We Hack Purple Podcast

We Hack Purple Podcast Episode 37 with Guest Ritu Gill

May 13, 2021 Tanya Janca and Ritu Gill Season 1 Episode 37

Host Tanya Janca learns what it's like to be an Open Source Intelligence Analyst, with Ritu Gill, AKA OSINT Techniques! https://twitter.com/OSINTtechniques
Thank you to our sponsor ThreadFix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

Find us on Apple Podcast, Overcast + Pod 

Welcome to the We Hack Purple podcast, where each week we meet an interesting, exciting and well experienced new guest who is a member of the information security industry. This week we're gonna meet Ritu Gill, she's gonna tell us all about open source intelligence gathering, we have not had anyone on the show yet with this really super cool job. So I'm very excited to talk to her this week. We are sponsored by ThreadFix, powered by Denim Group, and I am your host, Tanya Janca, but you don't wanna hear about me. I'm old news, I'm basically like furniture, let's bring out Ritu Gill to the show. Thank you for coming to the We Hack Purple podcast. I'm excited to be here with you. This is kind of a first for me, so I'm excited to be it and happy to see you. Yeah, I'm happy to see you too. Could you tell our listeners and viewers... Well, I mean, this is Ritu Gill, but could you tell us your job title and just a little bit about yourself? Yeah, sure, I can like... Okay, I can definitely do that. So, radyo guys already know my day to go, My job title, I'm an open source intelligence analyst, and that sounds really loaded, but what that essentially is that we use open source information, so open source information is publicly available information to answer specific intelligence questions. And if you want me to break that down a little more, it's essentially finding and following those breadcrumbs that people leave behind online in order for usually for our research or an investigative purposes, and this could include things like risk assessments, it could include looking for missing people, or people who are wanted for things like murder or other crimes as well... Are you sort of a digital detective? I guess I like how you put that. I guess you could call it that, yeah. I haven't heard that before, but...
Yeah, I guess it does have the markings of getting online and I've heard different terminology, but I would say yes to that question, web sleuth, there's different terminology out there that I've heard, I'm like, Yeah, I just find things online or I like connecting the dots. That's essentially what I like doing. That's awesome. That's very cool. I bet you have helped solve a lot of cases that you're not telling us anything about... That is correct. No. Yeah, I definitely have to be aware of the sensitivities around some of the things I've worked on, but that is the exciting part to me when you do make those connections and... Yeah, that's definitely one of the, I guess, bonuses of doing this type of work, you feel like you've accomplished something or you were able to help somebody out with their investigation... Yeah, that's very cool. I have a friend, and sometimes if our other friends go on a date, she'll look the person up on Facebook and tell them if they're already dating someone or not, so that is married. Didn't have six kids to do your math, she's like, Oh damn what... That's not the same, it's not the same as what Ritu does. It's very different. It's similar is though, because open source intelligence could be used in so many different ways, but... That's a great example, Tanya. There's times when people use open source to say, you hire someone to clean your house or babysit your children. And we tell people like, Yeah, go take a look. See who you're bringing into your home. Who's gonna be babysitting your children or cleaning the house, whatever it is it... Those things, those are things that open source can be used for as well. Interesting, okay, so I think a lot of people that are listening or watching are probably really curious about what is it they like in the life of an open intelligence gatherer. So I know that you were a cape and you're like That's sorta to do about it. What is it like? What would I bike?
Do you have to sit in meetings all day or... No, definitely not. A ton of meetings. There are meetings, of course, that's normal part of doing business, but we're talking about the internet here, so there's so much that we have to sift through as analysts, as researchers doing OSINT, Open Source Intelligence, and one of the things is it could be so overwhelming what we're looking at... And one of the number one things, and every day is like this, when you're doing research like this, you want to avoid... And this is what I do, I try to avoid those pitfalls. Things like falling down rabbit holes kind of thing, and when I say rabbit hole, it just means when I've gone too far past my objective of the task, so stuff like that is really important because we can easily get lost in... I'm sure there's a lot of people that end up lost on Instagram every evening and Facebook everything, checking out what their ex was doing or whatever, but the thing is, even with investigations, it's easy to end up somewhere where it's like, Hey, this is not... There's no point in this right now, I've gone too far, I need to pull myself back out of that rabbit hole, so in day essentially for me, it could be exciting because you do get variety, but it would be getting... Bringing on, say, a new client, and the first thing I always do is I'm like, Hey, what are you looking for? What do you want to get out of this Open Source Assessment? So I will ask them what is the intelligence question, What are we trying to answer here, and then I set my workflow accordingly to that, again, depending on what we're looking at, is it a person, is it a company that all will determine where I'm gonna look and what that assessment is gonna look like at the end of it. Have you ever... You said sometimes you kind of like fall down a rabbit hole, have you ever done that and then discovered a bunch of really cool things, or did you just go down the rabbit hole and you're like, Oh, that was a waste of time.
There's been many times where you do find useful things in without doing all the research, you have to... I just find like we have to look everywhere to say that we've done a thorough job, so you can't just be like, Hey, I'm just gonna look at it like that in the box, thinking you have to kinda look outside of the box when you do that... Again, there's times where I'm like, Hey, there was purpose in the rabbit hole took me somewhere. But there's times where in that rabbit hole or I'm like, Oh okay, I'm like, You know what, moving on now, kind of thing. So I guess I could say it's work both ways. Okay, fair enough. So what type of personality traits do you think someone needs to be good at open source... Intelligence gathering. I would say... Well, there's a lot. I think there's a few that come to mind. Critical thinking. So the ability to take basic information and turn it into intelligence is a big thing, intelligence is also something that's not just picked up, it's not just sitting in someone's Facebook account, it's something that... And that's why we make a difference between Open Source information versus open source intelligence, so I think having those critical thinking skills is really important in order to add value to your products. Sorry. Could you define intelligence? Like what you mean? 'cause people listening might think, Oh, a smart person... No, that's cheer. Smart people. No, that's not what we did. So when I talk about intelligence, I'm speaking from the perspective of the investigation, so something that's gonna allow you to take... So we have an investigation. 
I say Write up a report using my open source research, well, that Intel, the intelligence I provide, I want to be able to take that investigation to the next step, so that's the kind of angle that I look at it from, or that's what I mean when I talk about intelligence, especially when I'm talking about open source intelligence, so again, it's taking that information, but we're using analytical skills to make these assessments and produce a report or a profile on a person, a company or whatever... entity I'm working with essentially, right? If that makes sense. I have another one, if I can keep going. Another really, really important, I think, trait, is to be able to articulate, if that is, if I could call it a trait, so when I say articulate, being able to explain the work you've done is so important, because at the end of the day, if I am working for someone, whether it's, I take on a new task and I'm doing a risk assessment, I need to be able to walk my client to my customer through all the findings, so you have to be really... You have to be able to articulate what you did... People that work in law enforcement and really understand this as well, because when you get called to court, you have to be able to articulate what you did, how you did it, and explain it very thoroughly, otherwise, otherwise we pay... Could backfire on you. So those were a couple of things that come to mind. Cool, cool. So what types of... Oh, everyone who's watching. So we're having more of... More people. Us, thank you for coming. I'm Tanya. If you wanna ask Ritu a question, you can in the chat, she's not here to spy on your ex for you, but she is going to talk about what her job is like, how you can get a job like that, etcetera. But let's go back to Ritu: what types of technical skills does someone need to get into the field of open source intelligence gathering? So that's interesting. So I'm gonna say right or I'm not a technical person. A lot of people get confused, they think like...
Yeah, they think... And everyone's understanding or definition of technical might be different too, right? When people ask me like, Oh, you're super technical. I'm like, No, I'm not. I have a degree in Criminology, so just to lay out a little bit of my background, I finished my degree in criminology, I don't have coding experience from way back, growing up, I didn't do that in school, but I did grow up around computers and that helped me understand the basics. So when it comes to being an open source analyst, I think you definitely have to be comfortable using a computer, being able to research and stuff like that, that comfort is really important, but I always tell people, I'm like, You don't have to be technical, because I tell people, I'm open to learning, always. There's always so much to learn out there, but I'm like, I don't define myself as technical per se. Okay, oh, that's encouraging 'cause I find a lot of people will get scared away from a certain field because they're like, Oh, I don't consider myself technical, so I don't think I can do it, and so people who are interested in this can know that's okay, but also I have to say that even if you're thinking, Oh, maybe I'm intimidated to go try it anyway, I Inoue know, know And no, for sure. And there's a ton of people... I have a lot of OSINT friends per se. And the thing is, they do have those technical skills or background, and that's always helpful to do some of the more Bassin, it's just... For me, it's like you can be a beginner and you don't have to have technical spirits, you can get there eventually, you can get to intermediate and be like, Hey, I'm comfortable here, or you could go advanced and start writing your own scripts and stuff like that.
I tend to just use other people's scripts and stuff like that if I need to do that type of work, but one of the things I just would like whoever is listening is don't allow that part of not having or not feeling like you have technical experience dissuade you from pursuing a career in Open Source Intelligence, It's allerdale skills. Yeah, so actually that's where my next question is going, so what type of training did you take to get to there, or is there even training that you can take... Yeah, so it kinda goes to... So there's different... Again, there's different levels. I'm gonna talk about open source first, so there's a ton of open source courses out there for people to take, and of course, some places offer basic, intermediate, more advanced courses, you have to kinda choose depending on if you're just starting into it, which makes sense, right. So definitely open source courses help 'cause it helps you understand, especially I'm just thinking of it from being somebody completely new and trying to understand it, not only you wanna do your own one of research, but if you wanted to take a course, I would suggest taking like a 0 101 in like that beginner stage, so you're not overwhelmed either, right, but just to get your feet wet. That's one thing people can do, and I know there's a number of places that offer courses... For me also, the thing is I took courses in the beginning, but keeping in mind, I work for law enforcement, work for the government, so that perspective I had... I got the in-house training as well, so that's a little different, but that being said, there's a lot of also, there's also outside training that we relied on... Right. And that's open to anyone. But you can give... Once you start applying this in investigations is when you really start learning and connecting, figuring out in your own buying... Hey, this is how it works. One other thing I just wanna add... Sorry, I'll stop talking. I talk a lot. No, no, I want you to talk a lot.
You're the guest. That's the point. One thing I wanted to also mention is, so aside from taking open source courses to gather that understanding, it's also very useful to take analytical courses, so things that like an intelligence analyst would take, because those teach you analytical techniques, social network analysis. I could go on and on. Being aware of your biases, all the things that will help you essentially in your open source research. Oh, that's so cool. We have a question from the chat, so how do you find your clients or do they... Or do you kind of find them? Which I think I do on you finding things. Oh, I get it. Okay, I did get that for a second, I was like, What? Fidel For me, so I have my own private business and I'm involved... Well, I'm sure we'll get there at some point, but I'm involved in a lot of different things right now, so I usually... I don't reach out to people, I don't go find clients, because again, I'm very selective with who I'm gonna be doing work with and whatnot, and I have to be very aware of that, but I think there are... For the people who are seeking to look for clients and stuff that you could definitely do that because you can open source them, right. We see who needs to get some open source, some value for whatever they're working... That being said, for me, it's a little different. Like I said, so I don't usually seek out clients, so I don't know if that answers the question appropriately, but for me, how do they find you to... Someone wanted to hire you A is... It's pretty easy to find me. You Google my name, Ritu Gill, and I think a bunch of my platforms might show up, so a lot of people contact me through LinkedIn or through Twitter, those are different ways you can contact me, you'll see in my Twitter bio, you'll see my proton mail, I get emails as well, and I'm open to receiving those, typically those are the different places that I make those connections.
Okay, so how often do you receive requests for you to spy on people that someone is dating or wants to date, and how annoying is it? On a scale of one to 10. Yeah, how annoying it? That high up there on the scale. Tanya, I do get that often, and I don't do work like that, 'cause it's like a little bit of a conflict, and yet it's not the type of work I do, so... Yeah, it's just like, Okay, I can't help you. I do get lots of emails like that and I just... Yeah, I just can't, I just can't deal with those. But it is frustrating, so it does get frustrating after a while, I'm like, I know I don't want those... Are there people asking you to commit crimes because sometimes, very rarely, but once in a blue moon, people will write me and ask me if... What they're asking, I'm like, Oh, that's a crime. A... Well, that's what I respond because I am sassy. Like that like, Oh, doing that would be a crime. Are you asking me to commit a crime and they're like, Oh no, no. Do you get that to... Oh, that, I don't know if I've got that. I'm like... And there's times where I see emails that I'm like, Okay, this is just a phishing email, I don't respond, right. So I'm like, Okay. And many times, maybe it's those types of emails, I just don't have... I have the time for those, but it's interesting if it is like you're like, Oh my God, I know this person and they're asking me to do such and such, I don't typically get requests like that though, or... It happened, yeah. Watch after this podcast. All of like, I'm gonna get all these emails. No, no, don't ask her that she's not gonna do work that will ever land her in jail. We have another question. Do you ever offer to cover bail? I don't think so, Kellen, that sounds like... That's not her job. Well, that's an interesting ask, I'm like, Okay, so relian, open source that later... No, he's just easy. Okay, more serious questions.
So let's say someone's very interested in this and they want to potentially pursue a career in open source intelligence gathering, what types of work experience should they try to get to lead up to that, or should they apply right away, or how could they try to launch a plan with that as the end goal. I Think... Yeah, so the first part of that, again, I always try to look at it from a couple of different perspectives, but overall, having research related experience really helps... Right, but remember, you can obtain that from those who are still in school, you do a lot of research when they're finishing whatever you're taking, I just remember... It's been a really long time since I graduated, but I remember doing a lot of research and things are different back then, but that's fine. I remember one of the things that I wanted to do was when I was in my third and my fourth years, is really where I got interested in research, I was like, Okay, this is me. I remember they had a crime analyst, one of my profs at a crime analyst come in and talk to us, and that's where I kind of switched minds in terms of like, Hey, this is kind of cool. Like, what is she doing? And that's where my interest came in, so research related experience is really important, the second part is start exploring OSINT, especially if you're looking for specifically to this field, start exploring what's out there, start searching, use your search engines and Google quotes, open source intelligence analysts and the area you live in, just to see what they want as qualifications, because every area will be different. I'm in Vancouver, we're in Canada. He got right like other people might be in different areas, and that's one way to almost like even if you don't meet the qualifications today, that's something you could work towards, especially when they list those qualifications. So that's thing I would do. And one other thing I could just suggest is also when I... 
Before I started open source, one of the things like even in the beginning, and even now, I read a lot, like reread about op, read a boat. And there's places, I'm sure we're gonna cover that a little later, but there's places on the Internet where you can read blogs and see how other people are using open source intelligence, so those are really important 'cause it sets your mind up for that type of... Okay, that's how that works. And then connecting those dots. But definitely research research doesn't have to be related to police work only, you don't have to be like, Oh no, I have to go work for law enforcement... No, you don't... You, the doors open for you to explore other options... Where are their options? Did you say where or what... What are the other options? So I kind of assumed that you would work for law enforcement or the military or something, and it never really occurred to me that there'd be a lot of other places that would want intelligence as well, so... Are you allowed to give us examples... For me, because my entire career has been with the government, and it has been specifically with law enforcement, so that's where my understanding... That's where my examples come from. That being said, I mean, for example, you can work for an insurance company and be a open source analyst, 'cause I know they use them, they use online researchers, whatever they call them, I don't know. And like ours, that we have regionally in our province is called one thing, but they must have some sort of investigators that check on people or fraud to make sure that the stories are lining up, looking at their social media to say like, Hey, you said you broke your back in accident, but you're like sky diving. 
So again, that's one example that just comes to mind, there's gonna be obviously a ton of government agencies that hire like the spy agencies and stuff, I'm sure they need open source people, but outside of that, you definitely have things like private companies will also be hiring... I'm assuming, right? I haven't pursued those exactly, so I don't know that... I know they're out there, PI firms, private investigators is huge, and they also want people that are good at open source research, of course, they're gonna be doing a little more probably being a PI than what open source analyst or a typical open source analyst would do, but a PI would also need to be really good. A really good researcher. Interesting, so we're at the middle of the show where I am going to thank our podcast sponsor. Thank you, ThreadFix. They create the most depends vulnerability management system this side of the galaxy. ThreadFix, thank you for sponsoring us. I also wanna ask everyone to click the thumbs up if you are having fun, if you're listening to this later on or viewing this clip, give us a thumbs up subscribe, and if you can write us a podcast review, we really like those things here at... We Hack Purple. Okay, but back to Ritu: does this type of work pay... Well, so some of us call this the cheese question because I often talk about, So how much cheese can you buy when you go to the grocery store, but you don't have to answer it in that, but it is like the type of rule... So from what I understand, of doing all the different... Going through all the different interviews, being a security architect, pays tons and being a journalist, or working at a start up or starting your own startup pays really poorly. Right. Where are you on the scale? Is it the type of job that pays very well, or is it pretty good in the middle for as far as IT jobs go, You're doing it, the Help Desk?
Yeah, okay, so I wanna go back to your cheese thing, I'm gonna be like, Hey, I can't have cheese, 'cause I'm lactose intolerant, so... But for question. I was like, Oh look, to stick with that, where's she going with this cheese question, maybe you could have vegan cheese or cheese made out of nuts... Yeah. Probably do something like that. There's alternatives I expense. So back to your question on a serious now... So again, I work for the government, everybody knows government salary. Stuff is public information. If you know something, I guess, whatever category. So I believe I do get paid well for the work I do. So looking at it from two perspectives. There's that government perspective. That's a government worker. You top out somewhere. We all top out somewhere... Right. When you're a government employee. Right, so that's something to keep in mind. But for those of you who are wondering also 'cause I have my own business, overall, for me, when I put the two together, I'm comfortable with what I make, but one thing that also that I have the ability to do is after a number of years with work experience, I have 14 years in the Canadian government. I'm at a place where... You get to a place where you have experience and you get to call the shots with it cuts your own private company, if I take on a contract and I'm like, I won't do it unless it's at a level that is worth it for me, 'cause that work life balance is such a struggle too, so you really have to... You always have to make those choices, but... Yeah, all I'm trying to say is, I would say I do get paid well and I'm comfortable... That's what's working for me right now. When I worked at the Canadian Government, so I worked for them for 15 years, and very quickly I went from CS level one, two to see because I had already worked in IT for quite a while, and so I was a S3 for over a decade. And at the eight year mark, you hit the top and then you just have nowhere to go, so...
Yes, and they're like, Oh, you can become a manager... I tried it a few times and I was like, you can have your money back and go to elite people that you are now to fire is hell. Yeah, that... No, there's no recourse for so many things and totally understand it. So after 135 years of service, I was like, Hey, guess what, I have to go, because you have 18 more years planned for me with no promotion, so I have way very... Things to do. A good luck with all that. Cloud transition. You're gonna do one. I don't blame for that at all because like I said, government employees, You top out somewhere, but that's where private looks so appealing to some people because it's... For me, to be honest, I'm like, that's where the money is, right? But everyone has to do... We make their choices. Also the super cool projects, the super bleeding edge, cool tech, like government's a very safe place to work at. That's a very risk resistant, and I'm like, Ooh, Scotland, I can threaten. They don't like to... Yeah, no, I completely understand what you're saying. It's relatable. If you are a disruptor, I started up in the IRA place for you are... Yeah, but also I don't make very much money. And that is okay right now, 'cause we're just starting, but... That's cool. Okay, so I have more questions that are about you. Okay, are there a lot of opportunities, because I see a lot of people really into it, just like social engineering, I see a lot of people really interested in it, I'm like, how many jobs are they're really an open source intelligence gathering. So this kind of touches on what I mentioned before, I think, but it does... It obviously matters probably if you are looking... If you are looking private or government, and then also looking at what country you live in, or all those factors, those will come in and play when you're looking for that job, and I think there are a lot of people looking for OSINT jobs 'cause they're in... They are fun. 
I haven't been doing it for all these years. 'cause it sucks. It's really cool. It's really fine. That's why you do it. And I can't stop, but the things I would just remember that not all jobs are labeled Open Source analysts, even though you're doing that, private firms will probably be pretty straight up, I think, in terms of what you're doing, but with government jobs, sometimes a job is called intelligence analyst, and you could be doing open source, but you won't know that until you make contact with the person on the job board or whatever it is, to find out, but I think the keywords to really search, like I mentioned before, intelligence analysts, crime analyst, Open Source Analyst, Open Source Intelligence Analyst, and then looking at what they have to offer, because a title is one thing, and the government's a little strange when they do that, but sometimes it's not right in the title, job title, because I sometimes... Just because a specialist... I know it was that time... Yeah, you need to ask, you need to definitely reach out and ask the questions, I think that's the best way to do it, to really understand like, Hey, does this job include any open source research stuff? But yeah, one of the things I used to do is always look at like I would do those searches and I'd pull out even from places like if the US... I'm like, I've never lived in the US, but I'm like, I wanna see what open source analyst in the US for those private firms or the government, what does it say they want, and then I would take things away from those... Right. And this is earlier on in my career where I was like, Okay, I'm like, I don't wanna do that, but I wanna do that, and I kinda pick and choose, but it just gives you a better idea also what kind of companies are hiring and what kind of work you'll be doing. Oh, cool. Do you feel like because of your work that you're very careful about what you put on the web... Definitely, yeah.
I think there's that level of your operational security or OPSEC is really important, but for me as well, I am careful with what I post them when you're out there, as much as people like we are... I love talking OSINT, but I don't wanna put my house address in, I don't wanna take a photo in front of my home and be like, Hey, this is where I live, and I think that's just the privacy and the security of concerns that people that do this type of work, have to be aware of it, and also just the fact that you mentioned that... I just wanna bring up this point, everyone in this type of work is usually aware of that, because we're constantly finding those breadcrumbs that people have left behind and using them for building up to figure out where that person lives or you locate them, whatever it is you're trying to accomplish... Looking at your threat model, for some people, they don't need to worry about things as much as others it... For me, it is important to ask some things, I don't need every section of my life to be that private, but there are parts that I do try to privatize a bit. I think that's smart. If you were... So I realize the average person that's listening to this podcast is a lot more aware than the general public because it's a security related podcast, but if you were gonna give a couple, just like one or two tips for people to protect their own private information online, besides not taking a picture of you waving in front of your house. Do you have any other brief suggestions, I'm sure that you could literally write a book, but maybe the one or two that people don't think of. I think... Well, sometimes it's just basics too, but putting... If you use social media, use privacy settings on your personal accounts, and some people are like, Oh, why do I need to do that by putting on your privacy settings just...
It's a little step that you have to take so that not just anyone can show up on your profile and grab those photos of you and God knows do what those... Right. The other thing is one thing, this is just something to think about, but I will always say this is like, You should never post anything online. And this is how I ask myself before I post anything on Twitter, on the Instagram or of the world. I will say if this got leaked out to a larger audience, is that gonna be a problem for retail and asking myself, Is this something that will compromise me or make me look like whatever a person that I'm not... I have to ask myself before I post that, because there's always gonna be those data leaks and hacks and things that keep... Breaches that keep happening. So when you are online, if that's one thing you can ask yourself prior to posting, that should keep you maybe kinda say that's kind of one of the techniques I use. I'm like, Hey, if this guy... Oh, what does this say about me? Yeah, yeah, I agree. I remember when the life... Do you remember the Life Labs breaches? Ritu and I both live in British Columbia in Canada, and I'd like to know it's all Canadians in the house tonight. Even our sound engineer's Canadian, and in Canada right now, but not in BC, but that said, lots of places across Canada will use this company called Life Labs to do tests for your health, so like a blood test to say If your iron is low or you need some B12 or whatever else could be wrong with your body, and I'm not a doctor, so I'm not very creative with that, but it's build on to the internet, and I remember going in right before and I had to have a blood test for whatever, and they're like, Hey, would you like to be able to get your results online, and I was like, Hell no, don't put my step anywhere here, your jam, internet. No, no, no, no, no. Yeah, yeah, and so that didn't...
And then three months later, it's like, data breach, LifeLabs, everything that's ever happened to you is on the internet. I know, I remember that. I was like, Oh no, that's not... Could it all of like... That's really horrible, actually. Yeah, that's the thing, breaches will happen and we need to be careful with the type of stuff, services that we use online as well, right. Yeah, definitely. Interesting. I agree, 100%. So I have more questions for you. Can I add one thing? Go... Oh, please add all the things. Okay. I just wanna add one other thing just to mention is a lot of times, and this is just the other perspective of researchers, like OSINT researchers... Yeah, we rely on that. What do I would call it? A soft target, I don't know if that's the word I'm looking for, but... So essentially what I'm trying to say is, if I'm looking at a subject and say, we'll just call him boyfriend, we're looking at the boyfriend, he's non-existent online or he's locked down because he's doing bad things, often, we can get a workaround by going to secondary targets like girlfriends or their significant others. So in your own circles, it's always important to let your spouses or your people know, your significant others or kids, parents, 'cause those are how you end up making connections, is that way, a weak link is what I was not... Soft target. Yeah, weak link is what I was gonna say. The weakest link will end up giving away your, I guess, your operational security, even if you're a bad guy or you know, so it's just those things to think of again, when you are using social media platforms. I literally lecture this, yes. You go get a Tondo not, do not bring that listening device into my home. I had a roommate come home with a Google Home, I'm like, you take that devil device down to your peer that does not go into shared space. Yeate, Sarah, my parents have one. And when I visit them in Ontario, so not since the pandemic, I'll be like, Okay, Google.
And then it says something and I'm like, Shut up and stop listening. They're like, Stop talking down to the Google Home, the nothings Out for three for so long, and that's when everyone went and got it and it was like... People were like, they had... They're like, I have one in every room. I'm like, Okay. I'm like, I don't think that's a great, great idea. Maybe if you wanna try it, 'cause you're like, Oh, I've got something free, but make sure you unplug it and you turn the off and on button of the hole, Google, if you don't plug it and turn off the offend... I don't trust it. It's not dead until it is like completely turned off and unplugged. I'm way free to... Okay, I have more questions that are actually on topic this time, so what's you like... So this is the super hard question for you to get ready, what do you like the best and what do you like the least about your line of work, a questions. Super tough. I really like the diversity of the types of files I've been able to work on, so depending on keeping it... When you have that diverse, you almost don't know like you show up at work or you take on a new client, and you're like, Hey, what are we working on today? That can be quite exciting, just to know that it's never stagnant, it's just... It's always evolving. There's always something new, there's always something different, and I'm always learning something new, and I love learning from other people as well, and that's why I love the OSINT community on Twitter because that constant like sometimes we go back and forth with ideas and then we move it over into the DMs or email, but it's collaborating with other people. I love all that stuff. One other thing is, I really like, and I already mentioned connecting the dots, but I just like saying that because when a customer comes to me with...
No, a customer will come to me with some information, a client will come to me, they're like, Hey, I know this much about whatever it is, but there's always this big empty kind of bubble that they don't know about. And so when I do an assessment for them, open source assessment, and I find new information that's where I get really excited, and that's where I find that really, I guess... Exciting part of the job, yeah. 'Cause I'm like, Yeah, I did something and I wanna help you. I wanna help you accomplish something, so... Yeah, that's success for me. And then what do you like the least? So. Okay, well, this one's pretty easy because it's an ongoing struggle at times, so when you're spending as much time as I do on the computer, not being able to turn off your brain is really difficult, and that's a serious issue, and I don't know if other people... That do this, I haven't talked to a ton of people about it, but it's so hard because I end up getting so wired... If I work too late, I get so wired that I can't go to bed and then the next day it ruins my next day because I gotta work that day too, so... Do you feel that too? Sometimes if I'm coding a lot, I dream in code, I'll dream about conidia the answers when I used to code every day, I would wake up sometimes and I'd be like, I know the answer, and I'd come into work and fix the bug, and then you... Tuvalu actually give me an hour bonus it. I get it, and he... You like take an hour early, good job. You're working in your sleep... I know exactly at ORF. I sometimes have ideas and I go to bed and I'm like, Oh, I gotta get out of bed and write it down.
That happens, but one of the things, as much as I love my job is, again, it is turning off and then knowing your triggers and stuff like that, that those are things that are important to be aware of and just risk factors in terms of like what is it gonna keep you up, but if you look at certain stuff, 'cause we know there's people out there that work like national security type of files that could be quite disturbing, so you don't wanna look at that maybe before bedtime, but generally, I just find as soon as I'm... The mind's going, 'cause I'm working on something, the brain's going... If it's past a clock and I plan on going to bed early that night, it's just not... Great. Yeah, so someone was saying, but if you work late enough, you can log that for the next day, I don't know how that's gonna work out. I know it doesn't balance... Okay, Trinity, I've worked in other time zones too, which is always kind of... That really messes you up too... Don't do it if you don't have to. So a couple of times you've mentioned, Oh, there's resources for that. Do you wanna share some resources that you like your first... Resources for... Resources to learn about open source intelligence gathering. Oh yes, for sure. So one of the things I wanted a part of actually is a non-profit called Osiris, and on the advisory board for that, but it's a place where people can go read about all these really cool OSINT people, really super smart OSINT people. We do blogs, we do 10 minute videos, we do different live streams as well, so it's definitely a good place to, I guess, learn all sorts of levels of use, so you're not gonna only learn... Beginner, I'm gonna say there's things on there that other people have blogged about that I'm like, Hey, that's advanced, I need to learn that better because I'm not good at that, but they long devoted. So there's things like that. Sanctus is a big one though, and I definitely recommend that. Do you want me to list of What about yours?
So yeah, I was gonna say, So my website... You could find me at Othniel dot com. Again, I'm still reachable on Twitter. You could reach me on LinkedIn. I use several platforms, or you can just email me and if you... Just hearing of me here, just mention that you're on... You heard me on the podcast, I like to know where people hear me from, just so I have an idea of who I'm dealing with, or I'm like, Okay, was this somebody that knows me... That type of stuff. So my company, I do talks, I will do training. One thing I will be offering soon, it's coming soon, and it is gonna be osmosis, so that's... Yeah, that's coming soon. I don't have exact date, but that's a Manolo for and it will be posted on all my social... So you can look for it. I'm sure it'll be on the website and then on Twitter and all the places, but that's something new and exciting, I've been working towards... Oh, that's so awesome. Yeome. Excited. I've been waiting, trying to get things to line up and they're slowly lining up, so just wait for that announcement. So there's a question from the chat that's excellent. Do you participate in OSINT CTFs, like Trace Labs? Yeah, so Trace Labs, I have participated in CTF with Trace Labs. I've done it, I haven't done any recently... That was a while back when I did participate in a couple. In a few, at least, I think I've done three. Those are pretty fun. That is a really good place where you can learn more about and have hands-on experience with how OSINT would work, and Trace Labs is... They essentially, what they do is, what you would be doing actually on the CTF, for those of you that don't know, would be like they have real missing persons cases, they work with local law enforcement, have these cases, and then they have the CTF where people team up or individuals, and they go find different things online that could help the police, because at the end of the day, police don't have a lot of resources when it comes to missing persons cases and it's... Yeah, exactly.
It's all about the cheese. So the thing is, what Trace Labs assists with that is they will run a CTF, you can show up, participate, and Trace Labs, I guess, packages whatever tips they get from the people that participated and passes it over to the investigative officers and sometimes it's successful, which is amazing, right, just to get people off those missing persons lists. That is awesome. I like how it's a learning experience, it's realistic, but also it actually helps. That's awesome. Cool. Okay, so one last question and then we have to go. If you are gonna give someone one piece of advice to try to get into this field, what would it be... One piece of advice... Okay, that's really hard. 'Cause it's just one I do. Does it have to be one? So it can be more than one, it can be more than one too... Okay, if somebody's new. And I have already said this today, I think, but read about how OSINT is applied, and when I say that, Google, use advanced operators and Google, what is OSINT? How is OSINT used? Articles should populate that us, you could read and take a look at... I do have a section on my website, I can't remember, I'm like, Do I have it up? It's all, if you're new to OSINT, I believe, or are you new to OSINT, a couple of resources like articles to read or videos to watch, just like I did one with Micah from SANS called Intro to OSINT that is posted in that section, that's an example 'cause that shows you like, Hey, in the beginning, what would you do? But definitely reading is really like for me, that's how I started. And then I built on that and then I got a better understanding. So I would do that, and if you're not on Twitter, get on Twitter, search the hashtag OSINT. This is like that second part where you're gonna see a lot of people sharing resources and blogs related to OSINT, so that's also something you can do. Nice, that's awesome, Ritu, this has been so helpful. Thank you so much for coming on the We Hack Purple podcast and being my guest.
Thank you, Tanya, for having me. I'm delighted to be here. Awesome, let's wrap it up. Thank you everyone for coming, and it's time for us to go. Thank you for listening to the We Hack Purple podcast, where each week we meet an awesome human being like Ritu who teaches us all about what it's like to do their amazing job, in this case, open source intelligence gathering. And I don't know about you, but I actually learned quite a bit. The intelligence part is definitely not really what I understood it to be, so I think I understand it a lot better now. Thanks to her. Thank you, Thread Fix, for being our sponsor, and thank you all of you for coming back week after week, we have a few more episodes in this, or we have three more months of episodes of this season, we have so many amazing guests coming up. I'm actually really excited about all of them, I mean, I did get to pick them, so there's that, but I'm Tanya Janca, I'm your host, and this Saturday, we are going to be streaming, live streaming, Chapter Three of Alice and Bob Learn Application Security. It is about secure design, so you can meet me at youtube dot com, She Hacks Purple, for free, and a bunch of us are gonna go over the chapter, what was in it, lessons from it, then we're gonna go over the questions at the end. I've invited a couple of expert guests, including Adam Shostack, Vandana Verma Rall again, is gonna be an awesome party with lots of amazing people, we're also gonna have Aaron Ward and me being the nerve in the middle asking lots of questions, and so please feel free to drop on by at 1 PM Pacific time, we're gonna be there for two or three hours, depending upon how much we have to say, the more guests there are, the more there is to talk about, and I can't wait to see you there. Secure all the things with We Hack Purple.