I was actually quite looking forward to moderating this talk because, OPSEC aside, I have to admit, I know Claudio quite well, and why is that? Because we share a co-working space. And the third tenant is a drum set. And this is important to know for the little story I tell now. I almost, I always notice when he does his work breaks because first he reads Twitter for 10 minutes, then he gets triggered. And the next thing I know is a 45-minute drum solo in Norwegian death metal. And I don't know how many of you are familiar with Gorgoroth. Yeah, but that's not always pleasant. And I noticed something changed during the last few weeks. And I wondered what happened. And part of the explanation for this is this talk. And so if you discourage Claudio with this new project, then the drum solos during work hours start again. And I would beg you, please don't do that. But welcome him with a big round of applause. Claudio Guarnieri, security researcher with Amnesty International, and fellow at the Citizen Lab.
Well, hello, everybody. So firstly, I have to say I'm a bit sick, so my voice isn't that great. So please bear with me. Secondly, usual disclaimer, everything that I'm going to say today is purely just my opinion. It does not represent any of the opinions of my employer or any of the organizations that I work with. I'm going to rant a little today. And actually, it's the first time that I give a non-technical talk. And that kind of scares me a little. But I hope it's going to make sense. So this is going to be a reflection on the last few years of my experience. I'm a security researcher by training and by profession. And the last few years I worked specifically with human rights organizations and journalistic organizations and civil society in general, assisting on security issues. And I've learned a lot of things, especially coming from a more corporate security background.
So computer systems were destined for a global cultural and economic revolution, I think, that our community, the hacker community, anticipated a long time ago. And we saw that potential and we saw it coming early on. And while we enjoyed that little time of good times of reckless banditry online and playing, as the Hackers movie teaches, the cowboys of the early internet connected age, we also soon welcomed the global realization that we were right all along, that technology was going to become predominant in society, and that information technology was going to change everything and computer security in particular was going to be critical. And with that we embraced the legitimization of our culture and with that also the monetization of our skills. And now the internet basically governs our lives. What's interesting is that the moral principles of our subculture, our counterculture as some people say, that was traditionally subversive and anti-authoritarian, have changed radically and have been increasingly diluted with vested interests. And the traditional distrust for the state is only meaningfully visible in some corners of our community, and this one being one of them. For the most part, at least the most visible one I would say, the security community, but the industry really in particular (and I make that distinction quite often throughout this speech), is enjoying the six-figure salaries, the luxury suites in Las Vegas, the media attention, and the business class traveling and all of that. And what concerns me is that with hackers having moved through their professional lives and their careers and working for many different sides of society and across the entire political spectrum, now it's becoming really difficult to identify shared values among ourselves in this larger community. And what is to say is also that the internet morphed with us. It changed with us too. Once it was kind of an unexplored space that we were wandering in solitude.
And now it's become a marketplace for goods. It has become the primary vehicle of global communication. It has become the place to share cats and memes and porn and news. And also, thankfully enough, an unprecedented platform for intellectual liberation, organization, mobilization, and so on. And that's all great. However, to quote Kevin Kelly, there is no powerfully constructive technology that is also not powerfully destructive in another direction, just as there is no great idea that cannot be greatly perverted for great harm. And indeed, an invention or idea is not really tremendous unless it can be tremendously abused. And this should be the first law of technological expectation. The greater the promise of a new technology, the greater is the potential for harm as well. And sure enough, we soon observed that same technology, the internet and everything that we built over the decades that we consider a technology of liberation and self-determination, we discovered it being turned into a tool for repression as well, and it was inevitable. There is never significant technological imbalance between states and their citizens. And as billions of dollars are poured into systems of surveillance, both passive and active, it might not just be by the United States, but really by any government that is wealthy enough to do so. Credible defense is really either lagging behind or remaining inaccessible, and generally only available to corporations and businesses with deep enough pockets. And the few ambitious free software projects that we have attempting to change things radically are often faced with rather unsustainable funding models, which rarely will last long enough to grow these projects to maturity. And I think this is a big issue that we need to face really soon. And nation states are very aware of this imbalance, of this technological imbalance, and use it to their own advantage, of course.
We've learned through the years that technology is regularly used to curb dissent, to censor information, to identify and monitor people, especially those engaging in political struggles and societal struggles. And we saw some examples of it that are very well known. We saw the relentless attacks against journalists in Ethiopia. We saw the crushing of protest movements in Bahrain, the hounding and hunting of dissidents in Iran, and the tragedy that then became of Syria. And all of this complemented with electronic surveillance and censorship. And it is not a hyperbole anymore to say that people are getting arrested for a tweet. It just happens more and more every day. And anybody who negates these realities is just either misguiding or misguided. And all of these cases that we observed and we learned of over the years remind me not only that oppressive technology can be used to silence people, but that we also take for granted access to simple defensive technology or technology in general, when in countries like Morocco, Egypt, the Emirates, and many others, even simply access to encryption or the use of encryption is normally forbidden by default. And that in other parts of the world, even basic communication platforms are regularly blocked and at times even entire access to internet connections is shut down for the entire nation. And we should be outraged and loud against it. I don't think we are enough. So security can no longer be a privilege or a commodity in the hands of those few who can afford it. Those who face imprisonment and violence in the pursuit of justice and democracy cannot succeed if they don't communicate securely as well as remain safe online. And I think that's a lesson that we have learned already. Security has to become a right. It has to be exercised and protected. It is the precondition for privacy, which is the key enabler for freedom of expression, which is a requirement for a healthy democracy.
And while the security industry is becoming increasingly dependent, both financially and politically, on the national security and defense sector, I think we find ourselves in a renewed need for a structured social and political engagement from the hacker community. And geeks like us often do not get along very well with ethics and politics, I have to say, until eventually they've grown enough maturity, I think, to recognize the implications and the social responsibility we have as technologists. And some of us get there sooner, some of them get there later. Some of us just never will. But having social consciousness is often, I think, even cause of ridicule among techies. And that's unbearable. You can experience this exclusion when you become outspoken on matters that the larger security community deems stranger to the competences, and you start seeing others becoming patronizing and condescending to you. Fortunately, not here, not at Congress. But I'm sure many of you experienced the same just as I did elsewhere in other parts. And you shouldn't let that intimidate you. We need to recognize the privilege we have as educated professionals and technicians, the advantage we have with our understanding of the many phases of technology, and realize that we cannot abdicate that responsibility of upholding human rights in a modern connected society, especially the way it keep acting as its gatekeepers. And be it creating or contributing to free software or helping someone in need or pushing internet corporations into being more respectful to users' privacy, dedicating your time and abilities to the benefit of society is concretely a political choice. And you should embrace that with consciousness and pride. The fact is that there is a very prominent human rights culture and narrative in the crypto community. But there is very little of that in the security community and especially in the industry. I don't really know why, but that definitely needs to change.
It is time to start asking ourselves, what is it that we're working for and what is it that we're working towards in our lives? I think we need to start to think and formalize the idea of security activism, parallel to privacy activism and human rights activism, all of these forms of engagement in society that we already practice. And we do have the means and hopefully also the will to do that. But we also face a lot of challenges in this and we need to rethink the strategies and reconsider the tactics that we employ. And I thought a lot about this, and in traditional activism there is a predominant concept, which is the concept of bearing witness. This is the practice of observing and documenting a wrongdoing without interfering directly, with the assumption that exposing it to the world might be sufficient enough to prevent it in the future from happening again as a result of the public outcry and the public attention. And it is viewed as a powerful tactic and quite often also the only available or meaningful tactic. This wasn't always the case. In activist movements, the shifts of tactics are generally witnessed in reaction to the growth, the legitimization, the structuralizing of these movements themselves, which have to conform to the norms of society and of acceptable behavior. And similarly, as we security researchers and technologists and privacy activists conform too, we also bear witness in some way. We observe, we document, we report on the abuses of technology in a way that I believe is a powerful play in that economic tension that exists between offense and defense. Be it a journalist's electronic communication intercepted or computer compromised or the censorship of websites or the blocking of messaging systems that we see pretty much every week, the exposure of technology that is being used to empower such repressions increments the cost of their development and their operation. That is a meaningful tactic.
As they are detected, defeated, circumvented and consequently necessarily re-engineered and redeployed, this process costs money and time. And exposure can effectively become a way to curb their indiscriminate adoption and become basically an act of oversight in some way by showing that there is competent people watching out and that abuses won't go unnoticed. Hacking Team and FinFisher and all of these cases are a great example of that. There are cases where operations of companies producing spyware or other technologies of sorts and their sales to governments around the world were more effectively understood and studied and scrutinized as a result of the public attention derived from a bunch of geeks like us and the researchers tracking and repeatedly exposing the abuses perpetrated through the use of such technology. And then we have cases where Phineas Fisher arrives and hacks the companies and leaks all the emails and documents and quite frankly outplays us all. However, there is one fundamental flaw in the bearing witness we practice. It is a strategy that requires accountability in order to be effective. It implies that a perpetrator of this wrongdoer is identifiable and pressureable. And it requires you basically to just name and shame people and organizations and states and institutions. And none of these properties are often available to us in the digital world, right? The internet provides abusers plausible deniability and unaccountability quite often. So it makes it close to impossible to identify the abusers in the first place in any meaningful way, I mean, recently we've seen a shift of that, but let alone name and shame them effectively. And in our society, bombarded with information and increasingly exposed through the media to the risks and the breaches that happen almost daily, the few stories we are able to tell on repression of dissent and citizens are becoming repetitive and boring.
After all, in front of the majesty of the Mirai DDoS attacks and entire countries being shut down off the internet apparently, and the hundreds of millions of online accounts compromised every other week, even in front of the massive spying infrastructure of the Five Eyes and so on, what is in the eyes of the public an activist from the Middle East or some other part of the world that is unknown to most and is compromised with a crappy trojan that has been bought off the internet for 25 bucks? That is not an interesting story. So we need to stop and take a deep breath and look at the world around us and see if we're missing the big picture. So a little bit of puppies to lift your spirits and for me to drink some water, wonderful. So firstly, we need to stop thinking that the most interesting or flamboyant research is the most important one. And when companies like NSO or Hacking Team or FinFisher, you know, the most well-known examples, are found involving violation of human rights of sorts, it makes for a hell of a media story, you know. And sometimes research that I worked on and I co-authored landed on front pages of printed major international newspapers, and I find that a bit ridiculous to be honest. But it's great in some way, but the truth is that despite how legally and politically important these cases are, and it's great to expose them and bring them to the public attention as we have done in the last years, those cases are also exceptions, you know. They're not particularly representative in fact of what is the reality of the use of technology as a tool for repression by most states. And for one dissident found targeted with sophisticated commercial spyware produced by a European company or American company or whatever, there are hundreds more who are infected with free to download, poorly written trojans which, you know, would make any security researcher yawn and get bored immediately. But it is sort of equal attention in some way.
And what I've learned over the years in working in this field is that fighting this illegitimate hacking and, you know, intrusion of journalists and dissidents is a never ending cat and mouse game for us, but it's also a rather technically boring one. However, once you grow out of the boredom at the sight of yet another DarkComet or BlackShades RAT or a four-year-old Microsoft Office exploit, then you start understanding the true value of this work, which is that it's less technical and it's more human. And it is not about the next hack of the next unusual device or vehicle, as it is not about ourselves or our profiles or our careers. And too often we observe a toxic celebrity culture in the hacker and the security communities, emphasized also obviously by the aggrandizing bias of the media that too often looks for the story of the renegade hacker, and too often we indulge into that. And often at the expense of the victims of oppressive technologies who really struggle and mostly remain unheard and unknown to most people. So we need to grow some humility and start containing our egos, I think. The challenges are many. And I spent the last few years, as I said, kind of offering my expertise and my modest skills to the human rights community. And while I have to say that it's greatly satisfying in a way that I didn't find as much satisfying in previous corporate work, it is also a mastodontic struggle, really. You know, securing a global civil society is a road filled with obstacles and complication. And while on the one hand it can provide really interesting and unprecedented challenges for our problem-solving minds as hackers, it also comes with the role of knowing that lives are at stake and really that it's not just some intellectual property or some profit or some couple of boxes, blinking boxes on a shelf being at stake.
So how do you secure a distributed, dissimilar and diverse network of people who face different risks, different adversaries and operate in different places with different technologies and different services? It's a topological nightmare. And while we, the security community at large, I don't mean just we in this room, secure corporations and organizations with proper modeling, you know, by uniforming and tightening the technology that is being adopted and by watching closely for anomalies in that model, what we, the handful of technologists that are working in the human rights field, often can do is only recommend a stock software or another, hoping that it's not going to fail that person that we are helping, quote unquote. So I've recently traveled to a West African country to meet some local journalists and activists, and as per annual in my checklist of things to preach around, I suggested to one to encrypt his phone as you normally would. And later in the night as we meet for dinner, he comes into place and he starts waving his phone at me, and the display showed that his Android phone had failed the encryption process. Despite having followed all of the appropriate and necessary steps, it corrupted all of the data on it. And the person looked at me and said, I'm never going to encrypt anything ever again. So sometimes the technology we advocate is inadequate. Sometimes it isn't accessible or just too expensive. Sometimes it just simply fails. And we can't expect the world to fix itself just by making some tools available despite how vital they are. And so that brings me to the second reflection, which is that we need to become more engaged. So we need to become an integral part of the social struggles and movements that are very much needed in this world right now. And so my suggestion too is to find a cause and assist others.
And be it a local environmental organization campaigning against fracking or a citizen journalist group exposing corruption locally or a global human rights organization fighting injustice or even just assisting in the policymaking field, your help might make a significant impact, much more there where our expertise is so much lacking. And Congress, with this space we have, has so much to give in that. And rather than lamenting a lack of technical content, as I often read in here, we should welcome with open arms all of the different voices that enable us for at least that one time a year to hear about what else goes on in the other corners of society. Thank you. It is that one opportunity to learn more about ethics and politics, on which very little we actually know of and actually very little we learn in our education, technical education. And perhaps today or tomorrow you will learn or hear about some cause or some projects that you might decide to contribute to, and that's already a success. Then we have Twitter, our Twitter filter bubble, and the rest of the year think about exploits and malware analysis and programming and all of this stuff. I think that it's important to recognize. But we can do more, we can organize. The problem is that civil society, which is what I deeply care of, suffers a fundamental lack of visibility but also understanding of the threats it faces in this digital sphere because of a lack of internal expertise, and the financial inability to access technology and solutions that are instead available to the corporate world certainly isn't making things any easier. And the fact of the matter is that regular users are no longer consumers of security, let alone dissidents or journalists. We need to approach this problem differently. I recognize that civil society isn't going to secure itself.
Hackers are in such high demand, and also so highly remunerated, I have to say, in the private sector (I guess you guys know that), that I believe that civil society and the nonprofit sector in general have very little chances to build an adequate internal expertise. It seems just an impossible struggle. And not many would abandon their career to follow this path really, and those that could or those that would want to probably even can't. So what if we reverse this and what if we create a place for technicians to gather, organize and work collectively on a volunteer basis to provide at least some assistance to civil society? And that's where I'm getting at. So we need to flip this game. And this is one attempt of doing so. Security Without Borders is a project that I have the pleasure to announce here. And it is an open collective of hackers and security professionals who volunteer with assisting journalists, human rights defenders and nonprofit organizations with security issues. We already gathered a number of people, be it penetration testers, malware analysts, engineers, researchers, and I invite all of you to join in some way. We want to create a structure able to assist voluntarily with penetration tests, incident response, malware analysis, as well as we're able to build tools, write newsletters and make all of those missing components that will make civil society a lot stronger. And it's still very much an experiment that will grow obviously and change and adapt as people participate. But the idea is to reverse this problem and make sure that if we aggregate enough number of people that can dedicate even one hour a week, we'll have enough manpower to actually solve a lot of issues that are remaining unsolved right now. So it is still an experiment, but I do believe however that if we come together and through a coordinated effort of solidarity and volunteering we can perhaps make those changes in society that are very much needed.
And this time not for fortune and fame but for that greater good that we all deep down aspire to. And with that I thank you all, and you can go on the website right now to find some more details and find ways to reach out and get in contact with us. Thank you.
Thank you very much for the talk about equal firepower. We have plenty of time for questions, so if there are questions you can line up on that mic and on that mic, and in the meantime do we have questions from the internet? Signal Angel, okay. Okay, so if that's that, I'm sure that Claudio can be approached aside the stage and I wish you a good time so far. Thank you.