Okay, let's get started on the next session. Next session I'll hand over to Master Chen in a second. This is the follow-up kind of talk to a 2015 Skytalk which was automating, stalking, and now this is the antidote to that of a stalker and a haystack, and without further ado, I'll now hand over. Thanks very much.

Hey, everybody. So first of all, I want to say thank you to the Recon Village. I want to say I love how big DEF CON has gotten. I really do. But the villages is kind of, I like speaking more at the villages because it's more intimate. I get to see more faces, like literally see more faces because after about 30 feet I'm blind anyway. So it's good to see everybody here. How many people are hungover? Okay, that's why you're all here. All right. Because nobody here is hungover. All right. Okay, awesome. Anyway, so my name is Master Chen and today we'll be talking about finding stalkers in haystacks. Just like the introduction. In 2015 I did a Skytalk called Automate Your Stalking. And what I did was basically monitor the person, my subject or my target, without following them directly. And I'm going to get into a little bit of those details. Okay?

First off though, who am I? Here's the laundry list of stuff that I've done. I've written for 2600. I host a podcast here locally in Las Vegas, by the way born and raised. So it would be a shame if I don't attend DEF CON, right? So I've written for 2600. I do my own podcast here in Vegas. I am the SYN Shop secretary, the hackerspace secretary here in Las Vegas. And here's some of the times that I've spoken before. So I started it with BSides. I spoke at DC101 in 2016. I've spoken again at BSides and of course in 2015 down here at the bottom is DC Skytalks. And of course the reason why that's red is because this is the follow-up to that talk. And before I get started with the meat and potatoes, I want to know a little bit more about you guys. How many people, this is your first DEF CON? Okay, cool. Awesome.
Thank you and welcome to DEF CON. Three days later at the end of it. Okay. How many of you guys are phone phreaks at all? Anybody, does anybody have phone phreaks a little bit? Okay, cool. Awesome. I did that talk on weaponizing your feature codes back in 2016. Turning, you know, *69 into a call flutter or *67 into an SMS flutter. We'll talk about that later. Okay. Anybody here psychology geeks? Anybody who's into psychology or maybe social engineering? Okay, cool. So I have a bachelor's degree in psychology. I've never used it in the technical field. I'm a VoIP administrator by trade. So hey, Cs get degrees, whatever. All right. And did anybody make it to my talk back in 2015? Okay, well, Connick, you don't count. All right, cool. So everybody here is kind of like new to the concept or new to what I've been talking about. All right.

So before I show the next slide, I do have, these are the harder questions in the next slide. How many people have been stalked before? Either in real life or online? Okay. Of course, this is why you're here. Welcome. Okay. Hopefully I can help you and, okay. And how many people have done the stalking? How many people have, this is where I was hoping that no hands were raised. All right. Okay. Thank you. Keep an eye on that guy back there. So those are those questions there. I really was hoping that I got zero. By the way, I did the Skytalk on Friday and I got like three hands. So you guys were a much better statistic. All right.

So these are standard disclaimers. Again, before we get into the technicals, I am not a lawyer. I am not a stalker or I ain't no I ain't us. I am not a lawyer. I am not a stalker. Okay. Stalking is bad. Please do not do it. But you can let me do it for research purposes. Now this research only covers one attack vector. We're talking about social media, specifically Twitter. Okay. So that's where we're going to focus on.
But of course, later on, I'd like to branch off into other types of social media and maybe apply my algorithm to those types of media. Okay.

So why this talk? Again, I've been saying this like three or four times. You know, 2015, automated stalking. I felt bad because the people who came up to me afterwards were asking about the stalking method. Like, how do I do this and how do I do that? And I was like, you know, you're asking very pointed questions. I don't know if I might have released a tool that made it easier to be a creep. And I, you know, I don't want you to be a creep. I just do things because I'm interested. This is a hobby. It's not that I actually want to stalk people. I just wanted to see what kind of data is out there. And that's my only motivation. And so when I saw people coming up saying, how do I do this and how do I do that? It made me a little bit nervous. So that's why we're here today. This is the band-aid. Here's the repository for the code that I wrote back then. I did write it in Ruby, but now it's in Python. I've been convinced to write in a different language, but whatever. And there's the PDF version of the talk, the slide deck from back then. Okay. Okay. So I'd like to even the playing field today, and that's why we're here. Okay. All right.

A quick recap of the 2015 talk and the methodology. Okay. So these are some of the stalker statistics from the Bureau of Justice Statistics. That's their website there. And what they told me, and the statistics haven't changed. So I tried to check their statistics to see if that has been updated, but they showed the same numbers. So 14 in a thousand people have an issue with stalking, whether it be in real life or online or some form of it. Okay. And so if you want to look more at those statistics, they are there. There's a link. I only have about a half an hour. I want to give you guys what I can. So what did I do back in 2015?
Well, instead of, and I'm going to be using some of you guys, I'm going to be looking at you. Okay. But I don't know you specifically except for this guy right here. So instead of following you directly on Twitter and knowing what you're up to and whatnot, I'm going to follow all of your followers. Okay. I'm going to follow all your followers and not you directly. And they are going to tell me what you are up to. Okay. Now how do they do that? They'll tag you in, you know, check-ins when you're checking in at the bowling alley or when you're checking in at the movie theater. They'll tell me where you are. They'll tag you in a photo with your face on it, even though you didn't tag yourself in it. They tag you in it. And I don't need to follow you directly. Especially if you've already blocked me or you've already thought that I've been a creep, right? And so back then in 2015, Instagram was notorious for sharing geolocation data. They're better at it now. And they don't actually tag you with the location of where the picture was taken, slightly better. So there you go, right?

Now the cool thing about this though is since I got the computer to do it, I didn't have to sit at a computer to monitor anything. I would actually get notifications on the smartwatch, which back then was the Pebble. God rest that company. I got the Fitbit. So it is what it is. But I got notifications on the watch when I had, you know, activity from my target or from my subject. So I would be notified, oh, so-and-so is doing this. So-and-so is doing that. And for the most, for most of the time, they were none the wiser. Okay. So again, I don't want to follow the target directly. Why is that? Red flags, right? Red flags, you don't want to follow the target directly. You don't want them to know that you have maybe a ghost account or a sock puppet following them for you. You just don't want to arouse any suspicion. So how do we stop that?
Well, instead of following them directly, we follow their followers. And that was the methodology back in 2015. So now the question becomes, well, how do we find the stalker? Now I'm not good at finding memes. I'm not good at making memes. So insert dank meme here. Use your imagination. You guys can do that, right? You guys did say you were not hung over, right? All right.

So here's a snippet of the code that you can now find on my GitHub repository. It is a new repository called anti-stalker bot. Now the meat of it, this is a big chunk of the code. What we're doing here is I'm going to each and every one of my followers, taking their followers and putting them into a raw data text file. Just a whole bunch of Twitter IDs and you'll see some of that baseline or you'll see some of those screenshots in a little bit. So again, I'm going to Connick, I'm doxing you, sorry. I'm going to Connick's followers, taking all of his followers and putting that in the file, yours putting in the file, putting in the file. So I'm not following any of you guys. I'm putting that all in the same file. And now there's a reason for that. What I want to do is, as the target, as the person potentially being monitored, if I have a little bit of tech savvy, I want to turn my followers back on them so that there's this reverse engineering, right? Or there's this reverse of what I did back in 2015. So now I'm going to use that raw data file to find out if there's any correlation, if there's any similarities to what I've, you know, to what I started.

Okay, so let's talk about a baseline. Okay, when I started this research, I only had 883 followers. I now have almost 900 and almost actually almost 1000. So good press, right? Now, I had 883 followers. And of those 883 followers, I followed all of their followers. Okay, and I got 1.03 million instances of followers. Now, instances is a very important word, right?
So I've taken all of these, all of these followers, put them all in a data file. Now, of that 1.03 million, though, there were only about 815,000 unique IDs. Now, how do we explain that? Well, you two, you three or four may have the same types of followers in your list, right? You all might be following or the same type of InfoSec blog may be following you, or the same type of psychology blog may be following you, or you guys may just have mutual friends. So the first thing that we do is we have to find unique IDs. Okay, we have 1.03 million instances. These are not all unique. There are 815,000 unique IDs. And it's important for me to convey that message so that you guys understand where the data is going, okay? So if you look at it, that's about a 50% follow rate when you see me or my ID showing up 450 times. That just means mutual friendship, right? If you're following me and I follow you, I'm still in your list. We're friends now, right? And I use friends because how many of us are actually friends with people that we are friends with on social media. A lot of F words today. So that's why you have that 50% follow rate. Because for the most part, I'm following you, you are following me, we're all having a good time, right? And that's why I show up 450 times in the follow rate of my followers. So here's the raw data screen cap, okay? This is all not organized yet. These are just unique Twitter IDs and that's why I blurred out part of it so that, you know, you don't see who's following me, although that is kind of public information, but at least I'm not going to be responsible for any data leakage. So as you organize the data, you see that the high follower rates flow up to the top. Now that 450 is myself. That is myself in this baseline. I am following that follow rate. That's 50%. Okay? Now everybody else, you'll see that the next highest number is about 124, even though I wrote a red line through it. But the next highest one is like 124, 120s down to the 90s. 
These are the people that are in your InfoSec blogs. You share interest. Probably a lot of people, if we were to look at that data, these are a lot of people who are probably attending DEF CON right now because they share my interest. They share my interest in psychology, phone phreaking, InfoSec, et cetera, et cetera, et cetera. Now in this next slide, this data is showing the same thing just in two different ways. And we'll get into this here. So up at the top, at the top left, you see that number is 713,000. Okay? That's 713,000 unique IDs that are only following my followers once. Now we're still in the baseline. So this is actually normal activity. Okay? It is normal for you to only have one piece of correlative data among all the followers. So these are all unique. And there at the bottom right is the 450, 450 being me. Okay? So that pie chart on the left-hand side is showing you that 88% of my followers or the followers of followers are unique. They are people who are not in correlative data. They're not in InfoSec. They're just people who just so happen to be there. It's not, it's not anything that drives back to you specifically.

So now my next question is, before I see a preview slide here. Has anybody followed me organically before this? Like before you even knew about this talk, has anybody been following me before? Oh, cool. Awesome. Awesome. All right. Now my next question to you guys then, all two of you. Have you seen this new follower in your list? No? Oh, he's checking right now. So my question is have you seen this person? All right? My follow-up question is, has anybody in here saw the, have you guys seen this movie called The Last Dragon? Sho'nuff? Anybody from the 1980s? One of those blaxploitation films? Right? It's a really good movie. Kind of campy, but it's supposed to be because it's the 1980s. So there's a reason for that. I'll explain that at the end. But that's the account that is my ghost. That's my puppet.
That's the person who's now going to stalk me. All right? So now after I had this script run and I ran it overnight, so I would go to sleep with the script running I'd wake up to all this raw data. All this really cool raw data that I can sift through later. The stalker account. This gentleman right here, Bruce Leroy. Yeah, Bruce Leroy. Yeah, you saw, you found it? Perfect. That was me actually. So I was able to follow 800, sorry, 813 of the 883 followers, okay? So that gives you about a 92% follow rate. The only people that I was not able to follow are people with private accounts, verified private accounts, protected accounts, whatever you want to call it. But those are the people who I couldn't follow. These are the people who, you know, they want, you need to get permission to follow them. Usually they're, I don't think they're journalists, but they're people who are very private people, right? I'm sorry? There you go, see, verified data, cool, live. So the next highest number, again, was myself, and you'll see that in the next screen cap. So we're going to go back to some screenshots, and you'll see here I scraped the raw data. The data has kind of changed, okay, but here's the important part. At the bottom, you'll see that the highest follower now has 812. Now, this is not normal, okay? What I'm saying here is the data shows that having a 92% follow rate is not normal, and that's where you find the anomaly, right? Because the next one is 452, which, by the way, is me, right? Follow, I follow you, you follow back. Friends, we're friends. So it's very interesting to have a 92% follow rate, okay? Now, you might notice that in the last slide there was 450 followers being myself, and now it's 452, it's because I took a little bit of a weekend, and so I started the first scan, and then the second scan was stalking three days later. So hey, I might have gotten a little bit more popular, I don't know. But here's the new data, and here's what the new data shows. 
You'll see that in the blue, it's still 88%, because that's normal, right? 88% of my, the followers of followers are unique IDs, but you'll see in the right hand side, okay, you see again that's still 813,000, alright? But at the bottom, you'll see the 450 there, and then you'll see way in the right side, 812, and that's where you find that scum of the earth coming to the top of the drink. And so this is how we're using the analytics to find that one particular person. So here is the, here's the data in comparison, right? 883 followers, I was able to follow up to 813 or 812, depending on when I pulled that statistic, the percentage doesn't change. But there it is. Now I did want to check to make sure that Shaolin Chenpo, which by the way was that ghost account, that was the official name, not the name, but the Twitter handle, okay? I wanted to make sure that it wasn't following me directly, which it is not, because I searched for that, and that's the only thing that came up. And for those of you, right? I've actually spent some time in the Shaolin Temple to train. I tried to grow my hair out for MohawkCon. I didn't have time. I usually shave my head because I do martial arts with the monks every now and then. I choose to shave my head. I'm not a vegetarian or anything, but that's just up to me.

So here are some reminders. The problem with social media is it is public by default, right? Now I understand that Twitter uses it as a megaphone. I get it. But there is correlative data here that shows that you can be monitored without being monitored directly. And that's the important part here. So just keep in mind that Twitter is public by default. A lot of other Instagrams, or Instagrams, a lot of other social media is public by default, and that's the problem that we have here. Now what I'd like to do moving forward, of course, is use my method, use this against other types of social media. Maybe not Facebook specifically, but definitely Instagram.
And I have an idea for how to maybe analyze hashtags. We'll get to that. Maybe next year. Right? So here are the resources and links that I have here. This link right here is the new GitHub repository for what I've currently changed or what I have for this talk today. And if anybody here has been a victim of stalking, whether it be cyber or, take a drink. We're cyber, right? I can't believe I used that word. In any case, if you were stalked on the internet, please go here at the second link. It is a way to complain to the government about it or to find resources on how to handle that type of thing. I don't condone stalking. I don't like stalking. I just did it to see if I could do it, really. And another thing too, one of my subjects from the first time I did a talk like this, I actually followed a handful of people and kind of obfuscated that data so there wasn't any specifics about them. And I did go back to see if one of the subjects had maybe learned their lessons. And the funny thing is a lot of the followers of this particular person, they're all private accounts now. I was only able to get a 50% follow of the data, as far as data goes, I wasn't able to stalk them accurately. So they didn't give me accurate information because that was all private accounts and I can't follow private accounts. So it was a good positive change, so I felt good about it. So education, right? So in conclusion, I think I found it. Are there any questions? That was pretty quick! Son of a bitch!

Question. Right. Yes, this is definitely a shotgun blast type of method. So the question was, for the video camera there, the question was, is there a way to weight the accounts and see if maybe there's friendships, like true friendships among people, right? People who hang out every day, people who interact every day. Is there a way to weight them so that their data is more pertinent to what we have here in the set? That is in the works. Now by no means am I done today.
I'm presenting what I have currently. I would really like to partner with anybody out there who has really good coding experience. I am not a software engineer. I hack shit. I throw code to the wind and see if it works. And that's just how I work. So I'd like to go ahead and take a look at some of the things that I do with a Kali module or, you know, put in a module of some sort of Kali application. Long-winded to answer your question, I have not weighted anything yet, but I would like to. And this is, today is by no means the end of my research. The thing is, it becomes a chess game, right? So now I know how to do anti-stalking. So now as the time goes by, I think this is going to be where I can really sit in for a while and really dig into that research. So that is in the future. Thank you.

Question? Yeah. Yeah. Right. So the question was, is it Twitter's responsibility to detect stalking, right? Essentially, bottom line. Okay. So I'm very wary about saying it's so-and-so's responsibility. I understand that not everybody's technical. I understand that not everybody's going to run this code and then do this type of analysis. I get that part. But to say that it's somebody's responsibility for your security, it's a little weird, right? The companies do what they can. They do their best to mitigate certain types of risks. And again, this is just maybe my hacker mentality, which is I'm going to analyze it, right? I don't want to necessarily say that it's Twitter's accountability. Maybe it is. I don't want to just say that, though. Right. Exactly. So maybe if we can get, right. So maybe if we can get Twitter in front of Congress, maybe they'll change a few things. But again, the problem is that Twitter, by its nature, by what it does, it's a sounding board. By its nature, it's public by nature. So I don't know if you necessarily want to change that business model, right?
The thing is maybe you are now a little bit more aware, a little bit more educated about how that data is used, right? So I don't know if that's the answer. I don't know if it is the answer to make everything private by default, but it is something to maybe explore. I'm trying to be as objective as possible here. I'm not putting anybody under the pressure. So when I did this talk on Friday, I invited everybody to the bar with me afterwards. So same invitation here. We can keep talking. We can keep having this discussion.

Question. So that's, oh, cool. I want to get to your level. Okay. Right. So the question was, does this scale up like from, you know, I only have about 800 followers, does this scale up to somebody who has somewhere below 800? But that would be very interesting. I would imagine that the data that you see, the graphs that you see are going to be very similar, though, because even with bot accounts, right, you say that maybe a lot of your followers are bots. Oh. Okay. So your followers are 98% real, but you get attacked by a lot of bots, maybe, right? Okay. So the thing, I will say that the thing that Twitter is using, you have to have some sort of valid, and I use valid in air quotes because I am a VoIP engineer, valid phone number, right? You have to have a valid phone number now to sign up for a Twitter account. Okay. So you could maybe get a Google Voice number, or actually, you know what, I don't even think that works, but you have to have a valid phone number to start an account. And that's because of course, all of the latest data, okay, this is me playing chess, okay, so I don't actually suggest this to any stalkers, but a way around that would probably be a burner phone because it's a legitimate phone number, it's a mobile phone number. I'm not sure why Google Voice doesn't work. And now I'm just rambling.
So to answer your question, I believe that it could be scalable because I don't think the data itself will change except for these numbers. We have thousands and thousands of unique followers and only maybe one, maybe two anomalies, right? The only anomalies that I found were the two, were myself and the stalker, and that's what we found here in the data. So I hope that answered your question. Okay, cool, thank you.

Question, way in the back. Oh, fuck, yeah, sorry, yes. I'm old school DEF CON, okay, I can swear, right? I hope you like it. I do want to expand this type of research or this type of analytics to other social media. But I know I can't do it all alone. So if you guys want to collaborate, that'll be great. My next target is actually Instagram. Don't ban me, Instagram, please. I haven't even started the research yet. But yes, I want to, it's not just going to be Twitter, I want to analyze all types of social media to see what I want to check out next. Again, I want to make what I've written into a little bit more of a module that we could put in Recon-ng, maybe a Maltego transform, something that's bigger than myself. That's my favorite part of doing this type of research. I know I can't do it all by myself. I might have met a couple of you guys in line. I like contributing to the bigger picture. So absolutely, right?

Next question, right there? Oh, yeah. Sure, yeah. All right. On the same day, right? Yeah. Right. So the question was, or it was kind of like a statement. Thank you. I'm sorry, I'm three shots in now. Remember, no breakfast. I haven't had breakfast yet. But yes, so the question or the statement was, with this method, of course, you can see this follower or stalker had started following all of your followers, and you'll see that in the data that they started following at pretty much the same exact time. That is a way to maybe detect this. So again, this goes back to the chess game that we're playing with the stalker, right?
So of course, there are ways to detect this method now, right? So it goes back and forth. This is the cool part of the research. When I realized I had one and done speech or one and done presentation and then I'm done. Now one thing, you bring up the API a lot, so I'm wondering, are you a developer? No. Okay, that's why I'm just curious, right? So with what I was doing here, I noticed that there's, okay, rate limiting, right? So the rate limit, and this is kind of interesting, I was only able to query about 15 accounts every 15 minutes or else I was able to let this program run one every minute. Okay, I'm going to query your account every minute or once a minute or once and then wait a minute, query your account, wait a minute. So I was only able to query 15 accounts in 15 minutes. It took 14 hours or something along those lines. I can't remember the math but it took a long time to grab all of that data. Now yes, I have 14 hours to let the computer do the analytics while you go have a Hawaiian barbecue or whatever you're trying to do. So these are the types of limitations that I ran into. I don't know if that, you know, but these are some interesting things that I found in the API myself. So cool, very cool. And you know what guys, I'm actually very excited that we have a lot more question and answer time here today because I got almost no question and answer time back here. Yeah, yeah. Yeah, so the suggestion is of course using AWS and the thing though is the API is tied to your unique Twitter account, right? So like when you sign up for a Twitter account or to develop for Twitter, it's assigned to a unique account. I'm sorry? Not that I well they maybe do. I didn't check that far. Okay, so yes the question was can you just use AWS to use multiple accounts to scrape that data? You probably could with a bulk API. I use a single one to one account API key limit there. So there's that. See, I'm cool with these open ideas. 
This is now where it becomes a discussion, right? Question, yes. Right, now of course there are ways around maybe the rate limit. Your question is, oh, I'm sorry, go ahead. I'm not familiar necessarily with neural networks. I'm just now getting into the whole idea. Okay. Okay, that's very interesting. The question was a whole bunch of stuff about neural networks that I actually have not explored. So I'm sure, let's talk. I'll get into that eventually. By the way guys, again, I'm not a software developer. I throw code together and if it works, it fucking works, right? So it's really cool to have discussions with you. I am learning as I discuss with you, right? So it's cool.

Question. Oh, yeah, dude, sorry. Let's go to the way back. So I am at Chenbox, that's C-H-E-N-B-0-X on most social medias. I'm on Instagram. I am on Twitter. Let's see if you can find me on Facebook. You probably can. It's really easy. I'm not going to hide so much. But I also do this podcast here locally in Las Vegas. We are Gray Noise Media. It's a Swedish domain. We haven't talked shit about Sweden yet. So we can actually have that domain. That was the only rule to have that domain. Don't talk shit about Sweden, you can have that domain, right? So I do that podcast weekly. And we talk about InfoSec, we talk about nerd stuff and nerd culture. The show goes on without me now and I love that. So while I'm here at DEF CON, they still did the show, bigger than myself. It's cool to be a co-founder and co-host, but if it could run without me, fuck yeah. So follow us, you guys. It's a lot of fun. It's just as drunk as I am now. I am like that every Friday night. My doctor still hasn't detected any liver damage. Yeah, so there you go. We can talk about this all day, you guys. I am totally open to meeting you guys outside in the hall and just having discussion with you. My favorite part of the conference is talking to all of you. It really is. I can do a contest later. It doesn't matter to me.
I love talking to all of you guys, especially first time DEF CON goers. This is what I do. I talk to people. I ramble, but it's a lot of fun. So in any case, thank you everybody. It's been a lot of fun. Thank you.
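The baseline and anomaly analysis the talk walks through (instances of followers-of-followers versus unique IDs, the histogram behind the pie chart, and the follow rate that makes a 92% account stand out against a 50% mutual-follow rate) as an added, self-contained example. This is not the speaker's anti-stalker-bot code and does not touch the Twitter API; the follower lists, account names and the 80% anomaly threshold are all constructed assumptions, and a `None` entry stands in for a protected account whose follower list cannot be read.

```python
from collections import Counter

# Constructed sample data (not real Twitter IDs). ME is the account being
# checked for a watcher; MY_FOLLOWERS are its followers; FOLLOWERS_OF maps
# each of those followers to the set of accounts following *them*.
# None marks a protected account whose follower list is not visible.
ME = "me"
MY_FOLLOWERS = [f"f{i}" for i in range(1, 11)]  # ten followers
FOLLOWERS_OF = {
    "f1": {ME, "stalker", "blog_a", "u01"},
    "f2": {ME, "stalker", "blog_a", "u02", "u03"},
    "f3": {"stalker", "blog_a", "u04"},
    "f4": {ME, "stalker", "u05"},
    "f5": {"stalker", "blog_a", "u06", "u07"},
    "f6": {ME, "stalker", "u08"},
    "f7": {"stalker", "u09"},
    "f8": {ME, "stalker", "u10", "u11"},
    "f9": {"stalker", "u12"},
    "f10": None,  # protected account: follower list unreadable, so skipped
}


def count_instances(followers_of):
    """Count, per account, how many of my followers it follows.

    Every appearance in a follower's list is one 'instance'; the same
    account appearing in several lists is what the talk calls correlation.
    """
    counts = Counter()
    for their_followers in followers_of.values():
        if their_followers is None:
            continue  # no data for protected accounts, nothing to count
        counts.update(their_followers)  # a set: one instance per list
    return counts


def summarize(counts):
    """Instances vs unique IDs plus a histogram: count -> number of IDs."""
    histogram = Counter(counts.values())
    return {
        "instances": sum(counts.values()),
        "unique": len(counts),
        "singletons": histogram[1],  # the 'normal' one-off IDs
        "histogram": dict(sorted(histogram.items())),
    }


def follow_rates(counts, my_followers):
    """Fraction of my followers each account follows, highest first."""
    n = len(my_followers)
    return sorted(((acct, c / n) for acct, c in counts.items()),
                  key=lambda pair: pair[1], reverse=True)


def find_anomalies(counts, my_followers, me, threshold=0.8):
    """Accounts following at least `threshold` of my followers.

    My own ID is skipped: mutual follows put me in my followers' lists at
    roughly a 50% rate, which the baseline shows is normal.
    """
    return [(acct, rate) for acct, rate in follow_rates(counts, my_followers)
            if acct != me and rate >= threshold]


if __name__ == "__main__":
    counts = count_instances(FOLLOWERS_OF)
    print(summarize(counts))
    for acct, rate in follow_rates(counts, MY_FOLLOWERS)[:3]:
        print(f"{acct}: {rate:.0%}")
    print("anomalies:", find_anomalies(counts, MY_FOLLOWERS, ME))
```

On the constructed data the watcher reaches 9 of 10 followers (90%), the checked account itself sits at 50% from mutual follows, a shared-interest account at 40%, and the remaining twelve IDs appear once each, the same shape as the talk's 88%-singleton pie chart. The rate is computed against the full follower count, as the talk does with 812 of 883, so unreadable protected accounts lower a watcher's score rather than hiding it.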