Throwaway here. A couple years back, we thought about hiring this guy for a security assessment, so we looked into him.
He didn't check out. He appears to be lying about his military background in Israel and has little in terms of information security skills. No certifications. Nobody in the field knows him. He refuses to provide any proof of his claims. His blog posts are vague ramblings without real substance.
He's what's known as a "charlatan" in attrition.org lingo. I'm not sure why he hasn't been called out by Attrition yet, but he's probably flying below their radar.
You can easily find his real name and do some Google and Archive.org searching and see that none of his story or timelines check out. He did work in an entry-level security position for a Waltham, MA company for a short time.
The best I can tell is that he's an EDC gear junkie with dreams of being a spy.
PS: He is not affiliated with the fine people at GORUCK.
It's obviously made up. Rappelling this way would not work and you would have a good chance of killing yourself.
When rappelling with an ATC you lock the rope off, and control your speed, by pulling the free end of the rope downward. Feeding your slack out of a backpack you're wearing would force your hand upward as the slack came out and the rope started to bind on that tiny hydration hose hole. If you're lucky the whole system would lock up; if you're not lucky you'd lose control of the rappel and fall.
For future reference the way to rappel with a rope is to stack it into the pack, open the pack up nice and wide so the rope will feed freely, then clip the pack to your harness with a sling so it hangs below you. Or use a rope bucket, which is expressly designed for this purpose.
I didn't read the blog post as a step by step instruction, more like some commercial for the bag.
I've done quite a few rappels and sometimes keep my rope in my closed rope bag on my back (with compression cords in place) if there is a large risk of the rope getting entangled with the environment, I'm on a bridge over a road or I'm on a cliff above salt water.
I use a french prusik on the rope below the ATC and pull the rope out of the bag at the same time as I pull down the prusik. Often the rope gets slightly stuck, a harder pull on the rope has freed it for me every time and I never take care when putting the rope in the bag so I would think a proper packing of the rope would decrease that risk a lot. Should the rope get really stuck I would simply take off the bag and open it up while hanging in the harness. Not a big deal at all.
Have you tried clipping your bag below you, like on a sling off your harness? It takes only a few seconds longer to set up that way, and the rope feeds pretty easily because it's coming out in line with your brake hand. It's also a bit more stable because the weight of the rope is on your harness instead of above it (as when you're wearing the backpack).
Problem #0: Security did not search his bag on entry, thus allowing him to bring rappelling equipment to a software sales meeting.
Problem #4: Security has inadequate visitor monitoring procedures, thus permitting a visitor who required escort to hide inside the building. No, I am not confusing this with #3; his escorts not bringing him to the front desk or whomever is (or should be) logging visitor arrivals to log his departure.
> "Problem #0: Security did not search his bag on entry, thus allowing him to bring rappelling equipment to a software sales meeting."
Realistically, what sort of security guard would actually stop him when they found the climbing gear? Unless they receive some special training, they'd be looking for weapons. The climbing gear would probably raise their eyebrows, but could easily be explained away ("I'm going to my climbing gym later this evening").
Relying on security guards to consider the possibility that their guest might be planning on rappelling from the roof down into a secured floor doesn't seem practical.
The security guards were brutal at Intel in the 80's. You had to sign a waiver that gave Intel permission to keep anything you were carrying on your way out. They did it too (confiscate things they felt shouldn't leave the building). Most people were smart and just left everything at the desk.
That said, these days with phones and laptops being nearly attached to the wrists of folks it would be a very hard policy to enforce. Google's solution was conference rooms that were outside the security perimeter and had bathrooms outside the security perimeter as well. That worked pretty well and would have defeated this particular attack.
Even that could be accounted for. If you have 'questionable' items, security could ask that you leave them at the front desk, and you can pick them up on your way out.
At this point they'd have to start worrying about bulky clothing as well. It was hot outside in this instance, but in cooler weather/climates you'd need to go full TSA-mode on everybody entering the building.
That's practical for some installations, but not many.
Speaking as a construction worker, you'd be quite surprised how easy it is to get into places you generally shouldn't with no one asking questions. I don't wear a company uniform and I've gotten onto the roofs of buildings I really shouldn't have, including when I've been sent to the wrong address and I talked to everyone from the property manager to the building owner and everyone helped me.
You'd also be surprised how easily security can be fobbed off by telling them something they've heard a few dozen times before.
You can go to any uniform supply store and pick up some coveralls for a fake company. You would be able to walk into any commercial building with any equipment you want, and excuse it all off with knowing who the property management company is. If anyone asks too many questions you just say "I don't know, I just go where I'm told" and if you're getting nowhere you can get out of dodge by saying "Let me just call the office, make sure they didn't give me the wrong address."
Your #4 assumes he'd be logged coming and going, which in my experience isn't true for construction workers. Also hiding inside the building isn't necessary. He knew his methodology for getting into the place, which meant accessing the roof. Security wouldn't check the roof once the electrical contact shows the door or hatch is closed.
The weakest link in security is human nature. Build me the most complicated lock in the world, and it's only valuable if people remember to lock it and you can't get them to unlock it for you.
> Speaking as a construction worker, you'd be quite surprised how easy it is to get into places you generally shouldn't with no one asking questions.
No, in general I'm not. At a place where the mere location of the main server room is confidential information, though, I would be very surprised.
> Your #4 assumes he'd be logged coming and going, which in my experience isn't true for construction workers.
It was true of every defense contractor facility I have ever been to.
> Also hiding inside the building isn't necessary. He knew his methodology for getting into the place, which meant accessing the roof. Security wouldn't check the roof once the electrical contact shows the door or hatch is closed.
Well, I was counting on the roof as inside the building; I wasn't clear on that. Still, security should have known the door had been opened at some point, and done due diligence with facilities to find out if there was a reason.
> The weakest link in security is human nature. Build me the most complicated lock in the world, and it's only valuable if people remember to lock it and you can't get them to unlock it for you.
Absolutely correct, which is why training and awareness are the most important features of an effective physical security plan.[1]
Basically, I keyed off the author's statement that this client has security and started thinking, WWDSSD[2]? The items I mentioned in my original post are items I would flag if I were inspecting a facility, in addition to what the author mentioned.
[1] Shit, I'm starting to sound like a fucking DSS training pamphlet.
Speaking from experience, though, if you look and act the part, you can get by with a similar amount of SE effort in contractor facilities and/or military bases. I'm not talking about Boeing's skunkworks or Groom Lake, but defense facilities and people in particular get a stereotype that isn't really true.
My uncle managed to get into a nuclear power plant with the wrong clearance tag. He was working on two facilities and grabbed the wrong tag when leaving the office.
What he said was scariest is that anyone with access to a commercial printer and lamination machine could easily reproduce them too.
So many people come and go from your average facility. I mean you can get past most gates just by landing a job at the right landscaping company if security is that strict.
It also sounds like the target was in a shared office building, so they likely had minimal influence over security procedures.
I interned at a defense contractor, at a satellite office in a shared space. Everyone (including construction workers, movers, visiting officials, employees, etc) had to be badged and logged past the reception area. And truly restricted areas required swiping in with a proper level badge.
Obviously, it's just an anecdote, but I would be surprised if similar requirements weren't standard for the defense industry.
I had a rather long career in the military doing a huge variety of things, primarily with physical security. We were pretty good at our jobs (the US is generally militarily good at its job), but there were regular security lapses that would make regular people shudder. And this was involving activities with the State Department and TS facilities and materiel. You're right though: It's not like getting into a corporate satellite office. You're gonna need a badge of some kind (or correct-looking paperwork, et al) to BS your way past the guy at the door. But it's most definitely not the kind of thing people think of it.
"The sign was so authentic that Caltrans officials let it remain in place for eight years, four months and 15 days, until its removal last month under a standard scheduled replacement."
My dad used to work at a classified facility in the USSR that dealt with satellites. Naturally, they had pretty strict security for things going in and out. At the same time, they had ridiculous amounts of overstocked construction materials. My dad's friend told me a story once about how he and my dad got a bundle of copper piping out of there in front of the security guards.
The two of them grabbed the bundle of pipes, and carried it to the front door, then put it right outside of the front entrance to the main building and pointed it at the gate, which was about 40 meters away. They then flipped it over at the far point, and counted "one!". Then again: "two!". And so on. This way they got to the gate, and then simply continued across the street, continuing to count. According to the different versions of the story (it's been told more than once), they either acknowledged the guards, or pretended to be super concerned with the counting. In either case, the piping went into the walls of my dad's friend's apartment shortly after and has been there ever since.
P.S.: Apparently, one of the people in their group also managed to sneak out a power drill (not as common back then), by tying it between his legs in a pair of large pants.
That's a very good point. The post seemed to skip all the juicy actual security bits, but made sure to explain thoroughly how good the rucksack was, how everything fit into it nicely, and how it was waterproof.
Or simple "gear whoring". Working in lucrative tech can allow for expensive toys, and the personality type of a tech pro as a tool maker/builder crosses over to other hobbies/interests. See also http://www.militarymorons.com/ which I believe is primarily self funded.
The BD ATC is perhaps the most popular belay/rappel device around, even if everyone who read this article went out and bought one it probably wouldn't affect their overall sales much.
> the GR1 protected the laptop really well, by the time I was inside the 5th floor it was pouring outside and the laptop and gear remained dry.
What does that have to do with anything? Don't know, don't care. Just sad that this is the top post right now, complete with supporting commenters/marketers.
This is something of a dream job of mine. As a college student - does anyone have suggestions of what steps to take to be able to do something like this for a living? I have a small amount of experience with hacking (pen testing my own sites for fun and learning) and I have a decent understanding of a wide range of network security and vulnerabilities. But I don't have very much knowledge on the physical side of pentesting. How would I gain this knowledge, or is it something that you're expected to learn simply from experiences in the field?
Caving is very technical and can involve a lot of rigging ropes for abseil and prusiking (going up). It's not really a career, though, and you need to have access to an area with the right geology for caves. Yorkshire is excellent.
Judging from the "professional" section of the Petzl website, being a steeplejack, rescue crew or arborist (tree surgeon?) is the best way to get to use this equipment and get paid for it.
I just got done with a three year "mini career" in industrial rope access, where I got to work on-rope on wind turbine blades, in oil refineries, on the sides of high-rise buildings, and even one job up in the rafters above a professional football (American football) stadium. I'm now working towards a first job in IT or app dev, so this article is right up my alley. Nice work ;)
If you're interested in a job working on-rope, and, uh, learning the ropes, I suggest you take a look at rope access. It's a small niche industry, but pay is very good, technicians are treated well, and many companies offer an "alternative" work schedule/lifestyle where weeks of travel work are interspersed with weeks of total off-time - and good technicians can sometimes choose how much they want to work (or not work).
If anyone's interested, run a Google search for SPRAT and IRATA (those are our professional certifying bodies), and look on those sites for companies in your country. You'll have to take a week-long course (it's hard) and pass an exam before you're allowed on a job site, but if you have the stuff you'll pass, and most companies are hiring.
Interesting; I wish I'd known about this a few years back. Might have been a better option than moving companies and gas stations.
But really, my friends and I used to do a lot of building climbing for kicks when I was younger (probably four to five stories usually) and there was a long period where that kind of job would have been way better while I learned to code than the random crap jobs I ended up doing.
Looks really interesting though. Probably going to do some research into this.
Is the course integral to the job or is it the kind of thing where you pay for the course/licensing/certification then go look for a job? Seems like it might be interesting to look into just for the certification.
Of course... I have no idea what all this is like, so I might research for five seconds and realize that's all stupid to ask.
There are a lot of companies that claim to do industrial rope access outside the scope of the certification programs, but be skeptical of them at first. (That doesn't include companies in other rope disciplines that are different from rope access, like tree climbing and entertainment rigging. Those are different trades. RA takes most of its methods from caving, and some from rock climbing.) If you want to learn to do it right and have a good experience on the job, "go legit." But that means you'll have to get certified. Unless you have specific, in-demand skills (electrician, fiberglass technician, weld inspector), few companies will pay for your first course - you'll just have to pony up $1000+ on your own. However, once you get a job, they'll pay for your re-certifications, as well as follow-up courses that you take as you get more experience and climb up through the certification ranks.
Ohhh, yeah. Sorry. I reread what I said and realized I expressed myself really poorly.
I'm interested in taking the course without getting a job doing it, not the other way around. I was wondering how much it was to take it on my own dime.
I should have said something like "I'm interested in the course; can you take it and not get a job using it, or do you have to be on a job-track through a company to even take the course?"
I used to be a pretty avid rock climber and I'd be really interested in learning the techniques and types of equipment they use.
Reading my post, the climbing buildings part probably didn't reduce the perception that I was trying to do something risky, either.
Well, yeah, you can just pony up the cash and take the class. Your experience would be something like this: https://www.youtube.com/watch?v=xUDob3m6rds - it's really technical, and really challenging. If you have the cash to waste, and a week, it could be fun.
Yeah, I'll have to look into it. I assumed you could take the course, but I didn't know if you'd need to be sponsored by a company or anything like that.
I don't know that I'd see it as a waste of money. I just like using my vacation time and money to experience something completely different and new, while learning new skills. Even if I'm not out doing something more interesting and engaged, I'd just end up hiking around finding a place to hang a hammock and read a book on coding or a technical paper.
My wife says my vacations aren't vacations because I never look like I'm relaxing in the classic sense. I'm not kicking back on a beach with a pulpy novel, usually (not that there's anything wrong with that). For me, a vacation is a time to psychologically recharge, and I get that by engaging myself, but on my own terms. Along with that, depending on how long the certification lasts, it's not that bad to have a backup skill/cert in the wings.
I've also found that it's really valuable to get insight into what other people do to make the world go round. Gives me a better respect and understanding of things in general.
Thanks for the response - but I think you misunderstood - sorry if I wasn't clear. I'll update my first comment to reflect this. What I mean is, how do I get into pentesting in a way that combines both digital and physical attacks. Though thanks for the tips.
I did. I interpreted the parent as saying he was interested in doing technical rope stuff, which was a reasonable interpretation, given the content of the article. I don't think most penetration testing guys have those skills, which is why I discussed fields where you can acquire/use them. Any clearer?
Lock your doors, try to get into your house, fix the security issues, try to get in again.
Buy a safe, try to unlock it without the key, buy a better safe, try to get in.
If you're especially lazy, put an ad on craigslist looking to hire janitors, take the resumes, put your name on it, and apply for real janitorial jobs.
Thanks for the suggestions. I've already dabbled in lockpicking as a hobby. I honestly have no idea what you are talking about with the last sentence though. Are you making a joke about the likeliness of making a career in pentesting? Or is this a way of describing how to infiltrate a building by running a long con as one of their janitorial staff...
That last route threw me off at first as well. But it does provide excellent cover and who would suspect a simple janitor of anything. An added benefit is you get a key to almost anywhere.
> After a week of recon I found out that the 4th and 5th floors are only accessible with a very specific card via the elevator. I didn’t have that card. Even if I get to the elevator I could not go to the 5th floor
Interesting that one of those presenters is named Howard Payne. Along with Payne being an elevator company, Howard Payne is the name of the antagonist in 'Speed', who hacks an elevator...
Is this a real thing, or is this whole site just sort of autistic ramblings of a wannabe spy? I guess I'm inclined to believe the story only because it's not particularly exciting as fiction.
It sounds like he looped/threaded the midpoint of the rope around something and then rappelled on both strands. Once back in the building he could pull either end to retrieve the rope.
Possibly either loop the rope and descend on both ends - once inside retrieve by pulling on one end, alternately, use a knot that only holds under tension, once inside, shake rope to release knot, finally, it could be fantasy and the author didn't consider that detail.
A 70m rope (depending on the building) should manage 7 floors with a double strand (only just, and you'd want to use some webbing to anchor to the edge). The fact that he mentions a tibloc indicates he was rapping on a single strand though, as that device would not handle a double strand ascension. I doubt I'd be comfortable anchoring to an AC unit though. Also, really, don't try this at home. There are lots of non-obvious hazards here. For instance, climbing ropes are incredibly strong and in practice just don't break, unless, oh, say, they are weighted over a sharp edge like the corner of a building. And no, do not try the "shake the (insecure) knot free" technique, really. Rappelling is (statistically) very dangerous as it is one of the few situations in climbing where you are trusting your life to a single point of failure (redundancy is good!) and is probably responsible for more deaths than climbing falls are [1].
Watch out! That technique is really sketchy, and won't work if the rope goes over an edge (like the edge of the building). You also have the problem of a falling metal object that can smash windows, your head, or itself.
This is like a deep ad for backpacks, right? Alpha Mac Infosec Warrior thing - like if you love minimalism and jingoistic tech-spy novels, we've got the gear for you?
I prefer that to the alternative - that someone is purring while looking at OCD pocket dumps of watches, wallets, pocket knives, and patches.
Well he did say "I have more than 15 years experience as an alpine and rock climber, I am trained in high-altitude rescue and rope safety." at the bottom.
Shameless plug for Randy Rackliff's packs out of North Conway, NH (the company is called Cold Cold World: http://www.coldcoldworldpacks.com/). They are hand-built, to custom order, in New Hampshire, weigh less than name brand packs, are made of tougher material, AND will only run you about $125.
What's the secret? Simple construction, no bells and whistles and unnecessary crap like water"proof"ing. Tougher, cheaper, lighter. Not made in China by a giant corporation. The ultimate hacker pack!
I kept looking for what exactly made it "bomb-proof" in the product description, but saw no mention of any plating or kevlar or anything, so it seems like a suspicious claim.