Overview of Darknet Diaries — Episode 166: Maxie
This episode features Maxie Reynolds, an adventurous engineer-turned-red-teamer who recounts her path from Scotland to underwater robotics, offshore work and ROV piloting, then into cybersecurity and physical penetration testing. Through vivid anecdotes — social-engineering a reception as a fake Swedish exec, accidentally shutting off a city’s water, nicking trucks from a logistics yard, and crawling through a sewer tunnel into a hardened data center — Maxie illustrates the attacker mindset that drove her to write The Art of Attack and to co-found a company building modular underwater data centers (Subsea Cloud). The interview mixes career history, technical stories, security lessons, and a look at subsea data center tech and threat models.
Key takeaways
- Career arc: underwater robotics → offshore ROV pilot/helicopter training → computer science → pen testing/red teaming → author and subsea data center entrepreneur.
- Attacker mindset matters: understanding attacker goals, persistence, and creative thinking is essential for effective defenses.
- Physical security often fails in simple ways (unlocked vehicles, unalarmed doors, exposed windows, manhole access) and is as critical as digital security.
- Red-team operations can reveal catastrophic risks (e.g., city water control) and must be carefully scoped and authorized.
- Underwater data centers are a viable, more energy-efficient way to host compute: modular, immersion-cooled, physically resilient, and maintainable via ROVs/vessels.
Notable stories & incidents
- Cardiff Giant anecdote (intro): a historical hoax used as a playful opener.
- Swedish pretext pen test (Australia): Maxie posed as a Swedish exec, got past reception into a factory, and was ultimately detained until her authorization letter verified the test. Lesson: pretexting can work quickly but always carry clear authorization.
- City water mishap (internal pentest): while plugged into an internal network during a sanctioned test, Maxie ran a command that shut off the water supply citywide. Police were called; legal trouble was narrowly avoided. Lesson: internal access can have real-world impacts; commands must be handled with caution.
- Logistics warehouse (red-team): Night infiltration by climbing pallet stacks into a warehouse, planting an approved USB proof, then finding keys left in/around trucks and moving multiple tractor-trailers out of unsecured lots. Demonstrated poor asset control and perimeter gaps.
- Hardened data center (high security): unable to get in by standard deception, the team located and used a municipal manhole/service tunnel to enter the data center and prove physical access. This inspired discussion of subsea data centers.
Technical & operational insights
- Tools/processes used: OSINT for recon, social engineering/pretexting, physical infiltration (climbing, lifting fence), vulnerability scanning (Nessus, Nmap), internal network exploitation, ROV usage for subsea maintenance.
- Defense-in-depth failures highlighted:
  - Unmonitored windows, unsecured loading docks, unlinked alarms.
  - Poor key control: keys left in/around vehicles.
  - Overreliance on perimeter checks without hardening service access points (e.g., municipal tunnels).
- Red-team etiquette: be firm but empathetic when debriefing clients; present findings clearly and without blame to ensure remediation.
Underwater data centers (Subsea Cloud)
- Concept: modular, watertight server containers placed on the seabed, tapped into existing subsea power/fiber via wet-mate connectors.
- Advantages:
  - Immersion cooling eliminates most air cooling overhead — significantly reduces CAPEX and ongoing power for cooling.
  - Reduced dust and physical disturbance → lower failure rates.
  - Strong physical security: hard to access without vessels/ROVs; pressure and water ingress create high barriers to tampering.
- Maintenance: units are recovered using vessels and ROVs when necessary; redundancy and load balancing reduce the immediate impact of failures. Environmental heating is negligible (measured increase ~0.001°C within a meter).
- Legal/operational constraints: maritime/exclusive economic zones and co-location near offshore assets chosen to mitigate jurisdictional/enforcement issues.
Actionable recommendations for defenders
- Treat keys and vehicle access like digital credentials: control, track, and centralize key management.
- Connect all critical doors/load-in bays to alarms and monitoring; don’t assume physical barriers alone are sufficient.
- Include OSINT-driven review of local infrastructure (e.g., service tunnels, manholes) in facility security assessments.
- For internal network tests, enforce strict change control and command-checking procedures to avoid disruption of critical infrastructure.
- Use red teams not to shame but to educate: present findings empathetically and prioritize fixes that reduce attack surface fast.
- Consider architectural risk reduction (e.g., geographic redundancy, alternative cooling) when designing sensitive infrastructure.
Notable quotes
- “Attacker mindset… is fundamental to building resilient systems.”
- “Treat keys like access badges, not souvenirs.”
- “If you want to keep them that safe, you put them underwater.”
Resources & where to learn more
- Maxie Reynolds — The Art of Attack: Attacker Mindset for Security Professionals (book)
- Subsea Cloud (underwater data centers): subseacloud.com
- Darknet Diaries bonus/support: plus.darknetdiaries.com
- Episode credits: Host — Jack Rhysider; editing — Control-Alt-Delight; mixing — Proximity Sound; theme — Breakmaster Cylinder.
If you want to quickly understand the episode: focus on Maxie’s four signature pen-test incidents (reception pretext, city water outage, logistics truck theft, data-center manhole entry) and her conclusion that simulating and thinking like attackers is essential — which led her to both write The Art of Attack and to pursue a practical engineering solution (subsea data centers) to harden physical infrastructure.
