“100 points for email address,” one of the judges for the competition types into Slack. “3 x 200 points for those pictures. 600 total,” they continue.
Attendees of the annual DEF CON security conference are competing in the event’s first open source intelligence (OSINT) capture the flag (CTF), run by non-profit TraceLabs: a challenge to hunt down public, albeit potentially hard-to-find, information on particular targets. But unlike other capture the flag events, this isn’t a game.
Instead, the targets are real missing people. The information the hackers are gathering is authentic, and the intention is to provide it to the authorities to help track down the subjects. At a previous event in Toronto, participants successfully found the location of two people, Robert Sell, the founder of TraceLabs, told Motherboard at DEF CON last week.
“There’s a lot of people in the infosec industry that really enjoy doing that; enjoy that investigative adventure,” Sell, who has volunteered for around 10 years in search and rescue, a very old-school, gumshoe style of investigation, said in a follow-up phone call. But Sell works in IT for his day job, some of which includes OSINT. “I really wanted to bridge that gap and bring OSINT into search and rescue,” he said.
Last Friday at 9AM, Sell and other judges for the CTF opened up several TraceLabs Slack channels for participants to log in and receive the targets. Motherboard joined those channels during DEF CON: One was for a missing child and his mother; another was a missing woman from North Las Vegas in her 40s; and a third was a Toronto man who vanished.
As Motherboard jumped between the channels, participants quickly found physical addresses, social media profiles, family members, frequented locations, aliases, IP addresses, and other pieces of information that may be useful in some instances to investigators, and then pasted them for others to see.
“It was fully transparent. We wanted teams to learn from other teams, and not have redundant flags,” Sell said, referring to the flags in other CTF competitions, such as a code to crack or target to exploit. Participants were awarded points for each relevant, verifiable and new snippet of information they uncovered.
The CTF does have strict rules: all the information must be publicly available. Contacting the target themselves, or their family or friends results in disqualification. This includes friending them on Facebook, or commenting on any of their social media posts. The hackers can’t use passwords to enter accounts either, even if the login credentials are publicly online.
“We’re not the police, so we’re doing zero 'touch.' We’re not going to go talk to anybody, we’re not going to go phone the hotel, we’re not going to ask for their CCTV, we’re not going to do any of that,” Sell told Motherboard. “We’re strictly looking for public information.”
And although the event was linked to DEF CON, those logging on didn’t really have to be attendees; anyone could remotely tap in for the search.
Sell said hackers didn’t manage to find any of the targets this time (the challenges were particularly difficult to make up for the number of people who may log on and dig for information), but at an event held in July in Toronto, participants did find the locations of two people: a missing sex worker, and a man who disappeared without telling his friends or family.
After talking to police, Sell realized some don’t do a lot of OSINT either, despite how useful it may be to them. Authorities may not have the resources, training, or capacity to carry out these sorts of open-source investigations. That’s where crowdsourcing comes in—Toronto police came to the event, and received the information a group of hackers collected.
“The Toronto police are very open to new technologies and new approaches,” Sell said, adding that he has spoken to the Royal Canadian Mounted Police (RCMP) about the project too. The idea is to formalize the process further, especially with providing guidance on what is in and out of scope for the OSINT investigations.
Doing the exercise as a CTF-style event at DEF CON was more of an idea to try out, Sell explained. But it will likely be appearing at other conferences too, soon.
Some people kept going even after TraceLabs formally closed the event.
At midnight on Saturday, Sell and team told participants they could stop and that points would be tallied. "Nobody stopped," Sell recalled. "I was kind of confused."
The hackers seemed to not really care about the prizes. “They’re still working these cases,” Sell said.