Darknet Diaries - 161: mg

Episode Date: July 15, 2025

In this episode we talk with mg (https://x.com/MG), the brilliant (and notorious) hacker and hardware engineer behind the OMG Cable, a seemingly ordinary USB cable with extraordinary offensive capabilities. Learn more about mg at: o.mg.lol

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Transcript
Starting point is 00:00:00 Hey, hey, it's Jack, host of the show. I am feeling good. I am feeling healthy, strong, fit. I'm in the game. And so I'm coming at you with a second episode this month. Let's go. DEF CON is coming up in a few weeks. I'll be there.
Starting point is 00:00:14 I wouldn't miss it. You know me. And if you don't know, it's the premiere hacking conference in Vegas. And I love going because every year something crazy happens. You don't always know what it'll be, but you know something is going down somewhere. Like maybe someone will drop a zero-day live on stage, which will suddenly make us all panic and call home, shut everything down.
Starting point is 00:00:34 Or maybe the FBI breaks into someone's hotel room and arrests someone who they've been chasing for a decade. Or maybe someone gives a talk that makes history. I mean, Julian Assange once gave a talk at the Chaos Computer Camp in Germany to announce WikiLeaks. Lots of people come to drop big ideas at hacker conferences, and if there's a talk that makes history, I want to be there for that moment. I want to be in the room where it happens. Anyway, I'm not planning any party or anything this year. I'll just be floating around, like, all over the place.
Starting point is 00:01:04 But check my Discord or Twitter for, like, live updates on where I'll be, though. And if you see me, please say hi, because I love meeting you. It's your energy that gives me the fuel to fly this thing to the moon. Oh, and if you don't know what I look like, I wear a big black hat, and I cover my face entirely
Starting point is 00:01:22 with a bandana. I look like a bandit. All right. I promise I'll bring you back some stories. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats.
Starting point is 00:02:14 That's the power of the ThreatLocker Zero Trust Endpoint Protection Platform. Robust Cybersecurity is a non-negotiable to safeguard organizations from cyber attacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privileged strategy mitigates the exploitation of trusted applications and ensures 24-7, 365 protection for your organization. The core of ThreatLocker is its Protect Suite, which includes application allow listing, ring fencing, and network control. Additional tools like the ThreatLocker Detect EDR, storage control, elevation
Starting point is 00:02:53 control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com. This episode is brought to you by Axonius, transforming asset intelligence into intelligent action. You've got tools for endpoints, tools for cloud,
Starting point is 00:03:25 identity, SaaS apps, but when you start asking questions across the global attack surface, good luck getting a straight answer. And that's where Axonius comes in. They connect the dots to rise above the silos and fragmentation, every asset, every identity, every exposure, all in one place, and they don't just show what's broken.
Starting point is 00:03:43 They help you fix it right from the platform. With over 1200 bi-directional integrations, Axonius works across your entire stack without adding friction. You get full visibility and the ability to act on it where it matters most. If that sounds a lot like what you've been hearing around CTEM or exposure management, you're spot on. Check out what Axonius is doing to drive proactive cyber resilience with actionability. Visit Axonius.com. That's spelled A-X-O-N-I-U-S. Axonius.com.
Starting point is 00:04:14 I guess we're going to call you MG in this. Is that what you want to be known as, is MG? Perfect, yeah. Yeah, I like MG because I didn't know for the longest time if it was milligram or... It's great. Megagram. It's got so many things it could be. That initial mystery, I think, is what intrigued me about MG.
Starting point is 00:04:36 He had this raw type of energy to him. He's always building. He goes hard on hacking. He's always in the zone. And he seems like he's part of the counterculture. Like, he's probably got stories, right? And people kept telling me, you should get MG on the show. So here we are. Color Me Intrigued.
Starting point is 00:04:52 He tells me MG is just his initials. And he started using that name when he signed up for Twitter back in 2008. His Twitter name is underscore MG underscore. Nice and simple. I grew up in Wisconsin. Both of my parents were in medicine. And I guess like a big thing that I learned growing up with them is you can pretty much DIY anything. And also DIY and stuff is a great way of having control, stretching the value of what you
Starting point is 00:05:19 have and things like that. So they designed and built their house from the ground up, like every aspect of that. And this was, you know, while they were working full time in medicine, and of course, you know, raising me and my sister, I think the house started around when I was like in first grade, roughly. So I was just constantly around raw materials, DIY, just tools everywhere. Yeah. Yeah. Yeah, but didn't you get into magic also when you were young? Oh, I mean, what kid didn't, right?
Starting point is 00:05:50 But no, once I got into, I don't know, roughly middle school, got into magic, sleight of hand, just deception and all that cool stuff. Also got into trouble doing that. Brought a prop cigarette to school, got suspended for not taking it seriously enough. You took a cigarette to school? A fake cigarette and they suspended you over it? Yes, they did. I mean, there's even more to that story.
Starting point is 00:06:16 So yeah, I mean, it was a really believable one. It looked like the tip was glowing and you blow on it and like some talc powder comes out, makes a nice cloud. So it was kind of believable. The teacher was like, whoa, what is this? And so confiscated it. But then they were holding it and like some of the talc came out of it
Starting point is 00:06:30 and they're like, oh, white powder. Uh-oh. So they called the cops, had them like drug test it. My buddy at the time decided to say, that's not even how you'd smoke cocaine. Did not help the situation at all. But yeah, I think we both got suspended and mine was specifically for not taking
Starting point is 00:06:51 these situations seriously enough. And you know, it was kind of the start of my conflicts with authority. We'll just leave it at that. As MG grew up, he got influenced by his parents being in medicine and was gravitating towards biology. But the seductiveness of computers and technology would ultimately change his direction. I was really into biology until Quake. Quake came out and that changed everything for me
Starting point is 00:07:19 about computers. You had to learn how they work to play Quake, especially multiplayer. Like, first of all, you don't just run an app on your machine. Back then, you're at least rebooting the Windows machine up into, you know, DOS mode. Oh, you want to connect with people? Cool. You're going to have to learn how your modem works and dial-up works and peer-to-peer connections work. All these other things. And eventually that would migrate into modifying the game environment to play Team Fortress, a modification to Quake itself, and then you've got multiplayer lobbies and all this other stuff starts happening.
Starting point is 00:07:56 And it's like, wait a second, the computer does all these things. You can mess around with this. You can start breaking stuff. They weren't checking client-side content, so you could modify player skins to be way bigger, or have an X, Y, and Z axis sticking way farther out than the actual player was. You can see them coming around corners. You can add a fluorescent coloring to the skin to make them stand out in the dark.
Starting point is 00:08:20 That's really cool to me. Oh, that's brilliant. So if you make the enemy model extra big, then you can see them coming and you have the big advantage over it. That's amazing that you thought of that. Or the skins of the walls and stuff like that. You can set them to partial transparency and see through those walls. Most video game players at some point wish they had a faster computer.
Starting point is 00:08:47 So a lot of gamers get into overclocking. They force their computer to run faster than it's designed for. But when you overclock your CPU, you run the risk of your CPU overheating and can get really hot and melt, which means you need to have a better cooling system. Water cooling is a pretty effective way to cool your CPU.
Starting point is 00:09:06 But it requires all this extra hardware. You need tubes and reservoirs and pumps. But when MG heard that people were putting tubes and pumps inside their computers to cool them better, he was in. That sounded great. If you get a pond pump, you get a heater core from a car, you go on McMaster Car, first of all you learn what McMaster car is, and you're like, well, I can just buy chunks of metal pre-cut. Awesome. I'm going to drill
Starting point is 00:09:30 these out in my basement and plug them and create all these water channels inside the blocks, strap that to the processor, the graphics card, just start cooling everything down in the computer. And it just kind of escalates. And that was actually a really good example of merging non-traditional computer skills with computers. It's like, okay, we're gonna merge shop class here, or auto skills. When you've got this liquid moving through a multi-metal loop, you're gonna get corrosion unless you understand the chemistry of how to block that with some additives. So lots of really cool stuff to just pick up and learn.
Starting point is 00:10:06 Man, I'm the same way. I truly believe that getting hands-on experience is the best way to learn. For me, when I was young, that was looking for cheap or free computers to just play around with like a sandbox and build without the fear of breaking them. Having a playground to try out random things was very helpful to me. Like what happens if you don't put RAM in the computer? Are the fans actually needed? What happens if you disconnect the hard drive mid-boot up?
Starting point is 00:10:32 Or take out a thumb drive while you're trying to write to it? What if you try to delete all the files? I wanted to see all those things and I tried them all because this is the stuff that was interesting to me and I wasn't finding it in textbooks. And it vastly broadened my understanding of how all this operates. MG's first IT job was at a help desk, fixing people's PC problems.
Starting point is 00:10:54 But one of his buddies moved out to San Francisco and started working on the 10,000 year clock. It's a fascinating project that simply asks, can we build a clock that'll last for 10,000 years? Clocks live a long time without an issue. Surely that can't be that hard. But when you lean into the problem, it starts to get really tricky. First, it raises the questions, wait, are humans even going to be here in 10,000 years?
Starting point is 00:11:16 That's not a given. So if you're going to build a clock that's going to last that long, it kind of needs to function all on its own without humans around to help it. So where does it get its power from? That's an interesting challenge by itself. But then you think about the pieces and parts that it has to be made of. Everything must have extreme longevity. Like, it's got to be entirely made of metals or ceramics. Plastics
Starting point is 00:11:38 and rubber is just going to wear out too easily. MG got fascinated with this idea and decided to join his buddy out in San Francisco to see what was going on with that project. And immediately, he was amazed at the DIY culture out there. He met people from Burning Man who were creating art for art's sake. He visited the Maker Faire, which is a really cool place where people show off their projects that they're building. It's so inventive and clever and inspiring.
Starting point is 00:12:03 It was like everyone around him there was big into building things themselves or tackling really interesting problems or just had a really unique way of seeing the world. MG found his new home. The 3D printed gun movement, that added a new layer to the whole thing. Let's see, that was Defense Distributed, I think it was like 2013, where they started showing off the first 3D printed guns. You know, there was a whole community that was working on these at the time, but Defense Distributed showed these off to the world and with like so much
Starting point is 00:12:35 bravado that it was impossible to miss. So everybody took note, and it had this interesting tone to it. And this message that I was picking up, which is like, creation can also be power, and like politics. You can't take something back once you put it out into the world, so you've got to be thoughtful on how you do it. But also you can't take it back. Nobody can take it and make it go away. That, regardless of what you think about, you know, that specific topic, just the larger power and political nature of it was just fascinating to me. Yeah, that was an interesting time. The US government has
Starting point is 00:13:14 always tried to regulate guns by acting as a gatekeeper, controlling who can sell them, trade them, or move them across state lines. That's where most of the laws live. Not at the moment that the gun is used, but it regulates the system that makes it and delivers it. But the 3D printed guns changed all that. It didn't need to be bought or sold or registered or traced. It didn't pass through any of the traditional checkpoints. Suddenly, most of the regulations became powerless
Starting point is 00:13:43 because you could just print one at home and no one would ever know. That kind of knowledge fascinated MG. There are certain technologies that, once released, change the power dynamics of the world. It changes who's in control. New types of technology allow you to completely sidestep outside the system that was supposed to be there to control and shape you.
Starting point is 00:14:09 And yeah, that sort of thing intrigued him. That was also around the same time as Bitcoin was taking off, and I was also into that, and I really liked it at the time and the concept of it, to just changing and decentralizing power. And it was really sticking with me. This was also at the same time that the Snowden leaks happened. I didn't know at the time what it would be, but I just really wanted to participate in that type of creation, right?
Starting point is 00:14:36 I didn't know what it was. So, you know, join some of these groups and just kind of help them. Like, hey, I do IT, maybe I could help with some of your stuff, or I do security, let me help you. And you can kind of see how the artist works, right? And that's kind of where I was at for a while. So you worked at Defense Distributed? Let's just say volunteered. Another thing that sort of shocked the world was the ANT catalog, which came out in 2008.
Starting point is 00:15:01 This was some leaked NSA documents which showed different types of devices and technology that the NSA had in its possession and could use for missions if you were in the NSA. Yeah, so the ANT catalog, this was commonly misattributed to Snowden. I believe officially it's just another leaker around that time. But the NSA ANT catalog had this just catalog of all this cool espionage tooling, hardware, software. Just so many cool things, like if you ever saw the back of a magazine with the spy catalog stuff back there,
Starting point is 00:15:34 disappearing ink and, you know, whatever it may be. This was that time, just with much higher budget. So one of the things in there was a malicious cable called the Cottonmouth. It had multiple layers of PCBs inside there. It looked really big and chunky, really complicated to make, but it also cost... you had to have at least a million dollars to afford this, and for like the NSA customer population of their own department. But yeah, you had a million dollars just to get 50 cables,
Starting point is 00:16:08 so that's 20 grand each. And it was just cool seeing all of these things. Okay, so this Cottonmouth cable that the leaked NSA docs showed was wild. It looked like a regular USB cable, but somehow it had the ability to install a Trojan horse on a computer wirelessly? So like if your enemy plugs in this cable to their computer, you
Starting point is 00:16:31 could somehow get into that cable and infect their computer with malware. Now for most of us at the time, we were blown away by the technology in this catalog. How was it possible for a USB cable to function both as a regular USB cable, but also have the ability to infect a computer? We were all wondering how it was possible, but MG was actually trying to figure it out. He was tinkering with hardware, building 3D projects, helping out at the Maker Faire, and building random things. And around 2017, he got an idea.
Starting point is 00:17:02 There's this device called a USB Rubber Ducky, which looks like a USB thumb drive, but when you plug it into a computer, it'll automatically run a script that could infect your computer with malware. Basically, the Rubber Ducky was already terrifying, but MG wondered how he could make it even worse and thought, what if he took the USB Rubber Ducky thumb drive and made it explode when you put it in a computer? I kind of spent a while making exactly that, an exploding thumb drive. Yes, so I'm a big Nine Inch Nails fan. So naturally I call this Mr. Self Destruct. And so the why this is important here is because there's not much space in a USB Rubber Ducky.
Starting point is 00:17:49 It's all PCB and components. So I needed to figure out how to make space inside of a thumb drive while retaining ducky functionality to an extent. I had a really limited version of it. So I shrunk it down to I think what was ultimately like an 8x12mm PCB with a couple really limited components on it. Just enough to run a tiny payload that can maybe open up a browser to a specific site. Good enough. And then it could also trigger an electronic detonator to then fire like a firecracker or something like that and have a bunch of confetti in there. I was doing this all with the idea of this is gonna be just like art
Starting point is 00:18:32 I'm gonna present to the world in, like, a video form, and hey, everybody can just look at it, right? So the payload was, you plug it in a computer, it opens up the browser, goes to a video of a Jack in the Box animation. Jack in the Box is cranking the box for an awkwardly long amount of time to build up tension, and then the explosion happens. Confetti goes everywhere. Pop! And that was great. That's just a ridiculous project, but I love it. Since that's happened, there's been evidence of exploding thumb drives shipped to journalists and stuff like that that had RDX in it. That would do a lot of damage, and it's exactly why I did not productize that despite many
Starting point is 00:19:21 people asking for it. I was just thinking of the Hezbollah pagers at this point. Did those people see your presentation somewhere and be like, oh, that's great? Oh, God, I hope not. So he's tinkering around with these USB drives that will physically self-destruct, and his buddy is like, hey, you should take those things to DEF CON.
Starting point is 00:19:40 I think it was around 2013. I finally made my first DEF CON. You know, I had been wanting to go for years, but 2013 was the first time. And that's where I linked up with a long time online buddy, Whitey Cracker, Bryce. And he kind of just introduced me to more stuff and showed me around the security space. And it was very helpful for me at the time, just learning and meeting more people. And yes, so at DEF CON, I would absolutely make little devices that were just highly
Starting point is 00:20:12 custom one-offs or two-offs, maybe five-offs, to people who wanted like a custom thing. You had to know me. And yeah, back alley deals at DEF CON. Oh, man, the back alley deals at DEF CON are always very interesting to me. The first time I went to DEF CON, someone told me I should try to find and buy some rainbow tables. This is a list of hashes and passwords. You could download it back then, but it was a lot easier to just get it on a stack of CDs if you knew someone. And the point of it is that it makes
Starting point is 00:20:43 cracking passwords a lot faster. So I went to DEF CON and I started asking vendors, hey, do you have any rainbow tables for sale? They all said no. What? LOL. And then eventually someone was like, hey, wait, you said you wanted some rainbow tables? I was like, yeah. And he said, you should go ask Paul.
Starting point is 00:20:59 And I'm like, who the hell is Paul? They showed me where Paul hangs out. It turned out to be Paul Asadoorian. And when I met him, I asked him, hey, do you have any rainbow tables? And he's like, oh, I just ran out. And I was like, oh, man. He's like, I brought a bunch last year for DEF CON, but there wasn't many people who really wanted them.
Starting point is 00:21:14 So I only brought a few leftovers this year and just ended up giving them away. So that hunt to find secret stuff at DEF CON is real and it's exciting. And I've been properly blown away at some of the secret things I've seen people bring to DEF CON. So MG fell in love with DEF CON. These people were just like him, building cool stuff, subverting the gates of power and using technology to reinvent new things. And a lot of people at DEF CON are building just for the fun of it. The endless curiosity cannot be tamed in some people.
Starting point is 00:21:45 And it sparked a whole lot of new energy and ideas for MG. Around that time, the whole world was shrinking at a rapid rate. Like for the longest time, we only had USB type A cables, the big wide ones that it takes you three tries to plug in, right? But then suddenly those shrank and then we got mini USB cables and then micro USB cables. Computers used to be big and clunky, right? Desktops, of course, but even small laptops, you couldn't fit those in your pocket. But then the iPhone came out and you had a whole computer in your pocket.
Starting point is 00:22:15 And this brought forth a whole bunch of smaller computers like Beagle Boards and Gum Sticks and Raspberry Pis. Tiny computers that you could fit into your pocket, but were also pretty powerful. And so while the NSA's version of this malicious cable cost them $20,000 to make, with all the miniaturization of electronics hitting the market, MG was wondering if it was feasible to build one himself for a far cheaper price.
Starting point is 00:22:42 Yeah, exactly, right? And the miniaturization of microcontrollers and other things like that certainly opened some doors for me in which I could experiment and play. You know, it's actually important to mention right around this time is also when I met Darren Kitchen from Hak5. Darren Kitchen was already making malicious devices like the Rubber Ducky and Wi-Fi Pineapple. He was also making YouTube videos through a channel called Hak5 to teach people how to hack.
Starting point is 00:23:10 First of all, what a Rubber Ducky is: it does keystroke injection. What that means is it emulates a keyboard and will very rapidly type those keystrokes. So I think the Ducky is doing like 150, 200 keystrokes a second. So, you know, anything I could do at your keyboard, the Ducky can do for me. You know, great for IT sysadmin automation, but also, you know, maybe some nefarious stuff too. And if you don't care about speed, payload size, you don't care about all of these nice product aspects, you can totally compromise and get something barely usable in return for making it much smaller. And that's effectively what I did.
Starting point is 00:23:57 I compromised on a lot of things. Like even some like basic electrical safety things, I ended up compromising there because, hey, I mean, this thing's gonna blow up. What's it matter, right? So to make his exploding thumb drive, he basically had to make a smaller version of the Rubber Ducky, and this gave him an idea. What can you do with a super tiny keyboard connected to a computer? And so he decided to make his first malicious USB cable. It's identical to the Mr. Self Destruct, except it didn't explode,
Starting point is 00:24:28 and it was inside of a cable instead. So basically to put a payload onto this, you had to have physical access to the cable. You program it, and you know, it's gonna delay however long you tell it before running the payload after it gets plugged in. That's like the end, right? Basically, imagine what someone could do if they had access to your keyboard. That's what this cable did. It acted like a pre-programmed keyboard. If you plugged it in, whatever it was programmed to type, it would type. So you could do some basic keystroke injection attacks,
Starting point is 00:25:01 which, you know, open a browser, open a reverse shell, you can do a lot of stuff, but it wasn't this, like, this tool I knew it could be. He was posting about this online and stuff, making a handful of them and selling them in the corners of rooms in DEF CON. But the first version was lacking features and really buggy. From his visits to DEF CON, he met a guy named Fuzzy Knob, who got MG a job red teaming for a Fortune 500 company, which was MG's first cybersecurity job. Specifically, hacking into places to test their security. How cool is that? But while he was at work
Starting point is 00:25:35 doing his red team stuff, he just kept thinking about, how can he make this little device better? So, obviously, the next step is, well, what could that product actually be? And the next time I had vacation, which was actually in between jobs. So I had, I think it was six weeks between my first Red Team job and when I was leaving an IT role. So six weeks in between, I'm like, you know what? I have not figured out how to, like, design PCBs yet, so I'm
Starting point is 00:26:05 gonna get a mill. PCB is printed circuit board. It's typically a green board inside an electronics device that has the capacitors and resistors, and they're soldered onto it. And a mill is a way to create one of those PCBs yourself, making the traces and drilling holes for the components. So he spent six weeks learning how to design PCBs and created them on his mill. The cool thing about a mill is that you get rapid iteration. So with software, you can just change some code, save it, hit compile, seconds later you can test the output. When it comes to a PCB, it's usually weeks. You gotta design it, send it off to a fab, wait for it to come back,
Starting point is 00:26:45 then you assemble the components on it, then you test it and debug it, before you can even get a change you want to make to test it over. But with a mill, you can do some primitive stuff. I can't get super advanced here, but you can test some basic things. You do it in the span of a few hours and make a revision, kick it out again, and just maybe go through two, three revisions in a day easily, depending on how complex it is. And that allowed me to level up really quickly.
Starting point is 00:27:15 So he spent a lot of time in his home lab trying to jam more features into this cable of his. But one thing bugged him about this cable: you have to physically take control of it to program what keys it will type. It would be way better if you could plug the cable into your target and then tell it what to type remotely. So he was fiddling around trying to figure out how to give this thing an antenna or something, maybe Wi-Fi, in the smallest way possible. The Wi-Fi radio allowed it to connect to networks, or you with, like, a phone to connect to it. And there was no need to get access to the cable to update a payload on it or to trigger a payload.
Starting point is 00:27:56 So that changed the entire value of this, being able to dynamically change what it did while it was in play. Ah yeah, so instead of blindly hoping your cable is typing the right keystrokes that you pre-programmed it to do, now with Wi-Fi, when this cable connects to a computer, it's almost like it turns into a wireless keyboard. Whatever you type on your phone, those keystrokes would show up on the computer it was plugged into. But it didn't look like a keyboard, of course. It looked like a regular USB cable that you typically have hanging off your computer anyway. This made it a very spooky cable.
Starting point is 00:28:32 Suddenly, USB cables were no longer safe. And this malicious cable was starting to finally look promising. The first version didn't have a lot of functionality, but this one? This one's starting to look sharp. So he came up with a name for this cable, the OMG cable. It works for so many reasons, but since his initials are MG, then OMG is a nice fit. And that took off. Then Defqon was coming up, August 2019, and I'm like, okay, this is getting a lot of traction. So by August, I wanted to have some of these things
Starting point is 00:29:06 to actually sell. Now I was making them still from the ground up in my kitchen, basically. It took me eight hours per cable on average to make these. And the components were so fiddly and tiny that 50% of them were failures. I would throw out 50%. That turned into, if you do the math on that, 16 hours of work per viable cable. Really not scalable, but you know what, I just wanted as many as I could for DEF CON, right? So I just focused entirely on this in my free time while still doing my Red Team role full-time. You have to think he's trying to fit a microcontroller
Starting point is 00:29:46 inside a USB cable so that nobody thinks there's a microcontroller in it. He's working with incredibly small components, soldering under a microscope, sometimes with exposed silicon with almost no room for error or it won't fit in there. So he makes as many as he can and brings them all to DEF CON to sell. He's leveled up from the back alley deals by this point and Darren from Hack 5 was letting
Starting point is 00:30:07 him sell them out of the Hack 5 booth. They sold out. Everybody wanted them. And they sold out fast. So Darren was like, why don't you bring more? And MG was like, because they take forever to make. So Darren started teaching MG about mass producing electronics. Okay, let's learn how to do manufacturing. Find somebody who can do certain steps.
Starting point is 00:30:28 So, you know, we got one factory who creates the raw PCB. Another factory who assembles the components, solders the components to the PCB. And another factory who integrates those PCBs into a cable. And even at that point, there was still plenty that I had to do after receiving them. Final assembly, putting the hoods on, gluing the hoods on, running QA, calibrating them, running, putting firmware on them, packing them,
Starting point is 00:30:56 shipping them off to the warehouse, all that stuff. But anyway, doing any of this outsourcing would have been a huge help for me, and that's what the goal is. So it took about five months of back and forth teaching this shop how to do what I needed. So I get the first batch. This was like the tail end of 2019.
Starting point is 00:31:15 I finished the assembly. I do some basic tests. I flash them, pack them, and I send them off to the Hack 5 warehouse. And I think it was January 1, 2020, start the online sales. This is where I quickly learned it was going to take a lot more work to have a manufacturer do what I needed. Customers started having issues. It was all over the board. Like there was no obvious pattern. So I had to do a lot of investigating to discover what was really going on here. Just really weird problems.
Starting point is 00:31:47 It was probably an upstream manufacturing problem, but I couldn't think about the upstream manufacturing. I had mostly finished product currently in hand. And if I couldn't sell that, that was a gigantic loss. Like financial loss. Like mortgages to house level loss. That was a little bit scary. There were enough issues happening with customers that I just decided to pause the sales and figure out what was going on.
Starting point is 00:32:21 He analyzed the cables coming back from the factory and found that on the power supply inside the cable was a tiny, microscopic crack. And to his horror, it was on over half the cables. Which meant his first batch of cables, half of them had to be thrown out. A huge financial loss for him. He had to teach the manufacturer how to test for quality at every stage of the build process in order to find exactly where the cracks were coming from. And he discovered at some point the manufacturer would throw all the finished components into
Starting point is 00:32:51 a bag to give to the next build stage and when they were getting all jostled around in the bag is when the cracks would show up. Typically that may not be a problem but since he's working with such small components where silicon is exposed in some areas, then it was damaging the circuitry. So he got that fixed, was back on track, and he was back to selling the OMG cables to whoever wanted them online through the Hack 5 shop. And these cables look amazing. They look exactly like a normal USB cable, one that you would charge your phone with,
Starting point is 00:33:20 and you would never be able to tell that it's a malicious one. It's supposed to be stealthy like that. One of my manufacturers lost an entire box of cables, could not account for it. So the way the cables are configured, they're not very useful. Luckily they're not hot, so to say, but there's a good chance that this box just got shipped to one of their customers who was expecting totally normal USB cables. So there is absolutely a chance that there are some OMG cables just floating out there.
Starting point is 00:33:53 I forget the exact number, it's like a hundred or so, which is kind of scary. MG strikes me as someone who just obsesses over making his cable better and better. And it's amazing how he's constantly improving the manufacturing process and the functionality and the build quality of the whole thing. For the first several years, I wasn't trying to focus on profit here. I was just, every dollar that we ended up getting that turned into profit, I put it right back into just improvements, R&D, because it was a passion project, and I mean it still is, right?
Starting point is 00:34:27 But that just allowed me to focus on so many trivial things. The cable clips themselves. So people would routinely like lose their cables. So we started creating these fluorescent clips that we would include with the cables to prevent that, right? And you can take them off if you don't want it or just keep it on, whatever. But, you know, this is a... I'll make this one short, but it's another example of scale in a hilarious way.
Starting point is 00:34:53 It's so simple. So, you know, I'm 3D printing all of these little clips, these fluorescent clips, and they're great when you've got a few of them, but when you've got a hundred or a thousand in a bag, they start getting tangled. So that's really annoying, to pull up tangled clips when you're trying to pack envelopes. So, you know, redid the design, you know, okay, now I've got tangle-free clips. And, you know, we got the woven cables, which are more snag-less, and things like that. And how can I speed it up so I can get a bed of, you know,
Starting point is 00:35:24 600 clips on a single 3D printed bed without it cascading and falling apart. How can I improve the labeling process from a handheld labeler to an automated machine done labeler? Probably doesn't make financial sense to do it, but it's fun to automate and obsess. So yeah, point being, I have the opportunity of obsessing at the sacrifice of profit. Now, over time, his cables have gone through many revisions, a lot of feature upgrades too.
Starting point is 00:35:57 So if you were to buy an OMG cable today, here's what it can do. It comes in all types of different forms, whether it's got a USB-A or USB-C active end, you know, on the passive end it'll have like lightning, micro, USB-C, usually meant to emulate the aesthetics of exactly the common cables that are out there. It acts exactly like a normal USB data cable, right? But it's got an implant inside, as you could probably
Starting point is 00:36:26 deduce by now, that thing stays dormant, but an attacker can remotely connect to it via Wi-Fi nearby, or they can have the cable connect out over the internet to a server you control anywhere. It can also do some autonomous things like geofencing and triggering things automatically based on wireless networks it does or doesn't see, right? Okay, cool, but what does that do? So you get a whole web UI on a phone or laptop, whatever it is, that gives you full control over this cable.
Starting point is 00:36:57 We already talked about keystroke injection payloads, you know, emulating a keyboard. We cranked up the speed at which these things can run to nearly a thousand keystrokes a second. Added some mouse injection as well, so you can navigate a mouse around the screen, click on stuff. Expanded the capacity of these things to store hundreds of individual payloads if you want,
Starting point is 00:37:19 or just really giant payloads. Name of the game is always just flexibility. So if you want one giant payload or 200 tiny ones, cool, you can do that for your need. We added USB key logging a while back. So if you deploy a cable between a keyboard and a desktop or a laptop, which happens a whole lot in corporate spaces,
Starting point is 00:37:40 you can log those keystrokes if it's a full speed keyboard. Most recently, we added kind of a novel communication link. So we're calling it HIDX Stealth Link. And what it does is imagine network interface that looks like a keyboard to the host. So it says, I am a keyboard, and it looks like a keyboard if you open up Device Manager, but it's got a bi-directional raw data link.
Starting point is 00:38:03 So if you ever use Netcat or something like that to create little tunnels for data, same concept. So you can have a remote shell running on the target that's on a completely air-gapped machine. It doesn't even have a network interface. So very cool. And I had also mentioned a lot of these other types of features, like the ability to run self-destruct,
Starting point is 00:38:24 the ability to do geofencing, and the self-destruct specifically is to wipe the data. So if you've got some proprietary malware on there, you don't want to be phoned. If it gets lost, we can help wipe that. If you've got key logs on there with sensitive data, like, I don't know, passwords or whatever it may be, cool, we can wipe that. That can also disable the cable so that it just stops acting like
Starting point is 00:38:50 a cable, and hopefully that'll encourage your target to throw the cable away and get it out of play. And that's kind of just a high level of all the different things it can do. Yeah, this thing is pretty scary, and it's one of those things that now that you know a normal-looking USB cable can be an evil thing, it makes you distrustful of all USB cables. Like if you see a random USB cable sitting around, it might be some sort of trap that someone left for you, hoping that you'll plug it into your computer so that they can get into your computer.
Starting point is 00:39:23 I've got it in my hand here and I'm looking at it compared to another cable I have and it is identical. It's crazy how... Nice. Which one is it? iPhone one. Lightning. C to Lightning or A to Lightning?
Starting point is 00:39:36 C to Lightning. Oh, nice. So funny story about that one. If you hold up the type C ends and look at the white hoods, I delayed that cable by, I think it was a couple months, because it was 0.3 millimeters longer than the actual thing. So I was just like, oh man, it matters. It didn't really matter. But at the same time, the guy who does the front end work
Starting point is 00:40:03 for us is blind. He was a customer originally when we released the keylogger edition of the cable. And he came to me, he's like, dude, I'm feeling these two cables side by side and I cannot tell the difference. So that was amazing to me. Yeah, it is remarkable. And going back to the ANT catalog and COTTONMOUTH, I wonder if the NSA has bought like 1,000 of these to be like, oh, this is so much cheaper than the $20,000 per unit we have, and it has way better features,
Starting point is 00:40:37 and we don't have to run the R&D and all that sort of thing. You have any idea? I mean, I've heard some whispers that I probably shouldn't talk about, but I'll say this, is that there's many reasons why that could occur, which I mean, sure, price point. Yeah, absolutely. Maybe ease of use.
Starting point is 00:40:54 Like, I can't really speak to what the product experience is of their stuff, but I can suspect. But here's another thing, is deniability. Like, if you find a COTTONMOUTH cable, you're going to know where that came from, right? Or especially if you're certain intelligence services, you're going to have a good idea of like who made this highly custom hardware. But if you're seeing something off the shelf, there's some deniability in there for, you know, NSA as an example, right? Like, oh, where did that come from? That's just off
Starting point is 00:41:26 the shelf, OMG cable, right? So I would imagine, yeah, I have certainly talked with numerous people who are in that space, whether directly or kind of third parties employed by them to do tests and stuff like that, where these are absolutely in a whole lot of those types of environments for various needs, whether it's testing, third party assessments, like red teaming, stuff like that. I've talked to police departments, stuff like that, who are using it. It's that interesting aspect of circumventing things, right? So before, COTTONMOUTH was only available to US intelligence agencies and maybe Five Eyes. But now, the OMG cable is available to the world. So all of NSA's adversaries also have this. And that is interesting, that
Starting point is 00:42:32 the technology isn't only in one person's hands now, but that there's a level playing field of like, no, we've got that too. Yep. I mean, at the same time, I think it should be. Like, if I could have made that the way I did, I feel like others can make that. And therefore, you know, it was just a matter of time. Whether or not we heard about it in public was probably the only question there. Oh, that's an interesting way to look at it, right? It used to be that only an exclusive group of people
Starting point is 00:43:02 could get their hands on such a thing. And now anyone can. And yeah, that's scary that this thing could be anywhere now. But maybe the bigger danger here isn't when the cable went public, but when it was kept secret. When the only ones who had it were shadows. People who didn't want you to know they had it. People who didn't want you to know this existed.
Starting point is 00:43:28 People who didn't have to follow the law. I mean, compare it to smallpox. For centuries, people died of smallpox and we had no idea why. But then we discovered what it was and we learned how to contain it, and then we learned how to fight it, and then we learned how to defeat it. But in that process, we learned how to weaponize it. And that's the double-edged sword of knowledge.
Starting point is 00:43:51 We're in danger without it, but we're dangerous with it. We're going to take an ad break here, but stay with us, because when we come back, MG's going to tell us stories about how this cable is used in the wild. This episode is sponsored by DeleteMe. Right now the headlines are chock full of data breaches and regulatory rollbacks, making us all vulnerable. But you can do something about it. DeleteMe is here to make it easy, quick, and safe to remove your personal data online.
Starting point is 00:44:21 And just as well because I keep hearing about data breaches in the news. Since privacy is a really important topic to me, Delete Me is part of my internet hygiene routine. When I signed up, Delete Me immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It's great to have someone looking after me.
Starting point is 00:44:40 Plus, Delete Me was recently ranked as the top data removal service by Wirecutter. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries, code DD20. So over the years, people have shared stories with MG about how they're using his cable
Starting point is 00:45:26 and have asked for some really interesting feature requests. One story he was told was from someone who's a red teamer for the DoD, the Department of Defense. That is, his job was to try to hack into the US government's networks to test their security. This team posed as an Xfinity tech via email and phone. So they got a legit Comcast.net account, which literally every Comcast customer gets. But you know, you got username at Comcast.net and they're just like, you know what, we can pretend to be a Comcast employee with that, and I bet it'll pass.
Starting point is 00:46:00 And it did. So after some back and forth with this target, they set up an appointment. They found some Comcast slash Xfinity clothing at a thrift store, stuff like a hat and jacket. They did some OSINT, found some fake IDs, printed those out. They show up. They say, hey, we only need access to the MPOE. MPOE is a main point of entry. So that's like where the line comes into the building, typically like the basement or something like that, tends to be a lower security area compared to like the server room. So they're given access and they install a small device that allows them to remotely disrupt that line, the main line of the ISP, in the future.
Starting point is 00:46:51 So they leave, they wait a few weeks, let everything kind of just settle, and then they start causing disruptions. They return on site. They ask to look at the MPOE first, which lets them reclaim that remote device that they had planted. They say, ah, it's not fixed, I see you're having issues, but we're gonna need to find the other end of this cable. Where does this go? And you know, they knew that's going to be going
Starting point is 00:47:17 up to the server room, typically. So they brought them up. They brought two supposed Xfinity techs up. There was a camera in the server room. So, you know, they had two techs. One tech would strategically block the camera with their back each time the other needed to deploy a piece of hardware. So at first they deployed two different malicious network devices, two different types of things. But then they see a server with a monitor and a keyboard hooked up. And there's a USB cable hanging off of it. I think it was an 8M micro. It seemed to be for charging a wireless mouse, right?
Starting point is 00:47:57 And there was a wireless mouse nearby it. I was just like, dude, that is the perfect spot for an OMG cable. I think we got a perfect match in the kit. So they pull it out. They noticed, oh, this cable even has like a very distinct scratch on it. You know, scratch this cable, make it look perfect. Right. They were obsessed with the details.
Starting point is 00:48:15 The cable's already configured to connect to their guest Wi-Fi and then call back to a C2 server. They wait for an off-site teammate to confirm that the cable is now connected not only to that but back to their C2 server. That means, you know, they got full remote connection from anywhere. They were left unattended in this room for a little bit, so they call the target back. They're like, hey, think the internet's fixed, can you check it out? And they use that same server that they were eyeballing to, oh yeah, looks like internet's good,
Starting point is 00:48:48 which gave them a little bit more insight into what's running on that server. They leave and kind of start their initial work. They've got these tools in play. Now, like within a day, the target knew something was up. They found at least one of those malicious network devices, which immediately led them to the next network device that was in there. Got cleaned out, everything's fine. What was that malicious network device? It's not the OMG cable. It's not, yet. Other hardware that is not as physically stealthy.
Starting point is 00:49:18 Okay, so they left it there as like drop boxes kind of thing. Yeah, so something like a drop box. It was slightly disguised, but it's like it's visibly there. It's like a new thing. So they picked up on that and immediately, okay, we got out. There's an issue. We don't know how this got here. Sweep the room.
Starting point is 00:49:37 Okay. And this is kind of how it has to go. It's like, let's go at stages, right? Let's first see if we can be super stealthy and then if they didn't catch us, we'll be a little bit more sloppy. And if they don't catch us, we'll be overtly breaking rules.
Starting point is 00:49:52 And if they still don't catch us, then they've got a lot to explain and we can try stealing company cars or something and what is the next step, right? So I've heard these stories before and it sounds like that's what they were doing. Like we're gonna put a super stealthy thing in, a medium stealthy and a very obvious this thing shouldn't be here
Starting point is 00:50:06 Yeah, but the funny thing is they did a whole like remediation sweep and they didn't catch the OMG cable. Like it was still in play, after like, hey, red alarms, something happened here, sweep it, we found two malicious devices. But the thing is that the cable was dormant. Like it hadn't run anything, it was just sitting there connecting to their guest Wi-Fi, waiting. So yeah, I mean. What would have triggered the other device discoveries? Were they doing stuff? Yeah, they were more active, so definitely good looking, but you know, it depends. What would you assume if you're like, oh,
Starting point is 00:50:44 there's malicious hardware in here. What level of sweep do you need to do to that room and how thorough does it have to be? But hey, OMG Cable survives an active sweep. So the server had some constraints that made things a little bit difficult, which is probably why they're a little less thorough, which was, A, they had some EDR on there,
Starting point is 00:51:08 Endpoint Detection and Response Tooling, that would have detected any form of malware persistence. So they could run a payload on this and deploy some malware that would just live until the server rebooted. Also, the entire OS was just completely wiped about once a week. So even if you did have persistence, that's still getting wiped.
Starting point is 00:51:30 So it's a pretty locked down environment, right? But since they had a cable attached physically at all times, that was the persistence. So any time they lost the malware connection, they would just rerun that payload. Boom, they're back in. They changed the payload over time, but ultimately this allowed them to run and just be completely undetected for what turned into a six-month period of time. The only reason the exercise ended was because the contract came to an end and they needed to wrap things
Starting point is 00:52:05 up to explain the full processes and procedures they were using for the op. Yeah, I mean, is this kind of what you were hoping to, like, this is exactly the story that I was wanting someone to do this with: stick it into place, have it be there forever. You can get in there whenever you want, have your remote persistence, trigger payloads, get into systems, and no one's gonna detect you forever. I mean, that's got to be exactly what you were hoping, right? Oh, absolutely. There's just so many, like, oh, yes. You used a lot of the features to just really push this, and it makes me happy because it's, you know,
Starting point is 00:52:38 Are we doing Rick rolls? Or are we really pushing the boundaries and improving environments and just doing some really cool James Bond shit? Yeah, that's, that's, I love that. Because MG has brought this cable into the world, he's met some very interesting people from all around the world and heard some wild stories. Like there was this one person who was telling him how he used the cable to get into an air-gapped computer. That is, there's no way possible to hack into it from outside. And the reason why this computer was air-gapped is because it was part of a digital forensics lab. It was collecting evidence and looking at computers without the risk of any of that data getting out.
Starting point is 00:53:19 This group was hired to audit an entire security policy, including the physical security of the building. So they monitored 24-7 with a whole bunch of cameras at all sides of this building that they had deployed, and it was really hardened. There were guards present just constantly, 24-7. Everything was fully access controlled, it was all logged, it was all audited. How are they going to do this? And of course the goal was to gain access to that evidence computer, which was air-gapped. It had access to that large SAN for storage via network.
Starting point is 00:53:59 After a whole bunch of discussion, they decided, you know what, we're going to use an OMG cable. Their first idea was to submit a hard drive that needed to be forensically analyzed by that computer, but then throw an OMG cable in the package and hopefully the tech opens it up and pulls out the cable and says, oh, I'll use this to plug something in. But they thought, no, that might not work. They probably have their own USB cables in the lab,
Starting point is 00:54:25 and they're not going to use the one in our package. So they decided to get a USB external hard drive. You know the ones where there's a hard drive with a little USB pigtail coming off of it, and you just plug it in your computer and you can see it as an external drive. Well, they cut that little USB pigtail off, and then snipped off the end of the OMG cable
Starting point is 00:54:43 and soldered it onto this hard drive. Because the OMG cable only has one active end, and the other end really isn't needed for anything. So they just took the end with all the functionality and stuck it into this hard drive so that when the forensic tech opened it up, they'd have no choice but to plug this USB hard drive into the computer. Now it's integrated into that drive, and the drive looks like a totally normal drive, and it's the cable of that drive that suddenly is the problem, and it stays dormant. So yeah, put all these different payloads on there in advance. Most important note, they ran a boot payload. So a boot payload on this thing, it runs on an OMG cable. It runs every single time
Starting point is 00:55:22 the cable powers on, so when you plug it in, right? So they included a geofence that would check to make sure it's in bounds. It's like, it's at this evidence computer, which, you know, they were given some insider info on this one to make it safe. They're like, okay, here's the network that you should use to keep this in play. Basic checks to ensure it only ran on that evidence system. So something, you know, an actual adversary wouldn't do, but when you're a third party trying to keep everything safe, you do a little extra. So they placed the hard drive in an envelope with the, let's just say, required labeling that they were able to find via some public record requests. Say, hey, this is probably what this envelope
Starting point is 00:56:06 should look like to make it believable. So they turned it in at the front desk via a courier service, which was totally not a courier service, it was them. They advised, hey, this is for an active thing. It's needed for legal discovery, probably needed soon. Done, right? Now the drive sat for two weeks, unplugged, just waiting, right?
Starting point is 00:56:30 But then it got plugged in. Once it was, they got a notification, they had kind of detected when it would come up, and they left it plugged in for six days to do a full image of this drive. So they had intentionally kind of downgraded the speed to USB 2 to get like a USB 2 connection on a 4 terabyte drive. So they were imaging this thing for like six days, which means six days they had an OMG
Starting point is 00:56:55 cable plugged into the evidence computer. Now they could have set up a bunch of automated payloads and stuff like this, but for damage control they decided to keep an active human in the loop for this whole thing. So when it got plugged in, they got the alert, they returned and accessed the cable from basically the lobby or the parking lot, right? One payload allowed them to create and modify files on both the local system and more importantly, the SAN. That's just where all the evidence is, right?
Starting point is 00:57:26 You can manipulate the evidence. They have just proven that. Evidence is supposed to be just pure and untouched. Then they noticed that, okay, yeah, obviously this SAN, you need a network to connect to it, so it was connected via ethernet from this machine. But they learned that while the evidence machine was supposed to be air-gapped, it was only by DNS. So like, instead of doing a domain name connection out, you just connect out via IP address and suddenly, hey, it's working. You can connect out to the internet by just going direct via IP. Boom. Now they got the ability to exfil evidence from the
Starting point is 00:58:09 storage device out over the internet. Like, I think you could immediately assume some terrible scenarios where that's that's like a big problem. How prolific is this cable? How many companies out there are using it? One day I'll probably find a way to disclose that, but basically I don't know many places that don't have one. What?
Starting point is 00:58:40 Yeah, I'm continually amazed. I learn about new places that I didn't even know exist. Like wait, A, you exist. That's crazy. B, you got my stuff? What? Okay, cool. It's a wild ride going from I'm just making something that I thought was borderline art
Starting point is 00:58:59 in my kitchen to all of these types of stories I am telling you. It's a little hard to digest sometimes, but at the same time, I'm trying to take it very seriously. Yeah, but I mean, Hack 5 or even your own website could be like, used by these companies, if you do know which ones. Oh yeah, I mean, yeah, I think that would be bad form. There's a lot of companies who probably don't want that info out there. I think Hack 5 will list the
Starting point is 00:59:28 media that it has been seen on, like, cool, you know, Nat Geo and stuff. I just saw the OMG cable in a Netflix episode, apparently, of Zero Day, and they're talking, I think it was Robert De Niro talking about the OMG cable on screen, and I think Jesse Plemons' face was in there. Like, what? That is wild. Okay, so Hack 5 is who sells these things. Is there anyone they don't sell to? Yeah, so absolutely. There are a couple of ways to think about this. And, you know, I'm going to just generalize it here a little bit to make it easier to understand, but basically you can kind of think of three
Starting point is 01:00:07 categories of countries first being countries who are explicitly allowed and you could kind of think of those as like friendly NATO countries and Five Eyes right then second category would be countries who are explicitly disallowed. So think sanctioned countries like Iran and North Korea. But then you get this third category is countries who are on neither of those lists. So if the goal was to make as much money as possible, you'd be selling to that third group. But if you're trying to do more than like the legal minimum,
Starting point is 01:00:47 you might avoid selling to that third group, especially if you're operating in space that many people perceive to be a gray area. Even if it's not a gray area, you know, perception still matters. But Hack 5 only sells explicitly to the allowed countries and, you know, skips over that third group. It's a voluntary decision on their end, but it's also a factor of kind of having to be more diligent when you have tools that are more capable. So, you know, toys versus professional tools kind of steps up the level of, you know, attention to following the rules and kind of going a little bit over the minimums, right? Yeah.
Starting point is 01:01:30 Those rules fascinate me. It's really export controls that the US government has set up where certain electronics can't be sent to certain countries. And the classic one that just came to mind because of recent events was the DeepSeek surprised us all with their AI abilities. And then it turns out that they had tens of thousands of Nvidia cards, which I believe is against the export control rules. Nvidia is not allowed to send tens of thousands of these cards to China. And so it's just like, well, how come Nvidia didn't get shut down or fined or slapped on the wrist by the US government for selling so many of these?
Starting point is 01:02:14 Like at some point, there's got to be like, okay, we need more, we need more. Okay, who are you distributing this to? Oh, don't ask. Okay. So I don't know. I just wonder if these export control rules even matter or if they have teeth or if anyone follows them. Because honestly, I've filled out forms before and sometimes it's just a checkbox. Do you live in any of these countries? No? Okay, good. We'll send it to you then.
Starting point is 01:02:40 Right. I think the Nvidia one's a pretty good example. I don't think all of their products are export controlled. So this probably goes back to the capabilities, the toys versus the upper end stuff, and can you do good or bad things with them, and almost dual use kind of territory. And ultimately any restriction, as what you were getting at, can be bypassed. but introducing any degree of friction generally is good if you're trying to stop a certain activity. Perfect controls are hard, and it's a balancing game,
Starting point is 01:03:16 much like almost all security defenses, right? We often get that wrong in the security industry. It's like, oh, it's not perfect, so it's not worth doing. It's not necessarily, like, speed bumps help to some measurable degree at a large scale. But it's worth reminding again, Hak5 is the only entity I sell to. But, and as much as I love not having to worry about it for my own stuff, I absolutely love, like, supply chains in general, especially when you look at them from, like, the expensive security mindset. So I'm totally with you in terms of being fascinated. I think that stuff gets, like, way too little attention, and
Starting point is 01:03:54 if you focus on it, you can wield, like, crazy amounts of power if you understand it. So, yeah, okay. So you've told us a few stories of your cable being used for good. Do you know any instances of it being used for bad? Does anyone tell you about those stories? So I don't know of any stories specifically for my stuff, but Hak5 actually had a semi-recent example that was super applicable here with their WiFi Pineapple and the Russian GRU. So let's, what was this? So the WiFi Pineapple, it's specifically designed not to be perfect.
Starting point is 01:04:32 Like this is for doing security pen tests, right? Not for evading. That's the product design. So simple things like MAC address randomization are omitted. What else? There's like a certain way it sends management frames that could make it harder to fingerprint if they modified how that works, but they don't. It's intentional, because the product is meant to enable pen testers to do, you know, Wi-Fi audits where they've got permission not to evade the detections. So anyway, late 2018, Russian GRU was caught in Brussels,
Starting point is 01:05:06 targeting, I believe, UN facilities, right? Not the place, you know, if you're making this, that you kind of want to see your stuff showing up, but the WiFi pineapple was being used in the trunk of a car. And that explicit choice to not make the device super stealthy definitely helped law enforcement track this down and figure out what was going on probably a lot faster than if they made other choices in
Starting point is 01:05:29 their product design. Well, I'm surprised there's not more malicious intent stories because, you know, I just go to a grocery store today and the cash register, I could see the back of it. Like I can plug something into the back if I wanted. And there's so many other restaurants and stuff where I've seen a computer exposed. At the bank, I was at the bank and the back of their computer was easily there
Starting point is 01:05:56 that I could just pull a cable out of my backpack, shove it in, and they wouldn't know. And I'm surprised there's not just stories of people using this to rob grocery stores. I mean, behind the scenes, and I don't think a lot of people see it, I put a lot of work into just gaming out all of the potential risks to minimize that. And it's not perfect. It's totally possible that bad things will eventually happen.
Starting point is 01:06:23 There will be a news story, but I think over the last five to six years it's been sold, I personally cannot point to any news stories where a bad thing happened. Whereas if you compare it against other peer devices, to say that in the field, I think there's quite a bit more news stories, just comparatively, if we're taking a sampling. So that track record I'm just very happy with so far. I mean, you can, I assume that people are buying this and using it for malicious intent. I mean, you self-describe the thing as a malicious cable, right?
Starting point is 01:06:59 So we can assume that people are going to do bad things with it, but I worry about your liability here because if you're saying, I have a malicious thing, this thing's very dangerous, you could do this and this and this with it. So I was like, great, I'm going to go do that with it. But it says here, I have the package in front of me and it says, like, do not use this unless it's on, you know, a network that you have permission to use and such like that. I wonder if that's enough to, you know, make you not liable for people actually using this maliciously.
Starting point is 01:07:38 Yeah, so because I mean the thing is, is that you've got people who are malware creators out there, botnet creators, they don't unleash it to the world, they don't spread it, they don't infect people, they just make it, and then they're the ones who are going to jail for this. Yeah, there's definitely some differences there, but just is that legal message enough? Like, absolutely not, not for me. When you're in the gray areas, you can't just do the minimum. And it's also important to point out that legal is not the same thing as ethical, which is again why it's not enough for me. Product design, like I mentioned, detectable defaults.
Starting point is 01:08:16 They're not legally required, but I think they're critical in terms of reducing harm. Community management, like, you know, not just dropping a tool and then letting Lord of the Flies happen, for instance, right? Like, we're talking about a lot of nuances. You and I right now are talking about a lot of nuances that a lot of people haven't spent the time thinking about. So I think it's good to try and share those nuances and just generally keep things from going off the rails within those communities because this again helps the outcomes. And it's kind of sort of like open source. A lot of people will just drop code and call it done, but it takes a lot more work, in my opinion, to do it responsibly. You got a, you know, like real open source is code that you've cleaned up,
Starting point is 01:09:00 that you've maintained, and then community around it is maintained too. It takes work and effort. Um, but it's also important that, you know, this isn't just about like, uh, self preservation, which is kind of, you know, the topic here, it's, it's about kind of community preservation as well, which is really important. So one entity just being too reckless is basically all it takes to ruin it for everybody. And there's tons of examples of that type of thing happening. Obviously, if my goal was to push the limits of the law, then sure,
Starting point is 01:09:31 my answers would be different, but my goal is to push the limits within security. And I guess, you know, that I want to keep focusing on that. And that's why I spend tons of time thinking about all the ways I can reduce harm and risk in all the other areas. Like this this cable started off as just a one-off, a proof of concept, but it moved over time into large manufacturing, sales, and the way I think about the risks has evolved along the way right alongside that. Yeah, So you talk about, you know, supporting the community. I assume that's the ethical hackers, the white hats of the world that have permission. Yeah.
Starting point is 01:10:13 But, and, and that's great that that's your intent to help, to help, uh, improve security for networks, to help people, um, test it ethically. But that intent, I think, is what matters in the eyes of the law in a lot of situations. And I mean, you just told us that you've sold these things in the back alleys of DEF CON, in its hard corners. And I mean, DEF CON in general is a place that has malicious actors and criminals. We've seen people get arrested there and such like that. And so I wonder if there's any sort of, you know, if that's proof enough just to be like, no, this guy sells it at DEF CON.
Starting point is 01:10:58 Of course he's got malicious intent. There's no way he's doing it. Like, he would be selling it at a legit. That's just all about securing and not hacking. This is a hacker conference. There's just something there that, I mean, and not just that, there's like, you know, people might come to you and they're like, hey, I want this feature.
Starting point is 01:11:18 And you're like, oh, that's a good idea. And you add that feature. And like, maybe you judge them first and be like, wait, hold on, who do you work for? Do you have permission? Or do you hear people be like, man, I keep plugging it into the bank and the bank keeps popping me,
Starting point is 01:11:34 I need a feature to be more stealthy. And then you're like, wait, hold on, I'm not gonna help you. There's gotta be this world of who you actually do business with and who you don't, or who you help and who you don't. Because again that intent matters and if there's a criminal coming to you and saying, hey I need this for criminal reasons, what do you do there? Because that's where the intent comes in, right?
Starting point is 01:11:57 Yeah, I mean, so helping could be anything, right? It could be operational advice for running an op, could be feature changes or additions, could even be custom hardware. I've been offered 30 grand for a cable and I have turned it down because it's like, hey, this could risk just the future. But there's also other things like people will come in, they're clearly not in the space of, you know, information security, and they're trying to do some, like, spouseware stuff. And I'm like, as soon as I get a hint of that, it's like, immediately, no. Also, what you're doing,
Starting point is 01:12:31 I just have tons of issue with, like you need to redirect this. So spend your money on like couples therapy or something. This cable is not, it's not a marital aid. Well, yes, see, this is what I imagine, right? So there's these privacy phones of the world and they specifically wanted to help criminals, right? And so they would entertain, they would get them in the hands of, you know, drug dealers and such and say, what can we do to make these phones more private? You know, what features do you want? And that's what made the people
Starting point is 01:13:03 who made the privacy phones go to prison. I mean, we have phones that are secure, like even the iPhone, right? It's secure to some degree. And you don't see the Apple team going to prison because they're making things private or secure. But it's the fact that all those other privacy phone creators
Starting point is 01:13:19 were doing things to work with criminals. And so I imagine some, I don't know, street hacker gang being like, all right, MG, we got all these cables, but we need it to be one step better here. We need you to put this in. I just imagine this world where people are approaching you and you've gotta be like, sorry, we'll probably go to jail if I help you, so no.
Starting point is 01:13:43 Again, like, kind of like as you were pointing out there, I don't do this for just anyone. I get to know who they are, who I'm giving custom help to. Actually, so the operational stories I'm sharing with you were from those relationships. You know, ultimately, you need to do some due diligence, kind of like you were saying: contact the entity being targeted, verify a contract for offensive work is in place with the other person asking for help. Simply verifying the identity of the entity asking for help to ensure they're legit. Definitely not just offering it up to anybody. I have turned down very large offers of cash because it wasn't exactly where I wanted it to be. This episode was created by me, your pseudo mama, Jack Rhysider. Our editor is the last
Starting point is 01:14:45 JPEG, Tristan Ledger, mixing by proximity sound, intro music by the mysterious Breakmaster Cylinder. Sometimes I feel like the biggest cybersecurity threat to myself is my future self, that version of me who forgets to update software, reuses a password, or falls for a phishing email. So to stay safe, I started locking myself out of my own accounts. Let's just say future me and past me now officially hate each other. This is Darknet Diaries. [♪ OUTRO MUSIC PLAYING FADES out...]