Tommy DeVoss: From Black Hat to Bug Bounty LEGEND (Ep. 164)

Segment 1 (00:00 - 05:00)

We would just buy cool looking domains so that we could have like a 100 character long vhost so that it says like i.am.in.your.computer. tday dot and just these we would have like a whole message. — Best part of acting when you can just you know critical think right. Yeah, — dude. — Not sure y'all know this, but two of the most respected hackers in the CTBB community, Bus Factor and XSS Doctor, are now running monthly hackalongs on the CTBB Discord. Okay, you got to check this out. ctbb.show/discord. We find bugs almost every time we hack. It's crazy. And oftentimes it's not even the people running the hackalongs, it's the community members that are hacking along with us. It you definitely increase your chance of finding a bug by being on these hackalongs. So check them out. ctbb.show/discord. Join Bus, XSS Doctor, and yours truly. And uh let's pop some bugs. All right, let's go back to the show. Sup guys, got the This Week in Bug Bounty segment for you. Uh, YesWeHack dropped another great blog. Alex Brumens, I tell you, man, what a researcher. Um, this article that he released that I want to cover real quick called Python Pitfalls has some crazy stuff in it that I've definitely missed in prior assessments. So, check this out. The first one is in Python's os.path.join, which I've seen many times. So, in the example here, he says os.path.join passes in /user/uploads and then the payload received from the user. Right? Well, if you give it just an absolute path, it just ignores the prefix, right? So, if you give it as arguments, I'm trying to put this in audio for you guys. os.path.join, /user/uploads is the first uh argument, and the second is /etc/passwd. That will resolve to /etc/passwd. It'll just ignore the prefix uh which is super crazy to me. So, uh, yeah, don't even worry about path traversals. You can just put in the absolute path. Uh, very odd. Um, and then there's also this one down here. It's the same sort of situation. 
Uh, which is apparently urllib.parse.urljoin does the exact same thing but for domains. So, consider this. You have uh urllib.parse.urljoin. The first parameter is http://example.com and then the second parameter is http://evil.com. So you're uh you know providing an absolute URL. The output of that is evil.com. It just removes the whole example.com piece which is nuts to me. Um so Python's got some crazy weird quirks. Apparently, you should just be yeeting absolute uh file paths and absolute uh URIs everywhere into Python and it just will just accept it. Um so check out this uh article. We'll link it in the description. There's lots of other good stuff in here like pickle deserialization and stuff like that. Okay, so that's that. Um next is actually a quick announcement that I wanted to remind you guys. We talked about it on the Google Cloud episode, but um Google Cloud VRP is offering a bonus to all Critical Thinking podcast listeners. If you mention the podcast in any rewarded report between now and the end of April, you will get uh an extra reward, either cash or swag. Um so definitely want to do that. So drop some love for us in those cloud reports you guys are putting in and get yourself uh some swag. All right, that's it. Let's go. Let's jump to the main show. Dude, Tommy, man, I've been looking forward to this episode for a long time, and this is a special episode for me, as you guys know, because Tommy is a part of my hacker origin story, uh, especially in the Bug Bounty world. So, dude, I owe you a debt forever for introducing me to Bug Bounty that day. And the reason that happened was — Yeah, true. But you just showed up at my VCU college cyber security club and we're just talking about Bug Bounty randomly. How do you even remember how that happened? — Whoever the president was, I don't remember his name at this point. — Parker. Yeah. — Yeah. So, he had emailed me or reached out to me on Twitter. I don't remember which one it was. 
— And he had asked me um if I would come and talk to you guys about it. And I was like, "Yeah, I guess. " I had absolutely no idea what to expect. I wasn't expecting uh like 10 nothing against

Segment 2 (05:00 - 10:00)

y'all, but kids standing in a — What was it? It was like a computer lab. — Computer lab. We like grabbed a corner and stuck like a server rack in there. — Yeah. And Yeah. I wasn't expecting what it ended up being, but it ended up working out. I had let um both uh HackerOne, Bugcrowd, or I guess all three, and Synack. I had let all three of them know that I was going to go be uh going to be doing it and asked each one of them to send me some uh stickers and swag and stuff to get out. I think HackerOne was the only ones that actually did. — Yeah, you sent us gave us some good stuff. — Bugcrowd and uh Synack didn't or they couldn't end time something. I don't. But um yeah, he emailed me or DM'd me on Twitter. Has to do it. And since y'all were local, I was like, "Yeah, anytime." Cuz it's like 10 minutes from my house. — Sure. I'll pop in there. — Yeah. Whenever. — Well, it's funny cuz I was running, you know, he was my co-president and I was running the labs at that time, you know, and then you just showed up, you know, and I was like, — he didn't even tell you about me. — Yeah. — Oh, man. — And then he didn't even come. — Yeah. — He didn't even show up. — Shout out to Parker, man. I don't know if you're listening, but uh that was the most poorly organized thing that had the greatest impact. Um so yeah, definitely grateful for that. Well, um you know how we do it here on the pod. I guess we didn't even really talk about this beforehand, but typically on the podcast, what we do is have guests bring a vulnerability that they want to talk about, you know, and give us a little uh summary just to, you know, prove some expertise. Obviously, Tommy DeVoss, guys, we don't have much to prove here. Uh, a legend, but if you have anything you want to a bug you want to run by us or you can talk about your more recent fuzzing stuff or — um — Well, the fuzzing I can't talk about the bones yet. It hasn't been long enough to where I'm allowed to disclose them, right? 
— And I don't really want to make Google mad. — Yeah. — I like them being nice. Um, I guess my favorite bug is still from Yahoo in 2018 that bought me my GTR. — Um, I was in Las Vegas in October 2018. I had like moved out there halfway for most of 2018. And um, I was waiting for my friend Steve. We were going to go do something at night. I don't remember what it was, but uh he was taking a shower and he was like a I don't want this to come across the wrong way, but he took forever to get ready like a girl. Like it took him almost two hours to take a shower, do his hair and everything. And it's like, dude, no. But I was bored and I went and took out my computer and I was sitting on his um kitchen table and I didn't want to start hacking on anything new because it's like I only had a little bit of time. Could have had 15 minutes, could have had 2 hours. — Yeah, exactly. And I don't want to get into something and then have to stop it. Like this morning, having to walk away from the computer was driving me nuts. — I'm so sorry, dude. Not like literally he popped an RCE on one of his bugs as he was walking out the door. — Yeah. Like I literally did it and then I had to walk out the door. But I was worried about doing that back when I was at his house. So, I went and opened up my HackerOne reports and just picked a random SSRF from Yahoo and decided to start playing with it. And I had all kinds of success encoding the IP addresses in different ways to bypass because they used a blacklist. They didn't use an allow list. They used a blacklist and blacklists are very, very bad. — Well, I don't even know why it worked, but I was super stoned. So I decided that I was going to take the AWS metadata IP and instead of encoding the entire thing, I took just the first 169 and octal encoded that left the rest of the IP the same and it worked for some reason. I have absolutely no idea why you why logically it shouldn't have worked. Yeah. 
And I was just trying things because I was trying to pass time. Well, it worked and I got the AWS um credentials again. Oh my gosh. Then I went back into my reports and I pulled every single SSRF that I had against Yahoo from the last three years — and it worked on every single one of them. So I went and filed 18 new reports each for each one of them was a unique location and everything, but — they needed to go and update their deny list again. And they paid me 10 grand for each one. So I got the 180 grand and then — that's nut. Four days later, I flew back here to Richmond and sat outside of the dealership that had my GTR until they were open at 10:30 in the morning and told them that it was mine now. — Wow, dude. That's crazy. So, so you had um you went back to all of your previous reports. So that's one I think that's a

Segment 3 (10:00 - 15:00)

great takeaway for the listeners as well is like if you do have a short amount of time perhaps to hack, go back and look at a report that you think you may be able to bypass or something like that because then you don't have to find spend time finding something interesting. — Yeah, exactly. It's a great way and I mean things change. So even if it's not bypassing the old vulnerability, — they might have added new functionality to the exact same little area that you can quickly play with and you already know — at least enough about it to find some vulnerability. So anything that's different there, it's less of a learning curve to — to translate from not doing anything to instantly being excuse me to get in there and hack. — Right. Make sure you don't bump your mic when you're doing that. Um, yeah, dude. Totally. I think that um I think that the technique is really interesting, too, because obviously, so just to speak it out, you know, plain and clear, you had an SSRF, you were going to hit 169.254.169.254, which is the AWS metadata endpoint, which was going to drop back the access credentials. — Yeah, because I had already done it in the past, so I already knew the exact path and the key name and all of that stuff. So I was just trying to find a new way to represent the IP address that they hadn't accounted for. — Nice. And the way you did that was taking that first 169 and — just the first one because if you did any of the other ones it wouldn't work or if you did the entire IP it wouldn't work. It had to be the first 169 for some reason. I — I'll have to look that up. I'm not sure. But I imagine what happened there is that when you had that first octet encoded with four characters rather than three, right? Octal, it's like — it's like 02. It was like 0 — 526 or something crazy like that. Like it doesn't even when you're looking at it, it doesn't even look like it's a valid IP address. — Wow. — But — that's crazy, man. — According to Yahoo, it was at least. 
And I actually just saw recently um within the last two weeks I saw some other kid on Twitter post that he did the exact same thing. Not to Yahoo, it was for somewhere else, — but he did the exact same thing like just a couple weeks ago and it's still working. So, it's still something that is valid today. It's still one of the things that I try anytime I find something that I'm going to test for SSRF. — Wow. Nice, man. Good bug. I think that uh you were the first person and I don't know if to discover it at all, but you were definitely the first person I heard talk about the AWS metadata URL as well and also this octal encoding. So uh for a lot of the bug bounty community I think that was uh you know you were the introduction into that — for the octal maybe like I remember the first time I hit the AWS server was actually on Yahoo as well. I was sitting in AWS reinvent up in DC. — Yeah, that's right. Yeah. — I had gone up there because me and a friend of mine here locally, Josh, we had started a company here in Richmond for security — and um we wanted to go up there as part of the company. It was right before or right when I was leaving my previous job and getting ready to do Bug Bounties full-time. And that's where they taught me about the metadata server. I had no clue what it was. and I'm sitting in a talk there with my laptop next to Josh and then they told us about the IP and that it could be used to get the uh — access creds and everything and I was like hold up. — So then I actually sent Sam ZLZ a message because we had been hacking on Yahoo and there was this place in their small business. You used to be able to go and buy hosting and domains and stuff from Yahoo Small Business and there was a place on one of their main front pages where you could give it a URL and it would go take a picture of it for you. — Yeah. — And we used that to take a picture of the AWS access credentials for us. And that was the first time I'd ever gotten it to work. 
— It's so funny you t talking about this because I don't remember very much from that era at all of like what was going on in life and stuff like that. I remember everything that you just said like it was yesterday, man. Like the Yahoo domain I remember as well. — AWS stuff. I was like, "Wow, this is the most interesting thing I've ever heard and my brain just like clamped on it like you know. " Um, so very good times back in the day watching you and Sam terrible. — Oh, it was a lot of fun. fun and they had st like we weren't even finding anything crazy. It was just stupid simple XSS's and stuff like that because it — it's exceptionally hard especially when you've got a website builder as part of your product. It's exceptionally hard to do that in a safe way. And — yeah, it took Yahoo a while before they were able to do it. But it wasn't their problem. — That was good scope. It was good scope, man. — Yeah, I was sad when they took it out. — I was real sad. So, so you know, pulling on that thread a little bit, like you

Segment 4 (15:00 - 20:00)

I've already talked about how you're, you know, a part of my origin story as a hacker, but also you were a strong influence on Sam Curry and Corbin Leo, uh, and some of the other earlier on hackers, um, that kind of popped up in the scene and started, you know, going to live hacking events and stuff like that. Um, so I mean, was that something that you were always trying to, you know, do intentionally or was that just a part of you being early on in the Bug Bounty scene, you think? — Um, a little bit of both. Uh, I'm older than most of y'all by quite a bit. And um it's been really important to me to try and get younger hackers, including all the way down to kids like in middle school involved in it. Um I got curious when I was in — like late elementary, early middle school, — so I know about when kids start getting uh interested. So that's why I like going and speaking at middle schools. I haven't spoken at in an elementary school. I don't think that would be appropriate because I'm not sure that the kids in elementary school are quite uh knowledgeable enough about computers as a whole. Like they know how to open up Roblox, right? — Or Minecraft. That's about it. But once they're in middle school, they're actually — have the ability to take classes, programming classes, typing classes, and that kind of thing. And they're actually using computers more. — And I don't want them to make the same mistakes I did. It's uh I have been having this conversation a lot the last couple of weeks, but when I started, — we didn't have virtual machines. a lab that you could go like tryh hack and try to hack and all of that kind of stuff. We didn't have any of that. Our practice was the real world. We had to go and hack real systems. And if you wanted a challenge, you had to go and make really stupid mistakes in hack government military systems. — Yeah. Okay. So, let's go down that path a little bit here. So, that was a part of your origin, right? 
You were a black hat earlier on and um you know got caught and kind of reformed there. Do you want to give us like the you know five minute version of that story so that we can have that context? — Yeah. Um, IRC was a fun place in the '90s. — We like to take channels from each other. So, we built very large botnets um to DDoS people and you're I don't even know if you're old enough to remember. There was this kid in Canada named Mafiaboy — uh back in 99 2000. He is credited with the first large-scale DDoS attack when he DDoSed like uh eBay and like the I don't remember all the sites but it was any of the big sites that were on the internet back in like 2000. And he was actually the kid we were fighting on EFnet for our channels. He was a member of TNT and I was with TDK, those damn kids, and we were constantly fighting over the channels with him. So that botnet that he used against like all the Fortune 500 companies all the time. He hit us with it a lot and it would take us offline a lot. But I spent a long time doing that. I changed in about 2000. Thought it'd be fun to deface websites. So I started doing that. — When you were doing the botnetting, how were you getting these compromising these machines? Was it just RATs? Are you like — No, no. There was no concept of that. No, like the only RAT there was at the time was uh like Sub7 and then cDc uh the Cult of the Dead Cow put out uh Back Orifice but and there they were only Windows based. — Yeah. — When I was a hacker, we had a rule in our groups. You weren't allowed to hack Windows. It was too easy. — Dead ass. Don't mean to cuss, but you weren't allowed to hack Windows at all. We felt that hacking Windows was too easy. Um, but every system back then could be hacked. Literally, there was no such thing as a secure system, right? Because these things were designed without thinking that somebody might want to break into it over the internet. The internet was still barely new. 
It was 10 yearsish old, maybe a little bit less. So, it was a completely different world. There was no such thing as a web vulnerability. I don't even think we had databases like for you to store one of — Didn't have databases. — No, it wasn't a concept. It was stored on disk. Like if you were to go to a website and purchase something, they would actually save your name, address, credit card number, and all of that into a text file on the web server. Like on

Segment 5 (20:00 - 25:00)

the web server, all you had to do was break into the web server and go find like cc.txt and you had a list of everybody's legitimate info. — That's crazy, dude. What a time. — And this was before we had those little three-digit codes on the back. Like, I remember being a kid and we had credit card generators where you could literally open up this tool, click a button, and it would give you a credit card number and an expiration date. It didn't need the three-digit code because that didn't exist yet. They created it because of this fraud time period. I bought probably a 100,000 domains. no domains for like a dollar a piece — just by clicking this little button and say, "Hey, generate me a credit card." And it would just generate one. You didn't need any name or anything like that. It was all you needed was the 16 digits and a four-digit. Um — What a time, man. Yeah, because they didn't they weren't connected like they are now to — uh I don't even know the payment process companies anymore, but they weren't connected to them in real time to be able to actually validate them and everything like that. So, I think most of the companies would just kind of like — if it was the proper format — and looked real, then they would accept it and then they would find out a couple of days later that oh, it wasn't valid or something like that. So, but it was with for domains — back then to go on IRC. We always wanted a BNC and it was just a vhost. It allowed us to hide our ISP and IP address behind it. And you used to have to pay companies each month for them to create you a vhost because then they would create you the vhost and if you paid them the $5 a month or whatever, they would make that vhost reverse DNS to a certain IP address so that way you could go on IRC with it and everything and it all looked right. We would just buy cool looking domains so that we could have like a 100 character long vhost so that it says like i.am.in.your.computer. 
And just these we would have like a whole message as our host name. — Wow, dude. What a time. So after the IRC era, you kind of moved into website defacement, right? And I imagine that was your intro into like web vulnerabilities and stuff like that. — No. No, — there were still no web vulnerabilities. — Okay, — there's no such thing. — Okay, — so like that there wasn't like websites back then were written in either HTML, — static files or — Yeah, it was like I don't even — I don't remember if we even use JavaScript. — Yeah, — like I'm trying to remember. So would you just like use some network level exploit to get access to? — Yeah, it was always we would root them through telnet, SSH, FTP. — Root them through telnet. — Yeah, telnet, every telnet. — Uh Solaris, which is SunOS, whatever you want to call it. Um all versions of BSD, — FreeBSD, NetBSD, BSDI, OpenBSD. Uh I think there was one more too. like five of... Would they just leave telnet open like or would you have to use a telnet exploit or what? — You would use a telnet exploit. But you got to remember something. — Everything had telnet back then. — We SSH was new. SSH was new in the mid 90s. I want to say mid to late 90s was when it was starting to be adopted and it was significantly more common for them not to have SSH than it was for them to have SSH. So everything was telnet. 
So the whole process was use a telnet exploit or whatever the exploit you wanted to use whether it was telnet, we, um, RPCs on Unix boxes listened on port 111, I think it is. Every single RPC that listened on that port had a remote root exploit, every single one. Printers, name ser, BIND, what underpins our name server, that had tons of vulnerabilities back in the day and that was a huge target for us. We always wanted to compromise name servers. Um, but we would compromise them and because everybody was using telnet we would install packet sniffers, key loggers on it so that we could get the telnet credentials of anybody that connected to that machine and used it to connect to others because we would target university computers a lot. Um, Taiwan, Korea and Hong Kong. Those three countries, they were always farther behind like

Segment 6 (25:00 - 30:00)

most the rest of the world like we're running Linux 5.2, they're still running like 4.1, for example. So, they were always running super old operating systems that always had vulnerabilities. — Anytime you needed shells, because our rule was you don't hack from your own uh system, — right? — You never hack from your own system. So, you would get either take the risk that first time and hack something overseas and get the access to that box or you would get somebody to give you access to a box overseas. And anytime we needed shells, we would scan the entire class A of 200 dot and 210 dot because there you were guaranteed to get a few hundred root shells over scanning those. We would write autorooters that would — Yeah, I was going to say how are you routing traffic through these things then? Are you just like hopping on by a telnet and then issuing running the exploits from there or Okay, — that's all we would do is uh now starting in the late 90s and early 2000s we weren't using telnet anymore. We were using backdoored versions of SSH so that way it was encrypted and we would have our rootkits installed so they couldn't see anything that we were doing and have our hidden directories and everything and we would just use those — essentially as a jump box. We would use those to do the hacking and do the connecting because back then we figured that it would just be a lot harder for them to the websites that we hacked would trace it back to that Korean or the Hong Kong or the Taiwanese server and then we were banking on the fact that they weren't technologically advanced enough to be able to trace it from there back to us. — So I mean that sounds like a good play, man. How did you guys get caught? Oh, people tell. — Yeah, people talk. — Yeah, that's the that's what it always just about came down to. Um, Cowhead got arrested because of Defcon in 01 at the Alexis Park. Um, you know, they have the little um scavenger hunt. 
Well, the scavenger hunt that year took you to a uh pay phone that was 24 karat plated gold on the wall. — Wow. He ripped it off the wall and took it to him instead of taking them to it because you got to remember something. We didn't really have camera phones back then. So, you couldn't just take a picture with your phone and show them you found it. — So, instead of taking them to it, he ripped it off the wall. He got arrested at Defcon. — We all went home a week later. He puts on our website. He makes Rafa makes a graphic for him and then he puts it on Cowhead put it on our website and it was bragging about him getting arrested at Defcon for ripping the pay phone off. The FBI monitored our website. Duh. So they saw his post. They went to Las Vegas said, "Hey, tell me who you arrested during this week for doing this." — Oh no. — They gave him his information in Tennessee. So they went to Tennessee and he was 15 years old. I had broken into the uh — Wait, Cowhead was 15 years old at this time. — Yeah. — What? How did he get Did he live in Las Vegas? How did he get to Defcon? — That's what I'm getting ready to uh explain. — Oh my god, this is crazy. — Um I'd broken into the Utah DMV computer systems — so I could actually create fake IDs. But mine, if you got pulled over by a cop and handed them your ID, you were okay. because I would actually put you into their system. — And yeah, all of us had an ID that said we were 22. I wasn't, but 17, almost 18. — Oh my gosh. And your parents were just like — Oh, they didn't care. — They were just gone. You're just like, "Hey, I'm going to a conference. Bye." — No, I didn't even It wasn't even that. It was just I left. Like from the time I was like, — man, — 13. — From about 13 on, I could pretty much do whatever I want. Like I got expelled from school in 2000 and my punishment was I went on vacation for a month in uh New Mexico with other hackers. — So well that is uh that is one way of doing it I guess. — Yeah. 
— So okay so he gets caught. They monitor the FBI site or the FBI monitors that site. They track him down and then — he was only 15. — Yeah. He had pictures on his computer of him and his girlfriend who was also 15. — So — yeah, people don't understand, right, — that still counts as child pornography, — right? — So they threatened him to charge him with possession of child pornography, even though it was him and his girlfriend consensual and all of that. — They threatened to charge him unless he told on us. So he told on everybody. He didn't know enough about me to know where I lived or anything

Segment 7 (30:00 - 35:00)

— but he knew enough about one of our other members, Noid. — And uh Noid actually lived over in Charlottesville. — Oh, really? — Yeah. Me and Noid went to King's Dominion and stuff a few times together. And they caught Noid when he was boarding an airplane to go, he was Brazilian and he was boarding a plane to go back to Brazil because we had found out Cowhead had gotten busted and they caught him when he was getting ready, like literally getting ready to board the plane. Wow. — He knew enough about me, — right? — So out of the 13 members of the group, there was only one that didn't tell on me, that was Rafa. — Wow, dude. That is a crazy time just trying to like put all that together in my head. It's like you guys were so young. — Yeah, — that's nuts. And boarding planes and like create crafting these fake IDs and like that's nuts, man. — Yeah, it was a fun time. Like I had a lot of fun back then and I wouldn't change any of it. — So you got caught. You went away for a little while. How long were you in prison? And — the first time, two and a half years. Mhm. — And then I came home and when I got expelled from school, they banned me from touching a computer because one of my charges during the expulsion was for computer hacking as well. So they banned me from computers. — And then when I got released in '06, I'm not a fan of people telling me I can't do something, — right? — So I didn't listen. I stayed off a computer for like a month. Mhm. — By February, I was back on the computer. — It It's got to be torture, man. Like — especially being like I'm ADHD. — The only thing that can keep my interest is computers and hacking and security. So, it was like — I was working [ __ ] jobs as — construction. I was a chef for a little while and it was just boring. I hated it. Yeah. I started getting back on the computer again. I started I joined another group called Core Project — under a different name that time. Uh and defaced a few websites again. One of them was Yahoo. 
They got real mad at me. It was biz.yahoo.com. — And um uh for that one, I wasn't allowed on computers. My probation officer would show up at my house randomly, like at least once a month. — He had come over like a week before. So, I was like, he's not going to He had never come again for at least three or four weeks in between visits. — So, I figured that was good. — I was sitting on my computer one day and I had my computer set up in my room so that I there was the walls were like this. My computers were right here and I was sitting right here facing this way. But literally right beside me, I had two giant windows like double the size of this window right here. — Yeah. — So that I could look straight out into my driveway. And my driveway was pretty long. He had to come into the driveway and then turn and come down a little bit, turn again, and then come back up. — So you'd have some time. — So I had some time. — I see him pull in like starting to pull into the driveway and I panic. Yeah. — I jump up out of the chair, start taking — Laptops weren't as prevalent back then, so it was always desktops. — So, I start ripping everything apart. I take the keyboard and the mouse, throw it onto my bed. As I'm taking the tower out, I don't remember where I hid the tower, but I hid the tower somewhere in the house. Came back, got the monitor, hid that somewhere else. — These things are heavy as [ __ ] at that time, too. — Yeah, they were. I forgot to grab the keyboard, — the freaking keyboard, man. — Off the foot of my bed. — Ah, — probation officer comes into the house and one of their things that they do is an inspection. So, they walk through every single room of the house and look through every they aren't allowed to actually search search, but they can come in and anything that is within their view, they're allowed to use against you. — So, — damn it, dude. He had me walking him through the whole house and opening the closet so he could peep his head in and everything. 
And we got up to my room and the keyboard was sitting on my bed and he used that as saying there was enough uh probable cause to say that — to search or something or — no to consider me in violation of probation. Go — because there was no reason to have a keyboard if I didn't have a computer. So he violated me on my probation. And the funny thing is he gave me my little

Segment 8 (35:00 - 40:00)

violation hearing for like the next week. I went to it. I had been doing a lot of drugs, — but I was using these drinks and pills that are supposed to clean your system. — And I was having to take a drug test three times a week. — And I was taking these and God said to your body, man. — They never said nothing to me. Right. When I went to court for my violation, they called me out. I had failed 17 tests in a row for cocaine. — Yeah. — I passed them all for weed — and I took every test high. So the drinks and pills I was using, it was these um these like cleaning things that you take it you drink 32 ounces of water and you're clean for six hours. I was taking those. They're just like little detox things — and they worked for weed. They didn't work for coke and I had no idea until I show up and the judge is like, "Yeah, well, you've got 17 violations for a failed drug test for cocaine." And then — And they never told you once? — They didn't tell. No, not until I was there, — dude. — So then they gave me another year. So I went back to prison for a year or a little under a year and then I got out again in uh in late 2008, I think it was. So then that time I was good when I came home that time. I didn't go back to hacking. I got an Xbox and started playing Call of Duty which I wasn't allowed to do. have a game system. — I was going to say like dude that's computer violation. — And then um I started playing a browser based game. My sister had come up from Florida to visit with her fiance at the time — and um he was playing this game called Evony — and — Oh yeah, dude. — Yeah. So he showed it to me and was telling me about how people were finding exploits and stuff like that in it. They were making money selling resources. So I was like, I'll give it a try. I wrote the first B. — You said you were good, dude. Hold up. being good. — I was just playing games. I wasn't hacking anything. Oh, sure. Okay. 
— I was just playing games, — but I wrote the first bot for Ebony — and then um there was a business two doors down from me at this time and they got broken into and the only thing that was stolen was computers. — Ah, — the cops in handover, they know my history. I mean, I've been — running in with them for a very long time at that point. — And um they swore up and down it was me. Rafa was also doing blackhead hacking again from Venezuela and he had somebody in America working with him. They swore that was me. So they watched me, the FBI watched me for 6 months and could not — get any evidence against me. — So then they used the burglary at the business two doors down as an excuse to raid me and look for those computers and then find anything else they could lock me up with. M — so I was up playing Evony until 5:30 in the morning on no October 8th of '09. I went to bed and laid down between 5:30 and 6 and the next thing I know it's 6:15 and I hear something banging on the door. So I went downstairs and I peeped around the corner cuz we had those glass things beside the door so you could see outside. — Yeah. And I could see people standing out there, but they're beating on the door saying — police get out the house. I live like at the time I lived like two miles from a jail. — Yeah. — And people escape from it every once in a while. And when they do, they search our areas and I thought somebody escaped from the jail and they were like in my backyard or something. — Oh my gosh. — So I go and open the door and they bust through that door. — They bust through the door with their M16s. They handcuffed me and this is in October. It was cold as hell. I'm in just sweatpants cuz I was in bed. They've got me handcuffed for over an hour laying on face down on the floor in my living room while they secure the house — and then they found a few computers here some Xboxes and stuff like that. So they sent me back for a year and a half that time. 
But it was the reason they sent me back for a year and a half was because they were trying to build a case against me for doing stuff with Rafa again. And I kept trying to tell them, "Every time y'all have ever come and arrested me for something, — once y'all get to the point where you show up at my house, — it's too late to deny it. They know it was you if they ended up at your house, you know, if you're actually the one that did it. " So, I've always been honest. Like you come and kick my door in and say, "Hey, were you hacking this? " I mean, you just kicked in my

Segment 9 (40:00 - 45:00)

door. I'm going to admit it because I'm going to try and not get in as much trouble, right? You have at least enough that led you here. I kept trying to tell them that it wasn't me and they didn't want to believe me. So, they gave me — what was it 16 months, 15 16 months that time to build the case. And then four months into my sentence, they came and visited me and apologized. They found the person that had broken into the business two — doors down — and they had found the person that was working with Rafa that was happening with Rafa. So I asked them, "Hey, does that mean y'all are going to let me out of here?" And they were like, "Well, you were still in violation of your probation for having the game systems, cell phone, and the computers. But — they killed my probation." — Okay. — So, and they removed the limitation that I was banned forever from a computer. and they removed that from me kind of as like their apology for sending me back. So, — that's a great uhation there. — It ended up working out cuz otherwise I wouldn't have been able to do bug bounties or anything. Otherwise, I still probably would have done it, but I would have just gotten in trouble — and then you would have this uh year in prison every couple years. — It's life. If I get in trouble again for computer crimes, it's life. That's why I — That's why you're really — That's why I yell at people all the time about scope. They don't understand the only reason bug bounties are legal is because the company says yes, you can do this if you follow these rules. If you follow if you deviate from those rules, what in any way, shape, or form, there is absolutely nothing you can do to prevent a CFAA violation. All it takes is one pissed-off chief legal officer one day or one company to be having a bad time and then you go out of scope and them just say, "All right, you know what? Screw it." And they go after you. And it's like, — just because it hasn't happened yet, doesn't mean that it can't.
And I'm not willing to take the risk that it would be. — Let me ask you your take on this then because you've hacked with Sam a good bit. Sam does a bunch of like just I'm going to hack this company and do a write up about it under the name of security research and he you know I've talked to him about it at length and he's like I'm pretty sure it it's under this like fair usage policy of these websites you know for security research purposes and I say dude I wouldn't do that — only if they explicitly have a VDP — or bug bounty program. Yeah, — you're legal. — If they don't and you do not have written permission, it can't even just be them, you know, a friend that works there and he said, "Yes, you can." No, you have to have written all. It's no different than a pentest. If you're going to go pentest a company, you wouldn't pentest them without having scoping documents over what you're allowed to hack, what are your limits, and everything. It's no different. So, there's a lot of people that will pick a random website. And my big problem is when these, now I'm not saying Sam would do this because I'm absolutely certain Sam is smart enough to know that if he finds a vulnerability doing this, the first thing he does is email security@company.com, not privacy at company or legal or support trying to scare people. — That's a good uh annoys the hell out of me. And the my biggest pet peeve is when people claim to be experienced security researchers and their first email for something like that goes to privacy or legal or random-ass email addresses. It's like, no, you're not an experienced researcher or anything because any researcher knows. Logically, — the first thing you do if you find a vulnerability, check if they have a program on a platform. If they don't, you email security at Why am I going to email their legal team to tell them that their legal record is messed up? — Yeah, exactly. No, it's bad, man. Okay.
So, so I guess that's a good transition though into Bug Bounty. When did you first hear about Bug Bounty? And um yeah. Well, let's — 2014 is when I first heard about it. That's when I created my accounts on HackerOne and Bugcrowd, but I didn't do it. So, at that time, — do you remember how you heard about it? Like, — um I want to say it was Twitter. — Twitter. because I was extremely active as an anon but not in like I didn't do online ops like I wasn't DDoSing websites. I — sure — I still consider myself an anon but I disagree with the route most of them went. Yeah. I don't think breaking into if your target is Pfizer for example

Segment 10 (45:00 - 50:00)

— I don't think you hurt Pfizer by breaking in and stealing their customer data and releasing that. — Right. — Cuz you hurt the end user. Exactly. And anonymous. — That's my biggest complaint about anons is that they their accepted lateral damage is a lot different than what I would do. Yeah. Um, but — so you heard about Bounty via Twitter and — Twitter made your accounts. — I made my accounts, but it wasn't worth — cuz it had only been at that point a couple of years since told me it was life in prison if I get caught hacking again. Never heard of Bugcrowd, never heard of HackerOne, and it seemed too good to be true. And then late 2015, I started seeing a post on Twitter that were bug bounty writeups, like such and such getting paid x amount of money for a vulnerability they found and everything. — And then finally early 2016 and like January, February, I was like, "All right, you know what? I'm bored as hell at work. Let's give it a shot." opened up HackerOne, tried to register, and it said that an account already exists with my email. I didn't even remember signing up for the account. So, I recovered the email or recovered the account, logged into it, and went to the little directory of the programs and I saw Yahoo. So, I was like — said, h yeah, I knew a little bit about Yahoo. Um, and yeah, just started gave it a shot. Yahoo gave me my first bounty in March 2016, $300. And then my next bounties after that were for uh Hack the Pentagon. — Wow, dude. — And I'm pretty sure I finished first in Hack the Pentagon. And so Hack the Pentagon, they advertised it a bit, gave us 30 days from all of May of 2016 to hack on the fuse host and stuff like that. It was supposed to be like uh a limited event and all kinds. They would invite us to it. We assumed that if you got an invite to the program that they had already done whatever they needed to clear you.
Found out after it ran and after they owed me like 30 grand for vulnerabilities that you had to pass a background check in order to actually collect the bounties. I got pissed. — Yeah. — I went to Twitter and — vented my frustration. — Oh no. — About finding that out. No, it ended up working out. Um, — one of the people that was running the program, she saw my post and hit me up in a DM. She was like, I 100% understand your frustration. Give me 24 hours. — Mhm. — And 24 hours later, she hit me up and said, "You now pass background checks and you are going to get paid." So now if you do a background check on me, I pass it. — Oh, wow. That's kind of crazy. Yeah. — Wow. Well, I'm glad you got that redemption opportunity there. That's — I was super mad because I spent the whole month because I had just gotten into it. — Totally. — I just gotten into it and they weren't letting us hack the US military. Like from my experience in the 90s and early 2000s, — the US government military were some of the easiest to hack into. So, I was really looking forward to doing that for bug bounties. It's also one of the reasons I stayed on Synack for as long as I did. I only did government military targets on them. I left them when their new legal team decided to ban me from legal uh from government military targets. — Oh man, you keep getting it, man. That's crazy. — Um wow. All right, man. Well, how has the bug bounty industry changed since that time? Like I imagine back then it was very fresh. I mean, do you think things are more difficult now? Obviously, there's more mass adoption, but — um I don't know that it's more difficult. — It's definitely different because there's so many more companies that are doing it. — Um there's a lot more competition, but I'll be honest, 99% of the competition is not actually competition for anybody that has any kind of skill whatsoever.
The vast majority and it I don't mean any disrespect to the people but the vast majority of people that I see on infosec Twitter and X whatever you want to call they're never going to succeed because they I don't think they have the right type of thinking like anybody can run an exploit but yeah I feel like you've got to have a certain logical way of

Segment 11 (50:00 - 55:00)

thinking to figure out how to break Because computers do everything logical. They do exactly what they're told based on certain conditions. And part of being a hacker is figuring out how to break that logic of what they're expected to do. And just most people aren't they just can't do it. — Yeah. I think there's something special about it. I've been trying to like figure out exactly how to call it, but I the only thing I've landed on is like reasonable attack vector ideation. You know, like being able to look at a system, look at the security boundaries, look at the implementation and just have enough understanding about computers in general and about the logic of that app to come up with a reasonably feasible attack vector. — Yeah. But the problem is implement that. — The problem is a lot of times our successful attacks there's no reasonable reason they should have succeeded. Like there is absolutely no reason this should have worked. But it does. But that's just one of those things that even when we know something's not going to work, we still do it anyway because we have to see it. At least for me personally, I have to see it for myself. And — it doesn't make sense why a lot of it works. But I think there's more competition. There are tons of really great hackers out there, but the only thing is like there's so many programs out there that you can realistically find a couple of programs that you want to focus on yourself and make decent money if you really wanted to. But — I will probably get to that so I'll wait. — Yeah. Well, I wanted to swing back around to SSRF and what attracted you to SSRF as a vulnerability originally because I think at the time SSRF was not as popular of a vulnerability early on in the bug bounty arena in the you know offensive security world and then you know you kind of went down this path and really raked Yahoo over the coals with that. 
Yeah, it was my the main reason was because I have a lot of fun beating denylist, blacklist, whatever you want to call it. Um, SSRF is one of those — vulnerability classes that historically the main way they try to fix it is to blacklist whatever it is that your report Yeah. Exactly. And there's just so many different ways that you can bypass it that it's just fun and it's a challenge. It was back then. — It's not so much anymore because at this point I've got a couple of dozen different ways that I encode IP addresses. And it's — if I find something, I'll script something to run through and test every one of my variations and things like that. And if it doesn't work, then I'll move on. Well, depending on the target, if it's a target that's a big enough target and everything, then I might pass it off to AI at that point and say, "Hey, I've tried all of this. See if you can come up with absolutely anything that should not work that ends up working." — Yeah. — But I my main reason for SSRF was because I like beating the blacklist. It's just it's fun, — dude. It feels freaking good, man. It feels good to get around a list like that, you know? — Yeah. It's like it there's no other way to describe it than it's similar to a high because you get that dopamine rush and it's just like — you know other people looked at that exact same endpoint too and when you're like none of them were able to figure this out and you were it's just one of those things that's just like that much better — and if the programmer sat there and said oh this I'll get them with this little regex you know and then they don't escape a dot or something you know — or they forget the little question mark at the end and things. — Yeah, it's crazy, man. It's crazy. It's a lot of fun. Um, sweet, dude. So, you mentioned AI. How are you using AI nowadays in your workflow?
I know you're just Well, adding a little context, you're just coming back from a little bit of a bug bounty hiatus, and I know you're focusing more on fuzzing now, but how do you see AI in your workflow? — Um, I'm using it a lot for the exploit development aspect of it. — Yeah. Um, — I imagine that's really helpful. — It is extremely helpful. Yeah. Um, — I am having it do most of the exploit development, but I've got some restrictions on my AI. They're never allowed to delete files every couple of minutes. They have to do a brain dump into a file so that way I can read through it because I don't want them doing things 100% for me. I want to learn how to do it. — Mh. So, I've got them doing little brain dumps explaining why they did something

Segment 12 (55:00 - 60:00)

what they've tried that's failed. Like, I don't want just the information on what succeeded. I need to know what you tried that failed as well so that I can learn for the next time that I'm doing this and everything. Um, I've started to use it a little bit when it comes to writing um my harnesses for the fuzzing. trying to I've been targeting Chrome. It's no secret that I've uh before I would go in and find the functions that I wanted to fuzz and I would just write a very basic fuzzer that would just call the API for that function and fuzz that. But now I I've ran into several instances where I found a vulnerability, but it wasn't reachable in Chrome. So, I've got AI now where it builds my harness to essentially mimic the exact same flow it would go in go through if I were to load it via a web page. — Okay. So, you just gave me a bunch of information that we're not going to air, but um so I guess the TL;DR of the situation is you are focusing on a sub technology within Chrome and — right now, yes, because I'm trying to learn it. I've never done browser hacking before. So, I'm trying to learn it. Like, I haven't even started to learn about the IPC, how they're passing things from one sandbox to the next one and all of that kind of stuff. And I haven't done — I've done almost everything that I've done so far has been within the renderer itself. I do have a separate vulnerability that I actually need your help with because I need you run Windows. I think — I do. I'm running Windows there. Yeah. — So, I need to uh — to test a vulnerability for — I'm like 99% sure that I've got a use-after-free in Chrome, but it's only — uh reachable on Windows. — I tried installing a Windows VM and — no. — Yeah, it didn't. Yeah, I couldn't figure out where the start menu was. — Okay. So you're using AI right now to build these harnesses that trigger certain code paths within the code within the Chrome code base for — Yeah.
follows the same path because when it comes to Chrome, it's like they've got all of these kind of protections and validation so that as soon as you open up a website, as soon as it starts to load and everything before the first bit of its loading, they're running all kinds of checks like if there's script tags, making sure that the JavaScript is legitimate, if there's image tags, making sure there's valid video, I mean images in there, video tags, valid video and that kind of thing. All through all of that and figuring out that just because there's a vulnerability behind all of that, the vast majority of them are blocked by the validation that uh Chrome does before it ever can reach the uh vulnerable Chrome uh code path. So, I've got mine set up so that it actually sends my what do you call corpus? Uh — yeah, — my my current test file. It sends it through the harness and the harness is designed to — first go through Chrome's validation and then through the next step and then the validation of whatever's in the actual area because if it's going to fail those, I can't actually exploit it. Do you have that isolated or are you hooking into Chrome and like loading up HTML files or whatever in Chrome and then — It depends. In some instances it's isolated. Some instances I'm just running like a pure C or C++ program that calls the exact same methods that Chrome does in the same order. — I see. — And then — I'm sure most people have seen by now the CSS zero day that came out like last week that was uh exploited in the wild. I'm fuzzing for similar things to that right now where I'm actually doing it within browser as well. One of my AMD machines, I've got 32 um Chrome instances that are running and then within them I wrote some uh little custom JavaScript things that run in the web page on each side that's doing all kinds of testing. It hasn't found anything yet. I'm not even certain that it's going to work, — but we give it a shot. 
— Yeah, I I've mean, — you don't know if it's going to work until you try it. So, I I've got to try — Nice, man. Yeah, that definitely sounds like AI is helpful for all that because it requires a lot of — isolation of code within the Chrome code base. It requires — and it's a huge code base. It's a huge — and that's something that uh is helpful

Segment 13 (60:00 - 65:00)

is making sure you understand The AIs we have access to are good at different things. — Yeah. — So like for example, if I want to look at the entire Chrome codebase, — I'm only going to use Gemini. — Yeah. — Gemini with your paid subscriptions and the paid max or whatever it is that I've got. You get like up to two million tokens of context. — Yeah. You need that context to be able to not forget when you're trying to have it trace through hundreds of files. — Did you clone down the codebase? Are you having it like navigate? Okay. — Yes, I've got — got it all down. — I've got probably six different or like six unique checkouts of Chrome. I've got an ASan Chrome, an MSan Chrome, a UBSan Chrome, a normal vanilla Chrome, a debug Chrome, an exploit dev Chrome. — Um, all like I — it's heavy, man. That's a lot of code. — It's heavy and it's hard as hell to actually build Chrome from source. Oh my gosh, there's so many problems and dependencies. So I try and keep absolutely everything in its own folder. So that way because I mean if you're when you're fuzzing if you find a crash and you might need um ASan, address sanitizer, in order to find it. Well if your libraries and stuff weren't most recently compiled with ASan you might have compiled them with MSan, memory sanitizer, instead you have to go through the entire process of rebuilding it again. So I've got a different takes time. Yeah, it takes hours sometimes depending on your system. — So I've got a different folder for each different version of it. And then I've got I when I go through the process initially on a new target, I go through everything that it takes to build it for every version that I need. And then I build shell scripts that will essentially be able to because — when you're fuzzing, you've got to you change things a lot. Like every time I find a vulnerability, I patch it locally. I don't want to sit there and spend the next two days discovering the exact same vulnerability over and over.
So, I patch it locally — and then continue fuzzing — and then because — it lets me get farther into the codebase — because everybody else that's fuzzing it, if you're not patching it, you're going to keep getting stuck at that exact same spot and you're going to have no way to know if there's more vulnerabilities. — And with the patch reward program, you submit that patch get an additional, you know, bonus. You know that code is getting implemented. — But not even just that, because — that's great. Google actually has it so that even if I find a vulnerability, for example, in a third party library that Chrome uses, — but it's not reachable in Chrome, — I can still go to the upstream maintainer. — Yeah. — Report the vulnerability, put a patch in for it after 30 days. If they accept my patch and merge my patch in after it's been merged in for 30 days with no like problems or anything like that, you can go file it to Google — because they've got the concept of open source. Uh — yeah, — forgot what it's called, but you can — the open source VRP thing. Yeah. — Yeah. anything that you can like you fix that is uh a material enhancement to the overall security of anything that Google uses then you can get I think it's up to like 15 grand you can get depending on what the vaults are and stuff. So — yeah, — I haven't looked thoroughly at this VRP very much, but yeah, there's a ton of open source projects that they Yeah, look at this. One of them uh supply chain compromises can get up to 31K. — Yeah. Dang. — Yeah. And they like Google's got — I'm looking at you, man. Lupin, go do this, man. Run Depy on this [ __ ] Um Yeah, dude. They've uh they've got a lot of stuff trying to care for the ecosystem, I think. You know. Um — and then Microsoft is now trying to do the same. — Oh, really? — Microsoft just made their announcement a couple weeks ago. 
I guess it's been a month or so ago now, maybe a little bit more, where they're going to start actually paying for third-party vulnerabilities and stuff that they hadn't previously because they want to also try and help — uh increase the security. — I've heard Microsoft's upping their game. I'm excited to see more from them. — I'm going to end up right now I've been doing Google. My goal is to try and be top three or five for Chrome VRP through this year. uh once I find a couple more bones to at least see myself up there. — It's crazy though, man, because some of these guys just drop like, you know, fully built out, you know, straight RCE and just one, you know, but like and then it gets like 250K or whatever. It's like — Yeah. So, the max that mine the one that I've been working on can get is like 55

Segment 14 (65:00 - 70:00)

because it's within the renderer. But the one that I'm going to have you help verify whether it's actually reachable or not, that one could be more because it's in a what do they call it? Uh highprivileged sandbox process. — There we go. — So that one can get a little bit more up to like 85. — How are you determining what se section what sandbox all this is in? Are they — Oh, it's in the code. you just know um — like uh — there's the GPU sandbox, there's the renderer sandbox, and then there's the actual Chrome process itself. — And I've most of my vulnerabilities so far have been in the renderer process. I've got one in the GPU process. Um, I actually found it because I was trying to figure out if there was a way to escape the sandbox with the vulnerability that I've been working on. There's not. I need a completely separate vulnerability for it. But I did find what I'm 99% sure is another vulnerability. It can't be used for this kind of chain, but it could be a completely different unique reportable one. So, you've got AI helping you parse the codebase, build out these harnesses, build out these shell scripts, sort of helping you get into browser based hacking. — Yeah. — Um, do you I mean, do you find yourself doing a lot of the hacking via these AI agents nowadays for this stuff or are you doing what kind of stuff are you doing manually versus having the AI agents go do it? — So, — I'm not going to lie, I spend a lot of time having AI agents go do stuff nowadays. Well, they're doing a lot like say I get a new crash, um, they'll be doing a lot of the RCA for me, like helping me trace through the exact flow of — whatever it was that got there cuz they're so much faster. Like, I can do it. They can do it in two minutes where it would take me an hour or two. So, I naturally will have them do a lot of that. Um, I haven't gotten back into web hacking much yet. I'm trying to. I'm just struggling to get motivated and find a program that I want to actually hack on. 
— Google's fun, man. Google is fun to hack on. Especially for web, it is like it's challenging, you know? Oh, yeah. — It's very hard because they're not using a lot of just straight JSON. You're dealing with a lot of protojson. like, you know, just arrays that don't have any keys, you know, like, you know, — I've thought about looking at Amazon, like I mean, not Amazon, Google, GCP and stuff. I've toyed around with going back to Amazon and doing some on Amazon. Had a ton of success hacking with um — uh Sean and um — Jonathan. — Yeah. for a couple of those AWS events we were doing. Made a decent amount of money. So, I've thought about going back to that. It's just hard to get motivated — to want to do that. And I'm having a lot more fun doing the fuzzing right now. — Yeah, man. If you're having fun with it, you know, that's the main game for us at this point, I think. Right. — Yeah. Because it's like I don't want to say web stuff is too easy, but it's not as much of a challenge. So my goal I like I want to attend Pwn2Own one time. I want to compete. — I really want to do that. — That's why I am main the main reason that I'm looking at fuzzing and bare exploitation and stuff is because I want to do it just one time just to prove to myself that I can do it. — Yeah. — So — dude, we should uh we should do it, man. I I've talked about it on the pod a couple times and I've had a couple guys from Pwn2Own on but um you know obviously the binary exploitation piece which is a lot of Pwn2Own is not a forte for me but I have done a little IoT stuff and there is a good amount of IoT and uh and web stuff is actually really applicable to these systems — and some of the IoT systems it is for sure because that a lot of times is going to be your front door that you're going in through. Yeah. — Yeah.
So some of the guys I was talking to were saying like yeah definitely like you need to have a good skill set in reverse engineering and binary exploitation but also like if you have a really good web guy you know then that would be helpful for a Pwn2Own team because uh because definitely there are those exploits out there. The thing is it's just got to be unauthenticated RCE which is like you know a tall order. Um, so — yeah. — Yeah. The my big problem with it is that it's generally got to be unauthenticated RCE but also unsandboxed and everything like that. Like if you want to go and pop Chrome for it, — you don't get many points if it's RCE and the renderer. You need that actual

Segment 15 (70:00 - 71:00)

sandbox escape and full system compromise and stuff. — It's tricky, man. — Yeah. My my goal is to compete in Pwn uh Pwn2Own at least once. — Yeah. — And I want to get the max bounty one time for good. Well, I want the 250 for a uh full sandbox escaped RCE in a car. — That would be sick, dude. That'd be super sick. Well, maybe we'll do a Richmond Pwn2Own team, man. Me, you, Turbo, you know? Uh that would be that'd be a fun one. All right, dude. Well, that was uh that was quite a run. I have to say those stories are very unique and uh thank you for the part you played in the bug bounty ecosystem, man. And and for me personally, like really I know I keep saying it over and over again, but when I think back to that day in that stupid little lab in VCU, like crazy to think that was such a juncture point in my life. — Yeah. And it's like we didn't do nothing but sit there for what about an hour just talking — looking at your bug bounty reports — talking about the different types of bounties and bugs and companies and stuff like that. It's crazy how everything kind of evolved from that. It's uh — Yeah, — it's nice. It's fun. — Yeah, — dude. Thanks so much, man. — No problem. Thank you. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more critical thinking content, uh, or if you want to support the show, head over to ctbb.show/discord. You can hop in the community. There's lots of great high-level hacking discussion happening there on top of master classes, hackalongs, exclusive content, and a full-time hunters guild. If you're a full-time hunter, it's a great time. Trust me. All right, I'll see you there.
