Darknet Diaries

134: Deviant

Tue, 06 Jun 2023

Description

Deviant Ollam is a physical penetration specialist. That means he’s paid to break into buildings to see if the building is secure or not. He has done this for a long time and has a lot of tricks up his sleeve to get into buildings. In this episode we hear 3 stories of him breaking into buildings for a living.

You can find more about Deviant on the following sites:
https://twitter.com/deviantollam
https://www.instagram.com/deviantollam
https://youtube.com/deviantollam
https://defcon.social/@deviantollam
https://deviating.net/

Sponsors

Support for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker’s Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.

This show is sponsored by Packetlabs. They’ve created the Penetration Testing Buyer’s guide - a comprehensive resource that will help you plan, scope, and execute your Penetration Testing projects. Inside, you’ll find valuable information on frameworks, standards, methodologies, cost factors, reporting options, and what to look for in a provider. https://guide.packetlabs.net/.

Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.

Transcription

0.349 - 24.348 Jack Recider

Antwerp is a town in Belgium. What comes to mind when I say Antwerp? To me, at least, it's diamonds. It's the hub of the world's diamond trade. Well, I imagine if the town is bustling with diamonds, then it's probably also attracting some criminals wanting to steal those diamonds, right? In 2019, a robbery occurred that really took things to the next level.

24.788 - 46.104 Jack Recider

It was actually a bank, and it was situated in the Diamond Trading District in Antwerp. Monday morning, bank employees came to work and checked out the vault, but something was wrong with the vault, and they called the police, who had to force their way into the vault, only to find that the place had been robbed. How, though? The bank had all the right security measures.

46.505 - 55.291 Jack Recider

Cameras watching the bank doors, motion sensors in the bank, and sensors in the vault doors themselves. And everything was secured tight. So how did they get into the vault?

55.812 - 76.146 Deviant Ollam

They went through the, like, probably six to eight foot thick concrete wall. They just boreholed. You can actually see three slightly overlapping, kind of like MasterCard logo interlocking circles, boreholes of about a 12-inch diameter, maybe. And they just chewed through it over time, getting through the wall.

76.166 - 85.534 Deviant Ollam

And they crawled all the way through, did everything they did, and crawled all the way out. Just kind of army crawled through this sandwich-shaped hole. Wow.

85.874 - 100.488 Jack Recider

Drilling through a six-foot concrete wall. That must have taken a very long time. In fact, the criminals spent all weekend down there while the bank was closed so they can make a lot of noise without getting caught.

101.148 - 121.166 Deviant Ollam

And it really goes to show that if everything is... Because the vault had basically been protected to oblivion on the door. And if anyone messed with that door, tampered with that door, tried to torch cut whatever that door... That was where the alarm was. That was where all the sensors were. All the investment was in the door. Because they said, well, what do you do with walls?

121.226 - 136.309 Deviant Ollam

I mean, there's only so much you can do with walls. But you can believe that at least a few bank vaults in Antwerp started looking at their diamonds. And they said, is concrete the only thing that's protecting us? Because we got to at least get some shake sensors in these walls or put one or two cameras in the vault.

136.329 - 139.71 Deviant Ollam

Because if somebody goes in the concrete and they're in there all weekend, well, that's a problem.

140.35 - 162.294 Jack Recider

It reminds me of that Bob Dylan song. You know the one. Lily, Rosemary, and the Jack of Hearts. It's a nine-minute long song, and it's an epic narrative ballad. The story summed up is that Jack had his gang try to drill through the wall into a neighboring bank, while Lily and Rosemary distracted the bank owner, Big Jim. And the whole thing takes place in this cabaret?

162.994 - 171.677 Jack Recider

Lily and Rosemary got the judge and the bank owner drunk while the boys made their way through the wall. And they cleaned out the safe and took off with the Jack of Hearts.

176.419 - 187.543 Jack Recider

These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries.

204.042 - 220.087 Jack Recider

This episode is brought to you by SpyCloud. For some people, ignorance is bliss. But for you, as a security practitioner, that's not the case. I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening.

220.607 - 239.415 Jack Recider

From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right. Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud.

239.836 - 266.646 Jack Recider

With SpyCloud, you have a trusted partner to fight the good fight with. Their automated solutions, which is built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime. To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries. That's spycloud.com slash darknetdiaries.

271.567 - 289.261 Jack Recider

This episode is sponsored by Delete Me. In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit.

289.581 - 304.072 Jack Recider

Anyone on the web can buy your private details to do anything they want. This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. Take control of your data and keep your private life private by signing up for Delete Me.

317.779 - 343.949 Jack Recider

Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20.

348.536 - 369.771 Deviant Ollam

Okay, so who are you and what do you do? My name is Deviant Ollam, and I am a physical penetration specialist. I have been involved in lockpicking, safe manipulation, physical entry, physical bypass, and teaching about covert entry tactics for... Well, well in excess of 10 years at this point, we'll say it that way. Much longer.

370.151 - 384.4 Jack Recider

Okay, so Deviant is a very well-known physical penetration tester. And we're going to hear three stories about how he's broken into buildings in this episode. And the third one is my favorite, so stick around for that. But I want to first quickly catch up about how he even got to this point.

385.08 - 406.153 Deviant Ollam

I was a network person. I was a computer person. I was like a lot of people in the tech world, mostly making my living on a keyboard. And I liked locks and lock picking and door bypassing. I knew about these tactics. It's a very common hobby. But that's, you know, that's your avocation. But I had clients. There was a law office in town. The law office had a sysadmin.

407.429 - 427.516 Deviant Ollam

Small to medium business, one-stop shop, single guy in an office. He ran the show with the IT. And he just sort of rage quit one day. Just, you know, table flip, I'm out of here, and slammed his office door. And it was a pretty crappy law firm, so I'm not surprised. But... When he left, the staff kind of looked at each other. I don't know if he's coming back.

428.137 - 436.019 Deviant Ollam

Are we supposed to do something if that happens? Because he's got all the passwords. He's like, what are we doing here? And of course, you do need to put a plan into place.

436.039 - 453.447 Jack Recider

They just didn't have one. So they called up Deviant to come help recover the network. And he went down there, but the network room was locked and nobody could find the key to get in. So they called a locksmith to come try to get the doors open. Now, because Deviant had a little practice picking locks by that time, he took a look at the door.

454.028 - 472.005 Deviant Ollam

I'm looking at just your standard office, standard, you know, standard regular building. And I'm looking at the doors and the little badge readers, but nothing serious. And we get to this windowless door, the end of the hall, you know, sysadmin, IT room, some network, whatever name badge on the door, but it's just a regular door, little badge reader on the wall.

472.065 - 487.698 Deviant Ollam

And I said, this is, so it's not like a data center door. This is just a regular door. And they said, yeah, but you know, none of our badges work on the door. And we don't like the, we don't apparently even the head, you know, partner doesn't have a key. His key, we thought it was supposed to work. We'll have to talk to building management about that.

488.419 - 506.005 Deviant Ollam

And I said, okay, well, can I try something for a second? I mean, I'm looking at your doors and I, you know, pick up the equivalent of a TPS report and just kind of rip the cover off of that. And I said, well, here, if I kind of, and I just shoved a, you know, I shimmed the door. I just popped it in, slid, the door popped open. And I was like, well, all right, cool.

506.325 - 524.123 Deviant Ollam

Well, cancel the locksmith, I guess, save you a couple bucks there. And I just breeze on into the room. I'm sticking flash drives in and the old Pnordal NT boot tool. I'm rebooting machines and getting, you know, restoring local admin access. Okay. Resetting passwords. I mean, what was his name? Okay. So I see his user. I'm just going to kill his user.

524.604 - 541.944 Deviant Ollam

There might be maybe backup accounts he made for maintenance, but I don't see immediately a way to... that he's getting in, you're probably fine. I'll send you a bill. We're pretty good, man. And I hand, you know, here's your piece of paper. So here's your new root passwords. And the guy, you know, the keys to the kingdom, he takes it. He goes, yeah, yeah, sure, root password, sure.

542.244 - 560.929 Deviant Ollam

And just kind of puts it in his breast pocket. What'd you do to that door? And I was like, oh, yeah, your doors are all installed with these electronic strikes. They're actually – it's a super common vulnerability. You can speak to whoever your integrator was about that. And he's, hey, Steve. He brings this guy. Come here. Can you show him what you did to that door? And I was like, yeah.

561.129 - 575.977 Deviant Ollam

Do you want to show it at your office? I'll pop your office. So I'm just popping doors open. And it bugged him out. And they said, oh, my God. And that became the story of the day at the office. Not the sysadmin who quit, but this kid who came in and opened all the law partner's doors.

576.497 - 597.565 Jack Recider

This resulted in them calling him back to the office to do a full penetration test. This law firm did not like that those office doors could be opened with just a basic folder, by just shimming it in between the latch and the door. And they wanted to know what else in this building was not secure. And this got Deviant even more into bypassing doors and picking locks and breaking into rooms.

598.145 - 608.49 Jack Recider

Deviant was good friends with Dark Tangent, who's the organizer of the hacker conferences Defcon and Black Hat. And Dark Tangent told him, this lockpicking thing is really catching fire.

608.53 - 626.796 Deviant Ollam

You should do a training at Black Hat. I want you to propose a Black Hat training about lockpicking. And I was like, no one's going to pay money for that. He said, no, trust me, trust me. You know, I think it'll be hot. You should do it. And yeah, so that became my career was a law firm who quit and a dear friend who said, hey, people pay money for this knowledge.

627.196 - 648.005 Deviant Ollam

Those two forces together really kicked off the idea of doing physical security consulting for me and my main colleague through all this has been Babak Javadi. He and I have more than one company at this point doing training, consulting, advising, and I get to break into safes on army bases. It's quite a career, all from a few little things that you trip over as opportunities.

648.925 - 670.256 Jack Recider

The first DEFCON I ever went to was DEFCON 17 in 2009 at the Riviera. And that's where I went up into the lockpick village and saw Deviant demonstrate how the inner mechanics of a lock worked. And he put a rake and tension bar in my hand and had me practice how to get a lock open. I was fascinated by what he taught me that day. And that's where I bought my first lockpick set.

670.717 - 689.466 Jack Recider

And the lockpick village has grown since then. I also remember a contest that year, which had people try to escape from jail. The premise is that you woke up in a jail, but you had your lockpicks with you. So you have to first undo your handcuffs and then pick open the cell door and then pickpocket the guard and then get the lock open to the jailhouse. It was hilarious.

690.106 - 707.651 Jack Recider

And there are a million ways to get a locked door open. You don't always need to pick it. In that law firm, it seemed that the latches in the door were installed incorrectly. And by putting a piece of plastic between the door and the frame, you could shim it open. I've also seen whole doors installed backwards where the hinges are on the outside.

708.011 - 725.496 Jack Recider

So you could come in with a hammer and nail and just pop the hinges off and take the whole door off without having to touch the lock at all. And so throughout the years, Deviant has been getting better and better at understanding locks and doors and physical security measures, and I consider him one of the masters in this space.

725.916 - 731.297 Jack Recider

In fact, I'm willing to bet that Deviant has actually given more talks at security conferences than anyone else.

731.617 - 754.338 Deviant Ollam

Someone did the math, and I think they said one of the few people who's talked more than I was the late and wonderful Dan Kaminsky. But again, I just would say yes to everything, and I would drive or fly just because I love talking about this. So yeah, it's well in excess of 300 or 400. That was the last time we checked, and that was years ago.

754.358 - 779.117 Jack Recider

300 or 400 talks about physical penetration testing. Yowzers. How in the world am I going to fit all that information into a one-hour episode? Hmm. All right, I got a plan. I think I'm going to take a break, play Elden Ring for like 200 hours, and then listen to like as many of his videos and then come back later. Okay, that was fun. And through the magic of editing, I'm back.

779.277 - 784.659 Jack Recider

And there's some good stuff that he talks about there. My favorite talk of his is this one.

784.859 - 792.441 Deviant Ollam

So yeah, this is the elevator hacking talk. This is the talk that we were told had to be on Sunday. Because... Because reasons.

793.171 - 813.765 Jack Recider

Because here's the thing. This is a full one-hour talk of him and his friend Howard Payne going over so many ways that you can take over an elevator, hack an elevator, and make it do stuff that you shouldn't be able to do. But since this was a talk in Las Vegas where there are a lot of elevators, DEF CON was a bit worried about what people would do with this information.

814.045 - 835.223 Jack Recider

So they pushed the talk back to be on the last day and the last talk of the last day when people were flying home. So it was kind of a hidden talk where most attendees had already gone. But it's the most watched video of all of DEF CON's videos on YouTube. And so it's no secret anymore. And I think you should watch this video too on elevator hacking.

835.523 - 854.571 Jack Recider

It'll make you think differently about elevators after you see it. Like, for instance, you may have been in an elevator where you couldn't get to certain floors unless you scan a key card. Deviant can bypass that. He can get on an elevator and then get it to go to whatever floor he wants. He shows you that there are some common keys that a lot of elevators use, and they aren't hard to get.

854.951 - 868.678 Jack Recider

So elevators aren't as secure as you think. You should probably consider them to be like doors, where you really should test the security of them, and not like an elevator, which is just some mysterious box that goes up and down that only the elevator technician knows how to control.

869.298 - 885.568 Jack Recider

It's one of those things that I just never thought about, that's something you need to secure in your building or office. And that's what's fun about Deviant, is how he has all this knowledge of bypassing physical security measures, and then he loves teaching that to others. I just imagine you at this point having...

886.628 - 907.943 Jack Recider

I don't know, some sort of matrix style view into locks and security mechanisms that you see. Like when you pop into an elevator, you just immediately start looking at what kind of key is in this elevator. How can I turn it on off? Any door that you look at. Is that true? Are you just kind of like zoomed in on any lock you ever see?

908.203 - 924.535 Deviant Ollam

It sounds silly, but I love that you said it, not me. But it's true. There's even a talk I made about this phenomenon. I call it Eyes of a Thief. And corporate audiences kind of like that one because you walk them through just galleries of images and videos. And I say, well, here's what you see. Now here's what I see.

924.555 - 942.41 Deviant Ollam

And I zoom in and I say, here's this exploit, that exploit, bang, bang, bang, bang, bang. And my wife is very used to the phenomenon of us walking down a city street and she'll be talking, she'll turn. And I'm two steps back because I paused to pivot and take one picture of this building or that car or this fixture or this device. And I'm, oh, that's going in the slides.

943.223 - 964.236 Jack Recider

There was a strange paradigm shift when it was you who taught me how to pick a lock for the first time, right? And I brought it home and I showed my friend and it just so happened that my friend's mother was a locksmith. And she's like, you are not allowed to know this. Like, I asked her in the past, like, hey, can you teach me how to pick a lock? She's like, nope, I'm not allowed.

964.577 - 986.375 Jack Recider

I got, like, a locksmith code I can't show you. Like, it's just, sorry. And so when I came home and I said, here, let me try opening your front door. I want to see if I can do it. And she saw the tools that I had. She was just flabbergasted by it. And it gives me this kind of weird thing of, like, this is kind of sacred knowledge. Why don't locksmiths, why aren't they physical penetration testers?

986.415 - 1005.584 Jack Recider

Like, how come that wasn't just an easy, hey, like you said, on that job you had, we need a locksmith here. They didn't think, well, let's get a physical penetration tester here. And a locksmith doesn't consider themselves a physical penetration tester. So why is there a gap there? Why isn't it all blend together? Do you have any thoughts on that?

1005.964 - 1025.28 Deviant Ollam

Yeah, I think the real thing there that you hit on perfectly is the guardedness of knowledge in the old world of the trade of locksmithing. If you're doing a physical penetration test, the value isn't in the success of the tester. It's in the deliverable. It's in the report, the knowledge that they will give you.

1026.181 - 1046.953 Deviant Ollam

And giving out that knowledge, physical pen testers, yes, we are many times locksmiths, but much like Penn and Teller are magicians, but part of their whole shtick over the years has been showing the audience how they did the trick. And there are some magicians that think that ruins it, that it takes all the shine and polish off of it and the magic is gone.

1047.493 - 1068.886 Deviant Ollam

But I think that showing the execution, if it's elegant and well done and impressive, it doesn't take away, in fact, it enhances the audience's appreciation for, wow, I would not have been, like, even knowing how it works, I would take five years to learn how to do that trick properly. Same thing with us. I can show you how it works, but it's not really taking away

1069.964 - 1093.954 Deviant Ollam

money out of my pocket or opportunity out of my colleague's portfolio if people know how my job functions. They're not all going out immediately trying to do this job. There's, as you say, that sort of comprehensive knowledge of being able to walk through a space and instantly look and recognize every little detail that comes with years of experience. So I'm not surprised at your friend's mother.

1094.914 - 1114.408 Deviant Ollam

I'm not even disappointed. For the longest time, that was just part. I was deeply ingrained in the trade. And why aren't locks, even now as knowledge is opening up, why aren't they getting into penetration testing? A lot of them, even with their knowledge as locksmiths, they can't quite do what we do. And they're frankly making far, it's a very different business model.

1114.428 - 1115.508 Deviant Ollam

They're making far too much money.

1116.288 - 1135.455 Jack Recider

Huh, that's really interesting to me. If you want someone to break into a place for you, call a locksmith. If you want someone to break into the place and then show you how they did it, call a physical penetration tester. And while that skill set of both roles overlaps in many areas, it's just two different mindsets, really.

1137.051 - 1142.364 Jack Recider

What is your percentage on, like when you're going on physical assessments, percentage of getting into a building?

1142.85 - 1162.546 Deviant Ollam

We've never not gotten in. You're always going to get in. 100% success. 100% success in terms of entering the building. Yes, every building we've ever seen, we've been able to enter, sometimes quickly, sometimes it takes a while. The question is, are we detected? Is there a response? How competent is that response? Can we talk our way out of it?

1163.086 - 1175.054 Deviant Ollam

I've interfaced with guards and had a good story, had an excuse for being there. Okay. Thank you for your time. All right. Sorry. Well, next time have an escort when you're in this area. I said, okay. Guards.

1175.554 - 1191.553 Jack Recider

I want to hear these stories about guards catching him. From scouring his videos, I found three stories he has that I think are great. So let's get into them. So this first story starts out where Deviant was hired to break into a building to test its security.

1192.074 - 1210.242 Deviant Ollam

Their objective was to affect network access either externally from the parking lot, you know, a cantenna where nowadays, you know, we're not poor hackers anymore. You get a nice Yagi. But trying to pick up on, you know, the building's Wi-Fi. They said, did we, does the Wi-Fi leak? Or you can try to make internal, you know, connections.

1210.802 - 1224.573 Jack Recider

But it wasn't the company itself that hired Deviant. It was another penetration testing company that got this job. But what they were good at was hands-on keyboard type of activities. And what Deviant is good at is physically getting into buildings.

1225.153 - 1236.843 Jack Recider

So this other pen test company hired Deviant to essentially team up with their computer guy to get him into the building to plant computers in the network and gain remote access to this building.

1237.503 - 1256.617 Deviant Ollam

So he was going to get in the building with me, find an unused network port or compromise a network port in a conference room, and then basically just, do they have MAC filtering? Do they not? Can I get a device to connect to the network? Can I not? Let me see if I can get this little drop box headless computer, and then it would backhaul off-site.

1256.718 - 1267.848 Jack Recider

So he didn't have physical access experience. That was your job to get him in, and then once you get him in, you're going to keep watch, distract people, stall, whatever you need to do to let him do his job.

1267.988 - 1269.129 Deviant Ollam

Yeah, yeah.

1269.169 - 1271.151 Jack Recider

It sounds like a good crew there. It's great.

1271.171 - 1273.052 Deviant Ollam

Like two high skill sets together.

1273.252 - 1273.713 Jack Recider

Okay.

1273.733 - 1292.368 Deviant Ollam

And it's a mutually beneficial relationship. It allows us to specialize only in what we're good at because I am, again, not a keyboard jockey these days. And it absolves a lot of headache and liability from the primary consultant team. They say, I don't want to touch that elevator. I'm not qualified. I'll touch the elevators. So what do you bring to this engagement?

1292.868 - 1304.736 Deviant Ollam

So I had kind of a little field bag on me of some bypass tools, some lockpicks. I did have my elevator keys. I'll have an underdoor tool. I'll have door shims, a mini knife, kind of your typical kit.

1305.076 - 1324.209 Jack Recider

Deviant checked out the building just to get a good understanding of what's there. Just driving around into the parking lot and sitting with his car and watching what the building is doing. Like, okay, there are security guards there, but they never go outside to patrol anything. They just sit at the front desk all day. On top of that, the building was very quiet.

1324.369 - 1347.947 Jack Recider

Not many people at all are coming and going. And this made him think that they probably put all their security at one single point of entry. And they may not have secured the back doors very well. So after monitoring the place for a while, it was go time. Deviant and the other computer guy go up to the building in the middle of the day. They wanted to find a way in.

1348.568 - 1367.768 Jack Recider

The two of them started looking around the building for a way in. They found some side doors, but they were locked tight. No clear vulnerability either. Deviant might have been able to bypass those doors, but he wanted to find an easier way in. You know, that demonstrates a simpler technique that lets just anyone walk right in with, like, maybe no tools at all.

1368.389 - 1389.55 Jack Recider

So he kept looking around the building, but was having a tough time finding an easy way in. All the doors were locked tight. No windows were open. No poorly installed door or anything. So he goes back to that side door he saw earlier, and he wanted to take another look at it. Maybe there's something there. Now this side door was a double door.

1389.59 - 1406.442 Jack Recider

Like you first enter one door and then there's a little room, a vestibule, and then there's a second door that you need to get through to get into the building. And when he looks for a way to get in through a locked door, he has a little checklist in his head that he runs through. It's not like he has some magic tool that he just puts in the lock and the door immediately opens like on TV.

1407.082 - 1420.571 Jack Recider

He first analyzes the door and looks it over. He'll first just tug on the handle and see if it's unlocked. Then he'll look at the hinges. Maybe it was installed backwards. Then he could just unscrew the door. Then he'll look at the gap between the latch and the strike plate.

1421.092 - 1434.642 Jack Recider

If this is too wide or missing parts or installed wrong, he can use tools to get in there and open the latch from between the door and the door frame. In fact, any gaps at all between the door and the frame can be exploited. But this door had no clear vulnerabilities like that.

1435.422 - 1461.346 Jack Recider

So then he starts looking at the whole thing backwards. Instead of getting into this door, how do people get out? Is there a crash bar that you just push from the inside, which unlocks the door and opens it? Well, he looked through the window, but he didn't see that. He didn't see a handle on this door that you could turn or unlock either, which made him realize what kind of lock he's dealing with. It wasn't a mechanically released door. It was electronically locked.

1461.846 - 1480.946 Deviant Ollam

And you can also tell if you're yanking on the door and it's very clearly being held shut, maybe with the very top, but the bottom of the door is wiggling by a quarter inch, half inch. You're like, all right, that's a mag lock. That's a magnetic lock at the top of this door. I'm pretty sure we electronically can release that mag lock either looking around.

1480.986 - 1501.662 Deviant Ollam

You don't see any push to exit buttons through the windows. No, it's got to be looking through the window some more. It's got to be a sensor somewhere. Where is that REX sensor? Normally, it's right above the door. And eventually, we had to look through another window from the side, and my buddy I was with, he's like, oh, my God, is that it? Is that it? Where the heck?

1501.722 - 1507.025 Deviant Ollam

It's almost like down and to the right. I said, by the other door? Oh, my God, yeah, that's where they put it.

1507.265 - 1519.112 Jack Recider

Okay. Okay, so there's a motion sensor. If Deviant can trigger that, it'll unlock the door. But it's a good 10 feet inside the door. So how? How?

1521.32 - 1545.653 Deviant Ollam

It has a request to exit sensor or REX sensor. These sensors are very common in physical access control environments, which will detect egress events, impending egress events, and they do it through motion sensors. Most of these are infrared, simple passive infrared sensors. If they sense a change in temperature, they presume that must be an individual making their egress from the building.

1546.818 - 1567.237 Deviant Ollam

Okay, no problem. So how can you exploit this? If you're on the outside of the building, do you throw a fire stick under the door, like a road flare, make it hot? Well, you don't have to do anything quite like that. What you can do is take a can of compressed air, or if you're very fancy, you go to a scientific supply shop and you get a can of like tech spray or freeze spray,


1567.938 - 1587.698 Deviant Ollam

The idea being if you spray into the air a little cloud of propellant, a little refrigerant cloud, it will boil off in the atmosphere and make a very cold patch of air. You can do this to open doors. You stick the little straw through the door crack, blast, and all of a sudden you hear a click. Oh, that's the lock. Okay, the lock is released. Open the door.


1588.689 - 1605.435 Deviant Ollam

This was like that, although the position of the sensor was much further down in the vestibule. It was a double vestibule kind of door. And I said, oh man, I'm trying to spray the air, spray the air. And we literally killed one can of propellant. And I said, oh man, we're going to have to go back to OfficeMax or something. Eventually...


1606.522 - 1628.392 Deviant Ollam

I was able to rig up a long, skinny straw that I could feed all the way through, kind of snaking it down this vestibule, and almost like a wacky, waving, inflatable arm of a flailing tube man. It's... Looking way down at the end of the vestibule, you see this straw spinning its way all through the floor and this cloud going everywhere, and the door finally popped open.


1628.712 - 1630.093 Jack Recider

And that was on the floor.


1630.313 - 1645.885 Deviant Ollam

You went under the door. We had to go all the way under to keep it as straight as I could on the floor, and it wanted to curve around. But eventually, I got this door to release. So you hear a click, and then you know the door's unlocked. Thank goodness, too, because this was a good 45 minutes of poking and prodding and going back to the shop. Okay.


1646.585 - 1656.014 Jack Recider

Okay, so they successfully made it into the building. Now they need to find an open network jack for the other guy to plug his computer into to try to hack into the network.


1656.574 - 1668.605 Deviant Ollam

And we find a little conference room thing. And I said, okay, look at the, oh cool, Polycom phone system. And there's an RJ45 connector. I said, do you want to try this jack? And he looks in his backpack and he goes, oh no, I didn't bring the drop box.


1671.024 - 1687.914 Jack Recider

A drop box in this case is a little computer that you can just plug in and leave behind and then try to access it from somewhere far away, like back at the hotel. But this guy forgot it. I guess he was configuring it the night before and just forgot to repack it. And it's back at the hotel. He said, well, go back.


1688.034 - 1698.88 Deviant Ollam

You go back. You take the keys. Here you go. Take the car. Go back to the hotel. I'm not leaving the building. We took so long farting around with that door. I'm going to stay in this building. I can just let you back in.


1699.56 - 1725.35 Deviant Ollam

when you get here. And he's like, man, I mean, the hotel's 10 minutes away and I gotta get the thing, come back, that, I could be gone half an hour. You're just gonna sit in this conference room? I said, no, I'll find somewhere to hide. So what I did is I chose to look around a little bit, and I was looking for kind of an empty office or maybe a janitor's closet. Those are nice. If the janitor's not around, you can break into the janitor's closet and just sit in there silently, because the guards aren't going in the janitor's closet, the staff aren't going in the janitor's closet.


1726.01 - 1743.968 Deviant Ollam

If a janitor comes along, you gotta, you know, say, I just had some anxiety. I work here. I needed a place to chill. Or pretend you're doing drugs. I don't know. And you say, I promise I'm going to rehab. Don't tell me. Don't narc on me, buddy. But no, I didn't find any good closets or anything. I found an elevator. And I said, okay, well, we got an elevator.


1744.028 - 1765.719 Deviant Ollam

It's got no windows in the elevator cab. No, I didn't see any cameras. I'm just going to stay here, bro. And he's like, really? I said, yeah, I'm going to put the elevator on independent service, which is like a local admin mode that removes it from general dispatch demand around the building. So this elevator cab will not answer hall demand that other people might be registering, placing calls.


1766.219 - 1782.448 Deviant Ollam

I said, I'll just stay in the elevator. There was even a little locked panel that I popped open. And I said, there's even a little power plug in here. I can plug my phone in. I'm just going to hang out. I could just scroll Twitter, read posts on the internet. I said, you go to the hotel, get what you got to get. Message me when you're on your way back. I'll let you in.


1784.13 - 1806.88 Deviant Ollam

I thought this would be half an hour of me just getting paid for free. It turned into hours. And I was like, I was messaging him like, hey, man, did you get to the hotel? Did you go to the wrong hotel? What is happening? Are you, did you fall into a bathroom? Do you have some bowel distress? And so I'm thinking, what is going, finally, I got an answer where he's like, yeah, it's not going well.


1806.9 - 1815.789 Deviant Ollam

And I said, what's not going well? And he's like, I'll tell you when I get there. He sounded a little frustrated. I said, hey, I'm getting paid by your company either way. I'm on the clock. Back to Twitter.


1817.662 - 1839.022 Jack Recider

Two hours go by. Deviant keeps messaging the guy, what's going on? He says he had to finish setting up the drop box, but he couldn't get the keyboard to work to configure it. So he was trying to use the on-screen keyboard and use a mouse to type out every command, and it was just taking a super long time. So Deviant continues to just sit and wait.


1840.083 - 1858.232 Deviant Ollam

Then, suddenly, I hear this really, you know, boom, boom, boom, boom, boom. This pounding noise sounded like it was on the hoistway doors, just someone banging on the doors of the elevator. And I went, holy crap. Do they know I'm in here? Have they spotted me? And I'm looking, maybe there is a hidden camera. What's going on? And I said, no, calm down, calm down.


1858.312 - 1876.165 Deviant Ollam

It's like if you're camping, everything sounds loud in the woods. A deer could walk through your camp at night and you think it's a bear. But I said, no, all right. I look at my phone. All right, it's like after five at this point. This has got to be the cleaners. They must be, I don't know, getting fingerprints off of the hoistway door chrome or something. I don't know.


1876.545 - 1892.248 Deviant Ollam

But I just said, no, it's fine. And I stayed in there a little longer. I really wanted to start to use the bathroom. Thank goodness my buddy's like, all right, I'm coming back to the hotel. I'll be there in a minute. Okay, elevator back to automatic. Go back to the lobby, open the doors. And I said, I'm right near the vestibule. I'm going to head toward it.


1892.288 - 1899.799 Deviant Ollam

But just, I don't know what made me turn and look as the elevator was shutting itself automatically. I noticed that there was...


1901.141 - 1929.195 Deviant Ollam

literally a notice that somebody had taped on the doors. Because I had been sort of in between two floors, I've been a little bit off platform, but I could hear I was right near the lobby level. They were in fact hitting that door, but they were, it was a security guard taping a notice that said, this elevator out of service, yes, we're aware of it, we're looking into it, please use, you know, elevators on north bank of the building. And I went, oh man, somebody noticed I was in there. Just thank goodness they didn't think I was there. I let my friend in.


1930.222 - 1951.741 Deviant Ollam

He's in the building now. Thank goodness we didn't have to fight with the long straw. All right, back to the conference room, back to the conference room. Okay. And we barely got six or seven steps down the hall when around the corner, we see a guard. Because now we're the only ones, now it is a little weird. At this point, yeah, what are you doing? It's after five, this place is dead.


1952.582 - 1970.539 Deviant Ollam

And the guards look at him, look at me, and my friend is like, oh, what's going to happen here? The guard immediately saw that I had, because I was in the elevator for so long, I had put a little badge on that just said Otis. You know, I have a variety of little badges in my kit. And he went, looked at me, looked at my Otis badge, and he went, oh, you guys got here fast.


1971.319 - 1986.087 Deviant Ollam

And I was like, yeah, I heard there was a report. And I, you know, I just, I lie for a living. I just dropped into it. My friend, I don't know if he was nervous or not, but I said, yeah, I heard you had a problem with one of your passenger elevators today. They pulled us off of some other job because you're paying for this elite care service.


1986.107 - 2005.66 Deviant Ollam

You've got a good tier of service package with us here at Otis. Point me at the problem. Let's get you squared away. And he proceeds to lead us right back to that elevator where I had been with the notice still taped on the door. And he's like, this frigging thing, I got calls all afternoon. So now I like this. I like that this guy, he's invested in the problem. He's invested in it being solved.


2006.44 - 2024.733 Deviant Ollam

And I said, oh, man, and it's the only elevator in the bank. You don't even have other cabs. Your phone must have been ringing nonstop. He's like, oh, well, there's not a lot of people in here, but they still let me know about it. I said, well, let me see what I can do, sir. I pull out my keys. I still have my keys. The keys will turn, obviously, in all the key switches.


2025.314 - 2041.222 Deviant Ollam

So I have the trappings of legitimacy where I, A, look like I have credentials, B, I'm sympathizing with his problem. I can express familiarity with his problem. And then C, I am pulling, casually pulling implements out of my pockets that clearly work in the system.


2041.942 - 2062.511 Deviant Ollam

If you were in a parking lot and you saw somebody with a red blazer and you thought they might be a valet and they say, oh, is it really busy in the restaurant tonight, sir? And then they are holding a key that opens a car door. Well, that's gotta be the valet. They're doing all the things that I've seen valets do. So this guy just thought, well, he's obviously the Otis guy.


2062.871 - 2082.033 Deviant Ollam

And I'm rattling off some techno jargon and I'm turning key switches that don't do much, but I'm claiming, oh, I'm resetting the door sensors. Now this will reboot the door operator if we hold it for three seconds. Here, let's everyone step into the cab for a second. Let's let this door close. So now we're bringing the guard with us and the doors close. And I say, all right, well, that's good.


2082.053 - 2097.568 Deviant Ollam

Let's try door open. No, we're still level. We're not misleveled. Sometimes a mislevel event can cause the doors to jam. Let's try to go up a few floors. So he just starts taking us up to other floors, floors that I didn't have credential access to. But he's going up floors and we're stuck in platforms pretty well.


2097.608 - 2115.821 Deviant Ollam

I'm pretending to measure the platform leveling because, again, I have just enough industry knowledge to speak to what you're expecting a technician to do. I'm actually a, you know, I'm a trained life safety fire door inspector. Not because I do that for a living, but because I can walk around a building. If anyone catches me and say, what are you doing in here?


2115.841 - 2134.531 Deviant Ollam

I can say, what are you all doing in here? Because these fire doors are not to code. And I can rattle off all the different, the signage is wrong. The glazing is this. You can't have appurtenances that interfere with that. So I look like a technician. We're getting up. We finally get to the top floor, which is a really juicy floor in this building. And I say, let's walk around for a minute here.


2134.551 - 2152.275 Deviant Ollam

You said there's another elevator. I'm pretty sure this one's fine. But let's try the South Bank elevator, the North Bank elevators. And now the guard is so used to being in our company that even anyone else who's in the building who sees us on camera or in person, well, this guy has been with the guard, so he must belong here.


2153.155 - 2168.885 Deviant Ollam

And I start spinning a story about, do you have a room with a bunch of computers in it? Because your elevator controller would be in that room. It would not be in that room. I said, but where's the elevator? I can look for the error log data on the elevator controller. We can try to troubleshoot it because you don't want to have us coming out here again and again.


2169.065 - 2183.012 Deviant Ollam

Those stoppages, that was no fun for you. So yeah, the guard took us to, he's like, well, I walk around every night and this is the one room. It's got all these fans in here. So he takes us and I think my badge works. Boom. And he badges us into the server room. And I say, all right, well, you help me look.


2183.032 - 2192.135 Deviant Ollam

There's going to be a bright neon green server, which is, again, I'm making that up, but I'm giving him a wild goose chase. Do you turn to your buddy and be like, this is the moment.


2192.295 - 2192.595 Jack Recider

Oh, yeah.


2192.635 - 2209.099 Deviant Ollam

You need to go now. He was tracking at that point. He knew it was up, and he was amazed that it was working so well. But he was ready to go. A good friend will see you lying, and it's all improv. It's all yes and. You just go with it. You build the world with them that they're trying to build.


2209.659 - 2227.524 Deviant Ollam

So my buddy, he had the drop box kind of under his arm like it was a multimeter, ready to plug into something. And the guard goes down one aisle. I go down another aisle. Do you see it over there? And my buddy, of course, he's plugging stuff in. He's plugging in flash drives, watching, you know, documenting. And the guard eventually says, well, I can't find it. We can't find it.


2227.544 - 2240.793 Deviant Ollam

I said, all right, that's all right. You know, it's working for now. I'm going to write it up. I'm going to write it up as a priority ticket. We'll get you squared away. What was your name again? And he gave us a name. I said, okay, well, we're going to walk around, just check. There's a few other lifts and other buildings.


2241.714 - 2260.226 Deviant Ollam

If anyone else is on premises and they ask what we're doing, I'll just tell them to talk to you. But thanks for all your help. It's all good. And he was so happy that, yeah, we stuck around. Just in case we got challenged, because you want to give the client a win. You want to try to see, will anyone push back on you?


2260.686 - 2281.227 Deviant Ollam

It's not about getting away so clean and so, if you work for the government and you're spying on a foreign adversary, sure, you want to get away and not experience a mortuary event. But if you're doing a corporate test, you want to see what their reactions are. If this staff didn't catch you, interface with a different staff member. If this building didn't stop you, try a different building.


2281.727 - 2294.935 Deviant Ollam

Where are the good as well as the bad in their security posture? But yeah, we wound up walking everywhere for quite a long time. We got into everything at that facility at the end of the day, and digitally and mechanically and physically, yeah.


2295.635 - 2312.661 Jack Recider

There are three things to test when testing a company's security. You can test the physical building itself, you can test the people in the building, and you can test the electronics. This one tested all three. But there's kind of a moral code that Deviant has when testing people, or otherwise known as social engineering.


2312.681 - 2331.337 Jack Recider

I mean, here he tricked a guard into making him think he worked for the elevator company, but he also gave the guard many opportunities to check his credentials or verify who he is. Gosh, even if just the guard decided to give him a visitor's pass and took their names down, that would be better than nothing, right? So there were lots of training opportunities for this guard.


2331.817 - 2345.791 Jack Recider

But bad guys don't really have these moral codes. They might wrestle the guard to the ground, tie him up in the elevator, or break some windows to get in. I mean, it's possible to figure out where the owner of the company lives and kidnap their kids, holding them for ransom for some company data.


2346.372 - 2364.781 Jack Recider

But as a social engineer, you really want people that you trick to feel better for having met you instead of feeling awful because you screwed them over so bad. But where exactly that line is, it's hard to say, though. We're going to take a quick break here, but don't go away. We have two more stories from Deviant when we come back.


2367.668 - 2385.187 Jack Recider

Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.


2385.748 - 2403.949 Jack Recider

But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can.


2404.489 - 2421.958 Jack Recider

Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.


2422.378 - 2452.864 Jack Recider

Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. Deviant Ollam breaks into buildings for a living. He's well known for it. So a company in Kansas heard about him and hired him to come out to test the security of their building.


2453.384 - 2455.545 Jack Recider

And it was a small town, man.


2455.585 - 2478.241 Deviant Ollam

It was a small town. So this was a company doing large sort of, you know, blue collar industry in a small town where I'm not from. And the only thing I got going for me is that I'm a middle-aged white dude. And that's where my flex ends. Because I don't know people in this town. I can't speak to the widgets and wonkets that they pack into boxes and parcels and drive out on a big rig.


2479.502 - 2480.282 Deviant Ollam

I was going in.


2481.903 - 2498.461 Jack Recider

We'll see how this goes, boys. Being so far away, he had to fly out and rent a car and then drive to this town. And he didn't go alone, of course. He had two others with him who also worked at his penetration testing company. And one of his teammates brought his dog with him. She's a search and rescue dog.


2498.481 - 2516.032 Deviant Ollam

She's amazing. She's a dog so perfectly trained. You could let her off the leash. And she knows commands where she could, you know, run and just kind of be hidden in the woods. And so now he's a guy walking around with a leash. And who doesn't want to help a guy with a dog leash? Of course, you got that beautiful dog of mine. So eventually, you know, he'll call, she'll come running out.


2516.072 - 2518.273 Deviant Ollam

If he gets challenged by, oh, here's my dog. Thank goodness.


2518.934 - 2527.758 Unknown

Holy cow, the dog is a social engineer too. It's part of the act. Go hide while I pretend to look for you and wait for me to give you the secret command before you come.


2528.479 - 2536.503 Jack Recider

Oh man, I never thought of packing a dog in a physical penetration testing kit, but they're going to need it because this place looked really hard to get into.


2538.123 - 2557.92 Deviant Ollam

The goal was to demonstrate access to, quote, sensitive areas. We had a list of sensitive areas, manufacturing areas, certain people's offices that were in charge of critical functions. If we could demonstrate, we could tamper with end product before it goes to market, that would be bad. No, no, you just tamper. It means you touch hands on this one machine or this one package and take a picture.


2558.741 - 2577.833 Deviant Ollam

So why don't you think you can get in? What's the thing there that you're like? It was a small crew. I mean, it was maybe a dozen employees on any shift and everyone knows each other. And it's not an environment that was open to the public. So it's not like customers or visitors were coming and going, which is much more common in offices, you know.


2578.893 - 2599.016 Deviant Ollam

Yeah, if we were on site, not to mention we had to read all their briefing materials on their OSHA regs and their best industry practices. So if you're in a production environment, you've got the hard hat here, you've got this, you've got the earplugs. Otherwise, the foreman will be saying, who is that person? Who let you in here? Jag off. So we wanted to minimize contact with humans.


2599.657 - 2620.231 Deviant Ollam

We would go at night, we said, and we would try small town America, you play to what you think is going down, you say, it's either gonna be Saturday night football or Sunday everyone's maybe at church, I don't know. So Saturday night, we started to weaken the target. So we'd approach. We would remove card readers from their mounts. It turns out there was an open campus.


2620.271 - 2638.028 Deviant Ollam

You could walk onto the grounds. There were no fences. But we would remove card readers from the wall. We would install little interception devices behind the card reader, put them back on the wall. It's a device called an ESPKey. We're going to check a few doors. The doors are all tight as a drum. We'll compromise the card readers.


2638.629 - 2662.937 Deviant Ollam

Hopefully, somebody coming or going on a late shift, because they worked in three shifts, maybe someone's going to use a door and we'll be able to compromise the credentials when we come by tomorrow. Sunday, we asked, do you have any hours on Sunday? They said, no, it's pretty thin on Sunday. Okay. I mean, production environment, the actual factory was running, but the offices were dead on Sunday.


2663.933 - 2676.281 Deviant Ollam

We did okay. Come by Sunday morning, and we drove by the parking lot, just pulled in and pulled out enough that I could dump the remotely. I could radio into the interception devices. I got some credentials.


2676.362 - 2695.435 Jack Recider

Good. You caught all that, right? There are RFID key cards that employees use to unlock doors to get into the building. Deviant installed a card sniffer behind the real card reader, and someone badged in during the night, and his sniffer caught that. And now he has that data and can write that onto a blank key card, which would give him access into this building.


2696.096 - 2713.451 Jack Recider

Now, while he was doing that, another one of his teammates was hiding out, watching the building from a distance, taking pictures of people coming and going. And this guy had a camera with a long-range zoom lens. So he was out there taking photos of what badges looked like for people who worked there.


2714.031 - 2733.091 Jack Recider

He couldn't get high-quality close-up photos of the badges being that far away, but it was enough to allow them to replicate it in Photoshop so that if someone is walking by or from a distance, they wouldn't know the difference. So the team all met up at a coffee shop to put the right logo on the badge and to write the data onto the key card.


2733.932 - 2751.443 Deviant Ollam

And as we're there... My buddy, the guy who has the dog, he didn't have the dog at this moment, but that one partner, he's like, I'm just going to take one more walk around, just kind of see the factory. I'm going to get myself a little coffee or something. And he comes back to where we were as I'm making these badges. He comes back 20 minutes later. He's like,


2752.469 - 2775.278 Deviant Ollam

this is going to be interesting, man. I just stuck my head in at the post office. Everybody knows. Hey, Frankie, Sally, how you doing, Bobby? And it's like, if we run into anybody, it's going to be a record scratch. It's going to be weird, man. But we said, all right, we've done this. We've been in hard jobs before. Let's go, everybody. We pull into the parking lot.


2776.687 - 2796.74 Deviant Ollam

We had some PPE and hard hats kind of with us looking vaguely factory-ish. So you're looking like employees that should be there or technicians visiting? Just looking like employees. If anybody literally, like if a town cop was going by, we're like, they'll think we must work here. We look like blue collar workers. And sure enough, nobody, no police. It was right on Main Street.


2796.76 - 2819.64 Deviant Ollam

It was a tiny, tiny town. But this factory was right in the middle of town. It was the only thing in the damn town, honestly. So, boop, card reader works. Okay, we get in one building. Thank goodness we're inside. We're walking around. Once you're inside, a lot of buildings, security's a little weaker on the inside. You can get into offices. You can slip a latch. You can pop a drawer open.


2820.141 - 2839.84 Deviant Ollam

We found a company trucker cap. Somebody took a company jacket. Again, just you're looking a little more like you belong there. And the thing is, the badges we made, we had seen long distance photos of their badges. So I had pre-printed these badges with their logo and everything in roughly the right place to look, the badges look the part and the badges are opening doors.


2841.061 - 2859.248 Deviant Ollam

But within maybe half an hour, we hear one of my teammates come around. He's like, hey man, someone just pulled into the parking lot, not to the factory. Somebody pulled in and they're coming into this office building, which no one is in this office building at this Sunday. And we're like, oh, well, we just look like we're working here. We sat kind of in the break room area. And this guy comes in.


2859.288 - 2881.261 Deviant Ollam

He must have been 56, 57 years old. He's like, how do you do, gentlemen? I said, hey, how's it going there? Can I ask what you're doing in the office today? And the vibe was instantly off. We said, oh, you know, we're just checking a few. We had a story. I think we said we were doing an environmental audit. We were checking door seals. He was in the building? He was already in the building.


2881.281 - 2897.94 Deviant Ollam

How did he get in? So he clearly worked there. Okay. And we could see on his hip he had a badge. And we said, no, we're just checking some door seals. There were some door closure issues. And for regulatory compliance, you have to keep products separated, blah, blah, blah. We had a bit of a story. And we said, well, you know, we'll get out of your hair. We're just leaving this building anyway.


2897.96 - 2903.227 Deviant Ollam

And we kind of left the building. And the guy didn't quite vibe on that. He was looking at us a little weird.


2905.888 - 2921.797 Jack Recider

Well, this was mostly a success. They needed to demonstrate access to sensitive equipment in areas that they were able to get into the building and take pictures of them touching this equipment and stuff they just shouldn't be able to get to. But since this guy really wasn't buying their story, they decided to leave.


2922.477 - 2943.211 Jack Recider

Because as a penetration tester, when you get caught, you want to see if you can get out of that situation. Try to leave and get out of there. See what happens. Is this guy going to stop them from leaving? So they walked out and got to the parking lot. And they could get in their cars and go, but there was another building in this parking lot that they also needed to test.


2943.872 - 2960.806 Jack Recider

So might as well walk over to that and see what happens. They thought this guy might be watching them though. So they walked across the parking lot to the other building and made it very clear in case he was watching them that they had badges that they were using to get in the building.


2961.146 - 2971.656 Jack Recider

These were working badges, and if the guy was watching them, he could see they had valid key cards to get in the building. Don't forget, on top of that, they have a jacket and a hat with the company logo on it.


2972.375 - 2994.089 Deviant Ollam

And then we, in the new building, we're like peering out the windows through the blinds. And this guy walks to the parking lot where the guy's going to get in his car. Nope. Walks by all the cars, walks to the building we just got in. We're like, oh my God. And we hear him start walking around this building. And at this point, we're pretty sure we're roasted here. Two of us break off.


2994.149 - 3014.506 Deviant Ollam

One guy goes, he meets two of the guys in some other hall. He's like, excuse me, gentlemen. I'm going to ask the same question I asked before. What are you doing in this building? And we said, well, we're doing this. He's like, no, no. Who hired you to do this job? We said, well, it was Francis. Francis in HR. She brought us. He's like, I don't know if Francis would have brought you on.


3015.106 - 3034.464 Deviant Ollam

I'm going to have to try to call Francis. And he couldn't reach her. And as he's dialing, it was like, no, no, come on. Was Francis a word you made up? No, we knew. We checked their staff. We knew some staff. We said, no, Keith at the Wyoming plant, Keith knows that we're here. He's like, I've been working with Keith for a long time. Keith might have said something about new folk.


3034.964 - 3047.039 Deviant Ollam

I haven't heard that. I can call Keith. So we're like, oh my God. And eventually after he's getting, he keeps trying to dial phone numbers on Sunday. And we realized if he's not going to reach anybody, he's going to just call law enforcement. This was not going to fly.


3047.7 - 3065.62 Jack Recider

Deviant and his crew were caught. All the windows of opportunity to lie their way out of it were closed. The game was over. So time to come clean and show the get out of jail free card. See, here's the thing. When you're paid by a company to break into their building, it's possible it could all go wrong.


3066.081 - 3085.264 Jack Recider

So you need a letter of authorization from the company, preferably someone real high up that can vouch for you, that when you call them, they will say, yes, we did hire them to do a security test on the building. And you print this agreement out and put it on a piece of paper and carry it with you at all times when you're doing a physical penetration test like this.

3085.905 - 3103.452 Jack Recider

And this is what's known as the get out of jail free card. Now, what some penetration testers do is they print off a fake one. It's got the right name of the head of security, but with a phone number to someone waiting in the parking lot who would act like that person if they got called.

3104.092 - 3121.626 Jack Recider

Deviant saw that this guy had everyone's number in his phone already and thought the fake get out of jail free card isn't going to work here. So he gave him his real one. And this was the first and only time Deviant has ever been caught to the point that he had to show this paper and come clean like this.

3122.407 - 3133.196 Deviant Ollam

He said, I know that person, but I'm going to call her cell phone and not the number that you've printed here. So as it turns out, and we spoke to him, he said, okay, all right. Well, if you say so. All right, Susan, you know.

3133.877 - 3149.555 Jack Recider

Brilliant. He did not trust the number on the paper that Deviant handed him. Instead, he looked up the name's number himself. And this was the right thing to do. And sure enough, the head of security vouched for them and said, good job catching them. And yes, we did hire them, and they are supposed to be there.

3150.356 - 3155.923 Jack Recider

So now that he knows the real reason Deviant and his crew were there, Deviant had to ask, how did you catch us?

3156.564 - 3173.726 Deviant Ollam

But he's like, well, I was driving by. He wasn't even on site that day, but I was driving by and I saw a couple of you boys entering the building just as we were just getting into a door. He's like, it didn't feel right. So I got a block or two down the street and I turned around and came back.

3173.966 - 3195.884 Deviant Ollam

Who the hell gets past their office and has that much emotional investment to go, I should go back to the office and see what's going on. He drove all the way back in, parked and started checking around buildings till he could figure out why were these fellas he didn't recognize from 200 yards away. Why are you in my building? He had worked for this company for something like 38 years.

3196.825 - 3216.459 Deviant Ollam

And he had emotional investment in the company. The company mattered to him as a person. And he was not going to take anybody giving him a line. He said, no, I want to know what you're doing. It felt like if someone was in your backyard... and they said, well, I'm just trimming your trees for your neighbor. But they kept kind of walking through your backyard.

3216.499 - 3232.111 Deviant Ollam

You might be like, I'm going to knock on my neighbor's door. Why is this person in my backyard? So that's what happened. And that was the first time we ever had to show the action. And we knew, we could have had a fake letter, but we're like, that's not going to fly. This guy, he is switched on, he is sharp, and he got quite a little kudos out of that. And he was professional the whole time.

3232.411 - 3237.315 Deviant Ollam

Didn't try to tackle us, didn't make threats, just kind of slowly plotted after us.

3237.975 - 3251.384 Jack Recider

Okay, so they were caught. That's that, right? No, they said, hey, good job. You caught us, but don't tell anyone else because we're going to go and come back again later and try to see if anyone else will catch us. We left for a few hours.

3251.445 - 3276.613 Deviant Ollam

We went to have lunch. We did come back and we only made it in again, gosh, 45 minutes, an hour, until we ran across some other person. And I didn't even interact with this person. This was just in a production of, I just kind of walked past them. And they almost on their heels turned and spun and said, hi, can I help you? What are you doing in this space? And we were like, son of a bitch.

3277.333 - 3299.68 Deviant Ollam

But that was a great day because we, you know, this little Nowheresville facility, they had a really sharp head of security who had been coming to DEF CON and Black Hat, watching talks like mine, really investing and upgrading their locks and their access control credentials. And even after that, he's like, oh, you did clone, you made the ESP key. We're going to revamp our backhaul protocols.

3300.049 - 3315.857 Deviant Ollam

For a little nowhere factory in nowhere. Nowhere. Not subject to threats and not subject to robber. The most threat they probably have is people trying to break in and, I don't know, steal copper or something. You know, like rural threats are not the same as an urban environment where you have a lot more

3316.497 - 3341.281 Deviant Ollam

potential risk of different kinds. But no, this one guy, he was really all about it and he took it to heart, he taught, he had a lot of buy-in from management, and everyone was just, they were pleased and proud of their people. We told them, keep investing in your people. They like it here. Make sure they keep liking it here, because they are the best line of defense that we've ever come across. You were caught. Um, do you consider this a caught? Do you consider this a fail? Does this, is this the only time you've ever been caught, or have you been caught before?

3341.681 - 3357.798 Deviant Ollam

I will consider it a caught. I won't consider it a fail because if you're doing your job right, this is the best success you could have. We got caught for all the right reasons, and I'd like to get caught like that much more in the future by companies that have employees that... actually care about what's going on.

3357.978 - 3378.247 Deviant Ollam

The only way you get that is if you have a real nice environment where you're treating people well, not just as meat grinding through the mill, right? You actually have to make people want to work there by rewarding them, by paying them properly, by giving them real benefits. That's the only time we've been caught and didn't bluff our way out of it, talk our way out of it.

3385.615 - 3401.767 Jack Recider

Okay, let's hear one more story of Deviant breaking into buildings. And this one's my favorite. This one is against a critical infrastructure type company. Think utility company. If someone were to get in and cause harm, it could be ruinous for like the whole town.

3402.047 - 3425.001 Deviant Ollam

Most of our jobs, we get a list of sensitive assets or sensitive areas from the client. And we say, what, you know, would accessing this asset or being in this space represent a severe breach? Would a bad actor in this space have the ability to severely compromise operations or cause severe impact? Once you have that list of assets, you formulate a series of attack chains.

3425.521 - 3445.774 Deviant Ollam

You sit with your team after a lot of recon, and you say, all right, so do we think it's smart enough to go to this one first, or should we try to go through this one? We've identified where these assets are, which parts of the buildings and the grounds. Okay, so which team is best suited to position here, here, here? And you come up with a plan. And if one team gets burned,

3446.454 - 3465.184 Deviant Ollam

You'll say, okay, well, that team is – all right, they might have gotten noticed, might have not. Let's pull them back. Let's get off campus. They just became Overwatch. They're running a drone. They're running long-range cameras. They're back at the base on radios. Let's put another team in. We do a lot of rotating out of rental cars where you go back to Hertz or National or somebody.

3465.204 - 3484.834 Deviant Ollam

You say, oh, this car is pulling to the left a little bit. They say, we have another one. We said, do you have a different model, maybe a really different color? Because if somebody's seen that weird car in the parking lot. So there was a job like that. It was meticulous. And we had, it was a large job. There were probably three or four different field teams at any given time of pairs of people.

3485.635 - 3505.438 Jack Recider

Okay, wow. This is a big job. And if you remember from other stories, Deviant likes to be prepared and bring a big kit of things. Anywhere from having lockpicks and keys to the Otis elevator repair shirt and having long-range cameras and full badge printing machines. But this one, he needed even more.

3506.064 - 3529.488 Deviant Ollam

This job was the kitchen sink, man. This job had case upon tons of Pelican cases shipped in. It was close enough that I could, it was many states away from where I was at the time, but I was living in Montana. I just said, I'll drive. If the budget's there for me to draw, I'll make it a couple day drive. And my truck was, I mean, we brought the works, man. We had a 3D printer in the Airbnb.

3530.009 - 3538.193 Deviant Ollam

We had a couple of our really large key machines, our exotic key machines, just in the Airbnb on the living room table. We were ready for as much as we could be.

3538.753 - 3549.759 Jack Recider

Okay, so when you have a job this big, it'll help if you have a few extra people. Of course, Deviant drove out for this, but a half dozen other people came out too. Babak was also there.

3550.279 - 3564.441 Deviant Ollam

We're all cross-disciplined. Babak is very electronic-focused. Of all the team members, he is the highest strength among us in the electronics department, especially as it relates to access control technologies, credentialing technologies.

3565.162 - 3584.345 Deviant Ollam

He gets good information from a lot of the industry sources and partners where he'll get the new badge printer that somebody's just pioneering, and he'll get a sample model of that, and we'll try it out. Drew came along for this one. Drew is our main surveillance person. Drew is an incredible person with camera glass, drones, you know, ultralight aircraft.

3585.786 - 3604.83 Deviant Ollam

He is the eyes on the ground and in the sky. They called in Sophie, too. Sophie is a devastating social engineer. Robert was another key player here. Robert is an incredible physical tactician, along with being personable with people at the drop of a hat. I mean, he used to be a cop, right? So he can lie.

3605.43 - 3626.206 Deviant Ollam

through his teeth, with a smile on, and his job is to manipulate you as a human because he's going to get what he needs and he's going to get it out of you for information or he's going to get out of your sights because he wants to move. He can be front and center or he can be a ghost. Imagine being called a physical tactician. That's quite the title, isn't it?

3626.907 - 3646.965 Deviant Ollam

Drew and I reached out to an old colleague of mine named Laz, who was back East. We brought Laz in. We had a couple of interns at the company who wanted to get some exposure to field work. And a lot of times jobs just aren't big enough, but this was great. So yeah, they'd bring the interns. So we had quite the cadre of people and we actually had two Airbnb units right next to each other.

3646.985 - 3652.869 Deviant Ollam

We had so many people. It was these two little like cabin type houses on some park somewhere.

3653.43 - 3662.457 Jack Recider

Gosh, they rounded up the whole Ocean's Eleven crew for this job. And so they all met at the safe house and started on phase one, surveillance.

3662.817 - 3683.376 Deviant Ollam

That was almost a week of recon. Yeah, that included driving by for the first few days, just a lot of long range camera work in cars, which led to then hikes through fields where it was a lot of Drew and Robert just in I mean, they're in hunter's camo. They're hunters and stuff, right? So they're going to crawl through field.

3683.396 - 3687.44 Deviant Ollam

They were first walking, and then they were low crawling to get really up close to the buildings.

3687.82 - 3698.872 Jack Recider

See, I don't quite get this, right? Some engagements, you're just like, let's see if we can walk in through front door. Let's go. And then some engagements, you're like, okay, you feel like getting muddy.

3699.993 - 3700.193 Jack Recider

Oh, yeah.

3700.213 - 3711.141 Jack Recider

You feel like getting, you know, the special equipment out. Like, I mean, there's work to that. Like, dude, really? You really want me to crawl through the mud so I can get a good photo? Yeah. Yeah. Go under the fence there. Do it at night.

3711.321 - 3717.805 Deviant Ollam

And we were all about it. Who gets to do this and not ever really risk getting hurt for it, you know? I think it's a great thing to get to do it.

3718.405 - 3729.113 Jack Recider

Okay. I just don't know. I guess I don't understand the level of like, okay, let's really start light and see how much we can get without even getting a foot on campus.

3730.954 - 3754.707 Deviant Ollam

And some of that is spoken to in terms of the client's willingness to have a more involved job. I mean, labor is cost, right? So time is money, and they provisioned, they said, no, they were really serious about, they're targeted by foreign adversaries. They are targeted by real threat actors at that point. And an actual threat actor would not think twice about

3755.387 - 3766.374 Deviant Ollam

spending an entire night just in, belly down in the dirt with long range glass, learning which employees go through which doors at which times and when the security patrols come around and when they don't.

3767.035 - 3788.108 Jack Recider

Okay, so another thing to think about here is this company invested a lot into security. Cameras all over the buildings, inside and out, trip sensors, security teams. They really, really wanted to detect and stop any sabotage or intrusion or disruption against this facility. And they did everything they could to stop this.

3788.729 - 3807.037 Jack Recider

In fact, this company had its own red team, who just attacks their own company looking for weak points and vulnerabilities, or whatever they could find that an adversary might exploit. They're on the offense, which makes them a red team. The defense team is known as the blue team. But it was the head of the red team that hired Deviant and his crew.

3807.657 - 3824.567 Jack Recider

So he could communicate and confirm certain things with the customer, the head of the red team. Like, for instance, as they were doing their recon, they noticed something that looked like a radar system to detect intruders. So he messaged the client and asked things like, Keith, are they using spotter RF?

3824.587 - 3835.333 Deviant Ollam

He's like, yeah, yeah, you spotted the spotter. Cool, yeah. We have it pretty masked, but you must be, he's like, you must have been really close. I was like, yeah, we were right up against that fence line. He's like, okay, yeah, you know, you got it. You got it. Don't approach from the west side. You spotted that one.

3835.973 - 3853.865 Deviant Ollam

Because again, let's say you're the Chinese government and you got a guy laying in the dirt, crawling up to a fence line, and then this guy takes some pictures and you say, well, look at those technology. Are they using, oh, oh, that's RF. They're using spotter RF. It's a way of looking for motion sensing in a field.

3854.866 - 3871.434 Deviant Ollam

And if it's the Chinese government, they would then back off and they would say, okay, let's spend another two weeks figuring out who sold it to them. Let's figure out which version they have, what its coverage is. Whereas for us, we just signal message. We said, hey, I found this. Is this what I'm seeing? They say, no, yeah, yeah.

3871.474 - 3889.857 Deviant Ollam

We're not going to make you charge us another week's worth of effort to go get a sample unit, you know, and set it up in a lab and figure out the exact distance and range that it covers. It doesn't match the manufacturer spec. So it's a week of that. It's a week of getting close, taking pictures, coming back to the Airbnb, analyzing. Who's this guard? Is this mobile too?

3890.378 - 3911.103 Deviant Ollam

No, he was, well, he was on foot yesterday. No, the guy on foot was in a, okay, no, this is the guy in the truck. Let's make a name for him. You make up names. It's like a pinboard, like out of a detective show, right? You got a wall of people. And one really great photo of a guard looking at us through these binoculars. Yeah, that guy, we printed that photo out a lot, put it around the Airbnb.

3911.123 - 3922.8 Deviant Ollam

So some of those guards are really switched on. Well, because he couldn't see us, but he saw something and he was like, what's that? And Rob and Drew just stood stock still in the dirt in their ghillie suits for like an hour.

3924.52 - 3925.34 Unknown

Ghillie suits?

3925.941 - 3949.673 Jack Recider

Those are the big camouflage suits that you see like military use, where they have like tree branches and leaves sewn into the suit so that you look just like a bush when you're holding still. Crazy. Now, of course, they aren't just casing the place physically. Sophie is also trying to infiltrate the people inside. She's trying to get pieces of information that could help her know more.

3950.353 - 3954.854 Jack Recider

She created a fake social media profile and started trying to connect with people who work there.

3955.834 - 3976.343 Deviant Ollam

The work involved in setting up a fake profile is non-trivial. It's really hard to create like a fake LinkedIn or a fake anything these days that looks legit. I mean, you need to have history there. You need to have connections. It's like planting crops. You have to create these profiles and then you water them.

3976.383 - 3997.764 Deviant Ollam

You come back and you connect and you make posts and you connect to this people and you endorse that person. Months and years later, these are now fully formed and you can maybe use one of them on a job to connect to other people. But if you get burned, well, that's all right. There's a year and a half of work that that profile is roasted. Yeah.

3998.084 - 4011.892 Deviant Ollam

So the fact that she has access to these and she made those connections to find out what was going on and can, let's, can I share your profile so I can see your photos from the job? Okay, now you got the access to the private photos. Oh, that's the company's having a pizza party on Friday, that kind of thing.

4012.672 - 4025.8 Jack Recider

Okay, so after almost a week of watching this high security building from the outside, they determined this place is completely secure. They found one little area that they could access, but it was kind of an insignificant finding.

4026.54 - 4048.697 Deviant Ollam

So we determined that it was feasible to get through the fence line. In fact, as a proof of concept one night, a small team did that. They crawled up to the dirt berm where the earth had been compacted, but not quite enough in one spot. And they trenched under the fence. They just dug and dug with small entrenching tools, and they're pulling out rocks.

4049.738 - 4065.931 Deviant Ollam

And they proved you could slip under the fence. And they just took a picture of one guy on the other side of the fence and then came back. That's not super practical. We knew this was still a site that was being built out. And we told our point of contact, we said, hey, just so you know, we proved we did this. The shake sensors in the fence didn't catch us.

4066.831 - 4080.997 Deviant Ollam

He said, nope, I bet I can tell you, which you were probably on the north side, that's all gonna be concreted in. The footer of the fence, it's still being built. We said, okay, well, it's a data point for the metrics. But we're not going to treat that as a standard entry point.

4081.617 - 4097.068 Jack Recider

So the only way to get into this place was going to be where everyone gets in, through the vehicle checkpoint. This place had high fences, barbed wire, cameras, shake sensors, radar. It wasn't kidding around, and that's just to get on the property.

4097.828 - 4114.859 Deviant Ollam

It's like visiting, it was non-military, it was a civilian compound, but it's like a military base, right? If you have a working credential, you drive up to the vehicle checkpoint, they see it, you boop it, and you go. If you don't have credentials, you're going to the visitor's building, the tiny shack, and someone is coming out and dealing with you.

4115.28 - 4120.283 Deviant Ollam

And without a credential, you're not getting in. But there's always some exploits here, right?

4121.852 - 4134.536 Jack Recider

There was some construction going on and Deviant was able to drive into the construction area just to do some surveillance on the front gate. He got some good video footage of exactly how the vehicle checkpoints work.

4135.236 - 4149.5 Deviant Ollam

And we learned, we said, okay, this is interesting. This is interesting. Look at this. Let's look at what happens here. You drive up and staff were holding their badge up at like the clearly they're presenting a badge to the guard who visually kind of would nod at it.

4150.723 - 4172.357 Deviant Ollam

Then they would drive further down, a good 10 yards, past the little overhang, and there was a badge reader sitting out in the middle of the, just like unattended. There's just a big badge reader on the, and they would, boop, they would badge that, and then a vehicle gate, a gate arm would open up. I said, that's an interesting thing. That's an odd thing. Then we said, well, look at that gate arm.

4172.597 - 4194.373 Deviant Ollam

Look at that gate arm. Many gate systems... will use ground loop sensors. Much like when you pull up to a stoplight, it knows your car is there because it can detect the metal of your vehicle and it'll cycle the light. A lot of gate systems use these. A very typical configuration would be, the most common one is a stop or safety loop.

4195.173 - 4222.305 Deviant Ollam

Right in where the gate arm is, if a vehicle stalls out and sits there for some reason, the gate arm won't come down and hit the vehicle. You don't want to damage anything. That's typical. You might have an entry loop so that once you pull up, the gate arm just doesn't operate unless somebody boops their car. You can't walk in on foot. This is not a pedestrian entrance. I'm sorry, you need a car.

4222.685 - 4234.353 Deviant Ollam

If you're a pedestrian, go to the pedestrian entrance. It's around the fence over there. This is a very common problem for certain motorcyclists or bicyclists. People on bikes sometimes don't have enough metal to trip the ground loops depending on how they're built.

4235.194 - 4254.627 Deviant Ollam

But the real one, and this is the one that a lot of buildings do not use, you got an entry loop, you got that stop loop, the safety loop. There's also sometimes a clear loop. Clear meaning you have cleared the checkpoint, bring that arm right down. It costs money to install these. You got to cut into the asphalt and you're doing, you know, everything's money.

4255.547 - 4276.805 Deviant Ollam

A lot of installations, this one included, chose to configure it, well, we don't need a clearage loop. We'll just, the arm goes up, there's a dwell time, and after that, it'll just drop down, unless there's somebody stalled out. So they were using a dwell time, and the dwell time was set to like, gosh, it was like 20 seconds. It was long. We're like, okay, this is news we can use.

4278.707 - 4300.575 Deviant Ollam

So our plan was, we're going to tailgate in. We're going to tailgate in behind what we think is a real vehicle because it was a long entrance road off the main road to get even to the vehicle checkpoint. Our plan was you're going to tailgate in. We're going to give Sophie in the front seat of the car who looked businesslike. We'll give her a badge that looks like their badges.

4300.675 - 4319.927 Deviant Ollam

We knew what their badges looked like. It's a multinational company. We've seen their badges in other facilities. We don't have their badge technology. They were using private keys on their credentials, so we couldn't easily clone their badges. But Sophie could pull up and smile at a guard and hold up a badge. Then she's tailgating behind someone's vehicle, literally tailgating.

4320.627 - 4339.991 Deviant Ollam

As that person boops the reader and goes through, Sophie would pull up, pretend to boop the reader. Again, that's 10 yards away from the guard shack. They can't hear a beep noise. And then before that dwell time finished, she would hightail it through. And if a guard was really sharp, they might be like, oh, that gate came down kind of quickly after that car.

4340.771 - 4356.011 Deviant Ollam

But nobody's going to be that sharp, we said. All right. Now, the critical thing, we said, we need about three or four, we need different ways to have you peel off if there's a problem. The first thing is there's that construction lot, right, where I parked to get the footage.

4356.731 - 4378.946 Deviant Ollam

We said if for some reason the car you're tailgating isn't a regular employee, if anything goes wrong, if they ask for directions, their lot, who the hell knows, just pull into the construction lot, K-turn, and get out of there. It's a little weird, but who cares? We'll roast that car. We'll switch the car out. We'll regroup. Let's say you're fine.

4379.387 - 4402.446 Deviant Ollam

Let's say you get past, like you hold your thing up to the guard and the guard looks at you and says, hey, you know, do you work here? Do you not work here, et cetera? You say, no, I'm new here. So if you're bad, you know, you can social engineer that if you had to. If you say, you know, oh, I'm lost or is this not the main answer to the visit? No, I just started. Okay, we'll pull over there. Okay.

4403.248 - 4425.708 Deviant Ollam

Figure that one out. The last one was a really slick one. We said if for any reason you get trapped at the gate, like let's say the arm starts coming down and you're like, oh, shoot, I can't tailgate in. We had printed a nearly identical badge. It looked very similar, but the logo was another company in town.

4426.308 - 4446.831 Deviant Ollam

It was out in a rural area, but it was another big firm that had a warehouse or something, a fulfillment warehouse in town. And we said, pretend to boop and say, my badge isn't working. And make the guard get out of the shack and walk over. But she would switch the badge. And it was on this red lanyard. And she's like, my badge isn't working.

4446.871 - 4459.195 Deviant Ollam

And so the guard would go, oh, is this the badge you just showed me? No, I'm sorry, ma'am. You've got to go down the road another few miles. You're in the wrong place. Oh, I just started. Duh, sorry. So we had all these little outs.

4460.715 - 4482.48 Jack Recider

Okay, this is a lot of work just to get into the parking lot. Sophie's going to try to drive in. And it was important that she'd be the only one in the car. That way the guard doesn't start asking like for passengers to present their badge and get curious and interested in what's going on. But through their surveillance, they noticed the guards never check the trunks of the cars.

4482.8 - 4492.438 Deviant Ollam

It wasn't just her in the car. It was Robert and I were wedged into the trunk of this car, because we wanted to get as many people as we could onto the corporate campus if we could get this to work.

4493.098 - 4499.423 Jack Recider

So they load up their gear, jam themselves in the trunk, and off they go, driving towards the facility.

4500.023 - 4521.073 Deviant Ollam

And all we could feel was just the car kind of rocking back and forth. And we judge, okay, there's some rough bumps. Those are the speed bumps, okay. And now we stop for a sec. That must be the guard. Oh, we're moving again. The guard didn't stop her, okay. And then, okay, we slowed down a little bit. Oh, we're really moving now. That must be the gate arm.

4521.975 - 4534.85 Deviant Ollam

And we're really, we're jitterbugging along for 10 seconds, 20 seconds. We're like, we gotta be through that gate. We gotta be through, I know we're through that gate. And we eventually hear Sophie's voice like, it's Hollywood, we're through that gate, boys.

4536.949 - 4550.359 Jack Recider

Sophie pulls down the back seat so the guys can climb through the car, which will take a while. It's a tight space. And this is where they split up, though. Sophie goes right to the front door of the building to try to use her social engineering skills to get into the building.

4551.12 - 4571.015 Deviant Ollam

She was just charming. She just said, I'm new. She followed a group of people. I'm new here. I just started this week. Oh, did you get the tour? She said, no, there was a tour. We knew that there was a company tour that somebody posted on social media. And we're like, well, I didn't get the tour last week. I heard about that. And this guy who was like, well, I'll give you the tour, little lady.

4571.556 - 4589.593 Deviant Ollam

So yeah, I mean, he's like, you should check this out. And he's taking her to place. And there were a couple other employees who, one of which even turned and looked at her and went, hey, I know it's a tour, but you can't tailgate. You have to use your badge. And she goes, oh, you're right. And just kind of pretended to boop her badge. And it's not making a sound, right?

4590.414 - 4607.246 Deviant Ollam

We have little, we have, you know, beep, beep, like on our phones. So if you need to, everyone's on their phones. So you're just kind of, oh yeah, beep, beep. And just, okay, then you walk in. But yeah, one woman literally said, are you trying to tailgate? And she says, oh, you're right, you're right. They told us this in orientation training.

4608.546 - 4614.528 Deviant Ollam

But yeah, they took her into the heart of the beast, right? She was sending signal messages to all of us like, hi, I'm in this thing.

4614.548 - 4615.608 Unknown

With pictures.

4615.749 - 4616.769 Deviant Ollam

Oh, with pictures, day one.

4617.509 - 4632.583 Jack Recider

Okay, so while she's making her way into different rooms and getting a solid lay of the land, Deviant and Rob climb out of the trunk of the car and come out of the car. Climbing out of the trunk directly would be weird, so they had to sneak through into the car and then exit through the regular doors to look normal.

4633.123 - 4651.281 Deviant Ollam

Robert and I looked like construction workers. I mentioned there was construction ongoing at the facility. So we had our sort of jeans and steel cap boots. We had some high vis. We had, you know, the helmets kind of clipped to our belts. If you want to throw a helmet on, you can. And we had tools. We had workers tools on us and more in the trunk too.

4652.757 - 4672.313 Deviant Ollam

So we just kind of walked around the building and started, quote, checking doors. You know, checking the handle. Is this door really locked? But also there's a little door gap checker. It's used when I do fire door stuff. There are tolerances. This is a quarter inch, eighth inch. How much tolerance is this door? You can check it. The door jams in the top of the door and the bottom of the door.

4672.793 - 4691.764 Deviant Ollam

So we're just, quote, checking doors and pretending to take notes on a tablet. And we're going around and seeing if anybody left the door open or could we tailgate in. And eventually we did. We tailgated in. We walked through some spaces. And between us and another team was able to exploit a similar path. Now that we know, we're like, well, Sophie got in. Maybe Drew can do it.


4691.824 - 4695.866 Deviant Ollam

Drew's not quite as charming as Sophie, but Drew can drive through a checkpoint.


4695.906 - 4717.503 Jack Recider

He did. And Drew was able to tailgate into the building too. This is where he just waited near a door until someone was going in or out. And then he just went in after them without having to use a badge. Day one was a success. All three teams got into sensitive areas and showed their contact how they got in. They took photos and were able to leave without being detected or caught.


4718.384 - 4736.421 Jack Recider

So they decided to do it all again the next day, but this time be a little more sloppy, you know, like standing near a locked door a little more obviously and actually looking like you're waiting for someone to come open it for you. And sure enough, somebody did come open it and didn't challenge them and held the door open for them.


4736.982 - 4741.886 Jack Recider

Or they might have shouted at someone, hey, can you hold that door open for me? Thanks. It was...


4743.167 - 4750.173 Deviant Ollam

Shocking how once we got past that fence line, we started realizing that no one really challenged us.


4750.873 - 4767.626 Jack Recider

Their outer perimeter was very secure, but it seemed like that was the main layer of defense. To properly secure a building, you want to do defense in depth. And not just one gate at the front, but many gates the deeper you're going. And they didn't encounter that.


4768.146 - 4778.454 Jack Recider

So now that they've accomplished all their objectives by getting into all the sensitive areas that they were tasked to get into, it was time to step it up a bit or step it down, depending on how you look at it.


4779.114 - 4796.006 Deviant Ollam

We said, let's just try to be sloppy. Let's just try to like, hey, buddy, hold that door. And, you know, don't be polite about it. And we're like, man, we just keep getting in everywhere. And we kept getting into so many sensitive rooms. We're messaging our contacts and we're saying, hey, we're in here today. You want us to try the thirdware? You want us to try this generation building?


4796.147 - 4816.52 Deviant Ollam

Okay, try to get in that building. And we're really not getting challenged. So by the end of the week, you're like, we really want to give you some wins here. Do you want us to just start doing stupid shit? Trying to see what level of noise it would take to make the employees at the customer site say, hey, that's not right. I should report this to security. And we were setting off...


4817.421 - 4825.385 Deviant Ollam

alerts and alarms at that point. We were propping doors open with doorstops that you're not supposed to do. And if it's held for more than 30 seconds, then a guard has to come out and go, why is there a doorstop here?


4826.166 - 4849.791 Deviant Ollam

At this point, we had literally caused headache on the part of the guards because we had been putting doorstops in and holding doors open and just really kind of, they were like, what's going on? Why are the employees being such a pain these last 24 hours? This day, at one point, I think I took caution tape and I propped the door open and put caution tape all around the door.


4850.412 - 4869.517 Deviant Ollam

And like, do we take the tape off? Do we not? What are they working on? I put a work order on it that's, you know, because we'd seen other work orders in maintenance areas. An exit door? No, this is an internal door to a sensitive machine room. And the guards were like, do we... And they had to escalate to a supervisor and say, no, take the tape down and we'll figure out who left that there later.


4870.937 - 4889.801 Deviant Ollam

And we're still not getting quite caught, right? We were interacting with some guards. I said, hey, who took the tape off this door? That kind of, you know. But they kept seeing our badges. Okay, so finally we said, what do you want us to, we're on a quick three-way call with a customer. What do you want us to do here, man? We're really trying.


4889.822 - 4904.677 Deviant Ollam

We're trying to, we're walking up to people saying, hi, I'm not from this department. Can you tell me where to go? And no one asked, why are you in here? And they said, well, you said something once about destructive attacks. You can go destructive. What can you do there? You said, could you like drill a door or something?


4905.913 - 4924.977 Deviant Ollam

I was like, I mean, yeah, there are plenty of things we show to other types of entry trainings we do for first responders or for military. We say, yeah, I mean, we could drill a cylinder out of the door and then you take the cylinder out and then you can pop the door. I mean, we can do that. It'll be noisy and it'll cause some damage. And they said, yeah, yeah, yeah. I mean, we'll budget it.


4924.997 - 4947.083 Deviant Ollam

We'll say, here's how much you're allowed to damage and try to keep it under that amount. And let's try it on a door or two if you want. We'll pay for it. I said, okay. So we got out a giant, you know, I actually went to Home Depot or Lowe's or something, and I bought a big old blue Makita hammer drill with a big handle off the side, and I bought some high-speed steel bits. And there's footage.


4947.103 - 4975.669 Deviant Ollam

There's actually footage that Robert shot with his cell phone of he and I in our high-vis just carving away at this lock in this door. And our point of contact was really trying to give his people a win. He's in the SOC, and he's watching. And he's watching. He's looking at his people, and he's watching. He said, hey, Chris, can you pull up monitor 17? Can we center stage that?


4975.889 - 4998.616 Deviant Ollam

And this big scream. He's like, what's going on outside building six? Do we have Sheridan here? Did you see a work order? Are we servicing doors or something on building six today? I thought that building was already stood up. And you hear, you know, like rustling of papers and people are like, I thought they had so much work going on from so many contractors.


4998.636 - 5016.967 Deviant Ollam

They were growing so much at this site that someone's like, I swear I saw something about that on the pass-off notes. I think we're doing doors. I think we're doing doors today. And he's like, okay. And he kind of stepped back and messaged us and said, no, man, they're looking at you on camera. And you look the part. What are you going to do?


5017.027 - 5036.151 Deviant Ollam

So, yeah, I just kind of dropped the drill where it was. The door set off an alarm. And I just left the alarm going. I just walked through. But we were trying everything. We were just setting off like a chain of alarms until guards eventually came to us and they said, hey, you know, fella, you know, stop what you're doing for a second.


5036.171 - 5055.151 Deviant Ollam

I was trying to under-door tool a door and not hiding it at all. Just Robert and I stand up and they say, so what are you guys doing here? And they're like, were you working on the side of Building 6? I'm like, yeah, yeah. There was like an alarm. That was really loud. Like, yeah. So what are you doing? What are you doing here, guys?


5055.972 - 5079.151 Deviant Ollam

And Robert, again, like back pocket, kind of hand on the letter, thinking this has got to be, our ticket is up. And I just Hail Mary'd. I said, what does it look like we're doing? And that broke the guard's brain. He went, well... It looks like you're working on door, it looks like you're trying to get open this door here. But you have badges. And Robert's hand just kind of comes off the letter.


5079.912 - 5095.537 Deviant Ollam

Let's see where this, and the guy's like, yeah, I mean, you work here. You're obviously on the contract team, but you have a radio, because Robert had stolen a radio from a truck. He's like, you know you can just call for remote unlock. You don't have to have us come all the way out here and bother with it. We came all the way from the other side of the thing.


5096.057 - 5113.969 Deviant Ollam

So he's like, yeah, no, it's the Sheridan guys. I'm here. Yeah, yeah, warehouse. Yeah, can you open the east side warehouse? He's like... The door goes green. He opens the door. He's like, yeah, see, I mean, you can just do that, man. You must be, you know, don't worry about it. But like next time, just call, man. We didn't know what was going on with all these alarms. I said, oh, thank you.


5114.95 - 5133.438 Deviant Ollam

Yeah, the story continues to get crazier and crazier. I eventually took a bike, because they had corporate, they had a couple of people who biked into the corporate office. I took someone's bike and just biked it around the parking lot, hoping that someone would report a stolen bike. I took a golf cart and started driving that around.


5135.358 - 5151.326 Deviant Ollam

And they eventually, because again, we had radios, someone's like, okay, Deve, they're finally onto you. You're going to have some attention soon. And I saw these white pickups with guards start trying to find me in parking lots. They thought I was like a mental case. They were like, is that the same guy? No, he's not wearing the high-vis anymore. Who is that guy?


5152.126 - 5172.66 Deviant Ollam

And I was just – I was rolling around. And there's like, yeah, yeah, crazy guy's on a bike. No, no, no, no, wait. Crazy guy's in one of our carts. But it distracted them so badly that I had – it was like – it was like an OJ Simpson pursuit. I was pursued by these flashing light vehicles that couldn't, what are they going to do? Knock me off a bike? Try to ram into a golf cart?


5172.7 - 5191.515 Deviant Ollam

You can't cause injury. So a bike can go places that trucks can't. I would just cut through bushes or cut in between buildings, and then they would have to like spin around and go driving around the other side. And while I was doing that, the other teams knocked down every target again and again and again. And they took pictures, you know, standing in all the sensitive rooms.


5192.236 - 5216.701 Deviant Ollam

because everyone's eyes was suddenly on crazy guy. Yeah, at this point, nobody cared about trying to mask door sensors. It was so many alarms that it eventually was a supervisor who was off site that day. It was his day off. And his phone, his work phone was like lighting up with a light. And he went, door 21, door 17, door 17 again, door 17 again, door 55, roll up door 76.


5216.781 - 5239.301 Deviant Ollam

He's like, what is going on? And he tried to call. No one would answer. He drove in. He lived, you know, a town over. He drove in, kind of burst through the doors of the security side. He said, what is going the F on? And he's got a bunch of guys looking at this. This crazy guy is on a bike, sir. He's like, I don't give a damn about that guy. Is he at a parking lot? What's all this?


5239.341 - 5260.475 Deviant Ollam

And he's looking at all the alerts. And they go, oh, really? Something going on? He's like, look at your screens. There's all these red entries in Lenel access. There's all these failed events. There's all these door entry events. So we heard squawks on the radio start going out that said... Mobile 6, you watch Bike Guy. Everyone else, return to your guard tours. Cancel all superfluous business.


5260.595 - 5282.791 Deviant Ollam

Challenge all unknown parties. Figure out what, there's more afoot here. Some guy even said Bike Guy may be a distraction. And that's what it took. That's what it took to finally get them to start challenging our teams. And that was, at the end, I just kind of got off the bike at one point and now these, like, all these trucks pull up and they all jump out and like, what are they going to do?


5282.811 - 5297.004 Deviant Ollam

Again, they're not cops. They're not allowed to shoot you or go hands on. And they went, sir, could you please stop? And I went, I'm stopped. I'm perfectly fine. What's going on, fellas? Having a good day? And they asked me to sit down, and I'll have a seat by the curb. And I said, this might explain it, and I hand them a letter.


5297.204 - 5301.708 Deviant Ollam

And then some of the guys were former service members, and they said, oh, all right, it's an exercise, boys, look.


5302.249 - 5317.3 Jack Recider

One of the other teams just got in their car and left, and then security caught the third one and just asked them, are you supposed to be here? And they said, no, thanks for asking. I've been here all week, and nobody's asked me that. With that, their engagement with this client was over.


5317.721 - 5335.133 Jack Recider

The client loved hearing all the different ways that they were able to defeat security that week, and they worked with security to fix all the things that they noticed in their assessment. It was a great training exercise for everyone involved at the facility. Wow. So thank you so much for sharing with us the way you see the world.


5335.494 - 5359.769 Deviant Ollam

Yeah. Hopefully some people out there start seeing it this way too. It's not a bad way to be. You don't have to live in fear. You just live in awareness. I'm a fan of Amanda Palmer. She's a cool musician and poet. And she talks about how it's not the job of the artist to make you feel joy all the time. It's actually the job of the artist to take you into the darker places.


5359.989 - 5381.928 Deviant Ollam

And if you've ever heard her music, she's good at that. But darkness isn't scary because it's dark. It's scary because you're alone. And I like to remind people that if we go into these dark places in our world with friends and allies and peers and loved ones, you realize that the dark isn't that scary because it's dark. It's just because you didn't know what was in there.


5383.504 - 5389.79 Deviant Ollam

And that's why I like to bring people into the darkness with me and realize it's not that scary and they can learn from it and they can be improved by it.


5396.917 - 5417.468 Jack Recider

A big thank you to Deviant Ollam for coming on the show and sharing these stories with us. You should be able to easily find him online by just searching his name pretty much anywhere. Deviant Ollam, which is spelled O-L-L-A-M. He's on YouTube, Instagram, Mastodon, Bluesky, and Twitter. Or you could just look on his own website, which is deviating.net. I'll have all these links in the show notes.


5417.548 - 5436.256 Jack Recider

Just check the description of this episode. The show is made by me, The Tarnished, Jack Reciter. Editing and assembly by The Omen Killer, Tristan Ledger. Mixing by Proximity Sound. And our theme music is by the dreamlike Breakmaster Cylinder. And even though the only dates I get are updates, this is Darknet Diaries.
