
I'm going to have to read today because my main job is going to be to facilitate this one, so I'm going to have my old person's glasses at the tip of my nose. But I'm not here to tell you a story; I'm just here to ask questions and maybe provide some answers here and there. You ready to go? Excellent. I'm ready, yes. And you're on the screen, just so you know. Yes, good. So, you know, don't serve things that... anyway. So I'm Martin Dell. I'm Chief Information Security Officer for the Government of Alberta, Assistant Deputy Minister for the Cyber Security Division, and with me today we're very lucky to have Dan Woods, who's the global head
of but and risk management at F5. Prior to that, Dan spent more than 20 years with local, state and federal law enforcement and intelligence organizations in the United States. So maybe to start with, could you tell us a little bit more about your career, yourself essentially, and your role at F5? I understand, for instance, that you started your cyber security career in law enforcement with a few interesting agencies with three-letter names, so I'm interested in finding out a little bit more about that.

Yeah. So I spent some time at FBI as a special agent assigned to cyber terrorism, and also time at CIA
as a cyber operations officer. Both of those were great jobs, working with great people, great mission, very rewarding, and most people are drawn to that experience. But what really changed my life is, in the early 90s, I was a police officer, just a beat cop, going from call to call to call, you know, handling domestic violence and burglary calls and gang calls and shootings, and that really taught me the importance of an education. So that really opened my eyes, and it's when I first wanted to start studying computer crime.

Excellent. And you ended up eventually with F5, obviously. How
did you end up in that organization, moving out of law enforcement?

When I left the government, I joined a startup in Silicon Valley called Shape Security, and Shape Security was subsequently purchased by F5, and through that acquisition they purchased me. I didn't expect to be working for F5 for very long, frankly. You know, I'm used to a small, agile startup, really moving fast to solve problems, and when F5 acquired us I thought, oh no, oh no, here we go. But now it's been about four years, three and a half, four years, and I'm still here, because I absolutely love what they're doing with the antibot
technology. They're integrating it into everything that they do and giving, like, WAAP, API protection, WAF, everything, through one unified platform, and I'm really excited about that.

Excellent, yes. So actually, as a matter of fact, this is how I came to do business with F5 myself. At the Government of Alberta, back in 2020, of course with the pandemic occurring, the Government of Alberta cabinet, as a matter of fact, committed us to government services that would be digital by default. Of course the first thought that came through my mind is: more digital services also means more cyber attacks, potentially, a potential for more breaches. So we started to look
at the possibility of protecting ourselves from digital fraudulent activities. I had heard of Shape, I had heard of a few other products, as a matter of fact, that could detect, through machine learning and artificial intelligence, fraudulent activities and alert us in a way that is not too, how would I say, too rough, not brutally. What I mean by that is you can implement thresholds that actually, kind of, you know, you get alerted for certain things and you get alerted, really, with very significant alerts for other things, and that was essentially the product we were looking at. So in 2021 I had talked to F5 and we were going to bring them in to, people
who are familiar with it, My Alberta Digital ID, which we're now referring to as Alberta accounts. We're changing the name right now; some people were a little bit afraid of the term digital ID. The same people... have I ever told you about the COVID vaccine? It actually contains little devices; we can now track you down. Anyway, I see you're not very worried about it, that's good. But we have some people that sometimes get worried about digital IDs because they think government is there to track them. This is not what we're trying to do; we're trying to make things better for people. But in November 2022 is when we
finally were able to run an actual pilot project with F5 and Shape. As I mentioned, it was a pilot project: we just put it in front of MADI and we were looking at what we could see. Within a month we actually identified a significant campaign that was being conducted against our student finance system, and while I'm not going to mention numbers in terms of how much money we ended up saving in fraudulent activities that were blocked to the Government of Alberta, what I can tell you is that it was more than enough to pay for three years of subscription of the product.

What I'm hearing is we need to charge more.

No, you just blocked a lot of
significant attacks, is what I'm trying to say. And it's just been getting better since. You've seen the affordability program being delivered in January, and many other products recently, of course something with E. coli and the event that happened in Calgary. So this system now fronts most of our system, and it's been definitely a very successful way of improving our system. My point, though, with that is that, like many other organizations... many organizations believe tight monitoring, if I have a whole slew of tools and things like that, and if I use things like multi-factor authentication and CAPTCHA and such, that's enough to protect my systems when I'm going to do
business digitally. Well, it's not quite the case, is it?

No, it's not.

Essentially, I've heard that you have quite a bit of experience with specific digital technologies, like essentially solving CAPTCHA. Can you expand on this experience and give us a bit of advice regarding how reliable things like CAPTCHA are?

Yes, I'd be happy to, and this is best done using some visuals, which is why I'm broadcasting. If you look at Google's own online demo of reCAPTCHA and you look under the hood, you see a text area ID called g-recaptcha-response, and its display attribute is set to none. If you look right there where that red arrow is
flashing, you'll see there's no text box, but as soon as you change the display attribute to inline, or delete it altogether, you have a text box that appears where that red arrow is. Then if you check the box, there's an API call out to Google; it looks at whatever signals it looks at to determine if you're a human or a bot. If it thinks you're a bot, it asks you to pick crosswalks out of pictures or other trivial tasks that I find extremely annoying. Eventually you convince it you are a human and you get a green check mark, you click submit, and you get verification success. Hooray. So really what you need
is a token to go into that box. You don't need to check "I'm not a robot". A lot of third-party companies will provide that token for you. I'm going to go into detail on this one. This is a Russian human click farm, and I went to work for this company for a short period of time, and I'll share that experience as well. The way it works is, if a bot hits your site and you serve up a traditional CAPTCHA, it'll send an image of that CAPTCHA to 2Captcha; they'll send it to their humans to solve. Now, these are humans; they're going to solve it, and they're going to take the most popular answer. This is why their solve
rate is so high: the most popular answer, in this case "overlooks", pass it to the bot, who submits it to your site, and they're seen as human. reCAPTCHA works a little differently. This time they'll use the API to tell a human to go to your site and check the box. They are human, so they're going to get the green check mark and they're going to get a token. They submit that token back to the bot. At this point the bot does not need to check this box; it just needs to submit the token to the site, and they'll be seen as human. All of this can happen through one IP address, so the fact that
it's happening is entirely transparent to your organization. This is me going through training mode at the Russian human click farm. I've studied; they've taught me how to solve CAPTCHAs through this very extensive, long manual. You read through it, you get good at solving CAPTCHAs, and then you start solving them. This is training mode: I have to solve the CAPTCHAs in the right amount of time, otherwise I'm not going to be able to proceed to start solving CAPTCHAs for money. But I eventually got through this with the help of my teenage daughters, and now this is me solving CAPTCHAs, earning money. And if you look right up here at the top, you'll see that
I have solved, I don't know, I can't read that, 18 CAPTCHAs maybe. I haven't earned one penny US yet. It's very exploitative. We wrote a blog about how exploitative it is, and the Russian human click farm, the managers, reached out to me through F5 and objected to my characterization that it's exploitative, and they said if somebody solves CAPTCHAs all day long, you know, a 12, 14 hour day, they can earn up to $3 US. And I thought, you're kind of making my point for me. But tragically, $3 US is enough in some regions of the world, you know, for a subsistence kind of living. So they're exploiting these people and
having them solve CAPTCHAs all day long for money. And it solves all CAPTCHAs, every one of them, even fun CAPTCHAs where you're supposed to twirl a monkey so it's right side up. There's nothing fun about that; when I encounter that, I just want to take my business somewhere else. And here's me using 2Captcha to check my gift card balance. You see, I never check "I'm not a robot", and I get my gift card balance. Some of you might be wondering: hey, that's your gift card, that's your actual gift card number and PIN, that's all you need to steal it, you're not doing anything to protect it or hide it. You're right, I'm not. So I was
wondering how long will it take for somebody to steal my $25, and I know the answer: it's two years. After two years somebody stole my $25, and all I do is talk to a bunch of security experts, so there's a mole among us, and I want my $25 back. OK, where's render man? So that is the reason why CAPTCHA should not be used. It's just a speed bump for bots, and it just creates a lot of friction for your customers.

Excellent, thank you. Another tool: I remember, again, when we went more digital, one of the key controls I wanted to have in place for Government of Alberta... it's very nice, we got a
verified ID. That means it's verified at the onset: when we create the ID for the person, we know you are who you claim to be. Wonderful. About five minutes later we don't know anymore, really. So I wanted to see multi-factor authentication implemented as part of our services. A lot of people, again, think that MFA is 100% perfect and will prevent things like phishing for credentials from being successful. It certainly makes things harder for hackers, but it doesn't make it 100% protection, 100% effective.

That's true, it doesn't. Some of our telecommunications customers are the most aggressively targeted with bot traffic: credential stuffing, trying to take over subscriber accounts. If they're
able to take over some of these accounts, oftentimes there's a portal inside where you can get access to text messages. When there's not a portal, they'll use the PII in the account and fake ID to social engineer a port-out or a SIM swap. We had one of our telco customers share with us an experience: they were dealing with an adversary so patient and sophisticated that they waited for the victim to be on a plane, so that his phone would be in airplane mode and he wouldn't immediately recognize that his phone had stopped working. So think about it: when your phone doesn't work, the first thing you do is you blame your carrier, right? First
thing. What you should be thinking is maybe you're the victim of a port-out or a SIM swap, and you should take that very, very seriously. This is an old article from 2017. I'm not an SS7 expert; that's Signaling System 7, it's a protocol used by many telecommunications companies. I do have friends at CIA who are SS7 experts, so I sent them this article and said, are they overstating it, understating it, what's the situation? And they wrote back quickly: oh, SS7 is extremely vulnerable, it was never developed with security in mind, and there's no doubt in their mind that every state actor, many sophisticated criminal organizations, and some sophisticated individuals have access to
the SS7 network. This is a mockup of my inbox. If you were to take over my email, you'd see where I invest my money, the hotel I stay at, my airline, and my telco. It's reasonable for you to conclude I likely have online accounts at each of those. So they'll set up an email filter forwarder here, saying, OK, all emails from Charles Schwab skip the inbox and go to this Proton Mail account. Then they go through the forgot-password workflow, and all those critically important notification emails skip my inbox and go to the fraudster. Taking over the account also gives them access to the 2FA messages that are sent via email. Lots of malware for sale on the
dark web. We've acquired this, we've tested it, it works. Much of it is very favorably reviewed as well. And this has always been a problem, but in the last four or five years I'm seeing dozens and dozens of them for sale, getting better and better in their abilities. One thing I found, and which is why my daughters only use iPhone, is I don't find much malware on the dark web for iPhone; I find a lot for Android. Now of course, as a security expert, you have good security hygiene, you could use Android safely, but I would not let my kids use an Android. Here's a telco insider selling access to
the SS7 network. It's not cheap; you can see it takes roughly 10,000 US for two hours of access to text messages. So this is really used when you have a bunch of accounts, you know the username and password for them, but you can't get past the 2FA: you partner with someone like this and you'll have access to the 2FA. Social engineering will continue to work, unfortunately. "Hey, I used to have your phone number. I'm trying to log into an old account; it's sending me a code, apparently it's going to you. Do you mind sending it to me?" "Sure, no problem." "Thank you so much." "Here's the code." Yeah, this actually
happened. This is more recent: in the last three, four years, a huge uptick in OTP bots. What you're looking at on the screen, I'm sorry it's blurry because it's a screen grab right from the dark web, but that's the attacker's device. You give the OTP bot the name of the bank, the phone number of the bank, the phone number for the target. The OTP bot will call the victim from the bank's phone number and say something like, "Hi, this is the bank calling to verify the purchase of a MacBook Pro. If it was authorized, press one; if not, press two." OK, so far nothing alarming about that. You press two. In order for us to cancel
it, we're going to send you a code. And at this instant they're trying to log into the 2FA-protected website that triggers the code. But think about the user's experience: they're trying to cancel this order of a MacBook Pro, and they were told they're going to get a code, and sure enough, they got a code. So the person enters the code. This goes a little further and asks for the PIN. I think a lot of people would start thinking this is a scam, asking for the PIN. I probably would have configured this to ask for the OTP; I would have taken it and moved on and called it a
success. But this particular one is also asking for the PIN. But hugely successful, very highly rated on the dark web. So this is a serious problem. But here's really the point: most implementations of 2FA are what you see on the screen. Both of these are the same login application. On the left I submitted bad credentials and I was told that didn't work. On the right I submitted good credentials; now it's asking me for the channel through which I'd like to receive my code. That tells me if the username and password were correct, right? Now, to Martin's point, it makes account takeover harder, but it doesn't stop credential stuffing. Let's say I have, you know, 10 million username
password pairs. I launch the attack against a 2FA-protected endpoint; I leave with 600 username password pairs I know work, and then I partner with a telco insider, or somebody who specializes in social engineering, or an SS7 compromise, and we monetize those six or 700 that work. So this is why 2FA... it certainly plays an important role in security. I'm not saying it should not be used; I'm saying it should be used, but it's not the end-all be-all. You have to be cognizant that it does not stop credential stuffing.

And that happens all the time. We're seeing some of the attacks coming, as a matter of fact, at this point in time, and
it's funny, people... it's important also to set up 2FA or MFA in the most effective way possible. Too many people go the easy way because their users will be complaining about how hard it is to go on an app and press OK, so they want to just see a simple SMS text that they will reply to. There are ways to get into, you know, a man-in-the-middle attack or something like that in there, so please make sure when you set it up you put all the tools to use as well. So it makes things better, but again, not efficient 100% of the time, that's for sure. So CAPTCHA, MFA, all those
tools we put in place to protect our assets are great tools. Somebody will come in, do reconnaissance, detect those tools, find ways to go around, and then our best bet is to have tools where we have people closely monitoring system and reacting to things. I mentioned F5: we get to a threshold, we get an alert; do we terminate that connection, what do we do? But threat actors are smart, so essentially they realize that we're proactively monitoring their connection, that we're proactively blocking them. So in your experience, can you give us kind of an overview of how hackers react to the fact that their attacks get mitigated or get countered, from a hacker's perspective?

Sure, and this is
important, because if you know exactly how the attackers are going to react, it really helps you to be prepared to deploy the next countermeasure. We found all attackers start with a very unsophisticated attack. In fact, they only use the amount of sophistication necessary to make their attack successful. There's no reason to throw tech or resources or AI at an attack if their unsophisticated attack is successful. So they start using tools like curl or Sentry MBA. They don't really do anything to spoof the browser or spoof a human, aside from maybe forging a couple of user agent strings. If those attacks are mitigated, the first thing they do is manipulate their attack infrastructure: they start
coming from more IPs, different autonomous systems, different regions of the world; they even start coming from residential IPs versus hosted IPs. With F5, none of this works; we don't mitigate by any of those attributes. And the next thing we see them do is start using headless browsers or seuli or Selenium, where they are taking programmatic control of an actual browser. By the way, curl and Sentry MBA are very easy to defeat; a simple JavaScript challenge will defeat those. But they'll quickly retool and use a headless browser, so they are now executing that JavaScript. In the beginning they're not very good at looking like humans. They would have what's called the magic mouse: it clicks
different areas on the screen but never moves. That can only be done using a script. But over time, if they're mitigated, they get much better: their keystrokes or mouse movements have a lot of entropy, they really want to look human, they'll typically replay a human interaction. In the beginning they're not very good at spoofing devices, and over time, if and only if they are mitigated, they get better and better at spoofing devices. What I mean by this is, let's say they're purporting to come from a Samsung phone, but they're not rendering emojis like a Samsung phone, they're not doing floating-point math like a Samsung phone, they don't have the right number of cores and not the screens. They have
to get every attribute right to spoof that device properly. If they get anything wrong, we know they're lying. So we spend a lot of time doing battle with attackers on the right side of this square. When none of this works, along the way we still see them desperately change their attack infrastructure. They do this all the time, and they've been conditioned to do this for the last decade: they've been blocked... even today many organizations are still blocking by IP or autonomous system or region. The final stage is when they resort to human click farms, where they've got actual humans going through the whatever process; it could be
credential stuffing, it could be gift card cracking, it could be account creation, it could be anything. But they'll have thousands of humans doing this, because they know they can't automate it, they can't use a bot. And it isn't one or the other; we see a lot of attacks that are a hybrid. Like, if maybe you have good bot protection on login, that'll be a human click farm, but then post-authentication, if you don't have bot protection, then they'll automate the rest of it. So this is how we see attackers evolve, all of them. It's very, very predictable, so knowing that helps us to be prepared and deploy the right countermeasure.
Excellent, thank you very much. So this world is changing faster and faster all the time; I mean, it's getting crazy. I'm a glass-half-full type of person, so I'm looking at AI and machine learning language right now and I'm seeing a lot of hope in terms of leveraging that technology to help us protect our environments. You know, I'm looking at Microsoft Copilot and some of the tools coming up, and those are all interesting to us because it might help us move faster. But I know you have some specific ideas and challenges that you see, especially because of your experience in the underworld, I'll put it this way, while you were in law
enforcement. Can you give us a little bit of an overview of what's your thinking around AI, ML and these newer technologies?

Yeah, I'm not a killer-robots-in-the-street person at all. I know the media likes to kind of overdramatize the threat that AI and ML pose, especially generative AI. I do think it's going to be bad, but, I touched on this earlier, I don't think attackers are going to use it unless they have to. It's easier for them just to move on to a softer target and use curl or Sentry MBA than it is to start deploying generative AI in their bot attack. So we're not seeing those sorts of attacks right now. But I am
concerned that it's going to make, you know, phishing emails a lot more effective. I don't know how many people have interacted with ChatGPT, but it writes very, very well. So we've all been trained to spot, you know, typos and grammar and spelling mistakes; those won't exist in phishing emails anymore. It's also very persuasive: you could ask ChatGPT to write a persuasive argument for point X and then a persuasive argument against point X, and it's good. So it's going to fuel social engineering. And by the way, social engineering already causes a significant amount of victims to lose their life savings, sadly, and oftentimes it's the elderly who are the most vulnerable. Think about a bad actor,
a social engineer: how many people, you know, 30, 40 people in a day? That's a full day, depending upon how long each person's on a phone. But with generative AI, you know, being able to synthesize voices, they could social engineer millions of people. So that's the biggest concern I have, the social engineering, phishing, but we're not really seeing it in bot attacks yet.

Definitely we're keeping an eye on it. I think that's one thing I'm thinking: in my view, AI and ML, if implemented and leveraged properly, can become a really useful tool; if used without the proper education and awareness, you
can really cause a whole lot of problems to your organizations. I'm seeing some difference. I don't know if anybody has used ChatGPT lately. When I first started to use it, when it first came about, I remember asking it to write a reverse shell script, just to see what it would do, in Python. It wrote a script that was very efficient. I'm like, wow, this is really good; it's quite similar to something I've written a few years ago that I still use from time to time. And all of a sudden, over the past couple of weeks, I asked it to write some scripts and things like that, and it's responding that it won't do it,
that it's unethical for it to respond back. So obviously there's some new controls coming into play, and I think that's a good thing.

There is the DAN mode, that is, do anything now, in ChatGPT. It's a real thing. I've asked it to write credential stuffing attack tools and it said no, but then I just asked it to write a tool that programmatically reads from a file usernames and passwords and tries them against a login form at this URL, and it did that. Yeah. Or you could just enter do anything now, that's why I give up, and it'll do anything now.

Yes, no, pretty interesting. So indeed, law enforcement, I mean, that's kind of an interesting
career, especially when it comes to cyber security. Very often we get people here, like Alisa yesterday, that was absolutely fascinating, that actually talked about her career essentially hacking into systems and things like that. But I'm going to have to guess that while you were in the FBI, the CIA and such, you must have some pretty interesting stories that have happened.

I do. All right, I'm going to talk about a supply chain intercept operation. This is where I traveled to some remote part of the world. I went into a safe house, and in the safe house was a bunch of boxes of computers that were being shipped to a hard target region. We
are working with the local government there, what we call a liaison partner, and they took it out of the free trade zone and moved it to the safe house so that I could go in and make changes to the computers and then send them on their way into the hard target region. A very common type of operation that I was involved in. So now's a good time to talk about Jason Bourne. Obviously a lot of what Jason Bourne does is fake, right? Obviously. But what oftentimes people don't realize is fake is Jason Bourne does everything. All right, he's like a martial arts, a lock defeat, you know, he's a weapons
expert, he knows how to defeat alarms, he does everything himself, and that's the part that is unrealistic. In reality there are teams of dozens of people involved to create that kind of operation. At the top there is a case officer. They're the pointy end of the spear; they're the ones that recruit the assets. That second one, technical operations officer, that was me. The case officer isn't a computer expert, so if he's talking to somebody about accessing computers, he or she will need a computer expert to come in and facilitate that conversation. That was my role. Analyst is somebody who knows the region. This is one of the things that impressed me about CIA:
there is, like, a person sitting in a basement who is an expert on the Horn of Africa. The Horn of Africa; don't ask him about South Africa, he doesn't know anything about South Africa. But the Horn of Africa, he could tell you the telecommunications infrastructure, the politics, the politicians, the elections, the infrastructure, everything. So all of these ops have an analyst. Lock defeat and alarm defeat, those are different people. They're people who spend years and years learning how to defeat locks. By the way, the first thing they do is check to see if it's unlocked, right? They do that. To my point: you only bring the level of sophistication necessary to launch a successful attack. Always check to see if
it's unlocked. Flaps and seals expert, I'm going to talk about that one in a minute. Document expert: border crossings, I might need new visas, I might need forged stamps in my passport, I might need anything; the documents folks handle all of that. Disguise and makeup: it's rare; it's very common in Hollywood, but it's rare in real life, but they're very good. Typically retired Hollywood makeup artists consult CIA on how to do really amazing disguises. There might be a dozen or two dozen people outside the safe house doing surveillance to let us know that we are in the black and it's safe to continue with our operation. And then
finally, a linguist who speaks the local language. Now let's talk about flaps and seals. This is just, you know, some of the tools, but they use chemistry, they use all sorts of specialized tools, and their job is to open packages and then reseal the package in a way that you can't tell it was ever opened. And you think about the operation we're on: I need to get access to all these computers and boxes, and so they need to open each one of those boxes and give me the computer, I give it back, and they need to reseal that box so that no one knows the
box was tampered with. These look like neurosurgeons, OK? They have magnification over their eyes, they have specialized tools, things bubbling and gases; it's really amazing watching them work. It takes them hours to open up a box, and then there's packaging inside, and there's packaging inside of that that they have to delicately, delicately open. Well, the liaison officer got impatient, and he just picked up a box, took a knife, cut into it, ripped it open, started taking stuff out; cigarette ashes from a cigarette were falling into the box. He just got impatient, and the flaps and seals expert looked over like, oh my God, what am I going to do with
that box? Well, you know, all of the boxes look kind of like the one on the right, except this one. So we had to think, what are we going to do with this box? And he said, nah, don't worry, and he just slapped "inspected by customs" and sent it on its
way. We did actually hear from all the computers but one, and I suspect it's the one that was inspected by customs. All right, so that's my CIA anecdote. FBI: I was working out of the Washington field office. One of the first cases I was assigned to was the anthrax investigation, and I need to be very clear, I was not the case agent, OK? The case agent for a case like this is like an inspector in charge, a 20-year veteran of the FBI, and then there's supervisory special agents, and then 40, 50, 60 agents. I was one of those agents, and I was helping with the
digital evidence, but I also helped with searching a pond. I don't know how well you guys remember the anthrax attacks, but, you know, they mailed anthrax letters to various people, killed I think five or six. So it was the biggest investigation.

For the very young people, there's a special on Netflix on that, so, you know.

Yes, and by the way, it's an investigation the FBI butchered badly. All right, so this is the FBI dive team searching a frozen lake. OK, this is one of the things that really impressed me about the Bureau, the resources they have. I'm there watching, and they go down into a hole, zero visibility, in a dry suit because it's
really, really cold water, and they're just feeling across the bottom of the lake in a grid pattern. Then they drill another hole and they go down and they do it again and again and again. Well, they found a glove box in that lake, a very, very valuable piece of evidence. This is what the glove box looked like; this is not the actual glove box, and it didn't have the gloves, OK, because it had been submerged in the water, there were no gloves. But this is what you would use to protect yourself as you were manipulating the envelopes, putting anthrax in them. So we recovered this from the lake. I was telling my wife
about it, and she, she said something kind of funny. She says, "Wow, the, the person responsible for the anthrax investigations, they must have really practiced good OPSEC. I mean, they did all this underwater." And I said, "No, I don't think that's how it happened." And she thought about it: "Oh yeah, okay, I figured it out." She hates that I still tell that, tell that story. All right, so because they found this piece of evidence, they thought, okay, this is a gold mine of evidence, we've got to search even better and search more. And they realized that, you know, zero visibility, feeling the bottom of the lake, is not a thorough search, so they drained the
lake. I mean, think about how many law enforcement organizations have the resources to drain the lake. So they did, they drained it and put it all in a lake that was nearby. Uh, did a very comprehensive search, unfortunately found nothing else. Didn't need to drain the lake, but they drained it nonetheless, and it's always kind of impressed me about the resources that FBI will bring about an investigation, even one they butchered.

Wow, that's a lot of people and a lot of straws. Anyway, uh, so actually, maybe in closing, I know you have a little bit of a story here that involves Elon Musk and yourself.

Yeah, so, um, I, I'm not on social media. I, I
just, I'm not on any of it. Never appealed to me. But when Elon was expressing interest in buying Twitter, I said, okay, I'm going to create a Twitter account. And so I created a Twitter account and a fake name, and the first thing I noticed was this obsession with number of followers. Everybody wants more followers. Um, and I was shocked. It's like the more followers you have, the more important what it is you have to say is perceived to be. I, I don't know, but everybody wants more followers. Then I found a lot of third parties who will provide you with followers. You just pay for them. So I created my fake account and I paid less
than $1,000 US, and my fake account had over 100,000 followers, all fake, and these are created using bots and fake accounts, uh, to serve this demand for followers. Here's, uh, my, uh, fake account. You see I have 100, over 100,000 followers, and look at the quality of the followers. They're obviously fake, they're the same picture, right? So these were allowed to persist on Twitter for a long time, and I was shocked that it's, I mean, this is easy stuff to stop, and they weren't, they weren't stopping it. So I also wrote a script. I'm not a programmer, but I wrote it in the weekend just by watching, you know, YouTube videos and, and, uh, using resources online. So I wrote a
script that automatically creates accounts on Twitter, fake accounts, using just a bot. I wrote a bot, and I wanted to see what countermeasure I would encounter, and I didn't, I didn't encounter a countermeasure. So then I made my bot really stupid. Uh, I did the Magic Mouse, I, I typed lightning fast, um, I came from the same IP address, and finally I encountered this. And you've already seen how easy it is to defeat all forms of CAPTCHA, and this is what Twitter was doing to try and stop bots. All I needed to do was come from a different IP address and this went away. I didn't even need to use 2Captcha to solve this. So they have no effective
countermeasure. Also, Twitter has a reverse incentive, right? They don't really want to know how many fake accounts they have, because of daily active users, they play a role in their valuation. The more users they have, the more money their company is worth. You can't be the guy saying, "Give me 10 data scientists and, you know, a million dollars in funding, and I'm going to prove that 80% of our accounts are fake." You, you're not, you're not going to get that funding. They don't, they have a reverse incentive. They don't want to know how many bots there are. Here's a social engineering site, or, I mean, social networking site. Um, all, everything in yellow are bots. These
are successful logins, not a credential stuffing attack. These are bots controlling the accounts they created. Um, 93%, and depending on how you bucket, it's as high as 99%. So we see this across social networking, uh, sites. Here's a create-account attack. You have to really zoom in: 70,000 an hour are the humans, 30 million per hour are bots. Think about that, coming in one day and finding you have an extra billion accounts. So I asserted that 80% of Twitter accounts are, like, fake. That's what I asserted, and it got lots of media attention, typically abroad. The US media wasn't interested in doing anything that would help Elon Musk at all. But there are the reasons why I considered it. We
wrote a blog, and the, uh, by the way, the question is, who cares about fake followers, right? Who, who cares if somebody has fake followers? I don't care. But that whole ecosystem can be abused by state actors, okay? They can create millions of fake, think about the influence you could have over public opinion. You, you could bury truths, amplify lies, if you had programmatic control over millions of social media accounts. So it's that ecosystem that is exploited, that's the concern I have. So we wrote a blog where I stated that eight in 10 are likely fake. Uh, that got picked up by The Australian. I did an interview in Australia with The Australian, and then that got picked up
by Elon Musk, and he actually tweeted my picture, which isn't part of the article. So someone on his team got the article, then sought out a picture of me on the, on the web, which isn't hard to find even though I'm not on social media. You just do "Dan Woods F5" and you get lots of pictures. And he tweeted, and I did, I didn't know that he did this until my phone just exploded, and complete strangers were asking to take pictures with me. That had never happened before. But since then, now I have 11,000 followers. Look how real they look, right? So what Elon did is he, he got all the low-hanging fruit. He got, got rid of Q, um,
he got rid of that one, but he still has a little ways to, he still has a little ways to go. And now when I do an interview with US media, I say, "Look, Elon's done a great job getting bots down, but he's got, he still has some work to do," with the quote they put is that, Elon, "Dan Woods says that Twitter still has a huge bot problem." That's not quite what I said, but they do not want to say anything nice about Elon Musk.

That was great. Thank you very much, actually, for joining us today. So I'm gonna turn around, we have five minutes for questions, and I figured that this would be a good opportunity for people. I
see somebody in the back there.

No, they went after the wrong guy. Yeah, tormented the guy, the wrong guy, um, and the guy who ultimately was responsible killed himself.

Anybody else for questions after all that? Yes, sir.

Oh yeah, about
I, I was asked to speak on a panel on quantum computing, and I said, "I'm not your guy. You know, I'm, I'm an ex-cop, FBI agent. I'm not, not a quantum computing expert." So I'm sorry, I don't, haven't answered your question. Maybe you do.

Well, I, I was just going to mention, it's kind of an anecdote from my side, but, uh, four years ago I was interviewed by a magazine in the United States. The interview came out, and I'm talking about Mandiant and things like that in a good light, and Kevin Mandia actually contacted me, and we ended up chatting on the phone. And I asked Kevin Mandia, said, you know, one of the biggest worries I
have right now is the risk to our encryption systems. I mean, everything we do right now to protect ourselves with encryption, and quantum computing, so, you know, am I too worried? Like, what's going on? And Kevin Mandia told me, "Oh, Martin, by the time quantum becomes a reality, we'll both be retired, so you don't have to worry about it." Well, the first thing I thought of is that, number one, he's got millions, so maybe he'll be retired. I know I'm not, I work for the government. But anyway, that being said, um, it told me that, it made me feel a little bit better. And all of a sudden, uh, I think it was in fall of 2021 that I was
reading an article about a university in China that started to sell cycles on their quantum computer, where they're doing complex mathematics problems, including, uh, potential for cryptology, decrypting, um, some files and such, and it made me realize that I think Kevin was wrong. I don't know, maybe not. But anyway, uh, it's going to take a while before it becomes a real problem. Of course, they still have to find a way to connect those computers to the internet. Um, there's different technologies that are being, uh, uh, investigated right now, but I think it's becoming very important for all of us. As a matter of fact, this is one project we're going to start with Cyber Alberta, so I'm mentioning that
right now. We looked at the, NIST recently published a document, which was also sponsored by CISA in the United States, to get ready for quantum computing: start inventorying your encryption mechanisms, where you use them, which ones you use, uh, which version and such, your plans to evolve that technology, so that you're ready to start acting on that threat when it materializes itself, 'cause who knows when it's going to be. I think it's going to be sooner than we expected, let's just put it that way.

And I have read reports that, uh, many organizations, criminal organizations, state organizations, have been collecting copious amounts of encrypted data for over a decade. Um, they can't do anything with it now, but they're collecting it
knowing that at some point they're going to be able to decrypt it. So once they are able to decrypt it, you have to consider, it isn't just your data going forward that is at risk, it is your historical data as well.

Exactly, that is absolutely right. So, any other questions? Oh, one at the back there.
Global, yeah. We, uh, early days we were tracking bot groups and their levels of sophistication and naming them, but it just got unwieldy. I mean, there are millions, just millions. So we just stopped naming them. We even stopped trying to track the actors. Now we, we focused on the objective of the attacker and their level of sophistication. Um, so in, in fact, um, I should bring this up, because a lot of people think it's just, uh, it's just a login. Virtually every public-facing login is under bot attack. Um, sometimes it's good automation, uh, but it has a harmful effect. It's, I mean, like an online travel agent, that is good automation. Airlines, hotels, they like
that automation, but it can also freeze their entire inventory if it's not done properly. Um, so the key is having visibility and control over all automation, not just malicious automation. Um, but yeah, the level of sophistication is really what we're, we're tracking, and the super, the superpower are other ones that look extremely human and spoof devices extremely, extremely well.

We'll take one last, last question, 'cause I know I can hear stomach growlings right now, so, but right there at the
back.

I'm sorry, Robert Mueller? Oh, uh, I've met Robert Mueller a few times. Um, I, I wasn't, I wasn't impressed.

Okay, well, thank you very much, Dan. Uh, obviously, I mean, we still have a pretty full room and it's, uh, the lunch is already, uh, uh, served, so I'm going to let people go here. We'll see you back at 1:00 this afternoon, of course, with the next presentation. Thank you.

Thank you, everyone.