For the next talk, we welcome a contribution to the ever-expanding zoo of malware in the ecosystem of insecurity: Pegasus. It's about the case of Ahmed Mansoor; the Citizen Lab does excellent work in forensics, and it even made it into the Christian Science Monitor lately. And a big round of applause for Bill Marczak and John Scott-Railton.

Next. Hello, everyone, can you hear us? Awesome. Where's my clicker? So my name is John Scott-Railton, and I'm here with my colleague Bill Marczak, and we are going to present a talk titled Million Dollar Dissidents and the Rest of Us. Bill Marczak is a senior fellow at the Citizen Lab. He just got his PhD, like, last week at UC Berkeley. So, quick round of applause. And Bill is also one of the founding members of Bahrain Watch, which does really important work on human rights, transparency and defense in the Gulf.

Thank you for that lovely introduction, John. My colleague John Scott-Railton, of course, is my co-conspirator at the Citizen Lab. He's also pursuing his PhD at UCLA, and his research focuses on targeted threats, specifically against civil society. So for those of you who don't know the Citizen Lab, it's located in this big stone building in Toronto. We do two basic components of work: we look at targeted threats against civil society, and then we look at information control. And what we're going to talk about in this presentation is our work on targeted threats.

Some background about the lab: it's fairly old in computer terms. It's independent, it's academic. And our bread and butter is developing long-form trust relationships with targeted groups to find things, and then combining that with a real degree of technical rigor to understand what it is that we found, whether it's phishing or other forms of attack. So, quick roadmap. I'm going to talk to you today, along with my colleague Bill, about two attacks, one zero-day. We're going to talk about some infrastructure fingerprinting. We're going to talk about scale issues for security and high-risk users. And we're going to end on that.

All right, so let's jump right into the story. This handsome gentleman here is called Rory Donaghy, and he's a human rights activist based in the UK. He's a founding member of this organization, the Emirates Center for Human Rights, that focuses on, you guessed it, human rights in the UAE. He's also now a journalist at Middle East Eye, where he's been publishing a series of stories involving leaked emails from high-ranking members of the UAE government. Recently, he was targeted. He actually got this interesting email here from an address, "the right to fight" at openmailbox dot org, which seems a bit sketchy. It says: Mr. Donaghy, we are currently organizing a panel of experts. We invite you to apply to be a member, and you should respond with your thoughts about the following article. And there's a link here to this weird-looking site, aax.me. You know, it looks kind of sketchy, right?

Yeah, but at this point, somebody in the audience is probably thinking to themselves, oh man, it's another talk: activists somewhere getting social-engineered and phished. Like, haven't I seen this talk many, many times before?

Well, that's a great point, John, but keep your shirt on. We're getting to some interesting stuff. All right. So aax.me, what's kind of weird, right? We started looking more into this site. We figured out that it was this thing that claimed to be a service where you could shorten your URLs, kind of like bit.ly or something like this. It turns out, though, that it was publicly accessible, so anybody could go here and shorten any URL that they wanted. It would redirect using just a regular HTTP 302. But the link that was sent to Donaghy actually redirected using a different mechanism, which ran a ton of JavaScript. If you clicked on it, it would have run a ton of JavaScript on his computer, including a bunch of attacks that would seek to deanonymize him if he was using Tor. One particular attack was able to figure out the location where Tor Browser Bundle was installed, which could contain the name of the person using it. Also, there was a really clever technique to do a local port scan of his computer to identify which antivirus program he was using, in order to perhaps enable bypassing antiviruses.

So he received this email. We looked into this weird aax.me site, right. The interesting thing was we were actually able to get more from this attacker. So we instructed Donaghy to send a response saying, thanks for your message, but I'm having trouble with your link. So this case was actually really unusual, because the attacker did, in fact, respond with this email and said, hey, we apologize for your having problems. Here's another link where you can download our organizational information as an attachment, as a file. But the catch is, we're such a secret organization, we had to protect it with macro-enabled security, right. So it requests you to please enable macros to view the information about the organization. Right. So this is the image that he was presented with when he opened up the Word document. It says: this document is secured, please enable macros to continue. And it says the same thing in Arabic. And it looks official, right? It's got the Office 365 logo. It's got the Proofpoint logo, like, those guys do document security. OK, this is a pretty good phish so far.

So what did the macro do? Obviously, it displayed information, but that wasn't the only thing it did. So it turns out it was a pretty basic PowerShell macro, or a macro that ran a PowerShell command. And the PowerShell command was designed to gather basic system information, as well as, interestingly, the installed version of .NET. And it submitted all this information to a kind of interesting-looking site at hostingcache.com, and pulled a response back from the server, which was then executed in PowerShell. So we got this stage two response from the server, which actually installed a scheduled task in Windows. And every hour it pulled new commands from the server and executed them. But it was actually a different server, incapsulawebcache.com. And then, so the third stage, the commands pulled down by the stage two, we were actually able to get some of these, and the first command was getting the ARP table, which contained perhaps information about other machines locally connected to the network, to perhaps enable lateral movement by the attacker, and also very, very aggressively scraped the computer for passwords and browsing data, using, in fact, free-licensed code (nobody tell Richard Stallman) from this application called QuasarRAT.

All right, Bill, phishing, PowerShell, macros. I'm still kind of skeptical that this is going somewhere interesting. Well, you're right, it's technically boring, but this sort of technique keeps working. Activists keep getting compromised. It just sounds to me like more user error. Well, in fact, John, this looks kind of like a digital public health problem. Indeed, it does.

So as we've worked with targeted groups for a good chunk of the last decade, one of the things we've observed is that the Internet, surprising no one, has profoundly reduced asymmetries in the ability of individuals and organizations to communicate and broadcast their information. Right. The advantage, the story I always think of, is like in a coup d'état, it used to be, you know, the rebels had to capture the TV station. Now everyone can have something like that. So it's very exciting, and it's profoundly changed the way that civil society does its communication. But there's a great overhang, because that technology has not itself changed the underlying asymmetries of risk and power that are still articulated through the Internet. What that means in practice is that civil society is really vulnerable, and it's made more so because most civil society organizations, most NGOs, are like the ultimate bring-your-own-device, bring-your-own-computing-style computing environment. There's absolutely no IT department. There's no choke point on the network that you can monitor. Most people have very mixed, even artisanal, relationships to their security, and little access to behavior change if you're trying to change behaviors, and usually documentation of bad things is terrible. Put differently, it's a big headache to try to do security. And the reason is not some kind of moral or ethical deficiency. It's that people are really strapped for time and resources and knowledge, and are trying to focus on their primary objective, which is usually not securing their boxes. The predictable result, of course, of all of this is a hidden, and sometimes not so hidden, epidemic of compromises within civil society.

So what happened to the story we were telling? Well, so that story about macros and PowerShell will actually lead us to an iOS zero-day. All right, I'm interested, Bill. OK, let's break it down, John. OK, so we published the information about Rory Donaghy and his targeting in a Citizen Lab report. You can read about it. As part of this, we were able to trace the stage one and stage two domains, hostingcache and incapsulawebcache, to 11 and 69 other domain names, respectively. And once we had this, the next question was, could we trace it even further? So we started looking at the WHOIS information for these domain names, as well as a bunch of their DNS records, specifically the start of authority (SOA) DNS record. And we noticed something quite interesting. We noticed this email address, p-n-1-p-p-n-1-g-3 at SIGAINT, and it was pointed to by one of the stage two domains we had found, but also by three other domains which we had no idea what they were. They didn't match our fingerprints for stage one or stage two of the spyware. In fact, we determined they were designed to impersonate this website, Asrar Arabiya, or Arabian Secrets, which is actually a legitimate news site that provides news and gossip about stories going on in the Middle East.

We were able to get the contents of these sites. You know, we just visited these websites and found the following HTML code returned by the sites. As you can see, what's going on here is they're showing the legitimate Asrar Arabiya website to the user in an iframe that takes up the whole browser window. And there's also this invisible one-by-one iframe loading this weird-looking site, smser.net slash a bunch of numbers. Very weird. So we began kind of investigating this. We looked at this link specifically. We found that it redirected to smser.net/redirect.aspx, which returned this HTML code, and you can see this is kind of weird. It's got a very distinctive format. There's two meta redirects to Google, and there's kind of like a blank title and a blank body. It struck us as very odd. So we used this as a fingerprint and, in fact, scanned the entire Internet looking for the same fingerprint. Specifically, we used zmap to scan the entire Internet, doing a GET request for /redirect.aspx on every server on port 80. And we found actually 149 IP addresses mapping to 149 domain names which returned this same code. Only 149. So this struck us as kind of odd; we thought, you know, maybe we were onto something important.

We then began breaking down and looking at exactly what those domain names we found were. We found that a couple of them were designed to impersonate, for example, government portals, or humanitarian organizations like the Red Cross, or airlines, news media and a bunch of other different categories. But the theme that struck us was impersonation. You can see here some of the typos, like aljazeera dot co instead of Al Jazeera. Another thing we noticed is that some of the domains had "SMS" in them, over and over and over, and this struck us as odd, right? Why would you have a bunch of domain names that are impersonating things, and a bunch of other related domain names with SMS in the name? Well, maybe if you're targeting mobile phones and people get, you know, some sort of link that has SMS in it, maybe they're more likely to click on it. So at this point we figured maybe these 149 domain names were designed to target mobile phones.

So we waited, and we asked around. One of the key features of the way that Citizen Lab does its work is that it often leaves us with big questions and watching. So to think about our workflow: it often involves encountering a group that's received something suspicious. We take a look at what they received. We often find some command and control infrastructure. And then we look and we wait and we poke. And at the same time, we will develop fingerprints for that C2 infrastructure and start to get a better sense of where else it might be in IPv4 space. We'll then often go back, having found infrastructure, which is where we are in this story, and start looking for malware or something that talks to that infrastructure. And what we're doing is exploiting a fundamental principle. We think of targeted surveillance using intrusion, which is, when it's used at the scale of monitoring a group of people rather than a single intrusion, infrastructure is going to get used not just for one person, but for a bunch. That means that servers are going to stay online for a while. That means that there may be malware floating around. And this is really part of the enabling feature of this community for the work that we do. And it translates into interesting results. So in 2014, using fingerprints developed for the malware of Hacking Team, we came up with a list of suspected government users. In 2015, we did the same thing, updating earlier work on suspected government users of FinFisher.

But back to waiting. In August of 2016, we got a message from Ahmed Mansoor, who is, as was mentioned in the introduction, a human rights defender based in the UAE. Mansoor said, guys, I think I'm being targeted again. And we believed him, because in 2011, Mansoor was targeted with FinFisher, disguised as a PDF document, and then, nobody leaving well enough alone, he was targeted again with a Hacking Team implant in 2012, this time with an attack document and some old-day exploit. So we paid attention. What he had for us was two SMS messages that he had received, basically translating to: new secrets about Emiratis tortured in state prisons, something relevant to his work not only as a human rights defender, but to him personally, as he's previously been arrested and jailed for his highly important work. So we said, nice bait, we'll take it.

So, as John said, we decided to take this bait. We decided to somehow see what was behind these links that Mansoor had sent us in the text messages. So what did we do? Well, we actually figured, hey, let's open this up on an iPhone. He received the links on his iPhone 6. So we said, OK, we've got an iPhone. Let's factory reset it, and let's connect it to the Internet through a laptop. Since the link was using HTTPS, we wanted to capture everything. So we set up a laptop with mitmproxy and Wireshark, and basically installed our fake root CA on the iPhone and transcribed the link into Safari on our iPhone. So all the phone's Internet traffic was going through the laptop. We could see everything. And our goal was to kind of capture what might be behind this. So what happens next will shock you.

All right, so this is the output from Wireshark that we were seeing on our laptop. So the first thing, obviously, you know, we transcribed the link, we typed it in, and we see what you'd expect: a GET request for the link. And it turned out this was a blob of obfuscated JavaScript, which already was quite interesting. The next thing we saw is that about 10 seconds after we typed it in, the Safari window on the iPhone closed. Very weird. Very unusual. This was our first indication that, OK, maybe there is some sort of shenanigans going on here with this link. We saw then the phone sent out another request for this file, final111, which was a second stage of, you know, lightly obfuscated code. A bunch of other requests appeared to emanate from the phone, giving basically like logging data, or the status of what was going on, to the server. And then we saw a message saying "trying to download bundle". In other words, the phone sent a log message to the server saying that it was trying to download something, and it was trying to download this file, test111.tar, which actually was an iPhone application. And the interesting thing is that this request came from a different user agent, telling us that control had been transferred, perhaps, to some other process on the phone, which was fetching this.

So hold on, Bill, are we looking at some kind of remote jailbreak? Well, that was kind of what we thought. We thought we might be looking at that, indeed. So what exactly did we get? Well, it turned out that what we had seen was the result of three zero-day exploits: the first an exploit in Safari, and the second two exploits designed to jailbreak and install an app on the phone. The payload that was installed was actually capable of recording messages, voice and all kinds of other data from a number of apps on the phone. And for those of you who have been attending CCC, we gave the artifacts that we'd received to our friends at Lookout, and this handsome gentleman here, Max Bazaliy, gave an excellent talk on the internals of the exploits and the jailbreak on day one of CCC. So I hope you all check that out. If not, you can watch it online.

So, of course, we also realized, along with Lookout, that it was time to do some responsible disclosure towards Apple, which we did. What is, of course, interesting is that this was the first known, the first publicly announced, remote iOS jailbreak. Pretty exciting. And these are things that in no way come cheap. Most recently, we learned that Zerodium is offering a 1.5 million dollar bounty for a similar piece of technology. But this has also caught the attention of the popular media, even Vanity Fair, which published an article asking who's stealing the secrets of Silicon Valley's crown jewel. So who did hack Silicon Valley's crown jewel?

Right, right. So we've told you what we've got. We got the remote jailbreak. We got the interesting spyware. But who's behind it? So remember, we did this scan, we used zmap. We found these 149 IP addresses that were related to that weird site, smser.net. So that didn't really help us in attribution. We got these IP addresses, we got these domain names. There were no clues, really. So the natural next step is, we decided to go back in time. And of course, we didn't actually go back in time; we simply used historical Internet scanning data, and we looked up those 149 IPs: how did they behave in the past? We found out that 19 of these 149 IPs actually gave a different response in the past to a GET request on port 80, and it was this other weird, odd-looking Google redirect. You can see, you know, there's like the Unicode byte order mark at the beginning. You know, there's like some weird line breaks, and it looks pretty odd. And of course, you've got the blank title and blank body. So this was very interesting. And the next natural question was, OK, 19 IP addresses return this; how many other ones returned the same response in that historical scanning data? So we found that it was returned by about 85 or so other IP addresses, including IP addresses pointed to by three interesting domain names: nsoqa.com, qaintqa.com and mail1.nsogroup.com. And NSO Group, of course, is a spyware vendor based in Israel. This is a screenshot of their product brochure, showing that they do indeed control the domain name nsogroup.com. And in fact, the first two domain names listed there are also registered to people with nsogroup.com email addresses. So NSO Group's brochure mentions that it's a leader in the field of cyber warfare. They have a solution called Pegasus, which allows full monitoring and exfiltration from phones, and it's exclusively for the use of government and law enforcement agencies.

So although Mansoor was the first target we found, he wasn't the only one. This is Rafael Cabrera, a courageous Mexican journalist, and we got in touch with Cabrera after we learned that he'd been receiving suspicious text messages. So what were these messages? Well, they included things like a fake Facebook account notice, account overage charges, news alerts related to his work, and then, bizarrely, just crude sexual taunts followed by a link. Why anyone would click on that is beyond me. Why was he targeted? Well, it turned out that the links were either shortened links going directly to the infrastructure that we had found, or directly pointing at that infrastructure. Now, our guess is that this may have something to do with his work on the Casa Blanca scandal. So the Casa Blanca scandal, in brief, is the discovery that the now president of Mexico, formerly a provincial governor, received during his provincial governorship a house paid for by a company that got a concession to do an infrastructure project during his tenure as governor, widely believed to be an example of corruption. But this wasn't the only case either. In the course of our scanning, we found evidence of targeting across the globe, from Mexico and the UAE to Uzbekistan, Kenya, Mozambique, Qatar, Turkey, Morocco, Hungary and elsewhere.

Now, of course, the question is, what's all this targeting? Right. Well, if you listen to the chief counsel of Hacking Team, a company that sells this kind of stuff, he would have you believe, and this is a quote, that this is designed to target terrorists, pornographers and other criminals. We could refer to this as the fig leaf. In fact, our research turns up again and again evidence of this technology being used perhaps for some law enforcement purposes, but also pointed at the political opponents and critics of powerful regimes, journalists, activists and human rights defenders. So who are these people? Well, let me give you a thumbnail sketch. Hisham, a human rights defender from Morocco, one of the few free voices during the time that he ran an organization systematically prosecuted by the government. His organization, Mamfakinch, was targeted with commercial malware; work done by Bill, Morgan Marquis-Boire and others, including Claudio, who's here somewhere. We have an Ethiopian journalist based in the US. He and his news organization were targeted by, we believe, the Ethiopian government in the process of reporting on that country. So, clear evidence this kind of spyware in no way reflects borders, certainly doesn't respect them. Carlos Figueroa, an opposition politician in Ecuador. And of course, Ahmed Mansoor. What's interesting about each of these people is that they are, in our view, million dollar dissidents. The cost of these programs is, in effect, price-tagging the power of their speech in the eyes of the governments who are scared of them.

So we have this thing that we bandy around in the lab, which is this idea of the principle of misuse. Basically, commercial surveillance technology, including intrusion tools and zero-days, will be misused in proportion to the lack of accountability and oversight. This is in no way a new discovery. This is something that history has shown us time and time again with different regimes. Our view is that the current spyware market is just fully proving that history repeats itself. That said, there are some saliency issues. So as Claudio pointed out yesterday, surveillance technology that's sold by companies gets a lot of attention, and the specific companies who sell it get a lot of attention, whether or not they happen to be representative. This is especially true when zero-day exploits are involved. And it's also the case that this is only part of the threat to civil society. So here's some thumbnail bar charts. The point that I'm going to make with them is basically this: the lion's share of the malware attacks that we look at and that we see at the Citizen Lab (so there's a potential selection bias; there's some we don't see) emphasize high social engineering sophistication and minimum necessary technical sophistication. You don't need a really fancy lockpick if you can climb through an open window. Some numbers to back this up: here's some rigorous work done by my colleagues and I, tracking thousands of attacks against civil society organizations working in Tibet, as one example. And what we see when we track which exploits are used is a proliferation of old-days and very few zero-days. This pattern is fairly common. But that's, of course, not the whole story, and by no means would I argue that you shouldn't pay attention to commercial surveillance.

Right, right. As John says, you know, bad actors tend to focus on the easiest way to get in. However, sometimes the easiest way to get in is a zero-day exploit using these commercial surveillance tools, and commercial surveillance tools do receive a lot of attention. But I think it's important also to focus on this, because commercial surveillance is not just the surveillance tool. It's really exporting all of the expertise to run a well-resourced surveillance state. If you look at companies that operate in this space, like FinFisher, for example, they don't just sell you the spyware. They do sell you the spyware, of course, but they also sell you the support and they sell you the training. And what is this? This is essentially updates to get around new security measures and antivirus programs. And if you don't know how to hack or phish, they'll teach you how to do that, too. So these vendors are not just selling the tools. They're also facilitating the proliferation of the surveillance state.

So one of the bigger picture problems that we've got, as we're thinking about how to defend against this stuff, is the following problem: you don't know who the next activists are going to be. They don't even know themselves. And so the question is, in an environment where everyone is mostly using commercial platforms and tools for their communication, even their most sensitive communication, how do you secure this world? Well, one potential strategy is to make us all, forgive the hyperbolic language, potential million dollar dissidents. Put differently, this means raising the cost to target an arbitrary person. So how do you do that? Well, there is the iPhone model, right, which is you create a walled garden and you make it very, very hard for users to do certain activities. So you trade some user freedoms in exchange for security. We see elements of this model throughout. For example, as Chris correctly pointed out yesterday, Chrome, an extremely secure browser, trades some user privacy for a degree of security. One of the challenges of this space is that companies have done a really efficient job at attracting people who are activists, at attracting people who are going to use these tools in ways that are politically sensitive, and many who face serious threats, or will one day, are using a Gmail inbox right now or something similar. These are not tools currently designed to handle high risk. They happen to be the most fluid tools for most user experiences. But even in these environments, one of the challenges is that the kinds of security options that would protect these groups are not default-enabled, say, during the account creation process. A really good example of this would be two-factor authentication. Another is browser sandboxing, complete sandboxing as a norm across the industry. So that's a little bit of what we think industry players can do. But what can you folks do in the audience?

So thanks, John, you raised some very good points about ways to raise the cost across the board of these sorts of attacks, and that's an important big-picture consideration. So another thing, and one of the areas where specifically we work at the Citizen Lab, is looking also not just at the forest, but at the individual trees themselves. And pardon the expression, they're not trees. They're actual real people who are being targeted with this spyware. And the questions we try and answer are: who are these high-risk users, and how are they actually being targeted in the real world? So, as we mentioned earlier, we build these deep relationships and engage with activists and civil society groups, and we encourage them to forward anything suspicious that they have and send it to us. So the starting point for all these investigations, as you saw at the beginning of our talk, is some sort of suspicious or suspected malicious digital artifact, be it an email, a message, a link, a file. And then we aim to answer the questions: of course, is it an attack? How is the attack happening? Who's conducting the attack, who is the attacker, and what else is the attacker doing? Can we trace and look at their other activities? So, of course, you know, we do this at the Citizen Lab. We've presented some cases from the UAE. And, you know, my colleague John has done a lot of great work on this. But if we look at our John here on the map, so John is but one person, and he's a very, very smart, very, very talented, very, very hardworking person. Bill did this when I was sleeping last night. But despite John's best efforts, there's no way we can get John to cover the entire world. John doesn't have enough hours in the day to interface with all of the potentially targeted groups and do this work across the world. So really the issue is that we need more people working in this field, more people doing either the Citizen Lab model that I described, or working with organizations like Claudio's Security Without Borders or similar efforts, to try and not just work on raising the cost across the board, but also focus on these individual cases which illuminate the big picture as a whole.

So we'd like to conclude by just offering a few thoughts from Mansoor himself, being the main subject of our talk. We asked him if there was anything that he'd like to give to the tech community or to the world. And the message that he wants to convey is that defending human rights, in his view, is becoming more and more difficult. So the work that he does tries to communicate with victims and connect victims with the international media to raise their cases and raise awareness of human rights violations. And that's becoming increasingly dangerous, because governments, like his government in the UAE, are increasingly retaliating in ever more brutal ways. For instance, Mansoor himself has been subject to beatings and arrests; you know, his car was confiscated, his passport was confiscated, and what is suspected to be the government stole about a hundred thousand dollars from his bank account. So these retaliations can in some cases be very brutal. And once the technology reaches governments like the UAE, he's certain that it will be abused and used to target, you know, dissidents, activists and other people who are just exercising legitimate freedom of expression rights. So he implores the international community and technologists to try and do whatever they can to make sure that these sorts of dangerous technologies, like Hacking Team, like NSO, like FinFisher, do not make it into the hands of repressive regimes in the first place.

So with that, we'd like to close on some quick acknowledgments to some amazing colleagues, but first thanking the organizers of this event for having us. We really appreciate that, and running the event so excellently. None of our work works very well without the close collaboration of a bunch of amazing colleagues: Ron Deibert, Sarah McKune, Claudio Guarnieri, Adam Senft, Irene Poetranto, Masashi Crete-Nishihata, Morgan Marquis-Boire, who did some of the amazing work on tracking malware from governments; the team at Lookout, especially Max; Apple Inc., who worked with us very carefully to do the disclosure process; and a lot of other researchers, including Seth Hardy, who have been tremendously helpful to us as we've done this work; and finally closing on thanking PassiveTotal.

So with that, I'd like to open it up for questions from the audience. If folks have burning things you'd like to ask us, we would love to answer. I see already a question at number four, so jump right in. Fortune favors the brave.

So there have been attempts to restrict the distribution of these kinds of tools through the Wassenaar Arrangement. Do you feel that that is the best way to do this?

Well, I think what we can say is that our work on NSO shows that the current arrangement is wholly under-resourced for stopping the proliferation of these tools. And I think I'll leave it at that. Yeah, I think it's also interesting to kind of look at how the efforts have been focused so far, you know, specifically on intrusion tools and zero-day exploits. But also, you know, looking at what the key salient characteristic of these organizations like FinFisher, NSO and Hacking Team is. And in my view, the key characteristic is that they don't just give you the tools, because, you know, anybody can give you the tools. What they do is they hold your hand while you use them. They give you support, they give you training. It's this complete package that really, you know, can bootstrap a government from no knowledge t
o getting information from from activists, phones and computers quickly. Yeah. And I think I'll also just observe, as somebody recently pointed out to me, some form of additional regulation is probably in the pipeline. And we probably want to make sure as a community that we are as engaged as possible and ensuring that that regulation works and works for us and is balanced. Question the two. Have you been profiling what devices, what platforms are being targeted, and do you have any idea if if as a government, do you want to pay? I don't know, a huge amount of money. You have to know which platform to target. So how is it being done? How how do you target your people and. Well, great question. It really depends on the case. I think in a lot of sophisticated attacks, we see elements of profiling before targeting. In other cases, and Bill can speak to this, the exploit service that we look at actually select fire based on what device you touch. Yeah. So companies like like NSA or like hacking team and probably finfish are to offer exploit services. So, you know, the government that's targeting you can create some sort of link and the link dynamically sees what platform you're on, perhaps based on, you know, the user agent header or other headers in your in your request and then delivers the appropriate spyware payload for whatever your devices. But, you know, I think from when when a government is thinking about this, when an attacker is thinking, hey, what what platforms do I want? You know, they can perhaps leverage some intelligence from their country, you know, seeing which are the most common platforms in their country. But perhaps maybe the smarter attackers would think and say, oh, maybe it's not really about the platform, it's about the information. Where is the information and what are the other ways I can get at the information? Maybe it's maybe you want to access someone's email account and the way the easiest way to do that would be phishing rather than, y
ou know, targeting a specific platform or maybe there's, you know, files on someone's device that you want. And in that case, you've got to hit that device. Yeah. The flip side, of course, is cyber militia groups. So the my cousin knows computers approach. They're doing malware, lots of commercial rats'. Those groups will often target what they see as most popular in the communities that they're targeting. Question over, I think, for that. I would like to ask you two questions. One is, is there any metric to know all of these tools? How many of them were used for actual criminal activities in a position to just like dissidents? And the second question is, is that maybe without this technology, the tools that these government would use would be more dangerous to these activists, like could they operate spies or just like lock them up? Maybe it's like it's a bad thing overall, but maybe it's better than the alternative. So these are really interesting questions because you want to go first and then I'll say something. Yeah, sure. So so. Yeah. So with respect to your second question, I think it's it's definitely an interesting point. Like if this technology wasn't available, maybe they'd be more brutal. I think, you know, it speaks to, like, I think a fundamental philosophical argument. Right. Do you kind of look at at what's going on and see something bad happening and try and stop that, you know, see what you can do to try and make things better? Or do you kind of like think several steps down the line? And if I do this, maybe they'll do that? You know, I think at least from my point of view, I think, you know, what we want to be doing is identifying harms and wrongs that are happening and then trying to go after those directly. And then if, you know, the government starts torturing people in response, you know, that's an additional thing that we advocate on and try and try and stop. I don't know. Do you have any thoughts on that, John? Yeah. I think, you know, the e
legant way to look at this is that states are very attracted to intrusion software and nothing you're going to do is going to change that because more one more communications are encrypted and many of their targets are not within their borders. And so I think the model should be raise the cost to engage in those practices. You can't stop it and you probably can't legislate it out of existence. But the more the cost is raised through all these different means, whether it's more secure devices, whether it's better norms in the community, so people are less attracted to the bright, shiny things of selling bugs to these brokers or whether it's working at behavior you want to increase cost. Question one, the majority of tax, as you know, don't use fancy hotel chains. They'll use shitty off the shelf rats. How do you hope to get the community and journalists to actually care about that? Because as a journalist, we're not going to write about another activist getting targeted by a shitty piece of malware, to be perfectly blunt, as John. Yeah, well, I think I mean, we had this conversation for me, I think. The question goes back to what the objective is for us, the stories that are the most important are often the human stories of harm and journalists, if they take the time and their editors typically will have a nose for those. And so, in our view, the most important part of doing this work is finding ways to yield up real cases. That said, I can say candidly, we've noticed that editors sometimes sort of, without saying it in so many words, are tired of yet another story of activists being targeted in the Middle East. This is a problem we struggle with. I think one way forward is a little bit sideways, which is finding cases where hacking and intrusion is used in cases closer to home. That doesn't just mean the Democratic Party or politicians. It could mean women who are victims of violence. It could be people who are being targeted or stalked. And I think more of those st
ories and more of those human stories will help. But it's an ongoing it's an ongoing battle. It's why we're so pleased to be able to have an odor to talk about, to trot out these points. But I think journalists also have a tremendous role to play. So just one thing to flag middlemen in the industry. The relationship between a lot of these companies and countries is often not direct. In between, there's a middleman, an organization that provides them with a fig leaf of cover, which allows the company to say, we are not operational. We don't determine how our product is used, trying to absolve themselves of a lot of the liability. This often allows them to do things like skirt regulations or to try to get around export control agreements. As researchers at the citizen lab, we can track the command and control and we can link it to companies, we can track the malware and we can link it to victims. But we don't have a good technical means to study middlemen. So I think that's a very fruitful area for journalists and other investigators to dig in. I think also I think also another final important point just to wrap up really quick is, you know, the cases that have received the most coverage, I think, at least in my experience from the press, are cases where, you know, you can actually kind of show a documented harm because of some case, because of some targeting. There know some information was gained, someone was arrested. And there's a documented harm. Certainly, as you point out, from a technical journalist perspective, the stories that are going to be most interesting are the sexy zero days. But but from a traditional journalistic perspective, I think, you know, these stories where you can make establish the causal link and say, hey, this this person was targeted with whatever doesn't have to be sexy, but they were targeted. And we can show that some information was taken and then used in some sort of way that that led to real world consequences. I think that is the
holy grail for highlighting, because at the end of the day, this is the important thing to highlight is that technology is a sideshow. The main thing is the person being targeted and experiencing the consequences for engaging in peaceful, legitimate freedom of expression activity. Yeah, and in a sense, I think what we're talking about, you know, we use the term an epidemic of compromises. We're talking about a problem that looks a lot like a public health problem and in the same way that public health has historically had trouble vis a vis doctors who consider themselves experts and might have some views about patients needing to wash their hands or engage in certain behaviors. The same problem holds true here. We see a lot of experts eyes glaze over when we talk about attacks that use these simple tools, and yet they work. And in our mind, that's a perfect example of a public health problem. And we hope to get into a place with all of you where the norms make it acceptable to see this as just as complicated and exciting, a set of problems, just having more parameters than a simple piece of malware. Can I ask the next question or did you have a follow up? Guys, thanks for the for the great wide open and first question and walk around like two days. And also in my daily life, I see a lot of laptops with the stickers on the cameras or stickers on the on the mikes. It really makes me laugh. But actually it for me is just an indication that we don't trust our software vendors, actually. Is there. Have you ever thought about how how is the community or something that we can see or audit somehow the legitimacy or maybe the trustfulness of a software? This is an interesting and hard problem, I'm going to take your question to a slightly different direction and say I think we're in a place where a lot of people don't have a lot of trust, but especially for general users don't necessarily know what they should be doing, what the low hanging fruit is. So not the perfect trust
, but the basic stuff. And what we see in our day to day is lots of activists and others who are not exactly nihilists but don't really know where the correct sources of information should come from, what behaviors are worth their time and what behaviors are too costly. And, you know, pictures, stickers on laptop cameras do have the advantage of at least raising awareness. I think the big challenge, though, is in the fact that people will be looking to us as a community for easy things that they can do without a lot of judgment and without a lot of snarky, just another user error. And this is a really defining problem for us. Do you have something you want to add? Yeah, and I think that's I just want to echo what what you said, John. You know, there's time and time again, like I'm struck by dissident's that I talked to. And they mention all these kind of like, you know, homebrew things that they do call them. Artisanal security, artisanal security. Right. Where? Well, they'll say like, oh, well, you know, I have this crazy system where I keep swapping SIM cards and my phone to remain anonymous when making phone calls to different people or, you know, oh, I broke my iPhone to install a second copy of WhatsApp so I can have an anonymous number and an anonymous number on what's up. So I think there's there's a lot of perhaps, you know, of these misconceptions floating around. And, you know, in the in the vacuum of legitimate, authoritative sources of information like this, people kind of go to, well, here's how I think, you know, spying works. So I think government surveillance works. And therefore, I have this perhaps incorrect, you know, mental model of that. And then I'll, you know, unfortunately get to some sort of incorrect security precaution. So I think, you know, this education is important not just on, you know, like seven basic security tips that everyone should do, you know, something like that. But also, you know, you know, more longer term efforts to kind
of teach people how this how this works, like kind of, you know, not like an eight hour class or something, but kind of step them through maybe like an hour presentation, like, you know, how exactly does this work? What exactly should you be worried about your threat model? Yeah. Thank you. Thanks. Great question. Do we have other questions? If there's no other question, gentlemen, because you're always so swift, you deprived us of the opportunity to applause and thank you. And that's. Oh. And if the signal engine doesn't signal that there's a question, I think that was the any more questions? All right. All right, thank you. Well, thank you so much. Oh, you know what? One forgot to add a parting, parting observation when we talk to civil society groups about digital security risk. One thing it took a while to dawn on me, white guy coming from North America talking to people about their problems somewhere else, agent of innocence and a lot of ways. Right. A lot of naiveté. And one of the things that I discovered is that people, of course, surprise, surprise, are constantly engaged in balancing the risks that they face in other domains. So non-governmental organizations are constantly thinking about the political risk of different choices. It's not that they are incapable of doing modeling of risk. They're often doing it. The challenge is how to help them support that thinking and that willingness to think about those problems into things technological. And I think we have a long way to go there. And one of the problems that we have is the perfect is often the enemy of the good. So a lot of the recommendations that we might be tempted to, you know, quickly make to someone like, oh, well, you should use this particular security tool because it's secure often not only don't quite mesh with their needs, but don't reflect the nuance with which they think about their own risks and the choices and balancing that they'll need to engage in. Yeah, I think there's one really
interesting anecdote that I can tell that that kind of crystallizes that from an individual user point of view. So I work with some activists in Bahrain. And, you know, we heard a story a couple of years ago that a bunch of activists were arrested by being traced through this messaging app that they were using. And it was a we analyzed it. It was an insecure messaging app called Zello. And basically, you know, so our first thought was like, OK, well, let's recommend that they use a secure messaging app. But the reason why they were actually using this insecure app was that was the only one they could find that provided a walkie talkie functionality. And how they use this is that, you know, an activist would be asleep in his in his bed. He'd have the phone beside his bed. And if there were the police coming in doing house rage and searches in the village, then someone would get on the walkie talkie and broadcast the message to everyone and it would wake up the sleeping people immediately, like, you know, dozens of people and say, you know, hey, there's police raids in the village. Right. And so they they couldn't switch away from this because it was part of their model of avoiding the risk of being arrested by police. And this interception, digital security risk, was kind of ancillary in their mindset to this real world risk. So I think that's a great point. Did you have anything you want? I think I'm good. All right. Thank you so much for your time and attention. We really appreciate the welcome here. Thank you. Thank you.