Digital Migrations
Struggles of an ex-felon hacker until I crossed the border
All right, well, it sounds like I finally got all that gunk out of my lungs from this four or five-day cold. So, why was I posting so quickly in just, like, I don’t know, maybe four or five days on Substack? Actually, you know, a little bit over a week. Well, I was just so excited to get off of non-mainstream social media—except we got a flaw. Substack is not exactly non-mainstream social media, by the way. They may tolerate more ‘to the left’ and ‘to the right’ views, but I never intended for my blog to be anything political. It was mostly the technical aspects of what I put on YouTube; throw it on Substack.
As far as I can tell, the gun build videos did show up and stayed up instead of some stupid Karen reporting me, so that’s a good thing. I felt like I was disproportionately being targeted, but I know the real truth, right? It’s Infosec Frauds. Two Infosec Frauds in Vegas that want to report me for anything because I called one of them crazy, and I started throwing digs at them. And then I called the other one an obvious self-hating black man Nazi—which is really comical because, as it turns out, just yesterday Enrique Tarrio on Christmas Day Eve posted that he was proud to be white. It really does remind me of that joke, Clayton Bigsby, but it also really does remind me of Uncle Ruckus, too. When Uncle Ruckus got his genetic tests back in the cartoon The Boondocks, it says, ‘According to the white man’s fantastic technology, I am 102% African with a 2% margin of error.’ Hahaha. Oh my god, that was good times as a millennial. The Boondocks was one of the best shows, right? Oh my God, I love that show. But it’s really funny, but it’s also really disturbing that it’s happening in real life, that people actually fucking think there’s a multiracial Nazism. And that is a part of my outrage.
So, yeah, I really only intend to just post my technical stuff on Substack. But until I raise the issue, like, ‘Hey, yo, look at the bottom right here, sis. There’s fucking AI bullshit,’ I pretty much fled every platform as soon as they announced AI bullshit. And as soon as YouTube said they were going to do AI content moderation, I was going to flee there too, actually. So I was already aware; I was like, ‘Okay, I’m ready to pack it up.’
You might have also noticed I rarely talk on LinkedIn anymore, and for this idiotic reason too of AI bullshit. I am far more active on Mastodon, Counter.Social, and for now, I’ll probably even just move this right over to a Cloudflare page. I’m thinking like a Pelican static site generator in Python and then just uploading it all—uploading the blog right to Cloudflare Pages or something. That’s my idea. They don’t support video playback, but we could just drop a link to Odysee from there. So I’m ready to keep on migrating. Like, I don’t give a fuck. I found out that Odysee hosts a ton of crazy-ass content. It’s not a live stream kind of place, but you can see hacking content, gun content, political content, but it’s not as toxic as Kick, Twitch, or all that controversial shit.
And normal people... I guess some people got into trouble for calling them ‘muggles.’ Look, I wrote a fucking book called Ultimate Cyber Warfare for Evasive Cyber Tactics published by OrangeAVA under my real name that documented this, but I never said all this crazy AI botting shit was gonna happen. I never said that. I said it might happen. And just because these big-ass companies can does not mean that they should. Maybe I should have added that too. What I understand was there are thousands of cracked copies of my book and there are hundreds of sales of my book, and it was found in libraries in the Deep South, in Kentucky, I believe. Okay? Like, apparently you can use—unfortunately—more AI bullshit to find every time my book is on a leak site. But do you think I want to do that with AI bullshit?
I have a fucking ranting video of many reasons why I left Udemy in the year of August 2023 when I got sued for uncollectible debt by a piece of shit, virtue-signaling Democrat-in-name-only named Sean Ambrose, which I promptly won a lawsuit against. And then I immediately took my course off of Udemy after threatening legal action against them. And what actually happened was that the course on Udemy... I still get money from them, but I only get like a few cents because they’re saying, ‘Well, we have to keep your course on Udemy to not screw over the customers that paid.’ I’m like, ‘All right, you [keep it], even though I’m going to leave the whole course on my YouTube channel for free.’ And I did, and that may explain why people continuously know me.
But let’s digress from the point. On top of this, promptly right after I left, Udemy was announcing more and more pay cuts because you’re getting tax forms as a contractor, okay? And you’re getting more and more pay cuts every year. It was just constantly dropping by 5%. I made three or four dollars out of every $35 I sold my old Introduction to Exploit in Zero Day Discovery Development course, which is now free on this YouTube channel. But even then, I decided I’m going to just move all the shit to Odysee and pack it up because of AI bullshit. And that’s what I’m trying to get to. Udemy was one of the first online teaching platforms that not only was cutting the creator’s wages or commissions, but they were also trying to shove AI on everybody. So we knew—or at least I knew—that I was going to be exploited more for free. So I would get paid even less because, just like how Amazon makes look-alike products for niche products on Amazon that pushes small business owners off their platform and makes them homeless, the same’s going to happen to Udemy, where Udemy uses AI to illegally plagiarize your course, produce a similar course at a lower price, and literally demonetize your ass.
So all this happened, like, at least two years ago. Okay? And I think everybody knew what was going to happen. They just weren’t willing to say it until half a year ago, when someone started saying, ‘Hey, this competing platform Teachable is real fucked up. They’re jacking up our hosting prices to like monthly 60 dollars a month just because of how many people decided to make courses and how long the course is and how popular the course is.’ This is pretty much extortion. I’m like, ‘Well, yeah, you know, so you thought about this shit.’
I’m like, okay, a lot of these stupid course platforms—Coursera, Udemy, Udacity, Teachable—well, not Teachable in particular, but the other ones, they offer a service of advertising for you. You have a global rating, right? And the point is that a lot of the issues that you might have are abstracted away, like maintaining a website. But if all you needed was not advertising—you just used your real name because now you have a reputation, a brand name. You don’t give a fuck about how people think of you, because between you and some random troll on the internet, you are the real expert and people find you to be the more credible authority of a specific subject matter, right? If that’s what you became, and that’s what I became... since, oh well, before 2024, I was asked to write a book, by the way... then you don’t need Udemy. What you need is just a platform to host for cheap, like Podia.
But for me, I wanted something more. I wanted a backend. I wanted not just to host videos and host content. I wanted VMs. I wanted to make actual labs. And that’s why I switched over to an open-source platform called Open edX for a malware course. All right? And Open edX is pretty basic. It runs on a particularly beefy VPS, four to eight gigs of RAM, but you push a button to start up a lab, just like TryHackMe or Hack The Box. You can send and chain this through a free sub of Apache Kafka, or through that other provider that just announced they were going to give it away for free, which is kind of like AWS Pub/Sub, but for free. This AWS Pub/Sub for free can be sent to a service account that connects to your Cloudflare Worker, and that Cloudflare Worker sends an API call encrypted over TLS (so HTTP over TLS or HTTPS), which then fires up a secure signal to start up a lab for your student through the AWS API Gateway, which starts up multiple containers as well as multiple virtual machine images behind multiple peered VPCs. Which then you can use, or as a student, you can use to log in and test info stealers, ransomware, custom offensive tools, and stuff like that.
Why I stick with content creation
So why do I constantly work on content creation—creating my own, uh, sovereign content creation? As this review of my transcript says: ‘You’re building a sovereign stack; you successfully identified that renting an audience on Udemy/YouTube is a losing game due to AI encroachment and declining pay, and that my idea and what I’m implementing is a censorship-resistant ecosystem that protects your intellectual property.’ So why am I doing this?
Okay. Contrary to what you believe, if I were to walk through a time portal and change out my life and stop myself from hanging around with losers in the year 2009—if I traveled through a time portal and punched myself in the face in the year 2009—all right, then I may have never had a criminal record. Therefore, I could have gotten the four or five chances I had in becoming offensive security legitimately, because I was always offensive security. I had been convicted of offensive Computer Fraud and Abuse Act (CFAA) crimes—or just one, actually.
So let me tell you about our show. I’m documenting the first time I ever had a cybersecurity interview, which was mainly offensive. So, around March 2018, my first chance to play offense involved a company, a little small MSSP in Henderson, Nevada, who interviewed me to become a senior web application penetration tester. Back in the day, having an OSCP never really mattered, and apparently, it no longer mattered some time ago. But the truth is that you do not need an OSCP. People that are in the real business of offensive security, including penetration testing and red teaming, whether for the private sector or the government—they get those certifications a little bit later, assuming their work pays for them. Because by the time you get into this very niche space, your name is known among other practitioners of offensive security. Like real practitioners. So you never really need a certification, by the way.
So this is before I networked with influencers like Tib3rius. That was like five years later, by the way. But this sits between the time that I got raided by the FBI (March 2018) for the April 2017 hacking of United Airlines, which I eventually got convicted for, and when I actually met and sat down with real influencers (Summer 2023). Although many people do run up to me and tell me that they know me, and I’m like, ‘Wow, okay, holy crap.’
But let’s go back. First real InfoSec interview was a little MSSP in Henderson, Nevada. And not only was I interviewed by the owner, by my immediate manager, and by a professor that created the cybersecurity program at the University of Nevada, Las Vegas, but I got rejected because casinos look back 10 years instead of just under seven years. Because back then, they can’t legally look at your criminal background check beyond seven years for any other business that is not covered by the Nevada Revised Statutes. But the casinos are actually bound to the law in the state of Nevada. It’s called the Nevada Gaming Commission. So if the Nevada Gaming Commission has their own exceptional exceptions or rules, that’s them. So it turns out they look back 10 years instead. So in other words, you got better odds of being a server than being a pentester.
Number two: I interviewed for Red Team Security Consulting. You may have heard about the power plant hacking video. They went to this power plant in the Midwest and they broke in after using a drone and after opening the locks to a power station, showing up with a bunch of Raspberry Pis everywhere. That’s also true. And, uh, that was my friend. I’ll just show you his real name, not his last name, because everybody knows this guy. His first name is Brian, okay?
Then I interviewed for Booz Allen Hamilton to become a penetration tester at a naval base in... not the Deep South, I believe it was North Carolina. And they were going to pay for my OffSec courses. Then I got raided by the FBI again (September 2019). I got raided twice by the FBI, finally charged on September 3, 2019. So I spent a pretty... I spent 22 months in federal prison. So all these job opportunities went down, and yet they were all applauding for me to go into offensive security.
So I finally got out on July 22, 2021. And I interviewed for a company called... remember, at this point, I’m not allowed to even have a job because I can’t work at Walmart because it involves swiping credit cards, even though I never committed credit card fraud. Credit card fraud is a different federal crime known as Access Device Fraud, not the Computer Fraud and Abuse Act.
So in early 2023, I interviewed for a company that later fell because of AI bullshit, known as ForgeRock. And I was offered to become a Senior Web Application Security Engineer. They seemed to really like me, so it was just four or five easy questions, and an offering of $125,000 annually plus stock options to compensate for what they thought I should be paid (and paid more). But then they called the Nevada Department of Public Safety for my final stage of the background check, and they rescinded that offer. So how many chances was that? Four. Four chances, and I lost every chance. It feels like being punished forever.
Outside of that, I fell for a fraudulent job interview where I basically trained the person that actually got the job from a pretty lousy, low-tier endpoint protection company. Under their former name, they got owned by the Russians and made national news, so as you can see, I’m a very bitter person.
Then what else happened? Well, at that point, the economy was starting to teeter and totter and be in shambles. If you didn’t get into offensive security at this point, by chance number four or five, you’re screwed, okay? It didn’t matter what letters you have next to your name. You could become a GPEN from SANS. You can become an OSCP. And you’re gonna be in this higher climbing loop, especially since all you had to do was just get free shit on TryHackMe or Hack The Box, and assuming you know how to network, you would’ve still got a job. Okay, so I had four offensive security interviews, by the way. Right, right, right. That’s my last one.
So number five: Scumbag EDR company that didn’t really create a good product, basically steals interview answers with scammers and proxy recruiters, so fuck them. Let’s just keep moving on.
Sixth interview: Didn’t make much money on this. The sixth interview was actually what caused my book to be published, Ultimate Cyber Warfare for Evasive Cyber Tactics. I was released on supervised release on September 25th, 2023, and my book was published on January 1, 2024. So now I became an internet celebrity, right? Ultimate Cyber Warfare, where I emphasize operational security and informational warfare to amplify the power of our initial, pretty evasive payload.
Since then, the economy was in horrible shambles, or we saw the cracks. We all saw the cracks. What else? I believe the last time I had an interview... Oh, I interviewed for OpenAI, by the way. I also interviewed for... who else was the other company? I stopped counting because I was like, at this point, interviews and ghost jobs were everywhere, and this is getting really scammy. The last place I interviewed for before this last, last interview was actual Offensive Security (or OffSec) to create defensive content, and that was all right—except the person that interviewed me also got laid off. So that sucks.
Yeah, uh, I basically either was gatekept out or I was locked out through constant mishaps because I was constantly being raided by the FBI. I was constantly being fucked with by Nevada probation officers, by the state, and so on. And yet people saw my struggle. It was not pretty... I was not silent about this shit. I went off against, like, insurance fraudsters that hit my mother in her car, and I did it publicly. The FBI and the FOIA requests I filed against them showed that I’m a very vindictive person, particularly online. I went after adversaries, which is why I was the first choice to go write my book in the first place.
What else? Yeah, before the true scumminess of hiring protocol showed up (2024) with ghost jobs and the allegations that people are simply posting jobs to pressure their current employees to work harder—I heard that allegation too (earlier this week). All this stuff. I mean, it’s pretty pathetic how job scammers would try to fucking fuck with me just to steal a job from me that they are not qualified for.
And I decided, well, of all these mishaps, it was one person that really mattered to me, and I don’t know if he still works for them. I used to have his business card. He was the leader of the Amazon Web Services Internal Red Team, and he was one of the very first people I ever met in my life in the summer of 2019 during DEF CON 27—actually during BSides. So Black Hat was going on upstairs and I’m just sitting with the guy in a bar, right? While at the same time getting good reviews at Booz Allen Hamilton. And he told me—and I told him the truth, like I told everybody the truth about my criminal background—and he told me: ‘Don’t waste your time applying for cybersecurity jobs. Make your own consulting firm.’
And I kind of was like, a little bit insulted, but he quickly calmed me down. He says, ‘I’ve seen people like you before. You need to make your own consulting firm, just like Kevin Mitnick.’ And this person gave the most useful advice I ever heard. So I knew the truth of this quote-unquote gatekeeping, or at least confirmation of it. So I did go through other things as you can see, but this guy was the first person that was honest with me in August 2019. And I never met this man again.
Post Conviction
Since that day right before DEF CON in August 2019—remember, I was only one more month away from being criminally charged by the FBI finally after a slow-ass fucking investigation, which meant all of it meant nothing—I joined the local Vegas DEF CON chapter [DCG 702]. The president of this local Vegas DEF CON chapter was even more helpful to me than the person who told me the truth from the Amazon Web Services Internal Red Team. He eventually showed me alternative areas of employment. Actually, he was the one who got me into the offensive security interview, by the way, because he knew from my extremely violent outbursts that I was really desperate for work. Although, I do want to point out that I actually have two additional disciplines: accounting and finance.
And yeah, this one was the most helpful one of all, a very close friend. We even have strange overlaps where we have actually encountered each other even before we formally met. Like, we actually met at a crypto conference, by the way. And this guy knows at least one guy from... that has been recently interviewed by... what was his name? So many names, man. Jack Rhysider from Darknet Diaries. I decided not to constantly say ‘I know this guy’ and ‘I know that guy’ and stuff like that, but this personality is pretty well known in the DEF CON community. And instead of telling me his handle, he actually introduced himself to me under his real name, which was very trusting.
There is another thing that the president of the local DEF CON chapter of Las Vegas actually told me one time. Honestly, I thought he was too drunk, but later it was verified. People want to become me. And another person in the group said that I’m one of the only people in the world that’s capable of ‘pulling the trigger’ when it comes to some sort of issue. For example, The Beekeeper level stuff. I try not to be too loony about that because it’s almost as if, personality-wise, I’m a combination of Keanu Reeves characters, Christian Bale characters, uh, Jason Statham characters like The Beekeeper, or whoever are the two guys that played the main and supporting character in The Accountant. Although in many cases, The Accountant movies actually predated my recent adventures that made me so recognizable.
And then I realized that my legal name became a branding. So the name ‘Chang Tan’ is like trying to call someone ‘John Doe’ in Chinese. I am 100% birthright American and yes, I have never been to China. I’ve been to Canada. I now live in Mexico. There are actually many other places in Latin America that I’m planning to go to, although I got to go make a few trips, so I have to go pay for an E-Visa to go see somebody in the... well, I gotta see a bunch of people in the UK and Australia actually, by the way. But the point is, there are specific communities that I literally got glued to, and my best suspicion is they knew who I was before I knew who they were. I mean, come on, okay? Like, by the time they were looking me up, I was in two prison riots in CoreCivic, Nevada, okay? In a private prison over some stupid bullshit. And I think one of the most interesting things that these people like to hear are all the prison riots I’ve gone through, you know? So there’s that.
But I also wanted to announce—and this is not for DEF CON groups—so the Vegas chapter of DEF CON is a DC Group. Since last summer, DEF CON 33... after the first night of DEF CON, there was something that happened. A person that I’m not... I don’t look up to this person. I’ve never met this person before. His name is Jeremy Hammond, and he was convicted for the Strategic Forecasting [Stratfor] hack for the original LulzSec/Anonymous. And he got banned from DEF CON simply for saying ‘Free Palestine’ within earshot of many of the DEF CON staff. There was more to the story, and Jeremy Hammond made a huge fuss about it. But on top of derogatively calling DEF CON ‘FedCon’—like federal agent, FedCon—yeah, that was like the unkept secret, right?
Because my first... I’ve been to six out of eight DEF CONs. And I missed DEF CON 26 and DEF CON 28 because of incarceration. But my very first DEF CON is DEF CON 25 of the year of, I believe, 2017. And that was the last unhinged, no-holds-barred DEF CON that I’ve ever been to, which was my first one. It was the one with the ‘Meat Pistol’ presentation where the presenters were fired on stage, amongst other things. My first influencer friend is Marcus Hutchins—and he called himself ‘Mark’ at the time. At the end of that conference, Marcus Hutchins was criminally charged by the FBI for the production of Kronos banking Trojans after previously being celebrated for stopping WannaCry. And it was one of the most off-the-chain hacking conferences, loaded with the best parties I ever had. DEF CON 25 was most certainly authentic. If you’ve never seen Craig... one of the nerds in... okay, so there’s all kinds of crazy shit that happens at DC back then outside of nerds that never take showers. So let’s say that two fat nerds got into a fight, and they did a hack of Jeopardy. It’s going to be just like those two fat nerds fighting each other in Malcolm in the Middle, okay? Craig and the other guy, right? That’s like old-school DEF CON.
So where am I getting at? By DEF CON 27 in the year of 2019, you really can’t call DEF CON ‘FedCon,’ okay? Like, maybe they stood out a little bit more back in 25, but by 27... remember, I missed DEF CON 26, so I can’t say any personal accounts of that. By DEF CON 27, everything was starting to get more inclusive and, you know, federal agents started just showing up in plain clothes. You really can’t say and make accusations like this.
But Jeremy Hammond... I believe he just got out of federal prison for the Strategic Forecasting hack. I still feel bad for Jeremy Hammond. I don’t want to attack Jeremy Hammond’s skills, but I believe he is manipulated by the informant Hector Monsegur, or Sabu, because Hector was compromised at the time. And there are some secrets I know of the original Anonymous. All I can say is they were picked bone dry of talent by whoever could use them. My friendos in other communities told me about meeting Jeremy gloating about getting banned (and other influencers). And… that’s why I decided to no longer go to USA conferences anymore, along with all of the Trump 2.0 Bullshit that happened in the last two weeks.
And since then, talent networks have wormed their way into public institutions in the United States since at least the latter half of the 2010s. So many people have like NSA programs, all right? And these NSA programs are not just for training like little kids (NSA GenCyber). They also have programs that I’ve been through, vetted by faculty, where you’re basically a talent in a talent pool. And if you can pass specific challenges, then you may be thrown into a hiring pool, which I explained to you starting in fall 2022. It’s always going to be every first week of October. You may be contacted for recruitment, usually the National Security Agency. Never been contacted by the CISA, but for me, it was the NSA. And they even contacted me while I was on supervised release—immediately after I was on supervised release. And sometimes even the CIA comes to talk to you. I’ve been 191’d (Intelligence Community Directive 191 is an Intelligence Community policy obligating agencies to warn individuals, including U.S. citizens, of credible, impending threats of kidnapping, serious bodily harm, or murder identified during intelligence collection) four times in my life to be warned about some sort of threat against me. Four times in my life. But that was like other stories, and I’d rather just not go on with that.
An archetype to describe myself
I don’t know what the rules are, but I personally consider it a rule that you cannot refer to me by name because of the previous ‘Duty to Warn’ (ICD 191). And I did verify that these warnings regarding the threat to my life are indeed true by filing a Freedom of Information Act request to the Federal Bureau of Investigation shortly after I was discharged from supervised release on September 15, 2023—right after my book was published on January 1, 2024.
And you know, people have affectionately protected my identity using various Nintendo characters that you might have heard of. I think they were featured... yeah, you could say that the whole cast was in Super Smash Bros. Other ones are professional actors like Keanu Reeves, Jason Statham, or one of them was from that Apple TV+ show about Godzilla-like monsters [Monarch: Legacy of Monsters]. Other people have called me that because I am cheap but effective, because I can build full exploitation chains that work in short order using minimal resources. I actually have not rented a bulletproof server in many years, and what I did find out is that it’s also just a huge waste of money.
What else? So, people have affectionately named me after video game characters, movie characters, and professional actors, but I want to drive my own stake, and I hope this doesn’t actually tread on anyone. The reason why is because there’s no way that you could memorize this person as... hold on, let me just search it.
So, I didn’t see every episode of the X-Men original animated series of the 1990s, but there is a character introduced—I’m looking it up right now and the episode is titled ‘Longshot,’ Season 3, Episode 10 of the animated series. And the reason why is I did look up Longshot before the character, even though Longshot does not have much lore compared to all of the other characters in X-Men. So that’s why I deliberately picked Longshot as a way to describe myself. So that way it doesn’t crisscross and step on anyone’s toes because there’s no way that you can just recall me as a Longshot.
So, Longshot is a rebel leader and former TV star of Mojo World because Longshot’s powers basically allow him to give himself improbable abilities to defeat impossible odds. So he’s kind of like the Grammaton Cleric from the movie Equilibrium, but even better, in that he could simply just outdo impossible odds just for having incredibly good luck. Yeah, there’s actually not a lot. But I do remember this episode. It was a multi-part episode of the X-Men animated series and Longshot has the ability to outdo many things because the original X-Men cast were prisoners in Mojo’s TV show. Basically like a gladiatorial combat kind of thing, if I recall correctly, because even this fandom wiki is not that great or descriptive. So I’m just going off of what I remembered.
So that’s what I kind of identified with without actually confirming. Let’s see, what does Wikipedia say? ‘Powers and abilities: Longshot is acrobatic at a superhuman level, being able to evade blows by Spider-Man.’ He has a man’s healing abilities. Okay, but that’s not it. Ann Nocenti, who co-created Longshot, says of his primary superhuman trait: ‘Longshot has access to probabilities and luck. He’s lucky, he’s miraculous in a way. He was born with this talent to have access to being lucky.’
And the problem is that he finds out that there’s a flip side to luck; there are repercussions. If you pull probabilities toward yourself, you’re probably taking them away from other people, so it’s actually something that he shouldn’t even be doing. This power operates even without Longshot consciously willing it, and it is tied into the positive aspects of his personality. Should he attempt to use his power for a selfish or evil act, or should he lose hope, his powers will fail to function or even backfire, giving him bad luck. Echoing Nocenti’s words on the adverse side effects of his powers, Longshot’s luck is fickle by nature and can backfire when he overuses it, causing an equal and opposite effect of bad luck, which can affect himself or others.
Yeah, so I guess I’ll just pick the super rare, relatively unknown character that was only featured in the X-Men animated series—I believe two or three episodes—and that would be a great way. You know, because people have named me after actual video game characters, comic book characters, movie characters, and actual actors.

