The age of information sharing with OSINT Curious president Micah Hoffman
Terry Pattar: Hello and welcome to the World of Intelligence, an open-source intelligence podcast brought to you by the Janes Intelligence Unit. For more information on how we can help with OSINT training and development, go to janes.com/osinttraining. So Micah, thanks for joining us. Just for everyone who's listening to this, I just wanted to give a quick introduction to you. Micah Hoffman, you are one of the key members of the OSINT Curious Project. You also deliver OSINT training for SANS. And I think in and amongst all of that you're probably one of the leading OSINT practitioners globally, I would say. What I love about some of the stuff that you put out there in particular is not just that you're doing all of this and doing it for small audiences, but you're actually sharing and being part of the OSINT community, which is getting across some important stuff for different people who might be interested in OSINT no matter what sort of sectors, et cetera, they're working in. So thanks for joining us.
Micah Hoffman: Well, thanks for having me on the show.
Terry Pattar: No problem. I wanted to just start off by talking about how you first got into open-source intelligence and where you started off and what sort of dragged you into it, if that's the right way of describing it?
Micah Hoffman: Yeah. It's actually been an interesting trip. I mentioned this on, I think, the OSINT Curious Podcast that this is my fourth or fifth career in my life. I actually have a degree in psychology. Back in the 19-somethings I got a degree in psychology. And then through some twists and turns, I ended up in computers, fixing computers, setting up computers and servers. Then I started hacking them professionally and breaking into them and doing really more core cyber things like penetration testing, incident response, incident handling. I found I really loved that aspect of the world, how I could break into systems and find things I shouldn't be able to find. And then one of the pieces of our process was always to do online reconnaissance of our targets before we attacked them. And I remember this one assessment I did where we were trying to break into a web application that was on the internet. Our process said we have to Google that application name and then see what comes back. So I Googled the application's name, and there was this PDF help document on some other site of the people that actually coded it. I decided to just read the manual. Sure enough, on page one it said, "Hey, if you're trying to get into this application, try a username like this and a password like that." I essentially took that information, which I had just Googled, and logged right into the application without even hacking it. I thought, "Man, this stuff is really powerful, this reconnaissance."
Terry Pattar: Interesting.
Micah Hoffman: But I didn't even know that there was an open-source intelligence. Since I came up through cyber, we called it recon or reconnaissance. We didn't call it OSINT. Then later on after really looking for things, I found OSINT and I just fell in love with it.
Terry Pattar: How did you first come across it as a term in that sense then?
Micah Hoffman: That's an excellent question, Terry. I do not recall when I first was turned onto the word OSINT, but I do recall it being probably in one of those tweets that somebody sent out that was like, #recon #OSINT. I'd actually been doing a lot with Recon-ng, the command line tool, and I wonder if I saw the term in there somewhere.
Terry Pattar: Because one of the things that I love discussing with people who are working in this field is the differences in approach but also the differences in definition. What is open-source intelligence to you versus what to somebody else? I don't know if you listened to the last episode. I was talking to Eliot Higgins from Bellingcat, and they talked about how they apply open-source intelligence techniques to online journalistic investigation, essentially. With the kind of audience that we have at Janes, so the kind of organizations that we work with being primarily defense and government, there's a very traditional, well, sometimes very traditional viewpoint on OSINT, and it's one of the disciplines. It's kind of seen as being separate from things like imagery intelligence or other types of intelligence they might pursue. I would say in terms of the modern kind of OSINT, when people come to it from other fields or other directions, there's less of that kind of distinction. What I find really interesting is looking at what others are doing outside of the sort of defense and government world. You probably, I'm guessing, in all of the training and all of the advice you've given and the work you've done as well, you've probably come across open-source intelligence in lots of different flavors. Have you seen those kinds of distinctions or those kinds of differences playing out and different interpretations of OSINT?
Micah Hoffman: Absolutely, Terry. You hit it right on the head there. What I get is from a lot of my students, I get a different perspective. And much like what you and other people that interact with different groups of people that are trying to achieve OSINT goals, I get their perspectives on it. We'll have somebody come into the classroom that has a financial services background, and they're looking for people that are on the dark web that have caches of credit card numbers. They're looking to find where they came from, what the numbers are so that they can deactivate them. Or we get the typical law enforcement and military and intelligence people in the class as well who have the more traditional, like you said, the SIGINT, IMINT, SOCINT, all those types of intelligence requirements and understanding. But then we also get people in the class from the movie industry, the gaming industry. I pulled some of these people aside at some time and said, "Why are you in the class? What are you looking to get out of this?" I mean not in a bad way, but what is it that you're looking for? They said everything from, "We're looking for a pirated version of our software." "We're looking for leaked documents." As I teach more and more, my understanding of what the world considers as OSINT grows and grows and grows, and I love that.
Terry Pattar: It's interesting, you mentioned the dark web there. I'm still seeing a lot of people talking about these distinctions between the web, well, the surface web, the deep web, the dark web. What's your view on it? I mean are those distinctions still valid? Because I'm in two minds. I'm in two minds about whether those are still useful distinctions or not.
Micah Hoffman: Yeah. It's useful for debunking purposes. When you have somebody that's a new OSINT analyst or somebody that just hasn't ever been in the dark web or in the deep web, they don't call it the deep web. They just call it something else. Those people, it's helpful for them to understand what everybody's defining deep, dark and surface web as. What I teach in my class is how the definition of what's dark web and deep web changes and shifts sometimes daily. I mean we see resources that are on the surface web like Michael Bazzell's IntelTechniques.
Terry Pattar: Yeah. An excellent resource.
Micah Hoffman: Tools that he had. They went to the deep web because he put an authentication page in front of it. They didn't go anywhere special. It's just you can't access them.
Terry Pattar: Am I right in thinking that if you're not part of the club, you can't get in now?
Micah Hoffman: I try to stay out of the politics, but I believe that's the case.
Terry Pattar: Well, I think for him it's probably a practical measure, right?
Micah Hoffman: Yeah.
Terry Pattar: I mean he doesn't have that many people who he can probably help at the same time.
Micah Hoffman: Yeah. They're vetted people too. They're his customers. I get it. But for the dark web, I did a talk for a group in Boston last year. My talk started out with the debunking the myth of the dark web, how yeah, there are these kind of nasty places of the dark web, but with Tor the way it is and with other dark web systems the way they are, the distinctions between I'm going in the dark web and I'm going on the surface web is very blurred. Because you can get to the surface web from Tor, and you can get to Tor from the surface web. It's interesting. So it's less useful I think as distinctions, but we definitely try to clarify that to our students.
Terry Pattar: Yeah. I mean, I get a lot of people who come to our training courses and they're like, "Can you give us a separate training course on the dark web?" I say, "Well, I could probably show you it in about 20 minutes." Because like you said, there is that element of debunking or demystifying it. But then the rules of engagement for different organizations vary, and some people are allowed to do it. Some people aren't allowed to look in that because for whatever reason it's been determined from a legal perspective, perhaps, they're not safe going into that part of the web.
Micah Hoffman: I think one of the things that a lot of organizations are more concerned about than their staff seeing pictures or videos or things that they shouldn't is more that by being on those networks, sometimes their systems will help facilitate the illicit transfer of goods or services across the dark web. By becoming a peer node on these networks, many times traffic is flowing through your system and you have no idea what it is, but it could be illegal things.
Terry Pattar: That is true, yeah. I think that's one of the things for a lot of people getting into this area who are new to it who have to really bear in mind is that the sort of legal restrictions that are in place, and it does vary by jurisdiction as well. So always be careful, I think, in whatever jurisdiction you're operating in would be good general advice for anyone and then what kind of areas of the web you're operating in as well. Within that theme of general advice to people getting into OSINT or working in OSINT, it'd be great to get you to describe really the OSINT Curious Project and what you guys are doing. Because you've been putting out some great stuff both on Twitter but also through your webcasts and everything else that you're putting out, and so maybe just a description for people in our audience who aren't familiar with it or haven't come across it before would be great.
Micah Hoffman: Sure. Happy to talk about it. I love the OSINT Curious Project. It's a nonprofit that we created over here in the United States. It is at the website osintcurio.us or osintcurious.com. On the website, well, actually the project's goal is to take some high quality OSINT people that like to write, like to share, like to talk, and help amplify their voices to share that OSINT information with everybody and anybody for free. We have people on there like Dutch OSINT Guy, like Kirby Plessas, Technisette. We just had some people on there like Chris Kubecka. We have a whole bunch of really high quality people that are sharing their information. I look at it as a facilitator to share information. What we do is we work together as a group instead of individuals. We're just getting ready to release a couple blog posts that one person has started, other people have contributed to. So it's a really good, well-rounded product. We do that with our podcasts, too. Every two weeks we do our own podcast, and we do a podcast webcast so that you can see our faces. And you as a general person out there in the world can actually be in our live studio audience since we do them via Zoom, which is neat. I love bringing the community into our talks, into our blogs and other things as well.
Terry Pattar: It's a great resource for those of us working in this area, but it's fascinating as well to hear from you guys about some of the practical experience and maybe some of the things you've worked on. Because you hit on a really interesting point there, which is that working as a group, and I think with the way the open-source intelligence has developed in the last few years and is particularly a direction that I see it going in is that you need to have that collective with the different maybe expertise and specialisms that you can bring together to share ideas about different tasks and different ways of approaching problems. I really enjoy your podcast and the webcast and seeing how you guys do that. In terms of everyone being high quality, you can certainly see that and hear that in the kind of things you're putting out. You just sit there with the other members of the group, and I'm thinking, okay, that's my guest list for my next few podcast episodes right there.
Micah Hoffman: Yeah.
Terry Pattar: Because you know, everyone does come from slightly different backgrounds, right? And you bring different skills and experience to the mix.
Micah Hoffman: Yeah. That is absolutely an extremely important point that I've learned over the years doing cybersecurity and OSINT is that the more diversity that you have in backgrounds, in talent, in skill, in passion, and in just gender and race and all of that, the more diversity you have, the more powerful your group can be. Doing cybersecurity things, I can remember thinking about an attack vector and how do we break into this one system or website. And then I would talk to one of my colleagues, and they would say, "Well, why don't you do this?" And I thought, "Why didn't I think of that? That seems so elegant." So taking others' advice, those opinions, and cherishing their input is really, really important to me and to the project. That helps us move forward and make better products.
Terry Pattar: Excellent. Do you find also that everyone within the group or the collective or the general community, I suppose, getting their input helps you get across what has become this sort of ever sprawling nature of open-source information, that we're looking at so many different platforms or types of information? It's a lot of it being unstructured, a lot of it being in maybe different languages or coming out of different countries, people in different countries and regions using the same platforms but differently. How do you see that helping in terms of that collective?
Micah Hoffman: Oh, it's incredibly important. As you mentioned, well, as I mentioned, the diversity of people and their experiences and their work helps to broaden all of our perspectives. When you have somebody like Dutch OSINT Guy or Technisette who have been in law enforcement or Ritu Gill, who's also been in government, they approach OSINT with certain targets, certain subjects in mind. Whereas other people like Sector035, who's an amazing person at geolocation and chronolocation, he has different skills. When he and Dutch OSINT Guy and Technisette and myself and Kirby Plessas, when we all get together and I bring cyber-y things or command line tools and they bring some other things, there's almost nothing that we can't do. I think having that well-rounded team that supports the differences that others bring to the table and leverages those is one of the most important things to becoming successful.
Terry Pattar: It's like the Avengers of OSINT.
Micah Hoffman: Yeah, yeah. Very much. Oh, I'm so going to steal that from you, Terry.
Terry Pattar: Oh, take it. That's so cool.
Micah Hoffman: Nice.
Terry Pattar: Do you think that with some of the government organizations or clients that you've worked with or others in the collective may have worked with in the past that there's a natural issue there in that if you are a US government agency or a Canadian government agency or a British government agency, you naturally have to rely on employing nationals of your own country, and it's harder to get those different perspectives when you're looking at an information space which is so international, it's so diverse and complex? I don't know. Is that something you find coming up, whether it's in the training or the general questions you get from some of the organizations you work with?
Micah Hoffman: Yes. Virtually on day one, people raise their hand and say, "So I have these documents that I don't speak or I don't read that language. How do I translate that or how do I understand what the meaning is?" That can be extremely important to organizations.
Terry Pattar: I mean translation is... Yeah.
Micah Hoffman: No, yeah.
Terry Pattar: I'm always being asked about exactly that.
Micah Hoffman: It's really, really hard sometimes too. I love listening to the students that come into my class and hearing their stories and their challenges. Again, it makes me a better person. I had one person that was in class, and she was working with a government agency doing translation. She said she's a native language speaker of a certain part of the world. And the government organization that she worked for got a translated version from a translator, a linguist, of a document that they had found out there in a certain area of the world. She looked at it and said, "Well, while the words are translated correctly, the intent and meaning behind those words is totally lost because the classical translator missed the underlying meaning of what some of these words and phrases go together."
Terry Pattar: Interesting.
Micah Hoffman: But unfortunately, a lot of us don't have access to linguists and to people that are born from those countries or speak those languages that we want to research, so we do have to rely on computers and translating apps and things.
Terry Pattar: Yeah. No, for sure. That's one of the questions that crops up regularly, I would say, in the training I deliver certainly is, "How do we get on top of content in other languages if we don't speak those languages?" I think if people are relying on free translation tools, there's a limitation there in terms of what they can achieve without going out to translation services or getting the right linguists involved. As you've described there, I think sometimes with linguists there's also a generation gap. When we talk about open-source information, particularly online information, we're dealing with multiple generations and people using information differently across those generations. It could be something as simple as slang. Slang changes and adapts. If people are unfamiliar with how... Well, I'd say particularly on social media, and I think if people are unfamiliar with that, it can be difficult for them to perhaps translate some of that content.
Micah Hoffman: Yeah. You bring up an excellent point that I hadn't really thought about before is that the platforms that the young people are using are different than the ones that are more entrenched. In fact, some of the older generations that we're finding may not even use the social media to go ahead and get their messages across. They might have other people get their messages out. But understanding what they're saying and what it means is incredibly, incredibly important.
Terry Pattar: In terms of the OSINT Curious Project, so where do you see it going next? I mean what are the plans? Is it carry on doing what you're doing, or are there any other sort of plans for things coming up?
Micah Hoffman: Well, we just went through our first growth. We celebrated one year back in December. We grew. We added five new people onto the project as advisory board members. And we are churning out some amazing information now. As far as growth, unfortunately, we are one of the victims of the coronavirus outbreak in that our next step was to generate a little bit more revenue for our organization by doing in-person training. We are scheduled to still give a training in June at the Layer 8 Conference in Rhode Island, the OSINT and social engineering conference, if that conference still happens. But we were going to do some of these one-off trainings to bring our low cost or no cost training to the people that are really hungry for it. But I think right now we're going to be sticking to things on the internet and virtually.
Terry Pattar: Okay. Would that training be aimed more at people who are beginners in the field or people who are more advanced, more experienced?
Micah Hoffman: This one specifically is aimed at the beginner. However, I don't know if you've experienced this too, but when people say, "What does the beginning OSINT class look like?" Whether it's one that OSINT Curious is teaching or somebody else, I always am hesitant to answer because I know that there's certain skills that are core skills to OSINT, and I can teach those. But sometimes the depth that we go into any one of those skills, like a good example is Facebook. Facebook, what does an OSINT 101 class or a beginner class look like in Facebook? Are you decoding the basics, the four URLs? Are you messing with the JSON? What does that look like? We've billed this as a basic class or an entry-level class that anybody can use, but it's definitely not an easy class.
Terry Pattar: Interesting. So people have to have some sort of technical experience or expertise and to be at least familiar with using IT to a certain extent, I guess.
Micah Hoffman: I think you're right, yeah. You have to have that core competency of okay, I can get around on a system and do things, but that's what we usually start with is how do we navigate. I don't know if in the training classes you've conducted or been in, a lot of the ones that I've seen, people will use a virtual machine for that. And getting people that have never been in Linux into a Linux system to do their virtual machine work is sometimes a culture shock in and of itself, so lots of things to learn.
Terry Pattar: There was a couple of things that you touched on there. One is that when people and some of the organizations that we've talked to in the past, when they want, say, training on open-source intelligence, they sometimes view it through the same prism as all of the other training that they develop and deliver to their staff. They want it to be progressive, so they may want a program or training that goes from basic to intermediate to advanced. But it's really hard, I think, with open-source intelligence as a field to divide it up like that.
Micah Hoffman: I agree.
Terry Pattar: Yeah. I think in some ways you almost want to have a, okay, here are the OSINT fundamentals. Then now let's do a specialized session on this one particular area or this one particular area. So rather than a progression, I guess something more like a sort of small network of courses that people can then select from which ones may be more relevant to them.
Micah Hoffman: Yeah. I agree. Actually, on the OSINT Curious website, we've actually got what are called 10 Minute Tips, which are a series of videos that are essentially a video library that show all these different tips and tricks for doing OSINT, for learning OSINT skills in 10 minutes or less. Each one's a 10 minute or less YouTube video. Some of them go to 12 minutes, but they're free videos that are out there to create that library where people can create their own custom learning environment.
Terry Pattar: Yeah. And it's one of the challenges, I think, in this field is that the learning is more dynamic in some ways. Because how do you find with those videos... I mean how often do you have to update them?
Micah Hoffman: Yeah. Sometimes pretty often. Sometimes the techniques are the techniques. Using the ExifTool on the command line to extract metadata from a file is pretty standard. It's been the same way for years and years. But yeah, I did a 10 minute tip on doing things with TikTok, and I don't know if TikTok saw the video. But within a little while, probably a couple months of posting it, people are starting to comment, "Hey, this doesn't work anymore." Oh, yeah. Well, yep, we have to update it. You're absolutely right.
Terry Pattar: Yeah. Something similar happened to some of my colleagues at Janes once. I think we wrote a piece of intelligence on a military subject, let's just say, that relied on... Actually, it was published in one of our magazines. That relied on some information from a webcam that was an open webcam. Yeah. A couple of months later, I think it was, that webcam went offline. So yeah, I don't know whether they do monitor these things and change and adapt based on the stuff we put out there. Do you find actually in some instances that you've got to take that into consideration when you're publishing tutorials or things like that openly that you don't want the techniques that you're helping people learn to be used for nefarious purposes, let's say?
Micah Hoffman: Well, it's not only nefarious purposes, but it's also we don't want them shut down-
Terry Pattar: Right.
Micah Hoffman: ...by publishing something or a tip or something that shows sometimes a weakness or a flaw in a website or a lack of security in an area and then the website finding out about it. A good example was start.me pages, technisette.com.
Terry Pattar: Yeah. Yeah, they're fantastic. They're some fantastic dashboards.
Terry Pattar: Interesting.
Micah Hoffman: I posted this out on a tip. I'm like, "Hey, did you know that you can do this, this and this and get the email address?" Somebody tagged the start.me people. They're like, "Oh, that shouldn't be that way," and they killed it right then and there. Part of me is like, "No!" But part of me is also kind of happy that the world's a little bit more secure and safe.
Terry Pattar: True. I mean for those who aren't familiar who might be listening, the start.me platform essentially allows people to create dashboards of links or bookmarks, which can be really useful collated resources. Particularly on open-source intelligence, there's quite a number of them. I suspect looking at one or two of them that some people have created new ones that have just copied previous people's ones. I'm sure there are people out there who create dashboards on that platform who might be feeling like they've been ripped off, but it's a great resource. And there's some really good ones. You mentioned Technisette and there's multiple others that give really useful collections of links that are fantastic. When you're searching for an idea, I think, of how to approach a problem, you're not sure what resource to use, you can dip into some of those and see what resources might be available.
Micah Hoffman: Yeah.
Terry Pattar: I take it that's something you use. You use some of those regularly?
Micah Hoffman: Oh, absolutely. As you know, I'm over here in the United States. And when OSINT investigations go outside of, well, my comfort zone, my understanding, whether it travels into the world of dating and sex or it goes into cryptocurrency or it goes into radicalization and terrorism, I know that there's Emmanuelle Welch's start.me page out there for the dating and sex. I know that there's Lorand Bodo's out there for the radicalization and terrorism stuff. And Bruno Mortier's osintframework.de, the start.me page that allows me to explore and understand what else is out there instead of just googling for dating sites in Korea or whatever. It really helps to categorize that and to launch my investigations.
Terry Pattar: Let's face it, that kind of Google search is going to really change... It'll change the adverts you get for the next few days.
Micah Hoffman: Yes, absolutely. Yep.
Terry Pattar: Yeah. Okay. That's some great stuff. I was also going to ask you about some of the training. I know we've touched already some of the training work you've been involved in, but a lot of that is with SANS. You had the big SANS conference earlier this year. How did that go?
Micah Hoffman: Oh, it went fabulously. This was before the virus had taken its toll on our in-person classes. We had over 130 people come to Virginia and listen to some amazing speakers from all over the world come and talk about OSINT for a day. It was inexpensive. It was a great networking environment. I heard the best things from students, from the speakers, and from everybody. Next year, virus willing, we're going to go ahead and... Is that a saying now? I think it should be.
Terry Pattar: I think it's going to be, yeah, if it isn't already.
Micah Hoffman: So virus willing, we're moving to a two-day conference. It'll be 100% OSINT. It'll be over here in Maryland in the United States. We're very excited about it. Conditional on the world events, but we're really excited about all of the things that it's going to do. Because we'll get bigger, we'll get more content in there. Really, I mean, Terry, I love the fact that many more conferences are starting to recognize the power of OSINT and accepting those talking points.
Terry Pattar: Yeah. There seems to be many more events that are specific to OSINT that keep popping up, I think, at the moment.
Micah Hoffman: Yeah. Are you finding that as well?
Terry Pattar: Yeah, definitely. I would've loved to have come over for the SANS conference actually. I was hoping to be there, but time is difficult to manage in the best of circumstances. But with all the different events that are coming up actually, it's hard to make time for all of them now, I think, more so than maybe a few years ago. So yeah, from the SANS conference perspective, are you aiming at a particular audience or is it anybody that's interested in OSINT? Because I know from SANS' background and perspective that it's more kind of cybersecurity focused, but is that still the core audience or are you looking for a broader audience than that?
Micah Hoffman: That's a very astute observation there, Terry. What I've tried to do is create... Well, I grew up with the cybersecurity community where we would support each other. We would share things, whether it was exploits or defense or just ideas. We would share them publicly with whomever wanted to contribute. A lot of the steps that I've been working on in the past couple of years have been to create that type of community within OSINT, within the OSINT world where whether it's the OSINT Summit, the conference we were just talking about where we're sharing for a low price. I think it was $175 this year. It's some excellent quality content. Whether it's OSINT Curious and we're sharing content and bringing the community into our webcasts, or whether it's a LinkedIn group that I just created with SANS called OSINT Community on LinkedIn where people can come together and share ideas and ask for help and really just explore the field. My training class, the SEC487, SEC487 class, the OSINT Summit, it's all meant for anybody to come in. And even if you have no knowledge of OSINT, if you can use a computer, the talks will reach you and the content will help you.
Terry Pattar: Okay, great. Yeah. You mentioned obviously there's other events coming up. There's the Layer 8 Conference you mentioned earlier. Any others that you're involved in or looking to attend?
Micah Hoffman: Yeah. Actually, again, as long as everything works out, I've been... I don't know if I can say this. Oh well, I'll say it. I've been accepted to speak at the OSMOSIS Conference in San Diego, California.
Terry Pattar: Oh, great. Okay, fantastic.
Micah Hoffman: In October.
Terry Pattar: That's later in the year. Yeah, October. Right, right. Yep.
Micah Hoffman: Yeah. So I'm looking forward to that as well.
Terry Pattar: Excellent. Is that again aimed at a more technical or cybersecurity audience or is that more broad than that?
Micah Hoffman: I believe it's more broad. This'll be my first year there. The way it's been described is there's a lot of people like private investigators, some law enforcement, as well as just anybody that wants to come as well.
Terry Pattar: Yeah, okay. Great. Just thinking about that sort of, again, the breadth of open- source intelligence and where it's at at the moment and where it might be going next, what kind of challenges have you found in terms of the changes that may have taken place in the information landscape over the last couple of years? How do you view the current sort of state of the art when it comes to open- source intelligence?
Micah Hoffman: The most important thing that I get across to my students or in the webcasts or whatever is the understanding of how things work so that when our favorite tool, our favorite technique fails, we can break down whatever the changes are and figure out how we can still achieve our OSINT goals. When Facebook did their big changes last year and it totally threw everybody for a loop, there was a core set of people that said, "Okay, this is what the new normal is. Let's go ahead and try to figure out what this is and how this works." That's what I try to show my students. In our OSINT class, one of the things that we talk about is using tools like CyberChef and using the web developer tools within the browsers to look at the data. We dive into JSON content so that hopefully the changes that happen in the future, while they might shake some of the known techniques and some of my students, majority of the students will be like, "All right. I'll be resilient here. I can get through this." And they will be able to continue on with their mission. Yeah, we get temporary setbacks or maybe even permanent setbacks. Like with the Facebook content, I don't think we've gotten back all of the functionality that we had with the prior graph search. I think there's a lot we still can't do, but this is the new normal.
Terry Pattar: No, it's interesting. Do you find that in some ways some of that content now, we can't really consider it open-source information anymore and that actually in some ways the scope of what we're able to do, although you said you can go right up to the limits of what's now possible, but do you find that we're perhaps in some ways losing some of the ability that we had before in terms of at least the availability of information?
Micah Hoffman: It depends. I really think it depends. One of the first things I talk to my classes about is what is open-source intelligence in their perspective. Their perspectives are really interesting. Within the classic military or law enforcement, they have one view, whereas other people are like, "Yeah. I'll create a user account on some random forum and then I will go in there and start to interact with people." And other people in the class are like, "That's not OSINT. That's social engineering or that's infiltration." I think OSINT as a field is very gray and gradient depending on your perspective.
Terry Pattar: It's an interesting way to put it, yeah. Yeah. Well, yeah. I think we're certainly seeing things moving to a point where actually I wonder if at some point people will make a harder distinction or a harder definition for it. I know certainly in the UK law enforcement agencies, government agencies use this kind of five-level system and the key distinction comes in probably between level two and level three. And up to level two is where they're trying to still stay anonymous or covert in the research they're doing, so they're not giving away who they are and what they're doing. Then level three is the point at which they can then create logins for platforms and things like that to access more information. But I think in that sort of model of... In that way of conceiving of open-source information, at some point what was previously considered open source or part of open-source intelligence as an activity, at some point it moves into perhaps what is more online human intelligence once you start engaging. I guess that's if you're coming from that kind of government background. Whereas if you're coming more from an investigative journalism background, that's probably just journalism.
Micah Hoffman: Yes, yes.
Terry Pattar: It's reaching out to contacts, speaking to them, speaking to originators of information on social media. Yeah, I guess it totally depends on where you're coming from and what restrictions you might have in place, whether it's policy or legal based. But yeah, because we've been discussing this topic a bit at Janes over the last 12 or 18 months or so and talking about how, especially with those changes that came in from some social media platforms last year, but even before that we wondered, has there been a golden age of open-source intelligence in a way with sort of the bursting through of a lot of these social media platforms and the growth of online information for 10 years or so, maybe mid-2000s to last year or just before last year? And are we now seeing a bit of a constriction of information not just in terms of what the platforms or social media in particular, what they're doing, but also in terms of the general move towards greater data privacy, information privacy, whether that's through regulation or changes in people's own behavior. I don't know. Is that something you're also seeing as more of a challenge that when we are either losing tools or access to information, that's not the full picture? Some of it is actually people changing their behavior. Has that affected your work at all?
Micah Hoffman: I think so. I think so. I always talk about the inverse relationship between privacy and our ability to perform OSINT, right? Because the less private a person is, the more public information they have, the more information we can grab via OSINT techniques. As they increase or as the platforms they use increase their privacy, our ability to perform OSINT on them directly drops dramatically sometimes and we're forced to go ahead and look at their friends, their coworkers, if we're dealing with human targets. So absolutely, these types of changes and security does impact the work. However, if you look at the platforms that have started coming out, well, there's almost a security maturity model that we're seeing. You look at Facebook. Like you said, we had a golden age there for many years, right, where we could find these amazing, amazing intersections of people doing things. Now that's matured and we're seeing less of that. But I mean, you look at emerging platforms like TikTok, and when they first came out they're like, "Hey, use us." And if you looked at the information that was being shared back and forth, there was a huge amount of information that was not private at all that was shared with every TikTok that was posted. I think it really is similar to just software development. Let's get the features out. Let's get people using our platform and we'll worry about security and privacy on the back end.
Terry Pattar: Yeah, interesting. Interesting. I guess that's not going to slow down. I think we'll probably see more and more platforms popping up and becoming popular at different times. So yeah, it'll be interesting to keep an eye on that, and I think that's one of the things that for OSINT practitioners, we're continually having to stay on top of what are those changes and what new tools and platforms are people using and where is the information? Where is their new information suddenly cropping up? Where is the information landscape expanding into even if it's constricting in certain other places? Yeah, it's a really interesting point you made there, actually. I think sometimes it is easy to focus on where we're losing information and not think about where we might actually be starting to get more information in other places.
Micah Hoffman: Yeah, yeah. I think there's always going to be opportunities. I look at it as kind of a cat and mouse game where as Facebook tightens up their privacy or as users on the Facebook platform tighten up their privacy, just using Facebook as an example, of course, it challenges us to work harder to still gain access to the data that we need to legally and ethically. But it's always going to be a race to figure out who can secure versus discover information to help us achieve our goals.
Terry Pattar: Yeah. For sure, yeah. Yeah. Do you see any other sort of future developments or other trends occurring right now that you think people working in open-source intelligence should be tracking or be aware of?
Micah Hoffman: Well, the dark web was really, really interesting for a little while, but I think what we talked about earlier is really coming to bear where people are realizing that a lot of the marketplaces, the groups, the forums that were on the dark web are moving to the surface web. I think social media is going to continue to provide us a huge amount of information overall in social media, everything from Telegram groups to... As we were just seeing, if people don't have Twitter accounts, if OSINT investigators don't have Twitter accounts for just watching what's happening in the world, I highly suggest that people get them just to follow the hashtag OSINT. Because I've been just watching that over the past couple weeks and seeing that some of the screen snap-shotting apps that people use are publishing the snapshots that people are taking on their systems publicly.
Terry Pattar: Wow.
Micah Hoffman: So you can essentially Google some of these snapshots. So there's always going to be opportunities. Now, whether those opportunities-
Terry Pattar: That sounds a little crazy. I mean that's-
Micah Hoffman: It does.
Terry Pattar: Yeah, wow.
Micah Hoffman: I mean it's all over Twitter. The question becomes, Terry, is do those opportunities to find things using these new techniques like screenshots, does that intersect with what my target is doing? Is the person I'm tracking taking screenshots using that platform? These are the kind of things that we're going to constantly be going through in the coming months and years. But if I had to look at my crystal ball, I think what we're going to see in the OSINT world, and I'm hoping to be kind of an instigator of this, is coming together on core things like methodology, like other things like process. We're never going to all agree together on a single process for doing OSINT because we have so many different drivers that challenge us to grab this OSINT data, yet we still can come up with some kind of overall community-driven process. I think that that's going to be one of the big focuses of 2020 for me and some of my friends, so keep looking out for it.
Terry Pattar: That is a very intriguing idea. I really like that idea, and that's a great point in terms of I often find that when I'm working with people or training them or coaching them in how to do open-source intelligence, their focus is overly sort of, I guess, zoned in on the information sources themselves, just a particular set of sources, or it's about the tools and their focus is on the tools. I try and get them to take a step back from that sometimes and say, "Okay. Well, let's actually think about the process and the methodology you're using to actually go about achieving your objective. What is the objective of your research here or your investigation," or whatever it might be. I think sometimes that people lose sight of that, or they think, okay, doing that is actually a little bit too basic. And especially when they get given a question or a requirement on a topic they know really well, they'll just, and I guess it's human nature. I probably still do it to some extent. I'm sure others do it. You just sort of dive straight into the researching and trying to gather the information without actually thinking about how you're using it or how you're putting it all together. I think that's definitely an area where actually you find if you get people to be more structured in the way they do it, they will achieve the biggest gains in terms of efficiency rather than focusing on learning about where there might be more resources out there or different tools and things like that. Yeah, I'm definitely intrigued by that idea. I think it'll be interesting to hear more about that and see how you guys progress on that this year.
Micah Hoffman: Well, yeah. I think you're absolutely right that there is a huge focus on tools and on websites instead of the actual techniques. I did a talk at DEFCON's Recon Village two years ago on all of the different problems that we have within... Well, some of the different problems that we did in the OSINT world, and one of them was I went through all of the links in technisette.com and osintframework.com and osintframework.de and all these different sites and essentially showed that hey, there are hundreds, or in the i-intelligence PDF resource there's thousands and thousands of URLs that we push out. And we get people to think, "Hey, these are the places you need to look." The challenge is none of them are qualified. None of them are quantified. We don't know what they're good at, what they're not good at, if they're paid, if they are trials. So I think what we're going to come together on, or I'm hoping what the community starts coming together on is those core resources that we can decide, these are solid ones and this is a solid process that uses those resources or whatever resources are important to us. I'll just finish with one last thing.
Terry Pattar: That'd be great.
Micah Hoffman: I created a website called Yoga, Y-O-G-A, .osint.ninja. What yoga.osint.ninja does is it doesn't tell you specific resources of what to do or what to use, but it does show you, hey, if I have this type of information, like an email address, then you click on the email address little icon and it shows you, you can do a who.is search or a social media search. It gives you that next kind of process step. I think that in the coming year I'd like to really bolster that out, not necessarily on Yoga but in other methods, in other ways of saying, "Hey, if you have this, try these different things to further your investigations."
Terry Pattar: That sounds fantastic. Yeah, that sounds really good. I mean, I think there's a whole other podcast episode to be had just on picking... Well, A, on picking that URL name, yoga.osint.ninja. It just sounds fantastic, but also, yeah, just in focusing on what you just described there in terms of the processes that people are using. So yeah, no. I look forward to hearing more about how you progress that and getting inputs from others and seeing how that develops.
Micah Hoffman: Cool. Well, yeah. It'll all be on Twitter and on OSINT Curious.
Terry Pattar: I have to say, yeah, I do find the hardest challenge in OSINT is keeping up with the other OSINT practitioners and actually getting the benefit of all of the knowledge and expertise that are being shared, especially on Twitter. Yeah, that's a job in itself.
Micah Hoffman: It is. And man, I suffer from something called imposter syndrome where I just, I highlight the deficiencies in what I don't know or the gaps in what I don't know. So when Nicks Intel or MW-OSINT or Sector035 publishes something like, oh man, that is amazing how he did that. I should know that. Why don't I know that? Then I divert my learning from what I'm supposed to be doing to that. But yeah, there's so much great information being shared nowadays. I think that this is the golden age of OSINT as far as community and information sharing, maybe not necessarily as far as information retrieval from certain social media platforms though.
Terry Pattar: Yeah. That's a really good point as well. I think for us at Janes, I mean that's one of the things we really wanted to do with this podcast was just connect with other practitioners and get some ideas and thoughts from people outside of our sort of relatively narrow field. In terms of looking at defense and the government space, for a lot of them, they've maybe had that more traditional mindset around OSINT in the past, but how can we adapt if we broaden that out and how does that change how we practice open-source intelligence? Yeah, this, as you said, golden age of sharing ideas amongst OSINT practitioners I think is really beneficial for everybody. So yeah, long may that continue.
Micah Hoffman: Yeah. I don't know if this rings true with you as well, but what I'm finding is the word OSINT is not something that a lot of people know. They do OSINT work, like recruiters and sourcers. I tell this story to some of my colleagues and students that I spoke to a recruiter that was trying to find people to fill job requisitions. I said, "How do you find people?" And she said, "You can't tell anybody this, but I use Boolean searches." Like, "Well, what's a Boolean search?" She said, "You go to Google and you type in penetration tester or incident responder." I'm like, "We've been doing that advanced Google Dorking since 2001." She said, "No, no, no. It's not Google Dorking." I was like, "Well, it's OSINT." "No, no, no. It's Boolean searches." I think getting the word out about what OSINT is or understanding what OSINT is within different areas is going to help broaden our overall capability.
Terry Pattar: Yeah. I love that. That's a great story. Yeah, this has been great talking to you, Micah. I'd love to continue the conversation another time. Hopefully, maybe once we are post-coronavirus, maybe we'll meet up at a conference or something in the future. But in the meantime, I look forward to continuing to benefit from all of the knowledge you're sharing at OSINT Curious. If there's anything we can assist with at Janes, then do get in touch. I'll hopefully be, perhaps, in contact with some of the other Avengers of OSINT Curious to get them on to some future episodes as well because I know they all bring their own individual experience and skills and background to the field. So yeah, I'd love to talk to the rest of the group at some point too. But yeah, thanks for joining us. It's been a real pleasure.
Micah Hoffman: This has been terrific, Terry. I'd love to come back on again post-virus or whatever or in the future. Had a great time with you.
Terry Pattar: Thanks for joining. And for everyone listening, do check out our other podcast episodes. And get in touch and let us know if there's anything you'd like us to feature on the Janes OSINT podcast. Please leave a rating on Apple Podcasts or on your preferred podcast listening platform. And for more information on how we can help with OSINT training and development, go to janes.com/osinttraining.
DESCRIPTION: In episode 8 Terry Pattar, head of the Jane’s Intelligence Unit, is joined by Micah Hoffman, president of OSINTCurio.us.
They discuss the current state of the art in OSINT and how practitioners are adapting to changes in the information environment, including their experiences with OSINT training and the raft of current OSINT tools, as well as the sense of community and advice-sharing within OSINT.