 Good morning everyone and welcome to the village talk area. I am Tony our tough nuts when with the packing hacking village We are just across the way come please and visit us And it is my great pleasure to introduce Will who is going to be talking about some stuff You've found about leakage of data and social media So without much to do if I could get everyone to please sit down Hold on D9 Can you there we go and will with that thank you very much here you go hi Could I get a show of hands in the audience those of you who use reddit? Awesome keep your hand raised if you subscribe to the DEF CON subreddit Good and one last question Of those few keep your hand raised if you post or comment to the DEF CON subreddit Not too many just one. All right, that's okay Yeah, I was hoping for a few more, but that's okay. None of them are here. We can talk as much as we want about them Yeah, so you've probably read the program this talk is about me spending the last 12 months Call it what it is stalking the DEF CON subreddit Seeking people's personal information that they might be leaking online So yeah, thanks for coming Language warning maybe information warning definitely Particularly anyone who had their hand raised in the last a couple of questions There is a small chance that you individually may be on these slides in the next 45 minutes or so But don't freak out I've done my due diligence due diligence. There's plenty of black text or all of the slides So you probably want you to recognize yourself Yeah, I just wanted to say before I started as well, this is meant to be a no prior knowledge required speech. So If you have any questions, can we just leave them to the end and I'm happy to answer them after that Let's get on with it. Yeah, obligatory intro slide. My name is will from Australia I work for a cyber security firm there my day job is actually Not related to this at all. I work in cybersecurity in the supply chain So if you're looking through the brief and you're wondering what the hell is this got to do with that? You'd be a hundred percent right and has nothing to do with it And also, yeah, I guess when I started it as well, I had almost none of the skills required and probably still don't To to do this kind of thing I'm I'm not a I'm not a coder pretty shit a code Not a social engineer And you probably get that from my shitty dad jokes and my poor tasting memes And I'm certainly not a data scientist. I have no ability to to wrangle dot large data sets so yeah, if you're in the audience and you are Professional in any of those areas. I apologize in advance. I'll probably butcher your Your fields of expertise and misrepresent entirely, but yeah, I Just I didn't have any of that stuff and just had a crack at it anyway So this is my second Def Con. I came here last year. It's like a bucket list thing with a few friends We went and visited the wall of sheep if you haven't been there recommend doing it at some point in the conference And we love the idea of like a practical way of kind of showing people What they're leaking on a network an unsecure network and Yeah, we thought that was an awesome idea and Like like most things after a few refreshing beverages. We kind of thought I thought to ourselves. That's a really awesome idea, you know during the conference Showing people over those four days. What kind of stuff they're leaking But what about all the stuff that people are leaking? 365 days a year Sharing on social media everything about themselves and Yeah, from there. We were like Wouldn't that be a cool way? Wouldn't that be a cool presentation to sort of collate all that information? And yeah present it back in a kind of like wall of sheep online edition. So that's what that's what we kind of came out So this is what we're going to be talking about. What would a wall of sheep online edition look like? Starting with my most overconfident plans, you know Someone with no ability to do it deciding to go and do it Yeah, what even is a leak took a little bit of time to kind of like have to work that out I had no idea what I was looking for Or defining what that was going to be Needed to learn the recon game Had no kind of clue what was going on there And then sort of like the rest of this talk is really just talking about how I started hunting and gathering and finding those people And then I promise if you sit through all that The last few slides will be talking about Sort of the most juicy slide packs of people that I found Yeah, so I was like how hard could it be, you know, everyone knows people leak stuff online. Everyone knows People overshare all the time social media these days has us lulled into this idea that you know Oversharing is what you should be doing on social media So I was like I'll just find some target group Come up with some things to look for and then, you know, manually sift through and just try to find Interesting folks and then short list those people and then monitor those juicier profiles And that was kind of it from the beginning. I was like, you know Had no real grand plans to actually do a talk like this It was actually just for shits and gigs and in the sidelines And then just sit and wait essentially see how long it took and then at some point We're like, oh, yeah, wouldn't it be awesome if we actually just went after the Defcon community instead of just any random community For a few reasons So as you're probably aware if you are all those people who are in the Defcon subreddit There's also a whole bunch of other social media platforms that the Defcon attendees like to use such as the forum such as the discord And yeah, and the reddit group. So all of those things kind of is really helpful because they all have, you know Great history. There's heaps of discussion on there. It's all different types of people on there different skill sets And one really awesome thing about you hackers is you like to reuse your handle everywhere So that was really good to kind of like just track people across those three different areas And also it's on topic But yeah for the rest of the brief though, I actually just focused on on on the subreddit So yeah, where the hell do I start? I was like It's one thing to sort of come up with this idea that wouldn't it be funny to scrape to scrape a whole bunch of social media But without any kind of idea of what to do or where to find the information. What am I even looking for? I was kind of like in a in a bit of a pickle in terms of actually actually starting So yeah, we're all kind of aware of what PII is personal identifiable information I was pretty I was pretty full bottle on what like what that kind of meant, you know, your name Data birth social security number you guys have all that kind of like basic stuff. I was pretty sure I could find that kind of thing But what about all the other stuff that people leak in terms of like their own personal information? It was kind of a pretty pretty wide scope and I didn't really have much Direction as to how to sort of define it or where to find it or any kind of like ability to do that at that stage Fortunately back home At my company, I had a guy who's sitting right next to me who has a PhD in cognitive behavior therapy a cognitive behavior and sort of Is a proper proper scientist Regarding that and he was actually researching at the time the the tendencies the language and the behavioral patterns of people proceeding of sec incidents and so I was like Riley tell me how to find this stuff or how to is there any manuals tell me how to like search for it And he pointed me down the track of you guys have some amazing resources here in America your three letter agencies like CIA FBI the National Center for Canada intelligence all have really great Manuals and doctrine online, and I was like, oh, that's a really great place to start And not sorry not to get into the social engineering community here I was an all really awesome treasure trove of sort of ways to find individuals and sort of target individuals So I used all that all those kind of Resources to kind of guide me in how I was going to find this other kind of information beyond PII And Yeah, I came to the they were all sort of pointing to the idea that there are these sort of like vulnerable sort of personal vulnerability traits Or more easily manipulated life situations or sort of like leverageable information Yeah, like, you know the Russians call it Compromat And I was like, ooh Compromat I think I'll add that to my my list of things I'm looking for beyond the sort of normal Names and addresses and things like that And my kind of simple mind could sort of track that as a kind of like easy way For an attacker or a malicious actor to search for, you know stuff to find like a soft target. So it's like that that makes sense Yeah, so I come up with this idea of this term called PVI personal vulnerability information. You heard it here first As opposed to traditional PII so traditional PII so there's like Super basic attributes that we're all kind of aware of and that organizations and governments government policy like to or Have in their in their policies to protect And your standard security awareness programs also have this stuff in it as well it's mostly, you know, don't put this stuff online, but if you compare that to all the other stuff that are people leaking and You know, isn't necessarily protected by this legislation or policy You kind of have to ask yourself like which one do I which one would I prefer to see in a leak? And also which one what am I actually leaking myself all the time? See I was beginning to see I was beginning to learn that PII is sort of like just scratching the surface in terms of like online targeting of people Yeah, and I was really realizing that like the real bad dudes out there are actually searching For people who maybe will leak rather than people who already have leaked And so if you think about all those things on that original slide I was talking about all those like PII versus PVI all these stuff that you might be leaking in the blue column over here have this like Provides an attacker with options to target you So it's like who are these bad dudes? Who are who are using this kind of stuff and in all of the research that I was doing? I was realizing that you know, it's not just the usual suspects that we're talking about here I'm not just talking about APT's and hacktivists. We've all heard the stuff about you know Online radicalization of young jihadis and things like that Which actually also adding, you know stalkers Jellisex partners child predators all of these other malicious actors online who are using the exact same methodology Of trying to find vulnerable targets Using the language that they're they're they're presenting online Yes, I had the what I was like, okay, that's great I'll be searching for actual facts about people and then kind of like personality types language use and those kind of things Now how the hell do I find that stuff on you know? Large large space of information So if you've been working in cybersecurity for a minute, you'd be aware of the intrusion kill chain Just wanted to put that up there We are definitely in the risk-consonance phase here just researching identifying and selecting targets And I was kind of trying to work out like how I was going to do this So I just decided to smush all this kind of like all these different organizations methodologies into one kind of Into one like my plan So use the CIA's Methods of like spot-assess and develop and also mixed in a bit of like the military concept of fine-fix finish and using those things Using those resources Online like particularly want to add the Department of Justice has awesome Annals of you know cases Here in America or like they kind of document exactly how espionage cases unfolded and how those people were approached online Yeah, and I came up with the idea of like fine-fix follow which I realized is just It's just pretty rudimentary, but sorry fix fine-followed so I fixed Chose the haystack chose the DEF CON subreddit It's gonna find those people using those terms amongst the anonymous users anonymous users And then assess for leakage leakability and tag those people from monitoring And really at this stage. I was just doing this pretty rudimentary just control F, you know finding Finding words So it's pretty basic at this stage Yeah, so sort of coming to the part where I started started doing it So had to have some assumptions to start with was deciding that like people who reveal in DEF CON Sorry reddit slash DEF CON will reveal elsewhere as a pretty pretty basic kind of assumption If you're not aware the DEF CON Reddit is pretty small. It's pretty small traffic a low traffic So compared to other other subreddits around there and it's going to be a pretty small percentage of those person those users posts So I was like, okay if I find situations in that I'm just going to track where else they're posting and try and find more information from that point Yeah, people who reveal big things probably do small ones also. That's a no-brainer. There is going to be old information. It's a very old you know It's not very old but as years go by there's going to be stuff where people have changed Changed the information that they that they're presenting And of course there will be deception because you know realize you guys you hackers a slippery bastards So it's really just searching for things like I work for my email addresses My name is and I live in realize that's pretty pretty amateur hour But that's just kind of like the small brain small brain position. I was in at this to start with Yeah, scraping was pretty slow had limited results I was really only finding one two three things and sort of just slowly plotting away And I was limited to those keywords what I'm not limited to those keywords But I was limited by those keywords just searching for those few things that I could think of as what would be good Strings to search for wasn't finding me. You know the kind of stuff I was after and at that stage I was Yeah, I was like, I'm not really hacking this. I'm really just like pushing forward But then you know GPT into the chat And I started ask it to help me define those leaky or vulnerable language And really open up those keywords to much more things and even better than I could consider as possible things I wanted to leak I wanted to search for And still some manual sifting needed then to after I found those initial targets through posts But those juicy into group individuals started to grow at this stage. I think I had like two or three people with one or two little posts where I was like, okay, I think I'm starting to develop something here and Yeah, so if you've used chat GPT in the past you or currently you probably know it does require us a bit of Sort of convincing to get it going. I had to kind of convince it. I was reviewing my own chat logs Make sure I wasn't revealing any personal information And it was quite happy to come up with you the things that I should be looking for to try and find PII and PVI And I was like awesome Can you but can you give me the sort of like words that might precede a leak? That would be a bit more helpful than just give me the concept of the kind of things that people are looking for Yeah, and I was like, okay, can you give me a hundred different versions of that? Which was which was really helpful because that I could sort of just still doing my control F still looking through At some stage I discovered there's like a A year ago. It was still functioning was a push shift IO, which is like a website We could do live queries of of of reddit data And I was just really just mandrically going through and inserting these keywords in there and trying to search And then going back on to the subreddit and trying to find the information It was still very very clunky as you can imagine Some of these keywords were some of these sort of preceding strings aren't exactly the kind of language that people are using in the DevCon subreddit like, you know, I Received an email from just not the language that's really in there But I was finding some stuff here and there Yeah, everything was going pretty great Until if you're if you if you're a user of reddit or if you're aware read it halfway through last year or halfway through this year It's just decided to cut all access to third-party apps and my super powerful search tool just kind of went dark and I was left sort of Motivation died regretted not submitting that I'm not Finishing earlier not producing any slides but already had already actually sent this presentation to Defconn. So I was like Had nothing And I was kind of like six weeks of just like whatever was a smart idea. Well, I thought it was a smart idea to begin with and I was like probably not going to be possible now, but then from total failure I Realized that some saint had been Archiving reddit data since the beginning of time. So there was literally Every single post every single comment that had ever been made in reddit In one gigantic text file And so I was like sweet 50,000 comments 6,000 posts now. I wasn't just looking at the last 12 months. I had 18 years worth The reddit the site the reddit. Sorry the Defconn reddit doesn't go back that far But now I was really just looking at you know a decades worth of comments Which gave me a map of much more big. Sorry a much larger data set to look through Yeah, sorry. So at that stage I was Yeah, so I'm sorry. It's kind of One of the problems with doing one of these briefs is going to remember what you're doing 12 months ago Now I was working with a text file. So now I'm just really just searching through a text file You know using Python to just search for strings within the text file rather than looking on reddit online using search But yeah at some point during the year. I was listening to Darknet Diaries episode big Darknet fan And I was listening to Sam Bent who he presented last year at Defconn. He was talking about how he was using he was trying to circumnavigate the The US Postal Service to send drugs through the mail and he was trying to work out how he was going to do it And he was like well one of the you know one of the things best things about the postal service is they have a manual online For what good looks like what they're searching for and he was like I'll just do the opposite And I was driving along. I was like I think I could just do the opposite So I went online to The Australian government website to try and find like the kind of attributes that they that they are looking for when they're trying to Give people security clearances or though or they're looking to give people security clearances And I was looking for attributes For people in that sense because I was like well, that's good. That's safe Those are the people those are the things that they think people will will present as You know being able to keep a secret or being able to you know You know keep the nation secrets And I was like hey chat you PT. Give me give me all the synonyms for all of those things And then also give me all the antonyms for all of those as well So I came up with a huge list of antonyms of like the types of people that I was looking for online And then I was like find me all variations of that So sort of like just punched out hundreds and hundreds of of different sentences Which might suggest the type of person who you know presents that that kind of those kind of characteristics And yeah now I really felt like I was cooking with gas because I was not only searching for these things I was searching for sort of permutations or variations of those Just little chunks of those and I was really Finding a lot of results using this method Yes, so I also wanted to find those leak facts. So thinking back to the beginning. I was also trying to find PII So, you know from a slow and sort of like noisy scrape I was now using those kind of that you know GPT enhanced powerful semantic search to try and find words Which sort of seemed like the person was either going to leak or had leaked The search method method didn't change for using the PII I Just had to obviously assess the peak that the leaks impacts There's some stuff that people are leaking is really just sort of basic stuff like down in this green area You know just put this together to try to like kind of Visualize the how I was assessing the kind of things of people leaking That's kind of what I call this death by a thousand likes because Lots of the stuff sure whatever it's just online But you know when you when you add it all up it really is and has an accumulative effect Yeah Yeah, so I had to assess the impact But also like the frequency if you if you're you know If you have 500 comments of in the in sort of green yellow area Maybe that's sort of only worth like one comment in the in the red in the red area There's still heaps of error as you're probably aware Chachi Pity made a lot of things up a lot of the time And it was still very human driven. I was still searching through and finding I Still had to go through and look through the results and actually kind of prove or disprove whether whether it was actually what I was looking for Yeah, as you could probably imagine 18 years is a long time I had lots of false positives lots of like comments that people were making and I was just like no, that's just that's nothing So that was taking quite a lot of my time. I was taking quite a lot of energy and It's pretty boring looking through lots and like hundreds of false positives. There's lots of non-repeat offenders So like you might make one mistake like one time ten years ago And post something about yourself and I was sort of like wasn't interested in that And there was lots of target drop-off as well. So like lots of the people I was looking at So lots of the results was happening a long time ago There's people might have just like moved on and not even been into security anymore So I kind of wasn't interested in that The one thing I want to say about that is like it's it's only about in this context, right? So I'm trying to find people I'm trying to produce slides that are interesting for you guys to look at if it's a malicious actor It's like those stalkers or predators or whatever or you know more advanced enemies We're like you need to imagine like they're only they only need one slip up or one thing that they're looking for So it's only about in this context Yeah, and today we're only gonna look at high-quantity packs I didn't really put anything together where someone had just made one slip But I was also thinking now. I'm actually you know now. I've got big brain big brain mode and Then yes sort of like a couple of months ago as you're probably aware Open AI gave us access to the API. So this was huge. I was like whoa God mode. I was now able to just plug the data that the massive text file of all of those comments straight into the chat GPT Prompt and just literally ask it questions about about the data Yes, I was as I said at the start. This is meant to be like a no no prior knowledge Brief and I certainly had no prior knowledge before I started it But what it meant was I didn't have to like search. I didn't have to produce any search scripts anymore I was no longer in charge of coming up with creative versions of the kind of stuff I was looking for I know no longer needed to Yeah, sorry I said that I just all left it all up to all up to the all up to the large language model, which was awesome It was just There's really limited only by tokens if you're not aware when you're asking it questions You are limited by a number of characters in and out But they really only just slowed me down I just had to like chunk up the data into smaller pieces and re-ask the questions over and over and yeah, and in the in the meantime in the meantime since creating this brief and you know Open AI forging ahead with its with its speed of technology now that that that characters is That you get in and out has multiplied by a factor of I think like six or eight. It's like huge number of a Huge token limit now Yes, and now is that that's an example up there of like the kind of things I was asking I was like, okay, so hey this Data set that I have is a huge list of it's like a it's a play of people who are preparing to go to a hacking conference Some people in there are really awesome saying really positive things and some people in there are kind of like exhibiting narcissistic or psychopathic kind of like Traits give me a list of the top five and it was just like an instant. There you go. Here's your here's your five top targets Which was sweet, I was like, okay, so in the data give me a list of users Suggests that that are suggesting the propensity to commit crimes Show me where they live Wasn't actually showing where they live But it was sort of saying like show me all the users that talk about a town name city name or anything like that So if you can imagine comparing to back when I was previously just using Python to search through I would have had to look through in terms of like a dictionary search of every single town every single place But obviously, yeah, you know chat you can do just knows and goes hit here all the people that say where they live Show me users that suggest fear Yeah, this is interesting one show me for a specific user over the last 10 years When they're online when they make their posts and finally I was like show me anyone who's looking for anything Who has posted anything about work working on anything special or out of the ordinary at their work? Yeah, so I guess the concept of The speech that I'm trying to give Trying to get across is that the barriers of entry are completely gone All those questions that I was asking in the beginning of how am I going to do it? You know what even search terms am I looking for what comments? What about things that don't match the terms? How do I how do I do it at scale? Where is it centralized and when you know when to do it all of that stuff is completely gone? because of all of these things that make up what we would what we consider like the Capabilities required to do that They're all inherent and anyone here can can literally go online and and do online targeting of people You know with absolutely no experience whatsoever Yeah, and some of my rehearsals someone was like how can't you keep it for just do this now? Like he does plug-ins that you can just connect to the internet and you can just do it But unfortunately, it's quite resistant to this kind of these kind of questions No matter how hard I tried GPT-4 is not happy to do it So, you know getting the data saving the data down getting it offline putting it on your computer And then using the prompts to scan through it much more successful and now Let's talk about I think I've got like five or six target packs here that I'm going to talk through Before I start I just want to have to make a few caveats To to the things that we're going to look at Certainly, this is not a Representation of DEF CON attendees at all like just like you know any subreddit anyone in the world can join up I think it has like 30,000 members So it's definitely not a representation of of you guys here today With the other One second, sorry Had some very important caveats. I wanted to make oh Yeah, sorry, so the people who are up here obviously have their own make their own decisions They have their own threat model their own thresholds of like what they want to reveal online Probably have their own understanding of like how much they have revealed Oh, yeah, and one other thing is on the fly out over here I had a lot more information on these slides about what they what people have posted But I had kind of like a moment of clarity where I was like well, you know If I put up any one thing that they've revealed that kind of reveals everything So I did a lot a lot of blurring on the way over here. So Apologize if it's still too blurry for the kind of blood that you wanted to see But you know people's privacy also in an area like this is is important Anyway, let's get on with it So the first guy or girl The AI hit for email addresses containing first name last name Wanted to see talk about any illegal activity. I asked it to find comments about suffering and also any kind of You know device information or models of modems and things like that So the first person, you know quite a lot of hits here Route a brand model drug use You know, I'm not I'm not here to pass judgment on anyone using drugs or whatever But you know if you are going to post that in an online forum You know with all all kinds of actors looking at you judging whether you're a target And you're going to kind of reveal that there are moments of vulnerability about your about your life That could be it that could be a that could be a valuable data point This person's right into conspiracies, you know very easily manipulated. I would imagine Crypto bro. Yep, and the other thing was yeah So like one thing if you think about like malicious actors trying to trying to contact people or trying to like have it have a Pathway to conversation. They might have to choose between a bunch of like their hobbies or interests You know a short a shortcut or a cheat code to that is like if they're actually like seeking a mentor So this person, you know, not too much here But quite a lot of quite a lot of attack pathways Yeah, so this one this one I do I actually Pulled a lot down because this person was actually posting a fair bit about themselves But this one's going along the lines of like that's the stalker kind of threat So the individuals posted, you know their home location where they live But also, you know, their name age backstory quite a painful past lots of like Experiences of racism and things like that that that an attacker could look kind of used to build rapport But the other thing they mentioned was they're traveling alone to Def Con And was we're going to be at location ABC, you know And if you're you know a female traveling alone and you're going to reveal everything about yourself and your backstory as well as you know Positive ID of what you look like it's quite a lot of stuff for a quite a lot of sort of opportunities for Someone who's trying to you know go after you to to have you know in their back pocket Yeah, this one's interesting one. So this one Chatchapiti hit for weekend activities small towns and use of their first name So it wasn't a lot of things but you know after icon was like triaging through this is kind of like a very efficient and Minimalist kind of pathway to an attack So if you're going to talk about the city or state that you live in particularly this one I think that the population was like under a hundred thousand But also talk about a place of interest that you and your family visit on a frequent basis And finally talk about your vehicle description right down to You know decals and stickers on the back of it if someone you know had that kind of information They wanted to sort of get close to you or get close to your house That's all they would really need To to target you from from a from an individual perspective Yep breed of pet Sure, some of the slides have that kind of stuff in there not just talking about you know Those standard don't do security things like tell people your secret questions But if you're going to talk about your breed of pet Think this is like the French Bulldogs something to do with like every Every pet I've seen and Defconn is French Bulldogs But if you're going to talk about that, you know You're opening yourself up to pretty pretty effective spearfishing and things like that Person's also very open to online comms Yeah, so this guy hit for got a security clearance I live in ex-location and ranks. So this is a military person You know posted to a certain location Revealing their career goals, you know if a tacker is thinking about, you know Everyone has something they want or ever that they're going after if you're gonna reveal your goals That's kind of like an easy kind of offering for you Talk about their career timeline grievances at work military rank and their workplace and their Openness and and they're kind of like approach to authority. So Quite a lot of stuff here. I Realized in America, you guys have a little bit of a different approach to how you how you conceal security clearances and things like that In Australia, it's fairly it's fairly It's very different it's a different approach to how you how you manage your security clearance Yes, so this was this one had quite a fair bit. So I was looking for I found things for gains seniority specific device Specifications and things that they were struggling with So, you know the AI found are quite a lot of things Across these across the post from this person particularly the pet name breed Became a senior manager quite quickly If anyone here is you know just to expound on that a little bit I imagine they're probably people here who work for companies that have you know significant IP that they want to protect Or maybe you want to work one day for companies that have IP. They want to protect You know moving up in management in those in those companies is probably something that an attacker would be looking for if they're trying to Like assess your ability and what kind of stuff you know about that company Yet revealing router brand model. I'm not a hundred percent sure how bad that is you guys will probably tell me Personal demons where they live and also painful past person experience quite a lot of bullying and particularly the number of posts With regards to this was pretty high So, you know in terms of like building rapport and kind of like getting alongside this person I would imagine that you know an advanced attacker would probably have a pretty good chance from from that from that angle and Last but not least. Yeah, this is probably one of my favorites This guy posted one time in the entire 18 years of the subreddit posted one time first name last name at whatever.com and And I just googled that and straight up pictures himself at work ID card You know, I'm not assuming that this is any kind of like high security area and that this is a massive security breach But you know if you only discover to the to the physical village You can probably you can get some information about like just having the picture of the ID card Usually will get you or like if you just create an imitation ID card. That's like a that's like a pretty good Bit of information to have if you're trying to get into a facility. So yeah, don't post don't post pictures of your ID card Yeah, so those individual Target packs only revealed Only revealed small things Individually what five or six different things But I kind of encourage you to kind of think about your own social media And not just your reddit posts, but every other social media that you use And think about whether, you know, you had more than or accumulated measures Accumulated version of those target packs and how much information a person would have if they were to just use something like AI spend a bit of time and create You know create a target pack surrounding you or you know individuals that you love or or colleagues This isn't a real person that's an AI guy But yeah That's the end of the speech. Does anyone have any questions? So did you validate the data that you get it from charge APT? So is it real is the data in the data set or charge APT just imagined it? Sorry, I think I understood your question. They're saying did I validate whether that it was accurate what it was finding versus? Yeah, so as you can as you sort of saw in the some of those slides had like what The output of the search was and like the black terminal kind of section But then I went back on to reddit to kind of spread screenshots make it a bit more a bit more User-friendly in terms of a speech But yeah, I did go back had a look at what it kind of like what the con what the comment was in context And that kind of but you know it just added to the amount of time that I had to spend doing it But yeah that required human human interaction. It was not really possible to just To just have it completely automated And see a question any others Okay, yeah, so the question was what what was the most common leak that you saw over and over again? Yeah, so these were like these are these I you know I chose these because they're like the the best ones up there for kind of like a broad spectrum of things that people were leaking Didn't see a lot of like personal names Like I was saying at the start the Defcon subreddit was actually pretty hard to do like some of the other ones that I was looking at like r slash cringe and r slash NFL like I was just sort of like wanted to see how bad This subreddit was versus other others and it was really good. So it was very difficult to find Much information in there. I know it looks like those few slides there was lots But I probably had something in the realm of like Maybe 20 or 30 which I thought would be would be good starting point and probably yeah There wasn't a lot of like first names a little last names almost zero like addresses actual addresses There was just lots and I think that the PII I think was probably fairly covered by people I think most people understand and not put those kind of like in actual facts about yourself in there But the thing I did see posting over and over again was like Yeah, personal like sort of like own Feelings own mental state. That's the thing. I wanted to mention actually like the mental health slide the mental health I think it was like one of the first or second slides had as someone was discussing their like mental status It's kind of like a really That was a difficult one for me. So I was a bit conflicted about whether to put that up there because you know a lot of people use Talking about that kind of stuff in a in a forum to kind of like help them get through it But you know particularly if you're thinking if you have a heart if you have a if you believe you have a high threat model You know revealing that kind of stuff to the entire world that you are potentially compromised in different areas You know, it does open you up to to being to being manipulated in that way or being attacked in that way But yeah, I can't think of the top of my head apologize What like the most frequent one was maybe yeah, maybe that's a good thing to do next It's kind of like work. Yeah, where the where the worst where the worst leaks are happening. Thanks, sir I had a question about like fact-checking So especially on reddit sometimes people like to role play as different things in different subreddits And you'll see people on one forum saying oh, I'm a software engineer in a different thread They'll say oh, I'm an auto mechanic and they might not be either, but they want to participate in these threads Is there a way that you've kind of vetted information sharing as face fake or true information Yeah, that's a good question. So Sort of manually like manually what people will do if they're like if they're calling bullshit on a person They'll just sort of go to the user and look at all the other look at all the other posts that they're in and go through Do it using this to do it I would imagine that we pretty easy like, you know I was only distilled down to that Defcon subreddit so the data it was on that So the the prompt was only focused directly on that text file But if you were to compile a bunch of you know, when you download that torrent it was just like which Which you know, it's like one and a half terabyte. It wasn't gonna download at all I just downloaded the ones that I wanted to but if you I'd imagine this would be how I would go about it again Not a big not a data guy, but this is how I would do it go to the person find all the ones that they're in and Yeah, go get that text file put it all together and then ask it questions about Things like job things like experience and and you know from the results I got it is fairly capable in doing that and looking through and finding examples of that kind of stuff, but yeah, not I didn't I didn't actually do it, but thanks. Yeah, I Was wondering When you found yourself moving from Reddit to other platforms Do you could you rank the platforms? Which ones people share the most information about themselves on? Okay, yeah, so I didn't search through discord or for all the forums Just because discord hates being scraped and and the forums I didn't actually find that much, you know actual information in there So, yeah No, yeah, thanks All right, I've been given a couple of minutes morning wrap up if there's any one or two questions left Otherwise, thanks very much be an awesome audience