Episode 1: Digital Jesus aka Matt Harrigan

About This Episode

Digital Jesus/o.0, aka Matt Harrigan, turned a telecommunication product release into a 0-day, tipped off drug dealers about government surveillance, skirted the crackdown of the U.S. Secret Service’s Operation Sundevil, and emerged as a founder and CEO of cybersecurity companies.

Transcript

Michael Schiffman:

Matthew Gordon Harrigan, a.k.a. o0, a.k.a. Digital Jesus, welcome to Warlocks.

Matt Harrigan:

How are you?

Michael Schiffman:

I’m doing great. How are you?

Matt Harrigan:

I’m doing fine.

Michael Schiffman:

Let’s talk about where you grew up, how you grew up.

Matt Harrigan:

Yeah, so I grew up in Del Mar, California right by the ocean. And back in the ’70s, it is a fairly affluent area now. Back then, I don’t know that it wasn’t affluent or was, but it was definitely more country-esque. We still had a bunch of dirt roads and there were chickens running around and stuff.

Michael Schiffman:

So you said you have half brothers, I assume they didn’t come along until later. So you were an only child for…

Matt Harrigan:

Until I was about 12. Yeah.

Michael Schiffman:

Okay. So then talk to me like middle school, high school. What was life like for you?

Matt Harrigan:

Middle school was, I went to Earl Warren where my mom worked. Always had a little bit of that hovering going on. We had some relatively famous people run through our school system including…

Michael Schiffman:

I remember you told me about this, some famous athletes.

Matt Harrigan:

Yeah, some famous athletes named John Lynch and went to the same high school I went to. And also Tony Hawk.

Michael Schiffman:

I think you also mentioned you were a bit of a latchkey kid, so let’s talk about what that was like in the ’80s and ’90s.

Matt Harrigan:

Well, so because my mom was working in the school district, I live with my mom most of the time. And this is back when, again, this is a little beach community. So the cops used to call it Snake Mountain because there was all these little windy roads. And unless you know the area, it’s really confusing. But I would ride the bus to school most of the time because my mom had to be there at 6:30 in the morning and didn’t get out of there until 4:30 in the afternoon. And I was supposed to be there at 7:45 until 2:30.

And so the timeframes just didn’t match up. So I’d take the bus in, but this is back when the bus system for the schools would just come within two blocks of your house and you just grab your little backpack and you’d walk down to…

Michael Schiffman:

Bus stop.

Matt Harrigan:

To the bus stop. And our bus stop had these two gigantic Great Danes that hung out in the yard next to the bus stop, I remember.

Michael Schiffman:

Two just giant dogs.

Matt Harrigan:

Enormous dogs, like scariest thing you’ve ever seen in your life if you’re this tall. But they were cool, but it was like, I just remember there were these enormous dogs. And then I’d get on the bus and we’d go to school and I’d come home. And Del Mar was such a safe place at that point that your parents didn’t really worry about anything. A lot of people will say, “Well, Gen-X parents didn’t worry about anything anyway.”

Michael Schiffman:

Both of those experiences match my own. I lived in a small town as well, so same experience.

Matt Harrigan:

But I remember never feeling like that was a problem. It was safe. It was super safe. And the only time anything weird around there would happen, everybody would instantly know about it. So we didn’t have any neighborhood creepers or anything like that.

So I would just come home, I’d get off the bus and there’d be a cabinet in the garage where the key would be. And I’d open that up and then open up our back door and then go in and I’d consume massive amounts of food, watch TV and go out and skate and surf with my friends. That’s what you’d do when you’d come home.

And then I’d stay out until probably 4:00, 4:30, come home, do homework, and then spend time with the family and goof around on the computer a little bit.

Michael Schiffman:

Well, let’s get to that in a second. What was your… Academically, how did you do in high school and such?

Matt Harrigan:

Okay. I mean, probably a little better than average. I always found it really boring. It was easy. Most classes were easy. I think I probably struggled with math a little bit early on, mostly because it wasn’t interesting, not because I found it difficult. It was just like, okay, yeah, I get it. It’s algebra.

Michael Schiffman:

It’s hard to see the real application of that at that point.

Matt Harrigan:

I just remember feeling like I wanted to take a nap during every class. It was like, this is the boring thing ever.

Michael Schiffman:

What interests you? Didn’t you have some other interests? Was this at high school that you…

Matt Harrigan:

Yeah, so I really, really fell in love with architecture. I really loved the idea of design, and I got super interested in that in probably eighth grade, and then ended up taking every drafting course that they had in high school. My teacher was this guy, Arne Ruskin, who was this kind of eccentric dude but really, really sharp like an actual architect. And so he would teach these classes at the high school.

I remember distinctly the way I learned architecture was by drafting, with a drafting arm on a giant table with a straight edge. And then I remember finding out that we were going to get these computers at the school that did this also. And I was like, okay, I like computers-

Michael Schiffman:

AutoCAD or something?

Matt Harrigan:

Yeah, it was AutoCAD. And I was like, oh my God, you can have a standardized wall size and not have to draw the wall yourself every single time, and you can literally cut and paste this thing all over the place. I could do 10 times the amount of work in half the time.

Michael Schiffman:

AutoCAD was Auto Computer Assisted Design, which was designed to… It’s this early software for, does it still exist? I don’t even know.

Matt Harrigan:

Oh, yeah. Yeah. There’s entire companies that are billion-dollar companies that make this stuff.

Michael Schiffman:

So, he’s okay. It’s been modernized. Is it design software for architecture and such?

Matt Harrigan:

Yep, yep. And there’s a bunch of consumer grade spinoffs of all these things. There’s a ton of software that does this stuff now.

Michael Schiffman:

And so at this point, you’re all in on architecture and loving it and thinking that this is, your career path is architect.

Matt Harrigan:

Yeah. So while I’m learning AutoCAD and enjoying myself doing that, you have school counselors and they’re trying to tell you what you should do career-wise. You tell them what you’re interested in. And I was like, “I really like music and I really like architecture.” And so then they showed me what a musician, like in a symphony, could make, and they showed me what an architect could make.

And I don’t know if you remember this or if you had this at all, but these counselors had these standard books of like, architect, $22,500 a year. And I asked my folks, I was like, “Is this a lot of money or how much money is this?” And they’re like, “That’s not very good money.” And I was like, oh, okay. Well maybe there’s something I could do that would make more money.

And then I kind of stopped thinking about it because I was 12 or 13 years old. I didn’t really give a shit about money at that point in my life.

Michael Schiffman:

So you were also interested in music at this point?

Matt Harrigan:

Yeah.

Michael Schiffman:

Talk about how you fell into that musical influences, what did you play an instrument and all of that.

Matt Harrigan:

So I started out playing the saxophone.

Michael Schiffman:

No kidding.

Matt Harrigan:

My parents, I don’t know if your parents did this, but they really wanted me to have a musical instrument and have that experience, as do I with my kids. My daughter plays piano. My son is producing electronic music on his iPad and laptop and stuff. And so they’re both super into it.

Michael Schiffman:

So we’re back in high school. You’re interested in music and architecture, and then this computer with AutoCAD showed up. Was this your toe-dipping into computing or you had a computer at home? Let’s talk about your first.

Matt Harrigan:

Yeah, we had a home computer at that point. I had a… We actually had two. I had a 286 that was a Kaypro. And then the school actually for whatever reason had a bunch of Tandys. They had TRS-80s.

Michael Schiffman:

Trash, Trash-80.

Matt Harrigan:

Yeah. And then we had a Commodore 64 and that Kaypro at the house. And I just remember thinking, okay, both of these things will run Basic commands.

Michael Schiffman:

Basic command, meaning?

Matt Harrigan:

Basic, the programming language.

Michael Schiffman:

The programming language called Basic, very early programming language.

Matt Harrigan:

Yeah. They were Basic shells. So in order to like…

Michael Schiffman:

The shell being an environment in a computer where you can type commands or in this case programming language primitives to make the computer do things.

Matt Harrigan:

Exactly.

Michael Schiffman:

So over to, you’ve got this Commodore 64 at your house, and you play video games on this?

Matt Harrigan:

Yeah. So the first sets of video games I had, I had Zork.

Michael Schiffman:

I remember this.

Matt Harrigan:

Yeah.

Michael Schiffman:

Zork was text-only, wasn’t it?

Matt Harrigan:

Yep, yep. And you’d be like, go right, go left, enter dungeon. And it understood a limited number of commands. It’s funny, I’ve been thinking about Zork a lot lately as a result of where we’re going with LLMs, large language models, and AI and yeah, just the idea of talking to the computer, typing to the computer and telling it where you want to go inside which room in the castle, right?

Michael Schiffman:

Yeah. I guess it’s a-

Matt Harrigan:

Open treasure.

Michael Schiffman:

That’s pretty incredible. I hadn’t made that connection, but if you could think 35, 40 years ago from Zork to where we’re at now with these LLMs, that’s crazy.

Matt Harrigan:

Then we got a modem.

Michael Schiffman:

And then we got a modem. And then modem is…

Matt Harrigan:

It was like the day everything changed.

Michael Schiffman:

Modem is the gateway drug.

Matt Harrigan:

It was like CompuServe, you could call up. AOL didn’t exist yet. None of that stuff was in existence.

Michael Schiffman:

And these roaming services could dial up with your modem and what they’d have.

Matt Harrigan:

It was sort of a really professional version of a BBS. It was like there’s this menu system and you could send email to other people on the system. It wasn’t like internet SMTP email, it was just notes between people who were on the service. I don’t know what the thing was that I connected to that allowed me to, I guess, realize that there were other BBS’s out there. It wasn’t like I connected to another BBS.

Michael Schiffman:

BBS being a bulletin board system.

Matt Harrigan:

Bulletin board system. I didn’t find one and then realize like, oh, this is a thing. Someone else had told me about this local BBS that I’m not even really remembering the name of right now. It was something corny, like the dungeon layer or something. And I was like, okay, cool. We’ll go check this out. And there’s other computer nerds on there.

And I remember thinking like, oh, well, if this CompuServe thing exists at the end of this phone number, and these guys exist at the end of this phone number, and there are 9,999 numbers per NPA NXX, right? Oh, there we go, definition time. What is that acronym? Network Prefix Address, NPA? Area code and prefix, right?

So the idea that in a given area, in a given area code, you’ll have various numbers of prefixes and then typically 9,999 numbers assigned to that particular prefix. So I remember thinking, okay, well you’ve got CompuServe over here and you’ve got this BBS over here. Let’s see what’s on all the rest of these things.

And while later in computer security land, the idea of war dialers became very common. And in fact, there’s some pretty famous ones.

Michael Schiffman:

And war dialer is?

Matt Harrigan:

A war dialer is a program that will systematically dial every phone number in a given area code and prefix to say, and then determine whether or not there’s a carrier, another modem on the other end of that number.

Michael Schiffman:

Did you find anything, any interesting systems that you were able to then manually investigate?

Matt Harrigan:

Yeah, this one I think you’ll find amusing. That’s how I discovered Unix. I had no idea what Unix operating systems were or anything. And I had this theory that certain people with certain names used weak passwords. And the one that I would always try first is Mike. So I would go, Mike, Mike, and dude, it was like 50%.

So my Mike, Mike trick worked on a bunch of different Unix machines that I found, and it turns out invariably like Mike is the sysadmin for the box too. So then it was pretty easy to get yourself root from there.

Michael Schiffman:

So I guess you said you had admin access here. Okay. So talk about what that was like.

Matt Harrigan:

So it was trippy to think that like, oh, I mean, you’re still sort of in this bewildered state of like, A, I’m connected to someone else’s computer, and B, I can do things on it that I probably shouldn’t be doing. But you kind of get this godlike sense of like, oh my God, I can do all this crazy stuff, and what other crazy stuff could I do? What other computers are there out there that I could learn about?

And that’s what it was really always about for me. It was like it wasn’t ever wanting to do something bad to someone else’s environment or to steal anything. It was more about, okay, I’m really interested in how computers work. And there’s obviously a bunch of these different operating systems that I have no other way of getting exposure to.

So that’s the only way that I could get into them, right, was by breaking into them and checking it out and learning about the differences between this kernel or this file system, or how does this particular program run differently in System V versus BSD? And so that’s how you start getting knowledge about how the world of computers works.

Michael Schiffman:

Being curious.

Matt Harrigan:

Yeah. I remember being really excited about the idea that I specifically remember Japan. I’m like, “There’s people in Japan I could send email to.” And so I remember just sending random people email just because I was excited about the idea that instantaneously I could make a letter appear in a guy’s computer in Japan. And so I established a random pen pal because I found this guy’s email address somewhere.

Michael Schiffman:

The information superhighway was truly transformative.

Matt Harrigan:

It was pretty wild. And then at some point, I discovered IRC.

Michael Schiffman:

IRC, internet relay chat as I like to compare it to with Slack without graphics or anything else.

Matt Harrigan:

Yep. We call Slack advanced IRC.

Michael Schiffman:

Do you remember how old you were at this point? You’re in high school at this point?

Matt Harrigan:

Yeah, at this point I’m in high school. I don’t remember what the first channel that I joined was, but I remember being really interested in the idea. I don’t think I was even calling it hacking at that point. I think it was just like, how do you even find other people who are interested in the security of computers? And I stumbled across somebody in some channel that was like, oh, you need to join #Hack. And I was like, okay.

Michael Schiffman:

Channels are chat rooms in this case. I have a really important question for you. At the time, most people adopted pseudonyms, nom de plumes. At this point, what did you call yourself?

Matt Harrigan:

Well, so I didn’t have a handle up until probably, I guess it would’ve been late senior, the summer of my senior year of high school, beginning of my freshman year of college in that timeframe.

Michael Schiffman:

Okay. So you adopted the o0 or Digital Jesus later on?

Matt Harrigan:

Well, so the Digital Jesus thing came in. So what happened was I was sitting around, yeah, it would’ve had to have been that summer, sitting around with my buddy Mike.

Michael Schiffman:

Not this Mike?

Matt Harrigan:

Different Mike, we would meet years later. But sitting around with him and we were just sort of talking the philosophy of computer networking and what the future would hold. And I was like, he had, I don’t remember what his specific view was but my view was very open internet. This should be for all the people. And I started making a lot of hand gestures. He goes, “You’re like a Digital Jesus.” I was like, “Yeah.” He goes, “That’s your new nickname.” And so I guess it sort of stuck and went by that for a number of years.

Michael Schiffman:

When I met you, it wasn’t DJ, it was something else.

Matt Harrigan:

O0.

Michael Schiffman:

Yeah. And how to… Talk about the history of o0.

Matt Harrigan:

Well, so there’s two aspects to that. So during the timeframe when a lot of people were going to jail for doing technically what are computer crimes was the timeframe in which I had the Digital Jesus handle. And later on, you want to distance yourself from that sort of stuff as much as possible when you see a bunch of your friends go to prison. So you make a decision to change your online identity and become something else.

And I was like, and I remember just being sort of bored and frustrated and lazy. And I was like, okay, I’m going to call myself something else. And I was sort of doing this on the keyboard and that was like o0. And they were right next to each other, so I just went, “O0 joined #Hack,” and that was it. I was like o0 from then on out.

Michael Schiffman:

In prep for this, you pulled up one of your ancient little computers and found just gobs and gobs of old IRC chat logs, which I am like…

Matt Harrigan:

Mortified to see?

Michael Schiffman:

Perhaps. I expect a fair amount of cringe-worthy.

Matt Harrigan:

Yeah. There’s some very cringey material in there.

Michael Schiffman:

But I can’t wait to see this amazing sort of archeological gem that you’re going to excavate and share with us.

Matt Harrigan:

Yeah, I think it’s going to be good.

Michael Schiffman:

Some 25-year-old IRC logs sounds super fun.

Matt Harrigan:

But eventually you start having conversations, or at least this is how it was for me. I started having conversations with people in DMs about things that I was interested in like, “Oh, I think I found an exploit for BSD Tahoe,” or whatever operating system that you were looking at at the time. And so then I always found that if you sort of offered something up, people would typically reciprocate. They’d be like, oh, well check this out. I got this thing for this other operating system.

Michael Schiffman:

Quid pro quo was a big deal back in those days. Yeah.

Matt Harrigan:

Well, it was the first way pre-open disclosure, the whole idea of having vulnerabilities and exploits become public domain. Early on there was the opposite.

Michael Schiffman:

So let’s back up for a second. So some of the most sought-after things in the hacking scene were exploits.

Matt Harrigan:

New bugs, yeah.

Michael Schiffman:

So one thing is to have the vulnerability. Another thing entirely is to know. For example, there’s a service on a Unix machine that might serve web pages or email or some other service, because Unix is very service oriented. People would discover a vulnerability on that, that if exploited properly would give elevated privileges. In other words, you could go from an unprivileged user to one that can actually read everybody’s files on the machine or something to that ilk.

And so that’s what an exploit, in this case, these were weaponized and still to this modern day as the so-called 0-day. In other words, unreleased, effectively unknown exploits that aren’t patched are incredibly valuable.

Matt Harrigan:

Some of them are worth millions of dollars.

Michael Schiffman:

A hundred percent. There’s a huge black market, gray market even. The US government will buy these.

Matt Harrigan:

Yeah. One that stands out in my mind is it had this thing, this whole idea of a system administrative module where one computer could control a cluster of other computers. So with the SAM thing, you would tell the main one-

Michael Schiffman:

SAM thing?

Matt Harrigan:

SAM, system administrative module, I think is what it was called.

Michael Schiffman:

Okay.

Matt Harrigan:

You would tell it, “Okay, here are the IP addresses of the eight other computers that I want in this cluster.” And it would go, “Okay,” and it would connect to each one. It would say “Enter the root password.” So it would enter the root password once, and then it would go create a secondary UID 0, another root account.

Michael Schiffman:

Another privileged account? Root being the most privileged account on the Unix machine?

Matt Harrigan:

Yep, and it would create this account called SAM_exec. And then it would provide an encrypted password for each of those computers that the master one was to control. And I was like, “I bet you we could crack that password.” And so I ran it through… It was a dictionary attack, right?

Michael Schiffman:

Brute force dictionary attack where you have a whole list of English words and then you basically encrypt those-

Matt Harrigan:

Yep.

Michael Schiffman:

… and compare them against-

Matt Harrigan:

Exactly.

Michael Schiffman:

So these were probably ones that weren’t salted?

Matt Harrigan:

Yeah, no.

Michael Schiffman:

Salt being a way to randomize the encryption such that you can’t do a dictionary attack very easily.

Matt Harrigan:

Right. So again, this infrastructure is named SAM, this administrative infrastructure. And the password that it assigned to every single root account that it created on all those other machines is capital Yosemite, right?

Michael Schiffman:

Yosemite Sam?

Matt Harrigan:

Yosemite Sam.

Michael Schiffman:

Wow, you just triggered some ancient memory in my brain of, I remember coming… At some point you moved up to San Francisco Bay Area, which is not far from where I was living at the time, and I have some vague memory of coming to your house, I think. And you had an HPUX machine or-

Matt Harrigan:

Yep, I had a whole rack of SPARCstations and HPUX 7-15, 7-20s.

Michael Schiffman:

I have a memory of that. And Yosemite Sam is also somewhere in my brain somewhere adjacent to this. Wow, that’s interesting.

Matt Harrigan:

I probably demoed the bug.

Michael Schiffman:

Yeah, maybe that was it.

Matt Harrigan:

Those machines were so cool. It was like a RISC-based architecture. And so that, I think, became one of my first posts to Bugtraq, actually.

Michael Schiffman:

Bugtraq was the-

Matt Harrigan:

Yeah, it was a mailing list that most of the people we knew at the time were on, anyone who was interested in computer security. And people would exchange their thoughts on different security vulnerabilities.

Michael Schiffman:

It was a way to do open disclosure of vulnerabilities, and it was the responsible disclosure route that we had available to us at the time.

Matt Harrigan:

Right. And I remember being nervous about bringing this up because at this point, a bunch of the vendors, including HP, were already on there. And I posted, I was like, “Does anybody know anything about this SAM exec issue that goes on here with HPUX?” And I alluded to the problem, and then Elias actually stepped in.

Michael Schiffman:

Elias Levy, who was the moderator for Bugtraq and also well-known as Aleph One.

Matt Harrigan:

Yep. He stepped in. He’s like, “Harrigan, remember this is an open disclosure list. Drop your exploit.” And I was like, “Okay.” So I put it on there and a lot of people were really interested in it and it did not make HP very happy. And that’s the first time I remember thinking to myself, “Oh, there probably needs to be a more responsible way of doing this than just disclosing it to all of your hacker friends without talking to anyone.” And at that point in time, there was no roadmap for that. No one had done this before. So there wasn’t the idea that, “Oh, yeah, the responsible thing to do is to go to the security contact at HP or Sun or whoever, the vendor,” and then work it out so that you don’t jeopardize their situation. It was just like, “Oh, this is security research, let’s just throw it on the list.”

And they weren’t super excited about that idea. And I remember one dude got really upset and I was like, “Hey, well, how do you want to do this on a go-forward basis? Because I guarantee you I’m going to find more bugs.” And he’s like, “Okay, well, let’s work it out.” And so conversations like that eventually became the general public policy about disclosure and how you responsibly disclose bugs in unison with the vendor. And now there’s entire companies that do this like Bugcrowd and all of those.

Michael Schiffman:

And there are bug bounty programs now where companies just invite people to break in and find exploits and they pay them money for it.

Matt Harrigan:

Yep, yep.

Michael Schiffman:

Very above board.

Matt Harrigan:

And the government even has their own, as you mentioned previously.

Michael Schiffman:

Sure, yeah. Some of our friends have done a lot of work there. So what were some of the folks early on that you met in the hacking scene?

Matt Harrigan:

I’m trying to remember the first person that I met in person. Well, the very first person that I met in person would’ve probably been either Jeremy Jackson “Kluge” or John Bosanac “Gatsby”.

Michael Schiffman:

And Kluge and you were on a cover of a Forbes article?

Matt Harrigan:

We were.

Michael Schiffman:

That would come clearly later. I think that was what, when did that?

Matt Harrigan:

’96.

Michael Schiffman:

’96?

Matt Harrigan:

Yeah.

Michael Schiffman:

And so if I recall correctly, Gatsby was a pretty close friend, early influence for you?

Matt Harrigan:

Yeah. In the, I want to say… So we met through my friend Ian, who was a coffee shop buddy. And I was telling him about some of my computer security thoughts and stuff. He’s a really smart guy, so he got it. We ended up working at SAIC together on some of the first web stuff.

Michael Schiffman:

SAIC?

Matt Harrigan:

Yeah, Science Applications International Corporation, which was previously headquartered in San Diego.

Michael Schiffman:

Yeah, they were.

Matt Harrigan:

And I think they’re in Virginia now. But there’s still a massive campus there where I used to go every day and I worked in the information technology lab with Ian. And everybody was trying to understand this new thing called the web and what is it? How does it work? How do you-

Michael Schiffman:

So this would’ve been mid ’90s, maybe?

Matt Harrigan:

Yeah, that sounds right. Maybe ’93, ’94.

Michael Schiffman:

Yeah, I think officially the web sort of dropped around ’94-ish, I want to say, without… Someone else can fact check me, but I think that was approximately when.

Matt Harrigan:

That sounds right. So we were in there working on this stuff together, and I remember then that’s one of the places I had access to all of these machines. So we had a DGUX machine. There’s a bunch of stuff in the data center that you could get accounts on. I had accounts on the corporate VAX. We had an actual VAX where most people would read their email. So I brought the logs from the war dialer that I was using at the time, because I think I had discovered ToneLoc at this point.

Michael Schiffman:

ToneLoc was a very well-known war dialing tool from that era.

Matt Harrigan:

Yeah, which worked way better than the one I wrote. A million times better.

Michael Schiffman:

It was pretty far along software.

Matt Harrigan:

It was really robust for a couple of guys just hacking it together. And so I was like, “Hey, have you been war dialing the area?” He is like, “Yeah, here’s all my logs.” And I brought my logs and we compared notes. And I was like, “Hey, what’s this one?” He goes, “Don’t touch that one.” I was like, “Well, what does it do?” He’s like, “Well, it’s a dial-up to this thing called POSNP.” I think that’s what it was. PAD operated switch network protocol? It was a PAD system, which is basically a different kind of networking, X.25 networking, which would allow you to connect to one thing only for the purpose of connecting to a specific set of other things over the-

Michael Schiffman:

So the internet speaks TCP/IP, which is the full stack, this protocol suite. And you’re talking, this is a different protocol suite entirely?

Matt Harrigan:

Yeah, it’s a different protocol suite. And it had a singular function, which is… A PAD’s job is to connect to another PAD and allow you to execute commands on a terminal for the singular computer that is on that PAD.

Michael Schiffman:

And the computer was?

Matt Harrigan:

And that computer in that case was the local 5E switch, which is-

Michael Schiffman:

Phone switch?

Matt Harrigan:

Yeah, that controlled all of the numbers that I had previously dialed.

Michael Schiffman:

Okay. So is this the Phone Masters? Are we… Segue into that?

Matt Harrigan:

That was my entrance into that world of things and I learned a lot from John about-

Michael Schiffman:

Can you talk about what Phone Masters was and go into that?

Matt Harrigan:

Yeah, so there were a lot of… The previous well-known groups in the space were LOD and MOD, right?

Michael Schiffman:

Hacking groups?

Matt Harrigan:

Hacking groups. And a lot of those guys knew each other and still do. And so Phone Masters was a collection of people from both sides of that fence. So you had Tabis, you had John, who was never really either an LOD or MOD guy.

Michael Schiffman:

John Lee?

Matt Harrigan:

No, John Bosanac “Gatsby”. So we were one generation past what these guys had done.

Michael Schiffman:

Right. They’d started in the mid ’80s, I think, LOD and MOD? And they didn’t always get along.

Matt Harrigan:

No, there’s still, I think, some animosity there between certain people. Some of it very understandable. But there were some people from MOD involved and some people from LOD involved, and then a couple of people I had never met.

Michael Schiffman:

And they gathered under this banner from these different groups to do what?

Matt Harrigan:

Well, so we never ever called ourselves the Phone Masters. That is a term that the FBI came up with.

Michael Schiffman:

Interesting. So the FBI got involved?

Matt Harrigan:

The FBI was heavily involved. The term that we used to describe our little band of merrymakers was “The Loop”. And the reason that we use that term is the way that we would host conference calls was by essentially establishing a loop on a phone switch, which is, if you’re not familiar with what a loop is, there’s basically, you can call one phone number and you can call another phone number and they connect in the middle. So that’s how we would do conference calls because it was essentially undetectable and it didn’t have a bill rate associated with it. As long as you had control of a switch somewhere, you could just establish one.

Michael Schiffman:

And oftentimes you’d set up these bridges just to bullshit on the phone, right?

Matt Harrigan:

Yeah.

Michael Schiffman:

It wasn’t necessarily for planning purposes for any nefarious deeds. It was just to talk and hang out.

Matt Harrigan:

Chatty teenagers, yeah. Like, “Hey man, what are you doing?” And then of course, people would get on and start toning and stuff and being annoying. So I would say that the way that that started out was, okay, there’s a bunch of dudes who are really interested in phone switches and telecom infrastructure in general. And so we all got together… And the thing that I was most interested in was, again, hearkening back to UNIX operating systems, some of these switches have basic, they’re underpinned by UNIX fundamentals. So there’s a kernel and there’s this thing called DMERT, which controls all the upper layer functions of 5E, right?

Michael Schiffman:

We should probably mention that operating system kernel is the most privileged part of the operating system itself, where the most privileged code runs.

Matt Harrigan:

Yeah. And so I always wanted to understand more about how that part of those computer systems ran, because it did some really interesting stuff with hardware. This is the thing that’s responsible. It loads all these different modules, and some of the modules control the actual electronic switching of different sets of wires. Some of them control the feature sets that go onto a specific account onto your subscriber line, like 619-755-3000. Whoever owns that phone number now has access to these services on that phone.

Michael Schiffman:

Like voicemail or call waiting or something like that?

Matt Harrigan:

Yeah, call waiting, caller ID. In fact, that’s how I discovered that caller ID was going to be a feature set that was eventually to be released on Pac Bell, was I saw it on a switch and I was like, “What is this?” And so we had the giant 5E manual. I swear this thing is this big.

Michael Schiffman:

I remember that.

Matt Harrigan:

And so we go and look it up and we’re like, “Oh, caller ID.” That’s basically ANI or automatic number identification for consumer grade folks, and they were going to release it that summer. And so we were like, “Well, let’s release it now.” So we turned on caller ID on a line that we had set up that went to someone’s house. I don’t remember exactly where. But then we found it had already been turned on on the East Coast. I want to say either or maybe it was Southwestern [inaudible 00:38:35].

Michael Schiffman:

Wouldn’t you need a phone that supports it, though, in order to actually see?

Matt Harrigan:

You needed the little box that-

Michael Schiffman:

There was a box in the beginning-

Matt Harrigan:

Yeah.

Michael Schiffman:

… before they built it into the phones.

Matt Harrigan:

It looked like a pager.

Michael Schiffman:

Yeah.

Matt Harrigan:

And you would plug your phone into the back of that and then plug that back into the wall.

Michael Schiffman:

Yeah, it sat in serial position, in front of the phone and the-

Matt Harrigan:

Yeah, so we turned that on and I was like, “Okay, let’s see if we can see who’s calling,” and it totally worked.

Michael Schiffman:

That’s crazy.

Matt Harrigan:

I was like, “Oh, this is insane.”

Michael Schiffman:

Wow. So you pre-released… It was a zero day, as it were?

Matt Harrigan:

Yeah.

Michael Schiffman:

You pre-released caller ID? That’s fun.

Matt Harrigan:

Yeah. And that’s the other fun thing that you could do… And again, when you think about this stuff and you think about computer hackers now, it’s nation-state stuff, it’s crime, it’s all this stuff that’s terrible in nature that you-

Michael Schiffman:

Typically in pursuit of some objective that is not, “Hey, let me see if this works.”

Matt Harrigan:

Right. It’s about either harming someone or something or stealing something. That’s, generally speaking, why people commit crimes. But while what we were doing was technically illegal at the time, nobody had any of those objectives as far as I knew, except for one guy eventually. And he found out the hard way that that’s probably not the thing to do.

Michael Schiffman:

Yeah. So let’s talk about your… You mentioned that the FBI got involved? [inaudible 00:40:05].

Matt Harrigan:

I still think that the Phone Masters, The Loop, I still think that was probably the most prolific group of people that I ever saw participate in any of this stuff.

Michael Schiffman:

Below-board type activities that were considered illegal at the time?

Matt Harrigan:

There’s certainly been people who have more notoriety for doing hacking stuff. Obviously Mitnick did a bunch of stuff.

Michael Schiffman:

Kevin Mitnick, yeah.

Matt Harrigan:

But the depth and the level of access that this group of people had was absolutely insane.

Michael Schiffman:

What are you comfortable talking about with this depth in the [inaudible 00:40:43]?

Matt Harrigan:

I’ll just say that we’ve talked about 5Es and 1As-

Michael Schiffman:

These various switches?

Matt Harrigan:

These various switches. There’s 4Es that are long-distance routing switches. There’s DMS-100s. There’s an entire ecosystem of gigantic hardware that controls, or controlled it at some point, a hundred percent of the physical infrastructure that the internet and every other communication service relied upon.

Michael Schiffman:

Right, because it was all over the phone lines at some… Early on, sure.

Matt Harrigan:

So even the fiber switches that control and the things that connect to microwave towers to get across canyons, all of that stuff is controlled by this infrastructure. It’s literally, if you think about, if you use the super highway metaphor. And there’s the cars that ride on the highway, and then there’s the asphalt that the highway is comprised of, this is the dirt that the asphalt sits on so that the cars can go. So this is the earth.

And once you step back and you realize that you literally have control over everything pretty much worldwide. On a phone line, you have tip and ring. Ring carries the electrical signal that makes your phone ring. Tip is what carries the voice or the data that’s being represented as sound. And so we just figured out a way to capture… If you had a number that you were interested in, you could just take it over like it was nothing.

Michael Schiffman:

And neither side of the conversation would have any way of detecting this?

Matt Harrigan:

No, it is impossible to detect.

Michael Schiffman:

Yeah.

Matt Harrigan:

In fact, in order to bust people in that group doing those things, I believe this is public knowledge, the FBI had to develop a specific box that they put in the central office.

Michael Schiffman:

Central phone office?

Matt Harrigan:

In the central phone office. And I don’t remember which one it ended up going in, but it was there to capture outgoing calls being used by people in Phone Masters to connect to remote systems. So they had, could see… It was a reverse version of what we had built. And I think it was a custom development. I want to say they spent 80 grand on it and then it got wet. They left it in the central office and it got wet.

Michael Schiffman:

Physically got wet?

Matt Harrigan:

Physically got wet, and they had to build a new one because it fried. We would reroute the 800 number for Pizza Hut to our conference call line and end up taking pizza orders and stupid stuff like that, but just clowning around.

And then I think what brought the whole thing down was one person in particular in the group decided that they were… Man, I don’t know that that’s even public knowledge. That they were going to sell data that it is impossible to obtain unless you are in federal law enforcement. And that, in conjunction with some other decisions that were made about what to do when some of the… We had, I don’t know, a three-week running conference call that got billed to a random person that somebody picked out of the phone book.

And those two things, one caused like AT&T’s fraud division to obviously get their hackles up, rightfully so. And the other thing caused federal law enforcement to become really interested. And then those two sets of people talked. And I think that’s what brought down that group.

The interesting thing about that entire set of people is that with all of this power and all of this knowledge for months and months and months, maybe even more than a year, no one ever thought to look up whether or not there were taps on anybody’s phone in the group.

Michael Schiffman:

Because you had the ability to do that at that time?

Matt Harrigan:

Right. And then it occurred to someone like, “Hey, maybe we should take a look.” And yeah, pretty much everybody.

Michael Schiffman:

Were any of your friends getting busted at this point? Or had you known anyone that got raided?

Matt Harrigan:

Sundevil had just happened.

Michael Schiffman:

Operation Sundevil?

Matt Harrigan:

Yeah.

Michael Schiffman:

You want to talk about that for a little bit? Just to-

Matt Harrigan:

I wasn’t involved in Sun. The only involvement I ever had in Sundevil was heckling Gail Thackeray at DEF CON 2 or whatever, whenever that was… But who I’ve spoken to since, and she’s a very nice person.

Michael Schiffman:

Okay. So Operation Sundevil is fresh in your mind, where there was a-

Matt Harrigan:

So yeah, a bunch of people went to jail.

Michael Schiffman:

Sure.

Matt Harrigan:

And I just remember thinking to myself, “I need to extract from this.” I’m super, having a great time, having a bunch of fun, doing the kinds of… I considered it research. And I remember thinking, “This is going to come to an end one way or the other.”

So you either have the choice to end it yourself and be responsible for your own future or someone else is going to make that decision for you in an unpleasant way. The federal government always wins. That’s the thing you have to remember. They have an unlimited amount of money and an unlimited amount of time and an unlimited amount of resources. You do not.

Michael Schiffman:

Yeah. You get on the other end of that, it’s not going to go well.

Matt Harrigan:

Right. And then I had that quick conversation, ended with, “Dump everything.” And I went, “Okay, well, I guess it’s that. Now’s the moment.” And you see in movies, everybody’s got thermite attached to their, all this crazy… No. We had a computer and we took the computer with the hard drive in it, and we took the hard drive out. And then we took the other stuff out and you smash it into little pieces and you put it in a garbage bag. And then I am a person who grew up surfing, so I have a great amount of respect for the ocean. Other people in that group, not so much. So I have it on good authority that there is a hefty bag filled with computer parts at the bottom of the ocean for some other things that went on. I mean, the depth and breadth of the stuff that they had was enormous, and some of them chose to hold onto those things and even were able to, if I am not mistaken, used them in negotiations, like entire PGP encrypted disks, able to use those in negotiations for reduced sentencing.

Michael Schiffman:

So in other words, the people that didn’t get rid of all of this stuff and didn’t stop doing what they were doing got busted, and then they were able to leverage some of the artifacts they had to reduce their sentences.

Matt Harrigan:

Yeah. They did a simultaneous timed raid on, I want to say, at least four different people, all at 7:30 in the morning. I think in John’s case it was funny. He lives in this gated community and there was a standoff with the security and the FBI at the front gate.

Michael Schiffman:

Wow.

Matt Harrigan:

And they’re like, “You’re not coming in.” “We’re coming in.” He was laughing about it. He was like, “They had a hard time getting to my house.” Yeah, but they came in fully armed in tactical gear and the whole thing, with the yellow jackets and all that.

Michael Schiffman:

As they do. So you did not get raided?

Matt Harrigan:

I did not get raided. I had a couple of interesting meetings where I was-

Michael Schiffman:

Did the FBI, they did pick you up and question you?

Matt Harrigan:

Yeah, yeah. Well, one thing I would say to anyone who ever ends up in this situation, I’ve had to speak to the FBI multiple times. Usually at this point in my career, I’ve run many security companies, and generally speaking, when I’m talking to the FBI it’s to assist them with some actual computer crime that’s going on. Back then, when you’re the subject of an investigation, every lawyer on the planet will tell you, you say one thing and one thing only, “This is my lawyer’s business card.”

Michael Schiffman:

Yeah, get me my lawyer.

Matt Harrigan:

There’s no reason for anyone to speak to law enforcement without their lawyer present.

Michael Schiffman:

Sure. They would prefer the other way.

Matt Harrigan:

Best advice I ever got from anybody.

Michael Schiffman:

Yeah. But they would certainly prefer that you did.

Matt Harrigan:

Yeah, of course. Even if you think you’re being helpful in that conversation, the odds are you’re going to do nothing but hurt your own situation so you just have to make sure to take care of number one first. So, yeah, I don’t talk to law enforcement without a lawyer present ever.

Michael Schiffman:

Sure.

Matt Harrigan:

Which generally what the result of that is, is that they won’t want to talk to you. They just drop it. There’s only been two instances in my life where that’s been a requirement. The first one was The Loop/Phone Masters, and the second one was with Max.

Michael Schiffman:

We’ll get to that. So we were out the other night, you said something about a van?

Matt Harrigan:

Oh, yeah, yeah, the fraud van. So one of the people in the group, who I’ll let him tell his own story, was the guy who designed the mod for the phone, the OKI 900 phone.

Michael Schiffman:

OKI 900. This was a very modifiable cell phone, if I remember correctly, from the mid-

Matt Harrigan:

Well, it wasn’t designed to be modifiable.

Michael Schiffman:

But it was modified by a lot of our contemporaries.

Matt Harrigan:

Yeah. I think the key vulnerability it had, if I remember correctly, is one of the EEPROMs that was in the phone was supposed to be readable only, but became read-writable. And so you could do all kinds of stuff with this phone, essentially rewrite the firmware for the phone, which is exactly what this person did, and developed a mod where this thing could literally stay on the same voice channel but continually tumble the serial numbers that it was reporting into the cell tower and into the system.

Michael Schiffman:

Just make it hard to track the phone call.

Matt Harrigan:

Made it impossible. So there’s no way, other than using direct RF triangulation, which is almost impossible to do to a moving target, there’s no other way to determine where someone is who’s doing this thing. So the guy who wrote this stuff, I still think he’s one of the smartest dudes I’ve ever met, and we used to cruise around town and look for interesting things near telephone company facilities. You’re no stranger to the idea of trashing, right?

Michael Schiffman:

Sure.

Matt Harrigan:

I think I even have some footage of Mudge diving in a dumpster.

Michael Schiffman:

So this is the idea of going to a place, a business that you’re interested in that might have some fun stuff, and looking through their garbage.

Matt Harrigan:

Yeah. And usually it was dot matrix printouts. So these long spools of things that are going on inside the phone company. Sometimes there’d be a username handwritten on there, a password scribbled, or sometimes it’d just be in the documentation. And a lot of the documentation that we got for… You couldn’t just order up a 5E manual back then. A lot of times you’d have to go trash one. And so they’d have multiple copies of these things that were provided by Bellcore, or whoever was doing the docs at that point, and so you’d just grab one out of the trash. A lot of the stuff that would teach you about the systems that were inside the building. So a 5E manual, here’s a 1A manual, here’s a DMS manual, GTD-5.

Michael Schiffman:

All these different phone infrastructures.

Matt Harrigan:

Yeah, all these different switches and computers that control them, so you’d pull this stuff out of the trash. And then it turns out this is actually in a 2600 article that I went back to reread recently because I knew we were going to do this. And I was like, I have this faint memory of this person who wrote this article suggesting that there’s a phone number that you could call to just straight order the manuals and no one on the other end of the line will check to see whether you work for the telco or not. And I was like, did that really happen or did I imagine that? I went back and read it and it was this article in 2600 by Firm Grasp, which is just all about hacking the 5E. And it’s like, yeah, if you ever want to learn more than I’m teaching you here in this article, just call this number and order the manual.

And turns out you can also call those same people, and I still can’t believe this, you can call those same people and order on microfiche a copy of the source code for the 5E switch which someone actually had in their possession.

Michael Schiffman:

That’s incredible. Wow.

Matt Harrigan:

And I was just like, I can’t believe you have this. It’s insane.

Michael Schiffman:

It is.

Matt Harrigan:

So if you ever needed, you didn’t really need to go discover vulnerabilities on the 5E because it was inherently vulnerable.

Michael Schiffman:

Winter inside the walled garden, yeah.

Matt Harrigan:

Right. But during the course of finding these manuals and whatnot, you’re diving through dumpsters or you’re looking around the general area. There was this building in San Diego that was one of the main cellular central offices, or it might’ve been a thing called RCMAC, which is the recent change in memory administration center, which is where they make changes to the switches. And we were cruising around in there and in the parking garage we pulled over and saw it was like the van of Doom. I’ve never seen, still to this day, I’ve never seen anything like it, other than maybe what some of the Ninja network guys did with building their own phone networks or whatever. But this van had the passenger seat was out and there was a full size PC tower, like a 486 DX2, with a gigantic monitor, and then the entire back half of this van had physical data center racks in it.

So with computers that I have no idea what these things do, they’re super highly specialized cellular telephone computer things, and I’ve never even heard of any of these brands, and then on the roof of this van there’s like 60 antennas. So this thing’s job, to the best that we could tell, is to drive around looking for people doing the exact things that we were doing, like cellular telephone fraud. There’d be no other purpose of this van other than to triangulate something. None of this equipment looked like basic diagnostic stuff. This thing was purpose-built to go hunt things. It was very clear that there must’ve been $1 million worth of gear in this van.

Michael Schiffman:

Wow.

Matt Harrigan:

And so that’s when the person I was with and I looked at each other and we’re like, we probably shouldn’t hang out near this thing too much longer.

Michael Schiffman:

It sounds like that’s another good canary in a coal mine for you guys.

Matt Harrigan:

Yeah. And so that’s the point in time when you start thinking about your hacker mortality. The notion that you’re probably not invincible, there had been plenty of stories of people getting busted at this point, and then evaluating whether or not this is something that you want to continue to do, and whether you’re getting anything out of it other than the coolness factor.

Michael Schiffman:

Yeah, the pursuit of knowledge only goes so far, I guess, to the point to where you have to worry about your actual liberty.

Matt Harrigan:

Yeah.

Michael Schiffman:

One other thing I wanted to ask you about, you mentioned this to me recently. We were talking about phone taps earlier, but you guys went to look for, when you had the access, you went to look for other phones that had taps on them. What was that about?

Matt Harrigan:

So just curious which of these individual lines were flagged for call logging, which is basically the idea of presenting a list of data for each of these phone numbers about what they did, who called them, who they called, what happened? And we found a bank of them that were pagers, and so it was super weird that we’re like, well, why would pagers be tapped? Oh, right, who uses them?

Michael Schiffman:

Still in the 90s.

Matt Harrigan:

This is in the 90s, right.

Michael Schiffman:

Phone pagers that were tapped.

Matt Harrigan:

Yeah. And these were just regular POCSAG pagers. They weren’t even alpha pagers.

Michael Schiffman:

POCSAG?

Matt Harrigan:

POCSAG. I don’t know. What does POCSAG stand for?

Michael Schiffman:

I don’t remember the acronym, but you can just-

Matt Harrigan:

It’s the protocol that basically is used for wireless transmission of…

Michael Schiffman:

For just alphanumerics, right?

Matt Harrigan:

Yeah, it does alphanumerics, but mostly it was used for numerics.

Michael Schiffman:

Okay.

Matt Harrigan:

Yeah. So there’s this bank of pagers and we’re like, well, why would anybody tap a bank of pagers? Oh, right. Who uses pagers? Drug dealers.

Michael Schiffman:

Sure.

Matt Harrigan:

So we thought it would be funny to call a couple of these dudes, to page them to our conference line and be like, “Hey, what’s up?” And a lot of times what they’ll do is you talk to these guys and they’ll be like, “Oh, yeah. I have a construction company,” or I have this or that. I’d go, “Okay, well, I don’t know if you’re aware of this, but law enforcement is keeping track of everybody that pages you. So good luck with your 2x4s, or whatever it is that you do. That’s a thing.” So we tipped a couple of these guys off. They’re like, “Thanks, man.”

Michael Schiffman:

Wow.

Matt Harrigan:

Yeah.

Michael Schiffman:

So a lot of your friends have gotten busted at this point, and you’re looking around and trying to figure out what’s next for you. So what was going through your head at this point?

Matt Harrigan:

So I remember I was sitting there on, I even remember the laptop I had at the time, it was a white Toshiba. The big cool thing about this laptop was it was a color screen. Do you remember when we went to color screens from monochrome on laptop?

Michael Schiffman:

Yeah, sure.

Matt Harrigan:

So I was super excited about that. And I remember I was running a really early version of Linux, maybe the first version of Slackware or something on it. And I had four different terminal windows open, and I had four Fortune 500s up on my screen.

Michael Schiffman:

Meaning that you had privileged access.

Matt Harrigan:

Administrative access.

Michael Schiffman:

Privileged access to computers owned by these various companies.

Matt Harrigan:

Right. And I just remember thinking to myself two things. One, this is definitely going to cause a problem sooner or later for me personally, and two is these companies have a lot of money and they have a problem. Well, the fundamental tenet of business is if you can solve somebody’s problem for them they’ll give you some of the money. So that’s when I thought to myself, okay, well, I’ll start a consulting agency for dealing with this problem, and that’s how MCR was born.

Michael Schiffman:

MCR, your first company you started.

Matt Harrigan:

Yeah. There was no security industry, it didn’t exist. The term penetration testing was by and large used by the military.

Michael Schiffman:

Mm, that’s right.

Matt Harrigan:

And it didn’t necessarily even always refer to computer security. Penetration testing in the Army Corps of Engineers is a term that deals with how hard is the sediment? What does it take to brush through it? It’s a different term in different facets of life at this point in time for a bunch of different people. And so ethical hacking, pen testing, none of this stuff existed.

Michael Schiffman:

So you left Cisco.

Matt Harrigan:

I left Cisco.

Michael Schiffman:

And MCR started swinging. You started hiring people.

Matt Harrigan:

So I had this idea we can aggregate all these logs. We can understand what’s going on on firewalls. We’re going to need a system to manage that and to display it and to categorize and prioritize things. And then we built the first SIM, right? I was pitching this idea to you and I was like, “Dude, we could build this thing.” I’m like, “You write good C, right?” Some of this will be in C. A lot of the lighter weight languages weren’t even around yet. So, I mean, Perl existed, but it wasn’t really like…

Michael Schiffman:

Python wasn’t a thing at that point. At least-

Matt Harrigan:

Python wasn’t a thing. PHP was out, but there were bits and pieces of this that you could build, and I think we ended up building it in Java. I actually have screenshots of the original MCR SecureOne that you built, where-

Michael Schiffman:

The code I wrote was in C. I remember some of this.

Matt Harrigan:

Was it?

Michael Schiffman:

Yeah.

Matt Harrigan:

Okay. And so we’re actually charting the numbers of events that are occurring per minute, per hour, looking at telnetd, who’s trying to Telnet to the box, and trying to piece together all these disparate pieces of information to create an actual map of what a security incident looks like. This is in 1997 or maybe ’98, but in that timeframe, and no one had done anything like that. And the thing is just those two different things now are entire facets of this industry.

There’s multi-billion dollar companies that built SIMs. There’s multi-billion dollar companies that operate MSSPs. And I always wonder whether or not I’d still be at MCR had we really stuck to it. But the problem was at the time that in order to really blow something like that out you had to go get venture capital. And I knew a bunch of these folks in the South Bay and got intros to them from other people that we had worked with. And I went and pitched this, but the feedback that I got was, “This feels like a services business. We don’t invest in services businesses.” That was the first time I’ve heard that. I didn’t know that venture valuations are based on multiples of things that you can sell over and over and over without using people’s time, right?

Michael Schiffman:

Right.

Matt Harrigan:

So that’s the VC view of the world. And so I was just trying to figure out how to couch this thing in a way that would be investible, and just could never really get there with it, and so we ended up selling off the company.

Michael Schiffman:

You also had a guy working there, named Max Butler, aka MaxVision. You want to talk a little bit about that incident?

Matt Harrigan:

Sure. Yeah, that was pretty wild. Again, I mean, I don’t think… I’ve certainly met people that I don’t consider to be highly intelligent that are involved in this space, but I would say that by and large, most of the people that I’ve met in the computer security or hacking scene are super, super smart. And one of those people is this guy, MaxVision or Max Butler, depending on which day of the week it is who’s that guy. I met him, I want to say originally on IRC, and he relocated from somewhere back East to the Bay Area around the same timeframe that you and I were working on SecureOne. And he was looking for some contract work. We had a bunch of pen test stuff that needed to get done and so I had him on a couple of projects. And he came in one day and he goes, “Hey, are you looking at any of these new drops that are coming out from the ADM guys?”

Michael Schiffman:

This would be vulnerable exploit drops from hacking groups. ADM being one of the hacking groups of the day.

Matt Harrigan:

Yeah. Which when you look at these, the way that people were releasing stuff, they were building their own zines, like Phrack, but they had their own independent versions. Like ADM was the first version of security blogging, was the README file. And so they were just dropping tons of exploits, and it was hard to really determine which ones of these, there was just so much volume, it was hard to know what was really going to be fruitful and what wasn’t without literally reading through thousands of lines of code, which at that point in time, I’m running a company I don’t have really time to do, but Max is in it. He’s all the way in the most recent drop that these ADM guys released. He’s like, “There’s some really good stuff in here.” And I’m like, “Oh? Like what?” He goes, “Well, are you familiar with BIND?”

Michael Schiffman:

Berkeley Internet Name Domain, which was a very ubiquitous, notorious is almost a better term for this piece of software. So it was what provided DNS services for a bunch of different Unix variants, and it was notoriously buggy. And you could actually look up in that era there was a whole matrix of BIND software versions and the vulnerabilities that it was affected by. And there were so many.

Matt Harrigan:

So many. I would say the only thing that had more bugs than BIND was SMTP. Remember Eric Allman started that thing back in the freaking ’81 or something.

Michael Schiffman:

SMTP, the Simple Mail Transport Protocol. SMTP, the software, the service that was responsible for low-level email protocol.

Matt Harrigan:

Sending email on the internet, yeah. So anyway, this BIND exploit is packaged in this ADM kit.

Michael Schiffman:

It was BIND 9.

Matt Harrigan:

It was BIND 9, yeah. And Max is like, “Check this out.” And the way that the author had written the exploit it randomized the octets of IP addresses and then just tried to own a box and then drop you into a root shell. And Max showed me that it worked. It would just keep cycling through random IP addresses until it got one, and then it would pop root and just drop you onto someone’s box. And I was like, “Okay, don’t do that any more from in this building. Don’t do that anymore, period, by the way.”

Michael Schiffman:

This is a weaponized exploit that would randomly try and find a host on the internet that had a vulnerable version of the software, and then if it had found that it would magically give you privileged access on that machine.

Matt Harrigan:

Exactly. And so we look at the code and I was like, well, if you un-randomized it you could create a directed exploit out of this. I’m like, just remove this chunk of code and replace it with something that you can put it in argv. Make it an argument to the program and direct it at a specific host.

Michael Schiffman:

Yeah. Give the program the ability to specify the actual target that you wanted to, rather than randomly pick one.

Matt Harrigan:

Yeah. And he goes, “Oh, that’s a cool idea. I’m going to go home and work on that.” I was like, okay, whatever. And so he does, and then he comes back and he’s like, “It works, dude.” I was like, “Yeah, it’s pretty cool.” So I’m like, “I’m not sure what we’re going to do with it other than unless you want to go fix BIND 9 and release a patch for it, but we could use it in pen tests and stuff.”

Michael Schiffman:

Legitimately use it for customers that have hired you to try to break into their networks.

Matt Harrigan:

Yeah. And Max had different ideas. Max decided he was going to go out and own the entire freaking internet.

Michael Schiffman:

And he picked some really poor choices for targets, if I remember correctly.

Matt Harrigan:

Yeah, yeah. Some people who-

Michael Schiffman:

Some .gov and .mil.

Matt Harrigan:

Yeah, the folks who get really unhappy when you take over their computers.

Michael Schiffman:

U.S. Government and U.S. Military.

Matt Harrigan:

Yeah, and a bunch of commercial establishments as well. And so, yeah, he got busted.

Michael Schiffman:

And he did this from MCR’s networks.

Matt Harrigan:

He, at one point, did and that’s when we were asked some questions. And Max got picked up kind of on the sly. I didn’t know that any of this was going on. The day after he had gotten busted, we had a big meeting with a customer coming up. He was supposed to present the results of this pentest, and he’s like, “I can’t come into the office today.” And I was like, “What’s up?” He’s like, “I can’t tell you over IRC.” And I was like, “Okay. Well, I need you here, so why don’t we get together and meet up and we can figure out what’s going on and solve the problem.” So he goes, “Yeah, let’s meet at this Denny’s.”

Michael Schiffman:

Local chain restaurant.

Matt Harrigan:

Yeah. So we meet at the Denny’s. He walks in and he is looking super sketch. He’s like over his shoulder every which way, right? And he sits down at the table and he just writes on a napkin and he has this pager thing. And he writes on this napkin, he’s like, “This is a bug.” He’s pointing at the pager. And I was like, “Okay.” So then we just talked about how delicious Super Birds are for the next 10 minutes and then I left. And I was like, “I don’t understand what just happened.”

It turns out that what Max had told them was that I was the mastermind of this exploit and the idea to unleash it on the internet and blah, blah, blah, blah, blah. If I ever did say anything like that, I was probably cracking a joke, and I don’t think that I ever did. But nevertheless, that’s what he told the FBI when he got busted that I was the… Because their whole thing is if you want a lesser sentence, give us something bigger. So I became Max’s something bigger that he wanted to give them. And I have documents from the Freedom of Information Act that say exactly what he reported to them. All of it’s bullshit.

Michael Schiffman:

That’s crazy. Around this timeframe, he also reached out to me and asked me on IRC if he should run or just turn himself in. This might’ve been just before this-

Matt Harrigan:

I know because I have your IRC logs.

Michael Schiffman:

That was sort of around the timeframe I think that I got picked up by the FBI and questioned about a bunch of stuff.

Matt Harrigan:

I would love to hear more about that.

Michael Schiffman:

Well, it’s a story for another time. It’s in my interview actually, but-

Matt Harrigan:

Cool.

Michael Schiffman:

Yeah, it was all around this timeframe. So the sum total of this was that-

Matt Harrigan:

Well, they ended up coming to the office looking for me while I was down talking to Max. And either you or Jason were the ones that were like, “The FBI is here and they’d like to talk to you.” And I was just like, “Hand them the number for the lawyer.” Again, I didn’t do anything, but I’m not getting involved in this.

The end goal is I don’t want to be having conversations with law enforcement about illegal activities that might have actually occurred from our network because I was unaware of them and this guy went and did most of this stuff from his house to literally thousands of machines. The last thing I want to do is I’m going to distance myself from this dude, for sure.

Michael Schiffman:

What ended up happening to him, do you remember?

Matt Harrigan:

He went to prison. And I want to say he got a couple of years initially, I don’t remember exactly how many. And I think the judge was sort of lenient because one of the things that Max did as a result of having owned these machines is he installed a patch that patched the problem so that no one else could exploit it.

Michael Schiffman:

So no one else could get in. Yeah.

Matt Harrigan:

Yeah. But also left access open to himself, so there wasn’t that much leniency to be had. I think that did buy him something though. And then he got out and I didn’t have any further contact with him after he walked out the front door of MCR. I still have not.

Michael Schiffman:

So bring this back to MCR. You said that MCR eventually got sold off. And at that point, what were you doing after that?

Matt Harrigan:

At that point, I had the guy who was sort of the VP of Ops for Pac Bell, which was our first customer a few years prior, had moved out to Denver and we were talking and he goes, “Yeah, this is crazy. This guy, Jim Vaughn, just sold his company Frontier Vision to Adelphia for some absurd amount of money, like $40 billion or something.” So he made all these investors a tremendous amount of cash, and they basically said, “What do you want to do next?” And he’s like, “I want to do fiber-to-the-home.” And they’re like, “Okay, well, how much money do you need?” And he’s like, “A billion dollars.” And they’re like, “Okay.” In order to raise a billion dollars at that point, and this is like ’98, ’99, you got to go to the biggest investment banks in the world. Our investors were like Blackstone, Oak.

Michael Schiffman:

What was the company?

Matt Harrigan:

It was called Winfirst.

Michael Schiffman:

Winfirst.

Matt Harrigan:

Or Western Integrated Networks is the other name. So Blackstone, JP Morgan, Oak, all of the huge IB sort of VCs. So yeah, we raised a billion too in our series. I think it’s still the largest series A of any company ever.

Michael Schiffman:

That’s a lot of money even by today’s standards, but 25 years ago, this is insane.

Matt Harrigan:

A tremendous amount. It was insane. Then 2001 happened.

Michael Schiffman:

The dot-com crash.

Matt Harrigan:

The whole economy just fell out. So these big players like Blackstone and JP Morgan, they’re losing their shirts in telecom because that’s the thing that’s taking the biggest hit. And we’re not technically really a telecom company, but we’re one-third a telecom company. So they’re like, “Hey, we got to round this up and find a buyer.” So we found a buyer. It was eventually sold to SureWest, which is another ISP play that’s out that way. And then that was all wrapped up and I think it’s all part of Consolidated Communications now, which is a big international, or I guess at least national telecom.

Michael Schiffman:

Okay. So where did you go? What did you do?

Matt Harrigan:

After Winfirst, I took a little bit of time off and went and did some photography, which was nice. I was like, “I don’t want to touch computers or security or whatever.” But since then, after I had my breathing room, I’ve been involved in security startups or consultancies in one form or another since then. So for the last 25 years, right? I’ve started a few, sold a couple.

Michael Schiffman:

And along the way you met someone who’d become your wife. Let’s hear a little bit about that.

Matt Harrigan:

Actually, that was during my time off.

Michael Schiffman:

Photography. Okay.

Matt Harrigan:

I was running around town. This is before digital cameras became highly popularized. I just knew that I wanted to be a quality photographer, so I went and I researched who makes the best optics and learn as much about camera bodies as I could. I wanted to go on the cheap side, so I went with Minolta gear, which is not the answer, by the way. But I got this camera and I would run around town shooting urban scenes and still life stuff.

Michael Schiffman:

You’re in Colorado at this point?

Matt Harrigan:

In Denver, yeah.

Michael Schiffman:

You’re in Denver now.

Matt Harrigan:

And back then there were parts of lower downtown that were still really pretty crappy that were falling apart. I remember this one photo I shot, there was this dude who was smoking some form of drug and looked really tweaked out, and he’s standing behind this broken down building, and it’s called Downtown Hobbies. And the Downtown is skewed this way, and the Hobbies is skewed that way. And there’s this guy with his downtown hobby, right? Smoking crack or whatever. But yeah, so I’m shooting all this film, and the nearest place to me that could do development was Wolf Camera, which is where my wife was working.

Michael Schiffman:

She wasn’t your wife at the time.

Matt Harrigan:

Well, neither one of us knew that she was my wife yet, but I thought she was cute and I would constantly be in and out, probably shooting more than I needed to to develop film. So I started up a conversation and asked her out, and here we are a decade and change later.

Michael Schiffman:

How long have you guys been married?

Matt Harrigan:

Oh, that’s a good question. Since 2008.

Michael Schiffman:

16 years or so. And you have some kids?

Matt Harrigan:

We do. I have two kids, Vanessa and Cooper. Vanessa is 13, about to be 14, and Cooper’s just about to leave sixth grade.

Michael Schiffman:

And I think you mentioned that, is it Vanessa who’s into computers?

Matt Harrigan:

Yeah, she’s getting really interested in writing code and understanding other people’s code and understanding how systems work. So we work on little projects that I think she’ll think are interesting. And she’s funny. She’s got definitely a lot of my DNA in there. She’s always asking questions about how to break into stuff. And I was like, “No, you need to learn how computers work first before you try to go break into them. And then I’ll teach you how to do some hacking stuff.”

Michael Schiffman:

That’s super great.

Matt Harrigan:

But Cooper’s like that too. His whole jam is harking back to music, right?

Michael Schiffman:

Digital music, you said.

Matt Harrigan:

Yeah. So he’s got his little studio set up and he’s producing electronica. And it’s really good stuff, man. I’m super impressed with both of them. They’re doing great.

Michael Schiffman:

That’s great. I suppose we should talk about 2016 and what happened in 2016. Novemberish.

Matt Harrigan:

Novemberish timeframe, election time, eight years ago, whatever. Yeah. The way that I look at all of that is social media was like a newish thing. And from where I was sitting, I don’t feel like I was speaking to a global audience or attempting to in any way. I was telling Anchorman jokes with a buddy of mine, who you actually know, on Facebook, and we were going back and forth and just kind of cracking jokes.

Michael Schiffman:

So set the scene. This was election, I think-

Matt Harrigan:

It was on election night.

Michael Schiffman:

It was election night, November 6th, 2016, something like that.

Matt Harrigan:

Yeah. And you know the scene in Anchorman where they go, “Oh yeah, Brick killed a guy with a pitchfork. Yeah, you should probably lay low for a little while.” I was kind of hamming it up about being Brick Tamland, right? Someone decided to, out of context, screenshot the things that I was saying and present them to the rest of the world as if I were a psychotic person attempting to assassinate the president. And look, the one thing I’ll say about that is I’m not abdicating responsibility for what I said. I said what I said. I never would have said any of that had I known for a second that it would, A, become that public, or B, be presented in the manner that it was presented in.

Michael Schiffman:

You never meant it to be taken literally.

Matt Harrigan:

It was not to be taken seriously whatsoever.

Michael Schiffman:

It was an off-color joke that you made and you thought it was a trusted audience.

Matt Harrigan:

Yeah. You think you’re having a conversation with your friends when in reality, you end up having a conversation with the rest of the world and your stuff gets posted on 4chan for internet trolls to pump up through all these siphons that they have on Twitter and everywhere else. Is that fair? No. But did I insert myself in the dumbest possible way? Absolutely. Would I ever consider doing something like that again? No.

Michael Schiffman:

What ended up happening?

Matt Harrigan:

Well, whenever the Secret Service becomes aware that there is an existence of a threat like that, joke or not, you get to have a chat with them. So having literally been at a conference presenting on a panel where Secret Service people were present three days prior, I was pretty sure I knew who was going to show up. So both myself and other people were proactive in reaching out to them to be like, “Hey, we know this is going to come up, so when would you like to come over to my house and make sure that I’m not a crazy person?” So that was a fairly simple process. They have to ask you a series of questions and you have to answer them, and then you can kind of go about your merry way, assuming that they’re not looking to take it any further.

Michael Schiffman:

But there’s quite a bit of personal fallout as well.

Matt Harrigan:

Yeah. One of the things that happens when something like that gets pumped up online as loudly as it did and people believe that to be your actual intention, they’re not nice, right? Just imagine-

Michael Schiffman:

There are threats against you and against your family.

Matt Harrigan:

Yeah.

Michael Schiffman:

You had to relocate.

Matt Harrigan:

Yeah, I relocated my family for a period of time. We had some-

Michael Schiffman:

You had to leave your business.

Matt Harrigan:

For the safety of the employees.

Michael Schiffman:

The company you founded, you had to step down from.

Matt Harrigan:

Yeah. I chose to resign specifically because, A, it was too important for the company to continue doing what it was doing, and B, it would not have been fair to not do that given the circumstances. Now, would I change things about how I handled that entire situation post-event? Absolutely. We live in a different era now, and my tact was just to be honest and just apologize publicly. I’d be like, “Hey, I’m really sorry if I upset anybody.” Because that’s who I am at heart. I’m a pretty nice guy. You can ask around.

But the reality is that’s not it. A PR person will tell you straight up, “That is the exact wrong move.” They’ll tell you, “No, go against the grain and tell everybody to go pound sand and then it’ll just go away naturally, and then stop talking to the press.” And that’s not advice that I got from anybody. So it was what it was, and it was a huge bummer for everybody involved in the company at the time. The company’s doing great now, by the way. A new guy is the CEO.

Michael Schiffman:

PacketSled.

Matt Harrigan:

Yeah, it’s called MixMode now and it’s doing pretty well. So happy for everybody there. And I’ve been working on a bunch of other companies in the meantime.

Michael Schiffman:

Anything you want to allude to?

Matt Harrigan:

Well, look-

Michael Schiffman:

Can you talk about the space it’s in maybe?

Matt Harrigan:

Yeah. There is this nexus of generative AI and security functions that need to get taken care of internally to companies, and I think that I’ve found a space in there that is hard to solve for that I have a solution for that solves a substantial problem.

Michael Schiffman:

That’s great. We look forward to hearing about it. So I have a sort of meta question for you here. Why are you doing Warlocks? Why’d you do this?

Matt Harrigan:

That’s easy. I’ve always thought this should exist, and there have been iterations of like, “Hey, let’s talk to former scene people or former hackers or computer security industry people.” But there’s never been one where it was exclusively focused on these people, this type of content, and that was being taken super seriously. And it’s something that I thought about creating actually a number of years ago.

I think everybody has. And for Nathan and you and everybody involved in this to actually step up to the plate and do this, I thought was really very cool and an important piece of documenting the history of one of the most interesting and fascinating times in my life. It’s a magic era, and particularly the ’90s scene I thought was really interesting and cool, and I met a bunch of people. I’m friends with literally hundreds of people from that era still to this day.

Michael Schiffman:

That’s why we’re in this room together right now.

Matt Harrigan:

Exactly. Yeah. It’s an important part of the history of technology too, right?

Michael Schiffman:

Well, thank you for doing this. It’s because of people like you that it exists and it’s why we’re here. Well, thank you so much, Matt Harrigan.

Matt Harrigan:

Yeah. Thanks, Mike.