Thank you for inviting me. This is fantastic. I appreciate it. Thank you, Danny, and NZPUG. I've had a lot of fun here. We started, a friend and I came here about a week and a half ago. We started in the South Island, started in Christchurch, and then drove all the way down to Milford Sound, and then flew up here just yesterday. You might be able to tell that I was really prepared for New Zealand because there's like different burns in my skin, different degrees. I also have a lot of like bug bites everywhere, a little badge of honor. But this country is beautiful. I have to make sure I come back. Anyways, so that's me, Lynn Root. You can tweet at me. So as Danny said, I am a site reliability engineer at Spotify. Basically, I either break stuff or fix things that people break. In actuality, what an SRE does at Spotify varies widely between different companies, but it's a combination of backend development, where my team and I run a few different services that other engineers use daily, as well as some DevOps and sysadmin and all that fun stuff. But it's never a dull moment. I am also sort of a FOSS evangelist at Spotify. I help a lot of teams release projects and tools under the Spotify namespace. So if you go on GitHub slash Spotify, there's a lot of cool stuff there. And as Danny said as well, I help lead PyLadies, which is a global mentorship group for women and friends in the Python community to help increase diversity. So today's talk, making sure that's all up there. The first iteration of this talk was in like 2013, right when Edward Snowden initially exposed everything about the NSA's programs on surveillance, including XKeyscore and PRISM. And there's been a lot of new things exposed since then. And it's been amazing. I've updated this talk. I've done this talk a lot in the past. But I've updated it for a lot more historical context in addition to how to do your own little covert espionage spying with Python. 
You might be wondering why I chose to speak on this topic to begin with. In all honesty, I kind of wonder that myself. This talk comes with an inexplicable deep interest of mine. I don't know where it comes from, but I love espionage. I read a ton of books on the Cold War. I studied abroad in Prague. One of my favorite TV shows is The Americans, which I don't know if it's over here. And I have a few Cold War-centric board games. I can't get enough. I know I'm weird. But when I was a teenager, I read this book called Confessions of an Economic Hitman. And I loved it. And it was about how the US sort of surreptitiously influenced other countries in their economic development. It actually inspired me to study economics in college. But looking back now, I should have known that it was the espionage and the spying that was of interest to me, not necessarily economics, because I definitely don't do anything with my degree now. But it is clear that it's not just economic development that the US exerts their influence upon. So when Edward Snowden came out in 2013, I was sort of like a vacuum for everything, all the top secret surveillance programs that are now in the public eye. And so as I read on and consumed more, the more I realized that it's not hard to do this by myself, like with the tools that are out there freely available, which is kind of scary. But of course, I kind of had to do it myself. I just had to try. So the agenda today, I'll first give a quick overview of who is doing the spying. Then I'll give some historical context about what they've been doing and how we all got here to where we are today. Followed by how the spying is being done, and then try and convince you why you should care. And I'll finish off with how this can be mimicked with a few Python tools. At the end of this talk, I'm going to save questions for outside. I like conversations better than just being asked questions and turning bright red. So there's morning tea right after this. 
So if you want to talk, come find me outside. So I want to be clear what this talk is not. I am not condoning what the NSA, everything, all the alphabet soup is doing. I'm not going to tell you how to avoid being tracked or spied upon. I'm not encouraging you to spy on friends, family, or patrons of cafes with free Wi-Fi, though that's exactly what I did. I am not affiliated with the NSA, FBI, CIA, or whatever. I am not a lawyer as well. And I'm not a black or a white hat, just an average engineer that kind of likes to play one on stage. So let's set the stage about who all is involved. So we have the Five Eyes, which is the US, the UK, Canada, Australia, and New Zealand. While there are multiple agencies within each country that are involved in the data sharing, the predominant ones are the National Security Agency in the US, the Government Communications Headquarters in the UK, the Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Security Intelligence Service and Government Communications Security Bureau. I think it is. We then have the Nine Eyes, which includes France, Denmark, the Netherlands, and Norway. Germany felt a bit excluded, so we now have the 14 Eyes as well, including Germany, Belgium, Italy, Spain, and Sweden. Then we have the 41 Eyes, which is the 14 Eyes plus those that participated in the US coalition in Afghanistan starting in 2001. So visualizing this can make it seem that it's a bit difficult to maintain one's privacy. So what exactly are all these eyes doing? You might be wondering. So this is not at all an exhaustive list. It's also quite heavily US-focused, although there's a significant amount of international espionage and intelligence sharing and cooperation. So among this timeline, there are many projects or focused efforts around a particular mission. 
And when placed into political and international context, all threaded together, it develops a picture that is both overwhelmingly unnerving, as well as logical and predictive. So international espionage dates back further than this, but it shows a start here because it's during post-World War II that we really start to see heavy investment in signals intelligence. So the origins of the Five Eyes group are traced back to 1941, where the Allies from World War II set goals for the post-war world. In 1946, a secret treaty called the UKUSA Agreement was signed, that essentially is the foundation of the US and the UK's cooperation on intelligence sharing. In 1948, Canada joined, followed by Australia and New Zealand in 1956. So the purpose of this alliance is to share signals intelligence among each other. How they do it is each country would surveil a set of countries, like for example, the US would focus on Latin America, New Zealand would focus on South and East Asia, et cetera. And so while the US and Canada would not necessarily spy on their own citizens, there's nothing stopping them from sharing what they did collect on each other. So the first project I'll talk about is Project Shamrock. It's essentially a continuation of the US military's work from World War II. It was probably the largest government interception program in the US during this time. Shamrock is considered an espionage exercise where the military was given direct access to daily copies of all incoming, outgoing, and in-transit telegrams via the three major telegram companies. And the predecessor to this project was basically a lieutenant from the military asking one of the major telecom companies to be assigned to the company. And then the lieutenant took photographs of nearly everything he could get his hands on. So about 150,000 messages a month were being reviewed and analyzed by the NSA, all of that weren't. 
And then they would pass that information along to other agencies like the FBI, CIA, et cetera. In 1947, New Zealand's first SIGINT site was built, referred to as NR1. This was mainly used to aid the US and the UK in monitoring communications of communist and socialist organizations. So all communications were collected, and then sent off to other agencies like the US and the UK. And New Zealand didn't really produce any intelligence of its own, which is sort of reflective of how supportive it was of American and British interests rather than New Zealand's own interests. So then the NSA was officially established, but it has roots dating back to World War I. Then in 1929, the cryptanalytic section of the US military was shut down by the then Secretary of State, in which he said, gentlemen do not read each other's mail. The first US government organization to take part specifically in signals intelligence was the aptly named Signal Intelligence Service within the Army in 1930. It then went through a few iterations with a few different names and shifting directives, including Signal Security Agency, Army Security Agency, and Armed Forces Security Agency. So the agency was a bit chaotic, lacked focus and direction. So in 1952, it was redesignated as the National Security Agency, with a clearer outline of its purpose. And interestingly enough, since the redesignation of the NSA was in a classified memo, its existence was not known to the public until decades later. Before its exposure, the intelligence community would refer to the NSA as No Such Agency. So this is another project from the US, it's a sister project to Shamrock. While formally operating in the late 60s and through the early 70s, Project Minaret actually started in 1962. And it first started with the NSA forming a watch list of Americans traveling to Cuba and then it was expanded to narcotics traffickers. 
In 1967, the names of activists in the anti-Vietnam War movement were added by President Johnson. Followed by President Nixon adding civil rights leaders, journalists and even a couple of senators. So the list included folks like Martin Luther King, Jr., Muhammad Ali, Jane Fonda. And funnily enough, Senator Frank Church, who will later lead the Senate committee hearing that actually investigated this project. Project Minaret operated without warrant and produced reports for nearly 6,000 foreigners and 4,000 US citizens. Echelon, it's a surveillance program run by the Five Eyes. It was formally established in 1971 but technically started in the late 60s. It first started for monitoring military and diplomatic communications of the Soviet Union and the Eastern Bloc during the Cold War. However, it grew to a global system for interception of private and commercial communications. In the 90s, it was expected that the US was using Echelon for industrial espionage. In 2001, it was recommended to the European Parliament to encourage its citizens to encrypt communications to maintain privacy as they found that the NSA was passing on information to allow companies like Boeing to win contracts. 1972, in United States v. United States District Court, known as the Keith case, which is named after the presiding judge, the Supreme Court unanimously rules that the government must comply with the Fourth Amendment when surveilling an alleged domestic intelligence threat. This is actually pretty interesting. The case was against a few men who were part of the White Panther Party, which is a radical anti-racist white American group who were charged with conspiracy to destroy government property. But in a pretrial motion, the defendants wanted disclosure of the electronic surveillance information that the government had on them, which wasn't necessarily known. 
So Nixon's attorney general, Nixon made the attorney general say that he authorized the wiretapping because it was to defend against members of the domestic organization attempting to destroy the government. So now warrants are required for domestic surveillance after decades of intelligence collection. So in the mid-70s, we have a lot of dirty laundry being aired from the government. In 1974, the Rockefeller Commission under the US president investigated the CIA and revealed the fact that they had been spying on dissident groups and opening mail, as well as mind control studies like MKUltra. Stemming from a lot of frightening press about the government's surveilling activities, the Church Committee, named for Frank Church, who was being spied upon, investigated abuses of the NSA, the CIA, the FBI, and the IRS, which revealed Project Shamrock and Minaret, and soon after these projects were terminated. So the Government Communications Security Bureau for New Zealand was created in 1977 for the purpose of maintaining a longstanding cooperative relationship, or collaborative relationship with New Zealand's Five Eyes partners. It also fit into the larger goal of strengthening New Zealand's and US military relations. So very few cabinet members actually knew of its existence until the early 80s, when it became its own entity separate from the Ministry of Defence. And it maintains two listening stations, which I will introduce in a couple of minutes. So after all those investigations from the committee hearings, the result of these investigations was the Foreign Intelligence Surveillance Act, or FISA. FISA basically establishes when and how federal law enforcement agencies can spy on people. So basically no court order is needed if one wants to surveil two foreign parties or powers, but one is needed if one of the parties is a US citizen. 
FISA also sets up a secret court to hear warrants, in the same manner an ordinary court does, but because it's a matter of national security, all these requests are classified in secret. So with the FISA Act, a program called Blarney was started. Now this allows the US to tap directly into major connection points of communication, including wireless and telecommunications. It targets communications that are believed likely to contain foreign intelligence, which kind of is ambiguous. And with the timing of everything, I can't help but assume that Blarney was just a reincarnation of Project Shamrock under legal pretenses. So we're collecting all this data and now we need to store this. Revealed in 2008, implemented in 1982, Main Core is a database containing personal and financial information of millions of US citizens deemed a threat to national security. This data comes from various agencies, including FISA, FBI, FISA, and is stored without warrant. So then the GCSB opened two other SIGINT stations, one in 1982 and one in 1989, to intercept traffic around the Pacific Ocean, the Southern Atlantic, the Indian Ocean, and all the way to South Africa. So to this day, signals intelligence is gathered on places where New Zealand otherwise has friendly relations, but it willingly spies on the request of allied nations, contributing to the Echelon project. So I'm jumping forward a bit, not because there's not necessarily anything interesting going on, but more so because I suspect stuff has yet to be revealed or is otherwise difficult to understand when and where projects started. But in 1997, the FBI implemented a system called Carnivore in order to monitor electronic communications by essentially being able to customize a packet sniffer spying on all internet traffic generated by a particular person. They were able to do this by installing a program directly on the internet service provider's system. 
And it only ended in 2005 because it was replaced by new and improved commercial software, which doesn't necessarily sit right with me. And so then the attacks on 9/11 brought a significant shift in mindset to the NSA. Before, it was about compliance with FISA. Afterwards, it's about how can we circumvent the law. The White House came to the NSA essentially asking what more can be done to fight against terrorism if the NSA had more authority, to which the NSA responds with a resurfaced plan that was deemed illegal by FISA in 1999. So this plan essentially performs contact chaining of metadata that it had collected where they would follow U.S. phone numbers for any foreign connection. And so of course, President Bush gives the NSA the authority to begin targeting terrorist-associated phone numbers. And then the president and the cabinet scrambled to draft an authorization to spy on Americans because none had yet existed. President Bush then signs the order to allow the NSA's domestic spying program and the U.S. Attorney General was told to just sign it. And so with that, the spying program was now deemed legal, triggering the NSA to feel it has the authorization to spy on U.S. calls and emails without warrant. And so off they go. In 2002, some undisclosed private sector telecoms and internet companies in the U.S. received letters from the NSA requesting support for the domestic spying program and to hand over data, including call records. Then later that year, these telecoms enter into a formal voluntary agreement with the U.S. to give data to the NSA, but only after the Washington Post exposes them in 19, or in 2006, did these companies request court orders instead of voluntarily handing over data. 
In 2003, construction of a secret room, now known as Room 641A, started in AT&T's San Francisco facility that's equipped with special technology that can read and analyze tens of thousands of communications per second and then send those communications to a central database, which I guess is the start of big data. This program was formally started in 2003 with the renaming to Terrorism Information Awareness. But development started in the beginning of 2000. It was aimed at gathering detailed information about individuals to anticipate and prevent crimes. This was referred to as the Manhattan Project of counter-intelligence, or counter-terrorism, and used many components of older programs. Congress does stop it in late 2003, but many parts were absorbed and adopted into other programs like the next one. So Turbulence isn't one specific program or project, but it's the name for a collection of a bunch of different ones. These include efforts at decrypting communications, injecting malware into computers, and a database containing metadata on a particular piece of information like email addresses. In late 2005, the New York Times actually exposes the NSA and their warrantless spying on Americans. President Bush does confirm it, but of course not without the twist of it's for national security. The New York Times also reveals that some of the NSA's spying is purely domestic with telecoms giving backdoor access to communication streams. Mainway started, supposedly started seven months before 9/11, and was revealed in 2006. The NSA essentially starts storing metadata of call records that go through AT&T and Verizon. And there's essentially 1.9 trillion records in that database, with records being held for up to five years. Revealed in 2013, Dropmire is yet another surveillance program. This one particularly targets foreign embassies and diplomatic staff, including a G20 summit, for a few years. 
And then so after the New York Times articles expose the NSA back in 2005, an unknown company requests the NSA to issue court orders rather than voluntarily handing over data. So then in 2007, a seeming reaction to that request, the Protect America Act was passed, allowing the NSA to not need warrants in collecting these communications. Starting to get more modern here. Revealed in 2013, Tempora started testing in 2008 and was fully operational in 2011. Its purpose is basically to buffer all the internet traffic that passes through the UK's fiber connection points. Just so that they can basically be searched and analyzed later on. And with this, it's supposed that the UK actually collects more metadata than the NSA. This is a bit startling to me because you just have to imagine the technology required for this. In a trial in 2011, the GCHQ set up probes on more than 200 internet links with each carrying about 10 gigabytes of data a second. In 2013, work was being done to support data flow of 100 gigabytes per second. Gigabits per second, sorry. Which is about a petabyte of data a day. And then that data is preserved for three days with metadata preserved for 30 days. So The Guardian reveals another GCHQ program in 2014 called Optic Nerve. And this program has been intercepting webcam images from millions of users, Yahoo users, who are not even suspected of any wrongdoing. They just collected indiscriminately. One released document mentions the use of face detection for mug shots and general facial recognition. And it was also revealed that one still image was taken every five minutes per user. But apparently it's okay for the UK to do this because they're not required by law to minimize collection from its own citizens, unlike the NSA. It was said that Yahoo was chosen because it's known to be used by GCHQ targets. But in my opinion, I think it was chosen because the Yahoo Messenger protocol is unencrypted. 
Because the government wants companies to comply, the US Congress passes amendments to FISA that allow telecoms retroactive legal immunity from lawsuits for those who cooperated with the NSA's wiretapping. So now customers cannot sue companies who may have violated their privacy and other rights because it was all in good faith. New Zealand isn't all that innocent either, sorry. In 2009, the Security Intelligence Service approached university lecturers asking for help to stop foreign states getting information on weapons of mass destruction. So a pamphlet was distributed saying, we are inviting New Zealand exporters, manufacturers, scientists, researchers, academics to remain alert to suspicious advances and seek advice on any concerns that they may have. So it's a bit like the Thought Police from 1984. So the Hacienda project is the UK's data reconnaissance tool, which port-scans entire countries. Supposedly 27 countries have been scanned. They're particularly interested in FTP, HTTP, HTTPS and SSH among others and looking for vulnerable services running on these ports. The collected information is shared and used among the Five Eyes group to launch exploits or to otherwise steal data. And scarily enough, it can infect non-governmental machines to complete scans, building their own botnet essentially and enabling complete scans for vulnerable devices within a subnet within five minutes. And best of all, it only takes a simple email to request access to the data. Something good that has come out of this actually is an internet draft for a proposed modification to TCP called TCP Stealth to hide ports of TCP services. And I wanna make sure it's known that these sort of images are actual slides that were leaked. There's another thing called Stone Ghost operated by the US Defense Intelligence Agency. It's a network for information sharing and exchange between the Five Eyes countries. 
In 2012, a Royal Canadian officer pleads guilty to actually having downloaded information from the Stone Ghost program and selling it to the GRU, which is Russia's successor agency to the KGB. Apparently, he just walked into the Russian embassy in Ottawa offering to sell secret information. And the officer said there was never really Canadian stuff. There was American stuff, there was some British stuff, Australian stuff, it was everybody's stuff. So this mainly just goes to show what can happen if data gets into the wrong hands. So it was revealed by a secretary of the cabinet, Rebecca Kitteridge, that about 88 Kiwis were illegally spied upon for nearly 10 years. Only one of the 88 was investigated by the police, which is Kim Dotcom, yeah. And funnily enough, the police chose not to press charges against the GCSB or even investigate the other 87 illegal attempts. The GCSB said that they had an incorrect understanding of immigration laws since Kim was not born in New Zealand. He was granted permanent residency in 2010. Speargun is at least a two-phase project run by the GCSB, where equipment was installed directly into the Southern Cross Cable, which is a trans-Pacific internet cable that supports about 95% of New Zealand's internet traffic. In response to this exposure, the GCSB spokesperson said, we don't comment on matters that may or may not be operational. Mid-2013 was when Edward Snowden came forward. Many projects and programs were revealed, including these. We have Fairview and Stormbrew, which is upstream collection with voluntary cooperation from AT&T and Verizon. It was also revealed that under Fairview, the NSA has been tapping into the majority of New Zealanders' internet traffic through that Southern Cross Cable, collecting both metadata and content. There's a program called Muscular, which allows warrantless data siphoning from Yahoo and Google without their knowledge until now. 
We have Bullrun, which is particularly unnerving, but I expect it to last. It's essentially the NSA's program for cracking encryption with current methods and storing encrypted data for future breakthroughs. There's Royal Concierge, which is GCHQ's tracking of bookings made at particular hotels. And then the NSA exposes, or the Washington Post exposes the NSA's programs called PRISM and XKeyscore. So PRISM stands for Planning Tool for Resource Integration, Synchronization, and Management, a bunch of buzzwords. It mines electronic data, collecting intelligence that passes through U.S. servers, and it's meant to target foreigners, but the NSA has been very elusive about the data that it might be collecting on U.S. citizens. XKeyscore is what they call a digital network intelligence exploitation system. It's basically a federated query system of completely unfiltered data. And it gives users the ability to query for email addresses, for some activity, phone numbers, HTTP traffic, extract file attachments, et cetera. And it was also revealed by Snowden that New Zealand's GCSB regularly provides mass surveillance data into the XKeyscore system. Dishfire was revealed in 2014 and is actually a pretty scary one. Not that they're not all scary. Every day it collects about 200 million text messages from all over the world, including geolocation data, names from electronic business cards like those vCard things, border crossings, financial transactions, and even missed-call alerts. So also revealed in 2014, what started in 2009 is a program called Mystic. And it's not yet another telecom surveillance program. This one actually collects entire countries' phone calls and not just metadata, but actual conversations. Countries that have been targeted for this program include Afghanistan, Mexico, Kenya, the Bahamas, and the Philippines. And the documents from 2013 sort of allude to extending the program to other countries. And then BADASS. 
Revealed in 2015, I'd have to give points for name creativity. This is a joint program between the Canadian Security Establishment and the GCHQ exploiting privacy weaknesses in mobile apps, using that same technology that advertisers do, including user location, their app preferences, and unique device identifiers. So you might be wondering how exactly they are doing that. So basically they're drinking directly from the hose. So the Tier 1 network, the backbone of the internet, allows vast amounts of data to pass via the simplest path. Tier 1 companies include Level 3, AT&T, Verizon, Deutsche Telekom, and about 15 others, and some even own their own transatlantic and trans-Pacific cables. Some major companies like Facebook, Microsoft, Google tap directly into these Tier 1 via edges, or they too own their own undersea cables. And so the NSA currently does the same thing. They tap the edges shared with Tier 1 companies. Also probably by brute force. I couldn't help but use an XKCD comic here. There is that program called Muscular that taps into Google and Yahoo directly. So I think some is also done by force. And so now you might be thinking why does this matter and why should I care? So first off there's a lot of unanswered questions. The first one that I have is how do these companies not notice being backdoored? Either their security sucks, or they're lying when they're denying cooperation. And then how is foreignness determined? Am I being roped in because I interact daily with non-US citizens? Or maybe because I'm here in New Zealand. Are you now a target because you're one hop away from me? What is done with data accidentally collected on Americans? There have been articles of the NSA spying on ex-lovers and tracking people's porn habits. And finally how secure is this information? Whether I'm foreign or not, if these agencies are able to crack encryption, I'm sure that there are black hats able to do the same, or perhaps more likely. 
I don't know if their database admin has actually changed the default password. So maybe you're thinking so what? I've got nothing to hide, I am not a criminal. Well then I'll ask you, do you have curtains or blinds on your windows? Maybe you'll let me see your credit card bills or your text messages. Maybe you lead a boring life and are willing to share all of that. But if you've got nothing to hide, then that quite literally means that you're willing for me to photograph you in the nude. And I get all the rights to those photographs and I can show them to your neighbors. So maybe you're thinking, it's not like the NSA really cares about all that. Well, there are some examples of metadata that they do pay attention to. This particular slide is taken from the EFF presentation from 30C3 in 2013. So they know that you rang a phone sex service at 2:24 a.m. and spoke for 18 minutes, but they don't know what you talked about. They know that you called the Suicide Prevention Hotline from the Golden Gate Bridge, but the topic of the call remains secret. Then they know that you spoke with an HIV testing service, then your doctor, then your health insurance company within the same hour, but they don't know what was discussed. So it's kind of obvious what they do collect can tell a significant story, and whether or not you're okay with allowing unknown watchers into your life is certainly your call, but just because I have stuff to hide does not make me a criminal, nor should I be a target of surveillance. There's even like a 10-year-old Facebook post that I would cringe at reading now. All right, so enough with all the seriousness. Let's figure out how we can do this ourselves. This is a Python conference after all. All right, so the media tells me that I need to look like this, all right. Does this work? Hold on, hold on. I even got little gloves. You know, I feel like Mr. Robot or something right now. 
All right, so I think this makes me ready to at least pretend I'm a black hat, right? Yeah, I got my sunglasses somewhere, right? All right, so let's do this. I'm ready. So I use a couple different Python libraries here. The main one being called Scapy, which is just tcpdump or Wireshark in Python. The overall idea is just the wiretapping part with particular filters. So if you actually want to store the data, then you probably have to just collect all that you physically could and connect to a database and store it somewhere and just do queries off it. So the following is just a proof of concept of how actually collecting particular information is quite easy. So again, proof of concept and presented without warranty. Not condoning the use of traffic spying or sniffing, but if I were you, I would probably go to a cafe with open Wi-Fi networks. So a quick introduction to Scapy. This makes me cringe, but this is what they suggest, from-import-star. So here's some sniffing for TCP traffic, basically HTTP traffic, and only getting 10 packets. So if we take a look at what that is, you can see I have 10 TCP packets and nothing else. And the results of that, I had to snip it. You can see a bunch of information here. If we just grab the first packet, we can use the show method and it gets pretty printed essentially. You can see the Ethernet layer, the IP layer, and the TCP layer. And literally that is all that we need to know, and then just essentially playing around with different filters. So the first snippet, and because I want super slick code names too, I've called this snippet tempura, like Tempora but the food. So this particular snippet is inspired by the XKeyscore program. So basically show me everyone that has searched for a particular term. So I have offline a pcap file. And then loading it. Or if you were to do it actively, basically TCP and that host, and I've limited it to 300 packets. Or you can save it for later. 
So if you take a look at the packets, I do indeed have 300 TCP packets. If you look at the summary of them all, here it is dumped out. If I just take a look at one of them, I can see that there's the raw payload there, if I just get that layer. And then, you know how when you search for something, there's like a q= kind of thing, or p=? So I just parsed this out of the raw payload, and at the time I was searching for Montreal. The second packet, maybe about 70 packets later: my second query was sniffed. I was looking for best chocolate Montreal. And then the third packet, the best coffee in Montreal. You can see where my priorities lie. So I should make note that this was before Yahoo sent all of its traffic over HTTPS. It only switched over a few years ago. So it would definitely be a lot more difficult if this were over HTTPS.

So snippet two. I've dubbed this Omnivore, like Carnivore. It's an XKeyscore query, maybe something like: show me everyone from a certain country that has visited a certain extremist forum. And for this, I did not dare visit an extremist forum. I'm probably already on a list, but I didn't want to make it worse. But this is the general approach. So I have this filter of TCP and some host. I have some data offline already, and I have 258 TCP packets. If I take the eighth one, I guess, you can see I have some payload information there. And I get that and print it, and I was visiting PyLadies, because I'm a good person. And so basically it's as simple as: if the extremist term that I'm looking for is in the raw payload of the data. Thank God it's false.

So then I did a quick and dirty traceroute function. This wraps around Scapy's traceroute method. And then, let's see, I was tracerouting Spotify and got a bunch of IP addresses. I take those IP addresses and get the coordinates for each IP. So I have a few.
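Added example (editor's, not code from the talk): the Tempora and Omnivore snippets above both boil down to reading the bytes of Scapy's Raw layer as an HTTP request, pulling the search term out of the query string, and checking the Host header or the raw bytes for a term. The block below does exactly that with the standard library only, so it runs without Scapy or a capture; the payloads are constructed samples standing in for pkt[Raw].load, and the search-engine parameter names are an assumption. The last sample is a TLS record, which is what the same request looks like once a site moves to HTTPS.

```python
"""Added example (not from the talk): pull search terms and visited hosts out
of plaintext HTTP request payloads, which is what the Tempora and Omnivore
snippets do on Scapy's Raw layer. Standard library only; the payloads below
are constructed samples standing in for pkt[Raw].load, not captured traffic."""
from urllib.parse import parse_qs, urlsplit

# Query-string keys that search engines commonly use for the search term
# (the "q=" / "p=" the talk mentions). Assumed, not exhaustive.
SEARCH_KEYS = ("q", "p", "query", "search")

# Constructed sample payloads; the last one is TLS record bytes, which is
# what every request looks like once a site moves to HTTPS.
SAMPLE_PAYLOADS = [
    b"GET /search?p=montreal&fr=yfp HTTP/1.1\r\nHost: search.yahoo.com\r\n\r\n",
    b"GET /search?q=best+chocolate+montreal HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    b"GET /blog/ HTTP/1.1\r\nHost: www.pyladies.com\r\nUser-Agent: x\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
]


def parse_http_request(payload):
    """Return (method, host, path, query) for a plaintext HTTP request, or
    None when the payload is not one (binary, TLS, a response, ...)."""
    head = payload.partition(b"\r\n\r\n")[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(parts[1])
    return parts[0], headers.get("host", ""), url.path, parse_qs(url.query)


def search_terms(payload):
    """Tempora-style: the search term(s) this request carries, if any."""
    req = parse_http_request(payload)
    if req is None:
        return []
    query = req[3]
    terms = []
    for key in SEARCH_KEYS:
        terms.extend(query.get(key, []))
    return terms


def visited_host(payload, site, term=None):
    """Omnivore-style: did this request go to `site` (or a subdomain), and,
    if `term` is given, does the term appear anywhere in the raw payload?"""
    req = parse_http_request(payload)
    if req is None:
        return False
    host = req[1].lower()
    if host != site and not host.endswith("." + site):
        return False
    return term is None or term.lower().encode() in payload.lower()


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(search_terms(payload), visited_host(payload, "pyladies.com"))
```

The fourth sample makes the HTTPS point from the talk concrete: the TLS bytes fail the ASCII decode, so nothing is recovered, and an attacker on the cafe Wi-Fi is left with only the destination IP and the packet sizes.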
And then I'm creating a GeoJSON file, or blob, that is essentially JSON with some coordinate information on top of it. So I have this information, and then you can actually copy and paste this into GitHub's gist functionality and they'll automatically render it. So you can see I was actually in Canada when I was tracerouting Spotify.com, located in Sweden, and you can see that the hops actually went through, I think, the Netherlands and Colorado. So even though the beginning and end were in non-U.S. countries, the fact that it goes through the U.S. means it's still under U.S. jurisdiction, which happens to a lot of internet traffic to begin with.

All right, so snippet three, named Teflon because that's what Echelon sounds like to me. So we're trying to answer the query: give me all emails with a certain term in the body of the email. So I'm sniffing for SMTP traffic. I have it offline already and I have a bunch of packets, as you can see. Taking the 12th packet and just printing the raw payload, that kind of looks encoded to me. So decode it, and it's an email address. Take the following packet, do the same thing, some encoded string, and it's actually a password prompt. The next one, take it, and I wonder what happens when I decode it: some password. This is just sample data. This is not actually someone's email and password login. So here, this is just a quick and dirty filter of packets by a particular string. So I'm wanting to see if someone mentioned attachment in the email. So I ran a query and it shows me that yes, indeed, someone was talking about, I had to snip it unfortunately, but someone was talking about an attachment in this email.

All right, snippet four, I've got two more. I've called this Cold Brew because reading about Stormbrew gave me a craving for cold brew coffee. And here we're wanting to see chats for a given user during a certain timeframe.
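Added example (editor's, not the talk's code): the "looks encoded to me" lines in the Teflon snippet are an SMTP AUTH LOGIN exchange, where the server sends base64 "Username:" and "Password:" prompts as 334 replies and the client answers with base64 of the credentials. The block below reconstructs that exchange and then filters message bodies for a term, both on plaintext port-25 traffic, using only the standard library. The session and the credentials in it are constructed sample data, not a capture; in the talk the same bytes would come from Scapy's Raw layer.

```python
"""Added example (not from the talk): decode an SMTP AUTH LOGIN exchange and
search message bodies for a term, the two things the Echelon snippet does on
port-25 payloads. Standard library only; the session below is constructed,
with made-up credentials, standing in for Scapy's Raw payloads."""
import base64

# Constructed sample: (direction, payload). "S" = server to client,
# "C" = client to server. Each payload is one TCP segment.
SAMPLE_SESSION = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO laptop\r\n"),
    ("S", b"250-mail.example.test\r\n250 AUTH LOGIN PLAIN\r\n"),
    ("C", b"AUTH LOGIN\r\n"),
    ("S", b"334 VXNlcm5hbWU6\r\n"),          # base64("Username:")
    ("C", b"YWxpY2VAZXhhbXBsZS50ZXN0\r\n"),  # base64("alice@example.test")
    ("S", b"334 UGFzc3dvcmQ6\r\n"),          # base64("Password:")
    ("C", b"aHVudGVyMg==\r\n"),              # base64("hunter2")
    ("S", b"235 2.7.0 Authentication successful\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"RCPT TO:<bob@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: report\r\n\r\nPlease see the attachment for the Q3 numbers.\r\n.\r\n"),
    ("S", b"250 OK: queued\r\n"),
]


def _b64_text(blob):
    """Decode a base64 token to text; return it unchanged if it is not
    base64 (e.g. a client sending '*' to abort the authentication)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return blob.decode("latin-1")


def decode_auth_login(session):
    """Pair every '334 <challenge>' from the server with the client's next
    line and decode both. Returns {prompt: response}."""
    creds, pending = {}, None
    for direction, payload in session:
        for line in payload.split(b"\r\n"):
            if not line:
                continue
            if direction == "S" and line.startswith(b"334 "):
                pending = _b64_text(line[4:])
            elif direction == "C" and pending is not None:
                creds[pending] = _b64_text(line)
                pending = None
    return creds


def extract_messages(session):
    """Return each message the client sent: the text between DATA and the
    terminating line holding a lone '.'."""
    stream = b"".join(p for d, p in session if d == "C").decode("utf-8", "replace")
    lines = stream.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # a trailing CRLF leaves an empty fragment
    messages, current = [], None
    for line in lines:
        if current is not None:
            if line == ".":
                messages.append("\r\n".join(current))
                current = None
            else:
                current.append(line)
        elif line.upper() == "DATA":
            current = []
    return messages


def messages_mentioning(session, term):
    """Echelon-style filter: every message body that contains `term`."""
    needle = term.lower()
    return [m for m in extract_messages(session) if needle in m.lower()]


if __name__ == "__main__":
    print(decode_auth_login(SAMPLE_SESSION))
    print(messages_mentioning(SAMPLE_SESSION, "attachment"))
```

The point the snippet makes holds for any plaintext authentication: base64 is an encoding, not encryption, and a passive observer who sees the 334 challenges gets the credentials for free. STARTTLS before AUTH, or submission over port 465, is what removes these lines from the wire.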
Here I'm sniffing for IRC traffic, on the standard port of 6667. And we get a bunch of packets; even some DNS queries are in there. With some pretty-printing functionality, you can see that there's some sort of chatting going on. And here's the same filter-packet-by-string function that I had. So now I'm searching for a particular user, Amarok. And you can see a bunch of conversations from Amarok.

Final one, I called this Lucky Charms, after Shamrock, because that's what I craved after reading about Shamrock. And with this snippet, we're trying to mimic the Hacienda program by finding all exploitable machines in a certain country. So this IP address is actually the host for former New York City Mayor Rudy Giuliani's site. In January, the then President-Elect Trump had named Rudy Giuliani to be his cyber security advisor, which I found hilarious. So the former mayor had this infosec consultancy company, and the site actually no longer exists. But I was able to port scan that site before it was taken offline, and you'll see why I think it's hilarious in a second. So we scan it using the python-nmap library. And I didn't include the whole thing here, but we get back a list of exposed ports and services, including an OpenSSH version released 10 years ago, anonymous LDAP, and an exposed MySQL database. We also could see that the site was running a five-year-old version of Joomla with unpatched vulnerabilities. So yeah, with this kind of information, you could easily figure out what you want to exploit. It's not like all that information is out there to begin with. So if you want to take a look at what this IP address points to, getting the coordinates again and creating a GeoJSON, and putting that in GitHub, we can see that Rudy Giuliani's host was in Denver.

Okay, so hopefully I've sufficiently scared you. Perhaps you're architecting your own new bunker with some tinfoil hats, canned goods, and maybe some signal scramblers.
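Added example (editor's, not from the talk): the Cold Brew snippet answers "what did this user say in this window" by grepping port-6667 payloads for a nick. Doing it properly means parsing the IRC message framing (`:nick!user@host PRIVMSG target :text`), because one TCP segment can carry several lines and the nick also appears in other people's messages. The block below does that with the standard library only; the packets are constructed (timestamp, payload) pairs standing in for Scapy's pkt.time and pkt[Raw].load, not a real capture, and the nicks and channel are made up. The Lucky Charms scan has no offline equivalent here, since it needs a live target.

```python
"""Added example (not from the talk): reconstruct IRC chat for one user in a
time window, the query the Cold Brew snippet answers. Standard library only;
the packets are constructed (timestamp, payload) pairs standing in for
Scapy's pkt.time and pkt[Raw].load on port 6667, not a real capture."""
import re
from datetime import datetime, timezone

# Constructed sample capture. 1500000000 is 2017-07-14 02:40:00 UTC.
SAMPLE_PACKETS = [
    (1500000000.0, b"PING :irc.example.test\r\n"),
    (1500000001.0, b":amarok!a@host.test PRIVMSG #pyladies :anyone around?\r\n"),
    (1500000130.0, b":tuxedo!t@host.test PRIVMSG #pyladies :yep, what's up\r\n"),
    # one TCP segment can carry several IRC lines
    (1500000200.0, b":amarok!a@host.test PRIVMSG #pyladies :need a hand with scapy filters\r\n"
                   b":amarok!a@host.test PRIVMSG tuxedo :dm me?\r\n"),
    (1500003700.0, b":amarok!a@host.test PRIVMSG #pyladies :never mind, got it\r\n"),
    (1500003800.0, b"\x00\x01\x02 not irc at all"),  # binary payload on the same port
]

# :nick!user@host PRIVMSG <target> :<text>   (RFC 1459 message framing)
PRIVMSG_RE = re.compile(rb"^:(?P<nick>[^!\s]+)(?:!\S+)? PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_privmsgs(packets):
    """Return (epoch, nick, target, text) for every PRIVMSG in the capture.
    Payloads are split on CRLF because a segment may hold several lines;
    anything that does not parse as a PRIVMSG is skipped."""
    out = []
    for ts, payload in packets:
        for line in payload.split(b"\r\n"):
            m = PRIVMSG_RE.match(line)
            if m:
                out.append((ts,
                            m["nick"].decode("utf-8", "replace"),
                            m["target"].decode("utf-8", "replace"),
                            m["text"].decode("utf-8", "replace")))
    return out


def fmt_time(ts):
    """Epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def chats_for_user(packets, nick, start_ts, end_ts):
    """Cold Brew query: what did `nick` say between start_ts (inclusive) and
    end_ts (exclusive)? Nick matching is case-insensitive, as on IRC."""
    return [(fmt_time(ts), target, text)
            for ts, who, target, text in parse_privmsgs(packets)
            if who.lower() == nick.lower() and start_ts <= ts < end_ts]


if __name__ == "__main__":
    for row in chats_for_user(SAMPLE_PACKETS, "Amarok", 1500000000, 1500003600):
        print(*row)
```

Note that the private message to tuxedo shows up too: on plaintext IRC a "direct message" is only private with respect to the channel, not to anyone sitting on the path.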
Or maybe I've inspired you to become a script kiddie yourself; just don't blame me if you're caught. The purpose of this talk is both to talk about what's going on in the world and to convey how easy it is to pick this stuff up, even if you're not an aspiring black hat. As I mentioned in the beginning, this talk is not to teach you how to protect yourself, because in all honesty, and I hate to say this, there isn't a corner in which you can hide. There are certainly precautions one can take, but as they say in the security industry, the defensive side will always be on the losing end of this fight, as there are always adversaries finding new ways to exploit things. We very well might enjoy all that technology has brought us. For instance, we're able to work from home without pants, or stalk ex-lovers with Facebook and Instagram and whatnot. You can even hack together your own script kiddie stuff like me, but it's essentially up to us to keep this conversation going, being complacent and ignorant. We can't just blame technology, because we essentially are the ones that give technology its purpose. So again, unfortunately I have no advice on how to protect yourself, just to be more vocal. And so with that, I will close with a pretty apt quote from Martin Niemöller. First they came for the socialists, and I did not speak out because I was not a socialist. Then they came for the trade unionists, and I did not speak out because I was not a trade unionist. Then they came for the Jews, and I did not speak out because I was not a Jew. And then they came for me, and there was no one left to speak for me. Thank you.