Sometimes we forget how much trust we place in the little things around us like a lock on a door or a badge on someone’s shirt. We see those symbols and assume everything behind them is safe, but it doesn’t always work that way. A person with enough confidence, or the right story, can slip through places we think are locked down tight, and most of us never notice it’s happening.
My guest today is Deviant Ollam, and he’s one of the rare people who gets invited to break into buildings on purpose. He talks about how he fell into this unusual line of work, the odd moments that shaped his career, and why understanding human behavior matters just as much as understanding locks or alarms. Listening to him describe these situations, where he’s walking through offices, popping doors, or blending in with repair crews, makes you realize how blind we can be to our own surroundings.
We also get into the practical side of things: the mistakes companies make, the small fixes that go a long way, and why teaching employees to slow down and ask a few extra questions can make all the difference. It’s an eye-opening conversation, especially if you’ve ever assumed your workplace is more secure than it really is.
“If someone tries to rush you past a moment of hesitation, that’s your signal to slow down and ask questions. Be politely paranoid.” - Deviant Ollam
Show Notes:
- [03:24] Deviant shares how early adventures, abandoned buildings, and curiosity about locks pulled him toward physical security.
- [06:20] A story about a law firm reveals how an office “secure” door was bypassed instantly, exposing major hardware flaws.
- [09:16] Discussion shifts to how the locksmith and safe technician community reacted to his public teaching and how that’s changed over time.
- [13:28] The topic turns to security theater and the gap between feeling safe and actually being protected.
- [16:18] An explanation of symbolic locks versus real security products highlights how easily people mix up the two.
- [19:11] Conversation moves into the lack of clear U.S. lock standards and why European systems make things easier for consumers.
- [21:51] Layered security comes into focus, emphasizing that the goal is to delay and deter rather than stop every possible attack.
- [24:35] Monitoring tools, overlooked windows, and forgotten blind spots show how attackers often choose the easiest entry point.
- [27:38] We look at the politics of penetration tests and why coordinating with building management is essential.
- [31:28] Escalation testing illustrates how long suspicious behavior can go unnoticed inside an organization.
- [34:34] The need for simple, obvious reporting channels becomes clear when employees aren’t sure who to alert.
- [37:00] A breakdown of common cover stories shows why attackers lean on confidence and industry jargon.
- [39:50] Urgency and pressure tactics surface as key components of social engineering and why “polite paranoia” helps.
- [41:14] A viral prank underscores how easily an unverified person can be escorted into restricted areas.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Deviant Ollam
- Deviant Ollam – YouTube
- Deviant Ollam – Instagram
- Practical Lock Picking: A Physical Penetration Tester's Training Guide
Transcript:
Deviant, thank you so much for coming on the podcast today.
Thank you for having me. This is great. I’m glad we made the time.
I’m totally looking forward to it. Can you give myself and the audience a little bit of background about who you are and what you do?
Who I am is a guy on the Internet nowadays. I’m mostly like, oh, it’s that guy. I’ve seen you on somebody else’s channel, way better than my own or something. I get invited to places because of what I do, and what I do is break into buildings.
I’m a physical penetration specialist and a covert entry technician, and I’m also a safe and lock technician. I get invited by companies to break into their places sometimes because they want to know how somebody can break into their places.
That to me just seems to be a really cool, fun job of, I get to do “illegal” stuff, but I’m not going to get arrested. Or hopefully I’m not going to get arrested.
Yes. I got a perfect track record on that front so far, at the very least. Most people in our field—not everyone—there’s been the occasional incident that makes the news, but yeah, it’s very rewarding. It’s rewarding to apply a skill that most people don’t get to use in a legitimate way, and doing so, as you point out, you’re not really at legal peril. It allows you. It emboldens you. It allows you to project this air of confidence.
I sometimes make the analogy that it’s like rock climbing on a really good belay system. If you know you’re not going to fall to your death, you’ll make that aggressive leap to the next handhold that you might not want to if you’re free climbing. But having that confidence backing you up, you could just stare somebody down and say, yes, I belong here. The boss sent me in. I’m from this company, of course. This is my work order.
You are selling it because you believe it. You’re going to have that lie locked in. What’s going to happen to you? Nothing. They’ll read that confidence. They’ll say, yeah, I guess you are. Here’s the key to the workroom.
I’ve got some stories about that, and we’ll come back to it. Maybe we can talk about how to deal with that. There’s got to be a story. How did you get into the field? I don’t think you went out of high school, “I really like to break into stuff. I haven’t been caught yet. I just need to start a company breaking into stuff.”
The joke one liner that we usually say is, I had some of the right friends and some of the wrong friends. I had a healthy taste as a youth for exploring places that were abandoned or just wandering through public lands. You come across a fence, you say, I wish I could get on the other side of that fence.
Having that mentality always carried with me, and that turned into a hobby practice of lockpicking, lock bypassing, and learning how security hardware products work or fail to work. It’s not uncommon in the tech and hacker world for people to pick locks for fun, and I was one of those people.
But most of my work professionally was with the ones and zeros behind a keyboard. I was an IT-type guy. And the real pivot point—there were a couple of big ones—the one that I tell the story to some people, was a law office. They called me for consulting services when their system admin quit. He just quit in the middle of the day. Just table flip, I’m out of here.
By my recollection, it was a pretty terrible law firm, so I don’t blame him. They looked around and they said, I don’t think he’s coming back. We should call somebody. Somebody knew somebody who knew me and they said, hey, can you get over to this side of town? I said, yeah. I’ll hustle over there.
When I showed up, they said, all right. Thank God you’re here. Sit tight. We got a locksmith on the way to get you into the guy’s server room. Do you need some coffee or something? I said, no, I’m good. Do what you got to do, man.
I don’t know what I was doing. It was before Twitter. I’m just reading a cereal box. Eventually, I said, hey, I’ve been here for half an hour. You got me on the clock. You want to show me what we are talking about here in terms of this server room?
They take me down a couple of halls and they say, this is the room right here. But see, it’s locked. It is just an office like every other door. I just like, do you mind? Do you need this piece of report? Can I borrow this? I slipped the door open. I said, yeah, okay. Well, cancel the locksmith.
I started doing what I was hired to do. I’m throwing in these single user modes, NT boot, old software that people in your user base might know. I’m resetting passwords. Okay, it looks like nothing. Remote services are running. Your mail’s up. The web must be hosted elsewhere. You look pretty good. You’re going to want to hire somebody to do some actual forensics and after. But you’re probably all right. You don’t have to sweat it. Here’s your new root password. Oh, yeah. New root password. What’d you do to that door? I was like, oh, yeah. Your doors are not latching properly. I noticed the door hardware you had installed when I came in. You could probably do this to any of your office doors. I showed a couple of the law firm lawyers how to pop their own doors, and they were so fascinated. They actually brought me back just to do an audit of the office.
This was around the same time that a very good friend of mine, Jeff, who runs conferences called DEF CON and Black Hat, said, man, how are you not a trainer for us at Black Hat? We should have… I was like, a trainer for lock picking? Nobody gives a damn about locks… No one’s going to pay money for that. He said, trust me. Submit a training. We’re going to like that. You’ll get some people in there.
We’re one of the longest-running trainings now at Black Hat. We teach access control and physical security from an attack and defense perspective. It’s just all picked up just because nobody else was talking about it the way I was talking about it. And now everybody thinks about the physical, not because of just me. It’s become part of the consciousness, but I played that little bit of a part there.
There was the concept of the lock pick villages at a lot of hacker conferences, where I used to bring all of my kit around, and in between talks, or you want to learn how to pick locks. It’s a very fun way to introduce people to the mindset of a security product that doesn’t exactly do what you think it is doing. Just because it seems to work out of the box, is it actually working that way? I don’t know about that.
Do you have any formal locksmith training? Or are you just entirely self-taught?
No, I do now at this point. When I started out, I was all self-taught, as many young scrappy hackers were. But in the time since then, especially once our companies became profitable, I’ve made it a commitment to myself to do at least one professional training a year.
I will always attend. There’s the Associated Locksmith of America. I’m an ALOA member. I’m a SAVTA (Safe and Vault Technicians of America) member. I will attend their conferences annually. I will take their training. I’ve picked up so many fun different skill sets. As a safe technician, there are a lot of fun ways to—as we would call it—neutralize safes and containers, as the sanitized language of our trade.
On the locksmithing side, I’m a forensic lock technician. I can take a lock apart, look for microscopic tool marks, and tell you what techniques might have been employed. Or I can tell you about fire doors and life safety systems in buildings. Why? It seemed like fun training. It seemed like it would give me a good cover story for why I was in a building. If somebody said, what are you doing here? They’re like, well, what are you doing here? Because these fire doors are not to code.
I did a whole two-hour talk just about fire code, fire prevention, fire suppression, and it became one of my most popular lectures. Because these are all systems that we interact with every day. You have the sprinkler heads over top, you see the pull stations on the wall. But how do they all work on the back end? I like looking under the hood of the hidden systems, and this is a field where I get to be in a lot of those back room maintenance spaces.
Yeah. I’m the same way. I enjoy the opportunities when I’ve been in buildings for whatever reason, make friends with the facilities manager, and hey, what’s behind that door? I’ve never seen that door open. Oh, let me show you. To me, it’s really interesting to see infrastructure, how infrastructure works, and how easy it is to access stuff that you really shouldn’t be able to access.
Absolutely.
Does being a vault inspector and a professional locksmith, do those entities and those communities appreciate that you do pen testing? In the sense of, are you viewed as a double agent? That you’re one of the good guys and you’re also one of the bad guys?
It is definitely an aspect of the industry that many don’t understand. In fact, even more so than the penetration work is the public persona that I have. Being an author, a public speaker, and a YouTuber, that is what used to be looked very negatively upon by many in the old heads in the trades. To this day, some of them still, I don’t know why people talk about this on the Internet. Yet a lot of it has really been rewarding for me to see a shift there, where at conferences, one or two people will be a little grumbly.
But for every one or two people that give you one of these side eyes, there'll be 10 or 20 people that come up and say some variation of, hey, man. I’m here literally because of this thing you talked about. Or someone says, man. Look around this room. See all the gray hair in this room? I can hire people now in my shop that I need because of stuff that you and your friends have put out in the world and get people interested in this field.
On balance, I think I’m doing well. But yeah, the industry took some growing there to understand and accept the people like me.
I guess the people that are probably less happy with you are companies that make locks and physical security companies.
To some degree, yes. And even a lot of those folk have come around. Nobody wants to look bad. Nobody really has a problem (I think) with being better or being told, hey, you could be better.
But imagine you are into physical fitness. You want to be told, hey, you’re doing a great job. You beat your time on that race you ran last year. You don’t want to be told, hey, you’re out of shape and you’re going to die. If you’re a chef, you want to be told, man, this dish is incredible. You don’t want to be told your food is terrible. So it’s all in how you approach people.
We have firms that have specifically reached out to us and said, hey, we are thinking of releasing this product onto the market. We have a new safe, we have a new lock product, we have a new alarm system. You name what slice of the sector, we've worked with them. But we just don’t talk about it publicly or name them publicly, because what they want is to be proactive and say, before we make a fool out of ourselves, can you put this on your workbench and work with us for a while?
If you’re going to go to that extra length of time, effort, and spend, there’s no reason for you to be made to look bad on the Internet. Of course, I’m not going to say, look at this dumb… Well, it wasn’t a dumb design. It was a prototype design that we made better, and now that’s the company you want to be succeeding.
The people who grab something off the shelf, purport that it is a high security product, and then break it on camera—oh, look at this stupid thing; I broke it—then they’re throwing things around on camera and just looking really cavalier, that is what makes vendors get very upset. They say, well, you weren’t using it the way…
What is the design intent of the product? Is a question we like to ask. Someone was, can you believe this terrible lock? Why would anyone sell it? I’m like, I’ve seen that lock used to lock up trash cans behind a bar. It’s probably fine. It’s a $10 lock. Who cares, you know?
It’s like locks that you put on luggage. There were seven keys to open any of those locks. And if your lock can’t be opened by one of those seven keys, they cut it off. Security theater is probably not the right thing. It just makes it so your stuff inadvertently doesn’t spill out of your luggage.
I love that you brought that up. The phrase “security theater,” which was a phrase coined by a friend of mine, his name is Bruce Schneier, an excellent speaker and author in the world, actually talked about something. It’s a quirk of the English language, where if we say this thing is secure, to be secure as a verb can actually have multiple meanings.
If I say I am secure, well does that mean that the door over there is locked with a very robust mechanism? No one’s coming in? Or does that mean I am secure, I feel secure? There’s the feeling of security, and the actual objective reality of security. If being secure is someone’s goal, many times they might not feel secure, even if they are in a very safe environment. Many of the most safe, middle-class Americans think that danger’s lurking around every corner, but they’re actually quite safe.
Also, many people want to just pursue the feeling of security without actually achieving it. The idea of security theater, as pursued (usually) by large, bureaucratic systems, is great work that Bruce pioneered. In fact, talking about the TSA many times.
The part I like to focus on, especially as it relates to mechanical locks and the, I’m going to put a key in this door, in this cabinet, or in this safe, there is a break in the market, and we don’t specify this designation very well of what I would call symbolic locks versus security locks or security products.
Indeed, here’s a great example. You might have a regulatory or legal liability reason for, if there was a panel on this wall, like a circuit breaker panel or an electrical service box. I’m in a gun shop where the customers can come and walk through here. Let’s say somebody’s got their no-good teenager with them, they’re wandering and they say, ooh, what’s behind here? And then zap and they blow their hair back.
Well, if that panel was unlocked, the store might be liable. But if you put a lock on it—it doesn’t have to be a good lock. We’ve seen plenty of circuit breaker panels and other utility cabinets that just have a rinky-dink lock on them—but it’s communicating to the public, this is not for you. Don’t reach your hands in here. Leave this alone. They have taken enough proactive steps to, if some kid actually watches some YouTuber, jiggles the lock open, and then they zap their fingers, they say, well you weren’t supposed to be in there.
One of the classic examples we give is in the office, if everyone fights over the thermostat in the office, you can put that little plastic cover over it that has a lock on it. No one can really like, you could reach a pen through the slots, because it has to sense the ambient air. You could pop the buttons and change the thermostat, but you’re not supposed to be doing that.
If there’s a small, three-foot-high fence around somebody’s yard, yeah, somebody could jump over it. But it’s hard to explain why you are inside the fence line. You know you weren’t supposed to be there. It’s a symbolic product that serves to demarcate property.
Where we get in trouble is when somebody goes to the local hardware store and they say, I need a lock. Looks good. They’re really buying a gym locker lock or something, but they wind up putting it on a storage unit that’s going to be unattended for weeks or months at a time. That’s where you want something more robust that might actually see somebody manipulating it, attacking it, breaking it, bending it, hacking on it.
So that leads to the question, how does a consumer of locks (let’s say) because that consumer could be a business, how does a consumer of security products determine—you’re going to the store to buy a lock—which is actually a theater lock? How do you appropriately choose a lock for what you’re doing?
Yes, if I’m locking my gym, it just needs to be an inconvenience to stop someone from poking at it and it opens. But if it’s at my warehouse where I’ve got $100,000 of equipment behind a roll-up door, a gym lock is not the appropriate solution.
I bought them at local hardware stores, and there’s never been a real clear, here’s the use case for this. We’re going to size them from smallest to biggest, or cheapest to most expensive. There is no clear demarcation line between this one actually offers better protection, maybe it can’t be cut easily with a bolt cutter. But aside from that, there’s no real clear designation of what lock I use for what application.
It is unfortunate that we don’t live in a society with as many effective standards. There are some, so the retail packaging of many products will show this is 6 out of 10 little padlock icons. That’s all vendor fluff. That might as well be you walking into a restaurant and how many stars of spicy is somebody’s Pad Thai. It’s relative to every establishment.
There are a few, like BHMA and ANSI standards. Underwriters Labs has a specific standard for a high security lock product. But these are convoluted long numbers. I’m much more of a fan of how other societies across the pond, like in parts of Europe, for example, SKG is a government standards rating in the Netherlands. You have one star, two star, or three star. These are not ratings created by the industry. They’re created by police and insurance agencies, and it's instantly understandable for consumers. The insurance over there, your insurance on your business or your home can sometimes stipulate, your policy might say you must use a two-star or a three-star lock on your door.
We don’t quite have that here. The closest it comes in the safe world where I work, like, Underwriters Labs got you on safes. Safes have very specific ratings for how resistant they are to certain types of attack for how many minutes. And they should have ratings if they’re rated for fire—how much heat endurance they will have for how many minutes. But as far as just a lock on your door, storage unit, or something like a padlock on your bike, it is not. It is a very opaque world.
The best advice there I could give is go and purchase your locks from a reputable locksmith, a locksmith who has an ALOA number, who has maybe ideally a brick-and-mortar establishment, where you walk in, have some rapport, and say, here’s the use case that I’m trying to protect. What do you recommend and why?
They’ll give you a couple of options. They’ll try to explain it. But are you worried, for example, I have a lock on my house that is not impenetrable because my house has windows. My real concern and our family’s whole concern has always been key control.
I was more interested in, I’m going to put this deadbolt on the door, made 10 keys, and actually use stamps. I actually roll mark stamp numbers into all of them. I use a password manager, I use 1Password, in one of our shared vaults my wife and I and our family, we have all the key numbers. We have this key, you have that key. The house cleaner has that key. If the cat sitter moved out or moved away, I’ve got to get key number six back from the cat sitter. It goes back in the safe, because I don’t want the keys just floating out there. I chose a lock that it would be very hard to duplicate those keys. That was my use case and my main scenario, and it works well for me.
Some other people might care much more about sheer brute force. Is somebody going to be ramming or prying the door open? That’s not the thing that we see in our neighborhood. Again, someone would smash a window in my neighborhood. But if you have (as you pointed out) a warehouse with millions of dollars of equipment, somebody’s probably going to be, it’s not about the illicit key copy. It’s that somebody’s trying to just smash their way in the door itself.
I always have found it funny that people will talk about, oh, I’ve got this great new lock on my front door. It’s a 30-year-old house with a 30-year-old doorframe. I’m like, even if you had no windows, no one actually has to unlock the lock. They just kick the front door hard enough and the wood frame’s going to break.
Which is why we always try to emphasize, both in the locksmith and in the professional security assessment world, security should be in layers. You don’t necessarily have to prevent all attacks—and no one can prevent every attack—but your security implementation should delay and deter an attacker.
The best way to think about it, really, people say, well, a house has windows. A building has a…, but let’s talk about a safe. Again, I’m a safe technician. Even a safe is not an object that you put valuables into so that they will never be touched. A safe is a container designed to make an attacker think this is going to cost me this much time, effort, and money, and leave me exposed to potential interdiction. The risk analysis isn’t there for me as an attacker. I don’t want to spend 20 minutes making a ton of noise, using tools that cost more than the valuables I’m going to get out of this safe if I break into it. So it’s to delay and deter the attacker and allow you to detect that something is going on.
A big component of all this, which has gotten cheaper and cheaper nowadays, is monitoring. If, again, I am in a gun shop that has cameras all over the place, that would’ve been beyond the dreams of even a high-end business 10–20 years ago. But you can implement very robust monitoring solutions. Electronic monitoring nowadays is very cheap, so if you’re not doing that.
All of my gun safes at home, probably the ones here, have modules inside the safe outside the, so you know the moment that door swings open, there’s going to be an alert that registers and logs. And if it’s happening outside of hours, you are right on your cell phone. What’s going on? Who’s this? Respond.
It’s funny because when we moved into our house, we had an alarm company come out and put in window sensors, glass break sensors, interior motion, all sorts of stuff. They had their recommendation. I said, well, I also want motion detectors in every single room. I want window break and window sensors on all the upstairs windows. The guy was like, that makes no sense to put window sensors on a second story window. That just doesn’t happen. I said, well, the relative cost of this is not that expensive for you to do it. Just do it.
A few years ago, there were a number of break-ins in our neighborhood where people were dropping ladders up to second story windows, were able to get into houses and get out while the alarm systems were on because no one had any motion or any window or door sensors on the second floor. Someone got smart and just decided, let’s just bypass the problem by going to the second floor.
Absolutely. Hell, look at the Louvre.
Well, there’s also bad IT security there as well. That’s a different issue. Or maybe it isn’t. I don’t know. Maybe they should have hired you to try to break into the Louvre.
Oh man, that would be a fun job. I haven’t done a museum of that scale, anything like that. That would be dope.
That would be fun. When it comes to your work and companies hiring you to break in, what does that look like? Clearly the company’s saying, hey, we want to make sure we have a good security system. But how do you structure that? I’ve heard from other physical entry people that had their interactions with law enforcement, have been cuffed, and were luckily not prosecuted. What’s the process that you go through to make sure that that doesn’t happen to you? Because if I were your job, before I do anything, that would be my concern.
Many times, it’s very interesting when a company hires somebody like us. Right from the get-go, we have to start to figure out who the stakeholders are, whether internal to that client. There might even be some internal politics at play, where one group needs budget and somebody else is blocking them and they say, is there’s already going to be some infighting, which fortunately doesn’t happen too much. But learning how to deliver that message, learning how to speak with care and kindness so that you’re not thought of as the bad guys who made somebody look foolish, it’s a lot of emotional work that we do.
To wit, if you think that somebody is hiring a firm like ours because they have an axe to grind or because they really want to shake things up, that’s the situation where you might have a point of contact who is playing a little fast and loose with what they think will be tolerable or palatable.
There have been situations. Here’s a great example. You might have a company on the 13th floor of a building. Well, they probably don’t own the whole building. There’s a building management company who’s responsible for the guards in the lobby, all the badge systems and the turnstiles down there.
The 13th floor client says, yeah, we want you to break in from the street. I’m like, well, okay, but do you want me to exploit the lobby? You don’t pay those guards’ salary. You want me to start messing with them? You want me to mess with the elevator system to get up to the 13th floor without a badge? You don’t pay for that elevator system.
In their head, it’s all security. But you have to say, well, whose security is it? Let’s bring in that other stakeholder. Many times, the company might be very reticent. Let me say, okay, well, then we’re not going to actually attack your elevator, but let’s do a quick walk through the lobby with the building management, say just so you know, freebie from me to you, I could exploit this elevator. I could show you how if you want. But during the course of this engagement, you will escort us into the elevator and then just send us on our way up on the 13th floor. The 13th floor client will say, we’re going to stipulate that an attacker could do that. It saves you hassle and preserves your relationship very well with this building management. Those interactions where you have to do a lot of that emotional lifting are valuable.
The occasions when it has gone very badly for others in our industry, you’ve mentioned that some people have had some discussion with law enforcement. I know of at least one famous incident, when people actually got cuffed, booked, court case. It is still ongoing, the civil litigation, because it was a baloney arrest. But that was because somebody at the state level hired this firm and they didn’t really engage the county level authorities. Now the state supersedes the county, of course, but the county got butthurt. For that reason, we will often reach out for higher profile jobs.
We’ll say, okay, if you’re bringing into this critical infrastructure, you’re bringing us in there, we’ll look up the local sheriff, we’ll look up the local whomever, interface with them, and say, hey, just so you know, this is our firm. This is what we do. This is a homeland security–designated site. We want you to know from this range of dates, we might be there.
Now we won’t say I’m going to be breaking in. We’ll say, we’re going to conduct attempted trespassing, which is true. We just don’t want the deputies looking, oh, what are the kind of cool tools they’re using? We’ll say, now it’s up to you to communicate this or not during morning roll call, but if somebody calls from the field a report of, hey, who’s going over that fence? We wanted you to know, you don’t have to have a Senate priority call, get a traffic accident.
And they’re always, thank you so much for letting us know. I’m only going to talk to my lead deputy about it, but thank you for reading us on this project. I understand what you’re doing. A little bit of work like that can go such a long way.
As you can imagine, a local townie cop or even an actual sheriff officer talking to you and you say, well actually Sheriff Mc so-and-so, he’s read into the project. If you want to call right now, I realize it’s after hours, call him on his cell phone. He’s going to know about this. That can deescalate things so rapidly.
Do you usually have to get the business owner to contact law enforcement as well? If I were law enforcement, I’d be like, hey, that’s great that you’ve reached out to me. You say you have permission, but I don’t know that you really have been hired by this guy, and hired to actually do what you might be doing.
We keep those people CC’d on the email, and we even encourage law enforcement to say, don’t trust me that this is the person. This is the person, but look them up on publicly-facing records. If you want to reach out, call them on their main company number. Ask to speak to so and so. They will confirm this for you as well.
Have you had engagements gone sideways, then?
We have never had the police called. It’s come close a couple of times because there are plenty of clients where they don’t want to just see you succeed as a pen tester. They want to see the response to their staff. If you’ve gotten in and out a few times, they’ll say, all right. Start escalating. Start doing things a little more egregiously. Leave a door propped open. Be idle in an area that you clearly shouldn’t be. Take your badge off so you’re walking around and you don’t look credentialed. You keep escalating until you get a response.
Sometimes, that involves a lot of escalation, really doing things so that by the time somebody says, this guy is taking apart the security camera and taking it off the ceiling. That actually panicked somebody once; they thought this was about to be a mass casualty incident. Somebody escalated, oh, get the security down here. Then you’re having a talking to about what are you doing? Somebody’s ready to call 911.
But you always have your letters, your authorization. You say, no. I’ve actually been here all week. But it’s, who actually finally reported me. You did? Good job. Didn’t see me Monday, Tuesday or Wednesday though, did you?
Have you run across issues where people clearly saw you doing stuff that you weren’t supposed to be doing, were pretty sure that you weren’t supposed to be doing it, but just didn’t bother to report it because they thought someone else would report it?
Close to that, yes. There are instances. I’ve had instances where I was trying to open a secure cabinet. Again, this is later in a job where you’re trying to get caught at this point. It was just midday office hours and I’m kneeling by this cabinet making a bad show of using my picks, just trying to make a lot of noise and rattling things around. A guy right next to me at a desk goes, what are you doing? And I say, what does it look like I’m doing? He’s like, it looks like you’re picking that lock. Sometimes you have to do that.
Again, that’s not a normal reaction. If I was an actual thief, it’s a weird thing. So the guy looked away. But we’ve had incidents where it’s usually not even a conversation. You’re walking down a hall. I got a glance from that person that was not good. I’m going to duck down this hallway, and I’ve hidden in a closet or something. This has usually been later at night; you hear a lot of footsteps moving around the building. Because I broke into a locked closet to hide, and I’m messaging with my point of contact. I’m like, is somebody…? He’s like, oh yeah, something’s up. We got a call. Somebody’s looking around to see where the heck you went, man. You spooked somebody.
Even on those instances, some of those have eventually resolved as, I looked around and I couldn’t find the guy. I just went back to my desk. I didn’t know what to do. I guess he left the building. Somebody sent an email that said, hey, there was a suspicious person, but I don’t see him anymore. Is that the wrong response? Is that the right response? How many companies out there actually have response plans? Or do they train your employees?
In fact, this was a great thing. For the longest time, in the digital sector, if you thought your company was the victim of a scam or a hack or something like a phishing attempt, people would say, who do you report it to? What do you do? What if you notice a bug in software and you want to report it to a vendor?
The idea of having security@ as an email address at a company was a concept that the InfoSec world had to push. Because a lot of people would say, I actually don’t know who I would… I would call the help desk, I guess. Or they’d have all these weird answers for who they would. I would call my boss, but it was after hours and I didn’t want to wake them up.
So yeah, having that one catch-all point of contact for, hey, something’s wrong, I don’t like this, give people a way to report it, whether it’s a suspicious guy, a suspicious text, an email, or a scam attempt, something like that.
I was pretty active early on in the anti-spam community. I was surprised at how many, like there’s an RFC, there’s a protocol, that you should always have a postmaster at your domain, and it should go to someone who actually does stuff.
I was surprised that when reporting spam, you go to the company’s website and clearly there’s no, I’m going to spend 20 minutes on the phone trying to find who’s responsible for the mail server. Then you, well, let me just send an email to the postmaster.
It was really fun one of the times when there actually was someone at the postmaster address who said, oh my gosh, thank you for reporting this. I’ve taken care of it. But probably a good 85% of the time, the message either bounced back as undeliverable, or just goes into a black hole and they never fixed the issue. I like the idea of security@, but I wonder how many companies it just goes into a black hole, even if it is a valid address.
You were talking earlier about having confidence when you walk in somewhere because you know you’re not going to get arrested, and it allows you to play a role better. What are some of the roles that you play? This is stuff that’s going to impact mom and pop companies. How do they determine that someone shouldn’t be there? What should they be looking for?
Loads of the time, we will break in hoping to not have to run into anybody who will stop us. But if you get challenged in any way, you always want to have a cover story. Whether that is, I’m here from site B. A different office sent me over. I work at this company. I just came out of the Wyoming office, the San Francisco office.
Or you could be a third-party who has a valid reason to be there. I am with one of your local utility companies. I am here to check the infrastructure on the roof. I’m with Verizon. I am here to do x, y, and z. I’ve said I’ve been servicing the copiers and printers. I’m from Xerox. I know a lot about elevators. Many buildings have an elevator. I’m here to check elevator leveling. Have your elevators been running a little slowly? We’ve heard that there have been error codes that we’ve been getting. We’re part of your elevator service package. Oh yeah, our elevators are slow. Everyone thinks their elevators are slow.
If you can speak with pretty good jargon, that’s a way to say, I’m here to do x, y, and z. A lot of times, you’re interfacing with a staff member who is not responsible for the elevators or the copiers or the network, and they don’t want to be the one to interfere with legitimate work being done.
A phrase that I really like in the social engineering circles, the awareness side, Rachel Tobac, I believe is who I credit this to—her SocialProof Security is her firm, great, great gal, she and her whole family and team—talk about being politely paranoid. You can be, and I think as a society, it doesn’t speak very well about us, but nowadays people don’t know their neighbors as much.
Someone coming up to your door or someone calling you—because nowadays our phones are just spam machines at this point—you generally nowadays don’t trust as much as you used to. You say, well what do you actually need? Why are you calling me? No, who are you again? And it’s made it a little bit harder to do some scams with people of a younger generation, unfortunately.
I don’t know what that says about our society, but that level of yeah, yeah, yeah. You say you’re trying to do something important here. Hold on. What do you mean? Anytime there’s a hurry-up involved, it’s the same as it is in carny show kind of magic. There’s a little bit of rush tempo to try to get you not cognitively switched on. But if you ever sense, hey, I’m in control of my own life. This is my space. I have the right to say, hold up, clarify that for me. Who sent you again? I’m going to need to verify that. Please.
It’s like any other consent. If you’re out on a date with someone who says, I’m going to buy you a second drink, you’re having a good time, right? You say, no. I’m still enjoying this one. Ah, be a sport. I’ll buy you a drink. Be like, actually no. Listen to what I’m saying. Consent is important. I’d like that in a minute. If someone’s trying to hurry you past anything that makes you uncomfortable, that should raise that flag. Be polite, but a little bit suspicious.
When I had worked in an office building that was owned by another company, I remember two different alerts that had sent us out at one point. They had a rash of somebody just walking into the suites with a clipboard, just looking like they know what they’re doing, walking by women’s desks, grabbing a purse and just walking out the next door. It’s kind of that if you think people look like they belong there, people just ignore them.
Then the other one was, they’d come to the door and say, the building manager has hired us to review the fire suppression system. We just need to poke around here and here and here. They go do that, and at the end, we need you to sign off that we did the work. Then they would ultimately end up sending a bill. The building manager’s like, well we didn’t hire them, but you signed the paperwork saying that you would pay them. So you’re stuck.
Amazing. That’s pretty wild.
Just because if people act authoritative, then people just treat them like, oh, I guess you’re supposed to be here. They aren’t politely paranoid.
There was a really good Instagram reel recently, and it’s cute to me because it’s low stakes and ultimately no one gets hurt. But a guy walks into small businesses, usually food establishments, with a toolbox. He says, I’m here from John Pork Electric. I just got to check the service panel. My boss sent me to check the blah-blah-blah.
The frontline workers say, sure. The service box is back here. The guy’s recording because it’s making content for the Internet. His toolbox literally contains like a spoon and a plastic straw. He blows on the circuit breaker, he’s making a little clicky-clack noises, he’s like, okay.
Then he walks out 5–10 minutes later. He is like, okay, my boss will call you guys next week. It should be pretty good. He’s got me working a double shift today with no lunch break. Do you think you can give me a drink or a burger or something, man? And the frontline went, yeah, sure. What do you want? Sure, we can get that for you. Why not?
The part that most people watch that and say, that’s amazing. Dude got a free lunch. I watch. I said, it’s amazing. Dude walked all the way back and left unescorted in the back room because he was carrying a beat-up toolbox with nothing in it.
And then they fed him on top of that. Oh, that is hilarious.
Thank you for the stories. Deviant, if people want to find you and your company online, where can they find you?
I am Deviant Ollam, not spelled remotely like it sounds. So enjoy that. It’ll be in the show notes, I guess. But also it’s easier to find me with The CORE group or Red Team Alliance. If you want to do what we do, we don’t just practice this. We preach it and teach it.
We are very proud to be one of Black Hat and SANS groups. We’re one of the longest running trainings in the industry. We have our facilities in Virginia and Las Vegas, also classes all around the world. Come learn about alarms, access controls, mechanical locks, you name it. We’re happy to train you.
Awesome. Deviant, thank you so much for coming on the podcast today.
Thank you for having me.
Thank you for listening to this episode of the Easy Prey Podcast. If you found something in this episode beneficial, please share it with someone you know and leave a review at easyprey.com/review. Notes and a transcript of this episode with Deviant Ollam can be found at easyprey.com/301. This has been the Easy Prey Podcast, defending against scams one episode at a time.