hpr-knowledge-base/hpr_transcripts/hpr3642.txt

Episode: 3642
Title: HPR3642: Interview with a Hacker: Vitaliy
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3642/hpr3642.mp3
Transcribed: 2025-10-25 02:46:24

---

This is Hacker Public Radio Episode 3,642 for Tuesday 19 July 2022.
Today's show is entitled, Interview with a Hacker vitally.
It is hosted by Operator and is about 99 minutes long.
It carries an explicit flag.
The summary is, we go back, way back to golden days of hacking.
I'm here with Tally and I don't remember your last name.
What do we call you?
Tally K. Let's go with that.
Yeah, it's got a lot of consonants, right?
Yeah, I usually try to avoid mentioning my last name.
Even when it's trying to get food picked up or something.
Just go with the first name. That's usually enough.
It's unique enough.
Well, let's start out with how we know each other, where we met.
Sure.
Well, since I'm the one with the better memory, I guess.
As you mentioned, you don't remember too much of the good old days.
So we met back in, I believe it was like 2012.
That was my first internship out of college with the Big Four company.
I was a total newb that only had basic experience with playing with VMs.
I just got my CH, which back in the time of the CPU was still pretty near.
That was kind of like the thing to go for, I guess, at the time.
Yeah.
But I think the first encounter was first real person, physical meeting other than phone calls and meetings.
So that's where it, I think, was in California, I believe.
That's when we had our engagement across the US when we traveled and did a bunch of the locations for the same client.
But they were located at like four different states.
Okay.
So that's I think that was kind of, I guess, what we first met.
But then I think the first, I guess, before meeting in person, I think the first time I called you was actually on my first ever pen test, which was I think our manager called it popping the cherry.
Yeah.
But that was even, I think it was still an intern.
Either way, that was my first corporate level pen test.
And I was stuck at, I got the first shell because there was the fall credits on the msql server.
Totally remember that because it belonged to a security company.
No, the other ones do all the HID badges and stuff.
Nice.
Yeah, the password just still to this day.
I still remember it was essay essay.
I was just like, yes.
So I got the first essay or blank even.
Yeah, dude, that still works.
And I got on the box.
It was like a 2003 server, 2008 server or whatever.
And I had like the difficulty of moving around even though it was on the domain because I had no experience with corporate networks.
And somebody was like, yeah, dude, give Rob a call.
I'm like, all right.
I got on the phone with you and you're like, yeah, dude, just look at the tokens that the windows tokens and like the impersonation delegation and all that good stuff.
Yeah.
And this is you telling this to a guy who like never heard of incognito and like didn't understand about windows tokens and like windows AD in general at the time.
So that was that was my first like jumping into AD and like figuring out, you know, back in the day it was a little easier with Metasplo using incognito, I think.
But I was like, what are these tokens and but yet to this day, man, dude, I still I still always look for that stuff where service account runs somewhere, you know, with enterprise or DA privileges.
And it's a pretty good lateral movement threat to this day.
I don't think a lot of people still rely on it because they use other tools that don't necessarily always look at tokens.
But the tokens, that was my first ever pen test.
I've done that.
That's how I got DA because they ran a service account and to this day.
And that's how I remember that story very clearly.
Nice.
It's I'm that I pop my pen test cherry with the help of Rob.
Yeah, I mean, I was in the same boat too.
Like, you know, I get, you know, a lot of people can get that first initial shell.
But they don't know how to, you know, root and you know, loot and pillage whatever host it is to get, you know, escalated privileges and or get credentials or whatever else's juicy on the computer and move from there.
Um, you know, be like, oh, I got access to this one machine and that's it.
Like, no, like once you have access to one machine, like it's generally downhill from there, especially if it's admin access or escalated, whatever.
But I was the same way.
I was like, you know, I have a shell, but I don't know what else to do.
And they're like, oh, well, you can look at the PS tree and like inject yourself into any process that's like escalated or admin or like a domain.
Um, and that's when it's like, you know, I was finding out, you could just, you know, inject yourself into a domain admin process.
And then from a remote computer running as a domain admin, you can just add yourself as a domain admin, like just just like that.
And then very few, like once did I run into where you had to be on the domain controller to add a domain admin, which I thought was interesting.
Because it was like, you cannot run that command remotely.
It's like, what?
It's like, I had, so I had to like find the domain controller.
And I think take the credentials or the hash to the domain controller and then log in to the actual domain controller to run that command to create, you know, a new bloodminder, whatever.
But yeah, there's always something fishy about, you know, however, the, you know, network is set up or AD is set up.
So we had to like do something different and a lot of people just don't understand windows enough to be able to move around or work around whatever.
You know, security controls or AD, you know, OU policies went, got pushed down that are like wonky.
Yeah, I think a lot of, sorry to find her up there, but a lot of like, um, I think guys just started in the field.
I mean, I can use myself even as an example.
I mean, I did all the stuff that I could as basically, you know, play around with VM, set up your own environment.
And even nowadays, I think people have that difficulty of, um, I guess like picking up skills and mostly what's, what I would consider like windows AD related.
I think on Mac, it's more like LDAP and whatever other variants that they use, but it's mostly LDAP and AD, which AD incorporates LDAP.
But I think everybody has that knowledge of like getting that shell.
And then, you know, that's how CTFs work. That's how even OACP works.
I don't know, I think it's been updated to include some of that lateral movement stuff.
But I think back in a few years ago, it was still just very focused on like, okay, get this web shell, you know, get this system shell house.
However, you got that shell. That's how that's, you know, that's the key.
And it is important, you know, that's how you get your entryways in a lot of environments.
You find Jenkins, you find Tomcat, you get that first shell uploaded.
Cool. You're on the domain box somewhere. All right. But what do you do next?
And that's I think a lot of people always like struggle with that.
There's definitely been recently that I've seen like a more trainings in terms of AD from like Pentester Academy and some other places where they literally pop.
Pop you into an environment and show you how to, you know, abuse Windows ACLs for permissions.
Do the curb roosting, they SP roasting all kinds of different attacks, whether it's LDAP or curb roost related or AD permissions and all that cool stuff.
So I like few months ago, I took one just as a refresher just to see if there's, you know, anything else that came up that was new.
And I think one of the areas that I still find myself that I haven't used a lot in my pen testing days was like ACL permission abuse.
When you're in certain groups and stuff like that, you can do certain things like, I know there's like a DNS related group that you can escalate through and stuff like that.
But I just didn't have a lot of hands-on experience and I think that's what I think helps people kind of solidify their skills is just doing it, you know, just going and doing it.
Whether it's in your own environment, it's good, but like actual production environment.
It's not exactly a playground, but you know, it's definitely learning slash proving grounds for you of testing out.
Yeah, that's really the only way to really learn it. Like there's no, there's no lab that has every possible combination of misfit, misfit networks.
Like they're all, they're all whack-a-doo, you know, there's always some weird control somewhere and then something else is completely wide open.
Yeah, it's like, it's like a big mansion with like a million doors and windows and like some of them are locked and some from are open.
And some of them, you know, you can open it with a paperclip and it's like, why, why?
And like, why is this door over here? Like super secure and like fingerprint locked to F.A.
And then like two feet away in the same room. There's like door that it's like, you can open it with a paperclip.
It's like, you know, seeing those connections between how you can work around some kind of controls is like that's part of how you learn and all that.
But so what about like where'd you go to school, like hometown, like your family influences?
So I'm actually, I immigrated to the US in 2002 from Ukraine. So I was born there in 1990. So gonna hit 30 this month.
I know, right?
I got ten on you.
Ah, dude, I'm catching up, well catching up, you know, well get to the same point eventually.
But so I moved here in 2002 and I've been living kind of like in the Philadelphia and a suburb area, I guess since mostly live in Philly until about five years ago.
You know, I'm not a huge on the city of in terms of parking and noise and all that I got stuff.
Some more of a burbs guy because it's quiet, it's green, it's nice.
Even though I'm not a nature person, I kind of just enjoy the peace and quiet that's outside.
And I never have to worry about parking.
So I went to the local middle school, Baldy middle school, then George Washington High School.
Again, if anyone listens to the ever went there.
But after that, I was kind of interested in IT in general in high school.
I was like, hey, the only thing we had that was like close to IT related stuff was kind of web design.
And I would say just basic programming courses.
Yeah.
So like sweet. I took those and I'm like, listen, I look at people and I'm like, what do I want to do for a living?
I definitely don't feel like I'm an interactive quote unquote interactive with just like general population.
So I'm not I'm not good with like math stuff.
So you definitely not accounting or finance.
Yeah, you know, I like history, but that's not really going to make you money.
So I'm like, you know, IT seems like, you know, I can stay behind the screen and do all my stuff and you know.
Deal with switches or whatever deal with just hardware instead of people.
I felt like that was kind of like my appropriate for me, you know, avoiding people for the most part.
So I was going to look into colleges.
I was looking for just IT programs in general, but I wanted to go to like not a, I guess a vocational school or technical college.
That was kind of like the backup.
I want to go to the regular one just to kind of have the more, I guess my idea was just to get like a more known brand quote unquote diploma.
If that makes sense, but just basically something like, oh, you went to the school like, oh, I've at least heard of it.
Yeah.
So I, in the end, I got some acceptances, but I picked Penn State just because they gave me a pretty good like financial package deal.
And I was like, cool, you know, and it's located in, you know, the middle of Pennsylvania.
So it's a pretty nice place.
And I decided that I wanted to kind of like get away from home and just live like away for a few years on campus.
And as I accepted, I got actually accepted, I believe into comp site program because I didn't do my research well enough.
And I didn't realize that they had a separate program for information size.
This isn't technology with different majors, including one that's specifically for security.
Oh, wow. When was this?
This was 2009.
Yeah, I mean, yeah, you started to see stuff like that start to pop up.
Yeah.
Now did you move where you and Philly were, were your parents work or why were you there?
Oh, so we moved to Philly because some of my family actually lives on the East Coast and some lives on the West Coast.
So originally when we were moving, my West Coast family filed old like the paperwork.
So it was my dad's side of the family.
And before that happened, while that was all going on,
my sister moved here with her husband because his family lived here.
And when we were moving at the time, my mom was like, hey, she just had a kid and you know, she wanted to help.
So she moved to the East Coast instead of the West Coast.
I kind of regret that this is this day a little bit, you know, a little bit salty about it.
But my family still lives on the West Coast for the most part, like Washington and California.
And then some of, I guess, a more extended family lives on the East Coast.
But we ended up here just because of my sister, quote unquote.
Okay.
So, but yeah, before I started this semester, I kind of looked at my coursework.
And I was like, there's no way I'm taking these courses because there were like physics and calc and stuff.
And I was like, this is not what I signed up for.
Like, I honestly wanted to have more technical courses and less of these, you know, more conceptual stuff that I don't think I would find useful in everyday like work life.
So I looked around and I was like, okay, I ST, like, what do they do?
And they had two programs, which was general IT stuff, which had like different tracks, which is like project management, more business or development track.
And then they had security and risk analysis, which was.
Oh, wow.
Yeah.
That pretty cool program, again, not, not exactly the way I would envision it.
But for the time, I thought it was, you know, it was pretty good for what was right.
And it was hard to find those types of programs back in the day.
So hopefully that changes over time since we kind of lack people in the industry.
According to the news, you know, there's not enough people.
So I saw the opportunity.
I was like, okay, security and risk analysis.
And like, I always, I honestly don't remember how I heard that and testing was a job.
But I was like, wait a minute, you get paid to hack into places legitimately.
Like they give you like, you know, get out of jail free card and you get to hack.
Like have fun on their environment, basically at their own expense and you get paid.
Basically when I found those, yeah.
And I was like, wow, sign me up.
So I picked the core, the cyber security stuff because I was like, man, that does sound cool.
And I deal mostly with computers.
I didn't realize, you know, beforehand that I'll kind of enter through consulting, which is more client-facing.
But I feel like if you're talking about kind of like what you're interested in,
in your area of expertise is not that, you know, hard to do.
Even as you progress, like even initially when I was like the consultant for the first year.
I mean, I didn't find it like too stressful.
I mean, initially, yes, because you're like the young kid and everyone's like, hey, you know,
you actually know your stuff.
But if it's like something you're passionate about and like you, that's kind of like
when you play around with all the time, you know, and learn all this stuff,
it's like, yeah, I can speak comfortably to it.
You know, I'm not afraid to voice my opinions or disagree on certain things.
So when you came, you see, were you still in school when you were with, with me?
Or was, or how do you finish?
Yeah, dude, I interned.
I was still.
You were interned.
Okay.
Yeah, I interned.
That was, yeah.
That was 2012.
I interned in 2013.
I started full time.
That's awesome.
But yeah, that was the first meeting wasn't 2012 if I'm not mistaken.
Yeah.
That's a good way to get in, you know, I had to do, you know, well, that was before IT
or before security started getting popular.
So it was like, there wasn't really a security role.
It was more like you were IT or like a network admin.
That was, that was fantastic.
Yeah, there was no like, fantastic.
It was like either help desk or your IT admin.
It was like, well, yeah, I'm IT admin.
But I'm also like, know everything about, you know, how to keep up system
from taking a shit.
And that's really kind of how it all turned out, right?
Like, you know, you start out in IT and, you know, that's what I told people,
when they ask questions, they say, you know, what do I do?
It's like, well, you basically it's IT and help desk, but backwards.
So instead of trying to fix stuff and trying to fix AD or trying to fix this,
you're like, you're trying to unfix it and make it so it's supposed to do stuff
that you don't want it to do or that's not intended to do.
So, but yeah, that's pretty, that's pretty, that's pretty good
that you're able to, you know, get that opportunity and then extend from there
and just say, boom, I'm done.
Like I've done consulting and whatever.
And you can move from there.
But so like to wear your parents like supportive or were you just kind of on your own
or?
I mean, I think to this day, if anybody asked my family,
what does, you know, what does it tell you to do?
They're going to be like, that's computer things.
Computer things.
Yeah.
Computer things.
I mean, I clarified it a little bit for them.
I think at one point my sister thought what I was doing was illegal.
So she was actually scared a little bit until I kept explaining to her.
I'm like, don't worry.
They like sign papers.
This is like, you know, she doesn't understand.
She's like an artsy type person.
So like, you know, she is older sister or?
Yeah, dude.
I have three older sisters.
Oh, okay.
The youngest one.
So yeah.
So if you're young, they forgot about you.
Your parents forgot about you anyway.
So the last one's always the one.
They're like, oh, we fine.
Yeah.
They're like, you play with the light sockets.
Yeah.
They kind of just like, I mean, they couldn't help much once we moved.
So like when I was a kid on elementary school, yeah, they can, you know, help out with school work and stuff.
But like once we moved to the US, they're, you know, they're supporting financially, of course.
They're trying to do their best with that part.
But I don't think they could help me with, you know, determining my college or any of that stuff.
Like, they're, you know, they were closer to retirement age at that point.
So it's like, yeah, I'm not going to expect you to, you know, help me out with that stuff.
So I kind of just took my own thing.
I'm like, you know, that sounds like a good career opportunity because I like this stuff.
Plus it seems to be like a fairly lucrative field.
So I think a lot of times nowadays, a lot of people just choose it because it is a lucrative field.
And that's kind of annoying because you run into people that are like, quote unquote, you know, potatoes.
They pretend they're passionate, but they're not really.
It's like you can actually like kind of sense it, you know, because you talk about stuff and you're just like, yeah, yeah.
It's like, oh, okay.
All right.
You're not really there.
It's not that I blame them for it, you know, like everybody needs a job.
So I don't blame them, but it's hard to like have, you know, peers that you can kind of just like bounce ideas off of and stuff.
They just kind of do, you know, the nine to five type of deals.
So they're not like the hooded people will wake at 3 a.m.
You know, the type of guy.
Well, that's, you know, when I was working, doing management for a little while, it was, it was that same sort of thing.
I started to realize, you know, there's like 2% of the population is that, that one that will, you know, lose time and stay up till four in the morning.
Like messing with something secure.
Yeah.
And there's like, there's like your, there's like your nine to five person that like knows what they're doing, but they do it nine to five.
And then there's your like person that says that they're passionate about something and they're interested about doing whatever it is, but they don't take it home.
And they don't, you know, go above and beyond.
So they're just kind of like nine to five, but they try to be like they're going to do something else.
Yeah.
And then you've got your, you know, your, your, your nine to five people.
And then they, you know, they're passionate and they're hobby is some of their hobby is to do this type of stuff and learn new things and teach people new stuff.
So like how did you, how did you, how did you find out about the KPMG position was it from cold field or do you just know somebody or.
So again, I'm not the most, I guess social person in terms of going out to places like bars or meet up events of any sort, but I believe they had these like career fair type opportunities in college, which I would always, you know, encourage anybody who is, you know, open to that to go to those.
You don't necessarily maybe find what you're looking for, but you definitely get experience of talking to people and just kind of get.
Yeah.
What, what type of opportunities are out there and then run into random people. So I actually just ran into one person I talked to and, you know, I was like, okay, he, you know, KPMG, whatever, like they didn't say anything about security to me.
So I was like, cool, probably not going to be interested. And then I learned through actually my friend who interned there earlier, like, oh, yeah, they do have a security team.
Okay, at least I heard from this guy.
There's one guy.
Yeah, there's Robert guy.
It's like, wait a minute.
And I was like, what does he look like? And he's like, oh, I think I saw him, but I didn't talk to him at the career fair. And I'm like, oh, yeah, they're doing some.
The event with like, I guess it was like at a, like a food place or something, like just like a get together social thing is like, yeah, you should come and talk to him.
That's what I did. I ended up going. And he's like, yeah, we are actually hiring.
And he was surprised that the person like that when I talked to them, they're looking for more like audit folks and like, I guess not just not security related.
And he's like, yeah, we were totally are looking for at least like one or two people. And I was like, oh, cool, you know, like, sign me up.
You know, so I believe.
I believe.
What was it?
You know what?
It was, it was Mark.
His first name was Mark. I honestly don't remember the last name at this point. It's been a while.
But he, yeah, he, he set up the interview.
And he did quiz me quite a bit on, like, met us for an end map.
Like he asked me like, you know, to this day, I remember like, what would be the quietest type of end map scan?
And, you know, most people would be like, sin scan.
But actually that's stealthy as in like what degree?
You know, it's like, do you, do I not want to be traced back?
And I was like, you know, that's, that's what I would consider stealth.
Not that the amount of noise it causes like a sin scan versus like a full scan.
So I was like, you know what? Do it like a zombie idle scan.
And the only reason I heard about that one is because I actually read like an end map cookbook thing.
Yeah, the whole cookbook, yeah.
Yeah, like the Metasploit intro book like this was back in the day.
I mean, Metasploit's still still around.
Honestly, like you can still get your payloads home like to connect back.
It's a little bit trickier with like modern AV and EDR, but still works.
Because definitely proved that a few months ago with like, forget what they were using.
I'm going to mention any products here, you know, the kind of shame.
And but we totally ran like a interpreter payload after we got the shell like the initial access.
And it was way easier to do certain things like incognito and on some of this other stuff that's like baked in.
Kind of like a cobalt strike, but I guess if you're looking at more open source than Metasploit's kind of go to still.
More or less outside of like empire and some of the other C2s.
Yeah, he's actually had a post.
I don't know if he's fixed it or changed it, but people kept taking, you know,
pirating a software and then selling it, you know, reselling it.
Yeah, cobalt.
Yeah.
So he did whatever the munch, I guess it's very much just to write it or at least back then it was mostly him.
And he wrote like a blog post on how to pirate his own software, which I thought was pretty commendable.
Yeah, it's missing.
So if you don't have the legit license, you can't get certain features for it,
which are like the important like malleable C2 profiles and all that good stuff.
I think it doesn't work if I don't if it's the free one.
Yeah, or even the crack one.
If you crack it, it like you can't download whatever those additional things that are highly useful for like red team operators,
which is I guess it's what's mostly used for, but I mean, it still works.
I mean, crack stuff still works.
But yeah, I totally remember the blog that he posted it's like, yeah, here.
And don't forget people can backdoor that stuff too.
So when you run your own C2, you're not here.
You might be popped already.
So it's always always easy to noodle before using crack software.
Nice.
Let's see.
What is some other.
It's going through the list here.
What is a story that you can tell of your either like a hacking story or even just an IT story in general?
I mean, it doesn't have to be with me.
You probably have better stories since you started.
I got a few examples.
I think that the best one for people who are not in the field is like, you know, you're typical like Mr.
if you've seen Mr. Robot, right?
That's probably the better example like the prison hacking scene.
If you've seen that so, but they did it over like Bluetooth or whatever.
Like he hijacked the dude's laptop and then he did all this fancy stuff.
The closest thing of a hacking story that I can tell people in terms of like movie level shenanigans.
I was in Chicago.
This was probably circa 2015, 2015, 2017, somewhere there.
And I had this client that we were supposed to test physical security as well.
But they looked pretty like lockdown.
I couldn't easily piggyback and I was like, you know, let me.
Let me see what can I do from the outside.
So I pulled up in the rental car and I parked right outside the windows of like the cubicles.
Right?
And what I had on me was all my wireless gear, which was, you know, the alpha cars from the good old days.
All the other cars that do the packet injection and all that stuff.
So I was trying to get in on the Wi-Fi to see if I can, in any way, try to get in and do some of that stuff before I do the physical one.
Try to do the internal, you know, the usual pen test shenanigans.
So I was like, you know, let's be, let's, let's make it more interested.
So I pulled up in my car set up my Wi-Fi stuff.
I also had, I don't know if you heard of mouse jack.
The thing that hijacks the HID receiver stuff.
Yeah.
So I had two of those.
Plug those in and just started scanning the background.
And I found a couple of, I believe it was like one logitech device and one microsoft device that I looked up and they're like, okay, these are vulnerable.
Yeah.
But I don't know what devices they're connected to.
But I assume windows, you know, it's like much more pretzels.
However, it doesn't matter because it works on Linux Mac or Windows.
You just have to make sure you're.
Yeah.
Yeah.
So what happened was I said a payload to do a reverse like empire shell to me.
To one of our like see two things and I just hit it and I was like, and what I got was actually one of the IT guys.
Computers is desktop executed that stuff while he was like.
Oh, I think he was away, but his screen wasn't locked.
Like he was still logged in because he was like an enclosed office.
So he didn't feel the need to lock his screen because he wasn't in like a public space.
So I'd execute and I got a shell back and I'm like, who am I?
And it's like, oh, that's like an IT guy.
Glad to be.
Yeah.
Yeah.
So I'm sitting in my car basically and that's how I popped in was literally through his like mouse receiver.
I think he had like a logic tech mouse at the time.
And I was able to actually do some of like recon actually do some of the escalation just sitting in my car.
But then I kind of had to go in and can introduce myself because I was like time, you know, for a meeting.
And I was like, hey guys.
So I'm actually on your network already.
What?
I was like, yeah, I was sitting in the car actually popped one of your computers and I actually checked them back to one of the guys.
It wasn't our contact, but it was like one of the IT guys.
And it was just like, what?
You did what?
There was always a fun next to like, I always have fun like just explaining it.
I'm like, try to put in simple terms like, yeah, there's a flaw that basically like I can emulate like a keyboard input basically and send it over.
And it's just going to try to do what the keyboard functions do on your machine without you, right?
It's just signal.
And it was kind of cool to just showcase some of this stuff because it's not necessarily, you know, like, oh, it's a high-risk finding.
But, you know, for me, it was like, hey, this is just if I'm in the area, you know, like I can't be a remote attacker.
I have to be at least within a vicinity of us.
Like kind of like for wireless, I have to be there.
But it was totally cool.
It was just, you know, and the Mr. Robot scene where they poke into the prison was like kind of the same type of feel.
I just put it up in the car.
Pop the corporate stuff and I was able to kind of get it gain access persistence and lateral movement just by sitting in my car outside.
It was really fun.
I mean, you can do the same things through Wi-Fi, but this was slightly different and just kind of more interesting to kind of explain to them.
And we're like just like what?
And to top that off from towards the end of the engagement, he since I actually for the physical, I cloned their badges.
So I was just standing out there like hanging out pretending to be on the phone.
And I got like two employees.
I think they were close enough because I had one of those giant cloners that are like just put it in one of those.
Okay.
Yeah.
And just kind of walk next to somebody.
Yeah.
Did you buy the, did you buy the whatever it's called?
Proxmox three?
I don't have Proxmox.
But I don't use that.
I use the build your own.
Yeah, I use the build your own thing.
So that has higher range.
Proxmox is useful for actually building this like we're dumping the data and like writing it.
But definitely the big thing was like the range was what we gave me most of the success.
And I was explaining that and he's like, hey, can you actually clone a card for his dad?
Because his dad lives in an apartment complex where they charge you 100 bucks to make a copy of a freaking like FOP key.
And I was like, okay.
Yeah.
I have like black cards and buy them at all.
Great.
I was like, cool.
Yeah.
Let me try.
I mean, I don't know if it's the, it's going to work.
But I gave it a shot.
I gave him like, he was like two or three copies.
You know, see if it works.
And like before I left he's like, yeah, dude, totally works.
So you just saved like $300 for my dad.
He was like, sweet.
So just like knowing the little things like, you know, they charging you for a freaking HID like cloning like XS key.
You can actually just make a copy for yourself.
Save some money.
I mean, I think the supplies for it to make a copy are not like that difficult.
They sell like the little devices that are like, I don't know, like 50 bucks.
You don't even need a prox market nowadays.
Like they sell like little portable like read and then write.
So yeah, I'm sure it's all, it's all kind of commoditized and what cheaper now.
Even the USB duckies, you can, I've been buying these little two, like $2 and 50 cents like USB duckies.
So if you do like, it's like, it's on a hack a day and you just Google like, I don't know, USB Ducky DIY or something.
So instead of paying the $30 or whatever for the Ducky that you just buy these like $3 little $3 things that we'll do basically the same thing.
But it's through Arduino and you have to like re encode it using like this Ducky to Arduino payload encoder thing.
But so I get a bunch of those.
I've got a bunch of those and I was going to hand them out during the class.
But that was before COVID hit and everything.
But yeah, that's that's pretty fun.
I've got had a similar similar experience with the client that like kind of didn't want me there yet.
And they did they they the my management didn't notify the particular site that I was going to be there.
So they looks they're like, you're can't you can't you know, you can't be here.
And I was even waiting in the like the waiting room and they're like the whole way and they're like, oh, you have to like lead the building.
So they ejected me like from the building.
And I did the same similar stuff.
I was kind of rumzing around the Wi-Fi and I had gotten access to an old network that didn't have anything on it.
It was like a legacy network that was using the old old style keys that the web the web crap.
And it was it was there was some stuff on there, but it was there was nothing to like pivot to on that network.
It was all just like itself.
And it was like some other a few other devices that weren't like on the domain or anything.
And then like two or three days later, I'm still on site trying to wait for the OK from the client to be there.
And she calls me back and she's like, yeah, I've still just you know, I have some concerns about you walking around our facility blah, blah, blah.
And I was like, well, I mean, to be honest, I mean, I do this for a living.
I don't actually physically have to be there.
I can just do it from the parking lot.
If you that's that's kind of my job.
So like if you want, I can just keep doing the work from the parking lot and with what the client know and the stakeholders know that, you know, you weren't able to, you know, let me in the building.
Because we're nervous about it.
Which, you know, to her point, like, you know, some guy comes out of left field and she has no idea nobody told me he was going to be there.
I'd be the same way.
I'd be, you know, whatever she's just doing her job, right?
But it's the kind of thing where I was like kind of rummaging around without their permission from just the parking lot and outside the outside the building.
Oh, let's see.
Oh, let's see.
Current projects work or personal doesn't have to be IT related.
So you talk about playing around with cards, fret a little bit and you're pretty heavily involved in a cover of like response still.
So like you got any other interesting projects.
Yes, I do.
So I would say, I mean, for kind of my zen period of like not doing much, I probably just do a pluck stuff.
So the media server, I mean, you actually got me into it as well when I met you back in the back in like 2013.
So thank you for that because I'm a huge fan of it.
And I've built my own media library with like all the security videos from all the cons along with, you know, you know,
update media from the internet.
It's definitely it's grew to like about I think almost a hundred to pair of bytes in size at this point.
So I'm looking to upgrade it to like a server chassis because I can't accommodate anymore.
Rives in an old case.
So that's kind of I kind of like clean it up and do some storage configuration out of type of stuff.
But it's just like to relax.
I've been thinking for me.
I don't know.
I think a lot of people do other better things.
But to me, it's just something to do with some things and clean up some things.
I don't know.
It's like cleaning is a little grass nation cool thing.
Well, you're kind of you're kind of chopping up holdings.
It's like a relaxing thing.
Yep, no problem.
Oh, one.
Can you hear me?
You good?
Testies?
It might be me.
I don't know.
I can hear you.
Oh, you're good now.
More or less.
Say something.
More or less.
Yep.
Yep.
Hello.
Test up the two through.
Yeah.
It might just be a connection from Microsoft's infrastructure.
Trishon.
Yeah, they got like 15 million people in there.
Maybe let me call back degradation.
Yeah, let me call back.
Uh-oh.
Uh-oh.
Uh-oh.
Uh-oh.
Uh-oh.
I lost my own link here.
Sorry.
Uh-oh.
Copy link address.
Uh-oh.
There we go.
Hello.
Welcome back.
Um.
Any better?
Sounds like it.
Um.
Yeah.
No, no.
I'll see you're here any choppyness.
Um.
Yeah, I didn't see any like, uh, uh, signal errors or anything like that.
Oh, yeah.
Yeah, it's probably the same thing.
I'm going to go over my project stuff.
Uh-oh.
Yeah.
IT or non-IT related?
Yeah.
Either way.
So it's like half an IT, half an IT.
So, um, uh, you can see my favorite area of it, like scoping out your target and like finding out info that's not always necessarily public, but it is there.
Okay.
Um, so.
Having that in a background, um, uh-ah, there's a lot of breaches that happen.
Right?
Uh, data dumps on the web, they kind of.
And, uh, let's.
Эt's send the senders to places to access to the data as well.
Um, but after I took this one class with, um, forget the giant ones name, but he publishes lots of.
He publishes a lot of books, forget the guy's name, but he has a lot of books on Amazon.
He can publicly obtain or a gold mine in terms of like trying to track people down.
And because you can search for interesting things in those days, they don't dump.
So you have the emails, user names, passwords, and a lot of other stuff at the time, the
P's, date of birth, and all that good stuff, right?
So what he did is he combined all these things in a pretty rudimentary way.
He ended up as text files, and then he was using RIPGrep, I believe, to do just
grapping for things to find things, right?
Well, that got to my attention a little bit because I was like, hey, I can use Elastic
Search and Kibana, so like an open source SIM type of thing, basically to import all
the reaches, right?
And actually do correlations.
So if I find let's say a unique password, right?
I want to see if there's any emails or user names correlated to that specific password.
So like reverse searching, not just by searching the email, but by searching the hashes or
the password themselves or any other input points.
And to that degree, you can also add a lot of like voting databases and other stuff, which
contains people's names and numbers and addresses and stuff.
So like you can build this like giant web of just for data mining, and I don't mean
it in like any nefarious purpose is necessarily all that you can use it for that.
For any kind of recon that we do, I can always look at, you know, has this org like do the
users and this org have they been in data dumps before like, has there any other creds
have been compromised?
Can I see what kind of creds they use?
If we want to do phishing, you know, on the specific user, if you want to target a phishing
attempt, you can kind of tailor it to them based on like, okay, they use this service before,
right?
They use Dropbox, okay?
We can customize it from Dropbox, you know, and stuff like that.
So you can do a lot of cool digging up and kind of connecting the dots to see if the
same person, if you're tracking down a person for whatever reason, you know, not recommending
stocking anybody, but if you're tracking down someone, let's say, you know, somebody
pissed you off online with a certain user name, you're like, okay, who is this guy, you
know?
Want to send them a nice word of demon for the sake of the example, right?
How would you find this person, right?
So these data dumps are really good.
And not just by looking at the email, again, you can track down unique passwords that are
tied to other users.
You can also track IPs tied to users depending on the data dumps and stuff like that.
So it gives you like this basically web of just stuff that you can correlate to individual
users or individuals, right?
And that was like, yeah, you know, I want to be the frickin mini NSA here, you know?
So that's my like current one that's kind of progressing slowly because it takes a
little bit of time to standardize the data before you kind of shove it into elastic search.
Yeah, yeah.
But I wouldn't even consider it like more IT, it's more just like, hey, I'm interested
in all these breaches.
And I want this data to be mapped and you can use it for all kinds of purposes, whether
it's security related or just for funsies, like I do.
So how much data, because I know there's like the collection, yeah, there's like the
collection, too, which is two big ones, yeah, there's terabytes of it and you can
dedupe it and stuff, but like it's, yeah, it takes space.
So like my pluck service like 100 terabytes, that thing is probably going to be like at
least 25, 30 or more like if you actually do all of them.
And I mean, like all of the public big ones, like they add up over time, like you'll
definitely need like at least 10 to start with like a good amount of them.
Like LinkedIn, Dropbox, you know, Ashley Madison, whatever it was called, like there's
a lot and they happen every day.
So you just keep dumping them from different forums, you can, you know, if you want to
spend some some Bitcoin, you can get them on some of the markets that are still alive
that the feds haven't taken down on tour.
Yeah.
But again, most of the, most of the ones I find are still on like the forums, so you don't
need to go on the dark web, most of the stuff is literally floating on like non-English
speaking forums hint, hint, you know, yeah, or like that helps.
Yeah, like some torrent magnet links somewhere, so you can find a lot of them also on like
the Pirate Bay.
I'm pretty sure it has them indexed for at least some of the bigger ones used to be a guy
that published them on Twitter, but I think you kind of stopped because I think people
were like, I mean, you got that dream.
Yeah.
So that's what I was doing, like, there was, like, it was like census, before it was
census.io, but it's like census.io now.
And for a while, when it first started out, you could, it was all free.
It was like, basically, it was, what's the one that the internet scan database that
everybody uses?
Ah, you showed in.
Yeah, it was like, it was like, show in, but it's free and it wasn't really geared towards
necessarily like, here's all the webcans or whatever, it wasn't more, it wasn't really
the stunt hacky stuff that Shodan is.
It was more of just like, here's all the top ports or whatever, but it was, it was free.
You just sign up for account, and then you could get the links to the Google Drive and
they're like, like, like I said, be like the terabyte or two or three terabytes for some
of the big ones.
Um, and you could download them for free and you could download it at ludicrous speeds
because it's all on Google Drive stuff.
Um, so you could like multi-thread download these, basically, build your own Shodan for,
for free and like, ridiculous speeds, and I would do stuff like, once I got it, it
would be like three or four, you know, terabytes or whatever, or gigs, it'd be like three
or four gigs of stuff, um, and then I would, uh, zip it up, basically use, um, uh, what
you call it, squash that fast is what I was using to try and make, keep everything small,
but apparently you can like mount Bzip or something, you can, so there's like a Bzip, uh,
type of way you can mount, um, there's, there's other ways to mount like higher compressed,
uh, higher compressed stuff, um, let me get some messages here, hold it.
Yeah, no problem, um, yeah, so let's see, what else, where were we at?
We were talking about, uh, kind of what stuff you've been playing around with.
Now, what do you have you been confronted by anybody like at work or personal that like
around the legality of it and say, oh, you can't do that because it's a legal type of thing?
Oh, man.
Because I've had some clients say, you know, we've given them information about like some
of the security issues they have from like public data and I've heard people say that,
oh, you know, you're not supposed to be looking at that stuff, blah, blah, blah, and, you
know, I'm like, well, it's public, it's basically public information.
If I can get it, it's public information.
So that means everybody else knows what it is.
So I'm just, I'm just helping you like, you don't have to be, I'm not malicious about
it.
And if I were to be, you wouldn't know anyways.
So who cares?
Right.
Yeah.
So as a consultant, I definitely experienced that where people would always want to take,
you know, they just don't want to fix things at most of the time.
That's why like they don't want the work basically, right, to tell them something's wrong.
It's like, oh, why did you bring this up?
Right.
You know, ignorance is bliss, right?
But I feel like as an individual, right, if you were to report something, I think companies
have gotten better with, especially with like bug bounties, like the crowdsource type ones,
like hacker one or what's the other one, bug crowd.
So you can definitely go through some like more legitimate channels to kind of be like
a hundred percent sure you'll get a response you're looking for and when you're reporting
things like, hey, you have, you know, your AWS bucket key is chilling on your GitHub account
or you have, I don't know, exposed timecat with default credentials, something to sell
it, right?
But there are places that are definitely going to have that shitty response of like, oh,
that's illegal or something and that's shitty, but it is reality, right?
You will, excuse me, you will run into those here and there.
They're not very common, I would say, but they do happen.
And if they do, they'll let that like discourage you from trying to help folks out, right?
It's not like, don't report very silly things like, hey, you have, I don't even know what
the silly thing would be like some example of one that like, all these like, there's a lot
of people that actually do submit some like, you have, you know, a portal, you have
port 3389 open, which is like RDP.
It's like, yeah, you shouldn't have that, but like, that is not a direct, like, risk
threat.
Now, if you have different credentials on it, then yeah, it becomes an actual risk, but
like, maybe you're missing a patch, like if you're missing a patch, depending on what
the patch is, like, if you have pulse secure VPN exposed, right?
And you have that RCE thing still on it where anybody can get in and just get all the
creds off of it.
Yeah, if you report that, I feel like that's awesome, but if you report like, oh, you're
missing like some silly patch that's like, low risk has nothing to do with anything,
like, oh, you should, you need to patch it and you tell that someone would be like, and
that's why some things get like diluted in value, right?
If they get too many people telling them things and they're like, yeah, you just another
crappy report, but in light of actually them looking at it, they might realize like, oh,
it's actually, you know, I don't think they mean any harm.
I would say, you know, just if you want to be safe, just go through the legit, like bug
crowd source, bug bounties, type things and you can get paid, even if you don't, I mean,
you'll help out folks and just submit them the reports, they at least will look through
them and you'll have like a man, quote unquote, man in the middle where you're not going
to get the, it goes through the service, right?
You're not like, you're not doing anything gray area type thing, you know, there was a
brief area where I had, you know, I had like a, like a tour set up where I had an email
account and like a, an SMS phone number to do that type of stuff and like, responsible
disclosure, but I was doing it as anonymously as I could.
And I did like two or three of them.
And it's like one of them was substantial, like a substantial remote internet facing thing.
And I never once got a response back from anybody.
So I don't know if like, I was doing it wrong or whatever and I even asked somebody on
a podcast about it and they're like, oh, well, you know, it just goes to cert and then
cert will take it and like, in theory, make the proper connections or whatever, but like,
I never really got any like, like response back from any of those clowns like that.
I guess it just because the way I do it is like, you know, I try to find like admin, whatever
and I just like bomb everybody that's on there or like send four or five emails to like
four or five different random people because you know, it's hard to find a contact for
like to disclose security stuff.
People don't even understand what IT is, much less IT security.
So I guess that was probably most of what my problem was because I never got a response
like from anybody like, like if I saw something in my mailbox and I was like, you know,
Jane the idiot and I had no idea and it's like, said something about security and whatever
like I would be, I would probably reach out to somebody and escalate, but I don't know.
At least forwarded to the right source, but yeah, I don't necessarily see that all the time.
Yeah, I kind of gave up on it and if it's something silly, I'll just put it on like full disclosure
or whatever and like, it'll be like something, something not like bad, like super bad,
it'll be like, you know, how to get something, how to get something that's either not this
free or try to change something to make it better or whatever, but I've never really
done anything like malicious or whatever, but usually the silly stuff I'll put on like
full disclosure, if it's something stupid, like how to get unlimited tokens for some
time game or something, I just don't have the time for a lot of that anymore, you know,
but yeah, you mentioned projects, you know, your favorite projects are like the Plex stuff.
As most of the stuff you have on there, like movies and TV or like you said, is it what
percentage of it is like, like what are your other favorite projects of like Plex, do
you have any other favorites?
I guess, again, project related, it's usually like tech related stuff, I mean like the
last time I've done anything hardware related has been a while, but it's just like you
have to get a feel for it, you know, I haven't been, excuse me, working anything outside
of those like data dump indexing in correlation and like Plex is kind of probably the only
two things that I would consider projects, right?
Everything else is kind of just leisure activities that I wouldn't say like are hobbies, quote
unquote, many can call them hobbies, like, you know, good old new games and some anime,
you know.
Yeah, you did consulting for like, how long do you think you did consulting because you
were kind of doing it and then you got to switch, right?
Yeah, I did consulting for probably, I would say five years, like solid five years.
Yeah, that's about what I ended up with, like, and when I started out, you know, those
soft skills were the part, and that's one of my questions is like, what are you not
very good at?
And you mentioned just like people and not being comfortable around, you know, people
in general and just doing all that.
And I think, you know, working for an accounting firm and doing like client facing stuff
helped me pretty, pretty well in that area because it's your job, your force to like
talk to people and like, you know, really get an understanding of like, you know, it's
not about just explaining the technical details around something and making it, you know,
understandable.
It's about like, okay, how does this, how does this person communicate?
What's, how do they communicate effectively?
Like, what is it, you know, they like phone calls or did like in person or do they like
whatever and I learned a lot in those six years, like, you know, how to get people to
do these, like, understand what you're saying and like, care and try to get them to care
about what you're talking about.
But, yeah, is there anything else you could say that you're not good at that would you
would like to disclose?
Not good at.
No, I mean, there's a lot of things I'm not good at, I mean, I mean, definitely not
artistic or musical at all whatsoever, try to learn things here and there, but never
worked out.
All my art homework, I mean, I think it's been well enough past my school time that
I can easily say that most of it, my sister kind of drew for me, you know, anything
art related, I'd be like, can you help?
Because my stuff looks like it's just, you know, out of the nightmares.
So yeah, I'm definitely the analytical kind of preserved, you know, personality.
So not the outgoing type, even though I can talk fairly easily about the topics that I
know or to people that I know, but like, I mean, I say hi to strangers, right, but working
that consulting gig definitely helped me like break out of that shell and kind of build
up that what I would call like the report or just the soft skills, yeah, yeah, people
call it soft skills, but to put it in like actual like words, I would say I can, I can
talk to like the C sweet board people without a problem.
I'm not going to talk the same way, you know, as as plainly as I do right now, but I wouldn't
I don't use business like nonsense terms like, you know, everyone's favorite, you know,
what's the synergy and all that crap, you know, like people use fancy words and stuff.
Like I always kept what I learned is like keeping things fairly simple helps it kind of get
across different kind of audiences, right?
So I don't I don't try to tell them, you know, I don't throw like cobalt strike in their
face like, oh yeah, we use this software, right?
Like use something simple that they can kind of understand, like helps you connect remote,
you know, get remote connection establish instead of C2, right?
So if you keep it simple and like keep things, you know, comfortable, I think that kind
of helps just in interaction with kind of anybody.
And I'm very open to explaining exactly what I'm doing at any point, like that can they
can shoulder serve me if they really care, you know, they're going to say a lot of just
terminal commands, but if they're curious, they can always look like I learned to be very
open during my consulting to just like, hey guys, like you want to see how this is done,
like this is a clone of card and I can like demo that and yeah, it just helps like make
it more just like easier to deal with instead of just, you know, being a very, you know,
just kind of businessy approachy person.
Yeah, that industry in itself is kind of weird because like, like most of the people that
are in, you know, in security or at least, you know, in heavy IT or security stuff, like
they're generally want to be helpful.
I don't know where it comes from, but like most people in IT or like in security kind
of want to be helpful and want people to learn stuff and whatever.
But it's like, it's, it's not piled up counter into, yeah, it's counter intuitive because,
you know, you try to get, you try to teach people stuff and either they don't care or
don't understand or don't want to know or, you know, you know, kind of they fear, but
they don't understand, quote, like, you know, they try to control it and if they can't control
it, then they make it go away.
I mean, I've had my previous employer was kind of that way where, you know, I, you
never got the warm fuzzies from them and they never gave you the warm fuzzies or they
never, you never gave them the warm fuzzies.
So I felt like I was just like a threat to them the whole time I was working there and
like, you know, when you get hired to specifically do pen testing for, for an employer, like
there's a certain level of trust that has to be there.
And it's kind of one of those things where like, it felt weird and like I'm sitting there
trying to establish relationships with people and like, everybody's very shifty and like,
oh, what's Robert doing over there with that, you know, like you said, the console window
and like people kind of see that stuff and they get instead of asking questions, they
just like, oh, they must be doing something bad or malicious or whatever.
And I'm like, no, I mean, if I was going to do something malicious, it'd be, you know,
from a, from a, you know, from a, from a yacht in Guam or whatever, like, do bad things
sitting at my employer, like an idiot, like that's how you end up in the news or whatever.
Um, let's see what else we got, um, favorite website, do you have a favorite website?
Let me, let me think for a second, like, I mean, I would honestly, I think the site that's
open like the tab that I would say that's open the most actually YouTube for me.
And it's not necessarily like learning or entertainment specifically.
I think it's a mix of everything.
I mean, you can say about Twitter the same.
It's like entertainment, but also like good bits of, like, tits and, you know, bits and
pieces of stuff.
Yeah.
So, um, I would say YouTube, just because I always have music playing, like 24, 7, basically,
whenever I'm doing is just hosting a concentrate.
It's been like that since like high school, I think for me and it just keeps going.
Yeah, I'm the same way.
I like, if I'm working, working, I have to have music in the background.
So I've been experimenting with, um, bandcamp, a few, yeah, yes, but then before, um,
so I got a bunch of stuff on my wish list from bandcamp that I'll go through and buy,
you know, if I get bored of music.
So I, I blow through music like crazy, um, and bandcamp's one of those kind of off, off
beat sites where you can find music that you like that's not like mainstream stuff.
That's not on Spotify.
Yeah.
That's why I'm using YouTube.
Nope.
Yeah.
That's it.
Yeah.
Yeah.
Yeah.
I like that it's not as like rigid as Spotify.
I mean, like, I use Spotify before, but I think YouTube is like one minute.
I'm like, I have music playing in one tab, but then I can open another one and like look
up at the tutorial for something like an example recently, like since COVID, um, I live
in an apartment complex where they usually send people out, right, to fix things.
Um, but they're like, yeah, we only do emergency, like maintenance now.
And my toilet thing was flushing, like on its own every like, I don't know, 15, 30
minutes.
Like that.
Yeah.
I'm like, all right.
How do I fix this?
And they're like, could be a flap, tried the flap, not the flap.
Like you're supposed to replace the seal, whatever.
Yeah.
Yeah.
Okay.
Cool.
So I just ordered this stuff.
Watch the YouTube video and, uh, and then fix my toilet.
You know?
It's like, it's kind of like a learning platform, but also entertainment, and it's like
nicely mixed.
So again, similar to Twitter, but I kind of like usually try to stay up social media
for sanity.
Yeah.
So let's see what else we got here on a scale of one to 10.
How weird are you?
That's a weird question.
Uh, it is a weird question, but if I had to put myself on a number, I would say like
an eight.
I don't think people like freak out when they see me.
I am like six foot four, but I feel like that's probably the intimidating factor for
people.
But I'm like, I'm kind of like a anime loving person.
So that kind of like, oh, what do you collect?
Like figures and stuff and, uh, mostly I have like weird music tastes.
Like I can listen to like happy hardcore and nightcore and like, just like super fast chip
monkey sound stuff, but also like metal right next to something like, I don't even know.
Like it's very all over the place.
Yeah.
I'm on the same way I've got stuff all over.
So I'll send you a few, I'll send you a few links to some different stuff that you might
and may or may not, may or may not, uh, like, like, uh, um, ones up, uh, gangster grass.
It's the name, that's the name of the group.
It's like gangster music and bluegrass mixed together, um, and then, yeah, a couple is
several months ago.
I got into, um, like, uh, I want to say it's, I don't know what's called, but it's like,
the music that's in, um, um, Vikings, um, I don't know what they have to look at the,
what I actually call the playlist, um, I don't know, genre is very well.
Let's see, playlist, folk metal is what kind of what it's called.
So it's like heavy metal, but it's like folk music and they might have like weird instruments
or like Mongolian throat singing or something in there, but I'll have to send you some of
that.
Future wave, dark wave, outrun or whatever wave stuff, yeah, yeah, that stuff sounds good.
Like the swing type of stuff, um, I can't, my wife can handle any of it, so she's all
of it.
She's fine with listening to like Lincoln Park from 2009 or whatever, 100 years ago,
then I have like, oh my god, I can't listen to this song anywhere, but that's what makes
her happy.
Yeah, let's see.
I wear headphones because my wife would probably kill me if she had to listen to my music.
It'd be like DJ, sir, all right next to some visual cape from like Japanese metal and
be like, what?
It's like, I don't know, the brain's happy.
So here I am.
Thanks, YouTube.
Tell me something that's true that almost nobody agrees with you on.
Something that's true that nobody agrees with me on, hmm, I would say, let's see, what
I would say, uh, I think like people spend, uh, what would people agree with me on, feel
like, uh, people spend like too much time, like listening to the news and using social
media, like just cut it off, and I feel like you'd be a happier person.
Like, I've, uh, I kind of, I mean, I have Facebook, right?
And I used to have Twitter, I just kind of disabled it.
Facebook, I like rarely check just in case somebody messages me, but like, like, you
can read news, but like tailored news, like I read like techy news and like, futuristic
development news, you know, all that good stuff.
Like I like tech so that kind of news, but like general, like just, if you avoid everything,
like the world becomes like a better place, like you don't even know, 2020 is gone and
like 2020 is going on, you know, like it's just like helps you just like relax and think
about your own things.
Yeah.
Focus on what's important.
Yeah.
There's a lot of people I think that, like, they have the need to check or the need to
respond to people and comments everywhere.
It's like, guys, like forget this ever existed, like I kind of missed the early 2000, like
the 90s.
I feel like I was like happier as a kid just not having some of this stuff.
I don't know.
Yeah.
It's the like, what was the term I've heard doom scrolling where like it's the COVID thing
where you're just looking for stuff and you can't get enough input of all that, all
that mess.
We don't have cable.
We will watch Kathy will watch over the air stuff every once in a while and that's where
I get my news is from Kathy or maybe if it bubbles up to, you know, something, I mean,
I was actually on site at one point in time.
This was when I was doing consulting years ago and there was some hurricane coming through
somewhere and like they were talking about the name of it and I was like, what, whatever
the name of that hurricane was, and I didn't even know what they were talking about because
I don't watch the news because it's so toxic and just just awful positive news is rare.
Yeah, that's the thing is it's like they all operate on fear and all that silly stuff
and it's just like, look, I've seen a thousand times it's the same thing over and over again,
you know, not only is it just depressing, it's just boring because you get the same story
over and over again about somebody getting shot about something.
Yeah, so I feel like people would totally disagree with me that you should kind of, you
know, like put your put your head in a hole kind of like an ostrich or whatever kind
of metaphor thing, but it's like I'm not telling you like people like clearly cut it off
but it like helps and it's like detox basically for people over like just stuck to the computer
and I mean, I'm pretty stuck to the computer based on what all I do, but I feel like
we all deserve to just like even if you sit on the computer, just watch some Netflix
or whatever, just go away from that stuff and it kind of helps you just kind of clear
up and just think about yourself man, think about your family, just, you know, just get
down to earth and just stop worrying about all these internet strangers or your internet
friends or whatever, yeah.
Yeah, I don't know the political, whatever of the guy on Hacker Public Radio, but he
uh, his name is Ahuka AHUKA and he'll do some interesting stuff around like COVID and
it's very like, to me, it feels like it's less noise and more signal.
So he'll, you know, every month or so, he'll put up a new podcast about COVID and there's
actually useful stuff in there.
It's like, okay, if you want to follow these websites, these are like the dirty, you
know, the meat of everything that's going on instead of like people going fear and run
around.
Fear munkering is real.
Yeah, so he helps kind of filter out some of that stuff and he talks about health and
stuff when it health care and how all that stuff is a mess and his thoughts and opinions,
but I, you know, it's, it's a, for me, it's not like a political thing.
It's more of like a skimmy information about current events that's not like, you know,
Fox News for Christ's sake or something.
So like, I'm just, I'm just a mess.
Yeah.
My, my opinion is that like, we have so much information.
I feel like it's hard to pick like what to focus on or what's good, you know?
It's just an overload of data.
Like you just open up and it's just like, and less scrolling of stuff, right?
So I feel like we've gotten to that point where, yeah, we're just kind of almost, I
would say like, we take whatever's at the top kind of deal and not really dive into
things like, oh, this is, you know, who posts like, what's the source of this stuff?
Like we kind of don't really even check on you that it's just kind of top post, you
know, whatever's trending, whatever's people are talking about, the popular hashtags and
all that good stuff.
And it's just like, I don't know, just became kind of funny looking at it.
Like if you step away from it, it's like, it's, it's kind of sad, but whatever, you
know, do what you got to do.
But again, I would just recommend people, you know, especially this year, just kind
of hang back from all that stuff, like just take it easy, man, go do some, go do some
home improvement.
I know COVID kind of drove people to do that, you know, focus on some other things, just
kind of step away.
Absolutely.
So you, you were, I know you're doing the consulting stuff for like five years.
And then you did some like, you know, kind of renting me Pinterest stuff.
And now you're kind of on the defense side.
And then you do the, the, the Pintesty stuff kind of for your internal employer or so
like, would you say you're kind of moved from, you've moved from the red, red teams last
Pintesty side to more of like the defense side or you just kind of all over the place.
So what happened was back in like 2018, I think I was like, hey, listen guys, this is
a benefit of working for a smaller company is you kind of can interact with pretty much
everyone, right?
And I was like, hey, do you mind if I like rotate out of consulting like I'm just kind
of getting burned out by it.
And I want to try a little bit helping you out on the other side of the house, which
is your simple platform, which includes basically the analysts and that team.
And I was like, well, I propose to you is that I can help you improve a lot of this stuff
because I know you guys have been trying to keep up with it.
Like, I feel like my experience of just breaking all the things and how to get into places
is going to be very useful in, you know, identifying our weak spots and kind of creating alerts
around that.
So that's how kind of I portrayed it and they were totally on board with it because they
didn't have anyone that was kind of like dedicated to helping out with that stuff.
They just had analysts and then the developer and the maintenance team, I guess, were also
helping out with alerts.
So it was kind of just there wasn't anybody dedicated in that role.
So what I became is kind of like a little bit of everything.
My responsibilities do include helping out the blue team and creating some of these alerts.
But that was kind of set for the kind of the start of the role later on the role is a
little bit more mixed.
So once I'm done with kind of solidifying some of the alerting and while I do that, I
felt most of it is based on off-sack research, right?
So I still play around and do training on red team stuff.
I don't do blue team training because I think they're hilarious.
Backwards.
No offense then.
It's a little backwards.
Yes, you learn way better stuff on the offense because you understand exactly what's
happening all like all the AD weaknesses like, okay, Office 365 legacy protocols, like
how do they attack it?
Okay, they use ruler.
What does that look like?
And you can test it out and you can test your defenses pretty easily, right?
Once you know how to do it.
So that's my approach to it as like understanding what do people attack?
How do they attack it and then focus our defenses and detection on that stuff for our clients?
And that's kind of where I do the development, but I mostly do it through red teams learning
and testing, if that makes sense.
Yeah, it's pretty, it's, it's, I mean, it can take some time, but it sounds like you
had the right amount of support and whatever to like get there pretty quickly to build out
those signatures, at least within, within Karma black response that are actually, you know,
trigger pretty useful stuff, right?
Yeah, it was a little bit of time to definitely you have to again, learn different things,
right?
As a, as a, I guess red team or pentastoperator, dude, you are learning all the tools and
TTPs, you know, tools, technique procedures for getting in, getting out, all not getting
out, but, you know, for persistence, if you need that, but mostly it's just about all
about getting in.
So when I came to the help out with the defense, I had to learn about, you know, okay, let's
do an in-depth, in-depth kind of analysis of our Windows logs, like, what do we get?
Where do we get all our log ship from?
What kind of devices have that and what kind of logs do we collect, right?
Based on that, what can we identify?
Do we, can we identify stuff like Kerbero staying or anything like that?
Cool.
And on that, you know, Office 365 logs, like, what does it look like?
You'd be surprised how much of documentation is lacking in 365.
There's so many responses or status codes that are not documented, that it's hilarious
for successful logins specifically, or it's failed logins, so there's like token blah
or something mismatch and like, you look it up and you're like, okay, this, I can't even
find this on Google, like, what does this mean, you know what I mean?
So, um, you do run into things like that, which is pretty funny, because you'd think
Office 365 would be pretty well documented, because it's Microsoft, but yeah, well, that's
how they do their AD stuff, like, just, what does it, like, that AD guy, ADwizard.com
or whatever his name is?
And like, just, like, Microsoft is real big until like, they don't make a thing.
And then they're like, here's our thing, and they don't tell people, like, what the impact
of it is, it could be, and like, how useful it is, they're just like, here's our thing,
I use it, if you want to use it, go forth and use it.
They don't actually explain, you know, how useful something really is, and be like, okay,
you need to take heed, you know, this is like, all your AD problems solved, use this one,
you know, policy for whatever, and like you said, it ends up being like, you know, you pop
a log somewhere or you see an event and you're like, oh, oh, so that's what this means.
The only reason you know anything about Windows is by, like, whatever log it pushed out
or whatever error popped and you're just like, oh, okay, I know how to do, look for X or
figure out this.
But like you said, you can find sparse, if you're lucky, you can find one or two posts
about whatever you're trying to figure out.
But yeah, a lot of Microsoft stuff is just kind of hidden in like, there's not any documentation
out there.
And like, the people that do it, they do it and, you know, maybe there's just that gap
that's too far for like, understanding AD is like, it's own, you know, neither one of
us are AD masters and like, understanding Windows AD is like, it's its own, you know,
I don't even understand the whole relationship for a stressed thing and like, how all that
crap works.
Like, I can use the tools.
I'm pretty much a skinny when it comes to anything AD based, but like, just understanding
how all that works is one of those things, like, I wish I could, like, I wish I was that
AD wizard guy.com, they're like, he knows everything about AD and like, that would be to use
that, like, to have his brain for pen testing would be like, basically having like, you
know, knowing everything you would need to know for Windows, like, move laterally or escalate
or figure out how stuff is, stuff is working, but, um, yep, that's cool with like hybrid
Azure stuff nowadays as well.
It's kind of like hybrid AD, so we have kind of that mixed approach too.
We have, I think we're not 100%, 100% Azure, so we have like a hybrid mixed environment
and, you know, to go one way or the other, it's too expensive, so we're kind of like doing
some stuff, kind of cracker, Jackie, um, and just getting logs from that stuff, um, trying
to look into the Azure, um, Azure events and, and like you said, just doing, like, basic
stuff figuring out, you know, what, what's going on.
I haven't even looked at it, you know, we use minecasts, so I haven't looked at, looked
at any of that stuff.
Their API is kind of weird and their web interface is kind of weird and like, there's so many
things to look at in that, in that regard, but like, it's, they, there's just no documentation
for it or if they, if they have an API, you have to build your own cause their API is
like total garbage, so, but, um, that's pretty much it.
Um, do you have any other questions or comments?
I don't know, I guess if folks are interested, I know I get a lot of questions that are
like, our analysts are incoming for the blue team, a lot of them are interested to eventually
get on the red team, right?
Yeah.
Because that's like the hotness, you know, that's the one job.
I mean, to be honest, I'm at heart and in my mind, still, the pen tester type, right?
Sure.
The breakey stuff type, definitely not, like defense is, is rewarding when you catch stuff,
but it's, it's pretty annoying to be honest, because you're looking like perneedles and
haystack all the time, right?
There's a lot of events that happen that just trigger all kinds of noise and yeah, we,
we do a pretty good job on eliminating that noise, but there's still like, you constantly
get like all this stuff that you look through and it's like, okay, to me, it's, it's not
my thing again.
Yeah.
Um, but it's, it is a, like a starting role for a lot of folks in this industry, right?
And like a lot of people ask me the question of how, like how do you make the transition
or jump to somewhere and basically consulting or internal, yeah, yeah, yeah, yeah, from
sock to, or threat ops to red team slash consulting, such bentos and all that good stuff.
And um, I think that's the, the question I guess the most.
So my, my recommendation is is again, people are like, okay, what should I do?
Is there any certs?
There's people, you know, the alphabet soup because alphabet soup is just your, um, it's
like an HR filter, more or less right for applying to places.
They just like, oh, they prefer this or they want this.
So I would say, um, definitely, uh, could you give me one second?
I need to take a real quick one sec.
Uh-huh.
Could you give me one moment I need to grab a package outside.
They just called me to pick it up.
I'll be right back.
All right.
I am back.
Sorry about that.
Uh, no problem.
We're, we're pretty much kind of wrapping things up and in like, yeah, for moving, you
know, from the, the, the offensive side to the defensive side, so the difference there
is like, for me, it's like when you're doing the offense, you can kind of do your own
thing and you don't have to like, talk to another group, like you're just, you're usually
kind of on your own, right?
Sure.
A little island.
Yeah.
And you can do whatever you want to do.
And you don't have to worry about people being like part of the, you know, being a stakeholder
and whatever you're doing, like you just kind of do whatever you do, whereas you're on
the defense side, you, you come up with a thing or you come up with an idea or a process
or a tool or technology or whatever.
You got to sit there and like, convince peers and management and other people that that
thing is good or that you should keep working on that thing.
And that's kind of frustrating, you know, not not to mention you said like the needle in
the haystack stuff, but like, you know, trying to get the buy-in like, hey, you know, I've
been using the analogy lately.
It's like, you know, like, like everybody at the table is eating like chicken wings and
pizza and they're all stuffed and they've had plenty of to eat and whatever.
And I come over with like this beautiful salad and like all these healthy foods and they're
like, yeah, I don't want to eat any of that.
It's like, I'm full.
Like, well, I know you're full, but like, this is a beautiful salad.
We should probably start talking about, you know, eating some healthy salad with our
meals instead of like chicken wings every day and like the mundane stuff that like you're
eventually, you know, going to get yourself and others like popped because you're not,
you know, focusing on like improving the program and stuff.
So it's, it's slow going for me.
Like, I think a lot of it is just kind of like future state stuff that I'm, I'm trying
to build out and it's frustrating to get like the buy-in from the rest of the, from the
rest of the group and like peers and I have to like work extra hard to like tell people
and show people, hey, this is the thing, this is the new thing I created that people should
care about.
Whereas like if you're doing your own thing, you just get on GitHub and look at it and
look at the source code and figure it out and like run it.
Like you don't have to like get anybody's buy-in to like learn a new thing or use a new
tool or whatever, whereas if you want it to be incorporated into the, you know, the
blue team process or the sock, you have to sit there and convince people that, you know,
what you're doing is, is not like that complicated.
I mean, a lot of it is just, I've noticed this like people are, you know, confused or
don't really understand what I'm trying to do.
So they just kind of like, uh, it's Robert doing Robert stuff.
I'm not going to try to bother to figure out what, how he's actually doing it and how
useful it could be.
So I'm trying to focus more on like just taking a few steps back and being more like more
descriptive and slower about people updating.
So I got, you know, four or five projects going on.
So instead of like trying to explain all four or five projects, I'm just trying to be like,
okay, let me take the first thing, you know, the first use case that's blatantly obvious
and try to like get that past and get people to understand that and then start working
on other stuff.
But I struggle because I'm like, oh, I want to like, I want to like, like, what do you
call it?
I want to correlate this.
I want to correlate that.
And then I want to launch this with that.
And then like, if this happens, I want to do all this stuff and people are like, what?
And start drooling.
I'm like, no, no, no.
Like, I've lost you.
So.
Yeah.
I think when you're talking to like, even folks on IT, I think it's like from individuals
to individual, not everyone, like can follow along, especially if you're like more technical.
I'm passionate people tend to be like descriptive, especially with technical things, like they,
you know, want to want to explain to you and be specific about what they're doing and
they use like technical terminology and stuff like that.
And that's like, sometimes it's just like too fast or too, you know, too low level for
whoever you're talking to.
But yeah, I was just talking in general for people like interested to hop, you know, from
one team to the other, I mean, there's always downsides to each team.
I know you said like blue team, you kind of have to play the game of selling your, basically
your projects to the stakeholders, not literally selling, but, you know, convincing folks that
it's important to do certain things as a red team or a pentester.
Yeah, you're more of a free, you know, free roaming bird, but people usually don't like
you around having you around, quote unquote, and you're a consultant.
Not everything.
I'm not going to say everyone, but a good percentage, I think there is going to be like, always
either part of the audit or whatever, like, oh, we need to do this.
But there's definitely a lot of companies that are, you know, more interested to having
you because they're pretty like excited about certain security stuff, which is kind of
cool to see those types of people, but yeah, you popped in like a really good time because
before like when we first started, you know, it was the stigma was like, oh, the scary
hacker guy is at the company and like, you know, everybody was scared of, you know,
pentesters, the red teamers now, it's just like, you know, it's on the news so much and
people are so used to getting, you know, old scans and pentests that like every company
is at least had a theory, some kind of pentests on purpose are not like they understand the,
you know, they understand it's like, you know, pentesting or somebody coming in and doing
security stuff is something that you should try to be on board with.
I don't know if you've noticed the stigma kind of kind of slowly evaporating to that
whole thing, but I've noticed where people are a lot like towards the end of consulting
with with KPMG, it was kind of like that, you know, a large for larger percentage of the
people you show up on site and they're like, oh, I've got the hacker.
I'm so excited like before it was like, I don't know you get away from my computers,
like don't touch anything.
And I think now people are like, okay, why'd rather you mess with my stuff and figure
all my stuff than like China or whoever else is going to come and rummage around my network.
All right, yeah, for me, I remember everybody's like, oh, you're part of the audit, like I
don't think I'm an auditor, like I am no way-shaped form or, you know, whatever auditor,
like I have nothing to do with audit, yeah, our report is like somehow tied to it and
that's how they always connected us, but since I kind of moved to non-audit related
firm, you know, not accounting, because the first two jobs that I had, you know, even
the one after KPMG was still a consulting firm that was primarily, you know, like-
Okay, audit, advisory and audit, it's like, dude, as soon as I went to somewhere that's just
security, like that's their bread and butter and not audit and any other stuff, clients
were so much easier, like nobody ever said the word audit to me, you know, in terms of
when I was testing, like I was a testing going and like, yeah, that's slowly faded away,
I think from my experience in terms of moving from kind of an organization where the security,
you know, from a service provider organization where you're providing services to others,
if the organization is not, you know, security focused, it's your kind of the appendix
and I feel like the sort of like what they deal with is kind of like get kind of placed
on you a little bit, so- but that kind of wore off over time and definitely when you're
doing, you know, work for just security related work, people are extremely knowledgeable about,
like, oh, okay, you're doing pentas cool, like you need the IPs, you need me to whitelist
anything, like people are very welcoming nowadays instead of like back in the day, or it was kind
of very tough to get anything out, like, and I've learned like, I do my recon beforehand,
like before the first meeting and I like, after the first meeting, I just send them like a nice
little PDF, like here you go, this is like your external stuff, like just confirm it for me,
not gonna ask you too much more, and you know, the response rate for that stuff is pretty quick,
but like clients will always be clients, so if you're in consulting service providers,
you know, I always gonna get the greatest response times and speeds, or you'll get, you'll send
them a list of like target scope and they'll be like, yeah, that's fine, whatever, and then it's
not, I'm not actually them, like it'd be like, somebody completely different,
that happens more often than usual, it happens more often than that should, so
don't always double check your work, yeah, I've had that happen several times, and you know,
you scan something or do whatever it is, and then like, I don't know if I told you the story
about that, like I brought, like pivoted to a computer, and it had like all the security stuff
on it, and like it was another AD, and I was like rummaging around, and I was like dumping,
I was trying to crack the, what do they call it, the windows, it's like a different kind of windows
that I have. Oh, it's like something too, like, I don't know, it was some windows hash that I
was trying to hack on, and then I talked to the vendor, or the stakeholder guy, and he's like,
oh, yeah, that's a security vendor, and I was like, oh my god, like my wife faced her in white,
and I like started freaking out, because it basically has hacked a different company.
Do you remember who's, you don't remember who's in that work, it was, it was a nuclear facility.
Yeah, that's why they were like freaking out, because it was a 2003 box that you popped with MSO8,
and I remember the call because I was on it, and I think it was Alex with us, and Alex was just
like, you're not going to believe this. I was like, what, he's like, Robert did this.
Yeah, and the manager thought it was hilarious, and the client thought it was hilarious,
I was like, scared to death, like, you know, I think it was like not intentional, you just like
accidentally popped the sock of the, like, the third party provider sock of the client.
Yeah, I'm like, hey, well, you know, it's on the network, it's, it's, it's, it's in scope, right?
Like, the whole internet, and once it's, the whole internet is in scope, once it's, once you connect
the computer to the internet, right? That's how that works. Yeah, I definitely remember that story,
because I think our manager, was it Richard at the time? Yeah, I think, yeah, he was like, he was like,
Rob did what? He was the best, because he just feel like, at one point in time, we did one where
we were just like sitting outside a Starbucks waiting for the engagement letter to be signed, and like,
you know, basically told me where to go, and like, where to show up, and what, what, what,
what I was doing, and what the scope was, and that's all he did is like, like, well, how did you
convince these people to let me go, like, full-blown McCurdy on them? Like, most people, they're like,
super scared. And I think he was able to just convince them. It's like, yeah, we got this guy,
Rob, and you know, we'll do some stuff, and we wouldn't actually explain like the risk of what I
was doing, because, you know, in the wrong hands, you know, I can put on pretty, pretty crazy,
pretty quickly. So like, yeah, he would always get these, you know, full-blown, you know, unhinged
McCurdy, release the crack in engagements, where it's like, dude, how did you get these people
to sign up for like a zero, you know, open scope, which is what you wanted, and half the time,
you know, that's what you wanted, but yeah. People restrict a lot of things, and it's like, dude,
the attacker's not gonna stop just because he told me to only test this last 24 when you have
these other, like, 10 networks available. Like, it's, yeah, and I definitely remember the full-blown
McCurdy phrase, because I'm pretty sure either Richard or Alex mentioned, then like they, you know,
he went full-blown McCurdy. Yeah, that's the part I missed, you know, the consulting part is
doing that type of stuff, but I still sent 10 defined stuff through like, just playing
around with Android, you know, Android games, and just the way people are writing horrible apps
again, but they do it for the mobile platform. I don't know if you've looked at any of that stuff,
but that's fun to look at over the weekends and during spare time, but yeah, there's, you know,
there's always those stories of, you know, like pivoting around or something getting into something,
and lawyers getting involved, they've got had one of those ones where I was working with, you know,
working with a manager, and you just like drop the mic on like the client in the middle of the first,
you know, the first thing, and didn't tell them, didn't give them a heads-up that I had completely
owned them sideways, and you know, lawyers got involved, and people were like flipping out, and I was
told to like, delete everything, and like, so I was like, well, if I delete everything, and somebody
wants evidence, I'm pretty sure like there's the whole, you know, preservation notice type of thing,
so like if we get sued, and I was told by management and the client to like, delete all my stuff,
you know, that's probably not the best thing to do, like, but I did it anyways, just because,
you know, the manager told me to, and the client told the manager to, like, and then I'll know if I
told you the story, but like that, that same client was like, oh yeah, we want another pen test,
but don't bring Robert. I was like, that's, that's the best phrase any client has ever given me,
where they're like, oh yeah, we want another pen test, but don't send that Robert guy.
You just know Robert's so loud. Yeah. That's great. Yeah, that's how you know, you've,
you've created some notoriety here. Yeah, I mean, you never, like, some clients are just a little
update about certain things, so they don't understand some of the technical aspects, and my,
my, my, my, my, my, my goodness, I'm like, slurring words. My least favorite thing is definitely,
whenever you're on site, or doing any kind of external testing, even, is if anything goes wrong,
you will always be the first, like, victim of, like, yeah, you will, like, anything happens,
like unrelated, you know, media or hit their freaking headquarters. Did you do it? You know, like,
that's the first question they ask you, and it's just like, what? I had one, like, that was,
I think there's the end of when I was, like, rolling out of consulting. I, uh, I was, I told them,
like, oh, yeah, I'm going to start testing Monday, but like, I don't want to spend any time
frame. Like, I can start in the evening if I want to, right? 1159 on Monday, PM, right? So,
still counts. So I'm kind of loose with my terminology, and apparently during a day, there was
some kind of freaking network outage, and they're like, stop whatever you're doing. Like,
I'm eating lunch. Like, what are you talking about? Like, I haven't, like, touched your network,
at all, with neat tools, whatsoever. And like, they thought it was me scanning them externally,
but apparently it was some ISP issue, whatever, that was like, causing some kind of outage. And
it's just like, it's always you. So just be aware, like, you know, if you're doing this type of stuff,
just relax. You know, that's, it's, it's, it's super common and just be like, okay,
this is what I'm doing. I mean, here's proof. I mean, I always kept like, kind of just like a loose
log type thing with just like, timing is on my IPs and max just to be like, hey, just in case,
you know, anybody like, did you, did you ARP spoof something? Like, nope, did not do such thing.
So that's even if they didn't understand what ARP is and how ARP is even works.
Gotta, gotta, gotta have some leaps of faith here that people would understand stuff like that,
but yeah, there's definitely run into people that are like, you're a network admin,
and you don't know like this term, like, okay, that's like a basic networking term, you know, like,
yeah, it got to where I had like a little, um, every where I've ever worked when people complain
about something going down or something not working, I have like a little template that's like,
you know, what's the source of what's the source IP? What is the service? What port is the service
running on? Like, when did it happen? Not when Jane came in at 930 on a Wednesday and figured out
that the service was down. When did the service actually go down? Oh, well, it went down at,
you know, six o'clock in the morning on a, on a Saturday and nobody noticed till Wednesday.
Okay, well, that's not when it went down. That's when somebody said it went down. So I had like
stipulations in there of like, when did it actually go down? Not when it was reported.
But when did the service actually go down? And like, when then of course they never give you any
of that information. They always like, it's broken and it's not working. And then, you know,
we come back a day later and they're like, oh, it's, it's fine. It's, don't worry about it. It's,
it's not a problem. It's like, they never tell you the root cause of anything. They're just like,
well, it's working now. Move on. I'm like, okay, so either you're stupid and it had nothing to do
with me and you don't want to tell me that or, you know, whatever it is to win away and magically
fix itself. Like most of this stuff does, you know, it's stuff dies and restarts and whatever.
Nobody knows why it died or nobody cares to figure out why it died. They're just like, I don't want it to
die again. Yeah, it's definitely meant to meet some interesting folks. My one favorite statement that
I've heard from a client was, um, um, they're like, we are experiencing an internal denial of service
attack. I was like, um, like, say that again. And like, we think there's someone inside the
network conducting at DOS. I'm like, I mean, theoretically possible. Correct. Yeah, theoretically
possible. But like, I'm pretty sure it's something stupid. And like two hours later, like, oh, yeah,
you were right. It was our course, which did you go in down? Oh, nice. Yeah. Okay. Because we haven't,
we haven't patched it for whatever vulnerability scanner you use in, in like 18 years. So it,
like, we send it a UDP packet with like some weird link and it, like, falls over on its face when
it gets more than 10 of them. But it's just amazing that people's first idea, not to check, like,
they're not working stuff, you know, don't do some trace routes stuff that could easily tell you
that, you know, something's dropping or just, if you have some kind of monitoring thing that would
tell you like, this thing is down, they assume it's the worst and the craziest thing you can think of
or it's you. So it's like, okay. Yeah. I have learned to like, see some of that side of it.
Because like, a lot of the times stuff I learn when I've done some management is like,
just talking to people sometimes is the easier thing to do, slash the better thing to do. So like,
you know, instead of trying to solve people problems with technology, sometimes it is easier to
just walk up to somebody and ask them, hey, do you have a problem with this or, you know, whatever
the thing is, it's like, yeah, it's easier for us to use technology to answer questions and like,
solve problems. But I've learned now to like, think about the person part of it because that's,
you know, like, I've heard quote, like, like, there's no, there's no, there's no, like, technical
problems, like all problems are really people problems at the end of the day. It's not really
technology that's the problem. It's the person that owns the technology or supports it or whatever
has some kind of preconceived something or other that's causing the issue. And it's like,
half the time it's a people problem and not like technology focused. But,
uh, good times, good times. But, uh, yeah, I appreciate you and, um, you know, um,
appreciate your time and, and whatnot. Um,
yeah, I don't know. Any time you want to ramble or talk about nonsense.
Yeah, I'm down. Um, if you want to come up with some, like, you know, hacker stories would be
something interesting for us to do. Um, I don't remember any of mine. I have some old recordings of
ones that I did, but it's been so long now that I don't even remember any of my stories.
And they're all kind of outdated now. But people tend to like those. So if you want to write down,
like some little notes for yourself. And if you're interested in doing that, we could definitely
do some stories and it might bring up some stories. Yeah, there's a lot. You just got to remember.
Yeah, I got to, like, I have an archive of like the last five years that I can dip into just
looking at the reports. I can tell you the, like stories. Yeah. Um, an example would be, um,
during my escalation, excavates, some of the passwords that I've seen are definitely some of
the best, like, like, um, spelling and, and lead, you know, for money signs for S's and stuff like
that, um, balls deep in salsa was still my favorite. That was a essay password for a database and
production for one of the clients. I was like, who did this, but whatever. But yeah, from the
hacking perspective, yeah, definitely. There's also some blue stuff too, like blue team stories,
like some of the events that we've, like, discovered were hilarious, like, someone's home route
or you're getting compromised. And then that stuff was like pinging their, um, pinging their,
like, um, corporate network because the guy was on the VPN. So like his, his home stuff got
compromised. And then that resulted in like the corporate network getting hammered and we're
getting the alerts. And we're like, where is this coming from? Yeah, but yeah, definitely,
definitely down for that. I mean, I, I did like, kind of sort of a, uh, personal incident response
sort of thing for a friend we could talk about. And like I said, like, like, I just have to keep a
note of kind of go through my history and like, LinkedIn stuff to keep a note of like what I've
been working on. And we can, we can come up some, put some, put some stories or something to,
to talk about. Cause like I said, I'm always kind of doing something little, something funny or
something weird or quirky to play with. It might not be security related, but it's usually
something IT related or whatnot. But cool, cool, man. Well, I appreciate it. And, um, you know,
have fun and I'll send you the, the, the final thing before I post it. Sure. That way if you want
to listen to it and like, say, you know, remove this or add that or whatever, um, give you a chance
to say some, McCurdy edit eight out of 10 weird. That's right. That's right. Cool, cool, man.
We'll have a good one. Talk to you later. Thanks for having me, dude. No problem.
Catch you later. Bye. See you.
You have been listening to Hacker Public Radio at Hacker Public Radio does work. Today's show
was contributed by a HBR listener like yourself. If you ever thought of recording podcasts,
you click on our contribute link to find out how easy it really is. Posting for HBR has been kindly
provided by an onsthost.com, the internet archive and our things.net. On this otherwise stated,
today's show is released under Creative Commons Attribution 4.0 International License.