 Hi, I'm Jesse Kremse and today we'll be taking a look inside security at the New York Times. This talk is also unofficially titled, A Media Security Primer for Hackers, but it's really for both journalists and hackers. Most talks start off or end with a thank you at the end, where I rushes off stage thanking all their friends. But really, I'd like to start this talk off by saying thank you to a bunch of people. First of all, my girlfriend for all her love and support and for, you know, putting up with all my craziness when I'm like, hey honey, I need you to get out of the apartment while I record my talk because I don't want anyone to see me doing it because that would be weird. I'd also like to thank everyone at the New York Times who's reviewed this talk with me and helped me make improvements and helped me dot all the I's and cross all the T's and make sure everything looks really nice and sharp. We really do try to get this story right every time. It's been a crazy couple of years and in that time we've all gotten to watch a lot of movies and get to watch the Fred Rogers movie. It was really great. And there's a scene in that movie where they take a couple of moments just to think about all the people in their lives who help them get to the stage in life where they are right now. And we don't do that enough. So let's just take a few moments right now to just sit quietly and think about all the people that helped us get to where we are in our lives today. All right, all right, all right. Let's get this show on the road. So I'm really going to quickly start off with my journey. I think this will help reveal some of my biases and some of the stuff in my life that kind of formed how I got here and why I think certain things are neat and some aren't. I've been a long time Defcon Goon. My first Defcon was Defcon Six and that was a really pivotal moment in my life. Working at Defcon really has given me a lot of confidence, but it's also given me a lot of life lessons in A, working with really type timelines, really chaotic environments, really challenging people, and really learning about how to deal with just time-based pressures in a technical and logistical way. From my experience at Defcon, I ended up starting a nonprofit called the Hacker Foundation where I had my first interactions with the media as a subject, but also doing a little media support, which is also very interesting. And that was great. And then for years, I had regular jobs. I was a bike messenger, a caterer, I was a webmaster for Brewery, and then I was a wireless engineer and then I was doing the offensive security for the phone company. Those were all great jobs. People I worked with were wonderful, but I really felt like I needed to just look a little bit more at stuff. And I heard about this thing called the Internet Freedom Festival in Valencia, Spain, and I decided I'd go do it and see what it was like. It was a really different conference from Defcon in a lot of ways, very different from a lot of Hackercons, but similar in the way that all festivals are. And I got to meet a bunch of journalists from around the world there, and I was talking to these little tiny beers called Canya in Spain. They're one euro, it's really great. It's a little small beer, it's about just as much beer as you want. So I'm having a beer with this journalist and we're talking about stuff and he's like, oh, I have this source I want to talk to, and I want to talk to him kind of. I don't want to be overwatched by the government. And so I'm like, OK, well, you should call him on signal. That's a really good method. And he says, oh, no, no, he doesn't have a cell phone. I'm like, oh, OK, well, you have to call him on a landline. Here's some stuff you can do to minimize the risk. You can't negate it, but you can minimize it. And he goes, oh, no, no, he doesn't have that type of phone. He has this type of phone. And I'm like, oh, interesting. So this is the importance of getting more details. So basically the source that he was trying to talk to was a villager who had a party line. So if you called that number, you called everyone in the village. And he, so, and I was like, this is a really hard problem. I don't have a solution for you now. And I still actually don't have a solution for this problem. But it stuck with me. It sticks with me today. I think about this problem. I think it's a really good and interesting problem. And these are some of the technical security challenges that journalists are dealing with. And so I left Valencia, Spain, went back to my regular life, as it were, but I kept thinking about what was this stuff. And I started spending more time in New York City. And there's just something very special there. And then I saw a job opening at the New York Times. I said, you know what? You won't get the chance to do this again. You should apply. So I applied. I contacted someone I knew with the New York Times and said, hey, can you reach into the pile and pull mine out? Because I have a non-traditional background. My resume may not even get seen by anyone. So my resume got passed around to some folks. They looked at it. I did a phone screen. I did an interview. I did another interview. I did a days worth in-person team interviews. And they liked me. They really liked me. So I got a job offer. And I took it. And that's how I ended up with the New York Times. You know, applied for the job, get the job. Not the complicated, right? And since day one, it's been a very exciting, fulfilling, and rewarding job. And that's the quick version of how I ended up with the New York Times working full time in media journalism. I think it's important, though, to think about what gets you up every day. Getting the job is not the end of the journey. It's the beginning of the journey, or it's between another phase of the journey. So one of the things I really like about my job is that I think it's a civic good. I think newsmaking organizations, the Fourth Estate, is a key part of a country. And it's really important to be an engaged citizen in that country. So I basically do that all the time now, which is really nice. The job isn't just about protecting shareholder value. We are a publicly traded company, but it's not just about making money. It really is a very mission-oriented job and company. It's great, I really enjoy that. The problems are hard. They're hard in both technical ways, but also in logistical and very human ways. The, you know, if you have a really whizbang, super awesome technical solution, which can't explain to somebody over the phone or they don't have the equipment, or they don't even know how to use the technology, it doesn't matter, right? It won't solve the problem. So coming up with solutions that are really, you know, work in a variety of environments under a variety of stressors is really, really a delight. So that's great. The people at the New York Times are characters. There's tons of great characters. They make movies about these people, but then you end up meeting them in the hall and having coffee with them and being like, huh, interesting. They're a fun bunch, and they're driven, and they're passionate, and they're persistent, which is, you know, I think a lot of qualities that hackers enjoy. And the work is evergreen, right? The work we do is, I always feel like every day I go in, we're always getting new challenges and new things are always popping up. The news happens all the time. I also think that there's a kind of cousin relationship between journalists and hackers. We're both very interested in having information free to the public so that the public can make well-informed decisions. Hackers really tend to be very interested in acquiring info and showing it off to their friends because look what I can get. Journalists tend to be a little bit more downstream. They tend to be more like, look at this information I got from some hacker. This is great. Let me show it off to the world. They also tend to be very rigorous in their analysis of that information, which I think is much needed. So let's just really quickly talk about New York Times, about the numbers. There are no typical news organizations. The New York Times is an atypical news organization. In many ways, it's 169 years old. It's gonna be 170 as a birthday next year, yay. As you can imagine, a company that old has a lot of technical debt, but it also has a lot of history. And that history is good. One of the great things about working at the Times in the before times was that we went in the office and many floors below the one that I work on is the archive. So went down to the archive and got to paw through the paper card catalog index for Felix Crenns, who is, I believe, a great, great cousin of mine or an uncle maybe. Anyway, he was a big time Broadway actor at one point. And so got to find his name in the card catalog, then go into the actual like archive stacks and pull out vintage photos of him that were provided by his agent to the Times, which is, and hold them and show them off to my family, which was great. Really a wonderful experience. We have a lot of great people who work at the Times. We have 4,500 employees. This includes reporters. This includes people that print the paper. This includes admins and tech staff. This includes developers. We have 1,700 reporters worldwide, which is a huge amount of people to help. 200 of them are overseas. Those 200 are really some of the best reporters we have because they're the only person you can sometimes send to a place is the only person logistically available to do the work. So they have to be well-prepared and on top of the situation and really understand what's going on there. They're really the tip of the pen. It's very exciting to work with our foreign journalists or our overseas journalists. We have 500 developers. No other company makes the New York Times app and website like the New York Times. We, it's new territory for everybody all the time. So we're constantly learning and being challenged and developing new things with our developers. We have 31 foreign bureaus and 16 national bureaus. So we have offices globally and nationally, the end of a variety of other facilities. We have a factory, Prince newspapers, which is pretty cool. And then now we also have a very diversified workforce who lives and works all over the world and the country. So that's a whole new challenge. It's just that geographical spread, right? We don't just have to keep everybody safe in HQ, as it were. We have 7.8 million subscribers. That's a lot of subscriber data. That includes all kinds of PII. We have 100 million plus registered users, which represents a huge amount of data, which we also have to keep safe, of course. And then if you actually think about that classic infosec training, CIA training, confidentiality, integrity and availability, not the other CIA. We have to get the paper out all the time. We have to get the news out on the newspaper and on the website. So, and that's average weekly audience of 7.6 million people. That's a lot of people to reach. We move a lot of data just in general, right? We produce 150 plus pieces of journalism every day. And it's not just print, it's not just photos, it's podcasts and TV shows and live streams of events and stuff like that. And finally, there's a plus sign after all the stuff on this slide, right? That's because we're growing and growth brings its own challenges. I used to work in a dying industry and that has its own challenges too. But growth has a lot of challenges and it feels fun, but it's also very scary. And so I think that's a whole other interesting kind of, it's a pseudo number. So that's the New York Times by the numbers in a nutshell. This isn't just me. I'm not the only person at the working infosec at the Times or even working security. The infosec team at the New York Times is composed of the security operations team. I work on that team. We are the front lines we answer and advise on all kinds of questions and issues every day, every hour. I'm on call at this very instant recording this talk. We have an intelligence team who does both forward and backward looking intelligence gathering to help us figure out what threats we need to align to and where to best use our resources. We have an education team. Education is a huge part of what we do because of the independence of so much of our staff. Having well educated, well-prepared staff is really very, very key. Like I said, we have our own apps. We have our own apps. So then we have our own app sec team which is really another key thing. We have a secure architecture team because we have, imagine this, a giant technical, a giant cloud presence. So of course we have a secure architecture team. Incidents happen. If they didn't happen, none of us would have jobs. So having an incident response team who can guide both, who can help the InfoSec team do their job better when we're responding to incidents but also guide the other people involved in that incident through the process. It's wonderful. I live in New York City. New York City has been hit with all kinds of business continuity events within my lifetime and not just like in the last 20 years. So that's a, so we have a, so that's another thing that is also within the InfoSec sphere. And then finally, of course, we're a business. So we have to manage our risk and our compliance needs just like every other business out there. We're not the only security operations at times. We also have a physical security team nationally and internationally. And both of, and all three of these teams, InfoSec, national, international all meet together on the threat response team where we trade intelligence and we work on ways that we overlap because increasingly there is a great deal of overlap in what we all do together. And that's just the security apparatus, right? That's the people that have security somewhere in the title. But we also have really wonderful CIS admins out there who really hold the standard and do a really, really good job of making sure that our systems are secure so we don't have to bug them. That's so nice when you have really top motivated CIS admins making it happen. So we don't have to be like, hey, it's patch Tuesday, you gotta patch that. They're already like, you patch that. I'm like, even better. We have a great end user supports team out there who just listens to our users. So when the user says this thing and they're like, oh, that's a security event. You need to talk to these people right now. And then we have folks in the newsroom, editor supports deaf and journalists who help us coordinate and form us of events and form us of threats that they've gotten both in the physical, but also in the technological sphere tell us about all kinds of stuff they're hearing on the street, which is also really wonderful. And then also the past has helped us. We've learned a lot from the past and from the people that've been at the times before us who've helped build the organization and the team. So it's just not just now that got us to where we are. The present is made by the past and the past is contributed mightily. So here's a quick guide for journalist security for hackers, but also conversely, if you're a journalist, this is also for you. This is a really great graph that kind of shows the threat continuum for journalists out there. And on one side we have murder and on one side we have litigation. Death is a very real concern for a lot of journalists. This is a very high-risk job in a lot of ways. It shouldn't be, but it is. And it's not typically one would consider a high-risk job, but in 2020, 66 journalists lost their lives in the course of reporting. Just today, I was reading in the paper about a reporter who lost their job in a conflict area or lost their life in a conflict area. And the week before, a journalist also lost their life covering a parade. And targeted killings by repressive governments that are too often willing to kill journalists to keep citizens in the dark about their actions does happen. So we always have to factor that in when we're thinking about the physical security aspects of journalism. This also kind of plays into the infosec, which is not traditionally something we would do, but increasingly repressive governments and non-state-accuracy use technology to assist them in precursor activities to murder. Going down the matrix really quick, we have harassment. I have a slide for this, we'll talk about this in a bit. We don't, so the security team at the New York Times doesn't protect journalism. We protect journalists. And journalists' job is to protect journalism. And that means producing high quality journalistic works and not so censoring. It means that our job is to keep them safe enough so that they don't feel that they can't cover a story because it's too hot, it's too sensitive. And this ties in the next thing, right? If they think that people are after them from hacking, that's an issue. So we help protect against that as well. Political pressure, it's basically a way above my pay grade, but it's definitely something that does stop or does concern some journalists at some times. Denying access is another way that journalists' work is threatened, right? Either in the withholding or manipulation of press credentials or to deportation. You know, P&G and persona non-grotting someone out of a country so they can't come back is something that does happen and has happened in the two years that I have worked at the New York Times, two journalists. Add pressure is a factor. Boycotting the New York Times or another news organization to add to people that would advertise with the Times is definitely an influence that has affected media organizations worldwide. Censorship, right now there's some government censoring the New York Times somewhere in the world, either overtly or covertly. With the Times, try to provide news to everyone as much as possible all the time. We, for example, I was talking with a colleague today about the New York Times' version of the onion service. We do have an onion service online and that's specifically as part of our censorship busting operations. Reputational attacks, there are attacks against the practice of journalism, against the organization, and of course, against the reporter themselves trying to de-digitimize them. And that's a more long-term kind of high-brow argument, but I think it's also a definite concern of journalists. And then finally, at the very end of the spectrum is litigation and lawfare, where we like to think that very civil people use very civil words in a very civil environment to try to win civil arguments. This doesn't always occur, but we like to think that that happens. So there are kind of three bins that are in here. And one of them, the last one, kind of doesn't fall on the matrix because it kind of pervades all of them, actually. There's the physical security stuff, which is an increasing concern year after year in journalism. Increasingly year after year is also the need for increased information and cybersecurity as technology plays a bigger and bigger role in reporting both, and our lives, both as a day-to-day activity, but also in the nature of how reporting is done. Understanding how technology works, how big data can be understood and analyzed is really key. Finally, there's a psychosocial security concern here. It's taken, I don't know how long has journalism existed for, right, for ages. It's taken a long time for people to realize that the day-to-day stresses of being a journalist takes a serious and possibly negative toll on the practitioners. And so, when we're working with journalists and we're talking about security practices, we're really trying to train them for an ultramarathon, not a sprint. The best, most fun journalists to hang out with are the ones who've been around the block a lot. They have great stories, they're really well-seasoned, and they have some really good security practices based on some part one lessons. So, any media information security organization would definitely take a look at all of these things that are highlighted here in bold as something that they would pay attention to on a regular basis. So, I mentioned harassment at the beginning, I can't go lost over it, but let's look at harassment. We're gonna throw a bunch of numbers at you, but I think it's, I want to get this point through. According to, so Lucy at the CPJ helped put these numbers together for me because this is not something that I look at the numbers of every day, but in 2019, 90% of respondents to one of their studies, two journalists, experienced safety issues or threats in the USA, which is, we like to consider one of the more safe countries to be a journalist. And then, large numbers of journalists have been harassed in various ways. 63% of all journalists have been harassed online. I think we in the infosec community familiar with the fact that people get harassed online. Journalists get it all the time and they get it in various ways. Following up that number very shortly, very shortly behind it, 58% have been harassed in person. I have, you know, I've had my run-ins in life, but I haven't been systematically harassed in person, right? I can think of one or two incidents, right? But in this case, you know, it happens to a lot of people who work in journalism. Finally, this bottom number, 26% have been physically attacked, right, so one in four, a little bit more than one in four have been, you know, attacked in the course of doing their work. That's a pretty big percentage for a job that isn't really about getting in, you know, physical altercations. They're not wrestlers here. And the other thing to think about is that this is, there's some disparity here, right? Women get this way more than, way worse than men. Two thirds of women respond and say that they've been threatened or harassed online at least once according to the International Women's Media Foundation. And one in 10 respond, one in 10 of their people that they've surveyed has said that they've experienced a death threat in the last year. Not just harassment, but straight up death threat. And I see these threats and they're real. They're not, people aren't joking. So harassment's a real issue and it's something we deal with on the regular basis. And it goes hand in hand with social media presence. Having a strong social media presence for a journalist is a huge career asset. If you look at big names at any media organization, they usually have big followings on social media, on Twitter or Instagram or whatnot. Some media organizations don't realize this, but curing and maintaining your presence on social media is work. So one of the reasons I don't do it is because I don't want to do the work. I don't want to have a big social media presence because I don't do other things. And with that presence will come harassment. Most platforms are woefully unprepared to provide any real support regarding online harassment, both to journalists and to just regular people. I think there's plenty of evidence of that if you look through the mind sphere of the InfoSec community online. So one of the places that I always see a lot of people get kind of spur of the moment harassment is from hot takes or spur of the moment comments. So I always advise journalists to be thoughtful and consider about everything they post online and that they separate their personal and their private and their public persona so that they get some separation because they deserve it, Franco. But yeah, hot takes tend to get people in some trouble. But they should have the right to have hot takes. People just need to start being nicer to each other. So really quickly, people often ask me where does the responsibility for security journalists lie? And it really lies with the journalists themselves. The buck stops with them because there's a ton of competing interests and my interests are not necessarily the same as a journalist, the same as an editor. The editor isn't the same as the journalist and the journalist isn't the same as all those other events, everybody has different needs and wants and desires here. So finally, at the end of the day, it's really the journalist's decision and if they're gonna cover a story and how they're gonna cover that story. The job of the Infosec team or any security team working with media is to prepare them with the best tools and knowledge available and give them the freedom and respect to take care of themselves and also do the best they can covering that story. That's it. But it's often the journalist's job to make sure it goes down correctly. So let's really quickly talk about training and advisement. That's something that we spend a lot of time doing. A lot of time we do at the times. Training is lessons and pre-prepared lessons where we really get people to start to speed on proper techniques and tools. And advisement is when they come to us and say, hey, Jesse, I got this question and we think about it and we give them the best advice we can about what they can do. This is often what will happen if you as a security professional end up working with any news organization or media person. They will ask for advice about something. So make your advice actionable. Journalists have a lot of competing interests and their time is very valuable. And they basically have to deal with a ton of stuff. So making practices that are doable and not theoretical is really the best thing I can suggest. But they are curious and persistent folks. So expect them to ask you challenging questions about the practice or advisement you give them. So here are five basic practices for journalists. As a journalist, you should be doing these as a information security professional and hacker and journalists are asking you for advice. This is the five pieces of advice. Maybe you should give them. It's a great starting point. Use strong diverse passwords on all your accounts. Please, please, please. You're gonna have a lot of accounts as a journalist. And so you're gonna need to use strong diverse passwords. This will of course mean you need to use a password manager. Any password manager out there is probably better than no password manager. And a real online password manager that's backed up that's securely operated and securely run is really the best solution. Notebooks, things you remember, iterations of things you remember are really, really not gonna work. Use second factor authentication on everything you can. As much as you can. Skip over doing it with SMS though. Use authenticator apps and use hardware tokens. Use authenticator apps that back up to your password manager, so that if your phone is lost, stolen or confiscated, you can get back in the game real quick and you don't have to re-enroll everything. Use hardware tokens whenever possible. Have two and have the codes of course. One of the key things to do is to take that second token and keep it in a safe place and not carry two with you at all times, just have the one on you at all times. Use a VPN, use it on every untrusted network that you run across that you're operating a computer or a phone on. Any untrusted network is not your home network and not your work network. So pretty much all the weird networks you jump on, all the press pool networks at the Olympics or at a convention or something, especially this convention. Company should have a VPN for gain to its own assets. Journalists should collect third party VPNs as they see fit. There's a bunch of great ones out there. There's plenty of market research about which ones are the best. Just choose one that's a high quality, repeatable VPN provider. Keep track of your assets, where you store your information. Divide your public and private assets. Your work computer shouldn't be your personal computer if at all possible. I know this sounds annoying, but it's a really good thing to do for a number of reasons. If you're a freelancer, I know this is really tricky, but definitely think about keeping as much of your public and private life separate from a data compartmentalization or information compartmentalization standpoint. Update early, update often. I don't know anyone who suffered greatly from updating to the latest version of some OS or patching their systems. I do know people who have suffered greatly from not doing that. Use secure messaging platforms. Use Signal for as much messaging as you can. You can even use it to securely store your notes. You can just message yourself notes, right? Signal's a great tool. We really like it. The other secure messaging platforms out there have a lot of different interests that don't always seem to align with their user interests. But you're gonna have to go where the source is. So whenever possible, try to shift to Signal, but if you have to use one of those other third-party secure messaging platforms, do find the online guides that are out there about running those more securely so that you can minimize your attack surface and your exposure. So it's not just reporters who are part of the newsroom. There's also editors out there. So here's the five basic practices for editors. You really need to communicate known security risks to your journalists. If you know it's a security risk, your journalist who has maybe been around for a long time or maybe hasn't, may not know them for whatever reasons. Let them know. Tell them, you know, these are the things that I am concerned about for your safety or your information security safety regarding this story. When a journalist comes to you with security concerns, you need to listen to them and factor them into the reporting. You also need to connect that reporter with support systems, be them in-house or external, to help them stay safe. It's really very, very, very useful when an editor says, hey, I've got a team, they're gonna cover the story, can you talk to them? Have a regular and clear cadence of communication with your reporters when they're in the field. This is really key. Always start off the conversation with the same basic question set, PSI. What's their position? Where are they in the story, physically in the world and where are they in the story? What's their situation? What's the environment around them looking like? What's the situation looking like? And what are they planning to do next? If you can have those three pieces of information handy when something goes wrong or you think something might be going wrong, then your security team will be able to provide even better support. And finally, you have to do all the things in the previous slide. You need to be the example of how to do secure journalism securely. So the fun never ends, it never gets easier as you move up the old hierarchy in the newsroom tree. So that's the basics for journalists and editors in the newsroom. Let's talk a little bit about some of the stuff that we in the InfoSec team deal with on a regular basis and more of what we do. So here's the more of what we do. You know, we help journalists and editors gather and secure source material all the time. We make sure that we don't cross any legal red lines. We never instruct sources on how to get information. We, that's not our job. We're not doing that. We're really looking for sources to, they have something they wanna give us. They collect it and they deliver it to us. We operate a tips line and we operate our own secure drop servers from the Freedom of the Press Foundation so people can get us that information. Also, we will develop solutions if needed. We are always concerned about the intent and operation of nation-state actors, both on how they are interacting with our journalists and what capabilities they have and whether or not they've exercised those capabilities against us or other news organizations. As a telecommunications guy, I'm super into telecommunications security. So all the types of communications, both in how it can be used for surveillance, how it can be used for interception. So we're constantly looking at that and trying to improve our own telecommunications security as best we can within the operating environment. We operate a factory that makes newspapers. So we have all the industrial control systems you might imagine that exist in any factory out there, which is really great. It's also really challenging because it's very different from a lot of the other stuff we've talked about today. I said it before, I'll say it again. You know, we have our own apps that we build, so having secure applications that are both externally facing, like the one in your phone from the New York Times is the crossword, but also internal apps that we use to build, run and operate the newspaper or the newsroom is really key as well. So we look at the security of those things as another area of concern or focus. Of course, we're concerned about our cloud architecture and infrastructure. We've moved out of data centers everywhere. We're a very cloud-centric company now. I think any news organization that's still running data centers is possibly making a mistake. So having secure cloud architecture that is both redundant, available, but also absolutely secure and admirable is really, really key. And finally, I'm gonna kind of lump into enterprise security here, but this is just the great business of the great lady. We're just like every other company out there. So we have legacy systems we need to keep in track of. We have the not so exciting information security things like your HR systems or your accounts payable systems, which are very exciting because they involve real people's lives and getting paid. But that's a huge area for us to also pay great deal of attention to. And that's really the nutshell of, you look at the newsroom very specifically and then the rest of the company at large. So let's look at some hard problems that we face that we can't really solve. These are not things that, we're like one of many who would desire these outcomes, but these are really kind of interesting hard problems. And if you're looking for a challenge out there, please take a look at my list of hard problems and solve them for me and just produce the golden goose because that would be awesome. One of the things we run into all the time on social media platforms is a lack of clarity and consistency in language and presentation, security controls. Social media platforms really seem to like to change their security controls all the time, change how they're referring to things even at the most basic manner. So that when we say, hey, this is what you do to do this. And one of our people goes, I don't see that button. And we look at it and we go, so it was there yesterday. If there was a system or a scheme where the policy you would like as an individual for your security controls and privacy controls could be read from a file as opposed to like, clicked on a bunch of random click boxes on five different tabs. That would be great. So if you have any influence or control over this, that would be wonderful. I really like someone to produce the holy grail of telecommunications devices. I need something about this big. It does like multiple hundreds of megs of bandwidth reliably, runs on batteries. So that when we send journalists to natural disasters or conflict areas or just out into the hinterlands of the world, they have a way to return us high quality, rich journalism. We're not just a print or a more, it's not just some words we need to stream out. We're not just dictating phone, dictating stories over teletypes now. We're trying to move up the scale of the kind of media we're producing. So that would be great if you could do that. Not asking for much. As we all know, when you get a large gathering of people together, a festival or an event or rally, we often see modern telecommunications, wireless telecommunications kind of grind to a halt or slow way down. And then what happens is journalists basically have to go to the event, cover it as best they can, and then get back to some sort of, usually a landline, but sometimes just outside of that cell area to file their story and provide some context for it. So really, what we're looking for is something like a wireless mesh network, something like Otena or MeshTastic that can send print-ready photos or video as well as long bits of text. That would be an amazing little tool to help us get that working. We'd love some tools that allow for lightweight mobile opt-in mobile device management. So we work with freelancers and their phones are their phones. They're not our phones. We're not gonna top down, just like start putting our policy on their phone. So something that is, but we could come up with some like, quick enrollment thing where we're like, under these circumstances, what do you want us to do? Duh, duh, duh, duh. So that if they get detained for whatever reason, we can A, know that they're detained because we can track them physically and we're allowed to through their device or we can block their phone for them. In that same vein, remote journalist check-in tools, these generally don't work at scale and we have a lot of journalists, so we do a lot of check-ins. So if there's a tool out there that would allow basically a way for journalists to self-enroll for a security check-in and then it would check in and they would be able to report back and if the check-in didn't work or they hit the red button because the meeting is not going well and they really do need some backup, that would be wonderful. Tor network speeds, I love it when a source comes to us and says, hey, I've got six gigs of data, I don't wanna drop on you and we're like, yes, that's wonderful. And then they say over an onion share and I'm like, ah, because I know downloading six gigs of data or the Tor network is really, really, really painful. So anything you can do to help speed up the Tor network speeds would be great. Operating proper relays and exit nodes is wonderful, supporting them financially so they can hire more folks to work on the project. Tor is currently working on increasing their network speeds. I'm really excited about that project at many different levels. Speaking of that six gigs of data we just got, it would be really great if we had a really wonderful set of tools for source media sanitization. We are looking at tools right now but it doesn't seem like anyone makes a really great, robust method for sanitizing masses of data at scale in a newsroom, especially with a lot of the controls and features we would like to see as a news organization and not a financial organization or an insurance organization. Finally, we have all this data, right? Better tools for searching and analyzing large mixed file sets. You just get a lot of random stuff in folders sometimes and you're like, okay, this is photos of PDFs. Interesting. You can't just grep that. Maybe it's mixed set, right? Maybe it's to be a lot of different data. So having a way to handle that would be wonderful. Finally, an external message handling tool for secure messaging platforms. When we start getting 10X messages in our tip line because of a campaign from a group that we really like to be heard, it makes it very difficult for us to weed through all of that information. So something that we could operate that would allow us to manage all those messages in a secure way and do some filtering and binning so we can really go, okay, this is all from this, but here's a unique tip and here's a not unique tip. It would be great, especially for apps like WhatsApp, Signal, Telegram. Again, not an easy thing, but definitely worth doing, especially we want these tools to be tools for civil good. Those are the hard problems. Oh, and finally, Bellingcat has their own list of OSINT projects that they're working on that are just all GitHub stuffs. Definitely check out Bellingcat's work and their need for building tools for open source investigators. So maybe you wanna get involved, maybe hopefully I've inspired you. Please think about attending the Internet Freedom Festival. There possibly will be some similar meetups like that in the States in the next couple months. So definitely stay on the lookout for those. Attend a generalist convention if you feel like that's another great place to kind of get a flavor for what's going on. If you're looking for work, check out the Digital Rights Job Board. A lot of posts are put up there. I post all the New York Times jobs to that board as they come up and there are openings right now at the Times in the security group. We have major, they're tough. I mean, we're not the only, we're not the, you know, there are other newspapers out there. There are other news orgs, surprise. So definitely check out, you know, The Wall Street Journal, Bloomberg, The Washington Post, CNN, BBC, Rogers, the AP, Gannett. And also, you know, if you don't want to switch your job, but you just want to try and help, you know, your local newspaper, it's a really good idea. Local news is really, really, really important and it's really, really, really on the ropes right now. So definitely think about, you know, checking into your local newspaper, even if it's an alt-weekly and asking if they want any help because they might, they probably do need the help and even if it's just advisement, it could lead to something you could not, but it could definitely help. If you are a researcher, if you like working in NGOs, and you like doing advocacy, definitely check out some of the NGOs working in the space. There's the Committee to Protect Journalists who helped me get some of my stats. This report is sans frontier. They're a wonderful organization. The International Federation of Journalists is out there working on the half of journalists internationally. The International Women's Media Foundation is another great place to look and then, you know, the Freedom of the Press Foundation, a lot of folks, I bet you, in this very room are from that organization. So please, please think about working for one of them or working with them. And there's a bunch more. I didn't even name, also working on these same issues. So hopefully you found this talk enlightening. If you have any questions, feel free to ask me. You can hit me up on Twitter. My DMs are open. And I'm not a great Twitter person, by the way, but I will look. I will give an eye out for you. So feel free to ask me any questions you'd like. Thank you so much and have a good day.