
What Ashley Madison can teach us about OPSEC

BSides DC 2019 · 51:06 · 58 views · Published 2019-10
About this talk
A humorous and data-driven exploration of operational security failures exposed by the 2015 Ashley Madison breach. Through analysis of compromised user data, the talk examines real OPSEC mistakes—from equipment purchasing to internet access patterns—and discusses how these lessons apply to privacy protection, red teaming, and threat avoidance.
Original YouTube description
BSides DC 2019 - Sat-T1 - Joey Maresca fills in for a no show speaker - Speaker Roulette "What Ashley Madison can teach us about OPSEC"
Transcript [en]

as I wait for Google Drive to get caught up. Alright, so I was gonna let everybody pick, but then I'll just give you two options here. Do you want actually something quasi-informative or humorous? So I don't know if I have anything quasi-informative.

Ah, thank you for the one person in the back who's going to vote because nobody else wants to shout out. Awesome, I actually know a talk then if it would log me into the right Google Drive. Oh my god. Ah, doop, doop, doop.

And tethering is slow. I wonder if I can turn that off. I have an idea. This may also work. It may also be horribly bad.

Google Drive. If I manage to give this talk from my phone, it'll be like epic in terribly horrible ways.

That's not going to work either. Great.

Where's my network to work?

and hopefully I can get connected, but if you can give me WiFi, that'd be even better. Yes, I have HDMI. WiFi would be good though, because tethering is terribly slow. And I don't have cached presentations because, you know, I wasn't planning on giving a presentation until 10 minutes ago now. I have chosen to talk for you guys though. It's an oldie but a goodie. Apparently I gave this one four years ago at sky.con just recently. The name of the talk once it gets up is how not to cheat on your spouse. This is an old one where I went through Ashley Madison data. It's entertaining.

So this one here.

Hopefully, we're all assuming I can type too, so this is also a big, you know. No, it's still not connected. It says connecting still. connecting, connecting, connecting. B-S-I-D-E-S-D-C.

Ha ha, there. Let's all celebrate.

Thank you. Thank you to our wonderful staff and volunteers. Let's give them all a hand.

Ha ha, and people run out of the room. It's all right. Present.

Ta da. All right. How to not cheat on your spouse, what Ashley Madison can teach us about OPSEC. About me as I run through this really quick, for those of you, I am not who's in the program, ta-da, I am lost knowledge.

I was asked three minutes before this started to come on, so congratulations. Disclaimer, yes, all views and opinions contained within this presentation are my own. They do not represent the beliefs or opinions of my employer or any affiliated organizations. I really need to say that because I'm pretty sure my boss will be so happy when he finds out I gave this talk on Monday. Oh yes, this is all a giant, like, humorous presentation. So for the love of God, please don't cheat on your spouse. I don't advocate that. Well, unless you know, you're, you go for it, do you? I'm not here to kink shame. Furthermore, I do not claim that these methods will ensure that you stay out of trouble. So if I tell you to do something for

OPSEC, for the love of God, don't blame me when you get caught. It's not my fault. Background. For anybody who doesn't know what OPSEC is, the word comes from military usage and means operational security, shortened. It's basically all about situational awareness, protecting your identity, protecting your information to avoid being caught in situations where you don't normally want to be caught. So from the Ashley Madison point of view, right, it's people like, do you want to be caught by your spouse? For hackers, that sometimes turns into not getting caught doing things you're not supposed to be doing. But we even see this in like ethical hacking in the world of like red teaming and stuff like that because we're trying to do things where we don't want

our attacks and things to be caught. So that's all technically part of operational security. For people who have forgotten what Ashley Madison was because that was like five plus years ago now, it was an alternative dating site in the sense that it was basically focused on extramarital affairs. And there's a whole bunch of like,

evidence to show that like 90% of the women on there were fake. They were created with bots and other information to lure guys in to spend money to have accounts. So lots of scams, fake accounts, paid deletions, all sorts of stuff with it that was really shady. But it was a great trove of data that got dumped out. To the point that at the time when I got this, When this happened, my employer actually paid me to go through the data to see if any of our employees had used their employee emails to sign up and register and were doing stuff on Ashley Madison using their work accounts. But like you would even see like local like message boards and Facebook groups where like

people were like, did you see who in our neighborhood was in the Ashley Madison dump? Like it was that like prevalent that people like with no skill were able to go through this data. So impact team is a group that called themselves hacktivists. Nobody really, I don't know if this ever got fixed, if anybody actually did figure out who they were, because I never kept up with the attribution side of it, because it wasn't my thing. But basically they're ones who got the data and released it out to the public. And it was a very extensive, it wasn't just like the data that was in their databases, but there was like source code for like the webpage, there were emails used by the

company, Like all sorts of data was in there. I mean this thing was gigabytes, like 60 over, like actually probably like 100 something total. I only had like the stuff I cared about which was everybody's personal data. I'm weird, I know. So identifying users. So what's really interesting about this dump is, and what's important to know is Ashley Madison did no validation of email addresses. So you could sign up with any email address and you'd be good to go. They never did like those emails like please validate that this is your email address. So you find some very interesting data inside the dump. Also IP addresses obviously are very poor indicators of who actually had accounts. When I

was going through the data and actually doing like I was spot checking a lot of it when I was doing this presentation but you could go in and for incidents where you actually had a physical addresses if you match that up to like what IPs they had recorded You were getting pretty close in the sense of, yeah, they had an IP assigned by like Comcast that they generally use in this one area which matches up to that address that they had. The only stuff they had physical addresses for is when people used credit cards. Why people used their own visas and didn't use gift cards, I still don't know to this day. It's not that much work to go to Target and buy a Visa gift card, I swear.

Yeah, this was a great political comment, like a comic that came out around the time of the Ashley Madison data breach, which is actually like very accurate. Public shaming, yeah, I'm not advocating public shaming, but like I mentioned before, message boards on the internet, people were like outing their neighbors who were showing up on the list and like there was like, oh yeah, I knew something sketchy was going on at that house kind of thing. Like it was bad. Yeah, and so,

The whole point that I tried to make is that because the email addresses are so easy to fake, because they never validated it, it's real easy, I don't know if anybody ever thought of this, but setting up a whole account to ruin a marriage with somebody else because they could.

And then there's the fake account thing, right? So there were two other companies, Dates in Your City and JDI Dating. You can see combined they had almost 100,000 accounts tied to IPs that belonged to that company. Like you could go look up and like that's who, according to ARIN, that's who owned those IP addresses. Lots of IP addresses that were reported for accounts were set to home. So that's another 82,000 accounts. So you can see there's a decent chunk of like information that shows that there were accounts that were obviously being faked either by bots or by employees of the company behind Ashley Madison. So now into operational security for not cheating on your spouse, totally not for cheating

on your spouse. I have four basic steps into this. There's probably far more and a lot of these go into more depth, but creating a plan for protecting any identity, creating a plan for burning an identity, requiring materials to execute your plan and then actually executing your plan. All of these have different issues and problems along the way. And so this is like one of those things where like everybody talks about similarly to like people talking about burner phones at Defcon every year. Well it's not a burner phone if you go around telling everybody you have a burner phone, here's the phone number for it. By the way, my name is Bob and I work in, yeah. Do I need a burn plan?

So with most things in life, a lot of this all is a risk assessment, right? When you're doing anything operationally, you're doing something stupid like cheating on your spouse or hacking into the FBI or any other crazy ass idea you might have that may border on illegal or potentially illegal like if you're doing this, if you're doing work for like an actual like pen test. It is who are you targeting? You know, knowing who you're targeting, how paranoid you're actually going to be and how much trouble would you be in if you're caught? Having physical connections are where everything falls apart, right? It's really easy on the internet to create accounts and email addresses and do all these virtual components that don't necessarily have

to have a physical tie back into reality. What becomes an issue is like, if you get into money, you get into the need for phones and computers and resources and all these physical things that make it easier to connect back to an individual person. becomes a lot harder to maintain that type of operational security and even personal security to some extent depending on how, again, paranoid you are. So again, the who cares if you get caught. Your ISPs, if you're doing stupid shit on their networks, they usually aren't fans of that. The companies you might be attacking, if it's a tech company, if you're hacking them. The FBI, if you're committing a crime or hacking the US government, or your angry wife with a frying

pan. So again, it's all about knowing your target and what's the ultimate end result going to be. In some of these it's jail time and some of it's giving half your shit away and spending the rest of your life paying your spouse because you did something stupid. If you did something stupid, that's on you. So, how a hacker can become infamous, yes, some classic OPSEC failures. So for people who don't remember some of these, This is the case, I wanna say they were down in Australia and posted taunting pictures to people towards the FBI and Australian authorities and other groups like, ha ha, look what the fuck we got away with. They left exif data in the fucking photos.

That's how you got caught, dumbass. Dread Pirate Roberts, that was another one. That came down right around the same time and it was, OPSEC issues, I'm pretty sure it's in my notes, but I'm going off my memory now. As I recall, basically what they wound up tagging the original Dread Pirate Roberts with is,

there was some period in time where he crossed accounts. So like he would go into Tor and have one set of accounts to run, to access like the whole Dread Pirate Roberts persona and running the whole like you know, dark web market and whatever, all that shit. But like he somehow at some point had crossed that with his personal email address and access from the same machine across IPs. I think while he was in Tor, that's how you get caught doing stupid shit like that. And actually that's one of the ways that they've broken. Like if you look at other experiences, particularly with Tor, so this is why I always warn people about, well, Tor's only as safe as you are. Things that

they've done in the past, to catch people when there's Tor involved, is a lot of times the default Tor browser gets updated really slowly, so exploits hang around. So there are exploits that they use, drop shit on your machine, and the second you're off Tor and you're using the same computer again on standard internet, they know where the fuck you are because you're accessing your standard DNS, you're accessing your standard web interface, you're using your other regular accounts, and that's how you get burned. So again, this is where the physical device fucks you in that situation is because you're using the same physical device for two separate things and it's a common point to identify

back to yourself. So physical identity, how do you identify in real life, right? I am a tall person, I look this way. It's kind of hard for me to alter this, right? There's only so much I can do. So name is very fluid, right? Like I could walk into a room And we're really good at this in the hacker community, some of us better than others, about giving a handle on people not knowing what your actual name is or what your real name is. And it's easy to give people another name or to do another name until you need to do something that requires like presenting an identification, it's really easy to use another name. But altering appearance is hard.

Payment methods are actually relatively easy in a world where you can do a lot of cash, buy gift cards, and then equipment. The physical world is the harder to protect and alter. But it is easy to control if you put in time and effort. It just becomes work. Again, like I mentioned earlier, identities online are really easy to create. So it's harder and harder to find email services where you don't need to give like a cell phone or some other identification for what they will argue is to allow you to recover your account. But for the reality, a lot of it is to prevent spammers. They don't want people bulk generating accounts and you're more likely to get flagged. You go to Gmail and create

an account and about half the time you won't get asked. A lot of times it's you get flagged if you're coming from an IP, like if you're using Tor or VPN or another service that has like a common exit point and they see a lot of traffic that comes from those, you're more likely to get flagged when you do account creation to have to provide a phone number or an alternate email address or whatever else. But, Online personas are easy to, are much easier to control. They're a lot easier to segment because there's a lot of anonymity to them. So again, as I mentioned before, avoid cross-contamination, right? Trying to keep multiple accounts becomes a lot of work.

Avoid using real information, obviously. Avoiding predictable behavior. This is probably the hardest one from like both a physical and an online presence, as people get into patterns of life, patterns of behavior, which can make it a lot easier to identify individuals or narrow down groups of individuals based on patterns of life and behaviors, right? So you see this, if you go read some of the APT reports for like nation state level actors, they're really great about only attacking during the business hours of whatever country they're in, which is great operational security when you want to identify who it is that's attacking you. Oh look, it's eight to five in Russia. Yep, that's when we're getting attacked.

So pattern of life is one of those things. Acquisitions, money, right? Don't use credit cards. That's like a no-brainer you would think. The Ashley Madison dump shows us otherwise. In the real world, transactions using cash is easy. You use cash to get gift cards, to purchase pieces of gift cards that are literally cash equivalents essentially at that point, but they can be used as credit cards everywhere. If gift cards fail, there's also rechargeable debit cards you can get now. They sell these things right next to the gift cards usually. And a lot of times you can recharge them. Sometimes at the stores they'll do it. Sometimes the little machines in kiosks you can do it at. But they're basically treated like a standard debit card at that

point. And there's obviously Bitcoin, Dogecoin, Litecoin, every other cryptocurrency and online specific gift cards. So what did Ashley Madison teach us about money? People are stupid. There were over 9 million credit card transactions. Less than 200,000 were verifiably used gift cards. And I say verifiably because they literally were the people who were smart enough to put the name field as a gift card or like whatever gift card name was on there or clearly like a non-human name. If I went through and took all the card numbers, I could process this out, run them through checkers and identify banks and even probably narrow down like gift cards because a lot of those first eight digits will identify that information.

The people who did use gift cards still fuck shit up. They still used their real email addresses when they did purchasing. They still used their real addresses. They still connected from home. You were still seeing There were some people who got smart like you every once in a while you come across a gift card. Here's this gift card number 123 Main Street like some town USA like they found and that's how they ran their charges. So some people were doing it right but a very very small percentage. So equipment right don't reuse equipment so this again goes to reuse don't reuse computers when you can. Prepaid wireless is dirt cheap nowadays. Hell even post paid wireless is getting to a point

where it's dirt cheap problem is they do credit checks and everything else for post paid. Hotspots are easy to get. Everybody has an MVNO that runs off one of the big providers. So it's easy to find stuff you can walk into a Walmart by the Walmart wireless gear with cash by the service with cash. So it's all cash. We were doing physical equipment like cash Cash is king because nobody's tracking that shit. It's not like a credit card. Even the gift cards get squirrely. And if you're going to buy large quantities of gift cards, you need to spread that shit out because that starts raising red flags too at stores. And some stores do cap gift card purchases.

What's this teaching about equipment? There was a lot of BlackBerry used. I kid you not, people had registered their BlackBerry email address that they were using to get shit.

There was just a lot of that stuff going on. I guess business guys on travel all the time, that's, oh, I got my BlackBerry, let's see if there's any hot dates in this town. Yeah, I don't know. Shopping options. So again, taking cash, retails plenty. Obviously, this requires you to go beyond camera, right? Like at the, I'm cheating on my wife level where like no police or anybody's ever gonna be involved. Probably not a big deal. If you're getting into a legal area, you're still gonna be on camera somewhere buying gear. But even then a lot of that's hard to track. But the other thing you can do with cash is Craigslist and usually nobody's tracking that. And if you've got

your online presence properly separated and you can go buy some laptop off some dude. and hope that he wasn't previously using that to do illegal activity. Excuse me sir, I saw you had this computer here. Could you tell me, have you ever used it for illegal activity in the past? I just need to make sure it's not been. But the other good thing to look, the other place to look for stuff like that too are thrift stores. Looking for like Goodwill, Salvation Army, you'll find stuff, the old computers. Listen, if you're doing something like cheating on your spouse, you don't need like high power equipment to be, you know, to be snooping around online. Though you might have to figure out how you're hiding it from your

significant other. But I'm not questioning your relationship choices. So again, oh yeah, it's more options. The Craigslist, Amazon lockers, again, this goes back to needing the gift cards. And they are recording you when you go to pick those up. There's grab and go lockers at the Walmarts. So there's tons of places to even get stuff shipped to you now to do this. So again, it's all about determining where the risk is. The other thing I'll say too, and this is probably more an issue now than it was even five years ago when I was first looking at this data and first putting this talk together, is a lot of these services now, particularly with computers and computer equipment, so like the Amazon locker thing, in

addition to being recorded when you pick shit up, a lot of that stuff is serial numbered. And if it's on the packaging, they record it on the way out and they record it on the way back in for returns. So like the Amazons of the world can probably tell you, tell the FBI or state police who there came looking, hey, we found this computer that we know was used in the crime and we have the serial number. Can you trace first where it went? Could probably find, I would have, they would be able to say which locker, probably even have the picture of whoever picked it up too. How long they keep that data, who

knows. But that is probably, that is a serious issue of trying to order stuff online, is the serial number tracking of stuff. Getting online. So again, internet is stupid easy. There's free hotspots, free like Wi-Fi everywhere. If you're going and doing illegal activity, really, you can just go find somebody who's still running like WEP, or like has a really crappy like passphrase on their WPA, and just steal their wireless. Prepaid hotspots are also everywhere. So there's plenty of opportunities to get internet without using your home internet access or your own cell phone because we all carry wireless in our pocket now. Oh hey, I left a bullet off. Five years later, it's still there. VPN, right? So

this becomes a privacy concern. Do you trust your hosting provider? This is really like, you know, great nowadays, right after the NordVPN breach. So very appropriate there. Which is, you know, the double-edged sword, right? You had privacy because they weren't keeping logs, but nobody knows who the fuck has your data now because they didn't keep any logs. Encryption. You have no real anonymity. I mean, you can have your online persona, you can keep that separation, you can do your money, you can still have separation, but there's still that persona still tied to VPN. Unless you're rolling your own, getting a VPS, but you're still paying for the VPS to somebody, right? At some point you gotta

give people money. Tor, you have anonymity, but you don't know who the hell's listening. Do you trust your exit nodes? It's great for being anonymous, not necessarily great for protecting your data, particularly if you don't keep track of doing TLS through your Tor tunnels. But Tor's great for that. I'm not a fan of Tor. Tor plus VPN, it's like the combination that gives you everything. Conveniently enough, NordVPN's one of the providers who used to do that. So I haven't updated this slide, again, five minutes before. There's a ton more providers now that do Tor plus VPN as an option on the VPN tunneling, so like if that's something that you want, like even now, you maybe not even just from an operational security perspective of like doing something, whether it's

a pen test or doing something illegal or cheating on your spouse no matter what you're doing if you want that combination there are a lot of providers that do that now so it's worth like looking for is this one of the things I want out of my VPN service

Yeah, I mean if all you're doing is avoiding your spouse, that could work. I don't even know if it's still, I don't even know, so this worked five years ago. I don't think, I don't know if any of the AOL proxies are still around or still working today. This used to be really big if you're with scammers out of Europe would be using AOL proxies because it made everything look like they're in the US. There were a lot of accounts made this way, by the way. So, VPSs, they are cheap. As a matter of fact, you can get the very baseline cloud compute infrastructure from Amazon or from Google for free. It's not a powerful box, but it works. There's really cheap

fly-by-night providers that you can pay like five bucks to, 10 bucks to, and have a server. And that can be the point where your system burns and you disconnect everything, right? So if you have your last control point is where everything's happening from, It gives you a unit of segmentation from everything else.

It doesn't mean you can give up on OPSEC on your laptop or whatever you're using. I suppose at this point you could do this from your cell phone. I mean in five years since I remember doing this talk the first time, cell phones have come a long way still. So, whatever that point is though, it becomes a big deal. Email. As I mentioned before, it becomes really hard to find ones where you don't need phone validation anymore. Gmail's a 50-50 shot. I don't know if you, I don't remember about Yahoo. Mail, last time I tried a mail.com account, I do think I asked for an email. ProtonMail, actually. It's really great for that, apparently. They don't ask for anything in their quest for giving

you privacy. They don't ask for a hell of a lot. So if you're fine with their free tier and don't need a lot of storage, that's a totally great option. If you do need, if you do want a different mail provider, prepaid phones work to fill this gap if they ask for a phone number. And you only need it during registration after that you can throw the thing into a fire and never use it again if you don't want to. List of what are they thinking people are, there were tons of corporate emails. Again, they don't, they weren't actually checking the emails but you gotta think some people were actually signing up for that. Some

people are using their SMS slash MMS as email. So for those who don't know, because nobody uses this really anymore, pretty much everybody in here who has a cell phone, which is I guess everybody in the room, you can send a media message to your phone using your phone number at and then whatever your cell phone provider's email string is. They have a different one. Each of them have a different. So like it may be media at your service provider you know, MMS.com or something ridiculous like that. So there were some people who signed up using that means. Like I said earlier, lots of BlackBerry emails, some school emails, the WTF of it. There were 12,000 dot mil email addresses used. And for

anybody who went to an academy, Army won, so there you go.

There were 2200 dot gov emails spread across every known agency, four NSA, three of which I can confirm based on the formatting of them, that they weren't legit, two CIA, seven FBI, only two that I know were legitimate, and there's another reason why I know that, and 57 DHS. The reason I know that is because there were a lot of really like, here's stupid stuff, like this is why we don't trust emails. Joe Biden had one, President Obama supposedly had one. Eh, maybe. So, but you know, oh, this is why you can't trust the FBI one. Agent Mulder had like five of those seven accounts were his FBI email account. And I have to imagine somebody at

FBI after X-Files originally came out created email accounts for them just to see what the hell would come into those email accounts. And if so, If anybody from the FBI is here or ever watches this, please let me know. I would love to see those emails because I'm sure they're hilarious.

No, they didn't do any email verification. So that's what makes it hard. That's why we can't trust the emails from the Ashley Madison dump as like any valid form of identification, because they didn't do validation. They basically let you sign up and you were good to go. They never sent an email validation back. Any email address could be used. A lot of email addresses were used multiple times. That's why in the case of the FBI, I knew only two of them could potentially be legit, because five of the seven belonged to this guy. So they weren't even using it as a unique identifier, by the way. So you could have the same email multiple times. I don't even know how their shit worked. No wonder

they were breached. Some truths, paranoia. A lot of this will be overkill.

Local law enforcement is pretty, is gonna be a pretty limited source, right? Like if you're doing something illegal and stupid, if you don't get to the bar that the FBI cares about, most local law enforcement agencies bar is pretty low. State agencies are a little better, they're getting better. Companies actually are getting a lot better. If you, I'd highly recommend never trying to, don't ever attack anybody, that's illegal.

The love of God, don't anybody who's been breached before. Most of them learn their lessons, I say most. Nation state levels is where things get a little nuttier, right? So conspiracy theorists don't stand a chance. So who knows?

Old fashioned cheating is cheaper. The fees for Ashley Madison were outrageous and as we see from their data, it was largely a scam, right? The online fees were high, like the amount of time and effort you have to do to like set up a VPN, to create extra accounts, like, and you still have all the same expenses as cheating normally. You still need the sketchy hotel room. You still have to go pick people up in the bar for random bar dates and rendezvous or before they tore down all the like casual hookups on Craigslist. You had to still go through there and pay the hooker money, right? The inevitable divorce attorney fees. There's all this stuff, right? All these

costs are still there. Save the money, just go to the bar.

A lot of this is common sense, right? I don't want to say stupid things, but yes, keep talking to make it sound worse, right? A lot of this makes sense, like a lot of this is just common sense. It's like if I walk into a room full of people and say, you know, hey, I'm gonna go, fuck, I'm just gonna switch this right now and bust into my Kali VM and let's just start hacking the hotel. Like that's stupid, because I just admitted to a whole room full of people on camera and everything else, and I'm gonna do stupid, illegal shit. So sometimes the best thing you do is just keep your mouth shut. Wow, yeah, see, I did fly through this because I started really late.

So I will take questions now as I flew through that really quickly. Yes?

Yeah, so the question is did I see any VPNs or VPSs or anything like that? I do think there were a couple geolocation IPs. I didn't run the entire thing so a lot of it was spot checking. Especially for like IPs. At the time what I was being paid for was checking email, so emails got first dive and then from there when I was working on this talk a lot of it was I want to focus on what I have verifiable data for. So those 900 some odd thousand or nine million or whatever it was credit card transactions were my hard data. That's like I have to have an address because they ran a credit

card. Let me tell you what they were storing is not PCI compliant. But yeah. So

And so because of that, it was a very tight set. So IPs, I didn't go all the way through. I know I still have this data set sitting around somewhere, and that is probably one of those things that would be fun to look at, is pull that data and run all the ARIN requests. And it'd be a stupid easy script to pull out IPs and then just make whois calls to see who owns them all. The problem you run into a lot with the VPSs is I would have to probably run those outside of just ARIN, because most of those are just gonna show up as providing. A NordVPN one is probably not

actually gonna show up as owned by Nord, it's gonna show up owned by whatever data center they're coming out of. But I'd still get the same amount of information roughly. Yeah, but Aaron keeps historical record too. So you can see some of the timeframe. And people have got, so yeah, there would be probably some change over this time. The other thing that's happened a lot since this too, back when this data came out, there wasn't as much ISP netting going on as there is today. So benefit for anybody who actually wanted to go track historical data, because you're actually seeing people's IP and not like the Comcast net IP that everybody inside of the cluster comes out of. Yes?

So that question is, did I actually find anybody from my company? No, I did not. So we didn't have anybody using their work email addresses. None of our work addresses came up in that. I checked a couple other companies that I either had worked with in the immediate timeframe before, just to kind of like, I could always reach back and be like, hey, I'm seeing this, like, you know, if somebody did this, you might wanna look into it. But, and I may have searched for a few people who I didn't like.

I'd be lying to say there weren't a few people, I'm like, I never trusted that guy, let's see if he's on the list. No, for my own company, no, I did not see anybody. Yes?

Like a true hard ratio is hard to come by, in part because with no validation, like I was able to see, yeah, there were at least a couple hundred thousand that were clearly fakes, but there were a lot of reports of, oh, this account here can't be real, or, you know, it's hard to identify. In some cases, some of them you could actually probably check, like user names, and see if they're used elsewhere, because some of them were fairly unique user names. So they're probably stuff that people are using in other spaces too. And they weren't just like, you know, Jenny123 or something stupid like that, that anybody whose name is Jenny could use. Any other questions? Any others?

All right. Oh wait, one more, yes.

It's, well, at least the best thing I can say is get rid of everything and anything that you can. It's easier if you have a single burn point, right? So this is why I say, if you're having a physical separation, don't use the same computer and just say, well, I'm fine because I'm going to Tor. If you're using one computer and you only use that computer for that, and you're using Starbucks Wi-Fi everywhere you go, this goes back to the pattern of life thing, right? So this is like that, like, this is like the catch-22, right? So you watch all those TV shows, like, well, people don't go outside a certain radius of their house. So like your first logic is, I'm gonna go outside the radius of my house, and the next thing you know is you've created this giant black circle where you never go. So it's that, like, go to places around your house, but also drive to the Starbucks 20 miles away and spread it out, right? Like it becomes a little bit easier, but this is where, from the cheating perspective, it becomes hard for a business guy, right? Like if you're cheating in whatever city you're going to, and your wife actually hired a PI because she's catching on to you, and he's actually following card transactions, or he's found this persona he thinks is you and now he's tracking it. It's not hard for him to put two and two together if he starts deploying fake personas in different cities that he knows you're traveling to, so that he can see if he can get a connection made in those individual cities and make that connection. Which is why I say just go to the bar, it's easier. Any other questions? Yes.

So, can you expand a little bit more on Tor? Because, you know, we hear a lot about that, you know, so it's very hard and stuff like that, but that's really important to help people get in the way, and how do they do that? You just said that's not as secure.

So the question is kind of like, expand a little bit more on Tor and how people are getting away with all the stuff if it's, as I'm trying to coin it, not as secure. So a big part of the problem with Tor, particularly the market for identities and credit cards, is a lot of those people are international. So there becomes the hard stop for, like, US-based. And it's not even just that they're foreign, they're in Russia or they're in Eastern Europe or they're in other non-extradition countries. So it becomes a lot harder to be like, well, we want to shut this down. So usually they have to go for, a lot of the ways they go for those routes is, well, they use the hosting providers in a country we do have connections with. Okay, well, we shut down the host. Well, they just pick it up and move it somewhere else. The other thing too is, so there was a recent case of a relatively large ring of, like, child pornography that just got shut down that was multinational. And it was based around Tor, I wanna, I'm pretty, like, yeah, they were using Tor. They always use Tor. But what happens is, in those situations, you also have to assume that there's probably active investigation of some sort. And you're never gonna get confirmation or denial that an actual investigation of those sorts of illegal things is happening until they get shut down and the giant DOJ logo shows up on the company's webpage saying they've been shut down. And we've seen that even in, like, non-Tor and non-Dark Web (God, I hate that phrase) sites. So like Backpage was the sketchier Craigslist, we'll call it. And they got DOJ'd at some point because their involvement in the prostitution that was going on through there was probably a little more direct than most people realize. And honestly, yeah, the international factor is a big part of the reason. It's a big part of the reason why a lot of the malware, like our race against it is, well, we stop one thing, well, now here's a new banking Trojan, or here's a new, here's a new, like, you know, crypto locker, and all these different things, because they're all international and they're all, like, that's how, that's where a lot of our hard stop is. So a lot of times it's just easier for us to implement the corrective actions than it is to move on. Yes? Who am I again? Sweet! Do I have my closeout slide? I don't. So I am Lost Knowledge, so for anybody who missed my opening slide, I know I'm the substitute filler. Let me go back to my first slide. Could you actually see that spelled? It's like the whole presentation in reverse now. It needs, like, the Benny Hill music. Here we go. There's how it's spelled, with zeros. It's that way on Twitter, it's that way on Twitch, it's that way pretty much everywhere. Lostknowledge.com.net. So yes. I've been doing InfoSec for 14 plus years at this point. I'm just an angry hacker. That's really all I have to say about that. Any other questions? Thank you.

So the question is kind of like using the abilities to identify and detect fake accounts against social media. What's very interesting about social media and the social media bot issue right now is that a lot of the people who are generating fake social media accounts are state-backed groups, which means they have all the money and funds to make it a lot harder to detect them. One of my big takeaways of operational security in general always is, like, you can do it really well, but it takes a lot of work. And so the more money a group or an individual or a person has, the easier it is for them to hide that they're fake and that they're a bot, that they're not real. Where a lot of the stuff in social media today catches these things is when they see the same tweets going along to the same, like, five or six groups, and they're growing them, trying to make them look organic, but they're always communicating and interacting with each other. That's how some of the really early ones got busted. And then some of the really lazy bots just do the generic Twitter account generation, which is your first name plus six characters. And then you start spending time looking around and realizing there's a lot of really lazy people who don't know how Twitter works, and that's how their Twitter handles and accounts are.

Which is really frustrating when you're trying to identify in your own Twitter feed, and people who are following you, who's actually a bot or not. There actually is a service that you can log in with your Twitter account, and they will go through and look and identify, like, this percentage of your followers are bots, and they're using heuristics and trying to look at that same data. Twitter, in theory, has access to enough data in depth that they could identify those and probably pull them quicker, but the problem you're gonna run into, as with everything, is the second they let a machine start doing that, they're gonna start banning real accounts, and shit's gonna go down, because people will be pissed off, because, oh, you know, it's disproportionately affecting people on the right or on the left or whatever, and people are gonna get angry. It's the problem with letting the machines make decisions.

Yeah. Well, and I think that's one of the things, so for a while, Twitter opened up the validation program and then a couple people were abusing it. But I do think that was actually the right way to try to human-validate people who cared enough to be validated, especially important when you get people who are influencing and have hundreds of thousands of followers, and sometimes even the tens of thousands. Once you get over a thousand or two, it doesn't take a lot for that one tweet to become massive. I do believe I am done. Thank you everybody. Sorry you didn't get to see whoever was supposed