[START OF RECORDING]

JACK: The Cardiff Giant is an interesting story. In the Bible, Genesis 6:4, it says there were giants on the Earth in those days, and they mated with people and created mighty men of renown. This guy named George Hull was like, wow, there were giants on Earth! But the reverend argued with him and said, no, no, no, there were never giants here. But George was like, no, no, the Bible says so. There’s got to be a way to prove it. But George could not prove it, of course. So, he decided to fake it. [Music] He went to a quarry and dug up a huge block of gypsum, then hired some stone-cutters to make the block into the shape of a giant man. They created a rough statue of a man that was ten feet, four inches tall, then George stained it with acid to make it look old, and put it on a train and took it to his cousin’s farm in Cardiff, New York.

Late at night, he buried it on his cousin’s farm. A year later, his cousin went to “dig a well”, and hired a crew to come out and dig the hole. They ran into this giant in their dig, and one of the workers immediately shouted, this must be an ancient burial site! So, they dug up the giant, and the word spread that they found a buried giant. People from all over flocked to the farm to take a look. It was quite surprising to see a petrified giant of a man. A lot of people believed it was a petrified human. The Bible says so, see? But some thought it was just a statue. But pretty quickly, George’s cousin realized how valuable this thing was, so he put a tent over it and started charging people fifty cents to come in and see it. Five hundred people came a day to see this amazing giant.

The whole town started to profit from it; restaurants were filling up, hotels were booked. That’s when P.T. Barnum came, and he was like, sir, I will give you $50,000 for that giant. What do you say? The farmer was like, no way. So, P.T. Barnum hired someone to make a wax copy of it, and Barnum displayed this unauthorized copy at his circus and claimed it was the actual giant, and charged people to come see his fake replica. A year later, George Hull came out and said this whole thing was a hoax, that he’s the one who buried it there. But while it didn’t prove that giants roamed the Earth, it did make his cousin pretty wealthy. That’s how scammers would get you in the 1860s.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: I want you to meet Maxie.

MAXIE: My name is Maxie Reynolds.

JACK: She grew up in Scotland, and had an itch for adventure when she was young. She knew she wasn’t fit for a sort of sit-down, do-a-lot-of-paperwork, office-type job. No, her head was always up in clouds, looking out the window, dreaming of faraway lands that she could visit.

MAXIE: I left home at a really early age, about fifteen, and I had no idea what I was gonna do, what I wanted to do. So, I tried everything, and I was ending up working in bars and as a cleaner and all these sorts of things. I just thought, no, this isn’t for me, and I want a job where I can travel and see outside of Scotland. So, I went to university in England, which was somewhat treacherous being a Scottish person, and I got a degree in underwater robotics.

JACK: [Music] She was hoping this degree was her ticket to travel. Maybe, if you’re going to be operating underwater vehicles, you’ll get to go to some pretty far-away places. So, she started applying to every company she knew that used these remote operating vehicles.

MAXIE: I couldn’t get a job, and it was because I was female.

JACK: The reason why this was a problem is because sometimes she’d have to go out to sea in small vessels or be stationed on some kind of platform at sea, which also had small living quarters. The problem was that these companies required men and women to have separate cabins, and they simply couldn’t accommodate her because a lot of these cabins had four beds in them, and they didn’t have any single-bed cabins that she could be in, and there just wasn’t enough women to fill up a sleeping cabin. So, she just didn’t get the job, and was told the same story over and over. But that didn’t stop her. She kept applying at places, and eventually a Norwegian company finally said yes to her.

MAXIE: I finally got a Norwegian company to accept me, and they said, if you get your private pilot’s license, we will take you on. So, I went to a bank in Scotland and asked for a career development loan, and I got my private pilot’s license.

JACK: Well, now, this pilot is different than an underwater pilot. This…

MAXIE: Yes, this is a small — yeah, so, I can fly a Cessna, although I haven’t in America. I can do that. So, it was supposed to be quite similar. Then I called the company back and said, hey, I’ve got this. It takes months, so — and I was getting farther and farther into debt. So, I called them back and said, here, I’ve got this. There had been this change of management, and they were like, it’s not actually — we don’t know why they said that. It’s not a private pilot’s license you need for a plane. We’re more — as an ROV pilot, it’s closer to a helicopter. So, I changed my name, I went back to the bank in Scotland, got another career development loan, and went back and got my PPL for helicopters. Then I went back to them and said, okay, I’ve got this, but listen, no more surprises. Can I have a job now? [Music] They took me on, and it was sort of life changing for me.

JACK: This job required her to travel a lot; North America, South America, Europe, Asia. She got to travel the whole world while working as an underwater ROV pilot, and sometimes flying helicopters.

MAXIE: So, I lived in Venezuela for a while, I lived in Trinidad. I have been to — sort of everywhere from Nigeria to Australia, a lot of coastlines. I’ve seen a lot of water.

JACK: While she was doing this work, she started getting more fascinated with IT. Computers became her passion. She was enrolled in remote learning courses, and was able to get a degree in computer science. Then she took a month off work and landed in Los Angeles, California just to take a break for a while. But she fell in love with LA, and while there, she started going to a gym to exercise and work out.

MAXIE: One of the people that I was training with in the gym was a stunt man. I was — I sort of begged him to please — like, let me hang out with you. Let me be cool, too. So, eventually he sort of — he got me some training in stunts, and he actually got me one of my first jobs.

JACK: She was in a few independent films, did a few stunts for them. She got an opportunity to be in House of Cards, and she did a stunt for them, but they decided not to use it for some reason. While that was cool, it was also short-lived, because while it’s exciting, she didn’t see it as a long-term career.

MAXIE: I studied quantum computing, and it was really difficult. It was extremely difficult for my feeble mind, but it was really enjoyable, and I loved it.

JACK: This turned her attention to new technologies and companies. At some point she got a job for a company in Australia, and moved there.

MAXIE: My first entry point into full social engineer, really, and pen testing, was in Australia, and I worked for a big company down there. They gave me a shot on their graduation team for cybersecurity.

JACK: This company had penetration testers, people who try to break into a building or a network to test the security of it. She got to watch one of these pen testers work by monitoring their activity through cameras.

MAXIE: I was witnessing a pen test but with a social engineering component. It was a guy; he was a really good hacker, and he had gotten into the network of one of our targets, and he was opening all of the security doors and automated doors for one of — the team, the cybersecurity team. They were just walking through and they were filming the whole thing. It was being broadcast live back to us. It was amazing. I was thinking, okay, this is a good job. [Music] This is the kinda job that I would like to do.

JACK: Being a physical penetration tester seemed like just the thing for Maxie. Breaking into a building, acting like a spy, that seemed really fun. She asked if she could do that.

MAXIE: They were like, well, your luck is in, because we have to test them without these technical capabilities. So, we’re just doing a physical pen test. Would you like to be involved? I jumped at the chance.

JACK: So, they gave her an assignment, which was to try to get into a company and film what they were working on inside it. To start figuring out how to get in, penetration testers often use OSINT, which is just gathering data on a target through open, public searches online. So, she does a little OSINT and starts learning about the company more.

MAXIE: They had some very interesting IP. They were a transport company, and they were building some unique buses and large transport vehicles within this whole complex. So, my job was to get into there, past reception, past all security, get in, and look at all of the assets and the IP, and I didn’t need to hack any computers or even plug in to any computers. It was simply to get in and to essentially have a look around.

JACK: How fun, right? Can you get into this factory, take a few photos of what they’re building, and get out without them knowing you’re a spy? As she starts learning more about this company, she found out that they had some big connections with Sweden. As in, some of their offices were located in Sweden.

MAXIE: If you squint your eyes and you were very far away from me, I could probably pass as Swedish. So, I had decided — and no one stopped me, I’d like to point out. I had decided that I was gonna pretext or present myself as a Swedish ambassador for this company. I had the CEO’s name and some other top execs’ names and things like that.

JACK: She does have blonde hair, but even though she may be able to pass as Swedish-looking, there’s no way she’s gonna sound Swedish, not with that Scottish accent. So, her plan was just to put ‘ja’ on the end of everything and hope they didn’t notice.

MAXIE: No — and it gets worse, because — so, even I — ‘cause they’re Australian, right? They’re not idiots. So, I was thinking that will never work.

JACK: But that was her plan, and she decided to go forward with it. She liked the idea of acting like someone else. So, she was set on being the Swedish ambassador for this company; walk in, tell them she’s from the Swedish branch, and she’s just flown in to inspect the building. But in order to do that, she’s gotta look the part. So, she takes a trip down to a local clothing store, buys a new outfit, something that would make her look like an executive.

MAXIE: I bought a clipboard, and I looked professional. I had a little briefcase, and I was really trying to look professional.

JACK: She’s all set, ready to go in; outfit on, camera rolling. Deep breath. Let’s go.

MAXIE: [Music] So, I go in to reception, and I approached the receptionist with a warm smile and being as nice as I can be. I said, I’m here for this, I’m here for this appointment, and this is what I want to do, and this is where I’m from. She said, okay. I was like, what? It was that easy? This doesn’t make sense. But, you know, I’m not gonna get in my own way. So, I followed her, and she took me to this little room just sort of directly behind reception, and I was greeted by this adorable, little, old lady.

There was one other person in the room, but we didn’t really talk. So, I had to present ID, which is another stumbling block, and I got to talking to them. So, they asked me why I was there again and all those things. They said they weren’t expecting me, but it wasn’t a problem. I thought, well, this is really easy. This is great. I gave them my ID, and I had an Australian ID at the time. They said, you’re from Sweden; you’ve got an Australian ID. I said, yeah, and I’ve got a dodgy accent. I went to school in the UK. So, I tried to get around it like that, and it worked beautifully, and I don’t know how. So, I got in.

JACK: Okay, at this point she’s doing pretty good passing as this Swedish person from another office. She got into the building; check, past reception; check, and past the two people that she was handed off to. Check, check, check. Now she’s in, and she’s trying to film things, take pictures of what’s going on. There’s an engine room; that looks interesting. Film that. So, she goes in closer to take a look.

MAXIE: I was walking towards one of these large engines, and this man was walking towards me with — I think it was two other men, and he stood out. He had this beautiful blonde hair and these big, blue eyes, like completely stereotypical Nordic look. He came up to me and he said something in a language I don’t understand, but immediately guessed correctly, this is Swedish. I’m supposed to be Swedish. I don’t know any Swedish. So, I’m wracking my brain for the limited amount of Norwegian that I know, and he — whatever he said, I kind of just looked — and I felt my body get tense and I felt my brain say, ground, open up, like, let me cannonball into hell.

This is torture. Please, no. So, I said, ja? He winked at me, like, okay, that doesn’t make sense, but okay. Then he repeated it, and so, I tried the one word I could remember in Norwegian, which is ‘nei’ for ‘no’, because if ‘yes’ didn’t work, then maybe ‘no’ would, which was — might be one of my dumbest moments. [Music] But so, then he quickly just understood this isn’t right, and then security was called. They had a very prompt security team. They came. I was detained.

JACK: Oh no, she was caught. This is every pen tester’s fear. But just because she’s caught doesn’t mean it’s over. Maybe she can somehow get out of trouble, convince security that everything’s fine, or at least just try to leave the building without being caught more? She tried to change the story; no, no, I’m not from Sweden. I’m just working with the Swedish team. I’m based in England. So, they asked to see her ID again, and it just wasn’t checking out. They were very confused by the whole thing. At that point, she just couldn’t see any way out of it, so, she pulled out her get-out-of-jail-free letter. This is a letter that all penetration testers have that gives them authorization to do what they’re doing. It has a phone number on it, which is typically the head of security, and says who actually authorized her to sneak in. So, they called the number on it, and the head of security says, yep, this is all a planned test. Good job for catching her.

MAXIE: We had this sort of laugh after it. Even the security guy was like, why would you pretend to be Swedish? I was like, I don’t know. I’m Scottish. He’s like, I can tell, and you don’t look Swedish. I was like, I know.

JACK: That was Maxie’s first pen test, where she tried to break into buildings. But she loved it. This was adventurous, adrenaline-fueled. You need to keep your wits, be quick on your toes, and know all about computers all at once. She felt like this is where she was meant to be, this was cool, and decided to pursue a career in pen testing. She did a number of penetration testing engagements while in Australia, learning new techniques and getting official training on how to get better, reading a bunch of books on how to improve. One of the things that intrigued her was thinking like an attacker. That attacker mindset was something she spent a lot of time thinking about. How do people with bad intentions act? Soon, it was time for another penetration test, still while she was working for a company in Australia.

MAXIE: The company I worked for was working with the local government in the city that we were in. I won’t say the name because I don’t want any further embarrassment.

JACK: Now, penetration tests are not always physical. In fact, I’d say most of them are just done over a computer. The penetration tester might be outside the company and just trying to hack their way into the company through the internet, or sometimes companies will just invite the penetration tester right into the building and give them a desk and a network jack and say, go for it from the inside. Because even if you get into the network, there should be layers of security which should still keep you from getting into important things. That’s called defense in depth. So, this was a pen test on a local government office. With this one, they invited her to come into the building and plug into a port and see what vulnerabilities she could find from within the company. She wasn’t alone on this one, though. There were two other people with her, and the two other people were very experienced network penetration testers. She was still learning how to do this, so she was shadowing them and watching what they were doing.

MAXIE: [Music] So, I wasn’t a noob, but I was — this was my first job in cybersecurity. I have a very technical background; building ROVs, flying them or steering them, I suppose. That’s all technical. Even stunts are technical to a certain degree. This was a step further because there are no physical components to it. That’s why it was so difficult for me. It’s all on screen, and Linux is its own beautiful, scary world for me. So, I was still getting to grips with this whole world and all of the commands and what these things meant and how to undo things.

JACK: They all sat down, pulled out their laptops, and plugged into the network. She starts by firing up a network vulnerability scanner.

MAXIE: I got to run the Nessus scan, which was not the most technical job in the world, but it felt good at the time, and I got to look at what vulnerabilities were there, and I got to go and see exploits for those, and I got to run Nmap.

JACK: These are fine basic tools to start with. It’ll scan the network for known vulnerabilities. They’re easy to use and typically benign, as in, they’re not gonna cause any trouble on the network just by running them. When you run these tools, it’s not hacking. It’s just to try to find what’s hackable. She wasn’t exactly sure how to hack into this company.

MAXIE: When you’re around experienced pen testers who love their job — and these two loved everything — every line they wrote was sort of a piece of art for them. They loved it and they really got this high out of it, and that’s contagious. So, I started to think, this is amazing. This is so cool. Look how far we’re in. One guy, one of the guys I was there with, got a call from one of our points of contact, and he was saying, I can see you in the network. It was this big game, and it was fun and it was interesting, and I got caught up in that.

JACK: So, after seeing all the cool things that those other penetration testers were doing, Maxie wanted to have some fun, too. How far could she get into this network? She saw there were vulnerabilities on certain systems on her scan, and she tried to exploit those vulnerabilities and get into those systems, because there’s a sort of high you get from getting into a computer when you shouldn’t be able to. She was making progress. She got into a few systems, and she was looking around, making notes on how she got in. She would look over her shoulder and always see those other penetration testers many steps ahead of her. So, she kept looking around to see what else she could get into.

MAXIE: I found my way to some internal environment, and I hit the kill switch on a city’s water supply.

JACK: She accidentally typed the wrong command into the wrong computer which controlled the flow of water to the whole city.

MAXIE: The person I was with immediately saw within the network that — wait, that wasn’t right. I will assume that he was sort of with me, like following me throughout the network, and could see a lot of what I was doing. Then I was thinking, yeah, this isn’t — I don’t think that was maybe good, right? So, I looked at him, and I could sort of see on his face — and he comes over to me and he says, what did you do? You know, you can look at your history quite quickly, and I still had quite a lot on screen. I showed him, and he put his head in his hands. I was like, what? Is it really bad?

JACK: It was really bad. Shutting off the water to the whole city — showers, faucets, sinks, even toilets were not functioning city-wide. Her two other penetration testers immediately tried to figure out ways to fix the issue. One was looking at how the system operated and if it was possible to just turn it back on, but you don’t want to just do that if it’s gonna cause a problem. The other pen tester immediately phones the point of contact, letting them know this is a major problem. Maxie was sort of in shock and incredibly embarrassed. She took her hands off the keyboard and just waited.

MAXIE: I was detained by security guards, and they were not very pleased.

JACK: [Music] Now, this is a completely different situation from the last time she was detained by security. The last time, she had a get-out-of-jail-free card. This time, they knew that she was supposed to be there. In fact, it was her point of contact that called security on her. She was authorized to be there and do this, but this was not supposed to be disruptive to the organization. Not only was it disruptive to the organization, but it was disruptive to the whole town. So, they wanted to at least get her recount of the matter recorded so they had it for later.

MAXIE: I go down to a windowless room, and I’m questioned. All of a sudden, one of the sort of accusations, if you want, was that I was a Russian spy. I was thinking, how did we get there so quickly? Like, what happened?

JACK: Apparently she spoofed her IP at one point to make herself look like she’s coming from Russia to try to test to see if they could detect that, but that was just very brief, and she was definitely not a Russian spy. But this was becoming scary now, because it wasn’t just a confession of a mistake she made. It was like they were treating this more like an investigation.

MAXIE: So, I was held there for a couple of hours, and, of course, the police were called. The police had to be called. I didn’t have any ID on me. I had my work card, but that doesn’t really matter ‘cause it’s just a full — well, I could have printed it myself. I kept saying to them, if you let me go back to my apartment, I can get my passport for you. I’m British and I’m not a spy. You can contact my employer. I’m actually here with two people. I kept going, and they didn’t want to hear it, and that’s okay. That’s kind of their job to do, to not believe me and to look for the worst, because they’ve got to protect themselves against the worst.

Eventually, at some point I said to them, I need a quick glass of water. The look, as in — would have been enough to turn most people to stone. I was thinking, yeah, that was not an ideal question. Then, eventually my employers at the time called in, and it did get sorted. I narrowly escaped potentially what would have — I think you would call it prosecution. I escaped any legal action because of that, and I was on the graduation team, so that lent me some credibility in the fact that, okay, she doesn’t know what she’s doing, and it’s okay. My employer didn’t fire me, and I will be eternally grateful for that.

JACK: [Music] She doesn’t know how long the water was out that day. It could have been hours, minutes, seconds. It doesn’t matter. The fact that it could be shut off and it did get shut off is why the police had to respond. But she narrowly got out of serious trouble from that one. But this sort of baptism by fire is how we learn the most important lessons in life. I mean, knowing firsthand what kind of true power a penetration tester has is profound. This feeling sometimes flips back and forth, too. Sometimes you feel completely blocked with no access to anything, and it makes you feel dumb, and other days you feel like with a single keystroke, you can wreck this entire business.

It almost reminds me of visiting a barber and getting an old-fashioned shave. The barber has this razor, and they’re shaving your neck with it. You feel very vulnerable in that situation. I think many companies do feel vulnerable when they allow a penetration tester to come in. Who knows what they saw or took? In my last job, we had a penetration tester come in and see what they could do, and they were able to crack twenty-five percent of all our passwords company-wide. That’s like, thousands of passwords. Of course, I read the report to see whose passwords got popped, but it only contained statistics, not passwords or usernames.

It made me think, this pen tester is walking out of our building with a bunch of our passwords. I’ve never felt more vulnerable at work before. We’re gonna take a quick ad break here, but stay with us because Maxie’s gonna tell us about a penetration test story that changed her life. Making some big mistakes on past pen tests did not make Maxie back down from pen testing. Instead, she doubled down. She was fascinated by the power of the pen tester, but more so, the attacker mindset allured her. But she had to leave Australia.

MAXIE: Well, yeah. So, I had come back from Australia. My visa had run out — and move back to the States. My model in life is like, if I’m free to do it and I want to do it, then I will do it. I kind of always want to be infatuated with what I’m doing and focused, and I’m okay if whatever the thing is that I want to do changes, and it has, obviously. But I want to love what I do, because functionally, right, I’ll live for seventy years. Maybe I’ll live to ninety, but functionally I’ve got max seventy good years, and I want to do — well, we might do two interesting things a year. So, I’ve got 140 interesting things that I’ll do in my life. That doesn’t sound like a lot. So, I just always wanted to do the things that were most interesting, that would get me the most sort of interesting, exciting experiences.

JACK: For her, the thing that excited her the most was red-teaming, penetration testing, social engineering. Physically breaking into buildings was just a thrill to her. So, she looked for more jobs doing that.

MAXIE: So, I was hired on a sanctioned red team contract to test this high-security logistics company, and there were two testers that were booked.

JACK: It was a large company, but they wanted the two of them to try to get into one of their satellite warehouses. They told her, look, there’s a locked fence around this whole property, security alarms around the doors, there’s security cameras watching the whole property, there’s active security patrols at night. They just wanted to prove that she could get to them. They didn’t want her to do anything to those machines. They gave her a little USB device and said, hey, if you can actually get to it, plug it in and take a picture that you got there, and this will prove that you made it.

Because, presumably, if somebody wanted to get a customer list or shipment list or whatever, it would be just as easy for them to plug in a USB device, grab the stuff, and unplug it. So, they asked her to see if she could do that. So, her and her coworker take a drive out to this facility during the day and just drive by, just to look at the place. Driving by is too quick. You can’t see anything. [Music] So, they decided to get out and just walk down the sidewalk and go around the whole property just to see what they can notice. Any points of entry? Are there any areas where the cameras aren’t pointed?

MAXIE: When we had kind of gone around — the very edge of the perimeter was metal fence, chainlink fencing. So, the chainlink fencing had just — it wasn’t — it was years old, probably decades old. So, it was a bit rickety. So, you could just kick the edge up. So, we knew that.

JACK: They took some other notes and got an idea of what the place was like. There’s a two-story warehouse building with loading docks and sort of two parking lots, one normal one with big transport trucks and cargo trucks, and a second one that had a chainlink fence around it with many more of those big cargo trucks. We’re talking eight-wheelers here, big trucks. This warehouse would load stuff on to them, and then they’d deliver it. So, they leave and decide to come back at 9:00 p.m., but Maxie’s coworker called her up.

MAXIE: He’s like, cough, cough, I’m sick. I was like, I hate you. You’re — I know you’re not sick. You’re hungover. But anyway, last minute he gets sick. So, the scope allowed for a solo run. So, I was like, I’m gonna do it.

JACK: She waits until night and then drives back to the facility at 9:00 p.m. By that time, the place was all closed, and there should be no workers there and just those security patrols that she was told about.

MAXIE: [Music] I then parked behind a treeline outside of the logistics park. I was keeping away from the lights. I was staying where the shadows fell.

JACK: Okay, it’s go time. I like the quiet approach of being on foot myself, too. You can hide easier, change directions more quickly, and be more stealthy.

MAXIE: So, I come up through a treeline off to the side of the whole complex. I’m moving pretty slow. I’m far enough from the walls to see the whole facade. I’m close enough to spot opportunities, and I do the usual first pass. I don’t force anything. I don’t touch anything.

JACK: She passes by the building. The classic first pass gives you plausible deniability, right? If you don’t touch anything or don’t go on the property, you can just say you’re passing by if anyone asks. But it’s quiet. There seems to be no signs of life inside; no noise, no doors open, no lights on. There were a lot of trucks in the parking lot, but all of them were dark and quiet. No regular cars there. But surprisingly, she didn’t see any security patrols. So, since she’s around the back of the building, she starts jiggling doorknobs and windows to see if any of them will open.

MAXIE: Everything obvious that you would look at to gain entry was a no. So, doors; no. Hatches; couldn’t see them. Ground windows; they didn’t open. They were just double-pane windows. So, yeah. So, good security is frustrating in some sense. But it was this corrugated — all of the warehouses in the area were these corrugated sort of steel structures or metal structures. This — the warehouse that I had, there was sort of this grass alley in the back, at the back of it, and its neighboring warehouse also had stacks of pallets. So, there was just these stacks of pallets all the way through this almost alley. There was this high stack of pallets that kinda touched — it was within four — three, four feet of a second-floor window.

There was just this little — it was a little, rectangular window, but it was open. [Music] I was like, oh, that sounds like a great way to get in there. So, I kinda moved a couple of pallets, started to climb up these other — this other high stack of pallets. Most of them had kinda been secured to one another, so it’s — they’re still a little rickety. It wasn’t — like, I wasn’t feeling very confident that they wouldn’t crash to the ground, but they didn’t. I’m pretty light on my feet. I’m built — I am built for speed and not power. So, I do end up getting to the top. I poke my head through.

JACK: While the building looks two stories tall, it’s really just a single story, but just with really tall walls. So, when she looks down, it’s straight down all the way to the warehouse floor, and that’s not good. That’s too high to jump down. So, she looks around and notices that the walls are made of…

MAXIE: Like, a lock board. It is essentially — it’s pegboard. So, pegboard is basically — if you aren’t familiar, it’s steel or aluminum sheeting, and it’s got these regularly-spaced square or round holes that you — basically, you put it on walls in warehouses, usually, and then you hang heavy tooling on it. So, I’m looking at this lock board pegboard, and I’m like, alright, well, climbing down it — gravity’s your friend. So, it’s like, fingers in, and I got my little sneakers on, and I actually get down. It wasn’t as difficult as you think.

JACK: Okay, she did it. She got into the building. Nice. Now her objective is to simply see if she could get into those computers in the building. So, she looks around for them. They were easy to find since the monitors were on and they were glowing in the dark.

MAXIE: [Music] I get to the terminals, and they’re all open. It was beautiful. You know when in movies they’re like, aah? Like, the heaven’s light? I was like, this is great. So, they were — yeah, they were all unlocked. So, I connected this approved device, I snapped the required photos, proof I could touch — one attack and one to touch. Then I felt by the exit. That was like — I looked at the pegboard and I was thinking, well — ‘cause climbing up is a little bit different than climbing down.

JACK: Okay, so, climbing out the way she came was not going to work. She looked around for another way out. There are a lot of doors. She’s inside; she could just open one up and walk out. No, wait, hold on. That’s not gonna work, because there’s security alarms. She looked around the doors, and, yes, they were armed. Okay, scratch that. You can’t open those doors. It would trigger noises. Since she hasn’t had any security on her yet, she doesn’t want to get their attention now. So, she looks around for other points of exit.

MAXIE: [Music] It was a loading door that wasn’t in the best shape. So, a loading door — like a dock where the truck backs in so it can get whatever the load is. It can get into the warehouse, and you don’t always need a forklift. So, it’s a — so, it was essentially that. So, it was on a pulley system and it wasn’t attached to an alarm, which was mental for what they — for how secure they wanted to be. So, yeah. So, I kind of — it was a little bit buckled at the side, and maybe that’s why it wasn’t on that alarm. I’m not sure.

But a little pulley system — I pull the chain up just enough to sneak out, and I get back to my car through a forest, which is by far, by the way, the worst part of the story for me, because I do not like insects. But — so, yeah. So, then I’m back to my car. Or, I think I’m roughly back to my car, and I phoned my point of contact, and I report what is a success, right? I got in. I’ve managed it. I’ve got the photos. I’ll write you a report. He listened and he was like, I want to issue a scope change.

JACK: A scope change? This means the client wants to change what he wants her to do? I guess he was impressed that she was able to do everything he tasked her with, and wants her to try more. So, he says to her, you know all those moving trucks in our parking lots? See if you can steal those trucks. She’s like, I don’t know how to hotwire a truck. He’s like, no, no, no, see if you can find the keys to any of them, and if so, take them.

MAXIE: [Music] I was like, alright, let’s do it. ‘Cause 140 interesting things in my life — this might be one of them.

JACK: She walks back through the woods, cursing at all the spiderwebs that she comes across, and then looks at the facility. There are a lot of trucks here.

MAXIE: They’re the big trucks, like, the long trucks. They’ve got twenty to forty-foot containers on the back, and I’ve never driven one of them.

JACK: Some are parked inside the fenced area and some aren’t. She starts with the trucks that aren’t in the fenced area. Step one, see if the door is unlocked. The first one she tries, the door is unlocked. Whoa. So, she opens it, gets in the driver’s seat. She looks at the ignition; the keys were not there, but to her surprise, the key was sitting right there in the cup holder in the center console.

MAXIE: A little bit humorous. I’m like, eight billion people on the planet; I’m the best driver. So, what I’m gonna do is I’m gonna move all these trucks. [Music] I’m not gonna worry about it. Reversing that truck, I was like, I’m gonna have to leave this here, because I’m not gonna be able to do this. So, yeah, so, I took them up just the other end of the cul-de-sac almost. It was a little sort of quiet area, a little logistical parking spot, I guess. So, I just parked them all up there.

JACK: She parked it about a quarter-mile away, and then ran back to get another truck.

MAXIE: The keys were not consistently controlled, and the fleet wasn’t consistently parked on the inside of the secure perimeter. So, basically, it just became this live demonstration of risk.

JACK: One after another, she was able to find keys for these trucks.

MAXIE: So, when a driver comes back to this area and it’s past hours, they sometimes leave the keys. They’ll leave them under mud flaps or just actually inside of the truck.

JACK: It was incredible how many keys she found in and around these trucks.

MAXIE: Sometimes they were still in the ignition. Sometimes they were on the seat. Sometimes they were in the — you know the visor, the sun flaps? Sometimes they were in the mud flaps, and sometimes they weren’t there at all.

JACK: Some trucks were locked, and she couldn’t get into or move them. She thought about climbing back in through the window of the building and looking for the keys inside, but she already proved she can get in there. Maybe it’s just better to try another truck instead. After taking the ones from the unsecured parking lot, she wanted to get into the fenced area and try to take one of those. She remembered where you can lift the fence up and get in there, so she scurries under the fence and looks at the trucks inside. Sure enough, same story. Keys were typically in and around the trucks there, too. So, she hops in one, finds the keys, starts it up, and starts to drive out, but realizes — oh, wait, this fence is locked. She gets out, looks at the padlock. She thinks about picking the padlock.

MAXIE: That did not work, and I was like, I bet there’s a key for this someplace. I’m thinking, do I go back inside? Do I climb up the pallets, climb down the grating, look for the keys? I was like, you know what? This is probably proof enough. This is bad enough, because the report is gonna say, I couldn’t break into your secure perimeter. Why don’t you park your trucks in there?

JACK: By 2:00 a.m. she had stolen a bunch of trucks and felt like she accomplished the mission. Security never stopped her. There was no one around all night. So, she goes back to her car and calls her point of contact and says she stole the trucks. He’s like, wow. Okay, great. Hey, could you come into the office in the morning and tell us how it went? She’s like, sure, but let me sleep first, because I’m exhausted. So, she goes home, and then the workers start coming to the warehouse in the morning.

MAXIE: [Music] Day shift did arrive, and they didn’t notice anything was wrong for like, a fair amount of time. When — I think at like — how I would say it, maybe, is it took a beat for the penny to drop for them. Yeah, headquarters finally called, and my contact, I think, walked them through the findings. Eventually we gave a report. Where was security? They’re supposed to have twenty-four-hour rolling security. Where was it? ‘Cause I didn’t see them. Why were there pallets? Why were there unlocked windows? Why weren’t the loading bays connected to the alarm system? Things like that. It was — treat keys like access badges, not souvenirs.

JACK: Did you have to give a debrief to that facility and say, hey, by the way, if you’re wondering what happened, let me tell you?

MAXIE: Not to the facility. So, I didn’t go back to that facility. I gave it to my — to their headquarters, essentially. We went and we gave a presentation and a report. As is — it’s always the case; people sort of — mouths drop, and I think their tummies probably drop, too. They’re like, how has this happened, sort of thing, but…

JACK: Yeah. But it’s another thing to be like, wait, who did this? We hired this person, Max, to do it.

MAXIE: Yeah.

JACK: This guy Max must be a jerk to be breaking in and all this. Then…

MAXIE: Like, hello.

JACK: …if you were to actually show up and be like, hi, I’m Maxie, and I’m the one who stole all your trucks…

MAXIE: I’m so sorry. You have to be soft with them. Well, maybe that’s just personally. Maybe that’s a preference of mine. But stylistically, I think, be soft with them. They do not know, for the most part, that our industry exists. Yes, they know that there are bad actors out there, but they don’t know that some of us are making a career out of it. You have to go in and you have to be soft. It isn’t their fault. That’s what it is to run a company. Not everything’s safe. You can make it a little harder for people, but that’s our job to tell them, and I just think tell them that in the most direct but soft way possible. You don’t — it’s not a blame game. So, yeah, I went to headquarters and I was like, I was — I think you might have heard what happened. So, yeah. So, now on my resume I’ve got Expert Climber and Truck Driver.

JACK: She did a lot more penetration tests and got so serious about it that she wrote a book called The Art of Attack: Attacker Mindset for Security Professionals.

MAXIE: Yeah. Well, here’s what I would say about my book. I’m gonna explain it. If you don’t like the sound of it, just buy it for somebody you don’t like. If you do like the sound of it, it was all me. You should buy it. It’ll be great. No, in all seriousness, it’s called The Art of Attack, and its central argument is that in order to design defenses that truly work, security professionals must adopt this quote, unquote, “attacker mindset”. Its basic position is that simply focusing on tools, networks, or policies is completely insufficient. It’s necessary, but it’s not sufficient.

[Music] So, understanding how an attacker thinks, how they strategize, manipulate, persist, is fundamental to building resilient systems. I would probably finish on it by saying that skills of a good attacker are the same skills that A, I want as a person going through life, normal life, also the things that I would teach and will teach to my children, like grit, determination. We’re goal-orientated, we’re resilient, so forth, so on. They are cognitive skills that we need, and how you apply them is what matters. That is basically the premise of the book.

JACK: [Music] Somewhere in her life, she went on a penetration test that changed the whole trajectory of her life.

MAXIE: It was probably the most highly-strung, tensioned job of my career, as far — a company that we’ve all heard of and that we all use. We had their internal red team accompanying us.

JACK: This company had a big data center, and they wanted to see if they could get unauthorized access inside. Now, I don’t know if you’ve ever gone into one of these data centers, but sometimes these things are extremely secure. I’ve seen them where there’s a big fence around the company, and just to get into the parking lot, you have to go through a gate guard. They’ll check your ID and make sure that you’re authorized to be there. Then when you finally park your car and get to the front door of the building, the front door is locked, and so, you need a badge to get in. Forget about any open windows; they don’t open ever.

Then, upon walking in, there’s a security guard watching what you’re doing, but you’re only in the lobby. You’re not even in the data center part of the building yet. To get in there, you need a second key, and sometimes they do an eyeball scan to verify your identity, and there are man traps, meaning there’s only one person allowed through at a time so they can check you. But then once you’re in the data center, there’s sometimes a cage around the server racks you need to get to, and you might need a third key to get into those, and maybe an extra form of identification like a fingerprint scan or something. In short, it’s extremely hard to sneak into a data center.

MAXIE: There are actually, on this job, armed guards patrolling this perimeter, and there are vehicles that are scanned for anomalies. It is a very — in terms of security, a very robust, comprehensive site. You know, inside everything, it’s a data center. Everything is controlled. Temperature, humidity are controlled to the decimal. The power and the fibre run through — that are redundant. There’s blast-proof conduits. Every corridor, every door, every byte is sort of locked. But once you’re in, you’re in, and nation state actors will get in, and they’re willing to do what it takes. So, that was our job.

JACK: Well, she decided to try going right in through the front gate. So, she just drove her car right to the security checkpoint and acted like she was supposed to be there, and talked to the guard.

MAXIE: Hello. Yeah, we’re a visitor. Yeah. Like, hi, can we…? We’re here to do this. ‘Cause your OSINT can find you some of those entry points. Like, if they were doing immersion cooling, we know there’s maintenance required on immersion cooling for the fluid, for instance. So, you go up and you’re like, yeah, we’re here to do this. Sometimes that will work, and they’ll be like, oh, okay. Let me just tell the right person, or here — wait here. They were like, you’re not on the list. You’re not coming in.

JACK: Okay, so, there’s a list. This is a clue. Maybe she could get on that list. Who maintains that list? What if she called acting like the maintenance team and says they have to do a fluid change or something, and they’re coming out?

MAXIE: So, we tried to get on that list. We tried to call ahead. We tried to spoof phone calls so that it looked like we were calling from hopefully the right point of contact. It wasn’t working. There was too many checks. They were comprehensive. They were robust. They were sharp. So, we were like, how are we gonna get in here? It’s like, sort of a bit like they’ve built a wall. Do we dig under it? Do we go over it? It wouldn’t have mattered. It was — the sensors, the security, they were on top of it. So, we’re like, alright, what do we do?

JACK: [Music] Hm, time to step back and think about some sort of out-of-the-box way to get into this data center. One way to try to think through something like that is just to learn more about this company. Maxie was curious how the building was built.

MAXIE: So, we actually went to the municipalities. We had gotten some — almost think of them as blueprints, and we figured out that there was, in fact, a sewage line.

JACK: Now, sewage lines are too small and would be way too disgusting for a person to go into. However, they sometimes run through underground tunnels that are accessible by service workers, like a smaller pipe inside a big tunnel. So, she traced where the lines leave the property.

MAXIE: It sat at a point where we could get to another access point through basically a junction.

JACK: Well, it’s worth a shot to try. So, they drive over to where they expect there to be a manhole, which is off the property. If their calculations are right, these pipes would lead right into the data center. But the question is, will there be a service tunnel also leading to the data center? So, they pried open the manhole lid and looked in. It was big enough to crawl down into, so they did, and then they saw a tunnel going towards the data center. [Music] So, they crawled through it.

MAXIE: It’s a long, shall we call it, journey from one access point, one manhole to the other, but we have to do it. It’s not glamorous. It was not enjoyable, but we got through it.

JACK: Sure enough, it led them right to the data center.

MAXIE: Then make our way up into the site and then into the data center.

JACK: They got in, snapped a few photos to prove they were in there unauthorized, and then they called the security team to tell them they got in. The security came and was like, what? How did you get in here?

MAXIE: So, our report was, your guys’ security is bob on. We hate it. It was amazing. You didn’t let us in here. We weren’t able to phone ahead. We weren’t able to forge documents. We weren’t able to do any of the things that we would try to do ordinarily. We couldn’t have created a diversion to have security take their eyes off of the gates to get through whilst they weren’t looking. It wasn’t gonna happen. We got into your data center through a manhole for a sewer line, and that was the bulk of our report, that the rest of it was going. But it kind of didn’t matter to them. They were like, yeah, but you still got in.

JACK: But this made Maxie think even more. If a data center wants ultimate security so nobody ever gets in, how could they improve this? That’s when it occurred to her.

MAXIE: I was like, well, if you want to keep them that safe, you put them underwater.

JACK: An underwater data center. Could that even work?

MAXIE: Then I started to think, oh, is that — did I just have a good idea? Amazing. So, I called my old boss who I used to work offshore for a while. I was like, hey, what do you think of this? He’s like, I’ve actually thought of something fairly similar, and I had this drawing at this point. He tweaked it, tweaked the design, and was like, would you consider working with me? Here’s what I want to do; I want to put data centers underwater. I want to do it in a modular fashion, and I want to do it ‘cause it keeps them safe.

JACK: So, the two of them got busy designing and building modular underwater data centers, where you load up the servers into what looks like a small shipping container that’s watertight, and she will then drive them down to a safe spot on the bottom of the ocean.

MAXIE: It’s also a lot cheaper to do. So, it’s about eighty percent less expensive in terms of power to get compute underwater the way we do it.

JACK: I don’t know anything about underwater data centers. This is all new to me.

MAXIE: Okay, okay.

JACK: So, I didn’t even know this was possible or even this was happening. But you’re telling me this is something you made.

MAXIE: This is something we’ve made. This is something we’ve done, performed, and now there are actually a lot of companies popping up.

JACK: So, is there a long extension cord that goes to these things to keep them…?

MAXIE: Yes, there essentially is. So, what’s really interesting about subsea environment — and we touched upon it earlier — is that everything you and I use, one way or another — so, there are power cords under the water. That’s how we light up oil and gas platforms. That’s how we manage to eat on them and things like that. There are also countries that export — so, France exports power to Denmark. We not so long ago laid a cable to do that for them. So, there’s actually a lot of subsea cables. There’s also a lot of subsea cables for — there’s like, 700 cables or something like that, maybe more now, that are internet signals. So, they post a light…

JACK: So, you don’t have to lay your own cables. You could just tap off some of the stuff that’s there?

MAXIE: Tap in — yeah. It depends where — so, if we’re in a port, then we might extend from an on-land substation. If we’re farther offshore, then we’ll splice the power cable, put it in wet. So, we’ve got — offshore there are Wet-Mate, Wet-Mate cables. So, we’ll — they look like headphones with mic jacks on them. They look like that. They’re just really big ones of that, essentially, and we plug them into our units. So, our units look like twenty-foot shipping containers, and they — we put them on the subsea floor, we secure them there through guide posts, lock them in, plug in the power wet, Wet-Mate the power, and do the same to the fibre, and then it’s up and running. We can do about three megawatts in a unit just now, which is meaningless to most people, but that’s kinda what we need just to do a small amount of compute. Yeah, we set them on the sea floor.

JACK: But what if — what about maintenance and stuff? Like, you need to change out a hard drive?

MAXIE: Yeah, so, there’s a few ways that we perform maintenance. So, it’s actually not that much different than on land. So, what I will say is the maintenance cycles are reduced because there’s no dust, right? We’ve got — the servers are filled or surrounded by this dielectric fluid. So, there’s no dust. There’s no debris. There’s no people jostling the cables, and those are the biggest factors in maintenance. That’s why compute goes down eighty percent of the time. We don’t have that. Then — but, you know, it happens. We do have to maintain — there’s some fault. So, we do that a few different ways. If one server fails, it kinda doesn’t matter. We’ll load balance, we’ll shift the load, and it’ll go to some other server or some other site that we have. If a whole rack fails, it may fail in place and — again, load balancing.

Or if a rack fails and it’s important, depending on what the client — depending on who the client is and what the client is doing, we may have to bring the unit up. It takes — we guarantee you can do it within about twelve hours. So, we’ve got a vessel at site. The vessel goes, picks the unit up with an ROV, because that’s my background and that’s how I knew how to do it. So, it picks it up, put it on deck. We drain it. We do the fixes. You can also do them remotely a lot of the time. So, it really just depends. But it doesn’t cost any more time and it doesn’t cost any more in terms of the financials. Before people come for me, it does not heat the water. We are not heating the oceans. So — and I have to say it. So, water warms up more slowly than air, and it can actually hold more heat. So, the specific heat of water is higher than most other substances, and what that means is that it absorbs more heat before its own temperature increases by one degree.

So, said another way, water needs about four times as much energy to raise its temperature by one degree Celsius as the same amount of air does. So, what we’ve measured in our testing is that the water heats up by about a thousandth of a degree, which is statistically insignificant, and that’s within a meter of the unit. You put a data center on land, first of all, you have to use air conditioning to cool it. For the most part, that’s what people are doing. So, about forty to fifty percent of all the power that that data center is pulling is used to air condition, and then that is pushed out as heat. Then the ocean has to take that, ‘cause that’s our heat sink. The ocean takes that, and now you’re warming the oceans. So, it’s a very unintuitive but very scientifically-proven method of getting rid of heat; put it into water. So, yeah.

JACK: I imagine if someone does try to pen test this place or break into it, as soon as they open the door, it just gets flooded, and then all the computers shut off.

MAXIE: You can’t open the door. So, it’s like, you would — basically our biggest threat is a sub. You know, like a Russian sub, maybe, let’s say. So, what happens is you’d have — you’d need a sub or you’d need a vessel with an ROV attached. Or maybe if we’re at a shallow depth, you could use a diver, but a diver’s not gonna be able to do anything. You can’t pull the door open because of the pressure of the water. So, basically, you couldn’t really pen test it without getting a vessel, an ROV, or a bunch of divers, or a submarine, and good luck to you. I don’t even know how I would do that.

If anybody’s gonna pen test it, it’s gonna be me, ‘cause that is a fun job. But basically, let’s say a nation state sub came along. Great. It would have to connect it and it would have to pull it off of its security mechanisms that we’ve got sort of fastened to the sea bed. Once you’d done that, you would basically self-destruct the data that was on the servers, ‘cause now you’ve ruined the housing that is keeping them safe from the water and the pressure of the water. So, physically, they are very, very secure. Digitally, they are — it’s the same footprint. You pen test it the same way you would any other server, data center, company.

JACK: Incredible. I think I’m stunned by that sort of thing. My brain goes into weird directions here. Is it — are there laws offshore where you can host things that are legal in this country or whatever, and all this sort of stuff? Now suddenly I like this idea of pirating websites or piracy.

MAXIE: You’re interested?

JACK: Is there — there’s piracy in the sea, as well.

MAXIE: Oh, yeah. It’s rife.

JACK: My brain just goes in all directions here.

MAXIE: It’s rife. Yes, there are maritime laws. Very difficult to enforce them. You rely on satellites to some level. You rely on boats to police. But the ocean is vast. So, it is very difficult to enforce. So, basically, we’re counting on people doing the right thing, and that doesn’t always work. So, what we do is we make sure that we’re in the green. So, we collocate with existing assets offshore, whether it be in national or international waters. Every country has an EZ, an economic zone, essentially. That’s about — it goes from coastline to about twelve miles out. Then just a little further out, you start to get into what is essentially international waters. You can do what you want inside of them. Who’s gonna stop you? But we choose not to, as an American company. So, we collocate with other assets in the area, usually offshore wind platforms or rigs or anchored boats. So, yeah, I think subsea is definitely part of the future for data centers.

(Outro): [Outro music] A big thank you to Maxie Reynolds for coming on the show and sharing these stories. You can learn more about her underwater data center at subseacloud.com. If you want to get her book, it’s called The Art of Attack: Attacker Mindset. It’s the one with the chess pieces on the cover. If you like this show, if it brings value to you, consider supporting the show. By giving directly to the show, it helps keep ads at a minimum, it keeps the lights on here, but most of all, it tells me you want more of it. Not only that, but you’ll get bonus episodes and an ad-free version of the show, too. So, please visit plus.darknetdiaries.com. That’s plus.darknetdiaries.com. Thank you.

This show is made by me, the packet tickler, Jack Rhysider, editing by Ctrl + Alt + Delight, Tristan Ledger, mixing by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. I have a bad habit of doom-scrolling social media, but lately I’ve been trying to break it by confusing the algorithm as much as possible. I’ll play long recordings of fog horns blaring, or I’ll watch curling matches from 2006, or I’ll just search for the most bizarre things I can think of, like can I legally marry a ghost in Ohio? Or Baroque interpretations of dial-up modem sounds. Can you potty train a squirrel using jazz? Not because I’m interested in those results, but because I like tossing the algorithm a bag of trail mix and just watching it chew on that for a while. This is Darknet Diaries.

[END OF RECORDING]

Transcription performed by LeahTranscribes