#164 Mike Grover - How Hacking Tools Are Changing Cyber Warfare
January 29, 2025
TLDR: Security researcher Mike Grover, famous for his malicious USB cable O.MG Cable, continually improves its design, now featuring geofencing, self-destruct mechanisms, and various connector types like Lightning and USB-C. The O.MG Cable, which looks identical to a regular charging cable but creates a Wi-Fi hotspot for attacker access up to 300 feet away, aims to raise hardware security awareness and aid red teams and researchers in testing organizational defenses.

In episode #164 of the Shawn Ryan Show, security researcher and InfoSec expert Mike Grover dives into the evolution of hacking tools and their implications for cyber warfare. Known for creating the notorious O.MG Cable, Grover shares his journey and insights into the world of cyber security.
Key Highlights
Introduction to Mike Grover and the O.MG Cable
- Background: Mike Grover gained fame in 2019 after demonstrating the O.MG Cable, a USB cable with built-in hacking capabilities. This cable can remotely access connected devices by creating a Wi-Fi hotspot, allowing malicious users to control and extract data from a distance.
- Design Evolution: Over time, Grover has refined the O.MG Cable design, which now includes features like geofencing and self-destruct mechanisms. The cable looks like a regular charging cable, making it easier to deploy in various settings.
The Changing Landscape of Cyber Warfare
- Grover emphasizes the increasing sophistication of hacking tools and their roles in both offensive and defensive cyber operations. He discusses how hardware security risks have grown, with tools like the O.MG Cable enabling previously unthinkable attacks.
- He highlights the need for organizations to be aware of these vulnerabilities and enhance their security measures, especially in sensitive environments.
Core Concepts and Practical Applications
- Red Teaming: Grover explains the concept of red teaming, where cybersecurity professionals mimic potential attackers to test security measures of organizations. The O.MG Cable is a tool that can significantly assist red teams by providing stealthy access to devices.
- Social Engineering: A common tactic discussed is social engineering, where attackers deceive individuals into granting them access to systems. Grover highlights this as a key vulnerability that organizations must address through training and awareness.
Insights on Malware and Threat Detection
- Grover discusses the operational aspects of malware deployment using the O.MG Cable, including the ease with which keystrokes can be logged remotely. He explains how organizations should implement preventative measures such as password management and two-factor authentication to mitigate risks.
- The discussion also touches on the ethical implications of hacking tools. Grover stresses the importance of responsible use and the potential consequences if these tools fall into the wrong hands.
Future Directions and Innovations
- Looking ahead, Grover expresses excitement about future developments in hacking tools and methodologies, indicating that the field will continue to evolve rapidly.
- He also underscores the importance of keeping abreast of the latest technological advancements and their implications for security practices.
Conclusion
In this insightful episode, Mike Grover offers a deep dive into the world of cybersecurity and the controversial capabilities of modern hacking tools. His perspective serves as a crucial reminder of the constant battle between cyber defenders and attackers, highlighting the need for vigilance and innovation in security practices.
Key Takeaways
- Awareness is Key: Organizations must prioritize training to combat social engineering and hardware-based attacks.
- Tools for Change: Hardware tools like the O.MG Cable are pushing the boundaries of what's possible in cybersecurity.
- Future Focus: As the landscape evolves, so must our approach to defending against increasingly sophisticated threats.
This episode emphasizes that while technology can be a double-edged sword, knowledge and awareness can empower organizations to safeguard their systems.
Mike Grover, welcome to the show, man. Thanks for having me, dude. We just knocked out one of the most fascinating, everyday-carry pocket dumps I've ever seen. And the fact that you designed all that hardware is just astounding. It's awesome. Thank you. And so we got connected through mutual friend Bryce Case Jr. Yeah. And thank you, Bryce. And man, we've been trying to make this happen for
I think a year over a year. Yeah, over a year now. So yeah, because I interviewed, he was last year's Thanksgiving episode. And we got connected right after he'd told me about the OMG cable, which you developed and we'll get into that. But real quick, let me kick it off with an intro here. Sweetie. So Mike Grover, AKA MG.
You're a hacker, red teamer, entrepreneur, artist, security researcher, and educator. You work for Fortune 500 companies conducting red team operations to test and enhance their security. You design and build covert hardware implants that bypass and challenge computer security.
You also run a business that manufactures and sells your hardware designs, which are now used by countless companies and governments to strengthen their own security. The most well-known hardware design is the OMG cable, a malicious USB cable. They're also a husband and a father.
And I'm sure I'm missing a whole slew of stuff, but at least that paints the picture. But I want to do a life story on you, some of the things that you have developed, and then probably go down some rabbit holes with cybersecurity. Maybe I love knowing what China and Russia are up to if you have any insight into that. But before we start anything, everybody gets a gift.
Right.
I'll see if I can not eat these by the end of the show. Good luck. Nice. Those are good. Not bad, huh? But, um, sorry, I'm going to talk with my mouthful.
Mike, I got a Patreon account, it's a subscription account. They were a major we were just talking about before we kicked this off about starting businesses and how this started in my attic and we're both entrepreneurs.
Develop the Patreon very early on. They have been the key component to how I built my business. And a lot of them have been here since the very beginning. So one of the things that I do is I give them the opportunity to ask each and every guest a question. And so this is from somebody anonymous. What's the simplest trick hackers use that 99% of people still fall for every day?
asking to ask them for access. Granted, you gotta kind of cloak it a little bit, but you pretend to be somebody you're not. And for instance, like, I'm your IT department. I'm your HR. You call them up, you email them, and you say, I need you to do a thing real quick. And that process will generally have them maybe entering their password, for instance.
except it's into something you control. And at that point, you've got their password. That is a method that is still heavily used and constantly works. No, kid. That actually happened to us here. Oh, yeah. Yep. Yep. We had to have Brian Montgomery jump in and save the day. But yeah, we got an email saying, we want you to be on this podcast. Yep.
I thought it was bullshit. We had a staff member that kind of like pushed me to do this. And of course, everything was in a rush. And boom, we saw that. Then my guy, they got into our Facebook and almost hacked everything, took it all. And Ryan was able to jump in and save the day kind of last minute there. So thank you, Ryan. But what else? What's another one though?
I mean, that is like the go-to, right? Like, I mean, you can walk into a building, but why do that when you can just ask from halfway across the world, right? Like, I mean, most companies, you'll still be able to walk in and do all that stuff. It's just not worth the risk unless they've got that level of security kind of locked down where it's like, okay, you can ask anybody in the company for their password. They can give it to you, but you can't do anything with it because, you know, we've got like two factor turned on or stuff like that.
different security controls and detections that suddenly requires physical access to, you know, you got to take more risks to do that. And that's a lot more skill, a lot more work to make happen.
Interesting, interesting. Well, you know, I had a little chat with Bryce before, before he got here today. And we were talking and by the way, have you ever seen, have you ever seen that video of him at the Dead Mouse concert? He's, he's up there. He's rapping and falls off the stage. I got to roll this club. You've seen this, right? I believe so. Yeah. Yeah. I got to roll the club. It's hilarious.
He brought something up that wasn't in your outline. And so might be a little uncomfortable, but I gotta ask it. And I think it's a good question because it sets the stage for the entire interview and everything we're gonna talk about. But he says, in case he chickens out, ask Mike about his design being so good that they were copied by the most well-known hacker of all time.
Kevin Mitnick, also known as Condor. So I got to hear about this, man. Oh, okay. Is this the OMG cable?
predecessor, right? So I had been doing lots of designs of malicious cables, right? And I had some really early proof of concept, just to show it's possible. No wireless connection, really tiny payload capability, a few dozen, maybe 100 keystrokes, right? Really limits what you can do. It's really slow. I mean, we're not hitting that 1,000 keystroke per second thing.
I mean, maybe it doesn't. Really slow, right? But it's like, it worked, right? You can't remotely update it, can't do anything, but it worked. I want to show the world, you know, hacker, you want to share the information stuff and work with other people. I didn't see it as like a product, it was just more like,
project, more like art. Like, hey, cool, look at this thing. And yeah, he reached out and wanted to kind of collaborate and, you know, have me, you know, build one for him and I started on that process. But we didn't, I didn't have enough time to complete it with his work constraints as well, because he didn't have time and stuff. And eventually what happened, I'm
didn't know about it, but he went to someone else and said, make this for me. And it was not like, I didn't know about it until it came out. And then the thing is, it wasn't very good. And I was just like, dude, first of all, it was not very good. This sucks. I wish like, you know, making this a proper product. But also it was like, Hey, if you, you know, had the resources, like fucking, I could have used that. Because I was just doing this on the side, right? But we have, um,
you know, solved things since then. You know, I think there's certain levels of communication and misunderstanding. So I don't want to be like, oh, he's, he's the worst. But, you know, lessons learned as well of like, you know, if it's something you can turn into a product, maybe wait until it's ready, you know, things like that, which is exactly what I did with the OMG cable, right? That, that, that's where it's like thousands of times better.
I mean, as enraging as I'm sure that was, it's also pretty flattering that, you know, is he really like the world's most renowned hacker?
I mean, well, so RFP, he's no longer around. Oh, really? Yeah, exactly. But yeah, the way he would be introduced, like, oh, but it was always the world's most famous hacker is the tagline that was used. What made himself famous? So well, he, uh, God.
need a refresher on this, but basically he had gotten the attention of the FBI, and they were hunting him down for getting into various places. A lot of social engineering tricks and stuff like that. And kind of a cat and mouse game. There's a movie called Takedown, right? So good movie. Check it out. But he went to prison then.
and was pretty unfairly treated. There was a whole free Kevin movement where, you know, they were doing, I think they put him like solitary or something because they thought he could like whistle into the phones and like launch ICBMs or something. Oh my gosh. This is like back when everybody's like, oh my God, hackers, just evil wizards. I still like that today, but it was much worse back then. They had no idea what was even possible.
So, yeah, he was held for much longer, I don't think. Yeah, I don't want to misspeak here, because I don't remember the particulars, but he was held for a very long time, pretty unfairly, eventually got out, and then went into InfoSec as a profession using that. And then tried to take your own GK.
I mean, I, I guess, I guess he knew, he knew it looked good, so he's good at that. You get the, the world's most renowned hacker taking, uh, you know
Your stuff, that's pretty cool. It sounds like everything worked out today. Oh, yeah, definitely. And just for the record, he got a pretty unfair shake at life, ended up, I think he got a pancreatic cancer. And he died before his first kid was born, which is just fucking terrible. Man. So yeah, I've since met up with his wife and cleared the air. So we're good. We're good. Good for you, man.
Well, let's get to you. So, you know, like I said, I want to do a life story. We've got to get into the OMG cable stuff and all the other stuff that you're designing, some red team stuff, but actually, actually in your, in your bio, I know what red team operations are, red cell operations, but could you explain that to the audience?
Yeah, definitely. So there's a lot of, it depends where we're talking about red teaming, because there's military red teaming, which I would love for you to give me a couple of stories on, because I mean, I'm sitting in a room with a guy who probably knows that really well way more than me. So it would be a little ridiculous for me to explain that to you. But red teaming in terms of like corporate cybersecurity is a subset of pen testing. Pen testing is find the holes.
tell us the holes, right? I mean, that's cool, but it doesn't quite test how someone responds. I think there's this like, I think it's a Mike Tyson quote, where everybody has a plan to like get punched in the face, right? It's like, okay, well,
maybe a little aggressive in context of cybersecurity. But how do you solve that? In boxing, you train, you get punched in the face, right? And then, well, OK, now it's not going to be new when it happens. So you might have a plan, but are you going to execute on the plan? Are you going to miss some steps? Is emotion going to get involved? And also, I can
find holes at different layers, but red teaming is going to be repeating exactly the entire chain. It's often called a kill chain, where it's you're connecting all of these different vulnerabilities to go from completely outside to completely to the crown jewels, take them out and succeed. And then you show how you did it after the fact. How'd you get into that?
Good question. So, kind of almost don't even know, but over the course of just life and I started off as just help desk IT system where you learn a lot of things and at the time I didn't think it was very applicable, but like those are all the systems and the nuances and like just the weird compromises you learn like, oh, I don't have enough budget so I'm going to do it this way or you learn about the end users that you're supporting as help desk and all the
problems they run into and, oh, they're running into like a policy that stops them from working. So they're going to do this. That's going to cause a degradation of security, but it's really common. You know that having been in help desk consists of it. So you start to connect these things together and it becomes this really
valuable bucket of information for, oh, how would I get into the company using that? And you've got really into security for a while. It's also a piece of that role. You're going to run all the systems for IT. You've got to keep them secure too, especially in small companies where you don't have dedicated security. It's like, no, you are the security. So you've got to learn it that way, which requires you to think also how does an attacker do it.
You got to defend against that, right? So eventually I just kind of got bored of doing IT and made the jump into security. Started learning actually Bryce. So good connection on this as well. So.
I had known Bryce for a long time, and I think it was like 2013. First time I went to DEF CON, hacker security conference, biggest one in the world in Vegas every year. And I decided, oh god, what was this? So there's these unrecorded talks they also do in certain areas.
He was on stage, I think he was doing something with like Bitcoin at the time. And he had this like telepresence robot on stage for a guy who was on house arrest. Like he couldn't come. So he brought a telepresence robot to be like Bryce's partner on the stage. And it was just wild watching this. So I'm in the audience. I'm just like, oh yeah, Bryce, you know, YTCracker.
I don't like it. I'm going to go see what he's doing. And then, you know, he gives the talk. And after he's done, I'm like, hey, yo, what's up? Like never met you before. But from that point on, we kind of, you know, our relationship grew. We got to know him a lot better. But he also DJs, as you know, and he was DJing for a guy called Fuzzy Knop who, or sorry, flipped that around.
Fuzzy Knop was DJing for him, because he also MCs a sing songs, right? So he needs someone to play that. So Fuzzy Knop was DJing for him on a lot of his shows. So I met him. And well, he is the one who had built out a red team for a new company, not a new company, new red team for a company, large company. And he ended up pulling me over into that team. So cool. Yeah. I love that guy, man. Bryce is great. I love that guy.
Well, let's take a little side track there, but let's get to you. And let's get to your time. I'll let you get there eventually. Where'd you grow up? All right, so I grew up in Wisconsin.
Brothers sisters. Yeah, I got a younger sister four years. Yes, tight. Yeah, we don't keep in touch as much both like super busy, but we could definitely be a lot closer. Is she a hacker too? No, she culinary. Culinary. Yeah, I picked that up for my dad as well. So my dad.
Yeah, so he was in the Navy as a corpsman for a while. He was like four years submarine stuff. But medicine, both my parents in medicine were in medicine and they did a lot of DIY stuff. So they built their house from the ground up, designed it from the ground up. So I was in that
that kind of raw materials environment. The house never actually fully got completed, which is actually kind of cool because it's constant tools, raw materials around growing up. I thought that was an amazing experience. Dude, I remember shoveling out the house because it snowed before we got the roof on. Yeah, that was pretty cool. I was pretty young at the time, but it was still impacting.
just do stuff, right? That wasn't a profession, but they just picked it up, learned it, how to design it, built nearly everything. I think they didn't do the masonry for the basements, because the trusses, and then they were rushed with the weather to get the drywall up.
So they paid for that. Everything else they did by hand. Wow. Wow. Pretty cool. But culinary, right? That's for going back there. Yeah, he was really into just cooking and really, really good at it. Both of my parents were doing barbecue competitions for a while as well.
Yeah, just get into it and go. And I think that was a pretty good learning experience. And obviously that had an impact on my sister who got in the culinary as well. Did some great great stuff there. I didn't pick that skill up. So what were you into as a kid? Oh, God.
Definitely electronics type stuff, so it depends on the stage. Video games first, lots of video games. What video games? What platform?
I guess it depends over time. So there was the console stuff like Nintendo, et cetera. So let's go all the way back. So Atari, and this is kind of like the first hardware hack, actually. My dad, so if you remember the Atari joysticks, it's a joystick and a single button, right? That's the whole controller.
And we were playing the game Tank, right? You just move around like you're in a tank and you fire at stuff, right? My dad took some speaker wire, a tongue depressor medicine, right? And we ran a button probably from Radio Shack and just taped it to a stick to the tongue depressor. We ran the wires off and soldered it to the controller so that I could have access to my own little like button when I was like four or something.
So I could fire the tank while he steered it around, right? I thought that was pretty cool and it kind of stuck with me, right? Like you just modified stuff, like hacking stuff. So very simple, but you know, that was the first video game, first hardware hack, right? That was kind of exposed to. And yeah, spent lots of time on like Nintendo, Super Nintendo. Then I got into Quake. Quake was extremely impactful for me. That's where I went from
You know, consoles to the computer in the house that we had, you know, used it for like encyclopedia, like you could chat with people online, cool, but it's more just a tool, right? Then Quake. You gotta start learning things back when Quake came out, you know, it was late 90s, right?
You had to learn how dial-up worked, how to connect to other people so you could do multiplayer. That wasn't just a button or two. It's learn stuff. Even running Quake, it's like, oh, you just don't launch it. Reboot the computer in DOS mode and stuff like that. You're learning how a computer works, but that's where we get into hacking as well. That's the inflection point of a lot of things. Also, Nine Inch Nails was built in the game. They did all the sound effects.
You can see the Nine Inch Nails logo on the crates of nails as well if you look in there. But yeah, that was also kind of impactful for me with their stylistic stuff and the art. Damn, so you started the hacking stuff at like, how old were you? Who looks same age? That was high school. Atari was high school? No, Atari. Oh, God. I don't even know when that was.
Yeah, I mean, just really. It's like five or six? Yeah, I don't even know. Damn. It was eighties. But yeah, Quake was high school. Right on, right on. So, well, let's fill in the gaps. Yeah. Were you into anything other than electronics? Or was it always just electronics? And I shouldn't say just. Was it all electronics? I mean, it's all connected in some way. Like I was in cars as well. Like, you know, part of it was just like,
making the car continue to run. But also, let's add sound systems to the cars and learn how that works, which is electronics in some way. Also got into water cooling the computer to overclock it, but that required learning water cooling.
These days, you can just buy a kit and install it, right? But most computers are air-cooled. You've got a little fan in there blowing out the heat, right? If you overclock a computer, you can get a lot more power out of it, especially back in, you know, 90s, early 2000s. But it would dump a lot of heat, lots more heat, and air-cooling couldn't keep up with that. So what you do, you take little water blocks basically, like a little piece of copper, strap it to the processor, the video card,
and run water loops through it, kind of like a...
I don't know how to better explain that, but it's like a little maze that the water would take through the channels on this block. And it would pull the heat out and you dump it. And at the time, it was a Chevy Chevelle heater core that was just like the perfect size. And you can use that as a radiator with a larger fan on it. So instead of using the small fans that you'd find on like laptops or even desktops that maybe is like that big,
you just found that big and it keeps it quieter while dumping heat and you just run these things really hot. And yeah, I had to learn how to make those things, right? So, you know, you get a pond pump from like a fish store, you get the Chevelle heater core,
get all the tubing wired together, but I had to mill out and I didn't mill it. I drilled it. I'll use a drill press because I could not afford access to that. I was like $100 drill press at the time. You just do like cross drilling through all different directions, plug it up and get this cool spiral pattern where the water would go through it and pull heat out of all your devices.
You got to learn about things like corrosion, copper and brass and aluminum. These things are going to start to corrode. You learn the chemistry behind how to prevent that from happening because you don't want corrosion because then your computer is going to have water all over it when it leaks. For example, wow.
You're like a jack of all trades. Yeah. You like taking stuff apart, putting it back together, figuring out how it works, how to fix things at a very young age, and it just exploded. Yeah, yeah, basically. So basically, how'd you get into hacking? So I'm going to put that on Quake as well. So you're playing online games, right? And you learn you can do interesting things. You start controlling things in weird ways, and it kind of escalates you like, wait a second.
At the time, there was no client side security or client side integrity check. The game files I had on my machine were unique to me. You would download them from the author, at this time we were actually installing it from CD drives. You'd just expect it to not mess with that.
Nobody's stopping. You can go and mess with the player models, for instance. You can add a really large cross that goes 10 feet above below and all sides of this person. You can see him running around a corner because this post is sticking out to him and you see him coming from the corner.
They don't know that, but, you know, it was a good approach or a lot of dark spaces, right? You can't really see people in the dark, you're like, cool, I'm gonna add a fluorescent color to their skin and there they are, they're glowing in the dark, right? See through walls, right? Like, you've got these textures that would go on the walls and, you know, they're opaque, but they don't have to be. You just set them to transparent and suddenly you're seeing through the walls. And, you know, that type of stuff was
I had more fun like figuring out how to do it than actually doing it. But that kind of just opened the door of like there's rules and there's expectations, but there's also not many people checking like best way to kind of
God, I don't want to get like philosophy. Get into philosophy here, but there's this kind of beautiful, I think it's Jacques Rancière, who defines like police politics, right? As like, you got, you got a road, right? And it's painted, there's lines and everybody just obeys those, right? And he connects that back with politics of like, oh, you're told to vote and do all these things. It's like, okay, but like,
If you don't follow the paint on the road, if you go off the road, if you get really close to the edge, most people, they see those lines are going to get right in the center of the road because that's what you're supposed to do. It's like, oh, it happens to be dumb. That's interesting to me. That's where weird things start to show up, like unintended designs, unintended powers and capabilities.
Just unintended failures, unexpected failures. It's really fascinating to play with that. Play on the edges. See how close you can get. And I guess now that you make me kind of say this, that's probably a good descriptor for how I think about a lot of things, like art, everything across the board. It's fine. Find the boundaries and what happens if you go on either side of it.
Interesting. Interesting. Did you get involved in any of these like hacking type communities? Oh, yeah. So, yeah. So like early late late days, more early 2000s, there's a lot of online communities. So we're big. I mean, I think the really big ones you would know of that most people would know of rather like 4chan and like something awful, right? Big places that had like the bigger names at the time. But there were also
much smaller, like, specific topics, water cooling, right? There was a water cooling, there was a bunch of them. But, you know, there would be water cooling communities where people just share their techniques and stuff, so they could all just improve upon it. And, yeah, there were also, you know, hacking theme ones. So Bryce and Digital Gangster was one of those. He was, that was one of the several communities I have, you know, known him from. And, yeah, there's,
This was also at the time where online space and you meet space were very separate, right? Like online dating, for instance. That was like, what? Now it's like, all the kids do these days. It's really weird. But I met my wife from one of those online communities.
But eventually those worlds start to blend together when you spend more time in there. And you spend most of your time in there and just talking to these people. Eventually, I mean, it depends on the community, maybe not so much like digital gangster, where it's like rock crime happening is maybe not the best idea to.
meet up for many reasons, but certain lesser criminal communities meet up with people and those worlds start to blur together. And it's a little bit different than the 2024 is where it's just everything is just together now. How did you meet your wife?
Yeah, I mean, so we posted on some of one of the communities out there. I think it was like from hardware overclocking. Yeah, I can't remember exactly what it was, but we I moved out to California. That's its own story we can go into. But when I moved out, it was like the first week and just like, hey, anybody in this community like around want to hang out show me around town. She was one of those people was like, yeah. And yeah, just kind of from there.
Is she a hacker too? Not a hacker per se, gamer, photography, art. How long have you guys been married? Sorry to put you on the spot with that one. What year is it anymore? It's 2009. 15 years? 2009. Yeah, so almost 15.
15 years. Yeah, it's crazy. Yeah, I've known her since 2004. So what's the what do you think the secret to successful marriages? Oh, my God. But you weren't expecting that one. No, I was not expecting that one. I'm going to have to think about that one, man. I don't know, man, just.
because I can connect this back with everything is just kind of understanding. I mean, humans are a mystery to me, but at the same time, there's so much complexity and it creates.
everybody's different like everybody wants to put everybody into a bucket like there's there's the us and there's the other but like to humans are messy and complicated and unique and understanding that helps a lot with everything whether it's being in a marriage or
attacking somebody to get into a company. It's like the same thing, right? Like understanding, but you know, very different motives and goals behind that one is just truly understanding the person working with them. And, you know, the other is kind of the inverse of that. Let's talk about, you know, some of the stuff that you did. Did you, what are some of the big hacks? Were you involved in any big hacks?
Uh, not, not like hands-on keyboard, right? I'd like to watch and those, uh, I, so for most, most of my time, like any of the hacking stuff that was me
I kind of viewed it as entertainment. It wasn't like power, money, or anything like that for me. It's just like, just have some fun, right? Yeah, you can mess around. I would do stuff in some of the communities as well. I knew the people would run the servers, so you can mess around in there. What kind of stuff? For instance, I kind of remember all the complexities here.
This community was like very liberal with like temporary bans and stuff like this. You know, I got myself banned and I'm like, get around that, right? And then they could not get me banned in this, in this environment. Cause they, they had some add-ons that they were using for this, this be built in, uh, I think it was people that might have done phpBB, um, phpBB. Uh, anyway, one of the large platforms at the time just had a lot of plugins that just,
gave me raw write access to the database effectively. And I could post through that. And they had a lot of fun chasing me down in that situation. Just like, how are you still here? So very light-hearted in that instance. They were more interested in how it was done than like, oh, you're breaking into my stuff.
Yeah. Well, let's move into... I don't know a whole lot about hacking. I would love for you to expound on how you got into it, or not how you got into it, but some of the things that you just found fascinating that
they kept you going all the way up until building your own hardware. Yeah, definitely. And actually, you know, going back into the youth for a little bit, something probably important, I had a phase where I was really into magic, right? Sleight of hand, deception, that type of stuff. I think it was middle school, right? Actually, got my first taste of authority not being super ideal for me, brought in a
fixed cigarette to middle school, right? And it's the peak of the D.A.R.E., D.A.R.E. situation, right? It looked perfect. It looked like it was actively lit and you blow on it and like, you know, talc, I think powder came out, but it looked like smoke. That got confiscated. We got friend and I got pulled down to the principal's office.
I don't know. I think I got suspended for not taking the situation seriously enough. You can take this seriously. It's basic red, but I think my friend pointed out, oh, yeah, that's right. They brought on the cops to test it because some of the talc powder came out and they're like, that might be cocaine. And my friend made probably an unhelpful comment of like, that's not even how you would smoke cocaine. But yeah, anyway,
A sleight of hand, you know, that gets into like deception and the human aspect, which is often forgotten a lot in hacking. People are like, oh yeah, it's just knowing computers really well. Definitely a huge piece, but like, yeah.
It's people as well that have to be manipulated. You have to understand them. You've got to convince them to do things, which is the most common way of getting into so many systems. You say, hey, I'm from your IT department. Let me in. And you've got to know how to make that sound legit. And if somebody is like, I don't know. OK, let's do some urgency to make them panic a little bit where their decision-making goes down.
and they're panicking and they're like, well, I'm just gonna do the thing or I might get fired as bad things gonna happen. There's so many different psychological triggers that come in and play and create this misdirection. And you're like, oh, it's like a sleight of hand for psychology, right? So you push people into different directions and you get them to reveal their password or run an application on their computer that just gives you access to everything.
And that overlaps with the technical and the hardware and all these other things. And just, I guess being a generalist now that you make me think about it, it just allows you to kind of glue all of those things together. And I guess, yeah, at the time before I officially got into like paid security, I always thought that was a weakness of like, oh, I've never specialized in anything.
I couldn't possibly keep up with the people who did specialize. That is true. Every person I work with that specializes, they go so far into just absolute wizardry that amazes me. I can never keep up because I just cannot sit down and focus and be like, I want to do this thing and that's all I want to do. I get 80% of there and I want to go play with another thing.
It worked out. It's great for the entrepreneur type perspective as well. We're going to tickle all the things. Keeps you busy, right? Yeah. Well, Mike, let's take a quick break. Yeah. And when we come back, I want to get into some of the hardware that you've made. Yeah, absolutely. And how that happened and who's used it? What governments, all that kind of good stuff? See what I can say.
All right, Mike, we're back from the break. I missed a couple of things in our outline here, so I'm going to have you pick it up with, uh, we're going to start with 2600, whatever the hell that means. Oh yeah, yes, so
All the security stuff I was doing, the times I was, you know, doing help desk with stuff like that, security for the most part, anything security connected was a hobby. So, you know, even though overclocking water cooling, I was happy to, but.
Yeah, 2600 is kind of a hacker zine, I think it's a quarterly. There's lots of people writing in to show tricks they've done, whether it's with payphones, you know, phreaking, phone phreaking. Wait, so what is 2600? It's a hacker zine, basically. You can go like a magazine. Yeah, like a little magazine. You can go to Barnes & Nobles and get it. Okay. So yeah. Wait, so what is it? Is it a book?
I think it's quarterly where they will just publish a new set of little articles written by different people that talk about how to hack something and how they hack something, just cheat some systems, just sometimes politics, just hacker-minded stuff.
But that was also when I first got into that, you know, phone phreaking and stuff was more popular then as well. What is that? Yeah, so that's hacking with phones, basically. So this goes back way, way long ago.
God, I think the guy's name was Joybubbles, actually, deaf guy, or sorry, not deaf. That wouldn't make any sense. Blind. And he noticed that there were tones on a phone when connecting to overseas and stuff. This is way back when you had to pay long distance and stuff like that, right? But phone calls cost a lot of money. But he noticed they made certain tones and stuff, so he had perfect pitch, and he would just whistle them back. And he noticed the phone network would do stuff when you did that.
So, yeah.
This is what we call in-band signaling. When you can hear the signal, the other end, there's like the switch panel, the phone networks, hear these tones. And it's like, you know, when you push numbers on the keypad and you make a tone, right? If you do it in a certain sequence, it's like, oh, it hears that. There's all other tones that the keypad doesn't make that tell us to do other things. It's where the 2600 comes from, actually, 2600 hertz. I can't remember what that does.
at the moment, but it would allow certain administrative type functions, and it's like routing around like, oh, you paid, and now you can run long distance or something like that, right? No, shit. So hold on, hold on. So it actually has nothing to do with the keys that you're pushing. It has to do with the tone that they're programming.
Yeah, I mean, at least at the time, things have changed instead. But yeah, it was just the tones. You could literally whistle those tones or hum them or whatever. So blue boxing was the other thing it's called. There's many boxes, many colors, but blue boxing just replicated that. You could literally quickly dial a number or whatever you wanted to do, do the administrative codes, play it right into the mouthpiece. And you would dial and do all these things.
Holy shit, I have no idea. Believe it or not, that's how Apple started. Woz and Jobs made some of their first money selling blue boxes. What is a blue box? It's the device that would allow you to more or less get free phone calls in the age of having to pay for long distance and stuff. Go to a pay phone, just pull out your blue box, hold it up to the mouthpiece, press some buttons, make it do what you want.
Call whoever you want. It was illegal at the time. There was a magazine it got into by a guy named Captain Crunch at the time. He got that name because there is a whistle inside of the Cap'n Crunch cereal.
that just happened to make that 2600 tone when you blow it. So he didn't have perfect pitch, like Joybubbles did, but he had the whistle. So you just blow that in the phone, then you open up certain access with crackerjack, not crackerjack, but in Cap'n Crunch style toy, which is really cool.
But yeah, you can electronically reproduce those sounds. And that's what they were doing with the blue box. And there was like red boxes and rainbow boxes. There were so many different boxes that would do different things that people would figure out. And they would share that with each other. And it was technically criminal, but a lot of people did it at the time. And yeah, it was Woz and Jobs. So took that money and started Apple with it.
No kidding. That's pretty cool. I had no idea. Very cool. I would love to meet that guy one time, but he's a great example of the old school hacker that was way more about mischief and just figuring out what things work and not necessarily anything criminal. Interesting. Great example. Interesting. So you're working at this magazine.
Yeah, no, so I wasn't working there. I was just enjoying it. And there were a lot of different cities would have like meetups like, hey, 2600 meter, and you go and meet people that are into that stuff and really tiny where I was from. So I didn't really go anywhere. But that was cool. It would get into just more like, hey, here's other ways of hacking that you didn't know about and just gets you to think like, wait, if I can do that, if they did that, what else can you do?
Let's play. It's all about exploration, experimentation. It is a frontier too. There's just unexplored space. What else can you do? Outside of 2600, there's all the tools that people knew of the early online days, like Sub7 or NetBus. What's that? Kind of like a software Trojan more or less. Basically, you get somebody to run it or you run it on their computer.
And it gives you a remote access, right? You can fully control those machines over the internet, right?
open up their CD trays, close it up, just all kinds of wonky stuff that could be for pranks or could be criminal. Okay, that reminds me of one of the ways we used it. So again, I was way more about just pranking and having fun. My friend in high school, her name was Heather. She was really into like, just
spiritual stuff and like, you know, she thought like spirits were in her house and stuff like that. It was a phase, right? But friend and I had that run on her computer and you could play noises at the middle of night and shit and just like, it was terrible. It was so bad. And you know, the CD drives would open and just like, you know, it.
She was terrified at the time, but later on thought it was funny. But yeah, for an example, right? Like you just have fun. You can play with people. You don't have to actually straight up do crime. Crime, crime does occasionally pay though. So some people would get into that. How would they use it? For criminal? Yeah.
God, this goes way back. We're talking like 20 or 25 years ago. So I'm not 100% remembering this, but it would have been you can do like file system modification stuff like that.
access to cookies, that will contain login information, giving people's accounts, send mail as them. So spamming was a huge thing back then. I mean, this is where Bryce has gotten a lot of
reputation from from those early days, spamming. My friend at the time paid for his first computer by spamming for a porn company actually, which is funny because he's got cash in a check, sizable check for a porn company. And he's like, I don't think he's probably like 14 or something at the time getting like weird eyes from the bank. So yeah, that happened. But
What else? Yeah, I mean, did you ever do anything illegal that's passed the statute of limitations that you can share? So a common misunderstanding about the statute of limitations is it's not just about the time in which has passed since you committed the crime. Depends on the crime, but many times the clock starts from discovery.
Interesting. It's a common misconception that is good for a lot of hackers to realize.
But I mean, I'm sure. So the CFAA, Computer Fraud and Abuse Act, literally any access to any electronic interface that is not explicitly allowed, that's a federal crime. So literally what I described, getting onto my friend's computer, that's a federal crime, even though they're cool with it and all this stuff.
Yeah. Gotcha. So literally any of those things can be heavily punished. Gotcha. So yeah, it's tricky, but... Well, let's get into your first job. Yeah, so first job, IT. Again, security was not really a huge thing for the most part. All that was side stuff, but you still have to be conscious of secure design.
My coworker was kind of my mentor at the time. He was ex-DoD, ex-Navy, had a lot of fun stories, but also got me more into security. We actually did our first security presentation.
for the company kind of using some classics here. So the movie Sneakers, a lot of amazing movie still holds up today. If you haven't seen it, go watch Sneakers. It's awesome. But they did a lot of like physical security stuff. Like, you know, if the doors got the hinges on the inside, you can kick it open. It's on the outside, you know, then you get to do something different. But what else? There's like the social engineering aspect where
they wanted to get through like a front lobby attendant who had to like buzz a man. So they had someone else come in with like, I think it was like a delivery like just creating a lot of stress. So one guy's like, yo, I got this delivery. Other guys like, Hey, I got my cake and my balloons. Can you just bring me up? And it just goes and escalates until he's like, I just pushed the button and gets in, right? Of course, you know, you didn't have a cake or anything like that. The balloons were to cover the camera.
And the cake was, I think it was like a briefcase of some hardware that he had to like infiltrate into the company that would go attack things, right? Great demo. We use that like, hey, here's some physical security things. Get you to think about it. And catch me if you can. Another thing where it's, you know, social engineering was used.
And believe it or not, that movie based on Frank Abagnale, most of the stuff he said is actually made up. It was like the con on the con. But anyway, yeah, that was kind of a classic thing that still a lot of security presentations today will still use those. Anyway, long story short kind of got me into the idea of educating on security instead of just playing and having fun and just entertaining with values like, oh,
And I actually teach people and there's a responsibility here to teach people how to not fall victim. I also did some live password cracking. Back in the day, people were using real terrible passwords. So just adding some extra characters and stuff. We were able to do password cracking just in the middle of this presentation of like, hey, this password, you can get in 15 seconds. This one's going to take us 10 hours.
In reality, how do you begin to crack a password? Basically, I mean, there's a lot of different ways. The way we were doing it was just brute forcing being able to have the ability to retry like word sets, like common password sets. You can just get those. There's a lot of password lists, what we call them, that will, when you're going to brute force and you just want to try them, well, like, hey, we know these are the common passwords. We know these are passwords from leaked breaches, shove them all together.
good chance somebody's reusing that somewhere. Good approach. There's cryptography and stuff. Do you use the password manager? Oh yeah, definitely. Highly recommended. Which one? 1Password's pretty good. There's different ones depending on what you need. Just keep running good.
I haven't looked too heavily into that one. I know, I know somebody who's very into like that, that space that speaks fairly highly of 1Password, but it's been a while. So I wouldn't want to be like, yeah, this is, this is the one because that space is so exchanging, but, uh, constitutes a good password. One that you don't know.
So password manager. Exactly. So if you don't know your password, it should be unique per site and as long as hell. And that means you're going to have to use your password manager to autofill that or, you know, copy. How are you going to do it? You're going to need the password manager to feed that back and log into the site. That combined with property factor is going to secure so much when it comes to you being compromised by social engineering and phishing.
Okay, that's good to know. Let's move on. Yeah, yeah, so after that job, I was kind of bored of Wisconsin. And my friend at the time, the one who made the money spamming, he moved out to San Francisco a year earlier.
and worked for a company called Long Now. They're the ones doing the 10,000-year clock that a lot of people are associated with, I think Bezos is on there. But Stewart Brand. Hold on, what's the 10,000-year clock? Yeah, so it's this idea. I don't think they've built it yet, but still working on it. But the idea is that they're going to put a clock, like an analog clock in a mountain that stays accurate for 10,000 years. It's really to get people to think really long-term.
What do you mean? It's hard for people to think more like even like one election out of consequences, right? Four years, ten years. Maybe you think as far as your kids, okay, cool. Well, how about a thousand years? How about ten thousand years? That just changes how you think about the future and what you do.
what matters, what doesn't. It's almost like a thinking prompt for people. Nobody does it, like start doing it. This was also, I think it was formed shortly after the Y2K bug.
which was hilarious because, you know, computers started a lot of the systems at the time were kind of birthed in the 70s and, you know, they had two digits for the year, right? Like the last two. So, you know, 78, 79, you know, eventually what happens when you get to 99 and it rolls over to zero zero? Is that 1900? Is that 2000? Oh.
Or neither did the computers, right? But people were only thinking, you know, a couple decades. That's enough. Somebody's going to rewrite my software. No, it's not old. We were still using that software today. So that's where the Y2K bug came from. And it's like, cool, you needed at least think, you know, a thousand year scale. So you can have four digits of space for your years. That was the entire Y2K bug. But I believe that was kind of around the same time that
Okay, 1000 years, what about 10,000? Probably where that came from? So hold on, they want to make a clock. Yeah. That's accurate for 10,000 years and put it in a mountain. Yes, basically. The mountain, I think, is to keep it safe.
They have to keep in time for that period of time. You can't use any other timekeeping system. Like, you know, atomic clocks and stuff like that aren't accurate over that time span. So you have to account for
like orbit variation, shift in the poles of the Earth and all of these other things. Like they have a whole cam system that readjusts the calibration of where that clock will be in next years over that span. It's absolutely crazy. It's like, engineer with that in mind. It's like, you don't, nobody thinks about like orbit variance over time of the Earth or the poles shifting.
for the clocks they use. It's just not a factor. But what if you had to? I think it's really cool. Interesting. Yeah. So yeah, my buddy got a job just doing sysadmin for them and web development. And it's like, hey, if you want like a few weeks on my couch, go for it. I'm like, you know what? I'm going to take you up on that. I'm going to use that to just move out there. I had no plan. I just like I brought through. No plan. No plan. I'm just like, I'm just going to do it and figure it out.
which I guess is a very red team approach too. And it's like, you can't plan anything. You're just going to move and figure out what's in your bag of tricks as you go and work around the problems. But yeah, I'm like, I'm going to bring three suitcases. I prioritized one of them was like my gaming system. Like a whole suitcase was dedicated to just a computer. Like, I don't know what I was thinking. But yeah, that was 30% of my luggage when I moved out, stayed on his couch for a bit.
Got some random odd jobs doing like audio QA testing and stuff like that just to make it and eventually got into the game industry doing sysadmin and help desk stuff. It just kind of grew from there and stayed there for like, I don't know, 15 years in the game industry, but on the side, being in San Francisco gave me a lot of unique perspective. So first of all
Stewart Brand is kind of the guy that was running the show over at Long Now. Stewart Brand is one of the original people on like the hippie bus with like Timothy Leary and all this other stuff, right? Going around the country doing the acid tests and stuff like that, but lots of just divergent thinking coming from that. And that was interesting just to kind of see, like I didn't get that in Wisconsin. This is also kind of where like, you know, the PC revolution came from that type of
Right? We're just divergent thinking, what can we do? What mischief can be made? All this stuff. The maker space, Maker Faire, was out there as well. So this is just, this is more like hands-on hardware hacking, not like security hacking, just like hobbyist hacking, like 3D printers. Let's just build some stuff. The kind of stuff you find at like Burning Man, right? Like the art where you start mixing all these things together. That
opened my eyes to just like different, different focuses and aesthetics. There's a really good point to kind of deviate here, something called beambots, actually I'm gonna pull up this laptop here to show you a picture because it makes way more sense when you see it.
Beambots. Yes, you're like, what? So beambots, B-E-A-M, biology, electronics, aesthetics, mechanics. It's just a kind of a design philosophy around building little robots. So I just kind of had to show it because I don't know. You're probably picking up a bit of an insect vibe from this, I would assume, right?
It does a couple of things. First of all, there's no PCB on here. It's just freeform soldering. And all of these components, there's nothing extra for the aesthetics. It's all functional. So on the back, you've got a solar panel, soaking up energy. It's like thorax here. That's holding the charge from it.
And then these, this is really cool. These are LEDs, but LEDs, when you shine light on them, actually emit a little bit of energy on the lines. So like a reverse solar panel, right? They're inefficient solar panel. But you can literally use them as eyes for this. So depending on what direction it's facing, it's gonna, one eye is gonna see more light than the other. That's where the light source is coming from. And there's a really tiny brain in the middle. It's literally four logic gates.
which is tiny. Like your phone has millions of logic gates in it, right? Like a calculator. My cable has hundreds of thousands of logic gates. This thing's got four, okay? What is the logic? What we call it? A logic gate. So basically all computing comes down to
The concept of binary on or off like they give me like a light switch right on or off You can do math with that Let's go through it real quick actually like we got Three light switches, right? Yeah I Think which direction we're going here, so we got
One on, two off, that can give us a one. Turn them all off, that's a zero, right? Easy. Now we put two in the picture. You turn two on, you basically double the last one. So if two are on, that's going to be three.
Basically, the first switch is the value of one or zero. The next one is two or zero. And then the next one would be four or zero. The next one is eight or zero. That's binary math, right? And all decision making can kind of be based on this. So in this sense, it's very analog. But basically, this will eventually fill up and have enough energy charged that these four logic gates are suddenly making a decision.
This side's filled, which eye is sensing the most light. And at that point, it's going to fire the opposing leg with all the energy that's gotten here to steer towards that. So you have this little bug-looking thing that walks, right? And it just constantly steers towards the light source.
And to me, I thought that was really cool because A, focus on aesthetics, which is not super common. And B, it uses really cool hardware hacks, like I said with the lights here that normally it's for emitting light, but no, you can reverse that and use it in an unintended way. And you can use really minimal logic
to do what you want. And I've applied some of that to my cables as well. Not this specifically, just the mindset of like, you don't need 10 things in this cable. You can strip it down to one if you're really creative.
Wow. That's how you shrink things. So that's kind of where that connects with, you know, like, hey, let's focus on aesthetics, but also minimizing and just using things in unintended ways to get more out of it. So that was
kind of a good point in which it kind of just opened my eyes to also soldering in electronics, but also the art of it and all that. So yeah, beambots, that was a good pausing point for my many hobbies that I would pick up over time that eventually led into what would become the O.MG Cable.
Let's move into Defense Distributed. Yeah, so I think this is about 2013. So first, Defense Distributed, it's the company behind the Liberator, which is a 3D printed gun, and also the Ghost Gunner, which is a mill, desktop mill.
that you can mill out a lower receiver AR-15 platforms. It was like the first commonly. You're the one that did that? I did not. No. So I got very interested in that. That was done by Cody Wilson. So let's crack that whole topic open a little bit more. So I think it was 2013.
There was a lot of experimentation in the 3D printing space with firearms, right? Cody introduced it to the world. He basically inflicted this idea upon the public psyche in this amazing way that just caught my attention in a couple of ways. First, it's this approach of, hey, we're going to give this to the world in a way that is irrevocable.
Going back to that, the police politics concept I was mentioning, it's just like, okay, what if you create something? There's voting and opinion having, but you create something to put in the world that nothing can change that at that point. I just thought that was just amazing from the political standpoint, regardless of what topic or what opinion you may or may not have on firearms, the politics of it and the power of creation was amazing to me.
And he did it with a level of art and bravado that was just perfect for the delivery of this. So what you're saying is bringing something to the world that cannot be taken back.
Bitcoin. Yeah, another great example of no opinion on that is going to change its existence. It exists. And if you're thinking about real politics and participating, creation is one of the most powerful things you can do. That's what I learned from watching that. But yeah, I decided, hey, I want to know more what they're doing.
And I've helped out with security and computer stuff in general. Use what I had. Like, hey, can I help? To a lot of different places, whether it's like Nine Inch Nails communities, just to get more insight into how the artistic process works there or in the case of Cody, just helping out with the security of that, just to kind of see how they work.
bunch of anarchists getting together, building a company, and just the whole fight that they were in. It was very fascinating to me just to observe that, and that kind of stuck with me, both the creation, the power of creation, and the artistic approach they took to it.
was one of the things I kind of had in mind when I first created the OMG cable. It's like, hey, at the time, I thought I was just going to open source this thing and put it out there.
that ended up not making sense because it was really hard to make. You can't just DIY it. But yeah, it was one of the motivators in my head at the time when I was first kind of putting it out in the world. So yeah, one of those many things is just like, hey, this is a fixation. I want to know more and I'm just going to focus on it for a while.
So, yeah, they're still doing their thing. What did you do there? I just helped out with some security stuff. I didn't have security stuff. Network and IT stuff. I mean, every company has got to have that, right? So, I'm like, hey, you know, you're probably a small shop. Probably don't have the level of security, you know, understanding for your systems, but I don't know, maybe I can help.
So it just helped out and it allowed me to get more insight in how they run things and just more exposure to like how the artist works, right? Because that allows me to just kind of figure out. There's a lot of things I would experiment with, but I never found like my medium, right? Like as an artist, right?
I've gotten music, you know, I'm not that great with music, you know, visual arts, not that great with that. I mean, 3D printing's everywhere now. Yeah. You know, and so you were at the forefront of this, you were on the, I mean. So I wasn't doing anything besides like the security for them. It's just kind of, even if I didn't do any work for them, just that. Just being a small part of it. Yeah, exactly. But even just seeing it happen would have been enough for me to
kind of kickstart some things. It's another. How did that come across your radar? I mean, it was everywhere at the time. It was like in Wired and all these other places.
3D print a gun firing. Everyone can print a gun now, regardless of laws. And that was kind of the message going around in the press. This was also kind of another pivotal time when the NSA ANT catalog. So Snowden happened around the same time.
incorrectly misattributed to him, but there were a lot of leaks that happened around that time, both with and without Snowden, that kind of opened my eyes to the level of games and just technology happening in computing. Yeah, I mean, I already knew a decent amount of it, but the ANT catalog.
Oh, man, that head, it was just like, you know, when you're growing up and there's like the spy tools in the back of the magazine, you know, just hearing ink and all, you know, all those things. This was like that on crack, dude. It was like, they had a malicious cable in there. This case, what was it? It was leaked in 2013. The catalog was
dated 2008 and they were announcing in 2009 they would have these COTTONMOUTH cables.
available for purchase to their ecosystem of whoever they sell to in the NSA. The price on those, I think it was a minimum order quantity of 50 with a $20,000 per cable price tag. It's like, wow, amazing. But had all these electronics inside, a radio inside, that was cool. And actually, yeah, let's pull this up again.
So, COTTONMOUTH. This is the page out of the catalog where it shows it's really chunky cable, like really, really thick hood. But they sandwich a whole bunch of different PCBs inside of this thing. And that stuck in my head, obviously.
So what does that do? They weren't super specific about the exact capabilities, but it had a radio, it had some ability to manipulate USB.
Based on all of my reading in here, it's the latest generation OMG cable is basically a dead match to its capabilities from what can be deciphered from this page. So all the way down to covert exfiltration and stuff like that. What were they using it for?
That's a good question. What's that? What does it say? It doesn't. It just it's more about capabilities thing, like getting through and breaking security effectively. So I mean, I would imagine this gets implanted into spaces that are higher security. Like, you know, if you can't just walk in and do stuff.
If you can't do the easy things, you're going to start having to use these types of tools to get into a place, have somebody plant a cable, and then you've got remote access. There were a lot of other tools in this space.
like implanted video cables that you would implant on a monitor so you could remotely read what's being displayed on the monitor. Lots of cool tricks like that. Some were long range, some were short range, but all kinds of crazy spy gear that would allow
impressive capabilities that very few people in the private civilian space even considered defending against. Interesting. Yeah. So what is the ANT catalog?
Yeah, I forget if there was ever a mention of what ANT stands for, but it was just this leaked catalog with all of the different... It was a leaked catalog. Yeah, somebody leaked it. A lot of people say it was from Snowden, but if you actually trace it back, it wasn't. It was never at least attributed to Snowden. Yeah, that just came out and you get to look at the amazing spy gear that is out there. What's some other stuff that caught your eye?
Um, definitely those, those video cables. I'm trying to remember all the different things. We can pull it up actually, but yeah, you want to pull it up right now? I can pull it up on the internet. All right. Cool. So yeah, let's go through, uh, just a few of the pages of the catalog. I haven't done this in a while. So, uh, rusty, but yeah. So, uh, let's look at just the hardware stuff we got.
Let's see, what is this? This is a short to medium range implant for RF transceiver. This is a component that has RF to one of the other pieces they have in here, which they call a digital core, to provide a complete implant. So it's kind of like a customizable build your own, what kind of implant do you need? They put this into various pieces of hardware. There's actually, I think it's over here,
Here's kind of another implant. They call this FLUXBABBITT, a hardware implant designed specifically for Dell PowerEdge servers, like a specific one. It hooks to
It's called a JTAG debugging interface. Basically, a lot of hardware has a debugging interface. If you get access to that electrically, you can do a whole bunch of stuff. You can implant things at a really low level on that machine. They give you all kinds of access. It gives you lots of data. If you've got an implant that goes into there and hooks up to it, you've got permanent access. Similar to the, I was describing with the USB cable,
with that covert exfiltration mechanism. But this is baked into the machine. So I would imagine the way this happens is during mailing interdiction. So Dell ships a server over to the customer, right? And our government knows this is happening. They grab it in the mail.
crack it open, put one of these inside, close it back up, send it off to the intended target, and now they've got long-term access inside there. Even if they wipe everything, like, down to the hard drives, put new hard drives in, you can still get it right back in. They would have to crack everything open and look at all the hardware to find this type of stuff. Really cool, really cool type of implants. Wow, and there's no way to know that.
I mean, there are ways. Yeah. Yeah. You had to know what you're looking for, basically. Do you worry about that stuff at all? I mean, it depends. Like, me personally, no. I know the types of targets that this is destined for, and like, you know, I'm not one of those targets. What kind of targets is that? I mean, well, I mean, the Israeli pager situation. Great example of like,
Do I worry about my pager exploding? I'm not Hezbollah, so no, I'm not worried. Just for example, just to put a very pointed...
answer to a very current topic, for instance, right? Now, there are certainly lots of gray area. We've seen lots of gray area where it's like, wait, you're doing surveillance on US citizens and like, that generally isn't happening with hardware implants and stuff like that. That's access to telcos, internet providers, and yeah, I operate very openly, so it's not, you know, I'm
I'm a little less concerned, but it's more of a political and philosophical like, you know, when nobody's got privacy, it changes society in ways that aren't very good. That's where I'm more worried. How often do you think the US was used on its own citizens? I mean, this specifically, like, I would suspect these types of things.
Well, hardware implants, let's go with hardware. I don't know how often hardware implants would be used. That tends to be super targeted. And super targeted also generally, I would assume, I would hope, means significantly more legislative, not legislative, legal oversight, where you're getting the warrants and all these other things. Whereas these really wide net things, which hardware is much harder to make wide net. Wide nets, where you can collect all the things because you've got access to
telco, phone, internet type providers, and you're just slurping everything up. Yeah, everybody would then be pulled into that. That's the kind of stuff that Snowden showed, right? That's a different story. Everybody gets pulled into that one way or the other type problems that occur.
So I do have to worry about people breaking into your network and just causing problems in your life. That's a complicated topic. It's more privacy invasion at that point. It's like, yeah, what are we worrying about? Are we worrying about our personal safety or personal freedoms?
society as a whole in the health of it, if they, you know, free press. Yeah, it's a very large complicated topic. Do you think China's putting this stuff into the electronics that we're buying from them? I mean, not like in the sense of like consumer levels. I mean, it depends, right? Like... Could it be access from that far away?
If anybody wanted to do that, yes, but the thing is doing it to just off-the-shelf consumer stuff is a lot harder to do in terms of hardware implants. If you wanted to do it that way, that's where we get more into the software level, like software backdoors, which we've seen in things like cryptography, right?
It's posited that a lot of cryptography backdoors were put in by cooperation with the NSA, for example. A little rusty on this stuff, but basically that becomes very valuable when you're slurping up all the internet data and a lot of that's encrypted. But if you know how to quickly break the encryption, you can see the contents and that's where that comes in.
And a lot of people say that that kind of hardware is installed into our power grid. Depends, I would say. Well, God, I have forgotten. I think China makes a lot of our power transceivers and stuff. But make a ton of it. Honestly, from what I've seen and the people I talk to that work in all this stuff,
I don't think physical implants are quite needed. Things are just not secure remotely, externally. Literally, I think it was yesterday, maybe. It's something that news that has come over the last few weeks where our own government is saying, everyone, I think it was actually to their own government employees to use Signal.
use iMessage, use encrypted chat, do not use text messages because China has, they're just in all of the telco systems right now, which means they would be able to read the text messages, right? They didn't need hardware implants that I know of to do this. Maybe they did that to get in.
But now they're in that system, right? I mean, I've helped in environments that a foreign adversary had gotten into and took a bunch of time to evict them and find where they are. It was done all over remotely, right? A lot of this stuff doesn't require the James Bond type hardware to get in. Interesting. Yeah, that's a tricky topic. Interesting. Do you worry about it?
I mean, there's so many things to worry about though. Yes, kind of. Once you've seen enough horror shows though, you're like, wow, wow, everything's just broken.
Society as a whole. It's amazing that it operates, just the levels of trust. One person is all it takes with enough well-placed damage. Whether it's security or just electrical power grids, all these things, there's all to just tip over with just enough of a push. Everything's that way. It's not just security.
Yeah, so I don't know, I kind of just lump it all together of like, just a really good experiment for humanity. I mean, humans have been what on this planet for some say, 300,000 years, right? Like, we're living in the best time. I don't think there's a single person alive today that would be like, yeah, bring me back at random more than 100 years ago.
So I mean, like that's not a good, the odds are not good, right? Like we're the most comfortable we've been most well off on average across the Earth in this last 100 years. And it's a good experiment. And things are volatile. I mean, that's kind of the consequence of freedom too, right?
The people got to maintain it. What text messaging app do you use? I like Signal. Signal is great. There's a lot of rumors that the CIA created Signal. I'm sure they did. I think they help fund it, actually. But they help fund a lot of things, in many ways. Signal is an amazing tool if you're an agent as well. You're going to be overseas in hostile environments and you need to communicate.
How are you going to do that securely? Are you going to use a secure tool that stands out like a giant red flag because nobody else is using it? Probably not the greatest thing. It's like, hi, I'm an agent. I don't know what you're saying, but there's an agent right there, right? Like.
I mean, obviously there's answers to that and stuff, but it's valuable as like, oh, that's just the tool everybody uses. Signal, everybody's got that, right? That's valuable. Obviously, there's always trade-offs, right? It's like it can be used for bad, it can be used for good, and who's bad, and who's good, and whose perspective. Yeah, right. I mean, that's how we communicate, via Signal.
Yeah, yeah, exactly. Is that how you communicate with everybody? A lot of people. Yeah, I mean, I'll meet them where they're at. Like my manufacturing stuff don't use Signal. They've got different governments over them and things like that. Yeah, it's interesting. So yeah, whatever you use, I'll meet you there. But contextually, contextually, it matters. Like, okay, I'm on this platform, which can be seen by
These adversaries, cool, noted, I'll make sure I keep that in mind, which is kind of the whole point of like the psychology, when you know you're being watched, changes how you behave in ways that can be negative.
like once, you know, if you're always being watched by somebody, what does that make you? How does that make you behave? So different. So yeah, yeah, I mean, there's there's lots of other other cool things in this catalog, like, uh, reflector. So this is for picking up, uh,
audio, this is standard audio bugs, right? Like, you know, spying on what's happening in the room. What else we got? Lots of cellular based stuff. Now this is like 10 years old at this point. So a lot of this stuff is well known, really tiny implants. So this is this is like a probably a VGA cable here or like an older monitor.
which made more sense back in 2008. Really tiny implant into that cable, tap to one of the color signals.
And it would allow somebody to kind of energize it with like a radio pointed at it, more or less, and then receive the signal bouncing back with the video signal encoded in the bounce so that you'd be able to see what's on their screen. Wow. Really cool stuff, right? What do you think was in the spy balloon that was traversing the
I don't know. I haven't studied those well enough, but I mean, there's a lot of amateurs that just do that. Like it's, they'll just set up a balloon and it's kind of like the ham radio space kind of in a way where they're just like, oh, you know, we can track it and there it goes. It goes wrong. Let me rephrase that question. What could have been? What could it have been?
I mean, I don't know, man. That's probably outside of my skill set and awareness in research. But I mean, it could be used like a balloon. I mean, I'd probably be using a drone more because the problem with balloons is that they're much more higher altitude, which causes problems for a lot of electronic circuitry because it gets really cold and stuff stops functioning. Also, you've got power that you got to deal with.
So the best you can get is battery. That's not going to, batteries also start to fail at that level of coldness, right? So you need special batteries, something to keep it warm, which means more energy. So you get in from solar power, probably. This is really low power stuff, right? Like.
I don't know, maybe just the value of how does someone respond to putting something in their awareness, which is absolutely a thing, right? How does someone respond? Which, I don't know, similar to the drones that are popping up and those are like, I don't know where that's coming from. I think Jersey had one recently, but there's lots of like drones in the sky. I'm like, I don't know what that is, but I would love to find out.
Is it collecting data or is it just seeing how people respond to unknown unreported drones to the sky for tactical knowledge in the future? All right, Mike, let's get into some of the stuff that you make. I know you have exploding hard drives. You get the OMG cable.
You're making all kinds of just crazy wazoo wizardry gadgets that I am just fascinated with. And so where did this kind of start? Did it start with the exploding USB drives? Yeah, I mean, kind of. Like I had always been tinkering with things like those BEAM bots, right? But...
Yeah, so I think it was on Twitter or something. I saw just a picture of somebody with a USB drive. The shell was open and there's just like a firecracker sitting inside of it. No idea if it worked or not, but I'm just like, everybody has like the same visceral response to see now. Like, oh shit. It's floating in thunder. I'm like, you know what would be cool is if it was worse. So.
USB Rubber Ducky. Got to explain what that is first for this to make sense. My now business partner, Hak5, kind of invented the USB Rubber Ducky, I don't know, like 15 years ago now, something like that. That does the same basic keystroke injection that I had demoed with the cable, right? Where you plug it in, it types something really fast, whatever you want to control a computer, whatever you want, right? I wanted one of those that also exploded. So first thing I had to do,
If you open up a Rubber Ducky, there's not much space in there. It's all electronics. I'm like, okay, how can I shrink this really tiny? So I have space.
for something that goes boom. So I spent a lot of time playing with that, right? Now I didn't recreate a Rubber Ducky exactly, like it's a really, really limited version, like a 200 keystrokes, really slow, done, right? That's it, really hard to use, but it's tiny, and I shrunk it, shrunk it, shrunk it, shrunk it, and it's just, I don't know, I think it was like eight by 10 millimeters when I was done, like a pill, basically. I had left the rest of the thumb drive empty
that I could hook up with a little mini detonator and maybe a firecracker, too, and a bunch of confetti. I rigged this up to a keystroke injection payload that opens a browser to an animation of a jack-in-the-box, and he's cranking it on the screen, except it goes for an awkwardly long amount of time to build up tension. It's going, it's going. That's what shows up on the screen. You're watching that.
And then pop. The drive blows up. Confetti goes everywhere. And I'm like, yeah, that was cool. I just viewed that as fun. Another type of art or something like that. Put it out on the internet. And it was like, that's crazy. A lot of people ask me to sell that. Now, no, that's a terrible idea for so many reasons, liability, et cetera. When you put something into the world that can be used negatively, it's always worth gaming out.
how bad can it go and can you prevent some of it, which I've done a lot with the cable. But in this case, it was just something I wanted to put out there. But at that point, I had a really tiny ducky that I could
Maybe I could put it on other things. And eventually, I got the idea, probably doing my IT job, looking on Amazon for spare parts for hardware and stuff. I noticed there were USB cable repair ends and boots. I'm like, wait, what? I'm going to just get those. At the time, I didn't know much about manufacturing.
got some of those and realized there was enough space in them for the cables and this really tiny, you know, fake ducky, right? Shove it in there and I get the very first proof of concept of a malicious USB cable. Yeah, put that out.
And I've already told the story about that one where it gets out there and a lot of people like it and a lot of people wanted it. I think almost a year goes by before I'm like, you know what? I could make that way better. That was a toy. This is a cool gimmick to show a very basic prank. Barely even worked for that. What would a proper tool look like?
I was getting way more into the concept of, I want to do red teaming as well, so I'm combining those things. I need Wi-Fi, I need remote control to update payloads after it's already in play, because the idea is you can either deploy a cable, like physically get inside, or
You can just leave it in somebody's bag, leave it around, and eventually people are going to take a cable sometimes, and they'll bring it in with them to the secure space. Cool, I didn't have to even go in. Great.
which creates some interesting legal problems which we can get into that I've also solved. But yeah, that kind of is just how it kept evolving. And then at that point, it's like, OK, this is a real tool. At the time, I was thinking I should do this in a way that I just make it open source and everyone could make their own.
Um, are we still talking about the USB? Yeah, USB cable. Okay. And that's, uh, I, I thought about that, right? Like I was prototyping this cable, this new one, like on, on a desktop mill for cutting PCBs, right? Like I was pushing the limits on this machine where you can mill a PCB. So the PCB, actually, I got a little promise.
So a PCB. Here's a complete product. This is a Raspberry Pi, right? When I say PCB, I'm talking about just the green part here. OK. It's basically a fiberglass and epoxy with a thin layer of copper on it that gets turned into traces and that connects all of these components. The black thing there, that's a component. And all the little things you see on there, they're soldered on. That's components with copper traces connecting them together electrically.
Right? So I used a mill to kind of cut out the copper traces. And I would assemble in my garage lots of different test versions of what this cable could look like. And I got the idea, kind of going back to the Defense Distributed concept where open source is this, people can make it desktop mill, go that direction. What I learned over the 12 months of
revising and revising is it's really hard to do this. Like DIY was just not in the cards. Nobody was going to be able to do this. I'm like, OK, well, let's throw out the DIY. I can just turn up the complexity. There's PCBs.
with two layers like copper on each side, right? That's the common one. I can make those in my garage, but okay, what if I want eight layers or something like that? That gets really expensive. We're talking every time I want to do a run of an eight-layer PCB, six-layer PCBs, a minimum of $1,000. I have to send that off to a factory. They're using lasers and all kinds of crazy x-ray inspections and stuff to do this. So I'm like, okay, if I can use that,
how far can I go? And that kind of is how I evolved into making a more and more and more complex cable that is like the latest generation OMG cable. It does all of these different things. And yeah. Very interesting, very interesting. So how did you go? So you went from the exploding USB to the, what do you call it? What do you call the USB? The exploding USB? The other one.
The OMG cable? Yes. Yeah, I just, OMG cable. But there was a hard drop, there was a USB cable that did with the OAM. Oh yeah, so like, I guess I just kind of call it like early prototype tests. I was, I was referring to it kind of at the time as like bad USB cable, which is not an accurate description. It was more of a nod to some research at the time that was called BadUSB.
That's where you would take an actual thumb drive. There's a few old, old thumb drives that you could take and reprogram the controller on it and actually do keystroke injection. Among many other things, it was also a worm that would replicate to other thumb drives you would plug in. Cool concept, but. What was the first product you took to market?
Oh, OMG cable, definitely. So here's the thing. I was making a lot of these things for personal use, but I would also kind of sell them to friends and stuff. It's kind of like the back alleys of DEF CON type situation. I wasn't advertising this, but if you know me, I know you. I'll give you some of these things. But it became clear, I had to start scaling up.
Like the first batch of prototype OMG cables, I think it was 2019 I brought as many as I could. They took me...
It was like eight or 16 hours per cable and 50% of them were failures because that was just terrible. When you make something like an electronic product, usually you get like 95, 99% yields, which means one to 5% are failures that you threw away. These things were so hard to self-assemble that I was throwing away 50% of what I made.
So that automatically doubles the amount of time invested to make a cable. So you're doing like 16-ish hours per cable to make them. Wow, 16 hours a cable. Silly. So yeah, I was kind of hitting my limit of like what I could accomplish with the time I had. And it's like, you know what?
I need to learn how to delegate this outsource manufacturing assembly. Because I was also doing this hand placing things. You go to an assembler. So there's a couple steps here. So I'm going to run you through basically the manufacturing pipeline that I slowly learned is important here. But first, Hak5. It's really important to mention Hak5 here. So USB Rubber Ducky already mentioned.
that's Darren, Darren Kitchen, he's the founder of Hak5. That was his baby, invented about 15 years ago. He's got so many other things like the LAN Turtle, the Wi-Fi Pineapple, just packages. What are these? Similar to the end, right? What's the LAN Turtle? Exactly, right? So all of these are different kind of like hardware implants or hardware tools for
They're multi-purpose, but often used for offensive security. The LAN Turtle is a network implant that can control a computer, but also sniff up network data or just do malicious network stuff. What else? Wi-Fi Pineapple. This is a little box, antennas on it, that allows you to do network attacks. Really cool stuff.
Uh, network what? Uh, network-based, so Wi-Fi attacks, like you break into Wi-Fi.
They call them man in the middle concept. I prefer doing as mischief in the middle. But basically, you've got your device here and the wireless access point here. They're talking. But you bring in a Wi-Fi Pineapple and it can kind of intercept in between. There's so many different ways you can do this. There's no one single way. It's lots of Wi-Fi-based tooling. Another example, it's not so much relevant these days,
You know, when you connect to like your free Wi-Fi access points, coffee shops and stuff, your phone remembers that. Typically, you've told it to remember that usually. So next time you're in range it's going to automatically connect, right? The Wi-Fi Pineapple, for instance, can say, guess what? I'm that Wi-Fi too.
Right? So I pull up one right here and put it next to you or just anywhere, you know, you happen to be, your phone's going to be like, oh, I know that one. Let me connect to it, right? So that type of stuff, there's just so many different attacks that I couldn't possibly run through all of them. But just as an example, there's so many different approaches to security.
We think about computers and plug-in USB-N, but yeah, there's other things. There's the network, there's the wireless, there's near-field communication with badges and things like that. Totally different tools, totally different specialties and focuses. The badge readers, you don't think of as computer security for the most part, it's just building access.
But that's all one whole thing. Interesting. You're doing proper complete security awareness and testing. Well, let's take a quick break. Yeah. When we come back, I want to get into what is the actual OMG cable. Oh, yeah. Good point. Perfect.
All right, Mike, we're back from the break. We're talking about the O.MG Cable, but I want you to discuss and talk about exactly what it is that the O.MG Cable does and show us an example.
And for those who are listening, if you go to Mike's Everyday Carry does a phenomenal job at it actually showing what it does real time on computers, on phones, it's fascinating. But go ahead and give us the, you know, show us what it is and walk us through what exactly it does. Yeah, definitely. Let's pull one off. It's a visual. There's a good one.
So, O.MG Cable, right? Looks exactly like one of the many USB cables you've got. And if it doesn't, I got a whole bunch more here to guarantee it does. Yeah. Hold that. Oh, let me see that. Yeah. So it's got a whole, uh, a whole line of them. Yeah.
And I got the complete set. Yeah, you did. Watch out. So each one of these fit a different phone and/or USB drive. Yeah, I mean, so basically think about it. I should say. Yeah, I mean, think about all the different. And think of it as camouflage, basically. It's like, what's the environment? Do they use white cables? Do they use USB-A, USB-C? Is it a Mac shop? Cool. They're going to have Lightning on one end, maybe, if they've got the older phones. Newer phones, cool, and USB-C.
And it's really about blending in to fit what's already in place so you could swap it out or you can do other things. There's a lot of different approaches and techniques you can have when you have a device that is physically invisible. And just hiding in plain sight. So that's the physical aspect of it. And that took me a huge amount of time of shrinking down the components, which I will describe in just a second. But shrinking it down, it just took absurd amounts of time just designing the PCB that goes in here. And then beyond that, just the entire process of integrating the PCB into a cable that just took like a year, basically.
Well, before we get into how you manufactured it, let's talk about what it does. Yeah, exactly. So the PCB inside of here, what it does is when you plug it into a, it's primarily targeting laptops and desktops.
It's got a PCB that will wirelessly light up and it'll connect back to you. There's so many different ways you can configure it, but this wireless connection allows remote connection into the cable. It's got a full web UI in your web browser, right? Whether it's on your phone or laptop. It can even connect out to the internet and you can connect to this thing from anywhere on Earth if you do it that way.
What's it do though? You got control of this wirelessly. When you say it can connect to the internet, does it bypass passwords? No. You still got to have a wireless network it can connect to or you bring one in.
If I open the iPhone right now and looked at all the wireless networks, I bet there's probably one in there I could connect to. If not, are you going to notice a free coffee shop Wi-Fi nearby? No, not. For instance, right? The flexibility is the name of the game with this. There's no one way to use it. There's so many ways, because in a Red Team scenario, you don't know what you're up against, and you're going to need some options to circumvent a problem.
But yeah, still, what does it even do? You're connected to it. But it primarily emulates a keyboard. It says, I'm a keyboard, and it types really fast. So what does that do? Literally anything I could do sitting at the computer at the keyboard. So whether that's implanting malware or whatever it may be, that's the basic functionality of it.
But, I mean, it's not it. USB cables can often connect a keyboard to a computer when you're sitting at a desk. Swap out that cable and this can now intercept the keystrokes, which is really good. Just like one classic use case is if the machine is locked, I mean, you can type all you want, but you're at a lock screen. You need to get past the lock screen.
What do you need to get past the lock screen? You need the password, right? How do you get the password? There's a lot of ways. I mean, you could call up the person and effectively ask them for it by saying, I'm IT or something like that. But if you're deployed between a keyboard and just pull it right off the lines, they're going to type that password every single time they log into the computer.
You remotely see that, you rebuild a new payload that maybe when they go to lunch in the evening, when you know they're not at the machine anymore, it's just going to type in that password, automatically unlock the machine and then do all the nefarious things you want it to at that point. So you just have full access to the computer? Yeah, at that point, you can see everything. You can access anything so long as you capture the password from the keystrokes.
Yes, not so much seen. Well, there's a lot of it depends, right? It's not like a screen share like that TeamViewer thing. Not at this stage. So at this stage, we're just blindly sending keystrokes in, right? So as long as you know, you know, what OS it is or something like that, that's all you need on a desktop. Like, I know if I hit Command-Space, it's going to open up Spotlight on a Mac.
Then I can open up Chrome and then go to the address bar, do some things. For example, that's a very repeatable series of keystrokes and you can do them really fast once you know it. Just for an example. All right. That's the basics of the very core functionality. Then you combine that with key logging and suddenly, you're getting a bigger picture here, but there's also other.
Hold on, I want to go down. Yeah, yeah, totally. I'm a dummy one. Yeah, let's go deep. So yeah, so what would you, so now I didn't even understand that to be honest with when we did the EDC pocket dump. So basically you're.
So in that little window, you said there'll be a window that might pop up for. Oh, yeah. So you see a little window blink, right? That's basically your terminal. In that case, there's a lot of things I could do. But in that case on that, I think it was. So you could put some type of a Trojan horse or something in there and implant it in the computer like very exactly, right? Through a series of keystrokes. Exactly.
And then if you detect the Trojan on there and you remove it and the cable's still in play, which is designed to be, just put it right back on. No shit. Which is absolutely a thing that has happened with a bunch of my customers that they have told me that they did an engagement with a very high profile client. We can go into these types of things, but that reinfection vector is exactly what they used.
Do you prompt it or does it just automatically do it when you put it in the computer? Either or. So all about flexibility. So you can program this a couple different ways. So what I showed was me remotely connecting to it and I hit go. But this can be configured that when it powers up, when it gets plugged in, it powers up, it can immediately run a payload, it can wait a series, however long you want, and then run a payload.
Is the payload the actual keystroke or something? Yeah, exactly. So when I say payload, it's the series of keystrokes that gets run. And the malware, or the Trojan horse or whatever. You can. There's ways of typing out, like, if you've got like a small executable that you want to transfer over, there's a couple of ways to do that. Like, you just use the keystrokes to download it, right? You can download stuff from like the terminal, for instance, or I could use Chrome and download it there and go to the downloads folder and open it up there. Your keystrokes. Yep. I can navigate everything with keystrokes.
So you could, I have no idea what the hell I'm doing with this shit, but I'm learning. We could do some fun stuff. So you could send somebody an email with a downloadable whatever. And then plant that cable on them. They plug the cable in. It does the keystrokes automatically to open Chrome, log into their email, download the thing, go to the downloads folder, download it, then you're in. And it all happens within like a couple of seconds.
Yep. That's one way. I mean, I probably wouldn't email it to them because if I was going to email it, I probably include an email that convinces them to just run it for me. But if I'm up against a hardened target where it's, they're not susceptible to that, they're unlikely to do it. I'm like, okay, well, let's get a cable that'll do it for me, as an example, right?
This can also do mouse movements too, if we need lots of control there. And yeah, you can also, yeah, so the malware, right? You can download that. You can also type it back out. It's called Base64, it's just a whole bunch of, it looks like random garbage characters, if you open, like if you open up an executable with Notepad, roughly, stay in high level here. You're going to see a bunch of garbage text, right? You type that same text out in a notepad and save it. It's that executable. So I can type that back into the computer.
And boom, there's the executable, which is something we've done quite a bit in environments where they're checking what is being downloaded from the internet. OK, you're looking at the internet. Cool. I'm going to just type this little piece of malware back into the computer. Lots of cool tricks you can do like that. Wow. It's fun.
And so there's other aspects of this too. So you know, keystroke injection, mouse injection, I showed you the key logging. Oh, you were asking about the ways of triggering it. So I showed you remotely. I can click go. We can have it boot up and go. There's also what I refer to as geofencing. Basically, it's got wireless in there, so it can just look at the nearby networks and figure out where it is and where it isn't. And you can trigger or block things on that. And there's a self-destruct function where it'll erase everything on it. Now, it sounds super nefarious, but it's actually prompted by legal.
A lot of places have strict controls, so with the USB Rubber Ducky does the keystroke injection. It looks like a thumb drive by Hak5. That's my business partner. They invented that 15 years ago, ish.
What they would do is you could put like salaries.xls on it. So it's like, oh, that must be the company salaries and litter it in the parking lot, right? That's one way that people would be convinced to pick it up in the parking lot, bring it inside, plug it in, see what's on it, right? And boom, they've just infected themselves with malware, right? There's a downside to that, which is depending on how bad that payload is, if you're a red team, you're an employee of this company, right? You've got malware sitting on a loose object that anyone could pick up and bring it home, bring it into another business, and now you have just infected another business. That's not ideal, right? So certain environments, their legal team is like, no way.
You put geofencing on this. You have a payload where it boots up and just says, am I in the office? Is the corporate Wi-Fi present? Cool. If not, completely wipe everything. Are you shitting me? So you... Wow. Wow. So it knows where it's at. Yep. And where it isn't. Holy shit.
So this scan right here, this was done by Lumafield. They got a CT scanner, which is basically an X-ray scanner that takes a lot of X-rays, little slices across the product, and then assembles it into a 3D object. So Lumafield actually just did some work with them to sit down and talk about their machines. They use for all kinds of things. Manufacturing inspection, but also starting to get into security stuff like where you can literally see inside. This is a scan of the end of one of my cables. So right here is the connectors, USB connectors, and over here, we got the components. So this is the main processor. And this little thing over here is the antenna. You can kind of see the USB wires worn out at the bottom there. Wow.
And cool thing is, let's see if I can turn this. There it is. That is the whole internal and lots more components kind of on the back. You can use this to step through every layer and just see literally every little detail about something. So if you got untrusted hardware for instance, that scanner would reveal all of the internals. In this case, it's just really cool and it shows off. Here's what's inside my cable that's all the magic. You got to get that framed. I think I'm going to. It's a beautiful scan.