Play to Win: Teaching OSINT Through Hands-on Activities

good afternoon besides Augusta how's how y'all doing right now everybody got that Chick-fil-A kind of ah after lunch feel yeah that was my first Chick-fil-A Sandwich I've been in a different place in this world so I couldn't go but couldn't have they were pretty damn good pretty damn good and we're thrilled that you're gonna be here with us for the next hour or so um we do have some prizes to give away we have four prizes for those of you that ask great questions and participate with us also Griffin and I like doing things that are interactive so uh we need you if you want to play along get out your phone get out your laptop

you're gonna need the Internet because the reality is that I could stand up in here and teach you about things on slides I could talk to you about how you need to learn by taking training or doing other stuff but that's not fun what if we did things a little differently that's what we're going to focus on in the next couple minutes Okay so we start out with a challenge this is an ocean talk we want to give you an ocean challenge what we're not going to give you is any help any hints any clues any knowledge or anything like that so you may already possess what it takes to solve this Challenge and that's great

you may not so you might have to go and see if you can figure it out we're going to give you 60 seconds to do it in a second here three words are going to appear in that red box on the screen there's a structure that correlates with a location that are related to those three words okay those three words will take you to a place in the world if you know what to do and at that place in the world there's a structure we want the name of that structure in 60 Seconds and when you when you know that name of that structure yell it out the first two people to yell it out actually will get

prizes now of course that means you don't actually have to do any of this you just have to be the first one to cat copy what the first person says and the second place person will absolutely be fine you ready yes let's do this here we go 60 seconds Starts Now where is this location

uh yeah that might be good nice

and we've got some lock picks for you young man here we go well done very very good 15 seconds that's great now for those of you that are wondering what the heck just happened um we're gonna reveal this to you but what we need you to do is think about uh I'll take this this is fun okay so think about your experience that just happened right there okay when we told you that this was the challenge you were gonna have to work with these three words I saw a whole bunch of people right away light up grab their phone grab their laptop they know what to do okay and then I saw a whole bunch of

other people that are just looking at me like what three words what does that mean I don't understand so did you know what to do instinctively right off the bat did you have the knowledge already coming into the challenge in order to be able to be successful how did that make you feel if you didn't okay a lot of competitive people in this room I'm assuming right we all like to compete and win did that motivate you or demotivate you that you felt like either you were adequate or inadequate in your knowledge did you learn anything or were you even able to learn anything in the 15 seconds that it took someone else to solve it

who had the knowledge maybe not

oh it was true that was the Eiffel Tower and how do I know because we made the slides and I'll show you in just a moment all right very good so some of you had the knowledge and some of you did not but for those of you that did not could you have solved it if we gave you some hints so I'm going to show you a couple of hints here the first one would be the logo up on the screen those slashes inside that red box is a logo that you would have needed to know how to solve this challenge if you didn't already know some of you are probably thinking right now okay I can take that logo I can go

work with it I know what to do here's another hint if the three slashes aren't familiar maybe a site like symbols.com can tell you what they mean so now another group of you all of a sudden leveled up and said you know what I think I could figure it out from here to find the correct location the correct geographic location you have to be precise with your spelling so those exact three words exactly how we spelled them would have led you to the Eiffel Tower in Paris France if you know that a site called what three words has mapped out the world in three meter squares and each one of those three meter squares has an individual con uh connection

between three specific words in a certain order they don't repeat anywhere else and you can use those three words to Lead somebody to a three meter spot anywhere in the world congratulations you just completed a learning Capture the Flag experience and that's our talk everybody thank you very much for coming please thank you very good okay so and the point is some of you also gained some knowledge because not everybody in the room knew right off the bat that they were going to be able to solve that challenge but now every one of you knows how to do that or at least where to look so a little bit about us my name is Griffin online I go by Atlas

wonder if you're involved in the online ocean Community um I I do a couple of different things I work with Micah in the myosin Training Site we gave a talk uh training rather two-day training this week on open source intelligence we also both are co-founders of the ocean Games capture the flag platform uh which we're going to tell you about here in a second I also am the director of intelligence for the national Child Protection task force and that's a us-based but International working non-profit heavily comprised of law enforcement prosecutors and now Tech professionals that combine their skills in order to work on cases of missing exploited and trafficked children around the world so we take the skills that we're going

to talk about learning in this talk today and somebody like myself or the people on my team put them to work to help find Predators or victims of crimes against children and I have a history in cyber security I grew up doing b-sides up in the Washington DC area all around and I love cyber security and and the infosec community I've been around for a while I wrote a Sans class on open source intelligence I taught web app pen testing and I really found myself gravitating more towards open source intelligence or stalking people odds researching people online and when I was doing that I was like you know we can teach this we can help people learn how

to do this because the techniques unlike many of the Cyber techniques where you might need an advanced degree in what the heck 802.16 is and how it propagates through metal versus wood innocent it's looking at social media it's looking at things that you and I do every day and so what I did was I created the myosync training company the ocean games company and uh Griffin has helped me out with some of those things but let's uh let's talk a little bit about what you're going to be able to get out of this talk first off we're going to be talking about what is Ocean's a little bit deeper because I know that this is info second I know

that many of you probably already used osin in your work whether you're offensive defensive or somebody else that's not even in cyber you're doing open source intelligence you just don't know it yet also we're going to be talking about gamification how do you make learning fun who here has ever sat in a class and you're like I can't wait for this thing to to end what the heck is this guy talking about oh I could teach this yeah that's not fun that's not a way to learn that's a way to go to sleep and that's not what we're here to show you we're here to show you that learning can be fun all you need to do

is find the places to do it also through the years of teaching either Sans classes or other classes Griffin and I figured out that people learn in different ways I know right it's weird but you know if you're a visual learner or a person that likes that do things with your hands like assemble Badges and what we're going to do is we're going to help point you at those types of online challenges that might be right for you all right and we'll show you where these challenges are okay so another challenge oh sorry that's mine that's yeah that's your cue we'll get this figured out we'll get this one okay so in the rest of the slides throughout this deck we've

hidden three words okay they correlate to a monument now all of you should know what that means if you see a word that has red text and those three slashes in front of it they might not always be obvious but that's going to be one of the three words that are clues that will lead you to the Vic the location by the way that's not one of the words okay obviously we've experienced this before they are not in the correct order so you're going to get three words and you have to try some combinations figure out what the correct order is and when you get that go ahead and tweet it to us with that

hashtag ocean games Augusta and the winner whoever tweets to us first we will reply to your Tweet and say great job so big big money on the line now the reality is is that you know we're talking about oh sent here at a cyber conference and uh set conference but like I said the world of Open Source intelligence or ocean is one that you've been in for probably decades and you didn't even know it many of you use the same skills to find things to research people to research products to look up who's doing what and what we do like Griffin said is we find people and we do that with a certain goal in

mind hey this person is exploiting other people let's find where they live where they work what they do oh this attacker is hacking somebody let's research that domain that their their uh their information calls back to so there's lots of ways that we actually use um ocean skills in the world of cyber and really I mean as an offensive security person I used to do I used to love doing recon on my targets and and when I did I was amazed at what I found one of part of our process before we'd hack a website for a customer is we would Google the name of the website and when we Google the name of the website

you never knew what came back but if you Google properly you could find some really cool stuff like one time I found this this help document who here reads help documents yeah oh look at you all reading the manual yeah yeah the funny manual um yeah so you read the help document and I'm reading the help document and my buddies are telling me hey Micah we need to be scanning this host we need to be exploiting I'm like whoa whoa whoa there Cowboy let's just read the manual so I read the manual sure enough on like page three it said if you want to log in to the application that we were testing enter a username

like this and a password like that so I went and I entered that username entered that password and I was in my buddies were like what exploit did you use I'm like Google so there's a lot of power in these tools we are sharing so much data intentionally and unintentionally on the internet those of us that know how to actually find that are quite successful in our work now as I mentioned you probably have done some Googling or some mapping to get here right how do you find out where to park how do you find out where this location is pictures of Mark Baggett looking like a boss I mean these are things that people are looking for and they

correlate to Ocean skills I was looking to see if anybody would take a picture of that no please don't please it is it is being tweeted to baguette probably yes okay so let's talk about gamification the science of gamification you probably experienced gamification all throughout your lives in different ways and we want to talk about gamification as it relates to learning there's a number of different reasons why it makes learning experiences better how many people in here as part of their job are tasked with training other people a lot of hands right so the traditional way of training people is you prepare your materials maybe you get some walkthroughs you put everything together in a logical order you uh lay it all out

in slides and you go and you present the material okay and that's fine for some people and they can learn that way and they can see it and depending on your presentation they might be able to absorb that but other people just don't quite learn that way okay some other people might need a little bit more Hands-On or they might need a little bit more mental motivation maybe they need some type of reward or uh you know the motivation of achievement or things like that gamification brings that into your teaching so if you teach I would encourage you to think about how to gamify your learning we just taught all of you how to find what three words and

use that to make a location that was fun right okay better than us showing a slide has what three words website on it and telling you what it is it was a challenge okay and everybody had that experience together and when you incorporate gamification into to your teaching style or if you know that it's part of a learning style that helps you learn and you look for resources that give that to you you're resilient to failure because failure in a gamified setting doesn't feel as finite as failure in your day job right it doesn't feel as as finite as I just got out of that training class and walked back over to my desk and I

couldn't do the thing that I was just supposed to learn okay gamification helps you fail forward games can create an emotional connection I'm going to show you an image here and I want to know how many people have an emotional connection to this image a lot of people in the world right it's Candy Crush a lot of people have an emotional connection to that game they have to get in there they have to play it they have to have the daily achievements okay gamification hooks people in it makes it fun and entertaining something like this takes advantage of it and becomes a worldwide sensation okay think about the psychological aspects of gamification and how tangible it can

make the learning for you but then think about your kids how many people in here have children okay how many of your children have a tablet or a device with games okay right and the kids love those things if they're like my kid my four-year-old would literally starve to death if I gave him a tablet that was plugged in and just walked away okay he wants to do nothing but play those games and he's learning I mean they learn colors they learn shapes they learn how to do things because that that learning is gamified it's fun okay who would have thought that learning could be fun also from many many years of being in the cyber world I know that there's lots

of different types of ways to learn right we have captured the flags that I've played at Derby con if you remember Derby con at Defcon at other places and I have almost not showered for three days as I've been intensely focused on getting the most points in a certain game but I know that not everybody learns that way and that's really not motivated some people if you have a crisis situation or you have one hour or 60 seconds to do something people rise to the occasion especially if they're bringing their existing knowledge to Bear if you know about what three words and we say we're going to give you three words that represent the geographic

location you are going to be able to better perform the tasks that we're going to give you and so what we find is that some of the educational experiences some of those capture the flags that are out there the people that are performing best are the ones that are already qualified to do those tasks the people that like to take their time like to make their notes like to go over their forms and processes those people are learning but are not necessarily going to be as successful on some kind of scoreboard also pressure I've seen situations uh so before cyber I was in medicine for a little bit and I've seen people just crumble under the pressure of a very

stressful life and death situation have seen other people that just hop in and know exactly what to do also some of you probably do really well if you can just kind of relax you like your lavender candle you have your hacking glow lights on in the background right you set the mood now you're ready to go you got your Tic Tac yeah I mean these types of situations can be tailored these learning experiences can be tailored whether you love to compete show your name on a scoreboard get the high score get a perfect score get that recognition or whether you're a solo performer everybody should be able to learn the way that they want and imagine how how

discouraging it would be if you are new to a field New to a topic and we're like hey look all these people have already gotten perfect scores and it only took them like two hours and you get to question one you're like I have no idea what even what three words is a little discouraging there would that make you want to continue learning maybe for some of you most of you maybe not also some people like working as a team some people need to play as a team and other people are more of those lone performers either way is absolutely fine and there are certain situations where one might be more beneficial to the other working as a team can be great

because you can parse out things hey you cover this you cover this you cover this I'm going to focus on that and then we'll all come together and we'll win the challenge versus you being responsible for everything I know a lot of people that love being responsible for everything because they know that they can count on themselves they know that they're not going to take that two hour break after lunch because they're tired and the team will suffer so competition can be good also there are a lot of resources out there in cyber security there are a bazillion capture the flags that are free it people just giving it away there are also some that maybe have some type

of donation associated with them or some other a monetary type of investment in the ocean World same thing we've got free ones out there we've got paid ones and and really you there's a there's a great mix you can choose which one works for you okay so we're going to talk about are there any ocean focused games okay some of you may be using oscent in your job right now in your daily lives some of you may be interested in Ocean maybe like Micah and they want to make the jump into just doing that full-time uh it's one of those things that just catches certain people it's fun right it's if you have the bug you have the

bug and if you're one of those people like Micah and myself who really really love open source intelligence or you want to learn and you're fascinated we've got some resources for you I have a start me page that I'm a bit of an information hoarder okay I love knowledge I love to read people's blogs I love reading articles I like watching videos I like being in communities where I can learn from other people that's fun for me but it gets a little bit overwhelming okay so a long time ago I created a start me page and I used it to organize my own thoughts I have a section on my favorite blogs I have a section on my

favorite open source intelligence tool sets there's like 50 different places in there just in the tool set section and each one of them might have two thousand three thousand different tools categorized based on what you're trying to do in ocent okay I don't have to think about where my resources are now I can go to one place and for those of you that are not familiar with what a start me is it's just a bookmark page of URLs these icons up here represent a website so each of those websites may have different types of challenge content on it in the ocean World lots of people love sharing their URLs their bookmarks via these start me Pages yeah

great so let's talk through some of the discriminating factors for how you can actually choose the best CTF for you or the best learning challenge Hands-On learning challenge in ocent we're going to focus specifically the first one is one one shots I don't know if any of you look at Twitter and you see somebody posting a picture hey I'm on vacation and here's a picture out my window I bet nobody can figure out where I am okay those are one shots you figure it out you're done and sometimes those one shots help you learn something or practice is skill they're very low stress you work on it by yourself or you can work on it as a team but you do it

in your own time if there's no like limit on when you need to submit your response also there's no cost involved so very low barrier to entry the bad part is you got to wait for the next one to uh in the next post or the next time somebody put or uh sends one of these out there are some people out there that work and put these type of Open Source intelligence quizzes out every single day and it's at hashtag or not hashtag at quiztime on Twitter there are different people and the cool thing is is that they give you different uh targets different subjects sometimes they'll say hey I'm on a train right now

and they show you a picture they don't tell you anything about it there's no words and they're like what train is am I on and what is three stops from here what is the name of that town and you're like I don't even know what part of the world you're in but you work on it or you read the Twitter replies and you see how other people are solving this and you get smarter okay so this next format is the learning CTF and this is the one that's specifically designed to allow you to progress your learning along the way maybe not necessarily just test your skills okay in this case we're highlighting the ocean dojo and osun Dojo is an amazing

uh resource uh kind of an ecosystem now created by a friend of ours named cindwindy online and the ocent dojo allows you to not only go and learn and challenge your skills it also allows you to participate in the community so they have a rank system within the ocean Dojo where you can achieve higher ranks by completing different things and that can be giving a talk writing a blog post getting involved in a community so it really helps to build that sense of community and at the same time they also release challenges they also release videos and things like that designed to help you learn and this specific one that's on the slide is from the try hack me site which

some of you probably have been to free site you go there sin Wendy has created these challenges you go answer the questions have some fun learn some things the best part about it is like Griffin said this is about learning so there are hints in there and other things to help you learn and grow anybody ever play geoguessr here yeah this is one of my favorite favorite things geoguess are for those of you that don't know it we're going to see a little example of it later on but essentially this is a website that's made a game out of Google Street View imagery you ever go to Google Street View and you're like hey let me see

what's in this area well with geoguessr the idea is is that they put you down in a certain town city part of the world and you have to figure out based upon what you see around you where you are sometimes you have to get it right to the country level sometimes to the city level sometimes to the meter and it's actually kind of fun the the best part about it is the variety of games you like competing they've got Battle Royale where you're going to go up against the people on the other side of the world that have nothing else to do but play Geo guesser 24 7 and beat your butt and it's fun

sometimes if you're somebody like me that doesn't like to compete because you don't like some 12 year old on the other side of the world beating your butt then they have a co-op mode that you can play with your kids my kids are a little bit older than Griffin's and are in college and so you know on Friday nights or Saturday nights when things are going slow they want some time off they'll say hey Dad you want to play geoguessr and we could play together and figure out where in the world we are in fact we we shifted from watching The Great British Bake Off once it it finished its season last year from doing that on Friday

nights we started playing geoguessr and you'd be amazed at the other skills that your kids and you pick up and we'll talk about those in a little bit okay now we have ctfs with missions okay has anybody in here ever participated in a tracelab CTF just a couple of people okay so what Trace Labs has done is they created an entire organization around kind of gamifying the research of missing persons cases around the world so what they do is periodically maybe once a month or every couple of months depending on how things are going they will hold an event and it's got a static amount of time it'll be you know five six hours on a Sunday afternoon and you

can participate alone or in teams and what you do is you sign up and they give you at the beginning of the CTF event the targets there might be four five six different actual real missing persons cases from anywhere in the world and you get to start with whatever's available on that missing person's case and you go out with yourself or with your team and you gather up as much open source intelligence as you can that might generate leads about that person's whereabouts and you submit it and they have a point system a scoring system and you can achieve you can win a black badge like we're all accustomed to in other types of CTF challenges but more

importantly you're contributing to something big okay I was a volunteer for them a couple of years ago working on the reporting team in the background and after those events myself and a handful of other people took those tips compiled reports and sent them off to the law enforcement agent that's in charge of that missing person case and we help generate those leads CTS with a mission not only that but you see on the slide there's the at myosin training short URL that's just a short URL thing like bitly or owly or whatever because we save you time typing in the long URLs there um here's another one and this is actually really deep type of challenges

that that require you to invest a significant amount of your time learning exploring figuring stuff out um this is one from sector 035 who's a person over in Europe what he does is he makes these simple uh these simple challenges you just send an email off to a certain email address and what will happen is you'll get a reply back that'll start you on your journey then it'll tell you to do something when you do something you have to then submit it it will give you something else back and so each time you solve a challenge it'll give you your next mission it's actually kind of cool and I know people that spend literally the entire year working

through these really really hard challenges it's free you can do it however long you want and you you there's actually a lot of learning and growth that happens as well okay and just for you because you're our favorite audience this week as Michael likes to say we have a short favorite second favorite all right sorry if you took our training class earlier this week you guys are our favorite people these are the second favorite second favorite you guys are a very close second we created a very short example CTF with a handful of challenges in it short URL uh or a QR code up there that'll be up for probably a long time but no pressure right the stress factor

is really low you're not competing against anybody you can work it alone it's free it's just an example and an opportunity for you to come and try out a couple of challenges of your own yeah if you've never done an open source intelligent CTF or any CTF sometimes that first step that first barrier of oh my gosh other people are going to see what I'm posting oh my gosh I don't know what I'm doing we wanted to remove all that so all this is is a Google form and there's things that you submit to it things that cyber security people would probably have a a pretty good handle on and if not well we've got some hints

just submit your your answers and you'll learn exactly what uh what to do okay the idea is that ocean learning and Hands-On learning in general is a is an opportunity for you to Choose Your Own Adventure right you set the pace you choose what you do and some of the the offerings are absolutely incredible and when you match how you learn with what is out there you can do some amazing things you also get out of it what you put in this sounds kind of simple but the reality is a lot of people they will not they will they will not try very hard we have people that have done some of our ctfs that get in there and all they're

doing is they're brute forcing the answers we say something like the middle name of this person is six letters and they're like AAA b b b b b b c and they're just brute forcing it they're not even trying to go answer the challenge so if that's what you're doing fine but you're not actually learning from the engagement also try multiple platforms because what you'll find is that the way that Griffin and I create ctfs might be perfect for the way that you work but you also might find that sin windy or sector 035 or the people at hacktoria actually have something that's more engaging or fits you the way that you like to do things

with your team and you can you can go ahead and do a CTF with your team if you are concerned about being embarrassed about your low score or how slowly you're doing things on the scoreboard most of these ctfs allow you to create a pseudonym a name and if they require you to register with an email go and create a CTF email for you to use in these things that doesn't have your name in it so I might create you know John Doe one one three eight five at hotmail.com and that's what I'm using to register these so nothing's going to come back to Michael Hoffman so if I screw up in one of these ctfs so

what it doesn't matter well Griffin and I have found also is that the more you do this with friends the more you sit at the table like all right we're all going to do this CTF what did you get oh the more you work on that the bet the faster you actually learn yeah you'll get through the CTF better but you're tapping into the people around you skills experiences and knowledge and you'll actually do uh do some faster learning the first step is always the hardest one and so all we ask you to do is give it a try that example CTF nobody sees the results except for Griffin and I so if you've never done a capture the flag

give it a try that you have absolutely nothing to lose the other thing that you should think about is if you are working in some job cyber oh since whatever and you have to learn things on the job if you mess up then guess what the database might get corrupted or some hacker might get past your Yara rules or whatever I think I use that properly um or you know other things might happen that are bad in these ctfs the idea is is that you're training in a safe environment you mess up nothing happens you maybe get a little bit deduction on your points and that can be really really helpful to just allow you to

continue to learn and you decide you want to learn or compete this is from uh geoguessr I've played literally hundreds if not thousands probably hundreds of hours of Geo guesser um something I am proud of and I can tell you this there's sometimes I want to get the perfect 25 000 point value for five rounds of geoguessr and so I will work literally for hours trying to find out what this shape of somebody's mailbox in Sweden looks like and what street it can be found on because I want to be that precise other times I'm like yeah it's close enough to this oh look I got over 20 000 points you're not always going to

want to compete sometimes you just want to play and that's okay I gave a talk back in 2017 2018 on imposter syndrome a big mental health issue for a lot of people in cyber security and in other places as well and I talked about one of the ways to defeat or to Tamp down some of those feelings that I have about imposter syndrome are to track my progress learn a little bit each day see how fast you can do things see how much better you are than before and so when you're doing geogaster track your scores track how fast it took you to find things oh I'm really good over in Israel because they have Hebrew on all their signs

um I'm really good over there but I need to work over here and I can note my own progress so now we're not just learning we're working on our mental health and really helping ourselves get better okay so there's a bunch of other intangible benefits that comes with solving these challenges and Micah has talked about some of these things but they can bleed over into other parts of your life your approach to this type of learning or maybe your approach to developing this type of learning for your own team can help people build other skills the organizational skills how they keep track of the information how they document it their attention to detail all of that stuff matters when

you're solving a challenge and like we've talked about already it might matter because you compete against yourself it might matter because you're in front of a team and everybody can see what you're doing it might matter because you are results driven and you have to have the top score all of that's fine but the idea is that it's motivating those skills to come out okay it keeps you on task it helps you learn and it helps you get better so let's talk about this let me walk through a little example of how this might work and this here we're going to be working on persistence and determination because I know when you are doing your cyber threat intelligence

and you're trying to find out who's behind this IP address that's sending the whatever towards our systems or when you're looking at hey who's actually going to be hired for our company I want to learn about them and their skills and where they're coming from you are actually going through more than just a cursory look at the data that's out there this is from geoguessr um that that Google uh street view based game and sometimes in geoguessr you get put into a city and you can just you can literally scroll around and you can see like phone numbers and license plates and signs that say Micah's hot dog joint you go to Google and you type in Micah's

hot dog joint and there's only one in the entire world and you know exactly where you are and other times you're on a dirt road out in the middle of who knows where but the cool thing about geoguessr is that you can turn around and see that the road continues the other direction and there's nothing to go on but you know what by playing this game by realizing that I want to learn I start work going down the road and for this exercise I will just let you know I actually got like tendonitis in my elbow because it was it was kilometers of just clicking and clicking and clicking this is what I do for you all you see this hurting

myself um and so sometimes you see Signs Now signs and Geo guess are awesome because there's language there's shape there's color there's even things like how it's How the sign is strapped to the pole there are websites out there like Geo hints and Geo tips where you can actually look up hey for a sign with these two straps on the back that's probably over in Hungary versus Chile it's amazing so you look at the sign you're like um okay I I can't make that out so you get a little bit sad right but you keep working and you keep going down that road and another 15 minutes go by and I finally find this and I'm like yes

people and I've got Hogs and horses now I know nothing about Hogs horses foliage nothing like that so if I did know that that was a certain type of hog that is only raised in a certain part of the world I would be golden but this is just extra data and I don't know that what I can do is look at the people I can look at the color of their skin I can look at their clothing I can look at other things like hey there are they smoking cigarettes are they holding things what color are their clothing and then I note those in my I put that in my notes just like if you're doing a pen test

you're recording all the services that a system has open and then you'll come back to it you never know what you're going to need so I note these things down and I go down the road and you know what after about a half hour of going down this road just clicking you start seeing the Matrix like you see there's water there's like mud on the road there in the center tire tracks is this in the desert part of the world nope we also see certain vegetation up there Lush vegetation I mean there's probably a lot of water okay you know that that's something um we can we can kind of make those assumptions in our heads and then and

then you see a sign with words and you hear the angels singing and and you're like yes finally it's it says uh territorio um all right well I'm not exactly sure what that means but I go to Google Translate and I translate I'm like okay I'm getting some things now maybe we're in a certain place also there's standing water on that road means they'll probably get more water than they can than they can use all right so maybe rainforest if I translate this with Google lens on my mobile or on a device it says territory with community property Canada law all right but we also see the language the language where the number three is

this quechua I don't know what that is maybe some of you do but I Google it and what happens is it comes up and says South African people of Peru parts of Bolivia Chile Colombia and Ecuador now I've localized it there are six continents I don't care about right now just focusing on one and we put that in our bag and then we keep going down the road and we see these people wearing very traditional very common clothing of people in that area of the world so now I have confirmation and I'm still persistent so 15 minutes later I'm going down the road even further and I see another sign and I'm like yes I can kind of make out that word and

this is the problem with Google is that how many times you're like oh I'll just take that phone number off the building and it blurs it out redacts it here it's just low resolution but I I think that says tardigal and when you search on tardigal you find out that it's in Argentina and then when you look in Argentina and where tardigal is is it near Bolivia is it near Chile yes which really matches with that ketchup language right all right so now we start looking at roads that are going the same direction that we were going on that on geoguessr and when we find a road going Northeast and southwest that is in tardigal or

near tardigal we can pick a place on that road and when I put that that number two down there pardon me is like oh you put it down in the wrong place you're 12 kilometers off but in the entire world I was 12 kilometers away from this random picture in some part of the world I've never been to I chalk that up as a win even though I only got 4852 points because sometimes it comes it's the experience experience you get when that 12 kilometer result I know if I persist in my work I know if I persist in my learning I'll get to that end result eventually then I can put the ice packs on my arms

okay so of course it's not all about winning right but some people the motivated by winning people don't have fun unless they win or have a chance to win and that's okay I throw this in here as a little bit of a jab because obviously we are the type of people that try to err on the side of letting people have the learning experience without the pressure of competition but that's not for everyone and that's our talk ladies and gentlemen you might have noticed two out of the three slashes uh have appeared in the in this talk uh there's another one maybe oh wait do we all three of them were there well there you go well done so if

you know does anybody know where that location is yes dang you the world peace mind sir we have very good either a war collar dope scope for you so you can look weird while you're doing stuff or you have a coffee cup there you go cool um this is our information up here uh this is the a link to the CTF does anybody have any questions for Griffin or I yes yes congratulations okay okay so the question is we got in the ocean world what do you get what do you do if you are looking up a person and they don't have a lot of information online they're almost a ghost so in the ocean

world what we do is we look for that person any identifiers can't find it what we do is we know that sometimes the weakest links are the people around them so I'm going to Branch out to if it's in scope for my investigation and that's the thing is that Griffin and I do investigations we're not randomly stalking people we're not looking up people just to look into their lives we're doing it with a purpose so if my purpose is finding this person because they're in Jeopardy or they've gone missing I'm going to look at their friends I'm going to look at their family members because invariably there's going to be some family member taking a picture with my target even

though my target doesn't have a Facebook account so I'll switch to them other questions about open source intelligence or training or ctfs sir how do you avoid what how do you avoid getting yourself in trouble I'm thinking that you probably mean can you tell me more about what you mean

okay so uh the question is is how do you keep yourself safe when you might need to visit sites that has content that's not maybe legal or ethical for you to download would that be right Griffin go ahead and take this one sure so thanks how long can I stop um so I work in the world of uh crimes against children including child sexual exploitation material and things of that nature uh there are certain subsets of people with the legal authority to be able to handle and process that imagery there's also I mean we could spend the rest of the day talking about everything that runs alongside that from mental health to systems protection and

everything else what I will say is when it comes to open source intelligence strictly know your legal boundaries know your company policy boundaries because those will oftentimes be more stringent than your legal boundaries and also know the ethics of what you're going to do ethics is something that is uh there is no black and white ethical line there's a lot of things that are hotly debated you know is it is it open source intelligence if I go password knock your account on Facebook so I can get a partially redacted version of your email address so that I can corroborate it with something else and then I know that your phone number is the same as

those last two digits that I saw you know so there's there's gray areas in that regard when it comes to legality and it comes to the material literature I think that you're asking about there's no gray area okay if you're not authorized and you're not in law enforcement you don't go to those places you don't do those things

yes yes yeah I mean there are saved so one of the other things that Griffin and I do much like many of you that maybe uh malware hunters or incident responders that have to investigate some site that is some callback or or hosting malware that your users might be going to there are ways of visiting websites pulling down data without pulling sensitive content like malicious documents or even images I don't know if any of you are from the past like I am but I used to browse the internet using links which is a terminal based yeah we laugh about it but think about it if you have sensitive content like kids being exploited and that's absolutely legal for you to even

see or put on your computer in your web browser's cache don't even bring it down use a text-based web browser to get the text but not the images if there's other things that are illegal um that you that we didn't cover just talk to Griffin afterwards yes sir

so oh I can do this let me do it yeah so so the question is about synthetic personas which some of you might know as sock puppets some of you might know them as research accounts or alternative identities and they're these these uh false Persona they're people on social media that aren't really real people people are using them to put distance between their real accounts and whatever it is they're looking for so if I want to gain access to some organization I might on Facebook get a very attractive young woman's picture and make a very attractive uh maybe a Young Person's LinkedIn saying hey I just graduated with a cyber security degree in this place I'm studying for my a plus and I'm

really looking to get into cyber security and start connecting her to different places that's more catfishing that's the operationalizing of that of that sock puppet account but how do we figure this out well we verify and validate that's that's the first thing you look at that Pro profiling Griffin has done this two billion times taking scammer informations from Reddit and other things you you research those phone numbers to those emails those pictures is that picture reused somewhere else is it a model on some stock photo site yeah and if you're interested in learning how to do that myosin training has a class on it's a good one yeah so the the people that um the people that are very careful and

have great operational security and hide all of their details and stuff that can be very time consuming and maybe require some level of Engagement to uncover uh the folks that are doing this at scale the shotgun approach you know uh scam website that goes up for 48 hours until it gets knocked down and stuff those people are recycling elements because they don't have the luxury of time right they're recycling imagery they're recycling text from other places you can find uh you know you could find that text being repeated on the next scam website as soon as they send it up or uh you know maybe you find it referenced in Prior research material and like there's

things that you can do to exploit those unfortunately the really good one-on-one actors that only have their own time to to deal with that can like I said that can require engagement yeah you break apart that what's that fish ing fishing versus wind right if somebody takes the time to put in make a really good Persona you're not going to be able to discern the different I mean the personas that we use in our work you'll never be able to see them we're already connected to all of you hashtag besides Augusta yes sir

the question is what's the best way to create your own sock puppet so we're going to defer that because we teach classes that take 45 minutes to just teach part of that so um there are training courses out there that can help you create those and the idea with sock puppets good people use them because I don't want to go on Facebook looking you up and you see hey look Michael Hoffman ocean person is looking me up that might spook you or otherwise so we create sock puppet accounts legitimately not legally but legitimately and we um we use those instead of using our own but there are courses out there that that can help you

out with them other questions cool um well thank you all for coming and for staying awake we really appreciate it [Applause]