
BSides DC 2019 - How Not to Cheat on Your Wife

BSides DC · 2019 · 43:19 · 165 views · Published 2019-10

Speaker: Joey Maresca

Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers. Alright, so: How to Not Cheat on Your Spouse, what Ashley Madison can teach us about OPSEC. About me, as I run through this really quick: for those of you, I am NOT who's in the program, tada. I'm Lost Knowledge. I was asked three minutes before this started to come on, so congratulations. Disclaimer: yes, all views and opinions contained within this presentation are my own, they do not represent the beliefs or opinions of my employer or any affiliated organizations. I really need to say that because I'm pretty sure my boss will be so happy when he finds out

I gave this talk on Monday. Oh yes, it's all a giant, like, humorous presentation, so for love of God please don't cheat on your spouse, I don't advocate that. Well, unless, you know, you go for it, you do you, I'm not here to kink shame. Furthermore, I do not claim that these methods ensure that you stay out of trouble, so if I tell you to do something for OPSEC, for love of God don't blame me when you get caught, it's not my fault. Background: anybody who doesn't know what OPSEC is, the word comes from military usage, it means operational security, shortened. It's basically all about situational awareness, protecting your identity, protecting your information, to avoid being caught in situations where you

don't normally want to be caught. So from the Ashley Madison point of view, right, it's people like, do you want to be caught by your spouse. For hackers that sometimes turns into not getting caught doing things you're not supposed to be doing, but we even see this in ethical hacking, in the world of red teaming and stuff like that, because we're trying to do things where we don't want our attacks and things to be caught. So that's all technically part of operational security. For people who have forgotten what Ashley Madison was, because that was like five plus years ago now, it was an alternative dating site in the sense that it was basically

focused on extramarital affairs, and there's a whole bunch of evidence to show that like 90% of the women on there were fake and they were created with bots and other information to lure guys in to spend money to have accounts. So lots of scams, fake accounts, paid deletions, all sorts of stuff with it that was real shady, but it was a great trove of data that got dumped out, to the point that at the time when this happened my employer actually paid me to go through the data to see if any of our employees had used their employee emails to sign up and register and were doing stuff on

Ashley Madison using their work accounts. But you would even see local message boards and Facebook groups where people were like, did you see who in our neighborhood was in the Ashley Madison dump? Like it was that prevalent that people with no skill were able to go through this data. So Impact Team is a group that called themselves hacktivists. Nobody really, I don't know if this ever got fixed, if anybody actually did figure out who they were, because I never kept up with the attribution side of it because it wasn't my thing, but basically they were the ones who got the data and released it out to the public, and it was very

extensive. It wasn't just the data that was in their databases, but there was source code for the web page, there were emails used by the company, all sorts of data was in there. I mean this thing was gigabytes, like 60, actually probably a hundred something total. I only had the stuff I cared about, which was everybody's personal data, because I'm weird, I know. Mm-hmm. So, identifying users. What's really interesting about this dump, and what's important to know, is Ashley Madison didn't do validation of email addresses, so you could sign up with any email address and you'd be good to go. They never did like those emails, like,

please validate that this is your email address. So you find some very interesting data inside the dump. Also IP addresses obviously are very poor indicators of who actually had accounts. When I was going through the data and actually doing, like, I was spot checking a lot of it when I was doing this presentation, but you could go in and for instances where you actually had physical addresses, if you matched that up to what IPs they had recorded, you were getting pretty close, in the sense of yeah, they had an IP assigned by, like, Comcast that they generally use in this one area, which matches up to that address that they had. And the only stuff

they had physical addresses for is when people used credit cards. Why people used their own Visas and didn't use gift cards I still don't know to this day. It's not that much work to go to Target and buy a Visa gift card, I swear. Yeah, this was a great political comment, like a comic that came out around the time of the massive data breach, which was actually very accurate: public shaming. Yeah, I'm not advocating public shaming, but like I mentioned before, message boards on the internet, people were outing their neighbors who were showing up on the list, and there was like, oh yeah, I knew something sketchy was going on at

that house, kind of thing. Like, it was bad. Yeah. And so the whole point that I tried to make is that because the email addresses are so easy to fake, because they never validated it, it's real easy, like I don't know if anybody ever thought of this, but setting up a whole account to ruin a marriage of somebody else, because they could. And then there's the fake account thing, right, so there were two other companies, Dates In Your City and JDI Dating, you can see combined they had almost a hundred thousand accounts tied to IPs that belong to that company. Like you could go look it up, and

according to ARIN that's who owned those IP addresses. Lots of IP addresses that were reported for accounts were set to home, so that's another eighty-two thousand accounts. So you can see there's a decent chunk of information that shows that there were accounts that were obviously being faked, either by bots or by employees of the company behind Ashley Madison. And so now the operational security for not cheating on your [unclear], totally not for cheating on your spouse. I have four basic steps to this, there's probably far more and a lot of these go into more depth, but: creating a plan for protecting an identity, creating a plan for burning an identity, acquiring

materials to execute your plan, and then next executing your plan. All of these have different issues and problems along the way, and so this is one of those things where everybody talks about, similarly to people talking about burner phones at DEF CON every year: it's not a burner phone if you go around telling everybody, I have a burner phone, here's the phone number for it, by the way my name is Bob and I work at... yeah. Do I need a burn plan? So as with most things in life, a lot of this is a risk assessment, right. When you're doing anything operationally, you're doing something stupid like cheating on your spouse, you're hacking into the FBI

or any other crazy-ass idea you might have that may border on illegal or potentially illegal, or if you're doing work for an actual pen test, it is: who are you targeting? Knowing who you're targeting, how paranoid you're actually going to be, and how much trouble would you be in if you're caught. Having physical connections is where everything falls apart, right. It's really easy on the internet to create accounts and email addresses and do all these virtual components that don't necessarily have to have a physical tie back into reality. What becomes an issue is if you get into money, you get into the need for

phones and computers and resources and all these physical things that make it easier to connect back to an individual person. It becomes a lot harder to maintain that type of operational security, and even personal security to some extent, depending on, again, how paranoid you are. So again, who cares if you get caught? Your ISPs, you know, if you're doing stupid [ __ ] on their networks they usually aren't fans of that. The companies you might be attacking, if it's a tech company, if you're hacking them. The FBI, for committing a crime or hacking the US government. Or your angry wife with a frying pan. So again, it's all about knowing your target and what's the ultimate end result

going to be, you know, and some of these it's jail time, and some of it it's giving half your [ __ ] away and spending the rest of your life paying your spouse because you did something stupid, and if you did something stupid that's on you. So, how a hacker can become infamous, yes, some classic OPSEC failures. So for people who don't remember [unclear], this is the case, I want to say they were down in Australia, and posted taunting pictures towards the FBI and Australian authorities and other groups, like haha, look what the [ __ ] we got away with. They left EXIF data in the [ __ ]

photos. That's how you got caught, dumbass. The Dread Pirate Roberts, that was another one, this happened, that came down right around the same time, and it was OPSEC issues. I'm pretty sure it's in my notes but I'm going off my memory now. As I recall, basically what they wound up tagging the original Dread Pirate Roberts with is there was some period in time where he crossed accounts. So like he would go into Tor and have one set of accounts to access the whole Dread Pirate Roberts persona and running the whole dark web market and whatever, all that [ __ ], but he somehow at some point had crossed that

with his personal email address and access from the same machine across IPs, I think while he was in Tor. That's how you get caught doing stupid [ __ ] like that. And actually that's one of the ways that they've broken, like, if you look at other experiences particularly of Tor. So I always warn people about it: Tor is only as safe as you are. Things that they've done in the past to catch people when Tor is involved is, a lot of times the default Tor Browser gets updated really slowly, so exploits hang around, so the exploits that they use drop on your machine, and the second you're off Tor and you're using the same computer again on standard

internet, they know where the [ __ ] you are, because you're accessing your standard DNS, you're accessing your standard web interface, you're using your other regular accounts, and that's how you get burned. So again, this is where the physical device [ __ ] you in that situation, because you're using the same physical device for two separate things and it's a common point to identify back to yourself. So, physical identity, how you'd identify in real life, right: I am a tall person, I look this way, it's kind of hard for me to alter this, right, there's only so much I can do. So name is very fluid, right, like I could walk into a room, and we're

really good at this in the hacker community, some of us better than others, about giving a handle and people not knowing what your actual name is, or what your real name is, and it's easy to give people another name or to go by another name, and until you need to do something that requires presenting an identification, it's really easy to use another name. But altering appearance is hard. Payment methods are actually relatively easy in a world where you can do a lot of cash, buy gift cards. And then equipment: the physical world is the harder to protect and alter, but it is easy to control if you put in time and effort, it just becomes work. Again, like I

mentioned earlier, identities online are really easy to create. So it's harder and harder to find email services where you don't need to give a cell phone or some other identification, for what they will argue is to allow you to recover your account, but the reality, a lot of it is to prevent spammers. They don't want people bot-generating accounts, and you're more likely to get flagged. You go to Gmail and create an account and about half the time you won't get asked. A lot of times you get flagged if you're coming from an IP, if you're using Tor or VPN or another service that has a common exit point and they see a lot of

traffic that comes from those, you're more likely to get flagged when you do account creation and have to provide a phone number or an alternate email address or whatever else. But online personas are much easier to control, they allow you to segment, because there's a lot of anonymity to them. Hmm. So again, as I mentioned before, avoid cross-contamination, right, trying to keep multiple accounts becomes a lot of work. Avoid using real information, obviously. [Music] Avoiding predictable behavior, this is probably the hardest one from both a physical and an online presence, as people get into patterns of life, patterns of behavior, which can make it a lot easier to identify individuals or narrow down groups of individuals based

on patterns of life and behaviors, right. So you see this if you go read some of the APT reports for nation state level actors, they're really great about only attacking during the business hours of whatever country they're in, which is great operational security when you want to identify who it is that's attacking you. Oh look, it's 8:00 to 5:00 in Russia, yep, that's when we're getting attacked. So pattern of life is one of those things. Acquisitions: money, right, don't use credit cards. It's like a no-brainer, you would think; the Ashley Madison dump shows us otherwise. In the real world, transactions using cash is easy, use cash to get gift cards, to purchase Visa gift cards that are

literally cash equivalents essentially at that point, but they can be used as credit cards everywhere. If gift cards fail, there's also rechargeable debit cards you can get now, they sell these things right next to the gift cards usually, and a lot of times you can recharge them, sometimes at the stores they'll do it, sometimes there are little machines in kiosks, you can do it via app, but they're basically treated like a standard debit card at that point. And there's obviously Bitcoin, Dogecoin, Litecoin, every other cryptocurrency, and online-specific gift cards. So what Ashley Madison teaches about money: people are stupid. There were over 9 million credit card transactions, less than 200,000 were verifiably used as gift cards, and I say

verifiably because they literally were the people who were smart enough to put the name field as "gift card" or whatever gift card name was on there, or clearly a non-human name. If I went through and took all the card numbers I could process this out, run them through checkers and identify banks and even probably narrow down gift cards, because a lot of those first eight digits will identify that information. The people who did use gift cards still [ __ ] [ __ ] up: they still used their real email addresses when they did purchasing, they still used their real addresses, they still connected from home.

You were still seeing, there were some people who got smart, like every once in a while you'd come across a gift card, here's the gift card number, 123 Main Street, Some Town USA, like they found, and that's how they were entering their charges. So some people were doing it right, but a very, very small percentage. So, equipment, right: don't reuse equipment. So this [unclear] we're using, don't reuse computers when you can. Prepaid wireless is dirt cheap nowadays, hell, even postpaid wireless is getting to a point where it's dirt cheap, problem is they do credit checks and everything else for postpaid. Hotspots are easy to get when everybody has an MVNO that runs

off one of the big providers, so it's easy to find stuff. You can walk into a Walmart, buy the Walmart wireless gear with cash, buy the service with cash, so it's all cash. When we're doing physical equipment, like cash, cash is king, because nobody's tracking it. It's not like a credit card. Even the gift cards get squirrelly, and if you're going to buy large quantities of gift cards you need to spread that [ __ ] out, because that starts raising red flags at stores, and some stores do cap gift card purchases. What's changed about equipment: there was a lot of BlackBerry used, I kid you not, people had registered their BlackBerry, like,

email address that they were using to get [ __ ]. So there was just a lot of that stuff going on, I guess business guys on travel all the time, that's, you know, oh, I got my BlackBerry, let's see if there's any hot dates in this town. Yeah, I don't know. Shopping options: so again, taking cash, retail's aplenty, because this requires you to go, like, be on camera, right. So at the I'm-cheating-on-my-wife level, where no police or anybody are gonna be involved, probably not a big deal. If you're getting into an illegal area, you're still going to be on camera

somewhere buying gear, but even then a lot of that's hard to track. But the other thing you can do with cash is Craigslist, and usually nobody's tracking that, and if you've got your online presence properly separated you can go buy some laptop off some dude and hope that he wasn't previously using that to do illegal activity. Excuse me sir, I saw you had this computer here, could you tell me, have you ever used it for illegal activity in the past? I just need to make sure it's not been. But the other place to look for stuff like that too are thrift stores, looking for like Goodwill, Salvation Army, you'll find

stuff, the old computers. Listen, if you're doing something like cheating on your spouse you don't need high-power equipment to be, you know, snooping around online. You might have to figure out how you're hiding it from your significant other, but I'm not questioning your relationship choices. So, more options: Craigslist, Amazon Lockers, again this goes back to needing the gift cards, and they are recording you when you go to pick those up. There's grab-and-go lockers at the Walmarts, so there's tons of places to even get stuff shipped to you now to do this. So again, it's all about determining where the risk is. The other thing

I'll say too, and this is probably more an issue now than it was even five years ago when I was first looking at this data and first putting this talk together, is a lot of these services now, particularly with computers and computer equipment, so like the Amazon Locker thing, in addition to being recorded when we pick [ __ ] up, much stuff is serial numbered, and if it's on the packaging they record it on the way out and they record it on the way back in for returns. So the Amazons of the world can probably tell the FBI or State Police that came looking, hey, we found this computer that we know was used in

the crime and we have the serial number, can you trace where it went? They would be able to say which locker, probably even have the picture of whoever picked it up too. How long they keep that data, who knows, but that is a serious issue of trying to order stuff online, is the serial number tracking of stuff getting ordered online. So again, internet is stupid easy, there's free hotspots, free Wi-Fi everywhere. If you're going and doing illegal activity, really, you can just go and find somebody who's still running WEP and crap like that, or has a really crappy passphrase on their WPA, and just steal

their wireless. Prepaid hotspots are also everywhere, so there's plenty of opportunities to get internet without using your home internet access or your own cell phone, because we all carry wireless in our pocket now. Hey, I'll have to pull it off, five years later it's still there, um. VPN, right, so this becomes a privacy concern: do you trust your hosting provider? This is really great nowadays, right after the NordVPN breach, so very appropriate there, which is the double-edged sword, right: you had privacy because they weren't keeping logs, but nobody knows who the [ __ ] has your data now because they didn't keep any logs. Yeah, encryption, you do have no real

anonymity. I mean, you can have your online persona, you can keep that separation, you can do your money, you still have separation, but there's still that persona, it's still tied to the VPN unless you're rolling your own, getting a VPS, but you're still paying for the VPS to somebody, right, at some point you've got to give people money. Tor: you have anonymity but you don't know who the hell's listening. Do you trust your exit nodes? It's great for being anonymous, it's not necessarily great for protecting your data, particularly if you don't keep track of doing, you know, TLS through your Tor tunnels. Um, but Tor is great for that. You know, I'm not

a fan of Tor. Tor plus VPN, it's like the combination that gives you everything. Conveniently enough, NordVPN is one of the providers who used to do that. So I haven't updated this slide because, again, five minutes before. There's a ton more providers now where Tor plus VPN is an option on the VPN tunneling. So if that's something that you want, even now, maybe not even just from an operational security perspective of doing something, whether it's a pen test or doing something illegal or cheating on your spouse, no matter what you're doing, if you want that combination there are a lot of providers that do that now, so it's worth looking for: is this

one of the things I want out of my VPN service?

Yeah, I mean if all you're doing is avoiding your spouse that could work. I don't even know if it's still, I don't even know, so this worked five years ago. I don't know if any of the AOL proxies are still around or still working today. This used to be really big with scammers out of Europe, they would be using AOL proxies because it made everything look like they're in the U.S. There were a lot of accounts made this way, by the way. So VPSs, they were cheap. As a matter of fact, you can get the very baseline cloud compute infrastructure from Amazon or from Google for free. I mean, it's not a

powerful box but it works. There's really cheap fly-by-night providers that you can pay like five bucks to ten bucks to and have a server, and that can be the point where your system burns and you disconnect everything, right. So if your last control point is where everything's happening from, it gives you a unit of segmentation from everything else. It doesn't mean you can give up on OPSEC on your laptop or whatever you're using. I suppose at this point you could do this from your cell phone, I mean, in the five years since I remember doing this talk the first time, cell phones have come a long way. Still, so we're over that point. The point is, though, it

becomes a big deal. Email, as I mentioned before, it becomes really hard to find ones where you don't need phone validation anymore. Gmail is a 50/50 shot. I don't remember about Yahoo Mail. Last time I tried a mail.com account I do think it asked for an email. ProtonMail actually is really great for that, apparently they don't ask for anything, in their quest for giving you privacy they don't ask for a hell of a lot. So if you're fine with their free tier and don't need a lot of storage, that's a totally great option. If you do want a different mail provider, prepaid phones work to fill this

gap: if they ask for a phone number and you only need it during registration, after that you can throw the thing into a fire and never use it again. If you don't want to... what were they thinking? Boy, there were tons of corporate emails. Again, they weren't actually checking the emails, but do you guys think some people were actually signing up for that? Some people using their SMS and MMS as email. So for those who don't know, because nobody uses this really anymore, pretty much everybody in here has a cell phone, which is, I guess, everybody in the room. You can send a media message to your phone using your

phone number at, and then whatever your cell phone provider's email string is. They have a different one, each of them have a different one, so like it may be media at yourserviceprovider MMS dot com or something ridiculous like that. So there were some people who signed up using that. Means a lot, like I said earlier, lots of [unclear] emails, some school emails. The WTF of it: there were twelve thousand .mil email addresses used, and for, you know, anybody who went to an academy, Army one. So there you go. There were 2,200 .gov emails spread across every known agency, for NSA three of which I can confirm based on

the way the formatting of them, they weren't legit. [unclear] CIA, seven FBI, only two that I know were legitimate, and there's another reason why I know that. And fifty-seven DHS. The reason I know that is because there were a lot of, like, really, like, appears like, you know, stupid stuff like this, is why we don't trust emails: Joe Biden wasn't, had a one person, Obama supposedly had one, yeah, maybe so, but you know. Oh, this is why you can't trust the FBI one: like, Agent Mulder had like five of those seven accounts were his FBI email account, and I have to imagine somebody at FBI after X-Files originally came out created email accounts for them just to

see what the hell would come into those email accounts. And if so, if anybody from the FBI is here or ever watches this, please let me know, I would love to see those emails because I'm sure they're hilarious. Hmm. No, they didn't do any email verification, so that's what makes it hard, that's why we can't trust the emails from the Ashley Madison dump as any valid form of identification: because they didn't do validation, they basically let you sign up and you were good to go. They never sent an email validation back, so any email address could be used. A lot of email addresses were used multiple times, that's why in the case of the FBI

I knew only two of them could potentially be legit, because five of the seven belonged to this guy. So they weren't even using it as a unique identifier, by the way, so you could have the same email multiple times. I don't even know how their [ __ ] worked, no wonder they were breached. Some truths: paranoia, a lot of this will be overkill.

Local law enforcement is going to be a pretty limited source, right, like if you're doing something illegal and stupid, if you don't get to the bar that the FBI cares about, most local law enforcement agencies' bar is pretty low. State agencies are a little better, they're getting better. Companies are actually getting a lot better. I highly recommend never trying to, don't ever attack anybody, that's illegal, but for love of God, don't; anybody who's been breached before, most of them learned their lessons, I say most. Nation state level is where things get a little nutty, right, I mean so conspiracy theorists don't stand a chance, though who knows. Old-fashioned cheating is cheaper: the fees for Ashley Madison

were outrageous, and as we see from their data it was largely a scam, right. The online fees were high, like the amount of time and effort you have to do to set up a VPN, to create extra accounts, and you still have all the same expenses as cheating normally: you still need the sketchy hotel room, you still have to go pick people up in the bar for random bar dates and rendezvous, or before they tore down all the casual hookups on Craigslist you had to still go through there and pay the hooker money, and the inevitable divorce attorney fees. Like, there's all this stuff, right, all these costs are still there. Save the money,

just go to the bar. A lot of this is common sense, right, like I don't always say super things, but yes, keep talking to make it sound worse, right. A lot of this makes sense, a lot of this is just common sense. Like if I walk into a room full of people and say, you know, hey, I'm gonna go, you know, oh [ __ ], I'm just gonna switch this right now and bust into my Kali VM and let's just start hacking in the hotel, like that's stupid, because I just admitted to a whole room full of people, on camera, everything else, I'm gonna do stupid illegal [ __ ]. So

sometimes the best thing you do is just keep your mouth shut. Wow, yeah, see, I did fly through this because I started really late. Mmm, so I will take questions now as I flew through that really quickly. Yes? Yeah, so the question is, did I see any VPNs or VPSs or anything like that. I do think there were a couple. IP geolocation, IPs, I didn't run the entire thing, so a lot of it was about checking, especially for IPs, because at the time when I was being paid for it was checking email, so emails got first dive, and then from there when I was working on this talk a lot of it was

what I wanted, I'm gonna focus on what I have verifiable data for. So those nine hundred some odd thousand, or nine million or whatever, credit card transactions were my hard data, that's like, I have to have an address because they ran a credit card. Let me tell you, what they were storing is not PCI compliant, whew. But yeah, so because of that it was a very tight set, so IPs I didn't go all the way through. I know I still have this data set sitting around somewhere and that is probably one of those things that would be fun to look at, is pull those data and run all the ARIN

requests, and it'd be a stupid easy script to pull out IPs and then just make whois calls to see who owns them all. The problem you run into with a lot of the VPSs is I would have to probably run those outside of just ARIN, because most of those are just going to show up as the provider. So like a NordVPN one is probably not actually gonna show up as owned by Nord, it's going to show as owned by whatever data center they're coming out of. But I'd still get the same amount of information, roughly. Yeah, but ARIN keeps historical records too, so you can see some of the time frame, and

people have gotten so together it would probably be some change over this time. The other thing that's happened a lot since, back when the data set came out, there wasn't as much ISP NATing going on as there is today, so benefit for anybody who actually wanted to go track historical data, because you're actually seeing people's IP and not the Comcast NAT IP that everybody inside a cluster comes out of. Yes? So the question is, did it actually find anybody from my company? No, I did not, so we didn't have anybody using their working email addresses, there were none of our work addresses that came up in that. And I checked a couple of other

companies that I either had worked with in the immediate timeframe before, just to kind of, like, I could always reach back and be like, hey, I'm seeing this, somebody did this, you might want to look into it. And I may have searched for a few people who I didn't like, there, I'd be lying to say there weren't a few people I'm like, I never trusted that guy, let's see if he's on the list. But no, for my own company, I did not see anybody. Yes? Like a true hard ratio is hard to come by, in part because with no validation, like I was able to see, yeah, there was at

least a couple hundred thousand that were clearly fakes, but there was a lot of reports of, oh, this person, this account here can't be real, or, you know, it's hard to identify in some cases. Some of them you could actually probably check, like user names, and see if they're used elsewhere, because some of them were fairly unique user names, so they're probably stuff that people are using in other spaces too, and they weren't just like, you know, Jenny123 or something stupid like that, that anybody who's named Jenny could use. Any other questions?

[Music]

It's social, it's, well, the best thing I can say is, like, get rid of everything and anything that you can. It's easier if you have, like, a single burn point, right? So this is why I say, like, if you're having a physical separation, don't use the same computer and just say, well, I'm fine because I'm going to Tor. If you're using one computer, and you only use that computer for that, and you're using Starbucks Wi-Fi everywhere you go, this goes back to the pattern-of-life thing, right? So this is, like, the catch-22, right? So you watch all those, like, TV shows, where people don't go outside a certain radius of

their house. So, like, your first logic is, I'm gonna go outside the radius of my house, and the next thing you know you've created this giant black circle where you never go. So it's, like, go to places around your house, but also drive to the Starbucks 20 miles away, and, like, spread it out, right? It becomes a little bit easier. But this is where, from the cheating perspective, it becomes hard for a business guy, right? Like, if you're cheating in whatever city you're going to, and your wife actually hired a PI because she's catching on to you, and he's actually following, like, he's actually following card transactions, or he's, like,

found this persona he thinks is you and now he's tracking it, it's not hard for him to put two and two together if he starts deploying, you know, fake personas in different cities that he knows you're traveling to, so that he can see if he can get a connection made in those individual cities and make that connection. Which is why I say, just go to the bar, it's easier. Any other questions? Yes?

[Music]

How did it... So the question is kind of, like, once more, a little bit more on Tor, and how people are getting away with all this stuff if, as I'm claiming, it's not as secure. So a big part of the problem with Tor, particularly the market for identities and credit cards, is a lot of people are international, so there becomes a hard stop for, like, US-based. And it's not even just that they're foreign; they're in Russia, or they're in Eastern Europe, or they're in other non-extradition countries, so it becomes a lot harder to be like, well, we want to shut this down. So usually they have to go... a lot of the ways they go

for those routes is, well, they use a hosting provider that's in a country we do have connections with. Okay, well, we shut down the host; well, they just pick it up and move it somewhere else. The other thing too is, so there was a recent case of a relatively large ring of, like, child pornography that just got shut down; it was multinational, and it was based around Tor. I'm pretty... yeah, they were using Tor; they always use Tor. But what happens is, in those situations you also have to assume that there's probably active investigation of some sort, and you're never going to get confirmation or denial that, like, an actual

investigation of those sorts of illegal things is happening until they get shut down and the giant, like, DOJ logo shows up on the company's web page saying they've been shut down. And we've seen that even in, like, non-Tor and non-"dark web" (god, I hate that phrase) sites. So, like, Backpage was the sketchier Craigslist, we'll call it, and they got DOJ'd at some point, because their involvement in the prostitution that was going on through there was probably a little more direct than what most people realize. So, and honestly, the international factors are big players, and it's a big part of the reason why a lot of the malware, like, our race against it is

well, we stopped one thing; well, now here's a new banking Trojan, or here's a new, like, you know, CryptoLocker, and all these different things, because they're all international, and that's where a lot of our hard stop is. So a lot of times it's just easier for us to implement the corrective actions and move on. Yes? Who am I again? Sweet. I don't... do I have my clothes outside? I don't. So I am lost knowledge. So for anybody who missed my opening slide, I know I'm, like, the substitute fellow. Go back to my first slide; could you actually see that? Spelled, it's like

the whole presentation reversed? It did. That means, like, the Benny Hill music. Here we go. Ha, there's how it's spelled, with zeros. It's that way on Twitter, it's that way on Twitch, it's that way pretty much everywhere: lost knowledge ComNet. So yes, yeah, I've been doing InfoSec for 14-plus years at this point, so I'm just an angry hacker. It's really all I have to say about that. Any other questions?

[Music]

Yeah, yeah, so the question is kind of, like, you know, using the abilities to identify and detect fake accounts against, like, social media. What's very interesting about social media, and the social media bot issue right now, is that a lot of the people who are generating fake social media accounts are state-backed groups, which means they have all the money and funds to make it a lot harder to detect them. One of my big takeaways of operational security in general always is: you can do it really well, but it takes a lot of work, and so the more money a group or an individual or person has, the easier it is for them

to hide that they're fake, that they're bots, that they're not real. Where a lot of this stuff in social media today catches these things is when they see the same tweets going along; it's the same, like, five or six groups, and they're growing, and trying to make them look organic, but they're always communicating and interacting with each other. That's how some of the really early ones got busted. And then some, like the really lazy bots, just do, like, the generic Twitter account generation, which is, like, your first name plus, like, six characters. And then you start spending time looking around, realizing there's a lot of really lazy people who don't know how Twitter

works, and that's how their Twitter handles and accounts are, which is really frustrating when you're trying to identify, in your own Twitter feed and the people who are following you, who's actually a bot or not. There actually is a service that you can log in to with your Twitter account, and they will go through and look and identify, like, this percentage of your followers are bots, and they're using heuristics and trying to look at that same data. Twitter, in theory, has access to enough data, in depth, that they could identify those and probably pull them quicker, but the problem you're going to run into, as with everything, is the second a lot of machines start doing that, they're gonna

start banning real accounts, and shit's gonna go down, because people will be pissed off, because, oh, you know, it's disproportionately affecting people on the right or on the left or whatever, and people are gonna get angry. It's the problem with letting the machines make a decision. I think, if they are interested, I think that my...

[Music]
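The three tells the speaker describes (a name-plus-digits generated handle, the same tweet text posted by a small group, and that group replying mostly to itself), as an added Python example that is not part of the talk; the account names, tweets and reply edges are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Heuristic 1: the "first name plus about six characters" shape of a lazily generated handle.
LAZY_HANDLE = re.compile(r"[A-Za-z]{2,15}\d{6,8}")

def looks_generated(handle):
    """True when the handle is a bare name followed by 6 to 8 digits."""
    return LAZY_HANDLE.fullmatch(handle) is not None

def normalize(text):
    """Fold case, punctuation and spacing so near-identical copies compare equal."""
    return " ".join(re.sub(r"[^\w\s]", "", text.lower()).split())

def copy_clusters(tweets, min_accounts=3):
    """Heuristic 2: the same text posted by several accounts. Returns {text: set of handles}."""
    by_text = defaultdict(set)
    for handle, text in tweets:
        by_text[normalize(text)].add(handle)
    return {t: h for t, h in by_text.items() if len(h) >= min_accounts}

def talks_only_to_group(handle, group, replies, threshold=0.8):
    """Heuristic 3: the account's replies go almost entirely to other members of its cluster."""
    targets = [to for frm, to in replies if frm == handle]
    if not targets:
        return False
    return sum(to in group for to in targets) / len(targets) >= threshold

def score_accounts(tweets, replies):
    """Per-handle score 0..3; higher is more bot-like. A real user echoing a slogan still scores 1."""
    scores = {h: 0 for h, _ in tweets}
    for h in scores:
        scores[h] += looks_generated(h)
    for group in copy_clusters(tweets).values():
        for h in group:
            scores[h] += 1 + talks_only_to_group(h, group, replies)
    return scores

# Constructed sample data (hypothetical accounts, not real ones).
TWEETS = [
    ("Jenny123456", "Great rally tonight, everyone show up!!"),
    ("Mark987654", "great rally tonight everyone show up"),
    ("Dave112233", "Great rally tonight, everyone SHOW UP!!"),
    ("bob_sec", "Great rally tonight, everyone show up!!"),   # real user quoting the same slogan
    ("alice_writes", "New post on threat modeling is up."),
]
REPLIES = [  # (from, to)
    ("Jenny123456", "Mark987654"), ("Jenny123456", "Dave112233"),
    ("Mark987654", "Dave112233"), ("Dave112233", "Jenny123456"),
    ("bob_sec", "alice_writes"), ("bob_sec", "Jenny123456"), ("alice_writes", "bob_sec"),
]

if __name__ == "__main__":
    for handle, score in sorted(score_accounts(TWEETS, REPLIES).items(), key=lambda kv: -kv[1]):
        print(f"{score}  {handle}")
```

The three generated handles that copy each other's text and only reply to one another score 3, the real user who merely repeated the slogan scores 1, which is the ambiguity the speaker warns about when machines act on such scores alone.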

Yeah, or... and I think that's one of the things. So for a while Twitter opened up the validation program, and then a couple of people were abusing it, but I do think that was actually the right way to, like, try to have humans validate people who cared enough to be validated. Especially important when you get people who are, like, influencing and have, like, hundreds of thousands of followers, and sometimes even the tens of thousands; like, once you get over a thousand or two, it doesn't take a lot for that one tweet to become massive. So, but I do believe I am done. Thank you, everybody. Sorry you didn't get to see whoever was supposed to be here, but thank you.

[Applause]