
Okay, alright. Look for a hand, there's an empty seat there. I know you want to hang with your friends, but we're all friends here, BSides Rochester. Okay, alright. I have no idea what that is, I can't see my slides right here. That's okay, I'll just go with this. Well, we're streaming.
So, in perfect BSides Rochester fashion, we will be randomly streaming this. We just decided this two seconds ago. We will be streaming this talk right now in Track 2, so if you can't fit in this room you can go to Track 2. It's not as cool as being in this room, I'm not saying leave, but if you can't fit and you don't want to be standing up back there, then please go to Track 2. Okay, before we begin, a couple announcements. Right after this there's gonna be a food truck, one food truck, that's gonna be right outside the building. Everybody's going to be going there, there's gonna be a line. I'm sorry, that's just how that's
going to work. If you don't want to stand in the line, there's other areas around RIT that you can go get food, feel free to. All the places are on campus. There's a one-hour block in our schedule for food, and coming back at like 1:00 p.m. you should be ready to go. So, you good? [ __ ] Yeah, as long as the recording is recording. Oh, cool. So I want to introduce our keynote. Matt Mitchell is somebody that I met years ago, I think at some, let's see, stuff in Spain maybe, and he's a guy that I just like his perspective on InfoSec. It's not "I went to school, I did InfoSec
and here's the things that I'm supposed to learn." He has, like, more applied knowledge in some of this stuff and has seen some different things, so I'm really excited for him to be here. Please give him a round of applause, Matt Mitchell. [Applause]
Thank you for being here, Rochester, whoo! Okay, I was here in the morning announcements and people were still waking up, but we had a whole bunch of amazing sessions. So I want you to, like, stretch out. This is a one-hour talk, I'm gonna try to squeeze it in so we could do some Q&A maybe. Does that sound cool? Yeah? Yeah. So I'm from Harlem in New York City and people are really vocal there, so I need you to, you know, be a little bit louder. Does that sound great? Okay, yeah. Okay, let's do it.
Okay, next slide. Well, okay. I'm Matt and I'm known for this project that I do called Crypto Harlem, but I do a lot of other things, we're going to jump into that as well. This is my Twitter. I need followers, I'm still an egg, I still need some followers, so follow me on Twitter. That's my GPG key if you want to send me an encrypted email to complain about this talk. No worries, I'm happy to decrypt and read and encrypt and send it out to you. And this talk will be posted via Twitter, it's Creative Commons, so you can catch it later, but just give me a minute, a couple days to get it up. Okay.
So who am I? I'm a hacker, but I work for the benefit of civil society: nonprofits, NGOs, dissidents, journalists and human rights defenders. That's what I do and that's all I do. I don't do it in my spare time, I don't do it nights and weekends, it's my full-time job. When I meet young folks who are studying information security, studying cyber, studying application security, hacking, always at those events and always in those universities I'll see people from the government sector, private security, but I don't normally see these groups represented. And there's a lucrative path there if you're interested. These groups need you just as well. We always talk about how there's tons of jobs in InfoSec and not enough people, but not
all the jobs are in one place, and that's what my talk's about, and some of the applied, kind of practical security knowledge that I've gotten from doing this work for many years. So let's dive in. How's it sound? That's what I'm talking about. I was like, alright, I heard about Rochester, I heard it'd be like that energy, right? So let's bring it, like, Niagara Falls style. Alright, okay. Okay, so one of the things that I'm really passionate about is being an ally for marginalized groups, underrepresented groups. You know, when I was a kid I was really into punk rock, I was really into riot grrrl, and there was a thing where a band would come on
stage and you'd be like, "girls to the front," and they were like, "look, dudes, step back 20 paces, this isn't for you." And I like that, you know, 'cause this field of computer science was developed and worked on and pushed forward by women, and then all of a sudden, if you ever check out this Planet Money recording, it's a great little podcast, all of a sudden the numbers just took a nosedive and they've stayed really low. So if you're someone there in the audience who self-identifies as a woman, this talk's for you, it's dedicated to you. If you're from an underrepresented group, a marginalized group, whether it's one that's obvious, like you're a dude
from Harlem, right, or whether it's one that, you know, may be a learning disability, maybe you're on the spectrum, maybe, you know, you're queer, maybe it's not so visible, this talk's for you too. Alright.
How could you not put your hands together for that? Okay, let's go. I was walking through the hallways yesterday after this really amazing capture-the-flag class. It was very high quality. I only took like an hour, but it just took my head in, but anyone who got to go to that, you're gonna be grabbing some flags at CTFs all over the place. It was very, very good. And I passed by the sign that said Women in Computing at RIT, and I saw her and I stuck my head in, and I met this group there, Women in Computing, that has a mailing list of like three hundred some-odd people and has an active
membership of like 70-something people on a really good day, and I thought it was really amazing that that's available here. So if you want to see these numbers change and, you know, want to see things better, more people in this field, definitely represent and raise up the work of this club, this organization, this group, and definitely ask them if there's anything you can do. So I thought it was great and I just want to add a piece to my slides, something local. Okay, alright. So I'm the founder of this event called Crypto Harlem, and Crypto Harlem is an event where I, in my neighborhood, talk to people about surveillance. We know that surveillance is not meted
out evenly, and regardless of your viewpoints on it, some folks are more surveilled than other folks, it's just the way that it is. So if you're seen as a suspicious other, then you're gonna face surveillance more in your existence in life than other people, and in the inner city that just happens to be a lot of folks who are gonna be surveilled. So I thought, let me just do this three-hour office hours, like, look, I'm a hacker, I know, if anyone wants to go to this thing. And over five years it's been quite successful. I have it at this little community center space on the street there on Malcolm X Boulevard in Harlem in
Manhattan, a predominantly African-American neighborhood, and, you know, the reception has been really huge. We've gotten a lot of mimosa, huge, where there's... I've always decided that I want to keep it small, I've always decided that I want to make it part of the community. So we do it once a month, and sometimes I've turned people away, because, come back next month, we're full, right? Or some people will just show up because they're working folks, and they'll show up and just grab 30 minutes of knowledge and then leave, and someone will take their seat. But is anyone interested to see what it might look like, the event itself? Alright, okay, thanks. Let's see how you...
I'm gonna check in 45 minutes into this talk, I want that energy. Okay, so this should work, hopefully. Okay, that's it.
Not... yeah. Oh wait, you hear the sound? Oh, okay, hold on. Yeah, old-school, hold on. Solve your own problems. I don't know, that's gonna mess up the streaming thing, but I can unplug the audio jack. I'm allowed to, I'm allowed to do stuff, my laptop is... I think I am pumping out through the HDMI. Alright, so another thing we can do, right, I could change my... what, your output? Okay, could you give me like two minutes of your time to change my audio, is that cool? Alright, maybe this thingy here. Yes, okay, whoa. Quick, put your hands together for this gentleman right here, amazing, amazing. At a normal conference that would've been over, but BSides Rochester, we just keep on going.
Okay, so who wants to see what that event looks like? Okay, I think I got it. Do I know how to use a computer? No. "When I talk to you about surveillance, this is kind of like, why, I don't have anything to hide. I never get that when I'm talking to this community. You can't buy a bag of chips in Harlem without being surveilled. A crypto party is an event where people get together to talk about digital surveillance, digital safety and what they can do to be safe or mitigate risk. Crypto Harlem is open for all people, all people are welcome, but Crypto Harlem is here for a reason. It's for black people in Harlem who are over-policed, heavily
surveilled, and this is a safe space for us all to learn together, to learn from each other. Harlem is like a cultural hub. It's really important to highlight it, like where it's been, where it's going, including tech in that conversation. It's just important about making sure that we can progress, like it's about disruption. One thing that I do is I spend a lot of time looking at current events in information security, cyber, and I ask myself, like, how does this story affect people on the ground in Harlem right now? So I walk around for three hours just handing out flyers, talking to people in the community, promoting the event, because, you know, you're not gonna get the best
people and a good representation of the community by posting it on Meetup or Twitter, that's just not reality. You need to go to the barber shops, you need to go to the hair salons, you need to talk to the pastor of that church and the imam of that mosque and really get down with the people." "It's a free class that we do right there around the corner, over there, yeah. It's about computer security. It's, like, family-friendly." "How is more surveillance and a lot of other issues in New York City, especially in communities across Harlem... We had stop and frisk first, it's like very aggressive and it's dehumanizing, but there's a new practice which is like the digital version of it,
which is probably more dangerous. What we see with this kind of digital world of stop and frisk are young folks who were told by YouTube and Twitter, Facebook, 'be yourself, express yourself, tell us your stories and present them here,' and those stories are being turned against them. If there is any criminal act or an act of violence by one person, and that person is associated with you or associated with your crew, you'll get taken down. A lot of people understand this idea of, like, six degrees of separation, but when you're a person of color it's like two. These kind of stories, we need to pick them up, we need to raise them up, we need to address them and solve them ourselves,
because no one else will."
[Applause] "Black folks have been surveilled since the very beginning, since we landed here on slave ships, right? So you're a number, they're just like, slave number ten walked over here, walked over there, drank some water, did this. That situation has followed us but hasn't changed that much. Technology will just make things harder to see. So what Matt does with these crypto parties, they bring hope, bring a different topic each time he comes in. It's about exposing them to a lot of different pieces of information, but it's also about equipping you with that knowledge and moving forward on your own."
"I think he does a really good job of then trying to encourage you to take control of, whether it's your privacy or it's learning about blockchain, learning about Bitcoin, like, he really tries to empower people." "Thank you." "Okay, what about at a protest?" "So New York City, like, we're gonna try to set the rules where we all turn off the cameras at a protest, so you're not being, you know, shown, like, okay, I'm just a person, I'm against this thing." "The cameras are moving faster than the regulations are, because law doesn't move that quickly. I think that it's for us as citizens to get a little more involved in these policies and issues so we can
help steer them." "People are hungry for this, and there's so many community leaders who are already here, and coming into a room like this just kind of gives you an affirmation, like, yes, we're on the right path." "I'm a hacker, but I'm black first, and when you see me a block away you know I'm black, you don't know I'm a hacker. One thing that I hope to get out of this event is creating more black hackers, creating more black people in cyber, creating more black people in InfoSec, because it's a space where there are more positions than people, so I want to see more of my... in the work that I work in."
"People say this is the next frontier of civil rights, and it's a statement that I agree with." Done, five minutes. [Applause] Okay, I was on Mr. Robot. I didn't even know. I was watching Mr. Robot, the last season, and then Elliot picks up his phone and it's posted, like, in that show it's quite a few years ago, so it's the old version of Signal where it had this dual confirmation, and look at the words: Crypto Harlem. That's my event. Whoa. And then there was a scene where Elliot, like, runs into a data center, right, and he's like, him and Mr. Robot are, like, fighting it out, he's losing consciousness constantly, and he
sits down at a terminal and it says "contact Matt Mitchell." That's me. Whoa, how weird is that? Free advertising, yeah. I don't make any money out of this, but yeah, I know, it's okay, it's cool, I do it for the people, I do it for the lulz. Okay, so another thing that I do, though, 'cause, you know, doing a community event is great but it doesn't buy you gold boots, so I'm wearing gold boots, you can tell. So what I do is I work as an independent operational and information security trainer for a group called GJS Security. I'm a subcontractor, I work for a lot of different groups, but most of my
time is spent with these folks, and they're a hostile environment emergency first aid training group, that's called HEFAT, and the way that they do the hostile environment training is one that simulates a real-world environment, and I think that's really important, and I'll loop back to this again. But when we're working with journalists who are about to go to a conflict zone like Syria, or they're about to go to where there's a hurricane, like Hurricane Maria, and going to Puerto Rico, they need to be certified in how to be okay so they can tell the story, and the news organization that they work with sends them to these HEFAT trainings by groups like GJS, and the
way that GJS does it is, when you show up at the farm, that's one of their facilities, it looks like what you're about to experience, because you need to know what you're going to do when you hear that gunshot sound, you need to know what you're gonna do when the wind and the rain are blowing at you and you're freezing cold, and you don't really know, because it's hardwired. You got to bring yourself there in a comfortable way, because you don't want to find out, when it's the most important time, that you freeze. You don't want to find out at the most important time that you run, or that you're gonna just lock up and wet your
pants. You want to know in a safe environment. When we're gonna be there, then we can take you from where you are to what will get you through. And I do the digital side of this. So it's one thing to tell someone, you should encrypt your email because this thing could happen, in some anecdotal story; you should use Signal because this could happen, something, right? It's another thing when you're actually seeing it happen, and it takes someone with a certain skill set to make that simulation ring true, and that's what I do. I'm gonna talk more about the difference between what we learn in our courses, in our training, in our university setting, and the reality on
the ground. Another thing I do is digital safety and security coaching for a group called the Movement for Black Lives, which is an umbrella group of about 60 organizations. Some of them are very well-known, like Black Lives Matter, some of them are not that well-known, like Black Youth Project 100. They're organizers who are working inside the United States, and for a lot of the people who are organizing, whether you're in the labor movement or a feminist movement or civil rights, racial justice movement, strangely enough your adversary, when we talk about threat models, are things like, you know, your FBI or Department of Homeland Security or things like that. You know, if you're working for
sex workers, right, against this FOSTA Act, right, if you're working with... right, nobody? Okay, no way, look it up, EFF, look it up. Okay. If you're working with undocumented folks, right, if you're working with anyone who's marginalized, their adversaries are going to touch upon things that aren't normally adversaries to you, and it's very sophisticated, and to properly be able to defend folks you've got to completely change the way that you work and up your game. Okay, so who is this person that you're listening to? I was a 2016-2017 Mozilla Ford Open Web Fellow. Mozilla had this program with the Ford Foundation, which is a big civil society funding group. You might have watched the documentary paid for by
Ford Foundation, and that money came from Henry Ford, who made, like, the first American car, his brother, right. They paid for me to work with a group called Color of Change, which is a modern civil rights organization, and I did organizational security for them, because an organization cannot install Signal, it does not have hands, right? So how do you secure an organization? How do you do that? How do you get them to a place where they are looking at a different type of positioning and footing for the threats that come in every day? That's something that I tackled and I created a framework out of. I was a 2016-2017 Internet Freedom Festival fellow, and IFF is an
amazing conference that's free to attend that happens in Valencia, Spain every year. And I think this past IFF was just a couple of months ago, or maybe it was even one month ago. Well, the past IFF was represented by, like, almost 65 percent Global South, so people from India, Africa, the developing world, people in countries that are growing so quickly, with leadership that's a little bit unsure of technology, making rules and laws that we could never imagine happening here. In a place where maybe, you know, you can have GPG but you have to give your passphrase to law enforcement or security forces if they ask for it, that is the law on the
books, right? Or where encryption itself is illegal, but you can still shop on Amazon, for some reason they let that SSL encryption happen, but they won't let you encrypt a USB drive. So when you're dealing with those problems they're harder to solve. You can't just say, hey, use this tool, when the tool you recommend might be breaking the law. Alright, so it's important to go to events like this, for me, to talk to real people who are doing really basic things on the ground, just trying to, like, fight against CCTV cameras or strange changes in laws and fake news and things like this. I was a 2016-2017 New America Cybersecurity Initiative fellow, and New America is a
DC-based think tank, and they think about what the future will look like, and they're very invested in cyber. I always can tell what kind of hacker, or what kind of information security, or what kind of tech person you are, when you do the work that we all do, that we all study, that we're passionate about, by how you even refer to it. If you say "cyber" then I get it, I know where you're coming from, right? And it was great, I really enjoyed this, because in my fellowship I got to meet people who, you know, were military outfits with, like, you know, pins and stars on them, and that's their interaction with cyber,
right, that's their interaction with this work, and I got to talk to them from, like, hey, what about this vantage point, and we're gonna learn together. Well, hold on, don't worry, don't worry, don't worry, okay. I was a 2017 Institute for the Future good fellow, and that is another think tank that's based in Palo Alto, which is, like, Silicon Valley, and it was interesting. There we were looking at the future of governance, and what will government and governance look like in the future, and strangely enough we just happened to stumble into this year where Brexit, changes in the leadership in the United States, in Western Europe and across the world were happening. So, oh yeah, this is
like a... I'm not dropping any 0-days, but I am gonna tell you a new title, which is I'm the security lead for a group called Tactical Technology Collective, and they're based out of Berlin, they're an Amsterdam NGO, non-governmental organization, and I assist them with their information security, with their curriculum and training, and with how they keep their trainers safe when they travel to help people in different parts of the world, because that's something that I specialize in: not just being great where I stand, but trying to apply that in a condition that is so different than what you can imagine. I'm an advisor to the Open Technology Fund, and OTF are the people that fund a lot of the open source and
free tools that we use every day, whether that's Mailvelope, whether that's Signal, Open Whisper, wouldn't have Signal, wouldn't have that initial funding without OTF. And there are a lot of people here, including Mark, who works with OTF and does great things and helps that program. And I'm an adviser to Internet Freedom Festival, that's in Valencia. I went too many times, it's like, this is so important to me, I want to make sure that I lend my skills to keeping them safe and also steering it a little bit to keep that magic special. And I used to be a developer and data journalist at the New York Times, that was my last, like, full-time nine-to-five type
gig. Okay, so information security. Information security, to me, is just keeping our data safe. We have information, we want to keep it secure, whether that's encrypting it, whether that's obfuscating it, whether that's, like, you know, steganography, whatever it is, it's just keeping your information safe, and there's so many ways to do it. But it's basically tools, software, computer science, cryptography at its core. Operational security is the tradecraft behind it, and that's completely different. Every tool that we use, the flaw is ourselves. We don't necessarily understand how this can be used, but, like, I was actually talking to Jessica about the footprints that we leave, and to be a really good student of operational
security is to understand how to properly keep your information secure, not the tool to use but how to use that tool, and that is a lesson that you can best find by researching scraps of information, not just how human rights defenders get caught but also how, like, really horrible bad people get caught too. We have to open up our minds to both sides of this, because once we understand that, then we understand, like, okay, so if these parameters were to catch a bad person, they could also work for a nation-state to catch a good person. And the thing that I want to talk about is practical security, which is more lessons learned. It's a combination of
information security, operational security, over time, things that you'll see when you travel around the world. I literally was in India two days ago, I was like, Mark, I swear I'm coming, don't stress, no stress, and on Friday I'm flying out to Berlin. Things are so different, from the internet connection to the price you pay for data, the people's relationship to technology and their thoughts on it, right? In Europe they have this thing called GDPR where everyone is, like, hey, that's my data, you can't hold on to my data, you got to delete that information. If you use your VPN, for VPN users, and you put it to any European country, you'll see all these messages like, hey,
we use cookies, we're sorry we use cookies, is that okay with you? You know, like, this is a totally different situation. If you go to a data mining website like Spokeo or Pipl and you type in a European friend's information, there's a lot less there than what's on us, right?
I'm going to talk about the four types of hackers. I'm trying to make a lot of space so we can do a Q&A if people have questions, though. Anyone? No? No questions? Nobody? Okay, maybe no Q&A.
There are more than four types of hacker, it's a complete generalization. I mean, what is a hacker anyway, right? I mean, does a hacker have to wear a black hoodie? No. Wear a gold jacket, do whatever you want. You know, I think a hacker is someone who's always curious, who's wondering, yeah, but how exactly does that work? Let me make sure, let me take it apart, and maybe I can't put it back together, but I learned something, right? There were always hackers, like there was always technology. Technology was the wheel, technology was fire, and we come from a tradition of people who had questions about fire, and they had burnt fingertips, right, people with questions about the
wheel, and maybe it crushed their foot, but they were curious. So that's our kind of hacker descendants, right? But I'm talking about the four types of paid hacker, in a generalization, and I want to talk about my friends who are, or my favorite people who are, in those four, and then maybe I'll loop back if nobody has any questions and talk more. I like talking. How's this, how's this keynote going? Yeah? This is what you came for? Making sure, because BSides is really special. BSides is people who you'll see tomorrow at the grocery store. BSides is people who you'll see at the next, like, sci-fi movie, waiting in line at the local cinema, right? BSides is not flying
to Vegas and getting a hotel room and none of that stuff. It's real, it's local, it's where it all starts. It's a real community, and please take the time to not only listen to things like this keynote, which are very different from the technical talks, but also turn to the right and laugh and be like, hey, what brought you here, to the person you see in the hallway, because this is a one-day thing but it never ends. This is just the kickoff for that local energy, right? So for me there's, like, these four types of hacker. There's the G-men, right, and to me the G-men are awesome. They're people who work
for nation-states, they work for governments, usually governments whose passports they hold, yeah, usually. There's little exceptions, I'm gonna get to that, yeah, yeah. And, yeah, you know, so we all know that there are intelligence gathering organizations and law enforcement organizations and security forces in every country, but we probably don't always realize that every one of those has a hacker. Even your local police department might have a data analyst whose job it is to just handle that thing, and they get trained, and maybe there's just one box they get to pull out every once in a while to use. Everyone has that hacker. Then there's the kind of InfoSec cyber firm, some of them are peddling snake oil. It was
really weird, like, I was in the airport, and I never thought this day would happen, I walked into the terminal and there was a giant billboard for, like, a company that's only gonna help other businesses protect themselves from hackers. That's where we are right now, that's, like, the world that we live in. It's pretty amazing, and, yeah, it just blows my mind every day, 'cause, you know, I was talking to some folks yesterday about when I got started in this, there was no path, and you definitely didn't think you could make money on it. It was just something that you did in the dark by yourself, 'cause you were curious and weird. Alright, alright, am I
right? Anyone else out there, right? Yeah, okay, it's okay, you're with friends and family here. But now it's different, and now I see people walking around like they're military. We're not mercenaries, we're not spies, we're not trained military. We lose things, we spill things, we are geeks, we dress bad. That's who we are, that's who you are. I've met mercenaries, you are not. Then you can have, like, yeah, I get it, you can have the velcro and it's not the same. Cybercrime is very lucrative. It's so lucrative that it deserves a quarter of the pie. The skills that we have can be used to make money, and whether that's, like, in
the most dignified way, where you bump into some kind of bug and instead of reporting it to the organization or company whose software it is, you report it to a company that collects 0-days for a small fee, just fine, I'm not gonna name them, we all know who they are, or whether you're on the hacker black market, working in escrow, not knowing who you're working for, giving a little bit of what you found and getting a little bit of pay until both parties put a thumbs up. You know, the amount of money, though, is either so low that it's like, well, why would I do this, it's kind of murky morality, or
so high you're like, I hope they never find out who I am, I might not be able to spend this. There's hacktivists, people who, nights and weekends, they fight for a cause. They believe in something. Everyone sitting here believes in something, you want to push that forward. What if you used your tech skills to just give it a gentle push? Maybe you're not the most nuanced political scientist in the world, hey, you know, maybe you see the world as this way or that way, one and zero, but at least you're doing something. And then there's a bucket that I belong in, which is the public interest, civil society hacker, and I feel like that's a
group that doesn't get enough attention. That's a group that white people don't realize, like, how do I get involved there, how do I get funding there, how do I get paid there, what's that look like, right? It's not all like, ACLU is only so many positions, EFF is mostly lawyers, right, I mean, Cooper is awesome, Eva is awesome, like the attackers under the hood, yeah, but there's other opportunities. Okay, so one opportunity, this is not, like, a paid opportunity yet, but it's a new thing that just started. There's a hacker named Nex, real name Claudio, who works for Amnesty International and who makes a lot of interesting tools. If you are interested in reverse engineering or
malware, you'll see that some of Claudio's tools are trying to make it push-button to find basic abnormalities, to find indicators of compromise, like Cuckoo and other things like that. So at a Chaos Computer Club, I think it was two years ago... did I hear music? Okay, but it's cool. At a Chaos Computer Club, Nex decided to launch this thing, Security Without Borders, because there's Doctors Without Borders and there's Reporters Without Borders, but there's not really this idea of Security Without Borders. When we read about a hack that's affecting people, for example, just recently there was this discovery by a group called Citizen Lab at University of Toronto that citizens of Ethiopia were being surveilled, but not in
Ethiopia. They live in New York, they live in London, they're being surveilled by their country where they sat, which is very strange and should never happen. But when these things happen and we read about these reports, it doesn't mean that the affected communities are getting the aid that they need, because there aren't enough of us to do that. The ratio would be like drinking out of a firehose. Security Without Borders is an attempt to say, no matter what your level of skill, we're gonna get you in a position where you can donate a few hours or a few days or a few weeks and assist a community in need, and I think it's really admirable, it's really nice. So
please look into it. This is Emily. Emily was really awesome, and actually at my last CryptoHarlem event Emily spoke to the people, which is great. Emily's a former NSA hacker, I'm gonna say, right? And what Emily was like: I'm concerned about this growing aggression, right, intolerance and hate groups. And so Emily created a thing called Nemesis, which was the first of, like, maybe I should learn how to do this. I don't know anything about object recognition, I don't know anything about teaching a computer, machine learning, and having it be able to identify objects. And I decided not to put up a picture of Nemesis identifying a symbol of hate; I decided I'll just put up
a picture of Donald Trump, because... and it's identified as a plate of lasagna, 91%. This is probably like an early test. It's amazingly accurate. It's so accurate that you can run this tool, Nemesis (that is not a plate of lasagna), on a video, and if you run it on a video it'll show you everywhere that a symbol of hate has been hiding in that video, which I think is an amazing project. So you know, one thing that I think is awesome, among the many awesome things about Emily, is even though Emily came from the intelligence community, Emily was like, I identify with certain movements or causes, I have solidarity
and I have a certain passion, I'm a human being, and I'm gonna spend some time just attempting to do something that Facebook doesn't do, that Twitter doesn't do. And she did it. Like, one human being created a tool that would allow you to just block every troll and every horrible person on the internet, and you wonder why social media companies haven't built something like this, especially now that it's open source and on the web and you can look at it. So if you're interested in this, definitely check out the code base. Okay, Andre is a former FBI agent. He also spoke at CryptoHarlem; I like to try to make sure the govvies get a voice there,
because honestly, you know, at the speakers' dinner yesterday (sorry we didn't invite you, there wasn't that much food), at the speakers' dinner yesterday we talked about how in the media, on TV, hackers are one of these four things and we're fighting against each other, but in reality we're like 80% the same. Like, we listen to the same silly music, we like the same silly TV and movies, and the other 20% we don't talk about, right? And Andre spoke about the FBI before there was a division that was set up just for hacking and for finding bad hackers, or people who, you know, law enforcement were going after. And Andre
now works in the private security world, another example of someone who started in the intelligence community and now works in private security. And if you're a fan of Mr. Robot, Andre is the person that makes sure all the FBI stuff is legit. Because we all know the hacking is legit, because we understand some of that, but maybe you don't know, because you're not an FBI agent, that the FBI stuff is legit. And they even have a character that's a fake Andre, this character you might have seen in the last season. Yeah, it's kind of like, hey, ha ha, you know, I think his name is Andre too; it kind of looks like Andre there. And
moving on. But again, govvie person moving to commercial is a path that you see all the time, but you don't have to start as the govvie person to get there. In fact, a lot of times people will think, you know what, I should have just gone commercial; I just didn't realize the path. If you self-identify as a woman, there is one of the best reverse engineering malware courses available in the world and it's free; all you have to do is get to it. It's called BlackHoodie, and blackhoodie_re is BlackHoodie reverse engineering. BlackHoodie was the idea of Marion, who is a malware hunter, and Marion, also known as pinkflawd on Twitter, was like: I want to see more people who look like me in these rooms when I'm taking trainings, I want to see more people who look like me in these meetings when I'm working on malware; why aren't there those people? And people would say, well, women aren't interested in this, and there are no women. And so Marion thought, well, I'm a woman, so that can't be true. Let me just try to do this thing where I say, hey, I'm gonna be in this room, and if anybody wants to come, we'll do three days of intensive classes after email correspondence training. And tons of people showed up and tons of people graduated, and it happens every single year.
Cool. These are people who are changing things, using some of their work experience and some of their identity and who they are to push things forward. Harlow Holmes works for Freedom of the Press Foundation. Freedom of the Press is an organization that works with news organizations, reporters and journalists, and Edward Snowden has a position at Freedom of the Press Foundation. Eva works as the director of cybersecurity at EFF. Every day, when a reporter needs a training on just how to do simple things like GPG, or difficult things like source management, right, or, you know, trying to understand chain of custody for things they receive from a whistleblower, Harlow takes that call, and the nonprofit
Freedom of the Press Foundation fronts a lot of that bill so people can get the care that they need. And they publish information, and they have a site now that also looks for abuses of the digital rights of reporters all around the world, and it has a map and you can just kind of check it all out. Eva is a woman on the internet who knows how bad trolling is, who also understands that some of the biggest threats, when you look at a real threat model facing people who self-identify as women, are their partner or an ex-partner. And she wrote a post on Twitter: if you're a woman and you're getting harassed or having a problem with a hacker, let me
know, I will help you. [Applause] It's kind of crazy to just write that in your timeline, and then you get thousands of people liking it, and all these, how do I get DMs, like, what's the best way to do it? But she was like, look, I got to start somewhere, right? I might not be able to help every single person, but I definitely helped the first five, 10, 15, 20, right? What if we all just said, I'll help one of you? So many people were like, I need help, and it was really funny, 'cause some of the posts afterwards were like, wow, like, these hackers are not good; this was easier than I thought, you know.
Runa is a friend of mine who used to work for organizations like gjs, who took hostile environment training, understands physical security the way I do, which is like from sitting waiting for my turn, into my digital side, right? But she now works in a new position that's going to be in every newsroom in the world, and that's leading digital security and information security for a news organization; in her case it's the New York Times. If you care about news and fake news, if you care about media and how their stories are told, they need you. There's an application security position open right now at the New York Times; you can go from studying here or attending BSides to working there. Micah works for
a smaller news organization called The Intercept; they're like a website only. I was hanging out with Micah the other day, you know, smiling, hanging out, throwing back a drink, give me a high five. It's like you think he has no worries in the world, but he's the person that defends the Snowden archive. Regardless of how you feel about the fact that those documents exist, he's the person who decides what gets locked down and how, so when they slowly release them it's not spilt all over the place, right? And so the list of adversaries and people who are interested in seeing those documents before they get published is, as you can imagine, rather high. But these are the
challenges that are really exciting, because there's no path easily laid down. You're not sitting there at work following a checklist that was made by a consulting firm; you know, a lot of times a group will hire you not for your intellect and skill but because you can never get this checklist wrong, and that can get pretty boring after a while. Imagine playing a game where there are no rules and there's no clear path forward.
On the hacktivist side and on the cybercrime side, I asked a bunch of my friends, like, who wants to be in the slide? Really strange, everybody stepped away; they were like, no, no, no, no. So I had to go with people who, you know, have already had their moment, right? tflow, Mustafa, used to work for LulzSec, and I think he was 16 years old at that time, and at one moment they were the baddest hacker crew on the known internet. They would point to a target, and whatever they said they were gonna do got done. But then we all know, you know, the whole Sabu story, okay. So
but now Mustafa is an amazing researcher, and, you know, I think it was just in December I was watching him speak about his work, noticing how British spies work on the internet to, you know, discover information. It's a really amazing video; if you go to media.ccc.de (media, like video, audio, media, dot three C's, Chaos Computer Club, dot de as in Deutschland) and just type in Mustafa Al-Bassam, you'll see this great, great video. You're probably watching right now, headphones please. John Threat, aka Corrupt: you know, one thing you'll notice is when you're done with your hacktivist career, which usually doesn't end well, or you're done with your cybercrime career, like,
you know, Secret Service was like, Corrupt, please stop jumping into phone calls and phone lines, and he was like, maybe, right? So then there was one year in federal prison, but after that he became John Threat the filmmaker, and also someone who was a hero of mine when I was a kid. You know, I picked up this Wired magazine and there was a guy who looked like me on the cover; I'd never seen anything like that before, and I found out that he was doing exactly what I was doing but at this, like, really insane high level, high stakes. And John is someone who's still very passionate about this work, but now on the legal side, or, you know, not so
easily.
Sarah Jamie Lewis wrote a book, Queer Privacy. Sarah used to work for GCHQ, which is kind of like the NSA in England, right, but now works on things that she sounds really passionate about, which are how threats are different for different people, how the queer community has issues with privacy, and how that spills into the digital side of things. When your very identity is a thing that is most under threat, the digital side of that is quite important. Also, Sarah does work on securing modern toys that have intelligence and Bluetooth and all kinds of crazy things, for parents, and also personal pleasure devices, which are now getting really high-tech but with very, very bad
application and digital security, and you probably don't want that thing near your body. So, just because, like, it's weird, because this is something that was like, well, I use these things, I want to look into it, I have curiosity, and I'm gonna write papers and blog posts that make a difference. It touches my identity, touches my community, and I'm gonna make a difference. And from that you're gonna get calls, you're gonna find consulting work, you're gonna have articles written about you. That's a path that you can take. Keirsten is a woman who, single mom, was working a computer job, heard about, like, I want to get into this InfoSec thing, was dealing with a tough boss who was
treating her not the same as all the other employees because she was a woman. But she wrote this book, Secure the InfoSec Bag, now is doing great work on industrial control systems and securing them in one of the states in this country, and this book is new. And it's kind of like, there's no path; there's read this, get this cert, follow this, but it's not laid out in any kind of procedural way, and that's what this book is. It's kind of like a checklist for people who get a job and are wondering, how can I get better? They get a job and they wonder, how can I succeed? And her goal is to make it so that all the bug
bounties on HackerOne are claimed by women. I think it's an admirable goal.
Quiessence is the cyber officer for New York City. Quiessence is super young and is in charge of securing New York City on the cyber front, as a CISO for New York City. It's like a new position; every city is gonna get a CISO and they don't know where to turn. Quiessence has so many certs, like, my head spins; it's like looking at the alphabet 300 times, right? If you follow that path, you'll be the CISO of Rochester or any city you want, alright, 'cause it's a burgeoning field. It's a new thing that's happening; the federal government, local and national, need you to secure cities, villages, states. And Parisa is someone I'm just gonna talk
about. There was a conference, RSA Conference, which is a sponsor, a sponsor of this, and Parisa started her own conference called OURSA Conference. It's kind of like, you know, jokey, but it's very inclusive and very diverse, because she didn't see the conference that she wanted, so she made it, in a very short period of time, I think a matter of weeks, and it's a real thing (so, yes, with an "our", yes). And people just continued to buy tickets just to support it, right? People were like, no, it's okay, take my money. We have that power, because our community looks like so many different shapes and sizes but cares about the same thing.
Masashi is someone who works at Citizen Lab. Citizen Lab is something that's out of the University of Toronto and is new, but I know that there are things like it happening in Berkeley now, and more tech hubs are developing these kinds of centers of, kind of like, cyber excellence. At Citizen Lab they track how nation-states use malware and surveillance against citizens. One quick story: in Mexico, a place where I've done trainings and worked with folks, there were a bunch of activists who were getting the same strange text message: click on this link. Sometimes it would say things like, your daughter was in a car accident, this is a link to the hospital, things like that, right? And most...
there's a group called Access Now that many in the audience might not be familiar with, but they have a helpline, which is an encrypted email line. You send them an encrypted email; it's open to anyone who calls themselves an activist, right, and they will send you a reply. And they were getting all these emails from people who were not connected and did not know each other, with the same basic message. They knew it had to be a threat; it's like the most obvious indicator of any kind of compromise, the most obvious sign that this is some kind of a sophisticated attack. They pushed it up to Citizen Lab, who analyzed it and found that this was a link to a zero-day that
affected all iPhones and allowed the person on the other end, in the command and control center, to have access to your phone, your messages; they owned your entire thing. They reached out to Apple, it was patched, and it stopped working, right? Citizen Lab is really small; Citizen Lab has very few people working there, and they're always moving into other parts of this community. They need new people, and other organizations like Citizen Lab also need new people, like this group in Berkeley. Calyx Institute, whose shirt I'm rocking, was founded by Nick Merrill, and Nick is an awesome person, because he had an ISP and they received a letter and it said, hey, we need information on one of your users,
IP address, etc. He'd never seen anything like it before. He gave it to his lawyer, who said, don't tell anyone that you got this thing. He's like, is this real? And the lawyer's like, I've never seen this before, but these are real seals, this is really from the government, it's the FBI subpoena. And it's the first time anyone ever fought a National Security Letter; it's the only reason why we know National Security Letters exist. Previously, the people who we give our data to were just, okay, yeah, I guess you can have it, anyone. And Calyx is like a very, very small operation; Calyx now is an institute that assists in education and in learning, and also sponsors my
event, CryptoHarlem; that's why I'm rocking a shirt, right? And Nick is someone who needs people to work with him, and all the groups like Calyx need people who are talented like you. He's a cool person to work for: bagels, coffee, low hours, right? If you're interested in how to get started on this path, I wanna let you know that I'm not just randomly pulling out some faces on Twitter; these are people who I talk to quite regularly and refer to and work with in the field all the time. There's this book that you probably have not read, but it's awesome, it just came out, and it's called Ties That Bind:
Organizational Security for Civil Society. Make sure that when you find this thing, Ties That Bind, it's written by The Engine Room, alright? Okay, not like, you know, the boating knots type of thing, okay. The Ford Foundation paid for an in-depth study into how civil society, the people who are trying to make this world a little less sucky, how they help, how they work, how nonprofits deal with organizational security. And it's something that we need to understand, because it's not something that's taught, and it's information that we can directly apply to assisting and finding jobs and roles in those organizations. There's this thing called a public interest technologist that's well funded, with grants and funding to the millions
of dollars, so you don't have to sleep on your friend's basement floor or couch or something like that. You can actually do this as a real job, and something that's different from working in intelligence or different from working in academia. There's another book, Holistic Security: A Strategy Manual for Human Rights Defenders. Holistic Security is 180-something pages and it's published by Tactical Tech. There's a book out there called something like Holistic Digital Security, but that's not this; it's Holistic Security by Tactical Tech. Both these books are free, by the way; you can just go to the website or find the information on the internet and get their PDFs. Another resource that I use all the
time when I'm doing risk assessments, when I'm kind of doing my decision matrix on, you know, trying to be objective, deciding whether it's safe to go somewhere or how I can help someone, because I need to understand exactly what it's like sitting where they are before I go sit with them, is this group Front Line Defenders, which publishes this thing called the Annual Report on Human Rights Defenders at Risk in 2017. Front Line Defenders does a lot of work in the digital space, and if you go to their website and you type in a country, you'll find someone who is in a country, or is in a city, or is in a place where their government came after them
because of something they did, like a USB or an email; it seems like that right there. An amazing organization, and this guide, or this annual report, is a must-read. Oh, how much time do I have? I'm over time, I think, right? Yeah, okay, okay, five minutes, okay. So I was gonna talk about some of my experiences in the field, so let's do this really quick in my five minutes. Would you rather a Q&A type thing? You could clap; you know, a name; you can clap twice. Anybody know your name? Nobody? One person, one question, okay. I'll talk to you afterwards, yeah, and thank you for asking a question; I'll find something to give you, maybe this jacket. Alright, so I
asked some people I work with, because I work in private commercial security. It's different from some of these great nonprofits like Freedom of the Press Foundation; our clients prefer discretion, right, whether I can get in depth about some stories. So I decided, like, we talked about it: this is the version of the story I'm going to tell, right? I was in a country, and the people there were getting hacked constantly. Their phones were getting hacked, their emails were getting hacked, and it ends up that in that country everyone uses Yahoo as their email provider. But you'll find, when you travel, that the world is so different by just moving a few miles or
kilometers in a different direction. Some countries, everyone uses Viber; they're like, WhatsApp, what's that? Right? Some countries, everyone uses Yahoo email, right? You can't tell them, don't use Yahoo email; it doesn't work that way, right? Your job is to find a way to make this safe. Your job is to meet them where they are and make that moment something that changes the whole trajectory of their movement, of their reporting, of whatever they're doing. I got them using 2FA, right, and I was explaining how it works: you put your number in, and then you'll get a text, and then you put this code in, put it in the field. But when you put your
number in in Yahoo, when you put this country in, it doesn't let you put the right number of digits in. Whoever programmed that field didn't realize, like, they have a different number, and it doesn't work. I had to, like, go in, inspect it, look at the request that came through, and just push in a number, and it took it. So, you know, that's not something that they could do tomorrow, right? That's not something they could do next week to protect themselves. So when I find things like this, you know, I'm just, okay, you know, you need a fix for this, this isn't good, you know. And the person always says, well, what do you mean it's not good? And I'm like, well,
this doesn't work for this particular country; you look up the number. And it's a really weird conversation you're gonna have. It's kind of like, if you've ever found a bug and you were trying to disclose it responsibly, it's like first there's these different phases: they're really defensive, and then they're confused, and then they're really suspicious, and then you get them to come around, and they still don't fix it, but eventually you get it done. And when you get this done it feels great, because you know that you're not just helping the people in that room, you're helping anyone from that country. When you get
this done, it's not like you found a flag in a CTF, which is super exciting, you know that feeling, but you're like, wow, like, I'm helping someone live, I'm helping someone be free, I'm helping someone maybe avoid being detained or tortured. I was working in an African country where they were not very evolved on gay rights; they're not very evolved on the rights of queer folks, gender non-conforming folks, right? And I had to work with a room of people from different countries, right? Africa is not... it's a continent, not one country, and every country has different laws. And I found, like, when I'm researching these laws, they were basically copying and pasting parts of European laws and
slapping them together and being like, this is our law, right? But in that, they were creating, like, okay, it looks like this thing that I want you to use, you can't go home and use that. If you get caught with this Tails USB, if you get caught with this VeraCrypt hidden volume, it could be over for you. So in that, you know, you can't follow the best practice that you read about on the internet, or when you see people arguing on Hacker News or Stack Overflow or whatever, right? You need to really dig deep and ask yourself, like, am I okay with sending this person off with advice that can get them in serious trouble? You
have to be very prescriptive, and it requires some understanding of law, some nuance, some understanding of the physical world. And we ended up coming up with a solution that didn't use computers at all, right? You know, so it was just kind of like, you're gonna go to this place, you're gonna blow a whistle, people will hear it. You know, those are the kinds of solutions you find yourself having to find. We don't always win. Sorry, I'm gonna keep it, I'm gonna try to wrap up, two minutes, thank you. There was recently a training in Turkey with people who do the same work that I do, working with a local
division of Amnesty and some other groups, just getting some students together and talking about digital safety. But unfortunately, due to a, like, perfect storm of bad coincidences and events, at that training the doors blew open from the back door, security forces came in and arrested everyone, the locals and the trainers, who were put into prison, and we had to campaign to get them out. You know, it's not the safest job in the world, right? It's not the easiest job in the world, but it's probably one of the most fulfilling. I feel, working in the field, shaking hands with someone who really is like a hero in your eyes... Sometimes I do check in, always, with my students, and
sometimes they don't answer me back, and I find out, like, they're on house arrest. They don't answer me back, and I find out that they disappeared. And I was having this conversation yesterday: what do you do when that happens? How do you continue to do this work? And I remember I was saying how, like, you know, you get a good therapist, right? First of all, your students are not risk-averse. These are people who are fighting so hard for the liberation of their people, for the positioning of their digital rights, to have a real open internet like that we enjoy every day, for things like this. They're reporters, they're activists, they're fighters, and they
know that they're gonna get a few; they have to take a few to give a few, right? And in that, I can feel pretty good, because I know that they would be doing this anyway, and I'm doing my best to outfit them with the tools and the skills they need to do it longer, to do it better. And they're appreciative, and every once in a while there is a win, and it just keeps you going. You celebrate that win, and it makes this job all worth it. So I'm sorry, too, I think that I'm gonna wrap up, okay. So, OTF: if you have an idea for some cool app or some cool tool, you don't need to go to
venture capitalists, you don't need to go to some social good hackathon; you can just look at what OTF has funded, learn about how they work, and consider trying to get together with a group, maybe one you form with your friends, and get a contract. Fight for the Future is a way to be an activist without worrying about ending up in prison; you know, they do a lot of great work and are very effective with very small groups of people. Reach out to them and say, listen, I've got the skills to do some of this good work. nekkid collection pooled money, that civil society... a lot of different groups came together to try to say, let's pool our
money, because we want to make sure that you get paid at competitive pay, or pay that's on par for the work that you do and your colleagues who are also leaving, alright? Okay. Mozilla has an Open Web program; Mozilla will pay you for a year to travel the world to work with a nonprofit and help them with making the internet healthier, and the applications are open right now, so just apply. I mean, I applied, and it was hundreds and hundreds of applicants; they picked eight of us, and it's like winning the lottery. Just do it; it's a simple web form. New America Cybersecurity is a great initiative. If you're a pro out there... not all
this stuff is entry-level, but if you're a pro out there, think about getting a small fellowship with New America, writing a paper, having them support your work and attending their conferences, just getting immediately into working with people who are cyber, comms and military, different types of voices, and dealing with different types of problems. It really changed the way that I think about a lot of this stuff. The Ford Foundation has a Tech Fellows program, and that's where you'll actually work inside the Ford Foundation helping them with technology, and it's an ongoing fellowship program; I think it's like a two-year fellowship, and it's really amazing, and you'll end up having access to all these different groups of
all these different amazing people, right? Okay, who saw all the Mark Zuckerberg stuff? Mark Zuckerberg comes to the Hill, right? I know a couple of my friends at Tactical Tech were writing really funny posts like, Mr. Zuckerberg, my VCR keeps blinking 12:00 o'clock. We need the people who serve us, right, 'cause we're their constituents, to do better, and what better way than to go into Congress and immediately help someone understand the issues that we know so well. And that's what this Congressional Innovation Fellowship is: it's getting tech folks onto the Hill for about a year. Just look into it if you think, like, wow, I didn't like the way that went down; it's not really their fault. Can you
imagine not having someone who properly advises you, working with you every day? So why don't we, as good citizens... you're not gonna run for office, why not run for a nerdy office and get in there? Alright, Code for America is a similar program. They deal with programming and developing, but security and application security are becoming more part of this, and you'll get a stipend and you can work in different places, and there's a lot of positions open too. Sorry, I put it out there: there are organizations like the Foundation which do a lot of work in security, have fellowships and openings that, again, are accessible to people who are not, we're experienced out there, or
repair my voice, and a few things for people who maybe are starting out, okay. Nope, no. Aspiration Tech is a nonprofit that has a nonprofit dev summit, where developers working on open-source tools to help regular folks and activists are always out there. Sorry to come to your lunch. Chaos Computer Club: it's not easy to get to, it's a little overwhelming, but if you go you'll see me there, so just say what's up. re:publica is a large media conference, and it happens to be in Germany, but it's also a place where you'll meet people who are attacking this issue from a different point of view; not everything comes from San Francisco in the world of InfoSec and app sec tools.
RightsCon is coming up; it's in Toronto. It's a place where activists and policy makers get together to try to come up with digital rights and security issues, and all these things have job boards, by the way. Also, the Freedom Forum is something from the Human Rights Foundation, who I work with, and, you know, when you go to the forum it's kind of like a TED talk but for activists and dissidents. I met someone who was poisoned several times by the FSB, which is like the Russian security forces. I met someone who is an opposition leader who's like, I know the people surveilling me; I bring them tea in the morning, they sit outside in
the car, right? You'll get to meet great, amazing people like this, but you also get to help them and talk to them about InfoSec. So I know that this is something that... they have, like, a little kind of Genius Bar, a tech bar, every year, and it's really... and they need more people there to help these folks. It's really amazing. Okay, Allied Media Conference is an American conference for American activists, and it's in its 20th anniversary, and it's in Detroit every year, so you can think about, you know, just going there. It's really, really young, it's really, really exciting, and techies and hackers and InfoSec folks are always needed by these growing movements in our own country.
ThoughtWorks is a commercial company that tends to be kind of progressive and allows people to do passion projects. And okay, that's it. Sorry, what's the Earth? Do a good job, protect it. That's my slides, sorry about that. Okay, please eat some food; the food truck line is not for the meek, sorry. Right, over, man. I hope that was good.