In the world of cybersecurity, not all information is power.
In fact, “only the right amount of the right information is power.” Too much information can easily lead to sensationalization of the threat and this can overwhelm even the most concerned audience. Bewildered people rarely consider actionable steps that can improve their security posture, because they have to use their resources to make sense of all the details coming towards them.
That’s why leaders in the cybersecurity community need to take an empathetic approach while disseminating information on the platforms available to them. It shouldn’t be about getting the most attention - it should be about creating a far-reaching positive impact.
Our guest today is Baptiste Robert, a cybersecurity expert and founder of Predicta Lab, where he focuses on fighting disinformation. He’s been an active contributor to the field for many years and has a lot of experience with the best ways to identify and counter disinformation tactics.
In this episode, you’ll learn about how Baptiste practices empathy in his role as an ethical hacker and the area of impact he has chosen to concentrate on. You’ll also learn some important tips that can help you in identifying online scammers and misinformation. Additionally, he’ll share with us one of his success stories and the impact he hopes to have on the cybersecurity community.
In this episode, you will learn:
How Baptiste uses empathy to fight disinformation (01:12)
How he finds the balance between being informed and avoiding overwhelm (05:13)
Most people’s reaction when they realize they’ve been attacked (16:45)
Tips to detect and avoid scammers online (23:44)
Baptiste Robert is a French cybersecurity researcher and ethical hacker who operates under the pseudonym fs0c131y and who notably highlighted the weaknesses of the Tchap software.
In 2017, by exploiting the operating system of his OnePlus smartphone, he discovered a flaw that allowed him to take control of the device through an Android application, EngineerMode, which was protected by a default password. He shared his discovery on the Internet and challenged the Chinese manufacturer, which faced an outcry and removed the application in question via an update to the operating system.
In 2018, while looking for vulnerabilities, Baptiste discovered that a mobile application, NaMo, that let people follow the news of Indian Prime Minister Narendra Modi, was sending users' personal data to an American company without their knowledge.
The communication of this discovery led to a political crisis: the opposition to the Prime Minister, led by Rahul Gandhi, demanded a debate in Parliament.
In 2020, he discovered two security flaws in Aarogya Setu, the Indian mobile application used for contact tracing to fight Covid-19.
Today, Baptiste mostly focuses on fighting disinformation but also continues to do security vulnerability research.
[00:42] Dave Smyth: In today's episode, Andra talks to Baptiste Robert, an ethical hacker and founder of Predicta Lab. The conversation looks at various aspects of open-source intelligence, what OSINT is, and the roles it can play along with the emotional impact of working in this space. Baptiste also shares some great practical ways we can all use OSINT principles to protect ourselves online. Let's get to it.
[01:12] Andra Zaharia: Baptiste, it is an absolute pleasure to have you on the podcast. It is an honor and a privilege to be able to talk to you and to talk about such an important topic, not just for this particular moment, but for our lives in general. So, thank you so much for making the time to be on the podcast. And I wanted to start by asking you, how do you practice and encourage empathy in your work to find this information? Because I think that most people do not see this dimension of emotional labor to the work that you do.
[01:45] Baptiste Robert: First, thank you for the invitation. It's an honor for me to be on this podcast. I'm really happy to be here. So, cyber can be of a complicated space in terms of emotional and especially innocent, for example. Because when you are looking for images, when you are working, for example, for cyberwar, when you are doing incident response, you are directly going to the client – the situation can be very nasty, and it can be super complicated for the client because the client has been attacked all these systems. He can do anything, he can see all the business issues you will have. So, under the technical situation, for sure, you are a cyber expert and you have to understand the situation, understand what happened. But also, you have some ideas of that side of the screen, you have some humans and you have to work with them, you have to understand the situation and take this into consideration when you are doing your technical job too. It can be very complicated, so in my opinion, this is for the cyber path but also for the OSINT path. And this is something I'm really focused these last months or years. It can be super complicated when you are working on a specific topic. For example, right now, we have an ongoing conflict in Ukraine. You can see some very bad pictures. You can see some fight, some dead body, some stuff like this, and you are alone in front of your screen. In terms of emotion, it can be super complicated. And this is why you need to have a specific hygiene, you need to stand up sometimes to get out of your screen sometimes, to look at the sun, and most of the time to take care of who is around you because a lot of us are working from home at the moment. You cannot do anything if you are in your living room, your kids are around, and you will not watch not-so-good videos. So, to sum up, I would say that we are technical people, the first thing in cyber this is a technicality. Most of us are fascinated by this. 
We like some technical challenge, we like to find a solution to a very complicated issue. But we also have to understand, I think this is something which is missing in our field, we have to understand that these systems, in general, these computers are used by humans, who are, most of the time, not technical at all, who don't care about the techniques at all, and they just want to have something which is working. And when something is not working, when the situation is bad, they don't understand and they panic. This is a normal human reaction. But as technical people, as people who have some knowledge, we have the duty to take this into consideration to just pause what we are doing and to explain what we are doing, what is the situation, in simple words.
[05:13] Andra Zaharia: I really appreciate you emphasizing that. And I wanted to just bubble up to the surface two things, two very important things that you mentioned. First of all, this idea of explaining things. I found that the most empathetic kind and generous people in cybersecurity take a lot of time out of their personal schedule and they invest a lot of energy into explaining things for other people: How they work, how they think, how they do their work, how they cultivate their knowledge and skills. And this is, even for me, as a person with a non-technical background working in cybersecurity, this has been one of the biggest and most important resources for learning and for also developing this commitment and this emotional attachment to this kind of work and finding meaning in it and connection to other people. So, I think that this is incredibly important, and I'm very thankful to you and everyone else who does this. And the second aspect that you mentioned, that I think is very important, is to have this hygiene, this focus on our mental health to be able to keep our rational thinking, our critical thinking, and to maintain a balance between being informed but not being overwhelmed, because overwhelm never leads to good decisions or clear thinking. So, I was wondering, how do you do that for yourself? Because you, through your work and through your interests, you sift through enormous volumes of information, trying to find patterns and trying to distinguish manipulation from truth in very complex situations; how do you do that for yourself? And where is a point that you started being interested in this journey?
[06:58] Baptiste Robert: I don't think I am a good example, to be honest. I'm working on too many things at the same time. For sure, this is not a good way to do it. But I mean, this is what I choose to do. I do have a lot of things at the same time, but I'm trying to be really organized to know what I have to do. I have a lot of things to do, but I know what I have to do. And I'm trying to add the correct priority on every task I have to do. Of course, I created my own company, I'm working for different companies. Also, I have some clients. So, I have a lot of things to do. But this is a mindset for me. This is all I'm working well with that. Multitasking is the way my brain is connected. I liked to work like this. But for most of the people, I don't think this is a good way to do it. And as you said, even for me, I need to disconnect sometimes, and this is why we have weekends. So, you have to take care of your family, spend some time with the family. And this is super important, to take this time. Also, because we are technical people used to have some personal project. I don't have time to have a personal project anymore, but I am trying to focus on the things that are pretty important. So, for example, I was tweeting a lot these last years. I tried to reduce a lot my tweet frequency, because when I'm tweeting something, I'm trying to have some interesting content, something I worked a little bit on, and something people can learn. I want people to learn something from what I'm tweeting. And so I'm trying to be useful to focus my time on what is important and to balance everything. But again, I'm not a good example of that.
[09:04] Andra Zaharia: Honestly, I think that many of us are not, but the fact that we're striving and that we're constantly trying to improve our process so we can make it as sustainable as we can, I think that that is the best effort that anyone can do. And again, being the kind of a leader in the space that you are, comes with a big burden and it's a big task. So, I can imagine that some imbalance is always present somewhere in our lives. And perhaps this is something that we all feel.
[09:40] Baptiste Robert: The current situation is a good example because we have an ongoing conflict in Ukraine, for example. So, a lot of people in the OSINT community are working very hard to do some localization on videos to try to archive everything; to understand the situation; to try to give some real-time; to collect evidence; to collect videos, images; to try to give a real-time situation. This is just a new thing to work. You have a lot of things to collect. It’s just crazy how many videos, how many images, how many media you have to work with right now. And so I know that some people, for example, stay in front of the screen yesterday at the beginning of the conflict, more than 24 hours in front of the screen without sleeping. And this is not good, this is useful. And I know why they are doing that because when you have the power to understand what is happening, you have the capability, you have the skills to understand a very complex situation; you feel the need, you have like a duty to do something. You want to do something because you have the skill to do it. And this is why you push your boundaries. This is where you push your limits to say, “Okay, I need to stay up. I need to do it right now because I feel this is important.” This is why we need to balance our effort. This is a critical moment but people need to balance their effort, and also to not worship. And this is what I was tweeting yesterday. For example, when you manage to find the localization of a video, you can feel very happy, and you want to publicly publish it. But sometimes you give critical information to the user side. Because, for example, in this conflict, you have two sides. And obviously, everyone is looking at the internet, in general, everyone is looking at social networks. And when the Ukrainian-Russian finds localization of someone on the other side, this is critical information, and this information can be used for real-life with real-life consequences. 
And this is why, yes, we have some skills, we can do some stuff, but we have to take care of what we are doing.
[12:15] Andra Zaharia: Absolutely. And especially because things are so complex and they're so volatile, also ephemeral in the digital space. I think that we think because sometimes technology feels simple to use. We think that it is simple. If we're outside of this sphere and we have nothing to do with cybersecurity and privacy, this information and everything that's going on. But when you take a closer look, all of this complexity comes out of the woodwork. And I think that you did an excellent job at explaining how difficult it is to try to work with all of these nuances and potential risks and unintended consequences that even the people with the best intentions can create without, obviously, wanting to do so. So, I was wondering if you could explain for people who have no connection and have never heard of open-source intelligence, what that is and what principles you try to follow in your work to make sense of all of this data and information? And how people, regular individuals might use these principles to have just a stronger self-awareness and a bit of a more cautious attitude in what they do?
[13:34] Baptiste Robert: So, OSINT is for open-source intelligence. And so you have two parts in this: open-source and intelligence. The first thing people have to realize is you have a lot of personal information, you have a lot of information on the internet. Because right now, everyone has a normal life, you have real life, and you have a digital life. On your digital life, you have some accounts on some social networks, maybe you have some accounts on forums. You posted some reviews of restaurants, for example. So, you did some stuff on the internet. When you did that, you leave some traces behind you. And OSINT, when you are doing an OSINT investigation, you will collect all the traces. If I'm interested in you, I will collect all the potential traces you left behind you, and I will add some intelligence on it. And this is really the keyword. OSINT is not just the collection of information, OSINT is a way to collect the correct information and to add some sense on it; to be able to create some links between the data; to be able to tell a story and to understand what happened. For example, who is the person we are interested in? So if, for example, I'm looking at me, I will find a lot of information about cybersecurity, about OSINT on Twitter, on news articles, these kinds of things. And I will try to understand who is this guy, I don’t know where he is living, what he likes. You will use the internet to collect information, and then you will analyze this information in order to understand a situation. And for example, you have very great examples of OSINT investigation. With OSINT, some people manage to understand some very complex situations like some drug trafficking, some murders; they manage to understand who was behind a malware attack. So, you have a lot of different situations where OSINT can be a key point, in general. And this is what people have to understand: OSINT is only one part of an investigation. 
It’s very, very hard that you can find a solution, you can finish an investigation only with OSINT. But it's always a part of something bigger, but OSINT can be really useful.
[16:45] Andra Zaharia: It definitely is. And I think that when people are listening to this, I hope that they take a moment to pause and use this perspective to look at themselves, to look at their own digital footprint. Many people have never Googled themselves, they have never tried to see what's out there about themselves. But with that objective perspective, with that space, it's stepping outside of yourself and looking at your own identity on the internet as someone else would. Because that is a powerful moment of realization, of really acknowledging that our digital footprint is wildly out of control for most people, and they have no idea how far spread their data is and how much data they're leaving on the internet. And that makes you think because, of course, open-source intelligence is something that defenders use, but that also attackers and scammers use very effectively. And the more data you have, of course, the easier their job is going to be. I mean, the simplest example that I could share right now is that home burglars, actually, look at people's social media posts, and they know when they're going on vacation, for how long, where they live, what stuff they have in their house. Because it's all there, it's all on the internet, so it makes their “jobs” very easy to do, and that makes it very easy for people to do harm. So, I believe in this discipline and its role, and I think that it creates that connection between the more complex technical aspects of cybersecurity and privacy, and the very, very real impact that cybercrimes, scams, and many other types of malicious activity have on people. So, I was wondering what kind of reactions do you get from people when you lead these investigations? What kind of emotional reactions do they have when they realize how exposed they are? And how much information is out there? Do they have an aha moment? Do they change their behavior afterward? What have you seen happen after this process?
[19:03] Baptiste Robert: It can be really different depending on the person I have in front of me. But what we are doing? So, I created a company called Predicta Lab, and what we are doing at Predicta Lab is we created a software. Basically, we have a web app, you just enter your name, or user name, or an email, or a phone number, and we are collecting all digital footprint we have on this particular identifier. So, this is exactly what we are doing. So, to repeat what you just said, people don't realize that there is a lot of information on them on the internet. And so what my first idea was to say, “Okay, they don't realize it, so I will create a tool to show them that we can very easily find a lot of information about them.” When we use our tool for our clients, we just enter the name and find a lot of information, and sometimes, a lot of very personal information, which is public. There is no issue on that, but they gave this information publicly on social networks, in general. And the first reaction was, “Oh, okay, I didn't think that I left that onto 72. I didn't know that it was public.” The more we find information, the more they start to be afraid of what we can find. In general, the main reaction is to be afraid of what we manage to find. Because when we are able, for example, with only a name, to find all your family, and to find that you were with your family at this time, you live here, your personal address is that, you drive this kind of car, these kinds of things; they start to be pretty afraid of the situation. In general, regarding what we are doing at PredictaLab, we are trying to work with some high potential people. So, it can be CEOs, it can be politicians, these kinds of people have a very particular set model. So, they do have some enemies, they do have some people who don't like them. And when we manage to show this kind of information, it can be a big issue for some. 
Because for example, if you're a politician, and someone from the other side, who is a little bit crazy, want to go to your home entrance just to fight with you; this is potentially sad for you. So, this kind of information can be really, really important too. And you need to do all you can do in order to remove this kind of information. What I've noticed since I started to work on that is, in all the different flavors of the sociality, everyone is concerned. I mean, from the President to all the biggest CEO of the biggest company, everyone is concerned. This is not something just for Mr. or Mrs. Everyone. It is really for everyone. We are all concerned, and we have to do this kind of assessment regularly. This is not some one short assessment where you are saying, “Okay.” And doing that in January, and “Now, we’ll see next year.” No, no, you have to do it all the time, and you have to repeat this assessment because you have a real-life, you are doing some stuff in real life, but also you have your digital life. And this is super important to understand that in your digital life, you are doing stuff every day too; you are adding information every day. And so, potentially, you will have more information, more personal information, you will give some key information to your enemies, to your adversary, potentially every day. So, you have to be really careful on what you are writing, what you give to the internet.
[23:44] Andra Zaharia: I couldn't have summed it up better. And I think that this is a very powerful statement. And it does two things. First of all, you rightfully emphasize the fact that it is important for us to realize that once the information is out there, it is much more difficult to delete and to remove from the internet because information travels and it ends up in servers and places on the internet that we have no control over. So, the best thing to do is not to put it out there in the first place. But if we do put it out there, it's good to at least be aware of most of the stuff that we're putting out there sometimes, not all of it, because we are only human and have our limits. But this is important, and I'm really glad to hear that CEOs, and leaders, and people who have some sort of influence and are in positions of power realize that this is important because perhaps this is a trigger for them to develop more empathy for customers of their companies, for people whose lives their work impacts in any way and their decisions affect. And I hope that with this realization and self-awareness comes a bit more kindness and empathy and generosity with what other people go through in case of a data breach involving their customer’s data and other things in that area. I wanted to ask you a particular thing that came up, especially in the past few months, there have been all of these highly publicized stories about scammers of all kinds, Netflix documentaries and whatnot, and all sorts of journalists reporting on all sorts of different scams, very elaborate ones. So, I was wondering, do you think that people could use a couple of simple open-source intelligence principles to figure out if the person on the other side that they're trying to do business with or that they might feel some emotional connection with is a scammer or not? Can these principles be used in the best way to help people find this information in these particular contexts?
[25:52] Baptiste Robert: Yes, for sure. And there are always some methods and some good checks before doing anything. In terms of scams, what people have to understand is: The human nature is we all have the same weakness. I mean, for some people, it will be ego; for some other, it will be money; it can be ideology; and the last one is completion. So, this is what we call the NICE framework. And in general, you can play on one of these four things in order to manipulate someone. For example, if you have money issue, if you owe money to someone, I can play on it. If you need money, I can play on it in order to manipulate you and do what I want to do. Ideology is a very powerful thing, also, in order to push you to do something. At the end of the day, we are all human. And these four things are very useful to manipulate people. And when you have something fishy in front of you, you have to step back a little bit. This is the biggest issue we have right now, is we want to react directly; we want to tweet directly; we want to publish something right now. And we don't take the time to understand the situation, to think about it. And so, for me, this is the main advice I will give is: Step back, think about the situation, try to understand the situation, don't react immediately to the situation, ask questions.
[27:47] Baptiste Robert: For me, cybersecurity is mainly asking the correct questions. And if you ask the correct question, you will have the correct solutions. And for OSINT – and this is why I like OSINT too – this is the same logic, you will ask some questions: I'm looking for something, I'm looking for someone. And what I need to look for someone? I need, first, to look. I need to find where this person is living. Where can I find where this person is living? This is the mindset you have to take. There is an example I’m giving a lot in conferences: When you are at the airport – you are at the airport, you are waiting for your plane, you want to connect to the Wi-Fi. You open your computer, connect to the Wi-Fi, and you will have a captive portal which asks you to enter an email address. So, the first reaction will be, “Okay, you asked me an email address, I will give an email address.” But just pause for two seconds and ask yourself the question: Why do you need my email address? What will you do with that doing? Does it need to fill in my email address to connect myself to the internet? No. Is it working if I give a fake email address? Maybe, let's try. And generally, you will see that if you give a fake email address, it will work. There is no issue to be connected to the internet. So, this is the main advice: Don't react immediately, ask yourself questions. And there is a certain thing people have to understand is because we all have good parents, we have been raised to say the truth. People, in general, don't lie. In real life, this is not good to lie, for sure. But on the internet, this is a little bit different. You have the right to lie, you have the right to change your identity. You have to change your identity regularly. It's not because a website is asking you your phone number. It's not because a website is asking you your email address, your address, that you have to give the real email address. And this is something important. 
If it is not needed for the service, if the website doesn't really need it, you don't have to give it. And if this is mandatory, give something fake, it's not an issue.
[30:39] Andra Zaharia: These are such important pieces of advice. And thank you for taking the time to distill something that's very complex in the background into something that everyone can use, and then use it very simply. Because, yes, I think you've made an excellent point about the fact that we are so used to giving real and true information about ourselves, simply because we believe that that is right. And that is still right, but you do have that right to protect yourself, just like you said, to anonymize yourself a little bit, and to just fiercely protect our identities as they start to fragment and spread all over the place, which has never happened before in the history of human evolution and society. This has never happened before. There were never the means for our personal information to become scattered across the world, literally, even though we can see it. And I think that's what the trouble is with many of these concepts around cybersecurity and privacy is that people do not see them and they're so abstract. They're so far removed from their lives that they don't even realize; “Yes, but I'm not an important person.” “Yes, but I have nothing to hide.” There are all these counter-arguments that people use to just disengage from these topics. And I'm glad that there are many people like you who do this important work of explaining the connections, those unseen connections between their very real lives and their very real presence on the internet because there are no boundaries now. And the internet is not just for play, it is so much for work, for maintaining social stability, and for so many other things that we're becoming aware as we go on. So, thank you for all of these details. And just one last thing that I wanted to ask you is if you could share with us an experience where you felt empathy from other people in your work or in the wider cybersecurity community, and what that felt like. 
I do believe that these are stories that are important for other people to see, to see that there is a lot of kindness, and a lot of help, and a lot of support in these communities and beyond them, because I don't think that we talk about them that often, and the examples here.
[33:03] Baptiste Robert: One of my biggest successes, I think. I was really happy the first time it happened to me was when a young adult came to me during the conference and told me, “Thank you very much for what you are doing. I'm following you for years on Twitter. You gave me a passion for cybersecurity. You gave me the will to work in cybersecurity. And because of you, I choose my studies in this particular area. And right now, I managed to get my first job in cybersecurity.” I'm just a normal guy in France, in Toulouse, sitting. I started all my journey on my couch just tweeting some stuff and doing what I liked. Seven years after that, I managed to have an impact. And what I prefer and what I’m doing is that sometimes in some of the stories I was involved in, I really had a big impact on people’s lives, but also in people's security because sometimes we manage to secure a lot of personal data. This is a weird feeling to know that you had an impact on someone else's life, you don't know this person. Sometimes you tweet something, you publish something, you write an article, you do something; people will read this information, will understand this information and will react strongly to that. This is very different. This is not something you are used to. And when people are coming to you and say, “Okay, what you are doing is really cool. I managed to get my job, thanks to you.” Another example – a very big company in France told me, “Oh, okay, you are this guy. You are Baptiste Robert. We used your tweet in our internet security training because your example was a very good example.” It was a tweet about someone making a mistake in the French government as an example of what people should not do. And this is super cool to know that, directly or indirectly, all your work will be used in order to improve cybersecurity. So, this is pretty cool.
[35:51] Andra Zaharia: It really is. And again, thank you for sharing that story with us. I think I have felt this many times. I’m that young adult that felt that, in fact, for many people on cybersecurity, and it has changed my thinking, and has changed my life, it has changed the way that I see my development as a person. So, I applaud both you and the people who, again, do this difficult work that takes a lot of effort, it takes a lot of passion, it takes a lot of intellectual effort, and a lot of emotional labor as well to do, and to do it right, and to do it consistently. So, I appreciate you. And thank you for taking the time to share your experience with us and with everyone who is listening. I hope that many more people resonate with these messages and find something that they can take with them from this episode. Even if it's one thing, that one thing can have a big impact and it can lead to a compound effect that we don't even suspect and we might not see. But I hope that this happens, and I know that it will help people the way that you do your work and the way that you show up for the community. So, thank you so much.
[37:02] Baptiste Robert: Thanks to you. And something I wanted to add is, also, don't hesitate to talk with people. It's not because someone is famous in his sector, it's not because this person seems to be really busy; don't hesitate to message people; don't hesitate to communicate with people to try to create a link with them. Because in general – and this is something I noticed all along my journey – people are very nice, in general. Even in complicated situations, people want to help, especially in cybersecurity, because we all understand that this is complicated, everything is complicated and there is no simple situation. So, if you have an issue, if you have questions, don't hesitate to send emails, to communicate on social network to some private message. It's super important for influencers, for leaders, for everyone to give an example and to share the knowledge because there is work for everyone and we have a lot of work to do in cybersecurity.
[38:16] Andra Zaharia: That's a very generous perspective. And I think it’s the most empowering thing to say. So, thank you once again. This was wonderful.