Transcription performed by LeahTranscribes
[START OF RECORDING]
JACK: Hey, hey, it’s Jack, host of the show. I am feeling good. I am feeling healthy, strong, fit. I’m in the game. So, I’m coming at you with a second episode this month. Let’s go! Defcon is coming up in a few weeks. I’ll be there. I wouldn’t miss it. You know me. If you don’t know, it’s the premier hacking conference in Vegas, and I love going because every year something crazy happens. You don’t always know what it’ll be, but you know something is going down somewhere. Like, maybe someone will drop a zero-day live on stage, which will suddenly make us all panic and call home; shut everything down! Or maybe the FBI breaks into someone’s hotel room and arrests someone who they’ve been chasing for a decade. Or maybe someone gives a talk that makes history. I mean, Julian Assange once gave a talk at the Chaos Computer Camp in Germany to announce WikiLeaks. Lots of people come to drop big ideas at hacker conferences, and if there’s a talk that makes history, I want to be there for that moment. I want to be in the room where it happens. Anyway, I’m not planning any party or anything this year. I’ll just be floating around all over the place, but check my Discord or Twitter for live updates on where I’ll be, though. If you see me, please say hi, because I love meeting you. It’s your energy that gives me the fuel to fly this thing to the moon. Oh, and if you don’t know what I look like, I wear a big, black hat, and I cover my face entirely with a bandana. I look like a bandit. Alright, I promise I’ll bring you back some stories.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: I guess we’re gonna call you MG in this. Is that what you want to be known as, is MG?
MG: Perfect, yeah.
JACK: Yeah, I like MG ‘cause I didn’t — I never — I didn’t know for the longest time if it was milligram or…
MG: It’s great.
JACK: Megagram.
MG: It’s so many things it could be.
JACK: That initial mystery I think is what intrigued me about MG. He had this raw type of energy to him. He’s always building. He goes hard on hacking. He’s always in the zone, and he seems like he’s part of the counter-culture. He’s probably got stories, right? People kept telling me, you should get MG on the show. So, here we are. Color me intrigued. He tells me MG is just his initials, and he started using that name when he signed up for Twitter back in 2008. His Twitter name is MG. Nice and simple.
MG: I grew up in Wisconsin. Both of my parents were in medicine, and I guess a big thing that I learned growing up with them is you can pretty much DIY anything. Also, DIY-ing stuff is a great way of having control, stretching the value of what you have, and things like that. So, they designed and built their house from the ground up, like, every aspect of that. This was while they were working full-time in medicine and, of course, raising me and my sister. I think the house started around when I was in first grade, roughly. So, I was just constantly around raw materials, DIY, tools everywhere…
JACK: Yeah. Yeah, but didn’t you get into magic also when you were young?
MG: Oh, I mean, what kid didn’t, right? But, no, once I got into roughly middle school, I got into magic, sleight of hand, deception, and all that cool stuff. I also got into trouble doing that. I brought a prop cigarette to school, got suspended for not taking it seriously enough…
JACK: You took a cigarette to school, a fake cigarette, and they suspended you over it?
MG: Yes, they did. I mean, it was — there’s even more to that story. So, yeah, it wasn’t really believable. One, a little — it looked like the tip was glowing, and you blow on it and some talc powder comes out. It makes a nice cloud. So, it was kinda believable. The teacher — like, whoa, what is this? So, they confiscated it. But then they were holding it and some of the talc came out of it and they were like, oh, white powder. Uh-oh. So, they called the cops, had them drug-test it. [Music] My buddy at the time decided to say, that’s not even how you’d smoke cocaine. Did not help the situation at all. But yeah, I think we both got suspended, and mine was specifically for not taking the situation seriously enough. It was kind of the start of my conflicts with authority. We’ll just leave it at that.
JACK: As MG grew up, he got influenced by his parents being in medicine and was gravitating towards biology. But the seductiveness of computers and technology would ultimately change his direction.
MG: I was really into biology until Quake. Quake came out, and that changed everything for me about computers. You had to learn how they work to play Quake, especially multiplayer. First of all, you don’t just run an app on your machine. Back then, you’re at least rebooting the Windows machine up into DOS mode. Oh, you want to connect with people? Cool; you’re gonna have to learn how your modem works and dial-up works and peer-to-peer connections work, and all these other things, and eventually that would migrate into modifying the game environment to play Team Fortress, kind of a modification to Quake itself.
Then you got multiplayer lobbies and all this other stuff starts happening. It’s like, wait a second, the computer does all these things. You can mess around with this. You can start breaking stuff. They weren’t checking client-side content, so you could modify player skins to be way bigger or have an XYZ axis sticking way farther out than the actual player was, so you could see them coming around corners. You can add a fluorescent coloring to the skin to make them stand out in the dark. That’s really cool to me.
JACK: Oh, that’s brilliant. So, if you make the enemy model extra big, then you can see them coming and give — you have the big advantage over. That’s amazing that you thought of that.
MG: Right? Or the skins of the walls and stuff like that, you can set them to partial transparency and see through those walls.
JACK: Most video game players at some point wished they had a faster computer. So, a lot of gamers get into overclocking. They force their computer to run faster than it’s designed for. But when you overclock your CPU, you run the risk of your CPU overheating, and it can get really hot and melt, which means you need to have a better cooling system. Water cooling is a pretty effective way to cool your CPU, but it requires all this extra hardware. You need tubes and reservoirs and pumps. But when MG heard that people were putting tubes and pumps inside their computers to cool them better, he was in. [Music] That sounded great.
MG: You get a pond pump, you get a heater core from a car, you go on McMaster-Carr — first of all, you learn what McMaster-Carr is, and you’re like, whoa, I can just buy chunks of metal pre-cut? Awesome. I’m gonna drill these out in my basement and plug them and create all these water channels inside the blocks, strap that to the processor and the graphics card, just start cooling everything down in the computer. It just kinda escalates and you’re like — that was actually a really good example of merging non-traditional computer skills with computers. It’s like, okay, we’re gonna merge shop class here or auto skills. When you’re — you’ve got this liquid moving through a multi-metal loop, you’re gonna get corrosion unless you understand the chemistry of how to block that with some additives. So, lots of really cool stuff to just pick up and learn.
JACK: Man, I’m the same way. I truly believe that getting hands-on experience is the best way to learn. For me, when I was young, that was looking for cheap or free computers to just play around with like a sandbox and build without the fear of breaking them. Having a playground to try out random things was very helpful to me. Like, what happens if you don’t put RAM in the computer? Are the fans actually needed? What happens if you disconnect the hard drive mid-boot up or take out a thumb drive while you’re trying to write to it? What if you try to delete all the files? I wanted to see all those things, and I tried them all because this is the stuff that was interesting to me, and I wasn’t finding it in textbooks. It vastly broadened my understanding of how all this operates.
[Music] MG’s first IT job was at a help desk fixing people’s PC problems, but one of his buddies moved out to San Francisco and started working on the 10,000-Year Clock. It’s a fascinating project that simply asks, can we build a clock that’ll last for ten thousand years? Clocks live a long time without an issue. Surely that can’t be that hard. But when you lean into the problem, it starts to get really tricky. First, it raises the questions; wait, are humans even gonna be here in ten thousand years? That’s not a given. So, if you’re gonna build a clock that’s gonna last that long, it kinda needs to function all on its own without humans around to help it. So, where does it get its power from? That’s an interesting challenge by itself. But then you think about the pieces and parts that it has to be made of. Everything must have extreme longevity.
Like, it’s gotta be entirely made of metals or ceramics. Plastics or rubber is just gonna wear out too easily. MG got fascinated with this idea and decided to join his buddy out in San Francisco to see what was going on with that project, and immediately he was amazed at the DIY culture out there. He met people from Burning Man who were creating art for art’s sake. He visited the Maker Faire, which is a really cool place where people show off their projects that they’re building. It’s so inventive and clever and inspiring. It was like everyone around him there was big into building things themselves or tackling really interesting problems or just had a really unique way of seeing the world. MG found his new home.
MG: The 3D-printed gun movement, that added a new layer to the whole thing. Let’s see, that was Defense Distributed. I think it was 2013 where they started showing off the first 3D-printed guns that were — there was a whole community that was working on these at the time. But Defense Distributed showed these off to the world and with so much bravado that it was impossible to miss. So, everybody took note. It had this interesting tone to it and this message that I was picking up, which is creation can also be power in politics. Like, you can’t take something back once you put it out into the world. So, you’ve gotta be thoughtful on how you do it, but also, you can’t take it back. Nobody can take it and make it go away. That — regardless of what you think about that specific topic, just the larger power and political nature of it was just fascinating to me.
JACK: Yeah, that was an interesting time. The US government has always tried to regulate guns by acting as a gatekeeper, controlling who can sell them, trade them, or move them across state lines. That’s where most of the laws live, not at the moment that the gun is used, but it regulates the system that makes it and delivers it. But the 3D-printed guns changed all that. It didn’t need to be bought or sold or registered or traced. It didn’t pass through any other traditional checkpoints. Suddenly, most of the regulations became powerless because you could just print one at home and no one would ever know. That kind of knowledge fascinated MG. There are certain technologies that once released changed the power dynamics of the world. It changes who’s in control. New types of technology allow you to completely sidestep outside the system that was supposed to be there to control and shape you. Yeah, that sort of thing intrigued him.
MG: That was also around the same time as Bitcoin was taking off, and I was also into that. I really liked it at the time, and the concept of it, just changing and decentralizing power. It was really sticking with me. So, this was also at the same time that the Snowden leaks happened. I didn’t know at the time what it would be, but I just — I really wanted to participate in that type of creation, right? I didn’t know what it was. So, I would join some of these groups and just kinda help them. Like, hey, I do IT; maybe I could help with some of your stuff. Or, I do security; let me help you. You can kinda see how the artist works, right? That’s kinda where I was at for a while.
JACK: So, you worked at Defense Distributed?
MG: Let’s just say volunteered.
JACK: Another thing that sort of shocked the world was the ANT catalog, which came out in 2008. This was some leaked NSA documents which showed different types of devices and technology that the NSA had in its possession and could use for missions if you were in the NSA.
MG: Yeah. So, the ANT catalog, this was commonly mis-attributed to Snowden. I believe officially it’s just another leaker around that time. But the NSA ANT catalog had this catalog of all this cool espionage tooling; hardware, software, just so many cool things. If you ever saw the back of a magazine with the spy catalog stuff back there with disappearing ink and whatever it may be, this was that just with an entire budget. So, one of the things in there was a malicious cable called the Cottonmouth. It had multiple layers of PCBs inside there. It looked really big and chunky, really complicated to make, but it also cost — you had to have at least a million dollars to afford for this and for the NSA customer population of their own department. But yeah, you had to have a million dollars just to get fifty cables. So, that’s twenty grand each. It was just cool seeing all of these things.
JACK: Okay, so this Cottonmouth cable that the leaked NSA docs showed was wild. It looked like a regular USB cable, but somehow it had the ability to install a Trojan horse on a computer wirelessly. So, if your enemy plugs in this cable to their computer, you could somehow get into that cable and infect their computer with malware. Now, for most of us at the time, we were blown away by the technology in this catalog. How was it possible for a USB cable to function both as a regular USB cable but also have the ability to infect a computer?
We were all wondering how it was possible, but MG was actually trying to figure it out. [Music] He was tinkering with hardware, building 3D projects, helping out at the Maker Faire, and building random things. Around 2017, he got an idea. There’s this device called a USB Rubber Ducky, which looks like a USB thumb drive, but when you plug it into a computer, it’ll automatically run a script that could infect your computer with malware. Basically, the Rubber Ducky was already terrifying, but MG wondered how he could make it even worse, and thought, what if he took the USB Rubber Ducky thumb drive and made it explode when you put it in a computer?
MG: I kinda spent a while making exactly that.
JACK: An exploding thumb drive.
MG: Yes. So, I’m a big Nine Inch Nails fan, so naturally I called this Mr. Self Destruct. So, the — why this is important here is because there’s not much space in a USB Rubber Ducky. It’s all PCB and components. So, I needed to figure out how to make space inside of a thumb drive while retaining Ducky functionality to an extent. I had a really limited version of it. So, I shrunk it down to I think what was ultimately an 8x12 millimeter PCB with a couple really limited components on it, just enough to run a tiny payload that can maybe open up a browser to a specific site, right? Good enough.
Then, it could also trigger an electronic detonator to then fire a firecracker or something like that and have a bunch of confetti in there. I was doing this all with the idea of this is gonna be just art I’m gonna present to the world in a video form, and, hey, everyone can just look at it, right? So, the payload was — you’d plug it into the computer; it opens up the browser, goes to a video of a Jack-in-the-Box animation. Jack-in-the-Box is cranking the box for an awkwardly long amount of time to build up tension, and then the explosion happens. Confetti goes everywhere. Pop. That was great.
JACK: Such a ridiculous project, but I love it.
MG: Since that’s happened, there’s been evidence of exploding thumb drives shipped to journalists and stuff like that that had RDX in it. That would — yeah, that would do a lot of damage, and it’s exactly why I did not productize that despite many people asking for it.
JACK: I mean, yeah, I was just thinking of the Hezbollah pagers at this point.
MG: Uh-huh.
JACK: Did those people see your presentation somewhere and be like, oh, that’s great?
MG: Oh god, I hope not.
JACK: So, he’s tinkering around with these USB drives that will physically self-destruct, and his buddy is like, hey, you should take those things to Defcon.
MG: I think it was around 2013. I finally made my first Defcon before wanting — I had been wanting to go for years, but 2013 was the first time. That’s where I linked up with a long-time online buddy, YTCracker, Bryce, and he kinda just introduced me to more stuff and showed me around the security space. It was very helpful for me at the time just learning and meeting more people. Yes; so, at Defcon I would absolutely make little devices that were just highly-custom one-offs or two-offs, maybe five-offs to people who wanted a custom thing. You had to know me, and — yeah, back-alley deals at Defcon.
JACK: Oh man, the back-alley deals at Defcon are always very interesting to me. The first time I went to Defcon, someone told me I should try to find and buy some rainbow tables. This is a list of hashes and passwords. You could download it back then, but it was a lot easier to just get it on a stack of CDs if you knew someone. The point of it is that it makes cracking passwords a lot faster. So, I went to Defcon and I started asking vendors, hey, do you have any rainbow tables for sale? They all said, no. What? LOL. Then eventually someone was like, hey, you said you wanted some rainbow tables? I was like, yeah. He said, you should go ask Paul. I’m like, who the hell is Paul? He showed me where Paul hangs out, and it turned out to be Paul Asadoorian. When I met him, I asked him, hey, do you have any rainbow tables?
He’s like, oh, I just ran out. I was like, oh, man. He’s like, I brought a bunch last year for Defcon, but there wasn’t many people who really wanted them, so I only brought a few leftovers this year and just ended up giving them away. So, that hunt to find secret stuff at Defcon is real and it’s exciting, and I’ve been properly blown away at some of the secret things I’ve seen people bring to Defcon. So, MG fell in love with Defcon. These people were just like him, building cool stuff, subverting the gates of power, and using technology to reinvent new things. A lot of people at Defcon are building just for the fun of it. The endless curiosity cannot be tamed in some people, and it sparked a whole lot of new energy and ideas for MG. Around that time, the whole world was shrinking at a rapid rate.
Like, for the longest time, we only had USB type A cables, the big wide ones that it takes you three tries to plug in, right? But then suddenly those shrank and then we got mini USB cables and then micro USB cables. Computers used to be big and clunky, right? Desktops, of course, but even small laptops; you couldn’t fit those in your pocket. But then the iPhone came out and you had a whole computer in your pocket. This brought forth a whole bunch of smaller computers like BeagleBoards and Gumstix and Raspberry Pis, tiny computers that you could fit into your pocket but were also pretty powerful. So, while the NSA’s version of this malicious cable costs them $20,000 to make, with all the miniaturization of electronics hitting the market, MG was wondering if it was feasible to build one himself for a far cheaper price.
MG: [Music] Yeah, exactly, right? The miniaturization of microcontrollers and other things like that certainly opened some doors for me in which I could experiment and play. You know, it’s actually important to mention right around this time is also when I met Darren Kitchen from Hak5.
JACK: Darren Kitchen was already making malicious devices like the Rubber Ducky and Wi-Fi Pineapple, and was also making YouTube videos to a channel called Hak5 to teach people how to hack.
MG: First of all, what a Rubber Ducky is — it does keystroke injection. What that means is it emulates a keyboard and will very rapidly type those keystrokes. So, I think the Ducky’s doing 150, 200 keystrokes a second. So, anything I could do at your keyboard, the Ducky can do for me. Great for IT sysadmin — IT sysadmin automation, but also, you know, maybe some nefarious stuff, too. If you don’t care about speed, payload size, you don’t care about all of these nice product aspects, you can totally compromise and get something barely usable in return for making it much smaller. That’s effectively what I did. I compromised on a lot of things. Even some basic electrical safety things I ended up compromising there. Like, hang on; this thing’s gonna blow up. What’s it matter, right? So…
JACK: To make his exploding thumb drive, he basically had to make a smaller version of the Rubber Ducky, and this gave him an idea. What can you do with a super-tiny keyboard connected to a computer? So, he decided to make his first malicious USB cable.
MG: It’s identical to the Mr. Self Destruct except it didn’t explode and it was inside of a cable instead. So, basically to put a payload onto this, you had to have physical access to the cable. You program it, and it’s gonna delay however long you tell it before running the payload after it gets plugged in. Like, the end, right?
JACK: Basically, imagine what someone could do if they had access to your keyboard. That’s what this cable did. It acted like a pre-programmed keyboard. If you plugged it in, whatever it was programmed to type, it would type.
MG: So, you could do some basic keystroke injection attacks, which — open a browser, open a reverse shell. You can do a lot of stuff. But it wasn’t this tool I knew it could be.
JACK: He was posting about this online and stuff, making a handful of them, and selling them in the corners of rooms in Defcon. But the first version was lacking features and really buggy. From his visits to Defcon, he met a guy named Fuzzyknob who got MG a job red-teaming for a Fortune 500 company, which was MG’s first cybersecurity job specifically hacking into places to test their security. How cool is that? But while he was at work doing his red-team stuff, [music] he just kept thinking about, how can he make this little device better?
MG: So, obviously the next step is, well, what could that product actually be? The next time I had a vacation, which was actually in-between jobs — so I had — I think it was six weeks between my first red-team job and when I was leaving an IT role. So, six weeks in-between. I’m like, you know what? I have not figured out how to design PCBs yet, so I’m gonna get a mill.
JACK: PCB is printed circuit board. It’s typically a green board inside an electronics device that has the capacitors and resistors, and they’re soldered onto it. A mill is a way to create one of those PCBs yourself, making the traces and drilling holes for the components. So, he spent six weeks learning how to design PCBs and created them on his mill.
MG: The cool thing about a mill is that you get rapid iteration. So, with software, you can just change some code, save it, hit Compile. Seconds later, you can test. But when it comes to a PCB, it’s usually weeks. You gotta design it, send it off to a fab, wait for it to come back, then you assemble the components on it, and then you test it and debug it before you can even get a change you want to make to test it over. But with a mill, you can do some primitive stuff. I can’t get super-advanced here, but you can test some basic things to — you do it in the span of a few hours, and make a revision, kick it out again, and just maybe go through two, three revisions in a day, easily, depending on how complex it is. That allowed me to level up really quickly.
JACK: So, he spent a lot of time in his home lab trying to jam more features into this cable of his. But one thing bugged him about this cable; you have to physically take control of it to program what keys it will type. It would be way better if you could plug the cable into your target and then tell it what to type remotely. So, he was fiddling around, trying to figure out how to give this thing an antenna or something, maybe Wi-Fi, in the smallest way possible.
MG: The Wi-Fi radio allowed it to connect to networks or you, with a phone, to connect to it. There was no need to get access to the cable to update a payload on it or to trigger a payload. So, that changed the entire value of this, being able to dynamically change what it did while it was in play.
JACK: Yeah, so instead of blindly hoping your cable is typing the right keystrokes that you pre-programmed it to do, now with Wi-Fi, when this cable connects to a computer, it’s almost like it turns into a wireless keyboard. Whatever you type on your phone, those keystrokes would show up on the computer it was plugged into, but it didn’t look like a keyboard, of course. [Music] It looked like a regular USB cable that you typically have hanging off your computer anyway. This made it a very spooky cable. Suddenly, USB cables were no longer safe. This malicious cable was starting to finally look promising. The first version didn’t have a lot of functionality, but this one, this one’s starting to look sharp. So, he came up with a name for this cable, the O.MG cable. It works for so many reasons, but since his initials are MG, then O.MG is a nice fit.
MG: That took off. Then Defcon was coming up, August 2019. I’m like, okay, this is getting a lot of traction. So, by August I wanted to have some of these things to actually sell. Now, I was making them still from the ground up in my kitchen, basically. It took me eight hours per cable, on average, to make these, and the components were so fiddly and tiny that fifty percent of them were failures. I would throw out fifty percent. That turned into — if you do the math on that, that is sixteen hours of work per viable cable. Really not scalable, but you know what? I just wanted as many as I could for Defcon, right? So, I just focused entirely on this in my free time while still doing my red-team role full-time.
JACK: You have to think, he’s trying to fit a microcontroller inside a USB cable so that nobody thinks there’s a microcontroller in it. He’s working with incredibly small components, soldering under a microscope, sometimes with exposed silicon, with almost no room for error or it won’t fit in there. So, he makes as many as he can and brings them all to Defcon to sell. He’s leveled up from the back-alley deals by this point, and Darren from Hak5 was letting him sell them out of the Hak5 booth.
MG: They sold out. Everybody wanted them.
JACK: They sold out fast. So, Darren was like, why didn’t you bring more? MG was like, because they take forever to make. So, Darren started teaching MG about mass-producing electronics.
MG: Okay, let’s learn how to do manufacturing. Find somebody who can do certain steps. So, we got one person — one factory who creates the raw PCB, another factory who assembles the components, solders the components to the PCB, and another factory who integrates those PCBs into a cable. Even at that point, there was still plenty that I had to do after receiving them; final assembly, putting the hoods on, gluing the hoods on, running QA, calibrating them, running — putting firmware on them, packing them, shipping them off to the — all that stuff. But anyway, doing any of this outsourcing would have been a huge help for me, and that’s what the goal is.
So, it took about five months of back and forth, teaching the shop how to do what I needed. So, I get the first batch. This was the tail end of 2019. [Music] I finished the assembly. I do some basic tests. I flash them, pack them, and I send them off to the Hak5 warehouse in like — I think it was January 1, 2020; start the online sales. This is where I quickly learned it was going to take a lot more work to have a manufacturer do what I needed. Customers started having issues, and it was all over the board. There was no obvious pattern.
So, I had to do a lot of investigating to discover what was really going on here. Just really weird problems. It was probably an upstream manufacturing problem, but I couldn’t think about the upstream manufacturing. I had mostly-finished product currently in hand, and if I couldn’t sell that, that was a gigantic loss, like financial loss. Like, mortgage-the-house-level loss that was a little bit scary. There were enough issues happening with customers that I just decided to pause the sales and figure out what was going on.
JACK: He analyzed the cables coming back from the factory and found that on the power supply inside the cable was a tiny, microscopic crack, and to his horror, it was on over half the cables, which meant his first batch of cables — half of them had to be thrown out. A huge financial loss for him. He had to teach the manufacturer how to test for quality at every stage of the build process in order to find exactly where the cracks were coming from. He discovered at some point the manufacturer would throw all the finished components into a bag to give to the next build stage, and when they were getting all jostled around in the bag is when the cracks would show up.
Typically, that may not be a problem, but since he’s working with such small components where silicon is exposed in some areas, then it was damaging the circuitry. So, he got that fixed and was back on track, and he was back to selling the O.MG cables to whoever wanted them online through the Hak5 shop. These cables look amazing. They look exactly like a normal USB cable, one that you would charge your phone with, and you would never be able to tell that it’s a malicious one. It’s supposed to be stealthy like that.
MG: One of my manufacturers lost an entire box of cables. Could not account for it. So, the way the cables are configured, they’re not very useful, luckily. They’re not hot, so to say, but there’s a good chance that this box just got shipped to one of their customers who was expecting totally normal USB cables. So, there is absolutely a chance that there are some O.MG cables just floating out there. I forget what the exact number is; like a hundred or so, which is kinda scary.
JACK: MG strikes me as someone who just obsesses over making his cable better and better, and it’s amazing how he’s constantly improving the manufacturing process and the functionality and the build quality of the whole thing.
MG: For the first several years, I wasn’t trying to focus on profit here. I was just — every dollar that we ended up getting that turned into — be product, I’d put it right back into improvements, R&D, because it was a passion project. I mean, it still is, right? But that just allowed me to focus on so many trivial things. The cable clips themselves — so, people would routinely lose their cables, so we started creating these fluorescent clips that we would include with the cables to prevent that, right? You can take them off if you don’t want it or just keep it on, whatever. But this was — I’ll make this one short, but it’s another example of scale in a hilarious way. It’s so simple.
So, I’m 3D-printing all of these little clips, these fluorescent clips, and they’re great when you got a few of them, but when you got a hundred or a thousand in a bag, they start getting tangled. So, that’s really annoying to pull out tangled clips when you’re trying to pack envelopes. So, I redid the design. Okay, now I’ve got tangle-free clips, you know, and now we got the woven cables that are more snag-less and things like that. How can I speed it up so I can get a bed of 600 clips in a single 3D-printed bed without it cascading and falling apart? How can I improve the labeling process from a hand-held labeller to an automated-machine-done labeller? It probably doesn’t make financial sense to do it, but it’s fun to automate and obsess. So, yeah, point being, I have the opportunity of obsessing at the sacrifice of profit.
JACK: Now, over time, his cables have gone through many revisions, a lot of feature upgrades, too. So, if you were to buy an O.MG cable today, here’s what it can do.
MG: It comes in all types of different forms, whether it’s got a USB-A or USB-C active end. In the passive end it’ll have Lightning, micro, USB-C, usually meant to emulate the aesthetics of exactly the common cables that are out there. It acts exactly like a normal USB data cable, right? But it’s got an implant inside, as you can probably deduce by now, and that thing stays dormant. But an attacker can remotely connect to it via Wi-Fi nearby, or they can have the cable connect out over the internet to a server you control anywhere. It can also do some autonomous things like geofencing and triggering things automatically based on wireless networks it does or doesn’t see, right?
Okay, cool, but what does that do? So, you get a whole web UI on a full or a laptop, whatever it is, that gives you full control over this cable. We already talked about keystroke injection payloads, emulating a keyboard. We cranked up the speed at which these things can run to nearly a thousand keystrokes a second, added some mouse injection as well, so you can navigate a mouse around the screen, click on stuff, expanded the capacity of these things to store hundreds of individual payloads if you want or just really giant payloads. The name of the game is always just flexibility. So, if you want one giant payload or two hundred tiny ones, cool.
You can do that for your need. We added USB key-logging a while back. So, if you deploy a cable between a keyboard and a desktop or a laptop, which happens a whole lot in corporate spaces, you can log those keystrokes if it’s a full-speed keyboard. Most recently we added kind of a novel communication link. So, we’re calling it HIDX StealthLink. What it does is — imagine a network interface that looks like a keyboard to the host. So, it says, I am a keyboard, and it looks like a keyboard if you open up Device Manager, but it’s got a bidirectional raw data link. So, if you’ve ever used Netcat or something like that to create little tunnels for data, same concept.
So, you can have a remote shell running on the target that’s on a completely air-gapped machine. It doesn’t even have a network interface. So, very cool. I had also mentioned a lot of these other types of features like the ability to run self-destruct, the ability to do geofencing. The self-destruct specifically is to wipe the data. So, if you’ve got some proprietary malware on there you don’t want to be found, if it gets lost, we can help wipe that. If you got keylogs on there with sensitive data, like, I don’t know, passwords or whatever it may be, cool, we can wipe that. You can also disable the cable so that it just stops acting like a cable, and hopefully that’ll encourage your target to throw the cable away and get it out of play. That’s kinda just a high level of all the different things it can do.
JACK: Yeah, this thing is pretty scary, and it’s one of those things that now that you know a normal-looking USB cable can be an evil thing, it makes you distrustful of all USB cables. Like, if you see a random USB cable sitting around, it might be some sort of trap that someone left for you, hoping that you’ll plug it into your computer so that they can get into your computer. I’ve got it in my hand here and I’m looking at it compared to another cable I have, and it is identical. It’s crazy how…
MG: Nice. Which one is it?
JACK: iPhone one, Lightning.
MG: C to Lightning or A to Lightning?
JACK: C to Lightning.
MG: Oh, so, funny story about that one; if you hold up the C — type C ends and look at the white hoods, I delayed that cable by — I think it was a couple months because it was 0.3 millimeters longer than the actual thing. So, I was just like, oh, man, it matters. It didn’t really matter, but at the same time, the guy who does the front-end work for us is blind. He was a customer originally when we released the keylogger edition of the cable, and he came to me. He’s like, dude, I’ve got — I’m feeling these two cables side by side, and I cannot tell the difference. So, that was amazing to me.
JACK: Yeah, it’s just remarkable. Going back to the ANT catalog and Cottonmouth, I wonder if the NSA has bought a thousand of these to be like, oh, this is so much cheaper than the $20,000 per unit we have, and it has way better features, and we don’t have to run the R&D and all that sort of thing. You have any idea?
MG: I mean, I’ve heard some whispers that I probably shouldn’t talk about, but I’ll say this, is that there’s many reasons why that could occur, which, I mean, sure, price point — yeah, absolutely. Maybe ease of use. I can’t really speak to what the product experience is of their stuff, but I can suspect. But here’s another thing, is deniability. If you found a Cottonmouth cable, you’re gonna know where that came from, right? Or especially if you’re certain intelligence services, you’re gonna have a good idea of who made this highly-custom hardware. But if you’re seeing something off the shelf, there’s some deniability in there for NSA as an example, right?
Like, I don’t know where that came from. That’s just an off-the-shelf O.MG cable, right? So, I would imagine — yeah, I have certainly talked with numerous people who are in that space whether directly or kinda third parties employed by them to do tests and stuff like that where these are absolutely in a whole lot of those types of environments for various needs whether it’s testing, third-party assessments like red-teaming, stuff like that. I’ve talked to police departments, stuff like that, who are using it for all kinds of different needs.
JACK: Yeah, but again, it’s that interesting aspect of circumventing things, right?
MG: Yeah.
JACK: So, before, Cottonmouth was only available to US intelligence agencies and maybe Five Eyes. But now the O.MG cable is available to the world, so all of NSA’s adversaries also have this, and that is interesting that it’s — the technology isn’t only in one person’s hands now but that there’s a level playing field of like, nope, we’ve got that, too.
MG: Yep. I mean, at the same time, I think it should be. Like, if I could have made that the way I did, I feel like others can make that, and therefore it was just a matter of time. Whether or not we heard about it in public was probably the only question there.
JACK: That’s an interesting way to look at it, right? It used to be that only an exclusive group of people could get their hands on such a thing, and now anyone can. Yeah, that’s scary that this thing could be anywhere now, but maybe the bigger danger here isn’t when the cable went public but when it was kept secret, when the only ones who had it were shadows, people who didn’t want you to know they had it, people who didn’t want you to know this existed, people who didn’t have to follow the law. I mean, compare it to smallpox. For centuries, people died of smallpox, and we had no idea why. But then we discovered what it was and we learned how to contain it, and then we learned how to fight it, and then we learned how to defeat it.
But in that process, we learned how to weaponize it, and that’s the double-edged sword of knowledge. We’re in danger without it, but we’re dangerous with it. We’re gonna take an ad break here, but stay with us because when we come back, MG’s gonna tell us stories about how this cable is used in the wild. So, over the years, people have shared stories with MG about how they’re using his cable, and have asked for some really interesting feature requests. One story he was told was from someone who’s a red-teamer for the DoD, the Department of Defense. That is, his job was to try to hack into the US government’s networks to test their security.
MG: This team posed as an Xfinity tech via e-mail and phone. So, they got a legit comcast.net account which literally every Comcast customer gets, but you got username@comcast.net. They’re just like, you know what? We can pretend to be a Comcast employee with that, and I bet it’ll pass. It did. So, after some back and forth with this target, they set up an appointment. They found some Comcast/Xfinity clothing at a thrift store, stuff like a hat and jacket. They did some OSINT, found some fake IDs, printed those out. They show up. [Music] They say, hey, we only need access to the MPOE. MPOE is main point of entry. So, that’s where they — the line comes into the building, typically the basement or something like that. Tends to be a lower-security area compared to the server room.
So, they’re given access, and they install a small device that allows them to remotely disrupt that line, the main line of the ISP, in the future. So, they leave, they wait a few weeks, let everything kinda just settle, and then they start causing disruptions. They return on site. They ask to look at the MPOE first, which lets them reclaim that remote device that they had planted. They say, ah, it’s not fixed. I see you’re having issues, but we’re gonna need to find the other end of this cable. Where does this go? They knew that’s gonna be going up to the server room, typically. So, they brought them up. They brought two supposed Xfinity techs up. There was a camera in the server room. So, they had two techs; one tech would strategically block the camera with their back each time the other needed to deploy a piece of hardware.
So, at first they deployed two different malicious network devices, two different types of things, but then they see a server with a monitor and a keyboard hooked up, and then there’s a USB cable hanging off of it. I think it was an A-to-micro. It seemed to be for charging a wireless mouse, right? There was a wireless mouse nearby. It was just like, dude, that is the perfect spot for an O.MG cable. I think we got a perfect match in the kit. So, they pull it out. They noticed, oh, this cable even has a very distinct scratch on it. I’m gonna scratch this cable, make it look perfect, right? They were obsessed with the details. The cable is already configured to connect to their guest Wi-Fi and then call back to a C2 server.
They wait for an offsite teammate to confirm that the cable’s now connected not only to that, but back to their C2 server. That means they got full remote connection from anywhere. They were left unattended in this room for a little bit, so they call the target back. They’re like, hey, I think the internet’s fixed. Can you check it out? They use that same server that they were eyeballing to — oh yeah, it looks like the internet’s good, which gave them a little bit more insight into what’s running on that server. They leave and kinda start their initial work. They’ve got these tools in play. Now, within a day, the target knew something was up. They found at least one of those malicious network devices which immediately led them to the next network device that was in there. It got cleaned out. Everything is fine.
JACK: What was the malicious network device? It’s not the O.MG cable. It’s…
MG: It’s not, yeah. It’s other hardware that is not as physically stealth.
JACK: Oh, okay. So, they left it there as dropboxes, kinda thing.
MG: Yeah…
JACK: Okay, gotcha.
MG: …something like a dropbox. It was slightly disguised, but it’s visibly there. It’s like a new thing. So, they picked up on that, and immediately — okay, we got a — there’s an issue. We don’t know how this got here; sweep the room, cleared out…
JACK: Okay, and this is kind of how pen tests go.
MG: Yeah.
JACK: It’s like, let’s go at stages, right? Let’s first see if we can be super stealthy, and then if we didn’t catch us, we’ll be a little bit more sloppy…
MG: Exactly.
JACK: …and then if they don’t catch us, we’ll be overtly breaking rules, and if they still don’t catch us, then they’ve got a lot to explain, and we could try stealing company cars or something, and what’s the next step, right? So…
MG: 100%.
JACK: …I’ve heard these stories before, and it sounds like that’s what they were doing. Like, we’re gonna put a super-stealthy thing in, a medium-stealthy, and a very obvious — this thing shouldn’t be here.
MG: Yeah, but the funny thing is they did a whole remediation sweep and they didn’t catch the O.MG cable. It’s still — it was still in play after — like, hey, red alarm; something happened here. Sweep it. We found two malicious devices. But the thing is the cable was dormant. It hadn’t run anything. It was just sitting there connecting to their guest Wi-Fi, waiting. So…
JACK: Yeah. I mean, what would have triggered the other device discoveries? Were they doing stuff?
MG: Yeah, they were more active, so definitely go looking — but, you know, it depends. What would you assume if you’re like, oh, there’s malicious hardware in here? What level of sweep do you need to do to that room and how thorough does it have to be? But, hey, the O.MG cable survives an active sweep. So, the server had some constraints that made things a little bit difficult, which was probably why they were a little less thorough, which was, a) they had some EDR in their endpoint detection-and-response tooling that would have detected any form of malware persistence. So, they can run a payload on this and deploy some malware that would just live until the server rebooted.
Also, the entire OS was just completely wiped about once a week. So, even if you did have persistence, that’s still getting wiped. That’s a pretty locked-down environment, right? But since they had a cable attached physically at all times, that was the persistence. So, anytime they lost the malware connection, they would just rerun that payload. Boom, they’re back in. They’d change the payload over the times, but ultimately this allowed them to run and just work completely undetected for what turned into a six-month period of time. The only reason the exercise ended was because they — the contract came to an end and they needed to wrap things up to explain the full processes and procedures they were using for the op.
JACK: Is this kind of what you were hoping to — like, this is exactly the story that I was wanting someone to do this with, is stick it in a place, have it be there forever, you can get in there whenever you want, have the remote persistence, trigger payloads, get into systems, and no one’s gonna detect you forever? That’s gotta be exactly what you were hoping, right?
MG: Oh, absolutely. There was just so many like — oh, yes, you used a lot of the features to just really push this, and it makes me happy ‘cause it’s — are we doing Rickrolls? Are we really pushing the boundaries and improving environments and just doing some really cool James Bond shit? Yeah, that’s — I love that.
JACK: [Music] Because MG has brought this cable into the world, he’s met some very interesting people from all around the world and heard some wild stories. Like, there was this one person who was telling him how he used the cable to get into an air-gapped computer. That is, there’s no way possible to hack into it from outside. The reason why the computer was air-gapped is because it was part of a digital forensics lab that was collecting evidence and looking at computers without the risk of any of that data getting out.
MG: This group was hired to audit an entire security policy, including the physical security of the building. So, they monitor 24/7 with a whole bunch of cameras at all sides of this building that they had deployed, and it was really hard when there were guards present just constantly, 24/7. Everything was fully access-controlled. It was all logged. It was all audited. How are they gonna do this? Of course, the goal was get — to gain access to that evidence computer which was air-gapped. Had access to that large SAN for storage via network. After a whole bunch of discussion, they decided, you know what? We’re gonna use an O.MG cable.
JACK: Their first idea was to submit a hard drive that needed to be forensically analyzed by that computer, but then throw an O.MG cable in the package, and hopefully the tech opens it up and pulls out the cable and says, oh, I’ll use this to plug something in. But they thought, no, that might not work. They probably have their own USB cables in the lab, and they’re not gonna use the one in our package. So, they decided to get a USB external hard drive.
You know, the ones where there’s a hard drive with the little USB pigtail coming off of it, and you just plug it in your computer and you can see it as an external drive. Well, they cut that little USB pigtail off and then snipped off the end of the O.MG cable and soldered it onto this hard drive, because the O.MG cable only has one active end, and the other end — it really isn’t needed for anything. So, they just took the end with all the functionality and stuck it into this hard drive so that when the forensic tech opened it up, they would have no choice but to plug in this USB hard drive into the computer.
MG: Now it’s integrated to that drive, and the drive looks like a totally normal drive. It’s the cable of that drive that suddenly is the problem, and it stays dormant. So, yeah, put all these different payloads on there in advance. The most important note; they ran a boot pay — so, a boot payload on this thing is it run — on an O.MG cable, it runs every single time the cable powers on, so when you plug it in, right? So, they include a geofence that would check to make sure it’s in bounds. It’s like, it’s at this evidence computer, which — they were given some insider info on this one to make it safe. They’re like, okay, here’s the network that you should use to keep this in play, basic checks to ensure it only ran on that evidence system, so, something an actual adversary wouldn’t do, but when you’re a third party trying to keep everything safe, you do a little extra.
So, they placed the hard drive in an envelope with the — let’s just say required labeling that they were able to find via some public record requests. Say, hey, this is probably what this envelope should look like to make it believable. So, they turned it in at the front desk via a courier service which was totally not a courier service; it was them. They advised, hey, this is for an active thing. It’s needed for legal discovery. Probably need it soon. Done, right? Now, the drive sat for two weeks unplugged, just waiting, right? But then it got plugged in, and once it was, they got a notification that kinda detected when it would come up, and they left it plugged in for six days to do a full image of this drive.
So, they had intentionally kinda downgraded the speed to USB 2.0 to get a USB 2.0 connection on a four-terabyte drive. So, they were imaging this thing for six days, which means six days they had an O.MG cable plugged into the evidence computer. Now, they could have set up a bunch of automated payloads and stuff like this, but for damage control, they decided to keep an active human in the loop for this whole thing. So, when it got plugged in, they got the alert. They returned and accessed the cable from basically the lobby or the parking lot, right? One payload allowed them to create and modify files on both the local system and, more importantly, the SAN. That’s where all the evidence is, right?
You can manipulate the evidence. They have just proven that. Evidence is supposed to be just pure and untouched. Then they noticed that — okay, yeah, obviously the SAN — you need a network to connect to it, so it was connected via Ethernet from this machine. But they learned that while the evidence machine was supposed to be air-gapped, it was only by DNS. So, instead of doing a domain name connection out, you just connect out via IP address, and suddenly, hey, it’s working. You can connect out to the internet by just going direct via IP. Boom. Now they got the ability to exfil evidence from the storage device out over the internet. I think you can immediately assume some terrible scenarios where that’s a big problem.
JACK: How prolific is this cable? How many companies out there are using it?
MG: One day I’ll probably find a way to disclose that, but basically, I don’t know many places that don’t have one.
JACK: What?
MG: Yeah, it’s — I’m continually amazed. I learn about new places that I didn’t even know exist. Like, wait; a) you exist. That’s crazy. B) You have my stuff? What? Okay, cool. It’s a wild ride going from — I’m just making something that I thought was borderline art in my kitchen to all of these types of stories I am telling you. It’s a little hard to digest sometimes, but at the same time, I’m trying to take it very seriously.
JACK: Yeah, but I mean, Hak5 or even your own website could be used by these companies if you do know which ones.
MG: Oh, I mean, yeah, I think that would be bad form. There’s a lot of companies that probably don’t want that info out there. I think have — I will list the media that it’s been seen on, like Nat Geo and stuff like that. I just saw the O.MG cable in a Netflix episode, apparently, of Zero Day. They’re talk — I think it was Robert De Niro talking about the O.MG cable on screen, and I think Jesse Plemons’ face was in there. I’m like, dude, what? That’s wild.
JACK: Okay, so, Hak5 is who sells these things. Is there anyone they don’t sell to?
MG: Yeah, so — absolutely. They have a couple ways to think about this, and I’m gonna just generalize it here a little bit to make it easier to understand. But basically you can kinda think of three categories of countries, first being countries who are explicitly allowed. You could kinda think of those as friendly NATO countries and Five Eyes, right? Then the second category would be countries who are explicitly disallowed. So, think sanctioned countries like Iran and North Korea. But then you got this third category — is countries who are on neither of those lists. So, if the goal was to make as much money as possible, you’d be selling to that third group.
But if you’re trying to do more than the legal minimum, you might avoid selling to that third group, especially if you’re operating in a space that many people perceive to be a gray area. Even if it’s not a gray area, perception still matters. But Hak5 only sells explicitly to the allowed countries and skips over that third group. It’s a voluntary decision on their end, but it’s also a factor of kinda having to be more diligent when you have tools that are more capable. So, toys versus professional tools kinda steps up the level of attention to following the rules and going a little bit over the minimums, right?
JACK: Those rules fascinate me. It’s really export controls that the US government has set up where certain electronics can’t be sent to certain countries. The classic one that just came to mind ‘cause of recent events was the — DeepSeek surprised us all with their AI ability.
MG: Yes.
JACK: Then it turns out that they had tens of thousands of Nvidia cards, which I believe is against the export control rules. Nvidia is not allowed to send tens of thousands of these cards to China. So, it’s just like, well, how come Nvidia didn’t get shut down or fined or slapped on the wrist by the US government…
MG: Right?
JACK: …for selling so many of these? At some point they gotta be like, okay, we need more, we need more. Okay, who are you distributing this to? Oh, don’t ask. Okay, so, I don’t know, I just wonder if these — the export control rules even matter or if they have teeth or if anyone follows them, ‘cause honestly, I’ve filled out forms before and sometimes it’s just a checkbox; do you live in any of these countries? No. Okay, good, we’ll send it to you, then.
MG: Right? I think the Nvidia one’s a pretty good example. I don’t think all of their products are export-controlled. So, this probably goes back to the capabilities and the toys versus the upper-end stuff, and can you do good or bad things with them? Almost dual-use kinda territory. Ultimately any restriction, kind of as what you were getting at, can be bypassed. But introducing any degree of friction generally is good if you’re trying to stop a certain activity. Perfect controls are hard. It’s a balancing game much like almost all security defense is, right? We often get that wrong in the security industry. It’s like, oh, it’s not perfect, so it’s not worth doing.
It’s like, not necessarily. Speed bumps help to some measurable degree in a large scale. But it’s worth reminding; again, Hak5 is the only entity I sell to, but — and as much as I love not having to worry about it for my own stuff, I absolutely love supply chains in general, especially when you look at them from the offensive security mindset. So, I’m totally with you in terms of being fascinated. I think that stuff gets way too little attention, and if you focus on it, you can wield crazy amounts of power if you understand it. So, yeah.
JACK: Okay, so you’ve told us a few stories of your cable being used for good. Do you know any instances of it being used for bad? Does anyone tell you about those stories?
MG: So, I don’t know of any stories specifically for my stuff, but Hak5 actually had a semi-recent example that is super applicable here with their Wi-Fi Pineapple and the Russian GRU. So, let’s — what was this? So, the Wi-Fi Pineapple, it’s specifically designed not to be perfect. This is for doing security pen tests, right, not for evading. That’s the product design. So, simple things like MAC address randomization are omitted. What else? There’s a certain way it sends management frames that could make it harder to fingerprint if they modified how that works, but they don’t.
It’s intentional, ‘cause the product is meant to enable pen testers to do Wi-Fi audits where they’ve got permission not to evade the detections. So, anyway, late 2018, Russian GRUs caught in Brussels targeting, I believe, UN facilities, right — not the place if you were making this that you kinda want to see your stuff showing up. But the Wi-Fi Pineapple was being used in the trunk of a car, and that explicit choice to not make the device super stealthy definitely helped law enforcement track this down and figure out what was going on probably a lot faster than if they made other choices in their product design.
JACK: Well, I’m surprised there’s not more malicious intent stories, because — you know, I just go to the grocery store today and the cash register — I could see the back of it. I can plug something into the back if I wanted, and there are so many other restaurants and stuff where I’ve seen a computer exposed. At the bank — I was at the bank, and the back of their computer was easily there, that — I could just pull a cable out of my backpack, shove it in, and they wouldn’t know. I’m surprised there’s not just stories of people using this to rob grocery stores and banks.
MG: I mean, there — behind the scenes, and I don’t think a lot of people see it, I put a lot of work into just gaming out all of the potential risks to minimize that. It’s not perfect. It’s totally possible that bad things will eventually happen. There will be a news story. But I think over the last five to six years it’s been sold, I personally cannot point to any news stories where a bad thing happened, whereas if you compare it against other peer devices — let’s just say that — in the field, I think there’s quite a bit more news stories just comparatively, if we’re taking a sampling. So, that track record I’m just very happy with so far.
JACK: I mean, you can — I assume that people are buying this and using it for malicious intent. I mean, you self-described the thing as a malicious cable, right? So, we can assume that people are gonna do bad things with it. But I worry about your liability here because if you’re saying I have a malicious thing, this thing is very dangerous, you could do this and this and this with it, and someone’s like, great, I’m gonna go do that with it — but it says here — I have the package in front of me and it says do not use this unless it’s on a network that you are — have permission to use and such like that. I wonder if that’s enough to make you not liable for people actually using this maliciously.
MG: Yeah, so…
JACK: ‘Cause, the thing is that you’ve got people who are malware creators out there, botnet creators; they don’t unleash it to the world. They don’t spread it. They don’t infect people. They just make it, and then they’re the ones who are going to jail for this.
MG: Yeah. There’s definitely some differences there, but just, is that legal message enough? Absolutely not. Not for me. When you’re in the gray areas, you can’t just do the minimum. It’s also important to point out that legal is not the same thing as ethical, which is, again, why it’s not enough for me. Product design, like I mentioned, detectable defaults, they’re not legally required, but I think they’re critical in terms of reducing harm. Community management — like not just dropping a tool and then letting the Lord of the Flies happen, for instance, right? We’re talking about a lot of nuances. You and I right now are talking about a lot of nuances that a lot of people haven’t spent the time thinking about.
So, I think it’s good to try and share those nuances and just generally keep things from going off the rails within those communities, ‘cause this, again, helps the outcomes. It’s sort of like open source. A lot of people will just drop code and call it done, but it takes a lot more work, in my opinion, to do it responsibly. You gotta — real open source is code that you’ve cleaned up, that you’ve maintained, and the community around it has maintained, too. It takes work and effort. But it’s also important that — this isn’t just about self-preservation, which is kinda the topic here. It’s about community preservation as well, which is really important.
So, one entity just being too reckless is basically all it takes to ruin it for everybody, and there’s tons of examples of that type of thing happening. Obviously if my goal was to push the limits of the law, then sure, my answers would be different. But my goal is to push the limits within security. I guess that — I want to keep focusing on that, and that’s why I spend tons of time thinking about all the ways I can reduce harm and risk in all the other areas. This cable started off as just a one-off, a proof of concept, but it moved over time into large manufacturing, sales, and the way I think about the risks has evolved along the way right alongside that.
JACK: Yeah. So, you talk about supporting the community; I assume that’s the ethical hackers, the white hats of the world…
MG: Yep.
JACK: …that have permission.
MG: Yeah.
JACK: And that’s great that that’s your intent to help improve security for networks, to help people test it ethically, but that intent, I think, does — is what matters in the eyes of the law and a lot of situations. You just told us that you’ve sold these things in the back alleys of Defcon and dark corners. Defcon in general is a place that has malicious actors and criminals. We’ve seen people get arrested there and such like that. So, I wonder if there’s any sort of — if that’s proof enough just to be like, no, this guy sells it at Defcon; of course he’s got malicious intent. There’s no way he’s doing it — like, he would be selling it at a legit conference that’s just all about securing and not hacking. This is a hacker conference.
There’s just something there that — and not just that; there’s — people might come to you and they’d be like, hey, I want this feature, and you’re like, oh, that’s a good idea, and you add that feature. Maybe that — you judge them first and be like, wait, hold on, who do you work for? Do you have permission? Or do you hear people be like, man, I keep plugging it into the bank and the bank keeps popping me. I need a feature to be more stealthy. Then you’re like, wait, hold on, I’m not gonna help you. There’s gotta be this world of who you actually do business with and who you don’t or who you help and who you don’t, because, again, that intent matters. If there’s a criminal coming to you and saying, hey, I need this for criminal reasons, do you — what do you do there? Because that’s where the intent comes in, right?
MG: Yeah, so, helping could be, again, anything, right? It could be operational advice for running an op, it could be feature changes or additions. It could even be custom hardware. I’ve been offered thirty grand for a cable, and I have turned it down because it’s like, hey, this could risk the future. But there’s also other things. People will come in, they’ll have — they’re clearly not in the space of information security and they’re trying to do some spouseware stuff. I’m like, as soon as I get a hint of that, it’s like, immediately no. Also, what you’re doing, I just have tons of issues with. You need to redirect this. Spend your money on couples therapy or something. This cable is not a marital aid.
JACK: Well, yeah, see? This is what I imagine, right? So, there’s these privacy phones of the world, and they specifically wanted to help criminals, right? So…
MG: Yes.
JACK: …they would enter — they would get them in the hands of drug dealers and such and say, what can we do to make these phones more private? What features do you want? That’s what made the people who made the privacy phones go to prison. We have phones that are secure, even the iPhone, right? It’s secure to some degree, and you don’t see the Apple team going to prison because they’re making things private or secure. But it’s the fact that they — those other privacy phone creators were doing things to work with criminals. So, I imagine some, I don’t know, street hacker gang being like, alright, MG, we got all these cables but we need it to be one step better here. We need you to put this in. I just imagine this world where people are approaching you and you’ve gotta be like, sorry, I will probably go to jail if I help you, so, no.
MG: Again, kinda like as you were pointing out there, I don’t do this for just anyone. I get to know who they are, who I’m giving custom help to. Actually, so, the operational stories I’m sharing with you were from those relationships. Ultimately, you need to do some due diligence, kinda like you were saying; contact the entity being targeted, verify a contract for offensive work is in place with the other person asking for help, simply verifying the identity of the entity asking for help to ensure they’re legit, definitely not just offering it up to anybody. I have turned down very large offers of cash because it wasn’t exactly where I wanted it to be.
(Outro): [Outro music] A huge thank you to MG for coming on the show and sharing these stories with us. You can find more about him by visiting his website, which is o.mg.lol. This episode was created by me, your pseudo-mama, Jack Rhysider. Our editor is the last jpeg, Tristan Ledger, mixing by Proximity Sound, intro music by the mysterious Breakmaster Cylinder. Sometimes I feel like the biggest cybersecurity threat to myself is my future self, that version of me who forgets to update software or reuses a password or falls for a phishing e-mail. So, to stay safe, I started locking myself out of my own accounts. Let’s just say future me and past me now officially hate each other. This is Darknet Diaries.
[END OF RECORDING]