
The Genius of the Louvre Heist

By Hank Green

Summary

Key takeaways

  • High-visibility vests increase invisibility: Appearing highly visible, like wearing high-visibility vests and hard hats, can paradoxically make criminals less suspicious to security. This tactic was used to distract from the actual act of theft, prioritizing the appearance of legitimacy over stealth. [01:46]
  • Intrinsic value vs. historical value: The criminals targeted items with intrinsic value, like jewels and metals, which can be cut down and melted, rather than priceless art like the Mona Lisa. While art is priceless in its original form, its value diminishes significantly if damaged, whereas jewels retain substantial monetary worth even when altered. [01:53]
  • Exploiting known security vulnerabilities: The criminals likely exploited known security vulnerabilities, possibly stemming from leaked security audit reports. The Louvre, having undergone security overhauls and having had past thefts, presented a known target with potential weaknesses that were not yet fully addressed. [03:34], [13:54]
  • Speed is paramount in heists: A key lesson from penetration testing is that speed is critical for a successful heist. The criminals were smart about the speed of their operation, emphasizing a quick in-and-out approach, which is crucial for minimizing detection and escaping. [07:44]
  • Historical buildings present unique security challenges: The Louvre, originally built as a defensive fortress in 1190, presents unique security challenges due to its age. While historically secure, its outdated structure and the need to balance security with accessibility create vulnerabilities that modern criminals can exploit. [08:36]
  • Security resources focused on common threats: Museum security often prioritizes resources for everyday issues like crowd control or vandalism, overlooking large-scale, low-likelihood, high-impact events. The Louvre's security staff were likely trained for common threats, not for a coordinated, vehicle-based attack. [16:13]

Topics Covered

  • Vehicle-Based Attacks: The Next Unpatched Security Exploit?
  • Attackers Copy Success: What are Security TTPs?
  • Why Security Often Prepares for the Last Threat
  • Audits vs. Penetration Tests: What's the Difference?

Full Transcript

This video is brought to you by one of my day jobs, which is that I work at a company called Complexly. Complexly is a company that I co-founded with my brother. We make a bunch of different shows like SciShow and Crash Course and Eons and Bizarre Beasts. It's all over YouTube. And the goal is to have like a team of people who work really hard to make sure that there's good information that people want to get. So they're not stuck with the bad information that happens to be on the platforms where people are. Complexly is a bunch of people and our budget is quite a diverse pie. But the biggest piece of that pie is audience support: people who buy the Crash Course Coin or their Patreon patrons or they get the SciShow postcards. This is a really big part of how Complexly is able to do its work. And right now is the Learnathon, the Complexly-wide fundraiser so that we have money that isn't confined to a show. We can spend it on new projects. We can put it where it's most needed. We can use it to try and do interesting and exciting things that I can't tell you about. I'm sorry, but if you want to check it out, complexly.com, there's a link in the description because that stuff just does not work without audience support. Okay, now to the video.

I saw some folks on the internet saying that the people who robbed the Louvre were idiots. And I also saw people saying that the people in charge of the museum security were idiots. And I was like, what a surprise. People on the internet have opinions. But I did kind of want to figure out what I actually thought about it cuz ultimately, you know, I hope everybody has a good time. That's the take I really believe in. I just hope everybody has a good time with the heists. Nobody got hurt. You know, a little bit of French history may have been lost, but we lose history. That happens. But as I looked more and more into it, I started to think maybe the criminals were kind of geniuses here. Like they did all kinds of things that I would not have expected. I imagine a heist as like a black clothes, under the cover of night, rappelling from skylights, blowdarting security guards, Splinter Cell type situation. And this was the exact opposite. It was timed for there to be people in the building so that security would have a first priority beyond the jewels. They pulled up in a ladder truck wearing high visibility outfits because sometimes visible is more invisible. And they also, I have thought about this, they went after items that had intrinsic value. Like the Mona Lisa, obviously priceless, but if you cut it into a bunch of little pieces until it's unrecognizable, that's trash. Jewels and metals can be cut down and melted, resulting in objects that are obviously far less valuable than they would be in their original form, but still might be worth tens of millions of dollars. And then I started thinking like maybe these high-value targets were kept in a very distant part of the museum far away from the entrance so that they wouldn't be easy to like grab and run away with. Maybe that resulted in security being a little lax about it. Maybe they hadn't even considered somebody coming in through the wall. Maybe the Louvre and the Paris police didn't understand the security vulnerability they had and the criminals found like a kind of unpatched exploit. Turns out I was wrong about all of that cuz you know what I did? I thought, I have no idea how any of this works. I do know somebody who does. Sherri Davidoff is a friend of mine. Weirdly, we live in the same Montana town, but she is also a security expert, the head of LMG Security and the subject of the book Breaking and Entering: The Extraordinary Story of a Hacker Called Alien. And like being the subject of a book is so much more cool than like writing a book. Until that book came out, Alien was well-known in some circles, but no one knew that Sherri and Alien were the same person, which I find very cool. So I texted her and I asked if she had Louvre thoughts and she said yes, she certainly did. And so I had a conversation with her and during that conversation I discovered that there was an unpatched exploit, but it was not at all the one I thought it would be. More than that though, there was a network of tradeoffs completely out of my view that both criminals and security experts are well aware of. And the biggest mistake security made might have been something I heard no one talk about at all, the leak of a security audit.

So hacking back at MIT started off as something you like physically went and did. There was a midnight coffee house club. We all met at the coffee house and we would go essentially find places to break into. And this card is actually really useful for carding a door open. But I had to dig it up because I remembered the very first method of entry is knock first.

>> Absolutely. And in a lot of ways, I feel like that relates to what's happening at the Louvre because literally these guys are out there with like high visibility vests and hard hats and they're like, "La, we're going to drive up to the building." They're not like dressed in black with ski masks going in the dark of night because that looks really suspicious.

>> I started to think to myself like, what was genius about what happened here? Like what was a failure on the part of security and what was genius on the part of the thieves? And I kept having ideas and then I kept thinking to myself, I know nothing about this but I know someone who does. So one of the things that you do or have done in your job is actually testing the physical safety of a space by breaking into it, not with permission, like no one knows you're about to do it, but you have been given the task of "test our security. Don't tell us how you're going to do it. Just get us." So you've done this a lot and wildly enough you live in my town. I know you. We're friends. We're not in the same... We could have recorded this in the same room, but it's actually easier just to do it online.

>> That's harder.

>> I could walk to your office right now. So, I wanted to test out some of my thinking on you so you could tell me how I'm thinking about things wrong. And also, I wanted to sort of ask you this first question, which is why do I love this so much?

>> Oh, because

>> I like heisting.

>> Yeah. I want

>> It's so fun to steal things, Hank. You should try it sometime.

>> Yeah. Like the first time. And by the way, these days I do only steal things with permission.

>> Yeah.

>> And these days, um, when I break into things, they're mostly digital. Yeah. Um or we also do on-site social engineering. We have actually broken into some really famous buildings here at LMG. I mean, not here at LMG, but our team has um around the country. Yeah.

>> Uh but primarily through social engineering because, you know, for exactly that reason, it's easier to break in when things are open and when people are walking around and it looks less suspicious. I did start off as a physical penetration tester though and that sounds dirty but it isn't. It is where you physically break into buildings and write reports about it, which is half really interesting and half, you know, a boring report writing job.

>> Is it not terrifying?

>> I yeah no it's not.

>> I would be so scared.

>> I mean I guess it could be for some people but I find it fun. Okay.

>> First of all, you always have a limited amount of time. So it's really different than being a real robber. I think that's the part that's nerve-wracking because I'm like, "All right, I have like eight hours in this city where I can stake this place out and make my plan." And the more I did it, the more I realized I could spend more and more time on reconnaissance because if I do a good job, breaking in and getting out has to be fast. Yeah. And there were times where I'd break in and get out and I'd be like, "Wow, it's 9:05. I have the whole rest of the day." And they picked my favorite time. Like when people go in is like the best time in my opinion to rob a place that people go into and out of. I once tried to tailgate at Google headquarters just because I didn't have a way to get into a place where there was a phone charger, entirely uh without any interest in industrial espionage. Um but I was just like, I look like a Google employee, right? And I tried to tailgate this person and they immediately got me.

>> Oo, I just needed to charge my phone. I need to get an Uber and I didn't know how to get home otherwise. See, you could have been getting paid for that if you were in my industry.

>> Yeah, I'm sure that they do lots of that, which is why they're so good at stopping it. Tailgating is when you like don't have a badge and you just sort of walk in after someone. I saw a TikTok that was like, you know, whatever's going on at the Louvre right now, I wish everyone the best. I hope that the criminals have a good time. I hope that the police have a good time.

>> Oh, how nice.

>> This is kind of how I feel about it. The French government and police are not feeling that way about this. Let's start with what went right here for the criminals. Like what were they smart about? Okay. Well, they were smart about the speed.

>> Gotcha.

>> I'd say that's number one. And that is the number one lesson I've learned in my life um as a penetration tester is you got to be in and out. Um so I think that was really smart. And they also capitalized on inherent weaknesses that I'm sure the Louvre team themselves had wrestled with. They knew that the Louvre was not impenetrable. They knew that it had security weaknesses and they were balancing that with the need for traffic to go down that road in front and the need for the Louvre to be beautiful and accessible to people as well

>> and safe, like, too. I always think about security doors or like uh fire doors where you're like, "Oh my god, I got to put a door, like, every certain number of feet and like what does that do to security?"

>> Yeah. But I keep hearing over and over that uh the Louvre wasn't built for security. And that actually has made me laugh because the Louvre was built for security. It

>> sure was a palace.

>> Yeah. It was a defensive fortress. It was just built for security in 1190. So it's a little bitty bit dated.

>> Yeah.

>> And there's actually a whole exhibit about the Louvre's original structure. And that actually gives you, I mean, I would be shocked if the criminals didn't go through that exhibit taking notes about, you know, just the whole structure of the Louvre. How do you know whether or not you can buzz saw through the side of a building? That seems a little tricky to me. It's probably... It's an old defensive fortress. So, they went in by cutting through the building, right?

>> But they did it very quickly. I mean, my guess is, we do know two of the criminals were apprehended. My expectation is we will learn more about their backgrounds. Yeah. Um but the fact that their DNA was on file somewhere suggests to me that they may be experienced criminals. Perhaps they have a track record. Perhaps they've tried these things before.

>> Um certainly if I were the criminals, I would test it out on something first.

>> You just build a wall and start cutting through it. I mean, this movie is going to be so good, Sherri. I'm going to love this movie.

>> I feel like jewel heist maybe have been done. I don't know.

>> Oh, but like it's always... there's always another way to do it. Another question I have, what I hadn't considered, is the target. So, you think about stealing the Mona Lisa. M

>> this is a terrible idea.

>> How are you going to make money?

>> What good is the Mona Lisa? How do you sell that to someone? It's only like good as like collateral for some international crime boss, you know?

>> Yeah.

>> It's only bragging rights. I recognize that like uh you know the crown jewels of Napoleon's wife or whatever it is that got stolen uh are more valuable in situ. Like they're more valuable with the provenance, with like the story of what they are. But like you can melt down that stuff and it's worth money. You can cut gems into other sizes and they're worth money. Do you think that the people who do this, they think about the difference between the kinds of things they have to protect? Like if there is something that on its own could be worth tens of millions of dollars even for parts, regardless of its historical uh background, do they think about that differently and do they like keep it in parts of the museum that are less accessible?

>> That's exactly the question I think that a lot of experts have been asking. Is that really the gallery you want to keep the crown jewels in? Yes, it's valuable, but we know it's less protected. Um, in fact, in 1976, there was already a theft from the same gallery in a very similar way because it's right out there on the street and it's not like in some interior part of the building. So, I think that's a really good point. Um, and yeah, I mean, if you were the criminal, what would you steal? You probably wouldn't go for the awesome but not as valuable on the black market pottery. Um, the Mona Lisa might be, you know, maybe you could sell that to like Vladimir Putin or somebody. I don't know.

>> I'm not selling anything to Vladimir Putin because I value my life.

>> Good. Yeah. Okay, that's good. I'm glad we have this on record. But yeah, they're going to cut down those jewels. They may already have started the process of melting things down. Um, and I was talking to my colleague, uh, Deviant Ollam, who by the way has written three books on lockpicking. He's amazing. And he was wondering if, you know, this will start a trend of like microscopic etching into jewels so that they're easier to identify. Yeah. He was like, I wonder if they've already been etched. Probably not. So, I think we're going to see some security trends coming out of this as we have seen in past events as well.

>> This also happened, I think, to some people's surprise, while the museum was open. But now that I'm thinking about it, I'm like, what a great exploit. Because now you have a bunch of stuff that matters a lot that isn't the jewels, which are the people, the tourists, the people walking around. And so security has a first priority that is not the thing that you want.

>> Yeah. And the first thing they did was they closed that gallery. And the idea was the thieves can't escape that way. And it keeps the people safe, but it also makes it harder for security to come in that way,

>> you know. So there's that tug of war.

>> Yeah. But they also could escape because there was a hole in the building.

>> Yes, exactly. That's exactly the problem. Yes, they made a hole.

>> I just think about like the time it takes to get down the truck cuz you know those things don't move fast.

>> That was amazing.

>> Those little... those lifts.

>> Did you see the video?

>> Oh no, there's a video of it like going down.

>> Oh yeah. And they're like... It's like that scene in the Blues Brothers where they run and run and run and they get in the elevator. It's like

>> listening to "The Girl from Ipanema." All of this to me is adding up to, so like, some smart things going on here. Number one, get stuff that, like, the value isn't contingent upon it being in the current shape or form that it is in.

>> Yes, 100%.

>> Two, do it during daylight hours so that there's like a screen. You know, you got security worrying more about the people, which I think is, you know, the correct thing. Very 2025. Probably maybe in 1950 or 1920, screw the tourists, start shooting uh immediately. But nowadays, uh we value the lives of the people maybe more than we once did. So, when I was talking to you about this, I was like, man, they must have thought these jewels are so far from any entrance or exit, there's no way for you to get them. And you were like, no, no, no, no. They knew about this vulnerability.

>> Yeah, absolutely. And they've had multiple security audits, in fact, since the new director came on board in 2021. So, not only have they known their issues, they actually made an announcement that the Louvre would be going through security overhauls. And to me, I wonder if that triggered the criminals to act now. Like, oh, okay, we know there's security issues. We know they're not implemented yet, uh, or that the solutions aren't implemented. Let's act now and strike before there's new security, right? I mean, wouldn't you do that if you were the criminal, with our bad guy hats on here?

>> Yes. I got to put my bad guy hat on. Absolutely. I would do the jewel thief. I think that I'd be the kind of criminal who would do things very quietly and make sure I was... make sure I felt safe the whole time uh until getting caught and then suddenly being in trouble.

>> I've seen you get up on stage and I bet that was very scary for you to talk about cancer for the first time.

>> Yeah, I think that's totally the same.

>> You like to push yourself. Push yourself.

>> Right. I'll imagine myself holding a concrete saw and threatening a security guard with it.

>> Yes.

>> Am I missing anything else in terms of what was smart here? And like what maybe, like what has changed in the last 20 or 30 years that the security audits didn't pick up on or anything like that?

>> Oh, I mean there's so much. One thing to note also though is that the criminals were not equal in their skills. And in fact, eyewitness reports say one of the criminals cut very easily into one of the boxes with the jewels in it. And the other one kind of like hacked away at it, and then one of the criminals, you know, leaped into the getaway box thing that went down the ladder and the other one just kind of dove really fast. There's push and pull that the Louvre staff, they had to make some important decisions because on the one hand, they could have made it even harder for criminals to break into those boxes, but they also wanted to make sure that firefighters could smash them in the event of a fire and take out the jewels. And we have that challenge with security all the time. You mentioned fire doors and safety, and there's always a push and pull between safety measures and security, keeping people out and letting them out. Because one thing that somebody who runs a library or a museum or anywhere where important stuff is, you're much more likely to lose stuff to a fire or uh some other sort of destructive thing than you are to lose it to theft.

>> Yeah, absolutely. And we have to plan for all of those disasters, not just one kind.

>> I assume that the Louvre security folk know about a lot of different potential vulnerabilities they have and they have to weigh those vulnerabilities. How are they going to deal with those individual things? Do you think that this ranked fairly high on their list of worries?

>> I mean, that's an interesting question. You know, they have invested a lot in security staff who are mostly focused on the central entrance and I had the opportunity to be there in May of this year and saw that, you know, they did a pretty good job.

>> Wow. I immediately suspect you're involved.

>> No, no, not involved.

>> Yeah. I mean, watching how they corralled large masses of people was actually really helpful for understanding where they were investing their resources because I'm sure their security staff are probably trained to deal with the homeless, to deal with people who are drunk, to deal with people who are trying to touch the statues or graffiti something. You know, there's the pop and crackle and all the everyday lower security issues,

>> but something of this magnitude doesn't happen nearly as often. And so they're not investing as much in dealing with the trained crew that comes up in a bucket truck from outside. We're always evaluating risk. And risk is a factor um that involves likelihood of something happening and the potential impact if it happens. So this was higher impact, low likelihood. And they see a lot of low impact, high likelihood things all the time, if that makes sense.

>> Yeah. You mostly think about penetration, but less about sort of like what you do once the heist is done. I imagine like how much planning goes into what happens after

>> I have a surprise for you. I'm also a certified forensic investigator.

>> Okay.

>> Um and have spent a lot of time at least on the network side analyzing how you respond and what happens next. That certainly applies here. Number one,

>> I thought a lot about the fact that things have changed so much in the past decade. The fact that they got a helmet and a vest and they extracted strands of hair and they got the DNA and they were able to look in a database and find two of the criminals.

>> They didn't have to trace the path. They didn't have to find, you know, a license plate or whatever. They were literally able to say, "We're going to identify this person." Yeah.

>> And then find where the person with that identity is before they leave the country. So, I think that's going to have some ripple effects as to how criminals behave in the aftermath. Um, I think we're going to see criminals focusing more on getting away even more quickly because they did have time. They could have left the country in the time that they had and I'm guessing they just didn't feel like they needed to.

>> But do you think that the first step is to start disassembling the gems and stuff?

>> Again, let's put our bad guy hats on. You probably want to make those stolen items as untraceable as possible as quickly as you can. So my guess is they're already thinking and they probably planned ahead. How are they going to cut those gems? How are they going to melt down, you know, whatever metals they can so that they're not recognizable? Because the last thing you want is to be flying to a non-extradition country with like a crown in your suitcase.

>> Yeah. I think probably security would catch the crown.

>> Yeah. No, I just wear that for fun.

>> It's really... It's pure gold though.

>> I'm going to mail it FedEx to my friend Vladimir Putin. I mean, another interesting exploit is like scooters in Paris.

>> Yes.

>> You know, everything's got cameras all over it now, but you can go a lot faster on a scooter than you can go on anything else. Very hard to chase someone. And then also very easy to switch from one vehicle to another or, you know, go to some blind spot. I was shocked um when the CEO of that uh health insurance company was murdered in New York City that it took as long as it did to track down the attacker because of the network of cameras that we have. Yeah, I am sure there have been a lot of postmortem meetings about that. Um but you're right, the scooter can go really fast and certainly if it's possible for a man to escape on foot, I would imagine it's possible for a scooter to escape as well. And you know, at some point your criminal is going to ditch it. But can we talk about vehicles more because I think that's maybe the most interesting piece of this. Oh, okay. Hit me with vehicle stuff.

>> Okay. So, when I was talking to Deviant, he mentioned the Oklahoma City bombing uh when Timothy McVeigh drove a vehicle up to a federal building um in Oklahoma City and blew it up. He pointed out that since that time, you know, if you go to a federal building now, what do you see? Barriers, barricades. You can't drive a truck up to a federal building. It just created this whole new process where if there's a federal building, they have now installed barricades. Um and so I agree with him. I think we're going to start to see major landmarks, including museums, looking at doing that. Um, because if it's possible, you know, again, it's hard. It's on a really big street. But the fact that they were able to drive a vehicle up to the museum, especially with a freaking ladder, a bucket truck all the way up, and I'm actually a little bit shocked that there weren't more concerns about that, that that was not immediately causing some kind of warning. Um because you want to make sure any vehicle in an environment like that is clearly identifiable. It's not just like dudes in hard hats, cool, we're all good. You know, it should have been a very visible permit. And ideally, you want to have that gated off and somebody has to, you know, let them in if they genuinely have to do work.

>> Um so I think we've already seen that happening at federal buildings in the US and I wouldn't be surprised if we start to see that at major museums as well. I mean, do you think of these things kind of in the same context, like physical penetration versus um you know, like what is traditionally now thought of as hacking where uh it's all about access to computer systems, often and usually remotely. Do you think of this as like, you know, Timothy McVeigh kind of found a zero day exploit? All you got to do is buy a bunch of fertilizer that's available. All you got to do is drive up to the side of the building. Nobody's thought that somebody might do this yet. And then once that exploit is known, you start to see the patches roll out with new barriers etc.

>> Yeah, I think that's a great analogy. In cyber security, we would call that TTP. So that's um the attackers' tactics and often we see a new tactic uh getting tried out and attackers will start to use that once they see that it's effective. So all of a sudden they're calling you as an IT scammer and hey, that worked. They're going to call you again and again and again and all of a sudden you see a rash of those. So don't be surprised if we see another bucket truck incident. You know, if it worked once, maybe it'll work again. And attackers are going to copy that. They're not afraid to steal ideas.

>> I think about this with 9/11 all the time where it was like, wow, that was just there, box cutters and uh no, like everybody thought that a hijacked plane meant they were going to ransom off the plane, not that the plane would become a weapon.

>> Yeah. You know, I find 9/11 interesting as well. I don't know if you know this, but my first job out of high school was working for the Bank of New York. And so, and I grew up in New Jersey. So, I would take the PATH train into the World Trade Center. I would come up and then I would walk like a block to my office on Barclay Street and every morning I would pass these security guards at the World Trade Center and they were guarding the garage. I don't know if you remember why they were guarding the garage. Yeah. Because I was just talking to a colleague of mine who didn't. She's 27, I think.

>> Um, but back in around '93, um, the World Trade Center was bombed, or they tried to bomb it. Uh someone drove a vehicle in and tried to um set off a bomb. And so now, or then, they had guards to prevent the underground bombing. And so we're always kind of responding to the last threat unfortunately. Um that was a big concern at the time. That's very similar to what happened in Oklahoma City as well. So there was that rash of, you know, vehicle related issues that we now know how to protect against. What are the things that you think might come out of this heist in terms of uh adapting to the tactics that we're learning about right now?

>> Well, I think number one, we're going to

see other museums starting to look at

their infrastructure. Whoa.

>> I don't know why that happened.

>> Did you just do that?

>> Yeah, I just had balloons come up and I

don't know why. I I don't know how to

turn it off.

>> Oh my god, I got fireworks about that.

>> The AI was like, he's right.

>> Are you filming this on a on your Mac

camera?

>> Yeah. I'm filming it through the Mac

operating system and it does that. Yeah,

>> if you do certain hand gestures and I

can't I don't know what they are.

>> Happy birthday to us.

>> Well, number one, I think we're going to

start to see museums really thinking

about vehicle-based attacks. And to be

honest, I'm I'm surprised they hadn't

already been. Again, there is a

difference between the US and Europe um

and culture and of course our

experiences, but the Lou was built as a

fortress.

>> Yeah. Um, and we just need to be

thinking about, you don't need to be

obsessed with security. I think the New

York Times, someone in the New York

Times said it wasn't built with an

obsession for security. Actually, it

was. Yeah.

>> Um,

>> but there are some basics we need to

think about. And so an easy one is just

keeping vehicles, especially those that

can reach higher floors, away from the

side of the building, away from the

perimeter of that building, putting up

some physical barriers, and then

tracking and making it really obvious if

there's an unauthorized building or an

unauthorized vehicle there, if that

makes sense.

>> Do you think that they may have come by before to test and see whether or not people would question them?

>> Oh, that's interesting. So, you're wondering if they showed up in construction outfits to question?

>> No. If they, like, several times or like once before, did like a test where they pulled their little bucket truck up next to the building and didn't do anything, just to see if anyone... Because it seems to me if I saw a bucket truck and somebody doing construction, or like even putting a saw on the outside of the Louvre, I'd be like, "There they go again. They're doing construction on a building." Because that's what happens in cities. If I worked for the Louvre, I probably would even say, "Oh, you know, I didn't hear about the construction that they're doing. Everybody's there. Somebody is authorizing someone somewhere." If I was security at the Louvre, I would assume then that I would know whether or not there was going to be construction on that wing of the building.

>> Well, it's interesting you say that, because the security teams themselves have said there was so much happening. In fact, I think it was the labor union that said there was so much construction happening in that area. It was, on a regular basis, very difficult for security to tell what vehicles were authorized, what people were authorized, and what weren't. So, I think that was a common problem.

>> Maybe one of the cleverest things is looking at, seeing how often this is going on and how normal will it look.

>> Absolutely. And honestly, there are a lot of similarities between network penetration testing and physical penetration testing, because if you have the time to put into reconnaissance, you can really plan a very effective attack strategy. And just being there for a few days, I could see. We were actually staying very close by the Louvre. I could see how busy it was, how much construction there was going on. There's millions of visitors every year. And I think it was probably overwhelming for any normal human, and security guards are humans just like everybody else.

>> Do you think that the thieves had, like, a first thing that they realized when they were like, I think this might be possible?

>> It'll be interesting to find out their structure. If it's an organized crime group, the people who were on the ground might have just been hired by other people, you know, and maybe they were promised a percentage, like, "Hey, I know a really good burglar. I know someone with experience in jewel heists. They did this jewelry store and that jewelry store." People who steal things regularly, you know, there are professionals, and they may work as contractors for different organized crime groups. That's certainly what we see on the network side of things. So, my guess, and I don't know, my guess is that this was probably organized in some way, and that the folks who were the boots on the ground may have a percentage, but it might not be, you know, they may not be an isolated group. They may be part of a bigger group. That's very much not in line with how Ocean's Eleven works, you know?

>> Oh dear.

>> It's always these, like, rogue individuals who just want to do the one last heist, versus it being like a Russian mafia, which would just make me sad.

>> Well, I mean, it doesn't have to be Russia. But no, I mean, to access some of the resources and knowledge... or maybe it was just very talented and experienced individuals that were like, "Cool, let's fill up our one last heist and then go flee the country and live on a beach." You never know. But in order to move jewels like that, it's probably helpful to have a network and to piece it together. To answer your original question, my guess is they probably visited multiple times, if not many times. There were also some reports that there was a known security issue on that door, and that makes me wonder if they had already done a little testing or already jimmied the door somehow, or at least taken a very close look to understand the materials.

>> It's so human, you know. Like, locked in this room there's billions of dollars and everybody gets to go see and look at it. And so you're just walking by and you think, like, man, I could get this, but also to do it in a way where, like, nobody gets hurt. It feels like a story.

>> Yeah. You sound impressed by the criminals. You really do.

>> I am impressed by the criminals. Should I... Is that okay?

>> Yeah. No, I mean, it's true. Like, it's a work of art in and of itself to commit an effective heist. Yeah. And to get away with it, which some of them didn't quite...

>> Doesn't seem like they all have. And indeed, if they get two of them, you know, maybe they will find the others fairly quickly,

>> maybe,

>> though. I don't know. If it's a mafia thing, I probably would keep my mouth shut.

>> Good to know, Hank. Seems like you lean that direction anyway.

>> I really don't like organized crime. As someone who has bumped up against it very lightly, it is not a vibe.

>> Gotcha. Okay.

>> I bet. I've got to assume that you've bumped up against organized crime a lot.

>> Yeah, I mean, organized crime is penetrating networks day in and day out. And so as we're advising our clients, our team is constantly monitoring what they're doing, trying to track different threat actor groups. We actually have a laboratory here in Missoula, Montana. I don't know if you know this. We have a laboratory where we experiment and we run these little sting operations, and we're monitoring the evolution of the tactics and techniques. So I think it's fascinating. The bad guys, in terms of network security, they've really kind of grown up over the years, kind of at the same time that businesses like mine have grown up as well. So we are now professional penetration testers and they are now professional cyber criminals.

>> Yeah. I came to visit your office once and I met a ransom negotiator, and was just very impressed by the fact that there is just a ransom negotiator and that's a job people have.

>> We have a chief ransom negotiator.

>> You have several. How big is your ransom negotiation department?

>> Well, these days we decided to get out of emergencies. So, we actually wound down for the most part and we now hand things off to another partner team that we work with. Thank goodness, because it was getting exhausting.

>> I bet. Yeah. She said, like, the most I've ever done in one day is three. And I was like, I hate that for you. That sounds very stressful.

>> Ransomware is not going away, but that's a topic for another day.

>> What do you think the failures were? To what extent was this a low-probability exploit, and it was probably known and they probably just missed it, or do you think... because I think that everybody, like, wants there to be a big failure. Do you think there was a big failure here?

>> Well, I mean, I don't look at security as big failures. Everyone is always taking risks. Walking around on the street is taking a risk, and sometimes you pay the price. One big decision they made was putting the jewels in that specific room, the Apollo Gallery, which we know has some weaknesses, but at the same time, it's gorgeous.

>> It's a beautiful place for the public. There is so much benefit to being in that room.

>> And choosing to put them in the center of the room instead of maybe up against a wall where they might be a little bit more protected. I mean, it feels when you're in that room like they're yours, too. Like you could almost reach out and touch them. And I'm sure that's what the criminals wanted as well. So, putting the jewels in that room, which honestly, if I were advising them, I probably would have advised them to think twice, especially given there had already been another theft and they hadn't really made any huge changes. I certainly would have wanted more monitoring in that wing. I think the vehicle security was a big gap, as we've discussed. And I'm sure that's an area where they will invest more. It's a relatively low-cost investment compared with, like, installing a huge camera system and monitoring it regularly, and it tends to be more effective than just trying to add guards. You know, I think that vehicle security and making sure you understand who's on site and who's near the building is really critical.

>> Yeah. I mean, I imagine that there's a certain amount of... adding guards can be its own vulnerability, because then you have, because humans, you know, you have more potential inside men.

>> Yeah. You have more potential confusion, like if not everybody knows everybody. Then that can be confusing. You have a different guy show up one day who's not the guy who was supposed to show up. I've seen the movies.

>> You know, when I started off as a penetration tester, one of the first bank branches I did, I got in, I got in the whole back area, you know, was able to get keys and all that stuff. And this is like a little bank branch, so that's actually a harder job in some cases than a big office building. And one of my recommendations, silly me, was consider a security guard. And the bank was like, "No way." Because you have to pay for a full-time security guard. It's not going to pay for itself. They just use things like dye packs and stuff like that, and try to reduce the amount of cash on hand so that there's less for people to get away with, and timed entry into vaults and things like that. So, security guards are not always an investment that people are willing to spring for, because the ROI can be lower than you might think.

>> Do you think that they do security audits like you do, where it's like they actually hire a team to, like, break into the Louvre? Or, like, how do they do their audits there?

>> Yeah, that's an interesting question, and it also gets to the distinction between a security audit and a penetration test. Okay.

>> I like to do a penetration test with a security audit. So a pentest is where somebody's going to actually try to break into your building. And that way you kind of get that creativity. You see exactly where your weak points are, and I think it's important to try to understand the root cause of any vulnerabilities that are exploited. A security audit is more of a comprehensive, methodical process where you're literally going through door by door or section by section thinking, oh, the hinges are on the wrong side here, or, you know, whatever the case may be.

>> I think the two are important. They serve different purposes. So with a penetration test, you might want to demonstrate risks to upper management so they know what they need to invest in and why they need to invest in that. It can help you prioritize. There really isn't a great substitute for that comprehensive security audit, but I would suggest doing it after you've addressed the root causes of a penetration test. From what I can tell, they've done security audits. I haven't seen any mention in the media of a penetration test at all, which did surprise me. The other thing to mention, Hank, is that one of their recent security audit reports was leaked to the media.

>> Oh.

>> And to me, that is a huge red flag. That's a huge black eye for them. Anytime a company gets hacked, if I see people talking to the media and leaking reports or leaking information, they have a bigger problem. They might have an employee problem. They might have somebody still in their network. But that in and of itself is a security problem that's going to make the PR just blow up. And I think that's part of what happened here.

>> Well, would that also be a vulnerability, if, like, your audit is out there so everybody knows your weaknesses?

>> Oh, 100%. You know, the New York Times said that they'd seen a copy. I absolutely would be concerned and be wondering who leaked this to the media. Unless it was deliberately leaked for some reason, but I don't see any evidence of that. So, I think that's the big takeaway.

>> I think that a penetration test of the Louvre would be very hard, though, because as we saw, the penetration that happened here was not non-destructive. So, like, they're not going to hire you to go into the Louvre and then you pull a bucket truck up next to the Apollo Gallery and get your buzz saw out.

>> No, that's one of the problems with physical penetration tests, is that they never want you to smash anything. And also we're always limited on time. So, you know, I've definitely had times where I've been like, I would just smash that window and open the door, but I'm not allowed, so I'll have to pick the locks, which takes longer and I'm more likely to be detected. So, yeah, I think that is a challenge with physical penetration testing for sure.

>> Do you think that big organizations like the Louvre should allow destructive penetration tests?

>> Hank, that's a hard question. I don't think they needed to for this. I don't think they need to allow destructive penetration tests to get the bang for their buck. If they come up with a clean pentest report or a clean security audit report, great. Maybe consider taking it to the next level.

>> They're far away from being perfect enough to need that.

>> Yeah. I mean, from what we've seen, these issues had already been called out, except I don't know about the vehicle one, but a lot of the other issues had already been called out. I am curious to turn the tables for a second. If you were going to rob the Louvre, how would you do it?

>> Um, you know what I'd do? But I think that I would make sure that about 2,000 of the people in the Louvre are on my team. So when you ask me that, the first thing I think is, like, okay, what are the unique skills that I have that a security audit might not have thought of? So, like, what zero-day exploit might I have? And what I have is that, like, I have a lot of fans.

>> You have followers.

>> Oh my god. So, could I create, like... be like, "Okay, everybody, if you're up for something very weird, come join this Discord." We join the Discord together. I vet these people for how crazy they are. And then we all fly to Paris. We all are different folks. We don't look like we're together. We're all from America, but so are all the other tourists. We all go into the Louvre, like, and then we time it so that we all get there and we're all in the line at the same time. We time it so that we're all in this room at the same time, and fill up that room so that nobody else can get in. And the people at the Louvre are like, "Oh my god, the Apollo Gallery is so full." Then smash, and then as a unit we run, we run out as a big crowd and everybody's just a guy and we're panicked and, like, maybe, you know, somebody sets off some firecrackers so they think there's, like, gunshots going on. That's how I do it.

>> I love it. I want to hear more about your getaway.

>> More firecrackers. I don't know. You should use Telegram on the dark web, but otherwise...

>> Okay. Sorry.

>> I'm amazed that you have thought this through, Hank.

>> I hadn't thought it through. That was from scratch.

>> Well, this is your superpower, though. You do have followers.

>> I have to tell you, a friend of mine is making a role-playing game. And he was like, "What do you want your power to be?" And I was like, "I want you to invent a new power, swarm, where I can just turn myself into a swarm of thousands of things." And I like that we're on the same wavelength here.

>> Yeah. That's brilliant.

>> Well, I'm glad you asked. It made me nervous thinking about it.

>> I want to cut

>> and then everybody gets... and we give away all the jewels and then we return the money to the countries from whence they came.

>> Oh, you're such a prophet.

>> That's the only way I could get them on board. All these people would never do it if it was just for crime.

>> Someday there will be a dark Hank on the dark web.

>> How do you know there isn't already?

>> Sherri,

>> on that note,

>> thank you so much for spending a little time with me. Because there was a bunch of stuff that I had wrong. Unsurprisingly, because I don't... Yeah, I don't know that much about this stuff.

>> Thank you for reaching out to your friendly neighborhood security geek.

>> Yeah. And you can check out LMG Security if you ever need security, because they're the best in the business.

>> Thanks, Hank.

>> And here's the situation. I'm going to play Connections now, but you can only watch it if you just click on the learnathon link in the description. You don't have to donate, but, like, for me and for you, we've got a pact here. The honest thing is to click on the link and check out what we're doing for the learnathon. There's a bunch of cool stuff going on. You can find out about it and participate in all the different ways you want to. It doesn't have to cost you any money, but just click on it, look at the website, and then you can come back and watch Connections. That's the deal that we have with each other right now. I've established it and you've agreed. Okay.

Have you done it? Let's do Connections. We got Ouija board. Backbone, platform. Backbone, platform. Seance. That can't be it. Spirit. Scrabble. Medium. Seitan. Isn't that like a kind of fake meat? Backbone. Sacrum. These are all chakras. Are they chakras, or are they just, like, parts of the body? Seells. Seells. Well, what I did notice was Ouija board, computer keyboard, and Scrabble all have letters, and maybe abecedarium. I don't know what that is, but it sounds like it has letters. But I don't... Yeah, I don't think that... I think that the, like, mystical communication with spirit category is a red flag. So, like, spirit and seance, they, like, feel connected, but, like, Ouija board and spirit and seance, they're much more connected than that. Is seitan also a piece of furniture? I'm like, which one is it that I'm thinking of? Medium, spirit, outlet. Courage. Courage. Courage sounds promising to me. Okay, let's get these together. Courage. Heart, backbone. Yes. And spirit, you know, a little bit of... you got the ability. That's... Yeah. Okay. Great. Courage was really a door into that. Made that one pretty easier. Backbone and spirit I wouldn't have put together if I hadn't had courage and heart to tie them together. That means that backbone, heart, and sacrum aren't a thing. Sacrum, Seells, seitan, seance. What, is that a thing? That would mean that it was outlet, medium, venue, and platform, which is a category. So it is in fact seance, sacrum, Seells, and seitan, which is just like, it starts with "say" but doesn't look like it should. Maybe, like, this would be "sacum" and this would be "shant". What are you going to call this category, Connections? What are you going to call it? It's just words starting with a "say" sound, which is infuriating, that that's the blue, you know, since they introduced purple as, like, a thing that you get a little extra, like, badge for. It's much more angering for me when I don't get the purple first. Even though I've always said I don't win if I don't get the purple first. But that is... I mean, I guess I don't know. This was just much easier. This was the first one I got. That's the purple: things featuring letters A through Z. Great. I don't know what an abecedarium is. An inscription consisting of the letters of the alphabet listed in order for practice exercises. Okay. Well, I didn't know that. I love that we had them a long time ago, though. I guess I'm thinking of, like, children using these, but that would not have been the case. This would have been for, like, a scribe in training. This guy sucked. He was bad at his job. Yeah. And then who knows what's next? Probably medium, outlet, venue, and platform. So, like, a place from which you can speak, I guess. What's that going to say? A channel. Yeah, just like a way. Okay, great. Well, that's frustrating, but we're okay, everybody. Thank you for your time. I got a perfect puzzle, but I didn't get perfect purple first. And we're just going to be at peace with
