Transcript of #164 Mike Grover - How Hacking Tools Are Changing Cyber Warfare

Mike Grover, welcome to the show, man. Thanks.

Thanks for having me, dude.

We just knocked out 1 of the most fascinating everyday carry pop pocket dumps I've ever seen. And, and the fact that you designed all that hardware is just astounding. It's awesome. Thank you. So we got connected through mutual friend, Bryce Case junior.

Yeah.

And, thank you, Bryce. And, man, we've been trying to make this happen for, I think, a year.

Yeah. Over a year.

Yeah. Over a year now. So yeah. Because I interviewed he was our he was last year's Thanksgiving episode. Yep.

And, we got connected right after he told me about the OMG cable, which you developed, and, we'll get into that. But real quick, let me, let me let me kick it off with an intro here. Sweet. So Mike Grover, aka m g. You're a hacker, red teamer, entrepreneur, artist, security researcher, and educator.

You work for Fortune 500 companies conducting red team operations to test and enhance their security. You design and build covert hardware implants that bypass and challenge computer security. You also run a business that manufactures and sells your hardware designs, which are now used by countless companies and governments to strengthen their own security. The most well known hardware design is the o m g cable, a malicious USB cable. You're also a husband and a father.

And I'm sure I'm missing a whole slew of stuff, but, at least that paints the picture. But but, you know, I wanna do a life story on you, you know, some of the some of the things that you have developed, and then probably go down some rabbit holes with cybersecurity, maybe. I love knowing what China and Russia are up to if you have any insight into that. But, but before we start anything, everybody gets a gift. So

Alright. Boys.

Thank you. Gummy bears. So made right here in the USA. Legal in all 50 states.

Alright.

So, you know, I know you guys got some fun gummies down there in California, but this is just candies.

Bill, I'm gonna eat some now, man. These are

Go right ahead. I've Want some? Yeah. I'll take some of those. Thank you.

I'll see if I can not eat these by the end of the show. Good luck. Nice. Those are good.

Not bad, Yeah. But, sorry, I'm gonna talk with my mouth full. But, Mike, I got a so I got a Patreon account. It's a subscription account. It's, they were a major we're just talking about before, you know, right before we kick this off about starting businesses and how this started in my attic, and we're both entrepreneurs.

And and, so developed a Patreon very early on. They they have been the key component to how I've built my business, and a lot of them have been here since the very beginning. So 1 of the things that I do is I I give them the opportunity to ask each and every guest a question. And so this is from somebody anonymous. What's the simplest trick hackers use that 99% of people still fall for every day?

Asking. Just ask them. Ask them for access. Granted, you gotta kinda cloak it a little bit, but you pretend to be somebody you're not. And, for instance, like, I'm I'm your IT department.

I'm your HR. You call them up, you email them, and you say, I need you to do a thing real quick. And that process will generally have them maybe, entering their password, for instance, except it's into something you control. And at that point, you've got their password. It's that is a method that still heavily used and constantly works.

No kidding. That actually happened to us here.

Oh, yeah. Yep. Yep.

We had to have Brian Montgomery, jump in and save the day. But, yeah. It was, I we got an email saying, we want you to be on this podcast. Yep. And, I thought it was bullshit.

We had a staff member that that, kinda, like, pushed me to do this, and, of course, everything was in a rush. And, boom. We saw that. Then my guy, they got into our Facebook and almost hacked everything. Yep.

Took it all. And, and Ryan was able to, jump in and save the day kinda last minute there. So Nice. Thank you, Ryan. But, what what else?

What's another 1, though?

I mean, that that is, like, the go to. Right? Like, I mean, you can walk into a building, but why do that when you can just ask from halfway across the world. Right? Yeah.

Like, I mean, most most companies, you'll still be able to walk in and do all that stuff. It's just not worth the risk, unless they've got that level of security kind of locked down where it's like, okay, you can ask anybody in the company for their password. They can give it to you, but you can't do anything with it because, you know, we got, like, 2 factor turned on or stuff like that. Different security controls and detections that suddenly requires physical access to you know, you have to take more risks to do that. And that's it's a lot more skill, a lot more work to make happen.

Interesting. Interesting. Well, you know, I had a little chat with Bryce, before before he got here today, and, we were talking. And, by the way, have you ever seen have you ever seen that video of him at the dead mouse concert? He's he's up there.

He's rapping and falls off the stage. I gotta roll this clip. It is you've seen this. Right?

I I believe so. Yeah.

Yeah. I gotta roll the clip. It's

hilarious. Pass the plane. Oh. 0.

He brought something up that wasn't in your outline.

Oh, shit.

And, so might be a little uncomfortable, but I gotta ask it. And, and I think it's a good question because it sets the stage for the entire interview and everything we're gonna we're gonna talk about. But he says, in case he chickens out, ask Mike about his design being so good that they were copied by the most well known hacker of all time, Kevin Mitnick, also known as Condor. So I gotta hear about this, man. Oh, okay.

What is this the OMG cable? Predecessor.

Right? So I had been doing lots of designs of malicious cables. Right? And I had some really early proof of concept just to just to show it's possible. No wireless connection, really tiny payload capability, you know, a few dozen, maybe a 100 keystrokes.

Really limits what you can do. It's really slow. I mean, we're not we're not hitting that 1,000 keystroke, per second thing or maybe maybe a dozen. Really slow. Right?

But it's like, it it worked. Right? You can't remotely update it. It can't do anything, but it worked. I wanna show the world because, you know, hacker, you wanna share the information stuff and work with other people.

I I didn't see it as like a product. It was just more like a project, more like art. Like, hey. Cool. Look at this thing.

And, yeah, he he reached out, wanted to, kind of collaborate and, you know, have me, you know, build 1 for him. And, I started on that process, but, we didn't I I didn't have enough time to complete it with his his work constraints as well because he didn't have time and stuff. And eventually what happened, I I didn't know about it, but he went to, someone else and said, make this for me.

And, Oh, shit.

Yeah. It was it was not like, I didn't know about it until it came out. And then the thing is, it it it wasn't very good. And I was just like, dude, first of all, it's not very good. This sucks.

I wish, like, you know, making this a proper product, but also it was like, hey, if you, you know, had the resources, like, fucking I could have used that. Because I was just doing this on the side. Right? But we have, you know, solved things since then, you know. I think there's certain levels of communication and misunderstanding, so I don't want to be like, oh, he's he's the worst.

But, you know, lessons learned as well of like, you know, if if it's something you can turn into a product, maybe wait until it's ready. You know, things like that. Which is exactly what I did with the OMG cable. Right? That that that's where it's, like, thousands of times better.

I mean, is, enraging as I'm sure that was, it's also pretty flattering that, you know, the is he really, like, the world's most renowned hacker?

I mean well, so r a p. He's no longer around. Oh, really? Okay. Exactly.

But, yeah. He the the way he would be introduced, I like, I don't know. But it was always the world's most famous hacker is the, the tagline that was used.

What made him so famous? What was

the deal? So, well, he, God. I need a refresher on this, but basically he had, gotten the attention of the FBI, and they were hunting him down, for getting into various places. A lot of social engineering tricks and stuff like that. And, kind of a cat and mouse game.

I think there's a movie called called Takedown. Right? So good movie. Check it out. But he, you know, went to prison then and was pretty unfairly treated.

There was a whole free Kevin movement where, you know, they were doing I think they put him in, like, solitary or something because they thought he could, like, whistle into the phones and, like, launched ICBM's or some shit. Oh, my gosh. This is, like, back back when everybody's like, oh, my god. Hackers. Just evil wizards.

It's still like that today, but it was much worse back then. They they had no idea what was even possible. So, yeah, I, like, he was hell for much longer. I don't think Yeah. I I I don't want to misspeak here because I don't All good.

Particulars, but he, was held for a very long time, pretty unfairly. Eventually got out and, then went into infosec as, like, a profession, using that.

And then tried to, take your own GK.

I mean, I I guess I guess he he knew he knew it looked good.

So Hey.

He's good at that.

Hey. You got the the world's most renowned hacker taking, you know, your stuff. That's, that's pretty cool. Yeah. You know, sounds like everything worked out today.

So

Oh, yeah. Definitely. He and just just for the record, he got a he had a pretty unfair shake at, life. He ended up, I think he got, pancreatic cancer. And he died before his first kid was born, which is just fucking terrible.

Man. So yeah. I've, I've since met up, with with his wife and, you know, cleared the air. So we're good.

Good for you. We're good. Good for you, man. Well, let's get to you. So, you know, like I said, I wanna do a life story.

We gotta get into the LMG cable stuff and all the other stuff that you're designing, some red team stuff. But, actually actually, in your in your bio, I know what red team operations are Yes. Or red cell operations. But, could you explain that to the audience?

Yeah. Definitely. So there's a lot of it depends where we're talking about red teaming, because there's military red teaming, which I would love, for you to give me a couple stories on. Because I mean, I'm sitting in a room with a guy who probably knows that really well way more than me, so it would be a little ridiculous for me to explain that to you. But red teaming in terms of, like, corporate cyber security is a subset of pen testing.

Pen testing is find the holes. Tell us the holes. Right? I mean, that's cool, but it doesn't quite test how someone responds. I think there's this, like, I think it's a Mike Tyson quote where where everybody has a plan till they get punched in the face.

Right? Mhmm. It's like, okay. Well, maybe a little aggressive in context of cybersecurity, but, you know, how do you solve that? Like, in boxing, you you train, you get punched in the face.

Right? And then, well, okay. Now it's not gonna be new when it happens. So you might have a plan, but are you gonna execute on the plan? Are you gonna, like, miss some steps?

Is motion gonna get involved? And, also, you know, I can find holes at different layers, but red teaming is gonna be repeating exactly the entire chain. It's often called a kill chain, where it's you're connecting all of these different vulnerabilities to go from completely outside to completely to the crown jewels, take them out and succeed, and then you show how you did it after the fact.

So how'd you get into that?

Good question. So kinda almost don't even know, but over the course of just life and I started off as just help desk IT sysadmin where you learn a lot of things. And at the time, I didn't think it was very applicable, but, like, those are all the systems and the nuances and, like, just the weird compromises you learn. Like, oh, I don't have enough budget, so I'm gonna do it this way. Or you learn about the end users that you're supporting this help desk and all the problems they run into, and, oh, they're running into, like, policy that stops them from working, so, oh, they're gonna do this.

That's gonna cause a degradation of security, but it's really common, and you know that having been in help desk and sysadmin. So you start to connect these things together, and it it becomes this really valuable bucket of information for, oh, how would I get into the company using that? And, you know, got really into security for a while. It's just it's, it's also a piece of that role. Like you're gonna run all the systems for IT.

You gotta keep them secure too, especially in small companies where you don't have dedicated security. It's like, no, you, you are the security. So you gotta learn it that way, which requires you to think also how does an attacker do it? Because you, you gotta defend against that. Right?

So eventually, I just kinda got bored of doing IT and made the jump into security, started learning, actually Bryce. So good connection on this as well. So I had known Bryce for a long time, and I think it was like 2013. First time I went to Defcon, Hacker Security Conference, biggest 1, in the world in Vegas every year. And I decided oh, god.

What was this? So there's these unrecorded talks they also do in certain areas. He was on stage. I think he was doing something with, like, Bitcoin at the time, and he had this, like, like, telepresence robot on stage for a guy who was on house arrest. Like, he couldn't come, so he brought a telepresence robot to be, like, Bryce's partner on the stage, and it was it was just wild watching this.

And so I'm in the audience, I'm just like, oh, yeah, Bryce. You know, Whitey Cracker. I don't like it. I'm gonna go see what he's doing. And then, you know, he gives us a talk, and after it's done, I'm like, hey.

Yo. What's up? Like, never met you before. But, from that point on, we kinda you know, our relationship grew. Got to know him a lot better, but he also DJs, as you know, and he was DJing for a a guy called Fuzzyknap, who or sorry.

Flip that

around. Fuzzyknap was DJing for him because he also MCs and sings songs. Right? So he needs someone, you know, to play that. So FuzzyKnock was DJing for him on a lot of his shows.

So I met him, and well, he is the 1 who had built out a red team for a new company. Not a new company. New red team for a company, large company, and he ended up pulling me over into that team.

So Cool. Yeah. I love that guy, man.

Bryce is

great. Love that guy. The big game is almost here, and this could be your last chance to get in on the action. Don't miss out on the final football game of the season with prizepix, the best place to cash in on the big game. The app is really simple to use.

Pick 2 or more players across any sport, pick more or less on their projection, and you could win up to a 1,000 times your money. Join Prize Picks, America's number 1 daily fantasy sports app available to play in over 40 states, including California, Texas, and Georgia. So join now because a quarterback will only need to throw 1 yard to win. Download the prizepix app today and use code s r s to get $50 in promo funds instantly when you play $5. That's code SRS on prize picks to get $50 in promo funds instantly when you play $5.

Win or lose, you'll get $50 just for playing guaranteed. Prize Picks, run your game. Must be present in certain states? Visit prizepix.com for restrictions and details. Going online unprotected is like leaving your door unlocked when you leave the house.

Maybe you trust some of your neighbors, but what about random strangers? Do you trust all of them too? Do you really wanna take that chance? With ExpressVPN, you can stay safe online without having to trust anyone. Every time you connect to an unencrypted network in a coffee shop, at the airport, really in any public place, your online data is not secure.

Anyone on that same network can gain access to and steal your personal data. ExpressVPN changes that as easily as opening up the app and clicking 1 button to get protected. I've been on the road speaking with all kinds of people from health gurus to world leaders, and data security is extremely important to me. ExpressVPN helps defeat hacking attempts by creating a secure encrypted tunnel between my device and the open Internet, so you don't have to worry about who else has access to your information. Secure your online data today by visiting expressvpn.com/srs.

That's expres s v p n dot com slash srs, and you can get an extra 4 months free. Expressvpn.com/srs. Well, let's, took a little sidetrack there, but let's

Yeah.

Let's get to you, and, let's get to your car.

Get there eventually.

Where'd you grow up?

Alright. So I grew up in Wisconsin. Yeah. Brothers? Sisters?

Yeah. I got a younger sister,

4 years. You guys tight?

Yeah. We we don't keep in touch as much. We're both, like, super busy. But, we we could definitely be a lot lot closer.

Is she a hacker too?

No. She, culinary. Culinary. Yeah. Picked that up for my dad as well.

So my dad, yeah. So, he was in the navy as a corpsman for a while. I think it was like 4 years, submarine stuff. But medicine. Both my parents in in in medicine were in medicine, and, they did a lot of DIY stuff.

So they built their house from the ground up, designed it from the ground up. So I was in that that kind of raw materials environment. Like, the house never actually fully got completed, which is actually kind of cool because it's constant, like, tools, raw materials around growing up. I thought that was an amazing experience. Dude, I remember, shoveling out the, the house because it snowed before we got the roof on.

No kidding. Yeah. It was pretty cool. I was I was pretty young at that time, but it was still, like, you know, impacting, like, oh, look, you can just you can just do stuff. Right?

You can, like, that wasn't a profession, but they just picked it up, learned it, how to design it, built nearly everything. I think they didn't do was the the masonry for the basement, because, yeah, the trusses, and then they were rushed with the weather to get the drywall up. So they paid for for that. Everything else they did by hand.

Wow. Wow.

Pretty cool. So but yeah. Culinary. Right? That's for going back there.

Yeah. He's really into he he was really into just cooking and, really, really good at it. I, both of my parents, were doing barbecue competitions for a while as well. It was just Jack's all trades. Yeah.

Just get into it and go. And, I think that was a pretty good learning experience. And obviously that had an impact on my sister, who got into culinary as well and just did some did some great, great stuff there. I I didn't pick that skill up.

So what what were you into as a kid? Oh, God.

Definitely electronics type stuff. So it it just depends on the stage. Video games first. Lots of video games.

What video games? What platform?

I guess it depends over time. So there is the console stuff like Nintendo, etcetera. So let's go let's go all the way back. So Atari, and this is kinda like the first hard rack, actually. My dad, so if you remember the Atari joysticks, it's it's a joystick and a single button.

Right? That's that's the whole controller. And we were playing the game tank. Right? You just move around like you're in a tank and you fire at stuff.

Right? My dad took some, speaker wire, a tongue depressor medicine. Right? And, random button probably from Radio Shack, and just taped it to a stick to the tongue depressor, ran the wires off, and soldered it to the controller so that I could have access to my own little, like, button when I I don't know. I was like 4 or something.

So I could fire the tank while he steered it around. Right? I thought that was pretty cool, and it kinda stuck with me. Right? Like, you you just modify stuff, like hack and stuff.

So, very simple, but, you know, that was the first video game, first hardware hack, right, that I was kinda exposed to. And, yeah, spent lots of time on, like, Nintendo, Super Nintendo. Then I got into Quake. Quake was extremely impactful for me. That's where I went from, you know, consoles to the computer in the house that we had.

You know, I used it for, like, encyclopedia, like, you could chat with people online. Cool. But it's more just a tool. Right? Then Quake.

You gotta start learning things back when Quake came out. It was just late nineties. Right? You gotta learn, like, how to dial up work, how to connect to other people so you could do multiplayer. Like, that wasn't just, like, a button or 2.

So you gotta learn stuff, and even running Quake, it's like, oh, you you just don't launch it, you know, reboot the computer in DOS mode and stuff like that. And so you're learning how a computer works, but that also kinda that's where we get into hacking as well. That's that's kinda, like, the inflection point of Wow. Of things. Also, you know, 9 inch nails was built into that game.

They did all the sound effects and, you you can see the 9 inch nails logo on the the crates of nails as well if you look in there. But, yeah, that was also kind of, impactful for me with the stylistic stuff and the art.

Damn. So you started the hacking stuff at, like how old were you? We went the same age.

That was that was high school.

Atari was high school?

No. Atari oh, god. I don't I don't even know when that was. Yeah. I mean, just really

It's like 5 or 6?

Yeah. I don't I don't even know. Damn. Eighties. It was eighties.

Like, I don't know. But, yeah, Quake was high school.

Right on. Right on. So what well, let's fill in the gaps a little

bit later.

Were you into anything other than electronics, or was it always just electronics? And I shouldn't say just, was it always electronics?

I mean, they're it's all connected in some way. Like, I was in cars as well, like, you know, part of it was just, like, making the car continue to run, but also, you know, like, let's let's add sound systems to the cars and learn how that works, which is, you know, electronics in some way. Also got into water cooling the computer to overclock it, but that required learning, like, short

circuit. Yeah.

Yeah. So these days you can just buy a kit and install it. Right? But most computers are air cooled. You got a little fan in there blowing out the heat.

Right? If you overclock a computer, you can get a lot more power out of it, especially back in, you know, nineties early 2000s, but it would dump a lot of heat. Lots more heat, and air cooling couldn't keep up with that. So what you do, you take little, water blocks, basically, like a little piece of copper, strap it to the processor, the video card, and run water loops through it. Kinda like a, I don't know how to better explain that, but, it's like a little maze that the, water would take through through the channels on this block, and it would pull the heat out, and you would dump it.

And at the time, kind of was a Chevy Chevelle heater core that was just, like, the perfect size, and you could use that as a radiator with a larger fan on it. So instead of using the small fans that you'd find on, like, laptops or even desktops that, you know, maybe it's, like, that big, You'll stand that big, and it keeps it quieter while dumping heat, and you can just run these things really hot. And, yeah. I I had to learn how to make those things. Right?

So, you know, you get a pond pump from like a fish store, you get the Chevelle heater core, get all the tubing wired together, but I had to mill out or I didn't mill it. I drilled it. I'll use a drill press because I could could not afford access to that. I it was, like, a $100 drill press at the time. You just do, like, cross drilling through all different directions, plug it up, and get this cool spiral pattern where the, water would go through it, and, pull heat out of all your devices.

And you get to learn about things like, corrosion, like you got copper and brass and aluminum, and like, you know, these things are gonna start to corrode, so you learn, you know, the the chemistry behind how to prevent that from happening because you don't want corrosion because then your computer's gonna have water all over it when it leaks. Just for example. Right?

So wow. So you you like a jack of all trades. Yeah. You like taking stuff apart, putting it back together, figuring out how it works, how to fix things at a very young age, and it just exploded.

Yeah. So Yeah. Basically

now. How'd you get into hacking?

So I'm gonna put that on Quake as well. So you you're playing online games. Right? And you learn you can do, like, interesting things. You start controlling things in weird ways, and it kinda escalates.

You know, like, wait a second. There at the time, there was no, what we call, like, client side security or client side, like, integrity checking. Like, the game files I had on my machine were unique to me. You know, like, you would download them from, you know, the author at this time, we were actually installing it from CD drives. And you just, you know, expect it to not mess with that, but nobody's stopping you.

You can go and mess with the, the player models, for instance. And you can, like, add a really large cross that goes like 10 feet above, below, and all sides of this per this person. Right? So now you can see him running around the corner, because you know, this this post sticking out them, and you see him coming from the corner. They don't know that, but, you know, it was a good good approach, or a lot of dark spaces.

Right? You can't really see people in the dark. You're like, cool. I'm gonna add a fluorescent color to their skin, and there they are. They're glowing in the dark.

Right? See through walls. Right? Like, you've got these, textures that would go on the walls, and, you know, they're opaque, but they don't have to be. You just set them to transparent, and then suddenly you're seeing through the walls, and, you know, that type of stuff was I have more fun, like, figuring out how to do it than actually doing it.

But that kinda just opened the door of, like, there's rules and there's expectations, but there's also not many people checking. Like, best way to kinda God. I I don't wanna get, like, philosoph get get into philosophy here, but there's this kinda beautiful, I think it's Jacques Ranciere, who defines, like, police politics. Right? As, like, you got you got a road.

Right? And it's painted. There's lines, and everybody just obeys those. Right? And he connects that back with politics, of like, how you're told to vote and do all these things.

It's like, okay, but like, what if you don't follow paint on the road? What if you go off the road? What if you get really close to the edge? Most people are They see those lines are gonna get right in the center of the road because it's what you're supposed to do. It was like, what would happen if you don't?

That's that's interesting to me. That's where weird things start to show up, like unintended designs, unintended powers and capabilities, just unintended failures, unexpected failures. It's it's really fascinating to play with that. Play on the edges, see how close you can get. And I guess now that you make me kinda say this, that's probably a good descriptor for how I think about a lot of things, like art, everything across the board.

It's fine fine find the boundaries and what happens if you go on either side of

it. Interesting. Interesting. Did you, were you, did you get involved in any of these like hacking type communities? Oh, yeah.

So yeah.

So like early, late late nineties, more more early 2000. There's a lot of online communities. Some are big. I mean, I think the the really big ones you would know of, that most people would know of are other, like 4chan and like something awful. Right?

Big places that had, like, the bigger names at the time, but there were also much smaller, like, specific topics. Water cooling. Right? There was a water cooling, there was a bunch of them, but, you know, there would be water cooling communities where people just share their techniques and stuff, so they could all just improve upon it. And, yeah, there were also, you know, hacking theme ones.

So Bryce and Digital Gangster was 1 of those. He was that that is 1 of the several communities I I have, you know, known him from. And, yeah, there's this was also at a time where online space and Meet space, were very separate. Right? Like, like online dating, for instance.

That was like, what? Now it's like, that's all the kids do these days. It's really weird. But I met my wife from 1 of those online communities. But eventually those those worlds start to blend together when you spend more time in there, and you're spending most of your time in there and just talking to these people.

Eventually, I mean, it depends on the community. Maybe not so much like Digital Gangster where it's, like, just raw crime happening is maybe not the best best idea to meet up, for many reasons. But, you know, certain lesser criminal communities, yeah, meet up with people and those worlds start to blur together. And, it's a little bit different than the, you know, 2024 is where it's just everything is just Yeah.

Meets together now. Yeah. How'd you meet your wife?

Yeah. I mean, so, we posted on some of 1 of the the communities out there, I think it was, like, from hardware overclocking. I yeah. I can't remember exactly what it was, but, we I moved out to California. That that's its own story we can go into.

But when I moved out, I think it was, like, the 1st week. It was like, hey. Anybody in this community, like, around wanna hang out? Show me around town. She was 1 of those people.

It was like, yeah. And, yeah, it just kinda grew her from there.

Is she a hacker too?

Not a hacker per se. Gamer, photography, art.

Cool. Yeah. How long have you guys been married? I'm sorry

to put you out of

the spot with that 1.

I what year is it anymore? I think it's 10 10, 14 years. It's 2009. 15 years?

2009. 14.

Yeah. So, almost 15. 15

years.

Yeah. It's crazy. Yeah. I haven't known her since 2004. So What's

the what do you think the secret to a successful marriage is?

Oh my god.

Bet you weren't expecting that 1.

No. I was not expecting that 1. I'm gonna have to think about that 1, man. I don't know, man. Just, because I can connect this back with everything is just kind of understanding, I mean, humans are a mystery to me, but at the same time, there's so much complexity and it creates it's like a everybody's different.

Like everybody wants to put everybody into a bucket. Like, there's there's the us and there's the other, but, like, dude, humans are messy and complicated and unique, and understanding that helps a lot with everything, whether it's being in a marriage or attacking somebody to get into a company. It's like, you know, the same thing. Right? Like, understanding, but, you know, very different motives and goals behind that 1 is just truly understanding the person and and working with them, and, you know, the other is kind of the inverse of that.

Right on. Right on. Let's talk about, you know, some of the stuff that you did. Did you what are some of the big hacks? Were you involved in any big hacks?

Not not like hands on keyboard. I I'd like to watch those. I so for most most of my time, like, any of the the hacking stuff, that was me I I kind of viewed it as, like, entertainment. Like, it wasn't like power, money, or anything like that for me. It's just, like, let's let's have some fun.

Right? Mhmm. Yeah. You can mess around. Like, I I would do stuff on, like, some of the communities as well.

Like, I knew the people who would run the servers. So, you know, you can mess around in there and,

like What kind of stuff?

I mean, okay. For for instance, this I gotta remember all the complexities here, but, this community was, like, very liberal with, like, temporary bans and stuff like this. You know, I got myself banned, and I'm, like, get around that. Right? And then they could not get me banned in this in this environment because they they had some add ons that they were using for this this VBELTON.

I think it was VBELTON, it might have been PHP BBB. PHP BB. Anyway, 1 of the large platforms at the time just had a lot of plugins that just gave me raw right access to the database effectively. And, you know, I could post through that. And, you know, they they had a lot of fun chasing me down in that situation.

I'm just like, how are you still here? So very, you know, lighthearted lighthearted in that, instance. You know, they they were they were more interested in how it was done than like, oh, you're you're breaking into my stuff. So yeah.

I know. I'm fine. Well, let's move into I don't know, you know, a whole lot about hacking.

So Yeah. Yeah.

You know, I would I would love for you to expound on, you know, how you got into it. Or not how you got into it, but Yeah. But some of the things that you just found fascinating that that that kept you going all the way up until building your own hardware.

Yeah. Definitely. And, actually, you know, going back into the, the youth for a little bit, something probably important. I had a phase where I was really into magic. Right?

Mhmm.

Sleight of hand, deception, that type of stuff. I think it was middle school. Right? Actually, got my first taste of, authority not being super ideal for me. Brought in a fixed cigarette to middle school.

Right? And it's the the peak of the dare dare situation. Right? Looks perfect. Looked like it was actively lit, and you blow on it, and, like, you know, talc.

I think powder came out, but it looked like smoke. That got confiscated. We got friend and I got pulled down to the principal's office. I don't know. I think I got suspended for not taking the situation seriously enough.

I'm like, how can I take this seriously? Like, it's fake cigarette, but I think my friend pointed out oh, yeah. That's right. They brought on the the cops to test it because some of the talc powder came out, and they're like, that might be cocaine. And, my my friend made probably an unhelpful comment of, like, that's not even how you would smoke cocaine.

But, yeah. Anyway, sleight of hand. You know, that gets into, like, deception and the human aspect, which is often forgotten a lot in in hacking. People are like, oh, yeah. It's just knowing computers really well.

Definitely a huge piece, but, like, it's people as well that have to be kind of, like, manipulated. You gotta understand them. You gotta convince them to do things, which is the most common way of getting into so many systems. You say, hey, like, I'm from your IT department. Let me in, and you gotta know how to make that sound legit.

Again, you know, if somebody's like, I don't know, and like, okay, let's do some urgency to, like, make them kind of panic a little bit where their decision making goes down, and they're panicking, and they're like, oh, I just gotta do the thing, or, you know, I might get fired, or this bad thing's gonna happen, or you know, there's there's so many different, like, psychological triggers that come into play and create this misdirection.

Interesting.

And you're like, oh, it's it's it's like, sleight of hand for, you know, psychology. Right? So you you push people into different directions and you get them to, you know, reveal their password or run an application on their computer that gives you access to everything. And that overlaps with the technical and the hardware and all these other things. And just, I guess, being a generalist, now that you make me think about it, it just allows you to kind of glue all of those things together.

And I guess yeah. At the time before I officially got into, like, paid security, I was thought that was a weakness of like, oh, I've never specialized in anything. I just like, I couldn't possibly keep up with the people who did specialize. I mean, that is true. There's, like, every person I work with that specializes, it goes so far into just absolute wizardry that amazes me, and I could never keep up, and because I just cannot sit down and focus and be like, I'm gonna do this thing, and that's all I'm gonna do.

Like, I get 80% of there, and I wanna go play with another thing. But Yeah. Yeah. It it worked out. It's great for the entrepreneur type perspective as well, where you're gonna juggle all the things.

Keeps you busy. Right?

Yep. Yep. Well, Mike, let's take a quick break. Yeah. And when we come back, I wanna get into some of the hardware that, that you that you've made and Yeah.

Absolutely. And

and how that happened and who's used it, what governments, all that kind of good stuff.

See what I can say.

The economy has been a major burden on Americans. Wages are flat, expenses are up, and it keeps getting harder to pay all the bills without reaching for credit cards. If you're a homeowner and you're frustrated with that cycle, I want you to make a 10 minute no obligation call today to the people over at American Financing. Interest rates have dropped, and if you're constantly carrying a credit card balance each and every month with a rate in the twenties, American Financing can show you how to put your hard earned equity to work and get you out of debt. Their salary based mortgage consultants are saving their customers at an average of $800 a month.

And if you get started today, you may not have to make the next month's mortgage payment. Call American Financing today, 866-781-8900. That's 866-781-8900, or go to americanfinancing.net /srs. You sign up for something, forget about it after the trial ends, then you're charged month after month after month. The subscriptions are there, but you're not using them.

85% of people have at least 1 paid subscription going unused every month. Thanks to Rocketmoney, I can see all my subscriptions in 1 place and cancel the ones I'm not using anymore. And now I'm saving more money. Rocket Money is a personal finance app that helps you find and cancel your unwanted subscriptions, monitors your spending, and helps you lower your bills so you can grow your savings. Rocket Money's dashboard gives you a clear view of your expenses across all of your accounts and keeps you informed with alerts if bills increase in price, there's unusual spending activity, or if you're close to going over budget.

Rocketmoney will even automatically scan your bills to find opportunities to save and lower your bills. Then you can ask them to negotiate for you. They'll deal with customer service so you don't have to. Rocketmoney has over 5,000,000 users and has saved a total of 500,000,000 in canceled subscriptions, saving members up to $740 a year when using all the app's premium features. Cancel your unwanted subscriptions and reach your financial goals faster with Rocket Money.

Go to rocketmoney.com/srs today. That's rocketmoney.com/srs. Rocketmoney.com/srs. Alright, Mike. We're back from the break.

I missed a couple of things in our outline here, so I'm gonna have you pick it up with, we're always gonna start with 26100, whatever the hell that means.

Oh, yeah. Yeah. So all the the security stuff I was doing, the the times I was, you know, doing help desk with stuff like that, security for the most part, anything security connected was a hobby. So, you know, even even the overclocking and water cooling, that was a hobby too. But, yeah, 26100 is, you know, kind of a hackerzine.

I think they're quarterly. Just lots of people writing in to show, you know, tricks they've done, whether it's with pay phones, you know, freaking phone freaking.

Wait. So what is 26100?

It's a hackerzine, basically. You can you can

go Like a magazine?

Yeah. Like a little magazine. You can you can go to, like, Barnes and Noble's and get

it. Okay. So yeah. Wait. So what is it?

Is it a book?

It's, I think it's quarterly where they will just publish a new set of, like, little, like, kind of articles written by different people

that talk

about how to hack something and how they hack something. Just cheats on systems. Just sometimes politics, just, you know, hacker minded stuff. Right? Gotcha.

It's pretty cool. But, that was also when I first got into that, you know, phone phreaking and stuff was more popular then as well.

What is that?

Yeah. So that's that's hacking with phones, basically. So this goes back way, way long ago. God. I think the guy's name was Joy Bubbles, actually.

Deaf guy. Or sorry. Not deaf. That wouldn't make any sense. Blind.

And he noticed that there were like tones on a phone when, you know, connecting to overseas and stuff. Like this is way back when, you know, you just, you had, you had to pay long distance and stuff like that. Right? Yeah. But phone calls cost a lot of money, but he noticed they made like certain tones and stuff.

So he, he had perfect pitch, and he would just whistle them back. And then he noticed, like, the phone network would do stuff when you did that. So, yeah, it was what we call in band signaling. When you can hear the signal, the other end, you know, there there's the, like, the switch panel of the phone networks hear these tones, and it's like, you know, when you you push, numbers on the keypad and they make a tone. Right?

Yeah.

You do

it in a certain sequence, and it's like, oh, it hears that. There's other tones that the keypad doesn't make that tell it to do other things. It's where the 26100 comes from actually, 26100 Hertz. I can't remember what that does, at the moment, but it it it would allow certain, administrative type functions. And it's like routing around, like, oh, you paid, and now you can route long distance or something like that.

Right?

But no shit. So hold on. Hold on. So the so it actually has nothing to do with the keys that you're pushing? It it has to do with the tone that they're programmed to make.

Yeah. I mean, at least at the time. Things have changed since then. But, yeah, it was just the tones. You could literally whistle those tones or home them or whatever.

So blue boxing was the other thing it's called. There's there's many boxes, many colors, but blue boxing just replicated that. You could literally quickly dial a number or whatever you wanted to do, do the administrative codes, play it right into the mouthpiece, and it would dial and do all these things.

Holy shit. I have no idea.

Believe it or not, that's how Apple started. Woz and Jobs made some of their first money selling blue boxes. And What is a blue box? So it's it's the device that would allow you to more or less get free phone calls in the age of, you know, having to pay for long distance and stuff. Like, go to a pay phone, just pull out your blue box, hold it up to the, mouthpiece, press some buttons, make it do what you want, call whoever you want.

It it was illegal at the time. I What was the There was a magazine I got into by a guy named Cap'n Crunch at the time. He got that name because there is a whistle inside of the Cap'n Crunch serial that just happened to make that 26100 tone when you blow it. So he didn't have perch perfect pitch like Joy Bubbles did, but he had the whistle. So just blow the blow that of the phone, then you, open up certain axis with Cracker Jack.

Sorry. Not Cracker Jack, but a Cap'n Crunch, style toy, which is really cool. But, yeah, you can electronically reproduce those sounds, and that's what they were doing with the the blue box. There's, like, red boxes, and rainbow box there was so many different boxes that would do different things that people would figure out, and they would share that with each other and, yeah, it was technically criminal, but a lot of people did it at the time. And, yeah, it's Woz and Jobs, so took that money and started Apple with it.

So

No kidding.

Yeah. It's pretty cool.

I had no idea.

Very cool. And did Woz I I would love to meet that guy 1 time, but he is a a great example of, like, the the old school hacker that was way more about, like, mischief and just figuring out how work, and not necessarily anything criminal. So Interesting. Great great example. Interesting.

So you were working at this at this magazine?

Yeah. No. So I wasn't working there. I was just enjoying it, and there were, a lot of lot of munis, different cities would have, like, meetups. Like, hey, 26 100 meetup.

And you go and, you know, meet people that are into that stuff. Really tiny where I was from, so I didn't really go anywhere, but that that was cool. It would get you into just more, like, hey, here's other ways of hacking that you didn't know about, and just gets you to think, like, wait, if I can do that, if they did that, what what else can you do? Like, let's let's play it. Like, it's just it's all about exploration and experimentation.

Like, what it is frontier too. Like, there's just unexplored space. Like, what what else can you do? And, outside of 26100, there's, like, there's all the tools that people knew of the early online days, like sub 7 or Netbus.

What's that?

Kind of kind of like a a software Trojan more or less. Basically, you get somebody to run it or you run it on their computer, and it gives you a remote access. Right? You can fully control those machines over the Internet. Right?

Open up their, the CD trays, close it up. Just do all kinds of wonky stuff that could be before pranks or it could be criminal. God. Okay. There reminds me of 1 of the ways we used it.

So again, we, I was way more about just pranking and having fun. My friend, in high school, her name was Heather. She was really into like, just spiritual stuff and, like, you know, she thought, like, spirits were in her house and stuff like that. She it was a phase. Right?

But, a friend and I had that running on our computer and you could play noises in the middle of night and shit, and just like it was terrible. It was so bad, and you know, the CD drives would open. It's like, you know, it it it she was terrified at the time, but later on thought it was funny. But yeah. For an example.

Right? Like, you you can just have fun. You can play with people. You don't you don't have to actually straight up to crime. Crime crime does occasionally pay though, so some people would get into that.

How old do you use it?

For criminal?

Yeah.

God. This goes way back. We're or I mean, we're talking like 24, 25 years ago. So I'm not a 100% remembering this, but it would have been you you can do, like, file system modifications, stuff like that. So, you know, access to cookies, you know, that'll contain, like, login information.

You can just, you know, get into people's accounts, send mail as them, and, like so, you know, spamming was a huge thing back then. I mean, this this where Bryce has gotten a lot of, reputation from from those early days, spamming. My my friend at the time, paid for his first computer by spamming for a porn company, actually, which is funny because he's, cashing a check, sizable check for a porn company, and he's like, I don't know, he's probably like 14 or something at the time, getting, like, weird eyes from the bank. So, yeah, that happened. But, what else?

Yeah. I mean

Did you ever do any did you ever do anything illegal that's passed the statute of limitations that you can share?

So a common misunderstanding about the statute of limitations is it's not just about the time in which has passed since you committed the crime. Depends on the crime, but many times, the clock starts from discovery. Interesting. It's a common missus, missing miss misconception, that is good for a lot of hackers to realize. But, I mean, I'm sure so the CFAA, it's Computer Fraud and Abuse Act.

Literally any access to any electronic interface that is not explicitly allowed, that's a federal crime. So literally what I described, you know, getting onto my friend's computer, that that's federal crime. Even though they're cool with it and all this

stuff. Yeah. Gotcha.

So literally any of those things can be heavily punished.

Gotcha.

So, yeah. It's it's tricky, but Well, let's get into your first job. Yeah. So first job, IT. Again, like, security was not really a huge thing, for the most part.

All that was side stuff, but, you know, you still have to be conscious of, you know, secure design. My coworker, was kind of my mentor at the time. He is he was ex DOD, ex, Navy, had had a lot of fun stories, but, also got me more into security. We actually did our 1st security presentation for, the company kinda using some classics here. So the movie Sneakers, a lot of it's amazing movie.

Still holds up today. If you haven't seen it, go watch Sneakers. It's awesome. But they did a lot of, like, physical security stuff. Like, you know, if the doors got the hinges on the inside, you can kick it open.

If it's on the outside, you know, then you gotta do something different. But, what else? There's, like, the social engineering aspect where they wanted to get through, like, a front lobby attendant who had to, like, buzz them in, so they had someone else come in with, like, I think it was, like, a delivery, like, just creating a lot of stress. So 1 guy's, like, yo, I got this delivery. Other guy's like, hey, I got my cake in my balloons.

Can you just ring me up? And it just goes and escalates until he's like, and just pushes the button and gets in.

Right? Mhmm.

Of course, you know, he didn't have a cake or anything like that. The balloons were to cover the camera, and the cake was think it was like a briefcase of some hardware that he had to, like, infiltrate into the company that would go attack things. Right? Great demo. We use that, like, hey, here's some physical security things, get you get you to think about it, and, catch me if you can.

Another thing where it's, you know, social engineering was used. And believe it or not, that, movie based on Frank Abagnale, most of the stuff he said is actually made up. It was like the con on the con. But anyway, yeah, that was kind of a a classic thing that still a lot of security presentations today will still use those. Anyway, long story short, kinda got me into the idea of educating on on security instead of just playing and having fun and just Mhmm.

The entertainment values. Like, oh, you gotta actually teach people. I'm like, you know, there's a responsibility here of, like, teach people how to not, fall victim. Also did some, like, live password cracking. Like, back in the day, people were using real terrible, passwords, so just adding some extra characters and stuff.

We were able to, you know, do, password password cracking just in the middle of this this presentation. Like, hey, this password you can get in 15 seconds. This one's gonna take us 10 hours. In reality, that How

do you begin to crack a password?

Basically, I mean, there's a lot of different ways. The way we were doing it was just brute forcing. Being able to have, the ability to just retry, like, word sets, like, common password sets. You can just get those. There's there's a lot of, pass password lists, what we call them, that will, when you're gonna brute force and you just wanna try them, well, like, hey, we know these are the common passwords.

We know these are passwords from leaked breaches and shove them all together. Good chance somebody's reusing that somewhere. Good approach. There's cryptography and stuff, but Do you

use a password manager?

Oh, yeah. Definitely. Highly recommended.

Which 1?

1 password's pretty good. There's there's different ones depending on what you need.

Is Keeper any good?

I haven't looked too heavily into that 1. 0. I know I know somebody who's very into, like, that that space that speaks fairly highly of 1Password, but it's been a while, so I wouldn't wanna be like, yeah. This is this is the 1 because that space is always changing. But, what

constitutes a good password?

1 that you don't know.

It's all password managed.

Exactly. So if you don't know your password, it should be unique per site, and as long as hell, and that means you're you're gonna have to use your password manager to autofill that, or, you know, copy paste. What however you're gonna do it, you're gonna need the password manager to feed that back and log in to the site. That combined with proper 2 factor, just gonna secure so much, when it comes to you being compromised by social engineering and phishing.

Okay. That's good to know. Yep. Let's move on.

Yeah. Yeah. So, yeah. After that job, I was kinda bored of Wisconsin. And my friend at the time, the the 1 who, made the money, spamming, he, moved out to San Francisco a year earlier and worked for a company called Long Now.

They're the ones doing the 10000 year clock that a lot of people are associated with. I think Bezos is on there, but, Stewart Brand

Hold on. What's the 10000 year clock?

Yeah. So it's this idea I don't I don't think they built it yet, but, still working on it. But the idea is that they're they're gonna put a clock, like an analog clock in a mountain that stays accurate for 10000 years. It's it's good it's really to get people to think really long term.

And What do you mean?

Just like who who's really you know, it it it's hard for people to think more like like even like 1 election out of consequences. Right? Yeah. Like 4 years, 10 years. Maybe you think as far as your kids.

K. Cool. Well, how about a 1000 years? How about 10000 years? Like, it just changes how you think about the future and what you do, what matters, what doesn't.

And it's it's it's kind of it's almost like a thinking prompt for people. It's like nobody does it, like, start doing it. This was also I think it was formed shortly after the y 2 k bug, which was hilarious because, you know, computers started a lot of the systems at the time were kind of birthed in the seventies, and, you know, they had 2 digits for the year. Right? Like the last 2.

So, you know, 78, 79, you know, eventually, what happens when you get to 99 and it rolls over to 0? Is that 1900? Is that 2000? Nor neither did the computers. Right?

But people were only thinking, you know, a couple decades. That's enough, somebody's gonna rewrite my software. No, no, it's not. No. We're still using that software today.

So that's where the y 2 ks bug came from, and it's like cool, you needed to at least think, you know, 1,000 year scale so you can have 4 digits of space for your ears. That was that was the entire y 2 k bug. But I believe the that was kind of around the same time that okay. 1000 years, what about 10,000? Probably where that came from.

So hold on. They wanna make a clock Yeah. That's accurate for 10000 years and put it put it in a mountain?

Yes. Basically. The mountain, I think, is to keep it safe. They have to like, keeping time for that period of time, like, you you can't use any other timekeeping system. Like, you know, the atomic clocks and stuff like that aren't accurate over that time span.

Mhmm. So you have to account for, like orbit variation, shift in the poles of the Earth, and all of these other things. Like, they have a whole CAM system that readjusts the calibration of where that clock will be in x years.

Interesting.

Over that span. It's it's absolutely crazy to, like, engineer with that in mind. It's like Yeah. Nope. You you don't nobody thinks about, like, orbit variance over time of the Earth or the pulse shifting for the clocks they use.

Like it's just not a factor, but but if what if you had to? I think it's really cool.

But Interesting.

Yeah. So, yeah. My buddy got a job just doing Sysadmin for them and web development, and it's like, hey, If you want, like, a few weeks on my couch, go for it. I'm like, you know what? I'm gonna take you up on that.

I'm gonna use that to just move out there. I had no plan. I was just like, I we're brought through

No plan.

No plan. I'm just like, I'm just gonna do it and figure it out, which I guess is a very red team approach too. It's like you you you can't plan anything. You're just gonna move and figure out what's in your bag of tricks as you go, and work around the problems. But, yeah, I'm like, I'm gonna bring 3 suitcases.

I prioritized 1 of them, was, like, my gaming system. Like, I a whole suitcase was dedicated to just a computer. Like, I don't know what I was thinking, but, yeah. That was, 30% of my, luggage when I moved out. Stayed out of the sketch for a bit.

Got some random odd jobs doing like audio QA testing and stuff like that just to make it. And, eventually got into the game industry doing sysadmin, IT, help desk stuff. And it just kinda grew from there. And, yeah, I stayed there for, like, I don't know, 15 years in the game industry. But on the side, being in San Francisco gave me a lot of unique perspective.

So first of all, Stewart Brand is kind of the guy that was running the show over at long now. Stewart Brand is 1 of the original people on, like, the hippie bus with, like, Timothy Leary and all this other stuff. Right? They're doing runner going around the country, doing the acid tests and stuff like that. But lots of just divergent thinking coming from that.

And that was interesting just to kind of see, like, I didn't get that in Wisconsin. This is also kind of where, like, you know, the PC revolution came from that type of people. Right? Or just diversion thinking, what can we do? What mischief can be made?

All all this, the stuff. The makerspace, maker fair was out there as well. So this is just this is more like hands on hardware hacking, not like security hacking, just like hobbyist hacking, like 3 d printers. Let's just build some stuff. The kind of stuff you find at, like, Burning Man.

Right? Like the art where you start mixing all these things together. That, opened my eyes to just, like, different different, focuses and esthetics. There's, really good point to kind of dev deviate here, something called Beam Bots. Actually, I'm gonna pull up this laptop here to show you a picture because it makes way more sense when you see

it. BeamBots.

Yes. You're like, what? So BeamBots, b e a m, biology, electronics, esthetics, mechanics. It's just a kind of a design philosophy around building little robots. So I just kind of had to show it because it I don't know.

You're probably picking up a bit of an insect vibe from this, I would assume. Right? So it does a couple of things. First of all, there's no PCB on here. It's just free form soldering, and all of these components, there's nothing extra for the esthetics.

It's it's all functional. So on the back, you've got a solar panel soaking up energy. This like thorax here, that's that's holding the charge from it. And then these, this is really cool. These are LEDs, but LEDs when you shine light on them, actually emit a little bit of energy on the lines, like a reverse solar panel, right?

They're inefficient solar panel, but you can literally use them as eyes for this. So depending on what direction it's facing, it's gonna 1 eye is gonna see more light than the other. That's where the light source is coming from. There's a really tiny brain in the middle, it's literally 4 logic gates. Which is tiny.

Like your your phone has millions of logic gates in it. Right? Like a calculator, my cable has 100 of 1000 of logic gates. This thing, it's got 4. Okay?

What is the logic?

What do we call it a logic Logic gate. So basically, all all computing comes down to the concept of, binary, on or off. Like, think of it like a light switch. Right?

Mhmm. It's

on or off. You can do math with that. Let's go through it real quick, actually. We got, 3 light switches, right?

Yeah.

Got to think of which direction we're going here. So, we got 1 on 2 off that that can give us a 1, turn them all off. That's a 0. Right? Easy.

Now we put 2 in the picture. You turn 2 on basically double, double the last 1. So if 2 are on, that's gonna be, 3. Basically, the first switch is the valley of 1 or 0, the next 1 is 2 or 0. And then the next 1 would be 4 or 0.

Next 1 is 8 or 0. That's binary math. Right? Okay. And all decision making, it can kind of be based on this.

So in this sense, it's very analog, but basically, this will eventually fill up and have enough energy charged that these 4 logic gates are suddenly making a decision. Like, this side's filled, which eye is sensing the most light? And at that point, it's gonna fire the opposing leg with all the energy has gotten here to steer towards that. So you have this little bug looking thing that walks. Right?

And it just constantly steers towards the light source. And to me, I thought that was really cool because a, focuses on esthetics, which is not super common, and b, it uses really cool hardware hacks, like I said with the the lights here that normally it's for emitting light, but no. You can you reverse that and use it in an unintended way. And you can use really minimal logic to do what you want. And, you know, I've applied some of that to my cables as well.

Not this specifically, just the the mindset of, like, you don't need 10 things in this cable. You can strip it down to 1 if you're really creative. Wow. That's how you that's how you shrink things. So, that's that's kinda where that connects with, you know, like, hey.

Let's fake let let's focus on, esthetics, but also minimizing and just using things in unintended ways to get more out of it. So that that was, kind of a a good point in which it kinda just opened my eyes to also, you know, soldering and electronics, but also the art of it and and all that. So, yeah, BeanBots. That was that was a a good pausing point, for my many hobbies that I would pick up over time that eventually led into what would become the OMG cable.

I know everybody out there has to be just as frustrated as I am when it comes to the BS and the rhetoric that the mainstream media continuously tries to force feed us. And I also know how frustrating it can be to try to find some type of a reliable news source. It's getting really hard to find the truth and what's going on in the country and in the world. And so 1 thing we've done here at Sean Ryan Show is we are developing our newsletter. And the first contributor to the newsletter that we have is a woman, former CIA targeter.

Some of you may know her as Sarah Adams, call sign super bad. She's made 2 different appearances here on the Sean Ryan show, and some of the stuff that she has uncovered and broke on this show is just absolutely mind blowing. And so I've asked her if she would contribute to the newsletter and give us a weekly intelligence brief. This is gonna be all things terrorists. How terrorists are coming up through the southern border, how they're entering the country, how they're traveling, what these different terrorist organizations throughout the world are up to.

And here's the best part, the newsletter is actually free. We're not gonna spam you. It's about 1 newsletter a week, maybe 2 if we release 2 shows. The only other thing that's gonna be in there besides the intel brief is if we have a new product or something like that. But like I said, it's a free CIA intelligence brief.

Sign up. Link's in the description or in the comments. We'll see you in the newsletter. Let's move into Defense Distributed. Yeah.

So I think this

is about 2013. So First Defense Distributed, it's the the company behind, the Liberator, which is a 3 d printed gun, and also the Ghost Gunner, which is a mill desktop mill that you can mill out a lower receiver, AR 15 platforms. It was like the first commonly

You're the 1 that did that?

I did not. No. So I got very interested in that. That was, that was done by Cody Wilson. He so let's, let's crack that whole, whole topic open up a little bit more.

So I think it was 2013. There was a lot of, experimentation in, like, the 3 d printing space with, like, firearms. Right? Cody introduced it to the world. He basically inflicted this idea upon, like, the public psyche in, like, this amazing way that just caught my attention in in a couple ways.

1st, it's this approach of, like, hey, we're gonna give this to the world in a way that is irrevocable. Like, going back to that, like, the police politics concept I was mentioning. Mhmm. It's just like, okay. What if you create something that, like, there's voting and opinion having, but you create something to put in the world that nothing can change that at that point.

I just thought that was just amazing from, like, the political standpoint, regardless of what topic or what what opinion you may or may not have on firearms. The politics of it and the power of creation was amazing to me. And he did it with, like, a level of, like, art and bravado that was just, like, perfect for the delivery of this, and, So what fasten so

what you're saying is is bringing something to to the world that cannot be taken back, like Bitcoin.

Yeah. Great. Another great example of, like, no opinion on that is going to change its existence. It exists. And, like, what if you're thinking about, like, real politics and participating, like, creation is 1 of the most powerful things you can do.

That that's what I kinda learned from watching that. But, yeah, I decided, like, hey, I wanna know, you know, more what they're doing. And I've I've helped out with, you know, security and, you know, just computer stuff in general. Used used what I had. Like, hey.

Can I help, to a lot of different places, whether it's, like, 9 inches nails communities, just to get more insight of, like, how the artistic process works there? Or in the case of Cody, just helping out with the security of that, just to kinda, you know, see see how they work. You know? Bunch of anarchists getting together, building a company, and just just just the whole, like, fight that they were in. It was very fascinating to me just to observe that, and, that kinda stuck with me, both the creation, the power of creation, and the artistic approach they took to it.

That that was 1 of the things I kinda had in mind when I first created the the OMG cable. It's like, hey. At the time, I thought I was just gonna open source this thing and put it out there. That ended up not making sense because it was really hard to make. You can't just DIY it.

But, yeah. It it, it was 1 of the motivators in my head at the time when I was first kind of putting it out into the world. So, yeah. 1 of those many things is just like, hey, this is a fixation. I wanna know more, and I'm just gonna focus on it for a while.

So, yeah. They're they're still doing their thing. Still mixed.

So what did you do though?

I just helped out with some security stuff. Like, I didn't I didn't have security stuff? Network and IT. So I mean, every every company has gotta have that. Right?

So I'm like, hey, you know, you're probably a small shop. Probably don't have the level of security, you know, understanding for your systems, but I don't know. Maybe I can help. So it just helped out and it allowed me to get more insight on how they run things and just just just more exposure to, like, how how the artist works. Right?

Mhmm.

Because that that, allows me to just kinda figure out there's there's a lot of things I would experiment with, but I never found, like, my medium. Right? Like, as an artist. Right? You know, like, I, you know, got into music, you know, I'm not not that great with music, you know, visual arts, not that great with that.

3 d printing's everywhere now. Yeah. You know? And so you were at the forefront of this? You were on the I mean

I I so I wasn't doing anything besides, like, the security for them. It's just just kind of, even if I didn't do any work for them, just that

Just being a small part of it.

Yeah. Exactly. But even just seeing it happen would have been enough for me Mhmm. To kinda kick start some things. It's it's another How

did that come across your radar?

I mean, it was everywhere. At the time, it was, like, in wired and all these other places. Okay. Like, 3 d printed gun, you know, firing, like, it's everyone can print a gun now, like, regardless of laws, and that's, you know, that that was kind of the the, message going around in the press. This is also kind of another pivotal time, when, the NSA Ant catalog.

So Snowden happened around the same time. This is often incorrectly misattributed to him, but there were a lot of leaks that happened around that time, both with and without Snowden, that kinda opened my eyes to the level of games and just technology happening in computing. Yeah. I mean, I already knew a decent amount of it, but the Ant catalog, man, that that had it was just like you know when you're growing up and there's, like, the spy tools in the back of the magazine, you know, just pure ink and all, you know, all those things. This was like that on crack, dude.

It was like they they had a malicious cable in there. This hey, when was it? It was leaked in 2013. The catalog was dated 2008, and they were announcing in 2009, they would have these cotton mouth cables available for, you know, purchase to their ecosystem of, you know, whoever they sell to in in the NSA. The price on those, I think it was a minimum order quantity of 50 with a $20,000 per cable price tag.

It's like, wow. Amazing. But, you know, had all these electronics inside, a radio inside, and that that was cool. And actually yeah. Pull this up again.

So, Cottonmouth. That's this this is the page out of the catalog where it shows, it's really chunky cable. Like, really, really thick hood, but they they sandwich a whole bunch of different PCBs in inside of this thing. And, you know, that stuck in my head, obviously.

And so what does that do?

They weren't super specific about the exact capabilities, but, you know, it had a radio. It had some ability to manipulate USB. I I mean, I would based on all of my reading in here, it's the the latest generation of o m g cable is basically a dead match to its capabilities, from what can be deciphered from this page. So all the way down to, like, covert exfiltration and stuff like

that. What were they using it for?

It's a good question.

What's the thing? What does she'd say?

It doesn't it just it just it's more of a capabilities thing, like getting through and breaking security effectively. So I I mean, I would imagine this gets implanted into spaces that are higher security. Like, you know, if you can't just log in and do stuff or if you can't do the easy things, you're gonna start having to use these types of tools to get into a place, have somebody plant a cable, and then you've got remote access. They they there were a lot of other tools in this space, like implanted, video cables that you would implant on a monitor, so you could remotely read what's being displayed on the monitor. Lots of cool tricks like that.

Some some were long range, some were short range, but all kinds of crazy spy gear that would allow, impressive capabilities that very few people in the private civilian space even consider defending against.

Interesting. Yeah. So what is the Ant catalog?

Yeah. I forget the if if there was ever a mention of what Ant stands for, but it was just this leaked catalog with all of the different

It was a leaked catalog.

Yeah. Somebody leaked it. It's a lot of people say it was from Snowden, but, like, if you'll actually trace it back, it wasn't. It was never at at least attributed to Snowden. Yeah.

That just came out, and, you get to look at the amazing spy gear that is out there.

What's some other stuff that caught your eye?

Definitely those those video cables. I'm trying to remember all the different things. If you can pull it up actually, but Yeah. You you wanna pull it up right now? I can pull

it up

on the Internet.

Pull it up. Sweet.

Alright. Cool. So, yeah. Let's go through, just a few of the pages of the catalog. I haven't done this in a while, so, a little rusty.

But, yeah, so, let's look at just the hardware stuff. We got let's see. What is this? This is a short to medium range implant for, RF transceiver. It was, this is a component that adds RF to 1 of the other pieces they have in here, which they call a digital core, to to provide a complete implant.

So it's kind of like a customizable build your own, what kind of implant do you need. They put this into various pieces of hardware. There's actually I think it's over here. Here's kind of, another implant. They call this thief.

Lux Rabbit. It's a hardware implant designed specifically for Dell PowerEdge Servers. Like a specific 1, hooks to, it's called a JTAG debugging interface. Basically, a lot of hardware has like a debugging interface. If you get access to that electrically, you do a whole bunch of stuff.

You can implant things, at a really low level on that machine. They give you all kinds of access. Right? Mhmm. It gives you lots of data.

So if you got a an implant that goes into there and hooks up to it, you've got like permanent access. Similar to the like, I was describing with the USB cable, with that that covert exfiltration mechanism, but this is baked into the machine. So I would imagine the way this happens is during mailing interdiction. So, you know, Dell ships a server over to the customer. Right?

And our government knows this is happening. They grab it in the mail, crack it open, put 1 of these inside, close it back up, send it off to the intended target, and, now they've got long term access inside there. Even if they wipe everything, like, down to the hard drives, put new hard drives in, you can still get it right back in. They would have to crack everything open, and look at all the hardware to find this type of stuff. Really cool.

Really cool touch of implants.

Wow. And there's no way to know that?

I mean, there there are ways. That would take so hard. Yeah. You gotta know what you're looking for, basically.

Do you worry about that stuff at

all? I mean, it depends. Like, I I me personally, no. I know the types of targets that this is destined for, and, like, you know, I I I'm not 1 of those targets.

What kind of targets is that?

I mean, well, I mean, the the Israeli pager situation. Great example of, like, do I worry about my pager exploding? Like, I I'm not Hezbollah, so I no. I'm not worried. Just for example, just to put a very, pointed, like, answer to, very current topic, for instance.

Right? Now there are certainly lots of gray area. We've seen lots of gray area where it's like, wait, you're doing surveillance on US citizens, and, like, that generally isn't happening anything like with hardware implants and stuff like that. That's with access to telcos, Internet providers, and, yeah, that's I I operate very openly, so it's not you know, I'm I'm I'm a little less concerned, but I it's more of a political and philosophical, like, you know, when nobody's got privacy, it changes society in ways that aren't very good. That's where I'm more worried.

How often do you think the US was using this on its own citizens?

I mean, this specifically, like, I would suspect Or

these types of things?

Well, hardware implants. Let's go with hardware. I I don't know how often hardware implants would be used. That tends to be super targeted. Like, and super targeted also generally, I would assume, I would hope, means significant more legislative kind of not legislative, legal oversight where, you know, you're getting the warrants and all these other things.

Whereas these really wide net things, which hardware is much harder to make wide net. Wide nets where you can collect all the things because you've got access to, telco for phone, Internet type providers, and you're just slurping everything up. Yeah. Everybody would then be pulled into that. That's the kind of stuff that Snowden showed.

Right? Mhmm. That's a different story. That's that's, everybody's get pulled into that 1 way or the other, type problems that occur. So I I do you have to worry about people getting, you know, breaking into your network and just causing problems in your life?

I don't that's a that's a complicated topic. Like, it's more privacy invasion at that point. Mhmm. And it's like, yeah. What are we worrying about?

Are we worrying about our personal safety, our personal freedoms, society as a whole, and the health of it, if they, you know, and a free press. Like it's Yeah. It's it's a very large complicated topic.

Do you think China's putting this stuff into the electronics that we're buying from them?

I mean, not, like, in the sense of, like, consumer levels. I mean, it it depends. Right? Like

Could it be access from that far away?

If they wanted to, anyone if anybody wanted to do that, yes. But the thing is doing it to just like off the shelf consumer stuff is a lot harder to do in terms of hardware implants. If you wanted to do it that way, that's where we get more into the software level, like software backdoors, which we've seen in things like cryptography. Right? You know, it's posited that a lot of, cryptography backdoors were put in by cooperation with, like, the NSA for example.

A little rusty on this stuff, but basically that becomes very valuable when you're slurping up all the Internet data, and a lot of that's encrypted. But if you know how to quickly break the encryption, well, now you can see the contents, and that's where that comes in. And, yeah, it's I

mean, a lot of people say that that kinda hardware is, installed into our Power grid.

Depends, I would say. Well, god. I have forgotten. I think I think China makes a lot of our, like, power transceivers and

stuff, but Make a ton of it.

I honestly, from what I've seen and the people I talk to that work in all this stuff, I don't think physical implants are quite needed. Like, it's the things are just not secure remotely, like, externally. Like, if you don't want to literally, I think it was yesterday, maybe. I don't know. It's something that news that has come over the last few weeks, where our own government is saying everyone I I think it was actually to their own, government employees to use signal, use Imessage, use encrypted chat, do not use text messages because China has they're just in all of the telco systems right now, which means they would be able to read the text messages.

Right? They don't need hardware implants that I know of to do this. Maybe they did that to get in, but now they're in that system. Right? Like they're I've I mean, I've helped, in environments that a foreign adversary had gotten into, and I took a bunch of time to evict them and find where they are.

I was done all remotely. Right? Like there's a lot of this stuff doesn't require, like, the James Bond type hardware to get in. And Interesting. Yeah.

That's that's a tricky topic. Interesting.

Do you worry about it?

I mean, there's so many things to worry about, though. I think, yes, kind of. There's once you've seen enough, like, horror shows though, you're like, woah. Wow. Everything is just broken.

And society as a whole, it's amazing that it operates. Just the levels of trust. Like, 1 person is all it takes with enough well placed, like, damage. And whether it's security or just electrical power grids, all all these things. There's all they can just tip over, right, with just enough of a push.

Mhmm. And, like, everything's that way. It's not just security. Yeah. So I don't know.

I kinda just lump it all together of, like, this is a really good experiment for humanity. I mean, humans have been, what, on this planet for, some say 300000 years. Right? Like, we're living in the best time. There's I I I don't think there's a single person alive today who would be like, yeah.

Bring me back at random more than a 100 years ago. Sign me up. Like, that's that's that's not a good, the odds are not good. Right? Like, we're the most comfortable we've been, most well off on average across the Earth in in this last 100 years.

And, you know, it's a good experiment, and things are volatile. I mean, that's kind of the consequence of freedom too. Right? Like, it's the people gotta gotta maintain it.

What text messaging you have to use to use?

I like signal. Signal's great.

You know, there's a lot of rumors that the CIA created signal.

I'm sure they did. I mean, so the I think they helped fund it, actually. But they they helped fund a lot of things, Argonne Mhmm. In many ways. But, I mean, SIGNAL is an amazing tool if you're an agent as well.

Like, you're gonna be overseas, in hostile environments, and you need to communicate. How how are you gonna do that securely? Are you gonna use a secure tool that sends out, like, a giant red flag because nobody else is using it? Probably not the greatest thing. It's like, hi.

I'm an agent. I don't know what you're saying, but there's an agent right there. Right? Like, I mean, obviously, there's answers to that and stuff, but it's it's valuable as, like, oh, that's just the tool everybody uses. Mhmm.

Signal. Everybody's got that. Right? Like, that's that's valuable. You know, obviously, there's always trade offs.

Right? It's like it could be used for bad, it could be used for good, and, you know, who's bad and who's good and whose perspectives.

Yeah. Right? I mean, that's how we communicate via signal.

Yeah. Yeah. Exactly.

Is that how you communicate with everybody? A lot

of people. Yeah. I mean, I I will meet them where they're at. Right? Gotcha.

Like my manufacturers and stuff don't use signal. They've got different governments over them and things like that that, yeah. It's it's interesting. Mhmm. So, yeah.

Whatever, whatever you use, I'll I'll meet you there. But, contextual contextually, it matters. Like, okay. I'm on this platform, which can be seen by these adversaries. Cool.

Noted. I'll make sure I keep that in mind, which is kind of the the the whole point of, like, the psychology when you know you're being watched changes how you behave in ways that can be negative. Like, what's you know, if you're always being watched by somebody, what what does that make you? How does that make you behave? So Different.

So Yeah. Yeah. I mean, there's there's lots of other other cool things in this catalog, like, oh, Raptor Reflectors. So this is for picking up audio. This is standard audio bugs.

Right? Like, you know, spying on what's happening in the room. What else we got? Lots of, cellular based stuff. Now this is this is, like, 10 years old at this point, so a lot of this stuff is well known.

Really tiny implant. So this is this, is like a probably a VGA cable here for, like, an older monitor, which made more sense back in, 2008. Really tiny, implant into that cable, tapped to 1 of the color signals, and it would allow somebody to kind of energize it with like a radio pointed at it, more or less, And then receive the signal bouncing back with the, the video signal encoded in the bounce. So then you'd be able to see what's on their screen. Wow.

Really cool stuff. Right? What do you

think was in the spy balloon that was traversing the

I don't know. I I haven't studied those well enough, but I mean, there's a lot of amateurs that just do that. Like, it's they'll just set up a balloon and, it's kinda like the the ham radio space kind of in a way where they're just like, oh, you know, we we can track it. There it goes. It goes around and

Let me rephrase that question. What could have been? What could it have been?

I mean, I don't I don't know, man. There's that that's probably outside of my skill set and awareness, and research. But I mean, it could be used like a balloon. I mean, I'd probably probably be using a drone more, because the problem with balloons is that they're much more higher altitude, which causes problems for a lot of electronic circuitry because it gets really cold and stops functioning. Also, you know, you've got power that you gotta deal with.

So best you can get is battery that's not gonna batteries also start to fail at that that level of cold. Right? So you need special batteries, something to keep it warm, which means more energy. So you're getting it from solar power, probably. This is really low power stuff.

Right? Like, I don't know. I may maybe just the value of how does someone respond to putting something in their awareness. Yeah. Which is absolutely a thing.

Right? How does someone respond? Which I don't know, it was similar to the drones that are popping up, and I was just like, I don't know where those coming from. New Jersey had 1 recently, but there's lots of, like, drones in the sky. I'm like, I don't I don't know what that is, but I would love to find out.

And is it collecting data, or is it just seeing how people respond to unknown, unreported drones in the sky Yeah. For, you know, tactical knowledge in the future.

Alright, Mike. Let's get into some of the stuff that you make. I know you have exploding hard drives. You got the the o m g cable. You're you're making all kinds of just crazy wazoo wizardry gadgets that I am just fascinated with.

And, so where where did this kinda start? Did it start with the exploding hard drive, USB drives?

Yeah. I mean, kinda. Like, I had always been tinkering with things like like those Beam Bots. Right? But yeah.

So I think it was on Twitter or something. I saw just a picture of somebody with a USB drive. The shell was open, and there's just like a firecracker sitting inside of it. No idea if it worked or not, but I'm just like, everybody has like the same visceral response to seeing that. Like, oh, shit.

Floating thunder. And I'm

like, you know what would be cool? Is if it was worse. So USB rubber ducky. Gotta explain what that is first for this to to make sense. My now business partner, Hak5, invented the USB rubber ducky, I don't know, like 15 years ago now, something like that.

It's does the same basic keystroke injection that I had demoed with the cable. Right? Where you plug it in, it types something really fast, whatever you want to control a computer, or whatever you want. Right? I wanted 1 of those that also exploded.

So first thing I had to do is if you open up a rubber ducky, there's not much space in there. It's all electronics. I'm like, okay. How can I shrink this really tiny, so I have space for something that goes boom? So I spent a lot of time playing with that.

Right? Now I didn't recreate a rubber ducky exactly. Like, it's a really, really limited version, like a few 100 keystrokes, really slow, done. Right? That's it.

Really hard to use, but it was tiny. And I shrunk it, and shrunk it, and shrunk it, shrunk it, and it's just, I don't know. I think it was like 8 by 10 millimeters when I was done. Like like a pill basically. That left the rest of the thumb drive empty that I could hook up with a little mini detonator, and you know, some maybe maybe a firecracker or 2, and a bunch of confetti.

And I rig this up to a keystroke injection payload that opens a browser to, animation of a jack in the box. And he's cranking it. Right? On the screen, except it goes for an awkwardly long amount of time to build up tension. And it's going it's going

That's what shows up on the screen Uh-huh. It ends.

So you're watching that, and then, pop. The, the drive blows up. Confetti goes everywhere. And I'm, like, yeah. That was cool.

I I just viewed that as fun. Yep. Like, another type of art or something like that. Put it out on the Internet, and it was, like, that's crazy. A lot of people ask me to sell that.

Now, no, that's a terrible idea for so many reasons, liability, etcetera. When you put something into the world that can be used negatively, it's always worth gaming out. Like, how how bad can it go, and can you prevent some of it, which I've done a lot with the cable. But, in this case, it was just, you know, something I wanted to put out there. But at that point, I had a really tiny ducky, right, that I could well, maybe I could put it in other things.

And eventually, I got the idea, probably in, like, doing my IT job, looking on Amazon for spare parts for hardware and stuff, I noticed there were, like, USB cable repair ends and boots. I'm like, wait, what? You can just get those? You know, at the time, I didn't know much about manufacturing. Right?

Got some of those and realized there was enough space in them for the cables and this really tiny, you know, fake ducky. Right? Shove it in there, and I get the very first proof of concept of a malicious USB cable. Yeah. Put that out.

And, you know, I already told the story about that 1 where, you know, it gets out there and a lot of people like it, and then a lot people wanted it. I think it was a year goes by before I'm like, you know what? I could make that way better. Like, that's that was a toy. Like, this is like a cool gimmick to show, like, a very basic prank, barely even worked for that.

What do what would a proper tool look like? And, yeah, I was getting way more into, like, the concept of I wanna do red teaming as well, so I'm combining those things. And, yeah, I was like, okay. Well, I need Wi Fi. I need remote control to update payloads after it's already in play.

Because the the idea is you can either deploy a cable, like, physically get Insight, or you could just leave it in somebody's bag, leave it just leave it around, and eventually, you know, people are gonna take a cable Mhmm. Sometimes, and they'll bring it in with them Yeah. To the secure space. Like, cool. I didn't have to even go in.

Great. Which creates some interesting legal problems, which we can get into that I've also solved. But, that yeah. That kinda is just how it kept evolving. And then at that point, it's like, okay.

This is a real tool. At the time, I was thinking I should do this in a way that I just make it open source and everyone could make their own. Are we still talking about the USB? Yeah. The USB cable.

Okay.

And that's, I I got I thought about that. Right? Like, I was prototyping this cable, this new 1, like, on on a desktop mill for cutting PCBs. Right? Like, I was pushing the limits on this machine where you can mill a PCB.

So the PCB actually, I gotta hold on for this. So a PCB. Like, here's here's a complete product. This is a Raspberry Pi. Right?

When I say PCB, I'm talking about just the green part here.

Okay.

That's just it's basically a fiberglass and epoxy with a thin layer of copper on it that gets turned into traces. And that connects all of these components is like the black thing there. That's a component and all the little things you see on there, they're soldered on. Components with copper traces, connecting them together electrically. Right.

So

I used a mill to kind of cut out the, the copper traces. And I would assemble in, you know, my my garage, lots of different test versions of what this cable could look like. And I got the idea, you know, kind of going back to the defense distributed concept where, oh, open source is this. People can make it on the desktop mill, you know, go that direction. What I learned over the, 8, 12 months of revising and revising is it's really hard to do this.

Like, DIY was just not in the cards. Like Yeah. Nobody was gonna be able to do this. I'm like, okay. Well, let's throw out the DIY.

I can just turn up the complexity. There's, PCBs with 2 layers, like copper on each side. Right? That's the common 1. Those are I can make those in my garage, but okay.

What if I want 8 layers or something like that? That, like, that gets really expensive. We're talking every time I wanna do a run of an 8 layer PCB, 6 layer PCB, it's like a minimum $1,000. Okay. Like, I I have to send that off to a factory.

They're using lasers and all kinds of crazy x-ray inspection stuff to do this. So I'm like, okay. If I can use that, how far can I go? And that that kind of is how I evolved into making a more and more and more complex cable that is like the latest generation o m g cable. It does all of these different things,

And, yeah. Very interesting. Very interesting. So so how did you go so you went from the exploding USB Yeah. To the to the what do you call it?

What do you call the the USB?

The exploding USB?

The other 1.

The the o m g cable? Yes. Yeah. I just o m g cable.

But there was a hard there was a USB cable that did with the o m Oh, yeah.

So, like yeah. I guess I just kinda call it, like, early prototype tests. I I was I was referring into it. I kind of at the time, it was, like, bad USB cable, which is not an accurate description. It was more of a nod to some, research at the time that was called bad USB.

That's where you would take an actual thumb drive. There's a there's a few old, old thumb drives that you could take and reprogram the controller on it Mhmm. To actually do keystroke injection. Among many other things, it could it was also a worm that would replicate to other thumb drives you would plug in. Cool concept, but

What was the first product you took to market?

OMG cable, definitely.

The OMG cable?

So here's the thing, is I was making a lot of these things, like, for, like, personal use, but I would also kind of sell it to friends and stuff, you know. It's kinda like the the back alleys of Defcon type situation. Like, I wasn't advertising this, but it's like, if you know if you know me, I know you, I'll I'll give you some of these things.

Gotcha.

But it became clear, like, I I had to start scaling up. Like, the first batch of prototype OMG cables, I think it was, 2019, I brought as many as I could. They they took me, it was, like, 8 or 16 hours per cable, and 50% of them were failures because, like, that that which is terrible. Like, when you make something, like an electronic product, usually you get, like, 95, 99 percent yields, which means, you know, 1 to 5% are failures that you throw away. These things were so hard to self assemble that I was throwing away 50% of what I made.

So that automatically doubles the amount of time invested to make a cable. So, you know, I'm doing like 16 ish hours per cable to make them. Wow.

Like that's 16 hours of cable?

Silly. So, yeah, I was kinda hitting my limit of like what I could accomplish with the time I had, and it's like, you know what? I need to learn how to, like, delegate this outsource manufacturing assembly. I because I was also doing this, like, hand placing things. You go to a, an assembler.

So an so there's a couple steps here. So I'm gonna run you through basically the manufacturing pipeline that I slowly learned is is important here. But first, hack 5. It's really important to mention hack 5 here. So USB rubber ducky, already mentioned, you know, that's that's Darren.

Darren Kitchen is phone number of hack 5. He you know, that was his his baby invented about 15 years ago. He's got so many other things like, the LAN Turtle, the Wi Fi, pineapple, just packages. What are these? They're, similar to the Anc app.

Right? Exactly. Right. So all of these are different kind of, like, hardware implants or hardware tools for they're multipurpose, but often used for offensive security. So, like, the LAN Turtle is like a network implant that can control a computer, but also, like, sniff up, network data or just do malicious network stuff.

What else? Wi Fi Pineapple. This is a little box, antennas on it, that allows you to do network attacks. Right? Really cool stuff.

Network what? Network based, so Wi Fi texts. Like, you could break into Wi Fi, you can they call them, like, man in the middle concept. I like to refer to it as mischief in the middle. But, basically, you know, you've got your device here and, like, the wireless access point here.

Right? They're talking. But you bring in a Wi Fi pineapple and it can kind of intercept in between the 2 there there's so many different ways you can do this. There's no 1 single way. It's lots of Wi Fi based tooling.

Another example, it's not so much relevant these days, but, you know when you connect to, like, your free Wi Fi access points Yeah. Coffee shops and stuff, your phone remembers that. Typically, you've tell you've told it to remember that usually. So next time you arrange, it's gonna automatically connect.

Right? Mhmm.

The WiFi Pineapple, for instance, can say, guess what? I'm that WiFi too. Right? So if I pull up 1 right here and put it next to you or just anywhere, you know, you happen to be, your phone's gonna be, like, oh, that that I know that WiFi. Let me connect to it.

Right? So that type of stuff, there's just so many different attacks that, I I couldn't possibly run through all of them. But that just as an example, like, there's so many different approaches to security. Like, we we think about computers and they're, like, plug in USB in, but, yeah, there's there's other things. There's the network, there's the wireless, there's near field communication with, like, badges and things like that.

Totally totally different tools, totally different, specialties and focuses. Like, the the the badge readers you don't think of as computer security for the most part. It's just building access. Right? But that's all 1 whole thing.

Interesting. You're doing proper complete security awareness and testing.

Well, let's take a quick break. Yeah. When we come back, I wanna get into what is the actual OMG cable.

Oh, yeah. Good point. Perfect.

Even though I'm excited for the new administration, there's a lot of tension in the world. Russia, Ukraine, the border, inflation, who knows what could happen next? Me, I'm not waiting around to find out, and I don't think you should either. Look. It's simple.

I want you to go to seanlikesgold.com. You'll learn about my partners over at Goldco. They're a great precious metals company that I trust. They're 1 of the top rated gold companies in the industry with impeccable customer service and they support the show. And for my listeners, they're going to give you a free gold and silver kit where you can learn about how precious metals could help you protect your money.

You could also get up to a 10% instant match and bonus silver on qualified orders. That extra 10% is a great way to get started, plus it helps support the show. All you need to do is go to seanlikesgold.com. That's seanlikesgold.com. Make sure you do everything in your power to help protect what's yours.

Performance may vary. Consult with your tax attorney or financial professional before making an investment decision. Alright, Mike. We're back from the break. We're talking about the OMG cable.

But, you know, we need I want you to discuss and talk about exactly what what it is that the OMG cable does and, and show us an example. And and for those that are listening, if you go to Mike's everyday carry, does a phenomenal job at at actually showing what it does real time on computers, on phones. It's fascinating. But go ahead and give us the, you know, show us what it is and and and and walk us through what exactly it does.

Yeah. Definitely. Let's let's pull 1 off the visual. There's a good 1. So o g cable.

Right? Looks exactly like 1 of the many USB cables you've got. And if it doesn't, I got a whole bunch more here to guarantee it does. You're

a Yeah. Hold up. Oh, let me see that. Yeah. So it's got a whole, a whole line of them.

Yep. And, I got the complete set. Yeah. You did. Watch out.

But yeah. So what is so each 1 of these fit a different phone or and or USB drive?

Yeah. I mean, so basically, think about,

like I should say.

Yeah. I mean, think about all the different, and it's think of it as camouflage, basically. It's like, what's the environment? Did they use white cables? Do they use USB a, USB c?

Is it a Mac shop? Cool. They're gonna have lightning on 1 end, maybe, if they got the older phones. If it's the newer phones, cool, and USB c. And it's really about blending in to fit what's already in place, so you could swap it out, or you can do other things.

There's a lot of different approaches and techniques you can have when you have a device that is physically invisible.

Mhmm.

And it and just hiding in plain sight. So that's that's the physical aspect of it. And that took me a huge amount of time of shrinking down the components, which I will describe in just a second. But shrinking it down is it just took absurd amounts of time, just designing the PCB that goes in here, and then beyond that just the entire process of integrating the PCB into a cable. That just took, like, a year basically.

Well, before we get into how you manufactured it, let's talk about what it does.

Yeah. Exactly. So the PCB inside of here, what it does is when you plug it into a it's primarily targeting laptops and desktops. It's got a PCB that will wirelessly kinda light up, and it'll connect back to you. There's so many different ways you can configure it, but this wireless connection allows remote connection into the cable, get a full web UI in your web browser.

Right? Whether it's on your phone or laptop. Can even connect out to the Internet, and you can connect to this thing from any anywhere on earth if you if you do it that way. What's what's it do though? You got control of this wirelessly.

The main When you say

it can connect to the Internet, does it does it bypass passwords?

No. You still gotta have, like, a wireless network it can connect to, or or you bring 1 in. Like, if I if I open the my phone right now and looked at all the wireless networks, I bet there's probably 1 in there I could connect to. If not, like, are you gonna notice, like, a a free coffee shop Wi Fi nearby? No.

I'm not. For instance, right, there's the flexibility is the name of the game with this. There's no 1 way to use it. There's so many ways because in a red team scenario, you don't know what you're up against, and you're gonna need some options to circumvent a problem. But, yeah, still, what what does it even do?

You're connected to it, but, it primarily emulates a keyboard. Says I'm a keyboard, and it types really fast. So what does that do? Literally anything I could do sitting at the computer at the keyboard. Yeah.

So whether that's implanting malware or whatever it may be. Right? That's that's kind of the the basic functionality of it. But, I mean it's not it. USB cables can often connect a keyboard to a computer.

You're sitting at a desk, swap out that cable, and this can now intercept the keystrokes, which is really good. Just like 1 classic use case is if the machine is locked, I mean, you can type all you want, but you're at a lock screen. You need to get past the lock screen. What do you need to get past the lock screen? You need the password.

Right? How do you get the password? In a lot of ways. I mean, you could call up the person and effectively ask them for it by saying MIT or something like that. But if you're deployed between a keyboard, you can just pull it right off the lines.

They're gonna type that password every single time they log into the computer. You remotely see that, you rebuild a new payload that maybe when they go to lunch, in the evening, when you know they're not at the machine anymore, it's just gonna type in that password, automatically unlock the machine, and then do all the, nefarious things you want it to at that point.

So you just have full access to the to the computer?

Yeah. At that point. Yeah.

You can see everything. You can access anything so long as you capture the password from the keystrokes.

Yeah. So not so much seen. Not well, there's there's there's a lot of it depends. Right? But it's primarily

screen share like that team viewer thing?

Not not not at this stage. So at this stage, we're just blindly sending keystrokes in. Right? So as long as you know, you know, what OS it is or something like that, that's that's that's all you need on a desktop. Like, I know if I hit command space, it's gonna open up spotlight on a Mac, and then I can open up Chrome, and then go to the address bar, do some things.

Right? For example. Like, that's a very repeatable series of keystrokes, and you can do them really fast once you know it. Just for an example. Okay.

Alright. So that's that's the basics of the very core functionality. And then you you combine that with key logging, and suddenly you're you're getting a a bigger picture here. But there's also other Hold on.

I wanna go down. Yeah.

Yeah. Totally.

I'm a I'm a dummy with the shit.

So Let's

go deep. So yeah. So what would you so now I didn't even understand that, to be honest, when we did the EDC pocket dump. So, basically, you're so in that little window, you said there will be a window that might pop up for our

Oh, yeah. So you see a little window blink. Right? That's basically your terminal. In that case, there's there's a lot of things I could do.

But in that case, on that, I think it was,

So you could put some type of a Trojan horse or something in there Yep. And implant it in the computer, like, very Exactly. Right. Through a series of keystrokes. Exactly.

And then if you detect the Trojan on there and you remove it, and the cable is still in play, which it's designed to be, just put it right back on. No shit. Which is absolutely a thing that has happened with a bunch of my customers that they have told me that, you know, they did an engagement with a very high profile client. We we can go into these types of things, but that reinfection vector is exactly what they used.

Do you prompt it, or does it just automatically do it when you put it in the computer?

Either or. So all about flexibility. So you can program this a couple different ways. So what I showed was me remotely connecting to it, and I hit go. But this can be configured that when it powers up, when it gets plugged in, it powers up.

It can immediately run a payload, it can wait a series, you know, however long you want, and then run a payload. Is

the payload the actual keystroke or Yeah, exactly.

So when I say payload, it's the key the series of keystrokes that gets run.

And the malware, or the the Trojan

horse, or whatever. You can. There's ways of typing out, like, yeah, if you got like a small executable that you want to transfer over, there's a couple of ways to do that. Like, you just use the keystrokes to download it. Right?

You can download stuff from, like, the terminal, for instance, or I could use Chrome and download it there and go to the downloads folder and open it up there. Through keystrokes. Yep. I can navigate everything with keystrokes.

So you could I have no idea what the hell I'm doing with this shit, but I'm learning.

We we need to do some fun stuff.

So you could send somebody an email and with a with a downloadable whatever

file. 1 way.

Yep. And then plant that cable on them. They plug the cable in. It does the keystrokes automatically to open Chrome, log in to their email, download the the thing.

Yeah. It's 1 way. Yep. Go to

the downloads folder, download it, then you're in. Yep. And it all happens within, like, a couple of seconds.

Yep. That's 1 way. I mean, I probably wouldn't email it to them because if if I was gonna email it, I probably include an email that convinces them to just run it for me. Mhmm. But if I'm up against a hardened target where it's they're not susceptible to that, they're unlikely to do it, I'm like, okay.

Well, let's get a cable that'll do it for me, as as an example. Right? This can also do mouse movements too if we need. Lots of control there. And, yeah, it's you can also yeah, so the the malware, right?

You can download that. You can also type it back out. It's it's called base 64. It's just a whole bunch of it looks like random garbage characters. If you open like, if you open up, an executable with, notepad, roughly, staying high level here, you're You're gonna see a bunch of garbage text.

Right? Mhmm. But when you type that same text out in the notepad and save it, it's that executable. So I Oh, good. Type that back into the computer, and boom.

There's there's the executable, which is something we've done quite a bit, in environments where they're checking what is being downloaded from the Internet. Okay. You're looking at the Internet. Cool. I'm gonna just type this this little piece of malware back into the computer.

Lots of cool tricks you can do like that.

Wow.

Done. And and so there there there's other aspects of this too. So, you know, keystroke injection, mouse injection. I showed you the key logging. Oh, we were you were asking about the ways of triggering it.

So I showed you remotely. I can click go. And we can have it boot up and go. There's also, what I refer to as, geofencing. Basically, it's got wireless in there, so it can just look at the nearby networks and figure out where it is and where it isn't, and you can trigger or block things on that.

And there's a self destruct function where it'll erase everything on it. Now it sounds super nefarious, but it's actually prompted by legal. A lot of a lot of places have strict controls, so with the USB rubber ducky does the keystroke injection. It looks like a thumb drive by Hak5. That's, my my business partner.

They they invented that 15 years ago ish. What what they would do is you could put, like, salaries dot xls on it, so it's like, oh, that must be the company salaries, and litter it in the parking lot. Right? That that's 1 way that people would be convinced to pick it up in the parking lot, bring it inside, plug it in, see what's on it. Right?

And boom, they've just infected themselves with malware. Right? There's a downside to that, which is depending on how bad that payload is, if you're a red team, you're an employee of this company. Right?

Mhmm.

You've got malware sitting on a loose object that anyone could pick up and bring it home, bring it into another business, and now you have just infected another business. That's not ideal. Right? So certain environments, their legal team is like no way. You put geofencing on this, you have a payload where it boots up, and it just says, am I in the office?

Is the corporate Wi Fi present? Cool. If not, completely wipe everything.

Are you shitting me so you wow. Wow. So it knows where it's at? Yep.

And where it isn't. Holy shit. So this this scan right here, this was done by Lumafield. They've got a CT scanner, which is basically an x-ray scanner that takes a lot of x rays, little slices across a product, and then assembles it into a 3 d object. So LumaField actually just did some work with them to, you know, sit down and talk about their machines they use for all kinds of things, Manufacturing inspection, but also starting to get into, like, security stuff, like, where you can literally see inside.

This is a scan of the end of 1 of my cables. So right here is the connectors, USB connectors. And over here, we got the components. So this is the main processor, and this little thing over here is the antenna. You can kinda see that USB wires worn out the bottom there.

Wow.

And the cool thing is let's see if I can turn this. There it is. That is the whole internal and lots more components, kinda on the back. You you can use this to step through every layer and just see literally every little detail about something. So, if you got untrusted hardware for for instance, that scanner would, reveal all of the internals.

In this case, it's just really cool, and it shows off here's here's what's inside my cable that's doing all the magic.

You gotta get that framed.

Yeah. I think I'm gonna yeah. It's a beautiful scan.

That is very cool.

Yeah. They they have done a lot of work to, kinda democratize the access to CT scans. CT scanning machines are normally this industrial machine that's really hard to use and really expensive, like, we're talking, like, a1000000 plus dollars for machines roughly. They do a subscription where it's like the cost of a, like, maintenance contract. And they did some amazing stuff to make it super usable, like you can see me turning this.

It's super easy to use the outputs and set it up, and, they did something magic. And I don't know that they communicate this, but, the sensor in a x-ray machine normally decays and you have to replace it. They've somehow made, like, an eternal scanner, so that reduces the cost as well, which I don't I don't know. I'm I'm completely obsessed with your technology right now. So sorry for the momentary splurge on that, but Oh, that

is super cool. Super cool.

Good stuff. Who are your customers? I got everyone, basically. So here's the thing. Me personally, I've got 1 customer, Hak5.

And we, we can probably go into the story about how we met, but basically, when I was making these things by myself and I needed to take the jump into manufacturing, I Had a lot of bad experiences, but Hak5 was amazing. They're, like, let me just kinda show you the ropes. Right? Like, manufacturing, running the business, all this stuff. Darren has been great to me.

So I sell all of my stuff to him, and all of my products are available on Hak5 as a result. They take care of who gets it, and they have very tight expert controls. There's a lot of countries they would just will not ship to.

Can I just go on there and buy it?

Yeah. You can. You're you're not in a prohibited country.

Wow.

So, yeah. You can just go on there and buy it, and hobbyists can use it. Security researchers, awareness training, so that's where you go on stage and kind of just show off concerning things so that people will change their behavior, and primarily red teams. There's lots of red teams in the private space, you know, Fortune 5 100s, military, industrial, government, all have their own equivalencies to that. And, again, the the red team is where you are emulating what an actual attacker does from end to end, penetrating to the comp getting into the company, and all the entire chain of hopping around and getting to the crown jewels, pulling those back out.

That that is red teaming, and, this is used a lot there. So, I have a lot of customers who will also reach out just for advice on how to use the cables, or maybe they've run into a situation like that legal constraint, like, hey, this is cool, but, like, oh, yeah. Cool. Let me just fix that and solve that legal problem. Now I don't know, like, the full scope of what they're doing, but it's like, oh, here's a problem.

I could solve that for you. There's Yeah. Every They they are The people I've talked to, and now I I've I know a lot more than I can talk about here, but there are plenty of people who, have said, yeah, you're going to Sean Ryan. Go ahead and you can talk about it this way. Couple people

Who are those people? Yeah. So, is it my former employer? I mean, possibly.

So I I don't know that level of detail and don't really want to, but as long as they're part of, like, the okay entities

Are there any okay entities?

Yeah. I know all exactly right. The ones who are

a whole another podcast.

It the this is gonna be defined on who is or isn't going to put me in prison. Mhmm. So let's that's that's my definition of good in this scenario is keeping those people happy. But and but to be clear, there's another advantage here, which is some of these places are critical infrastructure that they work at or are tasked with securing or improving the security. So we all benefit from that.

Like, I don't want a place that isn't has some form of nuclear material in it

Mhmm.

Getting compromised because the people who wanna compromise those places are probably looking to hurt me in some way. Right? So let's let's help them. So the other feature kind of added to these cables recently is call it HIDX Stealth Link. It's kinda the branding of it to explain what it is.

But ultimately, still acting as a keyboard, but now it's got bida bidirectional data transfer. So like a network interface, but without ever showing as a network interface. You can send data back and forth between the computer, and it just looks like a keyboard to the target system. This was used for quite a few people in a lot of environments, but, in this case, you know, they the critical infrastructure was not looking for this type of exfiltration technique, and it worked really well. Got them in, and they achieved their objectives with this critical infrastructure and got it fixed.

You know, I I was told that my name got put into a report that I will never have access to, but that is that's extremely cool. It's like cool. I got my name into a report to fix some critical infrastructure with a technique that we developed with with my team. And, honestly, I'd love to pause and even talk about that team because, while I make the hardware and the manufacturing to run the business, all the tricks this does heavily about the actual firmware that runs on this, and that requires multiple people to pull off.

Let's talk about your team.

Yeah. So a couple pieces of this, but, 1 guy's retired, and just loves working on Harper. Prior to this, I mean, he did did a lot of things, but prior to this, he was working on the firmware for police body cameras. So, very interesting background there. Another guy is blind and he does kind of the the UI you see, it's kind of poetic, he's the blind guy is in charge of the UI, he's got a lot of experience.

What is UI?

Yeah. So the the visual interface, when you open it up in the control panel and you get all the buttons and stuff

in there, Are you hold on. Pick that cable up. Yeah. Yes. When you open that thing up and look at the control panel and the buttons Wirelessly.

So when you connect to it wirelessly with your web, and then you open your web browser and then connect to the the IP address, you get a like a web web page. Right? Okay. With all the buttons on it that give you the controls, you can view the key logs. Open the hundreds of payloads you can save on here and run them, all that's purely visual.

Okay. You can click on stuff. It doesn't have to be, you can automate it, but, yeah, it's primarily visual, and it allows all the cool controls to happen. So, got another guy who, you know, in education, and a lot of them are familiar with, you know, the the government contracting spaces as well. It's fairly small team, but they have been along for the ride the whole time and just constantly interested in picking up just challenges.

And, like, the way the key logger works on here is, like, that's not supposed to be possible.

How did you get this word out? How are you marketing this?

That that's a really good question actually because I have not done any marketing yet. This thing kinda has its own legs, which, I

mean, I could imagine, but I mean, what was the first thing? Like, how did

I put a I think I just put a video out. Video of, like, hey, like, I made this with my mail. Check it out. Here's what it can do. Excuse me.

Yeah. No worries. And here's what it can do, and then, it just took off. Like, it that was mostly in the infosec space. So, you know, it kind of went around the the hacker community and the professional security professionals.

Security professionals. And at some point, it just kinda goes outside of that bubble because it gets enough traction. Like, Vice took it. Forbes took it. You know, there's there's so many different high profile

This has been in Forbes?

Oh, yeah. This has been in Forbes a couple of times. Look, mom. I made it to Forbes. Yeah.

It's, it's been pretty wild. I I am at the point though where I am starting to think about focusing purely on this because it has just become this awesome monster that, takes a lot of my time

Mhmm.

As well as running, you know, red team as well. So that's, probably something I'm gonna be pivoting into very shortly and focusing on that, helping the team, and seeing seeing what more we can do. Probably gonna relax for a bit, though. Good for you. I'm tired.

How is business? Is it going well?

It's it's very good. So, it's it's I'm probably long overdue to jump.

When do you what do you think you'll grow into with this?

I have no idea. That so I've I've never had a plan ever on any of this. It's just what's the thing and the opportunity at the moment, and how can I play with that in an interesting way? Which, you know, there's a lot of things why you would want to plan in business, but I just yeah. I don't know.

Maybe eventually I'll have a plan.

Do you have any fear about this being on the market still available?

I mean, it's been 5, 6 years now, and I'm very proud of, like, the result of it with all the places where it's been fixed and the very low abuse scenarios. Like, we're we're very intentional when we think about, okay, let's add a feature to this, but let's figure out who wants this feature, who's gonna make use of it. Like, for instance, like, the number 1 that I want to avoid is like Stalkerware or Spouseware stuff. People look at this, and they're like, oh, yeah. I need that for that.

I'm like, no. I'm I'm gonna make that hard. Like, that's not as valuable to a red team professional. I'd like, we're trying to get into corporate infrastructure. We're trying to do, do, like, oceans 11 shit on, like, Fortune 10 or something like that.

Like This would be so easy to plant in any government facility.

Yeah. That's that's

And Yeah. I shouldn't say I shouldn't say any government facility, but, you know, it might be it's been a while since I've been to a SCIF, but, you know, it's they seem to have a pretty

Oh, yeah.

You know, pretty good gage on what's going on. But I'm I'm talking like DC congress, senate

Absolutely.

Politicians. Those types would be it would be a fucking joke Just to you could hand them out. Yeah. And then use them.

Here's the thing though, is that's the other aspect, is there's a lot of very detectable defaults. You have to really know how to use the tool to work around these things, but by design it's supposed to be detectable if you're doing good security. Like, this is gonna light up and it's literally it announces itself as an oMG cable out of the, you know, effectively out of the box. Right?

Mhmm. So

hopefully you're at least checking that.

In all of your experiences a is, doing red cell operations?

Yes and no.

How many people do you think are testing that? So here's

the thing, Is the people who are that low on the bar of security, I don't I don't need these to get in. I just pick up a phone. I send an email.

Okay. Fair enough.

That's that's that's that sweet spot where it's like all, you know, you map out all the the desires, the capabilities, and the threats, and the neg negative consequences, and just thread the needle to get just that sweet spot. And, we spend a lot of time thinking about that, but I right now, I just point to the last 5 years of, like, look, the the results. And, that way you know? I I can talk all day about how how much intent we put into it, but the results are far better than the intent in terms of convincing somebody. Another thing, so, I think I showed you these.

These should actually ship deactivated for multiple reasons, which you can imagine. There's a little we call it the programmer, it's kind of a firmware tool. So you you plug this into your computer to activate it. Right? This doubles for multiple other things.

So if you do like a self destruct self destruct on it, you recover the cable with this if you wanted to. You have to get it back out of the field, but self destruct will just put it into a neutral cable that's just not harmful at all. Really good if you can't pull the thing back out of the field. You you want to neutralize all your stuff. However, if you're blue team, and you found this, you can also use 1 of these to dump every bit of firmware that's running on here, which will include payloads and all this stuff.

So as long as, you know, it hasn't been self destructed, you can just dump that and do a full forensics on it, so they get to practice as well. Wow. So, yeah. We we've done a lot of things that kind of show off the forensic capabilities and ways of approaching. So it's it's meant to be holistic for security, not just purely, offensive use.

Mhmm. But it's it's really about raising raising the bar, basically. Interesting.

I mean, when I look at that, you know, I've always heard, you know, I've always heard RIT guys always telling us, you know, don't be buying shit off Amazon. If you're gonna get if you're gonna get an iPhone cable, get it from the Apple Store, not from Amazon. If you're getting Wi Fi extenders, go from the manufacturer and not some shit on Amazon. Is China putting the shit into our ecosystem?

I doubt it. So these are highly targeted. So it's it's kinda

Things like this.

Yeah. Exactly. But I I think it's good to think about it. Like, let's let's step back to, like, different type of crime, like pickpocketing versus, like, Ocean's 11 bank job. Right?

Like, this is more on, like, you know, the bank job, whereas pickpocketing, that's what you're more likely to experience as just a random individual. Like, that's gonna be more equal to, like, phishing emails, like really low grade commodity malware type stuff that's delivered over email. Like, the risk of physically delivering this stuff, is too high. Or in the case of, like, oh, we're gonna contaminate contaminate the the the shelves effectively, online or not, that's so high cost and so easy to find. That's like some you just need 1 person to detect that this happened, and, we'd all hear the news story.

This is which kind of reminds me of that Bloomberg, grain of rice story. Right? Which was complete bullshit. My friend, Joe Joe Fitzpatrick is a great guy to talk about this, but basically there was this Bloomberg news story that a little grain of rice component was found implanted in a bunch of servers. Right?

And it just doesn't make sense, which is why that story didn't make sense because there are so many other ways of approaching that that are way less detectable. Just anybody like, how do you control where that goes? You it's very hard to control where implanted hardware goes, and if you don't have control, anyone's gonna find it. I think, like, the the closest you can get to that might be that Israeli pager story, where they had to create a fake manufacturing plant to develop these things, and that is how they controlled where it went.

So Hold on. I don't I'm not familiar with this.

Yes. Into this? Yeah. Yeah. Totally.

This is the Israeli pager story where they blew up all the Hezbollah guys.

Yes. Exactly. So Bass A. Thousands of pagers. I think it was a batch of 5,000 and 4,000 went out.

So, yeah. A lot of, lot of booms. But basically what they did is set up a fake manufacturing company. Right? And they I think they had their own manufacturing plant and everything.

They licensed a legitimate, model of Pager from a legitimate company, well known. This is a typical relationship for a lot of hardware. You just license it and you sell it, and then you're like, yeah. Put my name on it. Depends on what it is.

Like, obviously, Apple's gonna do their own thing, but we're talking pagers. Right? This is like 30 year old technology here. So they did that. They had a bunch of they they even went as far as getting a bunch of random customers and gave them good pagers.

But then they got their Hezbollah client, and I'm always curious about how they did that. I have some postulations, but, they got their Haswell client, and they they made exploding pages for them. They they put, high explosives in part of the battery and a detonator in there. And basically, it was configured to explode, detonate this thing, after a specific message was sent to the pager. And the way paging networks work are all, like, broadcast, so you can you can send 1 message that goes to all pagers in the network, which is probably what they did.

Anyway, this was in play for I don't know. I think it was like 1 or 2 years. Like, these are out there, and, slowly going through, you know, the IT operations of, hey, guys. We got new hardware, and slowly sending them up to the field. I think they were encrypted pagers.

It was funny, in in some ways that this pager focus was entirely because they knew their cell phones were compromised. Like, oh, start using pagers, or maybe it was the walkie talkies. I forget. But they were moving away from 1 comms to another to avoid surveillance, and as a result, they got explosions. But that's the kind of, like, level of control.

Mhmm. Like, if if those got out to someone else, which I mean, there's still opportunity for that. Like, they're not watching 1 pager go from hand to hand to hand. Like, it's like, oh, we deployed it to Hezbollah, and it's reasonable to assume that this level of dissemination with this margin error and other people touching them and, you know, they they probably did the math on that. Right?

I didn't. But, that that's kind of a good example of, like, how far you can go in, like, the risks of discovery. Stuff like Stuxnet. Stuxnet's another good example of, I think it was the Iranian enrichment facilities where oh, I can't remember the full story here, but there was, like, a thumb drive with a worm on it, and it got in basically, it got carried into this enrichment facility, and it would damage the part of the enrichment machinery. Right?

But didn't do it all at once. It would randomly pick 1 or the other because you don't wanna be discovered. Right? If you did it all at once, you're like, oh, something's up. It's just like, oh, 1 went up, whatever.

It must be bad. Right? Like, see, there's like the psychology of making sure it doesn't seem like it's something to investigate. It's like, oh, bad machines. It must be bad process.

They kept doing that. And eventually, I can't remember how it got to stuff discovered. But there was a issue where it started spreading around elsewhere, like the worm or something like that, and somebody noticed it, I think. I I can't fully remember, but there was a discovery event, because it kinda got too wide. And once it's discovered, okay, now you can defend against it.

Now you can find them in the wild. And, dude, it the moment somebody found anything in in our stuff, they're gonna tell the world. Like, hey, look at this cool thing I found. I'm a security researcher. So, that said, on the flip side, there's plenty of places we don't look.

Most of the stuff you find in there is just vulnerabilities. Like, oh, I didn't think there would be a hole on whatever, some aspect of a product. Like, oh, if you just log in 10 times and do this, you get in, you bypass everything. It's like, wait, what? You do what?

That's the type of stuff that's typically well, nobody thought to try that. So, yeah, it really depends. Physical implants are much easier to discover because, I mean, they're physically there. You can't revoke them. You can't be like, oh, self delete.

It's there. I mean, not not counting the Patriot situation. It's a different type of delete. But, you know, delete in a way that doesn't leave the the evidence around.

Yeah. Yeah. I'm I'm like, what's in your head, man? What's next for you?

I don't know yet. I'm just gonna What are

you thinking about?

Like, I I have been focusing more more on personal stuff, just, like, hanging out with my kids, spending more time with them while I got got the the time, and they're growing, you know, once 14. So, you know

You can shut it off.

No. Yeah. So learning how to do that is part of part of it. So,

I haven't learned how to do that.

Yeah. It's it's When you

do, let me know.

Dude, it's hard.

Because you love this. I can tell this is your passion. Yeah. You'll you you're moving into this full time. This is gonna be your full time business.

Yep. Give me a snapshot. I mean What what what are some of your ideas?

Here's an example. So I'm re reusing the same implant in a couple of ways. So, I mean, this is an easy 1. So USB adapters, basically a cable. Right?

Cool. I

had a

thing where customers were enjoying the firmware so much for like payload development. They would get the cable and cut the end off. I'm like, dude, no, that's my baby. What are you what are you doing? So, you know, there we go.

Key chains that, you know, don't have the cable on it. Cool. Got that. Now here's another 1. Are you familiar with USB data blockers?

No. So it's a commonly recommended, like, secure charging mechanism. You're like, oh, I can't trust the AirPort charger or something like that. You're like, well, get a data blocker.

Can you trust an AirPort charger?

Mostly, I mean, I I I'm personally more concerned about the quality of the electricity coming out there frying my phone than I am about, like, a data situation. Because going back to the discoverability, you put something in a wide space like that, once it gets detected, you hear about it. We've not heard about it.

Gotcha.

And especially in a secure space, like, all the airport locations, like there's everybody's on camera. Right? Like, good luck. It would be really hard. There's advisories that come out, and I think the FBI was doing, they get a lot of flack for that because there's no, like, proof it existed, but I don't know.

Like, I I don't have the intelligence they have either, so, I mean, there's things you could do. I'm I also don't consider my my creativity to be all inclusive on all ways you can do something negative. Like, there's plenty of people with different motives and minds than me. So, yeah, we'll see. It'd be it'd be a cool story.

But, yeah, data blockers. That's the the idea you you now have safe charging. I'm like, cool. I'll put 1 of my things in a data blocker. Now, you know, cat and mouse.

Yeah.

I just thought it was funny. But just as an example, just kinda chase that a little bit. Go from there. I don't know. We'll see.

Do you

have any wazoo crazy inventions that you that that you're dreaming up?

I've done a lot with on the manufacturing side. So, I've had to invent so many tools and mechanisms, both for creating these cables, which turns into their own products, because, you know, I'm teaching other people how to use them, and it breaks, and I gotta do support for those products, and then, you know, they're their own PCBs and everything, you know, it's it's a hardware product with its own firmware just to test these cables at multiple stages. So I'm still, packing these at home with the kids, and the envelopes. Right? I gotta label those.

That gets really annoying over time. I'm like, you know what? I'm gonna create a machine to label these. So, I just keep chasing that down and see how much I can do. You know, there's a there's a guy called Cliff Stoll.

He does a lot of really cool things, science, math, he's got a book on security, but he also makes something called Klein bottles. Total deviation here, but you'll see why. So Klein bottles are, you know, a Mobius strip.

You

take a strip of paper, and you pull the ends up, rotate, tape them together. Now you've got a 1 d dimension. So if you follow around with a pen, it's 1 dimensional. Klein bottle is a 3 d version of that. Anyway, he I think he lives in Palo Alto, small place.

He runs, like, distribution entirely out of his house for that. So under his house, he has built an entire robotic, warehouse system with, like, drives the thing around, pulls the stuff out. I think that's cool as hell, And it goes back to, like, the old the old school hacker mindset of just doing that. I like, that kind of stuff just catches me, and I'll I'll, like, okay. Cool.

I I wanna do as much manufacturing in home as I can. Because a, my my stuff is really small. But, you know, also let's let's see how far I can take it. How much more I can optimize. Like, I this this orange clip that goes on these things, that I ship with, so so you know which ones are bad.

I've re redesigned it like 6 times so far. Just Wow. Like, I don't know. I just wanna see how much further can I take it?

Wow. Yeah. So are you manufacturing these yourself? Or

It's a mix. So the process for it I'm gonna go back to this this PCB as a reference here. But real quick, the process that I I'm kind of taking right now is I ask 1, 1 manufacturer make the raw, the PCB, the green piece here. Then that gets shipped to another place that assembles the components to the PCB. They're they're basically running it through high heat that melts solder, and they all get like glued to the board.

Right? Now they're they get a functional piece of, and now once it's glued to the board, here's 1 of my implants, and we can get some close ups later. But here is that's that's 1 of the implants. That's the size of it.

This is what goes in the little USB thing.

Yep. Inside of the the boot of the cable, basically. This little bitty ass thing Yep. Connects to the basically.

This little bitty ass thing Yep. Connects to the Internet.

Yep. It's Wow.

Why the fuck is my modem so big? Yeah.

I know.

I mean Serious, man? Wow.

Yeah. There's there's a lot of compromises to make that happen. Like

Look at that damn thing.

Yeah. If if you were not size constrained on that, that would be 10 times bigger because it would be so much easier to make with 10 components instead of, you know, 2 or whatever. I forget how many I have in there. I think I got like 12, but, you know, times 10, the components is normally what you would see. So that creates, the need to do a lot of creative engineering to compromise and get get small.

But at some point and I'll show you here. I'll just refresh these. Here's that little 1 with the USB c end on it. And here, it's got a USB c a. So that's kinda, you know okay.

Components are on there. You know, 1 1 shop did the green PCB. 1 shop put all the components on there. Cool. Well, that's what I got right now.

Right? It's not cable yet. So another shop gonna help integrate that into cables. And so this other shop's gonna integrate it into cables to some extent. There's still unfinished work to do, unfinished testing.

Then, and and if it's the woven cable, there's another factory has to, like, do special cutting and crimping and searing of the ends so it doesn't unravel. Anyway, so, you know, 3, 4 factories later, ships over to me. I'll do the finishing work on them. Sometimes it's closing the actual cables up, but at a minimum, it's testing everything, calibrating them, putting, like, that initial firmware on there, tons of QA and QC work, packaging, shipping it off to the the the Hak5, warehouse. So Wow.

Lots of work. So where do people find this product?

Yeah. So, 2 places, basically. You can go to the o.mg.lolwebsite. That's that's my primary website. Or you can go to my business partner.

It redirects to my business partner effectively, which is hack5hack5.org/omg, and all of my products are up on their site. Wow. That's incredible, man. That is incredible. Fun stuff, man.

I can't believe, if the agency's been in touch with you to come work with

Probably. Science

and technology department? Or

I'm not sure I would know.

You would know.

Yeah. And there's been a lot of interesting challenges too.

Like, I mean, I'm, like, I'm saying, you know, that's that's actually not a joke.

That's Oh, yeah. Totally.

You know? Yeah. Very, very sharp guy. Very inventive. Very impressive.

I'm I'm happy to help, all kinds of people secure their environments. So, Yeah. I mean, they know where to find me.

I'm sure they do.

Let's see. There's, oh, you know what? Another thing might be interesting here is this kinda kicked off right when the pandemic kicked off.

Mhmm. It's

like, you know, working with, the factories, had to do all that remote, and that immediately ran into, the chip shortage. I saw that come in from, like, 6 months before everybody else did. So immediately had to figure out all the supply chain logistics, where to find chips when they are out of the market everywhere, hoarding them mass like, I this this is something I have put the, oh, first 2 or 3 years of profits entirely back into production. Whether it's

For you.

Improving the PCB, improving the capabilities, or storing extra components because we're in the middle of a chip shortage so I can still make my stuff. That was that was a wild time, and it felt like there's just 1 thing after the other that was, like, no, you can't sell these, no, the market's down, no, you can't have access to the chips, and just find trying to find ways of working around that. Down to, like, component all these little tiny components come on a in a really long piece of tape coiled up on a on a reel. Right? I I count those.

I, assemble those by myself as well, so, you know, I got machines to count them and assemble them so I can just send it off to the assembler. There there's so many different facets of running a hardware business that is like this that, is really unexpected, and I'm just kinda learning on the fly. So yeah.

Very impressive, Mike.

Thanks, man. Well, I

think we're wrapping up the interview, but I just wanna say, man, you are a super sharp, fascinating individual, and, what an amazing conversation.

Thanks, man. Very informative.

Thank you.

Thank you.

And, you know, I'll be tracking you. Where where can people find you?

Oh, yeah. I mean, I'm all over the place. I, definitely on Twitter, underscore mg_. Lots of other social networks starting to form and fall apart and whatever they may be. I'll try to keep all of that on the contact page of the o.mg.lol site though.

Perfect. Well, Mike, I wish you the best of luck, and, I can't wait to see what you come up with next.

Thanks.

Alright, brother. Cheers.

Thank you.

Hi. I'm Joe Saul Sehy. I host of the Stacking Benjamins podcast. Every week, we talk to experts about saving, investing, personal finance trends. Oh, crypto.

Can't do it.

You could have done all that research, all the bread crumbs, and thought this company's never going bankrupt.

Foiled again. You never knew personal finance could be this fun. Throwing down the gauntlet.

I'm bringing it today. I'm only gonna be off by 6 figures instead

of 7. Every boy has a dream, doc. Every boy has a dream. For sure. Stacking Benjamins.

Follow and listen on your favorite platform.