Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.
Want to get your hands on a Flipper Zero? Read on. We’re giving one away!
You know what they say, you save the best for last. As we wrap season two of Adopting Zero Trust, we take a shift from our standard conversations about modern cybersecurity strategies and look back at some of the history that got us to where we are today.
This week we chat with Hector Monsegur, Co-Founder of LulzSec, and current Director of Research for Alacrinet, who discusses his journey from hacktivism to white hat pen testing.
In May of 2011, a series of cyber attacks swept the globe. Starting with Fox News, after a broadcaster called rapper Common ‘vile’, then an attack on X Factor (yes, the show Joe Rogan used to host) leaking contestant data, and through to taking down the Sony Playstation network. A, at the time, black hat hacking group was founded and picked off targets for laughs (lulz) rather than financial gain. Among the group was co-founder Hector Monsegur, better known by his alias Sabu, who shaped the movement into cause-based cyber attacks or hacktivism.
But the story starts well before the formation of Lulzsec, and before the FBI knocked on Hector’s door. It stretches back to a time when there weren’t resources for people to learn how to hack, pen test, and become cybersecurity practitioners didn’t exist, unlike the endless amount of certs and higher education programs that exist today.
I got online in the mid 90s, I was 11 and a half, 12 years old. I think 12 was a solid number there for sure. And you know, my foray into the internet, my introduction was to AOL.
That was where it started. And then on AOL in those days, it was a whole scene dedicated to writing custom proggies. That's what they call them, a program. So these programs will automate certain AOL functionality, but very soon you learn, right, that it was lame. Cause there's so much more you could do, but I, I definitely give kudos to that time and the developers at that time, because they introduced me to program and you know, playing with basic and then eventually visual, visual basic people, you know, which was 16 bit.
And script kiddies there were a plenty, including myself, who got my family AOL account banned. But for Hector, his curiosity got the better of him and he wanted to go deeper.
You know, I got to learn some basic concepts of API, basic concepts of, of, you know, how to call a library and how to pull a function from, you know, a DLL, for example, or OCS or whatever. And then I found myself with IRC, right? Internet Relay Chat, for those of you that are not that familiar. And IRC was the Wild West.
It was the place to be. If you wanted to learn, that's where you go. If you want to. You know, enjoy some some craziness and get cursed out in every possible language and see all the racist stuff You ever want to see in your life all the stuff that was available on the internet at that time You could get it in a single IRC channel if you wanted to or a single IRC network.
In my case, it was FNET.
And that is where we leave you this week. For the rest, you’ll have to tune into Hector’s interview.
Key Takeaways
The evolution of one's ethical stance: Hector's journey highlights the importance of questioning and reassessing one's actions and beliefs.
Collaboration and collective impact: Working together can amplify efforts and create positive change, even in the realm of cybersecurity.
Balancing curiosity and responsibility: Exploring technology and hacking skills should be accompanied by a sense of responsibility and ethical considerations.
Giveaway: Flipper Zero
As a fun way to end season two, we are giving away a Flipper Zero. If you are not familiar, let’s just call these pen testing toys. With this in mind, you can also get into legal trouble if you abuse them, so you must be 18+ and be in the U.S. If you get yourself in trouble, you didn’t get it from us.
Here’s how to enter (pick at least one):
Subscribe to our show (here).
Give us a review on Apple Podcast.
Share this episode on LinkedIn and tag us.
Tell us what LEGAL thing you will do with it in the hacking reddit thread.
Editor’s Note
The season finale of AZT is here, and we couldn’t have found a more interesting way to wrap things up. Hector has such a unique and storied past, and we can’t recommend his own series enough. The very agent who knocked on his door joins him as the cohost on Hacker and the Fed.
We also can’t thank you, our listeners, enough for another year of the show. Neal and I do this as a passion project first and foremost, but as we seek to attract harder-to-reach guests, we are also building in some ad opportunities. We are ensuring that doesn't impact how we highlight the practitioner's perspective on modern cybersecurity strategies, too.
Speaking of growing, that other podcast I mentioned last episode? Mastering the Art of Failing can now be found at failingpod.com or on your favorite podcast app. The pilot series will highlight people who have found success in their lives, but not without some challenges along the way. Our first guest, Glen Hellman, was part of several successful exits… and quite a few not-so-successful flops. As the series progresses we’ll expand beyond just career-oriented stories and dig into physical, mental, and other states of pushing boundaries and levels of success.
Before There Were Certs… There Was Hacking
Hector shares his early experiences in the world of hacking, which began in the mid-90s. Influenced by movies like War Games and Hackers, he developed a passion for exploring the digital realm. Starting with AOL and IRC, Hector honed his skills in programming and exploitation. His curiosity led him to learn UNIX and eventually become a systems administrator. However, his path took a turn when he discovered the concept of hacktivism.
Hacktivism and Ethical Dilemmas
Hector explains how he became involved in hacktivist activities, driven by his interest in geopolitics and activism. He participated in operations targeting the Puerto Rican government and the United States Navy, raising awareness about environmental concerns. Subsequently, he engaged in cyberattacks against Russian and Chinese infrastructure. However, witnessing the infamous Apache helicopter video leaked by WikiLeaks in 2007 challenged his perspective and made him question how he approached things at the time.
Transition to White Hat Hacking
As Hector's views evolved, he took a closer look at organizations like WikiLeaks and the emerging collective known as Anonymous. While initially skeptical of group collaboration, he realized the power of working together to expose injustices and vulnerabilities. This realization prompted his transition from hacktivism to becoming a white hat hacker. Hector started leveraging his skills for legitimate purposes, focusing on penetration testing and helping organizations strengthen their security posture.
Transcript
This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.
Elliot: Hello and welcome back to Adopting Zero Trust or AZT. I'm Elliot Volkman your producer alongside Neal Dennis your host And today we have a little bit more of a unique conversation which will start with providing some background and context from our guest and then jump into our typical focal points, which will have some semblance of resemblance to Zero Trust.
So that said I'm just going to jump right into it because this man has quite a bit of a history. I would be shocked if you are not. Familiar with him to some extent, especially if you've been an info infosec and then into cybersecurity is it's maybe a little infamous, but certainly paid his dues and going to provide a lot of context that.
I think folks like ourselves would be very interested, especially when we jump into the pentest side of this conversation. So without further ado and again, Hector, I'm sorry if I messed up your last name, but we have Hector Montsegar who's currently the director of research for an organization.
Who may or may not have started with a significant black hat history. A co founder of an organization called Ballsec and also was known as Sabu. So if you are not familiar with his background we're going to have a little abridged conversation. So with that being said, Hector, maybe you can open up that can of worms.
How did you jump into this world? I know we were just chatting and it is exactly where I want to pick back up, but, you know, When you started you know, there wasn't higher education programs to help you understand how to pen test and break into things in a safe or legal ish way. But yeah, you know, tell us about yourself.
How did you get into this? And then, you know, that'll lead us to the the regular conversation.
Hector Monsegur: Yeah. Sounds great. Emphasis on the legal ish for sure. And, and, and by the way, before we start here, a big shout out to you, Elliot, for reaching out, of course, Neil, for having me both. You guys is so far it's been a pleasure and I'm looking forward to our conversation. So in terms of how I got involved in cybersecurity, um, it really started by accident, man, you know, it started like a, I think a lot of folks from my era that mid nineties, early two thousands, you know, era where, you know, they may have seen a film or two, right.
The films that really got me interested was like war games and the nets, you know, the common ones that you hear from everybody, right? Sneakers and some other
Neal Dennis: Hackers. You've got to always
Hector Monsegur: Hackers, right?
Neal Dennis: yeah.
Hector Monsegur: Hackers was, you know, it was crappy as it is, but you know, it was. It was interesting. Yeah. It was interesting because it, it introduced me to the concept of like the scene.
There's groups of people out there that collaborate, you know what I mean? And when you watch war games, it's just the one kid from the suburbs by himself. You know what I mean? He has the fortune of having computers and a, and an external modem. He has, he has access to certain resources, the nets, right? We have a successful malware researcher.
She's fantastic. Shout out to Sandra Bullock. And she has a job. Right. So it's like, these are people that like are individuals. They are. They're introverted and and so hackers introduced the concept of wait. No is beyond that there's groups of us out there We do mingle sometimes and of course the famous scene or the infamous scene of risk is everything right the introduction of the risk architecture That was new to me.
I had no idea what the hell risk was and and here we are in 2023 We finally get access to it, right? but anyways I You know, I got online in the mid 90s, I was 11 and a half, 12 years old. I think 12 was a solid number there for sure. And you know, my foray into the internet, my introduction was to AOL.
That was where it started. And then on AOL in those days, it was a whole scene dedicated to writing custom proggies. That's what they call them, a program. So these programs will automate certain AOL functionality, but very soon you learn, right, that it was lame. Cause there's so much more you could do, but I, I definitely give kudos to that time and the developers at that time, because they introduced me to program and you know, playing with basic and then eventually visual, visual basic people, you know, which was 16 bit.
You know, I got to learn some basic concepts of API, basic concepts of, of, you know, how to call a library and how to pull a function from, you know, a DLL, for example, or OCS or whatever. And then I found myself with IRC, right? Internet Relay Chat, for those of you that are not that familiar. And IRC was the Wild West.
It was the place to be. If you wanted to learn, that's where you go. If you want to. You know, enjoy some some craziness and get cursed out in every possible language and see all the racist stuff You ever want to see in your life all the stuff that was available on the internet at that time You could get it in a single IRC channel if you wanted to or a single IRC network.
In my case, it was FNET. I'm not sure about you, Neal. I think Neal, you was probably an FNET guy too, but I'm not, I'm just speculating. FNET is where a lot of us got started from that era. And and yeah, you know, now once you're on FNET, once you're in the IRC and people are now sharing things, they're sharing exploits, you know, it's funny for those of you that don't know that you, you're probably in the industry a little bit More recent you might go on twitter You might see an exploit for sale for eight million dollars or even the ios zero click vulnerability and sandbox escape with the userland privilege escalation That's going for like, I think, I think a Russian marketplace offered 20 million or something like that.
But back then you were getting it for free, right? Because researchers and practitioners were very much about the knowledge is power. Let's share that. And by the way, this hacked the Gibsons along the way. So I got into looking at exploits. I started to learn C and then one day I read a really good article.
This was in the mid to late nineties. On Cgi exploitation so back in those days and i'm sorry i'm going a little bit long elliot feel free to cut
Elliot: No, no, you keep going, man. This is still the bridge version.
Hector Monsegur: If this is a bridge man, damn,
Elliot: I mean, you get a whole podcast focused on this, which I guess might as well do a little shout out here. Definitely check that out to remind it's hacker in the Fed, right? You also probably have another one.
Hector Monsegur: No, it's just hacker in the fed. It's literally me and the guy that arrested me and we became good friends big tarbell. He is the man definitely if you guys ever have like a If you ever looking for someone from that perspective definitely hit him up
Elliot: Nice. So yeah, not to cut things to the end, but that, that is almost the punchline a little bit. Pretend you didn't hear that part. But yeah, absolutely. Check out Hacker in the Fed too. There are some really interesting stories along there. So anyways, Hector, go on, the floor is yours.
Hector Monsegur: yeah, so I read, I read a writeup and I wish I could remember the name, the guy, literally his name was I forgot if I, if I figure it out, I'll let you know, but it was, it was obviously a pseudonym, you know, some, some random, you know, set of characters and he wrote about exploitation of web servers by means of CGI and before, you know, PHP became very popular and now you have like, node and you have all these different technologies.
If you went to a website back in the mid nineties, you may notice. You know, the, the, the hosts, the path, and then indexed on CGI or something that CGI and CGI stood for a common graph, common gateway interface. There you go. And basically what it was is it was you know, a interface between you, the user and the backend server.
And in the middle was something, and that something was either a C binary. Okay. Or a Perl scripts. So this is where it gets fun because now I'm like, damn, I don't want to. I don't want to go too deep into C because all of this is still new to me. Mind you, I'm 13, 14 years old. I'm still absorbing this stuff as I go.
I had no mentors. I had no proper education. So I was like, okay, I'm still learning. I think Perl might make more sense. Cause it is, it is a scripted language. And for those of you that didn't mess with Perl back then, mess with Perl now, it is a beautiful language in its own way. It's not as readable as let's say Python.
But it has a lot of very strong characteristics. Now, the trick was, can you learn the nuances of the Perl language enough to be able to execute commands on a CGI script on a web server running on who knows what backend? And that's where my mind started to really go deep into that stuff and try to understand it better.
After I started to learn CGI, then I needed to learn Unix. Because in those days... And this is pre this is obviously pre Mid 2000s. That's when iis took over the internet and he had a whole bunch of millions of windows servers running websites So this is prior to code red and code blue and all that fun stuff.
Neil. You might remember that time and so a lot of the servers back then were running watts solaris sun os And in order for me to learn Unix, I had to find access to a Unix server. And in order for me to do that, I had to break into a web server using a CGI vulnerability, which was a code injection to read the password file on the backend server, then take that password
and Donald John, the ripper. And then with John, the ripper, I just let it brute force on my machine, which was running a DOS command prompt. I was still in windows back then. anD then I got a password and then I had to read the next article, which was how to break into systems over telnet. Right. Another cheesy, like, you know, two and a half page article written by another teenager.
And it was basically, here's what you need. You need telnet you need an ip address or a host name and user and password combination I had the username and password combination. I was on windows So fortunately, I did have telnet and in 98, I believe that's when putty came out to make things so much easier 97 98 when putty came out.
So now i'm logging into servers And I have no idea what to do. Okay. One day I go to the library and I find a book and I know I'm going to bust the title of the book. But it's basically somewhere along the lines of the internet's first cyber war. You guys remember that? It's a story of masters of deception, the legion of doom. Great story. Great story. And you know, there was one person and that's all, which I still haven't met yet. I would love to meet. And if you guys know him, you know, send him my regards, but fiber optic, the Unix hacker, right? That was, that was him. He was the guy everybody else is into freaking and everybody else is into all this other stuff but fiber optic or marco beans real name He was the unix wizard.
So I said I want to be like this guy in order for me to be like that guy, I have to learn unix So this is the story of how I accidentally became a systems administrator and that's how I started my career So a long story, but that's how we end it
Neal Dennis: That's awesome. Man, there's a lot of historical throwbacks. Oh my, oh lord. Oh gosh. And then, yeah, I'm not going to go down that rabbit hole more than you already did. But that's awesome, dude. And I think what we were leading into before we hit record was... You know, the requirement around why, right?
And you said this a little bit as well. If you want it to do these things, like you mentioned, you had to go find a box online because it's not like you could either afford one or be someone was willing to offer you up a training space that didn't exist back in the nineties. As wild, wild West as it technically was hacking into a box simply to go poke and prod didn't outright get you arrested depending on who owned it. Right. But it was the land of. Everybody's both ethical and unethical in their approach to everything because the ethics of doing the shit hadn't been defined, which was fine. As long as the business could still move forward and you eventually told them that you were in there, everybody was pretty hunky dory which was nice.
But yeah, so we moved beyond this, right? So we got your sysadmin to get started. I always, you know, we're going to jump up a few years, but You know, you obviously had some issues and some things that kind of tipped you over the scale a little bit towards doing more purposefully things, right? I've always been curious about this a little bit.
I know a little personally in the background, both through podcast and some other things about what got you there. I think it's for me, it's an interesting story to get to understand, you know, how you go from learning and doing things back before it was technically legal to know you're on the other side of the fence, whether on purpose or not, or whether because the laws changed. yOu know, how did you how did you find yourself transitioning from, from support squad to the greater LulzSec Sabu days, if, if, if that's a fair story to talk to?
Hector Monsegur: Yeah, no, we could definitely touch on that and i'll try to keep it more brief, you know the The reality is is that the security industry back then was very much closed Close to people like me at least the way I felt it. I applied for jobs I never got a call back and it was very one dimensional and a lot of the guys from the early security industry I'm sure you remember this name.
I know you've been around A lot of those guys from that early security industry period. It's about like the mid to late nineties and early two thousands. They all came from like the military. They all came together. They started building their businesses together. So not all of them were in the military, right?
Some of them, you know, they just were born into it. Their fathers were probably involved in software development, or they had the luxury, like you look at Robert Morris and the Morris worm, his father was like a professor. So he had access to Unix systems. He had access to technology. In my case, I was literally building computers off the streets, man.
And I was, you know, trying to get online and, you know, cracking into Earthling accounts. I could maintain the dial up connection. You know what I mean? That was, that was the only way I could keep online cause I couldn't afford it. buT as you move forward there, you know, there was one change for me.
It was one thing that changed my direction, my path. Yes, I initially started off very innocent. I assure you that, you know, even when I broke into a system I made sure that I would, you know, maintain it. I would patch the vulnerability. I would update the system when necessary. In fact, I think Dave Attell had a good joke about that.
Back in those days, servers were much more unstable than they are today. And and, and, and Dave said, I think his joke was, I forgot when I read this, it must have been like, When he was at stake at that time, you know, or maybe i'm mixing the people up So if the audience knows feel free to correct it But his messaging was something somewhere along the lines of well, you know how you know that someone's broken into your network Your systems are running well, right? Because the attacker is going to get in. They want to maintain persistence. They're going to update the system. They're going to patch the vulnerability. They don't want to rehack to take place because then you lose access. But with that all in mind, all of that information would change my perspective and change my direction.
What is the conversation I have with my grandmother? My grandmother was born and raised in a place called Lattice in Puerto Rico. And Lattice, if you know, if you do your history or do a book report in Puerto Rico, you'll know is that that was the home of. What they called El Grito de Ladis the, the Ladis cry, right, or war cry.
It was basically a place of revolution and they tried to revolt against the Spaniards and the Spaniards did not they didn't, they weren't passive in their, on their their reaction. So it introduced me to geopolitics and introduced me to you know, cactivism and around that same time, you had the cult of Dekau pushing and conceptualizing activism.
So I personally credit hacktivism with the cult of that cow because they're the first ones that kind of We're talking about at least from what I remember. I'm sure others remember maybe earlier references but cdc were talking about it and what what their approach was is Hey, so we had a good success with bo or back orifice.
That was their trojan, right? They came out with bo2k and part of the bo2k project was to allow chinese dissidents to be able to connect out to the internet and circumvent the great firewall of china That was a massive project. So shout out to cdc for even thinking about that back in like 1999 2000 So with all of that in mind, I gave you guys some context.
And now I'm like, okay, I like the concept of hacktivism. I'm going to participate. And my first, my first hacktivist operation was in the year 2000. I was 16, I believe, or a little older, maybe, maybe a little bit older. And it was against the Puerto Rican government and the United States Navy. And that was because there was a contract in place where the Puerto Rican government allowed the United States Navy to use a small island by the name of Viejas.
For the testing of uranium depleted uranium shells. The problem with that is that there were people actually living on that island. And so it became a very big local political issue. And then it started to creep over to New York, people over to Illinois. There's a lot of Puerto Ricans in the island had moved to Illinois and New York and Boston and so on.
So now it became like a, an American issue. We need to talk about this. There was success there. And almost immediately in the next year, 2001, I started attacking. This is where I became a threat actor for China and Russia. I spent the next five plus, maybe more years, attacking Russian and Chinese infrastructure.
So I probably cannot travel to China or Russia for a long time maybe never. Although I would love to see love to visit St. Petersburg and check out parts of China. But that's what my, that's where my, my hacktivist career started. Now, to you know, speed this up a little bit, right, because I know we only have so much time.
Around 2007 ish or six ish was when you saw the video from WikiLeaks of the Apache helicopter gunning down the journalists in Iraq, and that changed my perspective, man, maybe even radicalized me. I was like, Oh no, this is not cool. And as much as I supported the United States military and the United States government, obviously I'm still attacking Russia and China at the time.
I was like, you know, this is not cool. So I began looking at, you know, those different organizations at the same time, anonymous is becoming a thing, but I ignored it because I was always a lone hacker. I was the one actor by myself, breaking into networks, infrastructure, solo. I never really worked in a group and I even though I did have a group called pure elite back then and I was Participating in hack wiser for a long time as well or for a short time as well.
I mean, I was like, you know what? Let me check this out. And eventually I got involved with anonymous later on I saw that out of the thousands of people in the irc network It was maybe a handful of actual hackers people like me and you know, the average spring happened I participated in that the tunisian situation libya and syria and then you also had iran let's just say it was non stop hacking for like five six Ish years straight breaking into every government agency and organization you think of and by the way, this is a fun fact for the audience the United States government did not care that I was attacking foreign interests.
It was only until I started attacking U. S. interests is when I got that knock on the door. You know what I mean? Fun fact for the audience. Maybe maybe rules have changed since then, but apparently back then, hacking foreign governments was not technically illegal for me. anD yeah, that leads us to today.
There was a knock on my door, like I just referenced to a moment ago, and... The FBI gave me a reality check. They said, you know, Hector, you seem pretty bright, but you're dumb in a way because you're doing this stuff. And you, you know, you're not really thinking this through. The problem that you have is you have two girls in the house.
So we need to figure this one out because you're going to go to prison for a long time and you're going to probably going to lose the girls as well. And so that's when you have that reality check. Sometimes in life we need that.
Neal Dennis: Yeah. No, I mean, I think,
Hector Monsegur: I hope I answered your
Neal Dennis: no, it does. So I think, once again, I, I ask because it's good background. I had had a fortunate privilege. Maybe I was working on the government side of the house contractor at the time when, and on kicked off as well as eventually, obviously we'll say, and so I was, I was on the the other side of the fence looking, you know, looking in as a lot of this stuff was happening.
But. Historically speaking, there's definitely some things I did of a questionable nature, not to the extent of yours in respect to getting caught and, and other things, but I definitely have my private moments behind closed doors where I did stuff I probably shouldn't have. Hopefully nobody's we're way past statute of limitations, so we're good.
Hector Monsegur: Absolutely. You're good.
Elliot: All right. For our listeners, for legal purposes, he didn't do anything illegal. Thank you.
Neal Dennis: for people listening, I haven't done anything illicit or illegal in at least 12 years. I want to caveat that that I'm aware of that being said, I think it's good background because and this, I think this gets us to the state of affairs today, right? Which once again, we were alluding to earlier on before hitting the court where 90s, It's getting started for those in our age bracket that were curious about the things FNET, my gosh but then you had Loft and Heavy Industries out there publicly promoting certain types of efforts in the 90s as well, right?
The first congressional hearing on what would be cyber security with Loft and everybody.
Hector Monsegur: They were great.
Neal Dennis: Yeah, it was amazing. Especially retrospectively thinking about all the groundwork. And then 2000s, early 2000s, the China U. S. cyber war when the plane went down and all that other junk, right? We had Lion and Ugly Gorilla and Cock.
Anyway, large group of people on that side, large group of people on this side. Wonderful experience because once again, like you said, if you're hacking them and nobody gives an F, if you're hacking us, then that's obviously the line back then. And then you flash forward, you get galvanized politically, which is very understandable and, you know, that obviously kicks off movements lessons learned you move forward.
And now we're here where, you know, not only are you, you know, turn the page to more of a, uh, wider perspective. Hats wise. You know, you're also. Lessons learned. But on top of this, you obviously own a company you're working for, you know, you have your own, uh, consultancy type approach, things, pen testing, all these other fun things.
But I don't think anyone in our age bracket could really get to where you're at today. Had they not done the things that we did way before I think those are life lessons that today people are never going to have access to. Illegally or otherwise easily and freely. And I think those all build into where you can have this fun perspective around the the impact of security today and the necessities of what's there.
And then, obviously, at some point in the next 20 minutes, you know, we'll maybe throw out the word zero trust and get your take on that. But yeah, no, so I appreciate that. I like the deep dive. I like the memory lane here in the history. I told Elliot when he. When he told me that you were booked, I was like, man, this is gonna be one of those ones.
You know, I'm like, do I ask for his autograph or do I just sit back and just play it cool? Cause, you know, like I said you know, you're part of the history of our generation for what it means to, you know, for cyber security. So it's cool stuff. So
Hector Monsegur: sure. We'll come to New York. We'll get some steaks at Peter Luger's, man, and you know, we'll have a nice
Neal Dennis: dude, I will, I'll be up there tomorrow.
Elliot: contact
Hector Monsegur: man. Come through. But but no, it's fantastic, Neil, and I appreciate all that. You know, the reality is, and by the way, kudos to you for remembering Lion. Lion was like, that was like, I looked at Lion like a counterpart to us, man.
He was, he was gangster. In fact, he's a major player in, like, the Chinese military. I'm not sure you know
Neal Dennis: Yeah. Oh, yeah. Yeah. He went to jail, right? I think most if you pay attention to history for those not aware The lion was basically the guy who led the the Chinese patriotic hacker movement and what was that 99? 2000 and then disappeared under the radar for the better part of 7, 8, 9 years, supposedly went to jail, supposedly was shot, supposedly just died of cigarettes, whatever shows back up again, uh, 2006, 7, 8,
Hector Monsegur: Somewhere around there. Yeah. And he's in like, full, like regalia, full
Neal Dennis: yeah, like full fledged man of the hour, dude, and yeah, I, I was, I was following along when he came back as I think a lot of us might have been as like, holy crap he gonna break now?
But yeah, that was some fun times for sure. So no, so once again for everybody history is important in any effort here And this is why I think once again, this is an important conversation. We we have a piece of history granted You know relatively speaking. We're not ancient but We will be someday and it's good things to remember.
We have to know where we came from We have to know how we got to where we're at And more aptly, we have to figure out how to do our lessons in a more politically correct or legal manner so people don't have to worry about learning life's lessons the hard way like some of us might. So that's it.
With that in mind. Yeah.
Hector Monsegur: yeah. And Neil, if you don't mind, the one thing I'll say for the audience here is that, you know, I, I, I brought up a lot of interesting points and, and parts of our history and there's some good nostalgia there, but I'm not glorifying any of that. I, I look at it as, as some learning steps that we all had to take at that point.
You gotta remember that in 2023, right now, where we stand. You if you want to get into cyber security and do exactly what I did And learn what I did and learn what neo did and learned what he does you have platforms, you have try hack me, you could go to Google cloud and sign up and get a free terminal, free shell.
You can learn Unix there if you want, you could there's, you know, there's this hack the box and there's hacker one. If you want to practice on a real environment rather than a theoretical or hypothetical environment, we didn't have that luxury. So our route was different. Our path was different. But now it's not so much now, if you want to get into security, you can do it right.
You can follow some really good people on YouTube, for example, that are fantastic. I mean, I wish I had the skills. To the, the, the communication skills rather. And, and, and of course what Elliot does, right. With the creating media and creating content and, and, and editing, right. I don't have the, I don't have the patience for any of that.
So otherwise I'd be on YouTube, you know, straight up, you know what I mean? But but it's, it's a different era now. And, you know, I, I really want folks, especially those of those that are parents or even the young listeners, listen to your, to your episode today. Yeah, you could do exactly what we did with the differences.
You have a, you have a legal path to do it and it's way more content now. You know what I mean? So hopefully that inspires at least one person.
Neal Dennis: No, you know, man, man. Yeah, that's awesome. So I moving forward a few steps. You know, maybe trying to give Elliot parts of the tech talk that he wants to have other than life's history lessons here, which once
Elliot: me five minutes and we're, we're golden. We'll, we'll call it clear, but honestly, the background of the story, that's what we're here for.
Neal Dennis: no, it's all good. I mean, Elliot, was there a lingering question now that we've got the story that you wanted to kick off the more topic oriented for our podcast perspective before I take us down
Elliot: we can add a little context towards the legal side now, maybe pen testing and how it impacts things if you want to go down that route. But, you know, as our listeners can attest to, I've never been able to wrangle Neal and that's what makes the show great.
Hector Monsegur: Awesome. Yeah. So about whatever you guys want, pen testing is really solid is an interesting place to be in right now because, you know, a lot of companies are looking at pen testing as like a commodity. Some companies that have to hire a vendor for pen testing services are looking at it like, oh man, there's another regulation, another compliancy rule, something else within our industry.
We have to check this off. And I want to share some lessons for the audience out there that have to deal with hiring a vendor, because there's a lot of them out there that are still, you know, one thing I didn't mention is back then security, even though it was very young, there was a lot of snake oil, there was a lot of garbage out there.
And this is why the security industry took quite some time to grow, because if you wanted to get a specific product or service or something, let's say zero trust was a thing back then, right? You know what they would send you they would send you a nice big invoice and contract and they'll send you an appliance An appliance you would have to connect to your network and it'll do all those zero trust things in the background And then you would have to pay rent or lease that appliance for the next 10 years of your life and burn through your budget for another 12 years but thankfully we're in a much better place with a much better space And, you know, I see that in your head Elliot, but I
Elliot: Sometimes, I mean, the antithesis of why we created this podcast was people using zero trust. So horribly wrong.
Hector Monsegur: Hmm. Yeah, but you know, you have to okay from my perspective on the offensive side
I understand where you're coming from. Right. And I also think that a lot of people pushing the concept are more of the sales marketing side. They may not understand the technology and, or they may not understand the concepts.
They may not know what micro segmentation is. They may not know what access controls are. You know what I mean? And I feel like when, whenever I'm dealing with salespeople and they start with the gimmicky stuff, man, all right, let's break that down. I'm not admonishing you. I'm not disrespecting you right now, but let's talk about it.
Cause I want you to be an understanding of the topic you're talking about. And that'll even help you with your sales process. Because trust me, there's a lot of C's this, you know, the, the big, the big you know, thoughts. I forgot the word. I was about to say something there, but the big point that I want to make is that a lot of folks believe that CISOs are necessarily or not necessarily so technical, right?
They're more on the executive side, which is usually the case many, many times, but there are CISOs out there that are highly technical. You might run into a NEO that fell into the CISO position. And so if your sales, I know I see you I see you shaking your head, but I it but i've met those guys Neil right and they're very brilliant.
They were probably with us on irishy back in the days And so they understand the concepts now as for sales and marketing person if you're throwing out jargon, you're throwing out words It doesn't make it, it's very clear that what you're saying doesn't match what you, what, what what you're trying to sell.
Right. Or it seems like, you don't know what you're talking about. That's, he's just going to go somewhere else. So now you're losing business. Cause you don't really know the concept that you're trying to sell as a package. So yeah, you know, that's, I think that's a really big, bad sales marketing situation.
I think we can improve it as a community, you know what I mean? But first we need to make sure that everybody's on the same page is what zero trust really means. that's a big problem. I'm sure you guys have seen that right?
Neal Dennis: Yeah. Yeah. Definitions are definitely key, especially when you're trying to let's back step standardizations and the, the application and acceptance of standards are critical. Problem is now it's dutiful. We talked about how easy it is now to break into the scene if you really want to legally break into the scene and do things the right way free or otherwise.
But the one thing that I think has become more burdensome is policy and standards, you know, whether it's ISO NIST, pick a flavor of the day, there's now more. Bodies out there trying to do standards and Elliot knows this firsthand but you, we have this breadth of new terminologies, this breadth of new ideologies and every other company.
The moment that term comes out decides they want to come up with the standard for what it means. And that's whatever sticks against the wall, right? 10 years later, but it's a big issue. So trying to define zero trust, trying to define policies around it. The word's been around for a while, but we didn't start having a more consolidated.
Approach to the construct until maybe the last few years, and I would say arguably not until government finally pitched in and started saying something about it, you know, a year ago, so that makes it hard. Right? So thinking about the ball forward piece here with y'all and and pin testing. I know y'all have a, more proactive approach to the pen testing assessments, right? It's it's not an on demand in the true sense of, Hey, let's hire someone once every six months. Y'all's approach is more, why are you waiting? This should be a rolling kind of effort, right?
Hector Monsegur: Exactly, right
Neal Dennis: and so question being, you know, from y'all's perspective on this, why is that so important relative to just, you know, what we do progressively, you know, once or twice a year kind of thing.
Why do you feel like that? That's the right impact to have.
Hector Monsegur: Yeah I I'm very big on continuous assessments continuous pen testing I feel that point in time pen testing is obsolete. I mean, you know, we've been doing it for 30 years, right? I'Ll give you guys real world examples with real customers without mentioning the names obviously, right? So I had to deal with an engagement for clients.
They brought me in to do an internal red team And for the audience that don't know the difference between a pentest and a red team there's this stark differences, right? So when you're doing a pentest, you're obviously going to do everything that a vulnerability scan would do but you would identify potential attack paths you would then try to validate those vulnerabilities within those attack paths and then you try to create a story well, I used I used uh You know, I noticed that on your network.
You guys were allowing dac pv6 broadcasting That allowed me to play man in the middle or what they call now adversary in the middle. And then I redirected that traffic to a bunch of windows servers that had SMB signing not enforced. Now I have a relay attack. Now I could also create a sock a proxy to those hosts and then use them to bounce off and connect to the active directory and leverage privileges, right?
Whatever. Okay. So we had a client where they brought us in for, for, Oh, and then, and let me finish that thought. So that's a pen testing and adjust, and you want to try to help the client understand the findings and of course, the severity, and then of course, impact and so on and so forth. And when you have red team is a little bit different, right?
Red teaming is of course, a military term and those in the military practice red teaming a lot. The concept there would be, okay, let's put together a sort of strike force or a red team or in Sweden, I think it's called a tiger team, right? And ironically, one of my first, my first security ventures was tiger team security.
But anyways the idea there is that in the military unit, that you didn't particular. They would get tasked with a base. Let's say a base in Puerto Rico, a base somewhere. The idea would be, hey, can we identify gaps in the security posture of that base. Can we get inside? Are we able to jiggle some keys?
Can we just break the lock by force, et cetera? You get the idea. And then of course there are crown jewels or objectives. That's the main differentiators. When you apply that to a internal network or external network, whatever you have to work with the client to identify their concerns. Case in point. Hey, we've spent a whole bunch of money on MFA implementations, right?
Can you circumvent MFA? Whatever that means. Can you log into our domain controller over RDP without an MFA prompt? And if you're able to find that MFA prompt, can you use something like MFA fatigue to make a domain administrator? Just press yes and allow you into the server. So with the red team, you're looking at objectives, right?
specific case studies and or Depending on the rules of engagement go beyond what a pentest would do, right? So in a pentest you would validate a vulnerability maybe even exploit it Right. Depending in a red team, you would leverage, you identify, validate, leverage that vulnerability to exploit the system and then move laterally.
And go as far as you can within your scope. Okay, cool. So when you have clients these days saying, Hey, we need a pen test to address a regulation concern, regulatory concern or we're trying to get a cheaper cyber insurance premium, we need a pen test once a year. And we need some sort of attestation letter.
How can you help us with that? You come in as the pen tester and the client waited to the third or fourth quarter. And so they need this done by like December 31st. Otherwise they're probably gonna get fined or they're probably gonna get blazed with high premiums, depending on the scenario. And they're like, yeah, so it's the last week of december You know the last two weeks of december half our staff are gone So we may not be able to detect some of that stuff.
But you know, go ahead do your pen test and by the way, we have 20 000 internal assets. You have about a week and a half to finish this So good luck, right? So from a pentesters perspective, that's that's like asking me to take on michael jordan on 101 And then score at least one point within five minutes, right?
That's probably not gonna happen now If you're smart about it, even if you are in that situation, I agree. Sometimes it does happen what you want to be able to do from the from the from the organization side is have a scope That's very realistic for your pen testing vendor. Okay, something like hey, we want to do an active directory audit So please use bloodhound.
Please use whatever it is. You need to use to identify potential issues with Our active directory configuration please use, you know, whatever tools you need to do to identify potential access controls issues, please. Look at our shared. We're still using smb for file shares Please look at those permissions, right?
And so yeah now going back to the example trying to give you guys we had an engagement where we identified some vulnerabilities And literally the week after you had the specter ops team big shout out to those guys And they came out with their research paper on active directory certificate services vulnerabilities from esc1 to esc11 That's at least 11 different attack vectors in an active directory pki environment So now the client even though they're running out of time.
They're hitting me up like hey What do you know about this? I'm like, don't worry about it. I've already ordered this system. I've already compromised AD. I got you. Check out the final report, right? That's what you would hope you would get in a pentesting team. So definitely, you know, as an organization do your research and find a team that's research forward or research oriented like a specter ops or even my team, right?
Black Hills InfoSec out of Florida, right? These are, these are companies That, you know, they specialize in research, even trusted sex. Shout out to them. These are teams that are focused on research and they're going to make sure that that pen test is solid. Otherwise you're just going to get a vulnerability scan.
You're going to mess a scan with a nice logo on it.
Neal Dennis: You know, you're giving me some chemical flashbacks here from when I was my last, my final job in the military government side contract. I, I was the guy who had to go through and write up all the formalized reports on the red team exercises for the Air Force. Not the guy who got to go out and have the fun, just the poor schmuck who had to review all the fun and formalize the outputs.
Now, that being
Hector Monsegur: the after action reports and all that.
Neal Dennis: yeah, that may or may not have been one of the reasons why I finally left the contracting side.
Elliot: Okay.
Neal Dennis: and ability to answer the right questions when legal comes calling, but not only that, if we think about this from trying to move our security, I, I, I get up and have some talks every once in a while about reactive versus proactive defense posturing and, and how to go from A to B, at least at a high level strategy wise.
Thank you. You know, everybody always, you ask the question, how many of you want to be in a more proactive posture, and pretty much everybody always raises their hand. Then you ask the following question, how many of y'all actually think you're proactive in your approach, and about 92 percent of the hands go down.
And the remaining five in the room, when you ask them another question about, you know, what are you doing to be proactive then they shut up. But I, I think this posture, you know, being more proactive with the pen testing, being more iterative, and it becomes a cyclical thing that you apply to, you know, just your, all day to day.
And this gets us into zero trust a little bit and in my opinion, where, when we think about compliance, we think about policy zero trust today, I think, is sitting at a place where it's more. sTrictly driven for by policy and compliance ideology and only a little bit about security policy, even though they're, they're wrapped in together, right?
Obviously but I think we're at that kind of cusp of a point where zero trust is building into being true security versus pure compliance, just like back in the 2010 11 age, all the systems were as they were being created were compliance driven. Now they're security driven. I think Zero Trust is in the same phase, personally, where it started off as a compliance driven etiology, now we're into the security driven etiology of it.
I think this pin test methodology is a great way. Always check your wall, always check your defenses, always keep it moving forward, and any time you push anything new, it should be tested repetitively and over until you either break it or push something else new. Yeah. Yeah.
Hector Monsegur: to be able to validate your implementation. So some companies, what they do is they'll, they'll see a really cool product and buy it and implement it. And that's it. They move on or rather they'll deploy it and move on. That doesn't really work because a lot of these tools are fantastic.
Let's talk about edrs For example edrs are very cool, right? Some of them are very good others not so much and you know, depending on the product you go with right? They might be plug and play But the one thing you notice I just for just just to give you guys some heads up here I've spent like the last four years plus researching and working with breach and attack simulation or emulation you know, and that was a very fun time in my life because even though it was never a malware guy, that really wasn't my thing.
I still needed to be able to answer questions from my clients. So I have to sit there and I have to learn these concepts. I had to get into malware research and development and I had to learn what the attackers in the real world are using in terms of TTPs, right? And their techniques and their tactics, their procedures, their methodologies.
What it is that they do wants to get into your network and how they move laterally and you know It's different when you're a hacktivist because when you're a hacktivist you'll get in you can sit there for three years And just slowly collect information and then one day leak it and be the bad guy, you know For these ransomware operator operators or these initial access brokers, right?
These guys want to get in quick They want to get in as easy as possible. They want to make it cheap, right? And then once they get in, they're going to do some lateral movement attempts. They might be noisy, maybe not, depending on the target, right? And then they want to try to identify how they could create the most chaos internally and how to exfiltrate as much data as they can before they're stopped.
It's way different methodologies. I had to get into that stuff. And here's what I learned as you look at edrs, like I said, some of them are very good fantastic We don't even mention the product names. To Sit down and configure and improve and every environment is different Okay, so you need to now tailor that edr configuration To your environment you have to make sure that you've seen the actual alerts As they're being detected.
Okay, you have to do more work. Now. This is where it comes back to neil's point Um on on proactivity you have to be more proactive in your measures if you start to see a bunch of alerts Instead of looking at your sim and saying wow, yeah, this is this is probably normal activity Because i've seen it 10 000 times a day No, you want to look at and investigate and triage these events as they happen And now I could imagine it'll be very expensive the bigger your organization is But then that's when you bring up a third party vendor to help out.
You know what I mean? You can't do everything by yourself and you need to figure out a way to budget that into your, into your security program. And here's how I'm seeing some companies doing it, right? They may not want to, they may not want to like destroy their security budget for the year, right?
But, they could incorporate this. I've seen this in a couple companies. They'll incorporate, bring it in a SIM or a SOC team rather, right, as like, one of their software acquisition budgets, right? So they leave the security budget for something else and I've seen a lot of play in different companies.
It's, you know, I've had the fortune to experience a lot of it but yeah, no, I mean, it becomes difficult when you're buying products, you're deploying it and just saying, okay I think we're good. No, you're not. Right. You need people to help you out with that. And I think with zero trust, you have similar issues, right?
You could buy a zero trust application or appliance or product and set it and forget it. Like the old Ronco commercials back in the eighties and nineties. Right. But the reality is no, you still have to be proactive about it. You still have to maintain the logs. You still have to validate that your tools actually work.
If you don't then what's the point?
Neal Dennis: 100%. 100%. So I think I mean, we're mostly up on time and I don't know where we're at for overage here, but I had one last you know, I'm, I'm going to throw it back to Eli cause I know he's going to ask the same thing I'm going to ask. So I'm going to
Elliot: No, no, lay down what. As long as you're not going to ask him what his definition is of zero trust is, because I think we burned that out a million years ago. You go ahead, man.
Neal Dennis: No, I was just going to give a shout out cause he's thrown out a lot of good names from a company perspective, but he hasn't actually, other than say, or my company, but he hasn't really actually said what it is. I don't know. So I feel like we at least throw that down just a little bit from that perspective.
And, you know, talk for about two seconds Hector on what you and your company provide relative to this. Cause specifically, right. I think that that's a fair shout out and a fair play. And people need to understand that the internet legends do still have companies and they deserve money too.
Hector Monsegur: Oh, yeah, right now i'm i'm, you know, I would say i'm a director of research at a company called alacranat the outer west coast and they're var they're basically a reseller that brought me into building the security team, right? So big shout out to them for thinking outside the box and, and, you know, doing their thing you know, it's near the end of the year.
So eventually I'll probably branch off and do my own thing. And you know, I'll let you guys know what that is when that time comes. But the reality is my friends that you knew, I do appreciate, you know, the, the, the shot out there and the time on that, you know, I think that if any, if anybody takes anything in this conversation is that, you know, there's, there's a lot of context.
It's a lot of nuances and security. It's not black and white, right? Yeah. I can't just say, Hey. Here's this really cool zero trust product or hey, here's this really cool ndr or xdr or mdr or edr And yeah, here you go. Enjoy once you once you deploy you're good. No, you know, you have to be more proactive in your approach and if Me personally neil i've always the way I push it out to people especially those that I mentor, right?
I tell them hey if you're gonna go into the defensive side of work I want you to be proactive. Absolutely. But I also want you to be preemptive I want you to be able to look at your security program and say, okay, here's where we stand let's do an impromptu tabletop exercise. We don't need an outside vendor to help us with that We could sit down all of us with all the department heads and all the engineers and start asking questions What's the worst case scenario if our ceo is compromised?
What's the worst case scenario if our intern is compromised? How are our developers dealing with? Using, you know, public resources, like a, like a external GitHub or gi GI bucket or whatever. You know, what, what is it that we're gonna do if there is a breach? In fact how resilient are we? Can we do, can we say that we're re our business is resilience to, to a breach?
Can we deal with recovery? How fast can we recover? Right? These are all the questions that you can start asking, and as you start asking those questions, getting answers. You start to identify gaps in your organization Then at that point you start bringing in vendors when you need them, you know what I mean?
So i'm not i'm not i'm not much ones on. Self promoting meal, but I tell you I I hope you guys You know, if you have any questions, feel free to hit me up, you know I'm on linkedin feel free to send me a message. You have a question by all means
Neal Dennis: I guess that wraps up the other part of the question is where to hitch you up at. So we're good there too.
Hector Monsegur: That's me being preemptive Neil, if you don't
Neal Dennis: There we go.
Hector Monsegur: Yeah, I'm pretty much on LinkedIn. I do have a Twitter account. I haven't used it since the sad bull days, honestly. I came, when I came back I'm not sure you guys know this, I was banned off the internet for a while. I could not use the computer for quite some time.
So I think 2015 is when I came back and I argued with some of the folks and then went back into the shadows, went back to work. If you want to hit me up, find me on LinkedIn, send me a message, feel free. And we'll go from there.
Neal Dennis: Sounds good. Back over to you, Alec. I
Elliot: Yeah. All right. So I do have one last question. I think we have a hodgepodge of kind of listeners and I am annoying Neil to spin off this new concept that he's working on. So I would imagine we probably have entry ish level. Practitioners, they probably are stuck in the soc. What would you say to folks that wanna move towards pen testing or red team, something to that extent?
Now that you obviously are well versed and experienced in it, but what, you know, what would you encourage people to do in the legal senses? If they want to hone their craft and focus on something to that extent.
Hector Monsegur: anD the way I'm going to answer this is is is with the assumption that even if they want to stay At the analyst level even when they want to stay in the sock They want to be the best at socket as they want to be It's going to i'm going to give you the same answer for both questions. So for both premises, right and that's going to be you have to practice you have to learn you have to read i'm gonna tell you my methodology and you guys can laugh at me if you want and You know, you can critique if you need to, but I wake up at four or five in the morning every day.
I go through to InfoSec Twitter. I go through Mastodon. I go through bug track. I go through mailing lists. I'm looking for new vulnerabilities. I'm looking for new attack vectors. I'm looking at new tools. I go on GitHub. I'm looking for new offensive tools. I'm constantly looking at and researching and reading threat Intel reports and new malware analysis.
I'm looking at virus total. I'm going to. Net sec on reddit. Like I'm going to all of these places. Why? Because just like in any other job with the exception of maybe, I don't know, art, maybe, I don't know. And maybe I'm wrong on that. I'm not an artist. I can't speak. You as a practitioner will become obsolete very quickly.
And in order for you to continue with your career and move forward, you have to be very similar to how Neil and I agree on continuous validation and with continuous testing and continuous discontinuous that being proactive. You also have to be proactive in your career path, right? So you could be the very best sock analyst out there, or you could be the very best hacker you want to be, but you have to learn these techniques.
And by the way, it's not a one man show, right? Or one woman, one woman show. It is a team effort. So take advantage and work with people, network, meet folks in the community, start making friends like Elliot and Neil, right? Because any little conversation is going to spark a new path for you. So you have to be proactive in your, in your endeavors.
And that, that would apply to both the SOC folks on the defensive side and blue team. And it also applies to the red teamers. I think more to the red teamers because once they're, once there's new techniques, they're not aware of they're not going to be effective with the next engagement. So say heads up on that
Elliot: That is a fantastic answer. Definitely went a little more in depth than I was hoping for, which is even better.
Hector Monsegur: my bad
Elliot: No, no, no, no, that, that, that is what I'm hoping for.
Neal Dennis: thought you were going to tell him just to go read Hackers for Dummies or something. Mine's
Hector Monsegur: Why not
Elliot: yeah, no, meanwhile, I have like, I know one of Neil's answers is like, oh, yeah, just get like, one of these guys. And he's got like, two or three by now. It's like, yeah, just you know, go try to break into your garage or something. So that makes sense. See how that works out.
Neal Dennis: still in my backpack for my trip. I had to get out of the parking garage.
Hector Monsegur: There you go. Yeah, definitely hone your craft. Absolutely, you know, and it's one thing that I you know I tell folks a lot these days is that you know You have a lot of resources most of them are free if you want to learn like deep technical stuff I don't know this guy personally, but I watch his videos all the time.
It's second YouTube that guys He literally walks you step by step through each each VM that he's hacking into he's breaking into you know, that kind of knowledge is fantastic. You look at another YouTuber like LiveOverflow, right? He's pretty big, and what I like about him is that he explains concepts.
He breaks it down for you. He may, it may not be the same content as Ipsec, but with Ipsec, you're looking at the technical side. With LiveOverflow, you're looking at the concept side. Now you take both of that together. They're both free. They're both on YouTube. Make sure you give them a nice little like here and there when you appreciate the content.
And boom! Now you're learning a whole bunch of stuff that, that you didn't know the day before and then of course take advantage of ai man You know, you have access to bard and claude and chat gbt, you know Sometimes you don't have the time to sit there and read a whole book on a topic So you could summarize with chat gbt or similar just be careful with the with the bad answers You know, I mean you have to be aware and validate right emphasis on validating the results.
So
Elliot: I love it. I mean, I, if, if I could sum it up, you're a looping things back together on the continuous improvement. You got to do that for yourself just as well as you would for. Your job and what you're trying to secure or protect or harden. Beautiful. That's how we love to close it out. So Hector, thank you so much for giving us a little bit of background and context on to your history.
Again infamous, famous, hacktivist, however you would prefer. You know, we really appreciate you, you know, being so open. Obviously you have your own podcast that continues this conversation. Again, we highly encourage people to go and check that out. I feel like that's probably one of the better ones that are out there.
There are dozens and dozens of us out there now, but yeah, so I mean, y'all just break it down. Plus, you know, I don't know if your counterpart on that, was he one of the folks that kind of knocked on your door or?
Hector Monsegur: the man that knocked on my door and put the cuffs on me
Elliot: There it is. I mean,
Hector Monsegur: my life
Elliot: you don't get a dynamic like that somewhere else.
This, like, the real version of catch me if you can, which I guess that story isn't quite true. You know, if you want, like, something more honed in reality, there you go. Definitely check that one out. But actor, thank you so much for joining us. Really appreciate it.
Hector Monsegur: Yeah. Thank you gentlemen for having me It's been a pleasure and you know feel free to hit me up for a part two sometime I'll be glad to spend some time with you guys.
Neal Dennis: Definitely appreciate the memory lane, Hector, as well.
Hector Monsegur: Oh, yeah,
Elliot: Yeah, maybe I can maybe I can chase down Mark that you haven't yet had a conversation with and we can do a round 2. Cool. All right. That's it for AZT everyone. We will back next week. I don't know. Maybe we'll make this our season finale because it's pretty good. We'll see. All right. Maybe next episode.
Otherwise season 3. See you then. We'll figure it out. Bye.
AZT: From Hacktivist to White Hat Hacker. A Chat with LulzSec's Sabu.