0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/710 Thanks!

1
00:00:14,160 --> 00:00:15,929
For the next talk, we welcome a

2
00:00:15,930 --> 00:00:18,269
contribution to the ever-expanding zoo

3
00:00:18,270 --> 00:00:20,369
of malware in the ecosystem of

4
00:00:20,370 --> 00:00:22,469
insecurity, Peg...

5
00:00:22,470 --> 00:00:23,609
Pegasus.

6
00:00:23,610 --> 00:00:25,679
It's about the case of Ahmed Mansoor.

7
00:00:27,720 --> 00:00:29,969
The Citizen Lab does excellent work

8
00:00:29,970 --> 00:00:32,188
in forensics and even

9
00:00:32,189 --> 00:00:33,779
made it into the Christian Science

10
00:00:33,780 --> 00:00:35,639
Monitor lately.

11
00:00:35,640 --> 00:00:37,979
And a big round of applause

12
00:00:37,980 --> 00:00:40,429
for Bill Marczak and John Scott-Railton.

13
00:00:45,970 --> 00:00:46,970
Next.

14
00:00:48,700 --> 00:00:50,229
Hello, everyone, can you hear us?

15
00:00:51,340 --> 00:00:52,869
Awesome. Where's my clicker?

16
00:00:54,530 --> 00:00:56,629
So my name is John Scott-Railton,

17
00:00:56,630 --> 00:00:58,489
and I'm here with my colleague Bill

18
00:00:58,490 --> 00:01:00,859
Marczak, and we are going to present

19
00:01:00,860 --> 00:01:03,049
a talk titled "Million

20
00:01:03,050 --> 00:01:05,208
Dollar Dissidents and the Rest

21
00:01:05,209 --> 00:01:07,579
of Us." Bill Marczak is a senior fellow

22
00:01:07,580 --> 00:01:08,899
at the Citizen Lab.

23
00:01:08,900 --> 00:01:10,999
He just got his PhD, like, last

24
00:01:11,000 --> 00:01:12,439
week at UC Berkeley.

25
00:01:12,440 --> 00:01:13,549
So, quick round of applause.
26
00:01:16,540 --> 00:01:17,859
And Bill is also one of the founding

27
00:01:17,860 --> 00:01:19,749
members of Bahrain Watch, which does

28
00:01:19,750 --> 00:01:21,849
really important work on human rights,

29
00:01:21,850 --> 00:01:24,129
transparency and defense in

30
00:01:24,130 --> 00:01:25,130
the Gulf.

31
00:01:25,630 --> 00:01:27,609
Thank you for that lovely introduction,

32
00:01:27,610 --> 00:01:29,739
John. My colleague John Scott-Railton,

33
00:01:29,740 --> 00:01:31,809
of course, is my co-conspirator at

34
00:01:31,810 --> 00:01:33,219
the Citizen Lab.

35
00:01:33,220 --> 00:01:35,049
He's also pursuing his Ph.D.

36
00:01:35,050 --> 00:01:37,569
at UCLA, and his research

37
00:01:37,570 --> 00:01:39,879
focuses on targeted threats, specifically

38
00:01:39,880 --> 00:01:42,309
against civil society.

39
00:01:42,310 --> 00:01:43,569
So for those of you who don't know the

40
00:01:43,570 --> 00:01:45,369
Citizen Lab, it's located in this big

41
00:01:45,370 --> 00:01:47,709
stone building in Toronto.

42
00:01:49,000 --> 00:01:51,489
We do two basic components

43
00:01:51,490 --> 00:01:53,799
of work. We look at targeted threats

44
00:01:53,800 --> 00:01:55,839
against civil society, and then we look at

45
00:01:55,840 --> 00:01:56,739
information control.

46
00:01:56,740 --> 00:01:57,909
And what we're going to talk about in

47
00:01:57,910 --> 00:02:00,159
this presentation is our work

48
00:02:00,160 --> 00:02:02,439
on targeted threats. Some

49
00:02:02,440 --> 00:02:04,119
background about the lab:

50
00:02:04,120 --> 00:02:06,219
it's fairly old in computer

51
00:02:06,220 --> 00:02:08,288
terms. It's independent, it's

52
00:02:08,289 --> 00:02:09,339
academic.
53
00:02:09,340 --> 00:02:12,009
And our bread and butter is developing

54
00:02:12,010 --> 00:02:14,319
long-form trust relationships

55
00:02:14,320 --> 00:02:16,779
with targeted groups to find things,

56
00:02:16,780 --> 00:02:18,129
and then combining that with a real

57
00:02:18,130 --> 00:02:20,499
degree of technical rigor to understand

58
00:02:20,500 --> 00:02:21,939
what it is that we found, whether it's

59
00:02:21,940 --> 00:02:23,919
phishing or other forms of attack.

60
00:02:23,920 --> 00:02:25,419
So, quick roadmap.

61
00:02:25,420 --> 00:02:26,949
I'm going to talk to you today, along

62
00:02:26,950 --> 00:02:28,749
with my colleague Bill, about two

63
00:02:28,750 --> 00:02:29,859
attacks,

64
00:02:29,860 --> 00:02:31,929
one zero-day. We're going to

65
00:02:31,930 --> 00:02:33,099
talk about some infrastructure

66
00:02:33,100 --> 00:02:34,359
fingerprinting.

67
00:02:34,360 --> 00:02:36,939
We're going to talk about scale issues

68
00:02:36,940 --> 00:02:39,429
for security and high-risk users.

69
00:02:39,430 --> 00:02:40,569
And we're going to end on that.

70
00:02:42,630 --> 00:02:44,219
All right, so let's jump right into the

71
00:02:44,220 --> 00:02:46,589
story. This handsome gentleman

72
00:02:46,590 --> 00:02:49,019
here is called Rory Donaghy,

73
00:02:49,020 --> 00:02:51,059
and he's a human rights activist based in

74
00:02:51,060 --> 00:02:52,529
the U.K.

75
00:02:52,530 --> 00:02:53,999
He's a founding member of this

76
00:02:54,000 --> 00:02:55,949
organization, the Emirates Center for

77
00:02:55,950 --> 00:02:57,959
Human Rights, that focuses on, you

78
00:02:57,960 --> 00:03:01,199
guessed it, human rights in the UAE.
79
00:03:01,200 --> 00:03:03,359
He's also now a journalist at Middle East

80
00:03:03,360 --> 00:03:06,089
Eye, where he's been publishing a series

81
00:03:06,090 --> 00:03:08,789
of stories involving

82
00:03:08,790 --> 00:03:10,859
leaked emails from high-ranking

83
00:03:10,860 --> 00:03:12,539
members of the UAE government.

84
00:03:14,860 --> 00:03:17,199
Recently, he was targeted.

85
00:03:17,200 --> 00:03:19,179
He actually got this interesting email

86
00:03:19,180 --> 00:03:22,209
here from an address,

87
00:03:22,210 --> 00:03:24,579
"the right to fight" at openmailbox

88
00:03:24,580 --> 00:03:27,159
dot org. Seems a bit sketchy.

89
00:03:27,160 --> 00:03:28,659
It says, "Mr. Donaghy,

90
00:03:28,660 --> 00:03:30,489
we are currently organizing a panel of

91
00:03:30,490 --> 00:03:31,389
experts.

92
00:03:31,390 --> 00:03:34,419
We invite you to apply to be a member."

93
00:03:34,420 --> 00:03:36,249
And you should respond with

94
00:03:36,250 --> 00:03:37,959
your thoughts about the following

95
00:03:37,960 --> 00:03:40,029
article. And there's a link here

96
00:03:40,030 --> 00:03:42,219
to this weird-looking site, right

97
00:03:42,220 --> 00:03:44,229
at me.

98
00:03:44,230 --> 00:03:45,429
You know, it looks kind of sketchy,

99
00:03:45,430 --> 00:03:46,430
right?

100
00:03:47,480 --> 00:03:49,699
Yeah, but at this point, somebody

101
00:03:49,700 --> 00:03:51,319
in the audience is probably thinking to

102
00:03:51,320 --> 00:03:53,569
themselves, oh man, it's another talk,

103
00:03:53,570 --> 00:03:55,219
activist somewhere getting socially

104
00:03:55,220 --> 00:03:56,749
engineered and phished. Like, haven't I

105
00:03:56,750 --> 00:03:59,659
seen this talk many, many times before?

106
00:03:59,660 --> 00:04:01,369
Well, that's a great point, John, but

107
00:04:01,370 --> 00:04:02,689
keep your shirt on. We're getting to some

108
00:04:02,690 --> 00:04:03,690
interesting stuff.

109
00:04:04,880 --> 00:04:07,129
All right. So, you asked me

110
00:04:07,130 --> 00:04:08,329
what's kind of weird, right?

111
00:04:08,330 --> 00:04:11,269
We started looking more into this site.

112
00:04:11,270 --> 00:04:12,979
We figured out that it was this thing

113
00:04:12,980 --> 00:04:15,199
that claimed to be a service where

114
00:04:15,200 --> 00:04:17,419
you could shorten your URLs, kind

115
00:04:17,420 --> 00:04:19,549
of like bit.ly

116
00:04:19,550 --> 00:04:21,000
or something like this.

117
00:04:22,160 --> 00:04:23,749
It turns out, though, that it was

118
00:04:23,750 --> 00:04:25,879
publicly accessible, so anybody could

119
00:04:25,880 --> 00:04:27,679
go here and shorten any URL that

120
00:04:27,680 --> 00:04:28,849
they wanted.

121
00:04:28,850 --> 00:04:30,839
It would redirect using just a regular

122
00:04:30,840 --> 00:04:32,479
HTTP 302.

123
00:04:32,480 --> 00:04:35,479
But the link that was sent to Donaghy

124
00:04:35,480 --> 00:04:37,249
actually redirected using a different

125
00:04:37,250 --> 00:04:39,379
mechanism, which ran a ton

126
00:04:39,380 --> 00:04:41,449
of JavaScript. If you clicked on it, it

127
00:04:41,450 --> 00:04:43,189
would have run a ton of JavaScript on his

128
00:04:43,190 --> 00:04:45,409
computer, including

129
00:04:45,410 --> 00:04:47,869
a bunch of attacks that would

130
00:04:47,870 --> 00:04:49,969
seek to deanonymize him if he was using

131
00:04:49,970 --> 00:04:51,169
Tor.

132
00:04:51,170 --> 00:04:52,999
One particular attack was able to figure

133
00:04:53,000 --> 00:04:55,069
out the location where Tor Browser

134
00:04:55,070 --> 00:04:57,049
Bundle was installed, which could contain

135
00:04:57,050 --> 00:04:59,000
the name of the person using it.
136
00:05:00,350 --> 00:05:02,449
Also, there was a really clever technique

137
00:05:02,450 --> 00:05:04,759
to do a local port scan of his computer

138
00:05:04,760 --> 00:05:07,099
to identify which antivirus

139
00:05:07,100 --> 00:05:09,049
program he was using, in order to perhaps

140
00:05:09,050 --> 00:05:11,149
enable bypassing antiviruses.

141
00:05:13,430 --> 00:05:14,989
So he received this email.

142
00:05:14,990 --> 00:05:17,369
We looked into this weird accident

143
00:05:17,370 --> 00:05:19,069
missile. Right.

144
00:05:19,070 --> 00:05:20,929
The interesting thing was, we were

145
00:05:20,930 --> 00:05:23,029
actually able to get more from this

146
00:05:23,030 --> 00:05:25,489
attacker. So we instructed

147
00:05:25,490 --> 00:05:28,459
Donaghy to send a response

148
00:05:28,460 --> 00:05:30,229
saying, thanks for your message,

149
00:05:30,230 --> 00:05:31,639
but I'm having trouble with your link.

150
00:05:34,200 --> 00:05:36,809
So this

151
00:05:36,810 --> 00:05:38,549
case was actually really unusual because

152
00:05:38,550 --> 00:05:40,619
the attacker did, in fact, respond with

153
00:05:40,620 --> 00:05:42,779
this e-mail and said, hey, we

154
00:05:42,780 --> 00:05:45,089
apologize for your having problems.

155
00:05:46,330 --> 00:05:47,609
Here's another link where you can

156
00:05:47,610 --> 00:05:49,529
download our organizational information

157
00:05:49,530 --> 00:05:51,809
as an attachment, as a file.

158
00:05:51,810 --> 00:05:54,059
But the catch is, we were

159
00:05:54,060 --> 00:05:55,829
such a secret organization, we had to

160
00:05:55,830 --> 00:05:57,989
protect it with macro-enabled

161
00:05:57,990 --> 00:05:59,669
security. Right.

162
00:05:59,670 --> 00:06:01,739
So it requests you to please

163
00:06:01,740 --> 00:06:03,809
enable macros to view

164
00:06:03,810 --> 00:06:05,519
the information about the organization.

165
00:06:05,520 --> 00:06:06,719
Right.
166
00:06:06,720 --> 00:06:08,129
So this is the image that he was

167
00:06:08,130 --> 00:06:10,139
presented with when he opened up the

168
00:06:10,140 --> 00:06:11,049
Word document.

169
00:06:11,050 --> 00:06:13,079
It says, this document is secured.

170
00:06:13,080 --> 00:06:14,579
Please enable macros to continue.

171
00:06:14,580 --> 00:06:16,229
And it says the same thing in

172
00:06:16,230 --> 00:06:17,339
Arabic.

173
00:06:17,340 --> 00:06:18,819
And it's got, you know, it looks official,

174
00:06:18,820 --> 00:06:21,269
right? It's got the Office 365 logo.

175
00:06:21,270 --> 00:06:23,399
It's got the Proofpoint logo, like

176
00:06:23,400 --> 00:06:24,839
those guys do document security.

177
00:06:24,840 --> 00:06:27,029
OK, this is a pretty good,

178
00:06:27,030 --> 00:06:28,079
pretty good phish, so yeah.

179
00:06:29,400 --> 00:06:30,629
So what did the macro do?

180
00:06:30,630 --> 00:06:32,489
Obviously, it displayed information, but

181
00:06:32,490 --> 00:06:34,769
that wasn't the only thing it did.

182
00:06:34,770 --> 00:06:36,899
So it turns out it

183
00:06:36,900 --> 00:06:38,999
was a pretty basic PowerShell macro,

184
00:06:39,000 --> 00:06:41,519
or a macro that ran a PowerShell command.

185
00:06:41,520 --> 00:06:43,649
And the PowerShell command was designed

186
00:06:43,650 --> 00:06:46,019
to gather basic system information,

187
00:06:46,020 --> 00:06:47,789
as well as, interestingly, the installed

188
00:06:47,790 --> 00:06:49,379
version of .NET.

189
00:06:49,380 --> 00:06:51,599
And it submitted all this information

190
00:06:51,600 --> 00:06:53,909
to a kind of interesting-looking site

191
00:06:53,910 --> 00:06:56,249
at hostingcache dot com and

192
00:06:56,250 --> 00:06:58,439
pulled a response back from the server,

193
00:06:58,440 --> 00:07:00,000
which was then executed in PowerShell.
194
00:07:01,310 --> 00:07:03,749
So we got this stage two response

195
00:07:03,750 --> 00:07:06,179
from the server, which actually installed

196
00:07:06,180 --> 00:07:08,819
a scheduled task in Windows.

197
00:07:08,820 --> 00:07:11,099
And every hour it pulled new

198
00:07:11,100 --> 00:07:12,779
commands from the server and executed

199
00:07:12,780 --> 00:07:14,609
them. But it was actually a different

200
00:07:14,610 --> 00:07:15,779
server,

201
00:07:15,780 --> 00:07:17,339
incapsulawebcache dot com.

202
00:07:19,550 --> 00:07:21,799
And then so the third stage, the

203
00:07:21,800 --> 00:07:23,599
commands pulled down by the stage two, we

204
00:07:23,600 --> 00:07:25,519
were actually able to get some of these,

205
00:07:25,520 --> 00:07:27,709
and they appeared to be... the first

206
00:07:27,710 --> 00:07:30,379
command was getting the ARP table,

207
00:07:30,380 --> 00:07:32,509
which contained perhaps information about

208
00:07:32,510 --> 00:07:34,219
other machines locally connected to the

209
00:07:34,220 --> 00:07:36,319
network, to perhaps enable lateral

210
00:07:36,320 --> 00:07:38,599
movement by the attacker, and also

211
00:07:38,600 --> 00:07:40,789
very, very aggressively scraped

212
00:07:40,790 --> 00:07:42,829
the computer for passwords and browsing

213
00:07:42,830 --> 00:07:45,289
data using, in fact,

214
00:07:45,290 --> 00:07:46,549
GPLv3-licensed code.

215
00:07:46,550 --> 00:07:48,200
Nobody tell Richard Stallman.

216
00:07:49,490 --> 00:07:51,769
From this application called Quasar

217
00:07:51,770 --> 00:07:52,770
RAT.

218
00:07:53,980 --> 00:07:56,079
All right, Bill, phishing,

219
00:07:56,080 --> 00:07:58,209
PowerShell, macros. I'm still kind

220
00:07:58,210 --> 00:07:59,499
of skeptical that this is going somewhere

221
00:07:59,500 --> 00:08:00,500
interesting.
222
00:08:01,090 --> 00:08:02,529
Well, you're right, it's technically

223
00:08:02,530 --> 00:08:04,599
boring, but actually this

224
00:08:04,600 --> 00:08:06,099
sort of technique keeps working.

225
00:08:06,100 --> 00:08:07,419
Activists keep getting compromised.

226
00:08:07,420 --> 00:08:08,619
It just sounds to me like more user

227
00:08:08,620 --> 00:08:10,749
error. Well, in fact, John, this

228
00:08:10,750 --> 00:08:12,249
looks kind of like a digital public

229
00:08:12,250 --> 00:08:13,250
health problem.

230
00:08:16,920 --> 00:08:18,119
Indeed, it does.

231
00:08:18,120 --> 00:08:20,399
So as we've worked with

232
00:08:20,400 --> 00:08:23,429
targeted groups for

233
00:08:23,430 --> 00:08:25,499
a good chunk of the last decade, one of

234
00:08:25,500 --> 00:08:27,479
the things we've observed is that the

235
00:08:27,480 --> 00:08:28,499
Internet, surprising

236
00:08:28,500 --> 00:08:30,989
no one, has profoundly reduced

237
00:08:30,990 --> 00:08:33,569
asymmetries in the ability of individuals

238
00:08:33,570 --> 00:08:35,699
and organizations to communicate

239
00:08:35,700 --> 00:08:37,199
and broadcast their information.

240
00:08:37,200 --> 00:08:38,200
Right.

241
00:08:38,669 --> 00:08:40,168
The advantage, the story I always think of,

242
00:08:40,169 --> 00:08:42,298
is, like, in a coup d'état it used to be,

243
00:08:42,299 --> 00:08:43,499
you know, the rebels had to capture the

244
00:08:43,500 --> 00:08:44,969
TV station. Now everyone can have

245
00:08:44,970 --> 00:08:46,349
something like that.

246
00:08:46,350 --> 00:08:47,969
So it's very exciting, and it's profoundly

247
00:08:47,970 --> 00:08:50,099
changed the way that civil society does

248
00:08:50,100 --> 00:08:51,389
its communication.
249
00:08:51,390 --> 00:08:53,489
But there's a great overhang, because that

250
00:08:53,490 --> 00:08:55,949
technology has not itself changed

251
00:08:55,950 --> 00:08:58,019
the underlying asymmetries

252
00:08:58,020 --> 00:09:00,239
of risk and power that

253
00:09:00,240 --> 00:09:01,769
are still articulated through the

254
00:09:01,770 --> 00:09:02,819
Internet.

255
00:09:02,820 --> 00:09:05,219
What that means in practice

256
00:09:05,220 --> 00:09:07,019
is that civil society is really

257
00:09:07,020 --> 00:09:09,299
vulnerable, and it's made more so because

258
00:09:09,300 --> 00:09:11,369
most civil society organizations,

259
00:09:11,370 --> 00:09:13,619
most NGOs, are like the ultimate

260
00:09:13,620 --> 00:09:15,659
bring-your-own-device, bring-your-own-

261
00:09:15,660 --> 00:09:18,029
computing-style computing environment.

262
00:09:18,030 --> 00:09:20,339
There's absolutely no IT department.

263
00:09:20,340 --> 00:09:22,049
There's no choke point on the network

264
00:09:22,050 --> 00:09:23,609
that you can monitor.

265
00:09:23,610 --> 00:09:25,529
Most people have very mixed, even

266
00:09:25,530 --> 00:09:28,289
artisanal, relationships to their security,

267
00:09:28,290 --> 00:09:30,329
and little access to behavior

268
00:09:30,330 --> 00:09:32,279
if you're trying to change behaviors, and

269
00:09:32,280 --> 00:09:34,739
usually documentation of bad things

270
00:09:34,740 --> 00:09:37,109
is terrible. Put differently,

271
00:09:37,110 --> 00:09:38,579
it's a big headache to try to do

272
00:09:38,580 --> 00:09:40,709
security. And the reason is not some kind

273
00:09:40,710 --> 00:09:42,539
of moral or ethical deficiency.
274
00:09:42,540 --> 00:09:44,279
It's that people are really strapped for

275
00:09:44,280 --> 00:09:46,379
time and resources and knowledge,

276
00:09:46,380 --> 00:09:48,149
and are trying to focus on their primary

277
00:09:48,150 --> 00:09:50,279
objective, which is usually not securing

278
00:09:50,280 --> 00:09:51,389
their boxes.

279
00:09:51,390 --> 00:09:53,639
The predictable result, of course, of

280
00:09:53,640 --> 00:09:55,769
all of this is a hidden, and sometimes

281
00:09:55,770 --> 00:09:58,259
not-so-hidden, epidemic of compromises

282
00:09:58,260 --> 00:09:59,999
within civil society.

283
00:10:02,510 --> 00:10:04,459
So what happened to the story we were

284
00:10:04,460 --> 00:10:05,419
telling?

285
00:10:05,420 --> 00:10:07,309
Well, so that story about macros and

286
00:10:07,310 --> 00:10:09,349
PowerShell will actually lead us to an iOS

287
00:10:09,350 --> 00:10:10,350
zero-day.

288
00:10:11,270 --> 00:10:13,189
All right, I'm interested, Bill.

289
00:10:13,190 --> 00:10:15,199
OK, let's break it down, John.

290
00:10:15,200 --> 00:10:17,959
OK, so we published the information

291
00:10:17,960 --> 00:10:20,059
about Rory Donaghy and his targeting

292
00:10:20,060 --> 00:10:21,949
in a Citizen Lab report.

293
00:10:21,950 --> 00:10:22,950
You can read about it.

294
00:10:23,840 --> 00:10:25,879
As part of this, we were able to trace the

295
00:10:25,880 --> 00:10:28,099
stage one and stage two domains

296
00:10:28,100 --> 00:10:30,679
at hostingcache and incapsulawebcache

297
00:10:30,680 --> 00:10:32,839
to 11 and 69

298
00:10:32,840 --> 00:10:34,609
other domain names, respectively.

299
00:10:34,610 --> 00:10:36,709
And once we had this, the next

300
00:10:36,710 --> 00:10:38,479
question was, could we trace it even

301
00:10:38,480 --> 00:10:39,529
further?
302
00:10:39,530 --> 00:10:41,659
So we started looking at the WHOIS

303
00:10:41,660 --> 00:10:43,789
information for these domain names,

304
00:10:43,790 --> 00:10:46,519
as well as a bunch of their DNS records,

305
00:10:46,520 --> 00:10:48,139
specifically the start of

306
00:10:48,140 --> 00:10:50,419
authority DNS record.

307
00:10:50,420 --> 00:10:52,099
And we noticed something quite

308
00:10:52,100 --> 00:10:52,999
interesting.

309
00:10:53,000 --> 00:10:55,999
We noticed this email address, P

310
00:10:56,000 --> 00:10:57,649
N one P...

311
00:10:58,730 --> 00:11:01,729
P N one G three at sigaint dot org.

312
00:11:01,730 --> 00:11:03,679
And it was pointed to by one of the stage

313
00:11:03,680 --> 00:11:05,869
two domains we had found, but

314
00:11:05,870 --> 00:11:07,969
also by three other domains which we had

315
00:11:07,970 --> 00:11:09,499
no idea what they were.

316
00:11:09,500 --> 00:11:11,389
They didn't match our fingerprints for

317
00:11:11,390 --> 00:11:13,249
stage one or stage two of the spyware.

318
00:11:14,630 --> 00:11:16,519
In fact, we determined they were designed

319
00:11:16,520 --> 00:11:18,619
to impersonate this website,

320
00:11:18,620 --> 00:11:21,109
Asrar Arabiya, or "Arabian

321
00:11:21,110 --> 00:11:23,209
Secrets," which is actually a

322
00:11:23,210 --> 00:11:25,249
legitimate news site that provides news

323
00:11:25,250 --> 00:11:27,769
and gossip about stories going on

324
00:11:27,770 --> 00:11:28,770
in the Middle East.

325
00:11:29,630 --> 00:11:31,729
We were able to get the contents of

326
00:11:31,730 --> 00:11:33,519
these sites. You know, we just

327
00:11:33,520 --> 00:11:35,149
visited these websites and found the

328
00:11:35,150 --> 00:11:37,429
following code, the

329
00:11:37,430 --> 00:11:39,979
following HTML code returned by the sites.
330
00:11:39,980 --> 00:11:41,689
As you can see, what's going on here is

331
00:11:41,690 --> 00:11:44,119
they're showing the legitimate Asrar

332
00:11:44,120 --> 00:11:46,669
Arabiya website to the user in an iframe

333
00:11:46,670 --> 00:11:48,829
that takes up the whole browser window.

334
00:11:48,830 --> 00:11:51,049
And there's also this invisible one-by-

335
00:11:51,050 --> 00:11:53,239
one iframe loading

336
00:11:53,240 --> 00:11:55,639
this weird-looking site, smser

337
00:11:55,640 --> 00:11:58,429
dot net slash a bunch of numbers.

338
00:11:58,430 --> 00:11:59,430
Very weird.

339
00:12:00,950 --> 00:12:02,839
So we began kind of investigating this.

340
00:12:02,840 --> 00:12:04,999
We looked at this link specifically.

341
00:12:05,000 --> 00:12:07,459
We found that it redirected to

342
00:12:07,460 --> 00:12:10,279
smser dot net slash redirect dot aspx,

343
00:12:10,280 --> 00:12:12,499
which returned this HTML

344
00:12:12,500 --> 00:12:14,839
code. And

345
00:12:14,840 --> 00:12:17,299
you can see this is kind of weird,

346
00:12:17,300 --> 00:12:20,449
it's got a very distinctive format.

347
00:12:20,450 --> 00:12:22,789
There's two meta redirects to Google, and

348
00:12:22,790 --> 00:12:24,859
there's kind of like a blank title

349
00:12:24,860 --> 00:12:25,940
and a blank body.

350
00:12:27,350 --> 00:12:29,509
It struck us as very odd.

351
00:12:29,510 --> 00:12:31,789
So we used

352
00:12:31,790 --> 00:12:34,309
this as a fingerprint and, in fact, scanned

353
00:12:34,310 --> 00:12:36,019
the entire Internet looking for the same

354
00:12:36,020 --> 00:12:37,399
fingerprint.

355
00:12:37,400 --> 00:12:39,469
Specifically, we used zmap, we

356
00:12:39,470 --> 00:12:41,689
used zmap to scan the entire Internet,

357
00:12:41,690 --> 00:12:43,669
doing a GET request for redirect

358
00:12:43,670 --> 00:12:46,399
dot aspx on every server on port 80.
359
00:12:46,400 --> 00:12:48,459
And we found actually one hundred

360
00:12:48,460 --> 00:12:50,659
and forty-nine IP addresses mapping

361
00:12:50,660 --> 00:12:52,279
to one hundred forty-nine domain names

362
00:12:52,280 --> 00:12:54,469
which returned this same

363
00:12:54,470 --> 00:12:55,770
code. Only one hundred forty-nine.

364
00:12:57,080 --> 00:12:59,329
So this struck us as kind of odd,

365
00:12:59,330 --> 00:13:00,919
the fact... you know, maybe we were onto

366
00:13:00,920 --> 00:13:01,920
something important.

367
00:13:02,700 --> 00:13:04,649
We then began breaking down and looking

368
00:13:04,650 --> 00:13:06,329
at exactly what those domain names we

369
00:13:06,330 --> 00:13:07,330
found were.

370
00:13:08,730 --> 00:13:09,989
We found that a couple of them were

371
00:13:09,990 --> 00:13:12,239
designed to impersonate, for

372
00:13:12,240 --> 00:13:14,339
example, government portals

373
00:13:14,340 --> 00:13:16,109
or humanitarian organizations like the

374
00:13:16,110 --> 00:13:19,109
Red Cross, or airlines,

375
00:13:19,110 --> 00:13:20,669
news media, and a bunch of other different

376
00:13:20,670 --> 00:13:22,559
categories. But the theme that struck us

377
00:13:22,560 --> 00:13:23,969
was impersonation.

378
00:13:23,970 --> 00:13:26,489
You can see here some of the typos, like

379
00:13:26,490 --> 00:13:28,559
"Al Jazeera dot co" instead of

380
00:13:28,560 --> 00:13:29,560
Al Jazeera.

381
00:13:31,850 --> 00:13:33,649
Another thing we noticed is that some of

382
00:13:33,650 --> 00:13:35,869
the domains had

383
00:13:35,870 --> 00:13:37,999
"SMS" in them over and over and

384
00:13:38,000 --> 00:13:40,099
over, and this struck us as odd,

385
00:13:40,100 --> 00:13:40,339
right?
386
00:13:40,340 --> 00:13:41,569
Why would you have a bunch of domain

387
00:13:41,570 --> 00:13:43,069
names that are impersonating things and a

388
00:13:43,070 --> 00:13:44,689
bunch of other related domain names with

389
00:13:44,690 --> 00:13:46,219
SMS in the name?

390
00:13:46,220 --> 00:13:47,749
Well, maybe if you're targeting mobile

391
00:13:47,750 --> 00:13:49,669
phones and people get, you know, some

392
00:13:49,670 --> 00:13:51,829
sort of link that has SMS in it,

393
00:13:51,830 --> 00:13:53,329
maybe they're more likely to click on it.

394
00:13:53,330 --> 00:13:55,579
So at this point, we figured maybe

395
00:13:55,580 --> 00:13:57,979
these domain names, these 149

396
00:13:57,980 --> 00:13:59,419
domain names, were designed to target

397
00:13:59,420 --> 00:14:00,420
mobile phones.

398
00:14:03,300 --> 00:14:05,819
So we waited, and

399
00:14:05,820 --> 00:14:08,009
we asked around. One of the key

400
00:14:08,010 --> 00:14:09,899
features of the way that Citizen Lab does

401
00:14:09,900 --> 00:14:12,149
its work is that it often leaves us with

402
00:14:12,150 --> 00:14:14,459
big questions and watching.

403
00:14:14,460 --> 00:14:16,649
So, to think about our workflow, it

404
00:14:16,650 --> 00:14:18,329
often involves encountering a group

405
00:14:18,330 --> 00:14:20,609
that's received something suspicious.

406
00:14:20,610 --> 00:14:22,499
We take a look at what they received.

407
00:14:22,500 --> 00:14:24,059
We often find some command and control

408
00:14:24,060 --> 00:14:25,049
infrastructure.

409
00:14:25,050 --> 00:14:27,539
And then we look and we wait and we poke.

410
00:14:27,540 --> 00:14:29,489
And at the same time, we will develop

411
00:14:29,490 --> 00:14:30,779
fingerprints for that C2

412
00:14:30,780 --> 00:14:32,609
infrastructure and start to get a better

413
00:14:32,610 --> 00:14:34,709
sense of where else it might be

414
00:14:34,710 --> 00:14:36,779
in IPv4 space.
415
00:14:36,780 --> 00:14:38,879
We'll then often go back, having

416
00:14:38,880 --> 00:14:40,649
found infrastructure, which is where we

417
00:14:40,650 --> 00:14:42,749
are in this story, and start looking

418
00:14:42,750 --> 00:14:44,819
for malware or something

419
00:14:44,820 --> 00:14:46,499
that talks to that infrastructure.

420
00:14:46,500 --> 00:14:48,209
And what we're doing is exploiting a

421
00:14:48,210 --> 00:14:49,529
fundamental principle.

422
00:14:49,530 --> 00:14:52,139
We think of targeted

423
00:14:52,140 --> 00:14:54,419
surveillance using intrusion,

424
00:14:54,420 --> 00:14:56,819
which is when it's used at the scale

425
00:14:56,820 --> 00:14:58,739
of monitoring a group of people rather

426
00:14:58,740 --> 00:15:00,179
than a single intrusion:

427
00:15:00,180 --> 00:15:02,129
infrastructure is going to get used not

428
00:15:02,130 --> 00:15:04,469
just for one person, but for a bunch.

429
00:15:04,470 --> 00:15:05,729
That means that servers are going to stay

430
00:15:05,730 --> 00:15:07,049
online for a while.

431
00:15:07,050 --> 00:15:08,189
That means that there may be malware

432
00:15:08,190 --> 00:15:09,269
floating around.

433
00:15:09,270 --> 00:15:11,489
And this is really part of the enabling

434
00:15:11,490 --> 00:15:13,949
feature of this community

435
00:15:13,950 --> 00:15:15,329
for the work that we do.

436
00:15:15,330 --> 00:15:16,979
And it translates into interesting

437
00:15:16,980 --> 00:15:19,619
results. So in 2014,

438
00:15:19,620 --> 00:15:21,839
using fingerprints developed for

439
00:15:21,840 --> 00:15:24,029
the malware of Hacking Team,

440
00:15:24,030 --> 00:15:26,159
we came up with a list of suspected

441
00:15:26,160 --> 00:15:27,160
government users.

442
00:15:28,290 --> 00:15:29,759
In twenty fifteen,

443
00:15:29,760 --> 00:15:31,679
we did the same thing, updating earlier

444
00:15:31,680 --> 00:15:34,199
work on suspected government users

445
00:15:34,200 --> 00:15:36,509
of FinFisher.
446
00:15:36,510 --> 00:15:39,269
But back to waiting.

447
00:15:39,270 --> 00:15:41,459
In August of twenty

448
00:15:41,460 --> 00:15:43,619
sixteen, we got a message

449
00:15:43,620 --> 00:15:45,689
from Ahmed Mansoor, who

450
00:15:45,690 --> 00:15:48,869
is, as was mentioned in the introduction,

451
00:15:48,870 --> 00:15:50,939
a human rights defender based in the

452
00:15:50,940 --> 00:15:53,639
UAE. Mansoor said,

453
00:15:53,640 --> 00:15:55,859
guys, I think I'm being

454
00:15:55,860 --> 00:15:57,029
targeted again.

455
00:15:58,680 --> 00:16:01,169
And we believed him, because

456
00:16:01,170 --> 00:16:03,359
in 2011, Mansoor was

457
00:16:03,360 --> 00:16:04,830
targeted with FinFisher,

458
00:16:06,690 --> 00:16:09,179
a document SANAYA and disguised

459
00:16:09,180 --> 00:16:12,059
as a PDF. And then,

460
00:16:12,060 --> 00:16:13,469
nobody leaving well enough alone,

461
00:16:13,470 --> 00:16:15,659
he was targeted again

462
00:16:15,660 --> 00:16:17,849
with a Hacking Team implant

463
00:16:17,850 --> 00:16:19,979
in 2012, this time with an

464
00:16:19,980 --> 00:16:22,109
attack document and some

465
00:16:22,110 --> 00:16:23,110
zero-day.

466
00:16:24,290 --> 00:16:26,539
So we paid attention

467
00:16:26,540 --> 00:16:29,269
to what he had for us, which was two

468
00:16:29,270 --> 00:16:32,479
SMS messages that he had received,

469
00:16:32,480 --> 00:16:34,549
basically translating to "new

470
00:16:34,550 --> 00:16:37,069
secrets about Emiratis tortured

471
00:16:37,070 --> 00:16:39,559
in state prisons," something

472
00:16:39,560 --> 00:16:41,629
relevant to his work not only as a human

473
00:16:41,630 --> 00:16:43,789
rights defender, but to him personally,

474
00:16:43,790 --> 00:16:45,859
as he's previously been arrested and

475
00:16:45,860 --> 00:16:49,099
jailed for his highly important work.

476
00:16:49,100 --> 00:16:51,139
So we said, nice bait.

477
00:16:51,140 --> 00:16:52,140
We'll take it.
478
00:16:55,570 --> 00:16:57,819
So, as John said, we decided to

479
00:16:57,820 --> 00:17:00,459
take this bait. We decided to somehow

480
00:17:00,460 --> 00:17:02,019
see what was behind these links that

481
00:17:02,020 --> 00:17:04,838
Mansoor had sent us in the text messages.

482
00:17:04,839 --> 00:17:06,219
So what did we do?

483
00:17:06,220 --> 00:17:08,469
Well, we actually figured,

484
00:17:08,470 --> 00:17:10,179
hey, let's open this up on an iPhone.

485
00:17:10,180 --> 00:17:12,429
He received the links on his iPhone

486
00:17:12,430 --> 00:17:14,588
6. So we said, OK, we've got

487
00:17:14,589 --> 00:17:15,848
an iPhone.

488
00:17:15,849 --> 00:17:18,159
Let's factory reset it, and let's

489
00:17:18,160 --> 00:17:20,439
connect it to the Internet through

490
00:17:20,440 --> 00:17:21,909
a laptop.

491
00:17:21,910 --> 00:17:24,068
Since the link was using HTTPS, we

492
00:17:24,069 --> 00:17:25,479
wanted to capture everything.

493
00:17:25,480 --> 00:17:27,969
So we set up a laptop with mitmproxy

494
00:17:27,970 --> 00:17:30,099
and Wireshark, and

495
00:17:30,100 --> 00:17:32,439
basically installed the fake

496
00:17:32,440 --> 00:17:35,259
root CA on the iPhone and

497
00:17:35,260 --> 00:17:37,389
transcribed the link into

498
00:17:37,390 --> 00:17:39,729
Safari on our iPhone.

499
00:17:39,730 --> 00:17:41,799
So all the phone's Internet traffic was

500
00:17:41,800 --> 00:17:43,119
going through the laptop. We could see

501
00:17:43,120 --> 00:17:45,159
everything. And our goal was to kind of

502
00:17:45,160 --> 00:17:46,839
capture what might be behind this.

503
00:17:48,640 --> 00:17:50,069
So what happens next will shock you.

504
00:17:52,190 --> 00:17:54,529
All right, so this is the output

505
00:17:54,530 --> 00:17:56,919
from Wireshark that we were seeing on

506
00:17:56,920 --> 00:17:58,279
our laptop.
507 00:17:58,280 --> 00:17:59,509 So the first thing, obviously, you know, 508 00:17:59,510 --> 00:18:01,279 we transcribed the link, we typed it in, 509 00:18:01,280 --> 00:18:03,469 and we see what you'd expect: a GET 510 00:18:03,470 --> 00:18:04,609 request for the link. 511 00:18:04,610 --> 00:18:06,349 And it turned out this was a blob of 512 00:18:06,350 --> 00:18:08,389 obfuscated JavaScript, which already was 513 00:18:08,390 --> 00:18:09,390 quite interesting. 514 00:18:11,190 --> 00:18:13,199 The next thing we saw is that about 10 515 00:18:13,200 --> 00:18:15,239 seconds after we typed it in, the Safari 516 00:18:15,240 --> 00:18:17,459 window on the iPhone closed. Very 517 00:18:17,460 --> 00:18:18,929 weird. Very unusual. 518 00:18:18,930 --> 00:18:21,359 This was our first indication that, OK, 519 00:18:21,360 --> 00:18:23,489 maybe there is some sort of 520 00:18:23,490 --> 00:18:25,619 shenanigans going on here with 521 00:18:25,620 --> 00:18:26,620 this link. 522 00:18:28,220 --> 00:18:30,439 We saw then the phone sent out another 523 00:18:30,440 --> 00:18:32,599 request for this file, final111, 524 00:18:32,600 --> 00:18:34,729 which was a second stage 525 00:18:34,730 --> 00:18:36,619 of, you know, lightly obfuscated code. 526 00:18:37,730 --> 00:18:39,949 A bunch of other requests appeared 527 00:18:39,950 --> 00:18:42,049 to emanate from the phone, giving 528 00:18:42,050 --> 00:18:44,149 basically like logging data or the status 529 00:18:44,150 --> 00:18:45,740 of what was going on to the server. 530 00:18:47,060 --> 00:18:49,609 And then we saw a message saying 531 00:18:49,610 --> 00:18:51,169 "trying to download bundle".
532 00:18:51,170 --> 00:18:53,089 In other words, the phone sent a log 533 00:18:53,090 --> 00:18:54,859 message to the server saying that it was 534 00:18:54,860 --> 00:18:56,539 trying to download something, and it was 535 00:18:56,540 --> 00:18:58,699 trying to download this file, 536 00:18:58,700 --> 00:19:00,799 test111.tar, 537 00:19:00,800 --> 00:19:02,479 which actually was an iPhone 538 00:19:02,480 --> 00:19:03,480 application. 539 00:19:04,820 --> 00:19:06,829 And the interesting thing is that this 540 00:19:06,830 --> 00:19:08,899 request came from a non-Safari user 541 00:19:08,900 --> 00:19:10,999 agent, telling us that control 542 00:19:11,000 --> 00:19:12,799 had been transferred, perhaps, to some 543 00:19:12,800 --> 00:19:14,389 other process on the phone, which was 544 00:19:14,390 --> 00:19:15,390 fetching this. 545 00:19:18,280 --> 00:19:20,349 So hold on, Bill, are 546 00:19:20,350 --> 00:19:21,849 we looking at some kind of remote 547 00:19:21,850 --> 00:19:23,049 jailbreak? 548 00:19:23,050 --> 00:19:24,759 Well, that was kind of what we thought. 549 00:19:24,760 --> 00:19:25,959 We thought we might be looking at that 550 00:19:25,960 --> 00:19:27,069 indeed. 551 00:19:27,070 --> 00:19:29,799 So what exactly did we get? 552 00:19:29,800 --> 00:19:32,259 Well, it turned out that what we had seen 553 00:19:32,260 --> 00:19:34,299 was the result of three zero-day 554 00:19:34,300 --> 00:19:35,349 exploits. 555 00:19:35,350 --> 00:19:37,449 The first an exploit in Safari, 556 00:19:37,450 --> 00:19:39,789 and the second two exploits designed to 557 00:19:39,790 --> 00:19:41,949 jailbreak and install an app 558 00:19:41,950 --> 00:19:42,950 on the phone.
559 00:19:44,170 --> 00:19:46,239 The payload that is installed was 560 00:19:46,240 --> 00:19:47,680 actually capable of recording 561 00:19:48,790 --> 00:19:51,159 messages, voice 562 00:19:51,160 --> 00:19:52,689 and all kinds of other data from a number 563 00:19:52,690 --> 00:19:54,369 of apps on the phone. 564 00:19:56,640 --> 00:19:58,799 And for those of you who have been 565 00:19:58,800 --> 00:20:01,289 attending CCC, we 566 00:20:01,290 --> 00:20:03,449 gave the artifacts 567 00:20:03,450 --> 00:20:04,979 that we'd received to our friends at 568 00:20:04,980 --> 00:20:07,169 Lookout, and this handsome 569 00:20:07,170 --> 00:20:09,359 gentleman here, Max Bazaliy, gave 570 00:20:09,360 --> 00:20:11,579 an excellent talk on the internals of 571 00:20:11,580 --> 00:20:13,889 the exploits and the jailbreak 572 00:20:13,890 --> 00:20:15,329 on day one of CCC. 573 00:20:15,330 --> 00:20:16,529 So I hope you all check that out. 574 00:20:16,530 --> 00:20:18,299 If not, you can watch it online. 575 00:20:20,640 --> 00:20:23,369 So, of course, we also realized, 576 00:20:23,370 --> 00:20:24,629 along with Lookout, that it was time to 577 00:20:24,630 --> 00:20:26,879 do some responsible disclosure 578 00:20:26,880 --> 00:20:29,069 towards Apple, which we 579 00:20:29,070 --> 00:20:31,439 did. What is, 580 00:20:31,440 --> 00:20:33,719 of course, interesting is that this was 581 00:20:33,720 --> 00:20:35,909 the first known, or the first 582 00:20:35,910 --> 00:20:38,339 publicly announced, remote iOS 583 00:20:38,340 --> 00:20:39,299 jailbreak. 584 00:20:39,300 --> 00:20:40,469 Pretty exciting. 585 00:20:40,470 --> 00:20:42,719 And these are things that in no way 586 00:20:42,720 --> 00:20:44,039 come cheap.
587 00:20:44,040 --> 00:20:46,199 Most recently, we learned that 588 00:20:46,200 --> 00:20:48,299 Zerodium is offering a one point five 589 00:20:48,300 --> 00:20:50,369 million dollar bounty for a 590 00:20:50,370 --> 00:20:52,589 similar piece of technology. 591 00:20:52,590 --> 00:20:54,899 But this has also caught the attention of 592 00:20:54,900 --> 00:20:57,089 the popular media, even Vanity 593 00:20:57,090 --> 00:20:59,879 Fair, which published an article asking 594 00:20:59,880 --> 00:21:01,949 who's stealing the secrets of Silicon 595 00:21:01,950 --> 00:21:03,599 Valley's crown jewel? 596 00:21:03,600 --> 00:21:05,909 So who did hack Silicon 597 00:21:05,910 --> 00:21:07,289 Valley's crown jewel? 598 00:21:07,290 --> 00:21:08,639 Right, right. So we've told you what 599 00:21:08,640 --> 00:21:10,229 we've got. We got the remote jailbreak. 600 00:21:10,230 --> 00:21:11,789 We got the interesting spyware, but who's 601 00:21:11,790 --> 00:21:12,790 behind it? 602 00:21:13,800 --> 00:21:16,169 So remember, we did this scan, 603 00:21:16,170 --> 00:21:17,309 we used zmap. 604 00:21:17,310 --> 00:21:19,079 We found these one hundred forty nine IP 605 00:21:19,080 --> 00:21:21,149 addresses that were related to that 606 00:21:21,150 --> 00:21:22,619 weird site, smser.net. 607 00:21:23,880 --> 00:21:25,079 So that didn't really help us in 608 00:21:25,080 --> 00:21:27,269 attribution. We got these IP 609 00:21:27,270 --> 00:21:28,829 addresses. We got these domain names. 610 00:21:28,830 --> 00:21:30,210 There were no clues, really.
611 00:21:31,760 --> 00:21:33,949 So the natural next 612 00:21:33,950 --> 00:21:36,079 step is we decided to go back 613 00:21:36,080 --> 00:21:38,149 in time, and of course, 614 00:21:38,150 --> 00:21:39,529 we didn't actually go back in time, we 615 00:21:39,530 --> 00:21:41,929 simply used historical Internet scanning 616 00:21:41,930 --> 00:21:43,999 data and we looked up those one hundred 617 00:21:44,000 --> 00:21:45,379 forty nine IPs. 618 00:21:45,380 --> 00:21:46,700 How did they behave in the past? 619 00:21:48,400 --> 00:21:50,469 We found out that 19 of 620 00:21:50,470 --> 00:21:52,599 these 149 IPs actually gave a different 621 00:21:52,600 --> 00:21:55,059 response in the past to a GET request 622 00:21:55,060 --> 00:21:57,369 on port 80, and it 623 00:21:57,370 --> 00:21:59,769 was this other weird, odd- 624 00:21:59,770 --> 00:22:01,689 looking Google redirect. 625 00:22:01,690 --> 00:22:03,129 You can see, you know, there's like the 626 00:22:03,130 --> 00:22:05,439 Unicode byte order mark at the beginning. 627 00:22:05,440 --> 00:22:06,759 You know, there's like some weird line 628 00:22:06,760 --> 00:22:09,039 breaks, and it looks 629 00:22:09,040 --> 00:22:10,509 pretty odd. And of course, you've got the 630 00:22:10,510 --> 00:22:13,209 blank title and blank body. 631 00:22:13,210 --> 00:22:14,379 So this was very interesting. 632 00:22:14,380 --> 00:22:17,109 And the next natural question was, 633 00:22:17,110 --> 00:22:18,110 OK, 634 00:22:19,570 --> 00:22:21,639 19 IP addresses return this; 635 00:22:21,640 --> 00:22:23,319 how many others, how many other ones 636 00:22:23,320 --> 00:22:24,819 returned the same response in that 637 00:22:24,820 --> 00:22:26,889 historical scanning data?
638 00:22:26,890 --> 00:22:29,139 So we found that it was returned by about 639 00:22:29,140 --> 00:22:31,959 85 or so other IP addresses, 640 00:22:31,960 --> 00:22:34,029 including IP 641 00:22:34,030 --> 00:22:36,129 addresses pointed to by three 642 00:22:36,130 --> 00:22:39,189 interesting domain names: 643 00:22:39,190 --> 00:22:41,889 nsoqa.com, qaintqa.com 644 00:22:41,890 --> 00:22:42,699 and 645 00:22:42,700 --> 00:22:44,349 mail1.nsogroup.com. 646 00:22:45,670 --> 00:22:47,799 And NSO Group, of course, is 647 00:22:47,800 --> 00:22:49,959 a spyware vendor based in 648 00:22:49,960 --> 00:22:51,549 Israel. This is a screenshot of their 649 00:22:51,550 --> 00:22:53,709 product brochure showing 650 00:22:53,710 --> 00:22:55,359 that they do indeed control the domain 651 00:22:55,360 --> 00:22:57,039 name nsogroup.com. 652 00:22:57,040 --> 00:22:58,869 And in fact, the first two domain names 653 00:22:58,870 --> 00:23:00,729 listed there are also registered to 654 00:23:00,730 --> 00:23:02,919 people with nsogroup.com 655 00:23:02,920 --> 00:23:04,060 email addresses. 656 00:23:06,320 --> 00:23:08,449 So NSO Group's brochure 657 00:23:08,450 --> 00:23:10,519 mentions that it's a leader in the 658 00:23:10,520 --> 00:23:12,649 field of cyber warfare. 659 00:23:12,650 --> 00:23:14,629 They have a solution called Pegasus, 660 00:23:14,630 --> 00:23:16,399 which allows full monitoring and 661 00:23:16,400 --> 00:23:18,529 exfiltration from phones, and it's 662 00:23:18,530 --> 00:23:20,659 exclusively for the use of government and 663 00:23:20,660 --> 00:23:22,310 law enforcement agencies. 664 00:23:25,250 --> 00:23:26,250 So. 665 00:23:26,820 --> 00:23:28,559 Although Mansoor was the first target we 666 00:23:28,560 --> 00:23:30,629 found, he wasn't the only one.
667 00:23:30,630 --> 00:23:33,029 This is Rafael Cabrera, a courageous 668 00:23:33,030 --> 00:23:35,309 Mexican journalist, and we 669 00:23:35,310 --> 00:23:36,959 got in touch with Cabrera after we 670 00:23:36,960 --> 00:23:38,429 learned that he'd been receiving 671 00:23:38,430 --> 00:23:41,039 suspicious text messages. 672 00:23:41,040 --> 00:23:43,559 So what were these messages? 673 00:23:43,560 --> 00:23:45,599 Well, they included things like a fake 674 00:23:45,600 --> 00:23:47,789 Facebook account link, a note about 675 00:23:47,790 --> 00:23:49,049 account overage charges, 676 00:23:51,030 --> 00:23:53,459 news alerts related to his work, and then, 677 00:23:53,460 --> 00:23:55,589 bizarrely, just crude sexual taunts 678 00:23:55,590 --> 00:23:57,539 followed by a link. Why anyone would click 679 00:23:57,540 --> 00:23:58,830 on that is beyond me. 680 00:24:00,790 --> 00:24:01,929 Why was he targeted? 681 00:24:01,930 --> 00:24:04,359 Well, it turned out that the links 682 00:24:04,360 --> 00:24:05,949 were either shortened links going 683 00:24:05,950 --> 00:24:07,209 directly to the infrastructure that we 684 00:24:07,210 --> 00:24:09,459 had found, or directly pointing at 685 00:24:09,460 --> 00:24:10,359 that infrastructure. 686 00:24:10,360 --> 00:24:12,489 Now, our guess is 687 00:24:12,490 --> 00:24:13,689 that this may have something to do with 688 00:24:13,690 --> 00:24:16,329 his work on the Casa Blanca scandal. 689 00:24:16,330 --> 00:24:19,029 So the Casa Blanca scandal, in brief, 690 00:24:19,030 --> 00:24:21,129 is the discovery that the now 691 00:24:21,130 --> 00:24:23,409 president of Mexico, formerly 692 00:24:23,410 --> 00:24:25,659 a provincial governor, received, during 693 00:24:25,660 --> 00:24:27,009 his provincial governorship,
694 00:24:27,010 --> 00:24:29,109 a house paid for 695 00:24:29,110 --> 00:24:31,209 by a company that got a concession 696 00:24:31,210 --> 00:24:33,309 to do an infrastructure project during 697 00:24:33,310 --> 00:24:35,529 his tenure as governor, widely 698 00:24:35,530 --> 00:24:37,839 believed to be an example of corruption. 699 00:24:40,240 --> 00:24:42,399 But this wasn't the only case either. In 700 00:24:42,400 --> 00:24:43,959 the course of our scanning, we found 701 00:24:43,960 --> 00:24:46,209 evidence of targeting across 702 00:24:46,210 --> 00:24:49,119 the globe, from Mexico and the UAE 703 00:24:49,120 --> 00:24:52,209 to Uzbekistan, Kenya, Mozambique, 704 00:24:52,210 --> 00:24:54,549 Qatar, Turkey, Morocco, 705 00:24:54,550 --> 00:24:56,469 Hungary and elsewhere. 706 00:24:57,490 --> 00:24:59,469 Now, of course, the question is, what's 707 00:24:59,470 --> 00:25:00,879 all this targeting? 708 00:25:00,880 --> 00:25:01,899 Right. 709 00:25:01,900 --> 00:25:03,999 Well, if you listen to the chief 710 00:25:04,000 --> 00:25:06,129 counsel of Hacking Team, 711 00:25:06,130 --> 00:25:08,229 a company that sells this kind of stuff, 712 00:25:08,230 --> 00:25:10,509 he would have you believe that this, 713 00:25:10,510 --> 00:25:12,609 and this is a quote, that this is designed 714 00:25:12,610 --> 00:25:15,609 to target "terrorists, pornographers 715 00:25:15,610 --> 00:25:17,859 and other criminals". 716 00:25:17,860 --> 00:25:20,140 We could refer to this as the fig leaf.
717 00:25:22,400 --> 00:25:24,829 In fact, our research turns 718 00:25:24,830 --> 00:25:27,259 up again and again 719 00:25:27,260 --> 00:25:29,779 evidence of this technology being used 720 00:25:29,780 --> 00:25:31,459 perhaps for some law enforcement 721 00:25:31,460 --> 00:25:34,009 purposes, but also pointed 722 00:25:34,010 --> 00:25:36,229 at the political opponents and 723 00:25:36,230 --> 00:25:38,569 critics of powerful 724 00:25:38,570 --> 00:25:41,209 regimes: journalists, activists 725 00:25:41,210 --> 00:25:42,739 and human rights defenders. 726 00:25:42,740 --> 00:25:43,729 So who are these people? 727 00:25:43,730 --> 00:25:45,769 Well, let's give you a thumbnail sketch. 728 00:25:45,770 --> 00:25:47,629 Hisham, a human rights defender from 729 00:25:47,630 --> 00:25:50,149 Morocco, one of the few free voices 730 00:25:50,150 --> 00:25:51,169 during the time that he ran an 731 00:25:51,170 --> 00:25:53,839 organization systematically prosecuted 732 00:25:53,840 --> 00:25:55,519 by the government. His organization, 733 00:25:55,520 --> 00:25:57,679 Mamfakinch, was targeted with 734 00:25:57,680 --> 00:26:00,169 commercial malware, work done by Bill, 735 00:26:00,170 --> 00:26:02,419 Morgan Marquis-Boire and others, 736 00:26:02,420 --> 00:26:04,609 including Claudio, who's here 737 00:26:04,610 --> 00:26:05,610 somewhere. 738 00:26:06,740 --> 00:26:09,019 We have an Ethiopian journalist 739 00:26:09,020 --> 00:26:10,699 based in the US. 740 00:26:10,700 --> 00:26:12,859 He and his news organization 741 00:26:12,860 --> 00:26:14,899 were targeted by, we believe, the 742 00:26:14,900 --> 00:26:16,969 Ethiopian government in the process of 743 00:26:16,970 --> 00:26:18,139 reporting on that country. 744 00:26:18,140 --> 00:26:20,689 So, clear evidence: 745 00:26:20,690 --> 00:26:23,149 this kind of spyware in no way reflects 746 00:26:23,150 --> 00:26:25,579 borders, and certainly doesn't respect them.
747 00:26:25,580 --> 00:26:28,249 Carlos Figueroa, an opposition politician 748 00:26:28,250 --> 00:26:30,439 in Ecuador, and of course, Ahmed 749 00:26:30,440 --> 00:26:31,440 Mansoor. 750 00:26:32,030 --> 00:26:34,219 What's interesting about each of these 751 00:26:34,220 --> 00:26:36,379 people is that they are, in our view, 752 00:26:36,380 --> 00:26:38,359 million dollar dissidents. 753 00:26:38,360 --> 00:26:40,549 The cost of these programs is, 754 00:26:40,550 --> 00:26:42,619 in effect, price-tagging the 755 00:26:42,620 --> 00:26:44,689 power of their speech in the 756 00:26:44,690 --> 00:26:46,999 eyes of the governments who are scared 757 00:26:47,000 --> 00:26:49,129 of them. So 758 00:26:49,130 --> 00:26:50,809 we have this thing that we bandy around 759 00:26:50,810 --> 00:26:52,249 in the lab, which is this idea of the 760 00:26:52,250 --> 00:26:54,289 principle of misuse. 761 00:26:54,290 --> 00:26:56,839 Basically, commercial surveillance 762 00:26:56,840 --> 00:26:58,939 technology, including intrusion 763 00:26:58,940 --> 00:27:01,219 tools and zero days, will 764 00:27:01,220 --> 00:27:03,319 be misused in proportion to the 765 00:27:03,320 --> 00:27:05,749 lack of accountability and oversight. 766 00:27:05,750 --> 00:27:08,329 This is in no way a new discovery. 767 00:27:08,330 --> 00:27:09,679 This is something that history has shown 768 00:27:09,680 --> 00:27:11,749 us time and time again 769 00:27:11,750 --> 00:27:13,499 with different regimes. 770 00:27:13,500 --> 00:27:15,559 Our view is that the current 771 00:27:15,560 --> 00:27:17,989 spyware market is just fully proving 772 00:27:17,990 --> 00:27:19,250 that history repeats itself.
773 00:27:20,700 --> 00:27:23,609 That said, there are some saliency 774 00:27:23,610 --> 00:27:25,829 issues. So as Claudio pointed 775 00:27:25,830 --> 00:27:28,799 out yesterday, surveillance technology 776 00:27:28,800 --> 00:27:30,869 that's sold by companies gets 777 00:27:30,870 --> 00:27:33,119 a lot of attention, and the specific 778 00:27:33,120 --> 00:27:35,129 companies who sell it get a lot of 779 00:27:35,130 --> 00:27:37,049 attention, whether or not they happen to 780 00:27:37,050 --> 00:27:38,249 be representative. 781 00:27:38,250 --> 00:27:40,829 This is especially true when 782 00:27:40,830 --> 00:27:43,079 zero-day exploits are involved. 783 00:27:43,080 --> 00:27:45,389 And it's also the case that this is 784 00:27:45,390 --> 00:27:47,759 only part of the threat to 785 00:27:47,760 --> 00:27:49,019 civil society. 786 00:27:49,020 --> 00:27:51,269 So here are some thumbnail bar charts. 787 00:27:51,270 --> 00:27:52,469 The point that I'm going to make with 788 00:27:52,470 --> 00:27:54,689 them is basically this: the 789 00:27:54,690 --> 00:27:56,999 lion's share of the malware 790 00:27:57,000 --> 00:27:59,459 attacks that we look at and that we see 791 00:27:59,460 --> 00:28:00,599 at the Citizen Lab, 792 00:28:00,600 --> 00:28:03,299 so there's a potential selection bias, 793 00:28:03,300 --> 00:28:04,300 there's some we don't see, 794 00:28:05,520 --> 00:28:07,709 emphasize high social 795 00:28:07,710 --> 00:28:10,379 engineering sophistication and 796 00:28:10,380 --> 00:28:12,569 minimum necessary technical 797 00:28:12,570 --> 00:28:13,709 sophistication. 798 00:28:13,710 --> 00:28:16,349 You don't need a really fancy 799 00:28:16,350 --> 00:28:18,809 lockpick if you can climb through 800 00:28:18,810 --> 00:28:20,909 an open window. Some numbers to 801 00:28:20,910 --> 00:28:21,839 back this up. 802 00:28:21,840 --> 00:28:23,339 Here's some rigorous work done by my 803 00:28:23,340 --> 00:28:23,789 colleagues
804 00:28:23,790 --> 00:28:26,549 and I, tracking thousands 805 00:28:26,550 --> 00:28:28,349 of attacks against civil society 806 00:28:28,350 --> 00:28:30,629 organizations working in Tibet, as 807 00:28:30,630 --> 00:28:31,589 one example. 808 00:28:31,590 --> 00:28:33,689 And what we see when we track which 809 00:28:33,690 --> 00:28:36,089 exploits are used is a proliferation 810 00:28:36,090 --> 00:28:38,519 of old days and very few 811 00:28:38,520 --> 00:28:39,659 zero days. 812 00:28:39,660 --> 00:28:41,759 This pattern is fairly 813 00:28:41,760 --> 00:28:42,760 common. 814 00:28:44,070 --> 00:28:46,109 But that's, of course, not the whole 815 00:28:46,110 --> 00:28:48,179 story, and by no means would I 816 00:28:48,180 --> 00:28:50,009 argue that you shouldn't pay attention to 817 00:28:50,010 --> 00:28:51,839 commercial surveillance. 818 00:28:51,840 --> 00:28:53,549 Right, right. As John says, you know, bad 819 00:28:53,550 --> 00:28:55,889 actors tend to focus on the easiest 820 00:28:55,890 --> 00:28:56,909 way to get in. 821 00:28:56,910 --> 00:28:58,739 However, sometimes the easiest way to get 822 00:28:58,740 --> 00:29:01,169 in is a zero-day exploit 823 00:29:01,170 --> 00:29:03,659 using these commercial surveillance tools, 824 00:29:03,660 --> 00:29:05,789 and commercial surveillance tools 825 00:29:05,790 --> 00:29:07,259 do receive a lot of attention. 826 00:29:07,260 --> 00:29:09,389 But I think it's important also to focus 827 00:29:09,390 --> 00:29:11,549 on this, because commercial 828 00:29:11,550 --> 00:29:13,709 surveillance is not just the 829 00:29:13,710 --> 00:29:16,109 surveillance tool. It's really exporting 830 00:29:16,110 --> 00:29:18,479 all of the expertise to 831 00:29:18,480 --> 00:29:20,069 run a well-resourced surveillance 832 00:29:20,070 --> 00:29:21,359 state.
833 00:29:21,360 --> 00:29:23,279 If you look at companies that operate in 834 00:29:23,280 --> 00:29:25,619 this space, like FinFisher, for example, 835 00:29:25,620 --> 00:29:27,809 they don't just sell you the spyware. 836 00:29:27,810 --> 00:29:29,309 They do sell you the spyware, of course, 837 00:29:29,310 --> 00:29:30,989 but they also sell you the support and 838 00:29:30,990 --> 00:29:32,639 they sell you the training. 839 00:29:32,640 --> 00:29:34,769 And what is this? This is essentially 840 00:29:34,770 --> 00:29:37,079 updates to get around new security 841 00:29:37,080 --> 00:29:38,849 measures and antivirus programs. 842 00:29:38,850 --> 00:29:40,859 And if you don't know how to hack or 843 00:29:40,860 --> 00:29:42,269 phish, they'll teach you how to do that, 844 00:29:42,270 --> 00:29:43,499 too. 845 00:29:43,500 --> 00:29:45,359 So these vendors are not just selling the 846 00:29:45,360 --> 00:29:47,609 tools. They're also 847 00:29:47,610 --> 00:29:49,199 facilitating the 848 00:29:49,200 --> 00:29:50,969 proliferation of the surveillance state. 849 00:29:53,950 --> 00:29:55,899 So one of the bigger picture problems 850 00:29:55,900 --> 00:29:57,429 that we've got as we're thinking about 851 00:29:57,430 --> 00:29:59,019 how to defend against this stuff is the 852 00:29:59,020 --> 00:30:00,309 following problem. 853 00:30:00,310 --> 00:30:02,979 You don't know who the next activists 854 00:30:02,980 --> 00:30:04,209 are going to be. They don't even know 855 00:30:04,210 --> 00:30:05,169 themselves. 856 00:30:05,170 --> 00:30:07,239 And so the question is, how, in 857 00:30:07,240 --> 00:30:09,129 an environment where everyone is mostly 858 00:30:09,130 --> 00:30:11,379 using commercial platforms 859 00:30:11,380 --> 00:30:13,419 and tools for their communication, even 860 00:30:13,420 --> 00:30:15,459 their most sensitive communication, how 861 00:30:15,460 --> 00:30:17,469 do you secure this world?
862 00:30:17,470 --> 00:30:19,539 Well, one potential strategy 863 00:30:19,540 --> 00:30:21,639 is to make us all, forgive the 864 00:30:21,640 --> 00:30:23,709 hyperbolic language, potential million 865 00:30:23,710 --> 00:30:26,169 dollar dissidents. Put differently, 866 00:30:26,170 --> 00:30:28,269 this means raising the cost 867 00:30:28,270 --> 00:30:30,969 to target an arbitrary person. 868 00:30:30,970 --> 00:30:31,869 So how do you do that? 869 00:30:31,870 --> 00:30:33,939 Well, there is the iPhone model, 870 00:30:33,940 --> 00:30:35,739 right, which is you create a walled 871 00:30:35,740 --> 00:30:37,839 garden and you make it very, very 872 00:30:37,840 --> 00:30:39,909 hard for users to do certain activities. 873 00:30:39,910 --> 00:30:42,039 So you trade some user freedoms in 874 00:30:42,040 --> 00:30:44,199 exchange for security. 875 00:30:44,200 --> 00:30:47,409 We see elements of this model throughout. 876 00:30:47,410 --> 00:30:49,329 For example, as Chris Soghoian correctly 877 00:30:49,330 --> 00:30:51,549 pointed out yesterday, Chrome, an extremely 878 00:30:51,550 --> 00:30:54,009 secure browser, trades user security 879 00:30:54,010 --> 00:30:55,209 for a degree of privacy. 880 00:30:56,650 --> 00:30:58,749 One of the challenges of 881 00:30:58,750 --> 00:31:01,089 this space is that companies have done 882 00:31:01,090 --> 00:31:03,219 a really efficient job at 883 00:31:03,220 --> 00:31:05,499 attracting people who are activists, 884 00:31:05,500 --> 00:31:07,119 at attracting people who are going to use 885 00:31:07,120 --> 00:31:08,859 these tools in ways that are politically 886 00:31:08,860 --> 00:31:11,319 sensitive, and many who face 887 00:31:11,320 --> 00:31:13,479 serious threats, or will one 888 00:31:13,480 --> 00:31:15,579 day, are using a Gmail inbox right 889 00:31:15,580 --> 00:31:17,319 now or something similar.
890 00:31:17,320 --> 00:31:19,629 These are not tools currently 891 00:31:19,630 --> 00:31:21,789 designed to handle high risk. 892 00:31:21,790 --> 00:31:23,589 They happen to be the most fluid tools 893 00:31:23,590 --> 00:31:25,599 for most user experiences. 894 00:31:25,600 --> 00:31:27,969 But even in these environments, 895 00:31:27,970 --> 00:31:30,129 one of the challenges is that the kinds 896 00:31:30,130 --> 00:31:32,379 of security options that would protect 897 00:31:32,380 --> 00:31:34,749 these groups are not default- 898 00:31:34,750 --> 00:31:36,759 enabled, say, during the account creation 899 00:31:36,760 --> 00:31:38,979 process. A really good example of this 900 00:31:38,980 --> 00:31:40,809 would be two-factor authentication. 901 00:31:40,810 --> 00:31:43,239 Another is browser sandboxing, 902 00:31:43,240 --> 00:31:45,369 complete sandboxing as a norm 903 00:31:45,370 --> 00:31:48,099 across the industry. 904 00:31:48,100 --> 00:31:50,049 So that's a little bit of what we think 905 00:31:50,050 --> 00:31:51,529 industry players can do. 906 00:31:51,530 --> 00:31:53,169 But what can you folks do in the 907 00:31:53,170 --> 00:31:54,170 audience? 908 00:31:55,120 --> 00:31:56,889 So thanks, John, you raised some very 909 00:31:56,890 --> 00:31:58,959 good points about ways to 910 00:31:58,960 --> 00:32:01,059 raise the cost across the board of 911 00:32:01,060 --> 00:32:02,799 these sorts of attacks, and that's an 912 00:32:02,800 --> 00:32:05,229 important big picture consideration. 913 00:32:05,230 --> 00:32:07,299 So another thing, and one 914 00:32:07,300 --> 00:32:09,399 of the areas where specifically we 915 00:32:09,400 --> 00:32:11,679 work at the Citizen Lab, is looking 916 00:32:11,680 --> 00:32:13,719 also not just at the forest, but at 917 00:32:13,720 --> 00:32:15,369 the individual trees themselves. 918 00:32:15,370 --> 00:32:16,929 And pardon the expression, they're not 919 00:32:16,930 --> 00:32:18,279 trees.
They're actual real 920 00:32:18,280 --> 00:32:19,779 people who are being targeted 921 00:32:19,780 --> 00:32:20,780 with the spyware. 922 00:32:21,790 --> 00:32:24,159 And the questions we try and answer 923 00:32:24,160 --> 00:32:26,289 are: who are these high-risk 924 00:32:26,290 --> 00:32:28,299 users, and how are they actually being 925 00:32:28,300 --> 00:32:30,039 targeted in the real world? 926 00:32:30,040 --> 00:32:32,109 So, as we mentioned earlier, 927 00:32:32,110 --> 00:32:33,879 we build these deep relationships and 928 00:32:33,880 --> 00:32:35,949 engage with activists and civil 929 00:32:35,950 --> 00:32:38,169 society groups, and 930 00:32:38,170 --> 00:32:40,239 we encourage them to forward 931 00:32:40,240 --> 00:32:42,129 anything suspicious that they have and 932 00:32:42,130 --> 00:32:43,239 send it to us. 933 00:32:43,240 --> 00:32:44,619 So the starting point for all these 934 00:32:44,620 --> 00:32:46,389 investigations, as you saw at the 935 00:32:46,390 --> 00:32:48,639 beginning of our talk, is some 936 00:32:48,640 --> 00:32:50,829 sort of suspicious or suspected 937 00:32:50,830 --> 00:32:52,989 malicious digital artifact, being 938 00:32:52,990 --> 00:32:55,089 an email, a message, 939 00:32:55,090 --> 00:32:56,470 a link, a file. 940 00:32:57,490 --> 00:32:59,589 And then we aim to answer the questions. 941 00:32:59,590 --> 00:33:01,749 Of course, is it an attack? 942 00:33:01,750 --> 00:33:03,249 How is the attack happening? 943 00:33:03,250 --> 00:33:04,809 Who's conducting the attack? 944 00:33:04,810 --> 00:33:07,299 Who is the attacker, and what else 945 00:33:07,300 --> 00:33:08,349 is the attacker doing? 946 00:33:08,350 --> 00:33:09,939 Can we trace and look at their other 947 00:33:09,940 --> 00:33:10,940 activities? 948 00:33:11,860 --> 00:33:14,559 So, of course, you know, 949 00:33:14,560 --> 00:33:16,209 we do this at the Citizen Lab.
950 00:33:16,210 --> 00:33:19,389 We've presented some cases from the UAE. 951 00:33:19,390 --> 00:33:20,769 And, you know, my colleague John has done 952 00:33:20,770 --> 00:33:21,789 a lot of great work on this. 953 00:33:21,790 --> 00:33:24,009 But if we look at 954 00:33:24,010 --> 00:33:26,919 our John here on the map, so 955 00:33:26,920 --> 00:33:29,019 John is but one person, 956 00:33:29,020 --> 00:33:31,509 and he's a very, very smart, 957 00:33:31,510 --> 00:33:32,679 very, very talented, very, very 958 00:33:32,680 --> 00:33:34,249 hardworking person. 959 00:33:34,250 --> 00:33:35,469 Bill did this when I was sleeping last 960 00:33:35,470 --> 00:33:36,470 night. 961 00:33:37,330 --> 00:33:39,369 But despite John's best efforts, there's 962 00:33:39,370 --> 00:33:41,589 no way we can get, you know, John 963 00:33:41,590 --> 00:33:42,859 to cover the entire world. 964 00:33:42,860 --> 00:33:45,429 John doesn't have enough hours in the day 965 00:33:45,430 --> 00:33:47,379 to interface with all of the potentially 966 00:33:47,380 --> 00:33:49,449 targeted groups and do this work 967 00:33:49,450 --> 00:33:50,979 across the world.
968 00:33:50,980 --> 00:33:53,049 So really, you know, 969 00:33:54,940 --> 00:33:57,009 so really the issue is that we need 970 00:33:57,010 --> 00:33:59,289 more people working in this field, 971 00:33:59,290 --> 00:34:01,479 more people, you know, doing 972 00:34:01,480 --> 00:34:02,859 either the Citizen Lab model that I 973 00:34:02,860 --> 00:34:04,929 described or working with organizations 974 00:34:04,930 --> 00:34:06,789 like Claudio's Security Without 975 00:34:06,790 --> 00:34:09,039 Borders or similar efforts, to try 976 00:34:09,040 --> 00:34:11,259 and not just work on raising 977 00:34:11,260 --> 00:34:13,359 the cost across the board, but also 978 00:34:13,360 --> 00:34:15,669 focus on these individual cases, which 979 00:34:15,670 --> 00:34:17,859 illuminate the big picture 980 00:34:17,860 --> 00:34:18,860 as a whole. 981 00:34:19,719 --> 00:34:21,849 So we'd like to conclude 982 00:34:21,850 --> 00:34:24,069 by just offering a few thoughts from 983 00:34:24,070 --> 00:34:26,379 Mansoor himself, being 984 00:34:26,380 --> 00:34:27,519 the main subject of our talk. 985 00:34:27,520 --> 00:34:29,379 We asked him if there was anything that 986 00:34:29,380 --> 00:34:31,149 he'd like to give to the tech 987 00:34:31,150 --> 00:34:32,769 community or to the world. 988 00:34:32,770 --> 00:34:34,869 And the message that he wants to 989 00:34:34,870 --> 00:34:36,968 convey is that defending 990 00:34:36,969 --> 00:34:39,069 human rights, in his view, is becoming 991 00:34:39,070 --> 00:34:41,738 more and more difficult. 992 00:34:41,739 --> 00:34:43,988 So the work that he does tries to 993 00:34:43,989 --> 00:34:46,269 communicate with victims and connect 994 00:34:46,270 --> 00:34:48,279 victims with the international media to 995 00:34:48,280 --> 00:34:50,229 raise their cases and raise awareness of 996 00:34:50,230 --> 00:34:51,759 human rights violations.
997 00:34:51,760 --> 00:34:52,988 And that's becoming increasingly 998 00:34:52,989 --> 00:34:55,359 dangerous, because governments, 999 00:34:55,360 --> 00:34:57,519 like his government in the UAE, are 1000 00:34:57,520 --> 00:34:59,739 increasingly retaliating in ever 1001 00:34:59,740 --> 00:35:01,119 more brutal ways. 1002 00:35:01,120 --> 00:35:02,859 For instance, Mansoor himself has been 1003 00:35:02,860 --> 00:35:05,159 subject to beatings and arrests, 1004 00:35:05,160 --> 00:35:06,999 you know, his car was confiscated, his 1005 00:35:07,000 --> 00:35:08,559 passport was confiscated. 1006 00:35:08,560 --> 00:35:10,629 Someone, suspected to be the 1007 00:35:10,630 --> 00:35:12,699 government, stole about a hundred 1008 00:35:12,700 --> 00:35:14,649 thousand dollars from his account, his 1009 00:35:14,650 --> 00:35:15,819 bank account. 1010 00:35:15,820 --> 00:35:17,919 So these retaliations can in some 1011 00:35:17,920 --> 00:35:19,389 cases be very brutal. 1012 00:35:20,510 --> 00:35:22,959 And once the technology reaches 1013 00:35:22,960 --> 00:35:24,819 these governments, like the UAE, he's 1014 00:35:24,820 --> 00:35:27,009 certain that it will be abused and used 1015 00:35:27,010 --> 00:35:29,139 to target, you know, 1016 00:35:29,140 --> 00:35:31,299 dissidents, activists and other people 1017 00:35:31,300 --> 00:35:32,769 who are just exercising legitimate 1018 00:35:32,770 --> 00:35:34,119 freedom of expression rights. 1019 00:35:34,120 --> 00:35:36,489 So he implores the international 1020 00:35:36,490 --> 00:35:38,589 community and technologists to try and 1021 00:35:38,590 --> 00:35:40,419 do whatever they can to make sure that 1022 00:35:40,420 --> 00:35:42,249 these sorts of dangerous technologies, 1023 00:35:42,250 --> 00:35:44,229 like Hacking Team, like NSO, like 1024 00:35:44,230 --> 00:35:46,329 FinFisher, do not make it into the hands 1025 00:35:46,330 --> 00:35:48,280 of repressive regimes in the first place.
1026 00:35:53,150 --> 00:35:55,399 So with that, we'd like to close on 1027 00:35:55,400 --> 00:35:57,049 some quick acknowledgments to some 1028 00:35:57,050 --> 00:35:59,239 amazing colleagues, but first thanking 1029 00:35:59,240 --> 00:36:00,949 the organizers of this event for having 1030 00:36:00,950 --> 00:36:02,449 us. We really appreciate that. 1031 00:36:02,450 --> 00:36:04,310 And running the event so excellently. 1032 00:36:05,750 --> 00:36:08,029 None of our work works very well without 1033 00:36:08,030 --> 00:36:09,919 the close collaboration of a bunch of 1034 00:36:09,920 --> 00:36:12,169 amazing colleagues, Ron Deibert, Sarah 1035 00:36:12,170 --> 00:36:14,249 McCune, Claudio Guarnieri, Adam 1036 00:36:14,250 --> 00:36:16,429 served our Imperato, Musashino, 1037 00:36:16,430 --> 00:36:18,679 Shehada, Morgan Marquis- 1038 00:36:18,680 --> 00:36:20,659 Boire, who did some of the amazing work 1039 00:36:20,660 --> 00:36:22,759 on tracking malware from 1040 00:36:22,760 --> 00:36:23,929 governments. 1041 00:36:23,930 --> 00:36:26,149 The team at Lookout, especially 1042 00:36:26,150 --> 00:36:28,309 Max Apple Inc, 1043 00:36:28,310 --> 00:36:30,169 who worked with us very carefully to do 1044 00:36:30,170 --> 00:36:31,639 the disclosure process 1045 00:36:32,840 --> 00:36:34,279 and a lot of other researchers, including 1046 00:36:34,280 --> 00:36:36,289 Seth Hardy, who have been tremendously 1047 00:36:36,290 --> 00:36:38,509 helpful to us as we've done this 1048 00:36:38,510 --> 00:36:40,639 work and finally closing 1049 00:36:40,640 --> 00:36:41,899 on thanking PassiveTotal. 1050 00:36:43,610 --> 00:36:45,649 So with that, I'd like to open it up for 1051 00:36:45,650 --> 00:36:47,089 questions from the audience. 1052 00:36:47,090 --> 00:36:49,279 If folks have burning things you'd 1053 00:36:49,280 --> 00:36:50,209 like to ask us. 1054 00:36:50,210 --> 00:36:51,649 We would love to answer.
1055 00:36:51,650 --> 00:36:53,779 I see already a question at number four, 1056 00:36:53,780 --> 00:36:56,239 so jump right in. 1057 00:36:56,240 --> 00:36:57,440 Fortune favors the brave. 1058 00:36:58,580 --> 00:37:00,709 So there have been attempts to 1059 00:37:00,710 --> 00:37:02,959 restrict the distribution 1060 00:37:02,960 --> 00:37:04,849 of these kind of tools through the 1061 00:37:04,850 --> 00:37:06,499 Wassenaar Arrangement. 1062 00:37:06,500 --> 00:37:08,179 Do you feel that that is the best way to 1063 00:37:08,180 --> 00:37:09,499 do this? 1064 00:37:09,500 --> 00:37:12,439 Well, I think what we can say 1065 00:37:12,440 --> 00:37:14,989 is that our work on 1066 00:37:14,990 --> 00:37:17,059 NSO shows 1067 00:37:17,060 --> 00:37:19,129 that the current arrangement 1068 00:37:19,130 --> 00:37:21,619 is wholly under-resourced 1069 00:37:21,620 --> 00:37:23,749 for stopping the proliferation of these 1070 00:37:23,750 --> 00:37:24,750 tools. 1071 00:37:25,640 --> 00:37:27,559 And I think I'll leave it at that. 1072 00:37:27,560 --> 00:37:29,659 Yeah, I think it's also interesting to 1073 00:37:29,660 --> 00:37:31,129 kind of look at how the efforts have been 1074 00:37:31,130 --> 00:37:33,439 focused so far, you know, 1075 00:37:33,440 --> 00:37:35,509 specifically on intrusion tools 1076 00:37:35,510 --> 00:37:37,309 and zero day exploits. 1077 00:37:37,310 --> 00:37:39,199 But also, you know, looking at what the 1078 00:37:39,200 --> 00:37:41,329 key salient characteristic of these 1079 00:37:41,330 --> 00:37:43,309 organizations like FinFisher, NSO and 1080 00:37:43,310 --> 00:37:44,839 Hacking Team are. 1081 00:37:44,840 --> 00:37:46,489 And in my view, the key 1082 00:37:46,490 --> 00:37:48,409 characteristic is that they don't just 1083 00:37:48,410 --> 00:37:50,119 give you the tools because, you know, 1084 00:37:50,120 --> 00:37:51,949 anybody can give you the tools.
1085 00:37:51,950 --> 00:37:54,199 What they do is they hold your hand while 1086 00:37:54,200 --> 00:37:56,029 you use them. They give you support, they 1087 00:37:56,030 --> 00:37:57,169 give you training. 1088 00:37:57,170 --> 00:37:59,359 It's this complete package that really, 1089 00:37:59,360 --> 00:38:01,309 you know, can bootstrap a government 1090 00:38:01,310 --> 00:38:03,679 from no knowledge to 1091 00:38:03,680 --> 00:38:05,479 getting information from activists' 1092 00:38:05,480 --> 00:38:07,109 phones and computers quickly. 1093 00:38:07,110 --> 00:38:09,259 Yeah. And I think I'll also just observe, 1094 00:38:09,260 --> 00:38:11,299 as somebody recently pointed out to me, 1095 00:38:11,300 --> 00:38:13,579 some form of additional 1096 00:38:13,580 --> 00:38:15,769 regulation is probably in the pipeline. 1097 00:38:15,770 --> 00:38:17,869 And we probably want to make sure as a 1098 00:38:17,870 --> 00:38:19,549 community that we are as engaged as 1099 00:38:19,550 --> 00:38:21,289 possible in ensuring that that 1100 00:38:21,290 --> 00:38:23,329 regulation works and works for us 1101 00:38:24,650 --> 00:38:26,479 and is balanced. 1102 00:38:26,480 --> 00:38:27,480 Question at two. 1103 00:38:28,380 --> 00:38:30,479 Have you been profiling 1104 00:38:30,480 --> 00:38:32,609 what devices, what platforms are 1105 00:38:32,610 --> 00:38:34,829 being targeted, and do you have any 1106 00:38:34,830 --> 00:38:37,019 idea if, as a government, 1107 00:38:37,020 --> 00:38:38,459 you want to pay, 1108 00:38:38,460 --> 00:38:40,229 I don't know, a huge amount of money, 1109 00:38:40,230 --> 00:38:42,059 you have to know which platform to 1110 00:38:42,060 --> 00:38:44,159 target. So how is it being done? 1111 00:38:44,160 --> 00:38:46,779 How do you target your people? 1112 00:38:46,780 --> 00:38:49,199 Well, great question. 1113 00:38:49,200 --> 00:38:51,299 It really depends on the case.
1114 00:38:51,300 --> 00:38:53,399 I think in a lot of sophisticated 1115 00:38:53,400 --> 00:38:55,559 attacks, we see elements of profiling 1116 00:38:55,560 --> 00:38:56,699 before targeting. 1117 00:38:56,700 --> 00:38:58,259 In other cases, and Bill can speak to 1118 00:38:58,260 --> 00:39:00,419 this, the exploit services that we 1119 00:39:00,420 --> 00:39:02,969 look at actually select 1120 00:39:02,970 --> 00:39:05,709 fire based on what device you touch. 1121 00:39:05,710 --> 00:39:07,859 Yeah. So companies like NSO or 1122 00:39:07,860 --> 00:39:09,749 like Hacking Team, and probably FinFisher, 1123 00:39:09,750 --> 00:39:12,419 offer exploit services. 1124 00:39:12,420 --> 00:39:14,069 So, you know, the government that's 1125 00:39:14,070 --> 00:39:15,509 targeting you can create some sort of 1126 00:39:15,510 --> 00:39:17,789 link and the link dynamically 1127 00:39:17,790 --> 00:39:19,649 sees what platform you're on, perhaps 1128 00:39:19,650 --> 00:39:21,809 based on, you know, the User-Agent header 1129 00:39:21,810 --> 00:39:24,509 or other headers in your request 1130 00:39:24,510 --> 00:39:26,519 and then delivers the appropriate spyware 1131 00:39:26,520 --> 00:39:29,159 payload for whatever your device is. 1132 00:39:29,160 --> 00:39:31,949 But, you know, I think from when 1133 00:39:31,950 --> 00:39:33,419 a government is thinking about this, when 1134 00:39:33,420 --> 00:39:35,159 an attacker is thinking, hey, what 1135 00:39:35,160 --> 00:39:36,599 platforms do I want? 1136 00:39:36,600 --> 00:39:38,309 You know, they can perhaps leverage some 1137 00:39:38,310 --> 00:39:39,809 intelligence from their country, you 1138 00:39:39,810 --> 00:39:41,609 know, seeing which are the most common 1139 00:39:41,610 --> 00:39:43,529 platforms in their country.
1140 00:39:43,530 --> 00:39:45,359 But perhaps maybe the smarter attackers 1141 00:39:45,360 --> 00:39:47,129 would think and say, oh, maybe it's not 1142 00:39:47,130 --> 00:39:48,959 really about the platform, it's about the 1143 00:39:48,960 --> 00:39:50,849 information. Where is the information and 1144 00:39:50,850 --> 00:39:52,469 what are the other ways I can get at the 1145 00:39:52,470 --> 00:39:54,569 information? Maybe you want 1146 00:39:54,570 --> 00:39:56,099 to access someone's email account and the 1147 00:39:56,100 --> 00:39:57,989 easiest way to do that would be 1148 00:39:57,990 --> 00:39:59,729 phishing rather than, you know, targeting 1149 00:39:59,730 --> 00:40:01,679 a specific platform. Or maybe there's, you 1150 00:40:01,680 --> 00:40:03,359 know, files on someone's device that you 1151 00:40:03,360 --> 00:40:04,859 want. And in that case, you've got to hit 1152 00:40:04,860 --> 00:40:05,569 that device. 1153 00:40:05,570 --> 00:40:07,829 Yeah. The flip side, of course, is 1154 00:40:07,830 --> 00:40:09,239 cyber militia groups. 1155 00:40:09,240 --> 00:40:10,859 So the "my cousin knows computers" 1156 00:40:10,860 --> 00:40:12,359 approach. They're doing malware, lots of 1157 00:40:12,360 --> 00:40:13,499 commercial RATs. 1158 00:40:13,500 --> 00:40:15,209 Those groups will often target what they 1159 00:40:15,210 --> 00:40:17,069 see as most popular in the communities 1160 00:40:17,070 --> 00:40:18,509 that they're targeting. 1161 00:40:18,510 --> 00:40:20,819 Question over, I think, at four. 1162 00:40:20,820 --> 00:40:23,549 I would like to ask you two questions. 1163 00:40:23,550 --> 00:40:26,099 One is, is there any metric to know, 1164 00:40:26,100 --> 00:40:27,359 of all of these tools,
1165 00:40:27,360 --> 00:40:29,579 how many of them were used for 1166 00:40:29,580 --> 00:40:30,580 actual 1167 00:40:31,860 --> 00:40:33,929 criminal activities 1168 00:40:33,930 --> 00:40:36,089 as opposed to just, 1169 00:40:36,090 --> 00:40:37,269 like, dissidents? 1170 00:40:37,270 --> 00:40:39,569 And the second question is, is 1171 00:40:39,570 --> 00:40:42,389 it that maybe without this technology, 1172 00:40:42,390 --> 00:40:44,549 the tools that these governments would 1173 00:40:44,550 --> 00:40:46,949 use would be more dangerous 1174 00:40:46,950 --> 00:40:49,619 to these activists, like could they 1175 00:40:49,620 --> 00:40:52,229 operate spies or just, like, lock them up? 1176 00:40:52,230 --> 00:40:54,479 Maybe it's a bad thing 1177 00:40:54,480 --> 00:40:56,909 overall, but maybe it's better than the 1178 00:40:56,910 --> 00:40:58,069 alternative. 1179 00:40:58,070 --> 00:40:59,629 So these are really interesting questions. 1180 00:40:59,630 --> 00:41:00,839 Do you want to go first and then 1181 00:41:00,840 --> 00:41:01,559 I'll say something? 1182 00:41:01,560 --> 00:41:02,549 Yeah, sure. 1183 00:41:02,550 --> 00:41:03,629 So. 1184 00:41:03,630 --> 00:41:05,489 Yeah. So with respect to your second 1185 00:41:05,490 --> 00:41:07,559 question, I think it's definitely 1186 00:41:07,560 --> 00:41:08,729 an interesting point. 1187 00:41:08,730 --> 00:41:10,499 Like if this technology wasn't available, 1188 00:41:10,500 --> 00:41:12,450 maybe they'd be more brutal. 1189 00:41:13,590 --> 00:41:15,749 I think, you know, it speaks 1190 00:41:15,750 --> 00:41:16,829 to, like, I think a fundamental 1191 00:41:16,830 --> 00:41:18,599 philosophical argument. 1192 00:41:18,600 --> 00:41:20,759 Right.
Do you kind of look at 1193 00:41:20,760 --> 00:41:22,379 at what's going on and see something bad 1194 00:41:22,380 --> 00:41:23,909 happening and try and stop that, you 1195 00:41:23,910 --> 00:41:25,679 know, see what you can do to try and make 1196 00:41:25,680 --> 00:41:27,419 things better? Or do you kind of like 1197 00:41:27,420 --> 00:41:29,309 think several steps down the line? 1198 00:41:29,310 --> 00:41:31,289 And if I do this, maybe they'll do that? 1199 00:41:32,460 --> 00:41:34,199 You know, I think at least from my point 1200 00:41:34,200 --> 00:41:36,089 of view, I think, you know, what we want 1201 00:41:36,090 --> 00:41:38,579 to be doing is identifying harms 1202 00:41:38,580 --> 00:41:39,839 and wrongs that are happening and then 1203 00:41:39,840 --> 00:41:41,759 trying to go after those directly. 1204 00:41:41,760 --> 00:41:43,559 And then if, you know, the government 1205 00:41:43,560 --> 00:41:46,469 starts torturing people in response, 1206 00:41:46,470 --> 00:41:47,969 you know, that's an additional thing that 1207 00:41:47,970 --> 00:41:50,489 we advocate on and try and try and stop. 1208 00:41:50,490 --> 00:41:51,419 I don't know. Do you have any thoughts on 1209 00:41:51,420 --> 00:41:51,859 that, John? 1210 00:41:51,860 --> 00:41:52,139 Yeah. 1211 00:41:52,140 --> 00:41:53,789 I think, you know, the elegant way to 1212 00:41:53,790 --> 00:41:55,260 look at this is that 1213 00:41:57,000 --> 00:41:59,159 states are very attracted to intrusion 1214 00:41:59,160 --> 00:42:00,749 software and nothing you're going to do 1215 00:42:00,750 --> 00:42:02,129 is going to change that because more one 1216 00:42:02,130 --> 00:42:04,109 more communications are encrypted and 1217 00:42:04,110 --> 00:42:05,639 many of their targets are not within 1218 00:42:05,640 --> 00:42:06,629 their borders. 
1219 00:42:06,630 --> 00:42:08,879 And so I think the model should be 1220 00:42:08,880 --> 00:42:11,189 raise the cost to 1221 00:42:11,190 --> 00:42:12,899 engage in those practices. 1222 00:42:12,900 --> 00:42:14,729 You can't stop it and you probably can't 1223 00:42:14,730 --> 00:42:16,289 legislate it out of existence. 1224 00:42:16,290 --> 00:42:18,089 But the more the cost is raised through 1225 00:42:18,090 --> 00:42:19,889 all these different means, whether it's 1226 00:42:19,890 --> 00:42:21,539 more secure devices, whether it's better 1227 00:42:21,540 --> 00:42:23,069 norms in the community, so people are 1228 00:42:23,070 --> 00:42:25,019 less attracted to the bright, shiny 1229 00:42:25,020 --> 00:42:27,419 things of selling bugs to these brokers, 1230 00:42:28,860 --> 00:42:30,839 or whether it's working at behavior, you 1231 00:42:30,840 --> 00:42:31,919 want to increase cost. 1232 00:42:31,920 --> 00:42:34,589 Question one. The majority of attacks, 1233 00:42:34,590 --> 00:42:36,879 as you know, don't use fancy 1234 00:42:36,880 --> 00:42:37,909 exploit chains. 1235 00:42:37,910 --> 00:42:40,619 They'll use shitty off the shelf RATs. 1236 00:42:40,620 --> 00:42:42,839 How do you hope to get the community and 1237 00:42:42,840 --> 00:42:44,999 journalists to actually care 1238 00:42:45,000 --> 00:42:47,639 about that? Because as a journalist, 1239 00:42:47,640 --> 00:42:48,869 we're not going to write about another 1240 00:42:48,870 --> 00:42:51,089 activist getting targeted by a shitty 1241 00:42:51,090 --> 00:42:52,979 piece of malware, to be perfectly blunt, 1242 00:42:52,980 --> 00:42:54,539 as John knows. 1243 00:42:54,540 --> 00:42:56,099 Yeah, well, I think I mean, we had this 1244 00:42:56,100 --> 00:42:58,169 conversation before, 1245 00:42:58,170 --> 00:42:59,369 I think.
1246 00:43:00,930 --> 00:43:02,489 The question goes back to what the 1247 00:43:02,490 --> 00:43:04,799 objective is for us, 1248 00:43:04,800 --> 00:43:06,839 the stories that are the most important 1249 00:43:06,840 --> 00:43:09,449 are often the human stories of harm 1250 00:43:09,450 --> 00:43:11,519 and journalists, if they take the 1251 00:43:11,520 --> 00:43:13,259 time and their editors typically will 1252 00:43:13,260 --> 00:43:14,969 have a nose for those. 1253 00:43:14,970 --> 00:43:17,399 And so, in our view, the most important 1254 00:43:17,400 --> 00:43:19,469 part of doing this 1255 00:43:19,470 --> 00:43:21,599 work is finding ways to yield 1256 00:43:21,600 --> 00:43:24,059 up real cases. 1257 00:43:24,060 --> 00:43:26,549 That said, I can say candidly, 1258 00:43:26,550 --> 00:43:29,099 we've noticed that editors sometimes 1259 00:43:29,100 --> 00:43:30,539 sort of, without saying it in so many 1260 00:43:30,540 --> 00:43:32,699 words, are tired of yet another story 1261 00:43:32,700 --> 00:43:34,289 of activists being targeted in the Middle 1262 00:43:34,290 --> 00:43:35,459 East. 1263 00:43:35,460 --> 00:43:37,289 This is a problem we struggle with. 1264 00:43:37,290 --> 00:43:39,659 I think one way 1265 00:43:39,660 --> 00:43:41,969 forward is a little bit sideways, 1266 00:43:41,970 --> 00:43:44,489 which is finding cases 1267 00:43:44,490 --> 00:43:46,589 where hacking and intrusion is 1268 00:43:46,590 --> 00:43:49,289 used in cases closer to home. 1269 00:43:49,290 --> 00:43:51,419 That doesn't just mean the Democratic 1270 00:43:51,420 --> 00:43:53,069 Party or politicians. 1271 00:43:53,070 --> 00:43:54,809 It could mean women who are victims of 1272 00:43:54,810 --> 00:43:55,810 violence. 1273 00:43:56,430 --> 00:43:58,679 It could be people who are being 1274 00:43:58,680 --> 00:43:59,999 targeted or stalked. 
1275 00:44:00,000 --> 00:44:02,279 And I think more of those stories 1276 00:44:02,280 --> 00:44:03,449 and more of those human stories will 1277 00:44:03,450 --> 00:44:05,369 help. But it's an ongoing it's an ongoing 1278 00:44:05,370 --> 00:44:06,719 battle. It's why we're so pleased to be 1279 00:44:06,720 --> 00:44:08,489 able to have an odor to talk about, to 1280 00:44:08,490 --> 00:44:10,199 trot out these points. 1281 00:44:10,200 --> 00:44:12,269 But I think journalists also have 1282 00:44:12,270 --> 00:44:13,469 a tremendous role to play. 1283 00:44:13,470 --> 00:44:15,749 So just one thing to flag middlemen 1284 00:44:15,750 --> 00:44:17,279 in the industry. 1285 00:44:17,280 --> 00:44:18,959 The relationship between a lot of these 1286 00:44:18,960 --> 00:44:21,239 companies and countries is often not 1287 00:44:21,240 --> 00:44:23,489 direct. In between, there's a middleman, 1288 00:44:23,490 --> 00:44:25,139 an organization that provides them with a 1289 00:44:25,140 --> 00:44:27,149 fig leaf of cover, which allows the 1290 00:44:27,150 --> 00:44:29,789 company to say, we are not operational. 1291 00:44:29,790 --> 00:44:31,349 We don't determine how our product is 1292 00:44:31,350 --> 00:44:33,449 used, trying to absolve themselves of a 1293 00:44:33,450 --> 00:44:34,949 lot of the liability. 1294 00:44:34,950 --> 00:44:37,049 This often allows them to do things like 1295 00:44:37,050 --> 00:44:39,239 skirt regulations or to try to get 1296 00:44:39,240 --> 00:44:41,579 around export control agreements. 1297 00:44:41,580 --> 00:44:43,679 As researchers at the citizen lab, we can 1298 00:44:43,680 --> 00:44:45,269 track the command and control and we can 1299 00:44:45,270 --> 00:44:47,369 link it to companies, we can track the 1300 00:44:47,370 --> 00:44:49,289 malware and we can link it to victims. 1301 00:44:49,290 --> 00:44:51,509 But we don't have a good technical means 1302 00:44:51,510 --> 00:44:52,619 to study middlemen. 
1303 00:44:52,620 --> 00:44:54,029 So I think that's a very fruitful area 1304 00:44:54,030 --> 00:44:55,529 for journalists and other investigators 1305 00:44:55,530 --> 00:44:56,189 to dig in. 1306 00:44:56,190 --> 00:44:58,469 I think also another 1307 00:44:58,470 --> 00:45:00,029 final important point just to wrap up 1308 00:45:00,030 --> 00:45:02,399 really quick is, you know, the cases 1309 00:45:02,400 --> 00:45:04,109 that have received the most coverage, I 1310 00:45:04,110 --> 00:45:05,849 think, at least in my experience from the 1311 00:45:05,850 --> 00:45:07,979 press, are cases where, you know, 1312 00:45:07,980 --> 00:45:10,289 you can actually kind of show a 1313 00:45:10,290 --> 00:45:12,689 documented harm because of 1314 00:45:12,690 --> 00:45:14,609 some case, because of some targeting. 1315 00:45:14,610 --> 00:45:16,319 There, you know, some information was gained, 1316 00:45:16,320 --> 00:45:17,399 someone was arrested. And there's a 1317 00:45:17,400 --> 00:45:18,929 documented harm. 1318 00:45:18,930 --> 00:45:20,039 Certainly, as you point out, from a 1319 00:45:20,040 --> 00:45:22,199 technical journalist perspective, 1320 00:45:22,200 --> 00:45:23,279 the stories that are going to be most 1321 00:45:23,280 --> 00:45:25,469 interesting are the sexy zero days. 1322 00:45:25,470 --> 00:45:27,479 But from a traditional journalistic 1323 00:45:27,480 --> 00:45:29,249 perspective, I think, you know, these 1324 00:45:29,250 --> 00:45:30,809 stories where you can establish the 1325 00:45:30,810 --> 00:45:32,819 causal link and say, hey, this 1326 00:45:32,820 --> 00:45:34,889 person was targeted with whatever, doesn't 1327 00:45:34,890 --> 00:45:36,629 have to be sexy, but they were targeted. 1328 00:45:36,630 --> 00:45:38,609 And we can show that some information was 1329 00:45:38,610 --> 00:45:40,409 taken and then used in some sort of way 1330 00:45:40,410 --> 00:45:42,539 that led to real world consequences.
1331 00:45:42,540 --> 00:45:44,669 I think that is the holy grail for 1332 00:45:44,670 --> 00:45:46,499 highlighting, because at the end of the 1333 00:45:46,500 --> 00:45:48,119 day, this is the important thing to 1334 00:45:48,120 --> 00:45:50,249 highlight is that technology 1335 00:45:50,250 --> 00:45:51,239 is a sideshow. 1336 00:45:51,240 --> 00:45:52,889 The main thing is the person being 1337 00:45:52,890 --> 00:45:53,909 targeted and experiencing the 1338 00:45:53,910 --> 00:45:56,039 consequences for engaging in 1339 00:45:56,040 --> 00:45:57,299 peaceful, legitimate freedom of 1340 00:45:57,300 --> 00:45:58,919 expression activity. 1341 00:45:58,920 --> 00:46:00,959 Yeah, and in a sense, I think what we're 1342 00:46:00,960 --> 00:46:02,529 talking about, you know, we use the term 1343 00:46:02,530 --> 00:46:04,139 an epidemic of compromises. 1344 00:46:04,140 --> 00:46:05,789 We're talking about a problem that looks 1345 00:46:05,790 --> 00:46:07,979 a lot like a public health problem 1346 00:46:07,980 --> 00:46:09,659 and in the same way that public health 1347 00:46:09,660 --> 00:46:11,849 has historically had trouble vis a vis 1348 00:46:11,850 --> 00:46:13,709 doctors who consider themselves experts 1349 00:46:13,710 --> 00:46:16,169 and might have some views about patients 1350 00:46:16,170 --> 00:46:18,269 needing to wash their hands or engage in 1351 00:46:18,270 --> 00:46:19,349 certain behaviors. 1352 00:46:19,350 --> 00:46:21,449 The same problem holds true here. 1353 00:46:21,450 --> 00:46:24,029 We see a lot of experts 1354 00:46:24,030 --> 00:46:26,129 eyes glaze over when we 1355 00:46:26,130 --> 00:46:28,229 talk about attacks that use these 1356 00:46:28,230 --> 00:46:30,299 simple tools, and yet they work. 1357 00:46:30,300 --> 00:46:32,369 And in our mind, that's a perfect 1358 00:46:32,370 --> 00:46:34,949 example of a public health problem. 
1359 00:46:34,950 --> 00:46:36,929 And we hope to get into a place with all 1360 00:46:36,930 --> 00:46:39,389 of you where the norms make it acceptable 1361 00:46:39,390 --> 00:46:41,549 to see this as just as complicated and 1362 00:46:41,550 --> 00:46:43,679 exciting, a set of problems, just having 1363 00:46:43,680 --> 00:46:45,659 more parameters than a simple piece of 1364 00:46:45,660 --> 00:46:47,489 malware. Can I ask the next question or 1365 00:46:47,490 --> 00:46:48,490 did you have a follow up? 1366 00:46:50,020 --> 00:46:51,939 Guys, thanks for the for the great wide 1367 00:46:51,940 --> 00:46:52,940 open and first 1368 00:46:54,100 --> 00:46:55,929 question and walk around like two days. 1369 00:46:55,930 --> 00:46:58,119 And also in my daily life, I see a lot 1370 00:46:58,120 --> 00:47:00,039 of laptops with the stickers on the 1371 00:47:00,040 --> 00:47:02,229 cameras or stickers on the 1372 00:47:02,230 --> 00:47:03,129 on the mikes. 1373 00:47:03,130 --> 00:47:04,119 It really makes me laugh. 1374 00:47:04,120 --> 00:47:06,189 But actually it for me is just 1375 00:47:07,690 --> 00:47:09,939 an indication that we don't trust 1376 00:47:09,940 --> 00:47:12,369 our software vendors, actually. 1377 00:47:12,370 --> 00:47:12,819 Is there. 1378 00:47:12,820 --> 00:47:14,439 Have you ever thought about how how is 1379 00:47:14,440 --> 00:47:16,689 the community or something that we can 1380 00:47:16,690 --> 00:47:18,759 see or audit 1381 00:47:18,760 --> 00:47:21,279 somehow the legitimacy 1382 00:47:21,280 --> 00:47:23,619 or maybe the trustfulness of a 1383 00:47:23,620 --> 00:47:24,620 software? 
1384 00:47:27,020 --> 00:47:29,659 This is an interesting and hard problem, 1385 00:47:29,660 --> 00:47:31,339 I'm going to take your question to a 1386 00:47:31,340 --> 00:47:33,559 slightly different direction and say I 1387 00:47:33,560 --> 00:47:35,059 think we're in a place where a lot of 1388 00:47:35,060 --> 00:47:37,639 people don't have a lot of trust, 1389 00:47:37,640 --> 00:47:39,919 but especially for general users 1390 00:47:39,920 --> 00:47:41,629 don't necessarily know what they should 1391 00:47:41,630 --> 00:47:43,759 be doing, what the low hanging fruit 1392 00:47:43,760 --> 00:47:46,189 is. So not the perfect trust, 1393 00:47:46,190 --> 00:47:47,449 but the basic stuff. 1394 00:47:47,450 --> 00:47:49,549 And what we see in our day to day is 1395 00:47:49,550 --> 00:47:51,499 lots of activists and others who are not 1396 00:47:51,500 --> 00:47:53,719 exactly nihilists but don't really 1397 00:47:53,720 --> 00:47:55,039 know where the correct sources of 1398 00:47:55,040 --> 00:47:56,779 information should come from, what 1399 00:47:56,780 --> 00:47:58,459 behaviors are worth their time and what 1400 00:47:58,460 --> 00:48:00,409 behaviors are too costly. 1401 00:48:00,410 --> 00:48:03,739 And, you know, pictures, 1402 00:48:03,740 --> 00:48:05,809 stickers on laptop cameras 1403 00:48:05,810 --> 00:48:07,759 do have the advantage of at least raising 1404 00:48:07,760 --> 00:48:09,709 awareness. I think the big challenge, 1405 00:48:09,710 --> 00:48:11,809 though, is in the 1406 00:48:11,810 --> 00:48:13,369 fact that people will be looking to us as 1407 00:48:13,370 --> 00:48:15,529 a community for easy things that 1408 00:48:15,530 --> 00:48:17,449 they can do without a lot of judgment and 1409 00:48:17,450 --> 00:48:19,249 without a lot of snarky, just another 1410 00:48:19,250 --> 00:48:20,569 user error. 1411 00:48:20,570 --> 00:48:22,429 And this is a really defining problem for 1412 00:48:22,430 --> 00:48:23,919 us. 
Do you have something you want to 1413 00:48:23,920 --> 00:48:24,439 add? 1414 00:48:24,440 --> 00:48:26,509 Yeah, and I think that's, I 1415 00:48:26,510 --> 00:48:27,979 just want to echo what you said, 1416 00:48:27,980 --> 00:48:30,049 John. You know, time 1417 00:48:30,050 --> 00:48:31,909 and time again, like, I'm struck by 1418 00:48:31,910 --> 00:48:33,109 dissidents that I talk to. 1419 00:48:33,110 --> 00:48:35,299 And they mention all these kind of, like, 1420 00:48:35,300 --> 00:48:37,459 you know, homebrew things that 1421 00:48:37,460 --> 00:48:39,229 they do. Call them artisanal security. 1422 00:48:39,230 --> 00:48:40,129 Artisanal security. 1423 00:48:40,130 --> 00:48:41,599 Right. Where they'll say, like, oh, 1424 00:48:41,600 --> 00:48:43,579 well, you know, I have this crazy system 1425 00:48:43,580 --> 00:48:45,589 where I keep swapping SIM cards in my 1426 00:48:45,590 --> 00:48:47,809 phone to remain anonymous when making 1427 00:48:47,810 --> 00:48:49,999 phone calls to different people. Or, you 1428 00:48:50,000 --> 00:48:52,159 know, oh, I jailbroke my iPhone 1429 00:48:52,160 --> 00:48:54,469 to install a second copy of WhatsApp 1430 00:48:54,470 --> 00:48:56,329 so I can have an anonymous number, an 1431 00:48:56,330 --> 00:48:57,619 anonymous number on WhatsApp. 1432 00:48:58,950 --> 00:49:00,739 So I think there's a lot of, 1433 00:49:00,740 --> 00:49:02,149 perhaps, you know, these 1434 00:49:02,150 --> 00:49:03,619 misconceptions floating around. 1435 00:49:03,620 --> 00:49:05,929 And, you know, in the 1436 00:49:05,930 --> 00:49:08,299 vacuum of legitimate, authoritative 1437 00:49:08,300 --> 00:49:10,519 sources of information like this, 1438 00:49:10,520 --> 00:49:12,589 people kind of go to, well, here's 1439 00:49:12,590 --> 00:49:14,719 how I think, you know, spying works. 1440 00:49:14,720 --> 00:49:16,999 Here's how I think government surveillance works.
1441 00:49:17,000 --> 00:49:19,099 And therefore, I have this perhaps 1442 00:49:19,100 --> 00:49:21,019 incorrect, you know, mental model of 1443 00:49:21,020 --> 00:49:22,429 that. And then I'll, you know, 1444 00:49:22,430 --> 00:49:23,869 unfortunately get to some sort of 1445 00:49:23,870 --> 00:49:26,029 incorrect security precaution. 1446 00:49:26,030 --> 00:49:28,249 So I think, you know, this education 1447 00:49:28,250 --> 00:49:30,199 is important not just on, you know, like 1448 00:49:30,200 --> 00:49:32,059 seven basic security tips that everyone 1449 00:49:32,060 --> 00:49:33,679 should do, you know, something like that. 1450 00:49:33,680 --> 00:49:36,019 But also, you know, you know, 1451 00:49:36,020 --> 00:49:37,879 more longer term efforts to kind of teach 1452 00:49:37,880 --> 00:49:40,189 people how this how this works, 1453 00:49:40,190 --> 00:49:42,259 like kind of, you know, not like 1454 00:49:42,260 --> 00:49:43,969 an eight hour class or something, but 1455 00:49:43,970 --> 00:49:45,709 kind of step them through maybe like an 1456 00:49:45,710 --> 00:49:47,089 hour presentation, like, you know, how 1457 00:49:47,090 --> 00:49:48,379 exactly does this work? 1458 00:49:48,380 --> 00:49:49,789 What exactly should you be worried about 1459 00:49:49,790 --> 00:49:50,929 your threat model? 1460 00:49:50,930 --> 00:49:52,099 Yeah. Thank you. 1461 00:49:52,100 --> 00:49:54,019 Thanks. Great question. 1462 00:49:54,020 --> 00:49:55,099 Do we have other questions? 1463 00:49:55,100 --> 00:49:56,809 If there's no other question, gentlemen, 1464 00:49:56,810 --> 00:49:58,279 because you're always so swift, you 1465 00:49:58,280 --> 00:50:00,289 deprived us of the opportunity to 1466 00:50:00,290 --> 00:50:01,309 applause and thank you. 1467 00:50:01,310 --> 00:50:02,310 And that's. Oh. 
1468 00:50:13,890 --> 00:50:16,079 And if the signal angel 1469 00:50:16,080 --> 00:50:17,999 doesn't signal that there's a question, I 1470 00:50:18,000 --> 00:50:20,190 think that was the... any more questions? 1471 00:50:22,580 --> 00:50:23,089 All right. 1472 00:50:23,090 --> 00:50:24,409 All right, thank you. 1473 00:50:24,410 --> 00:50:25,389 Well, thank you so much. 1474 00:50:25,390 --> 00:50:27,379 Oh, you know what? I forgot to add a 1475 00:50:27,380 --> 00:50:28,760 parting, parting observation. 1476 00:50:29,900 --> 00:50:32,239 When we talk to civil society 1477 00:50:32,240 --> 00:50:34,729 groups about digital security risk, 1478 00:50:34,730 --> 00:50:36,859 one thing it took a while to dawn on 1479 00:50:36,860 --> 00:50:38,749 me, white guy coming from North America 1480 00:50:38,750 --> 00:50:40,099 talking to people about their problems 1481 00:50:40,100 --> 00:50:42,289 somewhere else, agent of innocence 1482 00:40:42,290 --> 00:50:43,919 in a lot of ways. Right. 1483 00:50:43,920 --> 00:50:45,109 A lot of naiveté. 1484 00:50:45,110 --> 00:50:47,329 And one of the things that I discovered 1485 00:50:47,330 --> 00:50:49,669 is that people, of course, surprise, 1486 00:50:49,670 --> 00:50:51,859 surprise, are constantly engaged 1487 00:50:51,860 --> 00:50:53,539 in balancing the risks that they face in 1488 00:50:53,540 --> 00:50:54,739 other domains. 1489 00:50:54,740 --> 00:50:56,809 So non-governmental organizations are 1490 00:50:56,810 --> 00:50:58,909 constantly thinking about the political 1491 00:50:58,910 --> 00:51:01,759 risk of different choices. 1492 00:51:01,760 --> 00:51:03,799 It's not that they are incapable of doing 1493 00:51:03,800 --> 00:51:05,989 modeling of risk. They're often doing it.
1494 00:51:05,990 --> 00:51:08,299 The challenge is how to help 1495 00:51:08,300 --> 00:51:10,399 them support that thinking 1496 00:51:10,400 --> 00:51:12,079 and that willingness to think about those 1497 00:51:12,080 --> 00:51:15,199 problems into things technological. 1498 00:51:15,200 --> 00:51:17,569 And I think we have a long way to go 1499 00:51:17,570 --> 00:51:19,699 there. And one of the problems that 1500 00:51:19,700 --> 00:51:21,919 we have is the perfect 1501 00:51:21,920 --> 00:51:23,599 is often the enemy of the good. 1502 00:51:23,600 --> 00:51:25,369 So a lot of the recommendations that we 1503 00:51:25,370 --> 00:51:27,469 might be tempted to, 1504 00:51:27,470 --> 00:51:29,479 you know, quickly make to someone like, 1505 00:51:29,480 --> 00:51:30,739 oh, well, you should use this particular 1506 00:51:30,740 --> 00:51:33,139 security tool because it's secure often 1507 00:51:33,140 --> 00:51:35,329 not only don't quite mesh 1508 00:51:35,330 --> 00:51:37,429 with their needs, but don't reflect 1509 00:51:37,430 --> 00:51:39,079 the nuance with which they think about 1510 00:51:39,080 --> 00:51:41,029 their own risks and the choices and 1511 00:51:41,030 --> 00:51:42,899 balancing that they'll need to engage in. 1512 00:51:42,900 --> 00:51:44,569 Yeah, I think there's one really 1513 00:51:44,570 --> 00:51:46,369 interesting anecdote that I can tell that 1514 00:51:46,370 --> 00:51:47,839 that kind of crystallizes that from an 1515 00:51:47,840 --> 00:51:50,059 individual user point of view. 1516 00:51:50,060 --> 00:51:52,489 So I work with some activists in Bahrain. 1517 00:51:52,490 --> 00:51:54,439 And, you know, we heard a story a couple 1518 00:51:54,440 --> 00:51:56,929 of years ago that a bunch of activists 1519 00:51:56,930 --> 00:51:58,639 were arrested by being traced through 1520 00:51:58,640 --> 00:52:00,349 this messaging app that they were using. 1521 00:52:00,350 --> 00:52:02,449 And it was a we analyzed it. 
1522 00:52:02,450 --> 00:52:04,399 It was an insecure messaging app called 1523 00:52:04,400 --> 00:52:05,539 Zello. 1524 00:52:05,540 --> 00:52:07,609 And basically, you know, 1525 00:52:07,610 --> 00:52:09,799 so our first thought was like, OK, well, 1526 00:52:09,800 --> 00:52:11,809 let's recommend that they use a secure 1527 00:52:11,810 --> 00:52:13,939 messaging app. But the reason 1528 00:52:13,940 --> 00:52:15,799 why they were actually using this 1529 00:52:15,800 --> 00:52:18,019 insecure app was that was the only 1530 00:52:18,020 --> 00:52:19,669 one they could find that provided a 1531 00:52:19,670 --> 00:52:21,409 walkie-talkie functionality. 1532 00:52:21,410 --> 00:52:23,599 And how they use this is that, 1533 00:52:23,600 --> 00:52:25,849 you know, an activist would be asleep 1534 00:52:25,850 --> 00:52:27,169 in his bed. 1535 00:52:27,170 --> 00:52:28,819 He'd have the phone beside his bed. 1536 00:52:28,820 --> 00:52:30,889 And if there were the police coming in 1537 00:52:30,890 --> 00:52:32,809 doing house raids and searches in the 1538 00:52:32,810 --> 00:52:34,699 village, then someone would get on the 1539 00:52:34,700 --> 00:52:36,409 walkie-talkie and broadcast the message 1540 00:52:36,410 --> 00:52:38,149 to everyone and it would wake up the 1541 00:52:38,150 --> 00:52:40,159 sleeping people immediately, like, you 1542 00:52:40,160 --> 00:52:41,809 know, dozens of people and say, you know, 1543 00:52:41,810 --> 00:52:43,189 hey, there's police raids in the village. 1544 00:52:43,190 --> 00:52:44,190 Right. 1545 00:52:44,420 --> 00:52:46,099 And so they couldn't switch away 1546 00:52:46,100 --> 00:52:47,839 from this because it was part of their 1547 00:52:47,840 --> 00:52:49,879 model of avoiding the risk of being 1548 00:52:49,880 --> 00:52:51,199 arrested by police. 
1549 00:52:51,200 --> 00:52:53,659 And this interception, digital security 1550 00:52:53,660 --> 00:52:56,429 risk, was kind of ancillary in 1551 00:52:56,430 --> 00:52:58,669 their mindset to this real world 1552 00:52:58,670 --> 00:53:00,230 risk. So I think that's a great point. 1553 00:53:01,440 --> 00:53:02,189 Did you have anything you want? 1554 00:53:02,190 --> 00:53:03,079 I think I'm good. 1555 00:53:03,080 --> 00:53:04,549 All right. Thank you so much for your 1556 00:53:04,550 --> 00:53:06,049 time and attention. We really appreciate 1557 00:53:06,050 --> 00:53:07,050 the welcome here. 1558 00:53:09,770 --> 00:53:10,699 Thank you. 1559 00:53:10,700 --> 00:53:11,700 Thank you.
