The Jordan Harbinger Show - 851: Ryan Montgomery | The Hacker Who Hunts Child Predators Part One
Episode Date: June 27, 2023
Ryan Montgomery (@0dayCTF) is a professional cyber security specialist, the founder of Pentester (JORDAN15), and an ethical hacker known for exposing online predators. [This is part one of a two-part episode. Watch this space for the second part later this week!]
What We Discuss with Ryan Montgomery:
What kind of background creates an ethical hacker? For that matter, what is an ethical hacker?
What is the difference between white hat, gray hat, and black hat hackers?
Do ethical hackers make more money than hackers who are less than ethical?
What is a Flipper tool, and what can it be used to hack?
And much more...
Full show notes and resources can be found here: jordanharbinger.com/851
Coming up next on the Jordan Harbinger Show.
And the 90% of the people listening to this right now
that are using an exclamation point as the symbol that was required in their password,
that's something that hackers think of.
You know, it's the first symbol on your keyboard with a digit, with a number.
Welcome to the show. I'm Jordan Harbinger.
On the Jordan Harbinger Show, we decode the stories, secrets, and skills
of the world's most fascinating people
and turn their wisdom into practical advice that you can use to impact your own
life and those around you. Our mission is to help you become a better informed, more critical
thinker through long-form conversations with a variety of amazing folks, from spies to CEOs,
athletes, authors, thinkers, and performers, even the occasional former cult member,
arms dealer, rocket scientist, or Russian chess grandmaster. And if you're new to the show or you
want to tell your friends about the show, our episode starter packs are a great place to begin.
These are collections of our favorite episodes organized by topic that will help new listeners get a taste
of everything we do here on this show.
Topics like persuasion and influence, abnormal psychology,
China, North Korea, crime and cults, and more.
Just visit jordanharbinger.com/start
or search for us in your Spotify app to get started.
And hey, by the way, everybody, we just started a newsletter.
Many of you are getting it already,
but if not, go to jordanharbinger.com/news to sign up.
Every week, the team and I dig into an older episode of the show
and dissect the lessons from it.
So if you're a fan of the show,
you want a recap of important highlights and takeaways, or you just want to maybe know what to dig into the feed and listen to next.
The newsletter is a great place to do that.
We've got a lot more ideas in store for the newsletter as well, none of which includes me asking for your credit card number to spam you with crap.
jordanharbinger.com/news. Would love your feedback on it because it's new.
I don't really know what the hell I'm doing.
I'm just trying to write good stuff that's useful and valuable, and I need you to tell me whether or not that's the case.
Today on the show, definitely no kids or no young kids in the car for this one.
Very explicit graphic detail in some of the posts and messages we're talking about today
because our guest today, Ryan Montgomery, friend of mine, great hacker, social engineer,
been doing it for a long time, long time in the game, professional level hacker,
has uncovered a lot of pedophilia, child abuse, and message boards where people share
this kind of child sexual abuse material.
We talk pretty openly and graphically about this stuff.
You have been warned.
That said, it's also a conversation about social engineering, persuasion, hacking,
the dark web, the underside of the underbelly anyway, of the internet.
I think it's a very interesting conversation.
We went long because we're buddies and we can't shut up.
I think you'll enjoy this conversation.
I certainly enjoyed having it, even though it's a dark topic.
Here we go with Ryan Montgomery.
I don't know you that well, but I know a lot of hackers, and I got to say,
I was into phreaking, right?
So phone hacking.
Yeah.
You just don't get into that stuff
in the 90s or early aughts
when you're like a well-adjusted kid
playing after-school sports most of the time.
Right.
So let me first, you know,
just to address the phreaking thing,
let me show you a pay phone that is...
Oh, yeah.
Yeah, that is fully active and working.
How do you even...
If you're watching on YouTube,
he just rotated the camera to show a payphone.
How do you even get a pay phone now
in a private premises?
Do you call the phone company
and be like, I'd like a pay phone here?
No, so that pay phone, I purchased it off eBay.
Okay, that makes sense.
It was a refurbished 1990 Protel. I didn't activate a line, like a landline. I routed it to an Asterisk server and now, you know, without skipping all the technical details, it receives and sends, receives and transmits phone calls.
Got it. Okay, so you didn't have to like dupe the phone company to be like, this is a high traffic area where people might use pay phones.
No, no, I mean, that would have been a lot cooler of a story.
It makes sense you buy it and then you turn it into like a VoIP thing and it doesn't need coins. I thought you literally had a coin-operated phone in your house.
I could make it coin operated right now. It's free. I have the keys and everything came with it, you know, when I purchased it. So I could activate it and, you know, there's a service menu on there where I could charge myself to make calls.
Payphones, man, I spent dozens of hours messing with pay phones. And this is probably a different show. I don't want to get off too much of a tangent. But suffice to say, in my area they had to change the firmware or software or whatever they were doing because of the crazy amount of red boxing that me and my friends were doing.
Oh, yeah.
Yeah, well, if people want to hear it, I can actually, I have some cool stuff.
Let me, because there'll be people listening on a podcast and on YouTube.
Absolutely.
So, Red Box, here's what a nickel sounds like.
This is a dime.
This is a quarter.
And then in Europe, this is 10 pence.
50 pence.
that was a red box
and then there was the famous
2,600 tone which was this
and I don't know
if you recall that.
For people who don't know,
Red Box was a device
that would emulate the tones
that a pay phone would quote unquote
hear when you dropped in a coin.
So when you dropped in a coin,
there wasn't like digital communication
between the payphone and the phone company.
The payphone would just broadcast a tone
onto the phone line that said
six quarters were dropped in here,
now this dumb kid
can call Japan for two minutes.
So we went to Hallmark and got those recordable cards the day they came out where you could
be like, hi, grandma, and it would say that in your voice when they opened the card.
And I thought, this is great because in Michigan, people used to use mini cassette recorders,
which were one, super expensive.
Two, if it got too cold, it changed the tape.
It wouldn't sound right because it was too damn cold.
If it was too hot, which it often was as well, it would change the tape.
And the tone changed just a little bit.
but 2,600 hertz works, maybe 2,700 hertz kind of works,
28, 29 doesn't work at all, right?
So you had this big problem.
Well, digital, that little 10-second or five-second recorder in the Hallmark card,
that thing was digitally perfect reproduction every single time.
So you just put in a quarter on a phone that wasn't working totally correctly.
You'd hear the tone in the speaker.
You'd record that thing or you use a computer to emulate it.
Suddenly you've got a thing that's like this big, you know,
the size of a child's fist and flat,
and it makes tone sounds, and all I did was call Japan nonstop all day, every single day,
for weeks at a time, and every country that I could find.
Oh, yeah?
I remember an operator being like, you have to stop doing this,
because I would call the operator and ask them to connect me to something in another country,
and they'd be like, okay, you need to put in $3.50, whatever.
And I'd just do the quarter tones, and she'd go, okay, and connect me.
And then there must have been something printed out on their dot matrix printer that said,
if a kid calls asking you to connect them to another country from a pay phone,
I don't know, run it by a supervisor or you know, ask a question.
Double check this one.
Right.
And so, and then they did something where they modified all the phones,
at least the ones I was biking to,
where then you couldn't make a tone into the mic before you put a coin in,
and that would stop the red box or so they thought.
So then I started putting a nickel in.
It would turn the mic back on,
and then I could use quarter tones after that.
And I was thinking, how did you guys not think that this would happen?
This is the obvious next step.
That is, I mean, that's the hacking mentality.
So a lot of people think, you know, and I'll keep this one short as well.
You know, teaching somebody how to hack is such a broad thing to ask.
You know, teach me how to hack a computer.
Teach me how to hack an account.
There's no cookie cutter method on being a hacker.
It's a mentality.
And like you just said, they put a protection in place to stop you from transmitting a tone into the microphone
and you put a nickel in and figured out that there was some time that elapsed
where you could play additional sounds.
and add more money to the phone,
that is a mental advantage that you had and still have.
And you'll always have that.
And it's something that I believe can't be taught.
So it's interesting you say that.
And the reason I told that story,
because people are like, shut up, Jordan,
interview the guy already.
I'm glad I was able to sort of tease that out of you
in a way that makes sense because you're right.
There's like hacker mentality, hacker mindset,
where it does show up in other areas of life
from a restaurant where I ordered two lunch specials
and they were like, well, I guess you can do that.
And it was like still more meat than you get at the other price
and you're just like the way of the system is not meant to be used.
But even things like the bar exam, I mean, not cheating on the exam itself,
but the prep course, I've told the story on the show,
so I'll keep it super, super short.
They won't allow you to take the lectures with you digitally.
They want you to show up to a testing center
and watch lectures every single day, take notes and study.
And I was like, that's BS and it's a grift.
So I said, I want the iPod version
of these. I know it has to exist for people that can't get to a testing center. And they were like,
you can't be in America because you're too close to all of our testing centers. You have to
travel to one. And I was like, fine. I won't be in America for a certain amount of time. And they're
like, we want to see your airline tickets. And I was like, okay, so I booked airline tickets
that were refundable. And then they would come back with another request. And then finally
someone was like, we know you just want this. Okay. But if you copy it, we're going to sue you.
And you're going to sign this thing that says you understand that. And I was like, fine, I don't
need to copy it, just don't want to go to the damn thing.
So it's like you're always kind of playing checkers or chess, I guess you would say,
with a system.
The opponent is not a person necessarily.
It's a freaking system.
That's exactly right.
And it is evolving every single day on the defense and the offense.
Like I said, not a cookie cutter thing.
If you're interested in cybersecurity, you know, that's just one aspect of hacking.
Hacking can be hacking people, social engineering.
It can be, you know, I guess a good social engineering example is convincing, you know, whether it be lying or whether it be manipulating your way to get something that you want, you know, and just a simple form like you get on a bus every day and you tell the driver, oh, I thought I had my bus card and you do it in a convincing enough way to where they let you on the bus. I mean, it's such a, you know, a simple, simple thing, but it's hacking, it's social engineering. And that can get more extreme where you could call a phone company and say, hey, I need to
speak to your manager, you speak to the manager, you ask them for their representative ID,
and you call them back, you tell them to transfer in-house, and then you say that you're the
same, that representative you just talked to, and now you're saying you're on the phone with a customer,
and that customer's having problems, but the call disconnected, and you have a rep ID that validates
that you work at that company, and you know a little more about their system, and you can,
you know, exfiltrate data out of their account or, you know, make changes to their account,
and it could be something, like I said, as simple as getting on a bus for free, or it could be
taking over somebody's entire identity, all with your voice.
You are reminding me of the reps some of this takes.
And I know that you didn't go to college, finish high school,
and I think it's important to note that because I think people go,
oh, hackers are like super genius guys that have PhDs in computer engineering.
And it's actually, like you said, it's kind of the opposite.
A lot of it is kids who had the mindset, but also went through the reps.
And what I mean by reps, man, and this will sound super familiar to you as well,
I'm getting nostalgic over here.
I remember calling a phone company, like you said,
get some kind of ID or system or term,
and they'd go,
is this system ESS7 or ESS5 or whatever it is?
And you go, oh, crap, I don't know what that is, right?
So then you're in the IRC channel and you're like,
what is ESS7 and ESS5?
And if nobody answers in time,
you have to like hang up and call back, right?
Or you hang up and go, sorry, we got disconnected.
Yeah, I actually don't know the versioning on this.
And they're like,
versioning? Because that's like the wrong term. And then they go, do you mean the install, whatever? And you're
like, that's intel, right? And you write that down. And you're doing this like maybe a hundred times a day
for like your entire spring break because you're a loser with no friends. Sorry, I'm getting very personal
myself.
Yeah, listen, I've been, I've been doing it, uh, you know, when I was a kid for a long time and, uh, and you,
I would learn these companies inside and out.
And I'd know exactly, for example, AT&T,
I would know exactly what system that agent was going to be using,
exactly the error messages that they would receive when a problem would happen,
and exactly what type of rep ID they would be using,
the amount of digits, whether it be, you know,
starting with a prefix of letters or ending with a suffix of letters.
You know, there's so many variables to it.
But once you gather, like you said, all of those bits of information,
you can construct that into a very convincing phone call
that appears to be internal, and it still works to this day.
I mean, I wouldn't recommend anybody do it.
It's illegal, but it's still, you know, people are the biggest vulnerability.
The systems are not.
Your employees, your people around you are your biggest weakness.
It's funny because I didn't mean to go into like how to protect yourself from cyber,
but people are always like, oh, I need the antivirus program that you use, right?
I want to know how to lock down the open ports on my company's computers.
And I'm like, the problem is none of those things.
Yeah, you should update your
WordPress site so you don't get like script kiddie malware attacks. The problem is the intern who
you just shared your password with, you don't think it's a big deal because that's just your
Salesforce install. But what's your banking password? Oh, it's the same thing but like has two
numbers at the end of it or not even that different. And you just assume that your intern doesn't
know that you bank at Chase and you don't realize she wrote that on a post-it note and left it on her
desk in the top of her laptop, which she just took to a Starbucks and opened for three hours.
Exactly. And the 90% of the people listening to this right now that are using an exclamation point
as the symbol that was required in their password, that's something that hackers think of.
You know, it's the first symbol on your on your keyboard with a digit, with a number.
They're like, wait, so my last name with an exclamation point on the end, or like, you see that
video where they're interviewing some gal on Hollywood Boulevard? And they're like,
Do you use the internet? Yes. What sort of password do you use? Oh, it's the year of my graduation
and my pet's name. And they're like, oh, okay, how long have you been in California?
And she's like, uh, three, three weeks, what are you doing? Go, I'm going to Universal Studios.
Do you have any pets? Yeah, what kind? A dog. What's his name? I don't know.
Fruffy. Cool. All right. Do you go to high school? Yeah, where'd you go to high school?
Oh, St. Augustine? Well, wouldn't you graduate?
1999? And then it's like, so it's Fruffy 1999. It's just the guy does it in like 42 seconds and she just
doesn't see it coming.
No, no, anyone can look it up.
Look up, you know, password interview on YouTube.
You'll see that video.
I know exactly what one you're talking about.
Yeah.
People are like, this is fake.
And I'm like, even if this is fake,
the whole thing that that person just did is definitely not fake.
Not even close to fake.
Social engineering is huge.
And pen testing companies, cyber security companies,
still to this day, you know, I believe, you know,
most of them, the first engagement is social engineering.
If an employee gives you access, why break in?
You know, they're just going to,
they're going to give you the key.
When I went to DefCon, which is a hacker conference for people who don't know,
a long time ago, there's a social engineering village or whatever they call it,
and there was a sound booth, it's a brilliant idea,
is a sound booth, and they'll just let people take a crack at calling,
you know, Windows tech support, whatever, at Microsoft,
and they have a speaker outside the booth,
so an audience can listen to a social engineer or whoever's in the audience
take a crack at trying to get as far as they can.
And it was really impressive,
like very few of these Microsoft employees were like,
like, I probably shouldn't give you that information.
It was rare.
Yep.
And the booth was a soundproof booth and you would just sit.
You'd sit in there and there and there'd be people going in and out, in and out, in and out.
Yeah.
Just gathering as much intel.
And then all the people listening are gathering intel as well.
Like if you go first, people clap more, right?
Because if you're the fifth person, you correct all the mistakes the other person made.
Exactly.
It's like walking through a minefield, I guess, figuratively.
It's a cool little world.
It is.
It is a cool little world.
And I want to know how you got into it.
because, again, I know a lot of folks that really spent a lot of time doing that,
and I was probably the most well-adjusted of my hacker friends by about 100 miles.
Yeah, likewise, I grew up in, you know, not the best area in the world.
And, you know, a lot of people I grew up with, you know, doing the wrong thing, doing drugs.
And, you know, none of them were on a computer.
None of them knew how to use a computer.
I was kind of a lone wolf there.
And my dad's side of the family had some serious drug problems, still is going through them.
And my mom's side of the family, which, you know, have been amazing.
They don't have that issue.
But, you know, I was in a contamination between the two.
So, you know, I didn't come from a lot of money on my mom's side.
We didn't grow up in the best area.
But, you know, it was a lot worse on my dad's side.
So being back and forth between those, they introduced me to some people that I shouldn't have been around at the ages that I was around.
And it got me into some bad stuff, you know, outside of computers with, you know, with drugs and, you know, stupid, petty crime and stuff like that.
computers were always my passion.
I don't know how to explain in conjunction
with the drugs and the petty crime outside of computers,
but there was always my passion outside of that.
None of my friends could relate.
They just knew Ryan's the guy that's good on a computer.
Ryan's the guy that I'm going to call when I have something wrong with this
or somebody that's not knowledgeable with computers
just thinks I could do anything.
This guy can take over the planet with his computer.
I was a little kid at that time,
But I spent a lot of time around older people.
Sure.
And some people might say, well, maybe you grew up fast, you learned a lot.
And then other people would say, well, the people I was around that were older,
that did teach me things.
And I did learn fast from them.
They weren't the best influences.
And I didn't carry over that knowledge into my adult life by any means.
But I definitely had to grow up fast.
And I definitely did a lot of things at a very young age that most kids haven't seen.
I remember my parents being kind of worried.
they didn't know the half of it, but they were kind of worried that, and I look back and I'm like,
they were definitely right. There would be, like, one of my friends when I was probably 13 or 14 years
old was 20, which, like, that's weird. He was in college. Yeah, it is weird. And I was in middle
school, right? That's weird. And there were guys older than him that we hung out with. He would come
pick me up from Detroit, which is not that close to where I live. I mean, it's, I live in the suburbs.
and we'd drive down to another place like Southfield, which is another suburb, and we'd be dumpster diving in a cell phone store parking lot.
And I'm like, wait a minute, these guys are like 40 years old, late 30s, they're hanging out with me.
I'm 14.
There were other kids there that were like 17, 18.
It's odd.
And granted, we were in a very niche, very niche hobby, right?
Phreaking and phone hacking.
It's still freaking weird.
I would have been like, yo, leave the kid, the literal child at home.
because if we have to go somewhere,
run from the cops,
was he going to just hop in my car?
That's not odd looking.
Yeah, and not only that,
but, you know,
even if they didn't have any, you know,
intentions on the,
you know,
on the creepy side,
they would get child endangerment charges.
Totally.
Yeah.
These guys, like 20/20 hindsight,
there was never anything even remotely like that.
They were just geeky, weird dudes,
but you would think they would have,
they should have had better judge.
These criminals that I hung out with
should have had better judgment.
Right, right.
Well, I guess the difference between your story
and mine was I wanted to, you know, I was a kid. I was making dumb decisions. So I wanted to hang out
with the older people and I got along with them better. I don't know why. And, you know,
everybody just told me I'm an old soul or whatever, whatever that means. But I always wanted to be
around older people. I've always dated when I was younger. When I was younger,
when I was like 12, 13, 14, I was telling people I was
18, 19. And it actually brings up a point that I actually wanted to address anyway. You know,
when I was 13, 14 years old, I looked actually, you know, a lot older than I do now, which is
surprising because I was whacked out on drugs. And I had long black hair and piercings and tattoos and,
you know, all these things, you know, that a normal, normal child wouldn't have. When I did the,
you know, another podcast before this, somebody looked into me and I guess Reddit started
looking into me and they found that I used this name. Do you remember the MySpace days
when everyone was like the scene kids and emo kids?
Sure.
Well,
I was definitely a part of that back then.
And I had, you know,
the long hair with the double Monroe piercings on your lips.
And,
you know,
and I used a stupid edgy name as a kid.
Sure.
And people were bringing that up,
you know,
like trying to discredit me for all the things that I'm doing.
And it's like,
if they would just look at the date and they see,
you know,
I'll be 30 in July.
If you look at the date,
you're posting pictures of me as a 14-year-old
and, you know, judging me for it.
And I just thought to myself,
and it's pretty obvious, you know, even if you go back five years in your life and you read
something that you said on social media or you read an email or a text message to somebody and
you don't cringe at that. Yeah. And you have not grown. And I'm looking back 15 years ago and it's
like they're bringing to light some things. There's nothing there that's like, you know, bad. It's just
yeah. It's cringe. Yeah, it's cringe. Yeah, leave me alone. You know, I'm trying to do something good
with my life and I have been for a long time. Just leave me alone. You know, I went through a phase as a
kid and I look like a weirdo. I get it, but whatever. Leave me alone.
You're listening to The Jordan Harbinger Show with our guest, Ryan Montgomery. We'll be right
back. If you're wondering how I managed to book all these great authors, thinkers, and
creators every single week, it's because of my network, and I'm teaching you how to build
your network for free over at jordanharbinger.com/course. This course is about improving
your relationship skills and you're inspiring other people to want to develop a relationship with you.
It's not cringy. It's down to earth. It's not awkward. It's not cheesy,
just a lot of practical stuff that's going to make you a better connector, a better colleague,
a better friend, a better peer. Six minutes a day is really all it takes. Five really, but five
minute networking was taken. And many of the guests on the show subscribe and contribute to the
course. So, hey, come join us. You'll be in smart company. You can find the course at
jordanharbinger.com/course. Now, back to Ryan Montgomery.
Dude, I am not a celebrity by any stretch, but there's enough internet stuff that sort of puts me
in a public eye, there's a Google talk where I'm just like a fat slob with a terrible haircut,
and I can't do anything about that at all.
Understood.
Right?
Yeah, but that's you.
And this is worse.
This is worse, though.
It's, I mean, hey, man, it's a, it didn't bother me in the slightest bit because it's,
it'd be one thing.
It's like they pulled something off the internet, and it was like, this guy is trying to
help save kids is actually this secret horrible person that, uh, that does all these horrible
things.
Like, there's no secrets in this stuff that's out there publicly about me.
Like, I told people, yes, I did drugs.
Yes, I committed crimes as a kid.
You know, I did stupid things that kids would do.
Yeah, I used a stupid name.
Like, I was, you know, I'm pretty public about the dumb stuff I did as a child.
You know, if you have a problem with that and that hinders your thought or your opinion.
Your opinion.
Yeah.
Manipulate your opinion on me helping children or attempting to help children.
Then I apologize.
But, you know, I don't
know what to tell you.
These are the same people whose parents wore, you know, polyester bell bottoms and
probably met at like an orgy in the 60s. And they're like, how dare this guy, Ryan, like, emo
music that I hate. Yeah, well, it was more so that the edgy name. And I would assume that, you know,
and, like, back in the day, there was like Zoe suicide and Carla Curbstomp. And, you know,
like those crazy names. If you Googled scene names, you would see. But you've done some other incredible
stuff that should easily outweigh it. I mean, he started a rehab at,
by the time most people were having their first beer,
You founded a rehab center, essentially.
Is that accurate?
That is accurate.
So long story short, I was dating a girl named Angelica, and I knew her since I was a kid as well,
actually.
She ended up in Florida for her own personal reasons, and I was still living in Pennsylvania
at this time, and I was flying back and forth to see Angelica.
It was like one week out of each month, and I would fly back and forth to Florida, and I'd see
her, and she lived right near a Starbucks.
in South Florida.
And, you know, every time we'd go to the Starbucks,
it would be packed with a ton of these people.
And I would see the same people every time.
And they'd all be talking about drug rehab.
And they'd be talking about saying,
hey, if you know anybody in Pennsylvania that needs treatment,
you know, we'll pay you this, you know,
it was a pretty significant amount of money per person
that you can send to rehab.
I asked her about that.
I was like, why are all these people bringing up,
you know, they'll pay me to put people in rehab.
I never heard of anything like that before.
because every rehab I ever went to as a kid was all government, you know, subsidized and Medicaid.
Yeah, a judge sends you there. Yeah, a judge sends you there where, you know, they're Medicare, Medicaid facilities.
So all these people, they're driving around in Mercedes and BMWs, they got nice watches.
They look like they just got clean a couple weeks ago, you know, and they're talking about, you know, a couple thousand dollars per person.
And I, you know, I found out from my ex-girlfriend that that's the thing called patient brokering, which is a felony.
Oh, it is.
Yeah, so you can't, there's no such thing as giving a kickback in the health care
space, you're brokering human beings.
I see.
I mean, that sounds fair now that you explain it.
Yeah.
Because to me, I'm like, oh, lead generation.
Oh, maybe this is a little gross.
So, you know, I'll go into that too because, you know, after I found out it was illegal,
which I never ended up doing it.
I didn't know anybody that had private insurance in the first place to get them to travel
to Florida, even if I did want to make that decision.
But I went, you know, I did my research.
I had a background on internet marketing as, you know, as well.
And I did some research and I found it was a lot of treatment marketing companies out there.
I would call them up.
They were running PPC campaigns on Google, just pay-per-click.
And when they would pick up the phone, it would sometimes be one facility and then another time
it would be a different facility where then other call centers, it would be the same guy picking
up.
But depending on what type of health insurance you had, they would send you to whatever facility
paid, you know, that insurance company would pay the highest for.
The problem there is a lot of the facilities, including mine, are dual diagnosis.
they change it from substance abuse to substance use.
So it's dual diagnosis, substance use, and mental health disorders.
And let's say somebody who has a severe eating disorder,
but they're also addicted to some type of narcotic or drug.
They call a treatment marketing phone number.
And they get in touch with some guy.
They say they have a, let's say, Blue Cross Blue Shield PPO that has a low deductible,
and they know it's going to pay very high.
That person with an eating disorder needs to go to an eating disorder
clinic that also helps people with drug addictions. But instead, these marketing companies were sending
people to whatever places were going to be paying them the most money. And that didn't sit right
with me. And I thought, okay, well, I can do these same things. I can run the same campaigns,
but I can work with the right facilities and send them to the right places. So I started a company
called the Treatment Source.com, which was just basically a landing page on a website. And I did some
very targeted Facebook campaigns. And I didn't have the budget behind
me in the beginning of this project to do what a lot of those marketing companies were doing.
But the campaign started to work very well, and I was putting people into treatment, but wasn't
making a ton of money at that moment.
Once some rehabs found out that, hey, this guy can get people in, and he's doing it through,
you know, the legitimate routes and they're, you know, they have private health insurance,
and you can't do like a cost per acquisition or a cost per client because that's where the
patient brokering comes in, but you can pay somebody, you know, a flat fee
for their services. So I would go to these facilities while I was still dating this girl,
flying back and forth, I'd show up at these rehabs and say, hey, here's my site. This is how many,
you know, leads on average that we're bringing in, which when I say we're, I'm talking about myself,
but, you know, they didn't know that at the time. Yeah, me, myself and I, the three people that
work at my company. Exactly. Exactly. This is right in the beginning of the treatment source,
which was, you know, very short-lived, actually, but it worked. And I talked to a bunch of treatment
centers, and they all threw up money separately. I had contracts with
each one. I could not put a number of clients on that contract because the second you put a number
in association with the dollar amount, it becomes a crime. Right, because you can break it down and do a
per client price. Yeah. Exactly. Gotcha. So, you know, I did a good job in that area. I made sure that
the people that needed help were getting the right help that they needed. And I ran into a guy who
got along with better than the other facilities. I don't have a problem with anybody, but we became
friends pretty quickly. And he stayed in touch with me. And one day he calls me.
I still live in PA at this time in Pennsylvania.
And he says to me,
hey, you won't come to the Fort Lauderdale airport right now.
Like, just joking with me.
And I'm just waking up.
And I'm like, yeah, okay.
And then I end the call.
I book my flight within three hours.
And then I call him maybe, I don't know if it was a couple hours after that or not.
But the same day, I call him and I say,
hey, I'm at the Fort Lauderdale Airport.
And he's not believing me.
Like, you know, I genuinely got on a plane and flew that same day.
Wow.
I went and met up with him.
Pick me up at the airport.
and I went back to his house.
I stayed with him for about a week.
We discussed some marketing ideas.
And at that point, I had a contract with a facility he owned prior.
I had no ownership in that facility.
So after that week was up, you know, I decided, well, if I can stay with him until I find
a house to buy in Florida or somewhere to stay or get my own place, I'll do that.
He offered to let me stay with him.
So I did.
I flew back to Pennsylvania.
I got a U-Haul, put my car on the back of it with a trailer, drove down to Florida,
and stayed at his house.
and I convinced him, and, you know, he also had part in this decision, but to sell his shares and his
rehab and to start one with me. So I dropped all my contracts with all the other facilities and did all
of the marketing from my own facility that started the first one. And I filled that one with the
marketing campaign itself. The treatment source was gone. We did the marketing for the facility
directly. And that turned into a partial hospitalization, intensive outpatient and outpatient facility.
but we didn't have any medical detoxes, so we would have to send them to other facilities.
You know, I'd say someone's going through withdrawal from whatever drug or alcohol,
they would have to get detox medically, and then they'd be sent to us for their treatment.
We thought that, you know, after, you know, we brought in some money and things were going well,
we provided great quality care, which I can get more into that if you're interested.
We opened two detox facilities as well.
So I ended up having three facilities with 144 beds, 120 employees, and I was the CEO of that facility.
So it was an honor.
I was able to help a ton of people and, you know, start a cool scholarship program for people that were just like me that didn't have money, didn't have insurance.
It needed help and didn't have a three-month wait, you know, where these other facilities have three-month waiting lists.
Oh, man.
Imagine being an addict.
You decide to get clean and they're telling you, sure, in 90 days you can come in.
I mean, you could be dead by then if you're that far down there.
Yeah, that's exactly the point.
It's, you know, you can't tell an addict to wait three months.
No.
They don't have three months, especially now in 2023.
It's the number one leading cause of death, 18 to 49 years old for the last two years.
And, you know, an addict doesn't have three months to wait.
And so I started that scholarship program, which meant, you know, you come to treatment, you fly to Florida,
and you stay for as long as it takes until the clinicians say that you, you know, you're ready to go or you walk out of the door on your own.
But I did that.
And, you know, that was super successful, in my opinion.
It wasn't profitable, but it felt good.
and I feel that I help a good amount of people that way.
So heart disease and cancer don't kill more people than what, is it, fentanyl now?
Yeah, I mean, I can double check the statistic.
Let me see.
Or maybe it's the age group, right?
Because maybe cancer and heart attacks are above.
I guess there's a debate on it, which I didn't know that here.
I watched something yesterday, Jelly Roll, I think it was, on Joe Rogan.
And I think he said it was an opiate overdose every 11 minutes with death.
But yeah, maybe this is fake.
So I'm looking at the fact check on that.
And it says,
Fentanyl is not the leading cause of death for adults in the U.S.
and the CDC data from 2020.
Okay.
The top three causes listed are heart disease, cancer, and COVID.
Well, we'll find out in a couple of years.
Yeah, let me know if you find out otherwise,
but I definitely heard it many times.
So I know that it surpassed 100,000 in 2021.
I think we can safely say either way that if you are already addicted to something,
you have a great chance of dying,
especially if it's an opiate, so we don't have to split hairs on.
It doesn't matter.
Yeah, but don't discount.
you know, the Xanax, the Coke, all the new things.
People are dying from them, too, with fentanyl, you know, this fentanyl's and everything,
all the different types.
I hadn't thought about that, but you're right.
There's people, friends of friends who, like, went to a party and tried cocaine and it was
laced with fentanyl and they're dead.
And it's like, back when I worked on Wall Street, people would be like, hey, you look tired.
And I'm like, yeah, I need a Red Bull.
And they're like, forget that crap.
Come into my office.
You know, and you're like, oh.
But now it's like you could just die from that because you just bought it and hasn't tried it or has
a higher tolerance.
That's just reminding me too.
Like, and this sounds absolutely insane.
I know before I'm saying it, but, you know, back when I was a kid,
heroin was like a thousand times safer than it was today.
I stopped using drugs around 17.
Oh, I knew of one person that died of an opiate overdose,
and it was mixed with other things.
And now, almost everyone I grew up with is dead.
Oh, my God.
A couple of my family members are dead.
There's a story I think I talked about it on another podcast,
you know, how I found my best friend dead.
You know, he did well for a year straight.
and I walked in and found him, you know, in his bathroom, you know, he was gone.
And he made the mistake one night.
He was completely fine.
He just made, he had one slip up and he was gone.
I just can't imagine why people would want to do that.
But I guess, you know, I can understand being an addict and not being able to stop.
I don't know.
I don't associate with that completely as being an addict for life.
I don't believe that I am personally, but I do definitely know that some people are.
It's hard for me to understand everybody's opinion on it or everybody's,
everybody's mindset on it, especially for my best friend.
He was just like you and I, you know.
He just made a mistake one night, and that was it.
Sorry to hear that.
Yeah, I mean, I'll save all the details for the story of the story because it makes me
upset to talk about.
Yeah, you don't have to relive that gruesome devastating moment for sure.
It's just, I think it makes a lot of sense.
It illustrates the way that you grew up and how that informs your rehab.
practice and that all sets a good baseline for, okay, I'm an entrepreneur, obviously I'm a doer.
You dropped out of high school and started a business by age 22 that most people would be
lucky to have in their 40s. And it was based upon helping people, but also making money. And I know
you do things like you're an ethical hacker, which, well, first of all, tell us what that is
because a lot of people have never heard those two words put together. Gotcha. So an ethical hacker is,
I like to call myself a cybersecurity professional, but an ethical hacker is somebody that, there's
three different types of hackers. There's a black hat, a gray hat, and a white hat. Black hat is somebody
that commits crimes. Gray hat, someone kind of in between where, like, you know, they'll hack your
website. They'll send you an email saying, hey, I found a vulnerability in your site. You should probably
fix this without permission. And then a white hat hacker would be, you know, let's say Jordan
contacted me and said, hey, I want you to test my site. You know, we have rules of engagement.
We have scope. And we do something with his full permission. That's like a 30,000 foot view of what
that means. But that's something else I wanted to talk about is there's some titles online saying
number one ethical hacker does this, does that. And I'm not a self-proclaimed number one ethical
hacker. The reason why that title became, you know, a thing is because there was a website out
there for, you know, there's some training stuff there and there's some competitive stuff.
And I'm number one. I found that. Because I was like, number one, how does he rank? And then I was like,
oh, here's where he's ranked on this training site for being like in the leaderboards. Okay.
Yeah. So it wasn't always a training.
site. So half of the site is training. So if you don't know anything at all, you can learn on there. And then the
other side is competitive. So if you end up solving these simulated challenges, which are just like real
life environments, most of the time, if you solve them first, you get extra points. And those points will
allow you to move up on a leaderboard. And since there's two million users on this website almost,
I think it's just shy of two million, being number one on there was very difficult for me to get.
That doesn't mean I'm the best hacker in the world. That just means that I worked very hard to get to
where I was at. And, you know, I wanted to make it clear that I'm not a self-proclaimed best hacker,
like Kevin Mitnick or somebody like that. I think Kevin Mitnick did say he was the best hacker. I could
be wrong on that. Yeah, well, he would say that. And also, I'm not sure everyone else agrees with
him, but we'll leave that. I don't agree with him. I do not agree with him. You're probably a
phone phreaker than Kevin Mitnick. I won't say that, but I will let other people say that. And I will,
and I've, look, he was nice to me, and I will say this, but his modesty does not comport with
the, hold on, how do I phrase this?
His opinion of himself may be
slightly different than his skill level
reflects. Anyway.
Yeah, I understand where you're going with that one.
I got you. Yeah, that happens to people. Whatever.
Not a big deal. So, ethical
hacking, penetration testing,
when I was doing the social engineering stuff, I worked
with a lot of pen testers. I know you run
pentester.com, which we'll link in the show notes.
Oh, thank you. This is like, so just
I'll save you a second here, the
difference between white and black hat hacking
is kind of like, if I want to
test if my store is secure, I might hire somebody to break in. And I'm standing there watching them
pick the lock and then go to the cash register and pry that thing open and get through the
little gate I have to the office. And I go, okay, I need a stronger lock, a stronger door. I need
a little metal grate. Thank you. And they say, no problem. The black hat version, the guy just
breaks in and robs me and then says, if you want your stuff back, you could, or if that, maybe I just
get robbed. Or if I'm lucky, they say, if you want your stuff back, send me 10 grand in Bitcoin,
and I'll return the computers
I stole from you.
Yeah, they ransom you.
Right.
And then the gray hat in between, I would say,
is the guy that comes into your store.
He steals all the money out of your cash register,
but before he walks out,
he shows you how he did it,
and then hopes you don't call the cops.
Right.
And says, I'll give you this back,
but there's more holes in your business
that you're going to want to pay me to find.
Exactly.
I wouldn't recommend black hat or gray hat to anyone,
you know, if you're going to do this,
do it the right way.
There's a lot more money doing this the right way than the wrong way.
Trust me.
I wanted to ask about that because I know some cybercriminals
and many of them have gone to jail,
I wonder when you did the calculation,
like, okay, I can do some bad stuff and make money,
but there's more money in legitimate business, period.
And we see this pretty much universally.
Even the Italian mafia now just owns legitimate businesses
for the most part,
even if they muscle some contract here and there on sanitation,
according to some people.
It's like there's still more money
just owning a building in Manhattan
than trying to extort immigrants or whatever.
Right. So I guess for me,
it wasn't really a turning,
point type of decision. It was more of a, you know, once I stopped being an idiot kid and I stopped
using drugs and I started the rehab at such a young age, I didn't have time to be an idiot like that.
And, you know, I was doing well financially. So I think it was just kind of the way that God pushed me in my
life. I can't give you like a turning point because I was never like arrested for a federal
crime or anything of that sort that changed me. I don't know, man. I think I was just,
I was just very busy. I was doing well financially and I didn't need to break the law to do
that. I love that. But I also, of course, want to hear about some of the black hat stuff you've done
because I can't be the only one admitting crimes. And the statute of limitations has long since
passed. Yeah, I understand. And, you know, I can only get into certain things because of some,
I guess, credibility and some of the nonprofits that I'm going to be working with that also work
with federal government. And I want to make sure that I'm a credible person. Yeah, of course.
But, you know, one thing I did talk about was it was a Bitcoin mining botnet. And, you know,
It was something I did as a young kid because, you know, I believe that was back 2013 or 14, maybe 12 or 13.
I'm not entirely sure.
You know, it was one of those three years.
There was these things called Java drive-bys.
And have you ever heard of a Java drive-by?
No.
Browsers used to have Java applets that you could run, you know, applications in your browser that were Java.
You'd get a message at the top of your screen and it would say run once or run always.
And there were, you know, some exploits out there called Java drive-bys.
Some would mean, you know, you would have to click a button to allow the Java applet to run,
and then others would be, you know, zero clicks.
So they would go to your website and they'd get infected.
They don't exist anymore because browsers don't support Java applets.
But I had this website, which I won't name the domain name, but I had the website,
and, you know, it looked like they could mine Bitcoin in their browser.
And there was a popular Bitcoin forum back then where if you signed up, you know,
you'd be considered a newbie member.
So anything you said nobody was going to take seriously.
but if you were on there for a while, you had a senior member title.
And I wanted to see like, okay, if I can get into one of these senior members' accounts,
I can post this website, infect these computers, which I know if they're all into Bitcoin
and like when they probably have good computers, because that's a big factor when it comes
to mining.
If you have good hardware, your computers are probably going to be good.
You know, I took over a couple of these senior accounts, said that this website was legitimate,
and, you know, that botnet spread into Bitcoin community.
its sole purpose was to mine Bitcoin in a pool.
It was not like your average Trojan where I was looking through webcams or taking over control of your computer or reading, you know, obviously I could update the file in case I needed to bypass some sort of...
You just wanted processing power.
Right.
So, you know, there was more to the story, but, you know, it was a stupid thing that I did.
It was, you know, luckily it is past the statute of limitations.
It's long gone now.
I didn't hurt anybody, if anything, I, maybe I increased their power bill by it.
a couple pennies.
You know, that's, you know, a little story from my past.
But, you know, a lot of the dumb stuff was before that, even on AIM.
Sure.
And Digital Gangster was another site that I was a big member of.
And there's a lot of those stories.
When you say AIM, are you talking about AOL Instant Messenger?
Yep.
You admit a crime.
So I used to this, I probably shouldn't say when this is.
Ah, screw it.
Yeah.
Law school.
I was like, oh, everyone uses AIM.
And everyone, it was like,
the first year people use laptops. And you're in a law lecture. I was like, what are they talking about?
What is everybody talking about? Everyone's using AIM right now. And so I got a Linux partition on my
laptop hard drive and I got some PCMCIA card that I threw a good Wi-Fi card in there.
And I got something called like, the logo was a pig. It was like air oink or whatever. I can't
remember the dang thing. AirSnort, maybe. And you ran the card in promiscuous mode and it would
just grab all the traffic off the network.
Yeah, it was AirSnort, and it would put the card in monitor mode, and they used to call it promiscuous mode, I believe. Yeah. Yeah. It was a wireless cracking utility. And back then, I believe it was WEP keys, which were cracked in seconds.
Seconds, yeah. Yeah, nowadays, it's a little different, but it's still easy to capture a handshake. And the world hasn't changed much. It's just the technology has gotten more advanced.
So essentially, I was running like man-in-the-middle attacks on my classmates, which is, and I'll leave it here, a great way to find out how
little people think of you when you can hear their,
we see their private conversations.
Like, I apparently didn't learn my lesson from the phone calls
and just started eavesdropping in my classes.
And you won't unsee the unvarnished communication between your classmates
about how much of a POS or dork or whatever they think you are.
Because you know there was no agenda other than just like pure truth bomb.
And they would never tell you that to your face.
So I don't recommend that course of action.
No.
It's not good.
It's not good for the ego.
I deserve to get knocked down a peg.
There's a part of me where I was like,
this is the universe being like,
hey, you want to do this kind of crap?
Fine, have a little dose of this.
And it's like, ugh.
No doubt.
Maybe I should stop.
So, all right, bug bounties.
I used to just get in trouble
for finding bugs in software,
but you used to get paid.
Tell me how that works.
Bug bounties are kind of a blessing
for a lot of hackers out there
because most large companies now have programs
where they'll pay for you to find vulnerabilities.
They'll tell you the scope,
you know, what's in scope,
what's out of scope, you know, meaning like what not to touch, what to touch.
Depending on the company, they'll pay out for, you know, big amounts of money for certain
criticalities.
So if it's something low informational, it might be $100, where if you find something that could
damage the company, it could be $30,000, $100,000, a million dollars in Apple's cases.
You know, if you find a zero day in an iPhone, it's a million dollar bug bounty.
I think it has to be considered a zero-click exploit, meaning no interaction from the user.
But, you know, that's a million dollars, whereas a couple years or maybe 10 years ago,
that type of thing would get you put in prison just for putting it on the internet.
This is the Jordan Harbinger Show with our guest, Ryan Montgomery.
We'll be right back.
If you like this episode of the show, I invite you to do what other smart and considerate listeners do,
which is take a moment and support our amazing sponsors, all of the deals,
discount codes and ways to support the show.
Those are all on one page, jordanharbinger.com/deals.
and you can always search for a sponsor using the AI chatbot on the website as well,
jordanharbinger.com/AI.
It's not always right.
It did tell a few people myself included that my mom was racist,
but otherwise it's quite useful.
jordanharbinger.com/AI is where you can find it and check it out.
Thank you for supporting those who support the show.
Now for the rest of Part 1 with Ryan Montgomery.
Yeah, like I would crash a BBS, and I remember if I liked the board
and I crashed it maybe by accident by finding a glitch,
I would call the sysop.
And I remember one guy called the police
instead of just being cool.
And I was like, dude, I called you to tell you
I found a bug and you just try to get me in trouble.
Fine.
Someone else is going to find the bug and trash your site.
And the cops didn't do anything
because they were like,
uh,
so you turned off his computer over the phone?
Like, uh,
don't do that kid.
Right.
They don't care.
Yeah,
they don't care.
And then I was like,
oh,
well,
I'm,
now I'm what I'm going to do is post the bug
on a bulletin board system full of hackers.
and I'm going to put your number to your BBS and be like,
go ahead and try the bug.
It's on this website.
You can go ahead, or not website.
It's on this bulletin board.
You can just log in with a new account
and try the color works bug right now,
and it'll crash the whole site.
And they had to uninstall that because they were down for days and days
because he didn't know it was crashing it.
Every time you would just boot up again,
somebody would log in five minutes later and crash it.
And I just thought, you know, like never piss off hackers,
even though that was a script kiddie thing that I had.
But like, why do that?
Just be cool.
They're trying to help.
We're trying to help sometimes.
100%.
Yeah, and yeah, whether it's script kiddie or not,
it's denial of service attacks that would be considered as,
you know, even if it is the most script kiddie attack that I can think of,
it's one of the most damaging because it makes your website,
your business, your product, unusable,
until that person decides to stop.
Yeah, exactly.
I didn't think of it like that.
But yeah, they had to, like, uninstall that.
And the vendor of that, it was ASCII Colors.
And the vendor of that ASCII Colors program had to write a patch,
which they didn't do overnight, right?
So they lost.
And it's all because some sysop neckbeard guy
wouldn't just be like, oh, cool, thanks bro.
I'll disable that for now.
Yep, egos.
You got to let the ego go.
Totally agree with you.
Now, though, we have the dark web.
And can you explain this a little bit?
Because I try to explain onion routing
and I just sound like a complete dork.
Basically, and correct me where I make a mistake here,
but basically the military, I think it was,
set up a browser that they allow the public to use
because the military also uses some of the layers
of this network to communicate or get intelligence or whatever.
And the more people using it, the more noise there is.
And it's essentially all encrypted.
And so they want a lot of noise from people who are not doing top secret things.
And they want it all heavily encrypted so you don't essentially know what is going on
on that internet connection.
And then, of course, on top of that, you use a VPN to mask your location, ideally.
Oh, definitely.
I always recommend using a VPN on top of Tor and disabling JavaScript if you're using
for any reason, even if you're just trying to be anonymous.
You don't have to be a criminal to want to be anonymous.
Right.
Tor is the web browser that uses, quote, unquote, dark web, which uses something called
Yeah, I hate the terminology.
I genuinely hate the dark web, but the terminology called dark web, because it is the
onion router.
That is, it's an open source project that was made for anonymity.
That's what it was.
Criminals exist on the clear web as we're going to get into, and they exist on the dark
web, quote, unquote.
The reason why I bring this up is, I did it at a very important.
episode a while ago about the Silk Road with an author who wrote a book about the guy who founded
the Silk Road, which was essentially a dark web. The way they explained it is not going to be accurate,
but it's like Amazon for illegal stuff. And it was like hitmen, drugs, psychedelics, stolen
whatever's, stolen IP, stolen actual stolen merchandise, stuff like that. It was just a place
where you could buy illegal things using Bitcoin. Yeah, Ross Ulbricht. Yeah. I actually know Ross's mom.
You know, I don't know anything like I told you before. I don't know much about politics. But when Trump was
trying to, I think, get reelected.
She was trying to get a pardon for,
like, I think, is it a pardon when they released people from prison?
Yeah, or clemency, maybe.
Yeah, clemency, that's what it was.
So she was, she was traveling around the country,
wherever Trump was having rallies,
she was getting all these people out, you know,
trying to get Ross out of prison.
I never met Ross.
I just, I just ran into his mom.
And, you know, she swears up and down that he never,
never hired Hitman or anything like that.
He also got robbed by, I think the Secret Service.
They took his Bitcoin, didn't they? And that guy got caught and fired.
Some government agency stole money in the middle of the investigation. I believe one of them is still
locked up to this day. And Ross got two life sentences. All of his appeals exhausted,
and he's in no parole. Yeah, it's, well, I'll save my opinion, but I think it's a little bit
heavy-handed for what actually happened, according to the book anyway.
Yeah, well, I mean, I've been on the Silk Road. I didn't purchase anything on it, but I've been
on Silk Road. I've seen how the site works, and I understood.
the concept behind it. He might have been a very intelligent guy. I don't know if it was just
him as like the administrator. He went by Dread Pirate Roberts. I don't know if it was just Ross by himself
or if it was a bunch of people. The idea was great except he let people control what was put on the site.
He was specifically, you know, you can't sell weapons here. There were not hitman services on his
site, but he was accused of hitman stuff outside of it and no child pornography. There were some rules
but a lot of stuff on there.
And mostly drugs and fake IDs, hacking services for hire,
whether they were real or they were fake, they were there,
a lot of stuff like that.
There are other marketplaces out there.
I don't know all of them,
but I know there was another one called AlphaBay.
And the owner of that one got arrested,
and he didn't get a life sentence
because he didn't make it that far.
I believe it was the first night
or somewhere near the first night.
He hung himself in his cell.
Oh, man.
Yeah, yeah.
The guy was living large,
in some Asian country.
And I think he had a couple of Lamborghinis
and a couple houses.
And, you know, he wasn't very smart
about making money that way.
But he unfortunately killed himself.
And he probably did
because he knew that there was no chance
he was ever getting out.
It's interesting to see a pedophile
get a certain number of years
or somebody who's done,
maybe killed someone with actual malice.
And then you find somebody
who facilitated the selling of mushrooms
and other things online.
Granted, maybe a lot of times
and ends up with a life sentence
and dies in prison.
It's just a little bit like, all right,
what are we doing here, folks?
Yeah, I can, I mean, look, I'm no lawyer,
I'm not the law, and I don't advocate
for anybody using substances, you know,
but people are going to do what they're going to do.
People are going to use drugs,
whether they're illegal or they're not illegal.
Yeah.
And if I was still a child doing drugs,
and I had a choice between buying drugs from
Tommy on the corner
or buying drugs from somebody
where I could read reviews from 10,000 customers.
Right.
I think I'd pick the one where I knew what I'm getting, you know,
and I'm not saying that what he was doing is all right,
but I agree with you.
I had to choose between the two.
I'd pick his service.
Yeah, I agree.
It's a totally different show about law and public policy
and, you know, misuse or misuse of the internet.
But the moral of the story is make your own fake IDs.
Don't buy them on the dark web.
Don't do that.
I'm kidding.
Man, there's so much to talk about that I just,
we'll have to get to some of your hacking tools in a little bit.
Actually, you know, it's great.
I want to hear about, you showed the Flipper X on a YouTube video
and how it works where you're sort of using this little device
to create men in the middle attacks.
You had another device that was a radio hacking device.
So the Flipper Zero and the HackRF.
Oh, Flipper Zero.
Yeah.
Yeah.
I don't have them in my pocket.
Oh, no, actually, I do have a flipper in my pocket.
Happy to be carrying that with you?
That's normal.
Yeah, I'm a normal guy.
Tell us a little bit about that thing.
You don't have to demonstrate anything, but I'm curious.
I think a lot of people are going, wait, you have a hacking device that just happened?
You're at home and it's in your pocket.
It must be useful.
It intrigued me because it did a lot of things in a small package.
Yeah, anyone right now can purchase one.
The thing is that they're going to be disappointed when they buy it because it's limited, you know, to what software you're running.
And if you don't know which type of software and which type of files to load this thing up with, you know, you're very limited to what you can accomplish with it.
I'll go through with the protocols.
So it has NFC, which is going to be access control or doors.
It could be key fobs, yeah.
Think key fobs and other things like that.
Key fobs as well as your credit cards and debit cards.
If they're tap-to-pay, they have EMV, which is, this can read your credit card
and give me your entire credit card number and expiration date just by waving it across your pocket
if you don't have an RFID blocking wallet.
You know, it does NFC, it does RFID, which is similar to NFC in regard to the access
control and it's more widely used for access control than NFC. NFC could do more than that.
RFID, I believe, is also what's in your dog, if you have a chipped dog.
I think most key fobs, at least the ones that I've used, are also RFID, those little gray things
you use to get into your apartment or whatever. Exactly. Yeah, they'll look like a credit card,
but they'll be blank. And it's access, you know, it's a fob to get into your building or into,
you know, office. It has the functionality to not only read them, but to emulate them. So if I go up
to you, let's say you have a fob that gets into your office, and I copy that fob with the
Flipper, I can then emulate that same fob at your office and your door will think I'm you.
It's a very low-scale attack, but this device is widely available.
And you're as dangerous as the software that you install on it.
So you have those two things, and you have sub-gigahertz, which is, I believe it's with
the firmware that I'm using, it's 300 megahertz to 900 megahertz, which is enough of a range
to do car key fobs, garage doors, gates,
you know, even intercoms at Walgreens, CVS, Lowe's.
Oh, really? Intercoms? I didn't think about that. That's funny.
Well, you know, the buttons in the aisles where you're requesting assistance.
Oh, yeah. Sure.
You would capture the frequency with this device.
Basically, you're recording it almost like it's a, like it's a microphone for radio.
You're recording that signal and then you're replaying it later on.
And if it's a static signal, like it is at, let's say, a CVS in the cough and cold department,
I got a cold right now.
So that's where I'd be going.
I'd click the button.
I'd ask, you know, and then someone would come.
But the intercom would say assistance needed in the cough and cold department.
But at that time, I'd be holding the Flipper up to that device.
I'd capture the signal and replay it.
And then the intercom would do the same thing as if I press the button.
That's funny.
So you just walk into CVS and you're like, I know I'm going to need them to unlock the cold medicine.
So as soon as you walk in, you hit the thing in your pocket and stroll right over there.
And the guy's waiting for you.
Exactly.
Or, you know, there's some files out there.
Like, you know, if you want to be like a nuisance,
there's CVS chaos, Walgreens chaos, Lowe's chaos,
where it takes every single button in the store
and some that don't even exist at certain locations.
And the intercom just goes, da-ding, do-ding, do-d-ding, the ding, the ding, the ding.
And some of the buttons, they can't go over to deactivate
because the buttons don't exist in the store.
Oh, no.
It's right.
It's in the system that they have, but the button's not active,
but it still can take a signal.
Oh, God.
Yeah, so the employees are like,
we don't even have a cosmetics department in here.
Like, why?
I don't know how to turn it off.
So then they probably have to go into the back to turn it off.
It does that.
It does infrared, which, you know, it'll get TVs and air conditioners,
sound bars, DSLR cameras, anything that uses infrared,
which you'd be surprised.
A lot of things do.
It can not only read and copy an infrared remote,
but replay the signals a lot stronger than your average remote.
So it does that as well as other access control stuff.
Do you remember the TV?
There was a device not quite like this,
but there was a device.
TV-B-Gone.
Yeah, that's funny.
You read my mind.
Wow, that device really can do a lot of things.
No, the TV-B-Gone.
Yeah, you'd push the button and it would just send like a universal,
it would, I guess, cycle off for 500 different TV models
and turn off all the TV.
And so does this.
Even if you buy this out of the, you know, off the website,
you leave it with the stock firmware on it.
It does have a universal TV remote where it cycles through all the major brands
and you could turn the TV off, go through the volume,
mute the TV, change the channel.
It has that built into it by default.
Yeah, sports bar chaos.
Yeah, sports bar chaos.
But when you start to put custom firmware,
I'll give you one example.
There's a specific type of firmware you can put on here that...
By the way, firmware is software for chips like semiconductors.
So people are like, what is that?
But just think software and you'll be fine with following the conversation.
It's ones and zeros.
The correct amount of ones and zeros goes into this device.
And then there's a version that, you know,
if you press your garage door opener,
normally that code would be a rolling code.
A rolling code changes every single time that you press the button.
So your garage door is expecting that next code.
So let's say you're in your driveway, press your garage door button.
And the code is 1, 2, 3, 4, 5, 6.
The garage door says, okay, that's a valid code.
I'm going to open.
And now 1, 2, 3, 4, 5, 6 is no longer a valid code.
1, 2, 3, 4, 5, 7 is a valid code.
And that's the next one in the sequence.
But, you know, it's a little more complex than that.
But if you get my point, it changes every time you press that button.
Cars use that and stuff now, or either they're supposed to.
Exactly.
Some key fobs do that and garage doors do that.
And many things use rolling code systems.
But a few of the major brands, like Security Plus, I believe, 1.0, 2.0,
and I think it's CAME, C-A-M-, have been broken by some firmware on this device specifically.
So if I capture one of your garage door attempts, one of you press the button, I capture it.
I now know the next sequence.
You know, forever, I can continue to open your garage over and over and over again with just one
capture. The way that you would kind of know somebody's doing that to you is if they open your
garage door and you click your button, your garage door doesn't open, you know that it's out of sync
by one. You click it two times, then it starts to work, then you know that it's out of sync
by two. If I open your garage door five times with this device, then you've got to click your
garage door opener six times for it to be back in sync. That's very interesting. I know back when I
lived in Hollywood, there was a notice kind of going around. We didn't have Nextdoor or whatever,
but there was a Facebook group and it was like, hey, don't park your car in your driveway,
which is impossible because people don't have big garages, especially in the Hollywood Hills.
But there was this gang of, it turned out to be like Russian gangster kids. They would ride
around in Range Rovers. You'd see them on surveillance cameras. They would stop and park and suddenly
like a BMW door trunk, whatever would open. And the guy would run in, ransack the car and leave.
There was somebody in the car with a laptop or whatever,
some sort of device that would just go through
and try every possible code for the fobs,
whatever, the RFID, whatever it was using.
That would be considered a brute force attack.
Yeah, it was a brute force attack, yeah.
They would know the right frequency to send.
You know, they would know exactly what to send
and then they would loop through.
Let's just say it was an 8-bit code,
and they would just go through each one until it opens.
And there's a more advanced way of explaining it.
There's a thing called like a De Bruijn sequence, which,
you know, would make that time a little bit fast, well, a lot faster than going just one, two, three, four.
You know, that's a little more technical.
If you're interested, look into RollJam attacks, which is how you can abuse rolling codes without having to actually crack the rolling code.
They're called RollJam attacks.
And if you're interested in the De Bruijn sequence, there's something cool by a hacker Samy Kamkar who made this awesome kids' toy into a garage door opening machine.
That's funny.
It's super interesting stuff.
You should check it out.
Hackers, man, are so interesting.
I remember one of the talks at DEF CON, again,
it was probably like almost 10 years ago now,
maybe even more.
There was a guy who had a similar looking radio device,
and it could broadcast aircraft IDs.
Well, it could read and broadcast aircraft IDs.
Yeah, so my HackRF does the same thing,
and that's called an ADS-B.
So ADS-B is what you would be receiving on,
and it will give you the call sign of the airplane.
It'll give me their altitude.
it'll give you the location on the map.
And there's an option as well to transmit ADS-B, which is not legal, I'm guessing.
It's definitely not legal whatsoever because you could represent to, let's say,
I live near an airport.
So a small plane could believe that you are at whatever altitude with this call sign going in this direction.
And you could cause a problem.
You know, that's kind of dangerous.
But it's something like that is available for anybody to do if they have the right knowledge
or they spend some time trying to learn how to do that stuff.
So one of the talks at DEF CON was a guy who, a hacker, saying,
hey, we got to be careful because I got an antenna in this device and this,
I don't know, is it like he laid up on top of Google Maps or MapQuest or whatever
was available at the time.
And he's like, look, here's all the planes in the area.
And he's like, what if we simulate by spoofing two or three or 23 planes that aren't there
and we put them near an airport?
It's pure chaos.
What happens if we do that and we put them near buildings?
This is after September 11th, of course, you cause massive terror.
Okay, now what happens if I put them heading towards the White House?
And it's like, now we have a military response potentially,
or at least they're going to have to make sure that that's an error
and those aircraft are not actually there.
But talk about terrifying huge numbers of people.
Yeah, you could cause mass panic with such a small, simple, easy to set up.
that a consumer can buy, you know, it's not really talked about often,
and I'm not going to explain how to do it either.
But, you know, it is scary to know that there are criminals out there that don't know
much about computers and can take this interview.
They'll do this at their own research.
And I hope that they, you know, that they don't figure out how to do stuff like that.
Yeah.
I'm thinking, look, most of the people who are creative, smart enough to figure reverse
engineer what we're talking about are people who could either figure it out on their own
or are going to have better things, hopefully better things to do than that?
I would hope so, yeah.
I would hope so.
I believe that you're right there too.
I mean, most of the time, the smartest people that I know are not criminals.
No, there's more money to be made in legitimate operations.
And if you really want to be kind of criminal, join the freaking NSA already.
Yeah, get permission.
Right, you get permission.
At least you won't go to prison.
I've got some thoughts on this one.
But before I get into that, I wanted to give you a preview of one of my
favorite stories from an earlier episode of the show. Megan Phelps-Roper, she used to belong to one of
the most hateful religious cults in America, the Westboro Baptist Church. She was born into this
church and she later escaped. To hear her tell the story firsthand, it's really incredible.
I started protesting when I was five years old, but even at that first picket, there was a sign that
said, gays are worthy of death. So God hates facts is what Westboro's message that we became known
for. We were the good guys, and everyone outside the church was
evil and going to hell and we had the only message that would bring the world any hope.
We had to go and warn people.
These terrible things are happening.
And if you want this pain to stop, then you have to change because God isn't going to change.
After the September 11 attacks, we had the sign that said, thank God for September 11.
What were we thinking?
This massive crowd comes down.
We were at this corner of this intersection of these three streets.
By the time they actually reached us, we're just enraged.
There was no space between us and them.
It got really dicey.
One of my cousins gave his signs to somebody else and started standing on top of a trash can,
pretending like he wasn't with us.
They were, again, incredibly intense because obviously the circumstances are so sobering.
It brings me incredible sadness to think about now.
I can't do this forever.
My family, they would refuse to have any contact with me at all once I left.
Somebody that we had confided in, sent a letter to my parents and told them that we were planning
to leave. And then that email came in and we left.
For more with Megan, including the details of her harrowing experience and escape,
check out episode 302 of the Jordan Harbinger Show.
All right, that's it for part one. Part two coming in just a few days, if it's not already
out by the time you hear this. All things Ryan Montgomery will be in the show notes at
jordanharbinger.com or just ask our super smart, all-knowing AI chatbot. Transcripts in the show notes.
Advertisers, deals, discounts, ways to support the show, all at jordanharbinger.com/deals.
I've said it once, but I'll say it again. Please consider supporting those who support the show.
And yay, newsletter folks, highlights takeaways from the most popular episodes of the show going all the
way back.
jordanharbinger.com/news is where you can find it. And I will reply to you if you reply to me there,
so you can send me snarky comments and passive aggressive feedback,
jordanharbinger.com/news.
And don't forget about Six-Minute Networking,
also at jordanharbinger.com/course.
Basically everything's on the website.
I'm @JordanHarbinger on both Twitter and Instagram,
or connect with me right there on LinkedIn
where all the not crazy people are
because you can see their names.
That's got to be it, right?
Twitter, crazy, Instagram, crazy, LinkedIn.
People behave because you can report them to their boss.
At least that's my running
theory, and it's why it's one of the only acceptable places to even have a conversation online
these days, unfortunately. This show is created in association with PodcastOne. My team is Jen Harbinger,
Jace Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, and Gabriel Mizrahi. Remember,
we rise by lifting others. The fee for this show is you share it with friends when you find
something useful or interesting. The greatest compliment you can give us is to share the show
with those you care about. If you know somebody who's interested in the dark web, hacking, social
engineering or just needs a wake up call about what kind of gross people are out there predating,
definitely share this episode with them. In the meantime, I hope you apply what you hear on the show
so you can live what you learn. And we'll see you next time.
