Transcription performed by Leah Hervoly www.leahtranscribes.com
JACK: [MUSIC] You ever drive by a prison or juvenile correction facility and see the prisoners outside in the yard? Am I the only one who immediately starts looking at ways they can escape? Seriously, I’ve parked and stared at prison fences multiple times when I was young, looking at how high the fence goes, examining the razor wire on top, watching the gate. These gates are typically doubled up; you can go in the first gate and then they close it behind you, and then the second gate opens. They never open both gates at once. I like to look up at the guard towers to see if anyone is up there. I’m sure they’re looking back down at me. The windows of a prison are typically too small for a human to squeeze through. They like to be really narrow within a brick wall. The fences are usually doubled up; if you can get over one, there’s just another one that you need to climb over which gives the guards enough time to notice you climbing over one and stop you from getting over the second. Getting out or in through these barriers seems impossible. But get ready because in this episode, we’re going to test the security of a prison.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: As a teenager, what was life like for you?
JOHN: I actually think I had a great childhood.
JACK: This is John Strand.
JOHN: My mom was awesome. My dad was a crazy pain in the ass. He got addicted to opiates after a back surgery. Periodically he’d go running through the house in his underwear screaming that the walls were bleeding. I know that people would look at that and be like oh, that’s terrifying, but that was hilarious. You know, I just absolutely loved it. I lived out in the middle of the woods; we had a dial-up modem on the computer, I spent a lot of time motorcycling and mountain-biking and getting in the middle of the woods. Played a lot of guitar. My dad was in bands growing up, my mom was just super great to be around. All told, yeah, my childhood was pretty fantastic. That’s not to say there wasn’t some interesting things that happened but overall, I wouldn’t have changed or traded anything for the world.
JACK: He grew up near the Black Hills which is a mountain range that spans between South Dakota and Wyoming. His dad did some kind of technician-type work where he troubleshot industrial electronic devices and from there, John was exposed to computers and started to like it. Through his teenage years he had a computer at home and got more and more into it, just learning how to do stuff with it. While living out there near the Black Hills, he also had a sister.
JOHN: My sister was a pain in the ass. She’s about three years younger than me and she spent our entire childhood trying to make my life miserable. If there was ever any girl that I liked, she would make sure to shout at this girl in the hallway, you know; my brother likes you! Which pretty much guaranteed – that and my crippling obsession with computers and playing guitar, pretty much guaranteed that I didn’t date in high school. She was just kind of a pain all the way through.
JACK: John wasn’t always the sweetest kid himself; he would sometimes act out and get in trouble.
JOHN: I went to a Catholic high school and my mom was the food service director.
JACK: What does that consist of, the food service director?
JOHN: She was the head lunch lady; the hairnet, the whole thing. She was ordering the food, keeping the employees going, and then basically…
JACK: At the school you went to?
JOHN: Yeah, all the way through school. She ran the food service program. [00:05:00] When I got to high school, we were in line and we were getting ready to get some food, and for some reason I got this idea that I was gonna read the menu like an old southern Baptist bully pulpit pastor. I was like praise Jesus, today we’re gonna be having chicken fried steak and then we’re gonna have a side of peas, everybody. Can I get a halleluiah? Of course, the entire lunchroom is going through and they’re like, dropping on the floor. I’ve got a couple of my friends speaking in tongues and I’m just like, doing this whole thing. All of a sudden, I get this sharp shooting pain on the back of my head. I wake up and I’m on the floor and there’s Brother Anthony who was a very formative person in my life; he was our algebra teacher.
He was this monk. He was standing over me with a cane and he goes, I don’t find that amusing, Mr. Strand. In my field of vision, I see Brother Anthony above me with this cane ‘cause he clearly hit me in the back of the head with his cane, and then my mom comes into view and she goes hit him again, Brother. That was kind of – I’ve had people contact me whenever I’ve told that story and they’re like, that’s child abuse and that’s not okay. But I want to make it clear I probably deserved it. But no, Brother Anthony was just a very hard-nosed person but he was very fair, except of course, the rampant abuse.
JACK: John finished high school, went to university, and got a degree in political science. He had a hard time finding a job with that kind of degree but a computer consulting company recognized his skills with computers and offered him a job. While there, he really got to sink his teeth into computers and fell in love with the security side of things. He went to work for a defense contractor doing cyber-security for years. This really gave him incredible exposure to the threat landscape and security and penetration testing, so much that he became a SANS instructor and actually taught hacking techniques, penetration testing, and offensive counter-measures; some pretty gnarly stuff. But he quit his job as a defense contractor.
JOHN: Moved to South Dakota in the middle of the economic collapse of 2008 and decided what the hell? It’s time to start a pen testing company.
JACK: [MUSIC] John called his pen testing company Black Hills Information Security. Since he was teaching penetration testing at SANS, this is what he felt best at so Black Hills started doing penetration testing for customers who wanted to see if a hacker could get into their building or network or computers. John was good at the technical aspect of it but there’s a lot more to running a business than just doing the technical work. He got some help from the people who supported him and believed in him most of all; his family.
JOHN: Yeah, so when I started Black Hills Information Security, it was my sister who was doing report editing ‘cause I’m a horrible writer, and my mom actually started out with the finances, helping my wife and I get started, making sure the finances for the company were set up properly. That’s created problems over the years. For example, if I’m at a conference with Ed Skoudis and Mike Poor…
JACK: These are a couple of his friends who also have great stories themselves and I should probably get them on the show one day, but these three friends got together in Vegas and decided to let loose.
JOHN: [MUSIC] We end up doing two dinners; I remember they took me out to Bradley Ogden Steakhouse in Vegas which was stupid expensive, and then Mike said I feel bad about this. We’re gonna go out and we’re gonna have sushi for dessert. It was something like $350 for both the meals. It was insane.
JACK: Now, when you go to a conference for work, you can expense it, right? The company will pay for it because meals are included in your travel, right? But his mom is the CFO. She looked at these charges.
JOHN: She calls me up, she goes I saw the credit card statement from last night. I got these charges; what happened? Did you take a group of people out to eat? I’m like no, I didn’t take a group of people out to eat. She goes, it was just you? I’m like well, yeah, that was my portion. I was eating with some other people. She goes, how much did you eat? I’m like well, it was just two meals. It was just a steak and then some sushi. Then I promptly got the Riot Act about being really derelict in my duty of running a company. Got off the phone sweating ‘cause my mom just kind of chewed my butt, and then I get a call from my sister and she’s like I just got off the phone with mom; I can’t believe you spent that much money on two meals for yourself in one night! What were you thinking? Okay, then I hang up with her. Then my wife calls and she’s like I just got done talking with your sister and you are not allowed to go out to eat with Mike Poor and Ed Skoudis ever again at the same time. It just kind of cascaded.
JACK: Alright, let’s hear some of John’s penetration testing stories because I love hearing all the tactics and methods people use to get into places. John’s penetration testing consisted of either going onsite to see if he can sneak into a building, or testing the network to see if he can hack into [00:10:00] it through a computer. He was doing some odd business with some company for a while and one day they called him up just to pick his brain on something.
JOHN: They called me up one day and they said hey, we got an airbase, we got a classified facility in the middle of this base and we want you to break into it. Do you have any ideas how you would actually get to the point where you could get into and touch a network jack that would have a classified network?
JACK: This company was asking him for tips on how to break into an active military base. Now typically, these things are extremely well-guarded, better guarded than a prison, for sure, with armed guards sometimes just at the perimeter of the base, checking everyone who enters to see if they belong. It’s intense to the point you might even be shot at, but John thinks about this for a moment and has an idea about how he can get inside a secured area of the base.
JOHN: I’m like yeah, get arrested. They’re like, what do you mean? I’m like well, if you’re trying to break into a military base and you get arrested, there’s a possibility you might actually end up in a room that has a network jack that might be on a classified network. They’re like, are you willing to try that? I’m like sure, how bad can that be?
JACK: [MUSIC] There were a couple people at this military base that knew John was coming. After all, they hired him to do a penetration test on the building. They didn’t know what John’s plan was and how he’d get in, but they knew the operation could go wrong really fast, so they gave John some duress words. These are words that if he got in too much trouble, he could tell the military officers and they’d stop harassing him, and they’d know to report this to the higher-ups. It was a sort of ticket to safety if all goes wrong. John starts memorizing these duress words and it was something like ‘sasquatch’, ‘pineapple’, ‘porcupine’, some combination of words that makes no sense unless you know that these are the duress words. John loads up his gear, the tools and devices that he would be able to use once he gets inside the military base so he can plug in and prove that he had access to this classified network. John heads to the base. There was nobody at the front gate so he just drove in. There was a common public area to this base, but then once he got in, he saw an area that was clearly off-limits. You needed to have permission to get into that area.
JOHN: The classified part, they had a fence and then they have a perimeter of gravel going all the way around it. Then of course, the parking lot had big signs that were like, No Salute Zones. I figured I would try to walk up to the gravel which had pressure sensors underneath it.
JACK: He starts walking across the gravel. This was a restricted area and he was clearly not authorized to go to. He’s hoping he’s triggering some sort of alarm where someone sees him on camera and comes and gets him. But if not, Plan B is just to keep on walking into the classified part of the space.
JOHN: Sure enough, a whole bunch of really, really twitchy eighteen-year-olds showed up with fully automatic weapons. I laid down on the ground and I was told when you lay down, put your hands immediately behind your back, cross your ankles, and just wait; they’re going to throw you into a car. I’m laying on the ground and I – they immediately shove the back of the rifle in the back of my head really hard. It hurt a lot, and then they handcuffed me, but that wasn’t bad; what was bad is they immobilized me by grabbing the handcuffs and lifting up. So, they lifted me up off the ground by the handcuffs which dislocated my shoulder and still to this day I have this huge scar where years later I had to have a Latarjet to repair the damage to my shoulder.
I already had a weak shoulder from a high school injury and that just tore my arms right out of socket. They threw me into the car and I’m screaming out my duress words, right? It’s like, pineapple! Porcupine! Sasquatch! Whatever the other word was. They’re like, he’s freaking delusional. I could hear them like; we think this guy’s on drugs. They threw me into a room. Sure enough there was a network jack and it was part of a classified network, but the whole time I’m like, I’m a contractor; I was hired and these are my duress words. They brought in the right people and I was able to let go. They were like, good job. Was that fun? I was like, it wasn’t fun at all. It took me a long time to recover. Yeah, I never really did a physical pen test against a military facility that involved firearms again.
JACK: [00:15:00] [MUSIC] John is a great penetration tester. He loves the challenge of getting into buildings or using computers to break into a network. Earlier in his career, he was given the task to break into a building and gain access to the computers inside.
JOHN: I was meant to get in and take over as many systems as possible.
JACK: First thing’s first, he does some passive reconnaissance. This is where he can investigate ways to get in without any fear of getting caught.
JOHN: One of the things I did, is I used Google Street View to go around the building. I found that there was a window that was open, in the Street View.
JACK: Wow, isn’t it nice that Google sent someone to this building to take a bunch of photos of it and then post them publically? This way, anyone who wants to break in can just use Google Street View to plan their attack without even leaving home.
JOHN: I saw that it was open and I figured that it might be unlocked ‘cause a lot of times windows that are open and closed a lot, they never latch them completely.
JACK: John has a plan and an objective, and it’s time to suit up.
JOHN: [MUSIC] My backpack just has my notebook computer, a series of USB thumb drives with various utilities and tools on it, and that’s it. I wasn’t wearing, you know, a black facemask or anything. I was wearing a black fleece and just jeans because this is one of the things that always bothers me about superhero movies; if you take Batman or you take Daredevil, they always show up to the scene where they’re supposed to do stuff, and they do something awesome, like they destroy the cartel and that’s awesome. I’m always thinking how the hell did they get there? Did they walk there in their suit? Did they jump across – ‘cause you can’t jump across buildings the whole time. My point is, you can’t dress like a burglar while you walk out of your house. I just dress in normal clothes. It’s just something I’ve always done. I know it’s a personal preference and style but a lot of physical pen testers have like, tactical bags and tactical patches, and they look somewhat sketchy, right? I just prefer to go with the standard backpack so I don’t freak people out too much.
JACK: John drives to the building. It’s night and it’s dark out. He arrives and looks around. The building is pitch dark; there’s no lights on at all in it. He walks up to it to try to find that window to break into. Alright, breathe now. Calm the nerves. This is no time to be stressed. It’s go-time.
JOHN: [MUSIC] I went up to this window, pushed up. Sure enough, it was unlocked. From the ground up to where the bottom of the window was, was right above mid-chest, okay? I pushed the window open but it’s kind of a little bit narrow so I can’t get my body halfway in and ride it like a cowboy and then go in. I go in kind of headfirst like a really clumsy, slightly overweight snake. I come in over the window and it’s over someone’s desk. As soon as I start slithering down onto the desk and get to the point where I can kick my leg out, that’s when I kicked the flower pot.
JACK: The flower pot flew off the desk and smashed on the ground, making a loud breaking noise. Now dirt is all over the floor. This instantly added a whole new level of stress to the already stressful situation. If somebody was in the building, they might have heard this commotion and come and investigate.
JOHN: But then when my bodyweight came down on the desk, [CREAKING] the desk was not designed to support my significant girth at the time, and the whole desk collapsed. [CRASH]
JACK: Oh great; even more of a mess. Even more awful crashing noises. His intention is never to cause physical damage. Otherwise he could just smash a window and get into the building, but that’s not the point of a penetration test. Breaking flower pots and desks is unprofessional but the damage was done and John was in the building. He stands up, looks at the mess he made and feels bad about it. So, what does he do?
JOHN: I just wrote a note; sorry I broke your flower pot. I put my name and my phone number. [00:20:00] I figure it’s better to own up for that stuff really, really quickly because the alternative makes it look like you’re trying to skirt around the issue. I just wrote a letter, put it on there, apologized profusely.
JACK: Okay, he’s in. It wasn’t very elegant. But it’s now dark in this office. There’s no lights on anywhere, so option one is to turn a light on. But surely this makes your presence known; someone who works there might be driving by and notice a light on and think something’s wrong. So, he chooses option two, a flashlight. But this might not have been the best idea.
JOHN: Then I turned on my flashlight and I’m running around plugging in USB drives and executing malware on as many computer systems as I can. Now, the horrible thing about this was the lights were off in the building, I’m running around with a flashlight trying to plug in USB sticks. [MUSIC] The reason why that’s funny is because it’s stupid. If you look across at a building and the lights are on, you’re like hm, okay; someone’s there. If you look across at a building and the lights are off, you’re like, no one’s there. If you look across at a building and you see a flashlight running like crazy all over the building, you think time to call the police, and that’s what someone did. The police show up, come into the building with their guns drawn, and I am just kind of sitting there freaked out. I’m like hey, I’m doing a penetration test. Here is my permission-to-test memo, my get out of jail free card.
I hand it to them and they’re looking at it and they’re reading it and they’re like okay, so you’re John Strand. I’m like, yeah. Can we see some ID? I give my driver’s license. They’re like okay, okay, good, good. First guy puts his gun away, the second guy puts his gun away, and they’re like so, what are you doing here? I’m like oh, I’m plugging in these USB drives, I’m taking over these computer systems. They’re like, how does that work? I’m like, well, come on, let me show you. I’m plugging in devices, I’m using, I don’t know, it was like, I think it was Kon-Boot. Just taking over systems and dropping malware and they’re like, this is really cool. People pay you to do this? I’m like, yeah. They’re like, oh, that’s neat. Well, have a great evening then. They never bothered to call my point of contact. It was like as soon as they saw the piece of paper, it was like oh, this dude’s legit. We’re gonna totally let this guy continue doing this pen test.
JACK: Huh, that is odd, right? Maybe he has a real innocent face or something but if I were a cop and I saw the mess and damage caused from climbing in the window and then saw a guy walking around with a flashlight being all suspicious? Yeah, I would definitely call the number on the paper just to make sure. But the cops let him go. So, he turned on the light switch in the office and just kept plugging in USB drives until he got everything he needed, and then turned the lights off and left. [LIGHTSWITCH CLICK] [MUSIC] A few years back, John went to a security conference in Atlantic City. While there, he got a phone call that he’ll never forget.
JOHN: I’m in Atlantic City and I’m sleeping. I get a call at like, 2:00 in the morning. It’s from a friend of mine who does some work with law enforcement agencies and they were tracking down an individual that had abducted a young girl. The girl just happened to be about the same age as my daughter.
JACK: Okay, it’s 2:00 a.m. and this caller is asking him to help catch a child kidnapper. I guess it makes sense; you have a much higher chance of catching the kidnapper in the first twenty-four hours, so time was of the essence. The law enforcement officers had already collected a lot of clues by asking the family if they suspected anyone who could have done this. There was a guy who was known to the family who was a suspect, so they decided to chat with that person through Skype where they normally talk with them. But this gave them another clue.
JOHN: They knew who the suspect was because he had changed his Skype icon to be a picture of this girl crying.
JACK: Not only that, but they were actually able to have a conversation with this guy over Skype.
JOHN: They approached me and they said is there any way we can track this individual using pen test-like techniques? One of the techniques that we use all the time in pen testing, [MUSIC] is you can send a document to someone and you can have that document beacon back through a cascading stylesheet or an img source tag. You’re not trying to get access to the system; you’re just trying to prove that someone opened the document.
JACK: John prepared a document which, when opened, would show that person’s IP address. John gave this document to the law enforcement officers working on this and showed them how to watch for the IP address when it gets opened. They gave this to the person who was talking with the guy on Skype.
JOHN: And sent a document to the suspect. The document was opened and then it started beacon back. Now, geolocation based on IP address is really suspect under the best of circumstances but if you have a warrant and you have the source IP address, source port, and date timestamp, [00:25:00] you can actually go to an internet service provider and they can tell you exactly where that file was opened.
JACK: So, that’s what they did. As soon as law enforcement officers knew the IP address of the suspect, they already had a warrant and so they asked the ISP for the name and location of the person who owns that IP address. ISP responded right away with this information.
JOHN: In this situation, they found it at a motel. Then shortly, right after we started getting a beacon back, they were able to get the little girl back.
JACK: Wow, what a gnarly way to use social engineering and phishing methods for good.
JOHN: That kind of changed my philosophy on the offensive versus defensive side of things. You could see how these things could be blended for a better defense, how we could use some offensive tactics to actually do some attribution for attackers as well.
JACK: Of course, yeah, that does make sense. It’s so fascinating to think about ethical hacking like this. While the years go on, John continues doing penetration tests for companies all over the country. His family continues to help run things on the business side. Again, his mom is who handled all the finances of this company, and she was the chief finance officer, CFO. But his mom was watching what John was doing and got a crazy idea.
JOHN: [MUSIC] She had been the CFO of Black Hills Information Security for some time and she’s always reading about – reading reports about awesome things that testers do. I’m telling stories about stuff that I do, and I still to this day believe doing offensive security is one of the coolest jobs in the world. We have exciting lives. It’s dynamic and it’s interesting. She saw that and she really wanted to get in and do something. When we were doing physical pen testing, she came to me and she goes, I want to do a physical pen test. She’s my mom; I’m not gonna tell her no, right? ‘Cause she might have a monk hit me, but she wants to do this. I say mom, you gotta come up with a ruse. I explain to her what a ruse is. She’s says I already got it. I’m like, what is it? She goes, food service. I’ll go in and I’ll do a food service inspection and I will get right in. It just floored me; that was a ruse that we never really thought of. It’s a ruse with authority, it’s a ruse that’s kind of inauspicious. My mom, at this point, was in her sixties and she shows up, you’re not gonna look at her and go hm, this lady looks like a hacker. No, it’s not gonna happen.
JACK: Now, keep in mind that his mom was the food service director at a high school, so this is actually something she knows a lot about.
JOHN: She knows food service inside out and backwards, right? She was a food service director for something like twenty-five years, so she had been through dozens and dozens of inspections, so she knew how the inspection process worked. She got the inspection checklist, she got a little badge, she got an ID. She knew exactly what everything needed to look like to make it look legit because she had done this so many times.
JACK: He says okay mom, let’s do this. [MUSIC] Time to pick a target.
JOHN: We had a series of physical pen tests that were scheduled that day. It was the fifth of July and it was on a Friday which meant that all of the target sites were soft targets; there was very little staff and a skeleton crew onsite and many of the people in authority wouldn’t even be there. It was a perfect time for this. Myself, Benjamin Donnelly, and my mom all piled in the car and off we went to break into a number of locations.
JACK: They had a few targets that day; a couple of offices, various facilities, and a prison.
JOHN: My mom wanted the prison which was crazy. I thought it was the hardest one to break into. But she’s like no, this won’t take me long at all. The objective of the prison was to establish callback documents and get a shell out of the prison.
JACK: Now, a shell in computer lingo is remote access to a computer through the command line, so his mom needed to get in and access a computer so that she could connect to John’s server. That way, John and Ben would be able to safely access this prison’s network from down the road. Hm. So, how can she do that? John digs into his bag of tricks and pulls out a USB drive and gives it to her.
JOHN: The USB drive had a .exe which just simply dropped an implant on the system. Then there was also a document. That document had beaconing on it. We said if you ever get a chance, you plug it in. If somebody’s looking over your shoulder, open the document. If there’s no one looking over your shoulder, run the executable.
JACK: [MUSIC] Ah, okay, this is clever; basically, the executable program on that USB drive tries to open a connection to John’s server. Once that connection is open, John can then remotely control whatever computer ran that program. Now, I might even go so far as to say this isn’t even [00:30:00] malware; this is a tool that has the functionality of getting a remote connection to another computer. It might be used by system administrators of the network to remotely admin a computer but in John’s case and John’s mom’s case, they were going to use it to gain remote access to these computers in the prison. So, John teaches his mom how to use this USB stick to help him get remote access to these computers.
JOHN: My mom was totally calm. Like, she wasn’t nervous about it at all. I was more nervous than she was. We’re all in the same car and we stop at a coffee shop that does amazing pies, and Ben and I sit in the coffee shop.
JACK: His mom gathers up her supplies and gets ready.
JOHN: She had a clipboard, a checklist, and a USB drive. That was it. That was all she had. Oh, she did have her phone; she was recording audio. We had her record audio of everything that she did, too.
JACK: Again, a clipboard. Forget about some hi-tech gadget that you need to get into a building. A clipboard is the only weapon you need. Okay, so perfect; she’s ready. She loads up the car and drives off, leaving John and Ben at the coffee shop. Now, keep in mind they’re in a town that they had to travel to in order to do these tests, so they had one rental car and she just drove off with the only car they had, leaving Ben and John at the coffee shop to wait. But not only that; she took John’s phone to record the audio. He doesn’t even have a phone to call anyone with.
JOHN: The first thing that goes through my head was this is the dumbest thing I have ever done, and she’s gone. [MUSIC] Honestly, we were so – sometimes whenever you get wrapped up in a ruse, you’re so excited about that ruse that you don’t think rationally about it. You’re like, this is gonna work, this is awesome. This is the coolest thing ever, and there’s a lot of times whenever you’re doing pen tests from a technical side or a physical side, you’re walking a tightrope and by the time you get across to the other side, you look back at where you came from and what you did and you’re like, that was stupid. When she took off, that little voice of doubt started talking in the back of my head, saying this is stupid.
JACK: I mean, what could have been the consequences here?
JOHN: Oh, absolutely she could have been arrested. That absolutely could have been the consequence, and she’s my mom, right? I know we probably could have gotten her out of prison. I know that more than likely everything would have been okay, but just, my mom getting arrested just at that point when she started driving away seemed to me like that was one, a very real possibility and two, it’s not something I ever want to deal with as a son. My mom gets arrested and I’m the reason she got arrested. This could have easily gone from a super awesome story to just a really tragic one very quickly.
JACK: Your blood pressure starts rising as she drives off.
JOHN: Yeah, yeah.
JACK: Do you guys have, I don’t know, a sync-up time or like…?
JACK: Come rescue me after thirty minutes or anything?
JOHN: No. Dude, I gave her my cell phone and I told her here’s how you start the record function on my cell phone. She takes our only car and she had to drive six miles to get to this facility. We’re stranded and I don’t have a way of communicating with her. Yeah, it was really scary.
JACK: John and Ben are in this coffee shop. They open up their computers and connect to their command and control server. This is the server that listens for when someone runs that executable on the USB stick. That’s all they can do to monitor the situation. [MUSIC] They just sit there, looking at the screen to see if any connections were successful. The facility was about ten minutes away. They ordered some coffee and tried to relax.
JOHN: Lots of coffee.
JACK: The next ten minutes goes by and they’re starting to get worried. Did she get in? Did she get stopped? Is she arrested? The server shows no activity. The wait was terrifying.
JOHN: Oh, it was miserable. That was probably some of the longest – it was probably some of the longest twenty-five, thirty minutes I’ve ever had in my entire life ‘cause you’re absolutely convinced that she’s busted because there’s no response, there’s no connections, you’re in this void of information so your brain starts filling in worst-possible scenarios. Yeah, it’s just – the waiting was horrible.
JACK: Another ten minutes goes by; still nothing. Ben and John are getting more coffee and getting more worried.
JOHN: I can’t remember if it was Ben or it was me but one of us said it’s okay, she’s fine. We’re getting shells. As soon as we started getting call backs, as soon as we started getting shells, we knew at that very second that my mom was okay. They just kept coming. It was the coolest thing ever. Then finally, one of the computer systems that called back was actually the director of that correctional facility. [00:35:00] It was just this really euphoric, amazing moment where this oppressive weight was just lifted off of our shoulders. Then, shortly thereafter, about ten minutes, she shows up and she walks in. We all get around her; we’re like how did it go? How did it go? How did it go? She goes, it’s fine. It went really, really well. I’m like, tell me about it. She immediately launches into did you know that somebody that works there actually went to high school with you? Now, you were a senior and they were a freshman.
[MUSIC] I don’t know if you would remember them. I’m like, I don’t care about who I went to high school with; just tell me the story. She just walked right up to the front, she said she was with the Health Department, it’s a surprise health inspection. They let her right in. They asked her what she needed to gain access to. She said I need to gain access to the employee workstations to make sure that there’s not food or drink there, and then I also need to get around the food preparation locations, and I also need to gain access to your NEWC. They were like, our what? She’s like, NEWC, your Network Operation Center. They’re like oh, the NOC, okay. They walked her to each of those locations and let her go unsupervised. She was completely free to roam anywhere that she wanted to go, and she chose to give them a full health inspection first. She started going through; she had a laser thermometer and she was taking temperatures of the refrigerator. By the way, their refrigerator was a bit too warm. It wasn’t within the guidelines of the Health Department.
She was going through, she found mold in different places. So, she went, she did a full health inspection, then she started plugging in the USB drive in computer systems. Because it was the fifth of July, there was hardly anyone there. Then she went back to the front desk. She talked to the person; said she was done. They said that the director wanted to talk to her which of course, my mom said at that point I started getting nervous. I’m like, I bet you did. She sits down with the director and the director’s like, so how did we do? My mom gave her the score and said this is your overall score that you got, and the director asked is there a way that we could prep for this in the future? Kind of do a self-check? My mom’s like, absolutely. On this USB drive, we have this document with a self-checklist that you can fill out. Here you go, open it up. Sure enough, she got the director to open up the file. They clicked it, and got a reverse connection out of that network on the director’s computer.
JACK: Oh, wow. That’s incredible. Well, the prison was very surprised with this report. They did not think somebody would be able to break into their prison at all. I don’t think they ever expected someone to get access to the computers after that. When they heard all this, they were shocked. They realized people weren’t following procedure. I mean, number one, nobody confirmed she was who she said she was. They didn’t call the Food Health Inspection Office to ask if there was a legit inspection planned for today. Number two, they allowed her to go into places that she shouldn’t have been able to go, like the Computer Network Operations Center, and they let her plug USB drives into computers there and run an executable program. That’s a big no-no that someone should have noticed and said whoa, whoa, whoa, who are you? The prison had to clean up all these failures on top of cleaning up the mold and other stuff she found. Unbelievable.
JOHN: I think the reaction to this – there’s a couple of things; one, talking about it at DerbyCon and then I also talked about it at RSA, was really kind of a cathartic bit of closure because my mom, shortly thereafter that, was diagnosed with pancreatic cancer and she passed away after nine months of fighting it. It’s one of those really amazing stories that kind of highlights who this person was and what they did, and the way that they looked at the world that I think overshadows all the bad things that fighting cancer had with it. My mom was incredibly dedicated to our company. I remember she tried to work all the way through when she was fighting cancer. About two days before she died, she called me over to the house. We all went over and we had dinner, and she goes, I forgot the password to my computer.
I basically got into the computer and handed it over to her. She got to the password change screen and she hands it to me and she goes, you need to set a password now. I’m like, why? She goes, I’m not gonna need this computer anymore. She died less than forty-eight hours after that. The cool thing is, I have a lot of great stories about my mom but this is one of those stories that is – it sums her up completely, being fearless, just being very good at everything that she does, and just being dedicated to what we did as far as a company. It was just really cool to have that as something that I can hold onto [00:40:00] instead of thinking about all the bad things the last nine months.
JACK: Can you talk about that superhero picture?
JOHN: Yeah, so my mom’s dying and she – I actually have it here. I unpacked my bags from RSA. She found this picture of me and it’s whenever I’m like, I don’t know, four years old. I’m in blue jeans, black boots, and I’ve got my red underwear on the outside of my jeans and I’m wearing this blue corduroy jacket, and then this Superman cape because I wanted to be Superman. My mom always told me I was gonna end up either a superhero or in prison. She said there’s no place in-between for you. Growing up, I always had this prison picture that was drawn by my godfather in my hallway, or the hallway right outside of my bedroom.
She would always point that out; you know, you could either end up in prison or you could end up being Superman. Being a little kid, I always loved Superman. She calls me over when she’s – just before we put her on morphine, ‘cause as soon as we put her on morphine, we lost – I lost my mom as soon as we put her on morphine. Her mind just kind of went away. She pulls out this Superman cape, the actual Superman cape from when I was three or four years old, like the Superman cape that she made. She hands it to me and she says I’m glad you chose wisely.
JACK (OUTRO): [OUTRO MUSIC] A big thank you to John for sharing your story with us. John, you are certainly a superhero and your mom is a legend. This show was created by me, the ULA violator, Jack Rhysider. Original music this episode created by the lone operator Andrew Merryweather, editing help from the net cat Damienne, and our theme music is by the ever-sounding Breakmaster Cylinder. Even though when someone reports a security problem some companies will just send a cease-and-desist letter instead of actually patching their servers, this is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]