Recorded Feb 23, 2021
STATS: JT -60% | Jeff 26% | Flee 10% | Scott 3%
PCI Counter: 3
Fuck Counter: 22
Jeff Man 0:02
Welcome to this edition of Security and Compliance Weekly. We have a very special show today as we welcome one of my contemporary peers that is, OG Hacker. None other than John Lee aka John Threat aka JT aka Corrupt, aka he’s got another hacker handle, he won’t tell us, it’s our job to figure it out. He’s one of the original members of the Masters of Deception Hacker Group from New York City back in the day. And he’s joining us today to talk to us about both how he got into hacking and how he later flipped it into a career. And we’re gonna learn all about it. In our second segment, we’re excited to also add to the show, Ron Readings, and Chris Cochran, they’re from the Hacker Valley Studio Podcast. They’re also going to give us a more contemporary view of how to get into hacking and cybersecurity. And we’re bringing together all of these views from the past and the present. We’re really excited about it. So join us as we continue our journey of tearing down silos, and building bridges on Security and Compliance Weekly.
This is a Security Weekly Production. And now, it’s the show that bridges the requirements of regulations compliance and privacy with those of security, your trusted source for complying with various mandates building effective programs and current compliance news. It’s time for Security and Compliance Weekly. And welcome to Episode 62 of Security and Compliance Weekly recorded live on what is today February 23, 2021.
Jeff Man 1:45
We’re almost through February already. I am joined today virtually as usual, but my illustrious co-host Mr. Scott Lyons and Mr. Frederick “Flee” Lee. Welcome gentlemen.
Scott Lyons 1:58
Fun conversation today, very, very, very fun.
Jeff Man 2:04
Hey, before we jump into it, because we’re all chomping at the bit to get started do have a few announcements if you want to stay in the loop on all things security weekly related, you can go to securityweekly.com/subscribe to subscribe on your favorite podcast catcher or on our YouTube channel. You can also sign up for a mailing list and of course, you can join us on the discord server where things are already popping as I see the messages scrolling across the screen. Also, if you think back to last year and missed Security Weekly Unlocked you can now access all of that content on-demand doesn’t matter whether you registered ahead of time or not. But you can get there by going to securityweekly.com/unlocked and click either the button to register where the button to login if in fact you did previously register.
Also, note in honor of Black History Month all mentions a PCI will be toasted at least on my end by Uncle Nearest 1856 Premium whiskey, made by a black-owned company interesting story if you have a chance go to Unclenearest.com to look up that story. And speaking of Black History Month, I’d asked Flee a couple weeks ago, if you wanted to have an episode where we focused a little bit on you know, the black experience in cybersecurity and I asked him you know we were chatting about it and throwing ideas around “So was there anybody you think about wanting to interview”, and without hesitation, he said John Threat so I’m pretty much gonna turn the microphone over to Flee now and I might speak intermittently but I want to give Flee the chance to introduce his mentor and childhood heroes as we’re finding out his idol. So Flee, take it away.
Yeah, yeah. Thanks so much. And also, thank thanks, john drip rack he agreed to hop on the show today. You know, for those of you that aren’t familiar, you know, Jeff actually did a great intro to give you just a little bit of an oversight of JT’s history. So if you didn’t know him as Corrupt, especially those of us that are a little younger, obviously he’s just had an illustrious history. You know, I like the fact that his handle actually is John Threat, but also Media Threat etc. And there’s actually interesting project, he literally gets to have a threat actor on the show today as someone who’s been instrumental both on the black hat side, but also on the white hat side. But even more interesting. I feel like JT is the embodiment of that hacker ethos always, you know, exploring, always trying to find new avenues, and always using intelligence and savviness to kind of actually break into areas, including into areas like the media, like I think a lot of people aren’t aware JT, of all the media work that you’re actually doing now, and all the activism that you actually have killed throughout your entire career. So I would love to just maybe just dive right into it with you, JT. And yeah, let’s maybe start a little about how you actually got into security, got into hacking, whatever you want to call it. Yeah. Just tell us a little bit about your beginnings what it was like being a Baby JT, baby havoc, baby corrupt, etc. So we’d love to hear from you.
Gotcha. So I’m a hacker. Um, first and foremost, hi. I’m from Brooklyn, New York, I’m a break into computers. So originally, I started long ago, I got lucky. And there was like, some computers at my mother’s work, and I got to go in there and play with them unobstructed. There were no games or anything. So all it was to do was code. So eventually, I got my own computer. And I will just, you know, I just would code and have fun with it as much as I could. But what happened was that when I first got a modem, admittedly, when I got online, I have to admit, I didn’t really feel, I felt like a little bit of rejection from the communities online, I logged in to Q-link. And I was like, Yo, what’s up? Anybody know what’s up with these hip-hop songs? And everybody was like, yo, get the fuck out of here. New Kids rock. Like, I was like, oh, man, New Kids on the Block. disenfranchised. Um, but what’s interesting is since then, you know, hip hop has become America’s music. So now I wouldn’t feel rejected by mentioning hip hop. But, but back then. It was no go. So, um, what? that put me in a place where like, I wanted to, like, not out of revenge. I just wanted to learn how to hack I just found like, this cooler area. And I was inspired by, um, it was a dude, his handle and he was like, no good at hacking. But when I first started, it looked like everything. His name was TheGreatAmericanHacker. And I was just like, God, Damn, that’s a fucking great name. So I’m…
Jeff Man 6:55
Was that Kevin Mitnick?
No, definitely not.
Jeff Man 7:00
And we said he wasn’t a good he said he wasn’t a good hacker so..
[Lots of laughter] I didn’t say that. I think the world said that. So all right, so anyway. But at any rate, let’s see. So, um, I think that like, from there, I started. Yes, so they’re breaking into computers. And let me just tell you, if you’ve never done it before, and I don’t, I’m pretty sure this doesn’t drop in the same effect, maybe gives you a little bit of this. You know, like, the first time you might do a pentest, I’m sure. But like, breaking into a computer that you didn’t belong in. It’s like fucking an orgasm. It’s like, incredible. Hopefully, I’m not influencing anybody to do anything wrong. But Yo, that shit was fucking in the dopamine hit was beyond belief. So I kept breaking into computers. And then I met the crew that – I was in several different hacking crews, everything from like, eight-legged group machine to MOD. I don’t think most people know that was an eight-legged group machine for a while before MOD, which is kind of like a pure systems hacking group. Not that MOD wasn’t. And then MOD I met – um, I was like, on a system, I broke into it. And one of the members was on there. And like, I locked him out of the of the server. And he was like, Oh, shit. And I think I said, you know, my handle is Corrupt at the time, I hadn’t transformed. And like, Yeah, he locked him out. And then he fucking he fucking got my number. Right? And fucking called me. And when I called him back, the phone was fucking disconnected. And I was like, holy shit, this guy fucking put the fear of life into me. And I was like, You know what, I got to figure out how to do that. And eventually, I joined the group. And then, you know, we did a lot of telco hacking – hacking phone systems, which is why we could change phone numbers to do whatever we wanted to. And, yeah, figured that out. And then of course, I was like, You know what, nobody can never have my phone number again. I mean, now, it’s okay. But back then, I vowed that no one would ever call me like that again. And it was pretty successful.
Scott Lyons 9:26
I’m going to have to make an “F” Bomb tracker over here!
Just hearing you talk about this, it immediately, like, it’s obvious, just like the priding and just the front of the enjoyment of the experience itself. And I’m actually I’m kind of curious, like, what do you do with that energy now, like, I totally hear you, but like, there’s something different about, for lack of a better word, maybe being someplace that somebody else didn’t want you to be, but you actually forced your way in. And I’m also kind of curious like how you translate that enthusiasm into some of the work that you do now. And would love to even like, you know, talk a little bit about like that connection that you’ve drawn between hacking and hip hop, and just both those cultures and how they intertwine.
Right, well, let’s talk about, I’ll start with the hacking and hip hop. So what I think is interesting is that the birth of hip hop pretty much lines up with hacking, in a lot of ways. Hip Hop initially was very much a very hacking, DIY sort of movement, you know, cobbling together turntables. using them in ways nobody thought about before, both for like mixing and scratching and transforming. And flipping verbal poetry on its head with just the tools that you have it integrated technology. I remember the early DJs used to actually rip off the phone, public phone handles, the headset and then tie the wires into the instead of mixer. That’s fucking great. But like, I really thought that was great. And it’s like a hacking like halfway. But the track of hip hop and punk actually goes right along with the growth of hacking into its own subculture at that time.
So and up until now, we’re like, hacking is like basically, like, the texture of everyday life every day, computers are broken into around the world. If you talk to your grandmother, she’s like, somebody hacked me on Facebook, don’t tell nobody, like everybody is hacking. I don’t care if fucking chef or fucking bicycle repairman, everyone’s hacking. And that’s great. I think that spirit is amazing. And we’re gonna need it as we move into the future where technology pretty much undergrids almost every part of our life, being able to, you know, exploit it, repair it, push it to its limits, that’s great quality. Including, you know, the exploration of going where you don’t dare go, you could even attribute hacking, breaking into computers, people might not like it, but almost like, you know, taboo, like, Christopher Columbus into America, not, not, I mean, I know that that might be a troublesome comparison, but in a lot of ways, you know, still, the exploration is something that is part of the human drive just says we’re going to Mars, like I think in that regard, you know, exploration is, it’s a quote, Jurassic Park. It’s like a penetrative act discovery. Great, great movie to reference for sure.
Dude, I love that, you know, and one of the things I love, JT is that you’re unapologetic about – you refer to yourself as a hacker and unapologetic about owning being a black hat. And, you know, I would love to, like hear more about your philosophy on what it means to be a hacker and why you still like the moniker black hat. And definitely also want to touch on that third rail about your opinion on quote-unquote, ethical hacking.
Right? Well, I’m definitely a black hat hacker. I fucking break systems. That’s what I fucking do. Like I even before there was a white hat/black hat thing, whoever came up with that silly thing. hats. Jesus Christ, man, shit has nothing to do… Anyway. It’s here. It has stuck. I’d love to see it go away. But the truth is that really the mythology is around the black hat hacker. Nobody actually likes a fucking annoying white hat hacker. “Oh, I’m so fucking ethical, blah, blah, blah.” Like it stinks. But also, more importantly, ethical hacking gets you bad security at the end of the day. Like, the ideas for hacking come out of, what they determine is black hat hacking. Now I’m not saying there aren’t some great researchers that never broke in they fucking excellent. But there’s also the application of it, which is also a part of breaking in. You can be really good at finding a hole but exploiting it properly, across networks is actually a whole different, like fucking mental space.
Scott Lyons 14:22
So it’s – Flee, can I jump in here real quick? It’s been defined in previous iterations of what hacking actually is. I’ve heard it thrown around in the community that most hacks are 98% social engineering. Would you agree with that? Would you say? No. Would you say that you know, whoever thinks that is not looking at this correctly? What are your thoughts?
That’s a good question to debate. I mean, this, that has been raging since you know, before there was actually an industry, that idea of like, is social engineering hacking? Like we had a dude in our group, that was like social engineering master. And yeah, that’s a part of it, for sure. I mean, I see the debate, I get it. I think that’s why I draw the distinction about being like a systems hacker. Because ultimately, that’s more what I do. I can social engineer with the best of them. I used to enjoy social engineering and stuff. I used to get away with it a lot. I mean, I’ve done everything from, I mean, one exploit I did. I mean, this is years ago, I had to get – I could, I couldn’t get in the system. I guess this is social engineering. I hacked in couldn’t get root because the guy was on all the fucking time, man. This is in Germany. And so what I did was I pretended to be like, I’m one of the employees, they’re like, damn, this is gonna get canceled. I pretended to be one of the women employees there and flirted with him to the account. And yeah, he gave me I just wanted to try a little route. So he gave me the root password and a patch the system, and do what I had to do. I wanted to see what was on there. I feel bad about it now.
Jeff Man 16:06
No you’re not! [Hosts all laugh]
Hopefully, they got together. Alright, right. So just to make to finish the story. I’ll be honest with you, I bought them to completion. I mean, I definitely do that as a little cybersex going on and get that dark, dark, dirty, dark, there was a dark,
Jeff Man 16:30
It’s funny if I can interject real quick, you know, I have never called myself – I don’t think I’ve ever called myself a white hat hacker. But I was doing hacking. Professionally, I guess, while you were doing your thing. And we can talk about that later. But I can remember even in the office that I was in which we called the pit. We would develop an attack strategy in the small group of guys, at least in the very beginning, you know, the research would be done. And we’d be like, okay, we’re pretty sure if we push the button, pull the trigger. This will work. Oh, but we can’t do it. Because we got to follow the rules. I was like, yeah, I’ll push it. So I was the guy was like, yeah, I’ll push the button. Just look at my hacker handle, which we haven’t shared yet. That’s a challenge. Find out. I think it’s already been mentioned on the air. What’s a tease other hacker handle is what my hacker handle is. Hey, real quickly, our show is about security and compliance in I lived for a lot of years in the hacker world. And then I went over to sort of the compliance, more white, maybe vanilla side of the industry, in compliance, and honestly, honestly,
Scott Lyons 17:44
Though Jeff, I got to interrupt you honestly, it all comes down to who pays you whether you’re black hat, gray hat or white hat? Who’s paying the pair off?
Jeff Man 17:51
Fair enough. But, you know, we have a question that we ask all of our guests, and there’s no good way to fit it in. So I’m just going to throw it out there. We talk about there’s being two different silos, two different worlds, the security side of things, the hacker side of things. And then the other side, which maybe that’s a black and white thing, the way you’re describing black hat, white hat. But the question we ask everybody JT is, you know, where do you fall on this whole notion of security versus compliance? What we call the security versus compliance continuum? No, right or wrong answers, just what’s your take?
Right. So all right. So for me personally, I do feel like compliance drives most of security these days. And I don’t think that’s the way to go about it. I mean, I think the way I would describe it, I mean, I think, first of all, I see some huge problems in terms of security. Now, in terms of like, on the attack, side of things, yo, you know, in terms of a nation-state, like USA is fucking phenomenal, right? That’s not in question. That’s also backed up with, you know, additional layers of help that I won’t describe here. But like, in terms of security and defense, not so good. Because, in general, to manage so many computers, and so many people, everything is sort of fell. So like what kind of right now call it like checklist security. Like there’s these checklists that people go over and they swear, they got these PDF, they’ve got these checklists, they swear it’s good. If you kick the tires on these checklists. It’s like somebody wrote this shit, like about five fucking years ago. It’s not even relevant to like today’s attacks. I think in general, it’s done a disservice. Because on the other side, hackers stay fluid. They constantly try to figure out new ways to figure out how to penetrate how to stay hidden, how to execute out of fucking, you know, make pieces that are big, big, you know, have network effects and distract. You need people on a security side who think that way. And you can’t really do that to me with the sort of sort of structured thinking that’s happened. Like I said, a lot of people make a lot of money, you know, resting on these checklists. And then the company gets overrun so easily. And they feel like Well, I mean, but we had the checklist. But the checklist is outdated. And it’s been outdated. What I like to see is definitely more of the idea of thinking like a hacker. And to me, that’s where so that ethical thing falls out, right? Because you sort of like get so entranced with like, this, like identity of being in the checklist world and can’t do anything wrong? And how are you going to? How are you going to imagine new possibilities like that? It, I think it constricts people heavily from being really amazing, transforming into really amazing security and security practices, that would ultimately be for the best interest of everybody.
Jeff Man 21:03
So let me follow up on that real quick. And, if this is a little bit inflammatory, it might be intentional. Having lived in both worlds, you know, I, I get what you’re saying about the creativity and understanding, you know, how hacking works and what the mind of a hacker is like, because when I was in the early days of me being on the compliance side, and I was in PCI, from from the very beginning. One of the big things that I missed when I was on the PCI side of the world was talking to gleeful people, talking to hackers. And, you know, talking to people that got it just understood, you know, what we’re trying to do this systematically secure things, following checklists, frameworks, or whatever. And I’m like, Yeah, but you’re missing the point. You can run circles around this kind of stuff. So I get that part. But I also believe that breaking things as easy building things that can’t be broken into hard. Any thoughts on that?
Yeah, it’s almost impossible. But also in the, that’s where, like I said, that’s where the fluidity comes in, and people being able to be malleable, and think like a hacker and have those discussions, like the rigidity is what allows people to penetrate. I do get what you’re saying. But ultimately, like, like I said, when you kick back and relax on those kinds of structures, and like I said, I understand is, how do you, like I said, administrate, like a huge company with a lot of computers and devices, is, it’s almost impossible. But I do think there are ways around that like, I’ll give you like a far throw one. That’s something I’m actually working on personally, like, with some organizations, it’s definitely I feel like computer literacy, in general, is really poor, we get access to powerful devices, and expect to take a job and secure environments. And, and a lot of people have no idea how to manage their own personal security, even as, you know, the ability for like, even simple things like OSN, like the average citizen is getting really good at tracking people down and monitoring them on social media and figuring out their personal data. I think the rot the challenge has risen, but actually, you don’t actually learn. Like, if you’re not targeted toward a security field, where you were hacking on your own as a kid and interested in the stuff, then you might find yourself in a secure environment in charge of a lot of important data, and you have no idea how to secure it. Nobody’s ever talked to you about anything from your personal, you know, OPSEC to, you know, computer security practices. I mean, at this point, you know, it’s almost a shame that these things aren’t talked about in high school, or even preschool like I’m sorry, a grade school, you know, just a general discussion about your own personal data security, and that leads a course into like workplace security.
Jeff Man 24:15
Jeff Man 24:17
I hate to interrupt you. I want to take a quick break. And you know, this has been a great conversation so far. We’ve got a few other guests we need to bring in. So we’re gonna take a quick break. We’ll be right back.