Penetration Testing Expert | Deviant Ollam | Ep. 363

Aug 02, 2025 · 2 hr 8 min

Episode description

Deviant Ollam is a physical penetration testing specialist, a renowned expert in lock picking, and an author. He is a prominent figure in the security community, educating people on vulnerabilities in physical security through presentations, training, and books.
https://deviating.net
https://youtube.com/deviantollam
https://defcon.social/@deviantollam
https://instagram.com/deviantollam
https://bsky.app/profile/deviantollam.bsky.social
https://reddit.com/user/DeviantOllam
https://github.com/deviantollam
Intro music by https://www.youtube.com/user/RemixSample
"Karl Casey @ White Bat Audio"
00:00 - Start
00:45 - Deviant's Background in Pentesting
05:18 - Deviant's "Origin Story"
10:39 - From Hobbyist to Professional Pentester
17:04 - The First Big "Score"
30:22 - History and Evolution of Safes
36:46 - The Art of Safe Cracking
51:08 - Biometric and Electronic Lock Security
53:17 - Intelligence Services and Covert Entry
1:22:42 - Impact of Electronic Surveillance on Pentesting
1:25:41 - Career Advice for the Field



Transcript

Start

Speaker 1

Special operations, covert espionage.

Speaker 2

And I.

Speaker 1

The Team House with your hosts Jack Murphy and David Parke.

Speaker 3

Hey, folks, I'm Jack Murphy here with Dave Parke. You will see him over there or on the wide shot. He looks a little lonely today because things are different. Dimitri had some car problems, so I am back in the production chair after like two, three years since I've done this last, so apologies if there's any technical issues. Our guest tonight is Deviant Ollam. Deviant has a background

Deviant's Background in Pentesting

in pen testing, red teaming, and physical security.

Speaker 4

A few years ago, Dave and I.

Speaker 3

Took a class of his at DEF CON where he taught kem uh. He had a whole class about cracking safes and he also has a lot of information, interesting details about the history of intelligence services cracking into safes and how they went about that. So we're going to talk about all this stuff tonight. Uh, Mister Deviant, thank you for joining us.

Speaker 2

Thanks so much for having me. This is exciting, glad to be here.

Speaker 4

Yeah, I've been a fan of yours for a long time. Can for viewers who might not know, because this is exciting stuff like this is movie stuff, and for people who might not know what pen testing is or physical pen testing like you are. You know, you're you're the analog Barbie in a digital world, right, but you're the guy on the ground. Can you tell us what pen testing and red teaming is and particularly in your world?

Speaker 2

Sure thing.

Speaker 5

So perhaps the you know, the the boardroom technical language that we sanitize things with, we say it's adversarial emulation. Or if you want to sound cool, just at a cocktail party with your friends. My wife just says, I'm professionally dangerous. The movie style reference that you make. If some of the folk of the audiences are old enough to remember a film in the early nineties, Robert Redford, Dan Aykroyd, David Strathairn, and others, Sidney Poitier, like, River Phoenix.

It was called Sneakers. That's one of the best illustrations. In fact, I know the technical advisor on that film, who's in the trades.

Speaker 2

Right?

Speaker 5

That is what we do. We break into places so that people can find out how secure their place is. We pick the locks, we bypass the alarms, we mess

with all the access control systems. Case sometimes I'm cracking safes and the customer gets to find out could a bad guy with a given sort of threat profile, get in, get out, possibly do so unnoticed, and then we can help advise them or their colleagues and their contacts of what mitigation steps they might want to take to change how robust their security is now.

Speaker 4

Is it always Mission: Impossible, coming down from the skylight, or do sometimes? You know? And I'm asking because I know, because I've seen your videos, and if you guys have not checked out any of his videos on YouTube, you owe it to yourself. They're all fascinating. But sometimes is it as easy as picking up a clipboard?

Speaker 2

Yeah, I mean it is.

Speaker 5

You like to fantasize and say that we're all wearing the you know, the black and you have the tactical rope gear and you're climbing.

Speaker 2

But yeah, it's sometimes it's one step above knock knock, knock a password inspector, you know, sometimes you just show up.

Speaker 5

When you think about though, I actually think that's not a bad thing. I think it's representative of how trusting and safe much of our world is. A lot of people don't have a high that they live under. Alleople, if she shows up and they have to stay the affilicking clip or they've got some paperwork from the local.

Speaker 2

Media, Pappy, and they say, hey, yeah, we're the meter readings today. Who's your facilities director? Oh he's out at lunch. Well yeah, he usually just gives me a key. A lot of people working at a front desk if nothing gets there ackled up.

Speaker 5

Oh well that's that makes sense to me. This person doesn't seem like they're behaving like a threat. Yeah, the water meter back there in the utility closet. You need to show you the way. That's a lot of things just get done in our world. And if you've ever, for example, had a hotel and maybe the room wasn't under your name, you're staying with a colleague or a spouse, and you say, oh, I left something in the room, most hotels shouldn't give you a key without verifying with

your name's not on the room. But there's plenty of places out there where if you're not behaving squirrely, and you can say, yeah, you know who was at the desk earlier.

Speaker 2

It was a blonde girl, right, it was Judy. Yeah, she was checking us like, well, you know, Judy, you were here.

Speaker 5

You don't look like you're a meth head about to steal the television. Yeah, what room did you need again?

Speaker 2

Boom.

Speaker 5

Our world has a lot of places where we reduce friction by doing a quick mental calculus and saying, yeah, that this person, you know, kind of that, that Gavin de Becker, Gift of Fear.

Speaker 2

You're not the hairs in your neck aren't rising.

Speaker 5

So much of what we do is, as you describe, just look like we belong there, have a cover story that's plausible, and that'll do it.

Speaker 2

Sometimes you don't have to break out the special high tech tools.

Speaker 4

Yeah, so let's roll back and start from the beginning.

Deviant's "Origin Story"

We always like to ask our guests their origin story, like how did you get your superpowers? Or TV? So you you know, you're in a very unique world, you know, and this isn't you know. Usually we think of people who are in this world either got there by way of being with the government or against it. Right, either you know, a criminal or or you know some sort of you know, be any section of law enforcement or intelligence or whatever. How did you grow up and what led you into this?

Speaker 5

Yeah, the tongue-in-cheek answer that we like to sometimes say is that I had some of the right friends and some of the wrong friends.

Speaker 2

And the more broad answer is.

Speaker 5

That I had a healthy curiosity about the world around me. I didn't take a lot of things at face value. I was raised to question a lot of things by my loving and kind parents. And when you have that kind of mental disposition, and you're fortunate enough to grow up in an environment where I don't know if kids today could could grow up the way I did.

Speaker 2

You know, people our age, your age, my age, like, we.

Speaker 5

Snuck around. We got into places we shouldn't have been, and there weren't just people ready to call the cops the instant they saw a teenager, you know, in that's you know what, why is he on that side of that fence.

Speaker 2

We were allowed to kind of explore and it was lower stakes and doing so, you yeah, you kind of learned how you could get in and out of abandoned buildings and things like that.

Speaker 5

And having that knowledge it never really left me. It never went away. It was always in the back of my mind. If I was staying at a hotel as a teenager, or you know, in my twenties, I was always trying to well, which doors go to the back of house, which go to the maintenance spaces?

Speaker 2

I went oh, oh, there's pipes, there's a generator. This is I'm not supposed to be here. And then you get a little bit older and you're staying in hotels or visiting big buildings. You say, I wonder if I can get on the roof.

Speaker 5

I wonder if I can get into, you know, something that's more critical infrastructure, and you start to realize that a lot of the systems that control our world, especially access control systems, rely on things like doors that swing shut and click properly, and they often don't, or you rely on things like, well, no one would want to go back there because you know, why would you ever do There's no sign on the door saying it's valuable.

Speaker 2

Who would ever check that door?

Speaker 5

And you start being the person who checks all the doors, and then eventually you say, wow, I can get in a lot of places that our world thinks you can't get into. I wonder if I could ever do anything with this, and I'm fortunate enough that I actually got to. It's not an easy career to find yourself in. It's what a lot of people turn to us for, kind of official training, which nowadays training is two things. A lot of people like to say training and certifications.

You know what's the value in that, And it's twofold. One is learning skills, but also just kind of getting that official blessing that.

Speaker 2

Says, well, I'm not just some chump. I'm not just.

Speaker 5

Somebody who's a criminal. I've actually tried to better myself. I've done some of this professionally. Is if you want to become a bouncer, maybe you're a guy who's just good at fistfighting, but maybe if you actually went to a training course, they say, oh, all right, the training isn't just me. Anybody could hit somebody. You actually can keep your head about you. You can do things with

best practices. You understand the professional way to go about what otherwise would be a very blunt sort of trade. And that's why, yeah, people come to us all the time at Red Team Alliance because they say, I want to do what you do, but I want to do it properly. And a lot of people have the knack, or at least the desire to get in places they shouldn't be, but can you do it in a way that is respectful and responsible and adds value to the clients who are paying you to do it?

Speaker 2

That's that's a different the street criminal.

Speaker 4

You know, it's interesting too because you know, like I said, you are analog in a digital world in this sense

of you're a hacker. You know, you're uh, you know, a feature at DEF CON and at all the you know, different hacking conventions, and your path was it seems to me that it was probably very parallel to a lot of how the OG hackers grew up, where they were doing things that you know, weren't probably just because there weren't you know that you didn't have training facilities, you didn't have Hack The Box, you didn't have these things. People just learned it by doing it, and and so

you were. You were on that exact same path, only where they were breaking into systems, you were breaking into buildings.

Speaker 2

Yeah, that's absolutely the case.

Speaker 5

And I'm very as I say, I'm very concerned that we don't give a lot of younger minds these days the space and the room to run. I like that you called out things like Hack The Box and so forth. Those those resources and those assets are really important now because we don't live in a world that is as forgiving as it once was. Right, and these minds need a place to grow and experience these challenges and try out their skills in real world sort of sort of play environments.

Speaker 2

Otherwise, if all you're doing.

Speaker 5

Is prepackaged, you know, kind of by the book lessons, are you really learning how things work out there.

Speaker 4

On a job? Right?

Speaker 3

So?

Speaker 6

How?

Speaker 4

Because I have to know how did you make that transition?

From Hobbyist to Professional Pentester

Because where with the digital side and with hackers, we see you know the development of software companies and software and you know the and then you know countermeasures you know to hackers and stuff like that. But for you, how did you plant a flag and say hey, I can break into a building? Anybody want that?

Speaker 2

All the credit there?

Speaker 5

I think I would heap on a longtime friend of mine who's in town because we're in town for Black Hat and DEF CON. Of course, so my buddy Jeff, the Dark Tangent, who started DEF CON and with it Black Hat some years after DEF CON was around, the Black Hat conference, which I don't know if all your listeners know the full origins, I'll give you the real quick story.

Speaker 2

It's a brilliant hack of its own type.

Speaker 5

The origins of Black Hat, the conference and trade show DEF CON, which originally started as just kind of a going away party for Jeff's bulletin board that he was running.

Speaker 2

People said, oh, man, this is so cool.

Speaker 5

I came out to Vegas and you had this big party and there were these talks are you going to do this again? You got to do this next year? This was great and he's I wasn't planning on anything like that. I just kind of threw something together from my friends.

Speaker 2

If you want to, we'll do it.

Speaker 5

So then DEF CON happened next year, and DEF CON happened the year after that, and DEF CON, the conference, kept growing and people were coming up to Jeff in the hacker world and saying, man, oh, you're Dark Tangent. You run that DEF CON thing. That's so cool, man. I wish I could go to that. And he would say, then, then do it. It's a fifty dollars conference. Why don't you just come? He said, no, my company would never send me that.

Speaker 2

Why.

Speaker 5

He's like, well, you know, like you said, it's a fifty dollars conference. It's not professional. It's you know, it's not My boss would laugh me out of the room. And Jeff looked at these people and he said, you're telling me that I'm running an event that is accessible, has great content, has great speakers, has all the information you need, and you can't come because it's too cheap.

And they said basically, yeah. So the very first year that Black Hat started, and Jeff would tell the story with a little more detail, but effectively, he reached out to his most popular speakers, the ones who were already.

Speaker 2

Coming to DEF CON, and he said, Hey, do me a favor.

Speaker 5

I want you to come into town almost a week early, and I want to put you up at the Caesars and I want.

Speaker 2

You to give the same talks you're gonna give at DEF CON. Give them a few.

Speaker 5

Days early to like Feds and suit wearing people and stuff, and we're going to charge twelve hundred dollars at the door.

Speaker 2

We're going to call it Black Hat. And everyone thought that was nuts.

Speaker 5

And all those companies that people their bosses wouldn't let them come to DEF CON. They said, now this is thing, the Black Hat thing. You bring me this pamphlet, this is what you should be going to thanks. This is serious business, right and you know it's the same. It was the same thing for the first few years, and then of course Black Hat developed professional trainings, multi day trainings, and I've been going to DEF CON and Black Hat for ages.

Speaker 2

Now I've been going since DEF CON eight and good lord, it's what is it, DEF CON thirty three, thirty four? Oh my good lord. But when the trainings were starting, you know, people just hey, you're.

Speaker 5

Good at this thing. You should run a training. It wasn't these full on massive training works. And Jeff approached me. Tangent said, hey, man, you've been giving lock picking talks at DEF CON. People love that lock pick stuff you do. You know you should run a training, Black Hat. And I was like, get the hell out of here. No one's going to come learn lock picking from me for two days. That's insane. I just do it for free at DEF CON 'cause

Speaker 2

I love it.

Speaker 5

And he said, no, you should do it, man, We're going to pack that room. And that was my first professional training that I gave. This is long before Red Team Alliance or anything that existed. It was just me and my buddy Bobbic in a room and sure enough we were teaching people the basics.

Speaker 2

And next year they said, oh, you should electronics. You u talk about alarms.

Speaker 5

She used to talk about this, and we just kept adding content, and as often happens at Black Hat, many times people will take a whole training and they'll say, this is great stuff.

Speaker 2

I learned a lot. Can I hire you to do this?

Speaker 5

And you look at them at the end of two days and you say, you just paid to learn how to do it though, and they said, yeah, but my company wouldn't believe me. I'm internal if I report all these findings that we really need an external voice to validate all these findings.

Speaker 2

Can we just hire you guys? It's like money can be exchanged for goods and services. I don't mind having no money. Sure.

Speaker 5

So that's where some of our earliest clients came from. They were the people we were training at Black Hat who were then immediately a month later hiring us to come break into their buildings, and then word of mouth spread.

Speaker 2

We've never done any real marketing of any kind.

Speaker 5

It's just people. Oh, those are the guys who do that stuff. Yeah, I've heard of that that you should.

Speaker 2

Take their training, you should hire them, did that thing, And that's that's how I got my career.

Speaker 4

Well, you know, now, I guess when you know we think of red teaming and you know, getting access to internal you know systems and whatnot, like the physical red teaming and the physical pen testing. You know, we think of that. But how did you you know, before the Internet, before all this, you know, was it twenty six how did you find yourself in the you know, with this set of skills in the hacker community.

Speaker 2

Yeah, so you mentioned briefly.

Speaker 5

I heard a little passing reference to twenty six hundred, the magazine, the twenty six hundred meetups.

Speaker 2

I was part of the twenty six hundred crew.

Speaker 5

Back east in Philly where I was living, there was a non pro well now is a nonprofit. At the time, it was just kind of a ragtag group of enthusiasts. There's this group called TOOOL, The Open Organisation Of Lockpickers. That is a group that still exists to this day. I was on their board of directors as a nonprofit board member for a very long time. But it was

people just kind of had a passing interest. Or you would be at a tech even a professional tech event, you might see somebody picking locks just as a hobby, much in the way that you'll see people nowadays cross stitching or doing crochet. If they're on a long plane flight or sitting in a long lecture in an academic setting, you'd see locks being picked in the hacker world, and for some people that never went anywhere beyond being a hobby and for some of us became a real obsession.

But yeah, the hobbyist community and that the hacker mindset of these are some cool skills. I just want to use them for fun. Fun can become profitable.

Speaker 4

I would like to thank a sponsor tonight, somebody I'm actually I've never heard of, but I'm super excited about

The First Big "Score"

right now. You see, I have to put on my reading glasses of getting old and with that age and the abuse that Jack and I have been through through the years, the arthritis, the sleep apnea, the insomnia. You know, this amounts of scotch, Yes, copious amounts of scotch. You know, we had Chris Frueh on just a short while ago and he talked about the operator syndrome, right, and you know we have TBIs and blast exposure and post traumatic stress and all these things going on for

us and and not just us, but everybody. You're all, you know, subjected to all this stuff. So our new sponsor is superpower dot Com. And the reason I'm really excited about Superpower dot Com is a lot of things that Chris was talking about, a lot of the processes that are going on in our bodies that we don't know about, and that like your normal doctor isn't even gonna know to check their checking this stuff. It's a concierge medical service.

Speaker 2

Uh.

Speaker 4

You know, we've all been there. You go to the doctor, get your blood drawn, and a week later you hear everything looks fine, And a lot of times you got to pull teeth just to get them to do a basic panel. Right. Maybe they tell you to drink more water or exercise more, but that's it. No breakdown of your hormones, no insight to the inflammation, toxins, the nutrient deficiencies, just vague advice and a pat on the back. Superpower

Health is a completely different experience. It's a revolutionary new kind of preventative care, more comprehensive, more actual, and you can do it all from the comfort of your own home. Here's how it works. Twice a year, Superpower sends a licensed professional right to your door to collect a comprehensive lab panel, or you can visit a nearby lab. Superpower measures over one hundred biomarkers. That includes your heart, your liver, your thyroid, your hormones, your metabolism, your vitamin

and in your mineral levels. I mean that is like everything that Chris was talking about, right, and again, a lot of you may not have been in the military and may not have had special ops, may not been combat. It doesn't matter. Like these stressors, they affect all of us, you know, and you know it's just this is amazing to me. I just cannot wait to get started with this. Then you get a personalized action plan based on your results, all beautifully laid out in their app, plus access to

your own private medical team to help guide you. It's the same level of testing and insight the pro athletes get, but at a price that actually makes sense. Stop hoping you'll live a long, healthy life, start taking action. For a limited time, our listeners get fifty dollars off when they use Code Team. That's Team Code Team at superpower dot com. The superpower not only gives you an initial plan,

but it tracks your results over your lifetime. Each test builds on the last, giving you a full picture of your progress year after year. So for a limited time, our listeners are getting fifty dollars off an annual Superpower membership by using code Team at checkout. Just head to superpower dot com and use code team that's team to get our exclusive discount, your biology decoded, your blueprint activated with Superpower. After you approach, after you purchase, they will

ask you where you heard about them. Please please support our show and tell them our show sent you. Like I said, this to me is exciting, like when they talk about getting all these tests and you know, all these things, I don't.

Speaker 7

Even know where it started, and you have to find somebody who will actually do it.

Speaker 3

You also have no idea, like you know, if you're having aches and pains or you're feeling tired all the time, like you don't know what you're deficient in.

Speaker 4

It it could be a vitamin, it could it could be anything, right, yeah, yeah, yeah, So and look, maybe you're old and broken like I am, or young and spry like Jack. But it's like it's it's always a good time to start, you know, either find out what's going on or to you know, stay young and healthy for the next forty years. So anyway, check them out Superpower dot com. Use team to check out thanks. Yeah,

that's fantastic. What was the first like big score for you where you're like, wow, I can actually do this for a living.

Speaker 2

I'll answer it in two ways.

Speaker 5

There was the first time that I sort of unofficially fell into this work, and then the first really good client.

Speaker 2

And I'll sanitize both of them.

Speaker 5

Obviously, one was a law firm, and this was just a local you know, to where I was.

Speaker 2

Living near Philadelphia.

Speaker 5

They were just outside the city and they essentially had a sysadmin there. Their guy who was on site. Their guy who did all the computers and servers.

Speaker 2

In the accounts.

Speaker 5

He just kind of rage quit one day, just real table flip slammed the door.

Speaker 2

And people are like, I don't know if he's coming back.

Speaker 5

And I was known as a guy who could get into locked places just word of mouth. People knew me as that person from the hacker community. And somebody knew somebody who knew somebody who called me and they said, hey, we have a situation here at this law office. We kind of think we should be doing something. We had this guy leave. We don't know if he has the passwords.

We need to mitigate this situation. And I was consulting at the time, which means I was between jobs, right right, And I said, oh, I could make some room in schedule, and I'm make my way over there. And I didn't know if they wanted me essentially to do any tech work or I didn't know exactly what they wanted because I thought they said, oh, the door's locked, to get a break.

Speaker 2

They didn't expect me to break in.

Speaker 5

They expected me to take over the servers, which you know, I did a lot of network security work too, so I was there with my copy of nor Dolls and Ta boots and other things. But as I showed up, I said, it will sit tight. We got a locksmith on the way to get you in. As soon as you get into that office, you can do your thing that we hired you to do.

Speaker 2

And I said okay.

Speaker 5

And I sat there and just I don't know what I was doing in the lobby is pre social media.

Speaker 2

I just must have read a magazine.

Speaker 5

So I was bored and I said, you know, I'm sorry, I'm a clock. I've been here a while. Now, can you show me that what we're we talking about for the server room here? And they took me down a hall and I went, oh, it's just an office door. I'm pretty sure I can bypass that. And sure enough, you know, kachunk you slip I you know, took the cover off some TPS report equivalent, slip the cover into the doorframe.

Speaker 2

Door pops open.

Speaker 5

I was like, all right, well, canceled the locksmith, and then I did my thing with all the servers and I'm rootbooting and I said, okay, well it looks like, yeah, you don't have any Telnet or SSH running your net or your mail server. Your web must be hosted elsewhere. Yeah, this doesn't look too squirrely. Have a proper incident management team come through. But you're you're looking pretty good. I can change your root passwords. What do you want that

new password to be? And writing it down? They go, yeah, a new root password.

Speaker 2

Yeah, what did you do to that door?

Speaker 5

I was like, oh, yeah, your door latches aren't activating correctly because you have access control latches.

Speaker 2

It's you know, your locksmith could explain that to you.

Speaker 5

He said, no, you explain it to me, show us, show us in this guy's office and he's calling partners over. So that was the first time that someone said, oh, you do more than just the ones and zero's you do that break in thing, and that I was known just in the local Philly area as a guy who could do that, and as far as nationwide. One of our first, as I mentioned, you know, students that we had, was a crew of students from a we'll just call them a major tech company.

Speaker 2

They make internet appliances and internet.

Speaker 5

Services that loads of people have interacted with and they've been they're in your data centers. They they're a well known brand. And they were the ones that shocked. They took us out to dinner. I'd never been to a fancy Vegas restaurant. I'm some young kid, and I was shocked when they said, we got to get your infhobiues.

Speaker 2

We want to hire you.

Speaker 5

And you know, a few weeks after Black Hat, they were hiring us to break into multiple offices around the country. And you've done this before, right, I broke into a car dealership, in a law office in Philadelphia, some other small time stuff.

Speaker 2

Never have anything big like this. Every job you think you're like, well, this is gonna be the job.

Speaker 5

There's gonna be a tough one, and then you realize no, there's always a way in there's always a way you can you can break in, you can.

Speaker 2

Find a way each and then you just get win after win after win, and.

Speaker 5

Then and you're the guy. We got to hire those guys. Hire that team again. Nowadays, whenever somebody bids a job, they tend to reach out. So RTA is our training company, but the CORE Group is, you know, our

break-in consulting firm. And it's funny we always get told in these calls, they say, well, yep, we're talking to you, because everyone we talked to either said hire the CORE Group or those guys trained us, like they're either they're the ones who do it or they're the ones who train the people who do it.

Speaker 2

Just just hire them. So the word of mouth just keep spreading.

Speaker 4

That's fantastic. I would love to ask.

Speaker 3

I have to ask, has there ever been a situation where the bad guys wanted to hire you and like you're kind of like does a sketch or I need to take a step back from this one.

Speaker 2

You know, for the longest time the answer was no. And I'll say there have been two occasions when yeah, you got two stories out of me on this one.

Speaker 5

Two occasions where things were a little weird. One was a job that we wound up not taking. It was going to be in Taiwan. It was going to be for a very famous property in Taipei.

Speaker 2

It's it's very big.

Speaker 5

Famous pictures of it on the internet, where if you're familiar with what a tuned mass damper is inside of big buildings, theirs is a gorgeous you can bet you'd almost walk up and touch it.

Speaker 2

It's a very famous building.

Speaker 5

And the whole thing was they wanted to you know, they said, well, here we are, Taiwan is a very politically sensitive area, and we have a very large neighbor and we're not sure if they're interested in, you know, our buildings. And we were never actually one hundred percent sure if this was people from the Taiwanese authority who were worried about China, or if this.

Speaker 2

Was kind of trying to hire us to do something in Taiwan.

Speaker 5

I mean, I think it was probably all in the up and up, But the job wound.

Speaker 2

Up never coming, you know, kind of coming to fruition. I said, you know what, that's probably for the best. I'm fine with that.

Speaker 5

The other one was our on the training side at RTA. We did have a student. This was very recent. We've never we've never had this come up until very recently. We've had a student in one of our access control classes where I mean, if you don't even the show notes, you'll link you see like what our training is very clear. It's talking about like iCLASS and room keys and badge. Badge cloning and things like that was one of the things.

Speaker 2

And this one person showed up and almost within the first hour he started.

Speaker 5

Asking questions about so is this how credit cards work? And we're like, well, I mean credit cards, you know, like tap to pay, I mean they use NFC, they use near field, I mean, it's like RFID kind of it is, you know, inductively coupled. But we you know, we're talking about badge control systems and you don't. You don't use credit cards to get into your data centers, right, And he keeps listening and stuff.

Speaker 2

No, but when are we going to do the credit card stuff? You know, ISO ISO fourteen.

Speaker 4

Four to four B.

Speaker 2

And we're like, well, what did you just like google what?

Speaker 5

He was asking questions that made it sound like he just googled something like card cloning and found us and it became apparent that he was literally in class because he thought he was going to learn how to clone credit cards, and everyone around him, there was a mix of like Feds and other people in the room like over at him, and he said, it's like the guy who walks into the head shop and is like, this glass pipe is for the marijuana's right right?

Speaker 3

You know, Yeah, I was gonna I was gonna say, it sounds like it sounds like the 9/11 hijackers that want to learn how to fly, but not way in the airplane.

Speaker 4

You're kind of like, uh right, yeah.

Speaker 5

And eventually we talked to him during some breaks, and he sounded like a guy. He didn't sound like he was a criminal. It sounded like he was trying to maybe aspire and embark on a new career. He just

didn't quite understand why it was. I think he he told a story to us about how a relative of his had had a legitimate, like credit card fraud and how it just got reversed because you know, like you call your bank and you say I wasn't in Kansas City, and so he's like, oh, what if you could copy a credit card and then you could use it in a bunch of cities and then you claim it was fraud.

Speaker 2

It's like free money. He was very young.

Speaker 5

He was just a very young person, and young people are naive. And we said, first of all, no, I mean that's that is not like a crime. That is a crime.

Speaker 2

You can't do that. Two, we don't do that here.

Speaker 5

And three you've just said a lot of things that are very actionable in front of people.

Speaker 2

You should not. You don't. Don't do that, please please, Rea. And we talked.

Speaker 5

We talked to him a lot. Actually the parking lot. We the second day. We said we're sorry, we were going to have to we refunded you. We're like, this is not the class for you. I think you got the wrong idea. No harm, no foul.

Speaker 2

You know, we took it, We took the equipment back that you know.

Speaker 5

The kid, so he listened to what we had to say, and I think maybe it sent him on a better path.

Speaker 2

But that was that was a shocker for me.

Speaker 5

How how you could you know, look at our class description and come away thinking that that's what the class was about.

Speaker 2

And he just didn't know the security world really explained.

Speaker 5

He's like, why are all these other people in your class, and we're like, well, because they're doing it for good, Like they're doing it to test and work with these

History and Evolution of Safes

companies to make it better.

Speaker 2

Right, he had no idea that could be a career. He's like, that's so strange. Why would anyone do that?

Speaker 4

Yeah, it's fascinating. I mean I wonder, you know, because classes like yours, same as like tactical shooting classes or whatever, that there are probably a lot of wannabes out there right who take the classes and and and really and I don't mean want to be in an insulting way. It's just they had this idea of of being, you know, Johnny high speed. They take the class and never do anything with it.

Speaker 5

Yeah, but yeah, yeah, all the guys who saw John Wick and wanted to learn Center Axis Relock.

Speaker 4

Is exactly exactly exactly. I do like Center Axis Relock though. But so it's interesting that you were like a sysadmin and network admin. I you know, in my mind, for some reason, I thought that maybe, you know, when you were doing the vanilla stuff, that you were like a locksmith or something.

Speaker 5

So I did get my certifications across the board, but that sort of came around the other direction later ever since, I have a rule for myself that every year I want to take at least one or two trainings of some kind just to learn, just to always be learning a new skill. I think you learn not just about the training that you're in. You learn it even I just I like teaching.

Speaker 2

I am a teacher by trade, right, and I just learned about teaching by watching other people teach.

Speaker 5

And I say, okay, boy, I wouldn't I wouldn't presented that concept that way. I would to think of it this way. So but yeah, just learning a new skill just to keep the brain as elastic as you can. So over time, I've added many credentials and letters to my name in this space just because I mean, it's like, I won't say a vacation for me, but it is a mental It is definitely a mental pleasure week when I go down to Lockmasters or Mark Bates Academy or

the SAVTA Safetech Conference something like that. These are skills that I sort of kind of had because I had self taught myself along the way and I wanted to all right now I think I know this. Let me sit in the class. Oh actually no, I didn't know the last ten percent of it. I didn't know this other this new tool exists. I learned that ten years ago, and now there's a new tool. So I'm finding great value.

But at the end of these classes you wind up, you know, with paper you can hang on the wall, and then you wind up with actual certifications and accreditations, and I say, oh, that's pretty cool. So yes, I am a SAVTA certified now certified professional safe Technician.

Speaker 2

I passed my CPS.

Speaker 5

I have in a lower number as a locksmith, I'm a forensic locksmith now, oh yeah, people like Tom DeMont and Drumpee. These these are icons of the forensics world. They taught me things that you can microscopically look inside of locks and see techniques and tools that might have been in there. Technically I could testify in court. I don't think I would survive a Daubert challenge or anything. I'm not a professional expert witness by trade things like the government Safe Work. I mean, I'm a I'm a

GSA Safe and Vault Technician and inspector. It's a very long long set of training. You take it at MBA or you take it at Lockmasters. It's two weeks long. I don't spend all my days on military bases and government installations, servicing safes and vaults.

Speaker 2

But I'm certified to I can help you build a SCIF.

Speaker 5

And you know, the one time a year that we have a client who says, hey, we need a you know, SCIF certified room in this new building, or the one or two times I'll do because you don't make a lot.

Speaker 2

Of money on a lot of these government jobs. They're they're they're GSA rates.

Speaker 5

But I'll get a call from an army base I live right near, you know, Fort Lewis-McChord, or I'll get a call like there was a Secret Service office that called me and they said, hey, you know, we have this safe that we have to decomm usually decommissioning, but like, yeah, we're trying to break this office down and we can't throw this freaking safe out because there might be contents in it.

Speaker 2

The custodians long retired. We got to get somebody in there.

Speaker 5

And I'll take the job just for the fun of it, just to keep the skills fresh into it's fun. It's fun to make some sparks and make a little bit of smoke, and then you kind of turn your back as the custodian opens the control drawer and you hear like, there's there's a video on my YouTube channel where I actually they allowed me to record. And the screen goes black so you don't see what he's but you hear him go, oh man, there was way more in here than we thought there.

Speaker 2

Was a year. Oly, shit, there's a good gun in here, you know. Take that. Yeah, so I'll do it. I'll do it just for the fun of that.

Speaker 3

So let's start jumping into the topic of safety and safe cracking. I think before we get into the cracking aspect, we should probably talk a little bit about safes.

Speaker 4

Most people.

Speaker 3

I think most listeners know what a safe is and have some idea in their mind from like a Donald Duck cartoon guy turning the dial and the door opens and you keep your gold coins inside. But you want to talk a little bit about the development of safes, the modernization of them, what people use them for, the different types of safes that are out there.

Speaker 5

Certainly, certainly a safe or any storage container, a safe, a vault, a safe room. The idea is to make a container that is not impenetrable, because nothing's impenetrable, but you want to cause an attacker more headache than it would be ultimately worth for them to gain the spoils that are contained within. So if you have your jewelry in your house and your you know, your your important documents,

whatever will assign a value to that. Maybe you have a very nice gun collection, your you know, you and your spouse and your kids have.

Speaker 2

Some valuable jewelry that you've gotten over the years.

Speaker 5

Call it, I don't know, fifty thousand dollars, one hundred thousand dollars, anything more than that. In terms of financial instruments and hard you should probably be putting them in a bank vault or a safe deposit box somewhere, in my opinion, but you might have fifty k. Well, an attacker, if they know that you have, that's a really wealthy home,

let's break in there and steal stuff. If it's going to cost the attacker, like let's say ten twenty thousand dollars in specialized drill rigs, and like, I have all this safe cracking equipment, but it costs money, right, And it's going to cost the attacker a lot of time and effort, and they're making a lot of noise and they're worried about their exposure and their likelihood of getting caught. The attacker is going to kind of do the math and say, ah, it's not worth it. I'm going to

break in somebody else's house down the road. A safe or a vault is designed to cause more headache, time delay,

The Art of Safe Cracking

energy effort, and resource spend than the attacker would gain demonstrability by by the risk of breaking in. So historically this was all brute force, you see, you know, like the old the old West, like people dynamiting safes and things like that.

Speaker 2

That's that's what you would have.

Speaker 5

You'd have usually round almost like the old Victor cannon balls type safe. You'd have these cast iron, very thick doors, and the lock mechanism was was not something somebody would tinker with the lock and a combination on the lock was designed like if you didn't know the combination. People weren't teaching safe cracking as a skill broadly back then.

It was all about that pry bars and nitroglycerine and how how can you withstand detonating the safe or if you had to blow the safe up, will it blow up all the money in it.

Speaker 2

I think that was in maybe some old Cowboy movie where they blow up a safe but then the money all gets you know, gets burned up inside the monton they're going through. This one's pretty good. I think this now, this bill is a lost cause.

Speaker 5

But over time we do run the risks of not just so sort of smack and grab.

Speaker 2

We started saying, well, what about.

Speaker 5

If an authorized person were to try to steal from the safe? What if somebody were to use duress on an authorized person and say, hey, you open the safe right now for me, Which didn't happen nearly as much as we are led to believe by Hollywood. It was actually very hard to hold up a town in the Old West because you'd have to get away right. I mean, there's only one or two roads out of town right there where to go.

Speaker 2

You're on a horse. Guess what everyone else is on a horse. Yeah, if your horse runs.

Speaker 5

Out of energy fifty miles outside of town, the people coming behind you with all their guns, they're gonna be right on your heels. Those sort of robberies like that. Bank robberies really change with the automobile. That's the history of modern bank robberies with sort of Dillinger and Bonnie and Clyde and Lamb. But the idea of a bank robber who would maybe not use brute force or duress, but who would use you know, like I'm going to

be the inside man breaking in. That was also a real big concern in the government as we started to see the modernization of the intelligence apparatus in our country, which is really a product of the First World War, the interwar years with the OSS and then of.

Speaker 2

Course World War Two.

Speaker 5

It is when we get really the modern intelligence community, the idea of classified documents and document storage, and what if we have spies who have been bribed or leveraged, Well, this person knew the combination.

Speaker 2

It's not how robust the safe is and how we prevent that.

Speaker 5

So that's where we start to see things like the development of timelocks, where on the inside of the safe door there is a movement, there's a mechanical time movement, and you set it and until that clock winds down,

the safe simply cannot be effectively opened. And timelocks were great for a while until, as I like to remind people, December seventh, nineteen forty one, the day that will live in infamy, was a Sunday and there's actual stories during the attack on Pearl where people were running around at

the Navy base. They're running around Schofield Barracks, Hickam Field, and they're like trying to get into the safes to get the war plans because the Japanese Zeros are flying out of the sky and things are blown up in the harbor and all of a sudden, Oh wow, war is seven days a week.

Speaker 2

We can't just use.

Speaker 5

Timelocks anymore for our government safes. Banks to this day, banks still use timelocks. Civilian world still uses timelocks extensively. But the development of manipulation resistant or what some people we call manipulation proof kind of anti manipulation safe mechanisms and dual custody safe locks. This is all a product of the Second World War and the immediate post World War two kind of Cold War era, the espionage era

being really in its heyday. That's where we see the modern landscape of safes and vaults and mechanisms that are meant not just to resist brute force, but are meant to prevent unauthorized access from all different manifold angles.

Speaker 4

Fascinating. And so I never knew that about World War Two? Did you, Jack, about Pearl Harbor? Yeah, first time or that? Fascinating? So what yeah, what are the steps to you know, because like you know, when we look at modern movies or even older movies, you know, the criminal always gets an exact replica of the safe and then they spend you know, days or weeks practicing on it with their stethoscope or you know, their drill where it just hits

the glass pane. But what are the actual steps for a modern like safe cracker?

Speaker 5

So that's a really cool question. And a guy I like very much. He's been in touch with me in the past. He's an icon of the industry. Dave McOmie. He actually appears in some videos online.

Speaker 2

He's been interviewed about how realistic was this or that scene in a movie. He has a wonderful walkthrough.

Speaker 5

I'll send you the URL if you'll put in the show out puts for people. But it is true that safe crackers and technicians need to know, like what's on the other side of that steel door, what is the mechanism and learning about it, either by getting a replica of the safe or if you're on the up and up, if you're in the actual SAVTA Safe and Vault Technicians Association land.

Speaker 2

There's a whole knowledge database.

Speaker 5

There's there's the List Council, there's locknet, there's whole databases that you can reference that show oh this From this year to this year, Diebold, Mosler was making their vault doors with this mechanism and this bolt work on this. So this is where the mechanism is, this is where the drill point is. This is where you want to be careful. There's a relock trigger over here, there's a

relock device over here. So knowing what's on the inside is often the first step in trying to either neutralize a safe or even just diagnose a problem, you know, figuring out Oh, okay, the safe was working yesterday, customer reports it doesn't work today.

Speaker 2

Well, if you roll up over there and you say, how are.

Speaker 5

You show me how you're dialing the safe, and you watch them and you say that that should work.

Speaker 2

Is that not working?

Speaker 5

And then you think to yourself, way, I know safe technicians that have safe different models of safelock, you know, in their van, and they'll deuld a cutaway and they'll they'll actually.

Speaker 2

Wait a minute. If I'm if I'm turning a clockwise what the what the frig am I doing? They're looking at they go, no, no, no, the fly.

Speaker 5

Okay, so you might have a stuck fly going counter counterclockwise. Okay, try it this way here, turn the thing and you can get a dead blow hammer and you say, wait, don't turn the number. Bang, dial the next number now okay, okay, Now you're about to hit the bolt.

Speaker 2

Work on this side, bam. Okay. Yeah, we got to open cool because you need to know if I hit it right about here, if something stuck or wasn't greased.

Speaker 4

Yeah.

Speaker 5

Knowing what's on the inside of the door is a huge part of the whole process.

Speaker 4

Fascinating, it's fascinating.

Speaker 3

Do you want to talk a little bit because I think during your talk at DEF CON you mentioned this a little bit about what the stethoscope actually was and how there was a period maybe a brief period of time where that was useful but not today.

Speaker 4

Yeah.

Speaker 5

Yes, so to this day, if you're doing manipulation, this is with mechanical, purely mechanical safe locks.

Speaker 2

I mean there are attacks for electronic safes as.

Speaker 5

Well, but manipulation, as we've often seen in Hollywood, you'll see, as you mentioned, the stethoscope or the low tech is like putting the you know, the ear up to a glass or something like that. You're not really hearing a lot of many mechanisms clicking and clanking, like the Foley guy doing the production of a film likes.

Speaker 2

To add all these sound effects.

Speaker 5

What you're trying to find is very precisely learning what are called contact points. It's a very specific area of the safe dial where to use some technical terms, where the nose on the lever arm is trying to drop into the opening on what's called a cam wheel and you're trying to find okay, touch here, touch here, and

as you're dialing the dial. You're dialing this cam wheel touch, touch, touch, and you want to get those contact points very care fully, carefully identified, because as you manipulate, the process of manipulating a safe is experimenting with different numbers around the wheel and seeing if those contact points change very slightly, it's

actually happening. And I don't know if your viewers are getting this and audio only if they're seeing my hands in front of my black shirt here, but imagine if that nose is dropping a little further into an aperture, those contact points will get a little tighter together than they would if you were up here higher up. You're looking for where the safe wheels are almost lined up

but not fully lined up, and you're taking notes. You say, oh, something's happening around seventeen, question mark seventeen, and you come back and you run the numbers again and you say, okay, no, I'm seeing something on forty two maybe, And you're slowly getting the safe to leak information out at you. But as Dave and others have pointed out in their videos

about the subject, you're doing much more visual observation. So it's fine if you want to use a stethoscope, or in modern times we would use an audio amplifier a little magnetic microphone. You could hear the contact points, but you're never in Hollywood. You're often just kind of you see the person is looking off into space as they're just listening, just listening. What you're really doing is listening and looking particularly.

Speaker 4

And what are you are you looking for like little hitches and then as the dial goes or something like that.

Speaker 5

Yeah, you're looking for the behavior of the dial at a very specific spot where it would be called the drop in area.

Speaker 2

That's where the contact points are.

Speaker 5

And if those contact points, if I'm running the dial and my contact points are always let's call it ninety eight and seven, and I run the dial some more ninety eight seven, ninety eight to seven, and then I'm starting to and I get to a point where I'm trying some numbers, and then I come back to my contact points.

Speaker 2

And then all of a sudden, it's at ninety nine and six, Like my contact points got a little tighter together.

Speaker 5

I think my nose is dropping a little further into the cams.

Speaker 2

Let's jot that down.

Speaker 5

I might have a good number there now, just because you found a potential number, or you don't know where in the combination that is, there's a series of diagnostic

Biometric and Electronic Lock Security

dialing techniques that you would use to try to determine where on the dial or where in the combination.

Speaker 2

That the dial should be dialed to that number, and little by then.

Speaker 5

And sometimes it's fun sometimes if you're working with the customer and you say, I'm finding a seventeen and I'm finding a seventy six, and they say, oh, yeah, that's right, Dad loves seventeen seventy the real patriot. That's the second and third digits. I remember that now, and say, well, does that jog your memory?

Speaker 2

Oh? Do you remember the first friggin digit? We could just.

Speaker 5

Dial for dollars, so we could just try all the that you just reduce the key space to hell them a lot by selling me.

Speaker 4

That, Yeah, what you know, this itself sounds like its own specialty, right. And then you have all of the alarm bypass, electrical bypass, all the different types of sensors, all the different types of doors. Would you consider yourself an expert in all these things? Or do you consider yourself like an expert in entry and being a generalist and then like being able to brush up on stuff as needed.

Speaker 5

I think it's the hallmark of hubris of the worst kind to consider yourself an expert in too many things, or maybe any one thing at all. So I'll be the first to point out I'm not necessarily an expert in almost anything, but I'm a dedicated I'm a dedicated person in many things. We will say there's a lot of people I work with who disagree with me and say I'm being too modest, probably, but that's for them to come on and tell you about later. They can

talk about me. I'll talk about I work with plenty of experts. I work with the electronic access control expert, my colleague Babak who owns RTA and CORE. I work with my alarm system expert, our guy Brian, who came out of the intelligence communities. Right, But I am I am a specialist in several things, and I believe in broadening your horizons as much as possible, which again it's been, it's been an amazing journey.

Speaker 2

I never was the ones and zeros person.

Speaker 5

I mean, I was a network person, but I never was an access control electronic locks person at all, and through sitting it first, just sitting in the back of the room. When you know a Red Team Alliance Access Control class, I would just kind of sit in the

Intelligence Services and Covert Entry

back in case somebody needed me to hand them something.

Speaker 2

When I got to hand out the next access I'll hand out the access control cards.

Speaker 5

And then I would, you know, sit up front with Babak and I would help him. I can teach the basic prox cloning, I can. I can do that module if you need to take a break from your easier voice. And now I routinely fill in running whole sections of the Access control class just because I work with these exceptionally skilled people and it's rubbed off on me.

Speaker 2

It's made me better to take Trent.

Speaker 5

Just like the uh, you know, the forensics thing, Like, I'm not an expert by any means at forensics, but I wanted to learn lock forensics.

Speaker 2

And you keep seeing these guys, you say, you gotta come to my next class, man. You YouTube that yoused to the first class, but let's come take the advanced class next month. It's like, man, I don't do this for a living. It's like, yeah, but you were great in classes, sir.

Speaker 5

Just come to your class man, and all of a sudden you look around, you go, holy crap, Am I better at this than the average bear?

Speaker 2

Uh?

Speaker 3

Let me also ask you about some of the other tools that get used. You mentioned, you know, there's like twenty thousand dollars drills, specialized drills. I've also heard about the thermic lance gets used sometimes. Channeling our knowledge from James Caan's role in Thief, I think that's a nineteen eighty one film, great movie. But anyway, what do he What are some of the other tools of the trade that get used even as we move forward into the era of electronic locks?

Speaker 5

Right on, right on, And yes, m Jimmy Kahn in Thief is as a real rig that he is using. The whoever their technical advisor was on that film is exact because and again like Dave, Dave Mcomby did a whole breakdown of that movie in one of his videos online, and it's just it's.

Speaker 2

And also I just like, well, I love Michael Mann's work.

Speaker 5

So it's like a whole world where cities are always perpetually wet and at night. I just want the look of it and the idea of these these big rigs. What you're trying to do with most professional safe cracking gear is apply force without fatiguing yourself and maintaining a drill in a very accurate spot, because anybody can just kind of go up with a giant Like when I'm breaking into a government safe and they're taking it out of service completely, I mean, I'll make a pretty big friggin hole in it. I'll just I'll use a giant hole saw, and even then I'm still trying to not fatigue my arms. I have a rig that'll mount to the front of the of the safe, so I can just crank on it, use a big quill. But you're trying to apply pressure in a way that you can get through. Because they are all different kinds of material, there's all kind of metallurgy and cutting science. Are you doing a metal cutting technique, are you doing a grinding technique? Are you doing precision cutting where you're actually switching bits. There are plenty of times where you're going through different styles of material. So there's different types of barrier mesh. Where it's it's soft mild steel, then it's the hard steel plate, then it's ball bearings. It's something that's like hard plate that you can't cut through with high speed steel you have to switch to a diamond cutter where you're actually coring it out and you're punching and you're cracking it away and you're knocking debris out of a hole.

Speaker 2

And then you switch.

Speaker 5

Maybe you come up to maybe you're using, as you say, a burning bar or thermic lance, and then there might be a layer of material like copper in the middle of the sick just to distribute the heat so and copper won't ablate away. You can't oxidize like you can do an oxidizing burn on copper, you have to.

Speaker 2

Switch to switch to another tool, and all of these things. It raises the stakes for the attack, and it raises the level of investment that the attacker would have to have. If this is your livelihood and you have a full safetech shop, you have all the tools for an attacker to break in. If they weren't playing, if this is their one big score, they're not going to get through all of that.

Speaker 5

They would have to invest in so much time and training. But yeah, the precision point, if you're even a quarter inch off, you can not only miss your pot like what you're drilling for, you can ruin the job. You can not only fail to open it, you can make it inoperable, completely unable to be opened ever again, well without completely destroying a whole other side of the safe, let's say, so maintaining that exact precision point. That's why you see these large rigs that will be fixed in place, either with a vacuum pump or magnetically attached, or by some other means of stabilization.

Speaker 4

I think all I ever learned was drill a hole in it, fill it with water and put some blasting cap center. So I guess I guess that, uh, I guess that the score.

Speaker 2

The score was one of Brando's last pictures. De Niro is in that with the young Ed Norton, and that is it is based on a type of technique that has been done. You.

Speaker 5

The one major thing about that movie that's not really is most safes aren't water tight. So in that movie, they actually tap the I believe it's they tap the sprinkler system.

Speaker 2

They pull up a big.

Speaker 5

Hose water down, and it wouldn't work that way in real life. Which also I'm a I am a I'm a fire services technician. Now I do a lot of life safety and fire suppression inspection. And do you know that if water is flowing through any sprinkler head, it'll set off alarms in a building.

Speaker 2

There's flow sensors that are.

Speaker 5

All tied into any building automation and emergency services controls. So you can't just get a bunch of water out of the out of a sprinkler head and have nothing go wrong in the building.

Speaker 2

That won't work.

Speaker 5

But that was a real technique. Yeah, but you would have to tape the entire safe up.

Speaker 2

You'd have to fill the whole safe with water by sealing the entire safe shut.

Speaker 4

That's fascinating. So with you know, Jacket mentioned you know, like I think you mentioned biometrics, but like you know, because both with your regular sort of breaking and entering stuff, and you know, with the advent of the flipper and you know, and all these other tools that are out there now and with safe and security we see biometrics. Are these systems more secure, less secure, or just secure in a different way.

Speaker 2

The diplomatic answer is that I like your phrasing.

Speaker 4

They're secure in.

Speaker 5

A different way. They are solving for a different problem. Nowadays, loads of businesses you're let's say a convenience store, you know, like a 7-Eleven or something might have a cash safe. You know, the sticker on the door. Teller does not have access to safe no more than twenty dollars.

Speaker 2

Blah blah blahlah blah.

Speaker 5

Those used to all be mechanical locks, and the teller in fact would not the kid working the register wouldn't have the combination was just the money drop guy and the manager.

Speaker 2

Those introduced a lot.

Speaker 5

Of user friction, and they weren't really preventing a lot of robberies. They you know, nowadays, if somebody is going to try to steal from a money drop, they're going to rob the bread truck, right, They're going to rob the a car, the armored car. So they said, why are we using these mechanical locks that are more cumbersome to maintain. They're harder for a lot of customers to learn how to use. Customers didn't really understand we live in a world of keypads nowadays. If someone can dial a phone, they can understand how to use a keypad. Electronics safe safe technicians, especially older guys, didn't like the introduction of electronics because they were quote less secure and yeah, there's electronic bypass is a way easier than the mechanical one. There is a tool called the Phoenix. There's a tool called a little black box. We won't get way into what's called differential power analysis, and that's how these tools work. But there are tools that will pop up in a lot of electronic locks very quick. But that's not the main problem that a lot of these safe manufacturers and small businesses are solving for. The main problem they're solving for is I need a way to very quickly operate a safe and if I change the combination, I know how to write down the com I know how to enter the new combination.

Speaker 2

I won't forget it.

Speaker 5

And that Their day to day problem isn't a stick up or a robbery. Their problem is like, Hey, the guy from Brink's is waiting here and he's yelling at me, and he says, sorry, you're taking too long.

Speaker 2

I don't know what you're doing wrong. I'm going to get you next week.

Speaker 5

Right, So, electronic locks are more convenient, they're not always they're definitely not more secure.

Speaker 2

In my opinion.

Speaker 3

Right, right. Let's jump into the history of intelligence services and how they intersect with this field to add a little bit of context. For folks out there of like, I think we should talk a little bit about why this matters. Intelligence services are known to, amongst other things, break into embassies and break into safes and those embassies if not just take the safe out and break into it off site somewhere. There's an article in Smithsonian magazine that I think a lot of you guys would be interested in. It's called the CIA Burglar Who Went Rogue about this guy named Douglas Groat, and it's about this guy who was a safe cracker for the CIA and he broke into safes in all sorts of different embassies and different parts of the world, and then he felt that he got screwed over and he sort of tried to blackmail the CIA for money and did it goes so well? But that's an interesting article to talk about, you know, how these intelligence services have these capabilities. I don't know if you read that one, Deviant, and what your thoughts are about that particular incident.

Speaker 5

Yeah, So the real fascinating thing about the IC world is that these are technicians who aren't breaking in to safes in a way that is easily detectable. Right many times, I'm I can teach manipulation to anybody, any of y'all. Like we teach a manipulation class at RTA, But for the most part, I'm not usually manipulating a safe.

Speaker 2

If somebody says, hey, this safe, you know, needs to get opened, and even your best technicians nowadays drill and repair and patch it up.

Speaker 4

You can.

Speaker 5

We can patch it up so it looks like we were never there, but that takes a little while. And if somebody inspects the inside of the safe, they can see, oh.

Speaker 2

Yeah, look, take the panel off. You can see, oh there's there's somebody was in here.

Speaker 5

So getting into a safe in the way that even with dedicated inspection, it does not look like anyone was ever there. That's kind of the real bread and butter of the intelligence community. And that's the scariest thing because if you know somebody broke in, you can respond. You can either change your security posture going forward, or if you had a list of important documents in there, you can well, those documents are now compromised. We're not going to use those route plans, We're not going to use these assets anymore. If somebody in the intelligence world really just kind of goes out there and operates in a way that isn't easy to detect.

Speaker 2

That's really freaky.

Speaker 5

That's really scary because they could be operating for a long time without people reporting the crimes. And it's there have been instances where professional technicians. If I'll give you one, you mentioned that article for your viewers, I'll try to give you one again.

Speaker 2

I don't know. If you do show notes, I'll find it.

Speaker 5

There was a crew of professional safe technicians. I believe they operated mostly around the American Southeast, out of Florida and other parts of Georgia. They would use general Aviation flying VFR. My wife, you know, my wife's almost an aspiring pilot and my friend Alyssa's a pilot. Like VFR visual flight rules. You don't have to fly all flight plans. You can just take your little Cessna or your little Piper Cub or something and just fly to another city. And if you follow you know, the rules of the sky, like you're just okay, I'm flying at the right altitude and then I land, okay. Radio and these guys were bouncing around to different towns and getting in and getting out over the course of a weekend, not staying in you know, hotels, or anything like that under their names, and it was people couldn't figure out like this is like professional safe technician work. And the cops and the FBI were looking at lock shops like in that town right, like, were all your employees here. Didn't we take any tools home this weekend?

Speaker 2

What happened?

Speaker 5

How is this is professional work? Eventually, eventually they got caught, as many criminals do. But yeah, in the government land, the idea of that what we would call a clandestine entry. Quick bits of terminology for anybody's interested in the forensic classifications of things you have overt, covert, surreptitious, and clandestine, and these speak to the questions of who will notice and how will they notice that something bad has happened. Overt? Anyone can understand, right, if I make a giant hole with a hole saw in a small government filing cabinet that's locked up and it's going to the scrap heap, a giant freakin' hole and I'm not repairing it, that's very overt.

Speaker 2

Who will notice?

Speaker 5

Anybody will notice with their naked eye, and how will they note? They'll just look at it that frings out a hole in it. Covert when you talk about covert operations, it doesn't mean there's no evidence. It just means that someone would not notice the evidence unless they had special training. So if I'm leaving small scratches or marks on a surface of a door because I was using some hook to bypass my way into a room, anybody could see that. You don't need magnification, like, oh, look, there's some scratches on the latch.

Speaker 2

But unless someone's had special training, it wouldn't put two and two together to say, oh, I want those Those are not regular wear and tear. That's a that's a bypassed latch tool.

Speaker 5

It's a covert entry. Surreptitious. Now we get one better. Who will notice somebody with training? How will they notice? They're specifically looking for it, with investigative techniques, They're not just seeing it with the naked eye. They say, all right, and let's get the magnifiers out with dust it. Let's look inside. That's the forensic locksmithing I'm working. I'm seeing signs of surreptitious entry inside of a lock usually, but clandestine is the real as the real big one, right, that's when who will notice?

Speaker 2

Nobody? How will they notice? They won't you're not leaving attributable evidence that points to the nature of the crime or points back to you, or if you're you know, the government, it doesn't point back to you.

Speaker 5

As a friendly power. You know, it's not like your your embassy's not getting a phone call. So that kind of skill that is that because if you break into a government safe, the value is not, hey, I got those secret documents. The real value is we got the documents and they don't know that we got them.

Speaker 4

It's interesting because that's not just with safe cracking, but that I remember that section in Tool where they had all the different package at Defcon, the you know, the fool corner. They had all the different.

Speaker 2

Packages, the tamper seals.

Speaker 4

Yeah, the tamper seals and all that stuff, and you know people sitting there, you know, just patiently applying like acetone. I don't even know what they use, but you know, how do how do I take what's in this box out of this box and put all of the you know, tamper seals back on the box so nobody knows I got in. Fascinating stuff.

Speaker 2

So yeah, yeah, acetone is one of the things you would use.

Speaker 5

Yeah, you can use very pure acetone, isopropyl is popular. You'll see the real secret sauce is A is A is a non POLYMERA. It's a I'm trying to think it's a non polar solvent. It's called n-heptane.

Speaker 2

Uh, yeah, that's n-heptane. Does some wild stuff.

Speaker 5

You can you can lift seals off of all kind of weird substrates and it doesn't There could be ink like serial numbers on the seal and if you smear that with acetone, that ink's gonna run, right? N-heptane is lifting solvent that doesn't even smear the ink.

Speaker 2

It's amazing.

Speaker 4

Crazy stuff.

Speaker 3

So let's see to where to pick up on this. Where do you want to start? As far as you know, Cold War with KGB and CIA trying to break into and steal the other secrets.

Speaker 5

Yeah, so that's a great We talked about timelocks and how we realized that in the government of military space timelocks they ain't it like it's not going to not going to do the job. So we've had to develop what we thought and many manufacturers touted as manipulation resistant or manipulation proof mechanisms, and over the years, the only clandestine technique was that very slow methodical manipulation that I described just dial manipulation. If you defeat that or make it very hard to do, and there's there's mechanical ways you can do that. If if any of the listeners have ever had a combination lock that they've had to enter a combination and then do another thing, twist a little what it's called a butterfly knob knob or push the dial in or there's it depends on maybe you're opening weapons lockers A twenty nine thirty seven or an old eighty four hundred series like these were designed to prevent manipulation or make manipulation very hard. The intelligence services that tried to get around that there there are ways to manipulate what are called group one safes the locks that it's just so challenging. They said, all right, we need a better way, we need we need some other technique.

What we started to see, and this this is coming up around you know, the fifties and really the sixties, we started to see the use of radiographic techniques, gamma graph methods, where I mean it just it sounds utterly bananas when you describe it to people, but the use of a high emittance radioactive isotope placed behind or even sometimes within the safe mechanism, because on vault bars they would do this by making a pinhole in the in the doorframes sometimes, or if it's a safe, you could just move the safe away from the wall and put the radioactive isotope behind the safe. If they couldn't, they would get more isotope and just bring it in the next room.

Speaker 2

To'd be like, all right, which go to the next room. Just put it over there, and you're putting film like you're literally putting an X ray film in front of the safe and developing an image to see what's happening inside the safe.

Speaker 5

Flock block, and then you have to reverse out. There's a whole technique about it. I mentioned this in a talk that I gave recently about a team from Poland. There's a team they were just called like Division nine, like you know, the special Squad number nine. They were the Invisible team. In fact, the name of the there's a book all about it. It's called Niewidzialni. It's a book it means invisible. It's in Polish. The whole book is in Polish by Tomasz Awłasewicz. He's a Polish investigative journalist. And what Division nine, right, well, a special Group Number nine was doing. At the time, Poland was part of the Warsaw Pact. They were part of the ComBloc for right, so they were breaking into our embassies and our NATO Allies embassies using these techniques. The reason we know about it now is because, of course Poland is no longer. The Warsaw Pact doesn't exist. Poland late in the Cold War, I mean they flipped, right, Poland became part of our ally ship and all these intelligence operators suddenly were collaborating with us.

Speaker 2

Some of them we would just debrief them.

Speaker 5

Others were people that had to come to the West for like medical treatment because they were handling these freakin isotopes right, very unsafely.

Speaker 4

Yeah, I was wondering about that. Where they you know, because like when you get their X rays, how you have to wear the like the you know, the lead thing, Like I can't imagine it was good for their health.

Speaker 2

No, it was not.

Speaker 5

And these guys knew that they were taking a hit. They wore dosimeter badges and such, and some of them knew. But they was all for you know, it was their job is where they saw it. And even just transporting the isotopes around, they kind of rigged up these not really safe cans just to make them slightly man portable, and they you know, they used just dosimeters and other measuring devices outside the container.

Speaker 2

They're like, man, these are not these are not doing the job. They're not good.

Speaker 5

They'd tell stories about how if they were on long jobs, or they would drive from city to city, they would put the the isotope in the trunk of one car. Thing would be down on his rear leaf springs, like this floating steering that was barely on the road, and they'd put one guy in the driving that car, and everyone else would get in another car like fifty one hundred meters behind, and then caravan. And then even on long trips they'd stop and they'd rotate people out to who's the guy sitting with.

Speaker 2

The isotope in this long drive.

Speaker 4

Wow.

Speaker 5

So yeah, it was not healthy. But for the longest time they were doing things that was thought of as nothing short of magic, and people could not figure out they were bringing these just troves of documents that the Intel community in Poland and in Russia and elsewhere. They were sending the documents back like, how are you getting these documents? What the frigger? You guys are wizards, and yeah, they were just they were literally using electronic radiographic techniques to image our safe locks and get them open to see inside the safe fast.

Speaker 2

And then we figured we figured out something might be up.

Speaker 5

You know, they have their spies just as we have our spies elsewhere, and they were trying to source the isotopes through various scientific research labs and they had covered so why are you buying this cobalt? They would use cold or iridium one two, And our people figured out there said something something might be up with this?

Speaker 2

With this, I think they are they doing that? Could we?

Speaker 5

And we tried it and we said, oh we can, Yeah, this is actually a real thing. So we started making safes that would prevent that. And they basically we use plastic wheels inside of many of our safes and save the plastic wheels and lead shielding. And then they would just use different isotopes and there were different techniques that were even more dangerous. And yeah, I talk all about that in this presentation that I gave in North Carolina and in DC not too long ago.

Speaker 4

Are those online? Are those presentations online?

Speaker 2

They are okay, great, they are drop links for you and you can share them with others.

Speaker 4

Yeah, we'll put everything that he is talking about. I wrote down the name of well Division nine. I'll lays get the name of the book from you. You know now with Google Translate and you take a picture of a piece and read it.

Speaker 5

Like, yeah, I do have I do have a copy of the book that I doubt even buy the book electronically in Polish. And yeah, you can kind of machine translate it. So there's been this machine translated version that a bunch of my friends and I we kick it around in the intelligence world. It's it's a fascinating read. At least one person who saw this, who speaks very fluent Polish, he's like, man, I want to do I want to do a professional like proper translation.

Speaker 2

Yeah, And I was like, well, Tomasz is still he's still a journalist. He's still in publication.

Speaker 5

Reach out to the author, tell him enough people, if enough people in the United States market, tell him we want to read this book, maybe he'll do it an official publication of it in.

Speaker 4

English for sure. Yeah, we should get in the publishing business.

Speaker 3

Dan as far as uh, some of the you know, things that get stolen. In that Smithsonian article I mentioned, you can sort of infer that we're probably trying to break into safes and Pakistani embassies for probably trying to figure out nuclear strategy stuff.

Speaker 4

That's just my inference from the article.

Speaker 3

There's another interesting report out there that says in nineteen fifty eight, the CIA actually accessed the Sputnik satellite that the Soviets had put into orbit, and they had access to it while it was out on world tour, and they had it for three hours to themselves to dismantle, examine, reassemble, and then, as you point out, clandestinely replace without anyone being the wiser. Interesting case of you know, breaking and entering for technological intelligence.

Speaker 2

I guess you could say, m Yeah, that's really cool. I never realized that that's really dope. What the heck with it? Kat, Were the Soviets just like going out to dinner and leaving it into their hotel? What the hell were they doing?

Speaker 3

Yeah, they were in the land of the Big PX, you know. So apparently it's in a book by Patrick J. McGarvey who wrote it a while back, but as far as what country that happened in that got redacted by the CIA, so we don't know.

Speaker 4

Fascinating, Okay, okay, I mean I imagine that they also didn't only take, but probably at times placed or exchanged. Sure, yeah, you know when it would it wouldn't be a bad idea to have people doing what you want them to do when they think it's what they're supposed to be doing. So how when did you is this sort of love the of the history of it kind of reason for you, Deviant, or or have you been studying like the history of the IC and safe cracking stuff like that for quite a while.

Speaker 5

It's something that has grown over time. For me, I definitely have done some reading in the past, but this, yeah, this latest because the book I mentioned from Tomasz Awłasewicz that's only I believe from twenty twenty one or twenty twenty two, that was a pandemic read for me.

Speaker 4

Fascinating.

Speaker 3

So what else do you have for us on this topic? I've spilled some tea. You have some juicy details about intelligence services and safe cracking.

Speaker 2

Well, let's see, I mean, all the locks.

Speaker 5

That we use in the government space nowadays, and I touch on this in that same presentation. Anybody who's ever worked maybe for a DoD contractor or something like that you made some of the listeners.

Speaker 2

Maybe be familiar with these.

Speaker 5

They're called electro mechanical safe locks nowadays, where it's not a keypad, it is a dial, but there's an electronic component in there and you actually have to spin it a number of time.

Speaker 2

Time is to spin it.

Speaker 5

Up and to charge it, and then a little numerical display will show these are These are safe locks made by nowadays they're made by dormakaba.

Speaker 2

The Kaba company is huge.

Speaker 5

It was Kaba Mas for a long time because the originating company was Mas-Hamilton. The entire story of how the Mas-Hamilton Safe Company came about and how it was proposed as a standard, it gets into a lot of if you care about how your tax dollars get spent in this country, you know, the the FF-L-2740 government lock standard was really pushed by a small group of people who designed They came up with a new idea for a lock, and then they used a lot of political influence to get it accepted as a new standard and then they were the that was the only lock that qualified under the standard.

Speaker 2

Right, and this for the longest time.

Speaker 5

If many people would be familiar with the name Sargent and Greenleaf, I mean they're a huge name in the safe and lock world.

Speaker 4

We use those to lock up weapons in the army.

Speaker 5

Yeah, so Sargent and Greenleaf, like they had the entire safe lock market covered, especially.

Speaker 2

For the government and the army.

Speaker 5

And then this new standard came out and Sargent and Greenleaf locks didn't comply because only one lock complied, right, the one that the designers of the standard made, and S&G spent all this effort trying to undermine and figure out, hey, how do we get either that product knocked off the qualifying products list or how do we get a product approved on the qualifying products list?

Speaker 2

And all this inside politicking.

Speaker 5

And inside baseball where these locks were being tested and evaluated and found to be faulty, they were found to be defeatable, and yeah, just a lot of a lot of like senators are involved, making phone calls and a lot of lawsuits. In fact, it comes back to Dave, Dave McOmie and his you know, his colleagues, Mike Madden Mike Madden was He's deal, so he was at Livermore.

Speaker 3

I know.

Speaker 5

I've spoken to Mike about this at length as well, and yeah, they they would They were proving, like with experiments, they were proving, Hey, this brand new whiz-bang lock is vulnerable. And they did a whole write up about it that was going to be published in the trade press, and it never saw the light of day because there was a lot of threats over lawsuits and and you know, to his credit, I really Dave's just a love I can't say enough nice things about mister McOmie. Dave

Speaker 2

McOmie's a great guy.

Speaker 5

He didn't want the main technician who did the was paid hired to do the research right. He didn't want him to experience ramifications, maybe have his clearance screwed around with, So that article was never was never put out. Now I've I've read the article, I've seen it. But yeah, for the longest time, this was just this rumor.

Speaker 2

Oh have you heard somebody used to mess with that X-0 lock? Nah, that didn't It happened.

Speaker 5

It absolutely happened, and none of these locks have ever been removed from the qualified products list. To this day, I still find the original original lock, the X-07 it was called. It is still in the field on some containers props for long life span. Right, it's way beyond their originally anticipated duty cycle, but they're still out there. They're still in use locking up materials to this day.

Speaker 3

Well, it's interesting that that sort of reflects what you and the other instructors and the people at Defcon and black Hat teach on the hacker electronic digital side, that everyone claims their stuff is secure, but it really isn't and a lot of these companies kind of try to whitewash that or gloss over it and pretend it's not happening. And it's interesting to see the parallel in the physical security world as well.

Impact of Electronic Surveillance on Pentesting

Speaker 5

Yeah, it's I really do wish that more companies operated in the way that finally software and network security companies do now with you know, bug bounty programs and willingness to engage with researchers and do which would nowadays be called a coordinated disclosure where the researcher gets to put out a paper but only after the threat they have found has been mitigated properly, and they even oftentimes the researchers will work with these vendors that have these programs, they'll say, all right, let's collaborate, let's keep you under NDA until we get it fixed, and then you get the credit and the fame and the recognition for your hard work, and the public is made safer both in the short term by not disclosing it in a long term by everyone getting to upgrade and getting a new version. We don't see that nearly as much with the physical mechanical world, because you know, if a software package has a bug, they fix it and they say all right, download version fourteen point six. You download it on the internet, you click okay install. If a safe lock has found out a bug or I mean we saw this with hotel doors, right, Lots of things have been done in the hotel doors back when it was I think Cody Brocious did the Onity locks a long time ago with like a little like an Arduino that he made some code on. And then there were some kids very recently the Salto product the Saflok, which they call the Unsaflok when they did their Defcon presentation. These are products where the researchers work with some vendors, but like the fix is some technician going around to like every freaking door, and like installing a hardware flash, and hotels across the country like having to rotate out all of their keys, like their their card stock that they have a big box of Like, nope, you got to throw that card stock away.

Speaker 2

We need new silicon inside those room keys.

Speaker 5

So the lift is so much more to make an upgrade in the physical world that a lot of vendors still want to play the no.

Speaker 2

No, no, no, don't. I don't I didn't hear that.

Speaker 4

No, I don't want to know.

Speaker 2

There's a problem, right game.

Speaker 4

Well, I mean it's all it's all money. Then they don't.

Speaker 6

You know.

Speaker 4

It reminds me of sort of like vehicle you know, car recalls, vehicle recalls. You know, it's it's a numbers game. It's like how much money will this cost us, not how many people will we save? And so I imagine for you know, for a physical security company, it's the same thing. It's like, we don't care if you can defeat our locks as long as not everybody knows about it, right and and you know, uh, yeah, that's it's it's sad, it's it's scary. What what are some of the things, you know, it brings us back to go ahead, no, please, go ahead.

Speaker 5

It brings us back and recalling Ed Norton. We mentioned Edward Norton in the movie The Score. He was also in uh, the movie adaptation of the Chuck Palahniuk's book Fight Club. Right, there's that line he's talking to someone

Career Advice for the Field

on an airplane in the movie and he says, I work for a major actuarial insurance firm, and.

Speaker 2

And he talks he's literally he talks about the formula.

Speaker 5

He's like, if there's a certain model of car and the brakes fail and people can die in a car. Right, we do the math of how many times it would happen, what's the average payout in a wrongful death lawsuit?

Speaker 2

And if it costs more than the Yeah, we're not going to recall the.

Speaker 4

Brakes, right, Yeah. What are some of the things, you know, you've talked about some of these locks that are still out there in service and hotel doors. What are some of the things that you see, whether it's government buildings or commercial buildings that aren't like a failing of the actual hardware, but that they do like consistently that defeats their own security. And then on the personal side, what do. What do you see people do with their own homes or whatever? That is also sort of this repeatable offense.

Speaker 2

Sure, two very different sort of answers.

Speaker 5

There one thing that I see a lot of, and all of my colleagues would probably also say this is sort of improper installation, or two different systems that are not ever tested together. For example, I will mention that I do a lot of things with fires and fire and life safety. If you're ever in a building, especially if you're in hotels, if you're in a corporate commercial space.

The next time you're passing through a door and opening, if it's a kind of a heavy door, look at the hinge side of the doorframe and the door itself, the little butt side of the door, and you might see a metal or foil sticker. These are called door lay they're labeled door assemblies. These are for fire doors. A fire door if it has a certain endurance rating of forty five minutes, one hour, two hours. The entire assembly is tested together, so you'll have you name who's making the door, true door products and something. They make a whole door assembly, and then that gets sent off to a big testing lab. Warnock Hersey or Intertek or Underwriters Lab, something like that. They will test the entire door and the door frame and the hinge, all these components together, and they'll literally put it in a furnace and they'll hit it with a hose stream test to see if it bows or breaks or pops open. And then it is you know, blessed and approved. It gets a labeled rating. But that is how it is done this way with the fact, and you can make any modifications in the field. In fact, that's one of the things we inspect for and look for are field modifications. Did somebody add access control to this door? Did they punch a hole in the doorframe and then there's the door sensor in there.

Speaker 2

Well, now you violated the integrity of the doorframe. What are you doing?

Speaker 4

You can't.

Speaker 2

You have to use fire rated parts to that.

Speaker 5

So we see a lot of security systems where that door lock that you might have bought was designed properly, worked well, went through all of its testing, and then you install that.

Speaker 2

But then somebody else comes along, some.

Speaker 5

Integrators installing an access control panel, and then they are we're going to run wires, so we'll put an access control electronic door latch. Well, now you've taken away the strike plate that came with the door lock, and you're using a different type of strike mechanism, an electronic strike, and those two components were never tested together. So installation of disparate products that were never tested together, they will not perform the way they were designed to perform.

Speaker 2

We see that all the time because and the world is a big complicated place. I get it.

Speaker 5

You know, your door hardware parts guy is not the one manufacturing your access control card technology system and the card system like NXP Semiconductor is not out there making door latches. So I understand the problems. But that's why we love it. We absolutely love it. When we've had people in RTA classes that aren't penetration team members.

Speaker 2

We've had integrators and installers come to our classes and they it's open their eyes, like, oh my god. We do that all the time.

Speaker 5

Yeah, we've been undermining the security to the customers, and you know, the customers insisting we want these parts because they look good, and you don't want to know, don't change out the other thing that will not the nice satin finish keep that on the door, but then just change is this part of the door and now these guys come away from us like, man, I'm not gonna do that anymore.

Speaker 4

So.

Speaker 2

So and as far as what people do in a resident okay, go ahead, please.

Speaker 4

No, I was gonna say, so you're not like you. You're The example you gave was how it reduces its longevity in a fire setting. But you're also saying that when they come in and you know, make a convenience change like an electric lock or an access panel or whatever, it also gives you an easier ways to beat those systems.

Speaker 5

Oh yeah, because they're installing the one like, well, I did my job correctly, but you don't realize you've installed it in a manner that it wasn't designed to be installed it or it was. Now it's trying to interact with a different system that you've never tested it on. So we'll say, oh wow, when you put those two two two great tastes, they don't taste great together because it's very vulnerable now that you bolted this onto that and it doesn't work the way you think it does.

Speaker 3

Yeah, I have Well, I guess one more question before we go on to viewer questions, which I'd like to ask since Thief came out in nineteen eighty one. What has made safe cracking more difficult? What has changed in this field in the last forty years or so that is making whether it's our intelligence service professionals or people like you helping out. You know, the government decommissioned safes. What are the big changes that have occurred over the last few decades.

Speaker 5

Oh, yeah, it's interesting, it'll tie back into the previous you'd asked one question we almost might have missed.

Speaker 2

He said, what can people do at home?

Speaker 5

And it is the same answer as what has changed with safe cracking? And it's the same answer that it's a call all the way back to I was saying. When we were younger, we had more free space to kind of play and roam.

Speaker 2

It's all electronic monitoring.

Speaker 5

Nowadays, you're not going to see beautiful, amazing graffiti on a subway car because kids in New York City in the seventies and eighties, I mean, they could sneak around in tunnels all night long and there may be would be one cop with a flashlight who might catch them. Nowadays, you try to go somewhere you don't belong. In Manhattan's MTA you're gonna be caught in five seconds. There's going to be electronic co there's cameras everywhere nowadays. What makes safe cracking hard the idea of like there was a famous robbery I even if I can find the article or any footage of it, there was literally like all the strong boxes are ripped out of this huge nest of safe deposit boxes inside of a vault.

Speaker 2

And I think it might have been in Brussels.

Speaker 5

It was a big financial and precious goods emporium and these these people had literally concrete cored through the wall and they spent the whole weekend raiding this entire vault because there was no electronic monitoring, There were no cameras, there was no alarms down there because who would ever get in. Nowadays electronics have gotten so cheap, just electronic monitoring on everything.

Speaker 2

Now, I'm not saying you can't defeat it, it's different. I mean, we have a whole we.

Speaker 5

Have a whole intrusion detection defeats class at RTA right.

Speaker 4

Well, but if those gangs are doing it now, the gangs are doing it now too, with those portable man packs that they're getting off or whatever. But anyway, but but, but.

Speaker 2

Yes, they're monitoring yourself.

Speaker 5

Like if I can go up to your safe over the weekend, if you're away on a fishing trip or something, and I can just spend all weekend in your house working on your safe, something's wrong, right, Like, come on, use use a half decent electronic home monitoring solution telling you some pile of poo, like SimpliSafe or something.

Speaker 2

Use something good.

Speaker 5

I like, Ubiquiti is a pretty good brand. I don't really like Nest and Ring Brim, and we're not going to get it bagging on or promoting any brands. I don't work for any these companies, don't.

Speaker 2

They don't.

Speaker 5

I don't have grudges of it. But using electronic monitoring and using it effectively, that's what makes everything so much harder.

Speaker 2

Electronic intrusion detection.

Speaker 4

Yeah, it's fascinating so for for people who might want to get into this field, right, whether because whether it's you know, doing what you do, uh sort of more in the civilian market with you know, obviously government stuff, or if they want to be a black bag guy or gal you know, working for the you know, FBI or the CIA or you know, local PD or whatever. Where do they start. What does that career path look like? There's not a military MOS for it?

Speaker 2

So right, that is true. That is true.

Speaker 5

Although we're so self you hope you don't think I'm sounding self serving.

Speaker 2

I mentioned not at our training. Yes we are.

Speaker 5

We are inches away from I believe, being what is called COOL program certified. The COOL The COOL program is people who are I think it's your last six months of service or recently exited uniform. There is budget available through the DoD for people who want to train for a new career.

Speaker 4

That's fantastic.

Speaker 5

So coming to us or I think Lockmasters and Mark Bates, MBA USA, I think they might also be COOL Program compliant. So if you're not in uniform, if you're just in the civilian land, that's fine. But it really is showing up and getting some base level of training, not only to know what the landscape is, but a lot of times and I have a whole blog post about this, I'll throw you that link as well. People like to bag on training. The training doesn't prove you actually know how to do a thing. I've seen more people with a certification that they didn't know squat.

Speaker 2

That's true.

Speaker 5

I've known many people with college degrees that aren't working in the field that they got a degree in. But you know what a certification, like with training and ultimately getting a certification represents to a lot of employers. It represents that you can sit the f down and just complete something, which is a very hard thing for a lot of people out there to do. Yes, a certification doesn't necessarily mean you're the best person at what the piece of paper says you can do, but it means you can see a task through to completion. In our scatterbrained ADHD world, a lot of times employers today just want to know are you a reliable person? Can you take a task and run with it and see it through? So I like to remind people of that when they say, man, is this certification going to actually help me out in my career? Yeah, it's much in the same way that you mentioned people in the service, right, A lot of times if an employer sees somebody, he said, oh, this person's former Army, this person was Air Force, and they might give them like, let's bring that resume to the top of the pile. It's not because the job they're going to do has anything to do with you.

Speaker 2

Know, liberating some foreign bill. It has to do with the thing.

Speaker 5

This person knows how to like keep their heads straight in pressure. This person knows how to execute on tasks.

Speaker 2

This person can self manage.

Speaker 5

So giving employers a shorthand way of evaluating, Yeah, I'm not going to be a drag in your organization. I kind of can tie my own shoes and get myself to Friday without you having to babysit me. That's valuable to what a lot. That's what a lot of companies want. They want to be able to quickly ascertain. Are you a person that's going to bring value to my org?

Speaker 4

Right?

Speaker 2

Right?

Speaker 4

If you got the Patreon questions, absolutely, And I apologize for those text rings. It's I had taken my phone off airplane modes like a lot.

Speaker 2

I didn't hear them at all.

Speaker 4

It's all okay, great, great, great, let's see her. Let me take my phone off.

Speaker 2

You're getting these live and we've been live streaming this whole time for.

Speaker 3

The Patreon folks people watching.

Speaker 4

We used to, man, I feel.

Speaker 2

So bad that we were. We were a little bit off kilter on getting the zoom link work.

Speaker 3

And no, it's more my fault than anything.

Speaker 4

Okay, so matt As, thank you much. Really stoked to see Deviant Ollam as a guest, huge in the pen testing community. Question for the guests, what is one tool that you see people include in their physical pen test kit that is overrated and should probably be left at home? And what is one tool you always bring with you on an engagement?

Speaker 2

Oh? I love the first question.

Speaker 5

I want to give more brain space to that because people buy so much stuff and keep adding it to their kit and adding it to their kit. And yeah, you know, you see the person like my daily pocket carry, then that becomes their sort of sling bag, right, and then that becomes a backpack right.

Speaker 2

Before you know it. You're like, it's not even daily carrying or what do you what do you freaking do and you're carrying a freaking rut bag? What would I say? You know what I'm gonna go. Here's what I'm gonna do.

Speaker 5

I'm actually going to pull up, briefly, my own you know, I'm gonna pull up Red Team Tools, which is my own catalog, and I'm going to look through my own catalog about something of like, this is the last thing you should possibly purchase from us.

Speaker 2

Bump cocade.

Speaker 5

Some of these are all right, it's probably it might be an electronic tool. Yeah, yeah, you know what I will say, it's a it's a cool it's a cool thing. But we have a couple of tools designed for pin pad hacking. There are people that say you can use thermal cameras to like look at a pin pad right after somebody has entered a pin to see where their fingers were touching. We actually, I make a kit of UV powder, so you dust the pin and you come back later with a UV light and you can see where the pin pad was touched.

Speaker 2

I know, we sell them like I make these like.

Speaker 5

My that's Hollywood shit, man, Come on, Like, I'm not saying it has no purpose. And in fact, if you have an electronics safe, that's interesting because that's probably one code, or an alarm panel, that's probably one code that gets entered. But a door, an electronic keypad access door where there's probably lots of people with different codes, that's not gonna help.

Speaker 2

Come on, you're not going to get there.

Speaker 5

But yeah, I have used it on an electronics safe in an executive's office once because I was able to see.

Speaker 2

Which numbers they had touched.

Speaker 5

And I came back a week later, and I didn't actually open the safe worn off, but I said, is that are these the digits of your combination. I didn't even tell him what the digits the right order. He was freaked out that I actually knew it at all. But yeah, you don't need you don't need that shit buy that after you bought everything else, but don't carry your daily carry and the tool that everyone should.

Speaker 2

Have on them at all times.

Speaker 5

Yeah, two more answer the best the best two things available. Traveler hook which is used for getting latches on doors, and it's called an underdoor tool, and they both have their pros and cons. I'll tell you a traveler hook I got my I got my wallet.

Speaker 2

Right here.

Speaker 5

In my wallet is a small skeletonized version of a traveler hook. It doesn't have a big chonky handle. My buddy in Scotland makes these. He calls these the skeleton hook. But it's this is just you saw. I just pulled it out of my wallet and it just I'll get doors open with this all the time.

Speaker 2

The other one that's hard, I mean the underdoor tool.

Speaker 5

If anyone out there has seen an underdoor tool, they're devastatingly effective, not easy to carry around.

Speaker 2

They're big.

Speaker 5

Now I happen to have an underdoor tool as well. It's in my belt because I have. I'm there's a whole video. It's a tiny video I talked about where I literally found a belt manufacturer that would do exactly what I wanted and make a belt with a long cavity in it. I tried money belts, but they weren't they weren't enough space. But yeah, we have the We have underdoor tools that you can whip out of a belt.

It's as good as a big commercial underdoor tool. No, but if I could give that's my gift to the world. I want to give everyone the ability to have an underdoor tool on them at all times if they want it. And I always travel with mine. Traveler hook a undoor tool for remedies for.

Speaker 4

People who might not know what those are. Can you give us a real quick brief description of what each does?

Speaker 2

Yeah, sure.

Speaker 5

So the traveler hook, as if anyone was watching the video part of this, it's a small tool with a tiny probe sticking off the end of it. It's a tiny right angle hook. If you want a really cheap version of them. You can grab some o ring picks at your local hazard fart or home desk spot or something like that. Those are going to be cheaper steel, and they're going to be too thick to.

Speaker 2

I think the shafts on those are too thick to. That's why if you want to get a nice version, you get like a proper traveler hook from US or from Lockmaster sells them. I think Mark Baits sells them.

Speaker 5

But yeah, you reach into a door jamb and you can manipulate the on the door. If the latch is not dead latching correctly, which is a very perennial problem, you can slip many doors open with a traveler hook. An underdoor tool.

Speaker 2

As it sounds it reaches beneath a door.

Speaker 5

But the idea is modern building code, ADA code, Fire code.

Speaker 2

All these various codes require egress is always allowed.

Speaker 5

Free egress from a building should never be denied or impeded, so you can have all the locks and access control you want on the outside of a door. If someone's inside trying to leave, I mean there's rules, there's laws and rules around this. It's single motion, a single pushing or twisting motion on a door handle. There's actually for ADA reasons. It's poundage of pressure, how many foot pounds and inch pounds of so forth of torque and push, so it's very light pressure on the inside of a door shall cause the door to unlock.

Speaker 2

On the operable part.

Speaker 5

An underdoor tool is a long rod that reaches up under the door, swings back towards the door, and you yank down on a cord and you're trying to hit the handle, the inside handle, but you yourself are on the outside of the door. And if you can trip that, what's called the operable part of the door. Meaningfully, it's a lever style handle that will trigger the door to release.

And if you have a long enough rod and a string on the end of it, and you know how to use it, you can pop open the vast majority of commercial doors in all the buildings that you travel.

Speaker 2

Through all the time.

Speaker 4

Sounds much easier to use than a wire coat hanger undone with five-fifty cord tied around the top of it.

Speaker 2

I've seen people do it, though, you know, you make use of what you got. Improvise, adapt, overcome.

Speaker 4

Yeah, for sure. And then the other question was, thank you very much. One question for him, how was how has physical pen testing evolved in the age of ubiquitous technical surveillance, where the opportunity for traps backed by all kinds of sensors covering the entire spectrum are widely available in easy disguise. As a defender, I actually have the impression that it wouldn't be overly difficult to design a room designed to hold secrets that would be a nightmare to try to approach covertly. Is that notion particularly off base in your opinion experience? And I'm also just curious to hear your opinion on how traps have evolved from the days of analog only solutions like matchstick in the doorway, you know, a piece of hair on the you know, resting something.

Speaker 5

Absolutely true, absolutely true. And in fact, if you go to these major trade shows nowadays, for example, Milipol, the Military and Police Expo is one. ISC, the C trade show, the Security Controls trade shows, ISC West and ISC East. We're always out ISC West. Out here in Vegas, we're always out I. You'll see loads of vendors. Now, I mean, AI is a hot topic, so they're shoving AI into everything. Sure, but the idea is if you put enough camera coverage, just visual camera coverage in a space. We are just about at the point where you can, in theory, give us a technological solution a list of people who belong in the building. Now you're giving away a lot of your biometric data to an employer, possibly a third party that the employer has hired, So take that as you will. And there's a lot there's a lot of cost in installing all this, and there's probably a subscription plan involved.

But there are schools now and I don't know how I feel about this with kids and all of our kids' biometric data being saved by some firm that doesn't have their best interest at heart probably, But there are schools where if anybody shows up in the school and they're not in like the face database, it throws an alert on a screen and the resource officer or some teacher gets sent down that hallway and it's like, Hi, what are you doing here?

Speaker 2

Are you here to pick somebody up? How did you get in?

Speaker 5

It is absolutely a huge challenge, but that's only as good as the systems that are employing it.

Speaker 2

We've seen that AI can hallucinate.

Speaker 5

We've seen that something I remember there were early days of facial recognition somebody. Basically there was a man with a beard and he wore long like shoulder duster earrings. So the fact that he was very masc presenting. He had masculine facial features, but he was wearing something accessories that were very fem coded.

Speaker 2

The system completely didn't know what to make of it.

Speaker 5

It broke on like the line the first line of code couldn't classify him by gender, and like the system just failed. So we're probably going to continue to see oddities and edge cases like that, which brings us back to the importance of testing. All these vendors out there should be engaging the hacker community and the researcher community and inviting them to test these systems, because it just takes one person to say, what if I wear my hat and I put a really really freaking bright IR LED under the brim of the hat, and people did that to defeat facial recognition for years. You're walking along the street and that just you don't your naked eye just sees a person, but all the cameras just saw a huge white blob over the It was just blew out the levels of the camera. The automatic gain control of the camera didn't work.

Speaker 4

Yeah, fascinating. I got a couple others here.

Speaker 3

Alex asks, how did you get to know Karl and the InRange crew.

Speaker 5

Hell yeah, I just saw Karl. I was just at High Desert Brutality. I just flew back from Idaho right like yesterday. So Karl also, Karl Kasarda an amazing person, wonderful human, smart guy. He is not just a firearms person. I mean he came from the hacker world. He was in the tech world. He was a sysadmin and a network guy for years. That's how he made his bones.

Speaker 2

He was around.

Speaker 5

I mean, he'll tell stories back when Operation Sundevil was a big hacker crackdown and he witnessed all of that go down, and he remembers running and securing systems at the time. So Karl was aware of DEF CON and he had heard of this thing that I ran with firearms for years. I ran was called the DEF CON Shoot.

Still exists. Other people run it now. I've turned it over to them after a decade, and he and a former colleague of his, they came out to the DEF CON Shoot just to see what it was about.

Speaker 2

They said, Hey, it's in Vegas. We're in Arizona. Let's just drive up.

Speaker 5

And he and I met at DEF CON and I instantly said, oh, you're like, you're a cool guy. You're into this stuff. I'm into what you're into. Let's keep talking. And we just kept coming to each other's events. Ever since then, he's come back to DEF CON several times. I've gone to his firearms events again. Show notes click down below. I'm sure you'll drop a link to InRange TV. It's one of the very very few people in the firearms space that is not monetized and they're not doing a lot of corporate shilling. Most influencers in the gun world, there's a lot of there's a lot of money and pay for play reviews going on, and Karl's out there just in his own backyard in Arizona doing mud tests with a bucket of water in the Arizona sand and saying, Yep, this gun failed.

Speaker 2

Sorry, I don't know what to tell you, MANUF sure send it to me. I'm sending it to They'll make a change, they'll send me another one.

Speaker 5

So he's a very honest, very upstanding guy, and yeah, we've been friends forever. I visit him, I visit him at his place. We travel places together. He's he's one of my favorite people.

Speaker 2

Uh.

Speaker 3

One last one from m Corbin. He asks, what is your favorite fiction author?

Speaker 2

Favorite fictional author.

Speaker 3

The writer of fiction, not actual fictional author. Yes, yes, yes, Douglas Adams is going to be up there.

Speaker 5

I find that the Hitchhiker's Guide series and the lesser known works the Dirk Gently's Detective Agency and such.

Speaker 2

Uh, Dirk, you know, the Douglas Adams books.

Speaker 5

They have this wonderful lightheartedness to them, a spirit of adventure and positivity that's just full of warmth. The world is a lesser place without Douglas Adams around. My wife would mention, you know, things like Pratchett and other sci fi authors that she you know, she's a much bigger fan of and tries to get me involved. I tried to watch Dune recently. I tried to, you know, I watched The Lord of the Rings with her. I'm I understand Tolkien's amazing world building, but there's something about the lightheartedness and the smile that I will reread.

Speaker 2

Adams's work to this day.

Speaker 4

Yeah.

Speaker 5

I used to really love Richard Morgan, The British author Richard Morgan British Scottish British Richard Morgan, I wrote the Altered Carbon series. Yeah, yeah, not not the most progressive views on some issues that are very dear to people in my life.

Speaker 2

I have a trans daughter, so like, no, don't, don't, don't, don't promote Richard Morgan as much anymore. I think Douglas Adams would have been fine with her though, So yeah, Douglas Adams gets my vote.

Speaker 4

Yeah.

Speaker 8

I And last thing, I guess, Deviant Dave, do you have anything before we what Deviant plug his company and website and.

Speaker 4

Not at all. Would just like to remind you, like when we say we're out of you don't mind hanging out. And if you're watching this recorded, you could be watching this live if you're a Patreon subscriber and we're going to do a Team House After Dark, just a fun little story or whatever for our Patreon subscribers afterwards. But please go ahead, Jack.

Speaker 3

So Deviant, tell people out there where they can go to procure your services if they want you to break into their home place of employment.

Speaker 4

I bust open a's safe.

Speaker 3

Tell them about the classes that you offer and where they can find you guys.

Speaker 5

Sure, so yes, on the internet, I am Deviant Ollam, spelled not at all like it sounds. So yeah, you'll see my name in the episode. But I'm on all of the things as my user name, so YouTube. But I'm not on Twitter. No one's on Twitter anymore. But you know Bluesky, Mastodon, Instagram, Reddit.

Speaker 2

I have a GitHub.

Speaker 5

The professional side of things, my one company is called The CORE Group, so Babak and I have been running The CORE Group since twenty ten.

Speaker 2

We're at The CORE Group dot net. That's if you want us to break in, if you want to learn how to break in, it's going to be a Red Team Alliance.

Speaker 5

So Redteamalliance dot com. This I'm literally sitting the reason I'm in such a bare, weird white box. We got the keys yesterday morning to our new building in Vegas. We're all out here moving in, so all the teams downstairs, the moving trucks have been rolling all day. Hopefully you haven't heard the garage doors rolling up and down outside.

Speaker 2

Yeah.

Speaker 5

So Redteamalliance dot com. Our full training calendar is online. We have our Vegas facility. We have our facility in Virginia near DC. We have classes in Australia at Europe as well if you want to buy stuff. You know, I never like mention in our retail catalog. I feel like such a shill. It's not my I wouldn't say it on my channels on social media. But Red Team Tools all the equipment and gear that I make and design and have changed over the years. Here's a fun one.

This was a product that literally existed and no longer does. And I bring things back from the dead. So we have these kind of in people's kits in the field. You just this is a fence climber.

Speaker 2

You stick it through a fence, you drop it and it hangs and you can go up one side down the other. You get a couple of these in your pocket, and you.

Speaker 4

Know, eight ballot you name.

Speaker 5

However, how the fences are. You're up and over in no time, even my fat ass. So that's all on Red Team Tools dot com. You always yeah, The CORE Group and Red Team Alliance. So the most useful.

Speaker 4

Fantastic I was going to say that you always need something like Jack to go over first though, to lay down on the concertina at the top, so then you go up climb over them.

Speaker 2

Harder to do all that nowadays.

Speaker 5

I mean, we have friends at Magnosphere who the fence sensor technology. The shake sensors are getting really subtle, and I could I even I did an experiment where I said, I wonder if it would detect going over the fence. I bet it will, And the guy was like, it's going to detect you putting it on the and sure enough.

Speaker 2

Yeah, we watched.

Speaker 5

You can watch the little line go up on their graph. He's like, yeah, you're just touching the fence.

Speaker 6

Was enough.

Speaker 2

You're not getting over that.

Speaker 4

That's amazing. That's amazing. Yeah, So definitely check out Deviant's the classes, the company and the videos. Like everything on YouTube is just fantastic. So I highly recommend people track you down and watch all of that. Absolutely, thank you.

Speaker 5

A lot of I mean my channel now must I've been on YouTube since two thousand and nine. There's a lot of crap on there, but the long I find a lot of people like the long form ste so my lectures when I've actually given presentations. There's maybe a dozen or more hour long videos on my channel that's all my professional.

Speaker 4

Talks, and I think it's a lot of fun, you know, you talked in the beginning about you know, kids not having space anymore, and like I remember when I was maybe like in junior high, like breaking into a school over the summer, like going in through the top, and we weren't destroying anything, we weren't stealing anything. It was just the thrill of being able to get in, right and you're in, and like you're in. Yeah, and you still, like a lot of your videos, you still have that thrill of discovery, like when you're when you're presented with a new challenge, a new technology, a new type of door sensor, you know, you know, like because it has to open from one side and put in gas or putting blowing up a balloon or whatever on the other side of the door. Like there's still a lot of that, I don't know, like that that sense, that childlike sense of exploration, like oh, let's let's here's a new puzzle, let's solve it. Absolutely yeah, all right, guys. Uh so we will see all of you next time. Thank you for joining us, Thank you, Deviant. And you can find all the links down the description that we mentioned on the show, and uh for our Patreon subscribers, stick around because there's a little bit more. It's gonna get spicy.

All right, I'm gonna leave it running.

Speaker 3

D can cut the film, Oh right, right, because we can, we can roll.

Speaker 4

Right, that's right, that's right, because we're not live for anybody but Patreon. Uh, do you do you have I know, I kind of put you on a spot to you but we're still rolling. We're still live to the Patreon. But uh, do you do you have something in mind?

Speaker 8

Uh?

Speaker 4

A story or a vignette or anything.

Speaker 2

Oh, a story from from my end?

Speaker 4

Yeah, so, and I said, it can be you know, it could be something that a time went bad, a time went really good, a time something weird happened. Yeah, weirdest things.

Speaker 2

I mean, there's a story I've I've told once or twice.

Speaker 5

But my one of my favorite jobs was a job we completely had no success and it was a small company in the in the middle of America. It was a Middle America Nowheresville. And some people say, oh, you know these podunk towns that you're gonna put one over on those rubes. I mean, no one really says something rude, but uh, there's there's a certain kind of thinking that says, well, small companies, you know, these people, they're not They're not going to have sophisticated security systems.

Speaker 2

And they didn't. They didn't have a lot of big budget, they.

Speaker 5

Didn't have all the the whiz bang stuff that you see at the trade shows. What they had was a dedicated team of staff, many of whom had worked there for decades, and they just they had emotional investment in what they were doing. This was it was an agribusiness essentially, so they were American food supply right like this is it's I would consider critical to our nation's health and well being. I was very hopeful that their security would be robust, but it was, and where I wasn't expecting.

We came out there, cased the joint, did all our usual recon, had our cover stories. We said, all right, let's find the local utility companies in town. We made badges, outfits, you name it in case we were on site getting questioned. So we were, you know, because of being a utility company worker, you can kind of be on the buildings around the grounds and no one would oh, that guy's doing the he's checking out, he's you're spray painting some marks in the ground a little bit.

Speaker 2

So we did all this research.

Speaker 5

We found a few doors that were a little bit ajar and we had somebody all right, we come up with an attack chain. We're gonna come in on Sunday morning. Everyone's at church or watching football. We were on site, walking around the premises and again looking like technicians. Right, we were in this building. There's a multi-building complex.

Speaker 3

I remember.

Speaker 5

We're in a building for maybe half an hour forty five minutes tops, and somebody said on our team and say, hey, there's a car in the parking lot that wasn't there earlier.

Speaker 2

We look out, sure enough, Yeah there's a car. What's that?

Speaker 5

And we later said, do you see who's that guy looking at it? There's a guy going from building to clearly going building to building, not a security guard, just to just a dude whose badge worked.

Speaker 2

He said, that's freaking weird. And later he came and found it.

Speaker 5

He found us in one of the buildings, in one of the offices, and he said, hey, you know, what are you guys doing in here again? So we're from such and such Telecom. We were sent here. We did some work at your Wyoming office. He said, we're here at the Kentucky office.

Speaker 6

Now.

Speaker 2

He said, no, I would have heard about that. Who sent you from Wyoming?

Speaker 5

We knew Nately said, oh, well, Keith is the plant manager over there, he does the IT infrastructure. No, I don't know if Keith what I could call Keith and find out. This guy was having none of it, and eventually we had to We had to produce a you know, always carrying a letter that says, look, we were hired by this guy. The CEO knows were here, the owner knows we're here, and he's like, yep, yeah, there was an odor to this situation.

Speaker 2

I didn't like it. We said, well, are you working today, sir? He said no. I was driving through town.

Speaker 5

He was literally driving down Main Street and he looked at the parking lot and just driving by the buildings, he saw one of our team in the parking lot. He said, I don't recognize that guy. He did a K-turn, came back up Main.

Speaker 2

Street and he said, then saw your guy badge into a building. And I said, I still I don't like this. And I said, wait a minute. You saw on your freaking day off a person badge you with a working badge, and you still didn't He's like, no, I didn't like it. Something didn't, like, something didn't feel right.

Speaker 5

I know companies where you could walk in and say, hi, I'm here to steal everything, and the employees would say, yeah, f this company. They don't care about me anyway, right right care, Yeah they give a crap.

Speaker 2

But this guy, I mean, he had been working there for probably thirty forty years. Yeah, he knew like he knew the owners. They went bowling and say he's liked.

Speaker 5

No, he just had emotional investment, as did everyone at this company. We were on our walk through the day after we're on Monday, escorted around and at one point our escort, you know, the co-owner of the company, his son. He left us alone to get something, and a woman was like, what are you doing in this wing of the building.

Speaker 2

We said, oh, you know, Frank is letting us say. She says, like, Frank's not here. Where's Frank?

Speaker 5

You don't belong here. Come to the front with me right now. And she had just been working there for you. Again, she had been at the same desk for the same many decades. There's a real lesson there and investing in your people. I don't just mean give pizza Fridays, right, I mean actually give real raises, take a real interest. Are people satisfied with their job? Do they care about what you're doing? That's what saved this company from everything we tried to do to them.

Speaker 4

Okay, I want to ask you know, I don't want to keep you too long, but I want to ask either for a time you were horrified by how easy something important was that shouldn't have been easy, or about the biggest ass chewing you ever saw because something was easy.

Speaker 5

I was really sad to learn of this was a biomedical research facility.

Speaker 2

And ultimately they had spent a time.

Speaker 5

I mean they had money coming out their ears, right, they had spent so much money on all their security systems, but they didn't invest in a decent like badge credential technology. They were still using the most outmoded, outdated HID Prox credentials, which had been around, you know, thirty years at this point, more than that forty years probably at this point, the original HID Prox, and it's the most clonable badge imaginable. We ultimately it was hard to clone badges. We couldn't really get to the employees. They weren't around. It was a very buttoned up, very tight building, but one of our staff went in. One of our team went in and interacted with the guards in the front lobby and he was just BSing with them, and there's again we talked about this in training. We had a long range reader in a laptop bag and if you got close enough to someone's badge, you could grab it.

Speaker 2

You could because.

Speaker 5

There's no encryption on the badges. You just had to brush past the badge. And he was able to get past one of the guards. And there's a longer version of the story that I've told, but eventually he gets near a guard, gets the guy's badge, and then we just cloned it into We just got in, and then we came in the next night midnight shift. There was a big movie premiere. It was like the new Star Wars that was coming out, like the episode Phantom Menace or whatever was coming out a long time ago story, but we were able to use these We just got it everywhere at that point. And the lesson we later learned and it can't go was two how it's not always your fault, it's not always you can control the badges.

So this building that they were renting was owned by a huge property management company, and they insisted, like, here's the badges for the building.

Speaker 2

This is the badge system right now.

Speaker 5

They had other badges they could have used, but the property management company made it such a pain in the ass.

Speaker 2

They just said, no, we're just going to go with the badges they find. We're not going to go through all the legal hoops and give you copies of badges.

Speaker 5

So they were locked in by some weird rental agreement. But the sad part is that all that entire guard crew, I won't say it got fired. They still had jobs, but they lost that contract. Like the guards were all cycled out, and that was part of the with the executives.

Speaker 2

I can't believe the guards let you get close to that. I said, come on, man, who's going to think that somebody? Right? You know, we had a guy who you had to talk.

Speaker 5

I said, if you had kept those guards, that would be trial by fire for them. That would they would be way more hardened against this kind of attack, and they'd be way more poised to say, hey, I'm not going to keep my badge right in front of me while it's visible.

Speaker 2

And you know, I think it was the wrong move.

Speaker 5

I think they should that's that you want the person who got caught in a stumble if they're willing to learn from it and recover and get better.

Speaker 4

Especially if they didn't even know that technology existed. Like they're they're security guards, right, They're they're not like FBI, They're not FBI.

Speaker 2

You know.

Speaker 4

It's yeah, yeah, it's unfortunate. Deviant, thank you, thank you very much. We really we appreciate you with us tonight. It's a great time.

Speaker 3

Hey, guys, I want to tell all of you today about a new newsletter that we're launching that encompasses both the Team House podcast, the Eyes On podcast, and The High Side news outlet, which I run with Sean Naylor. The newsletter is gonna be once a week. It's gonna come into your inbox and you're gonna get the most current podcasts on Eyes On and the Team House and whatever's topical or current on The High Side. So it's another way for us to get the information out to you as social media algorithms are pretty iffy and you never really know.

Speaker 4

What you're gonna get. So this is a once a week email.

Speaker 3

It'll slide into your inbox and it will have you know the greatest hits of that week.

Speaker 4

It's really good.

Speaker 2

Checking it out.

Speaker 3

The website for it is Teamhouse Podcast, dot kit dot com, slash Join, Teamhouse Podcast dot kit dot com slash Join. You go there and you enter into your email list or you enter your email into the little thing on the website and you're good to go.

Speaker 4

And that'll be it. So we really appreciate your support and hope you'll consider signing up where the link.

Speaker 3

The link will also be down in the description if you're looking for it there

Speaker 7

And that's Teamhouse Podcast, dot Kit, k I, t Kilo India, Tango dot com backslash Join

Transcript source: Provided by creator in RSS feed