Evolution of the Hacker Mindset. Lessons from 2011 SONY Breach and Beyond

Show Notes

Join us as Cody Kretsinger shares his journey from the blind arrogance of youth and dark side of hacking to his evolution into the brilliant, community thought leader and  leading-edge cybersecurity provider. It’s a unique perspective on protecting against cybercrime and understanding Modus operandi.

Chapters

00:00 Introduction to Cybercrime and Hacking
07:00 The Thrill of Finding Vulnerabilities
13:40 The Role of the NSA in Cybersecurity
18:24 The Sony Pictures Hack: Exposing Laughable Security
26:05 The Consequences of the Sony Pictures Hack
27:31 Introduction and LulzSec's Actions
29:48 The Raid and Destruction of Evidence
30:17 The Hacker Mindset and Facing Consequences
34:57 The FBI Raid and Arrest
43:47 Transitioning to Cybersecurity and Red Teaming
49:03 Importance of Security Culture and Compliance

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Chapters

• 0:00: Introduction to Cybercrime and Hacking
• 7:32: The Thrill of Finding Vulnerabilities
• 14:36: The Role of the NSA in Cybersecurity
• 20:22: The Sony Pictures Hack: Exposing Laughable Security
• 27:28: The Consequences of the Sony Pictures Hack
• 29:25: Introduction and LulzSec's Actions
• 30:58: The Raid and Destruction of Evidence
• 32:18: The Hacker Mindset and Facing Consequences
• 37:15: The FBI Raid and Arrest
• 46:18: Transitioning to Cybersecurity and Red Teaming
• 51:18: Importance of Security Culture and Compliance

Transcript

Evolution of the Hacker Mindset. Lessons from 2011 SONY Breach and Beyond

Join us as Cody Kretsinger shares his journey from the blind arrogance of youth and dark side of hacking to his evolution into the brilliant, community lthought leader and  leading-edge cybersecurity provider. It’s a unique perspective on protecting against cybercrime and understanding Modus operandi.

Topics: how intelligence gathering is critical to security, how penetration tests help businesses stay protected, best ways to limit cyber attack liability, New True Cyber Crime Examples, cyber crime gang discussions, examples of recruiting in cyber crime gangs, how stolen data is sold by cyber crime gangs today, insight on true cyber crime examples, latest cybercrime stories, inside a cyber crime gang, behind scenes cyber criminals, things we learn from criminal hackers, understanding the hacker mindset, and how to limit liability from cyber attacks. 

 

why it's important to understand the hacker mindset,hacking planes trains and automobiles,how hacktivists help keep businesses secure,how penetration tests help businesses stay protected,how stolen data is sold by cyber crime gangs today,how to limit cyber attack liability,insight on true cyber crime examples,latest insight on cyber crime gangs,new insight on true cyber crime examples,why hacktivists help keep businesses secure,new insight into famous data breaches

 

Chapters

00:00 Introduction to Cybercrime and Hacking
07:00 The Thrill of Finding Vulnerabilities
13:40 The Role of the NSA in Cybersecurity
18:24 The Sony Pictures Hack: Exposing Laughable Security
26:05 The Consequences of the Sony Pictures Hack
27:31 Introduction and LulzSec's Actions
29:48 The Raid and Destruction of Evidence
30:17 The Hacker Mindset and Facing Consequences
34:57 The FBI Raid and Arrest
43:47 Transitioning to Cybersecurity and Red Teaming
49:03 Importance of Security Culture and Compliance

Guest Cody Kretsinger shares new insight into famous data breaches, why it's important to understand the hacker mindset and how hacktivists help keep businesses secure, as a security expert helping companies across the globe stay secure. He shares his incredible story of his past as “Recursion” a member of LulzSec hacktivist group affiliated with the infamous Anonymous group back when he was in college in AZ. Story details the Epic 2011 SONY data breach. Topics: how intelligence gathering is critical to security,, how penetration tests help businesses stay protected, best ways to limit cyber attack liability, cyber crime gang discussions, examples of recruiting in cyber crime gangs, how stolen data is sold by cyber crime gangs today, insight on true cyber crime examples, latest cybercrime stories, things we learn from criminal hackers, understanding the hacker mindset, and how to limit liability from cyber attacks.
 
 
MAURO (00:02.936)
Hey, everyone. Today's interview and story is a remarkable one. And it's really one that is one of our favorites. We talk about the evolution of the hacker mindset and we talk about specific lessons learned from the 2011 Sony data breach and beyond. So join us. This is a really good conversation with Cody Kretsinger He was part of LulzSec.

And he shares his journey from, you know, blind arrogance of youth and the dark side of hacking to his evolution into the brilliant community thought leader and leading edge security provider that he is today. It's really unique perspective on protecting against cybercrime and understanding the hacker mindset in modus operandi. This is the

of Cody Kretsinger and the evolution of the hacker mindset.


Dino Mauro (00:45.142)
All right, well, welcome everybody to Cybercrime Junkies. I am your host, David Morrow, and I am joined today by my always positive, always fantabulous co -host, Mark, the Mark Mosher. Mark, how are you? Thank you for that upbeat introduction, David. That is the insincere things to say to coworkers that we've developed. It's very effective. I give that a five star review. Yes, very good.

Hey, I'm really fortunate. I think you and I are both really excited. This is going to be great. Yeah, really excited. So we're joined today by Cody Gatziger, speaker, leader, author, hacker, former LulzSec member and cybersecurity champion. Cody, welcome to the studio, Thank you so, so much for having me. Yeah. Well, we're glad to hear glad to be here. You know, what's interesting is we actually started this podcast about

No, six months ago, maybe. Maybe. Yeah, it really hasn't been that long. And our very first live stream was about the Sony breach right now. Wasn't the one from 2011. It was the 2014 breach. And we were just talking about we were just talking about all the open questions like, was it North Korea? Was it this? If it was North Korea, why did this happen? Why did they know this? And like there were more questions than answers. And so that kind of sparked the whole interest.

And so we're really funny real fast on this. yeah. So has been compromised several times, right? yeah. It's just not so many pictures, which is the one that I was involved in. So you had you had the one around the movie, the one that you're talking about. You also had so much Sony online entertainment. They got breached as well. And I can't tell you how many people that will they'll swing by Twitter real fast. It'd be like, you know, hey, Cody Kretzinger.

Thank you so much for hacking Sony PlayStation. That wasn't even my hack. That wasn't your break. wasn't me. That's hilarious. It's usually just like, thanks bud. That's hilarious. Before we even get there, let's walk back to where'd you grow up? Did you grow up in the Midwest or did you grow up out in Arizona? I grew up in the Midwest and got involved with IT.

Dino Mauro (03:08.818)
And a good buddy of mine showed me this pamphlet for a college out in Arizona, specifically Phoenix. And they had a really, really awesome curriculum. Network security was the main component of it, but they also had computer forensics as well as network engineering. And it sucked me in and it was a really fascinating time out there. Yeah. So when you, what drove you to

Interested in computers as a kid like was it just? Just kind of what you liked yeah, so that I Love my origin story. That's the kind of way what I like to call it So there was this game called uplink And it is a hacking simulator game actually before then a good buddy of mine his his father was was really into computers a lot of computer gaming specifically

Command and Conquer series. So that kind of like, that was my foray into computers and then gaming. And then once Uplink came out, I played it and realized that there was a component of computers that was security based. And that launched me into kind of some underground hacking scenes to kind of figure out where I enjoyed doing certain things. And then ultimately got me professionally interested.

in doing security. Did you come from a background in it? Like were your parents in technology or anything like that? I couldn't meet two more distant people from technology. I will say my mom was a clerical typist that worked her way up to a really good position, a local government. My dad worked in law enforcement. So he's the king of spreadsheets, which is kind of a funny goof around the house. But

They both computers aren't their thing. In fact, the only reason we had a computer in our house originally, it was because the city ran some sort of deal that city employees could get a certain computer so they could familiarize themselves with it. What was your first computer? What was the first thing you ever worked on? So those are always tell somebody's age when they answer this, right? Kind of like.

Dino Mauro (05:33.294)
Yes, our first computer was a compact of some sort. I was fairly young. do remember the large floppy disks, not the small ones that everybody used. And then the CDs, you'd actually open up what looked to be a jewel case and it looked like a larger version of

of like a floppy disk. And at the bottom, was an actuating, you know, metal piece that when you put the CD in, that's how it was. Yeah, that was my thing would move on. Don't remember much about it other than it ran Windows 3 .1 can tell you the first real computer that I had any involvement with and broke a lot was a was a gateway 2000. It came in a box with the with the the cow.

kind of stuff. yeah. Gateway was the bomb, man. You'd walk in there. They had the gateway people. They were like, I'll customize a solution for you. You're like, wow, this is great. That is so funny. That's great. So what was it about network security and things like that that got you into wanting? Is it the challenge of it? I'm trying to understand for myself. I always I'm fascinated by the by the the mind

networking engineers that that like look at something like I look at it and I go, isn't that shiny? That's so cool. You guys look at it like, how do I make this thing like, start my lawnmower? Like, how do you think like that? Like, you know what I mean? Like, what was it that that interest you like? Or even how can I break this? Right? like, yeah, I mean, that's, that's the mentality really that the hackers have.

Let me tell you a story. I was at a conference a few weeks ago and it was after a really long day and I just plopped my butt down into a chair away from everybody else, kind of party going on in the background. And eventually four or five younger gentlemen come up and they're all talking. It's their first conference. And eventually they asked me some questions. Well, who are you?

Dino Mauro (07:55.714)
They didn't know, which is great, right? Because that's how I prefer most conversations to go. You know, what do you do and all that stuff. And they asked me more or less the same question that you did, David. And here's what I, here's what I asked back to them. I asked them, is there a certain component to IT or security or something where you get the warm and fuzzy? Your heart flutters a little bit. And a couple of them said, yes.

And I said, well, what component of your job makes that happen? What makes the hair on the back of your neck stand up? What makes the goosebumps? Right? And one guy said, well, it's actually it's blue teaming. the thrill of the hunt. Right? I want to find the bad guy. That's what really, really gets me going. And another guy said,

Well, it's red teaming. It's when I can break into a system and manipulate it to do a thing that it's not supposed to do. And I'm scared to death that some guy, somebody is going to find me and, you know, in that short period of time and I'm going to get caught. And that statement from the red teaming side of thing that it is the thrill of finding something. Yeah, it's almost the thrill of being chased.

Right? Like you want to accomplish a task. You want to capture the flag before getting caught. Yeah, there's a component of that, but there's also a component of I'm able to manipulate a system in such a way to get it to do a thing that it's not supposed to do. And I might be the first person to have ever done this. Right. Yeah.

Well, and in the community, there's there's street cred, right? There's accolades. There's there's Hey, I was able to do I was the first one. Like, I know. We're gonna get into that in just a second.

Dino Mauro (09:55.096)
Hey everybody, just wanted to mention Cybercrime Junkies Prime. We now have a subscription available through our podcast and it offers exclusive content, bonus episodes, and even pre -releases of all of our standard shows. We keep it simple. It's just the cost of one cup of coffee one time a month and you can cancel anytime. You can subscribe by scanning the QR code next to me in the video or by clicking the link in the show notes. If you select not to subscribe to our Prime membership,

please at least consider subscribing to our YouTube channel. It's at cyber crime junkies podcast on YouTube and it's absolutely free. allows us to bring great guests on the show. Thank you for your support. And now let's get back

Dino Mauro (10:44.334)
Right? mean, that's it's it's kind of what it is. It's like trophies, right? It's like, hey, I accomplished this. Let me throw it up on my throw it up on my book. Yeah, there's there's a component of that. I think more so in the past than than currently, you know, in the past, it was look what I did on the down low. Right. Like you maybe talk about it within, you know, certain social groups, maybe IRC or

maybe a local 2600 chapter or something along those lines. Everybody just kind of like new. Now so much you talk about a hack that you've done. You're might find up going to prison. There's consequences, right? There is now. Yeah, for sure. Yeah. So let's talk about that. Let's talk. So you're you're away at college. You're you go out to Arizona. Great place to go to college. You're out there

From what I've read, right, and my understanding of people I've talked to, like, you were really good at school. You were like, you wanted to go into like, work for the Department of Defense one day. Like, you had some great aspirations, everything else. Something happened along the way. So, like, walk us through that. So, the college that I went to catered to nerds, number one. Number two,

The group of people that went to the school or joined the school when I did, we all kind of clicked together and we found each other, we found components of what everybody liked and everybody kind of had their own lane, if you will, but we'd constantly be educating each other. And we built this group, it was one of the largest student -ran security research organizations in the United States where we were trying

to find vulnerabilities, trying to find exploits or code exploits. We were trying to teach other students that were not security minded. It was a very large group of people and we were teaching people how to hack, right, ultimately with a couple of student -ran organizations. So in the three or four semesters I was in college out in Arizona, I progressed very quickly, not only because of the academic

Dino Mauro (13:11.478)
information that was being taught, also because of this crew. So I moved very quickly and you're right. In fact, I interviewed for the NSA. I was going to be part of the NSA red team. I had gone through the polygraph. I had gone through the psychological evaluation. I'd gone through the background check. I had done all of those things. What year were you in college? I would have been, I would have been a junior. The NSA recruits out of that school specifically because the type

talent that is there. Yeah, yeah. Or they did at that point. Yeah, yeah. sure now. there were myself and several other students that had all applied to the NSA and several of us had either job offers or we saw people graduate and immediately they were part of the NSA.

Yeah, yeah, there was a lot of really good talent. Explain to the listeners, I apologize, but explain to the listeners, what is the NSA? Like I know it's very obvious to us, but, for those that might be working out or driving in their car, have this kind of work that aren't in cybersecurity. You know, what what is the NSA and why is that so significant? Because it is very significant. Right. It is. So the NSA is an intelligence community, much like the CIA is an intelligence community.

you can consider CIA to be people driven and the NSA is technology driven. So they have things called signals intelligence, which is what the NSA mainly handles. And those are things like intercepts. So understanding encrypted communication, breaking encrypted communication. In fact, the NSA employs the largest number of mathematicians anywhere. And that's strictly to break code.

the flip side of that is the NSA also does technology driven things, meaning they specialize in both red teaming operations, which is offensive. If you want to think of it from like a football, oriented kind of conversation offensive. So we're breaking into adversaries, think other nation states or terrorist organizations or any of those things, and gaining access to grab information.

Dino Mauro (15:32.994)
We're also subsequently helping defend our country and our allies against cyber threats. So they have both of those components as well. And there's a number of other things that I'm sure that they do that I have no idea. That's just the advertised portion, right? That's just public facing piece. Exactly. So you're going along had a very exciting kind of undergrad.

career with with eyes on doing some pretty cool things. But you got involved with a group called Lulzac. It's L -U -L -Z -S -E -C. Explain to the explain to the listeners what was Lulzac. So Lulzac started. My goodness, where do you start with this one? So I'll no. There is. I'll try to hit the bullet points real fast. So there's a group of people online called.

anonymous, which is essentially a number of individuals from a particular particular website. In that group, there was a few people that got together who were fairly intelligent and created LulzSec. And it was created by two or three individuals, one of which was Sabu or Hector. And he was kind of the ringleader, if you will, of LulzSec.

They hacked into a few different... They have some very well -known breaches. They do, So they hacked into a few things and Hector and I in fact went back a lot of years, back to my youth. And one day I got a message on AOL Instant Messenger and it said, hey, you should come check out what we're doing over in Woolsac. And they had already made the news at this point and I was...

Genuinely curious what was going on inside it was an IRC server. So I was genuinely curious what was going on the IRC server Absolutely, absolutely. And so That was a good explanation by the way, and so so you get involved there and at some point You're getting involved with some of the activities that the Lulzac is doing Yeah, yeah, there were there were several hacks that were going on prior to my arrival

Dino Mauro (17:55.662)
There were several hacks that happened while I was there. There was only one specific hack that I was involved in, and that's the Sony Pictures hack. OK, and the Sony Pictures hack, and for the listeners, it is not the PlayStation. There is a grave mistake. Sony has sustained several different breaches that have made it to the media. There's the one in 2014, which we talked about in our very first episode. There's the PlayStation one, which happened earlier.

leave, right? And then there is a compromise that happened between like late May of 2011 and June of 2011, which is the computer systems of SPE Sony Pictures Entertainment, which were compromised. And and and they attribute that to a compromise from LulzSec. And now does LulzSec mean anything? That's what I mean. Is it like LOL security like laughing at the security or what does it mean?

That's exactly it. was mainly the purpose of LulzSec. Yeah. Yeah. It's you don't have to read into it too far. Surface levels is exactly what it was. And the entire idea behind LulzSec was you had, well, first you had a bunch of, he had a bunch of nerds like myself that had a chip on the shoulder and wanted to prove something. then also kids. I mean, you guys were kids. Yeah. Yeah. 20s for sure. And that's all it was is we, found

laughable security and right, which is out there. It's out there. It's why we exist. It's still there. So, okay. So, so what, what walk us through what, what happened and, and, and, and let's, let's start with what you guys were doing there. Like if that's okay to, to speak about it. Cause I think it's all, it's all been said and done now. So I think we're open to, to speaking

Yeah, the Statue of Limitations has passed. Double -jump is attached. We're good with this. So, the entire purpose, so we ran a number of scanners, like bots, essentially to go out there and map the internet to see where we could find vulnerabilities. And we were finding them left and right. we'd only focus on big targets. And specifically, like Sony came up

Dino Mauro (20:21.918)
Again, getting back to that trophy. Like again, if you're going to go and you're to spend the time risk, maybe getting caught or whatever, like you want to have a logo, you want a logo by it, right? Or a name. There's a component of that, but there was also a component of like Screw Sony. Remember the big DRM thing that they tried to pull with the root kit and all of that. That left a really sour taste in a lot of nerds minds. So as soon as

Walk us through what that is. Can you explain to the listeners what that was? What did some of you So I have not brushed up on this, so I'm going at least try to get it from the 5 ,000 foot level. There was a music CDs that they had put some sort of digital rights management on. So basically making it very difficult to steal the music and play it somewhere else. Right. Remember, this is like the era of Napster.

Exactly, back in the day, everybody was whipping off songs, right? Exactly. So Sony developed this application, which was a Rootkit, which installs itself. Rootkit basically just installs itself at the highest level privileges of a system and is very, very sneaky in how it does it. And that application was there to make sure that you couldn't steal the actual music itself. at some point, the encryption key or

there was a key associated with it that somebody discovered. Then Sony tried to sue them and cover it up. And then everybody published it online. It just, it grew snowballed into this thing. And eventually there was a lot of, a lot of hatred towards Sony and nerds don't forget. so there's a little bit of that hatred was, still there when, we discovered the website that was vulnerable. Yeah. you find the vulnerability

out there scanning out of all the other ones that you found. What was what was kind of the next step? The next process? What? How did that evolve into where we got? Yeah, it's super simple. It's hey, guys, we got we've got a sequel injection, which I'll explain in a moment what that is. But we've got a we've got a sequel injection on it on the Ghostbusters website. Everybody started attacking and that was essentially the order. Wow. Yeah. So it was a website was actually their website that was so far.

Dino Mauro (22:46.616)
I mean, it wasn't like getting into like any bypassing of any firewall. It was nothing like that. was just their public facing website. was, if you want to talk at low hanging fruit, this couldn't be lower. and the website that was insecure was the Ghostbusters website. In fact, it was a, I, yeah. So they were running some sort of, some sort of sweepstakes where

I think there was some sort of anniversary, something along those lines, and it asked people to put in their first, last names, email address, physical address, phone number, stuff like that. And it had a lot of records in it. And it also coincidentally was vulnerable to a style of attack called SQL injection, which is essentially, you know, when you go on to a website and you submit information, meaning their first, last name, phone number, that kind of stuff. Typically, what normal people would do is actually put legitimate data

in those fields where it asks for that data. Us being hackers, we're testing to see whether or not certain characters cause that form submission, you know, when you hit submit, to do something unexpected. And in fact, there's a kind of a standard way to approach this. are certain characters on the keyboard to get things not to work correctly. And we found that out. And what happens is instead of that data being submitted to a backend database,

that information from the database is now being presented to us. Yeah, it kind of regurgitates itself. And all of that data that's sitting on the back of that website comes to you guys. So it's not only that website, but any other website that uses that set of databases. So, so you can imagine that, you know, one database that has the Ghostbusters sweepstakes information, that's, that's a lot of records, but there's probably going to be some other promotional.

databases on the same server. And when we were done, was, I'm pretty sure it was between one or two million unique records that were stolen out of this group of servers. Yeah. Holy cow. So you guys are doing that and what are you guys doing with the data? So you guys get this data, it's housed somewhere in the Lulzac kingdom or wherever you guys can. Yeah, we had a SharePoint.

Dino Mauro (25:10.604)
I'm kidding. We just had a public facing SharePoint site in case anybody was interested. Yeah, in case you want to download anything. So right. Totally makes sense. Funnily enough, it's real quick aside in the in the position that I'm in, we share malware back and forth via Teams and SharePoint and whatnot. And you'd be surprised how often Microsoft looks the other way on like completely malicious stuff, which is hilarious.

So that helps in red team engagements. can tell you that right now. But, but essentially it was, was somebody mapped the database to begin with, at least at the high level and basically said, you go for this, you go for that, you know, here's your section of data you're quote unquote responsible for. And so the, had my section.

of stuff and the tool that we used, anybody can use something called SQL map or SQL map. It's point and click almost. And in fact, there were other instances of somebody using Havage, which is a Windows based application to do this. But the point I want to make here is that we ran those applications for days, which means we were hammering away at this website. I think personally,

It was a week or more from my side of things. So nobody noticed for weeks. So we'd grab all the data and then we would send that data to the guys that were more or less running a little sick, even though there really wasn't a leader. They compiled all the information and then tweeted at Sony basically saying like, hey, we're in your systems and you can't find us. then social media. Every brand loves to get a tweet.

referencing them that, we're inside your network. And you don't know it. And you don't know it. Come find us. Now remember, LowSec had made national news like four or five times prior to this, this particular hack occurring. imagine a threat group right now, you know, the folks behind, like, yeah, or like LockBit 3 .0 tweeting something. Yeah. Saying, Sony, we're in your systems and you haven't found us

Dino Mauro (27:31.182)
It was more or less the same in terms of how it was received on their side. It's chilling, it's chilling, right? It is. But once we had all the information, we compiled it and then dropped a tweet real fast and then there was a torrent. So anybody could download all of this information. And then, so, and you're still in college and you're going to school, skipping your way over to class, looking for that interview with the NSA.

And so, what was it? was in September of 2011 that the feds came knocking or what? How did that go down? So there's a couple of components to that. And what a lot of people don't know is that I was working in IT as the network security administrator for the school. So I knew all of the stuff that was going

to a certain degree. And one day myself and several other workers come into IT and everybody's access is turned off except for two individuals. And in the back of my head, there's nobody else on campus except for maybe one or two people that understand what I'm involved in, right? So in the back of my head I go, well, it's probably pretty likely that the feds are coming.

That night, was, kind of going back to that security research group, there were a lot of things going on in that student -ran organization. None of it was illegal, but everybody was scared. And we had a word. It was a word that if you ever got a particular word via text message, and that was it, that meant.

Either we're getting raided or we think we're getting raided or there's a situation in which you might want to might want to destroy evidence is really what it was down. And that a few of us got got together that evening. And that word went out to the entire group. And yep.

Dino Mauro (29:48.83)
And I've never seen the removal of so much hardware from a single like dorm room. then I did that particular night. was, there's a significant amount of information that was, that was destroyed. so when you had the sense, when you had the sense that the feds were coming before they actually came and you, you met them, what, what was going through your mind? How did that, how did that make you feel? I mean, it's, it gets into the core of the hacker mindset.

that you want to go and capture that flag without getting caught, right? And you have that sense that it's being exposed, right? So does that get you down to your core? What happened? Like, what was that feeling like? So I was a very, very arrogant young man. And while I figured the feds were coming and going to be knocking on my door,

I thought it was smarter than that. It's what I've learned down here. okay. Yeah, I learned my lesson on that one. Right, right. You that straightened out real quick. Very quick. I did take steps, right? I debanned all of the drives that were associated with any of the things and destroyed quite a bit of information.

jumping ahead when they actually do the raid and they're interviewing me instead of actually saying I want a lawyer. I'm telling them that I'm smarter than them and that I destroyed evidence and number other it gets you pretty far with the FBI, right? Yeah, they love that. I told you I was young and arrogant. They love sitting across the desk from like a 20 something being told how stupid they are and how bright you are. Like they love

They had the final last word though. Yeah, they do. So I got to ask Cody, and I heard you refer to it as a raid. Is it like we see on TV? Did they come in with the blue jacket with the yellow lettering and they all had guns? What happened? Or did they just walk in in some suits and say, Cody, come with us? So I much would have preferred the latter, but it wasn't quite as bad as the former. And in fact, when I give my presentation, especially to kids,

Dino Mauro (32:09.966)
about my backstory. There's a gif of these guys breaking into a house and they're like dropping through the ceiling through like skylights and kicking in doors and going through... Repelling like ninjas. Repelling like ninjas, right? And I always tell people, well, that's how I got raided. And of course that's a complete lie and fabrication. What they did do was show up at my dorm room and my poor roommate, I feel so bad for him.

Yeah, what they what they did do is. mom, I'm going to go. Hey mom, I've got this really cool roommate. He's got all this like really. He's really smart. There'll be a lot of drama. He'll just be nerding out all weekend. Don't you worry about me. And then the feds are at the door. Hey mom, my roommates in a little trouble. Alright, sorry. So the feds are at the door. So it's 5 o 'clock in the morning and these guys show up

There's a knock at the... Actually, I hear the key card coming, like... So there was two components to the lock. There's a physical deadbolt, and then there's the key card like you would at old school hotels, right? And I keep hearing it getting denied because the deadbolt's engaged. I never deadbolt the dorm room door, but that night prior, for some reason, I did.

I hear it occur that gets me kind of out of my sleep. And then there's a knock, unlike a knock I've ever heard in my entire life. is the most - knock? That, that, that, that, that. It is the most afforded knock you'll ever hear in your entire life. I hate when that happens. By the way, no one's waking up any other student at five o 'clock in the morning in the storm, right? So like, I'm already a couple of steps ahead of what I think is occurring, but like, it's not like I'm going to bust out the window

and try to run away. So I opened the door and there's the FBI agent that I grew to know and I put my foot behind the door and it's only open just a few inches and he asks and I can't remember which name he used but it's hilarious and he goes is such and such here and used a woman's name or a girl's name and the thing is that this particular college was like 98 % male.

Dino Mauro (34:29.87)
The likelihood of a woman being in any of these dorm rooms was so, so small. And it caught me off guard. And I said, no. And he goes, that's when he pushed his way through the doors, you know, a FBI and secret service. We're here to execute a search warrant. You need to sit down, like all of these things and about 20 guys then enter this very, very small dorm room. was going to say the dorm room is like an eight by 12 space. Like 20 guys.

But to answer your question, they were plain clothes, right? They were wearing, they weren't even in suits. They were in just street clothes. Okay. Okay. And, and so then from what I understand and people that we've spoken with, like you were super cooperative. were, despite your version of being young and arrogant stuff, you, didn't put up much of much fuss. You kind of were like, look, this is what we did. Like you were, you know, it was, it was, it was, it was a hack that we achieved.

Yeah, at a certain point, like they've got you dead to rights. And one of the things that, throughout your process, anybody that goes through the federal process has been charged by a federal grand jury. they have to have... you've been indicted, right? You have to go through the indictment where they issue a true bill and they've actually said there is probable cause to proceed. Yeah. So like there's already a level of like...

detailed there that most search warrants don't have. And then once you're through that original kind of the original indictment, if you will, or even just a search warrant, you start to realize like, they have all of their ducks in a row. There's not really much that I can do or say. if the feds have something like a 97 and a half percent conviction rate.

So it's, it's much different than state charges, right? Local district attorneys, the county prosecutors, they shoot from the hip. They, they don't have the resources, everything else. It's like, it's like high school ball versus, you know, the NFL. it's when you get up to that, that federal level, they, they pretty much have dotted all their eyes crossed all their Ts before acting. Yeah. So, I mean, then becomes the component of going back and forth with the

Dino Mauro (36:48.43)
There are other former LulzSec members that were just complete. They were not friendly towards the feds. They also subsequently had 10 year sentences as opposed to where mine was a year and a day. So I would say that I was, I did a little bit better off than the guys that were, that didn't cooperate to some degree. Yeah. So did they pick a bunch of you up at all?

you know, on the same night, it's been five in the morning or was it just sporadic? How did that work? I was the first to go of the group. wow. So that opened the floodgates and from there, I think everybody else realized probably best to shut up shop and move on. my dear person... Why do think you were first? I'm just curious. Like, wonder, you know what I mean? You weren't like the main one.

that was driving a lot of it. I mean, I wonder why you were first. Look at the draw. I don't know. I don't know if it was easier to find me than others. There's been speculation. to where you were. Well, you know, the thing is, is there's been some speculation as to the validity of the VPN service that myself and others used in order to kind of hide

our identity and whether or not that was I read about that as a proxy service, you were using a proxy service and it should have shielded your identity, your IP at least and things and maybe that got compromised somehow or maybe it had exposed how did they find out it was you guys? So my understanding is there was enough pressure, it was a VPN service out of England and that there was enough pressure from the government over there that they

essentially mandated to give over information that they shouldn't have been collecting anyway. In fact, in their terms of service to begin with, it said under no circumstances will we ever give this to law enforcement. Well, they did. I can tell you that. asked quite. Yeah, I've got a disk where it's got all that information. Yeah, so one of the lessons we've learned here is shop and read the details of the VPN service that you engage in, right?

Dino Mauro (39:08.994)
You're using a VPN to be encrypted and for it to, for them not to be selling your data or transferring it or collecting very good. I would, I'd go a step further and, and, and say that most VPN services are likely going to cooperate with, with, with an authority. and if you're going to commit a crime, probably not a good thing to use a VPN service. Yeah. Also don't commit crimes.

Yeah, exactly. That's one of the lessons. And so fast forward, you didn't go to trial, right? You guilty, right? You pled guilty. You got a year and a day served. Where did you wind up serving? Did you serve in Florida? I served it in a Martha Stewart style or ask federal prison camp in Pekin,

okay. I'm familiar with that one. Okay. That's not not because I was there, but I in my prior life, I was an attorney. And so I had I had been there to to actually interview somebody once. But yeah, but very interesting. So yeah, mean, federal prison is not like the jails that we see and like scared straight and some of these other, you know, the county jails and the state

penitentiaries. It's much more conducive to rehabilitation, right? And it's much more civilized. It's still a hard fall from being in college. That's the whole point, right? It's still a huge blow to a human being who was knocking on, you know what I mean? were you were you were Yeah, you were in your prime, you know, gonna work for the essay, but you've recovered really, really well. And you're doing some great things. And that's

why you're here. And so let's share some of the great things that you're doing for the security community and the presentations that you're doing. Like you do a phenomenal job. And this is like, this, it's so important to me. Like we've talked to a ton of people that identify as hackers, that identify as prior cyber criminals that are on the good, on the,

Dino Mauro (41:31.246)
good side of the law now that really help in ways that other people can't, right? Because they don't think the same way and they don't have the same experiences. But by knowing that it's part of the reason why some people they'll go undercover and they'll study, you know, Lockbit 3 .0 and they'll study, like they'll get to know those personalities because if we don't understand at end of the day, it's all people. And so if we don't understand the people behind it and the reasons and the behavior and the personalities,

How can we adequately defend against

Yeah, I mean, there's to use an analogy. Oftentimes, you'll find former bank robbers becoming bank consultants or banks. exactly. I will say that for anybody that's interested to get into this, I'm going to preface what I'm about to say, because if there's anybody that's interested in getting into security, there is a path in which you can take that doesn't involve doing something illegal.

In fact, the cybersecurity industry frowns upon doing that. I was at the very tail end of when it was still somewhat acceptable to do these things. Now it is very much not. But that being

The things that I help businesses with, cybersecurity -wise or just network security -wise, those are the things that the bad guys are doing. I say I'm a recovering red teamer. I don't do it as much as I used to, but when I'm applying what I know and how things work and how a bad guy actually operates and I'm quote unquote attacking a business,

Dino Mauro (43:18.818)
for a fee, right? So it's all above board. I'm giving them with permission, right? With permission, they want you to that's what red team engagements are. Exactly. They want to be hacked because the agreement is you're not going to do any harm. There's it's almost like a capture the flag like it's not but it's somewhat like here's here's a piece of intellectual property. We're going to hide it. You come in undetected and get access to it and we'll pay you a fee so that way we could learn.

where are our vulnerabilities? Because from what we see, we're secure. We know we're not. So where are we? What are our blind spots? It's really identifying those gaps in security, right? Most organizations, you can't check your own work. And that's the reason why they have somebody come out and do what I do. applying not only that component, because you can hire any red teamer that you want to, but being able to hire a red teamer that has experience

doing, you could say criminal stuff. There's a little extra umph there. There's also, there's the credibility aspect to it. And then there's also just kind of the namesake, if you will. So there's that component. And then there's also a component where I built a sock or a security operations center, which is basically, yeah, from the ground up. was me and then built a built a sock from the ground up. So I,

you know, hiring the correct people, making sure that, you know, logs are being analyzed, that people are responding to events. I actually stopped doing so much red teaming. I hired red teamers to do that. And then my main focus for several years was mainly incident response. now it's, I'm on the other side. team, a little purple. Yeah, that's really good. So now I can apply my perspective

All right, you are either currently engaged in an incident or one has happened and we're trying to figure this out. And now I can apply that same knowledge on how the bad guys operate. And then that's also the same stuff that I would train my folks on. That makes you really effective, right? Because it gives you such a unique perspective on everything. That's really, it's actually really cool. Yeah, I mean, the lens that you view the same facts is going to be

Dino Mauro (45:41.802)
a different lens, right? And it's really, really insightful. So organizations really benefit. We have a whole team. Mark and I are with All Covered, which is the Conica Minolta MSSP. We have our own SOC. We have our own Red Team group. And I'm telling you, like the Red Team group, they're so cool. the way that they think, the way that they look at things. And our SOC has really been built from the ground up and they're so insightful.

Part of it is because they all work together and they collaborate. That's really, really so important that we see on a daily basis. It's really important. And businesses benefit by insight like yours. mean, that's just, there's such a clear benefit. no, go ahead. No, I was just, I was gonna elaborate a little bit more on

You're completely right and running a SOC gives you a really interesting perspective in of itself because you're monitoring a lot of different businesses. mean, we had financial institutions, healthcare, manufacturing, emergency services, municipalities, stuff like that. when you see a particular attack starting to occur over here, you can then help out other folks.

in other places. So it's a very interesting perspective to be able to kind of help businesses without them even realizing it. Yeah, exactly. Yeah. As we're looking to wrap up here, what are some of the what are I don't know exactly how to ask it, but what are some of the main things that you're seeing that organizations need to change when it comes

creating a security culture when it comes to having the right defenses up. mean, small businesses struggle, it seems a lot more than large enterprise organizations that can create their own sock. What can small to mid -sized businesses do? What are some of the top priorities you're seeing? Yeah, there's a lot.

Dino Mauro (48:04.312)
The security mindset, or I really like the phrase, culture of security. So there needs to be a focus on that. And here's the thing, it ain't going away. In fact, it's going to get much more stringent and there are going to be things that come up between now and probably next year. You look at things like the FTC safeguards and who those impact, mom and pop accounting shops versus big automotive dealerships. They're all on the hook now for developing a security

And oftentimes those folks, especially if you look for like automotive dealerships, it's usually usually just the guy who's somewhat good with technology is the the IT guy, right? Yeah. You can't blame them for it because in the past this has worked well. Well, now there's some there's federal charges that can be levied against those individuals who don't take the correct steps in order to to actually protect themselves.

So that's one component. So we're seeing regulation. Another component is that folks don't, think, and using this phrase again, they think that they can check their own work. And that is really where having somebody come in, do an assessment, figure all that stuff out, that's gonna be incredibly, it's not only incredibly important, but it needs to happen on a regular basis to identify where those gaps in security is.

We can sit here and we can talk about whether or not MFA is enabled, whether or not somebody uses a password manager, whether or not there's long passwords versus short password. We can talk about technologies and controls and all of those things, but really what it boils down to is understand the regulations, make sure that you're checking on those things, that somebody's got eyes on the glass because it's going to continue to grow. This is something

like a 500 % growth in cybersecurity in the last what year or two. I don't expect that to slow down any time. And for folks that are that are not putting focus on security now, it's it's it's gonna bite you in the butt at some point in time. And not to not to spread FUD. Right. But it's it's one of those words. It's gonna it's gonna it'll come back around and get you at some point. Yeah, it's not gonna go

Dino Mauro (50:26.614)
And you're not spreading flood. You're not spreading fear, uncertainty and doubt. Like it's because that is what is there. It's inherently in that topic. to the core of an organization's brand. Right. That brand is there because customers trust them and people lose trust when people lose their stuff. Right. When all of a sudden, you you're you know, you want to

buy a vehicle and all of a sudden your kids, know, false tax returns are filed on behalf of your kids because you tried to buy a vehicle. Well, guess what? You know, we can buy a vehicle anywhere. We're not going to do it from you. Now we're not going to do it. I mean, that's, that's, goes to the, yeah, it really goes to the, to, the core. Yeah. And I, I agree with you about the culture, right? It needs to

something that is ingrained in that culture. You know, like it's gotta be something that from the top down, it's gotta come from leadership. Like it's gotta be part of everything. When you think about, you know, cultures that don't tolerate harassment, right? Yes, there's harassment training maybe once a year, but there's a culture there that doesn't tolerate it, right? And so what's happened with security is there may be an initial

cybersecurity training or you might get an email on tech Tuesdays about how to spot a fish, but it's not really part of the culture, right? They're like, we don't care. Go ahead. If you're working from home, save your documents wherever nobody ever asks. I'll get no like it needs to be part of the culture. It needs to be ingrained because you all have to care about yourselves, your family and the organization's brand that you serve. Yeah. And to add onto that, there's no organization too

That is the only reason you don't hear about the mom and pop places getting smoked is because they either haven't, sorry, the mom and pop places being compromised or having an incident is either because it's low enough in the news that nobody cares or they haven't detected it yet. That's great point.

Dino Mauro (52:46.828)
Well, everybody, please check out Cody Kredzinger. We'll have your links to your services, links to your LinkedIn, connect with them. The information that you have out there is really helpful to organizations. it was fantastic. Appreciate you coming on, Cody. That was fun. It was really insightful. Yeah, it was really, really insightful. So thank you so much. We'll have links in the show notes.

for everybody to connect with Cody and just a really unique fresh insight. we really appreciate what you do. yeah. So all right, man. Thank you so much. Thank you, Mark. You guys have a wonderful rest of your day. Talk to you. Thanks, guys. care of mine. All right.