Let me introduce you to Claudio. Claudio is a hacker, he's an open source developer, he's a privacy and security researcher and mostly human rights advocate. And he's also a core member of the Honeynet Project and the Center for Internet and Human Rights. And he specializes in government surveillance and threats directed at dissidents and journalists. And today we will go in this lecture through many examples of targeted surveillance employed by governments all around the world. And we will see how we can make a concrete impact and change the situation. Thank you very much and welcome Claudio.

Hello everyone, thanks for coming. I'm a bit blind so I'm not going to see you guys. I kind of slightly changed what I originally wanted to talk about. I worked, as she introduced, on targeted surveillance a lot, I helped civil society organizations and human rights defenders deal with targeted surveillance and attacks of different kinds. And over the last few years we collected a lot of good examples that show what exactly this means and what these attacks are, what they look like, what are the implications and the difficulties in researching these things. However, I decided to do something a little bit different. I'm not going to go through the details or technical details about these kinds of cases but talk generally of what I learned over the last few years and what it means to me at least to be engaged in this kind of work. So a little bit of introduction, it's kind of unnecessary now, but I'm Claudio, I go online by nex. I'm a hacker, I do a little bit of journalism every now and then. I'm a research fellow at the Citizen Lab at the University of Toronto, with which I did actually most of my research work, and also a fellow at the Centre for Internet and Human Rights. So the first starting point always has to be mass surveillance. We talked about that a lot, we learned a lot about mass surveillance in the last few years.
We fought very hard in the last few years to get the public to be interested in this topic and care about this topic. Snowden not only revealed a lot of material and documentation on mass surveillance and a little bit on targeted surveillance as well, but generally this has been the main topic of discussion of the last few years. There is general consensus that mass surveillance is a bad thing, with a few exceptions, a couple of assholes, but generally we all kind of agree it's a bad thing. Also the public, which is generally not engaged in privacy or security research, understands that it's a bad thing, generally speaking. However, at least in the way that I relate to the public and with people that I talk to that don't deal with these issues directly, there is a certain perception that on the other side targeted surveillance, so instead of bulk collection of an indiscriminate amount of data, collecting data on specific individuals, is acceptable and there's nothing wrong with that. And over the years I kind of developed a bit of a thinking about that and came to the conclusion that it's actually a great mistake to think that way. When it comes to mass surveillance we did a little bit of political improvements, there's been a lot of political discourse in a few countries. Germany has been probably the only one that actually took some action about it. But the biggest part of the outcome of all the revelations of the last few years has been on the technology side. There's been a great amount of work on producing better privacy-enabling technology, there's been a number of new secure messaging and communication systems being developed, and most of that probably also as a reaction to what has been known and discovered through some other revelations about mass surveillance. So the outcome of this is that we're going towards a direction where encryption is becoming widespread and where encryption is becoming ubiquitous in some way. And that's a good thing.
That's a great thing because it kind of takes away all the number of issues which are fundamentally those ones that enable mass surveillance. But on the other side they're kind of driving us towards a direction which is currently concerning me even more in some ways. Which is the direction of targeted surveillance. When it comes down to targeted and mass surveillance it's very easy to make a distinction between them. But when it comes down to technical aspects of it, often we understand they actually are kind of intertwined with each other. They're complementary and one facilitates the other in its own uses basically. For example we learned about Turbine and Quantum and all these huge programs that the NSA makes use of, and part of these programs are related to the bulk collection, part of these programs are related to breaking into computers and user computers or internet backbone routers and so on. These kinds of different types of actions, active and passive, connect with each other. By breaking into computers they are allowed to get access to networks to wiretap in full and in bulk where they actually couldn't otherwise. So it's dangerous to kind of make that kind of distinction. And especially when we're going towards the direction where targeted surveillance is often justified for anti-terrorism investigations and these kinds of things, and when a few months ago we learned that there's almost one million people on the FBI terror watch list, what is targeted anymore? What is the line to be drawn where targeted becomes mass at this point? However the real problem that at least we start getting is that it's good that we start training people to use encryption tools, it's good that we start training them on what are the values of being anonymous online, but that's not always enough.
As I was mentioning before, this widespread use of encryption is necessarily going to drive the attackers and the intelligence services and whoever is your adversary to move the monitoring of your action from the network to your computer, and that gives them a lot more capabilities and a lot more insight into what your life is about. And ultimately, and we've seen many examples of that, those ones that are not able to both communicate privately and keep themselves secure are not going to succeed in the end. In the course of the last few years we worked, and I worked personally, directly in contact with some people in different countries and different realities and different political contexts. And it's not hyperbolic. When I talk to people that are kind of outside of our field, they feel that when we talk about people being surveilled and people being monitored by their governments and their adversaries of different kinds, we're kind of those paranoid nutbags. But it's actually not the case, it is true that through these methods and through use of digital means these people get serious consequences. I've seen people go to jail, I've seen people leave their countries, I've seen people disappearing even in some occasions. It is a serious matter. And we've been talking about this for a long time. If you're interested in many of these cases and the kind of human stories of it, me and Morgan from the Citizen Lab as well, we presented at Congress a couple of years ago and we went through a lot of these situations and all of these human stories. So if you're interested in that aspect, I invite you to watch that presentation, you can find it on YouTube and so on. However, this time I still want to bring at least one example to give you an idea of what generally we deal with.
In most cases when we think of surveillance and think of targeted surveillance even, we almost always talk about governments and law enforcement and intelligence services and so on of democratic, non-democratic countries regardless. And we almost always start thinking about FinFisher and Hacking Team and so on. The reality of things is that those are kind of exceptions, at least in the large number of things that we observe. And this is a great example that we observed a while ago. So the Citizen Lab published some research, I think, in December last year. And this research basically uncovered a new type of actor that we hadn't observed before. The setting is in Syria. Raqqa is a city in Syria. It's about 160 kilometers from Aleppo. And one year and a half ago, ISIS took over the city and kind of started running it as the headquarters of the occupation of that region. Starting to close all the schools, starting to impose a new rule of law, and starting to repress dissidents and activists in their own country, in their own city, that were fighting against the Assad regime. Similarly, they were being prosecuted as well by the new people in power. There is a group, a particular group of activists in Raqqa that is called, their name goes, Raqqa Is Being Slaughtered Silently. And it's a group of people that previously, they say, we were activists against the Assad regime. We were publishing the wrongdoings of the governments. And at some point when ISIS took over, we decided that we needed to switch and we needed to be even more upfront and more courageous in some ways by publishing everything that ISIS was doing to our city. And so they did. They make use of the internet, of course. They make use of digital media. Most of what they do is taking pictures and videos in the streets and showing what happens when someone is being executed or something happens in the city, and they publish it online. And this creates a lot of media attention both in the country and outside of the country.
And because of this attention, they've been obviously persecuted heavily and allegedly even one of their members has been found and executed. And the other members are in hiding. Obviously they can't do this openly. They would be all executed at once. And some of them left the country even because of the retaliation for what they were doing. And since they're in hiding, their adversaries, so possibly, we don't know for a fact, obviously when you do technical research, you never know for a fact. But the context suggests obviously that these might be ISIS-affiliated people being interested in these individuals. They're starting to try to find digital means to identify and de-anonymize them. And the digital means, it always comes down to being targeted surveillance and targeted attacks of different kinds. So as it happens in every other situation, these guys receive an email. In this email, there is some very carefully crafted content that tries to lure them into doing something stupid. And in this case, for example, they're saying that they're Syrians in Canada and they're sympathetic to their cause and they're working on a project to bring attention to the situation in Syria outside of Syria. And they asked them to look at this draft of the work that they're doing, which is attached to the email. And obviously the draft of this project they're doing is not legitimate. It's a piece of malware. Similarly, if they're not succeeding in that, they're also asking to be put in contact with the members of the group through Facebook so that they could identify them. When you would open the file, you would see some pictures, pictures of the city with some, you probably can't read them, but there are some markings showing, for example, American bombing, alleged, obviously, and positions of ISIS headquarters and so on. And there's a bunch of them. You can kind of scroll through them. While it opens these pictures, in the back some malicious code is being executed.
The purpose of this malicious code is actually very simple. In this case, their interest was purely to de-anonymize these individuals and find who they are. And so it wasn't doing anything fancy. It wasn't storing key logs. It wasn't storing screenshots. It wasn't intercepting any Skype communication or whatever. It was just collecting very basic information out of the computer, out of the internet line, and sending it over via email. And that was potentially, if it would have succeeded, enough to identify the people that were associated with the group, find who they are, find where they live and kill them. And this is, you know, you can see how this progresses. It starts off with an email and it ends up with people, you know, dying because of what they're doing and dying because of technical means through which these actors are able to persecute online people who are engaged in activism of different kinds. And this story is interesting because it's unconventional from the ones that we generally observe. And there are a few lessons that we can learn from that. The first one is that we don't always talk about governments. These are kind of the three main actors that we identify normally when researching into these areas. The first one, obviously, being nation states. And this is probably the most common one, you know, governments, especially non-democratic governments, but sometimes democratic governments as well, making use of targeted surveillance to identify, monitor and reconstruct networks of people that are engaged in political actions or in journalism or whatever that is contribution in the local context. And they want to find them and arrest them eventually. Very often, we see groups for hire. You know, people, black hats that sell their services to eventually nation states again.
We see that, for example, in some situations in Iran and some other countries in that area where the government doesn't necessarily have the capabilities or they want to use external resources, and this happens quite a bit. And as we see, it happens also with militias. And in this case with the situation that I explained before, it might very well be groups of hackers, groups of black hats that are affiliated with a certain political or extremist movement even, and they're participating in destroying the opposition of that specific movement. One of the things that I came to understand over time is that it becomes very convenient to be used as a method of surveillance and of interception, much more sometimes than mass surveillance because it requires a lot of bureaucracy. And this is something that we're dealing with and discussing a lot in these days given all these recent events. You know, when you want to monitor someone or a group of people, you don't need to interact with the ISP or the mobile network provider and you don't have to go through all the bureaucracy and the oversight of these organizations after by themselves. You just package some way to deliver an exploit, to deliver a malicious payload and get it executed, and you'll skip all these controls that are in place and have been in place for a long, long time for good reasons. And similarly, many countries also lack a proper legitimacy framework. So even in our countries, I don't know exactly what the situation is in Germany. I found it a bit confusing, but as far as I understand, in Italy, for example, which is my country of origin, there is no law that grants the authorities the use of that specific type of technology. There is no regulation that says these are the technologies that we're talking about, this is how we should use it and this is in which context and situation. There isn't.
The way that it's being employed nowadays is through the adoption of wiretapping warrants and things like that, which are archaic and have been designed and thought of at times when technology was much different and at times when the capabilities that exist now were not even thought of. At the same time, do you really want to regulate these things? This is something that, for example, we're debating right now and over the last couple of years as well in Italy and in Europe and most of it in the countries that are kind of being found, being participant in these kinds of activities and where these technologies are being produced. We discussed a lot about export controls and I don't know if you follow all of that kind of flame situation going on there. There's been a lot of discussions going on around that type of control and there hasn't been as much discussion on how these things are actually already being used in our countries. So we're talking about and introducing laws on how to prevent other countries from using the same technologies that we built and we use ourselves, which I find quite hypocritical. There is some of that discourse going on right now. I personally find it quite dangerous to go towards the direction of introducing these kinds of regulations and legitimizing once and for all the use of these very invasive and very difficult to control and very difficult to challenge technologies. It's a thing that needs to be thought of very carefully. Once you establish these things, you can't take that back, and the danger of establishing these regulations would be to incentivize even more both the production and the use of these technologies. And I'm not sure we really want that, especially given the way that they function, they tamper heavily with the operating systems, they completely divert the original functioning of what the device is doing and there is almost no good way to have proper oversight of how this, you know, piece of software runs.
Interestingly, we're having a little bit of this discussion in Italy after the whole Hacking Team situation, and there has been a great article published by a penalist lawyer in Italy that basically has been saying, you know, there is Italy and many other countries in Europe which co-signed the Convention of Budapest in 2001, where we agreed at that point that anybody that would have been producing and using and whatever technologies that are designed to break into computer systems needs to be penally prosecuted, and that's what these companies actually are doing, and the conclusion of this article has been legal all along, which is an interesting thing to reflect upon. Another good lesson is that these technologies are being built in many situations by commercial companies, sometimes it's not actually the case, but they're very accessible. Even if you take it for free or if you buy it from one of these European companies it's kind of cheap, you know, but they go from maybe 100,000 euros to, you know, 3,500,000 euros, it's not much. It's pocket change really, and the more money you put in the more options you have. The problem with this is that the prices of these things being so low obviously allows many people to use that and make good use of that in some ways, and we see that many, many times over and over. With the Citizen Lab we've been monitoring some of these companies that have been producing and selling these technologies. In Germany you probably know FinFisher, which is software, a spyware, a malware which is produced by a company based in Munich. We identified attacks employing FinFisher and we started monitoring where we would find FinFisher infrastructure around the world, and we see many different countries, many of which are not very democratic. Similarly, if you've been following any kind of news in the last month and a half you must have heard of what happened with Hacking Team. Hacking Team is kind of a competitor of FinFisher.
It's based in Milan and they produce spyware for law enforcement and intelligence agencies all around the world, and suddenly when that happened, people realized, oh, they've been selling to oppressive regimes around the world. Turns out that we actually found all of them, pretty much all of them, already a year and a half ago, although that didn't raise as much attention. Another lesson that we learned from many of these cases that we worked on is that these technologies and these tricks are very effective and they're not necessarily effective because they're sophisticated. Actually, in most of the cases, they're not. From a technical perspective, they're really damn boring things to look at, but they're effective because of the context and because of the knowledge which the attackers leverage in order to compromise the victims. They're effective because they're difficult to recognize and they're difficult to identify, and once you're compromised, it's even more difficult to realize you're being monitored and there's no good way to challenge this thing. And obviously compromising someone's computer, someone's mobile phone gives a lot more insight into what this person has been doing, more than tapping his phone line. You know what he's thinking, you know what he's searching, you know what he's writing, you know who he's talking to, you know who he's emailing, you can reconstruct entire networks of people that are working together through these means. And you know, training people to use encryption and, you know, using all of these things, it's good but it's not good enough. It's hard to train people to recognize social engineering attacks. If you're able to do that, I would really like to learn how you do that, but it's really hard. Even showing over and over again to people how these attacks are generally pulled off, it always happens that they will fall for it at some point in time because their carefulness kind of fades away.
It's, again as I said, hard to challenge and requires at least some technical expertise to recognize when these things are being employed. And you know, besides the fact that, as I was mentioning, there are a few occasions where you see the FinFisher and Hacking Team and the likes, most of these things are actually quite boring, and despite being boring, as in like technically boring, they're still quite effective because they go quite unnoticed. Another thing that we learned is that different regions tend to use different modus operandi, and by continuously monitoring how people are being compromised, you can start seeing some patterns and recognize that maybe certain types of targets in a certain type of environment in a certain type of country are most likely going to be targeted in this way or that way. Some of them are more recognizable than others. A lot of the attacks that we observed, that Citizen Lab has been publishing about, have been related to Tibet and China. There have been a lot of attacks obviously going towards Tibetan communities in China and abroad. And generally the modus operandi has always been the same. They've always been using customized malware, sometimes using modified versions of malware whose source code has been leaked online, like Gh0st RAT and so on. But generally they make use of their own tools, and that makes it quite easy to recognize them and that makes it quite effective for us to keep monitoring them over time and being able to see when something happens, stop it as soon as possible. And as a way to deliver attacks they generally always use very known old exploits and repackaged documents that are really public. For example, presentation slide decks, event invites, news of different kinds, letters from Tibetan communities from outside of the region, for example, from Europe and America and so on. And that's kind of, is always the way that you see them doing everything.
In Iran instead, you see a variety of things but generally quite consistent. You see a number of custom RATs, generally very unsophisticated, mostly in Delphi and .NET. And you can see them recurring over a long period of time, which means probably there is a very small number of groups inside the country that have been developing this expertise and these technologies even from 10 years ago till now. Syria, for example, is a very interesting case. Both Syria and Iran obviously are under embargo, so it's very difficult for them to get access to any kind of technology, so either they have to build in house, as it does happen in Iran, or they have to use tools that are free to download on the internet. And while Iran does show to have decent technical expertise to build malware and build offensive technologies, Syria never seemed to be quite there yet. And that's in some way a good thing because they ultimately always have ended up reusing the very well-known RATs, DarkComet, BlackShades, Xtreme RAT and these kinds of things which are very well known and generally, although you could argue about that, should be very well detected. It also makes it difficult for us as researchers and as human rights defenders to monitor who is doing what, because everybody is kind of using these same tools for many different reasons in many different areas around the world. And if we come across an attack that has been using DarkComet or something along those lines, it's more difficult at least to be sure that it's been used in the context of Syria. South America instead, except again for, you know, the Hacking Team and the FinFisher and the likes, seems to be using a lot of Java RATs. Islands Bioblock and a number of others, very simple vectors written in Java, they do very basic things, usual key logging and stuff like that. There are some of them also available from mobile devices and so on, but it seems to be a very recurrent pattern even across multiple countries in Latin America.
I have no idea why, but it's something that has been seen as a recurring pattern and it's quite interesting and I'm still researching what's that about. Another example which we worked extensively on has been Bahrain. So Bahrain actually has been the way through which we started all investigative research in targeted surveillance and the surveillance industry. During the 2011-2012 protests in the Arab Spring, we saw a great amount of attacks happening against political dissidents and activists that were engaged in the protests in those areas. And many of them at that point were actually being targeted with FinFisher, and that was the first time that we observed FinFisher in the wild, and that kicked off a whole, you know, big, multi-year-long research effort. At the same time at some point, this faded out, probably also as a result of the media attention that came after the publication we made exposing the use of FinFisher in Bahrain. They started using different techniques, and one of the most interesting ones, for example, is social engineering people through social media, Twitter and Facebook and so on, and not doing anything else besides asking them to open a link, and the link would just be an IP spy instance. An IP spy is basically a service run by a couple of websites. You can put it up yourself. It's just probably five lines of PHP or whatever that just gets the IP address of the individual opening the page, and then you would use that, create multiple landing pages and see whose IP address is whose according to who they've been sending a link to, and they've been using this as a way to de-anonymize anonymous protesters online and people that were posting news and pictures and videos and so on during the diaspora, during the protests and afterwards as well. Another interesting lesson is that it turns out that exploits are not as common as one might think and through this even less so. Most of the attacks happened through social engineering and spear phishing.
Even the ones that are employing commercial spyware like Hacking Team and FinFisher, by experience in the large majority, with few exceptions, have been delivered through the use of spear phishing, which is a very interesting thing and also something to consider given the current discussions going on about regulation of exploits and security research. At the same time you obviously have some exceptions. You come across every now and then situations where some zero days are being used. Generally that has been seen happening in China, not necessarily against civil society per se, but some of those actors have that capability, and we know that Hacking Team and these companies do obviously have zero days at their disposal, but supposedly they're probably gonna use that in very few occasions and maximize the profit out of the sale of that. So this is coming towards the part where I complain about things. So why do I do the things I do, which is something I get asked a lot, ironically. So the first reflection is everything we do, I think, has a political meaning. Especially when I deal with technical people and security researchers and so on, and I think everybody here and people at the camp is an exception. I think people that come here do probably have already a certain inclination towards being engaged socially and politically, but the large majority of that community isn't. Especially the InfoSec community isn't at all. You know man I don't feel the same way, especially in kind of the US-centric security industry. It tends to be seen as something that is not normal. It's something that takes you away from the pure hardcore technical aspects and that you're moving away from being a hacker or a security guy to being an activist, and I assume that a lot personally and I think it's stupid. Because everybody has their own politics. Different people have different politics. I have certain politics. You have different politics probably from mine, or maybe we have the same.
I suppose probably we have the same since you clapped. But your current comfort level on doing a certain type of work, including the type of work that I'm talking about, at some point over time reveals these politics, and I think we have to embrace that as a tech community. We have to embrace the fact that we individually and as groups, as organizations, operate in a very strong political context, especially in these years where cyber security is at the top of the agenda of most governments around the world and we're in a time where a lot of regulations are being introduced and a time where we hear in the media every single day about cyber war and things like that. So publishing information about a state actor and publishing information about government hacking is a political thing, is a political action. At the same time, as I see over and over again during the last few years, not publishing information instead and withholding information is not a political action, it's serving a political agenda, and you see that a lot happening from security companies. In the last, I don't know, five, six years, how many reports, how many news have you read about Chinese hacking, about Russian hacking and all of that, and how many have you read, if you take all the Snowden revelations aside, about US hacking or British hacking or German hacking or Western countries hacking? You don't hear that a lot, and you don't hear that a lot because they're being withheld by the people that have the expertise and have the knowledge about these attacks but don't engage in publishing them. We've seen that in a few occasions, so in the last eight, nine months or so I worked on a few publications that had to deal with surveillance and targeted surveillance and malware programs from Five Eyes countries.
In the first occasion, we published together with Morgan Marquis-Boire on The Intercept our research that we'd been working on for several months on a malware program that we identified that seemed to belong at that point to the UK and US, NSA and GCHQ, and that was connected to the Belgacom hack that you probably remember from the Snowden documents. So during the research, we managed to find a large amount of malware samples spanning back to 2003 up to 2013 or 2000 or even beginning of 2014 even, and we were fairly confident that these were surveillance programs and malware programs from those countries. Similarly, a little bit afterwards we together with H.A.G. and Laura and Aura and Leif and some others, we worked on a publication to speak on some of the documents related to the computer network exploitation capability of the NSA, and seeing the reaction to both of these publications has been very interesting. When it comes down to the InfoSec community and the InfoSec industry, it has been extremely critical, and I was kind of baffled by that because I was seeing a lot of attacks, a lot of people complaining about these publications and accusing us of being irresponsible by publishing these technical details. However, they were the same people that at the same time were publishing information about malware programs and computer and network exploitation capabilities without even blinking an eye. And many conversations came up as a result of me kind of complaining on Twitter about that. And one of them kind of got me thinking more than others. Some person came to me online and on Twitter and told me, you know, there's I don't have anything against the journals. It's your job. I'm on this note and so on, but I'm all into dropping shit from foreign at CNE. And so I asked, so if you obtain knowledge about similar capabilities from your own government, do you conceal that? And he said, yes. And I think that's fucked up. It's fucked up for multiple reasons.
Firstly, because that's not just one person. That's a trend. And you see that trend recurring in pretty much the large majority, if not all, of security companies and organizations that engage in doing threat research and threat intel or whatever that's called nowadays. That's dangerous. The fact that they're withholding information about a certain country, most likely their own country or countries that are allied with their own country, is obviously in service of a certain political agenda. It's probably also withheld in fear of retaliation and damage to their business and PR. But it's a problem because whatever the reasoning is, it portrays a real picture of what's going on in the world. We hear a lot about the opposite bloc in this geopolitical conflict that is happening nowadays, but we don't hear anything about everything else. And then when we learn something about it, it turns out that our countries are even more aggressive and more sophisticated and more dedicated in using these kinds of techniques.

And especially, as I was mentioning before, in a time where we are talking a lot about regulations and we're talking a lot about imposing sanctions on foreign countries using hacking and so on, the fact that we're not talking about how we ourselves are using it in Europe and Western countries is dangerous and wrong. And especially for me, I find it very troubling because, again, it portrays a one-sided, very narrow view of what is the state of security of technology in our society and on the internet. They portray, again, a one-sided view of what the current state of security is. And ultimately, if security has to be universal, people working in security companies and security companies themselves have to be transnational. The technology goes across borders. All of us use the same things, and the same people they're going to hack in a foreign country will be exploited with vulnerabilities and malware that are being used against us as well. It's just the same.
And so, if security is not universal, it isn't security at all. And the other kind of lesson that I learned and that I try to pass on as much as I can is that what we do, and in some cases what we don't do, as hackers and researchers and so on, has a huge impact on society at many different levels. See, that's the impact on small parts of society, maybe in a very remote country in the world: being able to prevent some religious minority or some activist group that is exposing corruption and so on from being targeted is extremely important. I've seen many situations where, after the fact that they're being surveilled, these people just stopped doing what they were doing. They stopped being engaged politically. They stopped being engaged in journalism because of fear, and not necessarily because of fear for themselves, but because of fear of compromising the network they were operating in. In many cases, if someone has been targeted, he's not just operating by himself, he's operating in groups. And sometimes isolating the one that has been already compromised is seen as the best option, and probably it isn't. But it has that chilling effect, and I've seen that on many occasions.

But at the same time, we can have a much bigger impact on global society as well. And we've seen that especially in the last few years. Wassenaar isn't a topic that I particularly like talking about, it's a very complicated thing. There is kind of a block of privacy people that want to implement export controls for very serious and legitimate reasons. And there's a block of security researchers and technical people that don't want that kind of regulation because of bad experiences in the past. Regardless of what your position is, regardless of whether you agree or disagree with these kinds of techniques, and actually, frankly, I'm not even sure myself.
But the outcome that I took out of the Wassenaar regulation, which, for those that don't know, is basically an arrangement that is signed by a large number of countries to control the exportation of different, generally military, equipment and weapons and so on. And recently they also introduced the controls for exporting intrusion software and things surrounding that. And that happened mostly as an outcome of the publications of the Citizen Lab and of the EFF and all the groups that engage in these things and in revealing how these technologies produced by European companies were used in certain contexts. And that's actually the lesson they took out of it, which is the fact that we as researchers and as hackers, by doing this kind of work, by publishing this kind of information, are able to have a significant impact. And that impact has been brought even to the highest level of policymaking and political work in the European Union, and it even moved things to the point of enforcing countries to change laws because of the fact that these companies in our countries were being involved in these kinds of abuses.

And again, that's not necessarily a good thing, but it shows that if we engage in these kinds of research and if we engage in publishing this information and are active in the political discourse and in providing feedback on how regulations should serve both those that are being targeted and are victims of these attacks as well as us as researchers, we can probably have a very positive impact on society. And again, I keep repeating that, but especially now where we're seeing all these kinds of regulations, it is critical that we as technical people do that as well, despite how fucking boring it is to go and read regulations and drafts of a hundred pages from the European Union and your own countries. That's extremely boring. But if we don't do that, nobody else is gonna do it for us.
And it is critical that we do that kind of engagement and we do take part in policymaking at that point. So I'm kind of coming to it and hopefully, I wanted to have some time for questions, but I'll see if I can make that happen. Still, the reasons, at least, behind why I do the things I do are pretty much two. One is the fact that there are human costs due to surveillance, and I already talked about this. But for me, at this point, I grew to a point where the technical analysis and technical aspects are way less interesting and way less relevant, but they're in service of a certain political analysis. And that's uniquely because I've been exposed firsthand to the human cost and human impact of the use of these technologies and I didn't like that.

The second reason is because I'm very, very concerned about the proliferation of surveillance, especially targeted surveillance, in a sense of technology in general. I'm very concerned, again, as I explained, about the regulation and legitimization of these things, but I'm extremely concerned about this ongoing imbalance that we see, and we saw that also from the Snowden documents partially, that shows that there's a huge amount of effort and a huge amount of resources being spent in creating offensive technologies and breaking software and network protocols and encryption standards and so on. And comparatively, there is an insignificant amount of effort being put into building security technologies and fixing issues and creating defensive strategies. And sadly, most of that, I mean, actually it's a good thing, but sadly because we can't really simply compete with that opposite side, comes from the free software community. And it's an imbalance that I'm very, very much concerned about. So how do I deal with that thing? Firstly, I assist those that are targeted. It's the first, most obvious thing to do. And there are many of them.
There is a huge demand for technical expertise in civil society, human rights organizations, media organizations, activist groups and so on. And there is a very, very limited supply. And that's mostly because, again, tech people tend to not want to engage in things that have a political aspect. The second thing is that I think that by engaging in this research, and I invite all of those that have the expertise and want to learn how to do this kind of research to start doing it. Publishing reports and publishing information over and over and over again is probably one of the most meaningful ways to resist the use of these technologies, besides all the policy making and besides all the building of technologies. Maintaining some kind of economic tension is extremely important. Every time that we publish something about a certain type of malware or a certain type of actor using attack techniques of different kinds, we burn it. And by burning it, we need to make it more costly for them to re-engineer things, to redeploy things and use them again and spread them over to the customers again. It adds costs, it makes it more expensive. And if it doesn't make it more expensive, at least it doesn't make it cheaper.

My hope, at least, is that by continuing and doing this, and sometimes it's still quite boring. You still see the same things over and over again. If you're interested in getting into this field, forget about finding every other day the most incredible piece of software, a piece of malware or a piece of exploit you'll ever see. It's not gonna happen. You'll see the most boring shit ever. But the importance of keeping doing those kinds of things is not in a technical aspect, it's in a political context. And it is in these exact things that I'm describing about maintaining some kind of tension.
And hopefully, if we keep doing that and if we keep doing it more, we don't go to the point where it becomes so cheap for people to produce and use these things that it just happens without any kind of control. So NGOs and human rights defenders are, as I said, under heavy attack, they have a huge demand for technical expertise and they suffer a lot, mostly for two reasons. One is the lack of visibility into what the threats are, and this visibility is very much available to the InfoSec community and the hacker community. And the second one, as I described, is lack of capacity. There is no security staff in most organizations. There is very little IT staff at all, if there is any. And that's not good enough.

So what I'm getting into is the fact that we, as a community, can collectively make an important change. You know, we are the ones that have the expertise. We are the ones that have the data. We are the ones that have the visibility into what happens around the world. That's because for some of us, it's even our day job. And it's not necessarily researching attacks on civil society, but we come across these situations quite often every now and then. And despite the fact that those are completely useless to security companies, they are of incredible value to human rights defenders and people that work in civil society. So I've been thinking about how to approach this problem. And one of the solutions is to try to bootstrap a way for all of us and InfoSec people, even the ones that I don't like. It doesn't matter. Once they have data, once they have expertise, get together, bridge with human rights organizations, bridge with privacy organizations, bridge with all those that have presence on the ground and are in demand of your experience and of your help. And let's try to make some movement, some platform for people to connect and get together.
And if you have like two hours a week to volunteer on something, for example, you might be a pen tester and you have two hours a week, and on a Saturday afternoon you have nothing to do, you might be of great help by pen testing the website of, I don't know, some media website in Lebanon that has absolutely no resources and is being broken into all the time because they're exposing corruption or something. Let's try. So we're trying to do something practical. I know it's not an easy thing to do, and I know absolutely nothing about community building and I don't want to be the one in the position of doing so. I want to use these situations where you all get together to discuss some of these things and slowly get to a point where we can be in a place to collectively collaborate on issues that are more important than building some kind of blinky box for some security company to feel safe.

So we did something and it's a start. We were building a collaborative knowledge base, because before getting into helping people we need to understand what we're dealing with. And some of us know some things, some of us have been working on these things for a while, and there is not yet a good central place where all of this knowledge is collected, and we're trying to build that now. And the idea is to try to collect all this information related to targeted attacks, related to surveillance companies, related to encryption laws, whatever. Anything that helps in building a narrative on what has been happening that has a negative effect on civil society in every country in the world, put it together and rebuild narratives on them. So we started doing a little thing. We created a GitHub organization and we started creating something that is called Data Packages. Brandon explained them at the Tactical Tech Village yesterday, you can look them up. It's an easy way to define data structures for people to contribute to. And I'll show some examples in a minute.
We created a Node.js API server that we're gonna publish hopefully really soon and a frontend that is already online. And I'll show that in a minute too. The starting point is to create a platform for people both to consume the data, if you're interested in what it is that I'm talking about, say attacks in Syria. You go on this website and you'll see all of the things that we see and are able to document publicly in Syria. And you can start from there. You can analyze that, research it, find more things. If you find more things, contribute them back and help build the full picture that we don't have yet.

So we have some repositories. We have some data packages, as we called them. They basically represent some pieces of data. I spent some weeks extracting all file hashes of malware samples that have been used against civil society over the last few years. It's been a pain. So I hope that people will make some use of that. And some journalists, for example, have been working on extracting all companies that have been reselling surveillance software for Hacking Team all around the world. Maria, for example, has been working on compiling a list of surveillance vendors and encryption laws all around the world. So very diverse types of information, but ones that are very connected with each other and that, by presenting them at once, kind of give a good overview of what has been happening in certain countries. And hopefully a small example of that. So if you want to look into the data and contribute, this is the GitHub organization. It's intentionally a fluffy name because we want to engage all sorts of sites. And here is the front end that we have online. It's at digitalfreedom.io. We kind of put it together literally one minute before I came here. But you kind of get the idea. So we're starting to collect data that is related to all these different countries around the world.
And the system is a Node application that automatically pulls data from GitHub and serves it through an API, and you can browse that data. You can query that data, extract information about a specific type of malware family, about a specific country, or whatever, and get that data out. And if you're interested in a specific country, you click on that and here are all of the things that we have on that particularly, classified by organization, and so on. So that's very briefly, because I'm running out of time and I wanted a couple of questions eventually.

And along with that, one of the issues that I explained is that we lack a lot of visibility. As people working with civil society and people working with human rights defenders, we don't see attacks happening. People don't have the expertise and the knowledge to identify when someone is being compromised. It takes a long time, and the ones that come to us generally are false positives. And that happens because we don't proactively see a lot of these attacks happening, but people with certain leverage, some sort of access to data, or a certain type of profile do see that a lot. And it happens in some situations where people working in the infosec industry for companies that I would normally despise, but some of these individuals have some consciousness, came across some attacks that for the company were either irrelevant or politically complicated to deal with. And so they've come to me or to others working with me and said, this is some piece of data which we can't make any use of and it's very, very relevant because it's being used against journalists or activists in this country, and you should look at that and do whatever you can with it. And it's been very helpful. And similarly, there are other situations where this could happen again, not just with malware, but with other instances as well.
So we're also launching a submission platform for whoever doesn't want to engage publicly, doesn't want to put their name on pieces of data that might be sensitive. There is an onion right there that you can visit. It's a global instance. We accept submissions from four different contexts. Hopefully a lot of raw data that we can actually take good action upon. We're hoping to get people and organizations from different backgrounds that work on these four or more topics to come to us and be part of that and become receivers of this data as well. If you are an organization that works on censorship and you're interested in learning about new censorship events that come from a certain country, please reach out. If you're someone or an organization that researches malware and exploit attacks against civil society, please reach out. It would be great to kind of make a whole community at once. It's very simple. You'll see some examples right there. You just give a brief explanation of what we're dealing with and the file itself, and then we're good.

So that's basically it. Hopefully this is a starting place. We're building something very simple, but something that hopefully will help some people to start getting into this field, and start researching more and publishing more about these topics, and hopefully over time make it so that a community grows organically of all of us that want to contribute and help people in need in doing good things for them. This is not something I've done alone. I want to thank all the people that supported me and helped me over the years. I particularly want to thank Brennan. Brennan, if you can stand up. He's been literally spending all the last few days, several hours a day, building this stuff in JavaScript that I have absolutely no idea how it works nor how to do that. So thank you a lot.
And if you want to learn more about how these things work, please reach out to either one of us and we can explain and see if we can work together. And that's it, so thanks for coming. If you have any questions, we might have three, four minutes, maybe? Four minutes, okay. Yes, thanks a lot.

Thank you very much. And now time for questions. We have two microphones, on the left side and on the right side. Please queue up for the questions. Good. Any questions? Okay. I guess not. Yes. Thank you again. Thank you very much.