Walls, Tags, And TTPs: OpSec Lessons From Graffiti Writers - Pete Neve

I'll keep it on for a little bit. Okay. Thanks, Luke. It's absolutely brilliant to be able to kick this off. B-Sides Basingstoke is my favourite security conference. I think somehow you guys managed to really capture the kind of the soul of the security community in the area. So it's the conference I always look forward to each year, even though it's in Basingstoke. So I am going to take this off. What's this all about? Walls, Tags and TTPs. So you guys all know what graffiti is. This is about the artists and writers around the world form the community of people who actually do graffiti. The reason is Graffiti has a sub-community very similar to the hacking community. There's

a lot of similarities. Both started in the 60s and 70s, really exploded into the public consciousness in the 80s and 90s. both have people that work both sides of what's legal and what's ethical and there are many other things that are similar between the two communities. So this is to look at that community and see if there's anything that we can learn about this group that works sort of adjacent to us. So I should turn on my clicker and then I should be able to get the slide out. Who am I? How did I end up doing this talk? My name is Pete Neve, I'm the Director of Security at CineMedia. I've been in the security industry for a couple of decades now. I've worked in

both offensive security and defensive security positions. So how did I end up doing a talk about graffiti? This talk started in 2019 when I came across this photo on the internet. If you cast your mind back six years to 2019, you know, this was before lockdown, before COVID, before we all ran out of toilet paper, you know, Twitter was still a thing. We read about fascism in history books. You know, it was a different world. And China was accelerating its takeover of Hong Kong. A militarized police force was exerting control. Protesters, hundreds of thousands of protesters, pro-democracy protesters were trying to fight back against the police force. that had full control over the area. The protesters used lasers to try and

jam the facial recognition systems. They're using masks because of the CS gas and using umbrellas to protect themselves from the CCTV and from the water cannons. I don't need to tell you guys that China has an amazing system of surveillance and censorship. And what really struck me is that in this environment where there is full control over what was happening, you know, the government is able to see every text message you write, they have cameras in every street corner tracking where everyone goes, you can still get your message out to tens of thousands, maybe millions of people just by writing your thoughts on a wall in a public space. And so I started a little bit of a deep dive into who graffiti writers are and what

they do in their community and that's the journey I want to take you guys on with me today. One of the things that surprised me is that graffiti, being a sort of very anti-establishment, counter-cultural kind of group of people, they have quite a few rules. If you forgive me, the first rule doesn't really fit with the flow of my presentation, but in homage to the best movie of all time, which is Zombieland, the first rule of graffiti writing is cardio. What we'll see is that a lot of these guys, you know, throughout... It was going to come up, so it had to be rule number one. A lot of these guys, they're doing a lot of things that are very physical that would be very hard

to actually do. You know, they will climb over anything, they will climb under anything in order to be able to do the graffiti. This is a video taken by these two lads, Rest12. He's just done a nice bit of graffiti on a freight train. and he's filming and the freight train starts to move off. And as he's filming it, what he starts to notice is that one of his buddies that he was painting with is playing real-world subway surfers on top of the train trying to get back to the spot in the fence where they've broken through in order to gain access to the train yard. So it goes without saying, there's a lot of

things in the videos I'm going to show you are very dangerous, very stupid, don't do them. I'm not advocating people go and start running around on trains. So this guy has to go and help his friend. Very important, spray paints are quite expensive. So you see the first thing he does is he chucks the spray paint down before he manages to get himself down off the train. It's absolutely fine, very dangerous kind of thing to do. Unfortunately, a lot of graffiti artists have died over the years doing extraordinary things. But, you know, first rule of graffiti is cardio. There are different types of graffiti. Tagging is your main, your usual one. That's basically just writing your name. It's the same as what you do

at school. You write your name on your desk or something. This just takes it outside and people start to write their name all over the city. So the next level up from that is what's called a throwy or throw up. It's a super fast piece of graffiti that's really really quick to do, should take about 90 seconds or under a minute to do. It's just these big swirling letters and the reason that's all these big round letters is because they're really easy to do really quickly and it should just take a couple of seconds to do that. And then we have these sort of big beautiful pieces. Again, it's just writing the person's name. This

is, they've spent hours doing this beautiful piece of art. And the rule is you should only paint something better than what's already there, right? So it's okay to put a throwy over tags. It's okay to put a piece over throwys, but you shouldn't really put tags on top of throwys. If you do, people get upset about you. But of course, being a sort of anti-establishment kind of thing, those rules are meant to be broken. And so they regularly do. And there's a lot of beef between graffiti writers because people write over each other's stuff all the time. If you go a little bit further you get these beautiful murals. Again this guy's just writing his

name but it's really turning into a piece of street art here. And this is where we start to get controversial because street art means different things to different people. Street art doesn't have to be big, it can be tiny little pieces like this. Or it can be the big famous pieces of street art that we all know. Graffiti writers generally don't think that Banksy is a graffiti writer, they think he's a street artist. Basically the rule is if you're doing graffiti that's writing your name somewhere and everything else is kind of street art. It's a bit of a blurred rule. It doesn't have to be that straightforward. This is a piece of street art, which

is, I'm sure some of you guys can't read it, it's just some writing. It says, "Sometimes nothing good happens to you because you are the good thing that happens to others." Right, you know, beautiful piece of, is that poetry? I don't know what it is, it's street art. And street art doesn't have to be just text like this. Sometimes it's big, bold, political statements as well. But these things are all a little bit blurred as well. We said writing your name is considered graffiti, that's considered vandalism. But this is by the 1UP Crew as part of a conservation project. They created a coral reef in the shape of their tag. Is this vandalism? Is this art? I don't know. Does it matter? Well, turns out in

the UK it really does matter. Vandalism is... Graffiti is considered vandalism, and that all fits under the category which is called malicious mischief, and that can end you... give you... a total of 10 years in prison if you get caught. I'm not aware of anyone who has ended up doing 10 years in prison. I think the longest I've seen is four years. But four years for a piece of graffiti still seems like quite a long time for me. Because if you could be working with others, it can be treated as organized crime, which means they can bring the full force of the police against you. They can do DNA tests, they can use paint splatters and all sorts of stuff. It means

they can raid your house, take all your electronics. They can raid your friends and family because it's organized crime, so they could be involved as well. Quite a heavy police response to some graffiti in certain areas. Often what happens, because it's a serious crime, is graffiti artists will end up in prison next to drug dealers and bank robbers for quite some time. And guess what they make a lot of these guys do in prison as part of their rehabilitation? What are they going to do? Yeah, paint walls, yeah, paint murals teach people how to paint. Something doesn't seem quite right about it. You might say that there are other reasons for doing this. So why do people do graffiti? considering there

are such high penalties, particularly in the UK, for doing it. Not to mention the fact that in the UK we have electrified lines and graffiti artists have died stepping on those. It's quite a dangerous thing. People have fallen from high spaces. Now, graffiti culture like hacking culture they have their own ways of saying things for most graffiti artists what they're trying to do is taking this is called getting up right i didn't make the name up getting up is about getting your name onto as many walls as you can across your city right it's about putting your putting your name out there um That's one of the reasons graffiti artists love trains. If you get your name on a train, that train takes your name around the whole city

for you. You don't have to go to all those other places. People talk about being able to do like 150 tags in a single night and trying to get their name out there as much as possible. It's a kind of game. where no one is counting and there's no prize. But it's a kind of an imaginary game. In order to sort of maintain status, they want to try and find high up places, hard to reach places, that are going to be hard to paint over, hard for other graffiti artists to get their names in there as well. That's why you see graffiti in all sorts of crazy places. It's all about trying to get there.

But that's not the only reason why people do graffiti. People do it for all sorts of reasons. There are plenty of people doing graffiti for mental health reasons. Lots of people talk about how it's just important for them to be able to express themselves. For many people, it's a way of escaping from their real life. It's something that they just love to do and a way of expressing themselves artistically. All sorts of reasons. Some people do it for the friends they make along the way. There's a lot of crossover with things, other hobbies like urban exploring and so on. So there's all sorts of reasons why people get involved in it. One of the reasons,

one of the things that really surprised me is the range of different people that get involved in graffiti around the world. I had a particular image in my head of what kind of person does graffiti. I assumed it was mostly young lads who had nothing better to do. There's a really vibrant community of people from all range, you know, every part of society doing graffiti all around the world, particularly outside of the UK, I have to say, maybe because of the strong laws that we have here, only a certain type of person ends up doing it. But we see kids doing it. We see people who have jobs. I spent some time chatting to all

the different people that I could about graffiti. I've met them online. I met them face to face, watched their videos and so on. And, you know, there are people who are lawyers, engineers, people who work in the train yards. It's not just young people who've got nothing better to do with their time. Here's a funny little video of a guy who scratched the word "smiley" on the side of a police car. The lad has obviously been caught and he lives up to his name. One of the great things about graffiti writers, certainly from my point of view in doing this, is that because they're artistic, what makes them slightly different to some of the hackers is they love to video and photograph everything that they've done and

put it online and share it with the world. So there's lots of footage of what they do. You know, it's that guy, he just scratched with a, on the side of the police car, his tag, right, which may not have been sort of a sensible thing to do. It's really surprised me the different kinds of art people do, right? The scratching that he did was with a specific implement. He wouldn't have just like picked up a random thing. He would have taken something with him in order to scratch the paint on the cars. There's all sorts of different types of things. This guy uses tiles. It's quite famous around central London. He puts these up.

These are stencils done by Blek Lerat. He was the guy who was doing stencils in this style before Banksy was doing it, about 10-20 years before Banksy started doing it. Very quick kind of style. And you see people modifying things like fire extinguishers in order to be able to spray huge areas of paint at the same time. And I think we've seen that become quite popular with Just a Boy and another protest as well trying to get paint all over the building. So lots of creative different ways. They're artists, they do everything they want. All right, so let's actually look at a particular mission by one of the groups. I mentioned 1UP earlier. These are

the guys who did some great conservation work with coral reefs. and they're raising awareness of it. We're going to join the 1UP crew in Berlin. I'm just going to forward Ryan through the first bit where they're kicking a football around waiting to get in. We're going to join them when they're checking to see the back of the station to see that the gate that they'd unlocked is previously open and actually speaking on the radio to someone who's checking the train that they're going to pay previously, making sure they know how many security guards are there on there. There are two security guards. Here they're actually talking to the people on the platform. They're saying, "Hey

guys, we're going to paint the train and they're going to do the whole train. So please just step back for two minutes while we paint the train." The train comes in. First thing they do is they spray the CCTV cameras. You see here they're going to black out the CCTV cameras so no one can see what happens. They've got a drone going. Just look how many people were involved in this mission, right? They've got so many people there and they literally are going to paint the whole train, right? They use the emergency lever to stop the train. Not too interested in how they actually do the painting. They're using two cans each in some cases.

Everyone knows exactly what they're doing. So we're just going to skip through that bit. They're painting the train. And we're going to go to the end again. where we see someone shouting "Watch out for the third rail!" as they all escape. They know they can't go back out the station that they just came from because that's where the security guards and the police might be coming from. So in just a moment they all escape across the train tracks. Someone shouts "third rail!" to make sure they don't step on it. All these guys, they go running across onto the rooftops. Just check out what these guys are wearing. They've all covered their faces. They're all wearing kind of crossbody bags mostly. They've all got gloves on. Again, we said

cardio. They're climbing across the roofs. They've got carrier bags with their stuff in. It's all interesting stuff to see how they're working. They've got ropes pre-prepared. We'll see they've got those. They chuck them down off the building and then they're going to abseil down off the building and then once they get down, some of them can climb down the fence as well. They've all got bicycles there. They jump on their bicycles and they all go their separate ways, right? This is an incredibly organized paint job, right? These aren't just a couple of teenagers who didn't know what to do that day and just thought they'd do something. This is really, really well organized. One of the things

that surprised me is these guys are very very good at modifying what they do, modifying their tools. So I think this is something that we've kind of slightly lost particularly in the commercial security sort of industry. We like to have like the right tool for the job. These guys are very good at modifying everything that they do. Right, okay. So, um, lecture cans. They make a really loud noise. If they're just in your bag, you know, you can hear them. They'll stick magnets on the bottom of them to catch the ball so that when they're in the bag, no one can hear them. It doesn't set them off. They're refill deodorant cans with spray paint that transfer it in so

it looks like you've just got a can of deodorant. They'll hide it in print with cans. Here this guy's showing off a clip that is 3D printed so that if he's climbing up somewhere and he drops the can, it doesn't fall down. They use rubber bands to stick stuff together so that the cans don't like... They bash together. So that's probably really messed up the microphone. Right. There's a lot of modification of what they do. And the other thing you notice there is they really have to be quick with what they're doing. That whole operation that we watched, the whole video is just a couple of minutes long. A lot of us in the security industry, when we're doing physical pen tests and stuff, we tend

to have these tactical rucksacks and stuff. They're sort of like these military style stuff. Of what I've noticed is these guys, they all carry these messenger bags, cross-body bags, right? So they've got easy access to the stuff so they can put their things in and out as they're going around. and they've really focused on the speed and ease of use and then they're not afraid to modify anything for that particular operation that they're on. Right, so how do these guys gain access? We're going to talk about a couple of things. They don't always walk through the front of the station. Hopefully you can see this video. Extendable ladders are really well used throughout the industry, right, to go over fences. This guy here is using an extendable ladder

in order to gain the access to the back of a motorway gantry. you know usually the first part is missing so he's using his ladder to gain access to the actual ladder that's on the side of the motorway and is able to gain access to it. These ladders are used all the time. I don't know too many physical pen testers who actually have this like constantly with them. Yeah sometimes we might use a ladder, sometimes might plan it. These extendable ladders, most graffiti writers seem to have them. They're used extensively throughout the system. Apart from your usual others, we all know that orange vests get you everywhere. That's just a standard thing that people use. This guy's clearly had access to brand new equipment. This guy's got access,

he's got keys to the train. Don't know where he's managed to get those from. Maybe it's an insider threat. The branded high-vis vests are really important. These guys, they take it a step further. What they're actually doing is they're setting up some roadworks above a grate that leads down. It's an access grate. This guy is, you know, he's got a generator with a grinder there and it's actually, they're cutting a hole in the ground, cutting through the grate and they've actually got a port-a-potty where they've cut out the bottom of the port-a-potty and they put it over where the grate is so that they can maintain access and you'll see in a little bit, they can go down straight to where the trains are, right, got full access, right,

just by wearing an orange high-vis vest, right. That's absolutely insane, right, so it's just right there. They can maintain that access for as long as they need to. These guys actually did an underground art show and that's why they needed to have that constant access so they could gain access to the tunnels and set up their underground art show before letting people in. Is Terry in the room or is he in the other bit? Oh, good luck picking guys. Okay. This is a terrible video because it was originally a VHS and so it looks like it's filmed on a potato. So I can tell you what's actually going on here. There's a padlock here and the first thing they're going to use is they're going to use

bolt cutters. They're using their bolt cutters here to, in order to be able to break the padlock and just cut through the padlock straight away. And then once they've gained access to that, they go down the access ladder, to gain access to the underground. Think how deep some of the underground stations are. They're pretty deep, so you have to forward wind through them going through a whole bunch of ladders before they get down to the bottom. And what's interesting is this is, they've used the bolt cutters on the padlocks, And then they get to this door which has got a usual sort of five lever lock, maybe six lever lock. And what we can actually

see, they know that CCTV is going to be the other side, they start covering up. And then this guy is actually using lock picks. He's actually lock picking that door. Previously, when I've, you know, we've looked at teaching people lock picking. Like we say, well, you know, we don't need to worry about bad guys using lockpicks because they just use a crowbar, right? And I still think that's absolutely true. Most bad guys are going to be using crowbars. But these guys, in many instances, they're using lockpicks. Again, these guys, look how this guy's dressed. He looks like he's sort of in a sort of business casual kind of way, doing a little bit of urban

exploring, ready for some graffiti. And what we see on the floor behind them, they've got their lockpicks set there, their lockpicking doors. Usually when I've been doing pen tests, if I come across a gridlock, lockpick doors, you know, that would need lockpicking, I usually say, "Okay, you know, it's unusual for me to actually..." And in fact, I don't think I've ever actually had to pick locks in order to do a physical pen test, right? There's almost always another way and I've always said, "Well, you know, if you've got a locked door and you've got control of the key, you're probably okay." But what I've seen here has really changed my mind on that and actually

I think that's no longer the case. Some of these videos are quite old, these guys have been doing it for some time, right? And they also have access to some of the keys. So the bad guys will usually use the crowbar but sometimes they are using log picks. So it's something we need to be aware of. The other thing we see is the bulb cutters, right? We saw that really early on in the other video. The first thing I did was attack the the padlock. Here they're using it to go through fences and there are many many examples of them using bolt cutters on fences in particular. Okay this one's a little bit dark for

you guys to see but trust me he's using bolt cutters in the dark there. They'll cut through any grill anything like that at all. I think that's something we've been missing quite a bit as a security industry. A lot of, you know, we would have looked at this and thought, well, that's actually a pretty solid fence. That's going to keep most people out. But it definitely doesn't. What I've found is it's quite useful to be able to share that information with people. I've had people telling me I'm a little bit over the top. I go to the data center and I say, hey, this cage you've got around these people, These racks, this area that

you've partitioned off, that cage isn't strong enough. This guy, by the way, just here, what he's doing is instead of cutting the actual padlock, he's cutting the metal that the padlock is connected to. The padlock might be hardened steel, but he's just cutting the whole piece of metal off in order to gain access to it. So what I've actually done then when I visited data centers and they've been saying, "Oh, you're over the top, you know, that cage is plenty strong enough." We wouldn't allow someone in with bolt cutters. What I've been able to do is pull out a pair of collapsible bolt cutters and say, "Well, you let me in with these bolt cutters,

right? If you're going to let me in with bolt cutters, anyone else can get in as well, right? I'm not particularly special." Foldable bolt cutters are amazing. The other thing we see people using quite a bit is grinders, grinding wheels, angle grinders. We've really seen quite a few of these videos here they're sort of like getting it behind in order to cut through the padlock it would be really hard to get their their bolt cutters onto it but being able to manage to get their angle grinder through is is relatively easy again it's it's really useful to be able to actually actually sound with this one which there should be this is my angle grinder that I carry. Again, easy to get into a data center or something like

this when they tell you that it's not possible to get an angle grinder into a data center. I think it's really important that we understand how important things like tools like this are for the industry. What I've actually got here is I've got a branded padlock. You can come and have a look at it afterwards. It says hardened steel on the shackle. This is checking all of the boxes. It's got a very good rating. It's like a eight out of 10 on Amazon. With this angle grinder I've cut straight through it, through and through, like both sides. It took less than a minute to be able to cut through this really good quality padlock. I think as a security industry, we're

not necessarily paying enough attention to some of these tools. My old boss, he said this: The biggest change that we've seen to physical security over the last couple of decades is the wide availability of battery powered power tools. They're really cheap, easy to get a hold of and they can go anywhere. It's not like the petrol ones where if you're starting a petrol powered thing in a data center someone's going to notice. This can be very, very unobtrusive. Now if this is true, that this is the biggest change in physical security that we've seen, and I think it is, why don't we get to use angle grinders on physical pen tests that often? Why wouldn't we? Not in scope. It's not in scope? Why isn't it

in scope? I'm actually questioning it. Is there a certain place you do see those pen tests? Yeah, you do. But it's not often, right? It's not often we get to do that, right? And that's because it's destructive, right? Noisy. Noisy. But the reason customers don't like us doing it is because we are actually doing damage, right? We're supposed to be the good guys. We're not supposed to be doing thousands of pounds of damage, right? But it does make me question if we're doing a lot of the pen tests with very limited scope, we're not able to do actually what is one of the most common attacks. Right, I should probably put this down. Okay, gloves. Obviously, graffiti artists get lots of paint

on their hands and that means if they leave a fingerprint behind, it's in paint, it's going to last forever. So they all wear gloves. I was actually challenged here at B-Sides Basingstoke at one of the mini-meets when I did a presentation about physical pen tests that I was doing. I don't know if the organisers actually know this, but a guy came up to me afterwards, he was a convicted robber who'd just got out of prison. And he said, "Hey, I've been watching videos by people like Deviant, you know, famous people on YouTube, and I watched the videos that you just showed. Why aren't you wearing gloves?" And I gave him a kind of excuse, but honestly, I think it was an excuse

as to why I wasn't wearing gloves. Every so often on the forums, Twitter, Discord, wherever people are these days, we get usually a fresh batch of enthusiastic pen testers saying, "Oh, this is ridiculous. The scope is way too narrow that I'm working on." Right? We should be able to do everything that the bad guys do. And obviously that's not how the law works and that's not how these things work. But I do understand the frustration of a really narrow scope. I've seen those pen tests where you're only allowed to go through one door and on that day they lock the door and everyone has to go through a different door. It's a completely pointless pen

test. So I understand the frustration. But I think when we say we want to do everything that the bad guys can do, which we obviously can't, but we only want that to go one way. If I was doing what the bad guys would be doing, I would be wearing gloves. But if I'm wearing gloves, that makes it much more likely that someone's going to find what I'm doing suspicious. If I'm walking around, you're just wearing gloves, right? So I think sometimes when we're looking at things, we want everything to go in our favor as pen testers. I think sometimes we need to be a little bit fair. As this guy challenged me, it did make

me realize that I should be wearing gloves on more pen tests, particularly if I'm in an area where I could be leaving fingerprints. So, protecting your identity with gloves. They're all wearing gloves. And then the next clip I show someone not wearing gloves. Hats, really, really common. These guys are always wearing hats. There's a lot of discussion about how to protect yourself against facial recognition. The general consensus seems to be if you can cover up your eyebrows and your eyes and the bridge of your nose area, that's enough to stop most facial recognition from working. So in this case even just wearing a workman's hat, pulling that down over your eyes, that's probably enough to

make it very hard for the CCTV to be able to actually identify who you are. And just an example of this, this is me doing a pen test. It would be very hard to actually properly identify myself wearing a baseball cap. You might be able to notice that I'm wearing the same glasses, it'd be very hard to say that's definitely me, right? As opposed to my colleague behind me who's not wearing anything, it'd be very easy to identify him. But these guys also carefully protect their identity. They're usually wearing masks. Often they're just wearing like a buff that they can pull up over their nose, if you've got a cap on as well. These guys

just went full on ninja and they put masks, put their t-shirts on tied behind their heads. They know there's going to be CCTV cameras around and so they're just completely covering their face. There's a usual face, you know, a usual sort of saying, "No face, no case." Obviously, that's not necessarily true, but generally it does make it a lot harder. Again, you've seen the double can thing, right? They're trying to do the train as quick as they can. But their disguises go much beyond that. Here, again, just going to a video where people are going down into the area. Look what this guy's wearing. Hope you can see that at the back. Like he's wearing,

he's doing a very good job of business casual, right? He's got like a sports jacket on, he's got some nice kind of jeans going. This is in Paris. He'd look perfectly okay walking down the street. No one suspects that he is a graffiti artist. This guy's taking it to a whole new level. He's wearing a full suit. He's got a briefcase. If you weren't wearing the balaclava, right, which, you know, can I get it away? You certainly wouldn't suspect him of doing anything. Obviously, it's funny he's wearing the balaclava. The first thing he's going to do is he goes around the corner, he's going to take that off. And then if someone calls the police

and says, someone's doing graffiti, there's no way they're going to be looking for a guy wearing a business suit carrying a briefcase. These guys are very good at... getting the right kind of uniforms. This is in Spain. This guy literally walks in wearing the uniform. The worker outside says, "Hey, do you guys work here?" And he just goes, "Yep," and walks in. He's wearing the right uniform. This is exactly the same problem that we have across the security industry. This is the same problem we have with phishing. If an email looks right, if it looks like it's come from the right person, How do you know whether it's coming from the right person? We always

have these kind of interactions. These guys are very, very good at getting hold of the right kind of kit. So you might be wondering how hard is it to get hold of the kind of kit that would let you walk around a railway without anyone noticing? And it turns out it's actually quite easy. This is a known particular disrespect to... Network Rail, that was just the local company. If you go on eBay and you know what you're looking for, there is plenty of kit available and you can look exactly where you belong in that particular area. I spent far too much money on eBay, by the way, for this presentation. Okay, I should start taking some notes. These guys are very good at knowing where CCTV cameras are,

right? They spend a lot of time monitoring. You might think that CCTV is the easiest way for them to get caught. This is a great example of someone who's just been in a road tunnel, he's been spray painting and as he leaves the area he immediately starts to cover up his face and uses his bag in front of him. We know the CCTV camera is right at the other end so when he first walks in there's probably not enough there to recognize his face but he knows he's got to cover it as he walks closer and then walks into the other area where they know those kind of access tunnels do have CCTV cameras. Some

take a very direct approach. These guys are just literally messing with the CCTV cameras, pointing them in different directions. We've seen them previously spraying. It's very common to spray just before something happens, you know, to blank out the CCTV that goes on. So these guys know where all the CCTV cameras are and the rule in sort of the graffiti world is never look at the cameras. You should know where the cameras are beforehand but never look at them. And you often see actually in police reports where they say, "Oh, we identified the person because he looked at the camera." It's that you're trying not to look at the camera, you know, that moment where you

turn and look at the camera, that's when they get your full face and it's easy to identify you. So the rule is don't look at CCTV cameras. So how do these guys know where the CCTV cameras are? They're really good at staking out places. They're able to just sit there and just watch what's going on. These are guys just sitting by the side of the railway watching all of the workers. These guys have climbed up onto the building where they can get access so they can see down onto what's going on around them. By gaining a high access point, you know, they're able to look down on workers. Most people don't look up, particularly if

they're wearing hats, which a lot of the workers are with their hard hats. They're literally waiting for the guys to leave at the end of their shift so they can go in and start spray painting. In just a moment we'll see that they're using thermal cameras. They have thermal cameras, they're looking for people on the train tracks, they're looking to see everything that's going on. If I could teach people how to do surveillance, these are the videos I would use showing them how it's done really, really well. They know exactly what it They're noting everything down, writing down people's shift pans and so on. I just want to remind you, these are mostly teenagers who

are playing a game for which there is no prize, right? And no one is keeping score. If these guys were able to put so much effort into doing that, Can you imagine what like advanced persistent threats and so on are doing? I really think we need to up our game on our side of what we expect other people to do. One thing these guys have is a lot of time on their hands and particularly in urban areas where we tend to ignore the random people around us. We have sort of anonymity by being surrounded by lots of people we're never going to see again. We tend to ignore the people that are just hanging around

and walking around. A lot of these guys are watching very, very carefully what everyone does. Of course, part of this is they're mapping out where all the CCTV cameras are. These guys know that they're mapping out the CCTV cameras. These workers here are apparently trying to dig up a hidden camera which they previously placed. because they know that the guys know where the CCTV cameras are, so they're using old-school spy equipment in order to try and catch these guys. They put some cameras in where the rubbish is. What they don't realize is that the Gravitti guys had been there the night before and found the cameras. They'd been watching. They knew when they were being

placed and got some old-school kind of spy equipment there. These guys are really watching everything that's going on and there's probably some insiders as well. We know there are people in that industry. So here they've found someone who's sitting inside one of the trains. They've seen him on his phone while he's waiting. So they know not to target that train. They're waiting until he's gone. um speaking of that they also um i chatted to the guy who actually posted this video uh he was the guy who was with his buddy at the beginning where they're playing subway surface um he's using an old school camera these guys like to document everything they're doing um but

i saw him posting that he like he's got this camera he doesn't look like he's a big fan of photography that's not that's not the most amazing camera ever right this isn't someone who's a real passionate photographer so i said hey what's you know, why are you using an analog camera? Is that for OPSEC? And you sort of say, well, what's OPSEC? So we started having a conversation. They're very good at understanding the risk of taking your phone with you. They really understand that many of them have been caught by subpoenas on their phones, on Instagram, Facebook and so on, or Google locations and all that kind of stuff. They know that they can be

caught through their phones. So when they're doing a lot of their activities they're going completely old-school analog they've got old-school cameras they're using notebooks to write stuff down you see they have pieces of paper rather than you know that using using their phones again this is a great example of where A lot of us in the industry, we want to do what the bad guys are doing, but we only want to do it when it benefits us. How many of us will be prepared to be completely old school, not take our phones with us, not take anything digital with us in order to do a physical pen test so that we wouldn't get caught in

order to really emulate what the bad guys are doing? I'd say there's not too many of us who are actually doing that. So I think there's a lot of emphasis on trying to do what the bad guys are doing, but only when it benefits us rather than the other way around. Something else we'll see, there's a little video here. I just want you to notice what happens at the beginning here. I'm interested to know what you guys notice about this guy getting ready to go out and do submissions. The video is quite long. He goes and does hundreds of tags across Spain. Does this look like this is this guy's house? He's got some kind of lock-up basement somewhere separate and

that's where he keeps his paint. These guys expect the police at some point to knock on their door and so they're keeping all of their stuff somewhere away from their house. Their houses are clean. There's a lot of talk amongst graffiti artists of making sure there's no notebooks, there's no paint, there's no spray paint, there's nothing in your house that could tie you to graffiti and they're using secondary locations in order to keep all of that stuff. Okay, so there's a lot of different techniques the guys are using. A lot of it is quite well known to us. But I really want to kind of bring it back to the angle grinder, right? I mean, I think this is really important, right? I've never actually had to

use an angle grinder as part of a pen test. I've used them for other things that we've done, working with law enforcement and so on. We don't tend to use these in physical pen tests that much because we're not supposed to be the bad guys, right? We're not supposed to be doing lots of damage. I expect Bec's talk about "are we the bad guys" might be interesting later on. So I'm looking forward to that. But I really think it's important for us to think about, I think this is actually one of the issues that we have in the security industry, is that why is it that many of our pen tests won't use an angle

grinder when we know that this is the most common tool used by the bad guys? And of course, we can't be doing thousands of pounds of damage every time we do a pen test, right? No one's going to be asking us to come back year after year to do a compliance test where we cut through their doors, then we cut through their security equipment, damage their CCTV, and so on. So I think we need is in many cases, What we need is something that's a little bit wider than that short, that scope of a pentest. Sometimes we get a fantastic scope of a pentest and they say, "Do whatever you want, break stuff, that's great." Those are very few and far between. The vast majority of pentests are checkbox

exercises which make people very frustrated. That's what a lot of the people coming into the industry find. People get frustrated where there's limited scopes. I completely understand that. I feel that as well. I think that sometimes what we actually need is more of a physical security audit. And I'm really hesitant to use that word audit because that makes people think of paperwork. I don't think we need people who are doing audits that are checklists. who have learned stuff from reading a book. I really think what we need in many cases is people who really understand the industry, really understand what the bad guys are doing, know how to use these tools, who are actually going

to do something much wider than a pen test and actually be able to go through, go around to a company and not just say we found this one way in. For people like us, there's usually easy ways in. We've got RFID cards, social engineering and so on, but we know the bad guys are generally going to be using something different. So if we're not careful, that means our pen test doesn't really give our customers what they need and it's not that useful as customers asking for a pen test that looks like that. We need something that's a little bit wider than that, where people can go around and say, "These are all the different areas

that we have." So am I saying that pen tests are useless? Absolutely not. My old CEO, he used to say, when he was CISO, he used to say, "If you tell your CEO that he should close his window when he goes out, he may or may not listen to you. But if you turn up and he comes home and he finds out that you are sitting in his favorite chair, wearing his pajamas, smoking his cigar and drinking his whiskey, that's a lesson he's going to learn for the rest of his life." And I absolutely agree, he would remember that for the rest of his life. But what I think is I don't think we should

be having to do that every single year, right? If we're doing regular pen tests, we should be building a relationship with our customers and as customers we should be building relationship with pen testers where we trust them enough to do the heck they can say you should close that window, these are the kinds of you know locks that you should use and And this is a much wider scope than the limited scope that a pen test is always going to be limited because we're not allowed to do destructive testing and that's the right thing to do. So I'm not suggesting that we shouldn't be, we should be doing less pen testing. What I'm saying is

that I think it's really important for teams to spread their experience and their knowledge well outside of the limited scope of their day-to-day job and the limited scope of the pen test they're doing. I want to see pen testers who are actually using tools like this. I don't want people spreading FUD saying, hey, I saw a guy say you can cut through that padlock. I want pen testers to know whether they can cut through that padlock or not. how much experience it has. I want us to be able to play a little bit more as the industry. I think auditors should be able to do more physical pen testing or any kind of pen testing

and working outside of their area. Sometimes an audit should look more like a pen test and maybe sometimes a pen test should look more like an audit. I want to see us working outside of our boxes and working in much wider scopes so that we have that experience within the teams. So we don't just say, "Yes, I got in using an RFID card," but you've also got a bolt that could easily be cut. You've also got a grill that could easily be got through with belt cutters and give a lot more information to the industry. So I really want to see people doing it. I think that goes back to the cyber side as well,

not just the physical side, right? What's more important, a pen test on a laptop or a build review on a laptop? But I would say they're both important, right? But the pen test is going to find some things that a build review is not going to find and vice versa. And I think we need to build relationships with customers where we're not all boxed into these compliance check boxes where we say, yes, we've done this test and yes, we've done this test. We have big gaps in between. And it's really important for us as an industry to really expand what we do into those other areas and really share that knowledge and experience with each

other. So that was my deep dive into the graffiti world and what I've learned from it. So thank you very much.