
All right. Okay, with the mics, are they working? Just turn them on. Okay. So Josh said on iron security today I'm talking about the collision that happens in physical safety space when digital was wrong.

So let's start: who am I? Christian, husband, for me to get a bio wedding anybody. President, CEO, as I mentioned, with that awesome, and it also means that I do everything, because when no volunteer is available I have to do the work. Volunteers: I do have volunteers, I have great volunteers, except for Matt, I don't know why we keep that guy around. Former intel, military intelligence officer, former military cyber operations officer, still doing that in the reserves for the next couple months, and then I'm out, free. Done some published research on social network science. I do some informal cyber security research, so that's kind of on a back burner lately with everything going on. Love me some Python; you get a lot of trouble with Python. Open source intelligence is a blast. And then judo is my hobby that I'm so bad at, but I just can't give up for whatever reason.

Today's agenda: slide decks have agendas, you guys don't really care about this. Well, I'm going to frame the talk though is who we are, what we've been into, and how that has been changing my perception of the role of cyber security, the role that enables other people to succeed. You're not going to hear a huge amount of tech in this talk. There is some to talk about how joins and relational databases can provide them. Anyone who didn't realize that Zeek is fundamentally a bunch of databases with foreign and primary keys, you're in for a surprise. And we're going to tell a couple stories along the way that I've sanitized. I've kind of brought them down to a tolerable level, not only for the sake of NDAs and all that stuff but for the sake of the violence and whatever else is in them. So I do want to give you kind of a warning in advance: you might encounter some of that. If it makes you uncomfortable, I have no hurt feelings if you want to leave or need to leave.
That said, here's one of them: 17, in summer of 2018, in central Europe, there's a woman who's been trafficked, most likely out of Eastern Europe into Central Europe, and she decides, after being sent on a job and being abused and disfigured on that job, that she's done, she's out. So she runs. She gets on a bus. She gets a hold of someone that then became my client and asked for help. These guys run a small safe house. They've got social workers, they've got counselors, help women find new jobs after they've been forced into slavery, moved around the world, and landing somewhere away from their family, away from the support network that probably abandoned them to begin with. And she goes there for help.

Well, we'll skip over for the moment all the opsec and open source intelligence failures that were done, or that led to basically the safe housing. So she's run from a gang, it's organized
their email, and they figure out where the CEO lives, all this stuff, and they decide that they're going to send abusive image material to the email. Basically says: we know who you are, we know you have her, she belongs to us, you're hurting our bottom line, give her back or more people are going to get hurt. Then the social workers' phones start ringing, and this harassment campaign goes on for a couple days. And then somehow the victim, we don't know how she caught word of it because they tried to keep it all tight to the chest, catches wind of it, flees back, is permanently injured, put in the hospital, and will never look the same again.
Why do I tell that story? Not to be emotionally heavy, though it is an emotionally heavy story. It's hard to tell. There are worse details in there, unfortunately. Because when we fail to do things like opsec right, we just say "use Signal, use Tor", and we talk about this bro mentality, consequences to people in the world, how to follow that advice when it's not good enough. When we don't do things like blocking loading of external resources, getting someone's IP address off of a safe house can quickly turn into geolocation. Phishing that safe house could be the same thing. So what do we do for the people who are out there alone and unafraid, who are in the field? They're getting their hands dirty, they're trying to help people, and they're too small to have an I.T. team, they're too small to have a security team, they don't know really what phishing is, much less how to stop it, and they certainly have the funds to hire Mandiant to come save them. Oh, and they're not journalists, so where's Citizen Lab gonna be, etc. That's not to throw shade on any of those companies, but that there's all of this milieu out there of people just trying to make the world a better place that are not being served. And that's where we come in.

We exist to provide cyber security support to people serving in dangerous situations. Our goal is to make them more effective at what they do instead of replacing them. I realize that they're not cyber security experts; they realize that I'm not an activist, I'm not a missionary, I'm not whatever they are. So we form a relationship and we make them a better version of what they were. In order to do that, I can't take this infosec attitude where I walk in and infosec as a means and an end unto itself. It must fundamentally be part of moving the mission forward. So that's what we do at Arika.

So now it's time to tell some kind of fun, some of which are kind of weird. We're gonna hard right turn: Zoom in the beginning of 2020. Does anyone remember that? It was actually 18
19 months ago. It wasn't yesterday, believe it or not. So in the Middle East, did anyone in here pay attention to what happened in various repressive Middle Eastern regimes when COVID locked them down too? Anyone see the news on that? VPNs that were legal gray areas were suddenly light gray instead. Tools like Zoom that were banned were suddenly legal. WhatsApp legal status changed a bunch. Signal's legal status changed a bunch. Next thing you know, you have people who are doing civil rights advocacy, as well as, in my case, Christian missionaries, reaching out saying like, hey, these tools are suddenly legal, but the communications department of the government is also saying "don't worry, they're legal, but we can still see everything you're doing." So where's the truth at? What's going on?

Well, surely Zoom is good enough, right? Their white paper said they were end-to-end encrypted. I won't get too much into what they're doing now, but we'll kind of harp on where they were at beginning 2020. Zoom sees this opportunity, they grab this gigantic audience, and they're telling people that they're safe, they're doing end-to-end encryption. So this picture on the left is actually what Zoom was telling people, but in reality the way they were implementing their crypto was resulting in exactly what was called, like, ECB. ECB mode was turned on. So that means that if you encrypted this picture of, you know, the Linux penguin with ECB mode on, you can still tell it's the Linux penguin, it's just in grayscale now. That's real good crypto, right? Those of us who've done any kind of crypto know that the pattern should be totally observable. But wait, it gets better, because they were doing end-to-end encryption, right? So the keys were stealable, which Citizen Lab proved, and what you're seeing on the far right there is the Citizen Lab proved you could intercept the keys, and once you intercepted the keys you could watch the entire thing. They did have to capture the video and the audio in two different channels, though.

So what does this mean if you're any kind of person who is just trying to use the tools that are available to get your job done when you can no longer leave your house and your job's somewhat risky, and the government's saying it's okay but we can watch you, and then the corporations are saying don't worry, we've got your back, but actually we don't really care because we're just trying to make money? I won't dig into these two vignettes too much, but we basically say that Zoom is not suitable for secrets. The reason we say that is, one, their crypto sucks; their architecture is designed to allow them to intercept it whenever they choose to; and then, if you need proof of the pudding, they said they'd never do this and they did.
So why am I talking about this? Because purple dragons. Here's DoD, you don't have to raise your, but you recognize the purple dragon: it's the opsec talk. I checked; unfortunately, the d20 joke, purple dragon is not one of the chromatic dragons in Dungeons and Dragons, so no such luck there. Might be there. So we're gonna talk opsec for a little bit, because this is a lot of what consumed our time in 2020 and quite a bit of our time in 2021.

Rule one, I like to say, is shut up, which is basically the same as loose lips sink ships. But that's not necessarily position, right? You accomplish your mission if you never talk to somebody, especially if you're in a people business? Probably not. Your unhackable computer that's unplugged in the corner and, like, a safe: great, secure, but it's not accomplishing anything for your business. So clearly we have to find opsec model that meets people where they're at, military strictly, and it can't be unusable. Well, that's not easy. So one of the things we started doing is trying to teach people what does it mean to analyze your operation and to figure out opsec from the perspective of operation security being a process that you do to identify the vulnerabilities that are fundamentally tied to your behavior and the mission that you're trying to accomplish. It's a lot about identifying: how is it, when I do something, how does that advertise who I am, what I'm trying to accomplish, and how can that be exploited? And then, even when it's not being exploited, how can that break?

But, soapbox: what is it not? It's not "use Signal, use", okay, those are good tools, but what's the problem with just jumping straight to tools? People and processes are completely removed. I see a bunch of, you can tell who the consultants in the room are. Yeah: people, processes, technology. Yeah. It's also not blanket advice. It's not "never use Facebook", right? It's not "never use Zoom". As much as, like, I discourage the use of Zoom, it's not to say you never can. You can't say WhatsApp is owned by Facebook, you should never touch it. Insert your app of choice. You can't say ProtonMail finally caved to a government so we can't use them anymore. It's just too complex for that. You also can't say always use open source, because, again, the teams you're working with have no I.T. team, so please explain to me how you're going to deploy Elastic and manage it as everything's changing without someone who even understands what's happening under the hood at Elastic.

Also just kind of silly privacy advice. Like, can we just take a moment to appreciate this is real advice, this bottom line: you should never give out your pet's name online. Now, if your pet's name is your password, okay, don't give it out online, but if you're smart enough
like not to use that as your recovery question or your password, it's okay to let people know. There's a fundamental disconnect, is what I'm trying to say, between what we see on Twitter, between the tech pros and the privacy bros, and what people actually need, particularly outside of the Western world.

So this is the framework that we've laid out. It's pretty straightforward. Foundational understanding is just basically how to use a computer, what does opsec mean, how to write a mission statement. And I'm going to dig into a couple of these, but I'll hit what they are for the moment. Environmental analysis and threat analysis are about the big four questions of framing what's going on in your area. Where are you? What does that area look like, and how does it impact what you're doing? You'd be surprised that some people have gone into areas that they're trying to help and they haven't even asked the question about how does where I live impact the work that I'm going to do, how does the demographic that I most interact with lock me out of other demographics that I'm actually trying to reach. Next two big questions: who are your threats? This is where we start attacking the tin foil, because everyone thinks that NSA is their threat, everyone thinks that the KGB is, I don't know how, KGB is not technically around anymore, but they're out there, they're still the boogeyman, still going to get me. But even more important, once you know who your threats are, how are they going to impact you? And we'll dig into that in just a minute.

Then we talk a little bit about operational analysis. If you can't explain what you're doing, then you probably don't know how it's going to break, and you don't know how someone's going to punch you in the face and break it for you. And then we try to get into the most simplified vulnerability management process possible: what could go wrong, model how it could possible, so that they're actually usable. So where I'm going to dig in a little bit, show like time through and it takes even longer to do, I'm going to dig into part of, I'm going to vulnerability modeling and vulnerability, just hit some weight stops, so don't worry about it.

The thing that I want to highlight here is identifying threats is a big part of how we do security, just period, whether that's ops or security. If you want a model for how to defend yourself besides one that's focused on what you have and how it's vulnerable, you need to understand how bad people want to hurt you. Categories of threats, so they stayed
with a international, lawful, unlawful, how they want to interact with you. But the big thing that we started discovering here is you talk to people and they're like, I'm working in, you know, this country near Saudi, you pick one of the ones in that region, and we think that the secret police are out to get. Well, secret police probably put your office
you for most people's threats when they're out moving around and they have sensitive cell phones in their laptops. And what do I mean by that? It's not necessarily going through an airport, though that is one of the cases. It's not necessarily actually hitting a Taliban. It's: I just got material father thinks is surreptitious or that I shouldn't have on my cell phone home, and because I'm a woman in this environment I don't have a right to privacy, and my brother took my phone, and my brother's the man so he gets to have the password to my phone, and he unlocks it and he sees the material, and now I'm at risk for my life.

So the thing we try to drive home to people here is to take the tin foil hat off. We'll get there when we get there. But also, someone wants to hit you with a missile, they're gonna get you. Calm down. Like, not much you can do about a threat that's patient enough and well-resourced enough to get you wherever you're at. What you can do, though, is think about how the person next to you, when you piss them off, is going to harm you, or is just going to report you or get upset with you. If you're really going to get on this police's radar, it's probably going to be because someone just got motivated to snitch on you. But then, even more important than how do I get on that radar and how do I get hurt, is how do I push that risk off to someone else, and am I ever doing that to them without their consent or informing them of what's happening? So when I put a pamphlet, when I put a Bible on someone else's phone where it's not supposed to be, did I inform them of what I was signing them up for, what they were signing themselves up for? And did I tell them "hide this in this particular way so that the secret police don't get you" and fail to inform them that their dad is probably really not going to like that? So that's why we talk through identifying threats: because realistic threats are so much more helpful for building a defensive model and a security model than just "I feel like I'm James Bond and therefore Hydra or whoever's coming after me." I know, mixing fandoms.

So, skipping over operational analysis, then we get down to vulnerabilities. We try to get, like, these are people that don't understand cyber security, not because they're dumb. If you listen to any of the talks that we're like about consulting, it's not because users are dumb, it's because users have built their expertise come to them. You've got to bring a model to them that says I understand what you're trying to accomplish and I want
to make this as usable for you as possible. So naturally in practice you're going to be, like, way over-technical and then way under-technical, and you're just going to kind of pin them around until you actually get to something that they understand and are going to use.

But kind of walk through a couple examples of how behaviors turn into compromises and different things that could go wrong. So, like, someone taking a weekly trip to Somerville. Imagine that you're in somewhere in Southeast Asia that has a city in Somerville that makes sense, and your whole team in a van, but somehow you want to keep the fact that you're all a team a secret. So imagine the situation where, like, this is a thing I want to keep protected, but I'm going to go get everybody in the same van at the same time, and how that gives away the very thing that you're potentially trying to protect. Information that's used or created by the whole team getting in the van and going to Somerville together: you get a dinner and size of the team, also the time of your weekly trip. Think through the assets and tools that you're using, whereas you're using your van, you're using your GPS, you're using whatever else to get there. And what are the ways that it could go wrong? Gas tank: that could be a million different things, right? You could just run out of gas, someone could actually do something to it. Tire pressure: accidents as well as deliberate sabotage there. And then obviously getting spotted traveling together.

I'll zip through the next one and go down to tracking the locals with the CRM. This one unfortunately is kind of a real case. So imagine, like, you're out there and you're trying to make contacts with people in a local area. There's a couple different use cases for this. The missionary one is the most straightforward; it's evangelism-motivated. The activist one is a little more complicated, because sometimes activists want to build grassroots movements. How do you explain to someone with no cyber security background the danger of putting all of their contacts for your surreptitious operation in a contact and resource manager so that anyone can find it, especially when that's an Excel sheet on your unencrypted laptop? One of the ways we try to do that is to get people to think about the information that's created or destroyed, or that's used and processed, when they're behaving in a particular way. I don't necessarily need to jump them straight to "this is how it moves over the wire" and "this is the type of cues". I need them to understand that by walking down the street something world around them, and is that something they want to communicate, something they don't want to communicate.

Teach three types of mitigation, mitigating control, excuse me.
As cyber security folks, we like to jump to the access. That's why we preach end-to-end encryption so much: it's an access control for data in transit, and in certain configurations it's somewhat of a control for data at rest. Unfortunately, when we preach that, we give people the idea that if I get into an encrypted channel I can run my mouth and it will never have any consequences. So something that we try to help people understand is there are two other types of controls, at least; this may be over find the model. But the first is behavioral: can I change what I'm doing to get rid of the vulnerability altogether? If I don't need port 22 facing the internet, can I turn it off? Just because it came turned on on Linux by default, do I really need it there? Maybe, maybe not. If I don't need to send that newsletter with everybody's information and all my sensitive operations out to all of my supporters, then I don't do that. Maybe I do need to send the newsletter, but I don't need to include that information. I don't have to worry about protecting information that I don't have, that I don't collect. I don't have to worry about securing information in transit that I don't send. So one of the easiest ways is to go back to loose lips sink ships and say: do I really need to say this thing before I say it? Going back to Russell Eumix talks, like, what is essential to getting my mission done, right? Do I need to say this to get my mission done? Or, let's just steal a quote from Robin Drake: am I doing this to satisfy my ego instead of to lead the team or to accomplish the mission?

They're all about people that have access to information, access information. People in this room probably understand those really, really well; it's everything from ACLs to cryptography. But analysis, things get a little, like, funky, because that means assuming breach: how do we make the information unusable to an adversary? And that's very, very hard to do and still keep it simple and usable. So we don't actually see a lot of counter-analysis controls, because it's really hard for someone without a lot of resources and time to keep moving forward.

That's where, but, big takeaways from this: build small and usable mitigations. Like, if I try to jump someone from not even understanding that behavior has consequences to, like, running some super secret squirrel, like, security stack without the time or money to do that, I'm probably not giving them something that's actually going to implement it. I can lay out the best plan in the world, but if it's too hard, if it's too unusable, it's not getting put into place. Mitigations that you can remember, particularly when it comes to behaviors, are better than complex solutions. I'm sure all of us have, like, been in a job somewhere where they're like, this is the whole security process, and you're like, can't remember it, not doing it. No one says that on purpose, but you get into the moment, you're like, what was it again? Oh yeah, go out the left door. And they're like, actually it was out the right door, up the stairs, down the stairs, turn around the building three times. And then finally, this is something that I personally struggle with, infosec does as well, is don't let perfect be the enemy of good. We have a really big problem with that at infosec. It's that, oh well, SMS is bad for two-factor. And yes it is, but if you're in Africa it's your only option. Is it better to have no two-factor or SMS two-factor? There's a lot of us walking around on the internet be like, well, you know, they could hijack your SIM card, and then where's your two-factor gonna be then? You know what they had to do? They had to hijack the SIM card. And if you had a weak password without that two-factor on there, they didn't even have to do that. So going back and stealing some ideas from military philosophy: extending the cost, or expanding the cost, that the enemy has to pay, the adversary has to pay, to get at you
with simple and small things.

Tell a couple stories here on consulting. So that's all, like, opsec training side. So then we'll take kind of a turn here and talk about consulting, which for us is teaching people how to build a cyber security program where one doesn't exist. Starts with helping people understand the need for a cyber security program. A couple ideas up here on the slide that we run into pretty consistently. "We don't need a cyber security program; if they break in, they can only steal emails." We have monetized cyber security to such an extent that people are stuck in a mindset of preventing monetary loss, and when you change the context into a small, altruistic non-profit organization, they then see: I don't have any money, so I don't have any money to lose, therefore cyber security is not a risk. But when you talk about the information in exchange for these guys, it's the location of people in the field, it's location of local partners, it's people that can get hurt if it gets out. And so you dig in and kind of help them understand that. So, okay, well, what happens to your operation in Indonesia if this information gets leaked? Oh, well, I have to shut it down and bring everyone home. Okay, so now we have something to protect. It's not something to hide, it's not necessarily money to keep in our pockets, people to enable.

Developers love to say that they built it right and they configured it right, I see you guys, say therefore it is secure. So how do you know if someone's knocking on your door if you don't have a doorbell and you never, like, listen at your door to hear if someone's knocking? So we've seen a lot of people put up, like, web servers and custom web apps and all this other stuff, and "it's secure, we built it right, also it's only accessible over port 443, it's running HTTPS, we're good." Never run a vuln scanner, never looked at, and there's certainly no monitoring in place. So now we have to back up and not only understand that there's something and someone to protect, but that there's kind of some simple steps, small disciplines, we can start taking in order to keep ourselves safe. The first is, once you build it, then let's start, like, routinely scanning it and checking it to see if it still behaves the way that we think it behaves. Security at its simplest is finding misbehaviors in the system. So if we build the system right, like we said we did, then we probably have documented how it should behave, and we can look for those small departures, and somewhere in those departures of how the correct behavior and misbehavior is the bad guy, if they're there. It's Cuckoo's Egg-level stuff.

Another misconception we run into is the money question when it comes to ransomware. So rents money, that doesn't mean they don't care about you just because you're broke. A lot of them are also opportunistic, but, you know, just because you don't have the three million dollar pot to give them doesn't mean they won't take seventeen thousand, empty your bank account, and walk away. Ransomware also is super fascinating. Did you guys ever think, you know, three, four years ago, reading about ransomware, you'd be reading discussions about ransomware's business model in 2021? That in 2020 and 2021 we would see the term "ransomware as a service" pop up? Like, these guys have better business models than most of us, and their customer service will put most infosec people to shame. So they will take what money you have and then either run away with the keys if you're too broke or get you back online and let someone else come in and come in a different day.

What's my point in all this? There's a mind shift change has to happen. As a security practitioner, you are not here to get your ego off. You're not here to show how cool and sexy cyber security is. You're here to take care of somebody. You're here to make someone else's business function. And then, "cheaper than a breach" is failing people. If you look at marketing out there, has
anyone ever seen that, like, on the internet, like, you know, cyber security br, we don't actually say "well, I'm cheaper than a breach", but we say breaches cost people 50 million dollars a year and I only cost 1 million dollars a year. I don't know about you guys, but my bank account doesn't support one million dollars a year, or 50, or 50 million. So clearly something's got to give somewhere in there. And insert a small talk about our funding model at this point. One of the reasons we exist is to help the people who can't afford the big companies to do it. So we come in and we try to give a fair rate that's, you know, at actual cyber security rate. We come into the bottom quartile every time by design, and it's still sticker shock for most people, because their frame of reference is the guy they hired to write the WordPress blog that then didn't get secured for them, and it's not, you know, any kind of cybersecurity consulting, much less incident response rates. If you guys have looked at incident response rates on the market, they are prohibitively high for most small, medium companies, much less non-profits. So then, you know, small pitch into how we get that done: we then go to our donors and we say there's a gap between what we want to make so that we can stay alive and what the client can afford because they have no money. So how do we get the client up to where the project should be appropriately priced?

Which leads us into one of the things that we do: it's network monitoring for safe houses. Sometimes call this the itty bitty MSSP. You've got some other names for it internally that are more fun. But the idea is, if you're running a small safe house, where protecting the geolocation is part of what your network needs to do, spotting threats that are crossing your perimeter is part of what it needs to do, and then selectively managing the content so that you're not a prison. You're trying to teach people about freedom and get them back on their feet and do self-determination, all these great things, but you don't want certain content, particularly that related to malware, getting through to you or to the people you're housing. So what we do in some cases, this is a very selective thing we're talking about, we put a managed firewall out there that runs some NIDS and also does some obfuscation and content filtering, and enables us basically to be a layer between them and the internet. And this was designed with that first vignette in mind that I threw out there, of when someone sends an email that should have been a phishing email, what have you done? One, to, like, just turn ATP on in their Exchange server, but because in Office 365, by the way, if those are unfamiliar, non-profits can get a discounted rate that can get them ATP. So if you do any consulting, like, even, you know, just someone's like, hey, I'm a friend, I'm in a non-profit, what should I do? Turn on ATP if you're using 365, and then if you're in Google Workspaces, they have an equivalent product; go in, make sure it's turned on. But past that level, we come in, we actually do some stuff for them to try to protect that.

So this is where, again, is some of the tech stuff and UML diagrams and whatnot. Not super interesting, but this is how we get it done. So on the left hand side we have the stack
of log collection so down on the endpoints we're pulling logs off disk we're feeding them up into um aws aws s3 using kinesis fire hoses dump stuff basically coming straight off those firewalls straight off those sensors into well-structured s3 buckets which we can then use amazon athena which is their implementation of parquet to read those file structures as if they were a sql database so if i'm pulling most cyber security data it's fundamentally well structured most of the cases so i can store it in a well schema relational database and you know combine it together in different ways this is where i go with like zeek is actually a relational database and a bunch of text files
on the flip side though okay so we thought about pulling a certain cloud approach and stopping with logs and running decision trees and doing all this machine learning stuff but then we realized that that's the top of the pyramid of pain we have no business being there instead let's get some ioc feeds and i'll share some free ones for you guys on the next couple slides and say like what if we have two pipes for iocs one is analysts have been doing hunting on the data let's feed it into the stack from what the analyst decided the signature should be and start creating alerts from that and the other is let's just pull the free and
trustworthy feeds uh into the system and put them in their own databases and start doing simple matching and then then at our edge where people are coming out of the system we can start blocking things that are bad and updating the the filter lists in the block list that also there's some web hook magic in there with git and not but it ultimately ends up in a database in parquet athena and then for those who aren't familiar sometimes a nid's alert is as simple as a sql join it's a lot of what's actually happening under the hood in most cases there's some rug x and other nonsense in there and then that feeds to an analyst you
can make a decision on it and that ultimately can go to again the blocking part or the notifying the customer what's going on when we talk about some of the things we're interested in researching eye chart of a slide this is just a proof of concept that if i access tor over it i can take a feed of tor nodes and prove that someone is doing that tor is a good use case of something that most networks don't need access to unless there's like an actual anonymity case out there somewhere um so yeah just a simple thing that you can block and also a really easy thing to detect when it happens in this case we're matching based on a known list of
tor nodes but tor's network signature in most cases is like by default it's really easy to spot as well so we have another hunt we can just use all that stuff straight at the surface some free feeds i'll pause here if you guys want to take a slide but there's a lot of good stuff out there there's a lot of noisy stuff out there too if you've ever used emerging threats open rules they are great and they are not tuned um if you want reputational information check out umbrella's top one million snort puts out a good ip block list dan dot me has like five or six different great sets of like this just informative lists
everything from um tor list to bad reputation scan a lot of similar information so does lsde to a free ioc feed for phishing check out openphish and then sans um that should be isc yeah internet storm center uh pardon that um has a bunch of stuff as well under the tools and data sections of their website so you don't just have to listen to their podcast you actually get their data too where i'm going with that and then we'll kind of land the talk here um coming back to use cases that infosec is not handling well stalkerware in 2020 saw a huge spike in use in domestic abuse cases where this overlaps with me as i'm
concerned with anti-trafficking control of accounts is one of the number one ways to monitor a victim of anti-trafficking the handler otherwise known as the pimp will control access to the google account control access to the phone they don't need stalkerware because they can just open the phone and read what's going on they can track my iphone whatever and see what's going on but as we see this increase in domestic abuse which shares ttps for control and monitoring we can reason that it will eventually find its way into the anti-trafficking space so clearly the info only tied to people being harmed already in domestic abuse space and may be tied to more harm in the future
unfortunately this is an area that we're totally missing the mark on previous research going back to as early as 2018 that i can find at this point basically shows that if you put this stuff in virustotal if you put this stuff in any kind of virus scanner they will almost always come back clean these are the manufacturers of four different types of uh stalkerware and you can see there's 86 detection in virus community edition by default and only two of these just distribution domains malware distribution domains get flagged as any type of suspicious and if you were to squint at the slide you would see that the worst that any of these get labeled
is potentially unwanted program that's adware that's not that bad i mean it's annoying it could be used to serve malware but it's just adware and then even worse most of these are i.t. tools or mobile communication tools you have a whole segment of commodity malware out there that's being treated like it has legitimate purpose even as companies like google and then a lot of the human rights organizations eff's actually on board with this with stalkerware coalition are saying like this is bad this is being used to literally hurt people we've got to stop doing this and the infosec community's like nah telecommunication tools in their defense though some of the actual apks and whatnot involved in this
do flag a little bit higher i think the highest i saw at any of these though uh was like 36 out of 86 so they're still under a 50 detection rate for like the actual binary doing the dirty work there is some good news though their c2 sucks it sucks it really does so these guys do not do anything to obfuscate once it's installed on the machine it's typically running as a background service and from there they're like we're not malware we have nothing to hide no one thinks we're malware we don't need to do this so what that means is the command control server is often provided by the service owner what that means is
their c2 one is arrogant and it's really really obvious it's like spotting signal on a network if you're running a pcap super clear self-provided c2 actually means the distribution domain is often the c2 domain so if i can figure out who's making it i can figure out how to spot it on nids we've also got some iocs for the actual binaries and whatnot so this is an example of some iocs we've collected for the community um you know excel table and whatnot port this up into our cloud nids and then we can see when we simulate traffic across it because they're using their own domains we can spot it really simply and then also if you wanted like a one-stop shop
for tracking stalkerware on the wire watch domain name uh dns requests for the word spy just put like an asterisk on either side of that you will find so much of these guys because they're so just like what we spy on people what's wrong with that well fortunately for us we can find it we can block it really easily and then some of them actually have obfuscated names yeah coming close to the end of the time so i'm going to stop there i've got more stories to share if you guys like want more you can come talk to me it's kind of
security and it was taken we turned it into latin and we're still here things that we need though right now we're doing a lot of consulting to do with volunteers who don't have time during the day because your clients need to see you when they're when you look at applications and networks not just people on facebook stalking drop sec we need people to communicate we could really use a volunteer coordinator and then obviously there's those curious we are a 501c3 if you are so inclined um so i'm going to stop here i do have some giveaways and i would love to take your questions there are the full calls
stefan what is the most the most rewarding thing that we've seen is when someone picked up a security like themselves so we saw like the story about the woman who was harmed completely transform security they just recently started a new on as more trafficking has gone online they've kind of followed it like in tech funnel and instead of being like hey we're doing this now let's go bolt on some security they've now switched into this idea of like this needs to be in the design process and in that regard they're actually showing more maturity than some like software development teams yes sir yes sir
so we no longer do pro bono work but we do highly subsidize work um what we learned is this is the life straw story is people that receive work for free don't typically care about it till they're scared and security requires people to put in work up front so all that said we do stuff that's very highly discounted um down to almost free but we don't do completely free and we do mostly work for other non-profits and missionary organizations my two most active projects right now are missionary organizations and then i've got two ongoing reoccurring things with small anti-traffickers one in europe one in the united states and then looking at my upcoming projects i've got
a couple more missionary ones in the pipe and then i've got a couple for for-profit sustainability ones and that's the other side of how we do fund some for profit work to make that risk margin by like taking people who can't afford to pay what the project is worth on we go like do some for-profit stuff we don't take home all that money it stays in the bank so that we can continue to do work when people can only pay five dollars a month yes sir
yeah yeah so i i look for two hours a week as kind of the minimum commitment um it sounds like a lot and well actually i think it sounds like a little bit but it's usually a kind of high bar for people to actually hit but we want them to average there instead of you know that always be the case um and then for the consultants we really need people who can jump on something last minute and do background research at a minimum so anywhere from you know eight to ten hours a month averaging out somewhere around two hours a week for people who end up on the the nids project it could be a little bit lower
because it's more asynchronous and it can kind of just keep pushing the ball forward without having to be involved in like actually working with clients yes sir
yes and no um so we've done that once so far and it worked really really well we plan to do it again in the future what where we're at with the internship program is figuring out what maturity level we need and frankly speaking when it comes to like leading a client engagement most college kids aren't quite ready for that yet but they still can be helpful by being on those calls and helping do some of the writing and researching um so the the short answer is yes the long answer is it's in progress and so not quite yet but hopefully by the time next summer break rolls around we'll have our our stuff together for that
we have not yet fortunately um and i think part of that is a a factor of being in the background uh and working for those organizations instead of like being out actually doing the work ourselves after down and grab one of these two simple answer we've been fortunate so far okay and then