So my name is Ken Westin and today I'm going to be talking about being a professional cyber stalker. I actually founded a company called GadgetTrak. I kind of fell into it. I was sort of a reluctant hacker and CEO and I actually learned quite a bit along the way. I basically started developing various theft recovery tools to help recover stolen devices. I kind of got into also the investigation side because law enforcement needed a lot of help. And I'll kind of talk about some of those challenges and things I learned along the way.
So I've actually assisted law enforcement with a number of investigations and not just with the tools I developed. A lot of times they would come to me for other theft recovery tools or other data that they may have. And I'll kind of talk about that too, sort of how to harvest information from social media and other sources as well. I'm not with GadgetTrak anymore. I'm currently a senior security analyst at Tripwire. I'm catching a different type of criminal and dealing with different types of data. But I still keep involved in some of this stuff with some of the investigations.
So for those of you into some hardcore justice porn, this is my wall of shame. These are actual cases I've been involved with. You'll see a lot of photos taken by web cameras. I blur their faces out to protect the guilty. And some of these are also some of the folks I actually recovered devices for if we didn't have photos of them from the web camera. So what's interesting is that more than half the time when I went to go recover a device, the police would go in and they would find other crimes that were committed. A lot of times there were fencing operations, drugs. They would find people that actually had warrants for other crimes. Even got involved with a very violent carjacking. And the laptop sort of served as a trojan to help us identify and find the people that were involved.
And also, you know, by basically trojanizing devices, you know, itself becomes a trojan providing visibility into these larger criminal enterprises. And I'll go into some of the details of these cases throughout the presentation.
So that being said, you can probably imagine some of the work I do. It doesn't have its critics. It's usually from folks who don't quite understand the intentions or the background of the tools. The fact is they're incredibly, they're tools that are much more invasive, that are available to do more nefarious things such as RATs, a lot of malware out there that people can use if they actually want to spy on someone. You know, during the process of developing the tools, I was very concerned about how the tools might be used and also concerned about privacy. Actually investigating some of the other recovery tools that were out there, I found a lot of them actually had back doors into the systems. They would actually gather more data than they really needed. And so I tried to develop a tool that was both useful for law enforcement investigations, but also balanced the privacy implications as well. So I also found on mobile devices in particular that applications gather a lot more information than what I did. And I'll talk a little bit about that. So a lot of things that marketing applications do are more scary than some of the information that I would gather for theft recovery purposes.
I got started with this when I was working for a company that was specializing in blocking USB devices. This was a long time ago, 2007, 2008. My exposure at that time to security was basically just as a server administrator trying to secure web servers and managing the websites. And I got really interested in actually how these USB-based tools were being used to compromise networks. You know, hacking is hard.
You know, trying to access a network from outside is very difficult, but being a lazy hacker, you know, using USB devices to compromise a system or steal data, it's a lot easier. So I started actually working with these tools and I actually created a website called USB Hacks where I actually started posting some of the tools that the community was developing. I started working with some of these myself. And it was really interesting. I started getting some interesting inquiries from both sides of the law. That was the first time the FBI gave me a little call. But I think once they understood my intentions that this was more about raising awareness. Because at that time, nobody was actually talking about this or providing these tools. And now, you know, at least they had those tools to play with. So network administrators can actually test their networks to see how it would react to these particular tools. A lot of researchers actually still ask for those tools. So I actually put the URL there just below the title. So if you want to download those, just be careful. Most should be picked up by antivirus, but you can still modify some of the scripts and it will still work.
So, you know, after I brought it down, I thought about, you know, what if I was able to utilize these tools and actually make them more friendly, right? So instead of taking a Trojan and actually causing damage, what if we turn that into a happy Trojan? Right? So, you know, the idea is very similar is that, you know, you plug in a flash drive, utilize auto run capability, you run a binary and you're able to gather a lot of information. And, you know, you can do a lot where you can grab hash, you can grab all this stuff, but for theft recovery purposes, I figured, you know, we get the IP address, we get internal network address, we can do some geolocation just off of the IP, so we at least know what city they're in.
But the more useful information was the computer name and then the username of the person that actually is using that system. And through that, I launched this as a free tool. It was actually part of my master's degree. It's my system that I built and I put it out there for free and I was just kind of curious if people would be interested in this. It got on the homepage of Digg and it got dug to death. It was like 20,000 people registered over the course of two to three days. And as you can imagine, this was all coming into a central server. So it actually, you can actually activate tracking remotely and then when the device gets connected, it'll then send data to the owner.
So I was able to harvest a lot of information about the devices that this was working with and it was far beyond USB devices. I found it was working with external hard drives, GPS devices, because that's how you update the maps at the time. It worked with also the iPods. So if they didn't have the right software at the time and you plug in one of these iPods and you access it, it would actually get triggered as well, which was pretty interesting. I've gone ahead and I've put the actual USB client source code, at least one version of it up here. So if you guys get the slides or you want to download it, it's in C++.
But then here's the auto run capability, right? So this was a massive vulnerability that Microsoft put out there and it's still present today. You'll even see systems that are vulnerable in industrial environments, healthcare. They're still going to be running Windows XP and they're still vulnerable to these types of attacks. And I'll kind of show some examples of that too. So you think that this, we would have learned by now that USB devices are bad, but even Black Hat this year, a lot of people, they scattered a bunch of flash drives out and they fell victim to it and had data stolen from their systems. I'm not sure if it was innocent bystanders, hopefully it wasn't any of you guys.
If it was one of you, get the hell out.
So one thing I learned is that the trouble with getting the IP address, you know, we talk a lot about attribution, you know, this attack came from China. Well, you know, IP address, you know, it's very, very difficult to use for attribution. One thing I found is that law enforcement don't like paperwork, they actually don't like doing a lot of work. So when you're dealing with IP addresses, they have to do a lot of filing. They have to go through to get a court order to get that information from an ISP. You know, some of this process can take anywhere from two weeks to three months. It really depends on who you're dealing with. It also doesn't, it's not identity. It doesn't actually put the person in front of the computer. So you can go and you can recover that and it's like, yeah, that wasn't me. I don't know what you're talking about. There's also, you know, it can help with probable cause, but it's increasingly becoming a challenge to use IP address for probable cause. It's not always accurate as well, especially nowadays, you know, you have mobile hotspots, people with Starbucks, things like that. So IP address really isn't working very well. And in general, it takes a really long time. When you're trying to recover a stolen device, it's a major hassle because time is of the essence, especially when these devices are getting fenced.
So with this, though, you know, I had the first, the first that I know of the first iPod recovery. And it wasn't from IP address. I was getting a lot of these things where a lot of kids were installing on their iPods. And it was easy because a lot of times these kids would steal it and then they would go home and then they would plug it in and then it would be like the colopagus family. There's only one kid that had that last name. So the school was able to actually get the iPod back for those kids. So it was kind of fun.
And I think it was cool, too, is that this time when we did this, is this the idea that if you steal something, it can be tracked. So I like to think that maybe that had a little bit of an impact on people wanting to steal these devices.
And also through this process, when I learned all the devices it was working with, I found that it was working with these high-end thermal imaging cameras. So I was actually approached by a company to develop a custom agent for them, where we actually would use this to protect these devices that are around $3,000 to $300,000 thermal imaging devices. So it was a very similar process. The one thing with this was that they actually wrote the images to an SD card. So they were like, well, what if someone takes out the SD card? So we actually wrote some custom code in the firmware where when it puts in a new SD card it will actually write a new agent back to the SD card. So even if you put a new one in it's still going to block it. What's really interesting, too, is that they were just concerned about theft recovery, but also these devices are export controlled. And they were finding some of these devices were running up in countries that they shouldn't be. So that was another sort of additional measure that they wanted to take. So if one of these cameras ended up somewhere and was connected to a computer in Iran, for example, they would be able to map that back to the reseller who actually sold it to them. And so with this, too, is that I disguised, and the other agents I disguised the agent as a passwords file. On this one, I disguised it as a thermal image of a cat.
So this is actually some stuff that I was working on. I never actually released it. I was actually looking at how to do similar things with OS X. You don't have the autorun capability, but you can still trick people. One of the big vulnerabilities I like to exploit is greed and stupidity.
But I found some things that were really interesting, is that using AppleScript and why AppleScript, why not Objective C? First, I'm a shitty programmer, and two, AppleScript is trusted. It actually has a lot of interfaces with a lot of other applications. So if you're targeting an Apple system, you know that it's going to have iTunes, and it has an interface with this. And that's what I'm going to leverage.
So one thing I found, too, was that Apple's a little tricky. Sorry, it's kind of tiny, you guys can't see that. But I disguised the Trojan as an MP3 file. What's interesting with OS X is that if you try to like a .mp3 on an app, it will throw a .app at the end of it. So it's trying to help the user so that they know that's an application. So the first rule was to try to trick that. And I used what's called a homoglyph. So basically trying to find a character that looks like a period, and there's a little Turkish character called an ogonek. If you put that in there instead, it won't throw the .app on the end and it looks like it's a .mp3. And I have a demo of this too, which I'll try to do at the end if I have time. But then further, you can disguise the icon, which is pretty simple.
And I've actually put some of this code up. I'm just going to go through some bits of it. So there's an object where you can get system information. There's also another one you can get where you can get all the applications that are currently running, which is cool. You can then write some scripts that will then interface with those applications and try to steal data. The biggest one was I was trying to exfiltrate data. Sure, you can do things with shell scripts and what not, but sometimes that will throw errors or alerts. So what I did was I just found a way to actually exfiltrate data through iTunes. So I will basically grab all the data that I want. And then there's some transcoding that I do. It's included in the URL here on my GitHub page. It's got the full script.
And then I'll pass it out through iTunes. And then iTunes that actually will stream in .mp3. So you think you're listening to some music while in the background? We're doing some bad stuff. What's neat too is that you can actually do shell scripts from AppleScript, which is great. And I'm not sure if you guys saw the new sex vulnerability. So I threw that in here. Just be careful if you run that on your system. It's not on the one on GitHub, but still review the code, please. I don't want to get in trouble.
So, you know, USB is still an attack vector. It's still a threat. We saw that with Stuxnet. We've seen it with USB malware that even hit the International Space Station. More recently we saw some U.S. power plants that actually were infiltrated with employees accidentally bringing in infected USB sticks. Again, a lot of those systems are still running vulnerable versions of Windows XP, which I think pretty much all of them are vulnerable now. And also, we just saw this here again, at Black Hat. So, you know, it still is a threat.
So, kind of moving on. You know, IP address, you know, that's one piece of information, but a lot of times you're going to need a lot of other data. This is a crazy wall. You guys have seen this in, like, all the CSI shows, right, when you're trying to track a murder. They have all the evidence and they put these lines, right. And that's kind of the thought process that I follow as well. Tools that actually make this a lot easier nowadays are like Maltego. It automates a lot of that process. So I'm not sure if you ever used it, but it's a pretty great tool. And you can actually write all the custom transforms to do a lot of this work.
But basically, I had a case where I was tracking a flash drive just to give you an example. And, you know, we were able to get the initial IP address. And it was a weird username, too. It wasn't something that would actually identify a person. And we mapped it to an AT&T subscriber.
But, you know, AT&T is going to take, like, three months to track it down. And the flash drive was from a professor and he had some research data on it. But it was still hard to convince law enforcement to spend their resources to go out and actually track this down. So we did start getting connections from a university and a specific computer lab. So that was useful. Because we also get the internal network information, which is as useful. So we went to the university IT department and their campus security. And we found that, yeah, so we got a time stamp. We have an internal address. But these are guest computers. So there wasn't actually a student ID when you logged in. So we're still not able to get the specific person.
But I started asking questions, like, what other data sources will we have here? And come to find out, you have to swipe your student ID card to get in. And so they have logs there, right? So we were able to access those logs. We tied that with the time stamp. Now we have a list of who is in the actual room. Add to that, they also, a year before, had a number of systems that were actually stolen out of that lab. And so they actually had cameras as well. What's really cool is that a lot of people don't realize that a lot of these cameras when they actually store the data, there's also a log file that gets generated. So we're able to correlate that time stamp as well to identify who specifically was in that room. And they were able to use this information. Found out who it was. You know, had the professor as well as the campus security outside of the guy's classroom the next day. And he got his device back. And all his information was still there. Yay!
So after working with USB devices, I wanted to find ways of, you know, looking at how to recover more expensive devices like laptops. You know, I looked at a lot of existing tools and they relied heavily on the IP address. Which is, as I mentioned before, it takes a lot of time.
Some of them, actually they'll utilize more invasive techniques as well. They'll actually open up a back door into the system so they'll have recovery teams that can deploy that. They can install key loggers and other things like that, which I found that to be overly intrusive and I think in many ways makes the system more vulnerable. There's, they also will sometimes put stuff in the firmware and muck with that. So there's a lot of, a lot of risks. And I found that, you know, we don't need to go to that extreme. I think there's other ways of going about it and recovering devices.
So I combined utilizing the web camera and, you know, with Wi-Fi based geolocation. There was a company that was already doing the web camera on the Mac, but no one was utilizing Wi-Fi location. This is around when the first iPhone came out and that's what it was using. So I worked with Skyhook and it got that deployed for this. So we're able to get geolocation, we're able to get camera information. So this was sort of a game changer, especially for law enforcement. There were some challenges with it.
So the way it worked is that you would activate tracking on a remote server. The device would check in to see, you know, if it's been stolen, if it's been flagged, if it's supposed to start gathering evidence. And there's a lot of different things that would trigger that. If it moved to a new network, if the IP address changed, if there was a login event, so it was pretty smart. It would also note if it changed location that it would also check in. And so it would then send information. And at the time I didn't want to manage a server, especially with the photos and things like that. So we just had it go directly into Flickr. So you actually register your Flickr account so that way you have control of all your data. You don't have to worry about a third party accessing your information. Or activating your camera and spying on you. I don't trust myself.
So whenever the laptop would connect, it would get the location from Wi-Fi, it would capture photos, and it would do this every 30 minutes. And it would do it very quickly. So the green light, it would just be like a blip. You wouldn't even notice that it was on. So for the location, I used Skyhook Wireless. It was a great service. But now geolocation is embedded in all the operating systems. There's APIs for it. And pretty much every major both laptop as well as mobile operating systems. You can also get location from the Google Maps API. So here's the kind of a call to how to go about doing that. So if you want to write your own scripts to track your devices, that's a good way to go.
So the first recovery I had was actually with this tool was in New York. I had to work with a New York police officer who was kind of an a-hole. He was basically saying, he was really frustrated because he had to deal with these types of tools before and he's all pissed off because he's going to have to deal with paperwork. And I'm like, no, you're fine. Look, so the location is within 10 to 20 meters. And he goes, okay, well, what's that mean? I go just print out a photo of the guy, go to that location, ask around. And he's like, yeah, don't tell me how to do my job, all right? And then he did, right? And they go in and he was this owner of a tattoo parlor. And if you look at the photo in the background, you're going to see a lot of cool toys. So there's a nice big screen TV. There's all sorts of cool synthesizers, all kinds of audio equipment. And so when the police finally went in there, they found the customer's, it was an iMac. And they also found three laptops from different cases and a lot of other stolen property. So this is one of those examples where you trojanize an app and then the trojan app sort of unveils all these different crimes that may be committed. So at that one I said we had a 300% recovery rate because the other laptops were recovered.
So another case we had was in Portland, Oregon where I live. There was a group that was repeatedly breaking into schools. So they were targeting a bunch of Portland schools. They would go in and they kept stealing laptops. What was really frustrating was that they would do this continuously. They would go in, they would steal the laptops. The district would go and replace those laptops. A week later these guys would come back in and they would steal them again. It was like, really, it was like, it was like four or five different schools that this kept happening to. So I approached them and I said, hey, I got an idea. So we deployed this software to a bunch of bait laptops and we left them out. We didn't even put them like in their locked cabinets and just left them out there. And sure enough a week later they got ripped off.
So we got the network information and this was a bit of a challenge. We're getting some photos and we actually got it to a house that was in Vancouver, Washington. So that's kind of, that's the next state over. It's right next to Portland. And we got the location to this one particular neighborhood. And again the location's within 10 to 20 meters. And so I told them about this and gave them the information and the detective working on it. So he goes there and he thinks it's an exact location. He just goes to this one, it's a duplex and he goes to one side of it and the guy that answers the door, he knows him. It's the guy that works on his roof. And so he's all pissed off at me. He's like, you guys don't know what the hell you're doing.
So I was pissed off and so I drove out there and I started actually looking at the wireless. I don't know if you can see it but there's a little street there and I pulled in and I pulled out my laptop and I started looking at the wireless networks in the area to make sure that it was accurate. And sure enough, the thing is that there was a wireless network that was called it was Russia.
And I look over and they're right next to the on the other side of the duplex. There's a car and there's this big like Russian pride bumper sticker on the car. And then I swear I'm looking there and then this girl comes out she starts washing the car and then the guy who we have a photo of walks out and I'm like, oh shit and he looks at me and I'm like looking like I'm looking for directions on my laptop right like I'm lost. But I called the detective and then they came out and then finally they were able to continue the investigation. What's interesting with this is that they were never actually told that this software was involved in their case. I was an anonymous source and they ended up arresting six to seven people that were in this case. It was an organized group. They were stealing a lot of other property as well. Some of them were pretty bad dudes and they got them to think that they'd all ratted on each other. So it was kind of cool.
So for some reason there's a lot of sort of these Russian guys that are involved in stealing property in Oregon. I was involved in another case where the laptop was stolen and we didn't get anything for like two weeks. I'm like, oh man they like they reformatted the hard drive or something right. But you know I tracked it and we started getting a ping in Missouri of all places and I was like, how the hell did that happen, right? So we're getting this and there's this guy named Victor and he was nice enough to change the username on the computer to his full name. That was really nice of him to do. So he's really trying to help us out. But I had photos of him everywhere. The first one we had was at, you know, in McDonald's. And at one point he was in a hotel. That was really shady and there's like a girl behind him. There's something going on there. But I was able to find that I found his MySpace profile and I really noticed that he's really into Scion. He's a big car nut that's really into Scion.
And I found that he has a bunch of posts on a lot of different forums on Scion showing off his car. So that was helpful too because then he gave me his license plate number. He was also a big eBay seller. So he was selling, he had a store and he was selling all kinds of car parts. So you can kind of tell what kind of business he's involved in. And then he was nice too, well not so nice because he sold the stolen laptop to his friend. And Omar. As well as a stolen bike. And what happened here is that when the police actually went in, this is the first time we worked the district attorney. He said, you guys have given us enough evidence that even if he doesn't have the laptop, we can bust him for possession of stolen property. So that was kind of interesting. We're sort of like making case law.
But what was happening is that there's a Russian group that was here in Portland. They would steal a bunch of property. They would load it into this big white van. And there's another Russian group in Missouri and they would swap stolen property. Because where's the first place you're going to look when your laptop gets stolen? Craigslist. Right. So they're kind of smart there, but not that smart. We got them. Oh yeah, and Victor too. It was actually his dad who was involved in the one. So it was a birthday present. So his dad's a nice guy. He gave him a stolen laptop for his birthday. And now he has a criminal record. Thanks, dad.
There was another case where he had, I was in Brazil. So it's not just in the U.S. This was a little bit of a challenging, actually a little bit challenging working with the Brazilian police. But there was a couple of guys that were in their car and these guys came out with guns and, you know, said get out of the car. And then the driver, they punched him in the face, knocked him to the ground and then kicked him. He had like broken ribs and a broken nose. And then a guy who actually installed my software, he left his laptop.
It was still in the back. So we started getting pings and then the police were actually really excited about this because they were, I guess they did this quite a bit, right? So they were assaulting a lot of other people as well and stealing a lot of vehicles. But it's just a good example of how this can work internationally as well. It doesn't just have to be the U.S. Sometimes it depends on law enforcement how willing they are to help out. But there's ways of convincing them. And here's the customer with his laptop back. He was a veterinary student too. He just finished his dissertation and he didn't have it backed up. So he was really happy to get it back.
So then I also moved on to mobile. So mobile is a little challenging because geolocation is easier because it was already in the device itself. But IP address has become much more problematic. We also want to, we found that people really don't care so much about the device as the data. So we built a system for backing up photo and contact information. And I was really concerned about actually doing that, like storing people's photos on a server. First of all, if we get hacked and someone accesses all of our customers' photos, that could be really bad. Or the contact information as well. We saw this with the Fappening, right? That the risks that are associated with that. And so we built a system so that when you actually install the app, you enter a key, a privacy key. So it actually encrypts your images and your contact information before it sends it to the server. I like this too because if we do get hacked, their data is still protected. Also, if law enforcement comes to us and they want information, yeah, here you go. It's a big encrypted blob and they have to go to the customer to get that key. So and then you can also do the data wipe and things like that.
So I built this tool and I have a little bit of a video here to walk through one of the cases. So hopefully the video works.
That's helping track them down. NewsChannel 8's Ed Teachout spent the past two days with police and investigators on the trail of swiped cell phones. He's live outside the Washington Square Mall where the theft took place at.
Well, the managers of the Sprint store here at the Washington Square Mall behind me say they're very confident that tracking software developed only miles away from here and put onto their demo phones will lead to an arrest.
This is a $500 phone. This ends up being a $450 phone.
Two empty display cradles are all that remains after someone stole two demo cell phones from the Sprint store at Washington Square Mall on Saturday. Moments after surveillance video caught the theft on tape, employees initiated tracking software installed on the stolen phones.
They were able to not only find the GPS location of the individuals that took them, but also we've been able to monitor any activity that happens in the phone.
That activity turned out to be pictures someone took shortly after the phones were stolen. Tigard police admit it's a brave new world when pictures taken on cell phones can be told to send back pictures once they're stolen.
That has not only piqued the interest of our investigators, but in essence appears at this point could be very credible information for us to follow up on.
The Portland creator of the software tracking the theft says police are on the right track.
If they're not the thieves, they definitely know who stole it. And if you look over the head of this man, you'll see in the window an Oregon temporary permit.
Phillip, this is Ed. With the help of a GadgetTrak investigator on the phone, we tracked the stolen phone signal to this Vancouver apartment complex. There we found the exact temporary permit and young woman who told us off camera, a man she called Peter, had sent this photo to her Saturday evening, but says she knew nothing about the phones. My name is Ed.
We tracked the second cell phone signal to this duplex about eight blocks away. You don't have a Samsung epic phone in this location? No. At least we're here yesterday looking for it. We're back live now outside the Washington Square Mall where we've just obtained within the hour those DMV records on that temporary permit. Tigard police say they hope the men in the pictures will contact them soon so they can explain how their faces ended up on a stolen cell phone. Back to you. Thank you, Ed Teachout. The contractors. Thanks. Thank you.
So, you know, it's helpful. You know, we had, you know, the footage. Again, kind of like I was talking about with, you know, the video camera footage. That's helpful. You know, actually see when they caught it. We had some challenges with some of these devices because the, for some reason the GPS coordinates were, with our software that's accessing it wasn't right, but luckily the photos they took of themselves did have the GPS coordinates embedded in it and we had a timestamp as well. So they're really helpful. As I mentioned, you know, stupidity is one of the better vulnerabilities that helps us out quite a bit. You know, we were able to get the location from that as well. And of course the trip permit, you know, that's just, that's just ridiculous. But they ended up getting these guys and they, again, they ended up, there were five guys that were involved in this. And they're actually stealing other property. One of these guys actually had a warrant out for arrest already. And they also, in the process of investigating this, they also recovered a stolen car. So.
And so what I learned from this, too, is I started looking at, you know, the data that's actually embedded in the images where it's really helpful. So there's a lot of metadata that's actually embedded in it. A lot of you're probably familiar with it. It embeds GPS coordinates. It has a timestamp.
And I also started looking at high-end digital cameras and I found a lot of them actually will embed the make, model and serial number. And a really good tool here, there's a URL for this, called ExifTool. If you want to mess with EXIF data and write scripts to do this kind of work, you can do that. I also have a tool called exifscan.com where you can upload an image. And you can see what, if there's GPS coordinates or serial number embedded in it, you can do that. And one thing I found is that there's several camera brands that actually will embed that serial number and many of them are high-end cameras. So I wanted to go out and see if I could use this for tracking stolen cameras.

And one thing I found, too, is I had a reporter that actually asked me, you know, there was a thing about celebrities getting their nude photos hacked. And the EXIF data, the media kept saying, yeah, the phones were hacked. But in actuality, the EXIF data revealed that it was actually multiple phones over the course of several years. So the odds of it being one device that was hacked is very slim. So the point of compromise was actually email. It was a guy named Chris Chaney who was just guessing their passwords. Now he's serving 10 years in jail.

So I looked at, like, how can I use this information? There wasn't a way to actually search for it. You can search for a serial number. Sometimes you'll see something on Flickr. But I was like, I want a database of this data where I can actually go through and identify that.

So I worked in an experiment with something. I was actually helping another startup friend of mine. They were doing a thing called CPUsage where you can actually, you know, you give up your idle computer time and they'll give you money for utilizing that. So a bunch of computer labs at universities were using this. Sort of like SETI@home, but for other projects, right? And then you as a researcher could harness the power of thousands of computers.
So we went to experiment with this. So I wanted to go through and I wanted to mine Flickr. So the way that works is I wrote some scripts to go out and hit the Flickr API. Flickr was very restrictive on the API and how many calls you can make. So trying to do that from one system and trying to do it quickly, they're going to block you. I actually talked with a friend of mine who they had some issues. They saw the data and they saw the reports coming through. They're at Yahoo and they're trying to figure out who this was and excuse me. But we, so we basically were allowed, we had about 200 computers at our disposal and we went through and we mined all of Flickr and it took about three weeks to a month. It was like four billion images. So we had this huge database.

And then I put it out there in the media that this was available. And, you know, the way that it works, I also mined 500px, Panoramio, I found other ones like TwitPic, Twitter, and some other sites as well. We started harvesting some data from there. So the way that it was working is that we would harvest this information and then you can actually put in the serial number of your camera. And then it'll show back results, all the images that we found. So the idea is that if your camera was stolen and then three months later you see a photo getting uploaded to Flickr, you can go recover your camera. And it was just a proof of concept. But it worked.

We actually, John Heller, he saw this service. He actually had a camera that was stolen when he was on assignment for getting images at the Egyptian theater. He just turned around, basically $9,000 worth of camera gear's gone. He was a contractor. You know, he's not going to get that back. It's pretty hurtful here. But he did a search and then he found an image on Flickr that was uploaded well after it was stolen. And that mapped to Facebook to another professional photographer. And he had a photo of all of his gear. And there, sure enough, was his camera.
The LAPD got involved. And what happened was the thief, he stole the camera from him. He then sold it on Craigslist. And then the guy that bought it from Craigslist had sold it on eBay. So the person that actually had it had no idea that it was actually stolen. But the police, they went in, they were able to recover it. The guy that got it on eBay, he went to the seller and he was able to get his money back. Yay. But the other guy not so much. But they went in a year after it was stolen to the apartment where the guy bought it on Craigslist and they go in and the guy was still there and there was all kinds of other stolen property. So it's the first recovery of its kind I think I've ever seen like that. You know, here's the report there. But yeah, he got arrested.

So I had another case where a guy, Craigslist, I'm going to start calling it like crime list or something because that seems to be where all this stuff happens. He was selling camera gear before he moved and a guy came with cash in his hand. He wanted to take a look at this camera that he was selling. Takes him out to the garage, shows him the box. The guy just pops him one, knocks him to the ground and runs off. So he actually found images that were mapped to it. I am just helping with this. We got a lot of information about this guy and all the other photos that he was uploading to other social media websites as well. And he was doing some pretty interesting things. You know, taking photos of themselves smoking weed, driving down the freeway, you know, photo of himself with a gun, showing how hardcore he is. And they also took a photo of his speedometer going 110 miles an hour down the freeway while smoking dope. And we had the timestamp, geolocation and everything so law enforcement really liked that. Vulnerability, stupidity.

And this tool was actually also used by ICE, so they're really interested in using this in the child exploitation investigations unit.
So they do some really cool work where a lot of these guys that are actually victimizing children, there are some sick forums out there where they'll actually be giving each other advice and they'll actually upload photos of, hey, there's this young girl, I have in my car. And the ICE guys can actually look at some of the images, like a road sign or something like that, to look for some indicators that they can go and try to stop this before anything happens. And so they were actually utilizing this tool as well. So maybe he's using the same camera when he goes to Disneyland and takes photos with his family. So if you get a serial number of one of these images, you map that and correlate that with a camera on Flickr, for example, that can help them ID a suspect. I'm not sure if it was actually ever used or ever caught anybody, they couldn't tell me, but I thought it was kind of a cool application of it.

So basically this is Edmond Locard and he's sort of the grandfather of forensic science and he has this thing called Locard's exchange principle that every contact leaves a trace. Of course he was talking about physical crimes. When you go commit a crime, you actually bring something with you and you leave something behind. And so I believe that carries over into the digital world as well from my experience. We have a lot of breaches that are happening. We have all these data points and when we start to correlate them, we can create a rich profile of an individual. And then we talk about internet of things and all the different places where we can find those indicators from device IDs. Things that we may not even think about right now that can identify us. Technology can exist a year from now that will be created for us that we may not be aware of. There's also data created about us that correlates all this information so I really worry about the marketing groups in particular.

And then there's what I call boogie data.
So a lot of people don't realize when you send an SMS message, for example, you delete it, the other person deletes it, but the problem is there's 20 log files that get generated at least through the application. And I think our privacy is being protected when in actuality it's not. So I call this boogie data because it's information that's out there and it can come back and haunt us later. It's going to hit us really hard. I've been working with a group, Privacy Century, they have an application called spyware.b. And it's actually looking at applications that are accessing your location and sending that to servers in China, for example.

And that's it for my talk here. If you guys have questions, feel free to ask me on Twitter or on my e-mail. Do we have more time? Five minutes? Okay, I'm going to do a quick demo. Let's see if this works. Demo gods.

All right, so here's the Mac Trojan. You guys ready? So here you see it says like .app. Here's another one that's an mp3. If I double click on this, if the network connection works, we should see it in action. Thanks a lot, guys.
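The image metadata the talk describes (make, model, body serial number, timestamp, GPS coordinates) can be read straight out of a photo's EXIF block, which is a useful check on what a picture discloses before it is shared. The following is an added example, not code from the talk or from the speaker's tools: `read_ifd`, `parse_exif` and `SAMPLE` are hypothetical names, the sample bytes are constructed, and the input is assumed to be the TIFF-structured EXIF payload (the bytes after the `Exif\0\0` marker in a JPEG APP1 segment). It reads only the standard BodySerialNumber tag; cameras that keep the serial in vendor maker notes are not covered.

```python
import struct

SIZES = {2: 1, 4: 4, 5: 8}  # bytes per value for ASCII, LONG, RATIONAL
MAIN = {0x010F: "Make", 0x0110: "Model", 0x9003: "DateTimeOriginal",
        0xA431: "BodySerialNumber", 0x8769: "_exif", 0x8825: "_gps"}
GPS = {1: "LatRef", 2: "Lat", 3: "LonRef", 4: "Lon"}

def read_ifd(buf, off, e, names):
    """Decode the known tags of one TIFF image file directory (IFD)."""
    out = {}
    for i in range(struct.unpack_from(e + "H", buf, off)[0]):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i)
        size = SIZES.get(typ, 0) * n
        if tag not in names or size == 0:
            continue
        # Values of up to 4 bytes sit in the entry; larger ones live at an offset.
        data = raw[:size] if size <= 4 else buf[struct.unpack(e + "I", raw)[0]:][:size]
        if len(data) < size:
            continue  # offset runs past the end: truncated or malformed file
        if typ == 2:
            out[names[tag]] = data.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 4:
            out[names[tag]] = struct.unpack_from(e + "I", data)[0]
        else:
            out[names[tag]] = [a / b if b else 0.0 for a, b in struct.iter_unpack(e + "II", data)]
    return out

def parse_exif(tiff):
    """Return identifying metadata from an EXIF blob (TIFF header onward)."""
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e, MAIN)
    exif = read_ifd(tiff, ifd0["_exif"], e, MAIN) if "_exif" in ifd0 else {}
    gps = read_ifd(tiff, ifd0["_gps"], e, GPS) if "_gps" in ifd0 else {}
    meta = {k: v for k, v in {**ifd0, **exif}.items() if not k.startswith("_")}
    for axis, neg in (("Lat", "S"), ("Lon", "W")):
        if len(gps.get(axis, [])) == 3:  # degrees, minutes, seconds
            d, m, s = gps[axis]
            meta[axis] = round((-1 if gps.get(axis + "Ref") == neg else 1) * (d + m / 60 + s / 3600), 6)
    return meta

def _e(tag, typ, n, v):  # one 12-byte IFD entry; v is inline bytes or an integer
    return struct.pack("<HHI4s", tag, typ, n, v if isinstance(v, bytes) else struct.pack("<I", v))

SAMPLE = b"II*\0" + struct.pack("<IH", 8, 3) + b"".join([  # constructed: IFDs at 8, 50, 80
    _e(0x010F, 2, 10, 134), _e(0x8769, 4, 1, 50), _e(0x8825, 4, 1, 80), b"\0" * 4,
    struct.pack("<H", 2), _e(0x9003, 2, 20, 144), _e(0xA431, 2, 20, 164), b"\0" * 4,
    struct.pack("<H", 4), _e(1, 2, 2, b"N\0"), _e(2, 5, 3, 184), _e(3, 2, 2, b"W\0"), _e(4, 5, 3, 208), b"\0" * 4,
    b"ExampleCo\0", b"2020:01:02 03:04:05\0", b"SN-CONSTRUCTED-0001\0",
    struct.pack("<12I", 45, 1, 27, 1, 36, 10, 122, 1, 46, 1, 48, 1)])  # lat, lon as deg/min/sec
```

Calling `parse_exif(SAMPLE)` returns the make, timestamp, serial number and signed decimal coordinates in one dictionary; a blob whose GPS values are cut off still yields the other fields.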