- I don't know what you want. If you are looking for ransom, I can tell you I don't have money. - I saw that there were some posts. She was indicating she was in Belgium. Then suddenly she was in the Netherlands, but the pictures didn't add
up with the city she was in. - But what I do have are a very particular set of skills, skills I've acquired
over a very long career, skills that make me a
nightmare for people like you. - Just running PHP beta scripts through every single email, sending them. Say there's a bomb at the school. It's gonna go off at 3:30 today. And that caused mass school
evacuations in the UK. - If you let my daughter go
now, that'll be the end of it. I will not look for you. I will not pursue you. But if you don't. - This is a case of probably
safety, of public safety. We don't know where this person is. - I will look for you. I will find you. (fast-paced, tense music) - Hey, everyone. It's David Bombal, back with a very special group of guests or a panel of guests. We're gonna be talking about OSINT. Welcome. Technisette, let's start with you. - Well, I'm Technisette. You can find me on Twitter at @technisette or on technisette.com. My real name is Lisette. I'm currently working in law
enforcement in the Netherlands. - Before this call started, I was trying to like get
some information out of you, but obviously you're very
shy about sharing that, but that's fine. (laughs) Steven. - Hi, everyone. Yep, my name is Steven Harris, though I'm probably better
known by my nickname, which is NixIntel, which is
where you can find me on Twitter and my blog at nixintel.ino. Similar to Lisette, I have a background in law enforcement. I spent most of my career
working in cyber crime and open source intelligence. I teach the Open Source
Intelligence course for SANS. I'm one of the instructor
candidates for that. And I work for a company called QOMPLX and we use open source intelligence to help people improve
their cyber security. - And last but not least, Micah. - Hey, David. It's nice to be on the show with you. I'm Micah Hoffman. I go by the WebBreacher moniker online. I like to say about myself
that I am a collector of amazing people in the world of OSINT, bringing them together. Whether it's through
OSINT Curious Project, whether it's through My OSINT Training's
training platform I run, or whether it's through the OSINT Games Capture
the Flag OSINT platform, I like bringing together
the best of the best and having a lot of fun with them. My background is in
psychology then in medicine, then in IT, then in cyber,
and finally into OSINT. So I've got a pretty diverse background. I'm on my like fifth career. - Tell us about OSINT Curious. What is this? How did the three of you get together? What is it about? - Sure. OSINT Curious is a US-based nonprofit. It was created back in 2018 when myself and five other people got together and decided
to create a free place with highly accurate and trustworthy, open source intelligence training
materials and blog posts. We'd noticed that there was a wide variety in the technically complete OSINT data that was being released on the internet, and we wanted a single place
where people who come to and they could trust the content. I go there. I know that it's going to
be actionable information that's solid, ad free, et cetera. And so back in 2018, we created the OSINT Curious Project. Right now, we have about 13
members all around the world that create blog posts,
YouTube videos, live streams, and 10 minute tip videos. We also have our own Discord
so that people can, again, come together and talk as a community. - I'll put the links below. Please go and subscribe to the OSINT Curious YouTube channel. Show them some love for
sharing such great content. Go and follow everyone
on their social media. Show them that we really want to get them back for more content. Let's start with this question. What is OSINT actually, and how do I get started? - Let's start from the very beginning and say what OSINT stands for, which is open source intelligence. And it's really, really broad, and it can mean different
things in different disciplines, but it's essentially taking information that is publicly available, whether you pay for it
or you don't pay for it, and analyzing, verifying, developing that public information into something that is useful for you, for your client, for your
company, or whatever. That's the intelligence part of it. So the open source is
where we get the data from, and the intelligence is the useful stuff we can do with that information. - Lisette, you're in law enforcement. Is this something that I'm assuming gets used a
lot in law enforcement, as well as in commercial
enterprises, yeah? - Definitely. If we do a lot of OSINT stuff within law enforcement as well. A lot of the OSINT stuff you can do, you can do like any other
person on this planet with an internet connection and a device, either a phone, a tablet, or a laptop would be able to do all of the
things we are doing as well. The only difference for me personally, for being in law enforcement, is that I have a lot
more rules to obey to, to make sure I'm not crossing
any privacy lines or any laws. It's quite strict for me. - And I mean, especially
'cause you're in the EU. I suppose there's a lot
of like additional rules. And we won't get into the politics, but EU has all kinds of rules of things that you can and can't do, right? - The EU does have a lot of rules going, but for in the Netherlands, it's only the Dutch law
I have to keep myself to. I'm obeying that rule and that law and making sure that everything
I do is legal for me. - Why OSINT, and how's that different if you like to red teaming and all cyber, just for people who don't understand how it's different. So why do we do OSINT? - Open source intelligence, or, as you probably call it in cyber, reconnaissance or recon is
literally the first step in most of the cyber security
things that people do, whether you're doing red
teaming and penetration testing and you have to find targets. You have to find a person or a company, find out more about them, find
out what domains they own, what IP addresses. Or whether you're a
blue teamer researching who's attacking your systems, researching why people got
a certain phishing email. In digital forensics, people use open source intelligence when they dump somebody's phone and they have all the
user names that they need to figure out what they're
connected to on social media. So open source intelligence for me was that aha moment when I knew that my cyber career was
finally coming to an end and I had found this
exciting, accessible place, like Technisette said, where you can find almost
anything online that people, governments, and companies are sharing. And it's in those
techniques that we share, in those tools that we use, and ultimately, like Steven said, in the intelligence that we develop that truly makes OSINT an amazing all around activity for professionals and for hobbyists alike. - I once heard a story,
and I dunno how true it is, that some government agencies are really happy that Facebook exists because it saves them a
lot of the old hard work. Is there some truth in that? - Yeah, I think so. I started my law enforcement career just before Facebook sort
of came into existence and you had to do intelligence
the old fashioned way, like you had to go and speak
to people and write things down and then draw maps with pen and paper to see who's connected to who. And then as Facebook became more popular, it was all there for you. You knew who was friends with who, and you knew where they went. And so yeah, those sort of platforms, Facebook in particular, but
social media more generally, has made things a lot easier. - Do you need any special
skills to do this? Or do you have to go on special courses or is it just something
that you can pick up? - I think anybody can do this, David. You just need some
personal characteristics or personality traits
that you can bring forth. And Technisette, I know that
you wanna say some of this. I'll just mention one and maybe
you can take it from there. The determination that
people have, the persistence, those are incredibly
important when you have this, well, infinite amount
of data on the internet. Technisette, what were you thinking? - You have to be curious as well. You have to want to go
on this treasure hunt as you may wanna call it,
to find that little gem that connects all of the dots or answers that one specific question you really need to get an answer to. And this is one big puzzle hunt. I'm gathering all of my
pieces of information, putting them together to paint
the whole picture for myself. And every time it's a different puzzle, so I rarely get bored doing this. - But I think it's, to take
that metaphor one more step, it's a puzzle that you don't
know what it's a picture of until you've got all of
those data points together, assemble them or analyze them, and now you can see the picture. Would that be accurate? - Yeah.
- I agree. - Yeah. I think that's right. You don't need any formal skills or training to get started necessarily. I think to get to that end
stage where you are producing really good, high quality intelligence, around the analysis of things, that's the tricky, harder part. There's no kind of magic
book you can read to do that, but that's what takes
the time and the practice to become a good OSINT
practitioner, I think. Do you guys agree with that? - Absolutely. I think the trainings
give you that jumpstart if you need them, but very much like the cyber stuff that's out there right now, you could literally watch, I don't know, David's channel over
the past couple of years and you could learn a huge
amount about hacking and all. There are so many videos out there that from various OSINT conferences. You absolutely could learn things just by watching YouTube
videos and reading blog posts. - Especially read what the
OSINT community is sharing. 'Cause I've been in this specific field in law enforcement for over nine years. But I know now that I've
been doing this work for far longer than the nine years, been also doing this at
my previous employer. In that whole time, let's say 15 years, I only have three trainings
on how to do OSINT. All of the other stuff I
learned by either doing them, but also reading what other
people have experienced. Like NixIntel writing a
blog on how he delocated a specific image on Instagram motivates me to be more specific when I'm, for example, looking at a picture, to look at the lamp post or
look at a electrical socket. You need to be active in the community. Well, you don't need to be active, but you need to read and catch up. And if you do that, you can get like at a good
certain level quite easy. - Like if I was starting
today, where would I start? Would I go OSINT
Curious's YouTube channel? Or what I do first step, second step. Have you got like any tips? Go here, start here. Kind of guide me. - The OSINT community is
very active on Twitter. Search for the #OSINT. look at all of the top tweets
or all of the latest tweets and I can guarantee
you you'll be ending up with very interesting blogs,
good quality YouTube videos. And what I personally
think is great about OSINT, you can read a blog, which may take you like 10 to 15 minutes and you've learned something new. And that's what we do at
OSINT Curious as well. We try to create content
that doesn't take you like four hours to get
to know a specific topic or a specific technique. We tend to keep it small and simple. So we do videos of 10 minutes
max to teach you a new skill. And I think that's also
quite cool doing OSINT is that you can learn something new in a relative short amount of time. Be curious, click around.
(David laughs) - Give some names, like the three of you. That would be my first three
people to follow on Twitter. Any other recommendations
of accounts or people? And then websites. Give us specific websites. I'll put them below. Give us your websites, various resources that I can start with. - So my suggestion, David, is start with OSINT Curious. That's OSINTCurio.us. That is like a one stop shop to all of us. On our about us page, we have
all of our Twitter handles. So if you don't know who
to follow on Twitter, you've got that on our about us page. But wait, there's more. If you want to talk with other people outside of just Technisette,
Steve, and myself, we've got a Discord where you can talk to hundreds of thousands of people all around the world that
love open source intelligence. So instead out of asking
me, Micah Hoffman, hey, how do I do this on
Facebook, Instagram with a domain? You can ask people in
different parts of the world what do they do. And then also on the OSINT
Curious Project's website, there are links to those
10 minute tip videos, our YouTube channel, and
of course our blog posts. - Why did you create this? Was it just to try and help the community? - We created it to have that voice and to bring people together really. We had five people and
myself that got together and we said, instead of us speaking with separate voices about this is good open source intelligence, we brought it together on a
single platform and decided this is what we want to do. And Technisette was one
of those other people that was there at the very beginning. - You know, the problem
is when you're starting, it can seem overwhelming. So some people like to read,
some like to watch videos. Do you have any books
that you could recommend? Any one of you? - I'll just say from my perspective, there are books out there
about open source intelligence, but I think the minute
that they are published, they are very much out of date. Much like cybersecurity or
many aspects of cybersecurity that are constantly evolving and changing, by the time you write a book
about exploiting something, it's probably a little bit old. So in open source intelligence, there are some books by several people. But I think that watching social media, whatever platform you're
on, for the hashtags, going to some of these
websites and YouTube videos, you absolutely will stay better informed and more up to date than
following some of these books. But I don't know. Steven?
- Yeah. There's one book I will recommend, although you've made a really good point. The material that's
produced by the community can go out of date quite quickly, because techniques change very often. So it's hard to recommend
a book I read this year or two years ago that's
still relevant now. But I will mention one called "Hack the World with
OSINT" by Chris Kubecka. For anyone who wants to think about offensive security, recon,
it's a fantastic primer. Some of the things that
she discovers in that book, like some the insecure systems and vulnerability she finds, just using open source
intelligence, it's so fantastic for anyone who wants to get into that. - That's great. Technisette, any recommendations from you? - I must say I agree with Steven as well. I like Chris's book a lot, because it brought me more OSINT on a perspective which is
not part of my daily job, as much as it is for other people. I do have a copy of Michael
Bazzell book as well, the Intel Techniques book. I do like it, but it's a very thick book and I'm not very well-concentrated
finishing big books. But it's a very good quality
book when you are in the US, because I've noticed that a
lot of the things that he wrote are specifically for US only. So for me in Europe, some of the things are not as relevant as they are to people in the States. - When I look at like a
lot of content online, it tends to be very US-focused or very even European focused. But is a lot of the
resources on OSINT Curious relevant to, like, if
I was living in Africa or in the Far East? Is it just general stuff that can be applied
all over the place, or are there specific
skills for like the US versus other parts of the world? - I think that a lot of
things are pretty similar. So whenever I want to do an
investigation on somebody and I tend to use Google as my
first search engine to go to, a lot of the search operators I use can be used in multiple
parts of the world. Maybe I have to think about
changing some language, maybe translating a specific name into Arabic or Cyrillic or whatever, but there will always be specific websites only locally to a specific area. So for example, before Facebook was the number one
platform in the Netherlands there was Hyves.nl. I used to work there. It looked like Facebook,
had the same look and feel, but it was focused on Dutch people only. So if somebody from the States would be investigating
somebody from the Netherlands, that should have been a
platform they should visit and see if they can find any information. So there are always locally-known websites that are quite popular and you need to catch up on that, either by Googling or, for example, looking at the top visited
websites of a specific country to see if there might be any websites in that list you're unfamiliar with, or looking at mobile
apps that are popular. For example, in India, they probably are not the same apps that are popular in the UK or in Spain and you need to get
those platforms as well. There's a lot of similarities, but there are some country-specific or region-specific websites and apps you should definitely investigate if you are in that specific region. - So anyone up for a demo? - Can do something. So one of the main things that we find in the open source intelligence
investigative world is that we have sort certain
data that we start out with. So if it's an email address or whether it's a phone
number or a domain, we take that and then our whole job is to find other places, mostly online, where that data has pivot points, where there's other data out there. For example, I'll start out
with just John@example.com. Most people know about going to Google. With most people, they'll
get these results. And you can see there
are almost 12 million, 12 million? 12 billion (laughs) results
that have come back. So the next thing that we have to do is obviously narrow down Google's results. Maybe we're looking john@example.com and we put it in quotes. So the quotes say, John@example.com. That string itself has
to appear in the results. And notice our results have
come down to 132,000 results. So previously Google was chopping up the word John, example, and .com. And now it's saying, oh, John@example.com is in the results. So just by adding quotes,
we have some good results. We can add other things too. If we're looking for other words, we can add keywords,
we can remove keywords. For example, maybe I don't want anything with the word test in it, so I can use dash symbol
here or the hyphen to don't give me anything
with the word test in it. I just took out another 30,000 results. And through this iterative
process of creating keywords, searching them, using Google operators, and then refining your results
using these Google operators, we can narrow Google and Yandex and DuckDuckGo and other results. But I mean, other people
will tell you that Google's only one piece of the pie. For instance, let's just
take John@example.com and head over into the cybersecurity world of searching for breach data. Very common thing that we
do is take an email address and see if it's been
found in any breaches. Because if we can find that, then what we might be able
to do is identify passwords and systems where the accounts of this person might be found. Have I Been Pwned?, which is a site that you're probably familiar
with, might be familiar with. We come over here and
what we do is we paste in our John@example.com and we find, oh no! It's in 98 breaches and 33 pastes. Each time we're doing this, we're recording what we're doing. The most glamorous part
about OSINT is documentation, and I say that with a big grain of salt. But what we're looking
for is those pivot points. Here we have John@example.com,
our target email address, and we see that it's on the 500px system. All right, now I know that there may be an account over there that
I might want to pursue, or an Animal Jam or something. And each one of these bits
of data has other things, like in this breach,
there's email addresses, passwords and usernames. Whether it's an email address or we can start out with
a site that I really like, which Technisette and
Steven will attest to, whatsmyname.app. Sometimes you don't start
out with an email address or you start out with an email address of like WebBreacher@gmail. And you're like, wait, that
WebBreacher could be a username. Well, not only do we
go through our process for email address searching, but we also might wanna
break that WebBreacher off and then search on the
whatsmyname.app site. I'll search for something else, John Doe. And this site takes one username, and when you choose the category
that you want to search, it'll have your browser
make over 370 requests to find other places where an account for that username exists. So here on coder wall, you can see the URLs down here. Reddit, there's a John Doe user account. Gab has a John Doe user account. Over here on the right hand side we have a nice little table
that we can export to our notes and now we have a huge
number of other sites that we need to start investigating. And when we find those sites, we work through our process
to harvest the avatars and the biographical
information, the location data, and we continue to move, gathering data, analyzing it and pivoting. - Just to add up to what
Micah was saying is that we do need to check if
all of these results are one and the same person, because there's a very high chance that somebody else on the world has the same username as well. So we need to visit all of these sites, pivot further on to see
if everything matches and then only you can conclude, well, John Doe indeed has over 72 other accounts on other platforms, which we can either connect to each other or connect to that one
person we're pivoting on. - Have you got any examples
of how this has helped something like in a case or
just in a business or something? - Well, I had a very successful case when I had just started
out in law enforcement. When in law enforcement, you get a lot of extra information about what everything else is going on within the police force. For example, I don't wear a uniform, but the people who work on the streets and who take care of all
of the emergency calls, they experience a whole different world from the things that I do. We have like a newsletter. Gets sent to your email once a week, just updating you on whatever is happening in the region you work in. And as I was working in Amsterdam we got an alert from Interpol
saying that this girl, she came from Australia,
she suddenly left her house. She was only 21. And she left a note on a
table to her parents saying, "Well, I fell in love with this Dutch guy. He bought me a plane ticket. I'm heading over there. Well, see you later. I won't be back for a while." So the parents got very anxious because they were afraid their daughter might be in the hands
of a human trafficker because they've never heard of this guy and they were also very conscious because her mental health
wasn't very stable. And all they asked in a newsletter was if you see this girl, just check if she's okay,
report it back to Interpol. And I was like, hey, this is interesting. This is a young girl. She's 21. She must be out there on social media. So I was searching on Facebook,
found her Facebook profile, but it had very... Well, the information didn't add up. I saw that there were some posts. She was indicating she was in Belgium. Then suddenly she was in the Netherlands, but the pictures didn't add
up with the city she was in. So then I found her Instagram account and she had two photos there, one saying, well, this is
the front view of my balcony. And this is the other view from the backside of
the apartment building. As I was looking at that picture, I was like, this screams
that it's in The Netherlands, because like the way
the houses were built. There was a bus line and there
was a bus actually driving. And I recognized the logos of a bus line that goes in the Netherlands. It must not be very hard
to figure out where she is. And by looking closely at
the pictures she posted, I was able to geolocate it back to the apartment building
she was probably staying in. And because I'm in law enforcement, we have a little bit extra data,
more of the closed sources, and I was able to search
for the name of the person she said she went to to see if anyone in
that apartment building might be having the same name and I found only one
person with the same name. So I called up the local police because it was in another district than where I was working in and I was like, "Hey, have
you seen this newsletter? I think she's in this location. Maybe you can do a welfare check." And they were like, "Okay,
well, this sounds very legit. Let's go there and see
who opens up the door." And it was the girl. So within less than two hours, I was able to find her, found her. She was indeed very much
in love with the boy. And I'm not quite sure. I hope they are still happily ever after, (David laughs) but he was very shocked that the police were at his front door and he apologized a trillion times, and so everything was good. She was not in the hands of a trafficker, but I was really happy that
I was able to give relief to parents who were on the
other side of the world and me just behind my computer, not even ever stepping a foot
in the location where she was. So that was quite cool. - Is that how you got interested in this, or was that after a period of time? You'd already been doing this for a while? - This was in the first six
months I was in law enforcement. Just definitely lit the fire even more. I was like, yeah, if I can do this, I'm going stay here and do
a lot of this other stuff that I can help people with. - What did your colleagues
think about that? I'm assuming some of the older colleagues perhaps didn't realize the power of this? - Absolutely. And still a lot of people
are especially afraid. I think it's like the
first time a computer got introduced on the work floor, people were like, "Oh no, computer! I like my typewriter much more." And I think there are people
who still have that feeling like, oh, I like my computer now, but the internet is quite scary. I do like Google, but that's about it. So I think there will
always be a generation gap between people willing to adapt
to new, modern techniques. - But isn't this an opportunity
for someone who's young? Because I mean, a lot of people who are young and up and coming, I'm showing my age, but I mean, not all of us grew up with
an iPhone in our hands. This is a great opportunity
for someone who's tech savvy. Is that right? - Absolutely. The world you have to navigate to work in open source intelligence is very familiar to you already if you are a young person. So you know how social
media platforms work, you know which platforms
are popular, which are not. You might understand a little bit about the technical side of the internet. When I think of some
of my older colleagues in law enforcement or people of my parents'
generation for example, they wouldn't have a clue really how to get started in this world. But if you are a younger person now, and you know how to, I dunno, make a podcast or post a video on TikTok, you are already at the
beginning of being able to understand the environment
that we can work in. And it might seem to you that it's just something
you take for granted, but actually there are a lot
of people who lack those skills and you're at a huge advantage now if you're a younger person
wanting to get into OSINT. - There just seems to be
a lot of opportunities, is that right? So, I mean, there's a lot
of kind of jobs available, is that correct?
- It depends. And many of the jobs don't
say, "You must know OSINT." They use other words like recon or they just say you have to
be able to do certain skills. The skills that open source
intelligence investigators use are used by lots and lot to people. I had a conversation with a
recruiter one time and I said, "You look for people
with certain skill sets in certain parts of the world and so do I. What do you do?" And she looked left and she looked right and she said, "Let me tell you. I can get a lot of trouble
for telling you this, but we use Boolean queries." I'm like, "What do you
mean Boolean queries?" She goes, "Okay, you go to Google and then you type in penetration tester or security engineer." I said, "Oh, that's a Google dork. We've been doing that for 20 years." She goes, "No, no, no! Boolean searches." so a lot of people that do OSINT don't realize they're
actually doing OSINT. And what we're seeing now with the advent of OSINT-jobs.com and other places, the word OSINT is now
becoming more prevalent in job titles and also job fields. But it's also there are
a lot of opportunities for volunteer efforts to help
decrease human trafficking, to help people that are
domestic violence victims. A lot of those nonprofits
use the volunteer efforts of people that want to get into
OSINT to help their victims. - Yeah, a lot of people
have the cool and sexy, like I wanna be a hacker and
I'm gonna use OSINT for that. But that's just one small,
tiny piece of the pie. Is that right? - Yeah, 100%. OSINT is multi dimensional and red teaming recon is just one part of the OSINT landscape. There are journalists who use OSINT, most famously Bellingcat, but many other journalists. Obviously there's law enforcement, but fraud investigators, risk analysts. I've even seen finance,
cryptocurrency firms are now advertising for OSINT specialists because they realized people are starting to understand what this word means. So, yeah, if you are looking
to work in this field, the opportunities are vast, probably as long as I've been in this area more than they ever have been I think. - The field of cyber is absolutely huge with red teaming and blue teaming and all of the other different, policy and compliance and all. Same thing over in OSINT. There are people that we know of that are amazing at geolocating a photo. You show 'em a photo. They look at the fauna in there, they look at the flora, they look at the plants and trees, and they're like, "Oh, this
palm tree only is found in the East Coast of the Mediterranean Sea within this latitude and longitude." But those people might not be great at social media exploitation,
like Technisette is good at. Or there's people that are
really good at domains and IPs, and WhoIs and DNS that do other stuff. Saying that you want to get into OSINT is still just the first step into this huge area that you can further differentiate yourself into. - I think the scariest thing for me is the more I talk to you and
the more I read about this, the more I wanna take myself offline. Can you give us like some examples? You know, like if I wanted to be private, do I have to go live in a cave? - [Micah] The answer is yes. - The answer is partially yes. Probably everyone you know has to live in that cage too. The flaw of trying to hide online lies in the hand of
your friends and family, because they will post that
picture of the family reunion. They will post that picture
of you having dinner with your friends in either
your backyard or restaurant. So even though you might be trying to stay off of all of the platforms, it's the people who stand close to you who are your biggest risk probably. - Well, it's even worse than that, right? I mean, if we wanna get really scary with facial recognition that's out there. I mean, David, you're
walking through the city, just minding your own business and there's some tourist there that takes a selfie of themself and you're in the background
and you just happen to look. Now whatever platform they are posting they have a shadow profile
for a person with your face. So even if you don't
have your David profile on that platform, they know that a person with this face happened to be in that
location on this date. And, oh, look, they were over here on this other date. So there are a lot of privacy issues that are really, really important. The more private a person is the less OSINT we can
find online about them. And we do have to do things
like what Technisette said. We have to pivot to their family members, their colleagues that might
be sharing their data. But yeah, there are absolutely ways that you can decrease your online persona to make yourself and
your family more private. - And let's talk about that for a second. Like Edward Snowden is a famous example, whether people love him or hate him. He does this thing where he says you have to put something over your head when you look at your computer or you have to do things to your phone and all kinds of crazy things. How would I become more private, apart from living in a cave and having no friends and family? (all laughing) - That's the solution. You just nailed it. - Is that the answer, yeah?
- Yeah. - Divorce my wife, have no kids, have no family, go live in a cave. - One of the ways that people
sometimes end up in OSINT I think when they start
to look at themselves. I think you have to figure out
how private you want to be. So for some people that is just increasing the settings on your social media profiles so that they're not publicly viewable. It might mean you don't have a
LinkedIn profile for example. It might mean if you register a website, you use a privacy service so
that the WhoIs is redacted. That kind of thing. What I would suggest to people is know why you want to be
private first of all. 'Cause I think when I've sort of mentored or dealt with people who
are new to OSINT sometimes, they really tie themselves
in knots of anxiety. What if Tor's compromised? And what if my VPN provider? And do I have to have a VPN
provider on Raspberry Pi? I'll just give this as
as an example of that. I was talking to a guy
probably about a year ago. He was sort of 16, 17,
starting out in OSINT and he was good to take
part in Trace Labs, which is an open source
investigators capture the flag, basically to help find people
who are missing in real life. It's a great cause. And he message me saying I'm about to do my first Trace Labs. I've got one Raspberry
Pi that's running my VPN and that's connected
to another Raspberry Pi which is connected to Tor, and I bought this fancy new
router for my home setup, which has extra open source firmware. Do you think that will be enough? Like, yeah. (laughs) Well, if we're gonna do OSINT we are gonna have this single privacy and we're gonna do it properly. But you need to avoid tying
yourself up in those knots and spending lots of time and effort. You need to think about why
you want to be private first. Do you just wanna avoid
being targeted by fraudsters? Do you just want to avoid corporations sneaking around your data? Or are you trying to take on the NSA? Because there's a big
spectrum of things you can do to address those- - Well, there's really two
parts of that, right Steven? You mentioned, and David,
you were talking about, us as potential targets making ourselves more private online. But then Steven actually mentioned the operational security or OPSEC when you're doing open source
intelligence investigations, making sure that you, me, Micah Hoffman, Steven Harris, Technisette don't get caught up in the investigation. I don't know, David, if you've
ever seen the Netflix show "Don't F with Cats." - No I haven't. Go on. - It's a three part series I believe about some people that found a
person that was abusing a cat and eventually found out that
this person was a murderer. He went and killed somebody. The challenge there was that these people who were doing open source
intelligence investigations, they were not protecting themselves. And through a series of events, they created a Facebook group to talk about this and share things. And eventually the person
that was their target joined that Facebook group, and it really opened each one of them up to becoming a potential victim. So as OSINT investigators, we do use VPNs. We do use virtual machines,
which many people know about. And we use those things, things
called sock puppet accounts, which are real accounts on social media that aren't in our own
names to do our work. So when we're on Facebook, when I'm looking at things on Facebook, I'm not searching for people using Micah Hoffman on Facebook, I'm using a different account so that people can't attribute
that information to me. But it really also depends
on your personal risk model. Who are you trying to
protect yourself against? - I mean, the problem is
you can get really paranoid. I mean, Steven, we both
of us live in the UK. And I mean, I'll say this in jest, but the UK government has got this really, I dunno how to say it politely, this wonderful rule where they can spy on all your internet traffic. So some people who are
very privacy focused might in jest say the UK
is as bad as North Korea because they wanna look
at all your traffic. Is the answer how paranoid
do you want to be? I mean, if you really
want to be out of it, don't live in London because you'll be on every
camera on the Underground, 'cause England is full of cameras. What is a reasonable ground
to be fairly private? - My experience is, having
been on the other side of that on various law enforcement investigations, which using CCTV is a basic
investigative technique. There are other, more secretive techniques to do with communications
and things like that. Having been in that world, I actually worry less on the outside because seeing how it's
not a data free-for-all. So if MI5 or the police want to access certain types of internet data about you, the bar doing that is
actually pretty high. You're talking about you have to argue your
case to a judge first. You can't just log onto
the computer and say, "Oh, I'll see which websites David Bombal's been visiting this week." There are lots of safeguards in place and I actually worry less now than I might have done
before in all honesty. Yeah, can you hide from CCTV cameras? Yeah, come and move to the countryside. It's great. (both laughing) - I'd agree with that. Yes.
- Yeah. The reality, it's very, very difficult and there has to be this, I think, without going to the politics of it, we have to be vigilant
about our freedom still but be mindful that there are things there that do protect you to a certain degree in terms of how this material's
all processed and accessed. Be proactive in monitoring
how that changes. - Best way that people can figure out how to make themselves more secure online is to figure out what's out there. Take 15 minutes or 30
minutes, Google yourself, Google every single one, or use whatever search engine you want. Search every email that you have. Put quotes around it. Use every nickname, pseudonym, username that you've used, and your family members, and see what's out there. I can't tell you the number of times I've done an OSINT investigation and my client says, "Hey, I have these three accounts on Instagram, Twitter, and Facebook," or whatever. And then I simply put
in their phone number, email address, or name sometimes and it comes up with MySpace accounts or some comment that was left on a pornographic website
using their username. And it's embarrassing
and it's simple to find. So in order to reduce your
overall online perspective, go and find out what's out there, make a note of it and go, "Hey, I think I should change my name on that website or remove
some of that data." It'll really be helpful and
it's easy for anybody to do. - So in other words, do an
OSINT on yourself, yeah? - Yeah, absolutely. Because you also know what's
right and wrong, right? If I search for Micah Hoffman, I'll be able to find results and go, "Wait, this is the Micah
Hoffman out in California. That's not me." And so I know what's out there and then I can see, oh wait, I didn't know that this was indexed. One of the things that I think Technisette can absolutely attest to is that the social media platforms are constantly changing what's public and what's private in your account. So I had an example. One time I did a security
awareness training for a company. And I said, "I'm going to look at myself, see what I can find on
myself in 15 minutes." Set a timer, started doing things. And I was finding like
all of my LinkedIn stuff that I know just a month
before I had secured. And it turned out that
LinkedIn did an update. When they did the update, they changed some settings to
make my profile more private. So my data was hanging out
there on the public internet. And the only way I found that out was by actually doing the searches. - My take is nothing you put
on the internet is secure, like on any social media
website, should I say. So, I mean, be prepared that someone's gonna find it at some point, I suppose, is sort of my paranoia
way of looking at it. But that's interesting. So you do an OSINT on yourself and that will do multiple things. That'll help you secure your data and also teach you the process. Is that kind of the idea? - Absolutely. And as you start adding
more and more tools, there's a great website out
there made by Bruno Mortier. OSINTFramework.de is a site that has a huge amount
of resources with links. So just start out doing what you know. if you only know how to
Google, Bing, Yandex, Baidu, use a search engine, cool. But if you are competent
on a social media platform, if you are somebody that
understands some other things about domains and other stuff, then use some of the links
that he has on that website. Or go to Technisette's website, type in the word phone
in the search field, and you'll get a whole bunch
of blog posts, YouTube videos, and websites that you can go to, to search for your phone number to see if it's out there
on any of the sites. - That's great. Technisette, there's
a big problem in tech. There's too few women in tech. So is this an area for women? I'm assuming it is 'cause
you're in this field. - The funny thing is that when I look at my fellow OSINT researchers in law enforcements, I would
say the majority is female. But not everybody is as fond
of being in the spotlight. Like I'm publicly known, people know my face, people
know I'm Technisette. Not everybody likes being
in that kind of daylight. So I think there are
quite some women out there which we are not familiar
with or we don't know them because they choose to stay in hiding. The whole discussion if there are too little women
out there in tech or OSINT, I find it very difficult
because it has to do a lot with how you grow up. Because when I was a child,
I used to play with Barbies. But my mom was the biggest
computer freak I knew, so she was actually teaching me how to do, like how to play a game on a floppy disc using just the command line in Windows. And she actually taught
me a lot of the things I still do today. But if you don't have
that person in your life, that mom or dad or other people who have a educational role in your life, it can be a teacher in a school as well. If they don't offer you the opportunity to sniff whatever a computer can do, I think it can be really challenging. I think a part of why
women are maybe not so big in cybersecurity and computers, et cetera, is maybe because people tend to think that girls like other stuff. So at a young age, they
get a lot of other things than a computer in front
of their nose to play with. - I mean, I don't wanna get
into the politics of it, but I think if I look
at my wife and myself, she would be a million times better at social engineering than me because she has this
ability, uncanny ability, to be able to sum up someone
just by looking at them, and I'll never see that. I'll just use her as an example. Are there certain
attributes that ladies have that would be a huge advantage in OSINT? I mean, I think social engineering, my wife would be a million times better at that than I would. - When looking at females in general, maybe people think that
there's a lower risk that we might be dangerous. So people tend to believe you a lot sooner probably than, let's say, a bald guy. (all laughing) - That hurts.
- No offense. - No offense. No offense. - At least she didn't say with a beard, 'cause that's a one-two punch.
- That's true. (laughs) - You guys have to leave
the conversation now. - Yeah, pretty much. You're absolutely right, David. I mean, social engineering
uses a lot of OSINT to get that backstory,
to get the data points to support whatever trust type of ploy that you're gonna do. And women not only have great, and as a whole have a
great investigative spirit, but they also are more believable actually carrying off those social media and those social engineering
types of engagements. - Even when I walk into a store and say, "Oh, can I please use the restroom?" There's a higher chance that
they will let me go in there than, let's say, a-
- Steven. - Let's say Steven. (laughs) Just because you can laugh and
you can like smile a little and they will let you go. But we're a wolf in
sheep's clothes. (laughs) - And that's a good point, Technisette. We're talking about, well, you mentioned being
public versus being private. A lot of people that do amazing open source intelligence work
do not seek the limelight because of the sensitive targets
that they're working with. When you're working with organized crime or some kind of government that has some authoritarian
types of reigns, or maybe you're investigating hit squads that have been sanctioned
by government employees or by some government. You are less likely to
say, "Hi, I'm Micah Hoffman and I'm researching that
country's hit squads" publicly, because now the target's on me. So there are a lot of people that are not as public
as we are with OSINT. - Yeah. That's a very good point. Technisette, what advice
would you give women then who are interested in this? Again, is it just like
follow women on Twitter? I just want to try and broaden it. The reason I always do this
is I've got two daughters and if I ever wanted to
interest them in this tech, how would I come convince them that this is cool and exciting, rather than doing something else? - If you have a daughter and you yourself are in the
tech world in any kind of way, or doing anything with
computers or technical stuff, just to let them experience whatever you are doing a couple of times. Let them help you do
a small investigation, saying you want to see whoever bought your grandmother's house after
she passed away, for example. - That's a good one.
- Just Google the address. Show her some little tips and tricks that might very helpful
in her phase of her life. So for example, if she needs to Google
stuff to find resources for her study, help her saying, "Well, there are all of
these Boolean searches or Google dorks you can use to find the exact
literature that is helpful to continue your study with. Or if she's going on a date, let's Google this person together, or I'll give you some tips so you can Google that person yourself just to check if he or she is a safe person to hang out with. - That's a good one. I'm gonna use that on any
boy that likes my daughters. (Technisette laughs) - Let me show you what daddy does when he researches your boyfriends. That's gonna be great, yeah. - So just some simple things that could make her life more convenient, that might spark a little bit of a fire on getting further into
the field of OSINT, I hope, I think. - I think it's great. I mean, it's like my daughter, she's been on my YouTube videos from young and all she wants to do is be a hacker, and that's because she does it with me. And I think it's exactly right. Like your example of your
mom teaching you computers. If you share your passion with your kids, they're gonna also be inspired hopefully to get into this field. - I did some work in the dark web in Tor, and I remember when I was
creating one of my talks, my daughter was a great age and she decided that she wanted to come in and say, "What are you doing, dad?" Like, well, I'm on the dark web. You wanna learn about at the dark web? It was the safer areas of
the dark web, if those exist. But I was showing her what was going on. And then at later at dinner, my wife said, "So what did you do today?" to my daughter and she's like, "Oh, well, I saw how to buy drugs on Tor. And if you want a fake ID
or wanna buy a US passport, this site has it. But if you want," and I was like, okay, okay, okay. We need to dial that back a little bit. But yeah, I mean, show
them what's out there. And I think that also
has the counter effect of if they see how easy it is for us to find those Instagram
posts and the Snaps, then they may be less
likely to share publicly. - How do you convince your kids not to post on TikTok
and all these websites? Show them how easy it is. - You cannot prevent
them from being online, but I think it's very important that you have the conversation
in not a negative way. So not saying, "You should unpost this
and that on Instagram," or "You shouldn't accept
anybody as your friend," but have an open conversation. I learned this a long time ago. There's an organization in the Netherland very actively involved in teaching parents how to deal with their children
and their online behavior. And one of the things
one of the speakers said, well, just by asking your child, have you seen anything
funny on Instagram today? Can you show me? Just to get into that conversation, get into a very friendly field of just letting your child show you what they have been up to online, but not in a judgmental way. So maybe you can laugh together about a funny video of
a cat they maybe saw. And maybe you spot something that might be harmful or dangerous, then talk about it and say, "Hey, did you see there's
somebody commenting and swearing a lot. If you have any problem with this, or if you feel offended by
this, please let me know, come to me and talk to me about this because then we can handle
things or help you further." So I think it's very important to have a conversation with your child about what they're doing online, but not in a judgmental and negative way. - 100% agree with Lisette there. In my line of work that I
dealt with usually teenagers who had become victims of sexual
abuse online, for example, the common theme there where
things have started to go wrong was that parents had no idea
about what they're doing. And the advice we always
used to give to parents is to be proactive in your interest in what the kids are doing. So a lot of parents are technophobic. They don't know one platform for another. They just know they're in their room on the internet all day. and even with youngsters
who got into hacking and fell foul- - The 15 year old in Oxford, wasn't it? Like recently?
- Yeah. To be honest, I was taught this statistic when I worked in cyber crime. I dunno how true it is but
it was true in my experience that the average age is about 37, 38. For cyber crime, it's about 18 or 19. For kids who are getting into hacking, it's a perfect age where
you have that curiosity, that drive, that want to prove yourself, to show off your friends, but you're also not always the best at assessing risk and
consequences at that age, too. The younger you are, like parents, please take interest in what your kids are up to even if you don't understand it. - Even if you don't understand it, that's probably the best reason to talk to your kids about it. Say "Hey, you are on
Instagram all the time. Can you show me what it's like? Would it be something for
me to be onto as well?" And then say, of course,
"I'll never follow you, or like any of your pages, because that will be
very embarrassing to you, but show me how does this work." - One of the things that was helpful, I think, in my family was my respecting of the kids and what they want and don't want posted. For instance, I know a lot of parents are taking pictures of
themselves and their kids and just putting it on their social media. And I've heard people say, "Oh, my kids didn't
want that to go online, but I'm the dad, so I'm
gonna go ahead and post it." And what we're teaching our kids is that they don't have a say in what images should be
or should not be online. And so respecting that
and teaching them also that taking pictures inside of
your homes can be dangerous. One of the things that
Steven's really good at is doing image analysis and looking at the things
that are in the background. I mean, David, I've been looking at that mindset is everything poster. I've been looking at all
of those books and stuff, and we do that, whether it's on Zoom or whether it's in some
live stream or some picture. And pulling out those details about how a family or how a person lives can be extremely powerful in figuring out how to do trust games, how to social engineer them, or how to get them into
some bad relationships. So teaching kids that when I look at somebody
else's YouTube video and I can see, oh, look,
he bought this thing. Let's research that product. Where did he buy it? Or other things, it helps them think about other people might do
that to them as well. - Yeah, so basically you're telling me to go live in a cave, yeah? - Pretty much. We're back to the cave. Yes, absolutely. I mean, that solves so many things! Unless your cave has wifi, in which case that's a
challenge too, but yeah. - Is there any closing thoughts or advice or any war stories? I always love stories
before we wrap it up. - I have a good username story. Probably about four or five years ago now when I was still in law enforcement, we were dealing with a
group of teenage hackers. I call them hackers. Their actual hacking
skills were relatively low, but they were great at
causing nuisance online. So they learned how to SWAT people, which is where you call
in the law enforcement and tell them there's a gun at the house to get them into trouble. Or they were emailing
out mass bomb threats. They got the email address
of every school in the UK via a Freedom of Information request and just ran a PHP script
through every single email, sending them, say, there's
a bomb at the school. It's gonna go off at 3:30 today. Blah, blah, blah, blah. And that caused mass school
evacuations in the UK. Their capabilities were limited, but in terms of the
damage they could cause it was quite significant. But they loved the attention. And rather than keep quiet, they sought approval from their peers. They wanted to taunt the FBI and they wanted to taunt the police. And so they took to Twitter and they set up a Twitter account. And every day they would
post these messages about what they'd been up to. And some of them were nonsense. Some of them, they actually had caused some harm to people. But their constant thing was
you'll never capture us, FBI. You'll never capture us, UK police. You'll never capture us. We're undoxxable and gods, and all this kinda stuff. So all we had to go on when I started looking
at this were usernames. And what we figured out
was that as part of, they saw it as part of
their operational security to continuously change their usernames. I think in their mind they thought if I change my username all the time, I'll be harder to find. But what we figured out, well, they change their usernames all the time they can't have always thought this. They're obviously fairly new to this. So if we can go back far enough to some of that other
social media accounts, we'll find what their old usernames were and we'll work with those. So there's a couple of
things we can do with Google. For example, we can filter
Google results by time. So if I wanted search
for what David Bombal was talking about in 2014, I could just set up a Google filter and just show my results in 2014. So we did that with their usernames and we went back only a couple years when they were in their early teens, when they were into Minecraft and we had their Minecraft usernames. And we used tools like, well, I don't think you'd
release What's My Name App at that stage, Micah. This is probably four or five years ago. We used some similar tools to find what other platforms did
they use these usernames on? And this one guy who's
the leader of the group, we took his Minecraft username and we ran it through the platforms and we found he had an account on Reddit. So how do we know it was his? Well, he was mostly talk about Minecraft and things like that. So we inferred from the content
it's probably the same guy. But what we found in one of
the posts he's made on Reddit was he had used what we call a PGP key to verify that the account was his. And for those of your viewers who are not familiar with the PGP key, it's basically, it's a unique
string that identifies you. It's like a signet ring. It's like your autograph, a fingerprint. So when I tagged my Reddit
account with a PGP key, it's definitely mine. And so we then searched for his PGP key, which we could link to an email address. And we took the email address and we did a search on
the first part of that. We took the first part
of the email address, like Micah showed before, and eventually we found
an account on Pastebin. Pastebin, it doesn't seem
as popular as it used to be. But Pastebin is basically a site where anyone could dump
any old random text and share it with anybody. So it used to be used for data breaches and things like that. We found he had had some technical issues with the DDoS tool that he was making. As part of their campaign of terror, they were doing DDoS for
hire or DDoS as a ransom. So they would knock a
company's website offline and say unless you pay
so many thousand dollars, you're not gonna get any customers. Again, it was fairly low level stuff, but quite disruptive for the victims. And in one of these pastes, we found a conversation they'd
had between both of them where they were trying to use a VPN, but they couldn't get it to work. They were trying to run a VPN connection to their DDoS tool and they
couldn't get it to work. So they pasted, trying to troubleshoot it, they pasted the log into Pastebin. I went through this and
it also had the username. It had the home IP address that they were trying to
connect to in the logs. It had the log of the server
that they were trying to, the IP address of the server
they were trying to connect to. So immediately we can
link username to home IP, to the DDoS tool. And it had the Mac address of the device that he was
connecting from in there. And again, if your viewers aren't aware, the Mac address is the
unique serial number on the network adapter on your laptop, and they're one of the kind. They're unique. They're like fingerprints. So lo and behold, when
my colleagues in the, I think it was Herefordshire police, when they went down to arrest him, they went to his house and sure enough when they seized his laptop,
it was the same Mac address. He was arrested and remained in custody and he chose to plead guilty after that. But that was all from a username, from people opening
their mouths on Twitter. You'll never catch me! You should know if you do that, that is a red rag to a
police officer. (laughs) - Exactly. - If you say FBI will never catch me, well, you know what's gonna happen. - And he was a teenager
when he was arrested? - Yeah, he was 17 or 18 at the time. He'd be in his early twenties now. But yeah, he went to jail for three years on the back of that. And his counterpart in the US went to jail for eight years I think. The Americans are more generous with their sentences. (laughs) But that started from username inquiries, username and pivot and pivot, and finding a key, find an email, turn that into username, pivot again and you find this stuff. And there were a lot of
rabbit holes along the way, and it took several weeks to do this. It wasn't instant. So that's my favorite username story. I dunno if I'll ever top it. - Back when I was working
for a company years ago, one of the use cases for OSINT that we had was finding missing employees. We had a lot of employees and sometimes one or two of
them didn't show up to work, and we'd have to call them and email them and try to find them. And I remember one time, this person just didn't
reply to their emails, didn't reply to their phone. We tried next of kin. Nobody had any idea where this person was. And so naturally we start thinking this is a case of public safety. We don't know where this person is. We hope that they're okay. And so what we started doing
was taking those selectors, those phone numbers, emails, usernames, and then looking at social media. And we didn't find anything. We knew that they took off
on a flight from one place, and they were supposed to
go see a client for work, and they never made it. And so after exhausting all
the social media platforms, looking at all of the other places, we decided to branch
out and widen the area and start looking at news
events that had happened. And we took the flight
number, the destination, and this person, not
even this person's name, but just those things and
we just started searching. We found on a news site that
there was a medical emergency that had happened while the airplane that this person was flying on was en route to his destination. And it said that the person,
the patient, whatever was taken immediately to this hospital for further evaluation
or emergency surgery. It turned out he had an
appendicitis attack at 35,000 feet and the only way we knew about
this and knew where he was, was from some public
events that were shared. - I've joked multiple times now about going and living in a cave. But I mean, the world is
so connected these days. I suppose the advice,
or what advice would be, be careful with what you share online. Be careful with your personal data. Is that kind of the bottom line? - Probably Google yourself.
- Google yourself is better, because one of the things
that you'll find is that some of the stuff out there, David, it's not stuff that you've
posted or maybe even your family, but it's stuff that, I don't know if you're
a runner or a bicyclist and you compete in races. - I'm an IT guy. I don't exercise. - Me neither. Me neither. I gave it up for privacy reasons. Well, when you finish
your race or whatever, they put your name, your age,
and other thing, your time, online for other people to get. And I don't want people to get that. But I was doing a case one time and I was looking and
my target was a runner. And I noticed that on every
finishing race results list, there was a woman with his same name that finished just a second or two faster and she was eight years old. And I was like, well,
okay, same last name, runs every single race that
he does, eight years old. This is probably his child. And sure enough, just by
looking at those running races which were public data, it
was easy to identify that. So using the Google technique will help find those things too. - Weren't the Americans
in Iraq or something and they were running and their Fitbits- - You're about Strava. Strava's an exercise application. Been around for a while. And it allows people to use
their smart watches and Fitbits to track where they go using GPS, and then they upload
that data to a website. It's a social website so that they can share that data and say, "Hey, Technisette. Look, I ran over here." One of the biggest problems
that has come to bear with that is that many places where service people from around the world
were actually running were on bases that may not have been in public satellite imagery. So in 2018 when Strava aggregated a whole bunch of those
runs, those bicycle rides, those walks that people had generated and they essentially
updated this heat map. And you can go to the
Strava heat map now online, and you can look at an area and the brighter a path or road is the more activity has happened there. The idea there is that if a person in a certain country or city is in charge of maintaining trails, they can look at the Strava map and say, "Oh, this is very bright. This trail is heavily used." The problem became is
when people made that map have a dark background, and then they moved over places
where there were no roads. and they saw very bright areas like in the middle of the deserts in different places in the Middle East. They would look in those deserts and say, "Hey, there's a very bright spot there." And when you look at the
Google satellite imagery, there's nothing there but desert. And yet, if you look at the Strava data, you can see that people
were absolutely running on a very, very structured road layout. And Strava, to their
credit, once people said, "Hey, you're revealing
where our bases are," Strava removed some of that data. But yeah, I gave a talk
back in 2015 about that, where people over there in
the UK were making their, well, a company over there in the UK was making their guards use Strava as they walked their patrols
around different facilities and then their guards would log in, Patrol Steven and Technisette at 04:25, and they put that out publicly. And I looked at the Tilbury
power substation over there and you could see the exact
path aggregated over time and this heat map of where
the guards were walking and where they weren't walking as well, and it was incredible. - If someone wanted to do something nasty, that would show them
where to attack basically. Is that what you're saying? - Yeah, absolutely. In this exact case, the
guards would walk along the west, south, and east sides of this Tilbury power substation. The whole northern side
was never, ever walked on, at least never walked on while the person was logging things to Strava. It absolutely can be used for
reconnaissance and physical- - It is however far
less than it used to be, because the functionality for other people to see where you were, so to actually see the
tracks you were running onto, this feature was called fly by. So you would be able to upload a route and to see whoever flew by the location you were running, walking, or cycling on. And Strava actually turned
this off by default. So if you want to share publicly what your exercise route is, you have to manually switch it on again. So the amount of data that was
found a couple of years back, it's probably not the same as it is today. For everybody who's now very anxious watching this YouTube video, like, oh my God, my
Strava data is out there. If you have never switched
this on, this is still off. But maybe check your
Strava privacy settings just to be sure. (laughs) - Yeah, you're not making
me any more confident, because I'm talking to the three of you and the more I listen to the three of you, the more anxious I get about like, okay, I'm gonna go live with that cave. Hopefully I've inspired people watching to go and Google themselves, and also get into this field because it's very much a
growing industry, isn't it? There's a lot of demand. Is that right? - Google yourself. And if you want to show your employer the benefit of OSINT, Google your company and you'll find lots of security and other skeletons in the closet that you wouldn't find otherwise. Yeah, Google yourself and
Google your employer. (laughs) - Well, thanks so much. I really wanna thank the three of you for spending so much time with me. Hopefully I can convince you to come back and perhaps get into more techy stuff, like get into the weeds. We've done a little bit about that. But for the audience, any of you watching, please put your questions below that I can ask in another video, or we can answer in the comments below. Really wanna thank you for
spending so much time with me. Thanks. (upbeat music) - The more you learn about
open source intelligence, the less likely you are to
publish, to post to social media. It's just scary what's out there. - I hope you recorded that.
- Nope. I didn't. - Well that's good. I recorded it in Zoom, so that's-
- No! (Technisette laughs)
- I'm kidding. If you don't want me
to post that, I won't.