Famous Hacks and How To Protect Yourself with Celebrity Hacker Chris Roberts Part 2
EXCLUSIVE CANDID DISCUSSION. In this PART 2 discussion we got the rare chance to sit down at length and learn from one of the world’s brightest and most-respected hackers and security experts, Chris Roberts.
He also shares some candid exclusive stories on aspects of some of his most notorious hacks, including his hacking of the Mars rover, the International Space Station, Amtrak, a UK bank, the Chicago CTA and more.
Our mission is to keep you, your family and your organization's brand safe. Nothing technical or boring. Through humor and real-life stories we make sense of Cybersecurity.
Resources: Got a question? Reach out at CyberCrimeJunkies.com
Thanks for being a Cyber Crime Junky!
Best Security Practices for Business with famous Hacker Chris Roberts. We discussed hacking planes, trains and automobiles with someone who knows how to do it. We discussed famous hacks, detection and security awareness training best practices. Special Guest CHRIS ROBERTS
[00:00:00] We have several things we wanna talk to you about today. One of the first ones is we realize there's no silver bullet in security. Every organization is different.
[00:00:08] I think it's frustrating. Because as an industry we have unfortunately over-promised and in many cases underdelivered. Yeah. You know, we use words. Words have power.
[00:00:19] Yeah. You know, and, and we, and I think that's something we've lost, is, you know, in, in life. And I mean, you've only gotta look at today's internet, whereas one wrong word or one wrong phrase or sentence, unfortunately can condemn somebody. I mean, no two ways about it. There's a whole question of Engage Brain before opening mouth.
[00:00:38] No, no. Two ways about that. Well, we're still humans too, with like, and there is biology behind us, so that doesn't always, that filter doesn't always work. Yes. But even the best intentioned. In our industry when, when we, we have one job. When you think about it, we, we, in information security have one job. And that's to protect.
[00:00:58] Protect. That's exactly right. That's our job that nothing else matters. Our job is to protect. Yet we have taken, we've taken those words, so out of context. We've, we've, we've promised people that we can put software on the systems and, and look after them. And we've said, we can look after you. And in human terms, look after means you've got my back and we use in military, right?
[00:01:25] Hey, I got your back. Great. That means when I'm asleep, I know somebody's got cover fire, right? But in our world, we can't promise that, yet we still do. You know, we can do the best we possibly can. I can help you understand risk as best as I know. Mm-hmm. I can help you maybe mitigate some of those risks, right?
[00:01:43] I can help you reduce those risks. I can help you maybe understand what is going on out on the internet, how can I help you understand all these things and I can help you make a more informed decision. But what I can't do is protect you. And what I definitely can't do is eliminate risk and. I think one [00:02:00] of the vendors was out there, you know, and they've managed to eliminate Euro human error, and I'm like, well done.
[00:02:07] Oh yeah, well done. Eliminate human error. Yeah, I mean, what was it, two, we've been creeping around in modern era for what, two to 300,000 years? Last 60,000 years or so, really is what we count, right? And in that time we've, we've failed to actually screw around with human error. We've got some pretty good examples of it.
[00:02:25] And apparently, according to them, they've done it. They've, they've solved human error. And I'm like, you arrogant bunch of , right? Piss you or it's just there's no, there, there, there is no, no way of doing that. I mean, some of the services, I mean, I agree with you because the services have a role in the stack, right?
[00:02:47] Yes. Like of all of the layers and, and when we talk about the human, like my big thing is I don't care how much you put on the infrastructure and all the layers. When we don't educate the people in a comprehensive, ongoing way, it doesn't matter, we're gonna let them in. Like it doesn't, they're gonna get around the firewall.
[00:03:09] They're gonna get around all the other infrastructure and, and everything else. So to me it's about the. Focusing on getting even the, the, the users to a level that can even begin to visualize a human firewall. Cuz it's nowhere near, it's nowhere near that they use that phrase, human firewall and stuff.
[00:03:32] I'm like, it's open season right now in most organizations. Understatement. And even if we, even if we manage to effectively educate and we manage to. Us, the human, the tools, we still make mistakes. I, I still click fix. There are times, there have been times when I've gone, oh heck. And, and in that moment when you've got 10 of course juggling and you go and you go click and you are like, yep, yes.[00:04:00]
[00:04:00] Stupids bitch. Yeah. Yep. Well, I, I learned something from you last time about cookies and that was, cause now every website I go to, I'm like, I'm not accepting cookies. I'm going through And they, they have like the marketing ones. Yes. The the performance ones, but then they have like the required ones for the site to even work.
[00:04:21] I'm like, I'll accept. But none of the others, but none of the others. And they've gotten sneaky. They've gotten sneaky because the browsers are like, you know, allow necessary cookies and block third party cookies. Well, now the sites have gotten little sneaks and they, and they're not third party cookies anymore.
[00:04:36] They're our trusted partners. Cookies and, oh, yeah. Yeah. So now you are, and this is where again, oh, I've got my browser protection. Well, that's only as good as. As we are, are not lying. And now, and now the sites are like, oh, these 300 extra cookies we'd like to give you that they're not tracking. They, they're, they're our partners who enable and, and then enhance and elevate your experience.
[00:05:00] I'm like, no, you're sorry I my data. So in this next part we discuss detection with Chris Roberts. And what we mean by that is the real time awareness that something bad is gonna happen. We all need an ability to catch things in real time so that it's not months or weeks that go by that bad things are happening that we're not aware.
[00:05:28] And in the digital space, this is particularly. So let's give it a listen. That's so funny. So let's talk about detection and then I wanna get into deception. Yeah. Cause I think your talks on, I've seen a lot of your talks on deception and it's fascinating. But detection is really key when we talk about internal.
[00:05:50] Security teams or internal IT teams and then engaging with vendors. It has to be a partnership, certainly. Right? It can't, it has to be a [00:06:00] collaboration. It has to be something ongoing, you know, back and forth, sharing of data, sharing of changes in the organization. But detection to me is cuz I don't, we're never gonna stop something.
[00:06:12] No, I so, so, knowing it as soon as, Yeah. I, I would think is is about as good as you can get. Yeah. Well, and it's, and it's also, so again, if you think about it, traditional detection is waiting for something to happen. Right. You know, it's, it's, it's, it's you know, a perfect example in the real world is as a nuclear test.
[00:06:34] So if you do a nuclear test the first time that some, you know, or, or a star explodes, your detection is when at an atomic level, something hits a. Right? Mm-hmm. Now we are the same way. If you think about it digitally, the first time, typically we know something happens is when something hits the firewall, intrusion detection, or an endpoint.
[00:06:54] Right. To me that's where it gets really interesting cuz we should be able to look over the parapet or on the tech of a nuclear test or a star we can observe. We can actually look over the top of our equipment and go, you know, we built that bloody thing and we kind of know what's gonna happen and we know what particles are gonna come off of it.
[00:07:10] So we kind of a pretty good idea of how much shit's gonna come in our direction. Right. And to me that's where you get into that, the threat intelligence side of detection, which is you actually put your head above the parapet and go, Hey, what's coming at. Right. And in the digital world, you know, it's a perfect example.
[00:07:27] I mean, Boom, Boom is probably a good example of that. Up till two or three weeks ago, we had a set of targets that we looked at on the outside. You know, we kept a good ear and a good eye on the ground to, to as to who was interested in us. Then we announced a partnership with a, a pretty well known government, quasi-government entity that does a lot of work in that, and all of a sudden, the chatter and the traffic of people that were interested in us, or organizations that were paying attention to us went
[00:07:56] Wow. Now, we could have waited to see those [00:08:00] attacks against our firewalls and stuff, or we got a bit of a heads up because we saw chatter, we saw conversations, so we kind of knew what was coming at us. At least so that we could go, Hey, how are our detection capabilities? How well have we managed to get our logs and our algorithms and our DNS, and all those other good things that we need to have in place to make sure that when something hits us, we actually touch one, get better eyes on it.
[00:08:25] Right. Mm-hmm. Well, and using frameworks, right? Like Yeah. Walk us through like the importance of the MITRE ATT&CK framework. When, when organizations are, are using them, because that's something we really believe in, and I think it really helps, but it's hard to explain. To regular people sometimes, or business owners.
[00:08:45] And it's like, it's not just a, it's not just an idea like this is, it's the framework in which the attacks come in. And learning that is, and, and, and operating in that framework is, is critical. Well, it's, it's, can you walk us through that? Yeah. It's good to explain to people. I think it's, you know, you, you hit the nail on the head.
[00:09:05] It's all about communication. Again, we can sit. It's technology. And actually I put a LinkedIn post out about it today and I did it in I did it in Scottish. But it is one of those where in a technology world, we in turn and say, oh, bad guys are coming after us. Well, let's break that down. What are they doing?
[00:09:22] Let's talk about the steps. How do we do reconnaissance? How do we do initial analysis? How do we do research? How do we get in? How do we pivot? What the hell does pivot actually mean? Mm-hmm. You know, and then you talk about all of that. How do we do it? Analysis. So the, the, the fun thing about the MITRE framework's done a fantastic job of actually giving us almost that communication capability to go, hey, it's established, it's well known.
[00:09:46] And then you can drill down into each one of those areas and go, well, how effective are we at understanding what this whole thing means? How? How would we understand whether something gets taken out of our environment? Right? How would we even understand [00:10:00] to look for command and control centers or anything else that might help us?
[00:10:04] So that, that's great. And then honestly, from a vendor standpoint, being able to sit and look at the vendors and go, you know, Hey, where do you fit into this? You know, I know I've got good coverage here and I've got some good stuff here, but I, I'm, I know I'm missing this section here. How well do you provide effective coverage in this environment without lying to me.
[00:10:25] Yeah. And, and I, I mean, I don't know how you do threat hunting without it, right? Like I, yeah, it's tough. But here's the thing. So this is what gets really interesting. I, I quite honestly, No company should be doing threat hunting if they don't know their own environment. It drives me nuts that you've got people like, oh, we need threat hunters.
[00:10:47] Well, tell me what assets you have. Tell me fundamentally, do you know what is in your corporation today? Exactly. Internet of things, devices, everything else. There's so many things that they don't know because if you don't know that, why the heck are you out there bouncing around like a freaking over-caffeinated squirrel when you actually need to be understanding what the hell's in your own environment.
[00:11:12] Cuz if you don't know what the hell you've got or what it's doing, how the hell are you gonna protect it? Right? Yeah, absolutely. Have, have you seen a, an influx of the delta between. What organizations think they have and what they actually have in light of the pandemic. Because I think they, because of the pandemic, they threw so many devices out there, they've changed the whole environment of just about everybody's landscape.
[00:11:39] exploded. Yes. It went from, I
[00:11:42] mean, you know, it's been really interesting cuz at one point we thought we had a pretty good handle on it, and then all of a sudden you're like, Okay, so 90% or 80% of my workforce is now working from home. Mm-hmm. How do I quantify the risk of, of this corporate computer? I mean, I'm working from my lab space.
[00:11:57] How do I quantify the risk of this [00:12:00] corporate asset on a network? Mine doesn't share everything cuz mine's segmented. Cuz I'm an ass. But unlike most people's corporate network where, you know, the, the, you can yell and, and Alexa or Siri is gonna answer you, right? And the, the, the security system is on the same network and the, and the television's also talking to the internet cuz Am, am.
[00:12:20] And, and, and the little kids are upstairs doing their thing and the significant others doing their thing. And all of a sudden you've gone from a corporate kind of managed issue environment where you can tell the ingress, egress. To this scatter bomb approach of goodness. And the fridge, by the way, is getting pissed off with the microwave and talk to in the washer and dryer about to talk to each other as well.
[00:12:43] Exactly. Absolutely. So, absolutely. Well, I mean, that's where, I mean, endpoint detection I think is so critical now. More so even than 10 years ago, like with people all over. All right, so. Devil's advocate. Let me play devil's advocate, and I'm not disagreeing, but let me play devil's advocate for a minute. We talk about endpoints.
[00:13:05] Mm-hmm. And we have to look at everything. So we're talking about the watch, the fridge, the microwave, cuz all that can affect the network. Right? All that can get to your networks. And now you're talking about putting a solution on between vest, as we know, between about 19 and 40 billion devices. Mm. I mean, that's, that's, and we've gotta watch it and we don't have enough people to watch the darn stuff.
[00:13:29] So we've gotta put orchestration in place. But how do I tell what's legit versus not legit? Versus who should have access and should Siri be actually reading my Word document back to me and all these other things? So as much as we like to think of the endpoint is, is the thing my concern is, is it, is, is back to the data.
[00:13:50] So, you know, we honestly wanna know what assets we have in the physical world. I kind of wanna know what digital assets. I wanna know what data you think you have, and especially the stuff that's [00:14:00] gonna kill you. Yep. What's gonna take your organization down if I post it on the internet? Or what about the programs where there's endpoint like detection and response and there's, and they use the MITRE ATT&CK framework?
[00:14:16] Yeah. So like the security orchestra, basically playbooks. In other words, if it says something, it does something. Yeah. Right. Are they helpful? I mean, are they at least. Yes. I think any, to your point, I think anything's helpful. Rephrase that. I think anything well implemented and architected is helpful.
[00:14:32] Correct. I think that's the key. If it's, yeah. Not implemented well, if it's not configured correctly, if it's not monitored or maintained, it's not a set and forget type of right. Security service, you can't do that. Which now means that we have to put onus on both parties. One, right. Your vendor slash your trusted provider has actually gotta help you pick and assess and implement well, but me, as the CISO, I have to be a good custodian of this.
[00:15:00] Mm-hmm. I can't put it in simply to put a tick in the compliance box. Right. I have to put it in effectively. I have to get professional services, so I make the stupid thing actually goes. And kind of like in the real world, the house, it requires maintenance, not just when we see pen testing, we see pen testing across the industry and some of it is just crap.
[00:15:20] Some of it is just scans and scans and they're just justifying fee. And I'm like, how about some ethical hacking? Like how about ethical hacking and don't tell us a thousand different things that really no one's gonna exploit, but you're gonna make me go and fix it. How about like you tell me. What are the three or four things that I should fix right now?
[00:15:40] I want a snapshot in time. I wanna know what they would actually do. Yeah, send me a screen scrape of my inbox and tell me how you got there. Then we can talk. It's, but it's tough though because I mean, if you think about again, let's take a step back and go intrinsically, I know where [00:16:00] my issues are if I'm honest, right.
[00:16:01] And this is, this has become better. The human, if I look myself in the mirror and go, I already know some of the stuff I have to fix. Mm-hmm. I'm not going to spend money on a penetration test or an assessment until I've at least got those done because it, it, it's, it's a waste of money. Absolutely. Right.
[00:16:17] Once I get to that point where I don't know what I don't know, and I'm, I become dangerous. If I assume I know everything. Once I get to that point, that to me is where you bring that trusted assessment team in and go, Hey, yeah, give another Absolutely. And that that's the discussion we have often, right? Yeah.
[00:16:36] When you know there's certain things obvious why have a snapshot now you know, this is bloody, you know that I know I can get you a bloody inbox because, you know, you've got a whole bunch of AWS, got a bunch of account, and by the way, you know, you're not training your users, so I'm just gonna, right. I'm gonna ask somebody to click on something cuz I need something done.
[00:16:55] I mean, it's right.
[00:16:59] I mean, it's. It's so important. We do this. We've been doing these trainings, we've been doing 'em along.
[00:17:06] We're part of InfraGard, Mark and I, we've been doing these alongside federal law enforcement for like 10 years. Mm-hmm. And we do 'em at no cost. And there's noth, there's no sales pitch behind it. We just do it because it's gotta be done. Cuz some of these organizations, we do it for Chris. It's the only thing they do all year.
[00:17:23] That's it. I'm like, how is the, how am I, that's it. The only voice of reason about your digital life. Like, it scares me. Like, like, because that's what compliance tells me I gotta do because they have to check the box. Yeah. We have to check the box. The box. That's it. I can check the box now much. And, and it's about caring.
[00:17:47] There's so much stuff that, that is free online for awareness training. There's so many things they could do. There's good platforms out there. There's, there's, you know, the, the KnowBe4, we, [00:18:00] we actually manage the KnowBe4 platform. And again, it's not a silver bullet, it's not gonna fix humans, but it's, oh, so you saw that post I put out and we won't.
[00:18:12] You saw that post I put out, the, the, do you know the one that talked about fixing the humans? Oh, was that KnowBe4? Oh yeah. That was those bunch of Oh, wows. Yeah. So, well, yeah, that's, that's the platform that we use, but our SOC actually does it and implements it, and they customize it. Yeah. This is why I gotta be honest.
[00:18:31] I like, but I don't, but that's a, yeah. They shouldn't be, they shouldn't be over promising like that because it's a tough They did. And you know, you've got how many people running through blackouts saw that? I mean, that's, yeah. So that's those little buddies, I'm afraid. So this is why I love the wiser guys, like Gabrielle guys over there.
[00:18:49] To me, that's mission. I like the platform. Yeah. It's good stuff. Yeah. It's but again, so this is exactly to your point. It's, it's, it's helping everybody inside the organization learn how to look after themselves. Yeah. It's not teaching you not to send stuff and not to do stuff and not do. It's actually helping.
[00:19:09] And I think this is where there's a difference because if I train you once a year for compliance, then great, I got my ticket in the box, but it's useless. But if I actually go understand, it's gotta be part of the culture too. Don't, don't you think it's gotta be ingrained, and it's gotta come from the top down.
[00:19:25] You know, your leadership has got to actually embrace it. You can't, you can't have everybody else do it. But the leader is, the leader doesn't think they need to be trained. That's where you lead by example. And leadership's gone like, Hey, we just did, I ran internal training at Boom, first training course.
[00:19:40] We ran at Boom an internal brown bag session, and we had literally half the company. And it was a lunchtime session. We, we kind of ad hoc'd it and we had about half the company and it was freaking awesome. Bunch of feedback afterwards. A bunch of conversations. We're running another one next month. Yeah. And we'll keep doing this and we'll do the official training.
[00:19:57] So we want to help [00:20:00] people. How do I look after my parents and grandparents? Yeah. What do I do when I travel? How do I help my kids? How do I help this, how do I do this? And it's, it just gets people. Yes. Mm-hmm. Yeah. I mean, because that's, to me, security's gotta be top of mind. When you fire up your laptop, you need to be thinking, what am I putting out there?
[00:20:24] What am I, what, what can, where am I making myself vulnerable? And just being aware of that. It's like when you walk into a bad neighborhood, right? Yeah. You're aware when you hear bottles rattling in the alley over there. Yeah. You know, not to turn left into the. Right. If you're not aware, you're just gonna keep walking, right?
[00:20:45] Yeah. Oh, absolutely. It, it's that awareness that's just, it's like a sixth sense. You just have to have it. And to me it's just something that's, it can't be periodic. It can't be once a quarter. It's gotta be on a regular basis. Yeah. Yeah. Once a year you're not gonna get it done. But it's not that, it doesn't create behavioral modification.
[00:21:05] Yeah. I mean, I, I put it out there as a, I have a, I have a set of presentations I use and one of the slides on them, you know, it takes me one minute to take your email, one minute to take your phone, one minute to do this, one minute to compromise you. Yet it takes me between seven and 20 times. To get you to think about something.
[00:21:25] So you do it once a year. I'm seven years into this, before you even open an eyelid and maybe consider it at that point. I mean, it's, it's game over. It's so far. Game over. It's not even funny. Yeah, yeah. You know, even, I mean, I think that the, I mean, I mean, I think the idea and the, the, the platforms that are out there, the test phishing, it helps.
[00:21:50] Like, it, it, it helps so long as it's done as part of a comprehensive culture shift. Yeah. And a dedication of people [00:22:00] that care. And I think to that point, again, we talk about people, it's. I made a promise when I started at Boom, and I, I will hold to that promise cuz a couple of people are like, oh my gosh, you're gonna come in and run phishing tests?
[00:22:11] I'm like, no, no. Why would I set you up to fail? Mm-hmm. Well, you know, you need to get a baseline of where everybody is. I'm like, I know where y'all are at, right? I don't need a baseline. Why do, why do I need to? Why do we need to make a fool of certain people before I actually kind of know where you are? I know the industry well enough.
[00:22:28] I know that 50% of you gonna say yes, and 50% of you will actually know. I don't need to know anything else other than that. What I need to do is get everybody up to a baseline and then we'll start playing games, and then I'll start putting some fun stuff out, but only when. Given you the opportunity to learn, to educate, to understand, to train and given you the tools.
[00:22:49] Only then am I going to test you to see how you do. And I think unfortunately too many companies do it the wrong way around. Too many companies are like, oh, we'll do a phishing test and we'll, we'll deal with the results. No, cuz now you make people feel like idiots, which means they don't most, some of them will be like, to hell with you and they don't want to learn anymore.
[00:23:06] Right? Now you have an have an effecti. change in the manner in which you, you, you wouldn't test a student before you teach them. Right. Let me teach you and then, then I'll test you. Well, it's, it's a all education and all professional development. It's gotta be ongoing. It's gotta be job embedded, but there has to be an element of inspiration.
[00:23:25] You have to inspire them to want to learn it, right? I mean, you almost could. I mean it's, you know, we have in our profession the continual education credit CPEs or whatever. Mm-hmm. You almost for whatever profession. I mean, if you're teaching people in the healthcare space, the physicians and everybody else, they too have CPEs.
[00:23:44] I mean, if you made some of these tests, like CPE eligible for a certain amount of it, then you've added an additional, even for us, you've added an additional level of incentive. That's a great point. Hey everyone. Thanks for listening so far. Now [00:24:00] we're getting to the absolute best part. It is the Infamous Hacks performed by Chris Roberts.
[00:24:07] Let's listen in. So let's, let's get into, so, so we don't wanna let you go until we at least get into some cool things that I seen. I don't wanna rehash other things. I know you've talked about numerous times, but. I love the story when you're in Chicago and you're waiting for a train. Oh my God. Well, we can you, can you explain, can we talk about that
[00:24:29] Can we talk about that? We can talk about that one. Yeah. That one's good. That one won't get me yelled at. Not that I'm, unless any from like Yeah, we won't touch, touch on anything that'll get you yelled at. We, we're not gonna call Amtrak or anybody, so No, no. Amtrak's a different one. We managed to have fun with Amtrak, that.
[00:24:44] A very, very good friend of mine was flying and we decided to do planes, trains, automobiles, and I was actually on an Amtrak, so he hits me up, he's flying somewhere and he's like, Hey. Amtrak was still at the time, I mean, and who knows if they still, Amtrak still had Heartbleed issues on their, on some of the switches and routers.
[00:25:03] So you could actually sit on the client side of the m. Run an exploit on their client side on their client side network, on the, on the, on the visitor guest network, on the trains while you were sitting on the darn thing, and you could actually get into like the positive train control and the rest of the corporate network.
[00:25:20] So we're like, we were sitting at the station and he'd given me a shell in, I'd gotten onto the train. I'm like, all right, can we get this? So we ended up getting a scanner and we were trying to scan the, the cars as we were going by. Mm-hmm. So we get like three-way shell straight through and do planes, trains, automobiles.
[00:25:38] I mean, speaking one of those fun things to do. Oh my gosh. But the, but, but the one you are talking about, this was, this was, this is the one where you had it doing like the beat. Oh wow. Yeah, I believe I remember I still have the wave file from it. I love that. So we were out in Chicago at a conference in Chicago.
[00:25:56] It still goes on these days and it was like number one on number two. [00:26:00] I can't remember if it was the day. No, it was the day before. Cuz we talked a little bit about it on. But we'd gone out that evening and, and we'd found ourselves on the, on the Chicago transit system. And you know, at the time I remember looking up and there's these old bloody screens and I'm like, wonder what's controlling that thing?
[00:26:16] So out pops a laptop and, and a bunch of other things, and very quickly were like, oh. Actually we can get into these and you have a little bit of fun. And you know, they have, they've got the announcer's voice and they've got the train. They departing and stay, you know, all these other things that they have on them.
[00:26:30] We're like, you know, we don't wanna mess with it too badly. Like, we all gonna have a little bit of fun with it. And I'm like, I know what we can do. So ended up getting a recording of God Save the Queen. Figured we'd have to, you know, we've gotta repatriate this country a little bit somehow. Figure, I got God Save.
[00:26:45] So not the version, not the Sex Pistols version, or is Sex? I've done Freddie Mercury. I did Freddie Mercury's God Save the Queen. And, and on the, on the Mars rover, I got yelled at for that. Well, we're gonna get into that one right after this one. Oh yeah. But this, we end up getting God Save the Queen.
[00:27:04] Got the words and everything else, put it into Morse code, then, then rhythms, the Morse code so that you had, and it was, and, and it had this bloody symbol into it. So like, don't make this too obvious. So there were certain things that happened during the day, during the night on these, on these computers, on the stations.
[00:27:27] And so we replaced the wave files for a couple of them. So then midnight for like 30 seconds. This one terminal, in this one station plays God Save the Queen in Morse code. So yeah, that's a little bit. That's hilarious. That's hilarious. So, you did the same thing or something. You did the Freddie Mercury version on the Mars rover.
[00:27:48] Well, Eddie and I, so we'd been up at GrrCON up in Grand Rapids, is an amazing conference up there. It's, yeah, I've heard about it. I've never been there. I've heard all about it. Yeah. That's, [00:28:00] GrrCON's interesting. Chris and Jamie and, and the team that run it are, are freaking amazing, and I love it because it still stayed pretty much at the same size.
[00:28:10] It's been for the last goodness knows how many years, they haven't gone crazy and expanded it. It's typically half students, half crazy geeks, and so many of us kind of call it second home. It's a really, really nice one. Good feeling good, nice. Just to hang out. So yeah, so we were up there years ago and I was on stage and I was talking about minions and taking over humans and a whole bunch of other things.
[00:28:33] And I go, what the hell? We got into it. But somebody said, you need to take over the rover. And I'm like, well, I already got yelled at by NASA once or twice, but let's see if we can do it without too badly yelled at. So it was getting close to like the following year's GrrCON and I'm like, oh crap, we haven't done this, but we need to do something.
[00:28:48] So bit of research again, all threat intelligence. Mm-hmm. Yeah. All research, all trying to figure out how does this stupid thing. You know, sitting millions of miles away. How's the bloody thing worked? How's the communicate? Where's the communication? Where's the uplink station? And bless their cotton socks.
[00:29:04] You know, being a government agency, they put everything on the internet. Oh my gosh. Well, they, well, they have, we were able to do this when it was on Mars. Oh yeah. This was, oh yeah, this was when it was up there. We figured out where the upload was, what the encryption was, what the algorithm was, how they talk about it, all these other good things.
[00:29:23] So we took a road trip and we managed to figure out how to upload this thing carefully and, and managed to get about 30 seconds of Freddie Mercury on Mars, which was, was much fun and much happiness. Oh my god, that's Mars has never been the same since. Yeah, exactly. Pretty much. Yeah. It's like, man, the was just like, what the hell NASA was?
[00:29:45] Yeah. Yeah, that was a fun one. Let's just say that. Holy. So is that your favorite one of all? The ex excavated. Oh. What would be your favorite one? Yeah, what would be the one that What about, what about when you were a, when you started, when you were a little [00:30:00] boy? I thought at like 14 or something. Oh, I got yelled at.
[00:30:03] You got into like a bank or something? Yeah, my son. Was that over in the UK? Yeah, that was back over in the UK. My father had me arrested. He and I didn't see eye to eye. Yeah. So. Yeah. Shit I didn't have, yeah, that was a Commodore 64. Wow. Oh, it was a Commodore 64, Commodore one 20. I can't remember. I think I replaced it with a 128, cuz it wasn't even mine.
[00:30:26] It was a friend's and it was my Atari game machine. And we managed to war drive and got into the bank and, you know, default admin credentials and change and not a hard password, you know, the rev, the reverse of root, toor basically, if I remember right. Something. Okay. Yeah. And managed to, to move, move financial amounts of money from an account in my father's name to, you know, being a master criminal, to an account.
[00:30:52] Oh my. Needless to say, he was none too amused, but as a kid it was like my way getting my own back. So yeah, it didn't go down too well. Police turned up on the doorstep. And my mother just opened the door and she just looked at me, was like, Christopher, it's for you.
[00:31:08] Oh my gosh. Yeah. So they didn't know what the hell to do. So I lost all of my equipment. I had to replace my friend's computer. That was, uh... Oh yeah, I read. Yeah. So, hey, what's the, what's the Dave thing that you're working on? It's for like small businesses. Yeah. Well, what is that? Is it a device? Yeah. Or is it, is it a process?
[00:31:28] A bunch of them sitting in the lab space? It's one of those things, again, as as an industry, we, we are really good at going after like these fortune, you know, fortune 1000, 2000 companies. We companies put the trophy up on the wall. They're like, oh, I have caught a Fortune 500. Well done me that. You know, there's what, 50 million?
[00:31:46] About 30 million, whatever the hell is lots of small businesses in the US, right? Oh yeah. And nobody really pays them attention. So we basically built Dave. Dave was built and designed, or they think that they're secure because they have an IT company, like a local [00:32:00] license, right? So Dave's designed really for the corner.
[00:32:04] It's designed for everybody from like four people up to 50 to a hundred people. That's great companies. That's it. Nothing bigger. We also have it running in a bunch of like high net worth clients' houses and other things. Mm-hmm. And it's a little device and it sits on the network and underlying architecture.
[00:32:20] There's Untangle in there. We've got a whole bunch of other open source stuff in there. We've got some deception tech in there. We've got a couple of bunches of some darker intel stuff in there. We've got a bunch of stuff in there and it reports itself up to a nice portal. And either we can help them understand or we can hand it off to their IT person and, and it's just a set of eyes and ears into a network that they'd never have had in the first place.
[00:32:41] And it's done at a price point that's just fricking sensible that a three or four person dentist office can afford on a monthly basis. I mean, that's the whole logic for doing it. So it has deception elements within it. Yeah. Explain that. Yeah. So let's talk. Do you want's, Mark and I were talking about this earlier and I'm.
[00:33:01] One of the coolest things I've heard you talk about is the deception element. Walk us through that. So deception is nothing more than a digital minefield, and I think that's probably the best way of looking at it. So as a criminal, criminal gets in, they either want to take something or do something, and let's face it, a better conversation.
[00:33:18] We're not gonna stop somebody from getting in. So they're getting in. And once you're in, so I've managed to get onto a computer. Now typically, I'm, I'm gonna look around, I'm gonna poke, I'm gonna mess around. I'm gonna look for credentials. So I'm gonna look for shares, I'm gonna look for printers, I'm gonna look for drives, I'm gonna look for data, I'm gonna look for all these things.
[00:33:37] If I'm using deception credentials, if I'm using deception, I put a couple of sets of credentials on that computer. So I put, you know, I look at the credentials you have, and I've got a bit of logic in there that says, well, I'll make three or four more others and there'll be a similar naming context.
[00:33:52] And by the way, I'll make sure that the last used date is within the next 15 days, 30 days, six days, two days, whatever. [00:34:00] And I do a few other things to make them actually blend in properly. And then I put a couple of other shares on there and I put a printer on there and I put some, and I drop some documents and some other things in.
[00:34:10] I'm basically making a minefield and if on the network I have something that looks and smells kind of like the rest of your network and does some other things, but the moment you ask for it or you touch it or you look at it in a funny way, it alerts. That's great. And if you do it that way, think about it as a user of this computer, I'm not gonna go hunting around for other credentials unless I'm doing something I shouldn't be doing.
[00:34:39] So that's the logic is to say, okay, let's get in the mind of the adversary. Again, back to MITRE, perfect example is MITRE. MITRE gives us a really nice set of, if you are here, these are the five to 10 things that somebody's gonna do next. Well, if I can mimic those, if I can build a minefield around each one of those effect.
[00:35:01] That blends in properly, that camouflages itself nicely, then I stand a much better chance of somebody tripping over that sodding thing and at least alerting me. So best case scenario I get to know before damage happens. Worst case scenario, you lose one computer rather than the entire department or half your company.
[00:35:20] Right. And is there a tracking element? Oh yeah, absolutely. So, so if they exfiltrate something, Hopefully track it down or track them. Yeah. Or you know, what's gone. So now you know whether you've got a report, now you know whether you're gonna do anything about it. Now you know, whether you have to care about it or any of these other things.
[00:35:39] Yeah. And some of the stuff that we have will call home if it gets opened. I mean, I do it all the time. Yeah. The gift card scams are, are, are fun for me. I get the gift card scam. Oh, I'll send them. Oh, I'll send them cuz they want pictures. I'll send them pictures of gift cards until the cows come home. But they all got payloads on them so when somebody opens it up, I know where it is and I [00:36:00] know what's going on and either I can do something about it or I can't.
[00:36:02] Oh yeah. I'm not nice. Well I am nice. I'm giving them gift cards. Just not the right one. That's fine. Be you just send that email too. That is absolutely brilliant. That's excellent. Yo. Yeah, so, so let me ask you this. What keeps you up at night? Good question. No, it is a good one, but it's probably, it's stuff that I'm working on that I haven't yet released.
[00:36:28] So there's a few things I, I probab... actually, the thing I'm talking about at GrrCON probably won't release it. We'll see. I'm working on a couple of things. I got some stuff going on with biotechnology and nanotechnology. Mm-hmm. So the the ability to basically take data without interacting with the. So how do I take data either through here or through these, you know, how do I effectively exfiltrate data using basically body modulation of communication methodology on at a biomechanic level.
[00:37:00] So fun stuff like that. I'm also working on some interesting stuff. I can take stuff out of the brain. I'm trying to figure out how to put stuff into the brain, so I'm a little bit of fun with that one too. And I can get it. Oh yeah, there's some, I mean, and. Taking it out actually relatively easily making sense of it.
[00:37:15] I'm, I'm getting pretty good at it. I've got some fun toys I've been messing with, not just on my own, but I'm part of a, there's a few projects I'm working on for some folks that that'll help that out. So that, I mean, that's future stuff. If we manage to get there, don't blow the planet up in the meantime.
[00:37:30] Mm-hmm. Why do I picture like a Franken style Frankenstein kinda lab with, you know, just wires everywhere. There's boxes of who knows what's in it. There was up until about four or five weeks ago when it decided to put the house up for sale, at which point most of that had to be cleaned up. And now it looks like a normal laboratory as opposed to some, something that would blow up at a moment's
[00:37:52] notice. That's funny. So yeah, it'll all be put back out again. So, you know, from that standpoint, that [00:38:00] stuff, that stuff is interesting because we still don't have an effective way of, of, of two things. One of knowing whose hands are on these keyboards. So from an attacker and adversarial stand, rarely, if ever can I track it down who did it, why they did it, and what their, you know, what their stuff behind it was.
[00:38:22] So when you take that and you abstract it another layer and go, I can now influence the very human to do things and I can put things in and take things out. Now we've got some really freaky stuff. So there's some fun things there messing around with. And then honestly, you know, just fundamentally just our industry as a whole.
[00:38:40] How do we do better? How, how do we improve against the tide? Because the tide says Make more money, make more money at the cost of everything. But that doesn't get back to what we're meant to do, which is simply protect, right? So how do we change that? It's, I'm, I'm kind of perplexed on that one. That's, that's, and social things like social media don't help.
[00:39:03] You know, when you're managing families and, right, because you, you have, you know, human nature on this side of the screen, and you have all these developers on the other side of the screen that are tracking what videos, what ads, what the scroll is, how long they're looking at things. It's the, the odds are stacked against.
[00:39:23] our children. Well now you know, you add, then you add into that the stuff that we are doing. Now, how do I know what's true? Wow. Well, and then there's deep fake and, and synthetic media and gm. Yes. Oh yeah. Like, holy cow. And as humans, we just don't ask questions. If I see something on the screen, I'll make a decision before I maybe take a step back and go, is that reality or not?
[00:39:52] And then who do I ask? How do I track, how do I validate? Mm-hmm. You know, we, you talk about intelligence and threat intelligence. [00:40:00] Part of the jobs I've done in the past and I still mess around with is counter intel. How do I put something out and then fool the masses into believing it? I mean, that's becoming easier and easier and easier.
[00:40:11] The further in that we go to this digital realm. Yep. I can see that. Oh yeah. Yeah. Well, when you get those projects a little further down the road, we'll have to have you come back and tell us a little bit more about item because now you've got me really interested. Oh, yeah, there's some, there's some fun, crazy stuff.
[00:40:29] I mean, it's, I, I'm very fortunate because I still keep one foot in, uh, dot gov, dot mil side of the world. Mm-hmm. One of the projects came outta the military side because, you know, again, my part of my background is the military world, right? And it, we have to send teams back into theater. On a reoccurring basis because they don't necessarily get all of the data the first time around.
[00:40:55] I mean, no fault of their own. So then how do I, how do I keep them outta harm's way? How do I more effectively enable them to get all the data effectively into that? We started looking at the human side of it. So we started messing around with, you know, the no touch systems and the biomechanic systems and installing, basically using the body as a USB drive and a few other.
[00:41:14] So there's some really, really cool stuff on that and, and a lot of us just to try to protect human life. Yep. That's good stuff. That's amazing. That's excellent. Well, Chris, thank you so much for your time. Yeah, thank you. It's always important. Appreciate it. Really, really, really always a pleasure. Always, always learned from you.
[00:41:32] If anybody we'll, we'll have links. Your information. You've got a great podcast, Dr. Dark Web. I've listened to several episodes. Fantastic stuff. Some fun with that stuff. Yeah, I'm not sure what's gonna happen with that though. We're gonna, we'll have to see. It's, it's been low quiet for a few weeks, so we'll have to see.
[00:41:49] We have some good stuff on there. Yeah. Oh, why? It's still, it's still a great, great resource and Hillbilly Hit Squad is a fantastic resource. So it's, it's all, it's all good stuff, [00:42:00] man. Just keep, keep on doing the good fight. It's good. Yep. Welcome on guys. We appreciate. No pleasure for the time chaps.