Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40567 (DOI)
DEF CON 1977 / 122
Transcript: English(auto-generated)
00:02
I've been doing security for about 10 plus years now. And I started off doing work for the U.S. government, pen testing, critical infrastructure type of stuff. Then switched over into the private sector where there's an actual bottom line and you can justify good ideas. And worked in a variety of different things, corporate pen testing, that sort of
00:21
thing. Then switched over into working independently. And one of the really cool things about working independently is you can work on whatever you want. And so I've been interested in humanitarian work for quite a while. And so about two years ago I decided to start working in that field. And I'm here today because the humanitarian technology community needs your help. These groups and these organizations that are working in
00:43
disasters and crises have all the same challenges that a normal IT infrastructure has but they have a whole bunch of new ones that come from the sort of work that they're doing. And one of the things I'd like to talk to you about today is a new technology that's being used in the world of humanitarian response called crisis mapping. And the way crisis
01:02
mapping works is pretty straightforward. When there's a crisis, there's a set group of professional aid agencies. And they provide aid in the form of medicine, food, water, to people inside of the crisis. And that's the way it's always been. But now the people inside of the crisis have new technology, communication technology like phones that can send
01:21
out SMS messages and Facebook accounts, Twitter accounts and they can send out YouTube videos. And as a result there's a huge amount of information that's coming out of the crisis areas and out of disaster areas. And crisis mapping is the process of collecting that information, processing it into a series of reports, handing those off to the aid agencies so they can provide much more targeted aid to the people that are affected by
01:44
these disasters. Now the largest crisis mapping deployment that's taken place in about the two years since the technology's been around took place following the earthquake in Haiti. Where even though the city of Port-au-Prince was decimated when a massive earthquake struck a city that was made entirely out of unreinforced concrete, a group
02:02
of technologists were able to get the SMS infrastructure back online very quickly. And another group of people were able to procure the SMS short code 4636. They broadcasted that SMS code out to the population saying send us what is happening around you. And this allowed people on the ground to send out SMS messages that could be
02:21
picked up. The first problem was they were all in Haitian Creole. So a team of a thousand volunteers from the Haitian diaspora were contacted over Facebook and plugged into an online system that allowed them to provide translations for these messages. So now we know what is actually being said. But we don't know the location. Remember this is
02:41
Port-au-Prince. There was no Google Street View. There were very few geo-referenced databases. So those same volunteers and additional volunteers from the internet provided geo-location of the messages based on what was coming through on the SMS. And then those reports were forwarded on to the aid organizations using GeoRSS. It was a really fantastic project. A lot of good work came of it. Lives were saved. And it's
03:02
an excellent example of how this technology can be really useful in a natural disaster. The problem is that natural disasters don't shoot back. And now this same technology is being used in places where there are active hostile groups. The first large-scale deployment that I worked on was supporting a team on the ground in Pakistan who were responding to the nationwide flooding that took place last year, in the middle
03:24
of last year. And things were going fairly smoothly. We brought a system online. We had teams of volunteers that were geo-locating reports from the ground as well as field reports coming in from the UN. And then this happened. So now we're in a position where we are building a map and there is an active hostile group, the Taliban, who has said
03:45
that they are going to target foreign aid workers. And we have a giant map that contains the location of foreign aid workers. We had to adapt accordingly. The next deployment that I worked on was in Sudan for a nationwide referendum, voting referendum. This is an image of what is believed to be a mass grave in the South
04:04
Kordofan region that was picked up by a group called Satellite Sentinel. Again we were working with a local NGO on the ground in Sudan and had to deal with a number of issues. We received obviously fake reports. Things like, everything is fine at this polling location and everyone is voting for the ruling party. Stuff that we knew we
04:22
couldn't trust. We had our site blocked by the internet companies inside of Sudan so people could not reach it initially and we had an inadvertent DoS based on the flaw in the platform we were using. The most recent large scale deployment that I did was the Libya crisis map, which we started in early March when Libya was just beginning to
04:40
see basic civil unrest and we ran it as it turned into a full scale war. The Libya crisis map was unique for a number of reasons. One of which is that it was the first time that we worked without a team on the ground. Instead a group that I worked with in this field was requested by the United Nations to set this system up so that they could have insight into what was happening on the ground both inside of Tripoli and the border
05:03
towns where there was a significant refugee presence. We had a number of things to deal with at that point. Things like protecting the observers, the people who were reporting from the ground inside of the war zone. Verifying the information that was coming out because it was being fed directly to the response agencies allowing them to determine what to do. And trusting all of the processing that was done because we used an entire group
05:22
of volunteers from the internet. What's fascinating when you look at this technology is that the largest deployment took place in Haiti in a natural disaster and now it's being used in Libya in an active war zone in less than 18 months. And it's an accelerating trend. We now have active deployments taking place in Syria, Bahrain and Egypt. The good news is that the good guys are catching on to this technology. They're
05:44
starting to recognize its value. This is a tweet from the head of the World Food Program talking about how good Libya crisis map is. The bad news is the bad guys are also catching on. There's a team in Egypt that's done a number of these deployments and last year they were approached by the secret police who demanded back end access to their system. So that the secret police could see who was logging in and
06:04
submitting messages to them. And so we all work in security. We all know how this plays out when we start dealing with security of new technologies. And what I'm really concerned about is that we're about to go from the ooh shiny to the oh shit moment in crisis mapping. And that's a definite concern because in this situation we
06:22
have a lot of very, very significant consequences. The most grievous of which, and the one I'm most concerned about, is that if something significantly bad enough happens to one of these deployments, if it does get compromised and people do get hurt as a result of it, the big aid agencies, the ones who are best positioned to
06:41
make use of this technology will just stop using it. They'll label it as a liability and a risk and it won't matter that there's lots of people on the ground who are broadcasting useful information because there won't be anyone there to hear it. So there's a couple of us who work in security and have security backgrounds that have been working on this technology. And we're in the process of trying to get ahead
07:01
of the bad guys on this. So what we're doing, the reason I'm here today is I want to talk about what we've done so far. What has happened over the last several years with this technology. And get a little bit of feedback from the audience both inside the presentation and afterwards. From the things that I'm saying. So I'll be discussing not only the bad things that can happen but some of the ways
07:21
that we're looking to come up with a basic set of best practices. So as I go through this presentation and the rest of the presentation and talk about things, please pay attention. If there's something that I don't say, something that I don't talk about, an attack that you see, a vulnerability that you see, please remember it. If there's a little bit of time at the end, I'll try to take some questions. I'll be back in the speakers room afterwards or please contact me by email. Because it's entirely possible that you could
07:43
come up with something that we aren't seeing. And as a result we could build that into these best practices and they could really help people out in the field. And finally I want to get some interest in the security community because this is really important technology. There's a lot of good work to be done. And we went through a couple different ways to present this information. We realized the easiest way
08:02
to do it would be to just walk through the steps that take place in an actual deployment. I had planned to bring an online system that would allow people to go through and be able to send attacks at it during the presentation. The problem was right before I flew out here, I noticed there was a really awesome new feature that was inserted into the platform I was going to be letting everyone attack. And that is
08:22
the ability to add arbitrary JavaScript from the admin interface to the site. Which is an awesome feature. You can do all sorts of great stuff. And then I thought about it happening at DEF CON. And so I've got the images online. I'll talk about where you can grab those if you want to download them and JavaScript inject yourselves to your
08:43
heart. So the cool thing about this is that the approach that's taken in these types of deployments all pretty much runs the same way. There's just been a blank in the country of blank as a team from blank were responsible for deploying a crisis map in order to just to kind of speed things up. Let's just say that there's been a revolution in the
09:02
country of Turkestan. And if you've never heard of Turkestan, it's because it doesn't actually exist. Let's just assume it's somewhere around here-ish. And Turkestan has been ruled by a dictatorial government, power in a military coup, a very active police tendency to monitor the internet, monitor the cell phone networks and arrest, torture and
09:25
kill people that disagree with them. So to make things a little bit more interesting, what I'd like to do is I'd like to have you guys play a certain role as we go through. We're going to be asking some questions about what do you want to see? What do you think is a good idea for these types of deployments? And over at Black Hat, what I
09:42
did is I split the audience up into the bad guys and the good guys. But we're all devious bastards here. So let's just say that you're the bad guys and you're also the bad guys. So as we go through, I'm going to ask you a couple of questions. And I'm going to ask you, if you're the bad guys, if you're the Turkestani secret police, the local terrorist cell, the local drug smugglers, what do you want to see happen?
10:04
What is going to give you the best opportunity to compromise these deployments, to screw things up, to stop the people from succeeding? And the first question is, as a team from the blank, who is it that's going to be setting these things up? And the most important thing that we found for these types of deployments is that the people who
10:22
are setting these things up and running them do need to be on the ground. Until we get to the point where all the aid agencies and all the aid organizations know to connect into these systems, it's imperative that there be advocates on the ground who can go to the meetings, the group meetings, interact with the people that are actually doing the work and make them aware of what is happening. And based on the experiences that we've
10:44
seen, these are your range of options for who would be running this thing. Everyone from a group of individuals, not affiliated with any particular organization, a local NGO, media organization, and for this example, let's assume that it's a member of the independent media organization, not the Turkestani state-run media, an international
11:04
NGO like the Red Cross or the UN or a military type organization, an external military, not the Turkestani military, who's running this. So what I'd like to do is take a second, think about this. Picture yourself as a bad guy. Think about what you would do to each of these groups and who you would like to see running it to give you the
11:22
greatest opportunity for screwing up the deployment. I'm going to take a drink of water. All right, now can I get a show of hands, who here wants this platform to be run by an individual? All right, who wants to be run by a local NGO? Who wants to be
11:45
run by an international NGO? And who wants to be run by the military? All right, now one of the things that I'm concerned about as I go through and talk about this is when we go back to the crisis mapping community, one of the first things that's going to happen is I'm going to be accused of giving the bad guys ideas, of listing the attacks
12:04
that can take place. And so I could try to go through and lecture the people I'm talking to about security through obscurity, why you must assume that the bad guys know the system, but instead I'd like to make the point that I sat in front of a group of people at a security conference and presented this to them and knowing nothing about it,
12:21
they were able to spot X, Y and Z attacks. So can I get one or two people to put their hand up and tell me what you picked and why? Yes. That's a great point. So she said an international NGO because they don't necessarily understand what's happening on the
12:42
ground and they do have resources and supplies, things that the bad guys would want to pick up. Somebody else? Yes, sir. That's an excellent point. So the idea is he wants to use an individual because he can corrupt the individual and then make use of the technology. One more person. Yep. So local NGO because they can be worn down, they're
13:16
going to get exhausted, they have limited resources and when they start to get worn out
13:20
you can take them out. All excellent, absolutely great points. Thank you very much. I'm going to ask that a couple more times. And the cool thing about this is that these are answers that seem like, you know, because duh to us, but when you start talking to people who don't think like security people, who don't think in terms of attacks and defense, it's going to be things that they won't immediately understand. And so this is very helpful to be able to say, we came up with this because it's just obvious to
13:43
people who think this way. And so you have to assume that somebody who is paid by a government, by a state organization to be a devious bastard is going to come up with it as well. So this is the breakdown. It's going to my off the cuff breakdown of who's currently running these types of deployments. What you see is by and large a lot of them are being done by individuals because people can just set this technology up, they don't
14:03
have to get approval. There's a bit that's being picked up by local NGOs. More and more, there's been some tests by media organizations. Al Jazeera did a pilot in, oh God, in Gaza. Al Jazeera did a pilot in Gaza. There's been some basic work by international NGOs, so there will be a crisis map. And there's one or two groups that I'm aware of
14:23
in the U.S. military who are working with this technology. The issue is, the first issue is that there is no, you know, central organization who's responsible for doing this. So the entire process for setting up is entirely ad hoc. This is a quote that came across one of the crisis mapping groups shortly after the Mumbai bomb blast asking if
14:41
anybody knew of a map that was online so that they could send volunteers to it. The problem is there's this pervasive assumption inside the community that just because you have the skills to set up one of these systems means that you have the same skills needed to run it. And in fact, the skills needed to actually set it up are tiny compared to the skills and the effort needed to run it. Think about the Haiti
15:02
response required over a thousand members of the diaspora community to work for weeks on end. And just because somebody set it up doesn't mean that they actually know what they're doing. But because we're in the place where we don't know who's going to be setting these things up in any given crisis in a disaster, we're at the point where we have to build trust on the fly with whoever's running them. And what we found in doing
15:21
this is there's kind of three core concepts that we can use for trying to determine trust on the fly. The first is corroboration. I was contacted by the group in Egypt that was then contacted by the secret police. And I had no idea who they were. But I had a colleague that was working with them. I trusted her and she could corroborate their story. The next is reputation. The individual who set up the deployment in Pakistan was
15:44
a guy who was a TED fellow and a tech CEO. And so TED, the smart people's conference, they do vetting. He's a tech CEO so he has to have some kind of a skill. Still he knew nothing about crisis mapping but he seemed to be kind of a smart guy. And then finally we have history, past experiences with a particular person. And in this case the individual who
16:04
set up the crisis map to help the Mumbai bomb blast was somebody that we'd worked together with on PakReport in Pakistan. So we had a background with him. But the problem with anybody being able to set these things up on the ground is like you mentioned, direct attacks. These are news reports about bloggers who have been
16:21
arrested. These are people who set up one website with just their opinion on it. And to my mind, these types of crisis maps are one website with potentially thousands and thousands of people's opinions and thoughts on it. So the idea that they could be targeted in the same way as bloggers seems like a pretty short jump to me. And remember, we're in a position where the secret police were already contacting these
16:43
groups. So when you think about direct attacks, we've got kind of a range of vulnerabilities where the individuals, the local NGOs on the ground like you guys said are the ones who are most susceptible to attack. The other concern is that we don't have to worry just about direct attacks, we have to worry about indirect attacks. Infiltration of groups by hostile organizations. And this could be something like
17:05
someone is picked up and their account is tortured out of them. This could be somebody who is paid by money. This could be a computer that is hacked. And our primary defense against that is isolation of operations. This is equivalent to the need-to-know approach in the government security community. But what you see when you
17:22
think about isolation of operations is that the smaller the organization, the higher the likelihood that a compromise could lead to a compromise of the actual deployment. Another reason why this should not necessarily be done by individuals. So we have our threats to deployment managers, but let's assume we've got somebody who's willing to do this, the next question is they're responsible for deploying a crisis map. And crisis maps
17:43
have got to do a couple of things. They've got to collect messages from the ground, process them into reports and then present those out. And right now you have three options for what your crisis map platform is going to be. You can code it from scratch, just hack it together. They're fairly straightforward programs to run. You've got to be
18:00
able to pull things in, put them on a map somehow. You can kludge together existing geolocation services and social media services. Or we're also beginning to see some open source applications that are being built specifically for this and used in the field. So back to you guys as the Turkestanis. When someone wants to set one of these things up, what do you want them to use? Think about it for a second. All right. Who wants to
18:28
see a platform that is coded from scratch? All right. Who wants to see existing services kludged together? All right. And who wants to see the use of open source applications? So by and large open source applications. Why do you want to be an open
18:44
source app? Is that what you want to do as a bad person or as a good person? You're saying that it's useful and transferable to other situations. Oh, you're not a bad person.
19:00
We have one good guy. How about somebody who is a bad person and wants to tell me why they'd want it to be an open source app? Exactly. So you have the code, you can figure out your attacks ahead of time, you know how to subvert it. One more person. Show of hands. Gentleman in the blue shirt. What did you pick and why? Open source for
19:30
the same reason? Yeah. So what we're seeing a lot is actually this is being used primarily by open source projects. And the key from the good person's side for using open source projects is that they are adaptable. We are dealing in very fast paced
19:42
situations where we need to, we don't have time to go back and ask vendors for a patch if something goes wrong. And we need to be able to add new features and new functionality on the fly as it's needed by our deployment by the response organizations. But the downside of course to that is we are going to have code vulnerabilities. This is going to take place whenever you write something that's code. The
20:03
particular open source app that we use a lot is one called Ushahidi. And one of the great things about Ushahidi is you can make reports private until you decide to approve them. These are the three leaks that we found in this process. So you can connect to the private reports by going directly to the URL for that report and they're all
20:21
labeled sequentially by ID number. They showed up in the reports listing. So just the public reports listing of reports. They didn't think to check the privacy flag. And they also leaked into the search system. And this is kind of funny from a security standpoint because they kind of screwed it up just about every possible way you can. The problem though is that we found the direct URL access bug during the Sudan
20:44
deployment. We found the reports listing bug during the Egyptian, one of the Egyptian deployments and the search leakage during the Libya crisis map deployment. All situations where we're dealing with sensitive information. So code vulnerabilities are definitely a concern. One of the ways that we've gone around dealing with that is again
21:00
an isolation of operations approach where we took the actual data that was being collected that included personal sensitive information and ran that on a completely private system. So the Libya crisis map initially started off as a password protected limited access deployment that was only given, where access was only given to response organizations who contacted the U.N. And midway through the deployment the U.N.
21:23
thought wow this is really great, this is really useful, this is really impressive work these people are doing. Let's make it public. So now all the analysis, the collection that we've done, they were asking us to make it publicly available to anyone in the world. So what we did as a compromise on that is we kept our private password
21:42
protected system where we had an ideally limited attack surface because everything was behind at least basic authentication. And we set up the public Libya crisis map which was the thing that was promoted on the internet. And that public crisis map did not receive any kind of sensitive information. We stripped out all the analysis and the descriptions and left only just the title of the report, the location and if there
22:05
were public links to media organizations, we left those in as well. And we put the entire transfer process on a 24 hour delay. So that there was a kind of limited usefulness of the data to people on the outside world. The next thing we have to decide
22:21
is where do we want to actually have this deployed. So you have to run the system somewhere and your basic options again are a local server on the internet or hosted on the cloud. So could I get a show of hands from the trackest any bad guys out there, where do you want this system to be hosted? Do you want it to be hosted on a local server in the country? Do you want it to be hosted on the internet? One hand, and then you
22:44
put it down really quickly. Do you want it to be hosted on the cloud? All right, someone who said they wanted to host it on the cloud, can you tell me why? Sir? Okay, so you
23:04
can set down the internet and then cloud providers have insecurities and get access to it. How about somebody who said they want it on a local server? Sir? Actually, ma'am, gain physical access? Yep, yep, it's much easier to attack something that's local and
23:25
it's inside your country. So you're absolutely right, the main concern for local servers are direct attacks. Fortunately we haven't had that happen that I'm aware of. What we have had though is service interruption on the internet. The bad guys have figured out the internet off switch, not only to shut off internet for the entire country but also for
23:42
specific sites. So Egypt and Syria have just flat out cut the internet. Bahrain has significantly upped the number of sites that they're blocking. This is what happened to us, we believe, in Sudan. Fortunately we were on a cloud provider and so we were able to switch IPs really quickly and they weren't able to catch up and catch on to the fact that our IP had changed and the site was back online. The other thing we have
24:02
to worry about is message interception. We understand that network traffic can be compromised and we have different ways that we can deal with that. This is a report from the Wall Street Journal talking about how there's a belief that the various groups inside of the Middle East are using different tools to actually crack Skype. And this is something that's particularly concerning for us because Skype is one of the, is like
24:23
the de facto communication standard that's used for everybody who's doing this sort of work. So what we're working on to deal with this is the concept of we know that the local servers are potentially vulnerable to attack. We know the cloud servers can be blocked, they're shut off. So we're working on systems to synchronize and anonymize traffic back
24:43
and forth. So this is similar to what we were doing with Libya crisis map where we were switching between a public and a private instance but we're also going to be doing it from the cloud back onto the ground. So the off chance that the server is compromised on the ground, the bad guys aren't going to be able to find the sort of sensitive
25:03
information that they're going to want to get and they're going to want to be able to use. So we've gone through picking up a lot of these, covering a lot of these questions. Who are we? Where are we deploying? What are we deploying? And the last question of course is what are we going to do this for? And there's a huge variety of different things that this can be done for. Doing things like tracking
25:24
the location of people in need that have been affected by a crisis. Monitoring for war crimes and collecting information that can be used in prosecution later. Directing people, I mean directing aid. And the big concern though is that we've gone through all this work and all these different ideas and all this different thought process and
25:42
looked at these different vulnerabilities but we're still inside of that tiny little dot. There's still a lot of work that has to be done around these types of deployments to actually make them successful. And we have things like spreading the word. Actually getting the message out to the populace, to the people that we're going to be collecting information from about what it is that we're looking for and what we can
26:00
provide. And we've got a couple of different options. The first is pass it on to no one. Just passively collect the data that's coming in. Use a private network. Ideally people that have been trained ahead of time. This is what's being done in a lot of the vote monitoring types of deployments where it's using a small set of vote monitors who already know protocols both for reporting and ideally for security. Or you can just put the word out to absolutely totally everyone out there who will
26:24
listen letting them know hey this thing is online send us your information. The first concern with passing the message out is misinterpretation. This is the equivalent of when you call your doctor and they say if this is an actual emergency please call 911. And in situations where the system that's being used to collect this data is not
26:40
directly linked to the response organization. It's kind of indirectly linked. There's people on the ground trying to promote it for use by the response organizations. There's the possibility that they could be intercepting messages and the people on the ground could think that they're going to be getting an automatic response from this. And so they won't think to go out and contact the actual aid organizations who may be better positioned to give them aid. Another concern is message corruption. This is a
27:04
tweet that went out during the Sudan, not the Sudan deployment that I worked on, but another one that was tracking violence inside of Khartoum. Basically saying hey don't go to this site. It's been infiltrated by the Sudanese government. The problem with this, there are a number of problems. The first is that it was actually a false message. The
27:24
actual message had been sent out by the people running the platform that people should not use SMS to contact the platform because they couldn't trust that it wasn't being intercepted. But by the time it made it to Twitter the message had turned into don't go here it's been compromised by the government. So the message that's being passed out is liable to be inadvertently corrupted but there's also the potential that it can be
27:46
intentionally corrupted. So the next step is collecting messages. We've gotten the word out. The platform is online. People have heard about it. They're now starting to send data back in. And there are a couple of different options for the actual collection. You have direct collection processes from things like SMS, phone, things that are definitely
28:03
coming from one person directly to your platform. The other process is to use something like social media where it's being broadcast out to the world and we're just going to be collecting it from there. And then the final one is to collect reports that are coming in through the media. The primary concern with the submission of messages is attribution. The ability for people who are monitoring these systems to be able to
28:24
track the message back to an individual. And when we're dealing with direct messages through SMS, email or people connecting to a particular site online, at that point somebody who's monitoring the network has got both the end point where the system is going to where the messages are going to and they're able to track back the people who are actually
28:42
sending them. In the case of social media it's a little bit more indirect because the message is kind of going up to some place in the cloud, some kind of service and it can be very challenging to hunt that message down and then figure out who's behind it and who they're what their username and password is and then figure out who this actual person is. However we do now have these platforms that are collecting these
29:03
messages for people and presenting them online which could cut out at least the hunting down the message part for the bad guys. And then we have protected attribution from the media where they have by far a much more limited scope and understanding of what's happening on the ground compared to the entire citizen population who's got phones and SMS capability. But they do have a little bit of
29:25
coverage because they are media and they're able to protect not only themselves but ideally they've got systems in place to also protect the people that are reporting to them. Again with any kind of collection process we do have to worry about service interruption and message interception. These same sort of issues that are going to
29:42
affect the platform location are also going to affect the passing of messages. The next stage is we've gone through, we've collected, we've put the word out, we've put the platform online, things are going relatively smoothly, people are now starting to send messages into the platform, messages are being collected. Now those messages need to be processed. And that processing is not necessarily that easy. You know think about
30:05
Haiti. In Haiti they received over 50,000 SMS messages in the several weeks of during their deployment that all needed to be looked through and processed. And so the processing has to be done by somebody or some system. And right now the sort of groups
30:20
that we have to do this are a local team on the ground which is what the Haiti deployment eventually transitioned over to that we're now seeing in the crisis mapping community, teams of individuals who are you know members of this community and willing to work for this, work on these deployments and are aware of it and kind of know the ropes. They're still relatively small relative to the online volunteers. There's anybody out
30:43
there on the internet which was used initially in the Pakistan deployment that we worked on. There's also beginning to see some initial work on automated analysis. I like my internet clouds there. Some automated analysis systems to actually process these messages in an automated fashion. The problem is those are still very
31:02
experimental systems and in any case they're going to need to be fed good data that's created by groups of people. So at least for the immediate future we're going to have to rely on groups of people to process the messages one way or the other. And right now the primary technology that people are using, these groups are using are giant shared
31:22
Google Doc. They just take all the volunteers, throw them into a shared Google Doc and give them kind of a basic workflow how they should go through and process these messages. From a security standpoint it's terrifying that they're doing this but from an actual usability standpoint it pains me to say that it actually works halfway decently
31:42
well because you can actually get groups of people online. They can see everybody else is working on it. They can see the progress is being made. It's a very good morale builder. This particular doc was one of the ones that was used during the Libya crisis map by a group called the Standby Task Force that I helped found last October to
32:00
start standardizing some of the processes and the response and organizing groups of individuals and teams to deal with each of these efforts. The one issue with the Standby Task Force that we have is it's designed for short term deployments. And we started off the Libya crisis map with a relatively small group of people that were pulled from the community that we were already aware of and then when it came time for us to
32:22
transition off, we went back to the UN and said we're a short term solution here. We need to either shut it down or you guys need to find people to work on it. And they said oh that's no problem at all. We've got a UN volunteer corps that we can put out broadcasts to the entire internet saying who wants to work on this stuff. So we went
32:41
from our relatively small closed community of people to an open call across the internet to say who wants to work on this system. So all the operational security that we've put in place around protecting people's privacy et cetera et cetera et cetera was going to be blown by the opportunity for infiltration. And again we're back at this
33:00
concept that it could be somebody who has turned, somebody who is working directly for a state organization et cetera. The folks who let people into the Libya crisis map through the UN, they did try to do some basic background checks on the people. They asked for Facebook accounts, Skype IDs, Twitter accounts to try to prove that they were like an actual person. But that's not actually real security. What we're looking at
33:26
instead as a potential model is to deal with something called crowdsourced microtasking. The idea that we can take the steps that are involved in the processing of these messages and split them up into kind of siloed processes that only, that people would
33:42
only be able to work on kind of like an assembly line on one particular action. Be that in geolocation or categorization or filtering. So what we'd be able to do ideally is add at the front of this queue something for anonymization. So we could take people that have an established trust inside an organization and focus their work on just
34:03
stripping out personally identifiable information and then passing that on to other people further on down the chain to provide different pieces of work. One of the concerns though is that we've now still got, we've added in this idea of privacy so we can strip out the identifiable information. But we now have to worry about things like accuracy.
34:25
The microtasking system there was used last week for a deployment or for an exercise that replayed some of the English translated messages from Haiti. And the team involved with a team of volunteers went through using this microtasking system to do
34:42
each of these steps including geolocation. And it worked pretty well. When you look at these, this map, you know, seeing where these volunteers were able to identify where inside of Haiti the messages were coming from. This is where the rest of the messages that they were
35:01
processing ended up getting mapped. Because what we had was untrained volunteers going through, taking the first thing that looked like a location, slapping it into Google Maps and then copying the latitude and longitude back into the report. So we had things all over the place. You see a big bump inside of France where the Haitian Creole is very
35:20
similar to French and so there's a lot of French names for towns. My favorite personally is the one that they put in Alexandria, Egypt. Which means that they not only didn't realize what they were doing but it didn't occur to them that the Arabic script on top of the city names was unusual. So we have to worry about inaccuracy in the system. And this is people that are trying to do their best. And it
35:44
doesn't even take into account the potential for people who are trying to purposefully put in misleading information. And so the solution that we have to that is more sophisticated crowdsourcing. The image here is from a crowdsourcing platform that was used during the Pakistan deployment that's run by a company called
36:01
CrowdFlower. And CrowdFlower has got a significantly, just a really, really cool infrastructure in place that lets you do something beyond just presenting the information. You can actually track and score the people who are working on it. So again, we're starting to see this concept of corroboration where in the Pakistan deployment we required that before a message was moved on through the geolocation
36:22
step, multiple people had to agree that it was in the same place. And this is multiple random people. We also had the ability to get a scoring accuracy from the people that are working on these platforms. This is done by inserting known good data, you can call it gold data, into the message stream and seeing what answers
36:41
people come up with based on that gold data. So you're kind of inserting tests into the process as they're working on the system. And then finally, places like CrowdFlower, they have existing user bases because it's used similar to Mechanical Turk by a group of people who are familiar with the system. And so you're able to see this kind of reputation where you can see they've been, they
37:00
worked on this other thing and they were pretty accurate. And so we hope that systems like this will help us deal with the inaccuracy and help minimize the potential disruption from people who are just making honest mistakes or people who are inside the system trying to purposefully screw things up. And so we've gone through this entire process. We've set up the system, we've put the word out,
37:24
we've collected the messages and now we're at the final step where we need to decide what we want to approve, what we want to think is actually true. And report verification is something that is the primary question that we're always asked by the aid agencies. Kind of the big question is how can we trust this information? How do we
37:43
verify this data? And the answer is it's very, very hard. I don't know how many of you are familiar with the Gay Girl in Damascus blog. Show of hands. How many people heard of that? All right. So for those of you that don't know, the Gay Girl of Damascus blog was this blog in Syria that was chronicling the life of this young girl
38:01
who was living in Syria under this despotic regime and there was bad things happening to people who were homosexual and everyone was really concerned about it. The problem was that the gay girl in Damascus was actually a married guy in Ireland. And the entire thing was completely and totally faked. And he got away with it for months and months
38:20
and months, fooling everybody. It was on CNN, et cetera, et cetera. And this is really, really going to be a very difficult problem to deal with. And there is no easy answer to it. The best that we're working on right now is again that concept of corroboration, reputation and history. And the Gay Girl in Damascus blog is an
38:41
excellent example of that. Where the information was out there, people believed it. It was very accurate. It was very detailed. But where this started to fall apart was when a reporter I believe from the UK who is widely known as kind of being an authoritative source of the mining of social media, he received word from some people that he knew that
39:03
there were certain things inside of these messages, inside of these blog posts that weren't adding up. They couldn't find people inside of the gay community in Damascus who knew of this girl. And then they started digging more and more and more into the actual electronic side of things and found things that further didn't line up like where the domain was registered, where the posts were coming from, et cetera. And
39:27
the information couldn't be corroborated by people who were on the ground. Reputation where the word came out from a reporter who was very, very well established as being accurate for information in the Middle East. And he in turn got that message from
39:42
people who had a long history of trusted reports. So from there they were able to work this back. We had a similar case during the Libya crisis map where we received word, including images, that indicated there were white phosphorus attacks taking place which would have been a very, very serious escalation in hostilities. And what the
40:05
volunteers were able to do is they dug into the metadata for the reports as it was told to me by one of the coordinators and were able to pull out information that indicated to them that this did not take place at the time that the report was purporting that it came from. And so they ultimately dismissed it and there have not
40:20
been, to my knowledge, any further reports indicating that that was actually true. So when we go through this entire process, we still end up back at this concept of corroboration, reputation and history. And then the final step, once the reports are actually put online and they're presented, there's the possibility that it's no longer in
40:41
our hands what's actually going to happen to it. The first concern is things like misinterpretation. One of the first deployments that I ever did just when I was starting to get used to this technology was tracking a night of rioting that took place in my hometown in Oakland. And I was just monitoring Twitter and pulling information from Twitter and from the news reports about what was happening on the ground. And at one point there
41:05
was a cop car who was kind of starting to get closed in by protesters and he was backing up, maybe 10-ish miles an hour. And he just brushed a woman that didn't see the cop car coming. The woman went down. My understanding is that she then got back up and was
41:22
able to leave and walk away. And we saw this happen. It's on video. You can find live video from the helicopters of this happening. And we were now faced with the question, like, do we want to report this? Was this actually news? And we decided not to. And then the next day I received an e-mail from an acquaintance on the East Coast saying, hey, I
41:42
saw your map. It was really great. But you didn't have the report about the woman who was murdered when she was run over by the cops. And that's a great example of how these things can get away from you. And I responded back to her, no, we didn't report that because it didn't happen, et cetera. The other thing we have to worry about is manipulation. If something does get all the way through, what can be done with
42:05
purposefully forged reports and how can we detect those? I really, really liked Moxie's concept of trust agility. And I think that's something that we're absolutely going to have to work in to our system going forward at every step in this process is the ability to retract who we trust at any given situation. And finally, the risk of
42:23
utilization. The possibility of these messages, these platforms can be utilized by the bad guys. And this is one of the reasons that we try to do things like keep them private, not post them online unless we have to. If we do have to present information, presenting information that is delayed, that is not as useful to an adversary. And so we've
42:41
got all these problems, all these potential issues, all these things that can go wrong. And the big question is, is it worth it? As somebody who is working in security and has had to deal with a lot of these deployments, even with all the things that can go wrong, all the potential attacks, my opinion is yes, it's absolutely worth it. This technology, despite the issues, has got a huge amount of promise. And the challenges that
43:05
come in are things that are expected. This technology is being used in hostile conflict zones where there is an absolute need for security. And it would be silly to think that for some reason the IT side of things would be exempt from that need for
43:20
security. And so the approach that we'll be taking over the next months and years is going to be to develop a set of standards and best practices that can be used to allow people to do these types of deployments safely and securely and identify the ways and kind of get the word out so that people know about it and they're able to do these things at the beginning. And the other reason is that eventually something is going
43:44
to go wrong. Someone is not going to get the word. Something is going to slip through the cracks that we weren't expecting. A new attack is going to emerge and bad things will eventually happen. And when that does, it's going to be vitally important that we have something to show the response agencies, the large organizations who would be
44:03
inclined to walk away from the technology at this point to be able to explain to them that this technology can be done securely. There are things that can be done and unfortunately in this particular case, something got through. So we will have a response in the event that something bad does happen. Because this technology has got a
44:21
lot of things that can be used for, not just inside of an actual disaster. This is what became of the Haiti deployment. It was initially set up for the response to the earthquake and is now run by a local company inside of Haiti who is using it to track a significant amount of information, not just about the actual disaster. And it's become a
44:43
resource to the entire community, tracking everything from the location of hospitals and the caller response. And it's become established as a long-term ongoing support to the Haitian country. And will be there in place for the next disaster whenever, whatever that
45:01
is. So there are a couple of groups that I'd like to specifically call out that are doing really great work in this area and excellent opportunity for people who are interested in working in this space. The first is crisismappers.net which is the main, one of the main mailing lists and main community groups for the crisis mapping community.
45:21
That includes both members of the volunteer community, the developer community, and a growing, significantly growing group of professional responders who are taking part in this. The next is the Standby Task Force which is a group that's been responsible for providing volunteers for these large-scale deployments. We're working on developing standard tools, technologies and workflows to make this possible. And this was
45:44
a team that worked on the Sudan referendum and the Libya crisis map. And finally, Crisis Commons. Is Heather here? So Crisis Commons is a group that was started by Heather Blanchard who's a long-time member of the media goons. And they do a number of different projects from everything from setting up wikis during disasters to providing
46:04
weekend hackathons where people can contribute code and new tools for some of these deployments that are taking place. And they do fantastic work. On the right side, on the right side, there's a set of the tools that we're using. Ushahidi is the one that's been used in a lot of these deployments and a lot of the screenshots you saw. Frontline SMS
46:23
is a very simple Java-based SMS gateway that's being used for a variety of things throughout impoverished countries. Sahana is like a Swiss army knife for disaster managers and OpenStreetMap is an awesome, awesome wiki equivalent to Google Maps. So the
46:44
final question I have for you guys is, as I've gone through, as I've talked about these things, just based on how you think, you've come up with things that weren't in the presentation. You've come up with things that I missed that I wasn't thinking about or didn't have time to talk about up here. What I could really use your help in doing is coming up to me, talking to me, sending me an email, I'll be back in the question and
47:04
answer room, about those things. Tell me what we aren't thinking about because we need your help in pen testing these ideas. That's everything I've got. Thank you very much.