hold on, who do you work for?
Do you have permission?
Or do you hear people be like,
man, I keep plugging it into the bank
and the bank keeps popping me,
I need a feature to be more stealthy.
And then you're like, wait, hold on,
I'm not gonna help you.
There's gotta be this world of who you actually
do business with and who you don't,
or who you help and who you don't.
Because again that intent matters and if there's a criminal coming to you and saying,
hey I need this for criminal reasons, what do you do there? Because that's where the intent comes in, right?
Yeah, I mean so helping could be anything, right? It could be operational advice for running an op,
could be feature changes or additions, could even be custom hardware. I've been offered 30 grand for a cable
and I have turned it down because it's like, hey, this could risk just the future. But there's also
other things like people will come in, they're clearly not in the space of, you know, information
security and they're trying to in the space of information security
and they're trying to do some like spouseware stuff.
And I'm like, as soon as I get a hint of that,
it's like immediately know also what you're doing.
I just have tons of issue with,
like you need to redirect this.
So spend your money on like couples therapy or something.
This cable is not, it's not a marital aid.
Well, yes, see, this is what I imagine, right? So there's these privacy phones of the world
and they specifically wanted to help criminals, right? And so they would entertain, they would
get them in the hands of, you know, drug dealers and such and say, what can we do to make these
phones more private? You know, what features do you want? And that's what made the people
who made the privacy phones
go to prison.
I mean, we have phones that are secure, like even the iPhone,
right?
It's secure to some degree.
And you don't see the Apple team going to prison
because they're making things private or secure.
But it's the fact that all those other privacy phone creators
were doing things to work with criminals.
And so I imagine some, I don't know, street hacker gang
being like, all right, MG, we got all these cables,
but we need it to be one step better here.
We need you to put this in.
I just imagine this world where people are approaching you
and you've gotta be like, sorry,
we'll probably go to jail if I help you, so no.
Again, like kinda like as you were pointing out there, I don't do this for just anyone.
I get to know who they are, who I'm giving custom help to.
Actually, so the operational stories I'm sharing with you were from those relationships.
You know, ultimately, you need to do some due diligence, kind of like you were saying
contact.
The entity being targeted, verify a contract for offensive work is in place with the other person asking for help. Simply verifying the identity of the entity asking for help to
ensure they're legit. Definitely not just offering it up to anybody. I have turned down very large
offers of cash because it wasn't exactly where I wanted it to be. This episode was created by me, your pseudo mama, Jack Reciter, our editor, is the last
JPEG, Tristan Ledger, mixing by proximity sound, intro music by the mysterious Breakmaster
Cylinder.
Sometimes I feel like the biggest cybersecurity threat to myself is my future self, that version
of me who forgets to update software, reuses a password, or falls for a phishing email.
So to stay safe, I started locking myself out of my own accounts. Let's just
say future me and past me now officially hate each other. This is Darknet Diaries. [♪ OUTRO MUSIC PLAYING FADES out...]