More than 350 ethical hackers got together in cities across Australia on Friday for a hackathon in which they worked to “cyber trace a missing face”, in the first-ever standalone capture-the-flag (CtF) event devoted to finding missing persons.
Similar CtFs have been held before, alongside conferences such as DEF CON and B-Sides, but this was the first such event focused entirely around a missing persons hackathon.
Organizers called the results “astounding,” ABC News reports.
During the six hours the competing teams hammered away at the task of searching for clues that could potentially solve 12 of the country’s most frustrating cold cases. 100 leads were generated every 10 minutes.
The National Missing Persons Hackathon was run by the AustCyber Canberra Innovation Node, which partnered with the Australian Federal Police, the National Missing Persons Coordination Centre and Trace Labs: a nonprofit with a mission of crowdsourcing open-source intelligence (OSINT) and training people on OSINT tradecraft.
OSINT is data collected from publicly available sources. That includes Google searches, for example. The missing persons hackathon is the sunny side of that coin. Last week, we saw a much darker side to OSINT when we heard about a Japanese pop star who was attacked by a stalker who zoomed in on the reflections in her eyes from selfies, then searched for matching images on Google Maps to find out where she lives.
ABC News mentioned another recent case of the use of OSINT: last month, Twitter user Nathan Ruser picked up on a video uploaded to YouTube that showed hundreds of detainees at a train station, handcuffed and blindfolded, and all with freshly shaven heads. They were allegedly members of the Uyghur Muslim community in western China.
Chinese officials had denied the mass detention. To verify the image, and to find out when and where it was taken, Ruser used elements in the imagery to geolocate the scene: buildings, a cell tower, a carpark, trees, and train tracks, for example, feeding the images into Google Earth. Other useful elements included a pole that acted like a sundial, casting a shadow that could be matched with other images that show the sun at a given azimuth, casting specific shadows, at a particular day, to get a rough idea of the day it was taken.
4 days ago a video showing 3-400 detainees handcuffed & blindfolded at a train station in Xinjiang was uploaded to YouTube (https://t.co/GpEaZ7YkIK)
— Nathan Ruser (@Nrg8000) September 21, 2019
In this thread I'll share how I've verified that this video was filmed at 库尔勒西站 (41.8202, 86.0176) on or around August 18th. pic.twitter.com/hr5xd8nahM
The participants in the Australian missing persons hackathon used similar search techniques to try to find previously uncovered hints at what could have happened to the missing persons focused on in the event. Those 12 cold cases were selected from what ABC News says is now more than 2,600 Australians listed as “long-term” disappearances.
At the start of the event, contestants were allowed to view the missing persons case details by logging into the CtF platform. The organizers haven’t released results of the mass gathering of OSINT. All leads generated on the missing person cases were handed over to the National Missing Persons Coordination Centre.
Technology Decisions quoted Minister for Industry, Science and Technology Karen Andrews, who said that an event like this shows the good that can come from hacking:
You can only imagine the great heartache when a loved one goes missing. Family and friends are often haunted by the experience for life. They never stop looking and trying to find answers.
This event is a great opportunity to use online investigative techniques and hacking skills in creative and socially useful ways.
Australian Federal Police Assistant Commissioner Debbie Platz said that crowdsourcing like this opens up a whole new way of policing that will hopefully lead to solving more of these heartbreaking cases:
Police often say that the community are our eyes and ears. We’re taking this concept to a new level. By involving the community, and in this case hackers, into the search for missing persons, we hope to solve more long-term missing person cases in a way that police could not do alone.
Luna
I hope this article is updated so if there is a person found or new evidence we will know that this is helping.
Lisa Vaas
If I hear anything, I’ll do that. Readers, contact me on Twitter—@LisaVaas—if you hear of some good news coming out of this hackathon.
Jeff Mo
While the participants may have been hackers (or some may have not been), from what I understand of what they did and the information they used, they did not actually “hack” any systems to generate the leads — they used skills to find/take existing public data and get leads from this data. For example, viewing a photo, then looking at location information on Google Earth to identify the photo’s location, requires skill, knowledge and persistence, but it doesn’t require hacking into anyone else’s systems.
Lisa Vaas
Everything participants did was legal. One of the definitions of “hacker” (and, I believe, the original definition), was “an expert at programming and solving problems with a computer”—a meaning that doesn’t imply criminal action. That was absolutely the definition meant in this story.
Mahhn
I’m partial to the broad definition of hacking in general meaning to alter (device. software, method/thing of any sort) to make it perform/behave/look different than intended. A hacker can be a, programmer, hotrodder, locksmith, doctor, or even a little kid making a paper airplane that does loops.
Bryan
@Mahhn
Could it be said that you LifeHacked a word’s definition?
:,)
Barberousse
Contrary to what is written in the article, this isn’t the first such event, it’s not even the first organized by TraceLabs. They’ve been organizing these OSINT CTFs in conferences and CTFs (Defcon, Hackfest Quebec, etc.) at least since 2018.
Paul Ducklin
I’ve updated the article to make it clearer that this was the first *dedicated* event of this sort – in the first sentence, Lisa used the words “devoted to finding missing persons”, but it perhaps wasn’t obvious that there were no other sessions, contests or conference stuff going on alongside. As TracesLabs put it, “In 2019 we are [hosting] new global events that are not associated with any particular conference but instead focused on global OSINT professionals coming together online in an effort to help bring loved ones home.”
LAW1
Back in the day Cracker was the criminal element of hacking.
Paul Ducklin
I think the word “cracker” has become inextricably and specifically linked with breaking some sort of protection scheme, whether that’s a cryptographic key, an anti-piracy system, or a password hash. Thus I consider “cracker” rather too specific to be used as a synonym for “malicious or criminal hacker”, a term that covers IMO a wider ranges of bases. So you might *crack* a password and then use it to *hack* into a network.
joe
This is obviously great news but this by far is not the first competition of its type. Please check out Trace Labs OSINT CTF, they’ve been running missing persons CTFs for at least two years.
Paul Ducklin
See my comment above – TraceLabs itself denotes this year as the first time a *devoted* hackathon of this sort, not connected to a conference, has taken place.
Bryan
Every now and then I’ll comment on an article simply to follow it–usually for the ensuing discussion, but occasionally for potential updates to the story itself.
This is one of those instances.
subscribe-to-article button: suggestion box idea
:,)
Bez (@Bezleysnipes)
While i can understand where you are coming from with your argument, i believe its been taken out of context.
Hacking as the general public see it is normally the act of breaking into a system that they are not allowed access to, but in actual fact hacking is really the act of making or using something to do something its not meant to do.
So using information be it photos or other sorts of files that were created to do one thing and then using it to get some sort of other information is hacking, just not in the commonly misunderstood way.
BerryWhite
Looking forward to hear what comes of this