Jan 3rd 2018 by KillerPokeGames • 28 Questions • 38 Points
I am an infosec professional and "red teamer" who, together with a crack team of specialists, is hired to break into offices and company networks using any legal means possible and steal corporate secrets. We perform the worst case scenarios for companies using combinations of low-tech and high-tech attacks in order to see how the target company responds and how well their security is doing.
That means physically breaking into buildings, performing phishing against CEO and other C-level staff, breaking into offices, planting networked rogue devices, getting into databases, ATMs and other interesting places depending on what is agreed upon with the customer. So far we have had 100% success rate and with the work we are doing are able to help companies in improving their security by giving advice and recommendations. That also includes raising awareness on a personal level photographing people in public places exposing their access cards.
AMA relating to real penetration testing and on how to get started. Here is already some basic advice in list and podcast form for anyone looking to get into infosec and ethical hacking for a living: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/
Proof is here
Thanks for reading
EDIT: Past 6 PM here in Copenhagen and time to go home. Thank you all for your questions so far, I had a blast answering them! I'll see if I can answer some more questions later tonight if possible.
EDIT2: Signing off now. Thanks again and stay safe out there!
What was your quality of life like after you quit your job, and how were you able to continue with your goal? As someone considering a freelance profession, this is the main thing that scares me.
What was the status (class) of your dad before the October revolution? What were the contents of the messages he sent to people on the outside?
Have you ever gotten in trouble with the law? I mean as in, the police got involved before you could pull out whatever papers allowed you to break in etc?
I live minimally so I've continued with my usual cost of living.
However, with that said, my income this past year has been the lowest it's ever been, and if this game doesn't start making more sales, then it would have been a year wasted.
I don't suggest doing this unless you can comfortably afford to risk it.
My father was a photographer which would be middle class. The messages he sent to his parents were about his wife and children - the usual stuff discussed between parents and children. He was never involved in politics which meant that he was not a member of the Communist Party.
Companies and organisations usually rely on their own security services and departments first before escalating to the police, which is part of the process we are testing. Although we usually have a "get out of jail"-letter in the back of our pockets stating why we are there if things do escalate; we never had to deal with the law or the police and we intend to keep it that way =)
It's been quite shit to be honest.
I expected to get more exposure on steam, but since they now accept dozens of games a day, it's like trying to have a conversation with everyone screaming around you.
The game has been well reviewed, but has been unable to get any traction in sales and exposure.
Getting reviewed by steam curators is completely pointless.
Giving out keys is completely pointless.
Using keymailer returned 0 reviews and only risks having your game be leaked on a torrent site.
From what I've seen, there are 3 routes you can take to make your game a commercial success.
1. Sell yourself and not the game.
Many games that end up selling well on steam aren't necessarily good or fun games. They're mostly memes, jokes, or the person who released it has been a controversial social media figure. This takes months to years to build up and it's not the route I took. That's why I ended up buying games like super meat boy and limbo.
Both beautiful games aesthetically, but not games I played for more than 1-2 days.
I only bought them after the exposure they got with the news articles and the Indie Movie.
2. Have an IN.
Many mediocre games have done fairly well financially because the person who developed the game knows people who could get exposure for the game.
If 1% of people who know about your game end up buying it, 1% of 0 people is still 0.
Getting a review on a gaming channel, being promoted by steam, or having a review written by a mainstream website will ensure you get sales, regardless of quality of the game.
3. Buy its success.
If your game isn't going viral on its own, you can always force it to.
Buying game reviews, buying youtube reviews, buying adspace, sponsorship, etc.
Everybody is for sale if you can afford it and if you have money to throw away, everyone will gladly accept it.
I have spent $0 on advertising and as a result, my game, though highly praised by everyone who has played it, is a commercial failure in my opinion.
I'm about to re-release it on google play, but I doubt it will make a difference there as well since I don't have IRL tv commercials like clash royale or a botnet to seed it like flappy bird.
Anyways, a tl;dr is that you have to spend almost all your effort on marketing because gaming is now about everything except the game.
I think it was the spiritual crisis caused by discrepancy between the rosy propaganda and totalitarian reality that made the Soviet people lose faith in the system. I think there is a lesson in this for us.
In percentages, how much of your work is hacking in the old sense, like reverse engineering, digital tampering and usurping some kind of computer or other electronic gadget? How much is social engineering, role playing and in general would not need a keyboard?
I've already spent over a month on twitch getting streamers to try it, but none of the streamers with more than 20 viewers even respond, let alone play it.
The Soviet propaganda painted the United States as an almost fascist country where everyone was being exploited by the capitalists and wished they lived in a Communist country. One couldn't read Western newspapers or books and did not have any information about real life in the West. The fact that no information was available from the West did not give us an opportunity to compare the two systems. I did not believe them and, having studied in West Germany after fleeing the Soviet Union, already knew what democracy was all about.
Information gathering, pretexting and recon usually (there are exceptions) takes up 3/4 of the time spent on a job. Actual time on the customer network itself is usually only a few days compared to the many weeks of preparing phishing and social engineering scenarios because we will already know where the systems are we have to access and already have gathered so many credentials to be able to access them. Most time spent after that is actually finding the target data we are after versus what user accounts and roles give access to what. Good question.
So a white hat hacker? Also what's the easiest way you've broken in?
Yea, I have. 0 Viewers.
It depends on how you define "petty crimes". During the collectivization of farmers, theft from the collective farm of a handful of grain stalks needed for survival was considered a crime punishable by years of imprisonment. People stole because there were shortages of everything and among the population, stealing from the government was not viewed as a real crime. In general, petty crime was common.
Edit: People had to remove windshield wipers when they parked their cars for fear of them being stolen.
Knocking on the window of the kitchen at the back of a large office building where the target office was located holding a box that was empty.
What is some of the craziest shit you've done while breaking into buildings?
I can't wait for it.
There isn't going to be enough psychiatrists to cover all the trauma that fully immersive VR will create.
"The Black Book of Communism", Harvard University Press, 1999
There are a lot of examples that come to mind. If I had to pick a few: breaking into an ATM in the middle of a mall while hundreds of people pass you doing their shopping (and not caring because you are wearing the ultimate cyber weapon: a fluorescent vest). Walking through the basements of a dark data center of a financial institution after business hours and almost getting locked in. Replaying an employee's fingerprints on fingerprint access control readers using toilet paper. I'm sure there is more stuff that I am forgetting but those are the first things that come to mind.
What languages did you use, and what skills do you think are needed to pull off a simple web game with simple graphics/animation?
I was thinking a solid grasp of html/css/js/php. ruby, python? Was also planning on having entirely server based operations for security, so backend database (mysql? for multiplayer and preserving data). What do you think of Node?
How do you think things would have turned out if Trotsky had been able to succeed Lenin instead of Stalin rising to power?
Thank you for your question. I have answered this above: https://www.reddit.com/r/IAmA/comments/7n2s34/iama_survivor_of_stalins_communist_dictatorship/drymmya/
If you are using an optical fingerprint reader i.e. a piece of glass serving as the touch surface, then a latent print might be left on the reader. If the reader is wrongly calibrated and/or misconfigured then a piece of damp toilet paper on top of it can replay the latent fingerprint.
Are you going to release on other platforms?
When should we expect a release of your new Battle Royale game?
What inspired you during creation of this game?
If you could choose again, would you take the same path?
What would be your ideal method of governance?
What was the size of your red team when you started? Do you have a team that competes in CTF events?
Are you going to release on other platforms?
Yea, I finished going through the ordeal to get the game to compile for android and I'm going through the process of submitting it to the google play store right now.
When should we expect a release of your new Battle Royale game?
Hard to tell. I have a beta build of it up live right now, but none of the testers I know have played it for more than a few hours.
IMO, it doesn't have the hook perfected yet.
The addicting excitement of winning a BR match.
It's likely because I removed most random factors and focused on skill rather than luck such as item drops.
I might have to go back and redesign it to risk a release.
What inspired you during creation of this game?
During the creation, I wanted to make people excited, happy, angry, confused, scared, and just about every other emotion.
I wrote down hundreds of level ideas and picked the ones I thought were best to develop into actual levels.
Some were flops and were removed.
Others were too boring and had to be redesigned.
But overall, if I watched a beta tester scream, cry, laugh, or any other severe emotion, I knew it was a good level and worth keeping in the queue.
If you could choose again, would you take the same path?
As things currently stand, I would not because as much as I liked making games and having people play them, the goal was to make it financially viable so that I could continue doing it and so far it hasn't been able to make nearly any returns to justify continuing.
However, I'll keep at it for a while longer to see if things turn around.
A red team assigned to a job usually consists of 3 to 4 people depending on the skill sets that are required with 2 people being on the job on a constant basis over a period of a few months in order to ensure realistic results and responses from the target company. We sometimes compete in CTF events if we have time.
This sounds like a dream job. When it comes to legal means in attacking networks, are there any tools, methods that are actually illegal?
Do you think it would be a better solution to do game development full time, quitting the current job or is it better as an after work project?
I don't recommend quitting your job to pursue game development since there is little chance of actually making money with it.
Also do you think it’s possible to build an open source game (a GitHub open project) if I don’t intend to sell the game and only make money from donations, just enough to keep the servers up and maybe some marketing?
Donations are the worst possible source of income for funding projects.
People rarely donate. Unless you manage to hook a few dedicated players who are willing to basically pay for everything on your behalf, you won't be able to pay server costs, let alone marketing.
I think it is democracy in which the opponents are not considered to be enemies, as we had it in the second half of the 20th century.
If you think this is a dream job, we are hiring: https://www.f-secure.com/en/web/about_global/careers/job-openings
Why wasn't Stalin assassinated?
What do you think of the Russian War effort in WW2?
What do you think of Putin and his role in Syria?
What is a good book that provided a fair analysis of Communist Russia?
What does your hacking kit look like? Could you list some (or even your favorite) tools you're using in your daily job/life?
Depends on the type of game you want to create.
If it's a single player browser game.
According to rumors, Stalin was assassinated by Lavrenty Beria who arranged for a larger than normal dose of blood thinning medication be given to him. Beria felt his life was threatened when Stalin was preparing another purge of the leadership.
I am not an expert in matters of the war.
As for the book question, my new book "A Brief History of Communism" analyzes life in Communist Russia.
Here is a selection that we usually bring on the job and after carefully planning our attack plan using at least two to three attack waves spread out over a couple of weeks or months:
- USB Armory, to have a self-contained system with everything you need
- Multi-band WiFi dongles with Atheros chipset suited for frame injection
- Proxmark EV2 or custom RFID/NFC copiers for access-card stealing or cloning
- Magspoof for access-card stealing or cloning
- Weaponized PocketCHIP / Raspberry Pi / Beaglebone with LCD display for WiFi hacking using a rogue access point. But also for running tools on the go such as network manipulation, credential extraction and man-in-the-middle tools
- Rubberducky or teensy for fast typing of payloads when required
- USB keyloggers and USB extension cords either stand-alone or WiFi enabled
- Duct tape and straps to install rogue network implants for later persistent network access
- Extension cords and network cables
- Bluetooth headset earpiece to stay in contact with my colleagues keeping watch
- Lockpick kits, bump keys, jiggler keys and other lockpicking tools
- Pliers, wrench, screwdrivers for breaking down a lock or door
- Camera to photograph evidence and findings
- USB thumb drives tied to a lanyard and old keys to be "left" in bike sheds and parking lots containing interesting and enticing content for the lucky finder
- Fake paper access card and badge holder
- Banana, bunch of papers or other things to hold in your hand. People who have something in their hand walking around the building are usually not regarded as suspicious
- Disguise and clothes if you have to switch roles. You might have come into the building as the smoke detector check-up guy and might have to transition to a suit and tie to be able to get into the executive offices in another wing of the building
If someone is planning to learn a computer programming language, which language would you recommend to that person, which would help the most in pen-testing?
I decided on the $2.99 price tag so that it would not be the lowest, yet still be under the $5 price tag.
One of the main issues I have with my game is that photos and recordings are not able to convey the gameplay very well. You can't take a picture of a sense of accomplishment or of people figuring out the puzzle after struggling so hard to solve it.
So to give it a fair chance, I priced it relatively low to entice buyers, but enough that it wouldn't be a loss.
However, it seems that by trying to compromise in the middle, I've gotten neither.
The fact that he is approved by 80% of the Russian population shows that because Russia never had a real democracy, an autocratic government is acceptable to a majority there and so is Putin's objective of restoring military power and influence in the world.
Everything is geared towards Python these days so having proficiency in Python and scripting languages such as Powershell/Bash/etc will give you a lot of options when having gained access to systems or when wanting to develop something. Check out the grayhat hacking and blackhat hacking book series.
What party/ideology do you identify with in the US? What do you think about Bernie Sanders being painted as a communist for wanting to incorporate socialistic programs into our capitalist society?
What is the weirdest thing or setup you encountered during paid or unpaid hacking?
I am in the middle of the road between the republicans and democrats.
We should differentiate between Communism and Socialism. Bernie Sanders is not a Communist. I think he would like to see a system more like what they have in Sweden, which is a monolithic society and would not work here.
Finding video surveillance and access control management systems exposed to the internet without firewall. Finding "this is the backup of the entire website.zip" in the webroot of a production server for a bank. Being able to guess the password of the network connected guest badge allowing us to print our own guest badge every day and just walk in the building (the password was 12345). Production level financial information servers running under the desk of a sysadmin because of internal IT politics and tensions. A company with a garbage container outside containing hundreds of computers and hard drives in perfect working condition containing passwords, documents, financial records, etc.
Once breaking into an ATM in a major retail chain we triggered the seismic alarm and it started to make a lot of noise. When looking around no one even looked at us. Until a child, trying to go through the revolving door to get into the mall, touched the glass wall of the revolving door triggering the alarm and stopping the door for a couple of seconds as part of the security measure. The glass revolving door alarm sounded exactly like the seismic alarm of the ATM and thus no one cared =]
As a survivor of Stalin's regime, what would you say to demonstrate how bad it really was to someone who's romanticizing the communist ideology?
Like the movie Sneakers?
Stalin's regime caused the death of over 24,000,000 of his citizens. They killed my father and many others just for writing a letter to their family abroad. They starved millions of people during artificially created famines in order to force farmers into collective farms.
I would recommend reading "Gulag: A History" by Anne Applebaum.
One of the better - if not the only real - red teaming movie out there with a killer cast. I love it and watch it at least once or twice a year. No more secrets Marty.
Do you think that the hardships you endured are related to an inherent evil in Communism? Or is it that the people in power were corrupt?
What I mean is, do you think in a perfect world Communism would work and the problem is we are imperfect creatures, or is Communism evil even if it is implemented perfectly?
Pain? Try prison. I've already done that. Maybe you've heard of a few? Wait, a computer matched her with him? My voice is my passport. Verify me. Shoes? Fancy. It would be a breakthrough of Gaussian proportions. But no one has figured it out. Yet.
I find myself quoting that movie all the time.
Considering that the same system in other countries like China, Cuba, and Cambodia led to the same results, it shows that it was the system that is incompatible with human nature. It couldn't be implemented in any other way. Powerful people in other ideologies are also corrupt and yet they did not murder millions of their own citizens.
There are a lot of things "bursting with ultrasonic" in our conversations at work
What is your opinion on educated people in America who openly support communism, as well as dictators and their dictatorship?
As the son of a Cuban whose family was prosecuted and killed in Cuba, it infuriates me to hear people who praise those like Castro. So many people see only what they want to see.
Edit: after some responses and questions I went to talk to my father about the family history. Turns out my direct family (grandfather, pregnant grandmother) left Cuba because my grandfather, a doctor, helped both Batista's men and the men they were fighting during a shootout. Batista put 500,000$ on my grandfather's head for aiding the others. They also disagreed with Batista and later Castro, who ran the rest of my family out of Cuba.
My father said to relay a few things, first that Batista was bad, no denying that, but Castro was worse in his opinion. Batista was a murderer, but he mostly just messed with the political class and left the rest alone if they didn't interfere with the money. Castro messed with everyone, and ran the country into the ground.
My grandfather, Maximo/Luly Viera, was smuggled out, while his cousin Mingolo was not. Mingolo was on Batista's bad side, so he was caught, shot 150 times, and thrown on his mother's front porch.
Edit 2: My father said to post, if communism was so good they wouldn't need fences and walls and machine guns to keep people in.
How did you learn to do everything including experiences and education history?
I think these people are not sufficiently educated because schools are not doing a good job teaching history. I wish history teachers themselves knew more about what went on. Those who don't know the past are liable to repeat it.
Work as a system administrator when security consultancy simply didn't exist. Work as a network engineer and web master. Learn about where companies drop the ball when it comes to inter-company or inter-department communication and responsibilities. Learn where companies cut corners and try to exploit those. Learn social engineering and what drives or upsets the meatware i.e. the people working there. Have expert knowledge about operating systems, networks, web, mobile and other facets. Check out this list of tips to get started: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/
Hi Mr. Konstantin,
Thank you for making yourself available for an AMA. I stumbled late onto your AMA last year and commented on how influential your book was to me while I was in high school. Your grandson Miles came across my message on that thread and reached out to me last week that you'll be doing an AMA and again reached out earlier today to let me know it was up - thank you, Miles! This actually reminded me the book would be a great gift for my sister who is interested in studying 20th century history - I found the last hardcopy on amazon at the moment :D
I have a few questions if you are able to answer:
Are you still speaking at local schools on life in the USSR? Do you have comments from speaking with students/teachers on your life? You comment on how education does not sufficiently emphasize lessons from history, and I think hearing and seeing someone speak, or writing personal accounts, will likely always be a lesson that finds more connection than watching an aged documentary or reading from a dry school textbook.
Apart from writing, do you have other hobbies?
Do you think communist or other harsh political ideologies would be harder or easier to find root today compared to the early 20th century?
Thank you - best of luck to you and your family in your business and personal endeavors!
Sorry if this already got asked, but what’s your opinion on shows like Mr Robot? If you watch it, how possible is a scenario like that? Do you feel like the show addresses all parameters required to pull off a hack of that scale?
Thank you for your message.
I am no longer speaking in schools, but I am still being interviewed occasionally in local libraries. I found that most history teachers I met are not knowledgeable about Communism and therefore their students are not familiar with it.
As for hobbies, I try to follow scientific developments in all areas.
I think that with jobs being lost to automation and artificial intelligence it may become easier in the future for these ideologies to take root.
Mr Robot is being praised for its realistic portrayal of hacker tools and attacks and it is indeed a fun show in how they show how simple it can be to compromise something. They get the occasional thing wrong and I always find it refreshing to hear Sam Esmail and team talk about how they actually fix the things they got wrong afterwards. But it is and remains a show. I don't think we are going to see anyone trying to melt backup tapes anytime soon but I like the cyberpunk aspect to it ;)
Is it communism or dictatorship and lack of free speech that made life under Stalin so bad? Can you have a democratic communist country with free speech?
Have you ever seen the show White Collar? If so, what are your thoughts on any of the cons on that show? Your story had me thinking of the ep where Neal/the FBI break into a bank to demonstrate weak points in its security.
A Communist system cannot tolerate another political party or ideology. Therefore, perhaps only after they exterminate all of their opponents, they would accept "free speech" from their supporters.
I have not, will check it out thanks.
Do you think Trotsky would have been able to bring about a more wholesome, successful, and supportive form of socialism than Lenin did?
How do you feel about contractors contracts significantly limiting your attack surface?
Since Trotsky wrote, "The Red Terror is a weapon used against a class that, despite being doomed to destruction, does not wish to perish," I do not think that his rule would be any more benevolent than Lenin's.
We usually get in pretending to be the contractors themselves
What do you feel about the current state of the American hard left? And the polarization of the political landscape in general?
How would one get started doing this?
I think that the hard left is balanced by the hard right and neither are compatible with democracy as we know it. This is the most polarized time in our history and I think this too shall pass.
Thank you so much for taking the time to do this! Your insights are fascinating and I'm definitely hoping to pick up your book soon!
Do you think there are any artistic/fictional representations of life under Stalin's regime that have a particular resonance with your experiences?
How do I protect myself as a normal user best from cyber attacks?
Yes, there is a Russian movie with English subtitles that is called "Burnt by the Sun" which is available on Amazon.
How do you feel about all the memes and jokes about Stalin, Hitler, and communism in general? Are they offensive?
I read that you are from Belgium. As a Belgian Computer Science student who is also interested in (Software) Security, is there any University in Belgium that you recommend for getting my Masters?
I am not familiar with memes, but I do not find these sorts of jokes offensive.
I am no longer living in Belgium I'm afraid and my school days are long over. It all depends on your interests and what it is you want to do with information security.
What are the books that you would recommend to people who are already into hacking and who would like to acquire more knowledge on different hacking techniques as well as the way of thinking?
It kind of depends what domains you want to get better at. Most of the skills that are required are expert sysadmin skills, being able to program and script things together and having a solid understanding on how the technology works. But, also understanding what the caveats are of that technology being used in an organisation and how it can be used against that organisation. And for that you need to know what the daily tasks are of a sysadmin, network administrator, developer and deployment environments, how code gets distributed from the IDE to the production environment, how email environments work, etc. Basically how a company works and how it functions.
Rather than going the "hacking exposed" and other book series way which are more tool related and which will not help you in understanding; I am a big proponent of playing war games or hacker challenges. Learning by doing and getting your hands dirty on your own lab, writing your own tools and code is going to be the most productive for you to learn new things. But from a pure technical side I always recommend the following books as a bare minimum:
- The art of software security assessment
- Exploiting software and how to break code
- The tangled web
- O'Reilly's Network security assessment - latest edition
- The web application hacker's handbook
- The browser hacker's handbook
- Mobile application hacker's handbook
- Grayhat Python
- <Any book on your favorite operating system>
- <Any book on your favorite programming language>
- <Any book on TCP/IP>
- <Any book on ITIL and IT processes and procedures>
- All the books I forgot for which you are all facepalming right now
What are your favourite ‘war games’ and ‘hacker challenges’? From a 2nd year comp sci student looking to go into security!
Try http://overthewire.org and http://cryptopals.com and get involved with their communities. Look for any kind of challenge be it system or network based. SANS.org usually has a recurring hacker challenge e.g. their holiday challenge, as do the major conferences which they archive for later download and replay. As far as originality I like http://www.pwnadventure.com a lot.
Is protocol fuzzing something you leverage in your approach? How common is fuzzing in hacker community?
Red teaming seems to be a method of finding the weakest security links possible, but what about slightly more difficult vulnerabilities that you don't attempt to find bc they take too long to discover or you just miss them? Do you suggest more significant security program change within an organization after you exploit the low hanging fruit?
Fuzzing is more useful if you want to find vulnerabilities in a certain piece of technology. It is extremely rare we use fuzzing as part of a red team test but it has happened that we were able to fingerprint what software a company was using as part of their daily tasks, find vulnerabilities in it and then exploit those in a way that advances us towards our objective.
There will always be things that we do not find as part of a red team. We only need to find one way in. If a customer is interested in finding as many vulnerabilities as possible in a given solution, technology or process then we can offer that service to them as well but it kind of goes beyond what a red team is trying to achieve. Which is to test the resilience and monitoring capabilities of an organisation against a targeted attack where the attacker picks the attacks, not the defender. Once the detection mechanisms reach a certain maturity and most low hanging fruit is found, then and only then as part of an iterative process can more controls and processes be introduced.
Are there any programming languages that are better to learn specifically for ethical hacking?
If I had to pick two, python and powershell will help you the most, in no particular order.
Have you ever hacked all the things? Have you ever managed to drink all the booze?
Do you enjoy your job? I work server administration and I find myself disliking it more and more everyday. I would rather be breaking in than patching holes constantly it seems. I would like to learn more hacking do you have any educational sources you recommend?
I do - because I get to use my own creativity in order to see how far I can push a scenario that might result in compromise and use/develop some custom tools and techniques along the way.
How "lucky" is it for you that meltdown and spectre happened? Can you use that for future jobs?
There are easier ways to get into organisations than using these kinds of attacks which take a lot of planning and which might get you caught. But if we were to attack a VPS or cloud provider right now, it would be on our list of attacks to try it. At least until the window of opportunity closes and companies figure out what mitigation path to take in trying to respond to what we are seeing now as a result of spectre and meltdown. We usually focus more on the more systemic root causes of why breaches happen which is departments not talking to each other, shared cyber risk responsibility and not being aware of attacks across their organisation globally, among others.