 Good morning DEF CON welcome to track one This morning's first talk will be by agent X. It is a look inside security at the New York Times Hi, I'm Jesse crowns and today we'll be taking a look inside security at the New York Times This talk is also unofficially titled a media security primer for hackers, but it's really for both journalists and hackers Most talks start off or end with a thank you at the end. They're very rushes off stage thanking all their friends But really I'd like to start this talk off by saying thank you to a bunch of people first of all my girlfriend for her love and support and for You know putting up with all my craziness when I'm like hey, honey I need you to get out of the apartment while I record my talk because I don't want anyone to see me doing it Because that would be weird I'd also like to thank everyone at the New York Times who's Reviewed this talk with me and helped me make improvements and Help me dot all the eyes and cross all the T's and make sure everything looks really nice and sharp We really do try to get this story right every time It's been a crazy couple of years And in that time we've all gotten to watch a lot of movies and it's watch the Fred Rogers movie It was really great And there's a scene in that movie where they take a couple of moments just to think about all the people in their lives Who helped them get to the stage in life where they are right now? And we don't do that enough So let's just take a few moments right now to just sit quietly Think about all the people that helped us get to where we are in our lives today Excellent excellent So yeah, I'm agent X. I'm a longtime goon here at Defcon and I'm gonna be talking about information security at the New York Times And I'm gonna start off by talking about some of my privileges and my biases that got me where I am and Help me give you some color on this so 22 years ago I started doing Defcon and that really kind of primed me for working in media security because Defcon is basically a crazy event with things changing every day and it's super chaotic and crazy and just over the top and I really like it. I like it a lot. It's been coming a long time and I started doing I started nonprofit called the hacker foundation That's the first time I dealt with the media as both a subject as a subject and then supporting them And then I had a bunch of regular jobs like a normal person. I did like it was a bike messenger. It's a caterer Webmaster for brewery, which by the way, it's a great job Don't ever give it up. Don't do that And I was working for the phone company that was great and then a couple years ago I decided to go to the internet freedom festival in Valencia, Spain, which is a wonderful event with it's basically like Journalists and activists and people from all over the world come and they're talking about digital rights and security needs and They have these little tiny beers there. They're a little one-year-old beers. They're really great And I was having one with a reporter and they They were asking me about how to talk to a source and I was like, oh, I can handle this. I was the phone company source sounds great and they're They say I want to have sources it. Oh, you should just ring them up on signal and goes Oh, the reporter doesn't have a cell phone. I was like, oh, okay. Well, or the source doesn't have a cell phone I was like, okay Just call them on their landline. You can do a couple things to minimize your footprint with them And he goes, no, no, no, you don't understand. They have a phone like this And I'm like, they have a crank up phone This is the importance of knowing the context or operating in turns out the source was a farmer in a village on a party line and They were talking about some things the government didn't like so I didn't have a solution then I didn't have a solution now But it really got me thinking about some of these really interesting and unique challenges that were out there And I I went away from that conference. I said, you know, maybe maybe I should go work in media security. So a few years go by I'm spending a lot of time in New York. There's somebody very special out there. Maybe and the I see an opening at the Times and I put in my resume. I file all my paperwork and I knew someone who worked at the Times who was at DEF CON Networking helps And I said, could you pull my resume out? I'm kind of a non to And I have a non-traditional background. It's not gonna keyword find I'm not gonna get in there And they pull it out and I do the rounds of interviews do the phone screen Do the three phone interviews do a full day of team interviews, right? It's like Fight Club of interviews and they liked me. They really liked me and I've been there at the Times ever since So that's kind of a quick story about how I got hit to the Times And it was it was it was really I felt a lot of the stuff from my background has really helped me there But that's not with the end of the journey Because you need it you need a daily why right? You need you need a reason to be there get up in the morning and be motivated, right? and One of the things I think is really important is Being an engaged citizen in our country if you want, you know, the fourth estate is an important part of Democratic country having an active and engaged media and citizenry and curious readers is really key And I get to do that every day, right? I'm challenged with that problem every day One of the things I really love about our job is that it's not about protecting shareholder value It's just You know We you know, it's really about a mission. We are a publicly traded company, but that doesn't you know That's like not the biggest issue and we have really hard problems that are complicated and new and You can have really whizbang solutions for technical sides of the problem but if you can't explain them over the phone to somebody and have them be able to implement them quickly and Understand how to work them. It doesn't matter, right? So That's always a fun side of the game And the people at the times are really interesting. There's a lot of characters there if you've ever seen the movie whiskey tango foxtrot with Tina Fey Yeah, anyway else like news people movies. Yeah That woman works at the Times and like my first week there that like we're meeting with that woman who's played by Tina Fey And I was like, yes Yes, so that's that's cool. And the work is evergreen like every day is a new challenge I think Journalists and hackers have a lot of crossover in a lot of ways and it's right there in the middle of an diagram We like the information to be free. Just kind of do it a little differently Hackers like to go out get some cool find something neat and be like buddy. Look what I got. This is awesome Journalists like to be like buddy. Look at what this hacker showed me. Let me show the world Which is really convenient because I hate doing PR And I think journalists are good. They're also, you know, there's a bit more rigor in the kind of like News analytics that journalists do then hackers do so like that's a that's an important distinction between the two of us So we're gonna go over the times by the numbers really quick because I Have helped it kind of give some perspective This is also kind of a media talk But no news org is the same, but I think we're not that different But we're really old. I only like working for old companies before this I work for the phone company, you know technical debt. Yes And we do have a lot of technical debt at the times and we have a lot of traditions though, and we have a lot of history I work at the headquarters at 620 the glass castle and below that building in a big underground basement is the physical paper archive and Facilities of the New York Times We don't really need them as much anymore, but we also don't want to lose that stuff So I got to go down there a couple before in the before times I got to go down there and paw through the paper card catalog like remember when you if you're old you know like at the library and pull out original press photos of my Great great cousin or great great uncle Felix Krembs big-time Broadway actor So that was cool. There's original photos. That's some fun stuff And that I think that's important. I think that protecting the legacies is important as building a future We have 4,500 employees So we have 1,700 print reporters 200 of them are overseas the Overseas reporters are really the tip of the pen they They're the first on the ground they work very independently in very dangerous environments And so getting them properly secured and trained up in non permissive environments is really really fun We have a huge newsroom in the States We're doing basically the same work for a lot of those folks and then we have Data flows and so on and then we also have like, you know people who run printing facilities and we have 500 plus developers with all the Information security concerns you might have about developers of which there are many We have 31 foreign bureaus 16 national bureaus and offices and facilities scattered all over the world Besides doing the process of news making we also run printing presses So we and they're huge. They're giant printing facilities. They're the factories that make papers So we have the same security concerns that any manufacturer would have We own forests so we have paper There's a whole new security thing. I didn't know I was gonna have to think about in my life GIS security We have 7.8 million subscribers. That's a lot of PII we have to protect We have a hundred plus million registered users. That's an entirely different data set, but you can imagine Some of the ways that that might be used And if you think about the old classical infosec training of CIA Not that CIA confidentiality integrity and availability You know, we have a huge audience. We need to serve globally 76 million people and we push a lot of news pieces every day 151 150 plus news pieces all the time. So that's not just news articles. It's not just what's in the paper there that's a podcast with Michael Bober and and you know TV shows Okay, you know, we have news crews now. We have video production. We have drones So getting all that data working and then finally there's a plus sign after everything on the slide for a reason We're growing. I used to work in a dying industry that had a bunch of challenges Growth has a ton of challenges, right? I mean you have to think what's good now, but what's good in the future, too Because we're gonna have to scale this So we're doing that All the time and it's nice to grow up being in a growing industry Newsmaking is not a growing industry in general, but at the times it is This is not an I show it's a we show there's actually a giant info sec team I'm just one part of it. Some of that people in the audience right now So we have a security operations team. I work on so we are the frontline question-and-answer crew For any questions that people have and need help with immediately we kind of fill in in general way We have an intelligence operation, which does both forward and backward intelligence collection and Helps us know what threats to focus on and be aware of We have an education team I think that this is vastly overlooked in a lot of info-sec programs But we have four people who handle education at the times just for information security And getting programs out there and doing in-person trainings and doing in-person consultations. So thank you We write the New York Times app. No, you know, no other company does that so it's key that we have a great app sec team We have a massive cloud architecture. So we have a secure architecture team for managing that and Monitoring and doing visibility controls and all the cloud security you'd need No one would have a job if there was no incidents and Incidents are terrifying experiences for people that don't deal with them on a regular basis So we have an incident response coordinator who helps us Kind of keep everyone in line and managed And then, you know, we're in New York City and we're a global company. So Continuity is kind of important. I mean, I can't just been a Lot of continuity events in New York City alone in my lifetime. There'll be more So that's it. And then, you know, we're a giant company. So we have risk and compliance and that's just info-sec, right? It's just the info-sec team as we call it. Then we have both national and international physical security teams we work with They're an amazing crew of people dealing with a variety of threats and threat landscapes around the world and in the United States This is increasingly Dangerous and interesting work And all three of those teams co-coordinate all the time as part of what we call the threat response team Which is basically where we just all get together and go Oh boy And then we have really wonderful systems administrators at the time So I cannot thank these people enough for doing a really great job at their job and just, you know Holding the line. I think if you still have to nag people about patching systems, that sucks. We don't and that's great And we have an end-user support team that is top-notch and very good at keying us into like the little little triggers that they're like Oh, you need to talk to security right now And then we have editors support staff and journalists all over who give us street tips They're like, oh, so the source told me this and I'm like Thank you It's really great to have like a whole tech team that just covers Silicon Valley and gets us cool info And also they ask us great questions and you know, they're partners in the process and then you know We have a lot of people that used to work at the times and they are the the past is the present is built by the past and having a really Deep bench of people who used to work at the times. It was great And they've really helped to color and build the foundation we operate on now. So that's another one So let's talk about a journalist security for hackers or if you're a journalist in this room I hear there are four journalists at the the times that are here to this year. So maybe one of them is in this room This so this is for everybody basically This is the big old really hard to read chart on threats to journalists on one side We have murder and death and on the other side. We have law warfare and civil litigation 66 journalists lost their lives reporting in 2020. This is I mean three weeks ago Two journalists were killed in a week, right? It's not we are really dealing with serious Serious situations in a lot of cases and too often repressive governments Are willing to kill journalists to keep their citizens in the dark about their actions and we often and you didn't and you know when I When I started doing in for sec, it wasn't like oh, I wonder if we're protecting people from being targeted for killing How much we've grown I'm gonna talk about harassment in a bit, but Harassment is a huge issue and it definitely helps to it definitely influences our speakers But one of the things that Harassments leads to is self-censorship and self-censorship is the death of journalism I don't protect journalism. I protect journalists and they protect it journalism We give them the bubble to operate safely and securely to do the best work they can to get the story out for curious and engaged readers And part of that is protecting them from hacking Political pressure is definitely something on the spectrum. We don't deal with it in infosec because that's way above my pay grade but That is definitely another concern denying access. That's the denial of prescredentials or access by People that control access to news makers or basically just peeing peeing gene persona non-goddering someone out of a country It's happened at my job, which is I think both horrible and a badge of honor We've had we've had reporters deport deported out of out of countries as well another way that Journalism is threatened is to add pressure add boycotts That's definitely affects some news organizations more than others Then censorship we are somewhere right now at this very instance. Somebody is trying to censor the New York Times We run a censorship busting operation. We operate our own Tour onion service version of the New York Times online You can totally read the New York Times there. Please do Our friends at tour help us a lot on that and it's much appreciated reputational attacks or attacks against Journalism as a practice organizations like the Times the idea that we should even have newspapers and news outlets and also Reporters themselves just attacking the reporter as an illegitimate or biased source of news and then finally at the very end of the spectrum here We have the the idea that there are civil people making civil arguments in civil rooms And winning them through nice conversations, and it doesn't always occur. We call that law warfare And that's the quick threats to journalism Matrix that we or graph that we work on journalists have a basically three basic security concerns There's the physical security which is increasingly a concern in both the United States where it's a very we'd like to think of it as a safe place and And elsewhere and then information security it ties in it's crossed because now that we have We've seen a Activities where people's cyber security is compromised as a lead-up to a physical attack. So that's a that's a concern and then this last one is kind of meta but Psychosocial security for journalists We're increasingly recognizing that a lot of the lifestyle choices and Long-term kind of ways that journalists make it in the newsroom Isn't necessarily the best thing for living a long healthy productive life And so there's been some changes around that and that will continue to evolve that same things actually happening in our community But we're really trying to work away from training journalists for sprints We're trying to train them to be ultra marathoners and live long happy lives and take care of them really well Old journalists are awesomely fun to hang out with because they have the best stories and they've seen a lot of awesome stuff So the stuff in highlights is the kind of stuff that we worry about on a more regular basis here So quickly talking about harassment Lucy at the CPJ helped me put these numbers together 63% of all journalists have been harassed online within the last year when they did this study in 2019 that's I mean, I think everyone in the hacker community knows that harassment happens online, but Basically, you are guaranteed to get harassed both Individually like individual people harassing you and systematically if you're a journalist doing newsworthy news 58 have been harassed in person. I mean that's a pretty big number That's like somebody come coming up in your grill and then for a job that as I imagine it is like taking notes and typing 26% of all journalists have been attacked physically. They're not wrestlers. These people aren't trained in you know combatives, but they're still being attacked And I think that that really is something to to really Let's sink in Also, if you are a female journalist these numbers are even worse So nearly two three two-thirds of women in a international women and media foundations Study say they have been threatened or harassed at least once so the numbers are even higher for them and One in ten of their respondents has received a direct death threat Which is not mark above harassment So it's it's even worse for female journalists and there are more and more women working in journalism. So it's It's very serious issue And harassment goes hand-in-hand with social social media presence Having a large social media presence is a huge boon for journalists, right? We tend to follow newsmakers who we Feel authentic and you know, we can connect with through their social media forums our posts, right? But at the same point it makes you a huge target Curating and maintaining this presence is work I don't have much of one because I'm lazy But a lot of our journalists have very very active and very real social media presence on a variety of platforms There will be serious programmatic both State actor and non-state actor run harassment campaigns against these people Most platforms are woefully unprepared to provide any real support to these people at all It is shocking how bad it is once you get behind the curtain a little you're like Where are what are you doing? And that and it's even worse if you're just a regular human being right if you've ever been harassed as a non Public persona you have almost no support from social media platforms Hot takes by journalists that are They could be the most would be like that's barely a hot take Are the ones that get the worst hits? So my tips to all journalists out there is be very thoughtful and considerate about everything you are posting And very crafty about it We often get a question about where Journalist security responsibility ends Who's responsible for the security of a journalist, right? And is it the editor is it the security team? Is it the massed head of the paper and really it's the journalist because there are so many competing interests inside the Inside the newsroom and for journalists to go after stories in a variety of places that And and manners and ways that they really have to be well informed and be able to You know say this is too dangerous for me to cover. I need either more coverage or support or help with this Because it is it is really there. They're the only ones that are collecting all the data and it's really their life on the line I'm gonna quickly digress from my recorded notes and say there's a really good example of this Which is back in the day It was very common in conflict areas over long periods of time In to cycle journalists into conflict areas to cycle the long-term journalists out for a vacation right, so you'd be a long-term journalist in a conflict area and They'd cycle out somebody and they'd send some they'd send some young reporter in to cover them and a couple of years ago one of this young reporter said I'm not gonna do that I'm not going to you know this conflict zone for three weeks I have no training and I have no idea what I'm gonna do there This is the first time in the history of journalism ever that that happened and that was a sign about how common it was for newspapers and News orcs to send people who were woefully unprepared into conflict areas and Journalists to basically bow to the pressure of that event because it is good for their career. We are working to change that And it is through training and advisement So we're big on training. We do a lot of really cool training at the times. We provide a lot of circulars We talk about a lot of stuff Training is what we do proactively To get people prepared and then advisement is what we do custom for them for specific stories or events You have to make sure that it's tailored to their needs And journalists are really great because they're very curious and persistent so any advice you give them You really need to make sure that it's actionable. It's not theoretical at all. It's that do this right practice the That's really one of the key sort of things for them It's they they don't and they'll ask why but you should know why because you wrote the paper and Made the guidance so here are five basic practices for all journalists and if you are interested in helping media organization and they're like Journalists like what should we be doing? Should we be like, you know worrying about this or that? Start with these five things because they're super easy from an infosex standpoint and they're the basics So strong diverse passwords use a password manager, right the Any password manager will do it's fine any like online password managers totally great, but Journalists get a lot of creds all over the place and they tend to do the thing So they make us as infosex practitioners terrified. They're like, oh, I came up with this really good scheme I can remember and I'm like So going hand-in-hand with that go to second factor authentication on all the things all the times Skip just skip over SMS because we're already seeing Sim hijacking used against journalists in a targeted way. So they're trying to defeat their 2FA through some hijacking attacks So use authenticator apps use hardware tokens If you're ever gonna deliver hardware tokens to journalists deliver them two hardware tokens One to use and one to backup and then have them put the backup codes in their Key Vault because Shit's gonna go sideways I promised myself. I wasn't gonna swear during this talk VPNs should be collected like cookies just all over the place companies should provide a in VPN into their systems, of course, but also they should be collecting third-party VPNs any of the nameable reviewable reputable VPN services are just fine And they there are a variety of solutions out there So just VPNs and it's very funny people ask the journalists ask me when should I use a VPN? I'm like when you're not at home and when you're not at the office and they're like show use it at Defcon And I'm like, yes Yes, you should should I use it at the Olympic press pool? Yes. Yes, you should what about the UN? Yes Yes, you should it's very simple stuff assets so one of the things that happens is We all tend to like just run on one laptop it's really important for journalists to compartmentalize their personal lives and their professional lives because Generally speaking when they get targeted they're going after the professional works and it really sucks when it compromises their personal lives So having two phones having a work phone having a personal phone having a work laptop. It's really hard for For freelancers, that's a little trickier because it's not like they don't hand out laptops like candy So but if you can do that you should totally do that and make sure that that's a regular practice Just you know, it's a key up. Please update early and update often I don't know anyone that's suffered from updating. I do know people that have suffered greatly from never updating I think we all have Love those exploits from five years ago that work. Why would I update everything's working? Use secure messaging platforms whenever possible use signal use signal Please use signal There are third part there are other messaging platforms and that is where sources will be you should you can you should use them You need to talk to sources over like more secure platforms, but If you can move to signal that would be great We are big supporters of using signal at the times you might have heard that use signal So if you're an editor You're also part of this whole problem and you're also part of the solution Editors like to hire really smart journalists you need to communicate if you're an editor You need to communicate your security risks that you know about to the journalist Even if the journalist is a seasoned veteran make sure that they know stuff that you may have heard of because They may didn't get the memo. They may not know about it. They may have managed to survive for years like just not knowing that Danger was flying around them If they're a if they're a junior reporter, they need to know this too And then also you need to listen to your journalists security concerns and take them seriously They are not to be discounted And then you need to connect those reporters with resources both the physical security resources that they will need the infosec resources we provide and The cycle so social support networks that now exist because it is very very important that we get these people in a proper pipeline You need to have a regular and commune a regular and clear cadence of communication with your journalists and We teach this in our training and it teaches tell you right now because this is also a good takeaway PSI position situation and intent journalists in the field where are they Not relative absolutely also. Where are they relatively in the story right are they coming to a conclusion on this thing? Are they still wandering around in the woods? So what's the what's their position? What's their situation? How what is their personal situation? Their safety and security situation, but also what is the situation on the ground around them? Is the crowd getting angry good to know? And then what is their next move where are they going? What do they think they're going to go do next right? When stuff goes sideways in the field these are the three factors that these three things We're gonna start looking for right away, and it basically is the same kind of stuff We do an infosec right? We want to know you know, what's the current state? What's their? You know, where are they? What's the current state, and then what do they think you can do? So please please get your PSI in order and then finally you have to do all the five things that you know We're in the previous slides because having you have to be the example right you need to provide You need to say yeah, let's talk up. Let's talk over signal right? Let's communicate this way. Let's do these things. Yeah, here's my UB keys. I use a key vault Because you've obviously made it from journalists to editor and And a lot for a lot of journalists that is their career goal, so they're gonna follow your example So that's the quick quick how to consult for journalists and news orgs But this is the other stuff that we deal with which is really kind of fun Gathering in secure handling of source materials is a hoot. I I love it when The journalist comes to me and they're like so I got a source and they've got like 20 gigs of data, and I'm like, yes awesome It's on an onion chair on tour and I'm like this will take a while And we also ran the legal concerns We like sources to if you if you're a source out there, and you're listening There's a lot of things we cannot help you with we will not direct you what we should Look for we will not direct you how to acquire something You need to decide what you think is important that the world needs to know about as a whistleblower or a source and Give it to us Hopefully through a secure means that we provide to you There's legal reasons for that and they are That's what we have lawyers, but That's a key thing. We run the tips line and we help assist run the tips line at the times so You can if Johnny can encrypt he can send us a secure GP GP GP message Or you could use secure drop and it's a lot easier We'd gladly take your files that way. We also develop a custom Drop methods for sources in complicated situations We're always on the lookout for what nation-state actors are doing what they're interested in what they're targeting what they're working on With their capabilities are because they often will use those capabilities Against journalists and sources so we kind of need to know what's going on This also goes for non-state actors as well, but It's a little harder to pin down some of those non-state actors because of Suddenly somebody's like oh now I'm gonna go after that news org I'm a telecommunications guy, so I spend a lot of time thinking about ways that telecommunications the internet can be used both as a surveillance tool and as a Way to get information or be observed so working that that magic is kind of always a thing We're interested in we're also we do a lot of Research work about how we can get data in and out of areas that you usually can't get data in and out of because of rules and Facilities so that's fun Massive LTE backpacks with like eight SIM cards in them so you can live stream from wherever We are often dealing with industrial control systems, which is kind of totally different from all the stuff in the rest of the slide deck but like I said we have a Printing facility and it has everything that a modern factory would have so we have to deal with all that stuff APSEC I mean the application security thing is a big deal There's tons of exploits and issues. We have to deal with we have our own bug bounty program We manage and deal with through that Cloud architecture of course because we have a giant cloud presence. We run on multiple carrier multiple providers and multiple carriers And you need to automate and consist of sites across all of them with all of your controls and management techniques And then the gray business of the gray lady, right? We just we're an enterprise company so we have all that stuff that enterprise companies have like the You know the mainframe we don't want to talk about And that's I you know I make a joke. It's the gray business of the gray lady but it's It's important work, right? It's how the checks are written. It's how my paycheck is written. So that's cool And it's the HR systems and all that kind of stuff. So there's all that going on, too So it's not just all sexy journalism all the time So this is my list of hard problems and if you're looking to get into this you will find Plenty of work to be done here Social media platforms generally Oh, I gotta go faster. Okay, so social media platforms generally don't put their Their security controls in a consistent language and then they change it every time So it's like hey This is how you with this is how we suggest you lock down your Facebook account for example or your Twitter account and then Somebody come back to us and be like I cannot find that and we're like that's because we wrote it yesterday And they changed it last night and now it doesn't work So if anybody has any control over the presentation of Security controls and privacy controls and social media platforms It would be great if you would maybe Come up with a scheme where you could pull the data from a file You know and I could be like this is the policy. I would like you to employ I Just want the most hard thing to get in the entire world if you could build me in like a box about this big It's battery powered it gets me like multiple like hundreds of megs of data transfer in both directions anywhere in the world That's dead simple to use and works in every environment. That would be great You know, it's not a small ask. It's just you know, I just you know If you're in Mongolia, I need a hundred meg in the sky in downtown, New York, too We're we're trying to get over the days of like having reporters like call us on a sat phone and dictate the story to somebody Which has happened recently because Bandwidth is not spread evenly over the entire globe And that's kind of a macro level deep field issue. There's also the issue of You and you'll notice this here at DEF CON right we we pile a bunch of hackers in here And then suddenly the cell network just falls over and we can't call we have no comms So what happens at like large conventions or rallies is that journalists go in they do the story But then they basically have to leave the event to get to some facility to Put their to post their story So having something where you could basically have a Wireless mesh network like Gotenna. They could push print ready photos and video would be really cool This is also not a non-trivial ask, but it is awesome if you could figure out how to do that Most mobile device management is super heavy. It's like hey This is the company phone and we're gonna do what we want We work with a lot of freelancers. That's not how it works in the world of journalism So a lightweight opt-in MDM where basically the end user can set some policy And then we can lock it down and if X happens we can do we the people who are not being detained can you know Wipe your phone for you or find you Would be cool We do a lot of remote journalists check-ins So a journalist goes to an interview and the interview is going sideways and they kind of know it might go sideways So we do a check-in with them And they're like, oh, yeah. Yeah. No, I got arrested. I'm having a meeting without tea now Those don't work at scale though, so we really need a scale tool that does that so you can do that to multiple journalists at the same time And not have to and you can keep them all straight and know what's going on Tour network speeds. I kind of touched on this when you do get that 20 gig drop. It is totally awful there's so Tours making a mighty effort to speed up the the tour network We would love it if you would contribute by building proper relays and exit nodes Helping them sending them money would be good, too. They're all wonderful people Source media sanitization you get a lot of random stuff from a lot of people Some of its malware that's not cool So if you could we're looking for better Source media sanitization tools that aren't designed for like very rigid pipelines of production like you'd seen a financial industry Better tools for searching an analysis of just random files of data. Here's 20 gigs of stuff It's photos of printouts. It's PDFs. It's text files and csvs That's a lot of data to go through and it's kind of hard to parse and in the news cycle. We're trying to get stuff out faster so basically mixed large mixed file sets file analysis and intelligence aggregation gathering would be awesome and Finally, we so in the tip system. We have signal. We have what's app people mount campaigns to tell us about horrible things that are happening in the world that they think are newsworthy and They say and our message volume goes up by 10x and suddenly All the we're getting the same tip over and over and over again And we need a way to end the what's app signal all those clients don't really have a way to filter that stuff And this happens to every news org. So we really need a Client that we can run on our end that allows us to You know manage that stuff and Finally Bellingcat has a whole ocent list of github projects that they're working on that has the same They have like a bunch of cool stuff like how to find where this photo was taken on Instagram So if you want to get involved, I highly suggest attending the internet freedom festival or similar meetups that will be happening in the States and possibly next year in Spain If you're looking for work, the digital rights job board is up there We have I post all the New York Times recs up there and you will also find a Bunch of other orgs out there that work in similar places There are other news organizations besides the New York Times. I know it's shocking. They're not very good But it's true There's Gannett, which is also USA Today The WAPO that paper down there in Washington and Wall Street Journal us Bloomberg CNN the BBC has a huge security operation by the way Reuters the AP which I didn't need I mean Worked in news. I didn't know they how the AP worked There's like a bajillion of them and they have a bunch of security people Finally your local all weekly and your local news orgs are really really in need of your help so just rocking up to them and being like do you have enough time to Let me try and help you if you could use some help might be helpful and Then if you are a researcher or you kind of want to get into the meta space of this There's a bunch of really great organizations out there. There's CPJ the committee to protect journalists There's reporters sans frontier. There's the international Federation of journalists. There's the International Women's Media Foundation and Freedom of the Fresh Press Foundation. They write secure drop and a bunch of other awesome tools And So they are all other places you can go and find some awesome awesome work And it's way better than protecting shareholder value And that is the end of the show We usually do Q&A at this time, but I'm sure he's gonna give me the fist in like three minutes ago. Yeah So if you have any questions, I'll be over there. Thank you so much Thanks for coming out at 10 in the morning by the way I was totally like no one's gonna show up for this talk Thank you