I have the delight today of introducing our keynote speaker, Andrew McPherson. We're delighted to have him here. He's the operations manager over at Paterva, with a degree in information systems and apparently an uncanny knowledge of cat memes, so I don't know how many we're going to see today. He's now been with Paterva since 2007. Over a decade he's managed to, and we'll read this from here, he's got a decade of graphing, arguing and team-making skills. We are absolutely delighted to have him here. Aside from Altig going, he's also got a keen interest in hardware and security, so I will now invite Andrew up. Hopefully everything's going to technically get connected and work for his presentation, Breach to Bust.

OK, hi everyone. Welcome to the first talk of the day. I'm surprised that it's very early for Vegas time at least, 12 o'clock. I'm quite impressed that the village has like a 12 o'clock first lot. That's more my kind of style to be at that time. OK, so my talk is called From Breach to Bust, a short story of graphing and grey data. So we look at some like breach data and like some grey things in terms of how we use it within Maltego or within any sort of graphing application and what we can do with it from there. So I'll do a little bit of like who I am and Maltego, then we'll look at some common OSINT tools. And I know some of them are being presented here later. Then we'll look at graphing, so like how we make sense of relationships with layout and sizing and things. And then we'll look at some of the OSINT tools without the OS part, or like using grey data. OK, is that better? And then I've got a nice example of the breach data and how we'll use it to kind of find something based on like one of the organisations. While the microphone is smoothed. OK, and then we'll look at like what I think of OSINT in the future, when we're going to do it. Is that OK? Hi. Yeah, that's right near my face. OK, can everyone hear me now? Maybe?
OK, I'm just going to switch to this one then. Can everyone hear me now? OK, this one better. OK, unfortunately now you have to hear the whole talk in the back. OK, so we'll start. My name is Andrew McPherson. AndrewMohawk on Twitter. I've been at Paterva for about 10 or 11 years. So I have an information science degree. I spend a lot of time on flights. As you can see there, I've solved the game 2048. It's the only thing on my phone a lot of times. Generally I talk too fast. I'll try to fix that. Also last year my hair was white. My friends are terrible. So they call me Malfoy for a long time. They don't even have that. Let that go. And then part of this thing called ShameCon. OK, so just a little disclaimer at the beginning. This is not a sponsored talk. I know that as Paterva we do give some licenses for the prizes, but this is not related to that. Then some of the information that we have might show details about individuals who work like an organisation, but just be reasonable human beings. Don't go and say like, oh, we're going to find it or tweet at them or share that or go and look it up. I think it's an important part of OSINT. As soon as you get sensitive data on someone, it might be cool to show your friends, but it's not really that cool to be like, here's everything about a person without the consent and everything. Then this is not going to be a vendor talk. So I'm going to use Maltego a lot, but I've also been there for 11 years. Any sort of problem that I see, I try and solve with Maltego. Someone's like, we should go eat. I've got a graph of this. I'll be using the tool, but I'll talk about, hey, we can do this in many different ways. Actually, some of the talks later use some of the stuff that I'm talking about. Then I do have some demos, so if that works, good. That would be great. If you know what Maltego is, you can go to our website. There's a ton of tutorials and videos, like this. You can drag in any sort of information.
You can change it to whatever you want. Then you have the ability to run a set piece of code. It's a very small thing that takes one type of information to another. That's the key concept of it. Here, for example, I just look up the MX records, and then I could take that piece of information, and these are just MX records, but there could be anything. That could be someone's name or an ID number, or anything else. Then I can take those to another label. We're just graphing stuff out. Each one of those small, what we call transformations, is like a small piece of code or small application that we can integrate with. I have this slide, so I talk slower. I'm talking slower. If we look at OSINT and some of the stuff that we do, it's one thing that I find really interesting is that if I talk to someone who does this, it's like a whole tool set of tools. If you need to get historical Twitter data, there's six or seven different repos that you can go to, different applications that you can use, and everyone that I speak to has a ton of different ones. If I speak to someone that'll be like, have you heard of this tool? I'll be like, no, that's weird, because there's thousands of them. Some of the ones that people use commonly, things like theHarvester, Recon-ng, Have I Been Pwned, IntelTechniques, so that web interface, skip trace, and some of these are being used later today as the tool demos. Basically, all of these have a function where you can use the tool to get some sort of information. These are what I call single-layer tools, and basically what you do is you provide some sort of input, like whether it's email address or username, IP address, whatever kind of stuff that they've got, and then they'll go and mine it or do whatever. Here's just an example of Recon-ng. It's actually stolen from a video, but it's from booking.com and it just looked for host names, email addresses, and then it generated this output, so it's a single-layer output.
It's like one page, and it says, here's all your stuff that you've got, or they can just produce the output on the command line or any other way that you do it. These tools are really good. We need these tools, we need more of them, but I'm going to talk about where we go from using something on a single layer, what I call single-layer tools. If we look at something like that's on a single layer, so anytime we can click through something, like it's a page, and say, for example, this is just an example that I did earlier, but let's say that you could look up a VIN number. You can go to the DMV website and you can say, I put in someone's name and I get the VIN number of a car, of their engine. That makes sense to people right at tool. They say, I'll go from this piece of information to the other. That's fantastic, that helps, but unless we can pivot on that information, we're losing stuff. Here, I've just got an example. The top left is Andrew McPherson, that's me, I'm good. I can go from my name to a VIN number or my name to a Social Security number, maybe there's a site that leaked something that I've used to get that, but what I can do in the second example is I've said, take the things at the bottom and now I've run it again. I've got a VIN number, show me the people associated with it. With that, it just points back to me, there shouldn't be other people associated with my Social Security number or with my VIN number or anything like that. That's really nice for me. It kind of makes sense here, but as soon as I go to these people who are obviously bad, that's Andrew McPherson. It's like me, but very bad. Here, I can see there's a Social Security number and a VIN number, but as soon as in the second step, I say, let me see who else has another person who's sharing it, or there's two other people with a car, and obviously that's something we want to look at that's bad in terms of this kind of data. You can kind of think of it like a phone book.
If I've got a phone book, I can be like, okay, I go through the phone book and I say, here's Andrew and here's the telephone number and I can call him, that's fantastic. It serves its purpose, but as soon as I want to find out who else has the same number that I do, I have to go through the whole phone book and that's a pain. If I go from one direction, then I want to be able to pivot back to go in another direction for that. I'm going to do a little bit of graphing and the graph theory, but of course my slides are done with Maltego, but there's tons of stuff that's available. There's D3 and Gephi and stuff, and especially the hard work that the Google Chrome team put into JavaScript. Those JavaScript libraries now are fast and there are options that you can have in terms of graphing different stuff. Obviously, since I've worked at Paterva for 11 years, there's no way I can even see a graph that's not Maltego. There's two basic things that I'm going to talk about here. The first is if we look at orders, a lot of the time we want to say, we're only going to find good stuff after a certain amount of orders. The number of orders is bigger than two, and if we look at the first one, then we have fast single-order links. An example I give is, let's say you've got five individuals or aliases or five names that you need to look up. What you can do, you can just be like, I go to Google, I put in the names, go to whatever search engine you use and I go through the results. I write them all down, I put them in an Excel sheet. That's awesome, you have it for one person, then you go to the next person and the next person and now you've got these, but now you don't have any correlation between them.
Maybe I'll say, actually, I've seen the same person's name on one page, but what you'd like to do is say, I've got five different people on the results so that I can see these five people, three of them are mentioned on the same website, maybe different pages, but now I can say, this is probably somewhere that they're all connecting on, even if it's not public, so I can look at the metadata around it essentially to be able to do that. The things that do the first-order stuff are those single-layer tools, stuff that lets you quickly take one type of information to another. Here at the top, there's something called BuiltWith and you can go and look at what's in the page in terms of relationships. It just shows you Google Analytics because what I wanted to find in this example was that I can see, does anyone share the same Google Analytics code? Because then I know, they're all connected to the same account. This is something that's useful for me but I'm not going to go to every single page, like I'm going to run a script or I'm going to run an application, and over here I've taken three different websites like NSA.gov and I just said, show me these relationships, go through the pages, get that out, and here it's got those different results. Now because I can pivot on it, I can get to a second order, this is where it becomes more useful. Over here, you can see that there's a couple of different sites, like for paterva.com, there's one of our blogs, and then for the others, I can see other sites owned by that bank, and now I can see like for NSA.gov all the sites that I expect, so that one says like m.nsa or nsa.army, but there's a whole bunch of other sites that I don't know about that now I can link up because I can do this correlation. So just say from one step to another and then from there I can go on. And then we're going to start looking at how we can graph these together.
So if we look at a basic graph, the big important thing is to say we're going the smallest, smallest steps that we can. So here at the top is about the ports back and there we can see there's a bunch of stuff that's running on port 80. Like that's useful for sure, but actually what you want to do is you want to say I want to break that down into smaller steps, so here in the bottom graph what I've done is I've said, okay, I've got all those same IP addresses and now I've taken them to the port and the service. So now I have the ability to see, okay, I can see the correlation on like a second order and I can see that there's multiple things running, say for example Apache on 80, 81, but here because I've broken it down in the different steps I now can see that sort of information that's available. Okay, then obviously like graphing gets much further, so this is just a tweet that I saw online from something called Phishing AI, or Phishing AI account, and they just like tracked all the different things that were involved in that iOS MDM attack and actually they found something else. They said like, hey, using graphing and using the ability to go from one small piece of information for another and keep them connected they can find like another piece of infrastructure that wasn't included in the original report, so that's kind of where you're going to start using this in terms of that. Then there's just three sections that I'll talk about in graphing and then I promise there's a good demo at the end, just stay for that, right?
So the first thing is that there's different layouts, so that's how stuff is laid out, and this actually makes sense. So when I look at other graphing tools, a lot of the time they just have like a fixed layout and it's usually this one at the bottom right, but what you want to do is you want to have these layouts. So the first one is just called hierarchical: you just go from one step to another. So if you're doing like a very structured investigation or something on network level, like that makes sense to use, right, but if you're using it on people you're not going to use that layout. Then the second one that I've got is called circular, right, because it makes things in a circle. It's very clever, these names. So this one is basically all the things that are connected are in that big circle in the middle, and if they're not connected to each other then they're further outside, so I can quickly say, hey, these things in the middle, these count, that's what I'm looking for. And then the last one is called organic, so what that does is it just puts stuff as close together as they are related, which is super useful if you're looking at social networks or something like that, because I can say, well, okay, if I've got, let's say, my account on whatever, Facebook, Twitter, any of the social networks, I can say show me all my friends, everyone that I know, and then I can say show me all of their friends, and because they're connected on organic, so they're placed on the graph how close they are together, I'll see like different clusters. I'll see things like, oh, all the work people know each other and some of them know me, so that will be a cluster, or all the people who are family members, all the people who are from the same town, so that you can kind of use to say, okay, cool, we can look at that. And actually we did an investigation and one was like doing something ridiculous like selling meth on Facebook, and they'd become friends with all the people that they were selling to, which, if you're going to do this, don't
become friends with them, just like a one-on-one on that. But they found like, okay, so we looked at the graph and we looked at these relationships, and obviously there were like a lot of people who were like friends or family, like a cluster that you could see, and then there was just like one huge cluster of everyone that didn't know anyone else in the graph, actually the target that we're looking at, and of course like if you figure out that some of those people were buying, like the rest of them were probably buying as well, right? So you need the different layouts to be like, cool, we can figure out where to go from here. Then the next thing is sizing. So because we are people that are really good at being able to spot like patterns and stuff, we want to use as much in terms of the layouts and the sizing that will allow us to identify this stuff. So we say for example here, we'll say, okay, well, show me things that are important on the graph, show me things that have got lots of connections coming in, right, stuff I want to see. But if I look at this one over here, this makes sense, because if I just said, okay, only the amount of nodes connecting to this, that's what I want to size on, you don't want to do that. So this first one over here just says there's two things that come into one other piece of information, okay, so we're not going to make that the same as something where there's two things that come into one piece of information but of separate parts, called diverse descent, because here you have something like, oh, there's someone that has a typo in their name and they both come to the same whatever piece of information, then I don't care that much about that, but I care if I've got two completely discrete parts that go to one piece of information, because then I'm saying, hey, lots of stuff is pointing to this. So here we can look at like you want to change the size and the shape based on what information you've got. Then the last thing is collecting or grouping of, if I'm looking at
information. So if you look at that first graph, like that's great for a screensaver, like you're at the office, you need to look important, to have this. There's like just Twitter follows, that's just like a mess in terms of a graph because there's so much information on that graph and most of it you probably don't care about or need. So the second one, like we've collected it slightly more, so we've said, okay, well, here are all the ones that are connected and here are just things like where people have a million followers that aren't connected to the group since. And then the last one I've just made it like much smaller and this is easier to do, so I've just got three accounts here and I say because I've put these in collections I can quickly see the groups that I want. So this says like, oh, there's 23 between all three of these accounts, there's 200 between these two, and here I can see the outside, like I don't have these 3,000 extra nodes filling up my graph in terms of that. Okay, so I just want to show you a demo of this quickly. So when I did this coming up in South Africa and I said, hey, do you mind if I get some captured data from a phone that just says you went and did a pickup of a phone, you got all the call data, and then I want to just like view the call data, and I'm only going to look at outgoing numbers, so one number called another number, that's all the data that I took from it, so I can illustrate like why we want to do graphing in terms of that. Okay, so don't worry about what I'm doing, there's probably a video tutorial of some kind on this. Okay, so I can say import graph from table, I'm just going to select it. So let me just show you, it looks, um, something like this. Okay, so it just says number, date, time, call type, and I can see, okay, this is the information that's available, right, so someone just pulled it off a phone that they picked up. So I'm going to take the first one and I'm just going to put it into my graph here. Okay, I just look at it and it just says, cool, we're going
to go from the number that you've got to any of the things that you've called, and next I'm just going to put it in here. Okay, and this is fine, like this is totally what I expect: there's a number in the middle, it called a bunch of numbers, and actually, I mean, Excel will be amazing at this, you don't need a graphing tool for this. Okay, but now what I want to do is I want to take like from multiple different phones that were captured in the same investigation, so I could say, okay, I'm going to take two to nine here, I'm going to do the exact same thing. Okay, so the same thing, just going from the number is in the name column, which is a number, and I'm just going to put it on this same graph. Okay, now because I've done that I can now look at my graph and I can start exploring it. So in this case I'm going to switch the layout, right, because this makes a lot more sense to me, and if I start looking at this data I can see, okay, here's two people, or let's look at the bottom here, so here's two people who have made calls and obviously they've got one shared number, right, Excel could probably do this as well, so if you need that, right. So it just says, okay, if I've got these two calls there's a link between them, maybe that's how they communicate. But if you look at the graph at the top, so if I use this over here, you'll see that there's this number over here and there's another number on this side, right, and these two numbers have called different numbers, and because we've got all the data from those phones as well I can see that in the middle over here there's one number that's called, or that's been called by, three different ones, and this node is actually through another number. Okay, so now I start getting that data, and if I size it then I can see like, hey, these are the connecting nodes that we spoke about earlier, so this is where you kind of use that sort of stuff. Okay, so now we're going to get into the more exciting stuff now that we did the graph. Okay, so we'll look at some of the
OSINT data. Obviously there's a ton of different stuff that you can get to, and if you look at something like Have I Been Pwned, like I'm in tons of these, it's great, a couple of weeks I get one of those emails that says like there's more breach data with your information in. But data breaches happen a lot, so like South Africa had a phenomenal one where like 60 million, where our ID numbers, like social security numbers, got leaked, including people's names, where they work, addresses, just basically everything on everyone in South Africa, and then obviously the Reddit one happened last week, the week before. So when they do happen people are usually like, okay, we can do a basic order of the data, like almost right away you see something like, you know, when Ashley Madison came out everyone was like, oh, state.gov is in there. So people say, okay, well, what we can do is we take our organization, we look at anyone who has this domain and we see if it's in there, right, because either we want to laugh at them or we need to actually protect our stuff, and we can look at like how people look at how weak the passwords are and if there's password reuse and things like that, but genuinely they only start from a domain or an email address that they really know. So there's like a ton of work done on this but they almost always go in the direction that the data was intended for, so you log in and look you up and see if your password is right. And then secondly, like if we're looking at this kind of stuff, like everyone is like, oh, you know, like where would you find them? Like they're everywhere, right, you can go like, so here's one of the sites that I'm not going to say I went to, but say that there was a site that looked like this and you can just download like all of these different breaches, they're there in their own formats, and like either it costs something like $20 or it's free, right, depending on how old something is. Like there you can download the Snapchat DB, I mean tons of this stuff is like accessible,
like it's on the open web, it's not even like hidden away anyway, and it usually contains super useful information, especially if you're doing OSINT on like organizations and not just people, like we'll look at the example that I do just now, but also on like a network or an infrastructure level on these organizations, because I can start looking them up. So usually things like first name, last name, IP addresses, like either in sign up or the one that you used, messages sent to other users, email addresses, so like your standard list of things will be in everyone, and then obviously more specific for each breach that happens, right. So we can get these on the internet and I think that we should start using them a lot more. So the one thing is they do need a lot of fixing, like a lot of the time they're quite difficult because they come in different formats and they're all different databases and you've got to have all that stuff, and then they're really good for like the way that they were intended, but you've still got to go and fix some stuff to say, okay, I've got a domain, I need to get to the various profiles, because previously they wouldn't have indexed the domain, so you need to make a new column, you've got to get it indexed, it's quite a pain to do. Then the things like IP addresses, they've got the actual IP address written out, so you've got to go and convert it to a long, otherwise you can't search a big duck, it just takes too long. So if you want to search like anything, like any of the last really big ones or bigger ones, like if you did there the IP address is like that, you could do the LIKE statement, like you could go home, make food, come back from lunch, that query will still be running, right, and if we're looking at data like we need it really quick, like we need that stuff to come back so we can use it, so we can validate things that we've really got. So here for example, like you need to convert it to long so you can just do a quick int comparison or long comparison. So I
actually asked these people, like, hey, should I put your name in the slides, do you want to be known for it, but they haven't got back to me, so for now I'm going to say they are friends that I have that have the data, and they wrote some transforms for me just so that I can query it, because obviously they have had to go and do all this hard work and they've got tons of the different breaches that I can use. So the first sort of stuff is usually a little bit interesting, like I take my email address, I can see, or one of them, I can see like, oh, it was a dot box and LinkedIn, MySpace and things like that, and usually I can interact with the stuff in like what a forward manner, so I say email to the profiles or domain to the profiles or IP address to the profiles and then I can start looking at that. And then of course people are like, oh, if I am looking at this data, like let's say we've got Ashley Madison or we've got the LinkedIn data, so we'll say, okay, well, people shouldn't use their work email address, right, that would be insane, like why would you register on LinkedIn with your work email address, because what if you need a new job? But of course that does happen and we find it like all the time. So, but actually if we're trying to target people who, like, so for example we'll look at like the CIA or FBI, like if you registered with your FBI or CIA email address on MySpace or like Dropbox, like that's pretty bad, right, that's a bad idea. Like even on like Ashley Madison, like you're sitting at work, you're like, I'm going to use my work email address, that would be insane, right? So of the like 10 people who are in there who have done that, like those are not the people I want to target, or maybe they are the people I want to target, right, because they've done that from work, but actually I want to say, well, I don't care about them, I want to find out like the other people that are there. So how do I find out, like, okay, if you work at the CIA, like how I possibly find out that you're in these dumps if you
didn't register with your CIA email address, right, because what I want is I want like, oh, you're at Yahoo, and then I can be like, okay, you're at Gmail, and then I can email you that. So we can look at like how we can go and explore that kind of data in terms of it. So now we want to say, okay, well, if we can look at a second order we can correlate this data breach with external data, so I can do like the standard OSINT stuff and then I can say, well, I've got this to enrich that data, and now the like meta or the less used fields are super, super important because I can start looking for interesting stuff in there. So I'm just going to do an example on the Ashley Madison one. So firstly, like I know I keep talking about Maltego, but like it's really good for footprinting, so to show you an example, like so we're going to start with like, let's say we're targeting the CIA. So hopefully this works, right. If you're using the tool, say I put in a domain, CIA.gov, right, and I can say things like, okay, I want to find all the DNS, so this would be the same as using like any of those other tools, right, it's just built into this, but you could do with anything. So say just show me all the DNS and you get like a bunch of different information that comes out, so the name servers are on Akamai, but I can see some of the websites, I can see that they've got relay 203, whatever this stuff is, right. So I've got a lot of this and then I can say, okay, well, I take all of this and I looked at it in terms of an IP address, and they can say IP address to a net block, but basically I can footprint this stuff, and actually with the way that we do it you don't even need to know what you're doing in terms of a footprint. So one of the things that you can do is like, because we're automating all the stuff, obviously we also look at some of that, so I say I've got a domain here and I say CIA.gov, and now instead of having to go through all of that I'll show you like everyone here, I could just say I run this thing
called a footprint 01 and it just automates this thing, so look, like I don't have to touch the computer, and then it will go through this process and then eventually I'll have the kind of basic level network stuff for this organization, right, so in this case the CIA, because what I want to do is I want to say, well, if I can figure out all of the network space then I can start saying, well, is the network space anywhere else on the internet, and then I can start saying, well, if I can figure out where they come from, are they in any of these breaches, so that I can start using this. So the one way that I can do it, so here, look, you just did a footprint over here, there's that 1.881, everyone remember that because it should be this one I guess, so this one over here is 1.881.129, right, so this is the data, like we're not making this up. So then what I can do is I can say, okay, awesome, if I've got this network block, like this is the network, this is where the CIA comes from, I can go look on things like Wikipedia, which is my favorite, because I can say from this network block what pages have been edited to edit, my favorite of all time, this page called lightsaber combat, right. So I just imagine like they're there at the office being like, can't believe someone made a change to my page again, and then they're going back and they're editing that page, and of course if they're not logged in, like it logs the IP address, right, if they are logged in it has a username, but if they just go and edit a page, like we get the IP address. So here already we said, okay, we use some OSINT stuff, we've got the CIA's network and now I can see like if anywhere in those networks they've edited a Wikipedia page, I know that's how they get onto the internet, because if you work there, like they're not like, oh, just go browse the internet from your computer, it's fine, like it has to go through like some sort of device, like some IP address that's checking that you're not like stealing all the data, maybe, I don't know how it works,
making sure that you're not like doing anything, but because I have that I now know that those particular IP addresses have access to the internet, so if we work there are using it to edit the lightsaber combat page because it's very important work that they do over there. Okay, so if I've got that I also know about the people, so if someone edits like every single lightsaber related page then I would run a lightsaber related phishing campaign, or I'd be like, hey John, you really need to stop editing that page, it's getting weird. Okay, so if we go from there we can get like, I'm just going to pick on one IP address just to kind of show this stuff, so we've got this IP address over here at the bottom and we say that's the CIA exit node, then obviously there's lots but this is one of them, and here I can see like all the stuff that it's edited, right, so there's like intelligence things, I'm like, okay, it looks right for my target, this is the kind of information that we're using, and now we can start exploring, okay, if we've got that exit node can we go into the breach data, because remember like if they logged into Ashley Madison, like it logged their IP address, so they're sure they're not using CIA.gov as their email address on the account but they are using that IP address because they're using it from work, like if he's editing lightsaber combat at work, like he's probably doing a lot of stuff that's not work related. Okay, so I have actually, we have actually hidden the names and I'm not going to be able to do the demo live because then everyone will see it and it'll be weird, but you could go and look it up if you understand the steps, and it's still a relatively simple process, we're just linking like small pieces of data. Okay, so I've got the CIA exit node, then I find like one account, but there's a lot, but I pick one account that says, okay, this is an account that was in these data breaches that comes from that IP address, so to come from that IP address you've got to work with the CIA. Then
we find like, okay, with that account I can say, well, what email address did you use? And now of course I have like a Gmail account, so I have so many works there and I have the private email address. And now I can say, okay, well, and then there's like a CV. So here he works at the CIA, and he has a particular, like he has it in there that has been there since 2011. I don't know if he's still there. Well, I'll talk about it just now. Okay, and then it gets like really bad. So he has a GitHub account and he has like this portfolio website, and in the portfolio website he uploaded his config, and in his config it has this thing called gmail.ini, and in the gmail.ini it has the password for his email address. Then also you can find like a Twitter account that he says he's a typical techie, so I know that he's a technical person. They probably, I don't know, really look at this. But then also, like, there's, you know, there's a Facebook account as well. So you can go and like pivot off all this information like you normally do, and you say like, hey, all we did was we found out that you edited a Wikipedia page, and now we use, because we can use like external data or data that we have that maybe isn't traditionally OSINT, like now we have a lot more information about the people or what I'm having. Of course, like for this account, like this could just be a honeypot, right? Like I don't know how they would have edited, but they could have set this up to be like, hey, check this out, like and see if people start trying to email from there or something else. But of course that data does link to each other. Okay, so that's an example of how we use that sort of stuff.
And then I just want to finish with like what I think of OSINT in the future. So obviously we have like a ton of GDPR stuff. Like everyone in the room probably has heard about it, right? It's a little bit of a pain. It is really good for users, right, because we have privacy on the internet, because everyone is going to get like sued or something if they
store my information. But of course it does mean that, like, if we're an investigator, like that information is becoming more and more scarce. Like we're way past like the golden era of OSINT now. So remember, like when MySpace was around, people were like, hey, fill in your details, also put where you work and how much money you make. Like if I go and tell someone like, oh, I saw your Facebook but you didn't put where your current salary is, like people think I'm a lunatic. But obviously like back then we could say, cool, we got an email address, we find an account, and it's got tons of data and it's open. So it's becoming like a lot more difficult, and especially we look at things like, you know, like my mom knows about GDPR. Like she can barely turn on the computer and she's like, hey, have you heard about this thing? I was like, yeah, it's over now. But because of that, like obviously there's no more, like, you know, the things that we took for granted before. Like we could search from platforms like Facebook or LinkedIn or Amazon or whatever, we could search for email addresses and telephone numbers and go directly to accounts. Like now we have to either use holes that are still open for the time being, but like they will be closed, and then we have to say, okay, well, we go from like aliases or something else, small piece of information, to try and get to these accounts, things that aren't concrete really that we had before, right? Then obviously like WHOIS is basically gone. I don't know what's happening with it. So now I can't even see the WHOIS to try and say like all these people registered with the same fake name, like that makes good sense to me. And then also like the historical information is also probably going to go, I guess, because they're storing all that information on people and no one gave their consent. So now we're going to start, like at least in my opinion, like we're going to start seeing stuff move to more like underground sources. So we really have stuff where there's like paid-for APIs
where you can pull that information from people who have that, but like now it's just going to move further into that thing, right? Then we have this whole policy clash with availability, because I say I need to get that information and it's in this data breach, can I have it in the office? And everyone will be like, there's no way you're allowed to keep a data breach in the office. So you'll have to go through a third-party data broker to say I can go from this information to that particular one. So I think that that's probably where it's going to go through, and we're going to see like, okay, we've got different sources that we have to use. So we're going to start seeing smaller pieces of less concrete data to get to it, and we're going to rely a lot more on our correlations and the confidence rating that we have. And obviously we're going to do a lot more graphing stuff to say like, hey, we can take all these small pieces and link them on other small pieces until we get to something that we can find. So using the breach data, various paid-for APIs, or other loopholes that we can find in the meantime while they're there.
Okay, so that was me. If you have any questions you can either tweet me or email is a picture of a small girl with a machine gun. That was, yeah, so that was it. Thank you very much.