The Hacker Mind Podcast: Hacking Real World Criminals Online
More and more criminals are identified through open source intelligence (OSINT). Sometimes a negative Yelp review can reveal their true identity. Daniel Clemens, CEO of ShadowDragon, talks about his more than two decades of digital investigations, from the origins of the Code Red worm to the mass shooter in Las Vegas, with a fair number of pedophiles and human traffickers identified as well. Find out what Daniel looks for and how he does digital forensics using social media and other open source resources.
The Hacker Mind is available on all podcast platforms.
[Heads Up: This transcription was autogenerated, so there may be errors.]
VAMOSI: How do you find a suspect in a criminal case? You find clues. How do you use digital to find a real world criminal? You do the same, find clues, only the breadcrumbs that lead you to an arrest are digital.
While I produced this episode, a 21 year old Massachusetts National Guard airman is alleged to have photographed and distributed copies of classified US Military material on Discord, a social media site. Here’s Attorney General Merrick Garland.
US Justice Department: Today, the Justice Department arrested Jack Douglas Teixeira in connection with an investigation into alleged unauthorized removal, retention, and transmission of classified national defense information. Teixeira is an employee of the United States Air Force National Guard. FBI agents took Teixeira into custody earlier this afternoon without incident. He will have an initial appearance at the U.S. District Court for the District of Massachusetts. I want to thank the FBI, Justice Department prosecutors, and our colleagues at the Department of Defense for their diligent work on this case.
VAMOSI: Once the classified documents were found online, there was an effort -- both by law enforcement and by the media -- to identify the leaker. And they did, relatively quickly, using something known as Open Source Intelligence, or OSINT. I’m going to be talking a lot about OSINT throughout this episode.
In this case, the alleged leaker was prolific on social media. That’s understandable, given his age. So, investigators and reporters had a name. But could they connect this name to the evidence that they had? They could.
It turns out some of the classified documents were photographed on a marble countertop, like in a kitchen countertop. Investigators looked to see if there were any social media of the kitchen of the house where the suspect lived. And there were. And … the marble countertop in the kitchen of the suspect’s parents’ house matched the marble striations in the classified document photos.
That, of course, was not all, but it is an example of how someone -- anyone on the internet -- can take a photo or blog post or Yelp review from social media, or some other seemingly random open source item and tie it back to a crime.
In this episode I’ll introduce you to someone who’s been doing this online investigative work for over twenty years. I hope you’ll stick around.
[MUSIC]
VAMOSI: Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m talking about online criminal investigations conducted by someone who is inside the infosec community, and how your social media posts -- no matter how good you think you are about hiding -- can reveal a lot about your true identity.
[MUSIC]
VAMOSI: This is a slightly different topic for The Hacker Mind in that I will be discussing some violent crimes but always from the viewpoint of the online investigator. A hacker’s eye view on catching the bad actor in the real world. It’s not graphic. And there’s no profanity. I’d never do that. Still, I wanted to give you all a heads up that this episode is a bit darker than usual.
CLEMENS: My name is Daniel Clemens. I'm CEO of Shadow Dragon, and I'm just an old school hacker guy.
VAMOSI: I think Daniel is being a bit humble. He’s been around the hacking scene since the late 1990s, he knows a few people, and he has contributed a lot to the industry. He’s currently running two companies: one a pen testing company, and another one focused on OSINT which we’ll talk more about here.
CLEMENS: Shadow Dragon is a company that builds innovative open source intelligence tools to help the investigator focus on the information that's relevant.
VAMOSI: Again, you may not have heard of Daniel before this podcast, but he’s been around the infosec community for decades. He’s just not standing on some soapbox, shouting about his many accomplishments on social media like some people in the infosec world today. Daniel, he keeps a low profile.
CLEMENS: I do. I do and usually I kind of just kind of keep them hidden away. I guess just from personality. I am not a huge blogger. I'm not a huge get out there on social media type of guy. So I'm more than willing to share different stories as long as you can kind of provide the guidance of where you want it to go. You know, I've had a lot of good, fortunate experiences over the years in my career. And it's helpful with a lot of these experiences.
VAMOSI: So one of the things I'm doing with The Hacker Mind is reclaiming the word hacker. There's this pejorative media perception of hackers. That they are all criminals. And they all wear hoodies.
Mr. Robot: Hello Friend.
VAMOSI: Okay, to be honest, I am wearing a hoodie right now, but it’s cold where I am. So to dispel some of the common notions, let’s find out more about Daniel. He started hacking in the 1990s. So was he active on Bulletin Boards and IRC?
CLEMENS: Yeah, so I did a few bulletin boards and then mainly I would get on to like the different back systems. Which then I could configure to get on the internet, you know. So, usually my mode was to find a college student, get an account, dial up, and then you know, then I was on the internet and then get on IRC and, and whatnot. So I spent a lot of time on IRC when I was a kid. More than Bulletin boards, but Bulletin boards are cool.
VAMOSI: So where in the country were you then?
CLEMENS: So I was in. I was in San Francisco for a short period of time. And then before that, I was in Colorado, Durango, Colorado. So I worked for an ISP, they're called frontier internet for a few years in high school, and then after high school, and before that, I lived in Texas. So that's kind of my journey as far as the different spaces that I was interfacing with the computer and trying to get on the internet at different times.
VAMOSI: My point in interviewing Daniel is that I want to hear some real stories about criminals online, how things really happen in the world. I want to correct some of the FUD i that see in the media -- that hackers are driven by money and ego. That’s not always the case.
CLEMENS: yeah, I love that because now it's very different. And I remember probably 2000 to 2003 ish, complaining when we when I think it was last year that we were at Alexa, Alexis Park for DEF CON. And I remember complaining like oh my gosh, there's more than 1000 people here. And you know, like, that was the complaint of the day. And, but really, when I look back on that, you know, like, that was a shifting time for how people saw and treated the word hacker you know, when I grew up. Hacker was more about the pursuit of knowledge. And that pursuit of knowledge because it was harder to find things that weren't search engines. You had to figure out how to configure Kermit, get passwords to get on. To the local facts and you had to, you know, find the guy who was a sysadmin who maybe you could, you know, get all the manuals. That pursuit in itself created a few different long term memories, I think which I think we see a lot of the opposite things being true in the workforce. Now we're Oh, I can't remember this or you know, the pursuit really, I think has a lot of biological impacts in how information is stored. How it's treated, how you experience the dopamine hit when you learn something new, right?
VAMOSI: I hadn’t thought about that, but Daniel’s right. There used to be that particular rush when you figured something out, and more to the point it also worked. You got into a network. That doesn’t happen today. In part because things are well documented -- not like the dark ages when you had to dumpster dive to find old manuals. Now you can Google most things. Not the same.
CLEMENS: Because that's what got me in from the very beginning was that you know, I'm gonna pursue this. I I've discovered something and I've also learned something in the process and it was it was a longer tedious task at hand. So I do think that the word hacker has been hijacked I, I joke with people now where they're like, so what do you do and I'm like, I'm kind of an old hacker. And depending on the audience, it goes different ways, right? It's either good or bad, but there's, it's more of, you know, there's a work ethic behind it. Right, there's, there's a method, a countercultural method to it that isn't defined by a group dynamic. It's a personal dynamic, you know, it's, and that's what the old 2600 used to be like the you know
VAMOSI: Again, Daniel is bona fide old school hacker. Daniel’s first Black HAt was in 1999. Mine was 2000. And we both know people in the industry.
CLEMENS: And going back in time, like, I remember, it was like 1999. I'd met Jeff Moss and he was going to come in and he was interviewing to be my boss. I was living in Alameda off of the Navy base there. So he invites me to go to a book that, you know, one of those first black hats and Doug Song was set doing his thing on checkpoint firewall bypass, and I'm sitting there, and a guy named Jeff Nathan. Come sit next to me. And for those that don't know, Jeff had written the arc watch module and snort when Sourcefire was just starting he was at a company called ever world at the time. He sits down next to me and he says, I've got TCP/IP illustrated and I'm just nervous being around all these super nerds, you know? And he goes, Hey, man. I'm going to, I'm going to you're going to stick with me. We're going to go to every talk, and I'm going to tell you what you don't know. For the whole day, I didn't know the guy. You know, and I don't think that that happens now. Because I mean, there's a billion people right but we're heavy heavy hitters. Guys come in and really they're there other centers. They want to extend the curiosity they want to help others and you see some of that in some of the you know, the hacker villages and stuff like that. I think those are cool. But it definitely was a different time. And I'm, I'm nostalgic about it, you know? Yeah, it was a great time. I mean, I loved it.
[MUSIC]
VAMOSI: As I’ve said, Daniel has over twenty years amassed a lot of real-world experience. In fact, over the years he has helped solve some or at least investigate the backgrounds of individuals involved in some crimes -- crimes we’ve all heard about. And it started quite innocently.
CLEMENS: Yeah, so I guess the investigative part of my career was just things I was slowly kind of getting sucked in from doing analytical work to you know, hey, can you look at what do you think about when you see this? You know, there was a hacker kid. Right when the Napster movement, anti Napster pro Napster movement was going on, named him says he went and defaced a bunch of websites and, and that was one of the first cases I was hired from, you know, a corporate corporation that had been defaced asking if I could analyze, you know what happened there. So it went from just analyzing what happened to you know, hey, can you figure we want to get this guy arrested or whatever. And so I thought, well, yeah, well, we figured out how he, you know, defaced a bunch of web pages. And myself and another gentleman, got an IRC and you know, ask lots of questions and then triangulate kind of where he was. So that was one of the first ones and then the next one. I was asked. It was actually a Child Child Exploitation case.
VAMOSI: Oh. Here’s where it starts to get dark pretty fast. Basically, in Child Exploitation cases, criminals exchange photos of underaged individuals and/or even sell access to them, which is human trafficking. One of the ways these individuals reach out to each other and their clients is through the internet. That’s were people like Daniel can find the breadcrumbs such as email aliases or social media posts that ultimately lead back to the actual names of the people who are responsible. That’s not always as easy as it sounds.
CLEMENS: And basically, they just gave me you remember, back in Windows, they had the index dot dat files that had some history in it. And so they said, What can you do with this, you know, and I said, Well, I'll just put it into my little Linux terminal and the strings dash on it. And fold up all the different groups that they were joining and that actually turned into a case called Operation Candyman where I think there's over 5000 pedophiles arrested in a in a fairly short amount of time.
VAMOSI: Here’s former US Attorney General John Ashcroft in 2002.
FBI: Over the past 14 months FBI agents across the nation have been working undercover to expose an international ring of pedophiles and predators devoted to trading and propagating pornographic images of children over the Internet today we are announcing that this circle of criminals has been disbanded and their illicit website shut down 40 individuals in 20 states are now in custody with another 50 expected by week's end they include members of the clergy law enforcement officers a nurse a teacher's aide a school bus driver and others entrusted with protecting nurturing and educating the American youth.
CLEMENS: So that was the first time where I thought wow, you know, that was I was just doing the things I normally do being curious. And shortly thereafter, I helped co-found an InfraGard chapter for a little bit of time.
VAMOSI: The FBI’s InfraGard is a public private organization where individuals and companies join and share and receive information from the FBI. How cool is that?
CLEMENS: And really I was just starting that in the vein of old DEF CON and 2600 stuff where it was, we should share information. And so I had at the time, a job where, you know, I wasn't being appreciated for my skills very much. But I was given a Class A network, and I deployed as many snort sensors on it all over. And so, this was right, right before Code Red hit.
VAMOSI: Okay, the timing was great for Daniel. For those of you who know or remember, Code Red, was a computer worm that exploits a vulnerability in Microsoft's Internet Information Server or IIS. I remember writing about Code Red for ZDNet at the time. It’s kind of clever in that it actually stopped spreading by itself; in other words it had it’s own self-destruct mechanism. But while it was raging, it was amazing compromised computers, creating a botnet that attacked one target: The White House. But until someone looked at the code, that target wasn’t obvious.
CLEMENS: And so, Code Red hit and I had all my sensors up, mark my free at from Ai posted to backtrack, hey, there's, you know, looks like this. This vulnerability is being exploited. And I was able to respond on the mailing list saying, Hey, I've got packet captures of it. Went back home that night. I think he was reversing it. And then I was you know, me and a friend were also reversing it that night and found the IP addresses that they had hard coded in there and I just handed it over to my friend and he he knew someone at the FBI and they handed it off and apparently you know, that kind of escalated until they they moved those IP addresses. So whitehouse.gov Wasn't attacked.
VAMOSI: Daniel. Being humble. Once again. Unfortunately, these were just one offs. Daniel had a day job.
CLEMENS: That was just in that just being nerdy, you know. And I started a small mailing list after that called packet ninjas. And it was just there to you know, bring people together. Let's analyze stuff. Let's analyze malware. Let's analyze exploits. Let's take apart packet captures you know, Project Honey net was going well. That was really fun. All those exercises, the honeypot or honeynet challenges I think that's what they were called in.
VAMOSI: So Daniel changed his day job.
CLEMENS: I was hired into another job at a corporation called HealthSouth. They were one of the first companies that had been charged by the Department of Justice for basically Sarbanes Oxley violations to the tune of, you know, $4 billion or something. And so, myself and another individual named Rob Farrell, we were brought in to start a security team. And so we were basically you know, we started doing enterprise monitoring packet captures, you know, decryption, replaying all the events, incident response, all the assessment work, that it was a playground, you know, I got to do everything. And then they started sending me to, you know, get training on how to formally do forensics and get all the software and all that kind of stuff. And so I started doing that. You know, so I started just looking into as many things as possible, you know, and you know, I was probably 22 at this huge enterprise. Just, it was a field day for me and I loved it, you know, and that was the beginning of really kind of, I guess, the foundations for moving between assessments, you know, offensive stuff and investigative stuff. And from my perspective, both were fairly the same. It was just a different outcome and different tools.
VAMOSI: It’s interesting. We often hear how a hacker would use some of the same tools, offensively, defensively or even investigatively. Like a knife: It can be used for both good and bad.
CLEMENS: So, I guess, a criminal hacker? Yeah, they were using, you know, whatever means they could to get access to things. But from my perspective, since I already had a background in and you know, building exploits, analyzing those things, I was big on you know, protocol analysis when it came to forensics, the the analysis workflow for doing forensics and investigations in general wasn't that much different. than trying to find a vulnerability in an application from a high level perspective, right. So, you know, like, with, you know, assessing, assessing an application you know, you're looking for all the all the small vulnerabilities the the Medium, Low, the high and then stepping back and letting your subconscious kind of fill the gaps there on how to put together the pieces forensic so that's a sequential process and then a visual spatial process of creativity. And, you know, I kind of felt like, investigations were similar because you have a very sequential structured process, but then you have to step back and there's this visual spatial correlation that you'd have to start putting things together and have multiple elements to support a theory and to me, that was very, those disciplines were just two sides of the same coin in the end, because it was still you're, you're still dealing with memory, you're still dealing with computers. You're still dealing with different artifacts, you know. And they're just different tool sets, really. So that was, that's where I started. My first company was just thinking that would be normal. You know, the that the merging of those two disciplines was normal. However, I was a little tone deaf to how that wasn't normal.
VAMOSI: Hmm. So the tools aren’t enough alone. You have to get creative with it. You have to think like a suspect, and imagine their world. How does that play into your work?
CLEMENS: Yeah, so Open Source Intelligence, a lot of that, for us is target centric. And what I mean by that is, I may have one or two things that I have. I have a starting point on where I want to enumerate breadcrumbs for somebody online. That could be an email address, a phone number, an alias and then it could be a name, but usually, that's not what you have. You're trying to get to a name, or location. And so usually, when I'm looking at open source intelligence, you know, like, you know, an email address is going to tie to a Skype account, a Skype account is going to tie to an alias, an alias is going to tie to a Yelp account, you know, and then the Yelp account, Yelp, Yelp or food review sites or adult websites or anything where there's pleasure. And that could be likes or dislikes or anything like that, on our social media platform. It opens up the opportunity that the person that usually put in those Yelp reviews is usually in a heightened state of emotion. of pleasure, or rage, where operational security levels are much lower.
VAMOSI: In infosec we talk a lot about OpSec, good and bad. Remember that -- when you’re in a heightened state of emotion -- either pleasure or rage -- you’re bound to have some bad OpSec. Let your guard down. And this is when criminals will tip their hand, with start to reveal themselves online.
CLEMENS: Right. And so, from my perspective of the value of open source intelligence, in that vein people are making assumptions and assumptions are the mother of all mess ups. And that's where we adapt to that situation with open source intelligence and think, you know, our, our strategy is, let's go find everything in the universe that fits a few different human nature patterns. Because human nature won't change. And then someone's going to make the assumption who's going to put together these 200 different sites and these little breadcrumbs. Well, we did you know, so it creates this very interesting, you know, mosaic when you start looking at it by you know, hey, I'm going to pivot on an email address to an alias to phone number and every small piece of information that's on every single site, there's always something and so what what we found is, is sites like you know, your Yelp or your food review sites, those are very helpful in an investigation to give an approximation of where that person might live, and what their patterns of life are.
VAMOSI: Has he done this in real life? Daniel provides an example.
CLEMENS: I would in a similar vein, one of my, one of my favorite stories is catching a human trafficker. And what, what he had done and where he was in his story, was, you know, when I started looking into him, he's 2425 years old. hardened criminal. He is being searched for by law enforcement, holding people against their will, I mean, selling drugs and engaging in human trafficking.
VAMOSI: So how does Daniel start to find someone who doesn’t want to be found necessarily?
CLEMENS: I ended up just kind of trying to build a picture of well, if I was this guy, where would I be? What would I do? What is my day look like? And contrasting as many questions as you can about a target to what your old school methodology of recon is on a web server, or a network is still you know, you're still looking for as many clues as you possibly can to build an attack pattern. And so, when I kept looking into this guy, I just thought, well, let's just keep rolling back in time, until I found a picture of him with all of his friends in high school. And they all had I found their like, MySpace page where they were a rap, a rap crew, you know, they had their own rap gang. But they all had aliases, you know. So I just slowly started taking apart every single alias to figure out who the real person is, look at the photos, look at you know, reverse photo image searches and you know, mapping those folks together until I could find the primary target's mother and their original Facebook page. So I had a MySpace page and I found a Facebook page and the only person who liked it was his mom. So putting all those clues together in going back in time is really helpful with open source intelligence because it helps us create a story before operational security kind of took root. And that was a key point in figuring out, you know, where this guy really lived, and where he was close to in proximity, you know, at least parts of a city where we could say hey, we need somebody to go in there and try to do surveillance and find find this guy with this car and these types of identica
[MUSIC]
VAMOSI: Think about it. Have you encountered anybody who was fairly meticulous from an early stage in only putting out what they want online so that their identity would be hidden? Given what we said that emotion creates bad OpSec, I would imagine someone like this would be unemotional, flat. Only then could be literally an enigma. Or a cold blooded killer.
We’re going to talk about a few mass murders in this next section. And I want to be clear,
shortly after mass shotting at the Marjory Stoneman Douglas High School in Parkland, Florida, the mainstream media adopted a policy of not naming the mass shooter. This is done in part to rob them of any notoriety. And I agree. They are not heroes; they are cowards. So I’m editing out the names of the mass shooters mentioned in this next section. It’s relevant we talk about them because some of these individuals strived for zero profiles. And, given to emotion, either rage or pleasure, they failed.
CLEMENS: Yeah, there's always the zero profile profile. Right. So that's, I would say, that's fairly rare. And, but that in itself creates its own profile. One of the good examples, I would say somebody that had really good operational security was the Vegas shooter, the guy who did the active shooter situation there.
NBCNews : in a matter of seconds a Country Music Festival turned tragic a storm of gunfire raining down upon an innocent crowd he was shooting everybody and there was dead people everywhere and I don't even know what was happening there was just it was a shooting it started at 10:08 p.m. first reports of shots fired a singer Jason Aldean performed initially there was confusion many wondering if the sounds were part of the show but they quickly realized what was happening a gunman perched on the 32nd floor of the Mandalay Bay Resort had opened fire on 22000 concert goers all of them scrambling to find shelter wherever they could we were laying down on the floor
VAMOSI: This mass killing hits close to home for the infosec community. The Las Vegas shooter had a room on the 32nd floor of the Mandalay Bay hotel. This is the hotel where the annual Black Hat USA conference is held. This mass shooting is also why hotels along the Strip now claim the right to enter your hotel room at any time during your stay to look for weapons. The shooter on the 32nd floor of the Mandalay Bay hotel was able to bring suitcases full of weapons into his room, then fire countless rounds into a crowd of 22, 000 gathered across the street for a Country & Western concert. 58 people died -- it is the largest mass shooting in United States history. So far. Because the wave of mass shootings in the United States has not stopped. Not after Parkland. Not after Las Vegas.
What intrigued Daniel was, after the police report identified the shooter, he wanted to see what he could find. And for the most part, this shooter was an engima, very cleverly hiding his identity for years.
CLEMENS: I was very curious about who he was, what he did, what we could find after that event, because he was already deceased.Once you know his name was released, and everything, and he had really good operational security. But there were little things that he would do for organization. So I started off with a burner phone that he had. And I had email addresses that I could get out of you know, different, you know, online, things that were released about him during the case. And really just pivot on email address, and aliases. And then took each one of the email addresses I had on him and and took apart the email address into two things. One in a turn it into an alias and then one, an email address. And what I found was he would reuse the same aliases in the cities that he had bought property from. So it was always if I could find property he purchased in a city, it'd be part of the address would be that the alias he used for that time that he was in that city, which was really it was very weird, like he's a very organized, very methodical person, especially when it came to OpSec.
VAMOSI: We often hear about premeditation. This shooter planned well in advance. He even thought about hiding his identity when it came to the bullets he used.
CLEMENS: Like he did crazy stuff like he bought reloaded ammunition from a guy, I think in Phoenix, and when he did that he wore latex gloves. And then his fingerprints weren't on the actual bullets. In the shell case, the shell casings that he shot at people which is a really strange thing to me. And so I could just see this patternality of, there's a high level of operational security, but then he was super organized about it. So you don't see that very often, you know, and then if there's zero, there's no pattern whatsoever, that the next question is okay. Now, let's start looking into obituaries. Let's start looking into anything that can give us a line on the family. Because there's going to be a girlfriend there's going to be a mom, there's going to be a dad somewhere. And and operational security is only as good as the weakest link.
VAMOSI: Daniel mentioned that that type of personality is rare.
CLEMENS: Because especially nowadays, with the advent of social media and those type of things, people want to be connected online. They believe that that's how they should react to life, I guess. And so there's always a digital footprint, right? Most like 99% of time, but every now and then there's not that huge digital footprint for so
VAMOSI: Daniel mentioned a more recent case, an alleged murdered in Idaho that made the news. I’m sure this OSINT information will be used in a case against him.
CLEMENS: for example, the Idaho killer guy that was a few weeks ago, and I forget his name, it's okay that we don't need to know his name. I was able to find his Instagram account. And his Instagram account, he was following two of the victims. So that was interesting. And then the other interesting about thing about him was most of the females he was following. Gave me insights into he's living a very objective. He objectifies women a great deal. Like there's a lot of fantasy probably in his life, and probably not a lot of courage. So I would infer there's probably you know, an equal amount of rage you know? So that that patternality even though he had a very small footprint that was very similar to the Vegas shooter because when we did find some of his Stephen paddocks hidden profiles like he had a deviant art account. He was into child exploitation stuff and some some very strange I don't know, proclivities. I guess. Enough to put him in the category of he's he's very pleasure seeking and very objectifying of everything around him. It's all for him. It's very narcissistic. And so I have seen that in a few different cases over over time, and then but as far
VAMOSI: That’s not to say that Daniel hasn’t see someone who’s good at hiding themselves. They do exist. And they’re very often Spooks. Professional spies with good tradecraft.
CLEMENS: As the zero profile stuff, every now and then you'll see it with some spooks, you know, like, there's a certain pattern that we'll see with folks that are kind of spooky or it might be working for an intelligence agency. And you can see that, especially for folks that are under the age of 40, and then over the age of 40. So a lot of times over the age of 40. spooks they'll have operational security issues because they've made assumptions at some point. And then there's their they didn't have any tradecraft training on social media and not just social media, but how they present themselves online. And it's pretty fascinating. I would, I would dare say, I think a lot of the Russian folks getting identified in countries is probably just laziness.
[MUSIC]
VAMOSI: At the beginning of this podcast, Daniel mentioned some of this early work. Remember he hung out with one of the creators of SNORT at Black Hat, then later had his own SNORT listeners out on the internet so he could contribute to the Code Red investigation when that happened. How much of this is Daniel working on his own? And how much of this an outreach from, say, a law enforcement authority.
CLEMENS: I would say pretty much 100% My own curiosity. Okay, you know, I that's just how I am. You know, there've been a few cases where corporations have reached out and asked saying, hey, you know, like, like when Anonymous was doing DDoS attacks. We got a call from one of the big financial institutions getting hit, saying hey, can you look into this and look into that, that tool and really looked for static values and protocol implementation errors and in HTTP, and how they like this is for the LOIC tool. And just wrote up, you know, hey, this is where they put the protocol wrong. You know, you can identify it every time it comes over the wire.
VAMOSI: The Low Orbit Ionic Cannon or LOIC is an open source stress test for websits. Bascially a denial of service or distributed denial of service -- in the hands of a pen tester. But in the hands of a hacktivist-- someone who is shutting a website to make a political point --it was powerful. The group Anonymous used it to go after the Church of Scientology for their alleged abuses, and for an attack on a recording industry company percieved to be blocking free speach, and later, in Operation Payback, an attack on financial institutions that blocked payment to Julian Assange’s WikiLeaks site. It was not Anonymous’ only tool, however.
CLEMENS: And then that, that in turn, turned into like, oh, well, we want you to do this for every tool that they do. And, and, and try to monitor that and so, but yeah, so it was that corporations reaching out have been more of the norm. And, you know, usually that's somewhere between someone at at some point had been on one of my old mailing list a long time ago, or it's just word of mouth. And, you know, I feel very fortunate to receive the call and, and jump in the details because I think it's cool. You know.
VAMOSI: Going into this interview I was kind of imagining that all along maybe Daniel was helping the FBI, that they might be leveraging his experience and knowledge from time to time. I mean he did start an INFRAGARD chapter, right?
CLEMENS: Right, yeah. And I mean, I think they're an interesting organization. I'm not a fan, you know, on this side of life of the InfraGard organization. I haven't ever seen them set forth a goal and accomplish it. So it kind of makes me a little more suspect of like, what was the original intent of the InfraGard organization to begin with? It seems like it was just there to have a network of people to try to approach us. And then, you know, not pay any fair, fair market prices on any consulting. Yeah. And so that's kind of my angst against that. the whole system and some of the FBI in general, you know, like, I think that the way that they treat people just in the information security community is a little I don't know, it's entitled. And they don't, they want everything for free. And that's just not going to happen. That's, you know, I got kids, I have a business.
VAMOSI: So what about the secret service side of the house. I wondered what Daniel thought about the Information Sharing and Analysis Center or ISACs?
CLEMENS: ISACs, they've been really good. Yeah. So um, and I think some of the self-policing in the ISACs with the analyst for the members of the ISAC has been really good to keep out people within the industry that are there to steal ideas from other people. Right. So I know that the ISAC has done a pretty good job there on that front, on self policing in other areas. You know, other groups and information sharing groups have not, which, you know, can put different people in different situations where they may not want to participate anymore if there's going to be somebody stealing their ideas and giving it to let's say the FBI or giving it to somebody to make themselves look cool. I think they've done a good job.
[MUSIC]
VAMOSI: So given his rich background in investigations online, how has Daniel rolled all this into his companies?
CLEMENS: gosh, well, very quietly so that's a hard question. Because it wasn't until last year, so as you know, I have two companies, packet ninjas and those guys just do assessments and find vulnerabilities and applications. And then Shadow Dragon and that's the open source intelligence stuff. In both areas, you know, we never had sales guys until last year, so that's going on from like, 2006 Until last year. And the strategy was just to do a good job. And we're never going to be good at blogging. We're not going to be good at external expression. We're just That's not who we are. That's not who I am. I'm good at conversations like this, where somebody can pull stuff out and we can. I like the conversation. But as far as trying to turn that into a machine that demands money, that's not good at that. I never was. So how that blitz how that all kind of combined over the years was just I tried to run things as a business. Do the best job that we can. Let's do our work. speak for itself. Don't look at what the competition is doing. Because that's not going to define your own reality. Define your own reality and strive for excellence. So those were some of the principles that I kind of like gravitated towards as building blocks and then, you know, quiet confidence will be my strength was another big idea.
VAMOSI: I’m curious though about the increase in the sales team. Was that a business justified reaction to increased competition?
CLEMENS: No. Well, I think that there's always competition but in the end, it doesn't matter, that there's more competition. What matters is your selling trust. And I think that that's what a lot of people sometimes forget is you know, even though like you know, we've got over 40 people in shatter dragging now and we have salespeople and all that kind of stuff. I still have to hammer on the guys like look, you know, if any of the sales guys get, bro we and salesy No, it's about grit, your selling trust, buddy, you know, and the moment you start selling a lightsaber that we don't have, you're out because we don't sell lightsabers. We don't sell. We don't sell grandiose stuff, you know, and the same thing for you know, packet ninjas. You know, those guys, they always have more work than they can handle. And the same thing at Shattered dragon. We're always busy but we're not busy trying to make artificial waves. And I don't think that's going to ever change because, you know, back to, you know, my whole point is, we're selling trust. You know, I gotta be able to look somebody in the eye and be like, Yeah, you know what that does? Or, you know, this is this is the stuff this is how you want to put it together. You might not like it, you might like it. I don't know, you know? So, I think we got lucky on a few things. I was stubborn on some architecture and design stuff that we've put together over the years and then I was very particular about the engineers that we hired and just holding them to a high standard
VAMOSI: I really like the idea of merit-- that if you are good at what you’re doing, you should advance. Too often we see people who are not good at what they do get promoted ahead and … that’s not right. If you’re striving to always be the best, why shouldn’t you be rewarded. For Daniel, this quest for success started at an early age.
CLEMENS: like kind of rolling back in time. Back to growing up. I went to a private school, and so did our CTO, Elliot Anderson. We went to the same school actually. And it was self paced learning. And you taught yourself how to learn, really, there were weak daily goals, weekly goals, quarterly goals. You did all the work yourself, and you took the test in front of the teacher. But if you got an 89 it wasn't I thought that was normal my entire life. Until you know probably my mid 20s. And I got married and my wife and I are talking because we had remapped later on in life. We went to the same school together as well. And I was like, man, you know, like, sometimes we have high expectations. You know, she's like, I think 89 is enough stuff, you know? And so I think that's one element that is is definitely, you know, infused into management or management style here at shadow track and as well as kind of like this old school Texas style, jump, you know, jump in the deep end type mentality and if you need help, let us know, but, you know, nobody's gonna babysit you. We just expect if you're failing, you'll learn and you'll ask for help and we'll help you as a team.
VAMOSI: Around the time of this interview, Matt Blaze was tooting on Mastodon about phone phreaking. He said a lot of people get it wrong. It's mischaracterized that phone phreaking was to get inexpensive toll costs so that you can get the big computers. He said, No, we were just learning. We just wanted to explore the phone networks. We totally missed that in in representing the phone features and it just blew me away and I'm thinking about talking to you about the old school hacking versus today.
CLEMENS: Yeah, learning and curiosity, curiosity. I mean, I love when I'm interviewing guys, and I can see that spark. You know, like, that spark is a rarity and you have to look for it. I would also go out on a limb to encourage the listeners that are running security teams. Look for the guys also that are on the spectrum. You know, those guys have spark. Those guys have curiosity. And they're going to be a little harder to manage. But oh my goodness, you know, your team is going to explode. I can't say that enough. Because I think a lot of times people are gonna look for like, I want a rock star or I want somebody to fit the slot. That's just perfect. But hey, go off the beaten path just a little bit. And there's some of the spark coming from that group of folks is just amazing. And I love it. I love that whole process. I think so. And I think I would like, if there's a way that we could recreate part of the 90s Right. I think that there's a space for that. I keep joking about that. Someday I want to I want to have like this idea of of having a hacker house and the hacker houses you know, a typical, you know, old Victorian four storey house and at the bottom level, are the guys that just come in to college are freshmen, that top level are the guys getting their masters and the house only can have 10 to 15 people but as they're growing in their capabilities with hardware network, and, you know, messing around with CPU architecture, and computer science and life skills, they eventually emerge to be on the top level of the house. And I think there's a way that we could recreate the 90s Maybe with a nonprofit that builds these at different universities and put some curriculum around it, you know, I think they are but I think that if you could do it for a four to six year period of time. It's treated like an equities problem, right? Like, we know that this is going to mature over this amount of time and then get the sponsors to pay for that which would be you know, either the government sponsors or the corporations or whatnot.
VAMOSI: If I'm young today, and I hear this podcast and I want Daniel’s job what do I need to do? What would be Daniel’s recommendation today because it's not the 1990s it's not the early 2000s.
CLEMENS: Yes, so I would say you know, like, so we have a few different interns that do come in. And we give them different goals and tasks, you know, so some of the things that I do ask for to begin with, like what are you doing in your free time at home with technology? And then what are you? How do you use technology in your own personal life to make it better? And then I also start asking them like, you know, what are you trying to pursue, what do you want to pursue and if they're, if they're just barely receptive to any suggestions of books to read? Or you know, old FRAC articles to read, you know, then I'm, then I have something to work with, but if they don't take any advice at all, and they just think, Oh, I've got this certification. I've got this, you know, these certifications in these, you know, degrees then usually they're not listening and they don't want to, they don't want to learn anyway. So it's really do you want to have a dialogue? And then do you want to be passionate about it? And so, I, I always tell my kids I'm like, Look, you know, like, I didn't finish college, but I was a nerd like every day of my life for all of my 20s and, you know, obviously 30s as well, but you're gonna spend if you spend time on it, you're going to, you know, it's going to take you to places you never thought you know, I was just a punk kid with dyed red hair, looking at TCP IP illustrated, you know, and trying to learn that and then, you know, 20 years later, tracking down human traffickers with technology I made for a totally different objective. And, you know, so like, when I felt that emotional reality, that was it, you know, the hard, the hard work pays off in the end and you never know where it's gonna take you. You know, and just don't work 35 hours a week. Right, like, show up on time. I mean, these are some basic life skills, but they got you to say it.
VAMOSI: I’d like to thank Daniel Clemens for getting all nostalgic with me about the early days of hacking. And also his incredible investigative skills in uncovering the backgrounds of the some of the criminals we see in the news.
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.