Jeremiah


Released Tuesday, 4th October 2022

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.


0:00

Here's

0:00

the story of a guy named Michael Fagan,

0:03

and it fascinates me.

0:05

This is a story that took place in June nineteen

0:08

eighty two in London. Michael

0:10

was thirty years old and he was an

0:12

interior painter. He had a wife and

0:14

six children, but times were tough for

0:16

him, and he was having trouble supporting

0:18

all those kids and he wasn't mentally stable.

0:21

His wife couldn't take living with him anymore

0:24

and she left. And that was the night

0:26

of June seventh nineteen eighty two.

0:28

Here's Michael in his own words

0:30

saying what happened next. mean,

0:32

those were pretty bad. They were going up and down.

0:34

Was that was it going through this breakdown? And

0:37

I've all transferred streets of London.

0:41

and

0:41

suddenly come across Buckingham Palace.

0:44

So this audio is from a BBC interview

0:47

they did with Michael in nineteen ninety three.

0:49

Now Buckingham Palace is where

0:51

the Queen of England lives. It's a

0:53

huge building. Three stories tall, seven

0:56

hundred and seventy five rooms, and

0:58

at night, it's clearly closed to the public.

1:01

But the Palace is in the heart of London

1:03

running along some public roads.

1:06

Michael was walking down one of those roads.

1:08

and I could see the window open. It was it

1:10

was there subconsciously to do it probably.

1:13

And I just hopped over the wall at

1:16

the drain pipe and end. Wait.

1:19

What? He just hopped the wall,

1:22

climbed up the drain pipe, and got in

1:24

through an open window on the second floor

1:27

of Buckingham Palace? That

1:29

should not be possible. Walk

1:31

around the palace for about an

1:33

hour.

1:35

Look at pictures on the wall

1:37

paintings. But

1:40

it wasn't

1:40

how I would have imagined it. I don't think

1:42

people imagine it the way it is dusty

1:45

and

1:46

squeaky floorboards, very

1:48

ordinary. You know, I don't think they spend

1:51

too much on sort of decoration.

1:54

Mhmm.

1:54

Maybe they had a time plan and maybe

1:56

it was due a redec, passed

1:59

a few doors, and I came across

2:01

a problem. and they

2:03

evidently do the night hauls in there

2:05

and whatever. Well,

2:08

in there, I was crying. She just had a little sit on the

2:10

phone. I'm

2:11

walking about Willie and Elliott, actually. I'm

2:13

not hiding. Didn't you see any security

2:16

stuff? No. No. No. Not up to none. Not

2:18

to this point. when

2:20

it's a prince challenges, private

2:22

secretary's office have banned out later.

2:25

And

2:25

there's always presence around the walls.

2:28

presence

2:28

that people send him from

2:31

the

2:31

far reaches of the globe, you

2:33

know, sort of

2:35

steady bass and cups

2:39

and that there was this bottle of wine

2:42

in California. And

2:44

I was so thirsty and I couldn't find a title. I didn't

2:47

actually intend to steal anything

2:50

to the bottled ban from the show. and

2:53

I couldn't find a call school. I was

2:55

sitting on the desk with me feet up. Push

2:58

the call into the Oh,

3:00

drinking at the bottle. And

3:02

then all of a sudden, I've thought, my

3:05

God, where am I?

3:07

I'm in Buckingham Palace.

3:09

I don't know. What

3:12

am I doing here? I mean, it was just like there's

3:16

as if he brainer the writing, the title, it's to

3:18

do with you know, and I get

3:20

out. So I was

3:23

a walk down to the passage where I saw

3:25

a security guard with

3:27

a dog. I

3:30

looked man at corner, and I stood back and went

3:32

into a room. And

3:34

I found my way out and I made my way

3:36

downstairs. at

3:39

a window across the

3:41

the grounds at the back and over

3:43

the wall and then walking up the Mall

3:45

five minutes later. And

3:47

I felt as I've got sort of towards

3:50

Nelson's column, I fought

3:52

my card, played back if Alice.

3:54

What

3:57

a crazy story. Michael

3:59

Fagan just popped

3:59

in to Buckingham Palace, drank some royal

4:02

wine, and left. Incredible.

4:04

What if he was

4:06

a spy or there to cause harm

4:08

to the place? This place should

4:10

have been much more secure than this.

4:12

This shouldn't have been possible, but

4:14

things got worse for Michael. His

4:17

wife took the kids and

4:19

he stole a car to try to find her,

4:21

but he ran out of gas and got arrested

4:23

for stealing the car, and he was out on

4:25

bail and more distraught than ever.

4:28

July eighth came along, and he

4:30

couldn't sleep at all that night.

4:32

And at five AM, he goes for a walk

4:34

down the road that goes towards Buckingham

4:37

Palace. He was just trying to clear his

4:39

head and take a walk about. I'll

4:41

tell him what I was doing at that point.

4:44

started

4:44

walking towards Buckingham

4:46

Palace.

4:48

That five o'clock is always swimming,

4:50

clean and is going to work. did

4:54

sense that now. I'm gonna sit. I'm gonna get

4:56

in there. I'm gonna

4:58

see the queen. fundraising,

4:59

nothing's gonna stop making through

5:01

Saint James Park an

5:05

overall incident of Palace.

5:08

say good morning to the servants as I'm walking

5:10

past her mother and I have a hell of a factor.

5:12

I really don't know how people have said to you know,

5:14

added to find it at all those rooms. I

5:17

really don't know. I'm in

5:19

the queen's bedroom. So to make sure it's

5:21

a queen, I walk through the wind up this She's

5:23

looking very small in her bed.

5:25

She was a sleeping. Yeah.

5:28

All past her bed looks too small

5:30

to be the queen's go to go over

5:32

and I draw the car back just

5:34

to make sure, and suddenly she sat

5:37

up, what are

5:37

you doing here? Some

5:39

said,

5:41

Well, I was dumb start to be honest. And

5:44

I was just I was thinking

5:46

what to say is, get out

5:48

get out.

5:49

she jumps out of bed. What are you doing here?

5:51

And

5:52

walks out of the room.

5:54

So

5:55

I stood there. Maybe

5:56

I'll sat in the corner with a bed, or just about

5:59

long conversations. I

5:59

mean, a lot has been said about what went on in that

6:02

room. This

6:03

is the truth. you know, nothing was

6:05

she just said, get out and that was it. The foreman

6:08

came in. And I looked at each other and said,

6:10

oh my gosh. What did we go here?

6:13

So it's just this thing that was a rebellion

6:15

going on in my head. Do

6:18

you think you were actually trying to

6:20

get caught? when you went in that second

6:22

time. Yeah.

6:23

Yeah.

6:24

It's to make that statement of,

6:27

you know, I

6:30

am.

6:32

I am. The guy

6:34

snuck into Buckingham Palace

6:37

twice.

6:38

And with the second time getting all the

6:40

way into the queen's bedroom while she

6:42

was asleep,

6:42

creepy, and incredible.

6:46

The

6:46

chaos he could have caused was

6:48

huge, and he

6:49

was arrested, and he went to court at

6:51

the Old Bailey. I was actually

6:53

charged with stealing half

6:56

a bottle of wine. It

6:59

was just unbelievable actually

7:01

to be tried at number one court,

7:01

Old Bailey, the hanging court.

7:07

intimidated me. I mean, people have been

7:09

sent to Australia from there. They've been sent

7:11

to the gallows from there. And there's

7:13

me for half a bottle of wine. The

7:15

jury found him innocent of

7:17

wrongdoing, and he was not

7:19

sentenced to any jail time. However,

7:22

the judge found his mental health

7:24

to be something to worry about.

7:26

So they sent him to do time in

7:28

his psychiatric ward. And

7:30

while there he wasn't able to go home and see

7:32

his wife or kids, which caused

7:34

him more stress, but he eventually

7:36

got to go home. But he wasn't well,

7:38

though. He was arrested a few more

7:40

times for fighting at the pub and

7:42

dancing in the streets naked. And

7:44

certainly, Michael Fagan isn't the kind

7:46

of man to fade quietly from the public

7:49

eye.

7:51

He even made a cover

7:51

version of the Sex Pistols

7:53

song, God Save the Queen.

7:56

God Save the Queen.

8:06

one wonders

8:10

of a man and

8:13

He

8:13

finally divorced his wife but got custody

8:15

of his kids and spent a lot

8:17

of time just being a dad. Sarah's

8:19

in her first year of school and someone said,

8:22

that that broke into Buckingham

8:22

Palace. And

8:25

she just turned man and said, yeah.

8:28

And your dad has an essay.

8:33

These are true stories

8:36

from the dark side of the Internet.

8:37

I'm

8:40

Jack Rhysider.

8:40

This

8:42

is Darknet Diaries.

9:02

Support for this show comes from

9:04

Axonius. Security starts with

9:06

comprehensive asset visibility.

9:09

After all, you can't secure what you don't know

9:09

exists. And

9:11

comprehensive asset visibility, that

9:14

starts

9:14

with Axonius. The Axonius

9:16

solution correlates asset data from your

9:18

existing IT and security solutions

9:21

to provide an always up to date

9:23

inventory of all devices, users,

9:25

cloud instances, and

9:27

SaaS apps, so you can easily

9:29

identify coverage gaps and automate

9:31

response actions. Axonius gives

9:33

IT and security teams the confidence to

9:35

control complexity by mitigating

9:37

threats, navigating risks, decreasing incidents,

9:39

and informing business level strategy,

9:42

all while eliminating manual repetitive

9:44

tasks. Visit axonius dot com

9:44

slash darknet to learn more and try it

9:46

free. That's Axonius, spelled

9:48

AXONIUS

9:50

Axonius dot com slash

9:54

darknet.

9:57

So let's

9:59

start out with you telling us your name and what do

10:02

you do? Yeah. My name is Jeremiah

10:02

Roe, and I'm a solutions architect

10:04

for Synack. So what drew

10:06

me to Jeremiah is his background in

10:10

penetration testing. Companies have

10:12

hired him to see if they have any security

10:14

holes and if he can find them and break

10:16

into their buildings or network.

10:18

Because if someone could just walk into your

10:20

building, that can be bad.

10:22

So companies want to test how

10:24

hard it is to break into their buildings.

10:26

How good is their security?

10:29

And these stories of how people break into

10:31

buildings always fascinates me. And

10:33

today, Jeremiah brought us a

10:35

penetration test story. Now when

10:37

Jeremiah was a kid, he liked building little

10:39

websites and this was the seed that made him decide

10:41

to go into a tech career. He went

10:43

into the military and then got a job

10:45

at Geek Squad troubleshooting

10:47

customers' computer problems. But then he

10:49

landed a better job where he learned more about

10:51

technology, and this got him into cyber

10:53

security. And eventually, he took the OSCP

10:56

certification. This is an advanced

10:58

cert that quizzes you on

11:00

how to use hacking tools and exploitation

11:02

techniques, and it's a pretty serious exam that you

11:04

have twenty four hours to complete.

11:06

Well, he passed that, which gave him new

11:08

opportunities. I was

11:10

able to transfer that

11:12

over to a government

11:15

contracting role, which

11:17

I got hired for out in

11:19

the DC area. And

11:21

from there, we really primarily

11:23

focused on conducting network

11:26

level penetration testing, web

11:29

application penetration testing.

11:31

We were both the

11:33

internal pen test team and the

11:33

internal red team operations, all

11:37

in one for this organization.

11:40

This taught

11:40

him how to think like an attacker,

11:42

not just any attacker, but

11:44

one that would attack government networks

11:47

and systems. Attackers

11:49

like this have a lot of resources

11:51

and sometimes stop at nothing to get into

11:54

certain networks. So Jeremiah

11:56

learned how nation state

11:58

actors would think and was able to

12:00

try some pretty wild things to gain access

12:02

into facilities. I think they even had

12:04

ex military working on his team

12:06

too, like, ones who were trained

12:08

by the military to hack into things.

12:10

And, yes, the military trains troops to

12:12

be hackers. I mean, there's the army cyber

12:14

command, just to name one group. So

12:16

learning from people like this really

12:18

gave him some interesting insight. Now

12:20

what Jeremiah did there was internal

12:22

Red Team Assessment. That is

12:24

he was attacking the contractor

12:26

he worked for itself to try to

12:28

find vulnerabilities in the buildings

12:30

and the network. See, this

12:32

Washington DC based contractor that he was

12:34

working for did a lot of work for the

12:36

federal government, and it was

12:38

growing and expanding and there were offices and

12:40

remote locations and scattered all

12:42

around. And here's the thing, when other

12:44

nations want to hack into

12:47

our government, they don't

12:49

always go directly towards the government's

12:51

networks. They might attack

12:53

a contractor and try to

12:55

get into the contractor's network which might

12:57

give them access into the government's

12:59

network. Because if a contractor is

13:01

doing work for the government, then it must

13:03

have some sort of access to the government.

13:05

Right? So this is sort

13:07

of coming in through the side door kind

13:09

of attack. Jeremiah knew this, and

13:11

this is why he was tasked with attacking

13:13

the company he worked for to try to

13:15

find ways a nation state attacker

13:17

might get in and what damage they could

13:19

do. At some point, Jeremiah

13:21

found a remote satellite office

13:23

which did a lot of business for the federal

13:25

government and he wanted to conduct a

13:27

penetration test on this

13:29

office to see if it was vulnerable.

13:30

Basically,

13:31

we came up with the idea. We

13:34

wanted to go and test out

13:36

this location. We felt that there

13:38

were risks to

13:40

the organization and to the

13:42

clients that we work with. through

13:45

this organization that

13:48

maybe weren't being addressed or thought

13:50

of. And so we wanted to

13:52

conduct a nation

13:54

state style

13:55

of an attack from

13:58

a physical perspective just

13:59

because physical assessments

14:02

or physical red team operations or

14:04

physical pen tests just really

14:04

aren't done all that much. And

14:08

we wanted to take it upon

14:10

ourselves to go ahead and and

14:12

conduct one towards this satellite

14:14

location. And

14:15

when you pitched this idea to them,

14:18

they said, okay. Go for it.

14:20

No. Full speed ahead. Not

14:22

at all. Nobody wanted to do

14:24

it. Nobody liked it. Nobody liked the idea.

14:26

It was very risky.

14:28

And, of course, this is

14:30

a risk adverse organization. I

14:32

think I think fair to say that government as

14:34

a whole is fairly risk adverse.

14:36

And see to

14:36

me, this is backwards thinking. How can you

14:39

say you're risk adverse without looking to see

14:41

what risk you even have. If you're going

14:43

to claim to be risk adverse, then you

14:45

better be out there every day looking

14:47

for any and all risks that your

14:49

business faces and reevaluating

14:51

them constantly. And you

14:53

won't turn down a security assessment because

14:55

you're afraid of what it might uncover.

14:57

In a way, I think people are

14:59

scared of the of things

15:01

being found. Right? I think people know

15:04

that things are kind of there, but nobody

15:06

really wants to want

15:07

the big red punch

15:10

in the face to show you the

15:12

things that are there. Okay.

15:13

Yeah. So it's embarrassing when

15:15

you realize that you've got a few security holes in

15:17

your business. And I suppose

15:20

that embarrassment can be pretty

15:22

bad. Like, what if the pen

15:24

test found some major security hole and

15:26

saw evidence that someone had

15:28

used that hole to get in and steal

15:30

things? Now the business has lots

15:32

of consequences they may face.

15:34

They would have to notify their customers or

15:36

may lose some government contracts. They

15:39

may be fined or sued. They

15:41

may get a lot of bad PR if it turned

15:43

out that the security was really

15:45

bad. But

15:43

I guess it's still better to know that you've

15:45

been hacked

15:47

than to not know at all. Or

15:50

what

15:50

if a penetration test ended up

15:52

damaging the network? Like, what

15:54

if by trying to exploit a server, they

15:56

accidentally took that server down? Now

15:58

there's a network outage. So I guess

16:00

there are some risks

16:01

to doing a penetration test, but I

16:03

still think it's important to do

16:04

these tests, especially on big

16:07

businesses and government contractors. I've

16:09

seen news article after news article

16:11

about how foreign governments have hacked into

16:13

our government through a

16:15

contractor, and that's how they got

16:17

access. So contractors should take their

16:19

security very seriously. And

16:22

Jeremiah had to convince them that testing this

16:24

remote office was important.

16:26

Yeah. I think quite

16:28

honestly, our convincing argument

16:30

was one persistence and

16:33

two, naming those very things that you just

16:35

mentioned. Right? Really painting a

16:37

picture as to what could potentially

16:39

happen. Should there

16:41

be things in these locations that we

16:43

don't know about? That

16:45

persistent argument that we would make over and

16:47

over again ultimately

16:49

led to the decision

16:52

to give us the green light to go ahead and

16:54

conduct this. Right? Because so

16:56

this is just the saying that I have, which

16:58

is, you know, the best the best defense is

17:00

good offense. And unless

17:02

you're putting things and stressing

17:04

them and really

17:07

challenging, what

17:09

is their from a

17:11

technical capabilities perspective, you

17:13

really don't know what's possible within

17:16

that environment. So it

17:18

wasn't

17:18

easy, but he got the green light. The business

17:20

said, okay. You can try to break into

17:22

that remote office physically and

17:24

through the network, but we have some

17:27

rules. Not installing

17:27

any any shells

17:31

or back doors or malware

17:33

on physical devices

17:36

itself. They didn't

17:36

wanna have to clean up any malware left

17:39

behind or cause any damage to the

17:41

network. A lot of companies have a strict

17:43

configuration change policy. Things

17:45

need to be approved by a

17:47

committee when installing new stuff on

17:49

production servers. So they didn't want

17:51

him to just come through and plop a whole bunch

17:53

of hacker tools into a network that's

17:53

heavily in use. It could cause things

17:57

to break. So they wanted

17:59

to have as little

17:59

impact as possible while still

18:02

trying to prove the point of

18:04

impact. And

18:04

so that was kind of our bounds. That's what

18:06

we had to play within. But

18:09

from

18:09

an

18:09

operational perspective, we were kind

18:12

of given some wide latitude as

18:14

to how we were gonna plan this

18:16

out. And and to be

18:18

fair, we other

18:20

than the time of day when we wanted

18:22

to go and scoping

18:24

a few things up prior to

18:26

it, we kind of also left it up

18:28

open to a target of opportunity

18:30

for what we would do when we were there

18:32

as well. Because we didn't know what was gonna happen.

18:34

We didn't know how this whole thing was

18:36

gonna play it out. We could have, at

18:38

some point, the cops called on us and

18:40

we could have, you know, potentially gone to jail

18:43

or we could have eaten we just

18:45

didn't know.

18:46

So Jeremiah and his team started coming

18:48

up with their own objectives.

18:50

Basically, can you get access to this

18:53

location? When you do get access,

18:55

what can you see? From what

18:57

you see, what types of scenarios

18:59

can you play out? And out of those scenarios,

19:01

how risky are they?

19:04

And then separately, can you

19:07

obtain access to devices

19:09

that are on the network. Can you obtain

19:11

access to the to the network

19:14

itself? Is

19:16

there information that you can

19:18

obtain from this operation

19:20

that would potentially compromise

19:23

any any contract that that we were working

19:25

on sort of all of

19:27

the above. Okay.

19:29

So

19:29

he's all set and ready to begin the test.

19:31

Now he wanted to conduct this test like he was

19:33

an outsider. Yes, he did actually

19:35

work at this company that he was testing, but

19:37

he had never been to that building

19:40

before and wasn't going to use any

19:42

internal resources that he had to get

19:44

information to help him break in.

19:46

This test had to be as if he didn't

19:48

work there. So he started by

19:50

simply googling the location. Of

19:52

course, this landed him on Google Maps,

19:54

which he started noting all the relevant

19:56

information that he saw what

19:58

surrounded the the building.

20:00

Were there any coffee shops that were

20:02

attached to it? Were there

20:05

any other third parties that were

20:07

also in those buildings. What

20:10

access did they

20:12

potentially have? Were there

20:14

satellite aerial images of

20:16

the location. What were the

20:18

entry points to that building, the

20:21

ingress and egress points?

20:24

how do how how how many people went

20:26

to and from the location? Who worked

20:28

at that location? When

20:31

was the normal scheduling for when

20:33

people arrived? When did they go to

20:36

lunch? That sort of

20:39

thing. Right? Okay.

20:39

So he's picked up quite a bit from

20:42

Google and now it's time for him to

20:44

take it to the next step, drive

20:46

to the building and do some

20:48

light surveillance, take notes along the

20:50

way.

20:51

I went

20:52

there to take a look at what

20:55

was happening when people would generally

20:57

show up when they were leaving

20:59

where their locations were for when

21:01

they would smoke. And I

21:03

was in my vehicle. I

21:06

parked and I would hang out and

21:08

just watch. And then I drove around

21:10

the building itself and then I

21:13

would note locations on a map that I had

21:15

with me as to what I thought that

21:17

was based off of what I was

21:19

seeing. And then I

21:21

ultimately left for the day and took that

21:23

information back to add to the

21:25

portfolio that we were putting together for

21:27

the location. He takes the

21:29

intelligence he's gathered and regroups back

21:31

at the home office. I was

21:33

working with another individual, call him

21:33

BC. I was working

21:38

with BC, and we

21:40

both collaboratively decided to

21:43

go about checking

21:46

every external egress

21:48

point just to see what we could walking

21:50

around the building's perimeter, just to

21:52

see what we could notice, if there was

21:54

anything open, what locations

21:57

we could actually get into the building

21:59

from and then to kind

22:01

of follow that bread crumb trail

22:04

to see where it led.

22:06

Okay. So that's the grand plan.

22:08

Just to walk the perimeter and see what

22:10

doors are opened. It's not

22:12

a bad plan, often the front entrance

22:14

sense is where all the security is.

22:16

So trying to slip in through a side door or a

22:18

back door, bypasses all that. So

22:21

that was plan a. Plan b was to

22:23

walk directly into the front of

22:25

the location at

22:27

the front the front doors.

22:29

Do you have any idea what's in those

22:31

front doors like security guard or another locked door? No

22:34

idea. No idea how the layout is.

22:36

We assumed that there was some

22:39

sort of foyer that was

22:41

there, but we had no clue. We we

22:43

had never been there before. So,

22:45

Jeremiah and B. C. have

22:47

their plans. And BC has also done a few

22:49

of these penetration tests before. This

22:51

was a junior to me at the

22:53

time. And so I was bringing

22:55

him along as one,

22:57

a backup to to

22:59

look more more realistic like

23:01

I belong like I had company.

23:04

The more individuals that you've got with

23:06

you in a party, the less likely you are to

23:08

be challenged. And so that was a

23:10

benefit towards the location.

23:13

But separately, it allowed me

23:16

to spread the

23:19

workload that was involved in

23:21

checking things, to see

23:23

what was there? They pick

23:24

a date when they're going to go there and

23:26

start preparing for it.

23:27

Yeah. So we decided

23:31

that the best way to

23:32

dress was obviously business casual

23:35

to make sure that we've groomed

23:38

professionally. We

23:40

got haircuts the day before. We

23:40

made sure that we were

23:44

kind of wearing wearing polos

23:47

and and slacks and we're

23:50

looking very

23:50

sort of business casual. Well, I mean,

23:52

the haircuts

23:52

were specifically for this engagement.

23:55

In

23:55

a way, yes. But

23:58

at the same time, we kinda wanted

23:59

to look like we were

24:01

blending

24:02

into everybody else within

24:05

the environment. as well. I wonder how that worked out

24:06

with

24:07

your junior. Like, was it your

24:09

idea? Like, hey, man. Get a haircut. And

24:12

what? Why? I'm fine. No. We're

24:14

gonna we wanna look this part and maybe you had

24:16

it in your head like, man. This guy really needs haircut. I

24:18

could use this as an excuse to, like, tell

24:20

him to get haircut. Yeah. When

24:21

so so the best thing

24:23

about this particular

24:26

guy is he he kinda

24:28

got it too because he

24:31

is is also former

24:33

military.

24:33

And so he was

24:36

totally

24:36

cool with making sure

24:38

that that he was well groomed, had a haircut,

24:40

and well dressed for the event. In

24:43

addition, we brought

24:46

our We had separate laptops to conduct

24:48

red red team operations. So we had

24:50

those with us. I

24:53

had a lockpick set and

24:55

Raspberry Pi, as well

24:58

as a Bash Bunny. And I had

24:58

a network sort

25:00

of a network star tap, what's it

25:02

called? Like a LAN Star.

25:04

The LAN Star. Thank you. I had

25:06

a LAN Star just just in case

25:10

I wanted to tap something in

25:12

there. I also had actually mobile

25:15

version of Kali Linux

25:17

installed on my on

25:19

a on a burner phone that I had.

25:21

and that was about it.

25:23

So it's now

25:24

the day of. It's go time.

25:24

With their equipment and fresh haircuts,

25:26

they drive to the building. There

25:30

are no gate guards or security to just get on

25:32

the property. So they're able to drive right into

25:34

the parking lot, park the car, and they

25:36

immediately split up and walk around

25:38

the outside perimeter of the building. That's

25:41

exactly what

25:41

we did. Yeah. So,

25:43

BC went to the right, I went to

25:45

the left, and we both walked around

25:47

the perimeter of the building and

25:50

just sort of we each had a

25:52

copy of the aerial

25:54

photography that we had marked up and

25:56

he had a folder, had a folder that was inside

25:58

of it, that

25:59

was inside of our bags. And as we were walking

26:02

around, just kind of checking

26:04

doors along the way, to

26:07

see if they're open, to

26:09

see if they're locked, and or if we could

26:11

get access to them.

26:12

To walk around, tugging on every door

26:14

they came across to see if one

26:17

opened. Jeremiah tugged

26:19

and tugged, but he didn't

26:21

find a single door that

26:23

opened. He came around the backside of the building and that's

26:25

where he saw BC coming around from the other

26:27

side. Jeremiah told him that he didn't

26:29

find any doors open. And

26:31

he let me know that on one

26:33

of the doors on his side

26:36

actually happened to be open.

26:38

So together, they

26:38

walked back towards that door, that

26:40

BC found open. It

26:42

was a

26:42

back door, but it was a

26:45

door to a

26:47

stairwell that led to

26:49

all the floors in the

26:51

building itself. And the

26:54

door was just kinda left open

26:56

and it was by sheer

26:58

happenstance. It was

27:00

most likely due to a particular

27:04

implementation flaw in the physical

27:06

door itself and that someone didn't

27:09

actively make sure that it was shut.

27:11

Otherwise, it would have been locked.

27:14

which in this particular instance, it was

27:16

open hanging out and there was a crack and we

27:18

were able to open the door. So they

27:20

slip in

27:20

through this partially open door that

27:23

wasn't locking properly and go

27:25

into the stairwell. At this point, they need

27:27

to make a decision. Go up the

27:29

stairs or just try to go to the

27:31

first floor. Yeah. Yeah.

27:31

So we didn't want to

27:34

mess with the door on the first

27:36

level to begin with.

27:38

We knew that the

27:41

contractor that we worked

27:44

for had offices on the

27:46

second and third floors. And

27:49

so we wanted to we we

27:51

knew that we could gain access to the first floor

27:53

through the front of the building anyways.

27:56

So what we did is we walk into this

27:58

stairwell. We took

27:59

photos of the of the

28:02

open door just kinda as it was,

28:04

took photos of us inside of stairwell

28:06

and of course going to the second

28:08

and third floors. Now in a lot of office

28:10

buildings, the stairwell doors are

28:13

locked from the stairwell side. You can go into the

28:15

stairwell from the office, but you can't go

28:17

into the office from the stairwell. And

28:19

they were walking up the stairs expecting to

28:21

face this and trying to think of ways that they

28:23

could bypass the door and get into the

28:25

office, perhaps wait

28:27

for someone to come out or

28:29

maybe get some lock picks out, try to pick the lock. They'll

28:31

have to see when they get there. But when

28:33

they got to the second floor, they

28:35

just tried pulling on the door. And

28:37

to their surprise, it opened? We couldn't, and we

28:40

could get direct access to those

28:42

floors as well, which were supposed

28:44

to be secured floors. So they got into the

28:46

second floor office, took pictures

28:48

of themselves in the office and got

28:50

right back in to the stairwell. And then they went

28:52

up to the third floor. And again, that

28:55

stairwell door opened right up for them and

28:57

they got in. Yeah.

28:58

So we walk in,

29:00

take a quick photo to show that we were in the floor and that

29:02

we just kinda walked right back out. They walked

29:04

all the way back down the stairs and out of

29:06

the building. They

29:07

regrouped and made a new

29:09

plan. The goal of

29:10

the pen test is to identify as many

29:13

exploitable vulnerabilities or findings as you

29:15

can and then present

29:18

that and have them fixed as much as

29:20

they can be fixed. So they were

29:21

able to successfully get access into this

29:24

building. And so

29:25

that was kind of checked one. Now

29:27

let's test another avenue. So they

29:29

regroup at the front of the building and this

29:31

time go in through the main entrance. They

29:33

have no idea what might be there.

29:35

And they know the office they want to get access to is on the

29:38

second and third floor. And there

29:40

should be some kind of thing to stop them

29:42

from getting just directly into the office and

29:44

roaming free, but where and

29:46

what exactly would stop them? They

29:48

didn't know. Stay with us

29:50

because after the break, they

29:52

head inside.

29:57

Support

30:01

for this show comes from Linode. Now,

30:03

Linode has been my go to service for whenever I

30:05

need a Linux server in the cloud. It's fast,

30:07

easy to deploy, and always cost just

30:10

right. But they're launching a brand new thing that

30:12

I'm excited about. Managed

30:14

databases. Instead of running your

30:16

own database, Linode will do it for

30:18

you. They offer MySQL, MongoDB,

30:21

PostgreSQL, and Redis is coming

30:23

later this year. I'm excited about this

30:25

because building your own database server is

30:27

work. You have to make sure the OS is

30:29

patched and the database software is up to date and

30:31

then worry about performance and

30:33

optimization. Linode does all that for you now,

30:35

making it so much easier. And Linode

30:37

has always been easy to use, which is my

30:39

favorite part about them. You get simple

30:41

and fast deployment, secure access,

30:43

daily backups are included, and they

30:45

have flexible plans. Learn more by visiting

30:48

WWW dot

30:50

linode dot com slash products

30:52

slash databases. Linode is spelled

30:54

L-I-N-O-D-E,

30:57

linode dot com slash

30:59

products slash databases.

31:02

Jeremiah

31:07

and BC open the doors to the front of

31:09

the building and walk in, with their

31:11

goal to get into the second and third floor

31:14

offices.

31:14

And as we were going

31:17

through, we didn't initially see any kind of front

31:19

desk on the first floor. We

31:21

did see some stairs that were

31:23

spiraling down kind of from the

31:25

second and third floors in the center of

31:28

the of the building in the

31:30

foyer. They

31:30

look around and see some elevators, which tells

31:32

them there's two ways to get to the

31:34

second floor. These stairs in the

31:37

foyer or the elevator, also

31:39

looked around in the lobby of the building there and noticed a

31:41

few ethernet ports on the walls. And they

31:44

wondered if that connected to

31:46

anything, but they just took a mental note

31:48

of that, and decided to go up

31:50

the stairs to the second

31:52

floor. And

31:52

so we were able

31:54

to move up to each floor

31:58

and we noticed as we got to the second and

31:59

third floors, there were

32:02

doors to either side that were

32:04

that

32:04

would grant access to the business operations of

32:06

this contractor. Now the entry

32:08

doors were closed and their,

32:11

you know, they had

32:13

locks on them that were

32:16

that

32:16

you utilized from your keycard to

32:20

unlock the doors so you could go in, and that was

32:22

for authorized employees for those

32:24

locations. Okay.

32:25

So just by walking by the office doors,

32:27

you could see that you need a keycard to get

32:29

into that door. And on one of these floors

32:31

was a person sitting at a desk in the lobby,

32:34

but on the other floor, there was nobody in

32:36

the lobby.

32:36

There was a public seating of

32:39

in the lobby on each floor

32:41

as well. And

32:43

we both sat down on one

32:45

of the couches just so we could

32:48

figure out what it was that we wanted to

32:50

do at this point and kinda pulled out our

32:52

computers. We're looking like we were kinda

32:54

collaborating together for

32:56

work. This

32:56

gave them an opportunity to just sit in front of

32:58

the door of this office and watch what

33:00

was going on. Since nobody was in the

33:02

lobby to really bother them, they

33:04

could on something right there in the lobby, but really

33:07

scouting around, watching what's going on,

33:09

like seeing how people get in and out of this

33:11

office, or are there opportunities to

33:13

tailgate behind someone as they in or

33:15

out, and that sort of thing. But

33:17

as they were looking around, you noticed

33:19

that in this lobby, there was

33:21

a kiosk, a little computer that

33:23

lets visitors check-in or give some

33:25

information or something. Well, this

33:27

was curious, an unattended

33:29

computer in the lobby. What's a

33:31

couple of pen testers do with

33:33

that? Well, they start messing with it.

33:35

It was running some kind of software that lets

33:37

users only use this one

33:39

app. But they were able to figure out a way to close that

33:41

app and get into the operating system

33:43

on that computer. We were

33:45

able to access the underlying Windows

33:48

OS that was running on it. And from there, there was

33:50

an exposed USB port on the back of

33:52

it. We're able to plug in a Bash Bunny to

33:54

execute the previously written

33:56

script. Okay. So

33:57

a Bash Bunny looks like a normal USB stick,

33:59

but when you put it into a computer, the

34:01

computer asks, hey, what are you? And the Bash

34:03

Bunny says, oh, hi. I'm a keyboard.

34:06

And the computer's like, oh, okay. Got it. I'll

34:08

let you type stuff if you want. And so

34:10

the Bash Bunny has this preloaded script

34:13

and it says, okay, here are some key presses

34:15

and it sends a pre-created set of

34:18

keystrokes to

34:20

the computer. Well, the computer thinks

34:22

it's a keyboard. So it just starts accepting these

34:24

keystrokes. And you can do things

34:26

like open up a command terminal

34:28

or a program and then start typing

34:30

commands in that. In the case of

34:32

Jeremiah, he made the script open up

34:34

a word program and start

34:36

typing on the screen. And it was just enough

34:38

so that he take a photo to prove that he has control over this

34:40

computer. Because, I mean, if you can

34:42

open up a program on a computer and start

34:44

typing words on the screen, then you have control

34:46

of that

34:48

computer. Right? So while this kiosk computer didn't have an

34:50

actual keyboard connected to it,

34:52

Jeremiah could prove that it's not

34:54

locked down and he's able to plug

34:56

a keyboard into it and take control of that

34:58

computer and nobody would stop him.

35:00

They also noted that this kiosk had

35:02

an ethernet connection to

35:04

the wall. And this is

35:06

interesting because this Ethernet

35:08

jack might be on the same

35:10

network as the computers inside this office.

35:12

And you don't even need to go in the office to

35:14

get into the network. But they didn't plug into this Ethernet jack. They

35:16

wanted to see if they could get into the office

35:18

now. And after examining the doors

35:20

for a

35:22

little while, they understood that there's a key card reader there and you need

35:24

to swipe your key in order to get the door to

35:26

unlock, but they wanted to

35:28

see if that

35:30

was true. So they walked

35:32

up to the door and tried pulling on the

35:34

handle. They should

35:34

have been locked, but as we pulled

35:37

them, the doors were just unlocked at

35:39

this particular day. So we were able to to to

35:41

open the doors as they were

35:43

and walk right into

35:46

the floor. So

35:47

that's another photo that they

35:49

took that was going in the report. They were

35:51

able to walk right in through the front door, go

35:53

up the stairs and just open the office door

35:55

and go inside the office. Now they

35:57

were in an office where there's a whole

35:59

bunch of private information

36:02

around. And now that they're in this office,

36:04

they might as well try to see what kind of private

36:06

information they can team. So at this point, we

36:07

took pictures of us freely being able to

36:10

open the office doors from the

36:12

lobby and us

36:14

walking around in the

36:16

internal office space. As

36:18

we walked through the office,

36:20

we noted again other network

36:22

ports, printers,

36:24

network TVs, projects that

36:26

were being worked on. So things

36:28

that were written on whiteboards,

36:30

labels that were labeling

36:33

files that were just out in the open

36:36

space. Different IP addresses.

36:38

As we walked through, we were

36:40

able to kind of map

36:42

out the IP address schema

36:44

from IP labels that

36:46

were written and addressed to

36:48

the printers that were around the

36:50

office space, looking for any

36:52

other kind of information that

36:55

could be leveraged in some way.

36:58

And so the whole time we're walking

37:00

around, keep in mind, we didn't have our badges on, like, at all.

37:02

We walked by many people.

37:04

watched by many people saying

37:07

hi to folks. We even at

37:09

one point, went into

37:12

the the employee break room and

37:14

grabbed some coffee and kinda hung out there for a few minutes just to

37:16

see if anybody would challenge

37:18

us, like, at all, because we were

37:20

not wearing our badges again.

37:22

And nobody

37:24

said anything, like at any points, and people

37:26

kind of said, hi. How

37:28

are you doing? Nodded at us, but for

37:30

the most part, nobody ever

37:34

us. I think what

37:35

worked here is they looked the part

37:37

and acted with confidence. If they dressed

37:39

differently than the other workers or looked

37:41

suspicious in some way, like

37:43

the way they were moved around, they would have made them

37:45

more likely to be stopped. And there's

37:48

something that makes us more accepting of

37:50

somebody if they're already past the security

37:52

barriers. If they're in the office,

37:54

they must belong there. Right? Or else

37:56

they wouldn't have been able to get in? As

37:58

they were moving around, they open

38:00

conference table, a little spot where people

38:02

can gather to do work, but not quite

38:04

in a conference room. So we

38:06

sat down at this table, and we

38:09

noticed that there were some Ethernet jacks

38:11

on the wall. We both

38:13

had cables that

38:16

we up with us, and so

38:18

we plugged into the wall. Now

38:20

finding an open ethernet jack

38:23

could be a gold They

38:26

saw the WiFi networks were in this

38:28

place, but they didn't know what the WiFi password

38:30

was. But you don't need a

38:32

password when you're plugging in to a port on the

38:34

wall. All you need is a cable. So

38:36

plugging in could potentially get you

38:38

access into the internal

38:40

network. These Ethernet ports can

38:42

be configured a lot of ways though.

38:44

They might give you internal access or they might

38:46

give you no access at all. It's not

38:48

a sure thing that just because physically in the

38:50

office means that you're gonna be able to plug in and

38:52

use the network. And a properly

38:54

configured office will make it so

38:56

you can't just walk up and

38:58

plug into any ethernet port. But they plugged their

39:00

computers into the ethernet jacks

39:03

and saw that the ports were alive and

39:05

gave them IP addresses, then they

39:08

quickly scanned around the network to see what

39:10

was on this network,

39:12

but there were no other computers on the

39:14

network. All they could do was access the

39:16

Internet. Nothing internal in

39:19

the office. Okay. So

39:21

might be a sign that this

39:23

company was using NAC. NAC

39:25

stands for network access control,

39:27

and it means that when you plug a

39:29

computer into a port, the router takes a look at

39:31

your MAC address of your computer to see if that computer should

39:33

have special access. A MAC address is the

39:36

hardware address on an

39:38

ethernet port which is on your

39:40

computer. So this network was checking

39:42

the computer's MAC address to see if

39:44

it was allowed on the network. And if

39:46

so, it would give you special access. But

39:48

if not, it would just give you

39:50

very restricted access. In this

39:52

case, since the router didn't know

39:54

Jeremiah's computer's MAC address,

39:56

it just gave him very restricted

39:58

network access, sort of like guest access. And I guess this is

40:00

good security. You want your ethernet

40:02

ports to require users to

40:04

check for some authorization before

40:06

giving them

40:08

network access. Because you don't want anyone to just be able to walk up and plug their

40:10

computer into any Ethernet jack and get

40:12

full access to the soft underbelly of

40:14

the network. So

40:16

if you were a penetration

40:17

tester and notice that this network had

40:19

a NAC to restrict your access when

40:21

you plug in, what can you do

40:23

to bypass this?

40:26

Well, you could find a MAC address that is on the

40:28

allow list. And you could change

40:30

your computer's MAC address to

40:32

be one of those, and

40:34

you might be able to get in.

40:36

So what we did is we noted a couple of the

40:38

printers that were there in those

40:42

locations, and we went to those printers and

40:44

we were able to look up the

40:46

MACs online for the for

40:48

the style printer it was.

40:51

See, what you need

40:52

to know about MAC addresses is that the first

40:54

part of the MAC address is assigned

40:56

to a vendor. So

40:58

if you had Cisco equipment,

41:00

every single Ethernet port on all Cisco equipment starts with the

41:03

MAC address 9436

41:05

CC, and then the second

41:07

half of the MAC address

41:09

would be different for every ethernet port, making them all

41:11

different. So Jeremiah saw which types of printers

41:13

they had and look

41:16

up what that vendor's MAC address started with and then change

41:18

the MAC address on his computer to be

41:20

the same as what the printer started with.

41:22

And then he tried plugging

41:25

Ethernet cable back in to see if he would

41:27

get a different IP and

41:30

boom. This gave him a totally different

41:32

IP, which gave him totally on access,

41:34

which was the access he needed to get

41:36

to the inside of this network.

41:38

We

41:38

were ecstatic.

41:40

We were super excited, just because

41:43

well, one, we, you know, we're able to accomplish a goal

41:45

and that was to get access

41:47

to the network, and

41:50

being able to conduct network access

41:52

bypass was something so simple as

41:54

changing your MAC. One was super

41:57

exciting and it was like, we totally got a finding

41:59

out of

41:59

this. It's it's crazy.

42:02

There

42:02

are other ways to configure NAC.

42:04

I think they got lucky that this worked.

42:06

And the network team had to find a more secure way to check if

42:08

a computer should have this sort of network

42:10

access, such as having a certain

42:12

registry file on that computer or

42:15

something like that. So

42:16

we gained access to the network. We

42:19

again took screenshots

42:20

and photos of

42:23

our steps of what we did to get

42:25

access to it. We showed that we had access to it. We showed that we had an IP. We showed that we're

42:28

able to navigate the

42:30

Internet while being connected to

42:32

the network. We kind of packed

42:34

up. We disconnected.

42:36

Put our

42:37

laptops

42:38

back in our bag.

42:40

And we went around the floor just to kind of look for

42:43

any additional target of opportunities

42:45

that we may not

42:47

have noticed before.

42:50

As we were

42:51

walking around the floor, we

42:52

noticed there were kind of

42:54

actually two separate situations

42:56

of individuals who had kinda

42:59

walked away from their laptops and left

43:02

them unlocked and kind

43:03

of open at

43:06

their desks.

43:07

We took photos of us

43:10

sitting at those computers,

43:12

kind of pretending to plug in

43:14

a device, because, again, organization was very risk

43:16

averse, and we didn't wanna

43:18

overstep any boundaries of

43:20

what we've been allowed to

43:22

do up into this point because we want to be

43:24

able to conduct these kinds of operations

43:26

again in the future. So

43:28

instead of plugging anything into

43:30

these particular laptops,

43:32

we just kinda sat down and showed

43:34

that they were unlocked, and we could mess with

43:36

them if we wanted to. And, oh, by

43:38

the way, here's a Bash Bunny. We

43:40

just got done plugging one into a kiosk. We could plug it into here

43:42

too, sort of a thing. And

43:44

so we took photos

43:46

to prove impact

43:48

instead of actually having to conduct

43:50

something on those. They were already unlocked.

43:52

We already had access to them. Someone had

43:54

walked away. So we left

43:57

that floor. As we were kinda walking

43:59

out, we went to the elevator. And

44:01

as we were walking to the elevator, there

44:03

was someone from the other side of the floor

44:05

that was also walking to the elevator and also happened to be going up. So

44:07

we rode with him and the elevator kinda,

44:09

you know, said hi

44:12

or pleasantry sort of things, nodded

44:14

and we got off

44:16

on the third floor and as

44:18

they walked out I

44:20

decided I was gonna impromptu follow this

44:22

person and try to see if I can do

44:24

tailgating, to see if they would challenge me

44:26

at all, to see if

44:28

there were any kind of issues there. And and sure enough, if he walks

44:30

up, scans his badge and opens up the

44:32

door, holds it for me. And

44:34

and I'm like, thanks. Appreciate it and just kinda

44:36

walked on

44:38

in. And he never challenged me, this particular individual.

44:40

Jeremiah saw that his

44:41

coworker, B. C. stayed behind in the

44:44

lobby and was walking towards a different set

44:46

of office

44:48

doors. Jeremiah tried to loop around towards the other doors to let

44:50

BC in. But when he came around the

44:52

corner, BC was already

44:55

in the office. Apparently, those other doors didn't require a badge

44:57

to get in. And BC just pulled on them

45:00

and got right in. So I

45:02

didn't even need to

45:04

tailgate in, but I did and kinda proved that that was

45:06

possible. But the

45:08

doors themselves weren't locked either. So

45:10

we could just open the doors on that

45:14

floor too. Another finding for the report. Yeah.

45:16

So while we were on the

45:17

third floor, we kind of

45:20

focused on

45:21

the doing

45:23

intelligence

45:23

gathering. Were there any kind

45:25

of programs that we

45:26

could identify that were being worked

45:30

on that maybe

45:32

shouldn't be public information. What

45:34

other things could we obtain

45:37

about the programs? As we were walking around, we were

45:39

taking photos of whiteboards of

45:42

desks, of paperwork on

45:44

desks, of

45:46

files, the file names,

45:48

trying to collect and obtain

45:49

as much information about these

45:52

programs as

45:54

we could, so that we could then go back and

45:56

see who these

45:58

potential programs

45:59

belong to, or what

46:02

level of sensitivity should really be

46:04

associated with this kind of information.

46:08

We also noted kind of network ports on this floor whether

46:10

or not there were people

46:12

who were at their desk

46:14

with their computers unlocked

46:18

or or if they were away from their desk and they

46:20

were locked. We just noted those things

46:22

as well, and carried

46:24

on with the or used the

46:26

carryover of the previous floor like, hey. If they

46:28

weren't there, we could have also done it on this

46:30

floor too. And,

46:32

hey, by the way, there were these exposed

46:34

network ports in the public

46:37

accessible zone inside of

46:39

the office location as well. These are the IP

46:41

addresses that were associated with printers on

46:43

this location. That

46:46

sort of thing. Right? So we were

46:48

walking around just very much trying to collect

46:50

as much information and data as we could

46:52

as to what was being worked on within

46:54

the location. Once they

46:55

gathered enough information, they packed up their stuff and headed to

46:57

the office, down the steps and out

46:59

the front door, not a single person

47:01

challenged them the whole

47:04

time. And

47:04

and that was that was a pretty successful day for us.

47:08

One, our team hadn't

47:09

conducted a physical

47:12

penetration test

47:14

to

47:14

this measure since

47:17

I'd been there. And

47:19

two, we wanted to

47:21

prove an impact to the organization and three,

47:23

we wanted to make it successful

47:26

enough that they wanted to conduct these kinds

47:28

of things going

47:30

forward because they're

47:32

really huge impacts. Right? Like, if you

47:34

break these things down, they're really

47:36

huge impacts to the

47:38

organization and who the organization

47:40

works with, that could

47:42

be potentially compromised here

47:44

from a number of

47:46

avenues, not only for internal

47:48

business operations,

47:50

but also potentially,

47:52

you know, things that

47:54

affect the

47:55

government and the Department of Defense

47:57

in some way,

47:59

should certain programs be

48:04

compromised or think of any

48:06

kind of code that might be worked on at these locations

48:08

that might be incorporated as part of a

48:10

end product

48:12

for certain entity.

48:14

Right? If there's malicious

48:16

code that's added to a

48:18

software development life cycle, that's

48:21

being conducted within the confines of location that could be

48:23

almost like a

48:26

time based time

48:28

based malware or time based backdoor that gives someone access

48:30

to something after the fact maybe six

48:32

months to a year down the road if

48:35

they wanted to leverage it. There's

48:37

a lot of implications from this kind of a

48:39

thing. Definitely. So

48:40

you put that in the report and you submit

48:42

it and how is it received? So

48:44

ah so this

48:46

was something that hadn't been conducted before.

48:51

They were to

48:54

put it frank, they kinda everybody kinda had a no shit

48:56

moment because

48:58

it was certainly an avenue that most people didn't

49:02

think about. It

49:03

was an avenue that

49:05

was foreign. And

49:06

again, you know, not many

49:07

people think

49:10

like malicious entities and or what

49:12

they might go through or what the things

49:14

that they would try to accomplish

49:18

to prove their goals. So obviously, this kind of showcase

49:20

the ability of the malicious

49:22

entities to attain

49:24

unfettered access to a location.

49:27

And this was very much a no shit moment

49:29

for leadership. So what they did after

49:31

the fact we found out was obviously

49:33

they went through that location, spoke with

49:35

the facility's management,

49:38

asked questions as to why these doors

49:42

weren't locked. Next time we were there, the doors were very much locked. And,

49:44

no, by the way, we didn't have access to it via

49:46

the badges.

49:48

And a lot of

49:50

things were fixed that

49:53

we had previously pointed

49:56

out after

49:56

the fact.

49:57

Leadership was

49:59

particularly surprised when they saw how

50:01

easily they got control of that kiosk. They

50:03

didn't know it was possible to take over

50:05

that computer in the lobby. So

50:07

they just removed it from the lobby. And they

50:09

were also really surprised to see them sitting at

50:11

someone's computer at an

50:14

unlocked workstation, and how they were able to plug into Ethernet jacks and

50:16

bypass NAC to get into the inside

50:18

network. The leadership was impressed by

50:20

Jeremiah and

50:22

BC and allowed them to do further testing to help keep that

50:24

place secure. Since then, Jeremiah

50:26

has moved on to a different company

50:30

called Synack where he conducts offensive

50:32

operations. Alright. Very cool. Thank you for sharing

50:34

this with us. Thanks, man.

50:36

Thanks for

50:36

having me as Certainly

50:39

a pleasure to chat

50:42

with you.

50:48

A big thank you to

50:50

Jeremiah Roe

50:50

for sharing this penetration

50:51

to our story with us. The show is made by

50:53

me, The DreamWeaver,

50:56

Jack Rhysider. Sound design and original music was created by the Acrobat, Garrett

50:58

Tiedemann. Editing help this episode by the

51:00

framemaker, Damien and mixing is

51:02

done

51:02

by

51:04

Proximity

51:04

Sound. Our theme music is by the premier Breakmaster

51:06

Cylinder. Hey, pop quiz.

51:08

What weighs more? A gallon of

51:12

water or a gallon of butane? Water

51:14

weighs more. Butane is a lighter

51:16

fluid. This is Darknet

51:20

Diaries.
