[START OF RECORDING]

JACK: [App beeping] Hey.

DAD: Man, I don’t see you.

JACK: Yeah, my tape is usually over my camera.

DAD: Why don’t I see you?

JACK: I got my tape on my camera. One second.

DAD: Ah. I can’t even hear you.

JACK: You can’t hear me?

DAD: My sound…

JACK: [Background talk] There’s a story I had that I totally forgot about but I remembered recently, and I wanted to call up my dad and walk through it again with him to try to remember how it went.

DAD: Yeah.

JACK: I want to recollect the story with you.

DAD: Yes.

JACK: Because as I tell it, I don’t think people will believe it. So, I figure you can verify that this is true.

DAD: Yeah.

JACK: Alright, so, do you remember my senior year at high school?

DAD: Okay.

JACK: I had my own car then. I was mentally done with school. I did not want to go to high school anymore. I was just sick of it. I just had been there too long. I had one elective left, and I said, what is the easiest possible class I could take? Do you remember what I chose as my last elective in my senior year?

DAD: It was either welding or typing. I can’t remember.

JACK: Typing, yeah. But typing — how fast could I type as a senior in high school?

DAD: At least 99 words a minute [inaudible].

JACK: Right, right. So, choosing that as an elective…

DAD: Oh…

JACK: …that’s the easiest class ever. That would — that’s gonna be a walk in the park.

DAD: [Music] I was happy for you. Senior year.

JACK: Here’s the problem, though. The class was the first period of the day, and…

DAD: 8:40?

JACK: 8:40, yeah. So, I had to be at Typing, first class of the day. Yeah, the class was real easy. When I got there I was like, oh good, this is just a beginner typing class. I could type super fast. So, I’ll tell you what I’ll do, is I’ll finish up my lesson in like, ten minutes. I could do this whole — these — all the stuff you guys are doing today, I’ll do it in ten minutes and I’m done. So, I even worked ahead. I said, hey, teacher, can I go on to the next lesson? Sure, sure. So, I would do a whole week’s worth of work on Monday, and then I would help out some of the other students and stuff. I mean, I think I was the star student in that class.

DAD: Of course you were.

JACK: But once I got ahead enough — I mean, you know what my morning routine is. Am I a morning person?

DAD: I probably woke you up at 8:30 and said, you have ten minutes. You could not wake up.

JACK: Yeah, I had trouble waking up. So…

DAD: You had narcolepsy or something.

JACK: I did. Yeah, that was — I used to use that excuse all the time.

DAD: You did.

JACK: So, I would get to school late on this typing class. I thought, no problem, I’m a perfect straight-A student in this typing class. I’m helping the other ones. All my work is complete. I don’t think it’s gonna be an issue if I’m seven minutes late, ten minutes late. That’s fine. So, I would show up late consistently to this typing class.

DAD: Oh no.

JACK: But yeah, well, the teacher didn’t like that. She said, you can’t come in late like — I have to send you to the principal’s office if you come in late one more time. You gotta come in on time. This is like, your fifth time being late. I said, yeah, but I’m getting all the work done. What’s the problem? She said, no, no, no, if you come in late again, I’m gonna have to report you. So, the next day, I couldn’t get it together. You tried waking me up again, and I was late. She said, that’s it. You gotta go to the principal’s office. The principal didn’t want to see me, but the vice principal was there. He said, what’s the problem? I said, no problem. I’m doing well. He said, well, the report here says that you’re late, so this is — you’re a senior, you know? If you get late too many times, you’re not gonna graduate.

DAD: Oh, my.

JACK: I said, listen, I — have you looked at my grade in this class? He said, that doesn’t matter if you’re late. I said, no, it should matter. Listen, I think your priorities are all screwed up. If I’m acing this class, if I’m getting it all correct and if I’m helping the other students and I’m a value add to the class in general, not just myself, then don’t you think that I should be graduating with that sort of work ethic? He said, no, it has everything to do with being on time. It has nothing to do with work ethic. You have one more chance, and if you — I’m gonna be there tomorrow, and if you are late again this year, you are not gonna graduate. I said, really? You’re gonna hold me back just for being late even though I have perfect grades? The next day, of course, I’m late. I could not get it together. The vice principal was standing at the door when I arrived.

DAD: Oh.

JACK: He said, that’s it. You’re late. This is the last straw. You’ve failed this class. I said, how would you — why would you do this to me? It’s not like I’m struggling with this class. This class is easy. I’ve got it nailed. I’m like, three weeks ahead of every other student in the class. He said, I don’t care. You can’t come to school on time, so therefore, you fail. Fail. So, they wanted to hold me back a year, a whole year of high school, and not let me graduate.

DAD: Now, you’re only missing a half a credit at that point if you didn’t graduate. You could have went to summer school and picked up a half a credit.

JACK: That’s right, I could have.

DAD: But you did something else.

JACK: [Music] So, what I brought — when I brought this news home to you and I said, listen, I’m not gonna graduate this year, your brain started going into overtime and you started thinking up of — solutions.

DAD: Yeah, here’s a couple things. One, after you got thrown out of the class, I noticed you didn’t go to school when I’d wake you up in the morning. I’m not even sure what was going on. You’d say, don’t worry about it, dad. I can get in there. Second period I gotta be there. So, that. But third, your social engineering wasn’t 100% yet. That was your problem.

JACK: Yeah.

DAD: You should have done a lot better with the assistant principal and the teacher.

JACK: Oh yeah. But you saved me that year.

DAD: Of course I did.

JACK: I don’t know how you came up with the idea, but you found me an extra half credit.

DAD: Well, you one time switched high schools for, I don’t know, four weeks or something. You didn’t like those kids, so you went back to the original high school, which, by the way, was less than a mile from our house. I don’t know how you were ever late; less than a mile.

JACK: Yeah, it was very close.

DAD: So, I knew you were at that other school. I went over there, and one of my kinda best friends — played sports together and things — I said, do you remember my son Jack? Yeah, yeah, nice kid. Well, is he in your PE class? Yeah, yeah. I said, you never gave him credit for that. He said, oh, man, this is so hard. Credit? I said, not only do you gotta give him credit, but you gotta get it done before graduation. You got like, six days. He just said, I don’t think I can do it. I said, no; you go to the registrar, you put his name down. Well, he said, you owe me big time, and somehow magically gave you a C for PE, sent it over to your high school, and that’s really not the end of it. The end of it was graduation at your high school.

JACK: Yeah, yeah. So, that sorted it. Now I was back on track to graduate and everything was fine. I went to the ceremony, I sat in the stands, and then how did the ceremony go?

DAD: The assistant principal, your arch enemy, he’s the one handing out the diplomas.

JACK: The same guy who told me I can’t graduate.

DAD: Yeah, just six days before; you’re not graduating, and now he calls your name. You come up. He looks at the diploma, stares at you. I didn’t think he was gonna hand it to you, and then he grimaced and gave it to you. There you had the diploma with the missing half credit. I think the statute of limitations ran out on all that, so…

JACK: Okay, I won’t be kicked out of school?

DAD: Permanent record.

JACK: It’ll go on my permanent record, this one. Oh, no.

DAD: Yeah.

JACK: Yeah, so that was quite the — all because of the typing.

DAD: Unbelievable. Yeah, so, do you still know how to type?

JACK: [Laughs] Yeah, I do, but do you know how at this point?

DAD: No. I’ve never had a job in forty years where I needed a typewriter or a computer. Never needed one, or a cell phone. I’m analog all the way.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: I want you to meet Greg.

GREG: So, I grew up really, really poor. I grew up in Tucson. Fortunately my father was an avionics technician, and he was an undiagnosed autistic. Brilliant man. He was a MacGyver. The man would just tinker and make things throughout his life. While we were poor, my father decided to dumpster dive.

JACK: His dad would find various computer parts in trash dumpsters behind buildings and bring them home. After doing that a few times, he had enough spare parts to assemble whole computers.

GREG: I had a Commodore VIC-20, I had a trash 80, and then I had an Apple IIe, all when I was born, and I always loved them.

JACK: [Music] Back then, computers were not as common as they are now. Having one in your house was a luxury. Having three, you were really fancy, and simply having these things within easy reach enabled Greg to learn tons growing up instead of maybe getting introduced to them sometime in high school if your school was lucky enough to even have computers.

GREG: That was my escape as a kid. I was an undiagnosed autistic kid until in my thirties, and I just immediately loved computers.

JACK: Computers were a novelty for me as a kid until we got AOL. Then I became obsessed with them.

GREG: I was an AOL kid, too. Matter of fact, that’s where most of my first programs ever came around. I was one of the first to discover the 1IM exploit. That was my first vulnerability I ever discovered, was the integer overflow in the AOL client when you sent a font size with a long enough number. I remember finding that and making the 1IM punter back in the day.

JACK: I remember AOL punters. You could send someone a message but then put something in that message that when they receive it, their client wouldn’t know how to process it, and it would just crash their AOL session. So, you could come into a chat room, send everyone a message, and then see half the room suddenly disappear because their apps would be crashing, and they would disconnect. So, all this fascinated Greg, to be able to force someone else’s computer to do something it’s not supposed to. That’s cool. What else can you do? [Music] His interest in hacking took root and grew. Soon he found himself in an online group that was trying to create malware.

GREG: When I was a virus writer, my ideology — I had — I actually targeted pedophiles. Every single — every piece of malware I ever wrote was designed to target pedophiles. We ran a group in there to target people who were targeting children. The best part about targeting pedophiles is I think it’s the only case that you can say I gave malware to someone and they’re absolutely not gonna report you to the police, because what are they gonna say? I was trying to pick up this kid and they sent me a jpeg.exe to them? That was the case for many years. When I wrote viruses, that was the only people I targeted. Otherwise, for me, writing viruses, again, was the thrill of learning about polymorphism, metamorphism, and — as well as high-level, low-level code execution. I just generally loved the thrill of the knowledge of it. It was an art. I still think it’s an art form.

JACK: His specialty was using Visual Basic to code malicious macros in Microsoft Word documents. So, he would send the Word doc to someone, trick them into opening it, and if they had macros enabled, that would allow Greg to take over their computer. Now, keep in mind, he was doing all this in middle school, not even in high school yet, and middle schools back then didn’t even have computer classes. If they did, it was just to take a math quiz or something like that, not really teaching how to use them and stuff. By the time he got to high school, they were just starting to teach kids commands and certain applications on computers. So, one of the first classes he took was keyboarding, which is learning to type.

GREG: I was like, no, fuck that. I ain’t gonna type. I know how to type. [Music] So, our school worked on Excel. All the great systems were in Excel. So, I’m one of the old-school macro virus writers. I remember Colors, and back in the day, those series of Colors and Tristate, those were the areas of macro viruses I remember I started programming in. So, with Excel, I was like, I could do this. I don’t want to be in this class. I don’t want to be in this school. So, the entire grade system was in Excel, and I made a macro virus that would look for my student ID number — a trick number, identify the areas where the grades were in, take the average number of the number of the percentage, or if it was A through F, it would be — I’d make myself as a B, and it would average a number to be 87%, and gave myself 87%.

JACK: He was able to take this malicious Excel file and get it onto the teacher’s computer, and suddenly he was getting all B’s in his classes. On top of that, he made it so he had perfect attendance, too, no matter if he was there or not. So, he just stopped going to class. What’s hilarious is he did all this while in his typing class. He even coded in obfuscation techniques to avoid detection. Like, after the teacher would record his grade and then close Excel, that’s when the macro would trigger, on close. He would stage all this information in a column that he hid off to the side so you couldn’t see any of the funny business happening.

GREG: This worked really well. I was in school for nine days. That’s how long it took me to write this and then put it into the school system. Then every day I went home. I was just at home. One day my friends came over and — they came back from class ‘cause I still would hang out with them. They were like, hey, Greg, man, the computers at school are really weird. I was like, oh, what are they doing? He’s like, well, they’re crashing. Everyone says Excel’s not doing well. [Music] I remember my stomach sinking. Like, oh, what do you mean? They’re like, well, they — when they’re getting everyone ready for the finals, everything changed and something crashed. I think they’re calling McAfee over it. I was like, oh no. So, I walk — I went to school the next day, get into the school library — and I hadn’t been in school for so long that the librarian was like, who are you?

I was like, I go to this school. I promise. I’m here. She’s like, I’ve never seen you. Who are you? I was like, well — do you have a student ID? I was like, no, I don’t have a student ID. She’s like, okay, go to the principal’s office. So, the principal, they’re just like, hey, we know you’re a kid. We know your name checks out. You’re in these classes, but none of your teachers recognize who you are. I was like, oh, I’m sorry. I just kinda shut up at that point. They sent me home, and what happened was the school added a column in all the Excel sheets to calculate final grades and to do something for final grades, and unfortunately that column just happened to be where I stored the previous data of all the columns. So, the virus would restore the doc — the sheets when teachers opened up the sheets. That caused the Excel files to crash on grade, and they sent the sample to McAfee. McAfee at the time was like, yeah, this is a macro virus and it was custom-written for your school. So, the school decided to call the police. The police showed up, knocked on my door, arrested me, and…

JACK: Really?

GREG: Yeah, yeah. I mean, it’s a government — it’s a public school. It’s a public high school, so it’s technically the government.

JACK: This was real bad. He went to juvie, juvenile detention. They locked him up in a concrete room with a steel door and a tiny, little window. It’s a scary place for a teenager. [Music] So, I have a note here. It says you’re the youngest hacker to be arrested…

GREG: Youngest…

JACK: …in Arizona.

GREG: I was the youngest child to be arrested in the state of Arizona for a computer crime, for — I’m not sure if that still holds, but that was the case for a long, long time.

JACK: A politician wanted to make an example of him, saying, see? Cyber criminals are really bad and we should do more to stop them. But he caught a lucky break.

GREG: But they came back that the Tucson police failed to handle the evidence correctly and my case got dropped, luckily for me.

JACK: However, he was ordered not to touch computers for a whole year. Can you imagine no computers for a whole year?

GREG: I made a deal with the courts to say I won’t touch a computer for a year. I’ll have to get a probation officer to sit next to me when I operate computers, and then I — and after that we’ll re-evaluate the situation. So, for a year, any time I wanted to touch a computer, which was mostly the library back in the day — if you remember when libraries had the little internal library machines to go look up for books in the library — I had to go call this very large sixty-year-old man who was — absolutely had no idea what computer hacking looked like, and I remember fucking with him quite a bit and saying, oh, I’m getting into the system. He’d look at me and grab my hand and pull me away from the computer and — like, we’re going now.

JACK: [Music] What kind of person — what kind of kid were you like in high school?

GREG: Oh man, I was absolutely — I was a goth kid. I was the goth kid who wore the large — I got in trouble for wearing a black trench coat ‘cause unfortunately going to high school during the 2001 era, you come across the Columbine incident.

JACK: You know, back in the nineties when I saw a goth kid, I just thought they really liked the movie The Crow.

GREG: Yeah, The Crow was a good one. My best friend at the time, his name was John Oller. John was a huge Crow fan. He actually — he kinda looked like Brandon Lee, too. So, he was a goth-of-The Crow type. I was more into the industrial music. I always loved Skinny Puppy and Suicide Commando, Velvet Acid Christ, all that — all those late-nineties industrial bands. So, I was more of a rivethead. I didn’t know at the time what a rivethead was, but I was just an industrial kid; big, stomping boots, goth, industrial music. I liked metal but I didn’t like metal so much; I like electronic music. So, when I found out industrial music, which is essentially goth music mixed with techno, I was like, this is it. This is my lifestyle.

JACK: You wear earrings?

GREG: No. I actually — well, sorry, I take that back. In high school I think I had nine piercings. I had, you know…

JACK: Did you wear eyeliner?

GREG: No, I was not a makeup goth. I was not a makeup goth. I had the dog collars, so I had the goth collars. So, I had the bondage outfits. I was one of those goths for sure.

JACK: Okay, so this just emphasizes when they’re looking for the person who did this.

GREG: Yep.

JACK: They’re just like, you’re the one…

GREG: Yeah, I’m sorry…

JACK: …who does not look like everyone else.

GREG: I’m sorry, everyone. The goth stereotype for the virus writers, that was me. That was me, everyone. I apologize. Yeah, I remember…

JACK: You started this.

GREG: I did, I did. So, my parents kicked me out of my house. I lived in a group home after being arrested. I was in a…

JACK: Wow, just because of that event?

GREG: Yeah, yeah. So, I lived in…

JACK: And you’re not normal, Greg. You’re wearing — you got too many piercings. Come on.

GREG: Yeah, I did that all myself, too. So, I got kicked out. I lived in a group home from the age of fourteen to eighteen. [Music] So, I was in and out…

JACK: That was a tough time.

GREG: Yeah.

JACK: So, at fourteen is when you got arrested.

GREG: Correct.

JACK: Then, that’s a hard time to go through an arrest. That’s scary. You don’t know what you’re facing there.

GREG: Correct, yeah.

JACK: Then to be thrown out of the house…

GREG: Yeah.

JACK: …and then like, what? I gotta do this on my own? Gosh.

GREG: Yeah. So, I lived in a group home; didn’t have access to a real computer. So, my only computers at the time were the ones in school. It was rough, man. It’s one of the big reasons why I always try to reach out to people who are kind of in rough situations, ‘cause my life has not been an easy one. It has not been easy. Living in a group home, which — the group home was — the one I got assigned to was a government group home, and it was mostly for kids who were domestic violence or runaways. So, it was a lot of violent kids in there. It was a small — it was like a small four-bedroom house, but it had — at any time it had between six guys and six girls and then staff members there. So, it was cramped. Everything was shared. It was not a good time. It was a rough life.

JACK: I think I just got some clarity on what it means to be goth just now. It’s not about the clothes and the makeup and the music. It’s about not fitting into a world that tells you to shrink and conform and smile when you’re falling apart inside. [Music] It’s about understanding that you are different and you can embrace your difference, and you gotta pay the price. Being misunderstood by your teachers, so-called friends, even your own family, can become isolating. There’s this moment I imagine that every goth must face.

You have a choice; either break yourself down into something more acceptable, force yourself into a version of normal that everyone wants you to be, or you can embrace that shadow inside you, that one that’s screaming out, wanting to be seen, wanting to be heard, but knows that it’s just too weird for people to understand. Goths choose to embrace that inner shadow, lean into their weirdness, wear it like armor, and let your darkness be your beauty. When you’re in a place like a halfway house with nowhere to go and no one who really knows you, that identity, being goth, can become more than just a style.

It becomes your anchor, because being goth means you already know what it’s like to live on the outside. You already live in the cracks of the system. So when the worst happens, when your life is shattered, being goth is a reminder that it’s okay to be on the outside of society. The music reinforces the idea that it’s okay to live outside what’s normal, and there’s a level of comfort to hear that music and to see other goths who are also struggling to fight what’s normal, those quiet rebels, the kids who find beauty in broken places. I imagine that being goth makes you more resilient to problems like this. It gives you a tribe without borders.

It gives you a sense of self when the world pretends you’re invisible. So, I imagine being goth in that halfway house was an amazingly helpful way to get through it, to self-soothe. Every time he put on dark clothes, it was like he was giving himself a hug and saying, it’s okay to be different. Don’t worry about what everyone else thinks of you. Man, to go through something like that, and goth being your anchor, that could easily make you goth for life. Man, I think I got carried away there. Okay.

GREG: So, after I get out of high school — so, I was doing music, one of the few things — so, I became — I was a musician and I was a successful musician. If you’ve ever seen The Matrix sequels movies, then you’ve heard my music. At one…

JACK: What? Your music is in The Matrix sequels?

GREG: Yeah. So, I got contacted by a company called Spiderbite Studios, and they wanted to make music for The Matrix, especially behind-the-scenes Matrix stuff. They wanted to do some music there. The big thing is they were looking for someone to make music for the trailer for the video game The Matrix Online. [Music] So, they sent me an e-mail and they were like, hey, your music sounds great. So, that was my first example of being exploited in a contract by a large company. I sold my music rights for $400 each. I think I got $4,000 total out of that deal. So, I was like, I’m $4,000 richer. That is awesome. After that, that got into — a lot of people asked me to do music and go touring. So, I did a European tour. It was all throughout Europe. I think I went to every country except for Latvia and Lithuania. Toured for a while and I came back…

JACK: What are you playing here?

GREG: Synthesizer. It was a one-man project. So, I did — I love synthesizers. At one point I owned over eighty of them. So, yeah, after that, I came back. After a long tour time, I came back to Arizona. I was homeless for a while because you only make $30,000 as a musician, average, a year at that time, especially an industrial musician. You don’t make any money. So, I came back homeless, and then I lucked out in getting a job working at Massage Envy.

JACK: Massage Envy is a massage parlor, but it’s a chain and they have over a thousand locations all over the US, and their headquarters are in Scottsdale, Arizona, and they needed someone to work on the back end of their booking system. They gave Greg a shot, and he excelled at it.

GREG: It was all vb.net and ASP code back end. So, I was coding that, and I was breaking software in the meantime. milw0rm — so, I was coding exploits on milw0rm and just throwing them up there, and I was literally trying to throw an exploit up there a day. I remember I got an e-mail from eEye, [music] and they were like, you’re cracked. What is going — like, what are you doing? Where do you work at? Tell us about you. I was like, well, I’m a software developer in the middle of Phoenix, Arizona. I work on Massage Envy’s back end. They couldn’t believe it. They were like, what? You’re not in security at all? I was like, no. I was just like, I just break stuff for fun.

JACK: eEye was a cybersecurity company based in California. It’s spelled E-E-Y-E, eEye. They created some tools to help people be more secure. Like, they made a vulnerability scanner, and that’s how they were able to make money. So, eEye saw that Greg was writing a lot of malware and posting it publicly, and they liked that and decided to hire him, and flew him out to California to give him a job.

GREG: Yeah, well, the team I was on, we were all about finding zero-days and finding exploits.

JACK: Yeah, but there’s no money in that.

GREG: Marketing, my friend. When you have a good research team and they’re rockstars, they’re gonna look at you and your product and think, oh man, those guys know what they’re doing. So, yeah, when I got there, the person I replaced was Barnaby Jack. I took — I actually had his desk and everything, man.

JACK: Wow.

GREG: Yeah, yeah. Lots of respect to him, man. It was — I never filled his shoes, but it was just an honor to be a part of — you know, be around him. I got to meet him multiple times. He was a great guy.

JACK: See, back then, nobody had a bug bounty program. If you found a vulnerability in some software, that company wouldn’t pay you anything. You’d be lucky if they sent you a t-shirt. There was zero money in vulnerability research then. But the reason eEye did this research to try to find vulnerabilities in software was for two important reasons. One, to earn credibility. eEye company must have some pretty sharp researchers to constantly be finding vulnerabilities in things. I bet their tools are great. It works. Two, recruitment. By making the news again and again that they keep finding vulnerabilities, top talent would want to come work there.

Now, they did follow responsible disclosure. When they’d find a vulnerability, they would do two things; first, tell the software maker and show them exactly what they found. Then they would announce publicly that they found a vulnerability in a product. They wouldn’t say what the vulnerability was, though; not until after the software company was able to fix it and patch it. So, that was the team that Greg joined, to simply find new bugs in software that nobody knows about, which is what’s known as a zero-day vulnerability.

GREG: So, I get there, and Office drops — Office 2007 drops probably about four weeks — like, within my first month of working there. We were looking at other software. We were looking at, I think, CA Arcserve Backup, if you remember that terrible product. I have — as a macro virus author and — I can look at Office — hex editors in Office; I could tell you where the blobs are in Office. I know the bit format very, very well. So, when it comes to…

JACK: So, there — your boss or someone told you…

GREG: Marc Maiffret, yes. We’ll put his name for the record here. [Laughs]

JACK: Marc Maiffret; I’ve heard that name before.

GREG: If you don’t know, Marc Maiffret got famous from MTV’s True Life of a Hacker. [Music] That’s where — that was his claim to fame. He was on that.

MARC: You know, over the last few years and basically ever since I got into hacking, it’s just been kinda like a wild ride or somewhat of a movie. After the raid, started thinking a lot different about my life and what I wanted to start doing with it and turn things around.

MTV: These days, Chameleon is living the hacker dream, creating security software for companies to protect themselves from people just like him.

JACK: [Background talk] That was a clip from the MTV show called True Life Hacker from 1999. The show follows Marc around as he hacks stuff. He was wild back then. So, I imagine it’d be really crazy to have him as a boss. So, your boss told you Office 2007 just came out. Do you want to take a look at it? It’d be great if you could find some sort of virus or bug — or, not a virus but an exploit in there, a bug that we could use for Marketing…

GREG: Absolutely.

JACK: …and make a big deal about. So, jump in there. You were assigned to do that.

GREG: Yeah, that’s exactly how it worked. Anything that came out, any big thing — we were essentially bounty hunters. We would go out and be like, yeah, let’s go break this thing. If we have…

JACK: Yeah, but there wasn’t paid bounties back then. You’d get a t-shirt if anything.

GREG: It was all about the honor of being the first. We wanted to be the first, too. That was a big deal.

JACK: Yeah, the honor was a reward.

GREG: Yup. It was be the people who first found a bug. So, I went in there and started manually fuzzing Word at the time.

JACK: [Music] Fuzzing; the first time I did fuzzing was when I was five years old and I went to the supermarket and they had a gumball machine. My mom gave me a dime and showed me how you put it in and you turn the crank and you get candy. It was awesome. For years I was drawn to them. I just had to touch them every time I saw them and check them out. I would try turning the crank on every one to see if it would just give me candy with no money in it. Nope. Unless you put money in it, the crank won’t turn. I would sometimes try to put money in it and turn it very slowly to see if I could get a little bit of candy, and as soon as I do, turn it back real quick to reset it and do it again, but that didn’t work.

I would check the dispenser chutes to see if anyone left candy behind there, and yes, sometimes they did, and that was cool, a bit of free candy. I would shake the machine sometimes to see if I could get candy to come out that way, and that did sometimes work, too. But then I was like, how does it know I put money in here? Like, how does it know what a quarter or a nickel or a dime actually is? So, I started jamming anything I could find that would fit in there; plastic pieces, metal washers, cardboard, shoelaces. I’d shove it in, I’d turn the crank, and I would see what happens. I’m telling you, from five years old all the way to fifteen years old, I was fiddling with these things every time I saw one.

That, to me, is what fuzzing is. It’s trying to use the tool or machine or application in ways it’s not supposed to be used to see if you could glitch it or somehow get it to act weird. What Greg was doing was he was opening Microsoft Word and trying to put something in a Word document that wasn’t allowed. I don’t know, maybe trying to put a Chinese letter in there or some strange ASCII symbol. Word would accept some of these characters but then just deny others. Now, if Word won’t let you input a strange character, why? Will it break if you somehow force it to take that strange character? Well, Greg wanted to try.

So, he opened up a Word doc, not in Microsoft, though; in a hex editor where you can manipulate the ones and zeros directly in the file, almost like doing surgery on the file, and he put in a character directly into the file that he knows Microsoft Word can’t accept, and then he’d save it and try to open it up in Word to see what it would do. Nothing. Okay, fine. That didn’t work. But let’s try again. This time, let’s see what the max font size is in Word. 16.38. Well, that’s pretty big. Okay, so, Word won’t let you make a font size bigger than that number. Challenge accepted. Let’s set the font to the max, 16.38, close down Word, open up the file in a hex editor, look for where that number is. 16.38, where does that show up? Ah, right there. Maybe that means the font size.

So, let’s change that to 9999 and save it and open it up in Word and be like, what now, Word? You wouldn’t let me set the font bigger, but I did. What are you gonna do? Nothing. It just reverts back to the default font size. It had some sort of logic to handle what happens with a font size that we can’t accept. That is what fuzzing is, and that’s what Greg was tasked with doing, to try to make the brand-new Microsoft Office 2007 Suite crash. It’s really a hunt to try to see if the developers at Microsoft accounted for every single problem that could possibly go wrong in Word and handle it gracefully.

GREG: So, you’re modifying these files at the lowest level possible and you’re introducing all this unexpected code, unexpected code paths. It’s parsing these files and it’s parsing these files; it’s encountering these unexpected data points. These unexpected data points are introducing areas of opportunity for you to find a vulnerability.

JACK: Basically, the goal is to get Word to execute malicious code, such as giving someone else control of that computer. But you can’t just put malicious code in a Word doc and then when someone opens it, it runs. Word doesn’t execute code like that. It just displays it as text. That’s its job. So, can you hide this malicious code somewhere in the Word document that it will also get executed when Word gets opened? No, not really that, either. Yeah, there’s macros that act like code, but that’s different. What we want is for Word to take our malicious little code and stick it into the memory of the computer. So, the goal is to cause Word to crash, but then use that crash to force malicious code into memory or a pointer that references the code into memory. [Music] Now, just opening Word is not enough to see all the stuff that’s happening. You want extra visibility on how well Word is behaving, what stuff it’s putting into memory and everything. That’s where a debugger comes in. At the time, he was using a debugger called Olly, which would show him a lot more details of what Word is actually doing.

GREG: Correct. Olly is a tool that you attach to your — any application that you want to see at low level, assembly level. You want to see what the code’s actually doing, your registers and your memory output and what’s going on with the application. You attach a debugger; that allows…

JACK: Sounds like a wrapper for the app. So, you open Olly and then tell Olly to open this, and then Olly would be like, I will watch all the memory…

GREG: Exactly.

JACK: …everything that’s happening here and tell you everything.

GREG: That is a great summary of that, and that’s exactly what it does.

JACK: It sounds a bit tedious to open a file in a hex editor, manually change one or two numbers, then close it, and then open Word up and then see how it behaves; and nothing, so just close it all and try again. So, all day he’s editing these files, opening them in Word, and then closing them.

GREG: I just really liked looking at the files in the hex editor, modifying the files, opening the file, and noticing the UI change. It would distort the — it would — if you had your Office file, if you had graphics and stuff in there, it would distort it or make it look wrong ‘cause it’s rendering improperly. So, you could actually get better feedback, I found, by doing it that way, to identify where in the file you’re affecting. So, I did this for like, two days, and all of a sudden I had a crash.

JACK: Ooh, a crash. This is what he’s been trying to create. Okay, first things first; will it crash every time? Yes. Awesome. Okay, it wasn’t a fluke. Next, can he inject code into memory when it crashes? Yes. Wow, this is great. Now he has to see if he can get control of a pointer or inject some shellcode into memory along with this crash. Yes, he can.

GREG: It was a classic crash at that time where you overwrote a data pointer and you could control the data pointer at that, which is — allows — that’s the basis for remote code execution.

JACK: So, what he’s discovered is he can craft a malicious Word doc so that when the user opens it, Word crashes, but then malicious code is put into memory, and now the system is severely weakened. It’s vulnerable. Wow, very cool, all within weeks of Microsoft Office coming out. Greg has discovered a pretty serious vulnerability in it, which allows arbitrary code execution. He feels great. His team is impressed. So, you tell your coworker, your coworker tells your boss, you tell your boss, whatever, and what does your company do with this?

GREG: My boss is like, awesome. He immediately starts writing all the press. Marc Maiffret is — if you know him, he’s very enthusiastic. He’s just like, oh my god, we’re gonna fuck — this is gonna be fucking awesome. We’re gonna send this to the press. We’re gonna throw this out there. So, he immediately starts writing to everyone, all these typical — you know, the tech writing — the tech writers. So, they immediately start writing, and then we report to Microsoft.

JACK: Again, they aren’t sharing exactly what the vulnerability is to the press. They’re just telling them that eEye found another zero-day, this time in the latest Microsoft Office, and of course only giving Microsoft the full details so they can fix it. Once it’s fixed, then eEye will show the world how it was done. The news spread fast. A few big tech publications were talking about this zero-day that Greg found.

GREG: Three days later we get an e-mail back from Microsoft and it says, hey, we can’t reproduce this. [Music] We’re like, this is typical. This is — we’ve dealt with this before. This is a typical Microsoft security response, response team typical action. So, they’re like, okay. So, we send them — we send the sample again and we’re like, hey, you know — we show the debug output. We show — and then another day after that, it comes back, and they’re like, hey, did you try this without a debugger attached? Marc Maiffret is like, of course we did. Then he looks over to Andre; Andre looks at me, and I’m like, I don’t think so. So, we go run it again, and there is a special trap that Microsoft added. This is — at the time, this was pretty new technology where they had debug-only routing inside Office. So, it would reach a code flow path that was only exploitable, only triggerable when you had a debug attached to the Word, meaning no one’s gonna be vulnerable to this unless they have a debug attached, unless they’re a security researcher.

JACK: Oh man. How embarrassing. The news is out there saying that eEye found a serious vulnerability, but now it turns out they don’t actually have a vulnerability. It’s because this new kid, this weird-looking goth kid, didn’t verify it all the way.

GREG: So, I remember there was yelling. There was yelling involved. I remember I was there for three weeks and I remember just — literally just staring down, being ashamed, just being like, oh god. This is it. This is how I lose my career. It was nice. It was a good couple months in security.

JACK: Okay, ‘cause the stress here is because a press release was written, right?

GREG: Yes, yes. eEye at the time was — they’re like the rockstars. This is — everyone else in the room, all those rockstars; Yugi, Derek, Daniel Soder, the brothers, everyone else in there has written vulnerabilities in a professional manner. They’ve all done this for years. They’ve found the first Vista vulnerability. They found — this is their thing. Now I’m the new guy who screwed up and made them look bad. So, behind the closed door, they were like, we gotta fire this guy. Luckily for me, I believe Andre was like, nah, dude, we gotta give him a chance. He’s gotta — we’re gonna give him a chance to make this right. So, they come out and they were like, look, man, you gotta find a vulnerability. We don’t care how you do it. It’s gotta happen. I’m like, okay.

JACK: There’s some hope still. The press release just said they found a vulnerability in Microsoft Office, which consists of Excel, Word, PowerPoint, Visio, and more. It didn’t give any details as to how the vulnerability works. So, if they can find a bug in any of these products, it’ll save the reputation of the company. But to be clear, for a young guy in his first cybersecurity job to find a zero-day vulnerability in Microsoft Office, that’s an incredibly complicated task. The entire team of coders at Microsoft worked tirelessly to prevent people like him from finding bugs like that.

So, he’s gotta find something they missed? This was a big deal for Greg. [Music] He needed to find a zero-day vulnerability in Microsoft Office or else he’s going to be fired. He calls his girlfriend and says, don’t wait up for me tonight. I am going to be working late. Sorry, I just have to do this. He just gets down right into the zone, downing energy drinks, grabbing extra monitors to be more productive, ordering pizza right to his desk. He’s fully committed to doing this. He was so committed that he was going to stay in that office until he found a zero-day vulnerability.

GREG: So, I am there twenty-four hours by myself, just manually — and I’m just like, oh god, I can’t do it.

JACK: He’s sleeping under his desk, he’s living off of donuts and coffee.

GREG: So, what happened here, man, was — so, the crew comes up to me and they’re like, dude, we’re not gonna let you do this by yourself. We got your back. So, everyone stayed in there, and we were in there for three days. Man, I — that — I remember girlfriends calling, wives calling guys and being like, are you guys coming home yet? They’re like, no, we gotta do this. This is an important thing. We ordered pizza. We had Mountain Dew. That area of the office, I remember, it was not smelling great. The other teams were like, what are you guys doing? What is going on in here?

JACK: Are you just like, opening text files in edit and then close, and then open, and then close?

GREG: We have — okay, so, I think during that time — so, there’s at least six of us. We have one guy who’s writing his own program to fuzz it. We have — I think Yugi had three screens up fuzzing data, reverse-engineering. He’s trying to reverse-engineer that. I have a program I have written running on one machine over here. I have a machine to my left. I have a machine left to me that’s running software to try to find this vulnerability. I’m in a hex editor editing files left and right. I think Derek was also editing files. Derek found — was finding something else. He found — I think he later found another vulnerability out of this, but he’s going in there editing, looking at this, and we’re all look — everything we find is really interesting stuff, which turns out it was — we found a lot of really cool stuff in Office at the time, but none of it was a vulnerability as we described. So, we are literally just sitting there geeking out and just — pizza being ordered. eEye was a wild time.

JACK: Days go by like this where all the researchers are pouring tons of time into this. Nobody was going home. People were sleeping in shifts under their desks, in the break room. The energy was amazing to have so many people come together to try to save the reputation of the company.

GREG: Day three, I was modifying a file, and all of a sudden it popped. We look at it and we’re like, oh, wait. I remember Yugi — Yugi looks at it first and he’s like — Yugi is this incredibly, unbelievably talented Japanese hacker. He’s like, oh, it looks good. When Yugi says it’s good, everyone’s like, okay. So — and the first thing that happens after that is — I remember one of the guys was like, is the debugger detached? We’re like, oh yeah, get that thing off there. So, retry it, and it happens to be in Office Visio. It was another product inside the Office suite. So, it wasn’t Word, not as sexy as Word, but, hey, we only said Office 2007. So, again, saved our butt. So — and the thing is, when Microsoft sent that e-mail, they were like, hey, man, this vulnerability occurs in this wrapper function called SafeInt. What SafeInt does is it prevents the integer overflow from occurring and causing that control flow, your code execution, to occur. So, it checks all the integers.

[Music] What happened with the new vulnerability we found was we happened — just happened to have found a legacy pointer for an integer that was not SafeInt-wrapped and was vulnerable. So, they sent that e-mail out, and unfortunately, David LeBlanc in Microsoft — David, if you’re listening to this, I’m sorry, man — I think he was on vacation. He got called back. Maybe he didn’t get called back, but that’s what I heard, ‘cause he was the one who was in charge of SafeInt. SafeInt was his baby, and it’s an awesome security feature. He got called back because when we sent that sample to Microsoft and it worked, that was a big deal to them. So, we are all happy. The vulnerability goes out. A couple months later it gets disclosed, and we have indeed the first vulnerability in Microsoft Office. That was the case. That was a wild time, to say the least.

JACK: He saved his butt on that one. His whole career was on the line, and he did what he had to do to save it. Being awake for so long wasn’t much of a celebration after he found it.

GREG: Dude, I crashed. I fell asleep. I remember being — just being so exhausted, I straight — at the time when I found it, I was already tired because I was half-asleep. I remember the alarm that I had for it to find it, I nearly spilled — I think I did spill soda all over the place, ‘cause I was just waking up — like, we’re all fasting out — like, we’re literally sleeping at our desk here. There’s no — we’re not sleeping on hammocks or anything. We’re just sleeping at our desk.

So, I remember it being — like, we find the — we’re like, yes, and we were all so tired to actually have a proper — I guess we did have a proper — we did yell out extremely — a malware — like, yes, we’re finally — and then immediately after — ‘cause we’re like, we’re celebrating, high-fiving, everything was like that. But man, after that, I just remember us all being like, and we’re going home. I fell asleep at the office. I didn’t even make it home at the time, ‘cause I had to — I lived walking distance. I was too tired to even walk home that day. So, I just crashed out, woke up, went home, and I remember my girlfriend just drew me — the pillow and the blanket, and I was on the couch for like a week for that one, rightfully so. She was so pissed.

JACK: But it was your job on the line. She should understand that. Like, listen, I’m gonna get fired or I could stay three days and not see you. What would you rather I do?

GREG: Oh man, I was a newly father. My kid was probably…

JACK: Okay.

GREG: [Laughs] Yeah. My kid…

JACK: Well, hold on, so you just had a kid at the time.

GREG: My kid when I started, yeah, was six months old. So, that kid was not even a year old, and colic — and my kid was extreme colic, like twelve hours a day crying. Oh man, she was so mad.

JACK: Oh, that’s — that makes it even more stressful.

GREG: Oh yeah. Oh, oh yeah. But yeah, so — oof, yeah, that was — I remember the e-mails — that was — oh, the e-mails I was getting from her was always popping up, just being like — her just getting angrier and angrier as the day is going on. She’s like, where are you? Like, I don’t believe you’re at work for three days doing this. I was like, okay, I’ll send you a picture of us. We had the team just doing random pictures. I was like, oh man, this is — this was a time.

JACK: [Music] eEye was a magic place. A lot of amazing talent worked there, and many went off to start their own cybersecurity businesses. Rumor has it that some of the anecdotes from the TV show Silicon Valley came from stories that happened at eEye. Greg learned a ton from working there for years.

GREG: So, years later — god, this is like my third year at eEye. I remember we had a honeypot system, which — it’s a system that’s designed to catch hackers and lure in individuals. We tried to — we were trying to get zero-day exploits and definitely try to lure people into attacking the system. It was one of the largest honeypots at the time. It was nearly a Class B internet group of honeypots. It was massive. I remember I was logging into one of the systems that we had maintained for that, and I see a log-in called Lfeng. I was just like, what is this? Whose account is this? Maybe this is a new hire I just don’t know about. I walk into my boss’ office and I was like, hey, I got that all set up. However, there was someone who logged in recently, and maybe it’s someone we hired in dev ops or something. Do you know a Lfeng? I remember my boss was just typing.

All of a sudden I remember the distinct sound of him stopping and the sound of the chair creaking back and him looking at me. He’s like, you found what? Who? I was like, yeah, Lfeng. I think I looked at — the extended name was Li Feng. He was like, what do you mean you found a Li Feng log-in? I was like, yeah, it’s on the honeypot system. It was — it looks like it was a maintainer. He goes and he closes the door behind me and he’s like, alright, I’m gonna tell you a story about Li Feng. I was like, okay, let’s hear about it. So, back in the day, like I mentioned, eEye was the rockstar group for finding vulnerabilities. It was like, eEye and I-Defense. That was the two big companies back in the day for finding zero-day vulnerabilities. At one point, eEye was so good at what they were doing, Microsoft decided to hire someone in order to go work at eEye in order to get them to tell them, Microsoft, about the zero-days they found in Microsoft.

JACK: Wait, wait, what — hold on a second. You’re saying Microsoft got someone to — a job at eEye…

GREG: It was a different time.

JACK: …so that they could — but they worked for Microsoft so they could report to Microsoft what eEye is working on.

GREG: It was a different time. Yep.

JACK: This is ridiculous. You don’t hear about this ever.

GREG: It was a different time.

JACK: Did this news ever actually go public?

GREG: I don’t think so. This is…

JACK: I can’t imagine Microsoft hiring to work — getting people to work at another company; this is corporate espionage.

GREG: That’s correct. [Music] Well, it gets even better. It gets even better after that. It gets even better after that.

JACK: Okay, so Microsoft hires Li Feng to work for them, but then plants him in eEye to go find out what they’re working on and report back to Microsoft. So, Li Feng was working at eEye for a while, but then suddenly left, and nobody really knows why. He just disappeared one day.

GREG: But then Microsoft, sometime after he left, they’re like, hey, we gotta have a talk. We gotta have a conversation. So, we’re like, okay. So, Microsoft was like, so, Li Feng, he was working for us to identify zero-days that you guys may have found.

JACK: Which had to be a bombshell for your company to hear.

GREG: I think…

JACK: They thought that must have…

GREG: I think they had suspicions that he was being a little odd, but — so, Microsoft then goes to say, so, apparently he was also working for a foreign government entity to do the same for us and you. So…[laughs]

JACK: So, someone placed him in Microsoft?

GREG: Correct, correct.

JACK: Go get a job there and…

GREG: And then he got chosen to go work for us. We hired him, and he got planted, and then he was siphoning zero-days from not only us; apparently he also had privy information at Microsoft, and that went back to his foreign government that he was ultimately working for.

JACK: Holy moly, someone planted him at Microsoft and then Microsoft planted him at eEye? That’s unreal. How embarrassing for Microsoft. It’s like being caught doing something you shouldn’t have been doing, like, I don’t know, having your pants down when the elevator door opens. They know they shouldn’t have been playing that game, but now they realized that they got played themselves. Oof. So, I really wanted to confirm this story, and I reached out to people that I know who have been at Microsoft for a very long time, and all of them said that does not sound like something Microsoft would do. So, I can’t confirm that that story is true, but I would love to know if it is or isn’t. So, if you have information about Microsoft planting people in other companies, tell me about it.

Because here’s the thing; we know corporate espionage is happening. There’s people sending secrets back and forth to tech giants all the time, but it’s a secret, so we don’t know about it. We only know about the ones who get caught. So, it seems plausible like something like that could happen. You know what? I’m curious what corporate espionage stories are out there. Taking a quick peek, there seems to be some cool ones. In fact, I think I’m gonna take an ad break and look at this a little deeper, because I’m fascinated by corporate espionage, and I might have to do a few episodes on that sort of stuff. But stay with us because after the break, Greg is gonna tell us some penetration testing stories that he’s done. After a while, Greg left eEye and started doing red-team stuff. That is penetration testing, breaking into companies to test their security.

He also does threat intelligence, which he tells me he got some really interesting contacts and worked at some very interesting places. But we’re gonna have to skip those stories because they’re too sensitive to talk about. But he is willing to tell us a few pen test stories that he did go on. The first story is about a time when he was paid to try to hack into a major tech firm which has a lot of user data. I mean, they have millions of users. But not just simple user data; they’ve collected highly personal information on their users as part of their service. So, Greg meets with the customer, and it started out weird from the get go. The customer was saying, look, we are crazy about security. We go over the top on cybersecurity because we cannot risk our user data getting out. So, we don’t think you’re going to find anything. In fact, the last pen testing company struggled so bad to try to hack us that they got arrested.

GREG: [Music] So, they use a third-party payment processing system that is not used by them, and their previous pen testers accidentally exploited the third-party payment system that was vital to them. The third-party payment system was an Oracle system and not owned by the customer at all. So, when — apparently — that’s why I heard from the customer; they were — they did their exploitation and then they said, hey, we got into credit cards and we’re gonna present it to you in the next day in a presentation. So, they got the blue team there, all the blue team, all the people, and then he presented them and said, hey, we exploited this. We exploited this IP address. We got access. We gain it. Here is your raw credit card details. As you can imagine, the team looks at it and they’re like, what IP is that? That’s not local.

That’s not — it’s a ten — it’s a local address, but that’s not ran by us. That is not. Then they found it was actually owned by the third-party payment system, and they had exploited a zero-day and that gained access to there. On top of that, the credit card details were now — it was a stream of credit card details. So, I believe it was outside of even scope for the customer. So, the customer reported them on the safety of their half ‘cause they didn’t want to think that someone on their network compromised them, and reported them to the law enforcement authorities. I believe that led to the arrest of them. Either way, that was — that’s always wonderful to hear going into a pen test. You hear, hey, the previous guys got arrested. Why don’t you guys come in here? So, great start already. Great start.

[Music] So, if you know me, I still dress like a goth kid. I’m still all black. I’m cyber-punked out. I wear Neo4ic; love them. I’ll wear everything from vx-underground, all black, anything I can. So, I show up at this facility — oh, and at this time, we also have a coworker of mine, and my — this is my coworker’s first big — real big pen test. So, he comes in, too, and I will never forget the people there because they look at me and they look at each other and they’re like, oh god, we gotta put you guys in the back room. So, they set us a separate room away from everyone else. Throughout my career, this is kinda the thing. I’m the guy in the back room. I’ve been there because of how I am. So, they sent us back there, and this is a five-day insider-threat pen test. Go.

JACK: [Music] So, his job was to simulate an employee there who had gone rogue or had been hacked. Just by being in the building, what could he do? Sniff some Wi-Fi traffic? Plug into some network ports? All that’s worth checking out, but they did give him a single user’s login, and they said, that user should be locked down so tight that you shouldn’t be able to do any harm even by knowing their password.

GREG: This customer — I’ve been red-teaming a lot of places. Their blue team, their SOC team is absolutely legit, one of the best defense teams I’ve ever had the honor of working with. So, they literally are running their own kind of built-in EDR system that they built themselves that’s tied into their SOC, going in there. We get nowhere, man. Day one; nothing. Day two; nothing. Day three; my coworker’s laptop dies in the middle of it, and he can’t even work anymore, and we had to give a report to the customer. I remember them just looking at us and being like, I think we hired the wrong people. Literally, they were like, do you — you guys want to resign and we can scrap this up, call it quits, and then we can go hire somewhere else? I was like, no, man, we got this.

[Music] Day four happens, and we — I remember it was 4:30 and we have to give — at 5:00 we have to give our meeting, and my coworker had to go to Best Buy and buy a brand-new machine. He spent the entire day imaging a machine on a red-team engagement. He looks at me; he’s like, man, I don’t know what to do. So, I was like, hey, let’s try one more — let’s do some ARP poisoning and just do one more time. I remember looking up, and that ARP poison grabbed one plain text credential that just happened to be an FTP job. We’re like, oh, we got a credential. We got somewhere. We got something. It turns out that credential was to build system process, and it allowed us to get into the build system to roll code throughout the entire thing. It just so happened at 4:30 they rolled it out to do an end-of-day lockdown and build system configuration, lock everything down so no one is doing any more builds.

We went into that meeting; said, hey, we just intercepted this. I remember them all thinking, wait a minute, that’s the old build — and that credential is still active. At that point we had a really cool exploit for that one. We got into the build system, and they had a lot of controls on the actual files in there. So, we couldn’t modify in the build files, but we could edit the command line. So, we rolled an inline assembly.net include in there to roll in, go into their portal, and steal all the customer data, who’d enter a credit card in there. We marked it in the data. We locked out that credit card, but we put an asterisk in there, stolen last four digits, and then had it sent out to them. They test it, they ran it out, and they were like, holy crap, we have not had a red team roll out code to production in eight, nine, ten years that we’re here. Come back next year. Come back next year.

JACK: Whew, talk about a Hail Mary. Not a single find all week, and then 4:30 p.m. on the last day, they catch a lucky break by sniffing a credential in the network which gave them tons of access. What a good find that saved their butts.

GREG: I come back next year, and they’re like, hey, we want you to do something kinda crazy. We want you to target DNA.

JACK: [Music] Part of what this company did was genetics studies. They had DNA data on their users, and this was regarded as one of the most protected assets of the company. So, why not hire a hacker to try to find it and steal it?

GREG: We don’t care how you get it. Any way you can get it, that’s fair game. So, I spent a week in there as a malicious insider.

JACK: He starts with a basic employee login again. It is locked down pretty tight, but it’s just enough for him to get a foothold somewhere else, and from there he finds an exploit in another system, and then he was able to pivot from there, collecting more system logins, and finally he’s able to get in a system which manages backups of machines. He can see there’s some really large files here. Maybe those are system snapshots or backups? But what system is it a backup for? No idea. But he decides to try to download it anyway to see if he can look at what’s in these files.

GREG: It literally errored out on the share size. I was like, I’ve never seen that before. I remember clicking a file, and I’m on a local network. I remember that file taking forever to get to me. I was like, how big is this? So, I grab the file and I’m on the local machine, and I remember looking at it, and it’s TCGA CT, like those letters. I was just like, I think that’s DNA. I think that’s DNA. I was like, huh. Maybe — this has gotta be — this can’t be right. So, I grab it and I cut off as much as I could. I remember — and then I sent it over — I work with a biologist. She was a very, very smart girl, and she just happened to be a biologist who was working with mice at the time. She actually knows DNA and she worked with DNA. I was like, hey, what does this look like to you?

I sent it to her and she looks at it and she’s like, oh, this is a DNA sequence mapped out by this program, and this looks like — I was like, oh, okay, cool. Then she was like, hang on, I could even tell you what kind of DNA this is. A couple minutes go by and she was like, why do you have human DNA? I was like, I gotta go. I gotta — bye! Click. So, my next task was like — they were like, you have to get the data out. You can get in; you had to get access. We had to get it out. So, at the time, again, it was ran by a very, very good SOC team. There was a lot of — the environment I was in was very, very well-restricted. The only way I got to her was through sending a picture. I remember selecting it all and then putting it into an app, sending her a picture of it. It was so bad quality, I had to send it a couple times, actually.

But so, I was like, how am I gonna get all this data? I can’t do it with a phone. I can’t do it with a picture. How am I gonna get all this data out? [Music] I was a malicious insider, so I was working as a quote, unquote, “IT member”. So, I got introduced to the IT group and they were like, oh, yeah, you’ll be working in this environment. It’s cool. So, I was like, I gotta figure out a way I can get a bunch of hard drives, and I have to get a bunch of hard drives back into the building. So, what I did was there’s printers that were scheduled for — to be — these printers were scheduled to be taken to repair. I remember grabbing one of those printers and gutting it as much as I could. Walking out, I’m going out to the front desk, going out the front door and being like, hey, I gotta send this printer to the repair shop.

It has to be done today, immediately. So, the front desk people were like, okay, just sign off work. Cool. Sign off for the printer. Load that into the — my rental car, and I go to Best Buy, and I’m like, I have to get hard drives. I have to get a lot of hard drives. So, I went by — and this is back in the day where external hard drives were those big, obnoxiously ugly-colored things, and they came in — I think 32GB or 64GB was a big hard drive at that time. So, I go through — I have a shopping cart, and I just go from the end line of these and just pull the whole thing into the shopping cart. I have a full shopping cart of hard drives.

JACK: You put your arm on the shelf and just…?

GREG: You know that meme where that guy is running around Best Buy and he’s like, all — hacked all the things, I hacked all the things? That was me except with hard drives, shoving it into a shopping cart. I remember going to Best — the front of the desk, maxing out my credit card, and then — of hard drives, and then going back into my hotel at the time and loading them all into the printer. I put the shelled out — the hollowed-out printer — I just stacked the hard drives in there and pulled it up together, and then I show up to work the next day, get the little trolley carts they have, go out and say, bring it back. I remember I’m bringing back the printer, and the front desk person was like, wait, you sent that off to be fixed yesterday. I was like, yeah.

He was like, you gotta tell me how you got those guys to fix that in twenty-four hours because, man, they are always so slow. I was like, oh shit. Well, I bought them a root beer. They’re like, oh, that makes sense. I was like, I brought them a six pack of root beer. He was like, ah, okay, good to know. So, I go back to my area of the building, putting it — and I have this printer next to me, and then I am opening up the little panel, and I am just — USB drive — literally copy, pasting, mounting, copy, pasting. I started at like, 8:15 a.m. and I am there until they kicked me out of the building at 9:00 p.m. doing nothing but moving over data. Then I leave the printer there, and for the next two days — I am literally doing this every day. Then, on my last day of the pen test, I remember I walk out and I go to the front desk, and the guy there — he’s still there.

He’s like — I was like, oh, dude, the printer broke again. He’s like, oh, don’t worry, I got something for you. He goes in the fridge, the little fridge he has, and he brings out a six pack of root beer. He’s like, give this to them and tell them I said hi. I am sitting there trying not to laugh while I’m holding petabytes of — I can imagine — I think — I don’t know how — I couldn’t get it all, but I remember I bought over eighty hard drives from Best Buy. I think I actually went back a couple days later and bought some more because I didn’t think I had enough, and put them in my jacket and my pants, and I loaded this HP printer and filled that thing up, and got to my hotel. Then at that point, had — I had a secondary laptop that I asked — I requested to prove for exfiltration. I kinda [inaudible] that laptop, I loaded it up and said, done.

JACK: So, when it was time to show him what he found, he has them go into the room where he was working in and said, open up the printer. They open it up, and when they do, a bunch of hard drives just come pouring out of it. He says, those hard drives are filled with all your DNA data.

GREG: Yeah. They later said, hey, you were the first person to do that. I worked for the red teaming for another — I think three or four more times after that. It was — after that it was a call center I attacked — targeted.

JACK: Okay, here’s the big question, though, right; the first time they’re like, you gotta go in the back office. We can’t have that. After doing it three, four times, when you’re walking through, are you feeling more confident? Like, oh, no, you can be in the front office. We don’t mind you being around here.

GREG: Oh man, I went to their barbecues. I went to their family — they were all very nice. After the first time, they were like, look, you could never meet the execs, but we will absolutely hire you every single time.

JACK: [Music] A few years go by of him doing pen tests, and he gets another job which also has an interesting story. This time, a venture capital company has hired him to try to hack them. Now, they wanted to see if he could hack into them to get data that would influence the market or something that might hurt the reputation of the company or see if he can gain information that can be used against the company. So, Greg gets tasked with going on site to try to hack into this venture capital company, which, remember, even though he’s well into his thirties at this point, he is still dressing all goth and considers himself a goth kid.

GREG: I’m still a goth kid, man. I still dress in black. I still wear my goth — like I said, I don’t wear the colors or anything, but I still dress all black. I wear my goth outfits. I wear my vx-underground, my Neo4ic shawls and everything. I wear my goth boots. What’s funny is every single contract I’ve signed for work, I have two clauses in there. Clause number one; I will never code in Ruby. Fuck Ruby. Clause number two; I’ll never adhere to a dress code, period. Those don’t — if those two don’t happen, I don’t work there, period. So — and that goes back to — I was one of the — when I was in cybersecurity, I was one of the kids who never went to college for cybersecurity. So, all these places are like, oh, you gotta get a college degree, you gotta do all this kinda stuff, and you gotta wear suits.

I was like, no, fuck that, man. I got — if you don’t hire me for the things I know, then I don’t want to work there. That’s been a long belief and I still believe that to this very day. I told my boss, the day that my goth outfit interferes with the way I work, I will stop doing it. I still do it to this very day. It’s been twenty years. Anyway, so, they send me over, and I remember I get — they’re like, hey, we want you to meet at this outside — it’s gonna be outside the hotel that we’re all staying at. I walk up to this guy, and this guy is wearing a suit. He is wearing a suit that costs probably more than what I make in a month. He’s in there. He’s smoking a cigarette, clean cut.

The guy looks like he’s still active Secret Service. I think he even had an ear piece in. He looks at me and I was like, hey, are you this guy? We’ll call him Brando. Are you Brando? He was just like, yeah. He’s like, are you Greg? I was like, yeah, nice to meet you. I remember he takes the longest drag out of his cigarette. You know that meme from — what’s that HBO…? True Detective where the meme of looking at the phone and the guy is just inhaling the cigarette, or Matthew McConaughey, I think, is inhaling the cigarette? I got that exact look from this guy looking at me. He just tosses that cigarette and he’s like, this is gonna be a long week. He’s like, let’s go.

JACK: So, this guy is his escort and drives him to the building where he’s supposed to do the pen test. He takes Greg to the front door and he tries to go in with his escort.

GREG: I remember physical security is like, sir, who are you? What are you doing here? They literally get in front of me. I was like, no, I’m with Brando over there and I’m part of a assessment. They’re like, give us some ID. They escort me into the building, and all of a sudden I’m getting a call from my contact. He’s like, where are you? I was like, I’m being detained. He’s like, oh god, this is a great start. So, they come over and they realize that I’m supposed to be there, and then I go meet my contact, and I remember him looking at me and being like, oh, man. He’s like, alright, well, you can go work in that back room over there. We’re gonna tell everyone you’re an auditor or someone so no one bothers you. You’re gonna set up in this back room, and just don’t bother anyone. Just go there.

JACK: So, they sat him down and said, okay, hack this place. He’s like, well, can you give me a user login or something? No. Alright, can you give me the Wi-Fi password at least? No. Well, listen, I see a bunch of wireless networks, and I don’t want to accidentally hack into the wrong wireless network. So, can you at least tell me which Wi-Fi network is yours?

GREG: I could see the contact at the venture capital is like, man — it was like, he looked at me and he wanted me to be out of this building and to fail as much as possible. So, he’s like, our guest Wi-Fi ID is this. Go. [Music] That’s it. That’s all I had to go on. Nothing else. Just the guest Wi-Fi. So, I get up and I’m like, okay. So, I start walking around the building, and the security team is absolutely following me at every step of this. Brando from the other third party is like, where are you going? What’s going on? I was like, I’m looking for a Wi-Fi password. He’s like, I think — he’s like, I’m pretty sure you’re supposed to do that with the computer stuff. I was like, nah, nah, they’re gonna have this. I walk around the building and eventually I find it on a whiteboard. I’m like, bingo. So, I go back and I sit down, and now I’m on their guest Wi-Fi network.

JACK: Nice. How clever; just look around the building for the password. Alright, so now he’s connected to the guest Wi-Fi.

GREG: So, I get the password, I sit down, and from there I start scanning. The first thing I go — is I hit the Wi-Fi router. It’s a Cisco device. This team — I’ll later learn that this team is very, very good. However, again, like they mentioned, they’ve never had a full red team event. So, the router security is nowhere near where it should be. It’s actually — the router is a single router, a single Cisco device that is both the guest Wi-Fi and the internal Wi-Fi as well. So, I exploit the router, I jump on the router, and then I make the entire network flat. I bridge over everything. So, now my machine can be — can attack anything on the inside of the network. Even though I’m on the guest Wi-Fi, I can still start attacking anything on the inside network, or on certain networks. They had multiple inside networks, so I start bridging them over one by one.

JACK: How did you exploit the router?

GREG: The router didn’t have — like, a) their password was default, as — unfortunately. Number two, I was — they had a administrative password on the panel. So, the access was one password and then I brute-forced, I believe, the password of the admin panel. It was very close to standard password on there. Gained access, unfortunately.

JACK: So, the guest Wi-Fi should only have very minimal access, like just to the internet and no internal systems in the building. But when he bridged the networks, he could then access anything that other employees could access, which gives him access to a ton of internal systems.

GREG: There, I start doing man-in-the-middle attacks, and let me tell you, red teamers out there, pen testers out there, never skip out on layer two attacks. Layer two is your responders, your Cain and Abels, your ARP poisoning, your DHCP spoofing, all of those. That is gonna be your bread and butter. I promise you those vulnerabilities are still existing there. They still work. I work engagements to this very day — that is where so many places fail. So, I man-in-the-middle. Become — I start stealing credentials, and this is back in the era before SSL security was everywhere, so you could still do man-in-the-middle and downgrade websites to HTTP logins. [Music] I start getting credentials to people logging into work e-mails. After about an hour, I get access to a relatively new hire. She has six months of work in her inbox.

I access her e-mail, and the first thing I do is I go all the way down to day one. What do you get in day one? E-mail. You get your employee training, you get your on-boarding information, you get your on-boarding documentation, and if you come to this building, you get your building alarm code. So, I have a physical alarm code that goes to her, and I also have her badge ID number and what she looks like and such. So, I’m like, okay, so what can I do next? I remember the — Brando, the — my — the ex-Secret Service guy looking over my shoulder and he’s like, what are you doing? He was like — I was like, okay, so, you know the card readers? Like, yeah; he’s like, we’re gonna clone one of these card readers. He’s at this point where he’s like, alright, goth guy, you’re not so bad. Okay, I like this idea.

He’s like, alright, I’m gonna work with you on this and I’m gonna — he’s like, I talked with them, and we’re gonna talk about guard shift and times to get into this building. I was like, okay. So, I tell him my plan and I was like, man, so I got a building alarm code. I’m gonna put a RFID cloner next to their badge reader, and when they badge in, I’m gonna start getting all these badges. He’s like, okay. So, a day goes by, and eventually the girl whose building alarm code comes in, badges in, and I get her — I have a Proxmark system; I keep pulling it and all of a sudden I notice her ID matches up. So, now I have her employee ID badge and her building access alarm code.

JACK: To get into this building you need to use your little badge and tap the badge reader, and the door unlocks. What Greg did is he put a little badge sniffer behind the real badge reader so that anytime anyone taps their card, he gets to see what their badge is, and that essentially allows him to clone a badge.

GREG: They gave me a tour of the building at one point, very against their will. They were kinda hushing me around. The two things I noticed when they gave me that tour was, a) there was a balcony on the second floor that had a tree next to it, and from that balcony was a straight shot into their server room. Basically you go through one room; in that room you get into — you go down one hallway and you’re in a server room, and the server room did have a badge reader on it. The second thing I notice is sort of like — almost like a spiral staircase downward, there was lots and lots and lots of paintings. I remember asking during the tour; I was like, whoa, these look like real paintings. They nodded. They’re like, yeah, CEO — well, the CEO is here; loves paintings, and this is their pride and joy.

They like to show art and they like to make sure that — and I was like, huh. That’s interesting. That’s cool. So, I remember — so, for the next couple days, I had to get a badge of an IT guy ‘cause I needed to get access to the server room, and eventually I get it. It’s through the Proxmark system as well. In the meantime, I’m doing man-in-the-middle, getting credentials, doing the traditional attacking methods, but I really wanted to focus on this whole physical element because the — Brando, working with me, he was just like, man — he’s like, we could do some Mission Impossible stuff. I was like, yeah, yeah, we could. [Music] So, the next phase was — they had cameras everywhere. They had internal cameras, sort of external cameras.

I remember doing the net — so, eventually, every day I’m folding different parts of that — of their internal networks into the guest network that I’m at so I can bridge over and start looking, and eventually I find all their camera — their camera network. Luckily for me, they are using access cameras. If anyone’s worked physical security, everyone knows there was an era of access cameras from like, 2001 to about 2008, ‘09, ‘10, where everyone had — all these places had these access cameras ‘cause they had a ton of features, they were cheap, they were Chinese-made, wonderful cameras. However, they were the worst security ever. They had so many default passwords. They had buffer overflows — in the access control systems, they had buffer overflows, and their web interface — they had a web interface that when you connected to it, it looked like GeoCities.

It was straight up like 2002 internet all over again, and that’s how you controlled the cameras directly. So, talking to Brando and he was like, okay, look, man — he’s like, I know they do a guard change around — it’s 2:30 a.m. during — around that time. He’s like, you gotta be in and out of a building around this time. I was like, well — and he’s like, also, there’s gonna be someone always watching these cameras. I was like, okay, that’s fine. He’s like, what are you gonna do with the cameras? So, I show him, and I start connecting to all these cameras, and at the time there was an access — I think they were still running firmware from 2005, and there’s an access buffer overflow that allows you to control and gain access to every one of these cameras. Still running that. They hadn’t patched them. Jump in, and then from there I can access the shitty little interface.

I show him; I was like, look what happens if I modify these two values. The values is brightness and contrast, and you can edit both of them. It’s usually for when a viewer wants to look at the camera. Oh, it’s too dark or too bright. They can edit these. In UI, you can edit them a little bit, but programmatically, you can edit them all the way from 0 to 255 values. So, you can make them go all black or all white. So, I show him. I was like, watch. We can make their cameras go boom. Watch; I show the camera. It goes distinctly black for a second, and then I undo it. He’s like, oh. I was like, yeah. [Music] He’s like, alright, goth guy, alright. I see what you’re cooking here. So, he’s like, well, how are you gonna get these into an area that — how are you gonna do this in a way that…?

You’re gonna have to be carrying a laptop with you. It’s gonna just be awkward. I was like, that’s a good point. So, in this engagement, I had a shuttle device with me, a little, tiny — computers are the size of a shoebox. A lot of pen testers use them for leave-behind devices. On that shuttle device I put a Bluetooth radio on it. So, with the Bluetooth radio, I was like, okay, I’m gonna walk around the building and I’m gonna get measurements of where I’m at with the Bluetooth. It’ll signal their noise ratio, and when I’m in front of those areas, I’m gonna map out what cameras those are at, and I’m gonna make sure that I can get access to this. So, I tested out the Bluetooth range. I had to put a big antenna on this thing to get the Bluetooth receiver on it. That worked, so I could have the Bluetooth show — I go in front of these two cameras.

The two cameras that point outside to the patio, I could have them identified. There was a camera on the inside there, and then there was a camera facing the server room. So, those are the cameras I needed to black out. So, my app sends a signal to the Bluetooth. The shuttle device would take that signal and relay it, and when I receive those, it would send the packets to those cameras to make the values, brightness or contrast, to 255 or 0. It was completely random. It’s flipped back and forth between them to make it look like a black and white screen, sort of like an effect that was like the camera was malfunctioned for a bit. So, I was like, man, I have — I could look at these cameras. I could test to see if this works. Not sure if this is really gonna work, but we’re gonna try it.

JACK: So, he set everything up to try to break into the building overnight and not be seen at all. The front door might have extra security and he didn’t want to take the risk, so his whole plan was to sneak up to the building, black out the cameras, get in, and gain access to the server room. Keep in mind, everyone already was on high alert from this kid. They thought he was very suspicious, and he was going to have to do something over the top to get in. That’s when he realized his point of entry should be the balcony.

GREG: So, that night, man, I came in, 2:30 in the morning, climbed up the tree. I get onto the balcony. I push open — they had a security door on the balcony that they would lock before you can get to the badge-reading door there. I pry that open, I hit the badge key, go into the building. The alarm starts beeping. I hit the building alarm code, and lucky for me, the girl had not changed her alarm code. I was in. [Music] I look at the cameras and I remember being so nervous about this and being like, oh man, this is — hopefully this will work or I’m gonna get tackled very soon. So, I make my way over to the server room, and my secondary badge, the other one I have from the IT guy, works for that one. Badge cloned. Got into there. Went to the server room, and from there, boot-rooted all the machines. So, if you’re unfamiliar with boot root, back in the day, this was — you plug a USB device into the machine, you turn off the server.

The machine would then boot off the USB device as a recovery device, and from here you would replace a Windows component. Sticky Keys would be a ideal favorite. So, you replace Sticky Keys with command shell, and then you reboot the machine. So, the machine — after you do that, the machine — you reboot the machine. It goes into the password login prompt, and you hit Shift five times. That would then launch Sticky Keys, which has now been — become a command prompt instead, and now you have a command screen on it, and then you can run commands as elevated privileges like you’re on a system. So, you’d have elevated command. So, from there I exploited all the machines. I dropped a flag that said I was here, and then I went into their stores and put flags on all of those.

JACK: He’s done it. He’s successfully hacked into the servers Mission Impossible style. So, he starts to go out, but he notices something.

GREG: Those paintings. So, I proceed to go down the staircase, and I go down to the paintings. I just quickly grab a sticky pad and put little happy faces, like a little sticky page, and start putting them right next to all these paintings. There’s a little placard for each of these paintings telling you essentially who made these paintings, what did it symbolize, in some cases how much they were worth. I stick little happy faces on it that says, I stole this.

JACK: Huh. So, it’s typical for a physical pen tester to leave a token behind to prove that they were there in a server room or a desk drawer or something. I mean, just think about how you would feel if you went to bed and then woke up and there was a sticky note on your bathroom mirror that said, Greg was here. Just a small note like that can say a lot, can’t it? Here, what Greg was doing was proving that he had access to these paintings and he had time to go right up to them, put notes on them, and security never saw him do it. So, he wrote ‘I stole this’ on a bunch of sticky notes, and just kept putting the sticky notes on painting after painting after painting.

GREG: I remember 6:05; I get a call. Greg, Greg. Yeah? Was this you? What’s the happy face? What’s that mean? How did you do…? What is…? It doesn’t matter. The CEO wants to talk with you today. Get in here, like 8:00. He’s like, I don’t know, man. He’s really upset. We have to figure out — I was like, okay, okay. In the meantime, physical security had — they had a incident ‘cause they were looking over and they were like, well, someone walked in and put all these happy face stickers on there, and they walked out the building. They’re like, what does this mean, ‘I stole this’? I remember they are coming around — and I get to the building. They escort me to the board room. The board room has this massive table on it. Me, in my awkwardness, I pick — I remember sitting and picking the exact opposite of where I imagine every one — the exact corner of it. The physical security is like, no, get over here, get over here. First, give us your ID again. We’re gonna run some background checks on you again just to make sure.

JACK: Physical security knows to treat those paintings with a very high level of security. So when the CEO came in and he saw his paintings had sticky notes on them, he simply asked, who did this? What does this mean? When security had no idea, then the CEO is like, okay, well, find out. Then when security looked at the cameras, they saw they were glitched out during that time, and they had almost no evidence of who did it. This made the CEO furious. What do you mean no security footage? Find out who put these sticky notes on this. The cameras around the building were just all black or white because Greg hacked into them to prove he could sneak into the building late at night with nobody noticing.

GREG: The VC came in. The VCO came in and was like, what the fuck? What is this? What do you mean, stole my paintings and little happy faces on them? That’s what kicked off the security team alert. I remember I was sitting there, and then my contact leans over to me and he’s like, look, again, I have never seen him cancel meetings and move so and to see someone like this. So, I don’t think it’s gonna go well. Then I look over to Brando, and Brando is just like — you know, he’s like, maybe we flew a little bit too close to the sun here, a little Icarus just a little hard, but whatever. [Music] So, the CEO comes in with this single security team.

They hand me back my ID, and he looks at me, and I — you can tell the thoughts of this goth kid in his board room is not what he expected and not what he was expecting to meet for when he — and he looks over and he’s like, you hired this guy? My contact who worked at the company was just like, yeah. Looking at him, he’s like, alright. He’s like, so, walk me through what you did. For the next ten minutes, I retell him the story of exactly how I did it. This VC previously had been very technical. He was a code developer. He worked on software. So, he starts going and he starts asking me very intelligent questions about — we start having a back-and-forth about, oh, okay, so why…? He’s like, so, two questions for you. First, what were you gonna do with the paintings? I was like — I was dating a girl out of Brooklyn at this time, and I was like, you know, I was thinking of taking them to Pratt University and maybe fencing them at the university there.

There’s gotta be someone who knows some weird connections at Pratt Art — Pratt Institute of Art. He starts laughing. He’s like, alright. He’s got a plan. I was like, okay. He’s like, I really like those paintings. He was like, I can’t believe you would — I was like, yeah, I absolutely would have stole them right out from — nothing to do. He’s like, alright. So, then he’s like, alright. So, my next question is what are you doing next year at this time? That’s how I became their reoccurring red teamer for four years until they got tired of me breaking into the buildings and doing all the things, and hired me as full time. So, after this I got introduced to a lot of the various levels of executives for this, and I got to pen test all their personal houses and got to show them how — why physical security is important, gaining access to all their penthouse suites, all their large houses. I did that for quite some time afterwards.

(Outro): [Outro music] A big thank you to Greg Linares, AKA, Laughing Mantis, for coming on the show and sharing these stories with us. Please consider supporting this show by visiting plus.darknetdiaries.com. If you do, you’ll get eleven bonus episodes and an ad-free version of the show. By becoming a supporter is the most direct way that you can help make sure this show continues running and delivers you more episodes. Please visit plus.darknetdiaries.com. This episode is created by me, CAPTCHA America, Jack Rhysider. Our editor is the super subnetter, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I’ve been working on a new dance lately. It requires the most efficient use of muscle memory in order to spin at the perfect RPM. I call my dance the algorhythm. This is Darknet Diaries.

[END OF RECORDING]

Transcription performed by LeahTranscribes