For the next talk, we welcome a contribution to the ever-expanding zoo of malware in the ecosystem of insecurity: Pegasus. It's about the case of Ahmed Mansoor. The Citizen Lab left us excellent work in forensics, and it even made it into the Christian Science Monitor lately. A big round of applause for Bill Marczak and John Scott-Railton.

Hello, everyone. Can you hear us? Awesome. Where's my clicker? So my name is John Scott-Railton, and I'm here with my colleague Bill Marczak, and we are going to present a talk titled "Million Dollar Dissidents and the Rest of Us". Bill Marczak is a senior fellow at the Citizen Lab. He just got his PhD, like, last week at UC Berkeley, so quick round of applause. And Bill is also one of the founding members of Bahrain Watch, which does really important work on human rights, transparency and defense in the Gulf.

Thank you for that lovely introduction, John. My colleague John Scott-Railton, of course, is my co-conspirator at the Citizen Lab. He's also pursuing his PhD at UCLA, and his research focuses on targeted threats, specifically against civil society. So for those of you who don't know the Citizen Lab, it's located in this big stone building in Toronto. We do two basic components of work: we look at targeted threats against civil society, and then we look at information controls. What we're going to talk about in this presentation is our work on targeted threats.

So, in background about the lab: it's fairly old in computer terms. It's independent. It's academic. And our bread and butter is developing long-form trust relationships with targeted groups to find things, and then combining that with a real degree of technical rigor to understand what it is that we've found, whether it's phishing or other forms of attack. So, quick roadmap. I'm going to talk to you today, along with my colleague Bill, about two attacks. One 0-day.
We're going to talk about some infrastructure fingerprinting. We're going to talk about scale issues for security in high-risk users, and we're going to end on that.

All right, so let's jump right into the story. This handsome gentleman here is called Rory Donaghy, and he's a human rights activist based in the UK. He's a founding member of this organization, the Emirates Center for Human Rights, that focuses on, you guessed it, human rights in the UAE. He's also now a journalist at Middle East Eye, where he's been publishing a series of stories involving leaked emails from high-ranking members of the UAE government. Recently he was targeted. He actually got this interesting email here from an address, therighttofight@openmailbox.org. Okay, seems a bit sketchy. It says, "Mr. Donaghy, we are currently organizing a panel of experts. We invite you to apply to be a member, and you should respond with your thoughts about the following article," and there's a link here to this weird-looking site, right, ax.me. You know, it looks kind of sketchy, right?

Yeah, but at this point somebody in the audience is probably thinking to themselves, oh man, it's another talk: activists somewhere getting social engineered and phished. Like, haven't I seen this talk many, many times before?

Well, that's a great point, John, but keep your shirt on. We're getting to some interesting stuff. All right, so ax.me was kind of weird, right?
We started looking more into this site. We figured out that it was this thing that claimed to be a service where you could shorten URLs, kind of like bit.ly or something like this. It turns out, though, that it was publicly accessible, so anybody could go here and shorten a URL that they wanted, and it would redirect using just a regular HTTP 302. But the link that was sent to Donaghy actually redirected using a different mechanism, which ran a ton of JavaScript. If he clicked on it, it would have run a ton of JavaScript on his computer, including a bunch of attacks that would seek to de-anonymize him if he was using Tor. One particular attack was able to figure out the location where a Tor Browser Bundle was installed, which could contain the name of the person using it. Also, there was a really clever technique to do a local port scan of his computer to identify which antivirus program he was using, in order to perhaps enable bypassing antiviruses.

So he'd received this email, and we looked into this weird ax.me site, right? The interesting thing was we were actually able to get more from this attacker. So we instructed Donaghy to send a response saying, thanks for your message, but I'm having trouble with your link. This case was actually really unusual, because the attacker did in fact respond with this email, and they said, hey, we apologize for you having problems. Here's another link where you can download our organizational information as an attachment, as a file. But the catch is, we were such a secret organization, we had to protect it with macro-enabled security, right? So it requests Donaghy to please enable macros to view the information about the organization. So this is the image that he was presented with when he opened up the Word document. It says, "This document is secured, please enable macros to continue," and it says the same thing in Arabic. And it's got, you know, it looks official, right?
It's got the Office 365 logo. It's got the Proofpoint logo, like those guys do document security. Okay, this is a pretty good phish so far.

So what did the macro do? Obviously it displayed information, but that wasn't the only thing it did. It turns out it was a pretty basic PowerShell macro, or a macro that ran a PowerShell command, and the PowerShell command was designed to gather basic system information, as well as, interestingly, the installed version of .NET, and it submitted all this information to a kind of interesting-looking site at adhostingcache.com and pulled a response back from the server, which was then executed in PowerShell. So we got this stage two response from the server, which actually installed a scheduled task in Windows, and every hour it pulled new commands from the server and executed them. But it was actually a different server, incapsulawebcache.com. And then the third stage, the commands pulled down by the stage two: we were actually able to get some of these. The first command was getting the ARP table, which contained perhaps information about other machines locally connected to the network, to perhaps enable lateral movement by the attacker. And it also very, very aggressively scraped the computer for passwords and browsing data, using, in fact, GPLv3-licensed code (nobody tell Richard Stallman) from this application called Quasar RAT.

All right, Bill. Phishing, PowerShell macros. I'm still kind of skeptical this is going somewhere interesting.

Well, you're right. It's technically boring. But in fact this sort of technique keeps working. Activists keep getting compromised.

It just sounds to me like more user error.
Well, in fact, John, this looks kind of like a digital public health problem.

Indeed it does. So as we've worked with targeted groups for a good chunk of the last decade, one of the things we've observed is that the internet, surprising no one, has profoundly reduced asymmetries in the ability of individuals and organizations to communicate and broadcast their information, right? The advantage, the story I always think of is, like, in a coup d'état it used to be, you know, the rebels had to capture the TV station. Now everyone can have something like that. So it's very exciting, and it's profoundly changed the way that civil society does its communication. But there's a great overhang, because that technology has not itself changed the underlying asymmetries of risk and power that are still articulated through the internet. What that means in practice is that civil society is really vulnerable. And it's made more so because most civil society organizations, most NGOs, are like the ultimate bring-your-own-device, bring-your-own-computing-style computing environment. There's absolutely no IT department. There's no choke point on the network that you can monitor. Most people have very mixed, even artisanal, relationships to their security, and little access to behavior if you're trying to change behaviors, and usually documentation of bad things is terrible. Put differently, it's a big headache to try to do security. And the reason is not some kind of moral or ethical deficiency; it's that people are really strapped for time and resources and knowledge, and are trying to focus on their primary objective, which is usually not securing their boxes. The predictable result, of course, of all of this is a hidden, and sometimes not so hidden, epidemic of compromises within civil society.

So what happened to the story we were telling?

Well, that story about macros in PowerShell will actually lead us to an iOS zero-day.

All right. I'm interested, Bill.
Okay, let's break it down, John. So we published the information about Rory Donaghy and his targeting in a Citizen Lab report; you can read about it. As part of this, we were able to trace the stage one and stage two domains, adhostingcache.com and incapsulawebcache.com, to 11 and 69 other domain names respectively. And now, once we had this, the next question was, could we trace it even further? So we started looking at the WHOIS information for these domain names, as well as a bunch of their DNS records, specifically the SOA, the start of authority DNS record, and we noticed something quite interesting. We noticed this email address, pn1g3p@sigaint.org, and it was pointed to by one of the stage two domains we had found, but also by three other domains which we had no idea what they were. They didn't match our fingerprints for stage one or stage two of the spyware. In fact, we determined they were designed to impersonate this website Asrar Arabiya, or Arabian Secrets, which is actually a legitimate news site that provides news and gossip about stories going on in the Middle East. We were able to get the contents of these sites. You know, we just went to visit these websites and found the following HTML code returned by the sites. As you can see, what's going on here is they're showing the legitimate Asrar Arabiya website to the user in an iframe that takes up the whole browser window, and there's also this invisible one-by-one iframe loading this weird-looking site, smser.net slash a bunch of numbers. Very weird. So we began kind of investigating this. We looked at this link specifically, and we found that it redirected to smser.net/redirect.aspx, which returned this HTML code. And you can see this is kind of weird. It's got a very distinctive format: there's two meta redirects to Google, and there's kind of like a blank title and a blank body. It struck us as very odd, so we used this as a fingerprint and in fact scanned
the entire internet looking for this same fingerprint. Specifically, we used ZMap to scan the entire internet, doing a GET request for redirect.aspx on every server on port 80, and we found actually 149 IP addresses, mapping to 149 domain names, which returned this same code. Only 149. So this struck us as kind of odd, the fact, you know, maybe we were onto something important. We then began breaking down and looking at exactly what those domain names we found were. We found that a couple of them were designed to impersonate, for example, government portals, or humanitarian organizations like the Red Cross, or airlines, news media, and a bunch of other different categories. But the theme that struck us was impersonation. You can see here some of the typos, like alljazeera.co instead of Al Jazeera. Another thing we noticed is that some of the domains had "SMS" in them, over and over and over, and this struck us as odd. Right, why would you have a bunch of domain names that are impersonating things and a bunch of other related domain names with SMS in the name? Well, maybe if you're targeting mobile phones and people get, you know, some sort of link that has SMS in it, maybe they're more likely to click on it.
So at this point we figured maybe these domain names, these 149 domain names, were designed to target mobile phones. So we waited, and we asked around.

One of the key features of the way that Citizen Lab does its work is that it often leaves us with big questions, and watching. So to think about our workflow: it often involves encountering a group that's received something suspicious. We take a look at what they've received. We often find some command and control infrastructure, and then we look and we wait and we poke. At the same time we will develop fingerprints for that C2 infrastructure and start to get a better sense of where else it might be in IPv4 space. We'll then often go back, having found infrastructure, which is where we are in this story, and start looking for malware or something that talks to that infrastructure. What we're doing is exploiting a fundamental principle, we think, of targeted surveillance using intrusion, which is: when it's used at the scale of monitoring a group of people rather than a single intrusion, infrastructure is going to get used not just for one person but for a bunch. That means that servers are going to stay online for a while. That means that there may be malware floating around, and this is really part of the enabling feature of this community for the work that we do, and it translates into interesting results. So in 2014, using fingerprints developed for the malware of Hacking Team, we came up with a list of suspected government users. In 2015 we did the same thing, updating earlier work on suspected government users of FinFisher. But back to waiting. In August of 2016 we got a message from Ahmed Mansoor, who is, as was mentioned in the introduction, a human rights defender based in the UAE. Mansoor said, guys, I think I'm being targeted again. And we believed him, because in 2011 Mansoor was targeted with FinFisher, a document, sorry, an EXE disguised as a PDF, and then, nobody leaving well enough alone,
he was targeted again with a Hacking Team implant in 2012, this time with an attack document and some old-day. So we paid attention. What he had for us was two SMS messages that he had received, basically translating to "new secrets about Emiratis tortured in state prisons", something relevant to his work not only as a human rights defender but to him personally, as he's previously been arrested and jailed for his highly important work. So we said, nice bait, we'll take it.

So as John said, we decided to take this bait. We decided to somehow see what was behind these links that Mansoor had sent us in the text messages. So what did we do? Well, we actually figured, hey, let's open these up on an iPhone. He received the links on his iPhone 6. So we said, okay, we've got an iPhone. Let's factory reset it, and let's connect it to the internet through a laptop. Since the link was using HTTPS, we wanted to capture everything, so we set up a laptop with mitmproxy and Wireshark, basically installed our fake root cert on the iPhone, and transcribed the link into Safari on our iPhone. So all the phone's internet traffic was going through the laptop. We could see everything, and our goal was to kind of capture what might be behind this. So what happens next will shock you.

All right, so this is the output from Wireshark that we were seeing on our laptop. So the first thing, obviously, you know, we transcribed the link, we typed it in, and we see what you'd expect: a GET request for the link, and it turned out this was a blob of obfuscated JavaScript, which already was quite interesting. The next thing we saw is that about 10 seconds after we typed it in, the Safari window on the iPhone closed. Very weird, very unusual.
This was our first indication that, okay, you know, maybe there is some sort of shenanigans going on here with this link. We saw then that the phone sent out another request for this file, final111, which was a second stage of, you know, lightly obfuscated shellcode. A bunch of other requests appeared to emanate from the phone, giving basically like logging data, or the status of what was going on, to the server. And then we saw a message saying "trying to download bundle". In other words, the phone sent a log message to the server saying that it was trying to download something, and it was trying to download this file, test111.tar, which actually was an iPhone application. And the interesting thing is that this request came from a non-Safari user agent, telling us that control had been transferred, perhaps, to some other process on the phone, which was fetching this.

So hold on, Bill. Are we looking at some kind of remote jailbreak?

Well, that was kind of what we thought. We thought we might be looking at that, indeed. So what exactly did we get? Well, it turned out that what we had seen was the result of three zero-day exploits: the first, an exploit in Safari, and the second two, exploits designed to jailbreak and install an app on the phone. The payload that it installed was actually capable of recording messages, voice and all kinds of other data from a number of apps on the phone. And for those of you who have been attending CCC, we gave the artifacts that we'd received to our friends at Lookout, and this handsome gentleman here, Max Bazaliy, gave an excellent talk on the internals of the exploits and the jailbreak on day one of CCC. So I hope you all check that out.
If not, you can watch it online. So of course we also realized, along with Lookout, that it was time to do some responsible disclosure towards Apple, which we did. What is of course interesting is that this was the first known, or the first publicly announced, remote iOS jailbreak. Pretty exciting. And these are things that in no way come cheap. Most recently we learned that Zerodium is offering a 1.5 million dollar bounty for a similar piece of technology. But this has also caught the attention of the popular media, even Vanity Fair, which published an article asking, who's stealing the secrets of Silicon Valley's crown jewel?

So who did hack Silicon Valley's crown jewel?

Right, right. So we've told you what we've got. We got the remote jailbreak, we got the interesting spyware, but who's behind it? So remember we did this scan, we used ZMap, we found these 149 IP addresses that were related to that weird site smser.net. So that didn't really help us in attribution. We got these IP addresses, we got these domain names. There were no clues, really. So the natural next step is we decided to go back in time. And of course we didn't actually go back in time. We simply used historical internet scanning data, and we looked up those 149 IPs. How did they behave in the past? We found out that 19 of these 149 IPs actually gave a different response in the past to a GET request on port 80, and it was this other weird, odd-looking Google redirect. You can see, you know, there's like the Unicode byte order mark at the beginning, there's like some weird line breaks in there. Looks pretty odd. And of course we've got the blank title and blank body. So this was very interesting, and the next natural question was, okay, 19 IP addresses returned this; how many other ones returned the same response in that historical scanning data?
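The two response fingerprints described above (the smser.net redirect.aspx page with its two meta redirects to Google and blank title and body, and the older byte-order-mark-prefixed variant found in historical scan data), as an added example that is not from the talk or from Citizen Lab's tooling. It classifies HTTP bodies you already hold (proxy captures, passive crawl archives) rather than scanning anything; the exact markup, the hostnames and the sample responses are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Hypothetical classifier modelled on the speakers' description.  The markup
# shapes below are assumptions, not Citizen Lab's published fingerprint.

BOM = "\ufeff"

# A <meta http-equiv="refresh"> whose target is google.com.
META_GOOGLE_REFRESH = re.compile(
    r"<meta\s+http-equiv=[\"']?refresh[\"']?[^>]*url=[^>]*?google\.com[^>]*>",
    re.IGNORECASE,
)
EMPTY_TITLE = re.compile(r"<title>\s*</title>", re.IGNORECASE)
EMPTY_BODY = re.compile(r"<body[^>]*>\s*</body>", re.IGNORECASE)


def classify_response(raw: bytes) -> Optional[str]:
    """Match a captured HTTP body against the two fingerprints.

    Returns "redirect.aspx" for the shape seen live (two meta redirects to
    Google, blank title, blank body), "historical" for the older shape seen
    in scan archives (UTF-8 byte order mark, stray line breaks, a Google
    redirect, blank title and body), or None when neither applies.
    """
    text = raw.decode("utf-8", errors="replace")
    has_bom = text.startswith(BOM)
    if has_bom:
        text = text[len(BOM):]

    refreshes = len(META_GOOGLE_REFRESH.findall(text))
    blank_page = bool(EMPTY_TITLE.search(text)) and bool(EMPTY_BODY.search(text))
    if refreshes == 0 or not blank_page:
        return None  # ordinary pages carry content or do not bounce to Google
    if refreshes == 2 and not has_bom:
        return "redirect.aspx"
    if has_bom and "\n" in text:
        return "historical"
    return None


def find_matches(responses: Dict[str, bytes]) -> Dict[str, str]:
    """Return {host: fingerprint} for every captured body that matches."""
    hits: Dict[str, str] = {}
    for host, body in responses.items():
        label = classify_response(body)
        if label is not None:
            hits[host] = label
    return hits


# Constructed sample captures; hostnames are placeholders, not real indicators.
SAMPLES: Dict[str, bytes] = {
    # Constructed: the redirect.aspx shape described in the talk.
    "fp-a.example": (
        b'<html><head>'
        b'<meta http-equiv="refresh" content="0;url=http://www.google.com/">'
        b'<meta http-equiv="refresh" content="0;url=http://www.google.com/">'
        b'<title></title></head><body></body></html>'
    ),
    # Constructed: the older variant with a UTF-8 BOM and stray CRLF breaks.
    "fp-b.example": (
        b'\xef\xbb\xbf<html>\r\n\r\n<head>\r\n'
        b'<meta http-equiv="refresh" content="0; url=http://www.google.com/">\r\n'
        b'<title></title>\r\n</head>\r\n<body>\r\n</body>\r\n</html>'
    ),
    # Constructed: an ordinary page, must not match.
    "benign.example": (
        b'<html><head><title>Welcome</title></head>'
        b'<body><p>Hello</p></body></html>'
    ),
    # Constructed: a single Google redirect with real content, must not match.
    "mirror.example": (
        b'<html><head><title></title>'
        b'<meta http-equiv="refresh" content="5;url=https://www.google.com/">'
        b'</head><body><p>Moved</p></body></html>'
    ),
}

if __name__ == "__main__":
    for host, label in find_matches(SAMPLES).items():
        print(f"{host}: {label}")
```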
So we found that this second response was returned by about 85 or so other IP addresses, including IP addresses pointed to by three interesting domain names: nsoqa.com, qaintqa.com, and mail1.nsogroup.com. And NSO Group, of course, is a spyware vendor based in Israel. This is a screenshot of their product brochure showing that they do indeed control the domain name nsogroup.com, and in fact the first two domain names listed there are also registered to people with nsogroup.com email addresses. So NSO Group's brochure mentions that it's a leader in the field of cyber warfare. They have this solution called Pegasus, which allows full monitoring and extraction from phones, and it's exclusively for the use of government and law enforcement agencies.

So although Mansoor was the first target we found, he wasn't the only one. This is Rafael Cabrera, a courageous Mexican journalist, and we got in touch with Cabrera after we learned that he'd been receiving suspicious text messages. So what were these messages? Well, they included things like a fake Facebook link, account overage charges, news alerts related to his work, and then, bizarrely, just crude sexual taunts followed by a link. Why anyone would click on that is beyond me. Why was he targeted? Well, it turned out that the links were either shortened links going directly to the infrastructure that we had found, or directly pointing at that infrastructure. Now our guess is that this may have something to do with his work on the Casa Blanca scandal. So the Casa Blanca scandal, in brief, is the discovery that the now president of Mexico, formerly a provincial governor, received during his provincial governorship a house paid for by a company that got a concession to do an infrastructure project during his tenure as governor, widely believed to be an example of corruption. But this wasn't the only case either. In the course of our scanning we found evidence of targeting across the globe, from Mexico and the UAE to Uzbekistan, Kenya, Mozambique,
Qatar, Turkey, Morocco, Hungary, and elsewhere.

Now of course the question is, what's all this targeting, right? Well, if you listen to the chief counsel of Hacking Team, a company that sells this kind of stuff, he would have you believe, and this is a quote, that this is designed to target "terrorists, pornographers and other criminals". We could refer to this as the fig leaf. In fact, our research turns up, again and again, evidence of this technology being used perhaps for some law enforcement purposes, but also pointed at the political opponents and critics of powerful regimes: journalists, activists and human rights defenders. So who are these people? Well, let's give you a thumbnail sketch. Hisham, a human rights defender from Morocco, one of the few free voices during the time that he ran an organization, systematically prosecuted by the government. His organization, Mamfakinch, was targeted with commercial malware, worked on by Bill, Morgan Marquis-Boire, and others, including Claudio, who's here somewhere. We have an Ethiopian journalist based in the US. He and his news organization were targeted by, we believe, the Ethiopian government in the process of reporting on that country. So, clear evidence this kind of spyware in no way reflects borders. It certainly doesn't respect them. Carlos Figueroa, an opposition politician in Ecuador. And of course Ahmed Mansoor. What's interesting about each of these people is that they are, in our view, million dollar dissidents. The cost of these programs is in effect price-tagging the power of their speech in the eyes of the governments who are scared of them. So we have this thing that we bandy around in the lab, which is this idea of the principle of misuse. Basically, commercial surveillance technology, including intrusion tools and zero-days, will be misused in proportion to the lack of accountability and oversight. This is in no way a new discovery.
This is something that history has shown us, time and time again, with different regimes. Our view is that the current spyware market is just fully proving that history repeats itself. That said, there are some saliency issues. So as Claudio pointed out yesterday, surveillance technology that's sold by companies gets a lot of attention, and the specific companies who sell it get a lot of attention, whether or not they happen to be representative. This is especially true when zero-day exploits are involved, and it's also the case that this is only part of the threat to civil society. So here's some thumbnail bar charts. The point that I'm going to make with them is basically this: the lion's share of the malware attacks that we look at and that we see at the Citizen Lab (so note there's a potential selection bias) emphasize high social engineering sophistication and minimum necessary technical sophistication. You don't need a really fancy lockpick if you can climb through an open window. Some numbers to back this up. Here's some rigorous work done by my colleagues and I, tracking thousands of attacks against civil society organizations working in Tibet, as one example. And what we see when we track which exploits are used is a proliferation of old-days and very few zero-days. This pattern is fairly common. But that's of course not the whole story, and by no means would I argue that you shouldn't pay attention to commercial surveillance.

Right, right. As John says, you know, threat actors tend to focus on the easiest way to get in. However, sometimes the easiest way to get in is a zero-day exploit using these commercial surveillance tools. And commercial surveillance tools do receive a lot of attention, but I think it's important also to focus on these, because commercial surveillance is not just the surveillance tool.
It's really exporting all of the expertise to run a well-resourced surveillance state. If you look at companies that operate in this space, like FinFisher, for example, they don't just sell you the spyware. They do sell you the spyware, of course, but they also sell you the support and they sell you the training. And what is this? This is essentially updates to get around new security measures in antivirus programs. And if you don't know how to hack or phish, they'll teach you how to do that too. So these vendors are not just selling the tools. They're also facilitating the proliferation of the surveillance state.

So one of the bigger picture problems that we've got, as we're thinking about how to defend against this stuff, is the following problem. You don't know who the next activists are going to be. They don't even know themselves. And so the question is, how, in an environment where everyone is mostly using commercial platforms and tools for their communication, even their most sensitive communication, how do you secure this world? Well, one potential strategy is to make us all, forgive the hyperbolic language, potential million dollar dissidents. Put differently, this means raising the cost to target an arbitrary person. So how do you do that?
Well, there is the iPhone model, right, which is you create a walled garden, and you make it very, very hard for users to do certain activities. So you trade some user freedoms in exchange for security. We see elements of this model throughout. For example, as Chris Soghoian correctly pointed out yesterday, Chrome, an extremely secure browser, trades user security for a degree of privacy. One of the challenges of this space is that companies have done a really efficient job at attracting people who are activists, at attracting people who are going to use these tools in ways that are politically sensitive. And many who face serious threats, or will one day, are using a Gmail inbox right now, or something similar. These are not tools currently designed to handle high risk; they happen to be the most fluid tools for most user experiences. But even in these environments, one of the challenges is that the kinds of security options that would protect these groups are not default-enabled, say, during the account creation process. A really good example of this would be two-factor authentication. Another is browser sandboxing, complete sandboxing as a norm across the industry. So that's a little bit of what we think industry players can do, but what can you folks do in the audience?

So thanks, John. You raised some very good points about ways to raise the cost across the board of these sorts of attacks, and that's an important big picture consideration. So another thing, and one of the areas where specifically we work at the Citizen Lab, is looking also not just at the forest but at the individual trees themselves. And pardon the expression, they're not trees; they're actual real people who are being targeted with this spyware. And the questions we try and answer are: who are these high-risk users, and how are they actually being targeted in the real world?
So as we mentioned earlier, we build these deep relationships and engage with activists and civil society groups, and we encourage them to forward anything suspicious that they have and send it to us. So the starting point for all these investigations, as you saw at the beginning of our talk, is some sort of suspicious or suspected malicious digital artifact, be it an email, a message, a link, a file. And then we aim to answer the questions, of course: Is it an attack? How is the attack happening? Who's conducting the attack? Who's the attacker? And what else is the attacker doing? Can we trace and look at their other activities? So of course, you know, we do this at the Citizen Lab. We've presented some cases from the UAE, and, you know, my colleague John has done a lot of great work on this. But if we, you know, look at our John here on the map, so John is but one person, and he's a very, very smart, very, very talented, very, very hard-working person.

Bill did this when I was sleeping last night.

But despite John's best efforts, there's no way we can get John to cover the entire world. John doesn't have enough hours in the day to interface with all of the potentially targeted groups and do this work across the world. So really, oops, so really the issue is that we need more people working in this field, more people, you know, doing either the Citizen Lab model that I described, or working with organizations like Claudio's Security Without Borders or similar efforts, to try and not just work on, you know, raising the cost across the board, but also focus on these individual cases, which illuminate the big picture as a whole. So we'd like to conclude by just offering a few thoughts from Mansoor himself, being the main subject of our talk. We asked him if there was anything that he'd like to give to the tech community or to the world, and the message that he wants to convey is that defending human
rights, in his view, is becoming more and more difficult. So the work that he does tries to communicate with victims and, you know, connect victims with the international media to raise their cases and raise awareness of human rights violations. And that's becoming increasingly dangerous, because governments like his government in the UAE are increasingly retaliating in ever more brutal ways. For instance, Mansoor himself has been subject to beatings and arrests. You know, his car was confiscated, his passport was confiscated. Someone, suspected to be the government, stole about a hundred thousand dollars from his bank account. So these retaliations can in some cases be very brutal. And once the technology reaches these governments, like the UAE, he's certain that it will be abused and used to target, you know, dissidents, activists and other people who are just exercising legitimate freedom of expression rights. So he implores the international community and technologists to try and do whatever they can to make sure that these sorts of dangerous technologies, like Hacking Team, like NSO, like FinFisher, do not make it into the hands of repressive regimes in the first place.

So with that we'd like to close on some quick acknowledgments to some amazing colleagues. But first, thanking the organizers of this event for having us. We really appreciate that, and running the event so excellently. None of our work works very well without the close collaboration of a bunch of amazing colleagues: Ron Deibert, Sarah McKune, Claudio Guarnieri, Adam Senft, Irene Poetranto, Masashi Crete-Nishihata, Morgan Marquis-Boire, who did some of the amazing work on tracking malware from governments, the team at Lookout, especially Max, Apple Inc., who worked with us very carefully to do the disclosure process, and a lot of other researchers, including Seth Hardy, who've been tremendously helpful to us as we've done this work. And finally closing on
thanking passive total Um, so with that I'd like to open it up for questions from the audience if folks have burning things You'd like to ask us. We would love to answer. I see already a question at number four. So jump right in Fortune favors the brave So there have been attempts to to restrict The distribution of these kind of tools through the was on our arrangement Do you feel that that is the best way to do this? Well, I think what we can say is that our work on nso Shows that the current arrangement Is wholly under resourced for stopping the proliferation of these tools Um, and I think I'll leave it at that Yeah, I think it's also, uh, interesting to kind of look at how the efforts have been focused so far Um, you know specifically on on you know intrusion tools and zero day exploits But also, you know looking at what the key salient characteristic of these organizations like finfisher nso and hacking team are And in my view that the key characteristic is that they don't just give you the tools because you know anybody can can give you the tools What they do is they hold your hand while you use them. They give you support. They give you training It's this complete package that really, you know, can can bootstrap a government from from no knowledge to You know getting information from from activists phones and computers quickly Yeah, and I think I'll also just observe as somebody recently pointed out to me Some form of additional regulation is probably in the pipeline And we probably want to make sure as a community that we are as engaged as possible In ensuring that that regulation works and works for us Um and uh is balanced question on the two Have you been uh profiling what devices what platforms are being targeted? And do you have any idea if if as a government do you want to pay? I don't know a huge amount of money. You have to know which platform to target So how is it being done? How do you target your people and platform? 
Well, great question. It really depends on the case. I think in a lot of sophisticated attacks we see elements of profiling before targeting. In other cases, and Bill can speak to this, the exploit servers that we look at actually select and fire based on what device you touch.

Yeah, so companies like NSO or like Hacking Team, and probably FinFisher too, offer exploit services. So the government that's targeting you can create some sort of link, and the link dynamically sees what platform you're on, perhaps based on the User-Agent header or other headers in your request, and then delivers the appropriate spyware payload for whatever your device is. But I think when a government is thinking about this, when an attacker is thinking, hey, what platforms do I want, they can perhaps leverage some intelligence from their country, seeing which are the most common platforms in their country. But perhaps the smarter attackers would think and say, oh, maybe it's not really about the platform, it's about the information. Where is the information? What are the other ways I can get at the information? Maybe you want to access someone's email account, and the easiest way to do that would be phishing rather than targeting a specific platform. Or maybe there are files on someone's device that you want, and in that case you've got to hit that device.

Yeah, the flip side of course is cyber-militia-like groups, so the "my cousin knows computers" approach to doing malware, lots of commercial RATs. Those groups will often target what they see is most popular in the communities that they're targeting.

Question over there. Thank you for the talk. I would like to ask you two questions. One is, is there any metric to know, of all of these tools, how many of them were used for actual criminal activities, as opposed to just, like, dissidents? And the second question is, is it maybe that without this technology the tools that these governments would use would be more dangerous to these activists, like could they operate spies or just lock them up? Maybe it's a bad thing overall, but maybe it's better than the alternative.

So these are really interesting questions. Do you want to go first and then I'll say something?

Yeah, sure. So with respect to your second question, I think it's definitely an interesting point: if this technology wasn't available, maybe they'd be more brutal. I think it speaks to a fundamental philosophical argument, right? Do you look at what's going on and see something bad happening and try and stop that, see what you can do to try and make things better? Or do you think several steps down the line: well, if I do this, maybe they'll do that? At least from my point of view, I think what we want to be doing is identifying harms and wrongs that are happening and then trying to go after those directly, and then if the government starts torturing people in response, that's an additional thing that we advocate on and try and stop. I don't know, do you have any thoughts on that, John?
Yeah, I think that the elegant way to look at this is that states are very attracted to intrusion software, and nothing you're going to do is going to change that, because more and more communications are encrypted and many of their targets are not within their borders. And so I think the model should be: raise the cost to engage in those practices. You can't stop it and you probably can't legislate it out of existence, but the more the cost is raised through all these different means, whether it's more secure devices, whether it's better norms in the community so people are less attracted to the bright shiny things of selling bugs to these brokers, or whether it's working at behavior, you want to increase cost.

Question at number one. The majority of attacks, as you know, don't use fancy zero-day exploit chains. They'll use shitty off-the-shelf RATs. How do you hope to get the community and journalists to actually care about that? Because as a journalist, we're not going to write about another activist getting targeted by a shitty piece of malware, to be perfectly blunt, as John and I know.

Yeah, well, I think we had this conversation. For me, I think the question goes back to what the objective is. For us, the stories that are the most important are often the human stories of harm, and journalists, if they take the time, and their editors, typically will have a nose for those. And so in our view the most important part of doing this work is finding ways to yield up real cases. That said, I can say candidly we've noticed that editors sometimes, sort of without saying it in so many words, are tired of yet another story of journalists being targeted in the Middle East. This is a problem we struggle with. I think one way forward is a little bit sideways, which is finding cases where hacking and intrusion is used in cases closer to home. That doesn't just mean the Democratic Party or politicians. It could mean women who are victims of violence. It could be people who are being targeted or stalked. And I think more of those stories, and more of those human stories, will help, but it's an ongoing battle. It's why we're so pleased to be able to have a zero-day to talk about, to trot out these points. But I think journalists also have a tremendous role to play. So just one thing to flag: middlemen in the industry. The relationship between a lot of these companies and countries is often not direct. In between there's a middleman, an organization that provides them with a fig leaf of cover, which allows the company to say, we are not operational, we don't determine how our product is used, trying to absolve themselves of a lot of the liability. This often allows them to do things like skirt regulations or try to get around export control agreements. As researchers at the Citizen Lab, we can track the command and control and we can link it to companies. We can track the malware and we can link it to victims. But we don't have a good technical means to study middlemen. So I think that's a very fruitful area for journalists and other investigators to dig in.

I think also another final important point, just to wrap up really quick: the cases that have received the most coverage from the press, at least in my experience, are cases where you can actually show a documented harm because of some targeting, where some information was gained.
Someone was arrested and there's a documented harm. Certainly, as you point out, from a technical journalist perspective the stories that are going to be most interesting are the sexy zero-days. But from a traditional journalistic perspective, I think these stories where you can establish the causal link and say, hey, this person was targeted with whatever, it doesn't have to be sexy, but they were targeted, and we can show that some information was taken and then used in some sort of way that led to real-world consequences, I think that is the holy grail for highlighting. Because at the end of the day, the important thing to highlight is: the technology is a sideshow; the main thing is the person being targeted and experiencing the consequences for engaging in peaceful, legitimate freedom of expression activity.

Yeah, and in a sense, I think what we're talking about, we use the term "an epidemic of compromises", we're talking about a problem that looks a lot like a public health problem. And in the same way that public health has historically had trouble vis-a-vis doctors who consider themselves experts and might have some views about patients needing to wash their hands or engage in certain behaviors, the same problem holds true here. We see a lot of experts' eyes glaze over when we talk about attacks that use these simple tools, and yet they work. And in our mind that's a perfect example of a public-health-like problem. And we hope to get into a place with all of you where the norms make it acceptable to see this as just as complicated and exciting a set of problems, just having more parameters than a simple piece of malware. Can I bounce to the next question, or did you have a follow-up?

Hey guys, thanks for the great eye-opener first, and I have a question. I'm walking around here for like two days, and also in my daily life, I see a lot of laptops with stickers on the cameras or stickers on the mics. It really makes me laugh, but actually for me it's just an indication that we don't trust our software vendors. Have you ever talked about how, is there a community or something, that we can see or audit somehow the legitimacy or maybe the trustworthiness of a piece of software?

This is an interesting and hard problem. I'm going to take your question in a slightly different direction and say I think we're in a place where a lot of people don't have a lot of trust, but especially general users don't necessarily know what they should be doing, what the low-hanging fruit is, so not the perfect trust but the basic stuff. And what we see in our day to day is lots of activists and others who are not exactly nihilists but don't really know where the correct sources of information should come from, what behaviors are worth their time and what behaviors are too costly. And stickers on laptop cameras do have the advantage of at least raising awareness. I think the big challenge, though, is in the fact that people will be looking to us as a community for easy things that they can do without a lot of judgment and without a lot of snarky "just another user error". And this is a really defining problem for us. Bill, did you have something you wanted to add?

Yeah, I just want to echo what you said, John. Time and time again, I'm struck by dissidents that I talk to, and they mention all these kind of homebrew things that they do, a kind of artisanal security.
Yeah, artisanal security, right, where they'll say, like, oh well, I have this crazy system where I just keep swapping SIM cards in my phone to remain anonymous when making phone calls to different people. Or, oh, I jailbroke my iPhone to install a second copy of WhatsApp so I can have an anonymous number on WhatsApp. So I think there's a lot of these misconceptions floating around, and in the vacuum of legitimate authoritative sources of information like this, people kind of go to: well, here's how I think spying works, here's how I think government surveillance works, and therefore I have this perhaps incorrect mental model of that, and then I'll unfortunately get to some sort of incorrect security precaution. So I think this education is important, not just, like, seven basic security tips that everyone should do, something like that, but also more longer-term efforts to teach people how this works. Not an eight-hour class or something, but step them through maybe an hour presentation: how exactly does this work? What exactly should you be worried about in your threat model?

Yeah, thank you. Thanks, a great question. Do we have other questions? If there is no other question, gentlemen, because you're always so swift, you deprived us of the opportunity to applaud and thank you. And if the Signal Angel doesn't signal that there's a question, I think that was the... Any more questions? All right, all right. Thank you. Well, thank you so much.
Oh, you know what, one thought to add, a parting observation. When we talk to civil society groups about digital security risk, one thing it took a while to dawn on me, you know, white guy coming from North America talking to people about their problems somewhere else, an agent of innocence in a lot of ways, right? A lot of naivete. And one of the things that I discovered is that people, of course, surprise surprise, are constantly engaged in balancing the risks that they face in other domains. So non-governmental organizations are constantly thinking about the political risk of different choices. It's not that they are incapable of doing modeling of risk. They're often doing it. The challenge is how to help them port that thinking, and that willingness to think about those problems, into things technological. And I think we have a long way to go there, and one of the problems that we have is that the perfect is often the enemy of the good. So a lot of the recommendations that we might be tempted to quickly make to someone, like, oh, well, you should use this particular security tool because it's secure, often not only don't quite mesh with their needs, but don't reflect the nuance with which they think about their own risks and the choices, in balancing that, they'll need to engage in.

Yeah, I think there's one really interesting anecdote that I can tell that kind of crystallizes that from an individual user point of view. So I worked with some activists in Bahrain, and we heard a story a couple of years ago that a bunch of activists were arrested by being traced through this messaging app that they were using. We analyzed it. It was an insecure messaging app called Zello. And basically, our first thought was like, okay, well, let's recommend that they use a secure messaging app. But the reason why they were actually using this insecure app was it was the only one they could find that provided a walkie-talkie functionality. And how they used this is that an activist would be asleep in his bed, he'd have the phone beside his bed, and if the police were coming in doing house raids and searches in the village, then someone would get on the walkie-talkie and broadcast the message to everyone, and it would wake up the sleeping people immediately, like dozens of people, and say, hey, there's police raids in the village, right? And so they couldn't switch away from this because it was part of their model of avoiding the risk of being arrested by police, and this interception digital security risk was kind of ancillary in their mindset to this real-world risk. So I think that's a great point.

Great. Did you have anything you wanted to add? I think I'm good. All right, guys. Thank you so much for your time and attention. We really appreciate the welcome here. Thank you. Thank you.