Cyber Crime Junkies

Inside Epic Sony Breach with Hacker who did it. Cody Kretsinger

March 13, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 20

Guest Cody Kretsinger, now a security expert helping companies across the globe stay secure, shows us how hacktivists help keep businesses secure. He shares the incredible story of his past as “Recursion”, a member of the LulzSec hacktivist group affiliated with the infamous Anonymous group, back when he was in college in AZ.

The story details the epic 2011 Sony data breach. Topics: how intelligence gathering is critical to security, how penetration tests help businesses stay protected, best ways to limit cyber attack liability, cyber crime gang discussions, examples of recruiting in cyber crime gangs, how stolen data is sold by cyber crime gangs today, insight on true cyber crime examples, latest cybercrime stories, things we learn from criminal hackers, understanding the hacker mindset, and how to limit liability from cyber attacks.

Cody Kretsinger. How hacktivists help keep businesses secure.

[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research and blockbuster true cyber crime stories.

This is Cyber Crime Junkies, and now the show.

All right, well, welcome everybody to Cybercrime Junkies. I am your host, David Mauro and I am joined today by my always positive always fantabulous co-host. Mark the Mark Mosher. Mark, how are you? Yeah, thank you for [00:01:00] that upbeat introduction, David. Thank you. That is the insincere things to say to coworkers app that we've developed, it's very effective.

I give that a five star review. Yes, it's very good. Hey, I'm really, fortunate. I, I, I think you and I are both really excited about Yeah. This is gonna be great. Yeah. Re really excited. So we're joined today by Cody Kretsinger, speaker, leader, author, hacker, former LulzSec member and cybersecurity champion.

Cody, welcome to the studio man. Thank you so, so much for having. Yeah, well we're glad to hear, glad to be here. You know what's interesting is we actually started this podcast about, six months ago maybe. It really hasn't been that long. And our very first live stream was about the Sony breach.

Right now. It wasn't the one from 2011. It was the 2014 breach. Okay. And we were just talking about, we were just talking about all the open questions like was it North Korea? Was it this, if it was North Korea, why did this happen? Why did, how'd they know this? Sure. And like, there were more questions than [00:02:00] answers.

And so that kind of sparked the whole interest. And so we're really that. Real fast on the Oh, yeah, sure. So it's been, Sony's been compromised several times, right? Like Yeah. It's, it's just not Sony Pictures, which is the one that, I was involved in. Right. So you, you had, you had the, the one around the movie, the one that you were talking about.

You also had, so Sony Online Entertainment that got breached as well. And I can't tell you how many people. That will, they'll, they'll, they'll swing by Twitter real fast and be like, you know, Hey, Cody Kretsinger, thank you so much for, you know, hacking Sony PlayStation. And I'm like, that wasn't even my hack.

That wasn't your brief. That wasn't right. That's hilarious. So it's usually just like, ah, thanks bud. That's hilarious. So before we even get there, let's, let's walk back to kind of where, where, where'd you grow up? Did you grow up in the Midwest or did you grow up out in Arizona? Yeah, so I grew up in, in, in the Midwest.

And got involved with, with IT. And a, a good buddy of mine showed me this [00:03:00] pamphlet for a, a college out in Arizona, specifically Phoenix. Yeah. And they, they had a really, really awesome curriculum. Network security was the main component of it, but they also had computer forensics as well as network engineering.

And it just, it sucked me in And it was a, a really fascinating time. Yeah. So when you, what drove you to, to be interested in computers as a kid? Like was it just the fast there, single or just kinda what you liked? Yeah, so the, I I, I love my origin story. It's the kind of what I, what I like to call it.

So there was this game called Uplink and it is a hacking simulator game actually before. A good buddy of mine, his, his father was, was really into computers. A lot computer gaming specifically Command and Conquer series. So that kind of like, that was my foray into computers and then gaming.

And then once Uplink came out I played it and realized that there was [00:04:00] a component of computers that was security based. Mm-hmm. That launched me into kind of some underground hacking scenes to, to kind of figure out where I enjoyed doing certain things and then ultimately got me professionally interested in doing security.

Did you come from a background in IT? Like were your parents in technology or anything like that? I, I couldn't meet two more distant people from technology. I, I'll say my, my mom was a clerical typist that, that worked her way up to a, a really good position at a local government. My dad worked in law enforcement, so he's the king of spreadsheets, which is kind of a funny goof around the house.

But it's, they... computers aren't, aren't their thing. In fact the only reason we had a computer in our house originally it was because the city ran some sort of deal that city employees could get a, a, a certain certain computer so they could familiarize themselves with it. What was [00:05:00] your first computer?

What was the first computer? Oh, great. We ever worked on. So those are two. You can always tell somebody's age when they answer this, right? Like, kind of like, so. Yes. I, I, our first computer was a Compaq of some sort. I was fairly young. Mm-hmm. I, I'm, I'm, I, I do remember the large floppy disks, not the, not the small ones that everybody Oh, yeah.


And then the, the c. The CDs, you'd actually open up what looked to be a jewel case and it looked like a larger version of the of like a floppy disk. And at the bottom there was an actuating you know, metal piece that when you put the CD in, that's how it read. I remember this. Yeah, that was my thing, would move around.

Don't really remember much about it other than it ran Windows 3.1 can tell you. The first real computer that I had any involvement with and broke a lot was a, was a Gateway. It came in a box with the, the cow [00:06:00] kind of stuff. Oh yeah. Gateway was the bomb. Man. You'd walk in there, they had the Gateway people.

They were like, I'll customize a solution for you. You're like, wow, this is great. Yeah. That is so funny. That's great. So what was it about network security and things like that that got you into want? Is, is it the challenge of it? I'm trying to understand. For myself, I always, I'm fascinated by the, by the, the mind of networking engineers that, that like, look at something, like I look at it and I go, oh, isn't that shiny?

That's so cool. You guys look at it like, how do I make this thing like, start my lawnmower? Like how do you think like that? Like, you know what I mean? Like what was it that, that interests you like that? Or even how can I break? Right. Yeah. So like the hacker, mentality's. Yeah. Yeah. Mm-hmm. I mean, that's, so that's the mentality really.

It is that, that, that, that hackers have, and let me tell you a story. I was at a conference a [00:07:00] few weeks ago, and it was after a really long day, and I just plopped my butt down into a chair away from everybody else kind of party going on in the, in the background. And eventually four or five. Younger, younger gentlemen come up and they're, they're all talking.

It's their first conference. And eventually they asked me some questions, well, who are you? They didn't know. Which is great, right? Because that's how I prefer most conversations to go, right? You know, what do you do? And all that stuff. And they asked me more or less the same question that you did, David, and here's what I, here's what I asked back to them.

I asked them, is there a certain component to IT or security or something where you get the warm and fuzzies, so your heart flutters a little bit and a couple of 'em said, Y-yes. And I said, well, what component of your, of your job makes that happen. What, what makes the the hair on the back of your neck stand up?

What makes the [00:08:00] goosebumps? Right? And one guy said, well, it's actually, it's blue teaming. It's the, it's the, the, the thrill of the hunt, right? I wanna find the bad guy. That's what really, really gets me going. And another guy said, Well, it's, it's red teaming. It's when I can break into a system and manipulate it to do a thing that it's not supposed to do.

And I'm scared to death that some guy or somebody is going to find me and you know, in, in that short period of time and I'm gonna get caught. And that statement from the, the red teaming side of thing. It is the thrill of finding something. Thrill the chase. Yeah. It's almost the thrill of the chase.

The thrill of being chased, right? Yes. Like you, you want to accomplish a task, you wanna capture the flag before getting caught. Yeah. There's a component of that, but there's also a component of I'm able to manipulate a system in such a way to get it to do a thing that it's not supposed to do. And I might be the first person to have ever [00:09:00] done this.

Right. Yeah. Yeah. So Well, and in the community, there's, there's street cred, right? There's accolades, there's, there's, Hey. I was able to do, I was the first one. He his head like, oh yeah, we're into that in just a second.

Everybody just wanted to mention Cybercrime Junkies Prime. We now have a subscription available through our podcast and it offers exclusive content, bonus episodes, and even pre-releases of all of our standard shows. We keep it simple, it's just the cost of one cup of coffee, one time a month, and you can cancel any.

You can subscribe by scanning the QR code next to me in the video or by clicking the link in the show notes. If you select not to subscribe to our Prime membership, please at least consider subscribing to our YouTube channel. It's at Cybercrime Junkies podcast on YouTube, and it's absolutely free. It allows us to bring great guests on the show.

Thank you for your [00:10:00] support, and now let's get back to it.

Right. I mean, that's, it's, it's kind of what, what it is. It's like trophies, right? It's like, Hey, I, I accomplished this. Let me throw it up on my throw it up on my books there. Yeah, there's, there's a component of that, I think more so in the past than, than currently. The, you know, in the past it was, look what I did on the down low, right?

Like mm-hmm, you, you maybe talked about it within, you know, certain social groups, maybe IRC or, or maybe a, a local 2600 chapter or something along those lines, and everybody just kind of like knew. Now so much you, you talk about a hack that you've done. You're, you're, you might wind up going to prison.

Yeah. There's consequences, right? There is no, yeah, for sure. Yeah. So let's talk about that. Let's talk. Sure. You're, so, you're, you're away at college. You're, you, you go out to Arizona, great place to go to college. Mm-hmm. You're out [00:11:00] there and from what I, from what I've read, right. In my understanding, people I've talked to, like you were really good at school.

You were like, you wanted to go into like be work for the Department of Defense one day, like you were you, you had some great aspirations, everything else. Something happened along the way. So yeah, like walk us, walk us through that. So the, the college that I went to catered, catered to nerds, number one.

Number two, the group of people that, that went to the school or joined the school. When I did, we all kind of clicked together and we. Found each other. We found components of what everybody liked. And everybody kind of had their own lane, if you will, but we'd constantly be educating each other. And we, we built this group.

It was one of the largest student-run security research organizations in the United States where we were trying to, to find vulnerabilities, trying to find exploits or code exploits. We were trying to [00:12:00] teach other students that were security minded. This is a very large group of people and we were teaching people how to hack right.

Ultimately. Right. With a couple of student-run organizations. So in the three or four semesters I was, I was in college out in Arizona. I progressed very quickly, not only because of the, the academic, the academic information that was being taught, but also because of this crew. So I, I, I moved very quickly and, and you're right.

In fact, I interviewed for the NSA. I was gonna be part of the NSA red team. I had gone through the polygraph, I had gone through the psychological evaluation. I'd gone through the background check. I'd done all of those things. And what year were you in college? I would've been. I would've been a junior.

You, you, okay. You, the, the NSA recruits out of that school specifically because the type of talent that is there really, and Yeah. Yeah. Or they did at that point. Yeah. Yeah. I'm not sure. Sure now, but there were, there were myself and several other students that had all [00:13:00] applied to the NSA and several of us had either job offers or we saw people graduate and immediately they were part of the NSA.

So. Yeah, yeah, there was a lot of really good talent. Explain to the listeners, I, I, I apologize, but explain to the listeners what is the NSA like. I know it's very obvious to us, but you know, for those that might be working out or driving in their car, have this sound of work that aren't in cybersecurity.

Yeah. You know, what, what is the NSA and, and why is that so significant? Cuz it is very significant, right? It it, it is. So the, the NSA is an intelligence community, much like the CIA is an intelligence community. You can consider CIA to be people driven. And the NSA is technology driven. So they have things called signals intelligence which is what the NSA mainly handles.

And those are things like intercepts. So understanding encrypted communication, breaking encrypted communication. In fact, the NSA employs the largest number of [00:14:00] mathematicians anywhere. And that's strictly to, to break code. The flip side of that is the NSA also does technology driven things.

Meaning they specialize in both red teaming operations, which is offensive if you want to think of it from like a football oriented Yep. Kind of conversation offensive. So we're breaking into adversaries, think other nation states or terrorist organizations or any, any of those things and gaining access to grab information.

We're also subsequently helping defend our country and our allies against cyber threats. So they have both of those components as well. And there's a number of other things that I'm sure that they do that I have no idea, but that is the long and short of it. Yeah. That's just the advertised portion, right?

That's just right. Yeah. Public facing piece. Exactly. So, so, so you were going along, had a, had a very exciting kind of under. Career with, with, with Eyes. I'm [00:15:00] doing some pretty cool things. But you got involved with a group called LulzSec, it's L-U-L-Z-S-E-C. Explain to the, explain to the listeners what was LulzSec.

So LulzSec started, my goodness, where do you start with this one? So LulzSec started right there. Is I'll, I'll try to hit the bullet points real fast. Yeah. There's a group of people online called Anonymous, which is essentially a number of individuals from a, a particular website. In that group, there was a few people that got together who were fairly intelligent and created LulzSec, and it was created by two or three individuals.

One of whom, one of which was, was Sabu, or Hector. And he was kind of the, the ringleader, if you will of, of LulzSec. So they hacked into a, a few different they have some very well-known breaches, they, they do very well known hacks. Yeah. So they, they hacked into a few things and, [00:16:00] and Hector and I, in fact went back.

A lot of years back to my youth. And one day I got a, a message on AOL Instant Messenger and it said, Hey, you should come check out what we're doing over in LulzSec. And they had already made the news at this point, and I was, I was genuinely curious what was going on inside. It was an IRC server, so I was genuinely curious what was going on in the IRC.

Absolutely. Absolutely. And so that was a good explanation by the way. And so, so you get involved there and at some point you are getting involved with some of the activities that, that LulzSec is doing. Mm-hmm. Is that fair? Yeah. So yeah, there were, there were several hacks that were going on prior to my arrival.

There were several hacks that happened while I was there. There was only one specific hack that I was involved in, and that's the, the Sony Pictures. Okay. And, and the Sony Pictures hack and for the listeners, it is not the PlayStation, there's a grave statement. Sony has [00:17:00] sustained several different breaches that have made it to the media.

There's the one in 2014, which we talked about in our very first episode. There's the PlayStation one, which happened earlier, I believe, right? Mm-hmm. And then there's a compromise that happened between like late May of 2011 and June of 2011, which is the computer systems of SPE, Sony Pictures Entertainment, which were compromised.

Correct. And, and, and they, they attribute that to a compromise from LulzSec. And now, does LulzSec mean anything? The, the, that's what I name. Is it like LOL security, like laughing at security or what, what does it. That's exactly it. It was mainly the really the purpose of LulzSec. Yeah. Yeah. It, it's, you don't have to read into it too far.

Surface levels is exactly what it was. And the entire idea behind LulzSec was you had, well first you had a bunch of, you had a bunch of nerds like myself that had a chip on the shoulder and wanted to prove something. And guys also, [00:18:00] we were kids. I mean, you guys were kids, like, think about We Range, yeah, yeah.

Twenties for sure. And that's all it was, is we, we found laughable security and Right. Which is out there. It's out there. Why We have a define, it's why we exist. There's a little lot find, it's still there. So, okay, so, so what, what, walk us through what, what happened and, and, and, and let's, let's start with what you guys were doing there, like if, if that's okay to, to, to speak about.

Cause I think it's all, it's all been said and done now, so I think, open to, to speaking about it. Yeah. The statute of limitations has, has passed. And that's, double jeopardy is attached to, right, exactly. So we're good with this. Yeah. So the, the entire purpose, so we ran a number of scanners like bots essentially, to, to go out there and map the internet to see where we could find vulnerabilities.

And we were finding them left and right, but we'd [00:19:00] only focus on. Big targets and specifically like Sony came up and again, getting back to that trophy, like again, if you're gonna go and you're gonna spend the time risk maybe getting caught or whatever, like you wanted to have a, make it big a logo. You want a logo by it, right?

Or a name. There, there's a component of that, but there was also a component of like, screw Sony. Remember the big DRM thing that they tried to pull with the rootkit and, and all of that. Yeah. Yeah. That left a really sour taste in a lot of nerds' minds. So as soon as this, walk us through what that is.

Can you explain to, to the listeners what that was? What did Sony... So, and I have not brushed up on this, so I'm gonna at least try to get it from the 5,000 foot level. Yeah, right, right. There was there was a, a music CDs that they had put some sort of digital rights management on. So basically making it very difficult to steal the music and play it somewhere else.

Right. Remember, this is like the era of [00:20:00] Napster. Exactly. In like prc, this is back in the day, everybody was ripping off songs, right. Ex. Exactly. So Sony developed this, this application, which was a rootkit, which installs itself. A rootkit basically just installs itself at like the highest level privileges of a system and is very, very sneaky in how it does it.

And that application was there to make sure that you couldn't steal the actual music itself. So at some point, the encryption key or the, there was a key associated with it that somebody discovered then Sony tried to sue them and cover it up, and then everybody published it online. It just, it, it grew, snowballed into this thing and eventually, there was a lot of, lot of hatred towards Sony, and nerds don't forget.

So, so there's a little bit of that hatred was, was still there when, when we discovered the, the website that was vulnerable. Yeah. Yeah. So you find the vulnerability at Sony when you're out there scanning out of all the other ones [00:21:00] that you've found, what was, what was kind of the next step, the next process?

What, how, how did that evolve into where. Yeah, it's super simple. It's, Hey guys, we got a we've got a SQL injection, which I'll explain in a moment what that is. But we've got a, we've got a SQL injection on a, on the Ghostbusters website. Everybody started attacking it, and that was essentially the order.

Wow. Yeah, so it was their website. It was actually their website that was so vulnerable. I mean, it wasn't like getting into like any bypassing of any firewall. It was nothing like that. It was just their, their public facing. It was if you wanna talk it, low-hanging fruit, this couldn't be lower. And the website that was insecure was the Ghostbusters website.

In fact, it was I, I, yeah, so they were running some sort of some sort of sweepstakes where if you, I think there was some sort of anniversary or something along those lines. And it asked people to put in their first, last names, email address, physical address, phone number, stuff like that. And it.

Had a lot of records [00:22:00] in it and it, it also coincidentally, was vulnerable to a style of attack called SQL injection, which is essentially, you know, when you go onto a website and you submit information, meaning their first, last name, phone number, that kind of stuff. Typically what normal people would do is actually put legitimate data in, in those fields where it asks for that data.

Us being hackers. We're testing to see whether or not certain characters cause that form submission. You know, when you hit submit. To do something unexpected. And in fact, there's a kind of a standard way to approach this. There are certain characters on the keyboard to get things not to work correctly, and we found that out.

And what happens is instead of that data being submitted to a backend database, that information from the database is now being presented to us, which I kind kinda regurgitates itself. Yeah, it kinda regurgitates itself. Right. And all of that data that's sitting on the back of that website, To you guys.

So it's not only that website, but any other website that [00:23:00] uses that set of databases. So, so you can imagine that, you know, one database that has the Ghostbusters sweepstakes information, that's, that's a lot of records, but there's probably gonna be some other promotional databases on this same server.

And when we were done, it was I'm pretty sure it was between one or 2 million unique records that were stolen out of, out of this group of servers. Yeah. Holy cow. So you guys are doing that, and what are you guys doing with the data? So you guys get this data, it's housed somewhere in the LulzSec kingdom, wherever you guys can Yeah, we had a SharePoint.

I'm kidding. No, it's still, we just had a, had a public facing SharePoint site in case anybody was interested. Yeah. In case you wanna download anything, so. Right. It only makes sense. Funnily enough it's just, it's a real quick aside. In the, in the position that I'm in, we share malware back and forth via Teams and [00:24:00] SharePoint and whatnot, and you'd be surprised how often Microsoft looks the other way on like completely malicious stuff, which is hilarious.

So, oh my God. Yeah. That, that helps in red team engagements. I can tell you that right now. Yes. Yeah. But, but essentially it was, it was. Somebody mapped the database to begin with, at least at, at the high level, and basically said, you go for this, you go for that. You know, here's your section of data, you're quote unquote responsible for it.

And so the, I had my section of stuff and the, the tool that we used any, anybody can use something called sqlmap or ql. It's point and click almost. And in fact, there were other instances of somebody using Havij, which is a Windows-based application to do this. But the point I wanna make here is that we ran those applications for days, which means we were hammering away at this website.

I, [00:25:00] I think personally it was a week or more from, from my side of things, so nobody noticed for weeks. So we'd grab all the data and then we would, we would send that data to you know, the, the guys that were more or less running LulzSec, even though there really wasn't a leader. They compiled all the information.

And then tweeted at Sony, basically saying like, Hey, we're in your systems and you can't find us. And then pile social media and every brand loves to get a tweet referencing them that, Hey, we're inside your network, and you don't know it and you don't know it. Come find us. Now, remember, LulzSec had made national news like four or five times prior to this, this particular hack occurring.

Yeah. Imagine. Imagine a threat group right now. You know, the folks behind Qbot, for example. Like Yeah. Or like LockBit 3.0. Yes. Tweeting something out too, right? Yeah. Saying Sony we're in your systems and you haven't found this yet. It, it, it was more or less the same in terms of how it was received on their side.

Ah, it's [00:26:00] chilling. It's chilling, right? It is, yeah. But, but once we had all the information, we compiled it and then dropped a tweet real fast and then there was a torrent so anybody could download all of this information. Yeah. And then, so, and you're still in college and you're going to school skipping your way over to class, right.

Looking for that interview with the NSA. And so on. What, what was it? It, was it in September of 2011 that the feds came knocking or what, what? How did that, yeah, how did that go down? Yeah, so there's a couple of components to that and what a lot of people don't know is that I was working in IT as the network security administrator for the school.

So I, I knew all of the stuff that was right, that was going on to a certain degree. And one day myself and several other workers come into IT and everybody's access was turned off except for two individuals. And in the back of my head, [00:27:00] there's nobody else on campus except for maybe one or two people that understand what I'm involved with.

Right, right. So in the back of my head I go, well, it's probably pretty likely yeah. That, that, that the feds are coming. And that night there was, so kind of going back to that, that security research group, there were a lot of things going on in, in, in that in, in, in that student-run organization.

None of it was illegal, but everybody was scared and we. We had a word. It was a, a word that if you ever got a, a particular word via text message and that was it. That meant either we're getting raided or we think we're getting raided, or there's a, a situation in which you might want to might wanna destroy evidence, is really what it boils down, right?

Mm-hmm. And that, a few of us got, got together that evening and. That word went out to the entire group and [00:28:00] Oh, yep. And I've never seen the removal of so much hardware from a single like dorm room that I did that particular night. There was, there's a significant amount of information that was, that was destroyed.

And so when you had the sense, when you had the sense that the feds were coming before they actually came and you, you met them, what, what was going through your mind? How did that, how did that make you. I mean, it's, it, it gets into the core of the hacker mindset that you want to go and capture that flag without getting caught.

Right. And you have that sense that it's being exposed. Right. So it's, does that get you down to your core? What happened? Like, what was that feeling like? So I was a very, very arrogant young man and. While I figured the feds were coming and gonna be knocking on my door, I thought I was smarter than them.

[00:29:00] It's what it down to. Ah, OK. . Yeah. Oh yeah, yeah. Learned my lesson on that one. Right? Right. That straightened out real quick. Very quick. So, but I did take steps, right? I did. I de banned all of the drives that were associated with any of the things and, and. Destroyed. Destroyed quite a bit of information and what's jumping ahead.

When they actually do the raid and they're interviewing me, instead of actually saying, I want a lawyer, I'm. Telling them that I'm smarter than them and that I destroyed evidence and a number. Get you pretty far with the fbi, right? Yeah. They love that. They love, I told you I was young and arrogant.

example, they love sitting across the desk from like a 20 something, being told how stupid they are and how bright you are. Like they love that they they had the final last word though, . Yeah, they do. Oh, I got, I gotta ask Cody. And I heard you refer to it as a raid. Did the, I mean, [00:30:00] is is it like we see on tv?

Did they come in with the, you know, the blue jacket, with the yellow lettering and they all had guns and you know, what, what, what happened? Or did they just walk in in some suits and say, Cody, come with us. So I much would've preferred the latter. But it wasn't quite as bad as the former. And in fact, when I, when I give my presentation, especially to like kids about my backstory, I, there's a gif of these guys breaking into a house and they're like dropping through the ceiling, through like skylights and kicking in doors and going through rappelling Like ninjas.

Yeah, rappelling like. Right. And I always, I always tell people, well, that's how I got raided. And of course that's, that's a complete lie in, in fabrication, right? What they did do was show up at my dorm room and my poor roommate, I feel so bad for. Whoa, whoa. Yeah. What they, what they did do is Hey mom, I'm gonna go, Hey mom, I've got this really cool roommate.

He's got all this, like, really? He's really smart hardware. There won't be a lot of drama. He'll just be nerding out all [00:31:00] weekend. Don't you worry about me. And then the feds are at the door. Show up at the door. Hey mom, my roommate's in a little trouble. All right, sorry. So the feds are at the. The, so it's five o'clock in the morning and these guys show up and there's a, there's a knock at, actually, I, I hear the key card coming.

Like the, the, so there was, there was two components to the lock. There's a physical deadbolt and then there's the key card, like you would at old school hotels, right? And. I keep hearing it getting denied because the deadbolt's engaged. I never deadbolt the dorm room door, but that night prior, for some reason, I did.

And I hear it occur. That gets me kind of out of, outta my sleep. And then there's, there's a knock, unlike a knock I've ever heard in my entire life. It's the most, most knock, it's the most afford knock you'll ever hear in your entire. I hate what that happens. . Yeah. By the way, no one's waking up any other student at five o'clock in the [00:32:00] morning at the, in the dorm, right?

So, like, I, I like, I'm, I'm already a couple steps ahead of, of what I think is occurring, but like, it's not like I'm gonna, you know, bust out the window and, and, and, and try to run away. So I open the door and there's some, the FBI agent that I grew to know and I put my foot behind the door and it's only opened just a few inches.

He, he asks, and I can't remember which name he used, but it, it's hilarious and he. Is such and such here and used a, a woman's name or girl's name. And the thing is, is that this particular college was like 98% male. The likelihood of a woman being in any of these dorm rooms was so, so small, and it caught me off guard and I said, No.

And he goes, that's when he pushed his way through the door. As you know, a FBI and Secret Service, we're here to execute a search warrant. You need to sit down like all of these things. And about 20 guys whoa. Enter this very, very small dorm room. I was gonna say the dorm room is like an eight by [00:33:00] 12 space.

Yeah, like 20 guys come. But to answer your question, they were plain clothes, right? They were wearing, okay. They weren't even in suits. They were in just street clothes. All right. . Okay. Little less intimidating. And, and so then, from what I understand and people that we've spoken with, like you were super cooperative.

You were, despite your version of being young and arrogant and stuff, you, you didn't put up much of, much fuss. You kind of were like, look, this is what we did. Like you were, you know, it was, it was, it was, it was a hack that we. Yeah. At a certain point, like they've got you dead to rights. And one of the things that, you know, throughout your process, anybody that goes through the federal process has been, has been charged by a a oh, a federal grand jury.

And they have Yeah, you've been indicted, right. You have to go through the indictment where the issue a true bill. Yeah. And they've actually said there is probable cause to proceed. Yep. Yeah. So like, there's already a level of, of like, Detail there that most search warrants don't have. [00:34:00] And then once you're through that original kind of the, the original, you know indictment if you will or even just a search warrant you start to realize like, well, they have all of their ducks in a row.

There's not really much that I can do or say. And if the, the, the Fed have something like a 97 and a half percent conviction rate. So yeah, it's, it's much different than state charges, right? Local, local district attorneys, the county prosecutors, they shoot from the hip. They, they don't have the resources and everything else.

It's like, it's like high school ball versus. You know, the NFL, like it's right when, when you get up to that, that federal level, they, they pretty much have dotted all their I's, crossed all their T's before acting. Yeah. So I mean, then becomes the, the component of going back and forth with the feds. There are other former LulzSec members that were just complete.

There were. Friendly towards the feds. They also subsequently had 10 year [00:35:00] sentences as opposed to where mine was a year and a day. So I, I would say that I was, I, I did a little bit better off than, than the guys that were, that yeah. Didn't cooperate to some degree. Yeah. So did they, did they pick a bunch of you up at all, you know, on the same night or it's been five in the morning, or was it just sporadic?

How did. I was the first to go of the group. Oh, oh, wow. So that opened the flood, the, the floodgates. And from there I think everybody else realized probably best to, to, to, to shut up shop and, and, and, and move on. Now mind you, why do you, why do you think you were first? I'm just curious. Like, I wonder, you know what I mean?

You weren't like the main one that was driving a lot of it. I mean, why, I wonder why you were. Luck of the draw. Oh, okay. Yeah. Yeah. I d don't know. I don't know if it was, it was, if it was easier to find me than others. There's been any speculation where you were. Yeah. Well, it, you know, the thing is, is there's been some speculation [00:36:00] as to the validity of the VPN service that myself and others used.

In order to kind of hide our our identity and whether or not that was, yeah, I read about that as a proxy server. You were using a proxy service and it, it should have shielded your, your, your identity, your IP at least, and things, and maybe that got compromised somehow or that's why, how did they out?

It was you guys. So my understanding is there was. Pressure. It was a, a VPN service out of, out of England and that there was enough pressure from the, the government over there that they were essentially, Mandated to give over information that they shouldn't have been collecting anyway of work. In, in, in fact, in their terms of service to begin with, it said, under no circumstances will, will we ever give this to law enforcement?

Well, they, they did. You.

Yeah, so one of the lessons we've learned here is shop and read the [00:37:00] details. of the VPN service that you engage in, right? Because you're using a VPN to be encrypted and for it to, for them not to be selling your data or transferring it. We're collecting it or collecting it. Very good point. Yeah. I would I'd, I'd go a, a step further and, and, and say that most VPN services are likely going to cooperate with with, with an authority.

Yeah. And if you're gonna commit a crime, probably not a good thing to use a VPN service. Yeah. Also don't commit crimes. Yeah, exactly. Is the end all on. That's one of the lessons. And that, and, and so fast forward, you didn't go to trial, right? You pled guilty, right? Yeah. You, you, you, you pled guilty. You got a year and a day served.

Where, where, where did you wind up serving? Did you serve it in Florida? Where'd you. I, I served it in a Martha Stewart style or esque federal prison camp in Pekin, Illinois. Ah, okay. I'm familiar with that one. Okay. . You [00:38:00] know, it's not, I'm not because I was there, but I, in my prior life I was an attorney and so I had I, I had been there to, to actually interview somebody once.

Gotcha. But yeah, but very interesting. So, yeah, I mean, federal prison is not, The jails that we see and like, scared straight and no, some of these other, you know, the, the, the county jails and, and, and the state pen penitentiaries it's much more conducive to rehabilitation. Right. And, and it's much more civilized.

Yeah, it's still a hard fall from, but yeah, being in college, like that's the whole point, right. It's still a huge blow to a human being who was. Knocking on, you know, you know what I mean? You were, you were in your prime. You were, yeah. You were in your prime, you know gonna work for the NSA, but you've recovered really, really well, and you're doing some great things and that's why, why you're here.

And so let's, let's share some of the great things that, that you're doing for the security community. Sure. [00:39:00] And the, the presentations that you're doing, like you do a phenomenal job. And this is like this, it's so important to me, like we've talked to. Ton of people that identify as hackers that identify as prior, you know, cyber criminals that have, that are on the good, on the, on the good side of the law.

Now that really help in ways that other people can't, right? Because they don't think the same way. Sure. And they don't have the same experiences. But by knowing that it's part of the reason why some people. Go undercover and they'll study, you know, LockBit 3.0 and they'll study, like, they'll get to know those personalities because if we don't understand, at the end of the day, it's all people.

And so if we don't understand the people behind it and the reasons and the behavior and the personalities, how can we adequately defend against, yeah, exactly. Yeah. I mean there's, to, to, to use an analogy, . Oftentimes you'll [00:40:00] find former bank robbers becoming bank consultants or bank security consultants.

Yeah, exactly. Great example. I, I will say that for, for anybody that's interested to get into this, I'm gonna preface what I'm about to say because if there's anybody that's interested in getting into security, there is a path in which you can take that doesn't involve doing something illegal. In fact, the, the cybersecurity industry frowns upon doing that.

I. At the very tail end of when it was still somewhat acceptable to do these things. Now it is very much not, but Right. With that being said, the things that, so the things that I help businesses with cybersecurity wise or just network security wise? Those are the things that the bad guys are, are, are, are doing, right?

So, you know, in, in my, I I say I'm a recovering red teamer, I don't do it as much as, as I used to, but, you know, when, when I'm applying [00:41:00] what I know and how things work and how a bad guy actually operates and I'm, you know, quote unquote attacking a business. For a fee. Right. So it's all above board. I'm giving them with permission, right?

Yeah. They give you permission with permission. They want you to, that's what red team engagements are, right? Yeah. Hack, I mean, exactly. They, they, they want to be hacked because the agreement is you're not gonna do any harm. There's, it's almost like a capture the flag. Like it's not, but, but it's somewhat like, here's, here's a piece of intellectual property.

We're gonna hide it. You come in undetected and get access to it and we'll pay you a fee. So that way we could. Where are our vulnerabilities? Cuz from what we see, we're secure, we know we're not. Right? So where are we? We're, what are our blind spots? Yeah. It's really identifying those gaps in security, right?

Yeah. Most organizations, you, you can't check your own work and that's the reason why they have somebody come out and, and, and do what I, what I do. So applying not only that component because you can hire any red teamer that you want to, but [00:42:00] being able to hire a red teamer that. Has experience in doing, you could say criminal stuff.

Yeah. There's a little extra oomph there. Yeah. There's also, there's the credibility aspect to it, and then there's also just kind of the, the, the namesake, if you will. So yeah, there's that component. And then there's also a component where, you know, I built a SOC or a security operations center, which is basical.

Yeah, from the ground up, it was me start with, and then built a, built a SOC from the ground up. So I, I, you know, hiring the correct people, making sure that, you know, logs are being analyzed, that people are responding to events. I actually stopped doing so much red teaming. I hired red teamers to do that.

Okay. And then my. focus for several years was mainly incident response. So now it's, I'm on the other side, blue team, a little purple. Mm-hmm. . Yeah. That's really good. Yeah. So now I can apply my perspective into, alright, you are either [00:43:00] currently engaged in an incident or one has happened and we're trying to figure this out.

Mm-hmm. , and now I can apply that same, that same knowledge on, on how the bad guys operate. And then that's also the same stuff. Train Absolut, my. Yeah, absolutely. That makes you really active, right? Cuz it gives you such a unique perspective on everything. Yeah, that's, you know, that's really, it's actually really cool.

Yeah. I mean, the lens that you view the same facts are, is gonna be a different lens. Right. And it's, and it's really, really insightful. So, so organizations really benefit. We have a whole team, mark and I are with All Covered, which is the Konica Minolta MSSP. We have our own SOC, we have our own red team group.

And I'm telling you, like the red team group, they're so cool. Like, they're like the way that they think, the way that they look at things. And our SOC has really been built from the ground up and, and, and they're so insightful, but part of it is because they. They all work [00:44:00] together and they, and, and they, they, they collaborate.

That's really, really so important that we see mm-hmm. on a daily basis. It's really important. And, and, and businesses benefit by, by insight like yours. I mean, that's just, there's such a clear benefit. Yeah. Yeah. No, go ahead. No, I, I was, I was just, I was gonna elaborate a little bit more on it's, you're, you're completely right and running a SOC gives you a, a really interesting perspective in and of itself.

Amazing. Because you're, you're monitoring a lot of different businesses. I mean, we had. Financial institutions, healthcare, manufacturing emergency services, municipalities, stuff like that. So when, when you see an a, a particular attack starting to occur over here, you can then help out other folks in other places.

So it's it's a very interesting perspective to be able to kind of help business. Without them even realizing it. . Absolutely. Yeah, [00:45:00] exactly. Yeah, exactly. As, yeah. As as. As we're looking to wrap up here, what are some of the, what are, I don't know exactly how to ask it, but what are some of the main things that you're seeing that organizations need to change when it comes to.

Creating a security culture when it comes to having the right defenses up. I mean, small businesses struggle, it seems a lot more than, than large enterprise organizations that can create their own SOC. What, what, what can, what can small to mid-size businesses do? What, what are some of the top priorities you're seeing?

Yeah, there's a lot. Mm-hmm.

The security mindset or, I really like the phrase culture of security. So there needs to be a focus on that and, and here's the thing. , it ain't going away. Mm-hmm. , in fact, it's going to get much more stringent and there are going to be things that come up between now and probably next [00:46:00] year. You, you look at things like the FTC safeguards and who those impact mom and pop accounting shops versus you know, big automotive dealerships.

Yep. They're all on the hook now for developing a security program. Yep, yep. And oftentimes those folks, especially if you look for like automotive dealer, It's usually, usually just the guy who's somewhat good with technology is the guy that running security. He's not IT guy. Right? Yeah. And you can't blame him for it because in the past this has worked well.

Well now there's some, there's federal charges that can be levied against those individuals who don't take the correct steps in order to, to actually protect themselves. So that's one component. So we're seeing regulation. The other component is that folks, folks don't, they think, and using this phrase again, they think that they can check their own work.

And that is really where having somebody come in do an assessment, figure all that stuff out, that's gonna be incredibly, not, [00:47:00] it's not only incredibly important, but it needs to happen. On a regular basis to, to, to identify where those gaps in security is. We can sit here and we can talk about whether or not MFA is enabled, whether or not somebody uses a password manager, whether or not there's long passwords versus short password.

Yeah, we can, we can talk about technologies and controls and all of those things, but really what it boils down to is, Understand the regulations, make sure that you're checking on those things, that somebody's got eyes on the glass because it's going to continue to grow. This is something like, like a 500% growth in cybersecurity in the last, what, year or two.

I don't expect that to slow down any time. And for, for folks that are, that are not putting focus on security it's, it's, it's gonna bite you in the butt at some point in time. And not to, not to spread FUD right, right. But it's, it's one of those things where it's gonna, it's gonna, it'll come back around and, and get you at some point.

Yeah. It's not gonna go away. [00:48:00] And you're not spreading FUD, you're not spreading fear, uncertainty, and doubt. Like it's because that is what is. Right. It's inherently in that topic, and it goes to the core and it goes to the core of an organization's brand, right? That brand is there because customers trust them, and people lose trust when people lose their stuff, right?

When all of a sudden, you know, you're, you, you know, you wanna buy a vehicle and all of a sudden your kids. You know false tax returns are filed on behalf of your kids because you tried to buy a vehicle. Well, guess what? You know, we can buy a vehicle anywhere. We're not gonna do it from you next.

Now we're not gonna do it. Right? Yeah. You , I mean, that's, that's good advice. It goes to the Yeah, it really goes to the, to, to the core. Yeah. And I, I agree with you about the culture, right? It needs to be, Something that is ingrained in that culture. You know, like it's gotta be something that from the top down, it's [00:49:00] gotta come from leadership.

Like, it's gotta be part of, of everything. When, when you think about you know cultures that don't tolerate harassment, right? Mm-hmm, yes, there's harassment training maybe once a year, but there's a culture there that doesn't tolerate it, right? Yep. And so what's happened with security is there's, there may be an an initial onboarding, cybersecurity training, or you might get an email on Tech Tuesdays about how to spot a phish, but it's not really part of the culture, right?

They're like, ah, we don't care. Go ahead. If you're working from home, save your documents wherever. Nobody ever. Stuff like that. No, like it needs to be part of the culture. It needs to be ingrained because you all have to care about yourselves, your family, and the organization's brand that you serve. Yeah.

And to, to, to add on to that, there's no organization too small. That that is correct point. Yeah. Great point. It's the, the, the only reason you don't hear about the mom and pop places getting smoked is because they either haven't, sorry, the mom and [00:50:00] pop places being compromised or having an incident.

Right. Is either because it's, it's low enough in the news that it's, nobody cares, or, or they haven't detected it yet. Yep. Right. That's, that's all. It's. That, that's a great point. That's really good. Well, everybody please check out Cody Kretsinger. We'll have your links to your services, links to your LinkedIn, connect with them.

The information that you have out there is really helpful to organizations and it was fantastic. Yeah, appreciate you coming on Cody. That was fun. It was really insightful. Yeah, it was really, really insightful. So thank you so much. We'll have links in the show notes for everybody to connect with Cody and just a, a really unique, fresh insight and we really appreciate what you do.

So, yeah. So, all right, man. Thank you so much. Thank you, David. Thank you, mark. All right, you guys have a take rest of your day. Talk soon. Take care. All righty.

Hey, well [00:51:00] that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cyber Crime Junkies Prime. Link in the description and show notes.

And thanks for being a cyber crime junkie.