Darknet Diaries - 166: Maxie
Episode Date: December 2, 2025Maxie Reynolds loves an adventure, especially the kind where she’s breaking into buildings (legally). In this episode, she shares stories from her time as a professional penetration tester,... including high-stakes physical intrusions, red team chaos, and the unique adrenaline of hacking the real world.Her book: The Art of Attack: Attacker Mindset for Security Professionals (https://amzn.to/4ojYSVZ)Her data center: www.subseacloud.com/
Transcript
Discussion (0)
The Cardiff Giants is an interesting story.
In the Bible, Genesis 6-4, it says there were giants on the earth in those days,
and they made it with people and created mighty men of renown.
This guy named George Hall was like, wow, there were giants on earth.
But the reverend argued with him and said, no, no, there were never giants here.
But George was like, no, no, the Bible says so.
There's got to be a way to prove it.
But George could not prove it, of course.
So he decided to fake it.
He went to a quarry and dug up a huge block.
of gypsum, then hired some stone cutters to make the block into the shape of a giant man.
They created a rough statue of a man that was 10 feet, four inches tall.
Then George stained it with acid to make it look old and put it on a train and took it to his cousin's farm in Cardiff, New York.
And late at night, he buried it on his cousin's farm.
A year later, his cousin went to dig a well and hired a crew to come out and dig the hole,
and they ran into this giant in their dig.
One of the workers immediately shouted,
This must be an ancient burial site.
And so they dug up the giant,
and the words spread that they found a buried giant.
People from all over flocked to the farm to take a look.
It was quite surprising to see a petrified giant of a man.
A lot of people believed it was a petrified human.
The Bible says so, see?
But some thought it was just a statue.
But pretty quickly, George's cousin realized how valuable this thing was.
So he put a tent over it.
It started charging people 50 cents to come in and see it.
500 people came a day to see this amazing giants.
The whole town started a profit from it.
Restaurants were filling up.
Hotels were booked.
And that's when P.T. Barnum came.
And he was like, sir, I will give you $50,000 for that giant.
What do you say?
The farmer was like, no way.
So P.T. Barnum hired someone to make a wax copy of it.
And Barnum displayed this unauthorized copy at his circus
and claimed it was the actual giant
and charged people to come see his fake replica.
A year later, George Hall came out and said
this whole thing was a hoax that he's the one who buried it there.
But while it didn't prove that giants roam the earth,
it did make his cousin pretty wealthy.
And that's how scammers would get you in the 1860s.
These are true stories from the dark side of the Internet.
I'm Jack Recyder.
This is Darknet Diaries.
your business is sensitive data and digital assets vulnerable.
But imagine a world where your cybersecurity strategy could prevent these threats.
And that's the power of threat locker, zero trust, endpoint protection platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
Threat Locker implements a proactive, deny-by-default approach to cybersecurity,
blocking every action, process, and user unless specifically authorized by your team.
This least privileged strategy mitigates the exploitation of trusted applications,
and ensures 24-7-365 protection for your organization.
The core of Threat Locker is its Protect Suite,
including Application Allow Listing, Ring Fencing, and Network Control,
additional tools like the Threat Locker detect EDR,
storage control, elevation control, and configuration manager,
enhance your cybersecurity posture
and streamline internal IT and security operations.
To learn more about how Threat Locker can help mitigate unknown threats
in your digital environment
and align your organization with respected compliance frameworks,
visit Threatlocker.com.
That's Threatlocker.com.
This episode is supported by Hymns.
According to the National Institute of Health,
as many as 30 million men in the U.S. experience ED.
It's more common than a bad night's sleep.
The good news, HIMS makes getting access to treatment simple
so you can feel yourself again without distress or awkwardness.
HIMS offers access to ED treatment options
ranging from trusted generics that cost
to 95% less than brand names to hard mints if prescribed.
This isn't a one size fits all care that forgets you in the waiting room.
It's your health and goals put first with real medical providers making sure you get what you need to get results.
Think of Hymns as your digital front door that gets you back to your old self with simple 100% online access to trusted treatments for ED and more.
To get simple online access to personalized, affordable care for ED, hair loss, weight loss, and more.
visit hymns.com slash darknet.
That's hymns spelled hIMS.
HIMS.com slash darknet for your free online visit.
HIMS.com slash darknet.
Actual price will depend on product and subscription plan.
Featured products include compound drug products,
which the FDA does not approve or verify for safety, effectiveness, or quality,
prescription required, see website for details, restrictions, and important safety information.
I want you to meet Maxie.
My name is Max Hey Reynolds.
She grew up in Scotland and had an itch for adventure when she was young.
She knew she wasn't fit for a sort of sit down, do a lot of paperwork office type job.
No, her head was always up in class, looking out the window,
dreaming of faraway lands that she could visit.
I left home at a really early age, about 15,
and I had no idea about what I was going to do, what I wanted to do.
And so I tried everything, and I was ending up working in bars and as a cleaner and all these sorts of things.
And I just thought, no, this isn't for me.
And I want a job where I can travel and see the, you know, outside of Scotland.
So I went to a university in England, which is somewhat treacherous, being a Scottish person.
And I got a degree in underwater robotics.
She was hoping this degree was her ticket to travel.
Maybe if you're going to be operating underwater vehicles, you'll get to go to some pretty faraway places.
So she started applying to every company she knew that,
used these remote operating vehicles.
I couldn't get a job, and it was because I was female.
The reason why this was a problem is because sometimes she'd have to go out to sea in small
vessels or be stationed on some kind of platform at sea, which also had small living quarters.
And the problem was that these companies required men and women to have separate cabins,
and they simply couldn't accommodate her, because a lot of these cabins had four beds in them,
and they didn't have any single bed cabins that she could be in,
and there just wasn't enough women to fill up a sleeping cabin.
So she just didn't get the job.
I was told this same story over and over.
But that didn't stop her.
She kept up lying at places.
And eventually a Norwegian company finally said yes to her.
Finally got a Norwegian company to accept me and they said,
if you get your private pilots license, we will take you on.
So I went to a bank in Scotland and asked for a career development loan and I got my private pilots license.
Well, now this pilot is different than RLV pilot.
This is airport.
Yes.
Yes, this is a small, yeah, so I can fly a Cessna, although I haven't in America, I can do that.
And so it was supposed to be quite similar.
And then I called the company back and said, hey, like, I've got this.
And it takes months.
And I was getting further and further into debt.
So I called them back and said, hey, I've got this.
And there had been this change of management.
And they were like, it's not actually, we don't know why they said to that.
It's not a private pilot's license you need for a plane.
It's we're more, like, as an ROV pilot,
it's closer to a helicopter.
So I changed my name.
I went back to the bank in Scotland,
got another career development loan,
and went back and got my PPL for helicopters.
Then I went back to them and said,
okay, I've got this, but listen,
no more surprises than can I have a job now?
And they took me on,
and it was sort of life-changing for me.
This job required her to travel a lot.
North America, South America, Europe, Asia.
She got to travel the whole world
while working as an underwater ROV pilot
and sometimes flying helicopters.
So I lived in Venezuela for a while.
I lived in Trinidad.
I have been to sort of everywhere from Nigeria to Australia,
a lot of coastlines.
I've seen a lot of water.
While she was doing this work,
she started getting more fascinated with IT.
Computers became her passion.
She was enrolled in remote learning courses
and was able to get a degree in computer science.
Then she took a month off work and landed in,
Los Angeles, California, just to take a break for a while.
But she fell in love with L.A.
And while there, she started going to a gym to exercise and work out.
One of the people that I was training with in the gym was a stuntman.
And I sort of begged him to please let me hang out with you.
Let me be cool, too.
So eventually he got me some training in stunts.
And he actually got me one of my first jobs.
She was in a few independent films, did a few stunts for them.
She got an opportunity to be in House of Cards, and she does stunt for them, but they decided not to use it for some reason.
While that was cool, it was also short-lived, because while it's exciting, she didn't see it as a long-term career.
I studied quantum computing, and it was really difficult.
It was extremely difficult for my feeble mind, but it was really enjoyable, and I loved it.
This turned her attention to new technologies and companies.
At some point, she got a job for a company in all.
Australia and move there.
My first entry point into
both social engineering really
and pen testing was in Australia and I worked
for a big company down there. They gave me a shot
on their graduation team
for cyber security.
This company had penetration testers.
People who try to break into a
building or a network to test the security
of it. She got to watch one of these
pen testers work by monitoring
their activity through cameras.
And I was
witnessing a
pen test, but with this social engineering component, and it was a guy, he was a really good
hacker, and he had gotten into the network of one of our targets, and he was opening all of
the security doors and automated doors for one of the team, the cybersecurity team, and they
were just walking through, and they were filming the whole thing, and, you know, it was being
broadcast live and back to us, and it was amazing, and I was thinking, okay, this is a good job,
this is the kind of job that I would like to do.
Being a physical penetration tester seemed like just the thing for Maxi.
Breaking into a building, acting like a spy, that seemed really fun.
She asked if she could do that.
They were like, well, your luck is in because we have to test them without these technical capabilities.
So we're just doing a physical pen test.
Would you like to be involved?
Jumped at the chance.
So they gave her an assignment, which was to try to get into a company and film what they were working on inside it.
And to start figuring out how to get in, penetration testers often use OSINT,
which is just gathering data on a target through open public searches online.
So she does a little OSINT and starts learning about the company more.
They had some very interesting IP.
They were a transport company,
and they were building some unique buses and large transport vehicles within this whole complex.
So my job was to get into their public.
past reception, past all security,
get in and look at all of the assets and the IP.
And it didn't need to, you know, hack any computers
or even plug into any computers.
It was simply to get in and to essentially have a look around.
How fun, right?
Can you get into this factory?
Take a few photos of what they're building and get out without them knowing you're a spy?
As she starts learning more about this company,
she found out that they had some big connections with Sweden,
as in some of their offices were located in Sweden.
If you squint your eyes and you were very far away from me,
I could probably pass as Swedish.
So I had decided, and no one stopped me I'd like to point out,
I decided that I was going to pretext or present myself as a Swedish ambassador for this company.
and I had the CEO's name and some other top exec's names and things like that.
She does have blonde hair, but even though she may be able to pass as Swedish looking,
there's no way she's going to sound Swedish.
Not with that Scottish accent.
So her plan was just to put yeah on the end of everything and hope they didn't notice.
No, and it gets worse because even I, because they're Australian, right?
They're not idiots, so I was thinking that will never work.
But that was her plan.
and she decided to go forward with it.
She liked the idea of acting like someone else.
So she was set on being the Swedish ambassador for this company.
Walk in, tell them she's from the Swedish branch,
and she's just flown in to inspect the building.
But in order to do that, she's got to look the part.
So she takes a trip down to a local clothing store,
buys a new outfit, something that would make her look like an executive.
I bought a clipboard, and I looked professional,
and I had, like, a little briefcase,
and I was really trying to look professional.
She's all set, ready to go in.
Outfit on, camera rolling, deep breath.
Let's go.
So I go in to reception and I approach the receptionist with a warm smile
and I'm being as nice as I can be.
I said, I'm here for this.
I'm here for disappointment and this is what I want to do and this is where I'm from.
And she said, okay.
And I was like, what?
It was that easy.
This doesn't make sense.
but you know I'm not going to get in my own way so I followed it and she took me to this little room
just sort of directly behind reception and I was created by this adorable little old lady
and there was one other person in the room but we didn't really talk so I had to present ID
which is another stumble and talk and I got to talking to them so they asked me why I was there again
and all those things and they said they weren't expecting me but it wasn't a problem
and I thought, well, this is really easy, this is great.
And I gave them my ID and I had an Australian ID at the time.
And they said, you're from Sweden.
And you've got an Australian ID and I said, yeah, and I've got a dodgy accent.
I went to school in the UK, so I tried to get around it like that.
And it works beautifully and I don't know how.
So I got in.
Okay, at this point she's doing pretty good.
Passing as this Swedish person from another office,
she got into the building, check, passed reception, check,
and passed the two people that.
that she was handed off to. Check, check, check. Now she's in. And she's trying to film things,
take pictures of what's going on. There's an engine room. That looks interesting. Film that.
So she goes in closer to take a look. And I was walking towards one of these large engines.
And this man was walking towards me with, I think it was like two of their men. And he stood out.
He had this beautiful blonde hair and these big blue eyes, like completely stereotypical.
Nordic look
and he
came up to me and he
said something in a language
I don't understand but immediately
guessed correctly
this is Swedish I'm supposed to be
Swedish I don't know any Swedish
so I'm racking my brain for the limited
amount of Norwegian that I know
and
whatever he said
I kind of just looked and I felt
my body get tense and I
felt like my
my brain say, get I'm to open up, like, let me cannonball into hell. This is torture, please
no. And so I said, yeah? And he looked at me like, okay, maybe that doesn't make sense,
but okay. And then he repeated it. And so I tried the one word I could remember in Norwegian,
which is nigh for no, because if yes didn't work, then maybe no word, which was maybe one of my
dumbest moments.
But, so then he quickly just understood, like, this isn't right.
And then security was called.
They had a very prompt security team.
They came.
I was detained.
Oh, no.
She was caught.
This is every pentester's fear.
But just because she's caught doesn't mean it's over.
Maybe she can somehow get out of trouble, convince security that everything's fine,
or at least just try to leave the building without being caught more.
She tried to change the story.
No, I'm not from Sweden, I'm just working with the Swedish team.
I'm based in England.
So they asked to see her ID again, and it just wasn't checking out.
They were very confused by the whole thing.
At that point, she just couldn't see any way out of it.
So she pulled out her get-out-of-jail-free letter.
This is a letter that all penetration testers have
that gives them authorization to do what they're doing.
It has a phone number on it,
which is typically the head of security and says who actually authorized her to sneak in.
So they called a number on it, and the head of security says,
yep, this is all a plan test.
Good job for catching her.
We had this sort of laugh after it,
and even the security guy was like,
why would you pretend to be Swedish?
I said, I don't know.
I'm Scottish.
She's like, I can tell and you don't look Swedish.
I was like, I know.
That was Maxie's first pen test,
where she tried to break into buildings.
But she loved it.
This was adventurous.
Adrenaline fueled.
You need to keep your wids, be quick on your toes,
and know all about computers all at once.
She felt like this is where she was meant to be.
This was cool and decided to pursue a career in pen testing.
She did a number of penetration testing engagements while in Australia,
learning new techniques and getting official training on how to get better,
reading a bunch of books on how to improve.
And one of the things that intrigued her was thinking like an attacker.
That attacker mindset was something she spent a lot of time thinking about.
How do people with bad intentions act?
Soon it was time for another penetration test.
Still while she was working for a company in Australia,
The company I worked for was working with the local government in the city that we were in.
And I won't say the name because I don't want any further environment.
Now, penetration tests are not always physical.
In fact, I'd say most of them are just done over a computer.
Like, the penetration tester might be outside the company and just trying to hack their way into the company through the internet.
Or sometimes companies will just invite the penetration tester right into the building and give them a desk and a network jack and say, go for it from the inside.
because even if you get into the network,
there should be layers of security
which should still keep you from getting into important things.
That's called defense in depth.
So this was a pen test on a local government office.
And with this one,
they invited her to come into the building
and plug into a port
and see what vulnerabilities she could find
from within the company.
She wasn't alone on this one, though.
There were two other people with her.
And the two other people were very experienced
network penetration testers.
And she was still learning how to do this,
So she was shadowing them and watching what they were doing.
So I wasn't a noob, but I was, this was my first job in cybersecurity.
I have a very technical background, building ROVs, flying them or steering them, I suppose.
That's all technical, even stunts are technical to a certain degree.
This was a step further because there are no physical components to it.
That's why it was so difficult for me.
It's all on screen and Linux is its own beautiful, scary world for me.
So I was still getting to grips with this whole world
and all of the commands and what these things meant and how to undo things.
And they all sat down, pulled out their laptops,
and plugged into the network.
She starts by firing up a network vulnerability scanner.
I got to run the nests scan, which was...
not the most technical job in the world, but it felt good at the time, and I got to look at what
vulnerabilities were there, and I got to go and see exploits for those, and I got to, like, run
EnMAP. These are fine basic tools to start with. It'll scan the network for known vulnerabilities.
They're easy to use, and typically benign, as in they're not going to cause any trouble on the network
just by running them. When you run these tools, it's not hacking. It's just to try to find what's hackable.
And she wasn't exactly sure how to hack into this company.
When you're around the experience pen testers who loved their job
and these two loved everything, every line they wrote was sort of like a piece of art for them.
They loved it and they really got this high out of it.
And that's contagious.
So I started to think, like, this is amazing.
This is so cool.
Look how far we ran.
And one guy, one of the guys that I was there with got a call from.
one of our points of contact, and he was saying,
I can see you in the network, and it was this big game,
and it was fun, and it was interesting,
and I got caught up in that.
So after seeing all the cool things that those other penetration testers were doing,
Maxie wanted to have some fun, too.
How far could she get into this network?
She saw there were vulnerabilities on certain systems, on her scan.
She tried to exploit those vulnerabilities and get into those systems,
because there's a sort of high you get from getting into a computer
when you shouldn't be able to, and she was making progress.
She got into a few systems, and she was looking around, making notes on how she got in.
She would look over her shoulder and always see those other penetration testers, many steps ahead of her.
So she kept looking around to see what else she could get into.
I found my way to some internal environment, and I hit the kill switch on a city's workshop play.
She accidentally typed the wrong command into the wrong computer.
which controlled the flow of water to the whole city.
The person I was with immediately saw within the network that, wait, that wasn't right.
I will assume that he was sort of with me, like following me throughout the network
and can see a lot of what I was doing.
And then I was thinking, yeah, this isn't, I don't think that was maybe good, right?
And so I looked at him and I could sort of see on his face and he comes over to me and he says,
like, what did you do? And I, you know, you can look at your history quite quickly and I still
had quite a lot on screen. I showed him and he put his head in his hands and I was like, what is it
really bad? It was really bad. Shutting off the water to the whole city, showers, faucets, sinks,
even toilets were not functioning citywide. Her two other penetration testers immediately tried to
figure out ways to fix the issue. One was looking at how the system operated and if it was possible
to just turn it back on, but you don't want to just do that if it's going to cause a problem.
The other pentester immediately phones the point of contact, letting them know this is a major problem.
Maxi was sort of in shock and incredibly embarrassed.
She took her hands off the keyboard and just waited.
I was detained by security guards, and they were not very pleased.
Now, this is a completely different situation from the last time she was detained by security.
The last time she had a get-out-of-jail-free card, this time they knew.
that she was supposed to be there. In fact, it was her point of contact that called security on her.
She was authorized to be there and do this, but this was not supposed to be disruptive to the
organization. Not only was it disruptive to the organization, but it was disruptive to the whole
town. So they wanted to at least get her recount of the matter recorded, so they had it for later.
I go down to a window this room, and I'm questioned. And all of a sudden, one of the sort of
accusations, if you want, was that I was a Russian spy.
I was thinking, how did we get there so quickly?
Like, what happened?
Apparently, she spoofed her IP at one point to make herself look like she's coming from Russia
to try to test to see if they could detect that.
But that was just very brief.
And she was definitely not a Russian spy.
But this was becoming scary now because it wasn't just a confession of a mistake she made.
It was like they were treating this more like an investigation.
So I was held there for like a couple of times.
of hours and of course the police were called. The police had to be called. I didn't have any
idea on me. I had my work card, but that doesn't really matter because it's just a photo I could
have printed it myself. And I kept saying to them, you know, if you let me go back to my apartment,
I can get my passport for you. I'm British and I'm not a spy and you can contact my employer
and I'm actually here with two people and I kept going and they didn't want to hear it and that's
okay, that's kind of their job to do, to not believe me and to, you know, look for the worst
because they've got to protect themselves against the worst. And eventually that at some point
I said to them, like, I need a kind of a glass of water and the look would have been enough
to like, you know, turn most people to stone. And I was not an ideal question. And then
eventually my employers at the time called in.
and it did get sorted and I narrowly escaped essentially what I think you would call it
prosecution. I escaped any legal action because of that and I was on the graduation team so that
lent me some credibility in the fact that okay she doesn't know what she's doing and it's okay
and my employer didn't fire me and I will be eternally grateful for that.
She doesn't know how long the water was out that day.
It could have been hours, minutes, seconds.
It doesn't matter.
The fact that it could be shut off and it did get shut off
is why the police had to respond.
But she narrowly got out of serious trouble from that one.
But this sort of baptism by fire is how we learn the most important lessons in life.
I mean, knowing firsthand what kind of true power a penetration tester has is profound.
And this feeling sometimes flips back and forth too.
Sometimes you feel completely blocked with no access to anything,
and it makes you feel dumb.
In other days, you feel like with a single keystroke,
you can wreck this entire business.
It almost reminds me of visiting a barber and getting an old-fashioned shave.
The barber has this razor, and they're shaving your neck with it.
You feel very vulnerable in that situation.
I think many companies do feel vulnerable when they allow a penetration tester to come in.
Who knows what they saw or took?
In my last job, we had a penetration tester come in,
and see what they could do,
and they were able to crack 25% of all our passwords company-wide.
That's like thousands of passwords.
Of course, I read the report to see whose passwords got popped,
but it only contained statistics, not passwords or usernames.
And it made me think, you know, this pen tester is walking out of our building
with a bunch of our passwords.
I've never felt more vulnerable at work before.
We're going to take a quick ad break here,
but stay with us because Maxie's going to tell us about a penetration test story,
that changed her life.
This episode is sponsored by Rippling.
HR teams were promised modern tools
but ended up with a stack of disconnected apps.
Onboarding, payroll, benefits, compliance,
all in different places.
That's not SaaS.
That's sad.
Software as a disservice.
It's time to spend less time on checklists
and more time on strategy.
It's time to run on Rippling.
Rippling is the unified platform
for global HR, payroll, IT, and finance.
They've helped millions replace their mess of cobbled together tools with one system designed to give leaders clarity, speed, and control.
By uniting your employees, teams, and departments in one system, Rippling removes the bottlenecks, busy work, and silos your software created.
With Rippling, you can run your entire H-R, IT, and finance operations as one, or pick and choose from the products that best fill the gaps in your software stack.
And right now, you can get six months free when you go to rippling.com slash darknet.
That's Rippling, spelled RIPP.
P-P-L-I-N-G.
Learn more at rippling.com slash darknet.
That's rippling.com slash darknet for six-month-free.
Terms and conditions apply.
Making some big mistakes on past pen tests did not make Maxie back down from pen testing.
Instead, she doubled down.
She was fascinated by the power of the pen-tester.
But more so, the attacker mindset allured her.
But she had to leave Australia.
Yeah. Well, yeah. So I'd come back from Australia. My visa had run out, move back to the States. My model in life is like, if I'm free to do it and I want to do it, then I will do it. I kind of always want to be infatuated with what I'm doing and focused. And I'm okay if whatever the thing is that I want to do changes. And it has, obviously. But I want to love what I do because functionally, right, I'll live for 70 years. Maybe I'll live to 90, but functional.
I've got max 70 good years and I want to do, well we might do two interesting things a year.
So I've got 140 interesting things that I'll do in my life.
That doesn't sound like a lot.
So I just always wanted to do the things that were most interesting,
that would get me the most sort of interesting, exciting experiences.
And for her, the thing that excited her the most was red teaming, penetration testing, social engineering.
Physically breaking into buildings was just a thrill to her.
So she looked for more jobs doing that.
So I was hired on a sanctioned red team contract to test this high security logistics company,
and there were two testers that were booked.
It was a large company, but they wanted the two of them to try to get into one of their satellite warehouses.
They told her, look, there's a locked fence around this whole property.
Security alarms are on the doors.
There's security cameras watching the whole property.
There's active security patrols at night.
And they just wanted to prove that she could get to them.
They didn't want her to do anything to those machines.
And they gave her a little USB device and said,
hey, if you can actually get to it,
plug it in and take a picture that you got there,
and this will prove that you made it.
Because presumably, if somebody wanted to get a customer list
or shipment list or whatever,
it would be just as easy for them to plug in a USB device,
grab the stuff, and unplug it.
So they asked her to see if she could do that.
So her and her coworker take a drive out to this facility during the day
and just drive by, just to look at the place.
And driving by,
is too quick. You can't see anything. So they decided
to get out and just walk down the sidewalk
and go around the whole property
just to see what they can notice. Any points
of entry? Are there any areas where the
cameras aren't pointed?
When we had
kind of gone around,
the very edge
of the perimeter was like metal
fence, like chain link fencing.
So the chain like fencing had
just, it wasn't
years old, probably decades old.
And so it was a bit
rickety, so you could just kick the edge up, so we knew that.
They took some other notes and got an idea of what the place was like.
There's a two-story warehouse building with loading docks and sort of two parking lots,
one normal one with big transport trucks and cargo trucks, and a second one that had a chain link
fence around it with many more of those big cargo trucks.
We're talking eight-wheelers here, the big trucks.
This warehouse would load stuff onto them, and then they'd deliver it.
So they leave and decide to come back at 9 p.m.
But Maxie's co-worker called her up.
He's like, I'm sick.
And I was like, I hate you.
I know you're not sick.
You're hungover.
But anyway, last minute, he gets sick.
So the scope allowed for a solo run.
So I was like, I'm going to do it.
She waits until night and then drives back to the facility at 9 p.m.
By that time, the place was all closed and there should be no workers there.
And just those security patrols that she was told about.
I then parked behind a tree line outside of the logistics park.
I was keeping away from, you know, the lights.
I was staying where the shadows fell in out.
Okay, let's go time.
I like the quiet approach of being on foot myself too.
You can hide easier, change directions more quickly, be more stealthy.
So come up through a tree line, off to the side of the whole complex, moving pretty slow.
I'm far enough from the walls to see the whole facade.
I'm close enough to spot opportunities and I do the usual first pass.
I don't force anything.
I don't touch anything.
She passes by the building.
The classic first pass gives you plausible deniability, right?
If you don't touch anything or don't go on the property, you can just say you're passing by, if anyone asks.
But it's quiet.
There seems to be no signs of life inside, no noise, no doors open, no lights on.
There were a lot of trucks in the parking lot, but all of them were dark and quiet.
No regular cars there.
But surprisingly, she didn't see any security patrols.
So since she's around the back of the building, she starts jiggling doorknoves and windows to see if any of them will open.
And everything obvious that you would look at to gain entry was a no.
So doors, no, hatches, couldn't see them, ground windows.
They didn't open.
They were just double-pane windows.
So, yeah, so, you know, good security is frustrating in some sense.
But it was this like corrugated, all of the warehouses in the area where these corrugated sort of steel structures or metal structures.
And this, the warehouse I had, there was sort of this grass alley in the back, at the back of it and its neighboring warehouse.
also had stacks of palates. So there was just these stacks of palettes all the way, like through
this almost alley. And there was this high stack of palettes that kind of touched. It was within
three, four feet of a second floor window. There was just this little, it was like a little
rectangular window, but it was open. And I was like, oh, that sounds like a great way to get in there. So
kind of moved a couple of pallets
start to climb up these other
like this other high stack of pallets
and most of them
have kind of being like secured
to one another so it's
they're still a little rickety
it wasn't like I wasn't feeling very
confident that they wouldn't crash
to the ground but
they didn't I'm you know pretty light on my feet
I am built for speed and not power
so I do end up
getting to the top poke my head through
While the building looks two stories tall, it's really just a single story, but just with really tall walls.
So when she looks down, it's straight down all the way to the warehouse floor.
That's not good.
That's too high to jump down.
So she looks around and notices that the walls are made of.
Like a lockboard.
It is essentially is pegboard.
So pegboard is basically, if you aren't familiar, it's steel or aluminum, sheeting.
and it's got this regularly spaced, like square or round holes that you basically put it on walls and warehouses usually, and then you hang, like, heavy tooling on it.
So I'm looking at this lockboard, pegboard, and I'm like, all right, well, climbing down it, you know, gravity is your friend.
So it's like fingers in and got my little sneakers on, and I actually get down.
It wasn't as difficult as you think.
Okay, she did it.
She got into the building.
nice. Now her objective is to simply see if she could get into those computers in the building.
So she looks around for them. They were easy to find since the monitors were on and they were glowing in
the dark. Get to the terminals and they're all, they're all open. It was, it was beautiful. It was,
you know when in movies they're like, ah, like the heavens light. I was like, this is great.
So, yeah, they were all unlocked. And so I connected this approved device. I snapped their
required photos, you know, proof I could touch one attack I would want to touch.
And then I felt by the exit.
And I was like, I looked at the pegboard.
I was thinking, well, because climbing up is a little bit different than climbing down.
Okay, so climbing out the way she came was not going to work.
She looked around for another way out.
There are a lot of doors.
She's inside.
She could just open one up and walk out.
No, wait, hold on that.
It's not going to work because there's security alarms.
And she looked around the doors and, yes, they were armed.
Okay. Scratch that. You can't open those doors. It would trigger noises. And since she hasn't had any security on her yet, she doesn't want to get their attention now. So she looks around for other points of exit.
It was a loading door that wasn't in the best shape. So a loading door, like a dock where the truck backs in so it can get whatever the load is. It can get it into the warehouse. And you don't always need a forklift and so on so forth. So it was essentially that. So it was on a pulley system.
and it wasn't attached to an alarm, which was mental for what they, you know, for how secure they
wanted to be. So yeah, so I kind of, it was a little bit buckled at the side. And maybe that's why
it wasn't on that alarm. I'm not sure. But a little pulley system, pull the chain up, just enough to
sneak out. And I get back to my car through a forest, which is by far, by the way, the worst part of
the story for me because I
do not like insects
but um so yeah
so then I back to my car
or I think I'm roughly back to my car and I
phoned my point to contact
and I report what is
a success right like I got in
I've managed it I've got the photos I'll write
your report and he
listened and he was like
I want to
issue a scope change
a scope change this means the client wants to change
what he wants her to do
I guess he was impressed that she was able to do everything he tasked her with
and wants her to try more.
So he says to her, you know all those moving trucks in our parking lots?
See if you can steal those trucks.
And she's like, I don't know how to hotwire a truck.
And he's like, no, no, no.
See if you can find the keys to any of them.
And if so, take them.
And I was like, all right, let's do it.
Because 140 interesting things in my life, this might be one of them.
She walks back through the woods, cursing at all the spider webs that she comes across.
And then looks at the facility, there are a lot of trucks here.
And they're the big trucks, like they're long trucks.
You know, they've got 20 to 40 foot containers on the bat, and I've never driven one of them.
Some are parked inside the fenced area, and some aren't.
She starts with the trucks that aren't in the fenced area.
Step one, see if the door is unlocked.
The first one she tries, the door is unlocked.
Whoa, so she opens it, gets in the driver's seat.
She looks at the ignition.
The keys were not there.
But to her surprise, the key.
He was sitting right there in the cup holder in the center console.
A little bit of humorous.
I'm like 8 billion people on the planet.
I'm the best driver.
What I'm going to do is I'm going to move all these trucks.
I'm not going to worry about it.
Reverse in that truck.
I was like, I'm going to have to leave this here because I'm not going to be able to do this.
So yeah, so I took them up just the other end of the cul-de-sac almost.
It was like a little sort of quiet area, a little logistical parking spot, I guess.
so I just parked them all up there.
She parked at about a quarter mile away
and then ran back to get another truck.
The keys were not consistently controlled
and the fleet wasn't consistently parked
on the inside of the secure perimeter.
So basically it just became this live demonstration of risk.
One after another, she was able to find keys for these trucks.
So when a driver comes back to this area
and it's past hours,
they sometimes leave the keys,
like they'll leave them under mud flaps or just actually inside of the truck.
It was incredible how many keys she found in and around these trucks.
Sometimes they were still in the ignition, sometimes they weren't on the seat.
Sometimes they were in the, you know, the visor, the sun flaps.
Sometimes they were in the mud flaps and sometimes they weren't there at all.
Some trucks were locked and she couldn't get into or move them.
She thought about climbing back in through the window of the building and looking for the keys inside,
but she already proved she can get in there.
Maybe it's just better to try another truck instead.
after taking the ones from the unsecured parking lot
she wanted to get into the fence area
and try to take one of those.
She remembered where you can lift the fence up
and get in there, so she scurries under the fence
and looks at the trucks inside.
Sure enough, same story.
Keys were typically in and around the trucks there too.
So she hops in one, finds the keys,
starts it up, and starts to drive out,
but realizes, oh wait, this fence is locked.
She gets out, looks at the padlock.
She thinks about picking the padlock.
that did not work and I was like I bet there's a key for this someplace and I'm thinking do I go back inside
do I climb up the pallets climb down the grate in look for the keys and I was thinking you know what
this is probably proof enough this is bad enough because the report is going to say well I couldn't
break into your secure perimeter why don't you park your trucks in there by 2 a.m she had stolen a bunch
of trucks and felt like she accomplished the mission security never stopped her there was no what
around all night so she goes back to her car and calls her point of contact and says
She stole the trucks.
He's like, wow, okay, great.
Hey, can you come into the office in the morning and tell us how it went?
She's like, sure, but let me sleep first because I'm exhausted.
So she goes home, and then the workers start coming to the warehouse in the morning.
Day shift did arrive, and they didn't notice anything was wrong for, like, a fair amount of time.
When, I think, like, how I would say it maybe is it took a beat for the penny to drop for them.
And, yeah, headquarters finally called.
And my contact, I think, walked them through the findings.
And eventually we gave a report.
And, you know, where was security?
They're supposed to have 24-hour rolling security.
Where was it?
Because I didn't see them.
Like, why were their pallets?
Why were their unlocked windows?
Why weren't the loading base connected to the alarm system?
Things like that.
Like, it was, you know, treat keys, like,
this badge is not
souvenirs. Did you have to give
a debrief to that facility
and say, hey, by the way,
if you're wondering what happened, let me tell you.
Not to the facility,
so I didn't go back to that facility.
I gave it to their headquarters, essentially.
We went in and we gave a presentation
and a report
and, you know, as is
always the case, people's sort of
mouths drop, and I think their tummies
probably dropped to. They're like, how has this, how has this happened sort of thing?
Yeah, but it's another thing to be like, wait, who did this? Oh, we hired this person, Max,
to do it. This guy, Max, it must be a jerk to be breaking in and all this. And then if you were
to actually show up and be like, hi, I'm Maxie, and I'm the one who stole all your trucks.
I'm so sorry. You have to, you have to be soft with them. Like, well, maybe that's just
personality maybe that's a preference of mind but stylistically i think be soft with them they do not know
for the most part that our industry exists yes they know that there are you know bad actors out there
but they don't know that some of us are making a career out of it and you have to go in and you have
to be soft it isn't their fault there's that's what it is to run a company not everything's safe um you can
make it a little harder for people, but that's our job to tell them. And I just think,
tell them that in the most direct but soft way possible. You don't, it's not a blame game.
And so, yeah, I went to headquarters and I was like, hi, guys, it was, I think you might have
heard what happened. And like, yeah, so now on my resume, I've got, you know, expert
climber and a truck driver. She did a lot more penetration tests and got so serious about it
that she wrote a book called The Art of Attack, Attacker Mindset for Security Professionals.
Yeah, well, here's what I'd say in my book.
I'm going to explain it.
If you don't like the sound of it, just buy it for somebody you don't like.
If you do like the sound of it, it was on me.
You should buy it.
It'll be great.
No, in all seriousness, it's called The Art of Attack.
And its central argument is that in order to design defenses that truly work, security
professionals must adopt this quote-unquote attacker mindset and its basic position is that
simply focusing on tools networks or policies is completely insufficient. It's necessary but it's
not sufficient so understanding how an attacker thinks, how they strategize, manipulate, persist
is fundamental to building resilient systems and I would probably finish on it by saying
the skills of a good attacker are the same skills that, A, I want as a person going through life,
normal life. Also the things that I would teach and will teach to my children like grit, determination,
or goal-orientated, resilient, so forth, so on. They are cognitive skills that we need and how you
apply them as what matters. And that is basically the premise of the book.
Somewhere in her life, she went on a penetration test that changed the whole trajectory of her life.
It was probably the most highly strung, you know, tensioned job of my career.
It was for a company that we've all heard of and that we all use.
And we had their internal red team a company in us.
This company had a big data center.
and they wanted to see if they could get unauthorized access inside.
Now, I don't know if you've ever gone into one of these data centers,
but sometimes these things are extremely secure.
I've seen them where there's like a big fence around the company,
and just to get into the parking lot, you have to go through a gate guard,
and they'll check your ID and make sure that you're authorized to be there.
And then when you finally park your car and get to the front door of the building,
the front door is locked, and so you need a badge to get in.
Forget about any open windows.
They don't open ever.
Then upon walking in, there's a security guard watching what you're doing, but you're only in the lobby.
You're not even in the data center part of the building yet.
To get in there, you need a second key, and sometimes you do an eyeball scan to verify your identity,
and there are man traps, meaning there's only one person allowed throughout a time so they can check you.
Then, once you're in the data center, there's sometimes a cage around the server racks you need to get to.
And you might need a third key to get into those and maybe an extra form of identification, like a fingerprint scan or something.
In short, it's extremely hard to sneak into a data center.
They're actually, on this job, armed guards patrol in this perimeter,
and there are vehicles that are scanned for anomalies.
Like, it is a very, in terms of security, a very robust, comprehensive site.
And, you know, inside everything, it's a data center.
Everything is controlled, temperature, humidity, or controlled to the decimal.
The power and the fiber run through, you know,
they're redundant. There's blast proof, like conduits. Every corridor, every door, every bite is sort of like a log. But once you're in, you're in and nation state actors will get in and they're willing to do where it takes. And so that was our job.
Well, she decided to try going right in through the front gate. So she just drove her car right to the security checkpoint and acted like she was supposed to be there and talk to the guard.
Hello. Yeah, we're visitor. Yeah, like, hi. Can we, you know, we're here. You know, we're here.
here to do this. Because you're also saying can find you some of those entry points. Like,
if they're doing immersion cooling, we know there is meaning it's required on immersion cooling
for the fluid, for instance. So you go up and you're like, here, we're here to do this.
And you, you know, some sites that will work and they'll be like, oh, okay, we just tell the right
person or here, wait here. They were like, you're not on the list. You're not coming in.
Okay. So there's a list. This is a clue. Maybe she could get on that list. Who maintains that
list? What if she called acting like the maintenance team and says they have to do a fluid
change or something? And they're coming out. So we tried to get on that list. We tried to call
ahead. We tried to spoof phone calls so that it looked like we were calling from hopefully the right
point of contact. It wasn't working. There was too many checks. They were comprehensive. They were
robust. They were sharp. And so we were like, how are we going to get in here? And it's like,
you know, sort of a bit, like, they've built a wall.
Do we dig under it?
Do we go over it?
Like, it wouldn't have mattered.
It was the sensors, the security, they were on top of it.
And so we're like, all right, what do we do?
Time to step back and think about some sort of out-of-the-box way to get into this data center.
One way to try to think through something like that is just to learn more about.
this company. Maxley was curious how the building was built. So we actually went to the municipalities.
We'd gotten some, like almost you could think of them as blueprints, and we figured out that there was, in fact, a sewage line.
Sewage lines are too small and would be way too disgusting for a person to go into. However, they sometimes run through
underground tunnels that are accessible by service workers, like a smaller pipe inside a big
tunnel. So she traced where the lines leave the property.
It sat at a point where we could get to another access point through basically a junction.
Well, it's worth a shot to try. So they drive over to where they expect there to be a manhole
which is off the property. And if their calculations are right, these pipes would lead right into
the data center. But the question is, will there be a service tunnel also leading to the data
center? So they pried open the manhole lid and looked in. It was big enough to crawl down
into. So they did. And then they saw a tunnel going towards the data center. So they crawled
through it. And it's a long, shall we call it, journey from one access point, one manhole
to the other. But we have to do it. It's not glamorous. It was not enjoyable.
but we got through it.
Sure enough, it led them right to the data center.
And then make our way up into the site and then into the data center.
They got in, snapped a few photos to prove they were in there, unauthorized.
And then they called the security team to tell them they got in.
And the security came and it was like, what?
How did you get in here?
And so our report was, your guy's security is bob on.
We hate it.
It was amazing. You didn't let us in here. We weren't able to phone ahead. We weren't able to forge documents. We weren't able to do any of the things that we would try to do ordinarily. We couldn't have created a diversion to have security take their eyes off of the gates to get through whilst they weren't looking. It wasn't going to happen. We got into your data center through a manhole for a sewer line. And that was the bulk of our report. The rest of it was going.
but I kind of didn't matter to them.
They're like, yeah, but you still got in.
But this made Maxie think even more.
If a data center wants ultimate security
so nobody ever gets in,
how could they improve this?
And that's when it occurred to her.
And I was like, well, if you want to keep them that safe,
you put them underwater.
An underwater data center.
Could that even work?
Then I started to think, oh, is that?
Did I just have a good idea?
Amazing.
so I called my old boss who I used to work offshore for and with
I was like hey what do you what do you think of this and he's like
I've actually thought of something fairly similar and I had this like
auto card drawn at this point he tweaked it tweaked the design
I was like would you consider working with me here's what I want to do
I want to put data centers underwater I want to do it in a modular fashion
and I want to do it because it keeps them safe so the two of them got busy
designing and building modular underwater data centers, where you load up the servers into
what looks like a small shipping container that's watertight, and she will then drive them down
to a safe spot on the bottom of the ocean.
It's also a lot cheaper to do, so it's about 80% less expensive in terms of, in terms of
CAPEX to get compute underwater the way we do it.
I don't know anything about underwater data centers.
This is all new to me.
So I didn't even know this was possible or even this was happening.
But you're telling me this is something you've made.
This is something we've made.
This is something we've done, performed.
And now there are actually a lot of companies.
So is there like a long extension cord that goes to these things to keep them?
There essentially is.
So what's really interesting about the subsea environment,
and we touched upon it earlier, is that everything you and I use one way or another.
So there are power cards under the water.
That's how we light up oiling.
gas platforms. That's how we managed to eat on them and things like that. And there are also
countries that exports, so France exports power to Denmark. We, and that's a long go laid a cable
to do that for them. So there's actually a lot of subsea cables. There's also a lot of subsea cables
for, there's like 700 cables or something like that, maybe more now, that carry this internet
signals. So they pulse the light. So you don't have to lay your own cables. You
You could just tap off some of the stuff that's there.
Yeah, it depends.
So if we're in a port, then we might extend from an online substation.
If we're further offshore, then we'll splice the power cable, put it in wet.
So we've got offshore their wetmate, wetmate cables.
So they look like headphones with a mic jacks on them.
They look like that.
They're just really big ones of that, essentially.
We plug them into our units.
Our units look like 20-foot shipping containers.
and we put them on the subsea floor, we secure them there through guideposts, lock them in,
plug in the power wet, mate the power, and do the same for the fibre, and then it's up and running.
And we can do about three megawatts in a unit just now, which is meaningless to most people,
but that's kind of what we need just to do a small amount of compute.
And yeah, we sit them on the seafloor.
But what about maintenance and stuff?
Like you need to change out a hard drive.
Yeah, so there's a few ways that we perform maintenance.
So it's actually not that much different than online.
So what I will say is the maintenance cycles are reduced because there's no dust, right?
We've got the servers that are filled or are surrounded by this dielectric fluid.
So there's no dust, there's no debris.
there's no people jostling the cables and those are the biggest factors in maintenance that's why
compute goes down 18% of the time we don't have that then but you know it happens we do have to
maintain there's some fault so we do that a few different ways if one server fails it kind of doesn't
matter we'll load balance we'll shift the load and it'll go to some other server or some other
site that we have. If a whole rack fails, it may fail in place and again, load balance in
or if a rack fails and it's important, depending on what the client, depending on who the client
is and what the client is doing. We may have to bring the unit up and it takes, we guarantee you
can do it within about 12 hours. So we've got a vessel at site.
the vessel goes, picks the unit up with an ROV because that's my background and that's how
I knew how to do it. So picks up, put it on deck, we drain it, we do the fixes. You can also do
them remotely a lot of the time. So it really just depends but it doesn't cost any more time
and it doesn't cost any more in terms of the financials. And before people like come for me,
it does not heat the water we are not heat in the oceans so i have to say it so water war warms up
more slowly than air and it can actually hold more heat so the specific heat of water is higher than
most other substances and what that means is that it absorbs more heat before its own temperature
increases by one degree so say to another way water needs about four times as much energy to raise
its temperature by one degree Celsius as the same mass of air does. So what we've measured in our testing
is that the water heats up by about a thousandth of a degree, which is statistically insignificant.
And that's within a meter of the unit. You put a data center on land. First of all, you have to
use air conditioning to cool it for the most part. That's what people are doing. So about 40 to 50%
of all the power that that data center is pulling
is used to air condition
and then that is pushed out as heat
and then the ocean has to take that
because that's our heat sink
the ocean takes that and now you're warming the oceans
so it's like a very unintuitive
but very like scientifically proven method
of getting rid of heat put it into water
and so yeah
I imagine if someone does try to pin test this place
or break into it as soon as they open
the door, it just gets flooded and then all the computers shut off.
You can't open the door.
So it's like you would, basically, our biggest day is like a sub, you know, like a Russian
sub movie, let's see.
So what happens is you'd have, you need a sub or you need a vessel with an ROV attached.
Or maybe if we're, if we're like a shallow depth, you could use a diver, but a diver's not
going to be able to do anything.
You can't pull a door open because of the pressure of the water.
so basically you couldn't really test it without getting a vessel, an ROV or a bunch of divers
or a submarine and good luck to you. I don't even know how I would do that and if anybody's going
to pen test it is going to be me because that is a fun job but basically let's say a nation state
sub came along great it would have to connect it and it would have to pull it off of its
security mechanisms that we've got sort of fastened to the seabed. And once you'd done that,
you would basically self-destruct the data that was on the servers, because now you've ruined
the housing that is keeping them safe from the water and the pressure of the water. So
physically, they are very, very secure. Digitally, it's the same footprint. Like, you pen-tested the
see me you would any other server deus in our company incredible i think i'm stunned by that
sort of thing i mean my i my brain goes into weird directions here like um is it are there
laws offshore where you can host things that aren't legal in this country or whatever and all
this sort of stuff and now now suddenly i i like this idea of pirated websites or piracy
is there even there's piracy in the sea as well like this is my brain
it just goes in all directions here.
It's right.
Yes, there are maritime laws.
Very difficult to enforce them.
And you rely on satellites to some level.
You rely on like boats to police.
But the ocean is vast.
So it is very difficult to enforce.
So basically we're counting on people doing the right thing.
And that doesn't always work.
So what we do is we make sure that we're in the green.
So we co-locate with existing assets offshore, whether it be in national or international waters.
Every country has an easy economic zone, essentially.
And that's about, it goes from coastline to about 12 miles out.
And then just a little further out from that you start to get into what is essentially international waters.
You can do what you want inside of them.
Who's going to stop you?
but we choose not to as, you know, an American company.
And so we co-locate with other assets in the area.
Usually, like, offshore wind platforms or rigs or anchored boats.
So, yeah, I think subsea is definitely part of the future for data centers.
A big thank you to Maxie Reynolds for coming on the show and sharing these stories.
You can learn more about her underwater data center at subccloud.com.
If you want to get her book, it's called The Art of Attack, Attacker Mindset.
It's the one with the chess pieces on the cover.
If you like this show, if it brings value to you, consider supporting the show by giving directly to the show.
It helps keep ads at a minimum.
It keeps the lights on here.
But most of all, it tells me you want more of it.
Not only that, but you'll get bonus episodes.
and an ad-free version of the show too.
So please visit plus.darknetdiaries.com.
That's plus dot darknet diaries.com.
Thank you.
The show is made by me,
the packet tickler, Jack Recyter,
editing by Control Alt Delight, Tristan Ledger.
Mixing by proximity sound
and our theme music is by the mysterious breakmaster cylinder.
I have a bad habit of doom-scrolling social media,
but lately I've been trying to break it
by confusing the algorithm as much as possible.
I'll play long recordings of foghorns,
blaring or I'll watch curling matches from 2006
or I'll just search for like the most bizarre things I can think of
like can I legally marry a ghost in Ohio
or a baroque interpretations of dial-up modem sounds
can you potty train a squirrel using jazz
not because I'm interested in those results
but because I like tossing the algorithm
a bag of trail mix just watching it chew on that for a while
this is Darknet Diaries
Thank you.