
So without further ado, please give a warm welcome for Mr. Jeff Man.

Thanks, Jeremy. That's pretty much all we have time for, so I guess it's lunchtime. So, the title of the talk is More Tales from the Crypt Analyst. Several years ago I was at a conference (and I can show you my info while I'm telling you this story). I was at a conference, I met another speaker, and at some point I asked him what he was talking about. "So I'm gonna do a talk on intro to cryptography." I was like, oh, that's kind of cool; cryptography is kind of a thing I'm into. So I went to his talk the next day, and
as I'm listening to him do this basic overview, cryptography 101, I thought, wow, I could give a talk like this; I lived this. So a couple of years ago at GrrCON I premiered a talk called Tales from the Crypt Analyst, which was basically the story of the first several years of my time at NSA, my tenure at NSA, and I always promised a sequel, which is essentially the essence of this talk today. Real quickly, just to get the acknowledgments out of the way: I work for a consulting company called Online Business Systems. We're mostly a consultancy, advisory company; we do a lot of the pen testing type of stuff, and we do PCI work as well as other compliance
but before your eyes roll back in your head, what we really try to do is, as experts, we come in and try to help companies figure out how to do security, to do it right for them, do it the way that gets them to a place where they can be compliant and get the regulators off their backs, but, more importantly, just become more secure. My background, very briefly (which Jeremy sort of stole my thunder on, but that's okay, I'm not bitter or anything): I've been in the business a long time, sort of from the beginning, if you will. I spent my formative years working for the DoD, primarily with NSA, and left the NSA
about 23 years ago; why, you're gonna hear today, and that's basically the crux of this presentation. I've been out in the private sector trying to make the world a better place one company at a time, trying to help them be secure. Somewhere along the line I fell into PCI, but I actually kind of liked PCI, because when I was first introduced to PCI, the Data Security Standard, it was presented to me as: this is a framework, or this is a measuring stick, for how organizations should be doing security at their companies, with an emphasis on a particular type of data. And I read it and I said, yeah, this makes sense; this is kind of what I've learned
over the years from the DoD; let's go do it. That's another story for another day. So the crux of this story today is: I had basically three tours of duty at NSA, and I'll get into the details of that, but the third tour of duty, as Jeremy alluded to, is when I got into pentesting and started doing that for NSA. We didn't call it red teaming back then, and that's sort of the gist of this story today. So sit back, relax; if your stomach's grumbling, lunch is afterwards, but hopefully we will be entertained over the next hour or so. I first want to apologize: as I was first putting this talk together and trying to think about
what we did 20-some, 25-some-odd years ago in terms of pen testing, and what did the internet look like, what did the world look like, I discovered that trying to find entertaining screenshots for this talk was a little bit daunting. So, apologies in advance. I think I did a pretty decent job, but, you know, certainly what we had available then, and actually trying to find it and bring it forward to the future, was a little bit daunting. I also want to make this talk a little bit audience-participatory, so there's going to be times through the presentation where dates will pop up, and the challenge to you is to try to answer: what is the
significance, what is the meaning, what is important about the date. It's a little bit of history; it's a little bit of putting things in terms of a context, in a timeline, and what existed and what didn't when, during the time in particular when I was at NSA starting to do pen testing. So let's start off with an exercise; in fact, I have two. This one is my special Raleigh-Durham edition of this test. Anybody have any idea what this date's about? I'm not gonna give you much time to guess, because I've got a lot of slides to cover. Give up? This is the original release date of probably, arguably, the best baseball movie ever
made, Bull Durham, and actually a movie that years later still gives us a very important lesson, which I used to use all the time, still do: don't think, just pitch. One more date. Anybody else? Anybody? Three, two, one. Okay, so you get the idea. Actually, I've done this talk for audiences that have no idea what Skynet actually is, which is a little bit disturbing. So I apologize in advance if I do movie references or things like that; they might be a little bit dated if you're a younger audience. Actually, out of curiosity, how many people, raise your hand, are, let's say, thirty-seven years old or younger? Okay. I've been doing this your entire life,
just to put that in context, and yes, that does make me feel old. Another little wrinkle that I've added to this talk in the last couple of months is to try to put an emphasis on mental health hacking. We've had a lot of issues within our community of people getting burned out, and people going to extreme lengths to try to end the pain. So I want to, as I'm telling the story of what I was doing, you know, many years ago, trying to become a hacker and pentester and things like that, I want to overlay that with the fact that I had a real life. So I'm gonna bore you with a bunch of family photos, but
the emphasis is: don't forget, you know, whatever your passion is, whatever you're doing for your day job, your interests, don't forget to step away from it and actually have a life, whatever that may be. So I will bore you with some family photos. So anyway, getting into it. I was at NSA approximately ten years, from 1986 to 1996. During that time I did several different things, but it boils down to primarily cryptography. And, at the time, there were two sides to NSA, what we loosely called offense and defense. The offense is what most people think of when they think of NSA: it's communications intelligence, signals intelligence, intercepting the communications of our adversaries and
other countries and nation-states. I worked on that side of the house, breaking codes, breaking ciphers. I was also on the defensive side, which is what we called InfoSec at the time, actually designing and creating secure codes and ciphers, and then later on, obviously, got into the pen testing with them. I mentioned there's an original version one of this talk, Tales from the Crypt Analyst, where I go into more detail of sort of the early years and things I did, but I do want to highlight a few of the things that I did there as they apply to sort of the formative events that occurred in my career at NSA, which helped me to realize that I was actually
a hacker. I actually believe you're kind of a hacker from birth, because to me hacking is sort of a state of mind; it's a way of viewing things, and for better or worse I viewed the world differently than most. So, very early experience at NSA: I was working for the manual crypto systems shop. We were responsible for putting out all the paper cipher systems, primarily one-time pads, mostly for the Armed Forces. I had a customer approach me very early on and say, it takes us hours to do the one-time pad decryption, but there's this thing on our desk called a PC; is there any way we could use that to just speed up the process? And I thought, well, yeah,
that's something that we could do; that seems reasonable. So, to make a long story short, I produced what I still, to this day, believe is the first software-based encryption product NSA produced. And all it did was take a one-time pad, and on one end it was paper, on the other end it was a floppy disk, and we wrote a program that would run on the computer that would do the encryption and decryption a page at a time, securely delete that page, and move forward. I had to go through (and this is where it kind of gets into the methodologies and sort of thinking about pen testing), I had to go through a
compliance process, if you will, or an SDLC process. It was called FSR in those days: Functional Security Requirements Specification. These specifications were written for hardware. Back in those days there was no such thing as software-based cryptography or online, digital, anything like that; it was all basically radios and things that would attach to radios that would convert signals, voices, to, possibly, like Morse code and things like that, but it was not digital in any way, shape, or form, at least the way we think of it today. So I had to take hardware specs and try to follow them, but make them applicable to what we were doing, which was software-based. So I basically had to
hack the requirement specifications. This did not go over terribly well. I had to go through a review process and basically sit in front of the board of directors, if you will, you know, the equivalent C-level type of people that were running the entire InfoSec side of the house, and they begrudgingly had to acknowledge that I met the requirements the way they were written; at least they couldn't talk me out of it, or they couldn't find an argument not to go forward. So they granted me the permission to publish, you know, produce this software-based system, but the last thing that the head guy said to me was, don't do this again. Another fun thing I did, which
was for another customer, again using one-time pads, happened to be US Special Forces. They used a particular one-time pad that, as their algorithm, if you will, they used something called a Vigenère table, which is a slide of the alphabet, 26 different offsets, but using a reverse alphabet in the body of the table. This produces a hundred and twenty-three unique three-letter combinations, three-letter trigraphs we call them. So think of it: plaintext, key, and cipher, in any order; you've got two letters, there's always a unique third letter. So that enabled the encryption process with a one-time pad. They memorized it; I didn't. As a crux for me, I had just gone through an intro to crypto class, learned about a cipher
wheel, and I thought there must be a way to do a cipher wheel with this Vigenère table. So I came up with this wheel. They liked it so much they stole it from me every time I made one, so I ended up asking, would you like us to make these things? So we produced like 15,000 of these wheels, and they were used by Special Forces, as far as I can tell, well, as long as they used paper one-time pads, but at least 10, 12 years, up to maybe around the 2000s. Earlier this year somebody approached me and said, have you ever heard of the DIANA cipher wheel? And they showed me this picture. Some artist somewhere, a craftsman,
has produced wooden versions of this cipher wheel and is selling them online. I don't know if you can see the link there, but if you google "Diana cryptosystem" you should come up with this. This is on Etsy; you can buy these things. I got in touch with the guy that made them, because I said to the guy that showed it to me, it's like, not only am I familiar with it, I'm the inventor of it. So I got in touch with the guy that built them. He was very excited; he actually sent me a bunch of his wooden crypto devices. So there's two sizes of the cipher wheel; the thing in the middle is
a wooden version of the Enigma machine, and the one on the bottom is, I forget what country it is, but it's like Polish or something; that's another really cool cipher wheel. So if you want some cool paraphernalia, check that out. This is actually, I found online, a picture of an actual production version of the cipher wheel. I've got the two prototypes that we produced, and I always show it off; if you want to see it, find me later. Anyway, I was doing these things, and my boss at the time referred to me as a loose cannon, and I kind of took that as a badge of honor. I don't know if he meant
that in a positive way or not, but I kind of took that as, yeah, I'm a loose cannon; I'm gonna try to figure out a way to get things done and do things regardless of what the rules are. Hacker mentality. Very briefly, my second tenure, my second tour at NSA, was I became a cryptanalysis intern and I went over to the operations side of the house. I happened to be there during the first skirmish in the desert, Desert Shield/Desert Storm, so I got to work a bunch of midnight hours, and I got a certificate and, like, a small cash award, which was really cool. Where I was: I was a little ways away, down the road. I had
originally started at a satellite location, and I went to the main campus. So if you've ever seen the aerial photos of NSA, there's mysterious black buildings; I was somewhere in there. And ultimately, being an intern enabled me to get a certification as a cryptanalyst. It's really the only certification I hold; it's the only one I really care about. But again, that's another story, certifications. So, chapter 3, which is the crux of this talk today, is what I did during what started out as my last tour of duty as an intern: I was back on the InfoSec side of the house, and I went to work for what was called the Fielded Systems Evaluation Division. In that
division, the reason it existed was somebody within NSA had figured out that the way that we, NSA, very often exploited the communications and crypto of other countries and our adversaries was we took advantage, basically, of the systems being misused. Operators would find shortcuts to bypass the crypto; they would use key that was intended to be used one time and, for whatever reason, to save paper or something, they'd use it for a month. When you misuse cryptography and use it in ways other than it was intended to be designed, inevitably, very often, you introduce vulnerabilities that become exploitable, and that's where the cryptanalysis kicks in. So somebody had the idea, well, gee, NSA at the time was
the producer of all the crypto for all of the US, the military, the government, the DoD, State Department, and all that. We produce the best crypto in the world; we test everything; we get everything certified and approved; we do all our certification and testing on the inside. But how do we know that people that are out in the field using it are actually using it the way we intended? It looks good on the blackboard or whiteboard, but how do we know we're using it in the field? So we had this whole office that was dedicated to going out into the field and actually meeting our customers and observing and watching how they used it, to see if they were
doing things that would bypass the crypto or inadvertently introduce vulnerabilities. I thought it was a great idea at the time. I was actually assigned to look at this one particular device; it was called, well, every crypto device has a codename, and this one was called PARKHILL. This one was taking an audio, analog, you know, phone voice signal, converting it to digital, encrypting the digital portion, taking the digital stream, converting it back to analog so it could be sent over whatever channel, whatever frequency, and the process was reversed. If you used it, and you were able to actually make out what the people were saying on the other end, it sounded a lot like a very choppy Donald
Duck. It wasn't perfect, but it was revolutionary at the time. So I was assigned to look at it and evaluate it, but then this happened. Here's a date; anybody know what happened on this date? This is why we're all here today. Well, more specifically, it was the release date of the first sort of publicly available web browser, called Mosaic. Anybody remember Mosaic? It really, literally, changed the world. It was revolutionary; it's what first made the internet sort of publicly available to the masses. And of course there have been hackers and bad guys and people doing things on the internet for many years, but it wasn't really open and out there, and people weren't aware of it, but
you know, thanks to popular movies, the awareness of it became a thing. I was in a branch, or a group, within this Fielded Systems Evaluation Division that was focused on what we called at the time network systems. So, you know, we were looking at mostly mainframes that were connecting to each other, with workstations or dumb terminals, I guess. In those days workstations were all UNIX-based, easily; they were SunOS or Solaris, and everything was sort of networked. It was all UNIX; in fact, in the early days it wasn't really cybersecurity, it had a lot to do with UNIX and internet security. Here's one of those sidebars: while I was doing
all this, and it was really convenient, because working for an organization like NSA, it was literally a nine-to-five job; because we were a classified entity, we couldn't take our work home with us, which made it convenient to leave things at work. But I was getting married, raising the family, having kids. But back at the day job, there was a small group of us that were working in this network systems group, and we started learning about the web, and going on to Mosaic and searching and finding out all these cool things, and we were having this thought (a similar timeframe to what Chris had talked about during his keynote this morning; this was sort of early to mid '90s), but we're like,
hey, you know, we should try to figure out how to break into things and do it hacker-style, do it the way we've seen it in the movies. One of our main inspirations, anybody heard of this book, The Cuckoo's Egg? This is Clifford Stoll; I believe he's an astronomer by training, worked at the university. Back in those days, when you were getting on the computer, which was a mainframe, to do whatever work you were doing, you had to pay for your time. He was reviewing the bill, the monthly bill he got one time, and noticed a discrepancy, and that led to him discovering that the university
mainframes, which were doing a lot of government work, had been compromised by East German hackers, you know, Iron Curtain, Soviet Union, all sorts of cool stuff. And they made a movie about it, and it premiered on a show called Nova; I don't remember, you know, I don't know if it's still on or not, but educational television back in the day. But this kind of stuff was like, wow, we've got to figure out how to do this; we've got to figure out how systems can be secure by breaking into them. It was kind of cool; it was kind of fun; it was kind of edgy. And, more on that later, I actually had the privilege
earlier this year of meeting Cliff Stoll, which was kind of cool; we were at a conference up in Canada. So there's gonna be several of these things; I've had a fun year meeting all of my heroes from back in the day. But anyway, what the government likes to do when they come up with an idea, seeing something new: we were kind of doing things, you know, sort of in the worker-bee ranks, but the management was thinking lofty and higher. So they reorganized, and they formed this thing called the Systems and Network Attack Center. So the small group of us that had been, you know, starting to tinker, learning how to break into, primarily,
UNIX systems, how to hack systems, we got pulled into this group, and we actually were put into a division. Everything at NSA is letters and numbers, so we were put into an office called C4, which we thought was kind of cool. This was designed to be a center of excellence; it was one of the first centers of excellence NSA produced. So it was done by the management, the suits, we like to call them, and so it was a very intellectual, very resource-oriented type of organization, and we were put in it. But we were trying to be different; we were trying to be edgy; we were trying to be
hackers, and sort of live and think that mentality, and come up with a pen testing methodology. So we sort of formally pulled together and started a team. The deputy director at the time, again, he had this sort of naive vision, and he thought all we need is a bunch of these long-haired, young, you know, weird type of people together, and if we get them together we'll just rule the world; we'll be the best that there is. And we tried to educate him that, you know, there were a few thousand of these types of people out there, and no subgroup would ever be able to compete against the masses that were available out there. But
it got us reorganized; they put us into an office so we were together. And one of the first things we tried to do, now that we sort of had an organization and budget and a mission, was we wanted to learn. So at the time the organization that was sort of leading, at least within the DoD, was the Air Force. The Air Force, for whatever reason, sort of owned the internet for the military; they were basically the sysadmins for the entire internet presence, you know, networking presence, for the DoD. So they set up the first Network Operations Center, which led, shortly thereafter, to the first Security Operations Center, and this was all based down in San Antonio,
Texas. They had an organization at the time that was called the Air Force Information Warfare Center, so we knew them to be sort of the elite and the premier; they were leading edge. So we took a trip; we wanted to go learn from them. So we took a trip to San Antonio. We met a couple of guys there, these two captains: on the left is Captain Zeiss, who unfortunately passed away about two years ago, and on the right, Captain Waddell. These guys, you know, again, leading edge; they and a bunch of their cohorts left the Air Force and went on to start a company called WheelGroup, which was, I believe, more or less credited as being the first commercial
security vendor company out there. And like many security companies that were leading edge at that time, they very quickly got snatched up by some larger company; they actually were acquired by Cisco. Whenever I meet somebody from Cisco, as an aside, I ask them, why are you here? You know, Cisco is not a security company, but they've been trying to be a security company for a very long time. Anyway, not to dig on Cisco, but, you know. So, San Antonio: has anybody ever been to San Antonio? Wonderful place. At the time they had an Air Force museum with a lot of planes. Anybody know what plane this is? Recently declassified when we got down there, so this was the first
time we had seen this plane. And this one, anyone? This one, the A-10 Warthog; this was what kind of won that skirmish in the desert. And of course we had the usual sightseeing stuff, including the Riverwalk, and of course the 46-ounce margarita; only have one of them. I was in San Antonio, we were on the Riverwalk, we had just had some big huge steak dinner and then were drinking the 46-ounce margarita, and I called home to talk to my wife, and she's like, you know, how are you doing? And I said, I just had a steak and I had this margarita, and she's like, great, I'm home with the four kids and we just
split a can of tuna fish. So it was very important in my off time to make sure I took care of the family and took them on vacation, so we did a lot of vacationing. As an aside: hacker mental health. Our biggest takeaway from the Air Force visit was two things. One was, these guys were smart, but they weren't any smarter than us; we were sort of on the same page in terms of learning about attack methodologies and what kind of exploits were out there in the wild, and sort of the way you did things back then. But what was significant to us was their physical office structure, what do they call that, feng shui, something like that.
They had, instead of regular old cubicles stacked up, they'd pushed everything to the corners, and they literally had a round table in the middle of their office. And the way that they set it up was, everybody's doing their own thing, but if anybody had a problem that they wanted to sort of collaborate on, they'd call "round table," and everybody would turn and come to the middle. And we thought that was really cool, so we emulated that. Of course we had to have our own space to do that, and we set ourselves up in an office; we had the whole round table scenario. We were trying to live the hacker mentality, the hacker culture, so we nicknamed our
office, and we called it the Pit. The Pit was an office that existed in an NSA facility that was just west of BWI Airport, and the Pit was actually in this building here, in the corner; I think it was on the second or third floor. The reason I bring this up is because several years ago a book came out called Dark Territory: The Secret History of Cyber War. In the fourth chapter, which is entitled Eligible Receiver, there is the following paragraph, which I like to do a dramatic reading of, in the middle there: During its most sensitive drills, the red team worked out of a chamber called the Pit, which was so secret that few people
at NSA knew it existed, and even they couldn't enter without first passing through two combination-locked doors. So our office was the Pit. Somehow it evolved into folklore. We didn't have double-locked doors; we were just an office, an office with cubicles and a round table in the middle. But somehow that transcended. One of the members of the Pit, one of the people I used to work with, bought the book, read this, took a picture of the paragraph, and sent it out to all of us, like, we're famous, we're famous, we're in a book. So the Pit, really, at the end of the day, was six people. There were six
guys that were working together trying to learn how to do hacking, ethical hacking, penetration testing; we actually at the time called it vulnerability and threat assessment. So we tried to develop a methodology. They didn't exist back then; there were no SANS courses, there was no Certified Ethical Hacker, none of it. We were just kind of shooting from the hip, trying to come up with things. Of course, we were doing this at NSA, and that immediately causes several issues, because (a) it was something different, and NSA, at the end of the day, and still to this day to my knowledge, is a pretty conservative organization. It's also a bureaucracy; it is, at the end of the day,
government, and things typically don't move very quickly within government. You know, Chris mentioned how long he's been trying to get his company through the FedRAMP program; it's not efficient if you're into speed. And we were trying to live the hacker culture, which moves fairly quickly, so that caused conflict, let's just say. The biggest conflict is, we wanted to break into things, but to get authorization to do this thing that was kind of different and weird, and also, by the way, was sort of against the charter of NSA, which basically, if I can sum it up, because it's still, I think, a classified document: NSA's only supposed to do what NSA does to foreign nationals, to others,
other countries, other citizens, and it's not allowed to do what NSA does to U.S. citizens. And a whole other talk and discussion we could have is about Snowden and all that kind of stuff, but that's sort of the genesis of it: NSA is not supposed to do that, but we can do it if we follow rules, and the rules would take weeks to get done, where all we wanted to do was break into something, and we knew it could only take a couple of seconds. We came up with a methodology. I think the methodology hasn't changed a whole lot, because there's a way that you try to break into things: you first do some sort of reconnaissance;
we called it recon; these days it's called open-source intelligence, but you have to learn about your target. And once you learn about your target, you try to zone in and try to find the weak spots, and you try to find the weak spots in various ways, and once you find the weak spots you try to exploit them, so on and so forth. To try to help put this in context, because I go to a lot of these conferences and I hear lots about pen testing, how it's done these days, and I think, again, even Chris referred to the amount of automation that's out there these days, I want to just remind you of what we did not have available to us
when we were discovering all this. So this is not a concise list, this is not a comprehensive list, but this is just to give you some examples. We were, you know, doing it manually, primarily; there were some rudimentary tools here and there that became available, I'll share some with you, but the stuff that we take for granted as pen testers these days more or less just did not exist. By the way, I tried to get together with my family on holidays, and we would do fun things like go to the pumpkin patch and all that kind of stuff. I dressed up as Santa; now I do
Santa very well. Anyway, I told you about what we didn't have; I want to share a little bit about what we did have. And again, it was all manual, and we were sort of making it up as we went along. I want to give you a disclaimer now. The way the rules were at the time, any time we targeted a system, and very often the system was a network, everything we did had to be classified at the level of the target. So if we were going after a top secret network or top secret server or top secret system, everything we had to do was top secret. And since we were NSA and our charter was to take care of
and monitor and inspect and secure the classified networks, very often everything we were doing was classified, which, to my knowledge, hasn't been unclassified. So what I will say to you is, I'm not saying we were using any of this stuff I'm about to share with you; I'm saying that this was stuff that was commonly available at the time. Now, just nudge, wink wink. I did this at a conference in Baltimore, BSides Charm, and somebody, like, interrupted me; it's like, I work there, you can't do this, stop, stop. I'm like, it's a joke, it's a joke. So, disclaimer: this was a joke. We had network sniffers; they were hardware; they weighed 20 or 30 pounds,
and we'd wheel them around on carts, and we would plug them into the network devices, and we would do what was called sniffing the network. Nowadays you have Wireshark and things like that. We had the rudimentary beginnings of a vulnerability scanning tool; one of the first ones out there that was publicly available as open source was a program called SATAN; you can see what it stands for. Again, I had the pleasure, I think it was last November, since I'm involved with Security Weekly, we were able to arrange to have the developers of SATAN on the air for an interview, a very special moment; we got to talk to Wietse Venema and Dan Farmer. So, fanboy moment
for me. And I'll say this, in terms of a fanboy, as an aside: these guys are in it for the passion of the craft; they try to help people have more secure networks. They had an opportunity very early on to commercialize and make people pay for their product, and they opted to keep it open source. Not to make a value judgment, but I've always thought that was kind of cool, that they just didn't see the dollar signs and run for it like a certain other person did that came out with a contemporary vulnerability scanning tool, which is not to disparage that person, and I won't say who it is, but, you know,
you make your life choices. I'm just gonna suggest that the outcome isn't always money that makes for a satisfying career, and however we define success, sometimes doing the right thing and educating and helping people be a little bit better off can be pretty darn satisfying too. Another date: one, two, three. Nobody's going to get anything. This is when something called Bugtraq came out. Anybody ever hear of Bugtraq? Remember Bugtraq? Is it still around? I don't do this stuff actively anymore. Bugtraq was, at the time, one of the primary sources of vulnerability information. If you were working on a system or a particular application or operating system, and you
wanted to learn about what people knew about it in terms of its operation, particularly vulnerabilities, people would write into this email mailing list, and it became an archive, and you could respond. It's an old-fashioned way of communicating, which is only 25 years old. It was a primary resource for us. And we used to go to the pool, and I used to have hair. So this is an example of what Bugtraq looks like; and again, it was an email format: people would write a question, and then people would respond to it, and Bugtraq had the ability to just sort of thread everything together. So it didn't work perfectly, but if you had a topic it had
the ability to help you find who's talking about it what they were saying one of the other thing we had as a primary source of information was advisories that were published by the computer emergency response team that you know this was tracking real world hacker activity look out there's bad guys doing something somewhere if anybody can read the small print on that check the date and check what the what the vulnerability is about this was a real advisory that they put out about virus alien operating systems being vulnerable to a virus they had a sense of humor back then some samples of OSINT again we caught it more reconnaissance back then they were basically databases
most of the internet back in them was databases that had some sort of rudimentary search engine built into it there was FA cues that were available there wasn't much to go on Archie was one of the search engines that you could look up mostly university connected databases to see what information is out there the internet was a way to look up domain registrations who owned what and what ads address space go for is another search engine before Google there was this kick-ass search engine called Alta Vista and by remember Alta Vista anybody still think is better than Netscape came along as a browser you know as more people put more things on the internet things became more browser browser
friendly and then the original browser Yahoo not the one that exists today but the original anybody remember the original Yahoo browser so we would try to acquire targets back in those days everything was internet routable the the private addressing wasn't really a thing if you wanted to be on the internet you had an IP address and you had to register your network segment they were categories categorized in domains and so on and so forth but if you found a target you wanted to do a port scan the port scanner that we had available to us at the time was something clone stroke interesting trivia note about this thing called strobe which I didn't realize until I was putting the talk together
because I was trying to look up when the inks game came out anybody have any idea who wrote strobe Juliana sighs when I saw that is like that's why I recognized the guy's name totally forgotten it I hadn't looked at strobe in 20 20 years brownie points for getting the answer right so I'm again I'm a beer you could you'd have to look up you know you had a target you'd look up what their registration was what their domains were what their address and space was Jews nslookup and you could look up the targeted account the IP addresses or the network segments and you get all sorts of fun information like the name of the
administrator that set up the account and you could usually figure out what his user idea was and then you know surprise surprise guessing passwords back in those days was a thing but that's been solved an ounce of passwords of move known we had tools that would actually do mapping of the networks to figure out the topology and it would actually do a little bit of sort of trap what we call traffic analysis look who's talking to who and who's talking to what and and back in those days there's this concept of client-server where the server was running the application and the clients would just attach with sort of an interface so the server is what you
wanted to go out go after typically that's where the perceived crown jewels were the juicy targets you could figure that out with Network and happy another date anyway this is when the password cracking program came out that was cleverly entitled crack again back in those days to get the passwords you all only had to go to the password file Etsy password this is an actual snapshot of an actual password file not from the NSA days because that would have been classified but this is one that I pulled shortly thereafter so you've got the user ID you got a colon you've got this weird string which is the hash of the passwords this used to be world readable
by anybody on the system so you could just go grab it run crack pop and recover a password after password after password again passwords have been solved now so that's not a problem anymore back in those days basically the methodology was to get anywhere on any system within the network and at once you had some sort of user access level because these were all pretty much UNIX systems the next goal was to get route if you got route it was game over it's the equivalent to getting the domain admin access these days in the windows world a very common technique for elevating your privileges to route was finding programs that were running on the system with what was
called set UID or or set UID 0 what that basically meant was the program was running as if it was running on the root account and if you could halt the interruption of that thing very often it would dump out into a shell but retain the the characteristics of what it was running ass very often you would dump out into a root to find a program running set UID figure out how to break it or halt its operation make it choke somehow and very often it would just dump out into a root shell you had root and you did the root dance and you were done so I mentioned so that's some of the tradecraft back to what we were trying
to do I mentioned that we had some growing pains we had some problems and and one of the key problems was this thing as I sent mentioned earlier the NSA Charter which I can't show to you because it's still classified but again essentially the essence of it is NSA doesn't do what NSA does to u.s. citizens another date anyone anybody know about PGP so I have a story to tell about this but in the interest of time I will skip it asked me about my NSA PGP store story if you see me somewhere out today or this evening especially if you put a drink drink in my hand I'd be happy to tell you the story
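The /etc/passwd layout and the world-readable-hash problem described a few lines up, as an added example that is not part of the talk: a small Python auditor that parses passwd-format lines and flags the legacy condition (a crypt hash stored in the passwd file itself rather than shadowed), plus empty passwords and extra uid-0 accounts. The entries in SAMPLE are constructed, not taken from any real system.

```python
"""Audit passwd-format text for the legacy weakness described in the talk:
password hashes sitting in the world-readable /etc/passwd instead of a
root-only shadow file. Added example, not from the talk; sample data is
constructed."""
import re
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    user: str
    pw_field: str   # second colon-separated field: 'x', '*', '' or a hash
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z]
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $1$ (md5), $5$ (sha256), $6$ (sha512), $y$ (yescrypt), ...
MODULAR_CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$")


def parse_passwd(text):
    """Parse passwd(5) lines (7 colon-separated fields) into PasswdEntry objects."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_pw_field(pw):
    """Classify the password field: shadowed, empty, locked, hash or unknown."""
    if pw == "x":
        return "shadowed"   # real hash lives in /etc/shadow, readable by root only
    if pw == "":
        return "empty"      # no password required at all
    if pw[0] in "*!":
        return "locked"     # '*', '!', '!!' etc. can never match a password
    if DES_CRYPT_RE.match(pw) or MODULAR_CRYPT_RE.match(pw):
        return "hash"       # crackable offline by anyone who can read the file
    return "unknown"


def audit(text):
    """Return (user, problem) findings for entries an attacker could abuse."""
    findings = []
    for e in parse_passwd(text):
        kind = classify_pw_field(e.pw_field)
        if kind == "hash":
            findings.append((e.user, "password hash exposed in passwd file"))
        elif kind == "empty":
            findings.append((e.user, "empty password"))
        if e.uid == 0 and e.user != "root":
            findings.append((e.user, "additional uid 0 (root-equivalent) account"))
    return findings


# Constructed sample in the classic seven-field layout the talk describes
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jeff:x:1000:1000:Jeff:/home/jeff:/bin/sh
legacy:ab4Qm8hJ3kLp2:1001:1001:Legacy user:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""

if __name__ == "__main__":
    for user, problem in audit(SAMPLE):
        print(f"{user}: {problem}")
```

Run against a real file with `audit(open("/etc/passwd").read())`; on a modern system every entry should classify as shadowed or locked.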
Another fun fan moment for me: I got to meet the actual Phil Zimmermann last fall. He's a real geek, I mean among geeks he's a real geek, but it was really cool to meet him. So we had this issue of we weren't supposed to be doing things, you know, to citizens, and we were trying to do this ethical hacking, breaking in first before the bad guys did. I want to share with you one reveal of one top-secret thing that we did, so this doesn't leave the room, you don't really have to pause the video, but here's one of our primary attack tools back in the day.

Now let that sink in a minute. It's funny: the ping command. We had our lawyers, our general counsel, rule on the ping command, and their interpretation was, because the ping command issues or elicits, they used lawyer language, elicits a response from the target, we have to therefore classify it as an attack tool, therefore it has to be considered classified. So quite literally, before we could issue a ping command, we would have to go through the weeks-long process of getting 10, 15, 20 signatures from all sorts of various levels of management, half of which didn't even know who we were or what we were doing. It could take weeks if not months to wait to issue a ping command. Now, granted, we never really waited to issue the ping command, but at some point we had to wait for the paperwork to catch up to us. This wasn't going to work. This wasn't going to work in terms of building any kind of reasonable methodology that we could go out and do this thing, this ethical hacking, this pentesting, what we called a vulnerability and threat assessment, for any of our customers, which was primarily the DoD, the military, State Department, anybody running a classified network.

So we had to engage with the lawyers. For whatever reason I thought, I can do this, I have a brother that's a lawyer, I felt like I could speak their language. So I sort of volunteered to take on the assignment of trying to educate the lawyers and work with them on figuring out a way to sort of streamline this process, because it's ridiculous to have to wait six weeks to issue a ping command. So the original idea was, the lawyers said, well, why don't you just show us all your different attacks and we'll sort of pre-approve them, so when you have an assignment or you have a new job you will just sort of fill out an à la carte menu: you know, we're going to do a couple pings here, we're going to do a couple of this over here, and they'd be like, oh yeah, we know what that is, we approve it, and we'll streamline the process. And I tried to explain, well, that doesn't really work, because we don't often know what we're going to encounter until we start doing the reconnaissance or the open-source intelligence gathering. We don't know what we're up against, we don't know what the potential weaknesses are that we might want to exploit, until we start doing the job. So I tried to emphasize to them that we needed to think more about the methodology and the process and not so much focus on the tools and the techniques. So we embarked on what I called at the time a weekly meeting with the counsel, the general counsel, to teach them hacking techniques, to teach them the methodology, to just show them how it worked. And I called it Tool Time, because there was this popular show on at the time called Home Improvement, where the show within the show was Tool Time.

And again, I also found time to spend time with the family, because it was important to take time off. So we would go on field trips and go on outings, and I did get to know my kids, and I think they mostly liked me even though they are adults these days. But meanwhile, back at the day job, we started doing this. It was new, it was different, people were connecting to the internet in all sorts of new and different ways. So we became popular. We were doing our thing within our little world, the DoD military classified world, but somehow word got out, and this will be a very abbreviated story, but somehow the Department of Justice got wind that NSA had this group of people that were doing this ethical hacking, pentesting type of thing, and they said, we want you to do that to us. Well, at the time NSA was doing what it did to classified networks; the organization that was responsible for the unclassified networks of the government was an organization called NIST. You've all heard of NIST. It was also well understood at the time, and I will disavow this if you share it with people, but NIST was very generally understood to not have much in the way of capability at the time, so they would often defer to us anyway. So again there was this bureaucratic, political, red-tape process that we had to go through. So we were approached by the DOJ: we want you to do this. I had to go to the lawyers and say, how do we make this happen? And launch this months-long process where basically what it boiled down to was, it was sort of a handshake, sorry for the sexist language, gentlemen's agreement between cabinet members within the government. So the Secretary of, what do they call it, the Attorney General for the DOJ had to talk to the person in charge of the DoD, which was delegated to the deputy director that was responsible for all this internet-type stuff, but they had to request: hey, can you have NSA do this for us? So back and forth at this high level. I was responsible for writing a lot of the letters, and other people would do that, like the lawyers, to get all the language right, and then it would go for the signatures. But this letter actually came in signed by the Attorney General at the time, Janet Reno, asking for the help, and the response was eventually published, signed by the director of NSA at the time. You can see I'm actually named in it as the point of contact. We were going to do a security assessment, a vulnerability and threat assessment, at the DOJ.

And before this letter could be sent, this happened. This was the first compromise, the first hack, of a government website, and back then it was all website hacking. And so whoever did it, I'd still like to meet them to this day, because we never figured out who it was, but I suspect that I've probably met them at some point. But they came in and defaced the NSA website. You could scroll down; you can find this on like the Internet Archive's hacker archives, just Google the DOJ hack, you scroll down and you get into some NSFW stuff, so I'm not going to put it up here. To make a long story short, it was hacked. We figured out a way to go down; I took the first forensics team that NSA had, and of course we didn't know what we were doing, nobody did at the time. The DOJ had what most people had in those days, a web server that was running on one of their own servers in their DMZ; there was no co-hosting or cloud or anything like that. And as soon as they discovered that they'd been hacked, they pulled the plug, wiped the whole system, and, you know, rebuilt it with an operating system, you know, that's wiping out whatever forensic evidence there might have been. Whole other topic.

But essentially we were doing something that somebody in a political position got wind of, and we were down there, I had led a team to go down there, we were down there for two, three days when I got a phone call from somebody in the Pit saying, the shit's hit the fan, drop what you're doing and come back. We came back, we got marched into the conference room for the Deputy Director of Information Security, so we're in the big panel building with the big long table, and the lawyer that I'd been working with came in and proceeded to read us the riot act: that we had done some gravely illegal thing, don't you know about the NSA Charter, don't you know about the Church proceedings? I'm not going into that, but the second time I ever heard about the Church proceedings was Snowden. I give a talk where I go into detail on this that I have entitled "I Was the First Edward Snowden." Again, put a drink in my hand, I'll tell you the story later. The upshot was, we got into a lot of trouble. Because I was the ringleader, everything kind of fell on me, because somebody's got to be the scapegoat. But in a positive light, because we became familiar with forensics early, one of the first publications that SANS did was one on incident handling, and I was a contributing editor to that. But at the end of the day, after all sorts of bad things happened, the members of the Pit were again paraded into the conference room, and we were told by our senior management: look, we really like what you guys are doing, you know, we want you to do what you guys are doing, but if you're going to do it here you kind of have to do it following our rules. And we were hackers, so we left. Most of us. There were six of us originally; two of us are still at NSA doing all sorts of wonderful things that I don't even know what they do anymore. Four of us are out in the private sector. The only other one that I have public permission to share is Ron Gula. Ron Gula went on to be the founder of Tenable Network Security, the makers of Nessus, and me and several other people. So that's the Pit, sort of as an aftermath. I mean, you know, this whole DOJ thing happened at the end of '96, in August; I was gone by October; others followed shortly thereafter.

Here's another date, and this is for the benefit of the L0pht. Well, it's as close as I can get to what I think was the release of L0phtCrack, which was the original Windows password cracking tool. So correct me if I'm wrong, Chris, but I think this is as close as I've been able to find. Also in '97, after I left, was this thing called Eligible Receiver, which you may recall was the name of chapter 4 in the book Dark Territory, where we have been memorialized as being the Pit. What Eligible Receiver was, was a joint, organized NSA hack of the entire DoD. It was designed to last for something like two weeks, and, you know, you may or may not be surprised to know they had to pull the plug on it after like 13 hours, because they owned everything, and it revealed for the first time how vulnerable things were, so on and so forth. The picture on the right here is, they actually got all the suits and senior-level executives that were so proud of themselves for coming up with this thing, I guess for the 20th anniversary, they got them together for a symposium at the University of Maryland, which would have been in 2017. That website I think is still active, and you can go there, and it's weird, you can't Google search it, but if you go there you can find a link to, they have a roundtable discussion where they talk about Eligible Receiver. They also have a redacted version of sort of a promotional video that they did about Eligible Receiver that they produced back in 1997. It was originally a twenty-minute video and they redacted it down to, it's like eleven minutes. If you're clever you can go out and find it. There's people that are in that video that I knew and worked with, so it's a little interesting piece of history, but it happened after sort of the time of the Pit.

Another fun date, just again to put these things in context: nmap didn't come out until after I had left NSA. So everything we did at NSA in the early days was done without nmap. Can you imagine?

We still get together, less frequently now, we try to do it as often as we can. At a recent gathering of the original members of the Pit, somebody who's still at NSA brought us a whole bunch of tchotchkes from NSA. So I got a bottle of NSA secret sauce; I've never tried it, I'm not going to open it. And then we got this really cool NSA pen that actually emits the NSA seal as sort of a Bat-Signal, which is what's being projected on that coffee mug. So that's not a seal on the coffee mug, that's what the pen produces. You can find this stuff at the gift shop for the NSA Cryptologic Museum, which I encourage you to visit sometime if you're ever in Fort Meade, Maryland.

So that's a real high-level, lots of stories. You know, I've taken all this sort of institutional knowledge, tried to turn it into a career, and at this point I try to give back and educate, because I still think there's value in learning from the history of where we've come from. It's been mentioned I'm a co-host on Paul's Security Weekly, and I get to correct Paul all the time and try to provide context; we get along really well. I'm known as the PCI guy on Security Weekly, and I don't know if I've been rewarded or put in a corner yet, but they've given me my own show now, and we've just started recording in the lab since October: Security and Compliance Weekly. So I'm the main host of that. We're trying to record several episodes before we drop it on the podcast feed, so we have a little bit of, you know, something for people to listen to. But stay tuned, if you're at all interested in sort of how security and compliance work together, and I would assert that they are very, very interrelated and can't be separated. Stay tuned.

I'm involved with a group called Hak4Kidz. They put out a game last year, it's supposed to be educational, called Phreaker Life, sort of the history of hacking and phreaking from the 70s and 80s and 90s. I was honored enough to be included as one of the face cards, and this is a group of most of us together at DEF CON last year. There was a book published earlier this year called Tribe of Hackers. I guess because of my elder statesman status they let me be in it, so I have a chapter in Tribe of Hackers. Just, I guess, right around the time of DEF CON this year they published the second version, Tribe of Hackers: Red Team, and I got to be in that. They're working on a Tribe of Hackers: Blue Team; I'm not in that book, not that I have anything against the blue team. I'm also known as a Jedi Master; I give a talk on teaching the Jedi, mastering the art of the Jedi mind trick.

And I was honored enough, I guess it's been three years ago now, to have been included in what's called the Cabal of the Curmudgeons, which is a group of old-timers that get together at RSA every year and have dinner with Gene Spafford. Gene Spafford is one of the authors of, way back at the beginning of the slide presentation, Practical Unix and Internet Security, so he wrote essentially the Bible that we used in the early days of how to secure networks. He's at Purdue University; he founded CERIAS. He's a really old-timer. To be included in this group you have to be invited in by one of the members and you have to get voted in; somebody has to sort of present your case and they vote, you know, thumbs up, thumbs down. So you might recognize some of the faces up there. It's a pretty small, you know, quote-unquote elite group, but we call ourselves curmudgeons because we're old and generally bitter and pessimistic, but we haven't completely given up hope. We're still in our own way trying to organize and trying to make a difference. And ironically, the person that I have my arm around, the guy in the red sweater there, is the lawyer that I dealt with back at NSA. So we have buried the hatchet and made amends, and now we're together again.

It being time for lunch notwithstanding, I'd be happy to answer any questions that anybody has, like what's my favorite craft cocktail. Yes, in the back. Wow, that's a great question. What constitutes a security company if Cisco isn't, I guess, is really the question, and I have no comment.

Any other questions, like what's my favorite alcoholic beverage? Because I am partial to old fashioneds. Thank you. If we're at a beer place I like browns and darker ones; in the fall that's what I prefer, if you want to ply me later on. Yes? The one that's free. Oh man, now we're going deep. I like walnut bitters; I like just about any kind of bitters. Anyway, let's go eat lunch. Thank you very much for your time. Oh, and last thing: I've got stickers. I'll put them out on the table somewhere if anybody wants stickers, More Tales from the Crypt Analyst stickers.