Hello, thank you everybody for attending this talk. My name is Stitch, Elger Jonker. I'm from the Netherlands, as you might have spotted, and if you think you're hot, well, this is terrible wearing this on stage. So I have a small presentation, a really short presentation about Failmap, or Faalkaart. It's a Dutch translation. And I hope you can see it on the projector. You see a map of the Netherlands, which is grayed out. We're going to color that map today.

So my question was, within our government, is information security taken seriously? And instead of doing a really short-sighted investigation and then shout and have some short media attention, I thought we should answer the question with some facts, some numbers. And that's what I did. So I, with a couple of friends, we made this nice proof of concept. So we took the local Dutch government's municipalities, we created a map, find subdomains of this municipality and then do a simple TLS and SSL scan on them and color the map.

If you announce that at the right moment, you might have an impact. And this is what happened. So the colored map was presented on a conference with only security officers of municipalities. And that's fun. We have 200 people there that instantly are terrified. That's good. So on March 19th this year, you see the map on the left with the nice red areas. Three days later, the map was much, much more green. In fact, we solved about 150 security issues just over the weekend by announcing it. And that's fun. We coded this, like, in a few days and we, yeah, it was by accident that we got the opportunity to talk to those people. So today, only 1% of the secure connections is terrible. It used to be 8% and the amount of domains is steadily growing. And it continues to lower. So that's good.

Now, this works. Excellent. Hooray. But we can do a little bit more. So why did this work then? First off, it's somewhat negative. It's Failmap. You fail if you're red on the map.
And there are so many other municipalities that are green and you don't want to be the one that stands out. So you want to put in some effort and type in apt-get upgrade. It's continuous and it's not voluntary. So we are basically forcing security scans upon the municipalities whether they like it or not. Some got angry. Some loved it. So we will stick with the ones that love it and they are the role models. And we also got the security office, like broadcasting, like, oh, no, we're having another media accident and we will have to work till four in the morning and some of them did. So, yes.

So the next thing is the world. We have a small country, the Netherlands, but there is so much more crap out there. We can all solve this. The plan is to do any government anywhere with any legal test, especially the any legal test is highly dubious, but we will figure out a way that everybody will benefit from this plan.

So what we did is start a new foundation. It was called the Internet Cleanup Foundation. It was started the day before this camp started. So that was nice and nice scheduling. We've got a team of eight volunteers for the Netherlands to run this site and to make it faster because it's terribly slow right now. But to make it faster, to make sure that in the end, everyone, even your computer-inept person, can just run this check by themselves and verify on their own that the government is doing a good job or not. So we got some funds for it. We basically have a project for one year. So we have some continuity, which is awesome because this took about 40 hours of work each week while having a full-time job and it will kill you. So we now have some funds to make this our job. It's fun. So it's actually the government paying us to troll the government good.

So our goals are to, in the Netherlands, have 6,000 security failures fixed in this year. In Europe, well, 60,000 and in England and the rest of the world, 600,000.
So that will be a lot of work and it will be a lot of fun because we automate everything.

So what does this project deliver? Well, the thousands of security improvements, a source code repository, which is already there. You can already git clone the project. The instructions for running your own will be there. There will be a foundation that has unlimited Google Ads, so yay, and large sets with data. So all scans we do will be published and you can use it for your own. Do some data mining on it.

So the non-tangibles are that the government can be trusted a little bit, very tiny little bit more, in doing their jobs properly. So hooray. It's also an enabler for the security business because if the government thinks this is important, some businesses might also think this is important. And they are also trained to handle security incidents. So if we find something that is actually terrible, we will not disclose it. We will do the standard responsible disclosure known by many. And well, they can learn to handle that. It will be fun. More work till four in the morning.

So our next steps, we are setting up a team. We have a foundation now. We set up a team that has meetings every two weeks. So it's pretty boring stuff, but it's like you need to get an engine running. And we need to see what's the optimum way to spend our funds. And well, we will, we want to migrate to OpenStreetMap because we hacked something in just a few hours that looks like a map of the Netherlands, but really isn't. And we have to add more checks. So not only for TLS but also for DNSSEC and for DKIM and SPF and all the other stuff, insecure cookies and you name it, everything you can scan in like half a second with zero knowledge. We are going to automate.

So the conclusion was this actually works and we need it. And I only have a simple question: hello, England, where is your precious information stored? We need to know because we need to know what to scan. And that's an honest question.
And I would like to ask you, where is your personally identifiable information stored? What companies and would you be willing to help this project and the rollout to England? So that's an honest question.

The answers. Gov.uk. Oh, it has everything. I hear a lot of remarks. Isn't it so that in England, the personal information is stored with companies and you can like a digital vault or something here?

We have Equifax, which has got all of our financial details, everything tied to everyone and they're in Scotland. There's three of these companies. Callcredit and something. Experian and they have information on every single person, everything.

Excellent. So there's another question.

There's quite a large cached copy in a big room in Cheltenham. Okay, of everything. Of everything. It's in a sort of donut-shaped building called GCHQ.

Yeah, I know that building. Yeah, I've seen it. Anybody else? I think we've given up all our secrets. That's a question.

I'm just trying to find the relevant legal clause. I can't provide any information because I'm a foreigner and in the light of Brexit, I'm getting deported anytime soon. So basically, all your browsing data, if I recall correctly, is stored in your internet provider for a year and it's accessible by the law enforcement in any case.

So we should check that nobody, so there are regulations that already exist. We're not here to bend them, but we can at least verify that there is no obvious leak in those providers. So that the government gets the data, but nobody else. Well, I don't know what that means, but I cannot hear you, sorry. There's a mic on the way.

The decision lies with the government or we don't know yet because as I said, it's stored on your internet provider, which is a private company. So we don't know how safe is our browsing history at the end of the day.
So they might one day sell it to, let's say, a corporation which sells sandwiches and because I googled eggs yesterday, some, you know, my mailbox gets crammed with sandwich advertisements. We don't know. And this question remains unanswered.

Well, I hope we can get an answer for that. So thanks. Well, that's basically our talk.

A couple of other places where they store, they should be Companies House, the Land Registry and the Charities Commission which do information on all those things.

It didn't really, I didn't really get the question, but I will listen. I will talk to you later, please. So if anyone wants to waste some time and scare the shit out of people and make them really nervous, you're more than welcome to join. It's pretty much fun. And yeah, since everybody is going with responsible disclosures, there's a lot of room these days to actually hack things. So hooray, thank you very much for attending and see you on the site.