Okay, everyone. Let's get started with the next session. We've got Joe Gray. He's a hacker and social engineer. Joe is the co-founder of, I'll read this again, Through the Hacking Glass, which provides free mentorship and training for info-sectors, and Joe's going to be talking about deceptive techniques to derail OSINT attempts. And over to Joe.
Thanks. Can everybody hear me okay? Cool. So welcome to Decepticon. About me: I'm a senior security architect, 2017 DerbyCon Social Engineering Capture the Flag winner, 2018 and 2019 NolaCon OSINT CTF, we got third place on that, the Password Inspection Agency, second place this year, BSides Atlanta, Forbes contributor, and I'm also in the process of writing a social engineering and OSINT book with No Starch Press, tentatively titled Securing the Human Element. And I've started doing some OSINT training. I'll give you some more details on that at the end.
So basically what we're gonna talk about: we're gonna talk about where OSINT comes from. So we're gonna start at a very ground level. This may be a little bit basic for a lot of you. And then we're gonna kind of explain tools and techniques that may be used, because we're looking at this from a personal OPSEC perspective. But at the same time, we're going to kind of incorporate some business perspective into it as well, just because at the end of the day, we're supporting a business as well. We'll talk a little bit about online deception. Time permitting, we'll talk about decoys and canaries, a little about, a little bit about encryption, social media, and identity management, not to be confused with identity and access management. If you need help with your identity and access management: per this badge, I am a state password inspector. I will inspect your password after the talk out in the hallway. And I've got a badge, so it's perfectly legitimate too.
So with OSINT, this definition is derived from the CIA's resources. Love them or hate them.
They do come up with some really good PR-friendly definitions at times. So basically, where are we getting it from? Well, of course, the internet. That's pretty much the given. But at the same time, we've got things like mass media. Those of us in the United States, and even some people abroad: in the 90s, the JonBenét Ramsey murder. A lot of people, I've actually heard this, I have no insider knowledge to this, but I've heard people say that the reason that happened was her dad owned a company and got a round of funding, and there was something in the newspaper about it, and there's suspicion that it could have been a kidnapping gone wrong. Don't know. I was very young when that happened. But that is a scenario of: if you put something in the media, whether it's a press release, a newspaper article, or anything, you are letting someone know that you are affiliated with something, something has happened. You've gotten a round of funding. Somebody's bought your company. Your company filed for bankruptcy. Your company's chief financial officer. It's ugly. Who knows? I mean, there's all kinds of things you can find from that.
But then specialized conference proceedings, journals, all that fun stuff.
That's more for the academic community. So like if you present for like ACM or IEEE, you have to submit a formal actual paper, not just an abstract and an outline like you do for most conferences. With that, there's information on there: affiliations, email addresses, sometimes phone numbers, sometimes the source of the funding, which gives me as a social engineer a pretext to have an excuse to call you or email you.
Photos: of course, you've got the metadata of the photo, including, if it's taken with a phone and not put through social media or a scrubber, it could have latitude, longitude, type of camera, pixel count, horizontal, vertical, front camera, back camera. If you want to test this out, have someone take a random picture and email it to you and then just view the info for it. You could put it in an EXIF tool if you would like. If you go to osintframework.com, there are links to OSINT, or I'm sorry, EXIF tools that you could actually upload the picture and it'll look at it for you as well. Also with photos, you've got the ability of reverse image search. And then it's sometimes, like with what Josh Huff demonstrated at DerbyCon a few years ago, it's not what the photo is telling you, it's what's in the reflection of the photo, because someone had taken a picture of a gas pump, and in the reflection was a car, and he was able to trace it to the type of car, the general location of it, and so forth and so on. So he could have went way further with that than he did.
Mapping and geospatial information: before I do any social engineering engagement, I tend to do what I like to call taking a stroll around the block, and that's just hopping on Google Maps, Bing Maps, Street View, Streetside, and I go and I look. There are other sources as well, but these are like your two most basic, and I'll try to find out: hey, is there a gate? Do they routinely leave this gate hanging open?
Who's the company? Because I frame a lot of my stuff from, for social engineering. And then from there, of course, social media, and then within social media I'm going to go ahead and lump in dating sites as well, just because there are interactions between your social media platform and your profile on a dating site.
So where do we gather it? Seeing as I did seven years on a submarine, this is probably one of the most ironic pictures I've seen, and it perfectly describes the dystopian society we live in, that we would rather view the world through the lens of what the single source of information is telling us instead of just opening the door and seeing the world for what it is. And I mean, if we wanted to go and have the same talk down in the Voting Village, we could do the same thing and talk about people's opinions are skewed based on what they're seeing there, and that's skewed based on algorithms and bias. But we're not in the Voting Village. We're not in the Crypto Privacy Village. So we'll leave that right there.
So if we want to look at major resources: the slide used to have IntelTechniques.com. Let's take a moment and have a moment of silence for the tools section of IntelTechniques.com. And people, there's a great moment of silence. But anyway, OSINT Framework. So leading into the Trace Labs missing person CTF, I taught two four-hour sessions leading into it to help people out, based on feedback from judges, like what frustrated them with submissions, to get better quality submissions. And as a byproduct of that, the majority of our time when dealing with tools was actually osintframework.com. I had people come in with API keys and be ready to use tools like Recon-ng, DataSploit, theHarvester, things like that. But honestly, OSINT Framework scratched the itch for the majority of things we were looking for. And for itches it didn't scratch and the tools couldn't scratch, there's always our good friend, my favorite advertising firm, Google. Because let's face it.
They're an advertising firm that dabbles in security and email. I said it. I used to say they were the evil empire, and then Mark Zuckerberg said, hold my beer, watch this, and then he bought Instagram. But anyway, with these tools, I mean, I hear there's some affiliation with DataSploit and the specific village. Just a slight one. But for the personal OSINT perspective of the tools I'm listing here, honestly SpiderFoot, DataSploit, and OnionScan, the three that you're going to look at for your personal profile, solely on the fact of: Recon-ng, it has some capabilities, but that's more for looking at data breaches. You can actually do stuff with your IP address, with your email address. It's a little bit more meaningful out of DataSploit. OnionScan, that's just going to compare public SSH keys with like dark web type stuff. It's meant as a privacy tool, but it's just like Nmap. It's just like Metasploit. It's just like a hammer. Is it a tool or a weapon? Intent.
So when we gather it, where can you get it? Well, this is some borderline HUMINT here. I like to call it RUMINT and DUMBINT at times. A couple years ago I was in a department store around Christmas time and I heard a man on the phone giving a 16-character string. It was purely numeric, starting with the number four, in the middle of the mall. I was busy and on my way to get something, or else I would have stopped and asked him to repeat it, that I missed the last four, and I could have probably went ahead and asked for the CVV as well. But anyway, um, bars. That's a hot spot.
I was at a conference in Orlando last month and I was approached. I had changed clothes, was not wearing a badge, was not with anybody from the conference. I was approached by someone that some people in the US may consider hostile, in terms of country-wise, asking me how the conference is going and asking if I'm willing to teach them about technical security. Fortunately, I had populated my calendar with all my events here, and because I use three different email addresses for the calendar, everything was duplicated twice. So I just went scrolling. I was like, oh, no, sorry, I'm booked through the end of the year. But anyway, I go inside. There's some people from the conference sitting at the bar. They're all co-workers. They're talking shop, and guess who's sitting right behind them? And even after I told them, hey, these people are probably listening to you. They hadn't even drank that much. They weren't even drunk, and they still wouldn't shut up. So I rage quit, went to my room.
Anyway, who in here does not have a social media account whatsoever? It's bad, and we'll talk about that in a minute. But even if you don't, I'll go ahead and hit the segue to that: your family, your friends, your co-workers, siblings, children, parents, cousins, somebody's bound to have it. I hate to break it to you, but the Zuck already knows you. You're already in his algorithm, and we'll get to the other side of that shortly.
I like back windshields. The number of times I've almost crashed my car trying to take pictures of back windshields outweighs the number of times that I drive my car safely. But Tennessee has now passed a hands-free law, so I've got to find a way to get Siri to take the picture while I'm driving. I'm gonna have to get a windshield mount too. But that's gonna change my threat profile, because now people are gonna think I've got a GPS hiding in the glovebox, and then they're gonna break in.
But anyway, on the internet, additionally: forums. That's a hot spot at times.
It tells me, as an OSINT investigator that's trying to build rapport with someone: hey, you're interested in this, or you have to do this. If I see that you live in Canton, Ohio and you're a huge fan of Python, I look in forums. You're asking questions. You're getting into heated debates on Stack Overflow. I find your GitHub. It's all Python, and I see Canton has a Python users group. I can go easily build rapport with you, various ways to do that, and then I can ease, at that point, I've entered your bubble. Anything could happen from there. If I wanted to go hard, I could dox you. I could try to do some sort of extortion, something to that effect. Or if I were trying to cause physical harm: get you to build trust, schedule a Python get-together, go into the snake exhibit at the zoo, and then coincidentally unleash a cobra or, um, another snake, maybe a pit viper, to kill you, if I wanted to do that. I'm terrified of snakes, so there's no threat of me doing that. Trust me. Um, I'm terrified of iguanas, to be honest.
But anyway, resume sites, same thing. Indeed is a great place for that. You don't have to register as an employer to go searching resumes on Indeed. So to kind of transition out of the OPSEC thing for just a second: if you're doing reconnaissance against a company, search for that company on Indeed resumes and see what kind of technologies they're using. I mean, the resumes may not be up to date, um, but it's giving you an idea: at some point in time, the following was used. Then you could pivot to LinkedIn and find some people to corroborate that for you, because everyone's the vice president of something on LinkedIn. Let's just face it. And LinkedIn is not meant to be a pump, but people keep pumping data in there instead of filtering it. I don't know why.
Anyway, um, we've already discussed like social media and dating sites. So more of the where: you know, we got the Google-fu going on. Google's really solid for that.
But don't put all your eggs in the same basket either. You've also got DuckDuckGo. You've got Bing. You've got other search engines. If you're looking for things in certain countries, you might need to use the regional search engine for that area. You may need to even change the language setting on your computer to get the results. So that's something to consider from there as well.
The other thing that it's worth mentioning on the slide would be review sites like TripAdvisor and Yelp. Again, that's telling me a lot about you. I know based on this that you were in New York City on February 33rd and you ate at this Italian restaurant and you thought it was hot garbage. I know that you stayed in this hotel on March 52nd, and the hotel was in Las Vegas, and you walked into the room and it hadn't been flipped, and the manager called you a liar, so you said that they had bed bugs. It wasn't Vegas and it wasn't March 52nd, but that may have happened in Atlanta. I created a ProtonMail just for that.
Anyway, so collecting: you know, at the end of the day you need to build a dossier on yourself, and there's two ways you need to go about doing this: do it yourself, and then phone a friend. Uh, back in the glory days of the IntelTechniques forums, uh, it was a routine. I heard Michael talking about this on the podcast all the time: pair up with someone, they investigate you, you investigate them, share the findings, remediate. Since I am not sure about the, uh, status going forward of the forums, um, if you need to do it, there's always OpenOSINT. Um, I think it's openosint.team. I don't recall the URL. I'm sure someone in here has the correct answer. But anyway, find someone you trust. If you're not, even if you're not there, then, um, just go on Twitter, hashtag OSINT: hey, I would like to know about my personal dossier. Would anyone be willing to collect some OSINT on me and share it? There's nothing wrong with that.
I mean, for people who are up and coming, and people who want to keep, uh, sharp on the topic that don't get to do it as often as they would like, they're going to jump at this opportunity. And you never know, even if you have a newbie do it, they're going to search a completely different way than other people sometimes, and as a byproduct of that, they're going to find things that someone seasoned may not find. It's just the way it is. They may enter their search criteria different. Nothing wrong with that.
But you know, of course, the picture, the picture and your likeness. That's why I use that green caricature face on Twitter. People think I'm an old man with a porn 'stache. Then I show up baby-faced or with a beard and in my 30s. You're like, you're a lot younger than I expected. Thanks. Get another disinformation works.
Um, but also your location: your location in terms of where you live, where you work, where you travel to, how often you travel. If I wanted to wreck someone's life, I would find out their employer initially. I'd start calling, then emailing, then start blasting them on social media. I'd make up something absolutely atrocious. I might even go in myself or have someone else go in and cause a scene. Because eventually the employer is probably going to have enough at that point. They're probably going to let the person go. When they let them go, I mean, future employers are going to call them for a reference, and that reference is probably not going to be pretty. They may say:
Hey, this person's got a really solid work ethic, but boy do they bring some baggage.
Um, usernames and handles. Show of hands: who uses the same username or handle across all platforms? I know you do, Zach. I already checked for you. It's part of your DEF CON Groups background investigation. Anyway, um, that's actually a threat in and of itself as well, because if you do this and you don't apply proper disinformation, tools like WhatsMyName or Profiler or Namechk, you can go and drop that username in and identify every single website that that username is used on. I had a few people that were on Twitter that volunteered for this. Um, Adrian Sanabria, who I'm co-presenting with at 2:30 today in the Red Team Village, he was gracious, gracious enough to allow me to do it, and I thought I came across some really juicy stuff. There were a few porn sites there. I was like, this isn't the Adrian I know. Nope, it was someone else who uses the same handle in Spain. Another person that volunteered, uh, shout out to the Blue Team Village, munan. He agreed to. I may have called him a few bad names, because he went across all platforms, created accounts, and populated with pure garbage. I wasn't able to get anything on him, anything of any value. The only thing I knew was legit was Twitter. That's it.
What about pesky MySpace? Who here still has a MySpace they've not deleted?
I know you do, Eric. I was doing some 1099 work for KnowBe4. Um, you're welcome for the background investigation. It is, um, I don't know why you picked that Celine Dion song to play when people go to your page, though. Yeah, your heart does go on.
Uh, but anyway, the employers, or clients if you're in business working for yourself: instead of calling and doing things with your employer, you can easily run disinformation and destroy the whole client environment, betray the client's trust. If I don't trust a business, I won't do business with them. That's why you always see me riding in a Lyft, not an Uber. I'm sure there'll be a time that I don't trust either and I just have to flip a coin, but until then, there we have it.
Um, friends, family, lovers. It's just nature of the beast. Someone's bound to have anything. I was doing an investigation. I was looking for someone. Um, and I was told that, I don't remember where it was, I'll just say Indonesia. I was told they were in Indonesia. Here's the URL to their Facebook. I go digging, and this account was like a total ghost. So I went searching for accounts of the same name. I found another account, one mutual friend. I go looking through that mutual friend's pictures. That mutual friend is very passionately, I might add, with the person who I was looking for, who was on a different account. So then I found this other account and I was able to identify: oh, they just checked in at this place. Where's the location of this hotel? Because they didn't say the city, and I clicked it and it didn't work. So, oh well, they're in all these places. Let's do a reverse image search for some of this tacky hotel wallpaper. Because can we, can we all agree that hotels use some really tacky wallpaper? And I mean, I'm a terrible artist.
I can't trace a dead cat, but I think I could probably get a high-paying job creating art for hotel rooms. Just being honest.
But anyway, any other personally identifiable information that's out there. Depending on where you are in the world, that definition changes. For example, in Europe, based on GDPR, that would be considered your email address or maybe even your IP address. What are your interests, likes, and dislikes? What causes are you passionate about? Are you a staunch supporter of the EFF? What are your thoughts about the inhabitant of 1600 Pennsylvania Avenue? Please keep them to yourself. My blood pressure is already high today. So political affiliations. What, what is your political affiliation? That can play into things.
With the social media, look at the platforms they're using. That's going to be generational as well. This younger generation, they're all about what's instant. So Snapchat, Instagram, selfie here, a selfie there. Oh look, I had a bowl of snapping turtle stew for dinner tonight. It was delicious. Vomit face. What's the sharing profile? By sharing profile, I mean privacy settings, and how much do they overshare? There's a debate group I'm in on Facebook, and someone got bored one day and created personality profiles for several people we had observed in the group, and there's one that's called a number 17, and that's a chronic oversharer. It doesn't matter what you say, they have a story to go with it and they are the authoritative subject matter expert on it.
But anyway, password reset questions. I look at your relationships. I see, oh look, there's their mother. Let's go back. Oh, mother listed their maiden name. Let's go, let's go corroborate this on something like FamilyTreeNow or TruePeopleSearch. Yep, checks with chart.
Let's do a password reset. For anyone that's wondering, my mother's maiden name is a 16-character string, and she's one of the few women I know whose maiden name actually has the, uh, pound sign, uh, in it. Crazy. I don't know what my grandparents were thinking when they were able to legally change their last name and not have a public record of it. But hey, you know.
And then, uh, who in here likes to do those dumb quizzes on Facebook about like, what's your pro wrestler name? I like them too. I love them. Um, but with Google, you've got to, you've got to employ things like innovative thinking when you're going across your searches. So Google, Bing, DuckDuckGo, all of this: innovative thinking. Be creative. Don't confine yourself to just saying what you want. The three resources I've listed: two of them are cheat sheets, one from SANS, one from AlienVault; the other is the Google Hacking Database. That's going to help you construct specific queries to found, find what you're looking for. Bless you very much in the back. Um, but anyway, you want to have the search, because it's not necessarily the question you ask, it's how you ask it.
So when I'm doing face-to-face social engineering, one of my favorite questions to ask is, what was your mother's, what was your mom's name before she was married? I said nothing about a maiden name. I guarantee you I can go right outside that door right now and within a minute probably get somebody to actually tell me something. I'm not going to. I wouldn't sit and validate it. But the fact that they would actually give something, it's kind of alarming. Especially if we went down to the casino and did that to people not wearing these little circles, it would probably be a lot more effective. And depending on where you are in the country, like if you're in the South: who's your mama's people?
Who's your mom and them? Say stuff like that, you're in.
So again, just to reiterate, the gold mines. These are the ones that I have had the most success with, and the one on here that I've had the absolute most success with is Instagram. I know you work at, um, Projector Company Inc. I go look up Projector Company Inc.'s mailing address. I input that into Instagram. As a byproduct, I now see every post that was put up at that location with location services turned on. I challenge you this: when you get some time, pick a Fortune 500 company, I like the Fortune five to be honest, and from there, put in the address of their headquarters. See how many times you have to scroll down before you find a badge. It's alarming. I could tell you that there is a very large Fortune one company who, uh, their employees have blue badges and their execs have yellow badges. I could tell you there is a lot of Arizona Razorback, or Arkansas Razorback, fans there, because someone took a picture of his sports ball swag behind his computer screen while his computer was unlocked. That corroborated a lot of things that I found using metacrawler in terms of software that was used in files published on their website. So Instagram. It's the new OSINT.
But when are we, when we think about this, we have, you know, there's some defenders in the room. We've got to look at some mitigations. Um, let's go ahead and throw in some buzzwords. Well, we'll do some blockchain synergy, artificial intelligence, machine learning mitigations, advanced persistent mitigations. Yep, military grade.
Rate limiting: I should not be able to try to reset your password 45 times in three seconds. I can't type fast, but even if I could, that's pretty darn fast. With the canaries and deceptive technologies, this is more of a corporate thing. But employ this with the, with the rate limiting. I mean, if you have a personal website, it'll work. Same thing there: look at your configuration. Don't let your hosting provider just do the wizard for you. Uh, deceptive technologies.
You may be able to do some things with that as well. I have an email address that I've got published all over my website, and I love it when I get these invoices for products that I shipped, or that, uh, was shipped to me, that I have no knowledge of, especially when it's in very poor English coming from somewhere that doesn't match. And for whatever reason, this attachment's a .exe, but it claims to be a PDF. I don't know how that works. That must be one of those, um, new file type. Okay. I was thinking it was probably one of those new, uh, Microsoft ATP functions. Who knows.
But anyway, it doesn't matter where you are: segment things. Segment your personal life from your work life. Don't work on personal crap on your work computer. Don't work on work stuff on your personal computer. That's containing your profile. It's protecting your business, but it's also protecting you. If you're in the US and you're working on your personal things on your work computer, not only are you consenting to being monitored, but if the company decides to pursue you in court and say that's our intellectual property, you have no leg to stand on in civil or criminal, anything, period.
Uh, encryption, to a degree, is going to help this. Just because it's on the internet doesn't mean it needs to be unencrypted. You know, we, we can say crypto without saying currency. We could say crypto and add graphy to the end. Or gruffy.
But anyway, minimize the data. Opt out when you can. If you're planning any international travel, like say to Europe, uh, there's a cool little hack you can do. Uh, I'm not sure if this would work if you just did a VPN to, uh, the EU, but it will certainly work if you actually are physically in the EU. Um, just opt out of everything. Use the GDPR right to be forgotten. If the company fails to do so in a timely manner, uh, they could be fined up to 4 percent of their global annual revenue. So when I went to Hack in Paris this year, you know, Paris, France is in the EU, um, as soon as I got that IP address,
I already had everything staged. I spent some time the weeks leading in. I was like, I'm gonna opt out of some stuff, like especially the really pesky stuff that doesn't have a clear, easy process. But opt out when you can.
Train your people. Train your family how to report incidents. I mean, if we're talking about this at a home, in a home setting: aside from Zach, I don't know anybody who has a CSIRT in their house. I just don't. If you do, please enlighten me. But if you get a phish, a phish, something suspicious, some, some weird contact, how are we gonna handle this? Do we report this to law enforcement? Do we report it to social media? Do we try to get it taken down, or do we just leave it in place? How do we do it? Because reporting to social media is sometimes the right answer. Reporting to law enforcement is sometimes the right answer. Sometimes it's the wrong answer. If you report it to social media, there's a good chance it's going to get deleted, and then you're now going to have to get a warrant for them to cooperate with law enforcement. Gamify things if you can. That's more of the business setting.
But anyway, when you're collecting, you've got to think about: what is the end game? Is this ethical? You're collecting on yourself, so I would say we could go ahead and check that box and say it's very ethical. Um, how do you protect what you've collected? How do you get what you've collected to go away? And then the collection swap with the trusted peer. That's what I was talking about earlier in terms of: find someone that you trust enough to do this without misusing or just basically compounding the problem. Find someone and then collect that information, and then you may do the same for them or something to that effect.
So let's move into the actual OPSEC piece. So you didn't know the, know thy enemy. Who are they and why are they coming for, for you? I always think back to that really cheesy horror film The Strangers, and they're like, why are you doing this to us?
Because you are home. You could be a target of opportunity. You may be LGBTQIA+. You may be a woman. You may be a minority. You may be a Trump supporter. You may be, uh, anti-fascist. You may have said something that people consider to be bigoted. As a byproduct, someone is coming after you. They want to wreck your digital life, and in some cases, in real life. They may be trying to stalk or harass you. They may be trying to inflict physical bodily harm, um, leading up to death and or rape. It could be all sorts of terrible, atrocious things. So this is why it's important. You need to know your profile. Are you in a position that nation-state threat actors, sorry for the thing, take a drink, um, that they are going to come for you? What happens when they do come for you? I've got to pick up my pace a little bit here. Um, why?
So if you want to opt out, here's three blog posts about opting out. I've got an opt-out link, uh, curated by Micah Hoffman, WebBreacher, on the, uh, next slide. I will make these slides available, uh, just so that I can keep it rolling a little bit. Although, uh, I did just inadvertently get a Lady Gaga song stuck in my head, because I heard someone refer to this as the paparazzi. So I got that stuck in my head. It happened to me yesterday too. Anyway, so that's the link if you want to get the opt-out links. He has pretty good instructions for that.
So, secure internet usage. I'm not saying you can't use Google. I'm just saying that you might want, might not want to trust it. Use a VPN. It was brought to my attention yesterday that there is suspicion that ExpressVPN has been influenced and possibly subverted by the Chinese government. So I'm not endorsing that even though it's on the slide. Um, so as a byproduct, look at something else. Do your own independent research. Um, and then at the conclusion of my own research, I'll adjust the slide as necessary. Um, what's your browser add-ons, your extensions, your vulnerability management post, your standard cyber housekeeping?
I know I just said cyber. Take a drink. Consider whether you're going to use your real name or your real pictures on social media, uh, or dating apps. Funny story: my mom started dating for the first time in like 30-something years a couple years back. She came back from a date once and she was livid. I was like, oh, that good, huh? She's like, he lied. I was like, about what? She's like, his name. I was like, what'd you think it was? She's like, Keith Stone. I was like, you obviously don't drink beer. You obviously don't watch TV. Because that was the time that they were doing those really corny Keith Stone beer commercials.
But are you in a position where you're in the public? Are you law enforcement, an executive, a public speaker? Um, at your employer, does the news come in interviewing you about things? You know, is your email address in data breaches? Do you use the same username all over the place?
So if you want to do something, here's a thing called the Streisand Effect. There's the link to the GitHub repo. Basically you run it in Linux. It's a script. You input an API key. It will start a cloud instance for you on your cloud provider of choice, whether it be AWS, Azure, DigitalOcean, whatever, and it will set all these things up for you, help you cut a key, all that. That's going to cut your ability of subversion down drastically, because the only threats you have to deal with would be the software associated and the hosting provider, as opposed to a service provider that you don't necessarily have the transparency for, because you do have root-level privileges with this system.
So when we talk about deception: disinformation is a type of deception, and you have deception. Unless you're talking to law enforcement or in a court of law,
There's no obligation to tell the truth And as we've learned from politicians, he might still be able to get away with not doing it then but nevertheless Have your have some fake accounts put some things out there see what gets picked up on When you see things showing up in people you should know that's when you need to get concerned on facebook consider how you're going to pay for things Consider honeypots Honey tokens, honey email addresses Canaries all that fun stuff So with the disinformation make it hard for someone to attribute something to you For the males in here if you if your given name is a junior or a third You're actually at a significant advantage as long as both people with the same name don't use junior senior all those qualifiers Don't use the same browser. There's a tool called browser links. Just do a search for browser links. You can emulate navigating websites from windows 95 if you want to For the ideal facebook viewing experience, that's what I do but anyway Perfect data out about yourself. Michael Basil routinely talks about magazines if you subscribe to your information is going to end up in the public I'm not going to say where but there are several hotels that are receiving complimentary golf digests Forbes wired and Asquire magazines courtesy of yours truly solely because I thought they needed it I'm done with hotels now. So I think when I do it the next time I'm going to do some doctor's offices Because you know, they're going to cut your address out of it your name and all that stuff because they want to make it look like It was coming to them um You know do that If you want to run some disinformation accounts set up some stuff proton mail hush mail pseudo My pseudo app is amazing I use it all the time when people are like trying to get really snoopy. 
I'll give them a phone number I don't like, yeah, call me up. And, you know, some people, like when they really want, they'll be like, "All right, let me call us so I can have your number." You can still answer it. You can text from it as well. It's beautiful.

Um, with social media: various levels of accuracy. Have some accounts with your name and somebody else's picture or a caricature. Have some accounts that have your picture with someone else's name on it. I mean, I wouldn't say be Keith Stone or Seymour Butts, but come up with a realistic name. You can go double false and use a fake name and a fake picture. And you can go double true if you want. Double true could be tricky though. I'm not sure I'd go that route.

Final layer of the OPSEC: consider a New Mexico LLC. There's some privacy behind that. So you can use that for things to generate public records, like buying a house. Do not subscribe to magazines with your LLC though.

So, other places of public record. If you're in a publicly traded company and you're an exec, there's a good chance your name is going to be in SEC Form 10-K, as well as maybe 8-K and some of the others.

Here's what you don't do. Don't apply for a new Social. The vast majority of people do not qualify to get a new Social. If you go to the Wikipedia page for Social Security numbers, you will actually find a fake... a real Social that has since been retired that you could use as a fake. A wallet manufacturer in 1938, he took his secretary's Social, made a copy of it and put the copy in every single wallet that was sold. So the secretary got a new Social. I used to have that memorized, things like 07 8 114420, I think. Could be wrong.

Don't legally change your name, because what does that do? Creates a public record. Don't avoid social media altogether, because you need to have that social media account. You need to have, you need to be friends with people. So if someone stands up an account posing as you and sends them a friend request thing, that, hey, did you do that?
Well you had, did you lose your phone? I mean, I've got this one cousin. He gets hacked or loses his phone at least nine times a year. If you looked through my friends list, you would see, like, this guy named Fred, and it's like, man, he's got a lot of accounts. He must be really good at hosting. No, he's really that clumsy. Um, but also don't take an absolute stance on anything. Well enforcement, all that fun stuff.

I'm going to skip the deceptive stuff just because of time. Um, but here's a quick border by about Through the Hacking Glass. Basically, we're trying to do what academia and certifications are not geared to do: um, experience. Um, and here is hacker hold it, get a picture of that real quick. And there's my contact information. I don't think we... do we have time for questions? No, sorry, I will field questions in the hallway. I was told I don't have time.