Darknet Diaries - 83: NSA Cryptologists
Episode Date: January 19, 2021
In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there.
To hear more stories from Jeff tune into Paul's Security Weekly where Jeff is a regular co-host and shares a lot of stories and insights.
Marcus has written several books on security. They are Tribe of Hackers, Tribe of Hackers Blue Team, Tribe of Hackers Red Team, Tribe of Hackers Security Leaders, Think in Code, and a children's book called Three Little Hackers.
Also check out the Tribe of Hackers podcast to hear interviews with all these amazing people!
Sponsors
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
Transcript
Hey, it's Jack, host of the show.
Did I ever tell you about the time I tried to sneak into the Pentagon?
Yeah, after college I took a trip to Washington, D.C. all by myself.
I like traveling alone, I guess.
There's a certain kind of freedom I like about it, which allows me to reinvent myself on trips.
Anyway, there's this metro, a subway, that goes underground through Washington, D.C.
I jumped on it just to see where it would go.
And one of the stations it took me to was the Pentagon. I'm like, all right, this sounds cool. So I jumped off and somehow ended up at like the
employee entrance to the Pentagon. There were like no visitors allowed in this area for sure.
So I stood and watched how people were getting in and out. Out were one-way turnstiles. In,
everyone was scanning their badges and went
through like a metal detector. I decided to try to do a fake badge scan and see if I could just
walk on in. I saw some guy walking up, so I followed him and did exactly what he did. He
leaned over, scanned his badge on the reader, and then walked through. I leaned over, waved my hand
over the reader, and walked through too. Immediately,
two security officers stopped me and didn't even ask what I was doing. They simply turned me around
and sent me right back out. They knew exactly what I was up to and must have spotted me like a mile
away. I've never been shut down so fast or kicked out of someplace that quickly. No words were even
spoken. They just blocked me, wouldn't let me go any further,
and pointed me straight to the exit.
It's funny what we remember on our trips, isn't it?
Anyway, this episode, I interview two different NSA agents.
I really like both of these guys, and I think you will too.
And what's common between them is that they both started something at the NSA,
which still goes on today.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
Support for this show comes from Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our
personal information is all over the place online. Phone numbers, addresses, family members, where you
work, what kind of car you drive. It's endless and it's not a fair fight. But I realized I don't need
to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription
service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy
scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team
when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com
slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that
does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration
testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range.
That's BlackHillsInfosec.com.
by asking him where he grew up. And he said, in a small little country town in Texas and had horses and stuff,
which sort of shocked me because I thought,
actually, I don't even know what I thought.
Hey, man, hey, ask me any question you want to
because this is going to make,
this is quite funny to me.
I can explain the country slash hood paradigm.
Yeah, I mean, all right, let me hit record again.
We're going to have some fun, man.
Okay.
I don't want to be embarrassed here with my wrong questions, so.
No, you can't embarrass me.
So you shouldn't feel, I feel totally comfortable
with any question you can ask.
Well, I mean, I'm picturing Lil Nas X at this point,
the black country singer.
Basically, yeah.
I mean, like, I'll explain this to you, man.
This is a crazy story.
My dad's actually originally from L.A.
Before I was even conceived,
my dad moved from L.A. to my small little country town
because his uncle was there, my uncle too, right?
So he was in L.A. and his vision of what Texas was, was cowboy boots and all that stuff. So before he came to Texas, he had bought all this cowboy gear to wear. This was like in the seventies, right? So he came to Texas, he dressed up like a cowboy. But when he went out to meet other people, they were dressed like they were from L.A., like Shaft or something, you know, like Black Panther Party. So he's like, but, but people thought he was cool because he was from L.A. now. And then people where I'm from, my little small Texas town, they started dressing like cowboys, other Black people. So it's, this is, the world is crazy, man, how we all fit in and stuff.
And yeah, so that whole, I really feel that whole Lil Nas X thing.
Yeah, for sure.
I mean, heck, I got some cowboy boots still to this day.
I got some nice cowboy boots.
But even though he was outside wrestling pigs, chasing chickens, he was still drawn to computers.
Yeah, computers has been my love since I saw war games.
I saw war games when I was young.
Captain, he's got the code, he's going to launch.
And I've been absolutely fascinated with computers and playing with them.
So that was my introduction to, wow, I need to get one of those things.
But his family wasn't able to get a computer for their home.
So the only way he could really learn on it was at school or a library or other people's computers.
In high school, I took Pascal. I also took BASIC and elementary. So it was something that I was always interested in. I just didn't have the financial means. So one day a Navy guy was walking on campus. I didn't, I didn't, I didn't have money because I grew up poor. I didn't have money to go to college, and I didn't know about any grants or anything.
And I ended up scoring high on my military entrance exam.
And I was like, I want to work with computers.
And it's like, all right, we have this thing called cryptographic communications.
We don't know what that is because it's classified.
Do you want to do that?
And I was like, yeah, sure, I'll do that.
So he joined the Navy. But no matter what you want to do in the Navy,
everyone first has to go through boot camp.
I'm a steamroller, baby.
Where you get fit.
Steamroller, baby.
Just a rolling down the line.
Learn combat techniques.
Just a rolling down the line.
I'm a steamroller, baby.
And learn how to follow protocols.
Just a rolling down the line.
Marcus graduated and became a sailor.
And after that, he went on to study cryptography.
Yeah, so basically you go to Corry Station and you become,
they teach you about signals intelligence and cryptography and all kinds of crazy stuff.
I was born in a small town.
I graduated from Waco High and then I immediately go into like,
get a top secret clearance and all this other crazy stuff.
So within like, I'm poor, homeless pretty much in high school and moving around a little
place until I moved to, you know, I'm on this military base and I get this top secret clearance
and I start learning all this crazy stuff. It was a, it was, it was absolute night and day
experience. It was the craziest thing ever.
He was taken care of in the Navy. Always had food, medical checkups, clothes, a place to sleep.
My family, though, were still struggling and all that stuff. And psychologically, that was tough because I was doing fine, you know, myself personally, but I had a family still back in the hood struggling.
Back in, is it really, do you really call it the hood in the country?
So let me explain that to you. So 100%, the black side of town, the poor side of town, definitely down south, is the hood.
It doesn't matter how big the town is.
So absolutely, certainly hood.
All right.
So can you tell me some of the training you did in cryptographic communications?
Was that what it was?
Yeah, yeah.
So basically, like when I went, the Navy taught me crypto systems.
Basically, the Navy has these ridiculous crypto systems that secure communications.
So I had to learn how to operate those.
And I had to learn communications techniques that were specific to the Navy.
And some of that stuff is still classified like a mug.
But you learn particular protocols and things, how to communicate from ship to ship, from ship to, you know, the White House even.
So you learn how to do, you know, these communications protocols.
And, yeah, so like it was it was pretty cool.
I mean, I went from wanting to work computers
to be fully immersed with computers.
And in a couple of weeks, it was crazy.
Did you do much time on a ship?
Yeah, I did three years on a ship.
And while you were on that ship,
were you handling the communication aspect of it?
Yeah, on the ship, my whole job in the military was you're pretty much an attache or an asset for NSA.
So the whole time I was in, I was kind of like a spy.
It was the craziest thing, man.
And so, yeah, you do serious, you know, collection work and all that stuff.
So you're tasked by NSA to do what you do.
It was a crazy experience ever, man.
Hmm. Secret missions, huh? This is fascinating to me because I thought the NSA was like their own
separate group. But yeah, if there's a Navy ship positioned in a place the NSA has no eyes or ears
on, then sure. Utilizing the cryptographic capabilities of the ship and crew makes sense.
Yeah, so people don't realize that the NSA is a Department of Defense asset.
So the whole NSA supports the military.
And so they have in each service, you know, Navy, Army, Air Force, all of us had our own, and the Marines had their own little signals group, you know what I'm saying?
Like that supports the mothership.
The mothership is NSA.
So pretty much even though you're a Navy sailor, you belong to your intel asset.
I don't know if that makes sense.
But that whole time.
And you can get stationed at the mothership too.
Interesting.
So the DOD, or Department of Defense, is the department that the military and the NSA fall under.
So I guess it does make sense now that they share resources sometimes.
And Marcus himself was that shared resource.
Sometimes he would do missions for the Navy.
And sometimes he would do assignments for the NSA.
Definitely geographically specific stuff that you could do to be helpful.
And there was stuff that we did.
We helped find people.
Like if there was a ship that was lost, we could help find that.
If there was a pilot shot down, we could help find them,
or if there was some kind of incident.
So the tools that we had could be used for a lot of different things.
And it was cool doing it.
And it was great being out there on the front lines doing that work.
It was dope.
Back in 1969, a Navy patrol plane was shot down in the Sea of Japan.
And there wasn't a good method for handling all the real-time communications that were needed to help rescue them.
So after that, an operations center was constructed in order to get real-time updates from any ship, plane, or base nearby.
Now, Marcus really took his job seriously
and really sunk his teeth into the computers that were on this ship,
learning about servers and networking and wireless technologies,
cryptography, security, programming, and command line tools.
There was also HF communications, UHF, all the different stuff, SATCOM.
So I learned all kinds of communications in the military.
And so that made me pretty thorough at understanding how radio frequencies work and all that stuff.
So definitely you did a lot of communications training.
It didn't include internetworking.
Now, while you're on the ship, you're doing more training, right?
Like you're learning more about programming or cryptanalysis or something?
I mean, the Navy is full-time education. You're always learning. You're always doing OJT, is what we called it, on-the-job training. So you never stop learning in the military. And that's what I think the military, just like college, it teaches you how to learn.
And since being in the military, that helped me be able to put my hand to anything.
So, yeah, I learned coding in the military.
I learned internetworking.
I was a CCNP when I was in the Navy.
So, mad certifications.
And definitely being an affiliate with NSA, I got any training I wanted. When I was there, I got well over $100,000 worth of training, and I did a master's degree too. So, it's like, I tell people it's like being, like, you know, Jason Bourne of IT or technology.
You got your bachelor's and master's in the Navy?
I got my bachelor's in the Navy, and I got my master's as soon as I got out.
And I was still working around that stuff.
But I got a free master's degree.
I didn't have no college debt or anything.
Because the Navy paid for it.
The military paid for it.
And I went in with no college or nothing like that.
But after eight years, I had a bachelor's degree.
And like three years after that, I did my master's degree.
So that's the good of the military.
He spent four years in the Navy.
And during that time, he somehow met his wife and got married.
And they had two kids.
And because of this, he decided to spend another four years in the Navy.
It was good job security.
So after eight years of being in the Navy, he then went to Fort Meade.
I didn't want to go to Fort Meade, but I ended up, you know,
pretty much I had two options. I had Washington State, and I was like, I don't want to go to
Washington State. And they said, or Fort Meade. We got a couple of places, a couple of jobs at
Fort Meade that you can do.
And I was on a ship, so, and you had to be like,
okay, you had to pick it right then and there.
Military has these people called detailers that send you places.
So if you haven't guessed, Fort Meade is where the NSA headquarters are.
Marcus went to work for the NSA,
but he was still in the Navy and sort of on loan to the NSA.
It's called Augmented Staff. So initially there, I was doing communications.
It was proprietary communication systems that the military and DOD used.
But what's cool about that, I kind of worked at a NOC.
And the NOC also had like all kind of other cool stuff.
Like they had a heavy Cisco.
They had heavy Cisco stuff back then.
And I learned that's how I started getting to the CCNA.
And so I became a beast at Cisco stuff.
So I ended up getting promoted to an engineering team of network engineers. And I got to manage the whole NSA's network.
So I started off doing a crappy job at Fort Meade and then the certifications allowed me to ascend to like top teams there. And that was like during my day job. My day job, I was Navy. At nighttime, I had a part-time job with a DOD contractor. So I was like doing a night job since I had a clearance. I ended up helping build up the NSA SOC. It's called NISERT. I ended up helping build that out. I wrote stuff like SIEMs and all that stuff. So I started coding heavy as well. And I made as much on my nighttime job as I did with my Navy salary.
And I was like, man, I got to get out. I got to get out of the Navy and make this money.
All right. So two words in there you may not know: NOC and SOC. Those stand for Network Operations Center and Security Operations Center. This is a place where people watch the network for
any kinds of problems. So there are typically multiple monitors on everyone's desks and even
a big screen in front of the room which monitors all the networks. The NOC typically looks for
network-related faults. A router that went down, a switch went down, some office lost internet connectivity,
and that sort of thing.
And a SOC watches out for security incidents
and responds to threats.
But both the NOC and the SOC
are monitoring NSA's network itself,
looking for any threats that have targeted the NSA.
Oh, 100%, man.
NSA is probably one of the most attacked organizations in the world.
So absolutely crazy amount of attacks that go on there.
And that SOC has to manage all the network.
What they're doing is, there's all kind of different levels, like high-side networks and medium-tier networks.
And then there's unclassified networks.
So you have to
defend all three of those or however many there are. There's like all kind of, and then there's interagency networks. And nobody trusts nobody. So it's crazy.
Now, of course, I'm super interested to hear what goes on in the NSA. What kind of detection capabilities do they have and what offensive tools are they using? But I can't ask any of that to Marcus, because they're not allowed to share means and methods of how the NSA operates.
You don't want people knowing how you collect information.
I'll give you a good example. A couple years ago, I don't know if you remember this, but
supposedly bin Laden was using satellite phones to communicate.
So basically, Orrin Hatch, he was a Republican senator from Utah.
He came out of an intel brief, and they're like, oh, don't worry about bin Laden.
We're tracking him on a satellite phone, right?
Orrin Hatch said that out of the intel committee.
And so that's a means and a method, right? So the method we were tracking this number one terrorist in the world was satellite phone. So what happened is that burnt all that, burnt that method, you feel me? Like now we, now all the criminals that were using satellite phones and stuff, they now knew that that, you know, that was something that was being tracked.
And so bin Laden went silent, and that's why it took so long to find him.
So when it comes to intelligence, how we collect the data is what matters.
Now, as far as, like, securing data, securing data is just like any other thing.
Matter of fact, like NSA and NIST, they work hand in hand to try to help all American businesses stay secure as well.
So as far as like what NSA is doing on the defensive side, you just look at what NSA tells people to do.
And most of that stuff is public.
So being, you know, good defense is public. It's the offensive means and the way that people, how they collect information that's really secretive.
And so I would never talk about how we collect information.
Yeah, it's odd to me because there are publications that the NSA puts out like best practices for keeping your home network secure or securing the teleworker.
And they even have configuration recommendations for securing certain systems. But at the same time, the NSA loves the
ability to collect data on their targets. So if you follow the guidelines, then it makes it harder if the NSA were to target you.
That's not true, though. So NSA's core mission is to protect U.S. communications and assets.
That's like the core mission.
People don't understand that.
So a lot of the crypto research and breaking crypto and all that stuff,
and even exploitation, that stuff is,
the core mission is to protect U.S. assets and interests.
Because what happens is all these American companies that go overseas to do business, they're being spied on by foreign intelligence.
Hey, foreign intelligence hire people to work in these big companies, by the way.
Like, you know, all these big companies that you can think of, they have IP. I can guarantee you they're either paying an employee or they have moles inside of them stealing information and sending it over to their countries.
And I mean friendly countries too.
Think of a friendly country, they're spying on us too, right?
So what the agency's core mission is, to do all this crypto research and all that stuff, is to protect our interests. That's part of the mission, and people don't think about that piece. And it's a serious mission, and people take that seriously. So, yeah, the other side of it...
Go ahead.
Well, my counterargument there is, if they want, you know, the U.S. to stay secure, how come when they find zero-days on things like Microsoft or Google products, they don't just tell Microsoft and Google, hey, there's a bug in your code?
You know what's funny, though?
Because you know that people say this all the time.
I mean, there's nothing new under the sun.
I can guarantee you if we find an exploit, somebody, some other country or some
other person on the market somewhere found that exploit. So I don't, I think that, I think that
they should disclose everything. That's not my decision to make. But the reason why though is so,
is to help out our country. I totally believe, I 100% believe that the folly on their part
is the thinking nobody else has the zero day.
Because I think that if you have it, somebody else has it too, right?
That's the folly.
But the reason why they try to protect that method
is so they can help out the country.
This is obviously a complicated topic that we're not going to solve here. NSA has made many mistakes, but at the same time, they've saved many lives. That's a hard line to walk for anyone. But because it has some of the most advanced technologies, Marcus was having a blast working there.
I loved it. It was so much fun, so much like leading-edge technology.
Like I said, the NSA put like hundreds of thousands of dollars into my education.
NSA has its own training environment as well. So they train you their stuff. And then you get to pick a list of like what class I want to go to. Do I want to go to SANS? Do I want to go to the
Cisco course? Do I want to do this? And you get to take whatever you want to. Oh, do I want to take this course at the community college here?
And so it was like I worked two or three weeks and then I was off for training for a week.
It was like every month I was training. And so it really was so crazy as far as the educational benefits.
And that's what you're dealing with there. And I would say that our foreign adversaries,
those people are well-trained too, right? So basically, it's a lot of really smart people
fighting this, you know, this little behind-the-scenes battle. It's crazy.
And for a while, he was working for the NSA while still in the Navy, building out their network.
And at night, he was a contractor
and helped build NSA's SOC, which is pretty cool because the SOC is still up and operational today,
and Marcus is the one who built it. And once it was built, he was using it to defend NSA's networks.
But after a few years of that, he got out of the Navy and went to work for the Department of Defense
Cyber Crime Center. The Defense Cyber Crime Center does all the forensic investigations and things of that nature
for the DOD. They're like Cyber Command. So basically, the DC3 was the lead on all the investigations until they created Cyber Command, essentially. So the DC3 still exists. It has this thing called DCFL. They do forensics. It's a forensic laboratory. And they do a lot of
forensic investigations. They do a lot of high profile investigations that you've probably heard
of on the news before. So I worked for CSC. And at the time, CSC had the contract to help train federal agents and all the DOD agents on how to do forensics.
So it was a pretty cool curriculum.
They started from, like, you know, log analysis, Windows forensics, Linux forensics, Macintosh forensics.
So we teach these federal agents all these different forensic techniques, working with the best of the best software back in the day. And, you know, they still do it today.
So the agents would get to use EnCase and all these different open source tools and
all these different forensic things. But what was cool is I got a chance to build up
a cyber range. The cyber range had, it was a complete mock-up of a corporate network.
I mean, this is before cyber ranges were cool. This is over 10 years ago. Do you know what a cyber range is?
Let me tell you a story. Before I was podcasting, I was working in a SOC myself, watching the
network for security incidents. And I saw one of my coworkers' computers lighting up my screen.
It was triggering alerts telling me that this co-worker's computer was actively trying to hack itself.
And to me, it looked like maybe someone took over his computer and was trying to get more access or something.
So I went over to his desk and I said, hey, everything okay?
And he's like, yeah, what's up?
I said, I'm seeing some alerts that some pretty nasty PowerShell commands are being executed on your computer.
And he said, oh, yeah, I downloaded a PowerShell tool to see if it actually works.
And I said, this is not a safe environment to be running random hacking tools.
Please stop that. Delete it and run an antivirus scan right away.
But see, the thing is, we didn't have a safe environment to try hacking tools like that.
So this is what a cyber range solves.
It's a separate network with all kinds of servers and computers to attack,
as well as a whole range of nasty weapons to launch attacks with.
And a cyber range is great because you can really go nuts.
You could try to exploit anything you want,
and you don't have to worry about any vulnerability or virus or worm
escaping and hitting production equipment.
On top of that, defending teams can use the cyber range to see if they can detect and defend against
such attacks. It's a great place to practice network and system security.
Yep, you can use them to detonate malware, all kinds of different things of that nature. Usually, some companies are trying to mock up their corporate network,
almost like a development play,
where I used to have dev environments and production environments.
Well, Cyber Range is like that kind of thing,
but it's used for cybersecurity testing.
What does it look like?
Because I'm trying to picture it.
Do people go into a classroom,
and then there's like a server in the middle of the room,
and that's where the range is, and everyone tries to connect to it? Or is it all remote?
Oh, so our range, the thing that we built, was ridiculous. So we had a complete, we had a nice-size network room. Like picture like six or seven stacks of devices: Cisco devices, Windows servers, Linux servers, you're talking about DNS, firewalls, IDSs, switches, routers, the whole complete corporate network.
And we had physical gear back then.
Everything was physical and real devices.
And so in another room, there was a classroom environment, but it was networked to be into all this gear.
And why this was important is because it allowed the investigators to actually interact with real stuff.
So they could come in and physically put a USB drive and collect information off of a server.
Or they could go into a Cisco switch and they could do a SPAN port on it.
Well, a lot of cyber ranges now are virtual,
but this was like a physical representation
of a real corporate network, and it was dope.
So he and another guy named Johnny Long
set up this cyber range to teach federal agents
how to react to cybersecurity incidents more effectively.
So we had a complete network, corporate network set up.
And funny enough, I worked with Johnny Long at the time.
Johnny Long is my buddy.
And Johnny Long would come up with scenarios where we had to attack,
and the federal agents would have to find us on this network that we built.
So since Johnny was always gone a lot, I ended up taking over all the
offensive scenarios. And so I became the bad guy. But these fellow agents were like forensics gurus.
These guys, some of these, it was like the capstone course. And they were beasts at forensics
and stuff. Many of those people have gone to work for places like Mandiant and
CrowdStrike and all that stuff. It was like a CTF, but I was playing against professional
people that catch bad guys on the network. It was pretty dope.
What happens is people don't know how to respond to an incident live on the fly. Usually when
incidents are happening, they happen way before time. But if you were to drop people in, how do they respond live on the fly?
And so that's why we built this course.
And so basically we taught them how to collect live information.
We taught them how to set up an intrusion detection system on the fly, do packet captures on the fly, you know, like setting up those SPAN ports.
So it was like super intense, man. It was dope. And it was like an immersive course. And they got a lot out of it.
Well, yeah. I mean, this is exactly what I picture when somebody goes into training at the NSA,
right? Because like, if you say, oh, no, I just sat in a classroom and they taught me Pascal or
something like that, that's kind of boring.
You sit at a terminal with a bunch of other people and you just work on your own little thing and whatever.
But going into an entire organization, like a full campus network, and getting access to all these things,
and you're running around plugging USB drives in or SPAN ports and configuring things and, you know, putting collectors in, like physically in the network, to get off those SPAN ports and stuff. That's so much. Yeah. Like you said, it's immersive, and that sounds like the training I think everyone wants.
Yeah, man, it was crazy. And they spent a lot of money on it.
That's the thing about working with the DOD, bro. Money's not a problem.
So, and, and we got to do pretty cool stuff like that, man, and come up with different scenarios. And, you know, we had like live Chinese malware on that network, bro, and I was doing command and control for it. So it was like real attacks.
Like zero-day malware, I bet, too, like stuff no one knows about.
We would grab stuff and put it on there. And they would have to figure it out.
Marcus took what he learned at this place and started his own company,
creating threat scenarios and doing more cyber range and tabletop exercises.
He called it ThreatCare.
But ThreatCare was acquired by a larger company
called ReliaQuest, which is where Marcus works now. But Marcus likes giving back to the community,
so he wrote a book, and it's called Tribe of Hackers. The book interviews a bunch of notable
people in IT security and tries to distill meaningful advice from them. And when the book
did well, he wrote another, and then another. So now there's Tribe of Hackers Red Team Edition,
Blue Team Edition, and Tribe of Hackers Security Leaders.
I'll have links to all these books in the show notes.
I own three of them so far, and I find these books super informative to me for finding
interesting guests for this show.
Yeah, so basically the first
edition of that book, we
happened to be able to give
a lot of donations
to a lot of different organizations.
Rainforest Project being one of those things.
We also donated a thousand dollars to hackathons for kids.
Just all kinds of different organizations we've been able to give money to from those books.
Also, by partnering with Wiley, we're also raising additional money
with the new books
during the Humble Bundle program.
And so I'm just continuously
finding ways to try to give back
to the community.
And what's cool about the first book,
we gave away that book for free too.
And so we had thousands
and thousands of downloads
for people that got that book too.
So it was definitely well received and helped a lot of people.
On top of all that, Marcus has even written a children's book about security.
There's a lot of people out there that once they figure something out, they're afraid to teach others because they fear someone else will learn it and get better than them.
Marcus is the opposite.
He knows that the more he teaches, the better he becomes. And I just love it when people out there are sharing all their skills and knowledge with anyone interested in learning.
Here's the deal, man.
Work hard.
And I tell people, be so good that they can't ignore you.
And another thing that I find in life, if you self-train yourself, if you learn, the more you learn, the more people are going to give you.
Oh, and of course, one of the people he teaches the most is his son, who is also into technology.
Yes, certainly.
And this is the story about my son.
It's a funny story.
When he was 11 years old, he hated doing his homework.
And so what I did is I, my son has been super spoiled.
My son had every iPhone that ever existed when he was growing up.
He's 24 now, so he's at the house.
And he's, you know, definitely doing well for himself.
But he had the first iPhone.
He had a MacBook, the whole nine, like when he was like 11.
And so he used to jailbreak iPhones all day.
He was a jailbreak dude at school.
And so he didn't like doing homework, so I was like, hey, we can
actually do code, and your code can do your work. So we used to write the math
formulas in Perl, all the algorithms, and it would give him the answers, and we programmed
it to give him the work too, so, you know, he could work out the work. So he used to, at 11 years old, he was writing
programs to do his math. Fast forward 10, he's like 15, 16, he's like, I want to make video games.
And so I was like, all right, cool. So I did the front end UI stuff
for him, and he wrote all the back end code in Objective-C, and he did six iPhone apps.
He also wrote, this is crazy, he wrote a Metasploit frontend on iPhone.
So you can connect to the Metasploit API, and you control it from your iPhone.
This is when he was like 16 or something like that.
And so Rapid7 saw it.
I worked at Rapid7 at the time.
But they was like, holy crap, this 16-year-old kid, he was my kid.
But he wrote it all himself, and he could pop shells from his iPhone.
Rapid7 is a security company that's known for creating a vulnerability scanner and owns Metasploit, which is a very popular hacking framework.
Rapid7, he started interning from the moment he was 16,
and then he did another internship when he was 17. He graduated
high school at 17, and then
he's like, hey, I don't want to go to college, and then
Rapid7 gave him a full-time offer.
And now he's been working there for like five years,
and he's a software engineer.
And he's got his own team.
He's nuts, bro. He's a phenom.
And Rapid7 is lucky they got him.
This episode is sponsored by Vanta.
Trust isn't just earned, it's demanded.
Whether you're a startup founder navigating your first audit
or a seasoned security professional scaling your GRC program, proving your commitment to security has
never been more critical or more complex. And that's where Vanta comes in. Businesses use Vanta
to establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001,
centralized security workflows, complete questionnaires up to five times faster,
and proactively manage vendor risk.
Vanta helps you start or scale your security program
by connecting you with auditors and experts
to conduct your audit
and set up your security program quickly.
Plus, with automation and AI throughout the platform,
Vanta gives you time back
so you can focus on building your company.
Join over 9,000 global companies
like Atlassian, Quora, and Factory
who use Vanta to manage risk and prove security in real time.
For a limited time, listeners get $1,000 off Vanta at vanta.com.
That's spelled V-A-N-T-A, vanta.com, for $1,000 off.
The other guest we have on today is the wonderful Mr. Jeff Man.
So I'm happy to start.
Do you want me to just ramble or do you want to just start with questions?
Yeah, I mean, I'll just kind of lead you through where I want with the questions and then you can go from there.
So yeah, start right where you wanted to start.
How did you get into the NSA?
Okay, so it all started when I was a small child.
I've essentially been a hacker my whole life.
I've had the hacker mentality my whole life.
I wouldn't necessarily have called it that.
So you say you have a hacker mentality. Now, I think a lot of listeners might think,
oh, that's, you know, the hoodie and, you know, causing chaos at school and
getting on the dark web and doing stuff. Is that what you mean or something else?
Fair question. When I say hacker mentality, I sort of equate a lot of critical thinking skills and a lot of curiosity about how things work and wanting to learn, but wanting to do it probably at a faster pace than the general population, the general classroom. I remember being a child, being bored in most of my classes because I either did the
work really quickly or, you know, it was just boring to me. I had already read up on the topic
and knew what I wanted to know. And so, you know, I was a bored student most of the time. Therefore,
I looked for things to do to entertain myself. And it was nothing necessarily extremely malicious.
I was known as the class clown or the class cut up.
His dad was a physicist, worked for the DOD.
He was in the Pacific on a ship and got to witness the detonation of the first hydrogen bomb.
So I went through college and I went through five
majors when I went to college. And I was basically looking for the major where I had to do the least
amount of book work. He ended up graduating with a business major. So I was working for a naval
organization, Naval Surface Warfare Center, because my mom was in HR there and she was able to get me a job. So
it was a low level clerk typist type position. And it was a way to earn some money while I was
looking for what I wanted to do with my life. And she had a friend within HR whose daughter,
I think, had gotten a job at NSA. And this was in the mid 80s now. So she thought, well, you should apply. And I
was born and raised in Maryland, which is where NSA is located, Fort Meade, Maryland. I'd never
heard of NSA. Back in the day, NSA was no such agency. It was a super big ultra secret that the organization even existed. Unmarked fenced buildings
off the Baltimore-Washington Parkway in Central Maryland, a little bit between Baltimore and DC.
Filled out the government application, sent it in and heard back from them. And they eventually invited me up to take a couple days' worth of various aptitude and skills qualification tests.
And at the end of the day, I scored well enough that they offered me a job.
And what was weird at the time, and I still think it's kind of weird, was they kind of hired me because I had potential.
I didn't actually have a job when I went to work for NSA.
Right.
So Jeff started working at the NSA in the fall of 1986.
And oh, how different the world of technology was in 1986.
And to actually start working at the NSA, he had to pass a fairly rigorous background check.
They focus on several different areas.
They want to know where you lived in the past 10 or 15 years.
You had to list neighbors of all the different places you lived, friends, people you had contact with, social and beyond, which when you're a young kid is pretty much your whole life.
They asked all sorts of questions about your political affiliations, your political leanings. They were trying to find out things about you
that had been used against people in terms of like blackmail, or were motivations of people
that they had encountered that had basically committed espionage and become traitors.
So, you know, lifestyle questions back in the day, you know, if you happened to be a
homosexual or have, you know, some sort of alternative lifestyle, it wasn't so much an
issue that they wouldn't hire you if you were like that. They just wanted to know about it so that
somebody couldn't blackmail you into giving away secrets, because somebody had, and that had happened.
They wanted to know about your financial records so that you weren't, you know, they wanted to know if you had a gambling
problem and had huge debts, which would be, again, a way that somebody could motivate you to steal
secrets and they could pay things off. Or they're the people that you became indebted to and that
was your way of repaying.
And this process took weeks since they needed to visit all his neighbors and friends
to see if all this information he gave them checked out.
So while he's waiting for his clearance, he tries to figure out what he's going to do at the NSA.
So he starts shopping around, looking for a job there,
meeting people at the NSA to learn what they did.
And going out on these essentially job interviews that were really more like,
as it turned out, it wasn't so much a job interview as a sales pitch of,
oh, we want you to come work for us.
And one of the first interviews that I went on happened to be on the defensive side of the house.
Back in those days, NSA was operations, which is what
most people know NSA for, you know, intercepting communications, stealing all the secrets of
the rest of the world, our enemies. And then there was also the defensive side, which was called
information security or InfoSec. I happened to, my first interview was on the InfoSec side.
It was an office that was responsible for manual or paper crypto systems.
And they were looking for someone to do a cryptologic, cryptographic review of all the manual paper crypto systems that were currently deployed. They needed a cryptographer, and nobody at the NSA seemed to want to step into that role
and help that particular office out.
So they thought, well, the next best thing is let's grow one.
So let's hire somebody off the street.
We can go to the pool of people that are out there and train somebody up and train them
to be a cryptographer and then have them do the review.
So he took the job as a cryptographer.
So I ended up going to work in InfoSec
and working for what was known as the Manual Crypto Systems branch.
And my job was to do cryptographic reviews of the systems that were being used at the time.
So at this point, he had to learn what cryptography was and get good
at it. NSA ran its own cryptologic school. They had 100, 200, 300, 400 courses, dozens of courses
that you would take on various aspects of cryptography. So I basically went back to school
and took a lot of these training courses. And what was interesting was I was learning a lot of classic manual cryptography
on back to the ancient Greeks and Romans and how all the crypto systems were used over time
and how they evolved and all that type of thing. Which was perfect because this was the same stuff
he was tasked with reviewing as a cryptologist. One of the things he learned about is what a one-time pad is.
So a one-time pad is, the name implies, it's a pad of paper, usually 40, 50 pages.
And on each page, there is printed out random characters.
But it was essentially key.
And, you know, the very basic form of encryption is you take your message, what we would call plain text.
You would write that message out one letter at a time over or above the letters that were printed on the pad.
So you have plain text and you have the key pre-printed.
And you would go through some sort of cryptographic algorithm to produce a third letter,
which was the message, the encrypted message or what we called the cipher.
So quite simply, the way a one-time pad works is you use some sort of substitution algorithm
to produce that third character that's reversible. The beauty of it is that if,
you know, there's obviously two copies of the pad, but if those pads are kept secret and nobody can see them and nobody steals them, there is no cryptographic solution.
If you intercept the cipher, you can collect it all day.
There's no way to break the underlying key because it's random,
and therefore there's no way to break back what the actual message is. And it's called a one-time pad because you use the key one time.
So you write a message down on a page or two pages if it takes two pages, and as soon as you
do the ciphering and transmit it, you destroy the pages. These one-time pads were often used by spies,
like when a handler needed to talk to an asset,
they would encrypt messages by hand using this method.
And then the receiver would have to spend a while decrypting the message.
But a lot of the times, spies didn't want to lug around big pads of paper,
so they shrunk the one-time pad down to like an inch or two wide,
so it can be transported in a shoe or rolled up into a pen.
And in fact, some of them were printed on rice paper
because you needed to destroy the pad after you used it.
And some spies would destroy it by chewing it up and swallowing it.
But there was a run one time, a production run made one time
of a set of one-time pads where they printed them on rice paper, but for some
reason they didn't take into account what type of ink that they were using. And they used some,
I don't know if they got a deal on some different kind of ink, but the ink that they ended up using
was toxic. So our loyal spies that were sharing secrets with us in the field were getting sick.
So now that he was getting up to date on all this cryptography, it was time for him to start using it on the job.
So my first assignment was, you know, we were approached by, I'll just say customer generically, that was working with people in the field. And they were having these people report back to them
on a rather regular basis,
reporting information, data, secrets,
things that they were observing.
And they were lamenting that it sometimes took them hours
to do the decryption of these messages
that were being sent to them.
And they asked the
question, you know, we've got this newfangled, you know, IBM PC on our desk. Is there any way
that we could do this encryption and decryption on the computer and just speed things up?
And my naivete, because I wasn't experienced in the workings of NSA and in particular the InfoSec organization.
I thought, yeah, that seems reasonable.
Why not?
So I set out to try to figure out
how to get a computer program written
that could be performed on the PC
and then how to get the one-time paper pad into the PC,
which the option available at the time was on a floppy disk.
Now, remember, this is 1987 at this point. Windows wasn't a thing yet. So everything he was doing
was on the command line. So did you understand software or programming or anything at the time?
No, not really. And what I set out to do was I went and started asking questions
about all the different groups within InfoSec of how do you do this? Because, I mean, InfoSec
had a production facility that would actually print these one-time pads. We had an office that
would generate the key and that they had a way of generating random key that could be used to
put on the one-time pads. And there was other
uses for keys. There was a lot of machine-based cryptographic systems available that was much
more prevalent at the time. So I kind of set out to like, well, how do you do this? You know,
how do we design something and produce something? That certainly wasn't something that was
ordinarily done within the manual crypto systems shop.
But we had to design something, and how's it going to work?
So we need to have a computer program
and the program needs to be written securely.
If we're going to put the key on the floppy disk,
how do we emulate pages of key?
And especially, how do we emulate the destruction
of a page of key? At some point, Jeff starts to think, surely there's got to be a standard in the
NSA for how to secure software like this. Like if you're transporting keys on a floppy, what
encryption do you use? And so on. So he looked around for such a standard, and he found one.
It described how to secure a cryptographic device.
And this is where it started getting interesting, because it was written for hardware.
And there was no concept of doing anything cryptographic in terms of software back in the late 80s.
And I say this, I'm in contact with fellow alumni from the InfoSec organization
and people that were there years before I was. And I've asked, and to the best that I have been
able to figure out what we ended up producing, which was half paper pad, half key on a floppy
and a computer program that would do the encryption and decryption. That was the first foray into software-based cryptography that NSA produced.
Now, hold on.
It wasn't that easy.
Any cryptographic-based hardware that was made had a strict review process.
And so he had to submit this software to a few departments to get it approved for use
in the field.
And they had some pushback and questions on the software.
So I had to go through several iterations of presenting to senior management.
They gave me the initial blessing, came back, here's all the security concerns, go address them.
I came back, addressed them.
They ultimately said, all right, we'll let you do it, but don't do this again.
Like most government agencies, the NSA was resistant to change. They weren't entirely
sure if this new fangled computer thing was the direction they wanted to go in yet.
So that's why they were hesitant with this whole thing.
And so we produced what, to my knowledge, the best I have been able to figure out,
was the first software-based system that NSA produced. Now, years later, I'm a hacker. I've done all the
hacking, pen testing things. I look back and say, I hacked NSA. I did something that wasn't supposed
to be able to be done. I didn't take no for an answer. I figured out a way to hack the system,
hack the process, and I got through it.
Not saying I would have been successful at any other time and certainly wouldn't have recommended the solution in a networking world, but for the time it worked and it was revolutionary
in terms of being the first foray into software.
My career at NSA was roughly three different tours of duty or three different assignments.
This initial assignment where I did the work
with the manual crypto systems,
produced the first software-based manual crypto system.
That ended and I became a cryptanalysis intern. And the intern programs were special programs that were designed to get you the training, the diversity of experience in higher education to advance you to higher levels of your career field, in this case, cryptanalysis. So what it meant was essentially that I jumped
from InfoSec over to the operations side. So then I was actually on Fort Meade and a couple of my
six-month tours as an intern were in one or more of those. There's actually two of those big black
buildings beyond the four-story structure. So I was all over that, which most, if you've seen the aerial
photos of NSA, I was in those buildings. So he went to work in another department,
and that department was in the middle of looking for how you can crack encryption or exploit
systems if they weren't using best practices and securing their stuff properly. Like, for instance,
remember that one-time pad and how each page of the pad was only good once and then you had to use a different piece of paper for the next message?
Well, suppose someone doesn't do that.
Suppose they use the same pad over and over.
Does that make it weaker?
People were doing exactly that.
They would take a one-time pad sheet of key and they would use it for 30 days.
So we could amass dozens or hundreds of messages that we knew had the
same key on the bottom. And you can cryptographically break that and figure out what the message
is. Or if it was any kind of machine system, a cryptographic radio or transmitting device,
there's things that you can do to bypass the security or shortcuts to get the message through
that you think you're doing it in a secure manner
but sometimes you're not
and so somebody figured out, some group figured out,
okay, if the bad guys or the adversaries,
the rest of the world, don't use the crypto correctly,
and we're producing all the crypto that the U.S. uses, the DoD and, you know, everything U.S. related,
and we produce the best crypto in the world, and it's tested and, you know, tires are kicked on it and everything,
and it has to be rated to be secure for however long it needs to be keeping the data secure. How do we know that our people that are in the field
are using it the way that it's been designed in the lab in the pristine condition?
It's a great question to ask. If the NSA can crack codes because someone isn't using best
practices in security, is the NSA guilty of not following those best practices themselves?
And so his task was to go around and look at servers and computers
in the NSA to make sure the NSA itself was secure. To make sure not so much that they were designed
correctly, that was sort of assumed, that was a given, but that they were being used correctly,
that they were being implemented correctly. Jeff was there in the NSA in 1993. And what's
so important about 93? Well, that's when
the first web browser was created called Mosaic. And so this is where the web and HTML sprang out
from. And once they saw people were using this more commonly, this gave them a new idea. That's
when the focus within this office for a small group of us started to be, hey, why don't we start doing that hacking thing that we've seen in the movies
and start doing that and start coming up with a methodology of looking into how do you break
into networks and computers, this whole internet security thing. So that's what I and a small group
of us gravitated to within this office. When browsers reshaped how the internet looks and feels, it brought tremendous growth to
the internet, which caused a sea change at the NSA.
And in fact, around this time, the U.S. created the fifth domain of warfare.
Historically, they had land, sea, air, and space.
But in 1995, they added cyberspace as a domain of warfare.
And Jeff was right there at the dawn of when the NSA really started the internet hacking that it does today.
You know, all the really smart people, the suits, as I and many of us used to call them,
they got together and decided to reorganize.
And so they set up what became known as the System and Network Attack Center.
And it was billed to be the, again, we didn't use the term cyber,
but it was supposed to be a center of excellence
for everything computer and network security related.
And essentially, a lot of the InfoSec side of the world
was a research organization because we were designing and building things.
So they set it up like that.
So there was a design and a research arm
and a couple other variations of the theme.
One group was supposed to look at networks. One group was supposed to look at operating systems.
And the intent was to do a lot of research, dig into them and produce standards and guides on how to secure them.
Jeff and the people in his team really wanted to embody the hacker culture within the
NSA and learn how to break into systems remotely over the internet and stuff. This small group
of guys that had gotten together originally in this branch that was focused on fielded systems,
we got swept into this reorganization and moved to a different building. We were moved off Fort
Meade to one of the satellite locations. And we were given our own office and we were given license to keep doing what we were doing.
Everybody was happy with it, although they didn't necessarily understand it.
But we were testing the security mostly of NSA networks and domains within the NSA proper, as well as other DoD customers, let's just say.
And, you know, things were bopping along nicely.
Okay, this sounds like a good place to start.
Learn how to hack stuff, then test your hacking ability on the NSA itself.
And we nicknamed our office The Pit.
And we referred to our little hacker hangout, as it were.
Although, again, we didn't call it that at the time,
but that's essentially what it was.
We called that The Pit.
We decided we wanted to have our space and give it an identity.
And one of the members of the group said,
we should give it a name.
And a popular show at the time was a show called MASH.
And the irreverent doctors in the show MASH,
their tent that they lived in, they called the swamp.
So they said, well, let's do something along those lines,
like the swamp.
And we didn't want to call it the swamp
because that had been used.
Somebody came up with pit and it stuck. So within our little office, which we came to
call the pit, we had to get special permission to get a little mini fridge installed in it.
And we filled it up with Mountain Dew. That was the beverage of choice for the hacker culture
in the early to mid nineties. Initially, there was four of us in terms of our background.
I mean, I was the business major,
so I sort of gravitated towards sort of the business side of things,
finding customers to do this.
I think most, if not all, the other guys were computer scientists
in terms of their academic training.
This pit, as they called it, was part of SNAC, the System and Network Attack Center.
And they were certainly participating in the attacking part of that.
They were learning how hackers operated by reading hacker magazines and forums.
And they would try these attacks out on some practice computers.
And they were also doing their own research and generating their own exploits.
Back in those days, we weren't relying as much on, in fact, we didn't even have the term yet, zero days or O days.
We were basically learning how the operating systems worked and learning about all the hidden or undocumented features of the operating systems at the time
that could get you root privileges.
And so we were learning a lot of the tricks and the trades.
Now, there were some exploitation types of things.
And again, this is where I like to caveat.
These are the types of things that were done at the time.
I'm not saying that we necessarily did any of these.
Use your imagination.
But again, everything that we did against a classified system
was labeled classified.
So technically, if I tell you that I was doing something
to a classified system, I would be sharing secrets.
So with that caveat, what was commonly done back then
to break into Unix systems and Unix networks was, you know, there was password guessing.
Oh, yeah.
According to Rapid7, the oldest vulnerability, discovered in 1970, was computers using the username admin and the password admin.
I think it's really embarrassing that 40 years later, we still battle with the same vulnerability.
Everybody was getting a Unix workstation and getting a network credential.
Not everybody wanted to get on that newfangled computer.
So very often, everybody was set up with accounts, but they hadn't actually been used yet.
And the way that they were typically set up was everybody would get an account, but until you logged into it, you wouldn't set a password.
So there would be idle accounts that were just sitting out there. And if you could identify the
username, guess the user ID, you could get in without a password and set it and it would become
your account. You know, back in those days, the password hashes were in /etc/passwd files that
were world readable. So you could just copy them and run cracking programs like Crack or John
the Ripper. So Jeff and the team in the pit were doing internal penetration testing, red teaming.
But at the time, these sort of terms just didn't exist yet. And it's typical that when you're in
government and you're helping other government offices, you call them your customer. So they
would find a target, which was just another office or department, and that's their customer.
If we wanted to do an attack and we had a target, we had a customer, and let's say it was an internal customer, we had to get permission to do what we wanted to do.
In order to get that permission, we had to get management sign off.
It had to go up our management chain across sort of the executive suite and down the management chain of our potential target or customer.
And because it was getting physical signatures or initials on a document from 10 or 12 or 15 people sometimes,
that could take weeks or months.
It was frustrating because, you know, being able to break into a network, being able to break into a computer,
you kind of know what you want to do, you know what's going to work,
you think you know what's, you're ready to do it,
and to sort of develop the methodology which was required in this form
without actually executing the methodology.
So you sort of get right up to the edge
and then get told to stand down for a month until you get permission to do it.
That wasn't cutting it with us.
Yeah, I've heard this from other hackers in the NSA too,
that they have a target they want to hack,
but first they have to get approvals for what they'll do.
And they don't know exactly what exploits they'll use
until they get inside that network to see what they have.
It's still a problem today in the NSA, actually.
And the only way they've been able to solve this
is to do as much open source intelligence gathering on your target as you can to know what to expect once you get in there so that you can get approvals for your mission.
We try to learn as much as we could about the target from a benign perspective.
You know, what kind of information is out there?
Who are the people involved?
Can we identify what their user ID naming convention is? We can start to guess account names.
What can we learn about the people, their interests, their hobbies, their,
you know, their birthdays and anniversaries and pet names and kids' names, because these were all
very probable password possibilities when we were just trying to guess passwords.
So we would do that sort of open reconnaissance,
which was very rudimentary back then.
We didn't have Google back then.
We didn't have LinkedIn.
We didn't have all this stuff that was so readily available like it is today.
But there were ways.
So it sounds to me that Jeff helped start the very first red team in the NSA,
which is quite remarkable seeing what the NSA has become.
Now, this term red team, it actually comes from the military.
The red team was someone who acts like an adversary to test your defenses.
They think like the bad guys.
And the blue team is someone who defends against red team attacks.
A couple of years ago, a book was published called Dark Territory by a gentleman named
Fred Kaplan.
And in that book, in the fourth chapter, which is
entitled Eligible Receiver, there is a paragraph that talks about NSA's super secret red team
was called the pit. Now, none of us that were the original members of the pit have any idea how the
folklore grew to the point where it was included in this book. But when one of us
got a copy of the book and read it, we all got very excited. It's like, hey, we're all in a book.
So apparently, you know, what we did in the early days in our office called The Pit came to be known
as the NSA Red Team and The Pit. So they were doing pretty good, making a good name for themselves
and The Pit and helping out a lot of customers. But everything they had worked on so far was attacking and securing classified networks.
But that was about to change when the DOJ heard about them.
Because the Department of Justice had heard that NSA had this, you know, crack team of, you know, hackers, pen testers that would test the security of networks.
And they wanted to have that too.
So when I first found out about that, I had to go to the lawyers and say, can we do that?
We went to the lawyers, or the lawyers, you know, got wind of the fact that, you know,
an unclassified network organization was asking us to do the work. And we're like, sure, you know, they're a customer. Let's do it. The lawyer's like, well, hold on a minute. The general counsel said, you know,
let us educate you a little bit on how things work here.
The lawyers explained to him that while the NSA is responsible for protecting classified networks,
another department, NIST, is responsible for protecting unclassified networks. And so it's
not the NSA's jurisdiction to help the DOJ in this situation,
since they wanted Jeff to test their public-facing website.
While NIST was responsible for unclassified networks, it was fairly well acknowledged back
in those days that they had no capability. And this is all I'm learning from the general counsel.
So what effectively happened was sort of a nod and a wink handshake agreement where NIST would be responsible, but they would very quietly sort of pass it...
We want you to come do your thing, went to the general counsel and
they said, well, there's a way that you have to do this and you sort of have to just follow the
rules. So we proceeded, I proceeded to start following the rules. The first thing they said
was, well, this is sort of half, this sort of has to be a cabinet level, you know, favor that's
being asked by one cabinet member to another. So the request to do
this work has to come from the attorney general to the secretary of defense. So I worked with the
DOJ people to generate a letter that was ultimately written by, signed by the attorney general, who at
the time was Janet Reno, asking NSA to do that thing,
that vulnerability threat assessment thing that you guys do.
We'd like you to do it to this particular, you know,
internet-facing, public-facing aspect of the DOJ.
And, you know, so that took a little while to get going.
And the director of NSA had to respond officially back saying, yes, we would be happy to do that for you.
That letter going back to the attorney general.
It was like a three-month process, negotiation. We were down to, the letter had been actually drafted, signed by the director of NSA,
who at the time was General Minihan. He was an Air Force general whose previous tour of duty
had actually been down at AFIWC. So he came to us from AFIWC. Right before the letter could be
delivered, I came in on a Monday morning and I got a call from my point of contact at the Department of Justice saying, help, our website was hacked over the weekend.
Oh, wow. The very website that Jeff was supposed to run a security assessment on had been hacked.
But Jeff didn't have all the approvals yet to help out the DOJ, so he just
couldn't do much. But Jeff asked for more details. And what happened became actually pretty big news.
On August 16th, 1996, a hacker broke into one of the DOJ's websites and replaced the picture of
Janet Reno, who was the Attorney General, with a picture of Adolf Hitler. They changed the name of
the website to Department of Injustice
and replaced the seal with a Nazi flag.
Lucky for them, it was a somewhat benign defacement attack
and didn't go much further than that.
It was the first hack of any government installation facility website.
It was the first time the government had been publicly hacked, compromised.
Everybody was paranoid about it.
Everybody was very reactionary.
Crap, we got to do something.
And it became very public very quickly.
And I find this ironic because just before this,
Janet Reno approved Jeff's team to pen test that website.
And now her picture is what got defaced.
But the DOJ still wanted the team in the pit to come help and take a look.
But I said, well, let me see what I can do.
Knowing that ordinarily to engage them is a three month process. So I hung up with them. I got on
the phone with the general counsel's office and I said, you know, this is what's happened. We're
this close to being legal, engaging with them
anyway. You know, the last letter has been signed. It just hasn't been delivered yet.
You know, what do I have to do to get a team on site tomorrow to help them out? They talked about
it and they got back to me and said, well, have them make the request in writing, get it written
down. So I ended up having them do that.
And they said, don't go on your own.
Make sure it's a group and have your management send you.
Don't go on your own authority.
Have somebody tell you, go ahead and go.
Somebody in the management chain.
So I was like, okay, that's easy.
So I followed all those steps and I assembled a team and three or four of us went down to the DOJ office in Washington, D.C.
And we were there Tuesday, Wednesday, Thursday morning. We're down there for the third day.
And I get a phone call from somebody that was still back at the pit.
And they said, dude, the shit's hit the fan.
You guys got to drop what you're doing and come back now.
And I was like, okay.
So we did.
So, you know, it took us a couple hours to get back to the office. When we got back to the office, we were escorted into the executive conference room
for the deputy director of InfoSec. And, you know, waiting for us there
was the same general counsel, the same lawyer that I'd been working with for, you know, the last
several months. And he's an Irish guy. And he was mad. And he was red in the face. And he was reading
us the riot act about how what we had done was illegal. Didn't we know that it was illegal?
Didn't we know that we could not only get the director fired, but possibly go to jail?
Don't you know that you could go to jail?
And for the first time in my life, I was introduced to what was known as the Church proceedings.
He asked us, haven't you ever heard of the Church proceedings? And of course, no, I hadn't heard of the Church proceedings.
So he had to learn that in 1975, there was a Senate subcommittee led by Idaho Senator Frank
Church to review whether any of the intelligence agencies had abused their powers and what it would
look like if they did overreach and abuse their power. The essence of the findings was these organizations have a lot of power and a lot of capability and a lot of potential.
But they don't have much oversight officially.
How do we know that they're benevolent and going to do all the things that they do to the bad guys and not U.S. citizens?
So one of the outcomes of the Church proceedings was what came to be known as the NSA charter,
which is a classified document, but it essentially says that NSA can only do what NSA does to foreign nationals, anybody other than U.S. citizens. And NSA may explicitly not do what NSA
does to U.S. citizens. Well, you can imagine that in terms of ethical hacking, white hat hacking,
breaking into U.S., what's effectively U.S. systems and networks, sort of flies in the face of the NSA charter.
Now, we had never really confronted that explicitly in all the negotiations with the lawyers for the
months or years that we were working with them to do our vulnerability and threat assessments,
but they certainly had it in mind. It just came to a head when, for whatever reason, somebody decided that we had not followed the right procedures to go down and help the DOJ out with their forensic exercise.
So it was a big deal.
Well, at the time, we didn't think it was a big deal.
We thought it was overblown.
But because I was sort of the project leader, I was the one that was thrown under the bus.
I was put on probation.
I had, you know, my clearance was pulled.
The NSA did an investigation on Jeff,
and they called him back into the office for a chat with the director.
New rules were laid down, which the people in the pit had to follow from then on. But this
whole incident just took the wind out of the sails for the people in the pit.
Their energy and passion was sapped, including Jeff's.
At this point, Jeff was with the NSA for 12 years, and he had built up quite a lot of skills there, even getting his bachelor's degree in computer science.
So he looked at the private sector for jobs, and sure enough, jobs for him were available and paying a lot more.
So he quit the NSA shortly after this incident. And after that, three more people from the pit quit too.
That I started a week later that I think initially was a 50% pay increase. So
from a strictly economic perspective, it wasn't a difficult decision to make.
But if things hadn't gone south like that, a lot of people ask me, why do people work at NSA?
And so because they really are patriots and they really are loyalists and they really believe in the mission.
And I probably would have stayed there.
The following year, in 1997, the NSA launched Operation Eligible Receiver.
This was a no-notice training attack that the NSA would simulate on the U.S. government and military.
They were actively conducting DDoS attacks and using open-source intelligence to figure out ways to infiltrate different military bases and networks.
The NSA had built a red team and were hacking into the U.S. government networks.
I found an old video of a Navy captain who worked at the NSA and was part of this exercise.
Planning for Eligible Receiver at the National Security Agency began in 1996.
A small handful of people who were appropriately cleared into the program at that time
began laying the groundwork for the IW campaign in support of JCS objectives.
Jeff quit the NSA in '96. I believe that guy was taking notes from the team in the pit.
I'm like, I remember when they used to visit us all the time and a very congenial fellow,
and he always had a clipboard and he always was asking lots of questions and taking lots of notes
and putting two and two together, looking back on it. I'm like, damn it. He was, he was asking his questions because he
was working on putting together eligible receiver, but we were not, we were not ever planned to be
part of eligible receiver because they didn't want to put the A team out on the, on, on the job.
They, they were, they were recruiting people and training people up to be lower level hackers.
What they referred to as the B team to actually execute the exercise.
Yep. So yes, I was involved. I didn't know it at the time.
So eligible receiver, this exercise that the NSA was doing to hack into the US government
wanted to use the B team because they didn't want the best, most elite hackers trying this.
Those people were busy anyway.
They wanted a little less sophisticated team to try this,
and all with off-the-shelf tools, nothing super advanced.
We were faced with a very interesting situation.
That is, there was a no-notice exercise
that had not even been announced yet that it was coming.
And yet we were required to do reconnaissance of both
the MILNET and the SIPRNet ahead of time to be able to characterize our attack for approval.
This required us to actually conduct reconnaissance in such a way that we looked as if we were real
to the outside world. This was done with commercial internet service providers, and it was from
those providers that we touched military sites in the Navy and in the Air Force and so on
in order to gain our information, to do our open source research, to do our web surfing
on the internet and move off from there. How we went about doing the reconnaissance
was we looked for access points, ways to get into the DII or the
dot mil domain, better known as MILNET or NIPRNet. We needed to get in.
Chunks of this video are just
redacted, but it became clear that the U.S. military wasn't securing their networks as well as they
should have been. They were allowing 14 days. They had to call it off after like two or three days
because somebody on a naval vessel noticed something weird going on with the network,
and they pulled the alarm, which started kicking in the whole DEFCON escalation thing.
And they wanted to stop it before real shots were fired.
The most important lesson that we learned on the Red Team,
given how we approached the U.S. as a target,
on open source alone, no insider information,
is that we know quite clearly how to take the DII down
and how to attack the United States in an information warfare campaign.
Wow, that is scary stuff.
To think that a B-team of hackers with off-the-shelf tools
using commercial gear and conducting open-source reconnaissance
was able to successfully access so much stuff.
Well, I'm glad this exercise was conducted to help secure the whole network,
but again, I feel like Jeff and his team in the pit
are who created the original red team at the NSA,
a ragtag group of six hackers all hopped up on Mountain Dew.
And it seems like if that team didn't exist,
then Operation Eligible Receiver may not have happened
or would have happened years later.
And this also speaks to the importance of conducting red team assessments.
If you need to protect important data or valuable assets in your network,
it's probably a good idea to hire an ethical hacker to see if they can get into your stuff.
And hey, if it's what the NSA has been doing since the 90s, it's probably good enough for
your company to do too. And it's not impossible to defend against cyber attacks.
Often it's just a couple of misconfigurations that can easily be fixed.
So it's good to run a self-check sometimes.
I have one more conspiracy question at the end here.
I'll try.
Bitcoin uses SHA-256 as its private public key mechanism thing.
SHA-256 was made
by the NSA.
Does this mean the NSA has
a backdoor into all Bitcoin wallets?
Well,
as a cryptographer
who happened to be NSA trained,
if I knew the answer, I couldn't tell you.
My opinion is all the descriptions of backdoors
or all the conspiracy theories that I've heard about backdoors
are essentially, depending on how you define backdoor,
I don't see having a master key as a backdoor,
but call it that if you will.
I don't know how you would do that with a hashing algorithm. I suppose it's possible.
So I'm going to say no, I don't think so. That's my final answer.
A big thank you to Marcus J. Carey and Jeff Man,
two excellent people who work hard at giving back to the community
and making us all better.
I'll have links to both of their stuff in the show notes,
but you can check out Marcus's book.
The title is Tribe of Hackers.
And again, that book has brought value to me
by helping me find guests for the show.
So thank you, Marcus.
You've helped make this show better in some ways. And if you want to hear more stories from Jeff, tune into the podcast
Paul's Security Weekly, which is a podcast that goes into security news every week. And it's a
great show that has lots of really cool, amazing guests too. And I've enjoyed many episodes of it.
If you want to hear more about the NSA, I've made quite a few other episodes about this,
interviewing people from there even. Check out episode 53 called Shadow Brokers, episode 50 called Operation Glowing Symphony, or episode 29,
Stuxnet. So not many of you stick around this far into the episode. I've watched the stats,
I know how many of you have dropped off by now. But if you're the type of person who's still here
with me, I can tell you really like the show and want more of it. And the best way to help support
the show is to donate to it through Patreon.
This helps keep the mic powered up and the wave files flowing.
Please consider donating at patreon.com slash darknetdiaries.
Thank you.
The show is made by me, the irate monk, Jack Rhysider.
Editing help this episode by Cottonmouth Damien.
And our theme music is by the howler monkey, Breakmaster Cylinder.
And even though I don't back up my data, because I know the NSA does it for me, this is Darknet Diaries.