 Hi everyone, as monkey mentioned, I've been here before. I think this is my fifth time presenting here at DEF CON and I'm pretty excited to be back. I'm getting to see some friends. I haven't seen it a long time. It's been about eight years since I've been to DEF CON, but I've been coming since 1999. If you can figure out then how old I am, which means it was a long time ago. But I continue coming back because I really love this crowd and I love the skill set you all have because I know the kind of amazing work you do. And I'm gonna talk to you about some stuff we're doing at UC Berkeley and also with a fantastic nonprofit. So before I start the slides, I met Austin at Shmucon and he got up and gave this really great presentation. I'm not lying, it was good. And it was enough to say, well, I'm one of the volunteer for him, for his nonprofit, what he's doing. So he's combating human trafficking using skill sets that you all have. Intel analysts, if you are a red team type of person, the way that you solve problems we know is extraordinary. And we'd like to talk to you about some stuff that we do both at UC Berkeley and his nonprofit. So let me get started. Yes, we're gonna be talking about subverting authoritarian regimes and getting to some of the organizers of human trafficking and some of the organizers of, I'll show you. We have some interesting clients we've had at UC Berkeley's Citizen Clinic. Now a lot of you might have heard about Citizen Lab in Toronto, we are different at UC Berkeley. What we do is we take, I'll go through the slides and I'll show you a little bit more about it, but we take nonprofits that are high risk and I'll explain to you what that means. And when I took over the class about three years ago, I kind of upped the high risk that we take. I'm not sure Berkeley's always happy about that in a sense, but we have done some work for very brave nonprofits to help the directors and the volunteers continue to do the work that they do because for most of our nonprofits, security is not their thing. It is ours. So we step in and kind of take that burden off of them so they can get back to doing stuff that matters and make big changes. So this is me. Last time I was up here on the stage, I was talking about hacking industrial control systems. In fact, Dora the SCADA Explorer is here in the audience today. So we did some SCADA hacking, but I do mostly car hacking work. In fact, my day job and work for Berkeley as a part-time instructor is I do contract work, sometimes for automobile manufacturers, sometimes for the U.S. government. I do car hacking and I started doing a lot of that here at DEF CON. And so Austin, do you wanna come up and talk about your background? No, okay, well, this is Austin. Awesome Austin, there we go. Maybe we can call him that for the weekend. But he started this nonprofit and I cared so much about what I heard. I'm like, I can volunteer for this to you. I have time to do this and I was glad to. So what is civil cyber defense? It's the first bit of the title in our very long title that we have here at DEF CON. And this is what it is. And this term was actually coined by Craig Newmark. Craig Newmark was, he started Craig's List. And Craig has been giving donations to organizations and nonprofits such as the Center for Long Term Cyber Security at Berkeley. They fund my class and he funds them. There are other places around the country and I'm gonna reference another one that he funds which is in New York, it's Columbia School of Journalism White Institute. And I'll tell you about a case that they have going on that's tangentially related to something I'm gonna tell you about that we saw too. So as I mentioned, citizen clinics different than citizen lab. We don't do forensics, but when we do find stuff that's interesting and I'll show you something in here that is, we give them a call. But we are looking for people to volunteer and I'll get to that too, that have that type of background. So what we do is we do defense for these organizations. So this is how it goes. So if you were a student at UC Berkeley and some of you are in here, and I know you are that have taken my class, I teach two there. When is Chris Hoofnagle's class and he is here today as well. And that's an introduction to cybersecurity. And this is in the MICS program at UC Berkeley. And it's a graduate program for cybersecurity and it's all remote. So I'm from the DC area and I've only been to Berkeley's campus once in three years. It's a really good program for cybersecurity and it's a lot of fun. And the other class I teach is the one I'm talking about here too. I take two clients per semester for citizen clinic and I only like to take 14 students into my class. And I do not just pick cybersecurity background students from the MICS program which is the master's program for cybersecurity. We've had journalists, we've had statisticians, we've had people from the information sciences school because sometimes we have a lot of data to go through and they're really good at doing that. Maybe even more so than some of us in cybersecurity. So I take students from all across the university and not just graduate students. I have about one or two undergraduate students I let into my class every semester too. So what I do is I break the class in half, seven on one team, seven on the other. Some students of mine, maybe they have a security clearance and my high risk client is a little bit too much. It would be a lot of work for them to do reporting and stuff. So they choose a lower risk but still a client that has had a need, they have faced threats and that as a client usually is domestic. So it's someone in California perhaps has a nonprofit and it's for many different topics and we choose one domestic and international. And so the first six weeks of the class because I have students who don't do cybersecurity they don't know what tour is, things like that. We love Google and I'm gonna tell you why I love Google in a few slides next but we got them off of Google for doing searches for clients because we teach them how to hide online. It's very important for the protection of our clients and also for their safety. So I teach the first six weeks and I put them into sort of a crash course is here's how you hide online and you cannot please do not. I usually say do not make one mistake one time your alias is gonna be blown if you just hop onto Google and start doing some research. So with all of our clients it's not quite this high risk but I want these students to know what it's like in case they ever do take some jobs where you do have to work in the dark web using aliases. None of the clients know the names of my students and they don't know what they look like either and we don't use Zoom. We do for our classes but not for meeting with the clients. The reason for that is we're assuming that most of our clients have already been compromised. So we're making sure the students protect themselves because you see some of the clients we take are they're taking on organized crime and they're taking on governments that are adversarial to democratic interests. So first six weeks they do that. So second six weeks I run it like a company. So I'm the CEO. I will manage every bit of the project they do. I'm not gonna micromanage but I do watch to see if they're making recommendations because ultimately when that final report goes out it's a representation of me my professional license is in Berkeley. So the second six weeks they meet with the client and it's like running a company and we put out a work product at the end. So as I mentioned we use high security procedures. So I've done this kind of work in the past with research. I've worked for a lot of companies where I gotta teach students how to use a VPN and I'll show you the tools that we use in another slide but that's one of the basic things is teaching them how to do that and as many, most of the tools we use because we do have a modest budget as well. We're a 501c3 as well at the Center for Long Term and Cyber Security. So sometimes the super expensive awesome tools you all use for the companies and develop for the companies you work for we can't quite afford. So we do the best with what we have. So I gave this presentation a couple of days ago and someone came up and said, why are you using that VPN? And I'm like, it's what we can afford right now and it's the best we can do with what we have and this is the kind of mindset the students some of them come from big companies some of them are at sea levels for big cybersecurity companies coming to get their master's degrees. They feel a little uncomfortable at first but if you're gonna do work for a non-profit one of the things that's respectful for us to do is say, hey, what's your budget? We need to work within that and we do it citizen clinic as well. We have a budget too. So I have strict NDAs. If my students break any of them I just kick them out of the class. My students here from Berkeley today can attest to this that the first class I kind of scared them a little bit with the NDA because I wrote it and it's pretty important to make sure that we protect again the client. Not all clients are like Austin's non-profit many don't want ever to be known that Berkeley helped them. Again, it's another vulnerability to know where the researchers or the cyber defense came from so some clients don't want to be associated with Berkeley. So students can't ever talk about that. They can say we had a non-profit we worked with in El Salvador, great let's keep it broad so we don't want them being identified if they don't want to and here's why. So I got a call in the middle of night and someone went from my class I give up my phone number for emergency purposes and they're like hey our client just said they have Pegasus on their phones and I'm like no way for a non-profit this size they don't have a big budget that can't be right. Who'd you hear it from? The non-profit and they said who'd the non-profit hear it from? Well from Apple. I'm like okay let's take a look at those emails and in fact it was legit. This was surprising to see because for those of you who don't know what Pegasus is it's a very expensive surveillance tool and it's supposed to only operate on phones and that are not with a plus one like US country code. I won't comment on that but it's interesting to see this on our non-profits, the director's phones and it was kind of concerning. So we did what we could to preserve the evidence in case there was a very future case coming up so my students got to learn about that chain of custody. So it was an interesting experience but it was kind of eye-opening to the students like if we'd blown our alias if our image had been shown yeah you guys would all be in Pegasus and I know I was, I'm up here talking about work I do. It's just part of the job but not for my students so they were protected but there is a similar lawsuit we did not, Berkeley did not join this lawsuit but it is against NSO group. There are a couple going on I believe Apple has one against NSO and also Columbia University's Knights Institute. Also funded by Craig Muir by the way puts some grant money there. They are pursuing this against NSO to their journalist from El Faro around the same time that our client in El Salvador was got this infection so did the journalists and what our client did is they were helping people escape organized crime in El Salvador so they were helping them migrate out of the country or hide in the country in safe houses. So you can see how it was pretty serious when we heard about this because the kind of work we do at Citizen Clinic people's lives are on the line and I'm gonna show you there's another example I have for some of the clients we've had without naming who they are but again I take students from all of these I haven't yet had one from law in Berkeley but I'm hoping and I would love any attorneys in the audience to come help me with some of that work if you're able to volunteer I'll talk to more about the volunteering in a minute but okay so I also am intending this video perhaps will be watched by some people that are gonna start clinics in the future and some universities you do it all okay so if you are the instructor for this you are starting up a company with contracts, insurance all that stuff that isn't as fun but is super important you also need to know stuff about PCI DSS these are things that we've come across I won't read through all this but you need to also keep an eye on all of this like you're managing the company you're helping clients from the past that you've worked with the Citizen Clinic I do that, I keep contact with clients in the past like how are you doing, have you had any incidences managing the clients that are current and then looking to get new clients for the future part of what I'm up here doing too is if they're nonprofits that are high risk and would like some help contact us at Citizen Clinic at UC Berkeley so you're managing all the students sometimes they don't all get along so you're trying to do an HR stuff as well but language translation is a big thing when we put out a final work product if it's all in English that's not gonna be so useful for clients that need it for example in Cambodian in the camera so these are some of the things that you gotta manage so you run a company with 100% turnover every four months so it's a lot of fun it's a lot of work it is not at all like teaching another university class but it is so rewarding that's why I'm up here talking about it that I've taught in the university setting for 19 years and I've never had a class this exciting, this dynamic and that takes us many hours there's some weeks where I spend 20 hours on Citizen Clinic work but I love it so here's some of the tools we use and I know you're not gonna see this in the back in particular I try to get as much in here I was asking my students like am I forgetting anything this is just the start of a list that we didn't really have a list and we put it all together but we do all kinds of research online too as you can imagine we also make sure that if the students are communicating we use stuff like Signal like we know we're not a big fan of WhatsApp but we tell our clients that too please use Signal so these are some of the recommendations and if you're thinking the recommendations we give for our clients are super technical they're not this is stuff that the term is kind of I don't really love this term but it's cyber hygiene it's basic stuff use a password safe this is some of the consulting we have to do others gets a lot more technical such as actually taking a look at for example what's on people's phones if their phones have been compromised but generally a lot of the work we do is very general and teaching the students this stuff too in particular ones that are not in cyber security is very important here's just some of the clients that we've had and I'm gonna go through this really quickly some of the interesting ones that were really important to me that I really enjoyed working with is there were migrants coming over on boats from Africa and the Middle East and they were landing in Greece and they were put into migrant tent cities and in particular women and children that have gone through that process a lot of them were survivors of sexual assault and there was a healthcare provider both psychological care and healthcare in the migrant tent city in Greece the problem was is that there were American psychologists volunteering using their own laptops and that was medical information that was being collected by some physicians it was not being protected as it needed to so we had to do some HIPAA and GDPR because it touched some servers in Europe as well so that was a very interesting client that we had with that there are others in here if you work in physical security have you ever had to secure a tent? We did so one of our clients had a tent in Tijuana and one of the last weeks we were working with them they called me up and they said we just found GPS tracking units on our vehicles and these are two women who are American attorneys that are down there taking business from the coyotes and from which means also from organized crime and they're helping people through the legal migration process really amazing work they're doing someone wanted to know where they lived and where they went after working in the tent in Tijuana so we we helped to try to figure out track where that GPS came from we didn't have a lot of time to do that we had pictures of it and that's about it but we were securing how their documents were stored because some of that was HIPAA too they were also taking records, medical records from in particular women and children that were victims of sexual assault as part of their migration process to the border and that is being used to create some of their case files for the refugee status so we were doing all kinds of stuff that's not just cybersecurity I think you can see now why I accept a broad variety of students from the university so here's some examples we recently had one also in Cambodia they are an organization that are working to for democratic government if you know a lot about Cambodia's history they've had an authoritarian regime for a long time and just as we were finishing up with them they said that someone in their organization not a director but one of their volunteers had been arrested and this is difficult to hear because it's nothing we can help with but we knew that someone who had been on some of the meetings was being held in detention because he was not supporting the current president so again the work we do is hard it's very exciting and as I mentioned I love it if you do this kind of work you're gonna love it too let me tell you about some opportunities that you can do are you here from academia? if you are come find me at this conference because I wanna talk to you there is a grant process that's out there and Google has a very generous fund so and I'll tell you about what that is but well here it is actually it's on this slide about one million dollars is gonna be given to clinics that go through an application process and I think about maybe half a dozen or no actually it's more like a dozen are gonna be chosen to receive this grant but you gotta be a university to apply for these grants I believe and the consortium for cybersecurity clinics at UC Berkeley is sort of organizing this process but the grant comes from Google so we are very appreciative of that that is also some of that funding is gonna come to citizen clinics so we can buy some more tools and it's wonderful these are the clinics that exist in the United States right now not that many yet right? I feel like we can do better, we can get some more so let's do that if you wanna start a clinic, contact me here and I know this is a large URL and I realize you can't click on it online because you have a PDF but I have a form that you can fill out and I'll get you to who you need to talk to in the consortium that we have at Berkeley if you wanna start one and now let me introduce Austin to come talk about his nonprofit and why they're gonna be our client at Citizen Clinic in the fall come on up Austin. Good morning. So Tiffany didn't mention that I absolutely hate public speaking and at Black Hat there was these nice bright lights so I couldn't see anybody with the first row and there's a lot of you in here so thanks for coming. All right so I started this organization back in January, I've been in the business for about 10 years. An operation that we had last year was we rescued 83 girls from Dominican Republic that were Venezuelan and Colombian. That sounds really great but the reality 83 girls just gets replaced within a matter of weeks. The bad guys figure out our TTPs or tactics and techniques of how we found them and they just adjust fire and move so just the whole cycle starts over. So I said we've got to do better as an industry A to Z this industry is not doing what it should be doing and law enforcement and the government are really handcuffed. They don't have the resources and the funding so nonprofits are really stepping in and kind of offering some of what to local law enforcement and international law enforcement organizations what they don't have, sorry somebody's calling. So this is our mission is to identify, map and disrupt transnational human trafficking networks with a nexus to the United States. And the reason that we want a nexus to the United States is because in a lot of these countries you can't get some sort of prosecution or some sort of civil action against the bad guys, right? So we try to draw that back to the United States so that law enforcement or prosecutor's office or international organizations like the UN or the Organization of American States can take some sort of sanction action against people that are trafficking human beings. These are some of our partners some important ones to point out they're Skoll games, they are doing fantastic work. It's a group of former special operations guys that just kind of gamified hunting traffickers, right? And the next game is in October. So I definitely recommend you guys go and check out what they're doing. Another one is collective liberty and then all of these folks here have you see Berkeley's up there. All of these folks here have done something to support us or give us tools or hackers for charity. This guy in the front row here with the blue shirt. He's from hackers for charity. My organization would not exist without him. So definitely come see them over at the vendor section. They're near the pineapple. This is the fastest growing global crime, right? It is bypassed arms trafficking. It is bypassed. I would say there's probably enough to say that it's bypassed drugs at this point narcotics trafficking. But you know all the data out there is guesses at best, right? There's nobody, these bad guys, they're not submitting 990s or annual reports that we can pull up online. But I think the evidence exists and this is some of the numbers, right? 28 million victims in the category of labor trafficking which covers organ harvesting, sex trafficking, so on and so forth, right? 12% growth since 2016. That is about the equivalent of the entire population of DC has been enslaved and that is the right term to use. They've been enslaved since 2016, right? And that's just growing larger and larger every single year. So this is our strategy. We identify, map and disrupt. We look at patterns in a specific area, whatever that may be. And I'll talk about one of our operations in a minute but we look at all the data points. We try to put them together and we find those trends and those patterns. Once we've identified that there is some type of network, we try to map it end to end. And then we work with a separate team to come up with strategies to disrupt it. So there's an old Harvard method of quantifying and disrupting. That's what we try to use. These are some of our metrics of how we identify success. You're gonna go to a ton of the websites out there for organizations and they say, oh, we saved 10 billion people this year. We rescued, blah, blah, blah. You're never gonna see that clicker on my website because I think it just kind of re-victimizes victims. We don't work with law enforcement that arrests prostitutes, right? I just don't think that it's productive to arrest. It's kind of like putting a bunch of drug addicts in prison, doesn't really make sense. But we look at how do we, how many target packages have we sent over to law enforcement? How many networks have we mapped? How many of victims have we identified and pushed into programs that will help them get out of this lifestyle? And then arrest and prosecutions, right? So these are two of our projects, Operation West Keg, which is kind of a larger project and then we have smaller projects underneath. That's essentially looking at networks operating within the state of Texas that have a nexus to somewhere outside of Texas, whether it be internationally or not. Ideally, we want to map from Houston down to Peru and Guatemala and find where those networks are. Because if you can't shut down the organizations themselves, the next best thing is to shut down the supply networks, right? And then Project Key. Actually, Project Key is this guy right here with the camera waving. He came up with a great idea that, he's one of our analysts, he came up with a great idea of getting the word out about extortion. And if people aren't familiar with what extortion is, it's one of the biggest issues that our teenagers are dealing with in the United States. They're using, over social media, they'll be using the lover boy tactics. And most of the time, it's just a sock puppet account that they're getting young girls and young boys fall in love with this anonymous person. And then getting them to send sexual photos of them naked and then extorting them for. You know, I think as of today, there's been like 12 kids that have killed themselves over this. So it's a really big issue. And go to the website and take a look at both of these if you're interested in more information on this. This is Houston for Operation West Keg. We looked at everything from Yelp data to just everything and made a heat map. And this is what we're looking at now of all of these commercial industries or these commercial enterprises that are networked together, whether it be money laundering or any variety of any other issues. I think that was quicker than last time. Sorry. So I'm gonna hand it back over to Tiffany and she's gonna tell you about one thing. This email is not working. So just Austin at Traverse Project. Just take my last name out of it. Yeah, that was my mistake. So, um. Okay, so I can pick them, right? So this is one of the nonprofits. I was like, I wanna show what we, the type of clients we have at UC Berkeley in the Citizen Clinic. And we're so excited to work with Austin this fall, which brings me to another thing is we're here to talk about what you can do if you wanna get involved in these topics to do some things with your skill set. So I know many of you work for organizations where you get one to two weeks off of paid time off for volunteering. Citizen Clinic via Center for Long-Term Cybersecurity is a nonprofit 501c3 and so are they. So if you have time, they would love to have some volunteers. They're looking for volunteers that perhaps have intel analyst skills. Well actually, anyone who's interested in helping out, even if you're in marketing or sales, getting word out about what they do is what they're looking for. At UC Berkeley for Citizen Clinic, we're looking for subject matter experts. Can you come and guess lecture for our class? Can you volunteer? You may not know the name of the client, depending on how the client wants the NDAs to be created, but know that if we pick them, they're awesome like Austin's nonprofit, but they may not want you to know their identity, but they do have some problems that some of you have the skill sets to solve. So we'd very much like to have some volunteers. So if you're interested, you can contact us here at Citizen Clinic as well, and we're creating a list. So I'm gonna send you a Google form, then on the Google form, you're gonna have, there's gonna be some information about what would you like to do, how much time do you have to volunteer? Do you wanna come guess lecture? So I'm gonna tell you just a brief story. I was at Black Hat with Austin doing the same presentation two, a couple of days ago. And after the presentations, someone came up to us and he said, he might be here today. I'm not gonna name him, but he said, I helped write Pegasus. And I'm like, oh, okay. Thank you for coming to our talk. I wasn't quite sure what to say. And he said, I'd like to help volunteer. I'd like to talk to your students about how Pegasus was created. This is obviously public knowledge. Now how the exploits were written. And I'd like to volunteer my time to do some work for the clients that you have at Citizen Clinic. Hearing that was one of these things like, all those long hours and like our classes for me on the East Coast, classes around West Coast time go to midnight for me. After working all day and I do classes all night, it was like one of these things that if I had one of the developers for Pegasus coming to volunteer, I'm like, that's great. I feel like it's my work has been done in a way. So you don't have to be a creator of Pegasus to come volunteer for us. But it's one of these things that if you have specialties, again, if you're an attorney, if you do compliance, you do like PCI DSS. And really we're looking for a broad range because when we step into a client meeting, I don't know a lot about what the problems are until we start taking a look. Network engineers are always useful because we do see some stuff like that. If you're like a master with Google Suites and how to lock all this stuff down, I got someone from Apple come up to me at the last talk and they're like, we can do a presentation on if they have an iPhone, how we can enhance privacy. I'm like, great, because I don't know all of this stuff. It's hard to, I mean, you can imagine how much it is. And we would love to have some volunteers to assist us with this. And with that, let me just say that we're really glad to be here talking to you here at DEF CON. And here, come on up. So if you wanna reach out to us, please do. And we appreciate your interest in coming to hear about the work at UC Berkeley Citizen Clinic. And what's your first project? Is there anything else you wanna close with? If anybody has any questions, just come and find us. We're, I'll be at the Hackers for Charity booth. And we'll be here if anybody wants to come talk. And if you are a student at UC Berkeley and have taken my class, I have challenge coins for you. You have earned them, and I'm like 20, but you have earned those. So come up and talk to me and I'll give this to you. All right, thank you.