Podcast

From Military Intelligence to OSINT Expert with Matthias Wilson

Written by Blackdot Solutions | 14 08 2025

In this episode of From the Source, host Matthew Stibbe interviews Matthias Wilson, an intelligence trainer and OSINT professional. They discuss the challenges and advancements in OSINT, particularly the integration of AI technologies. Matthias shares his journey into the world of OSINT, emphasising the importance of critical thinking and the potential pitfalls of over-reliance on AI tools. The conversation also touches on digital personal security and practical advice for those looking to deepen their OSINT skills.

AI-generated transcript

Matthew Stibbe (00:01) Welcome to From the Source, the Blackdot podcast. I'm your host, Matthew Stibbe, and I'm here today with Matthias Wilson, who is an intelligence trainer, OSINT professional and consultant. Great to have you on the show, Matthias.

Matthias (00:15) Hey Matthew, thanks for having me here. Really a pleasure.

Matthew Stibbe (00:19) Well, I'd like to start with a question I ask all our guests. In the world of OSINT right now, what are you geeking out about? What's front of mind for you today?

Matthias (00:29) We're probably going to give the answer that everyone gives at the moment. I'm working with AI, but not just chat bots like ChatGPT or Mistral, things like that, but trying to get a decent AI running on my machine. And I've come across complications when it comes to that, because apparently if you're using older hardware, it's not as easy as they make it look and sound on the internet.

Matthew Stibbe (00:54) This question of running AI locally has come up in other conversations for From the Source, but also with other clients of ours. So tell me, how much of a challenge is it? I mean, what are you using to get your local LLM up and running?

Matthias (01:12) Well, basically I'm using two or three of the clients that are out there, AnythingLLM, GPT4All, things like that. And the idea would be to run a local database, a local RAG to query that. But if you're running with a standard business laptop without a dedicated GPU power and VRAM and things like that, it tends to take a while to ingest the data and at the same time also to query the data and actually talk with it.

So it's not the flow, the smooth flowing process you know from like ChatGPT online, when you upload something, you ask a question and you immediately get an answer. It does tend to take a while. So, just to give you an example, the other day I uploaded a couple of documents that were like 200 megabytes and that took like an hour to ingest before I can even do anything. And then every time I would query the local AI on that data, it would take anywhere between two and five minutes for it to make up its mind and come back with an answer. So if you're working with like a MacBook Pro, modern version, with a lot of GPU power and things like that, it might be easier, but like the standard business laptop that most of us have is actually not adequate enough to run your AI locally, at least with some of the more sophisticated and bigger models.

Matthew Stibbe (02:34) That's really interesting. Another client of ours is talking about running local data centers and doing that so they can get the responsiveness. So is it a concern for you, and I think AI might be a theme for this conversation, is it a concern for you about running OSINT type queries in public LLMs?

Matthias (03:00) Yes and no, it always depends on the field you're working in. So for example, if you have really sensitive work, for example, in law enforcement or even intelligence agencies, everything that you put online, even if it's an online AI tool, is transported through the internet, can be intercepted, is maybe even used to train that AI for the future. So yes, there is always that problem. I mean, it's the same thing if you go to Google and just Google something. Google remembers what we did and how we did it and which results we looked into. And then we get a biased result the next time we go there. So I don't think there's a big difference between Googling things or using Bing or Yandex or using an online AI in terms of security.

Matthew Stibbe (03:49) Yes.

Matthias (03:49) You just have to be aware of that. And there might be some investigations where you can use these tools. There might be other investigations where you might refrain from using such tools or databases.

Matthew Stibbe (04:01) Like a lot of fields, it requires a little bit of judgment and discretion, doesn't it? I spend quite a lot of time telling my colleagues, don't just go and put client data into ChatGPT to analyse it, because it's not... So, okay, we'll come back to AI. I know we will. So, but let's... tell me a little bit about your career and how it led you to the world of OSINT.

Matthias (04:26) Well, the world of OSINT was there before my career. That's the interesting thing. When I was 16 or 17 in school and we had to write an essay on this book that I absolutely did not want to read. It was boring. It was, I don't know the English title, but in German it's called Nathan der Weise. And it's basically about all these religions coming together. And there... was just...

Matthew Stibbe (04:29) Thank

Matthias (04:50) Everyone wrote the same thing, just like in slightly different words. It's been like that for probably 50, 60 years in German schools. And I was too lazy to do that. So back then I was a regular user of the Usenet groups online, basically a message board where people could post things. And yeah, it's a long time ago. And I was digging through that and came across someone who actually posted an essay about what I had to write for school.

Matthew Stibbe (05:07) I remember using that. Yeah.

Matthias (05:19) So the hard part there was not finding it, but was actually, you know, handwriting this information off my screen. And it worked. And then I realized there is a lot of information out there. There's a lot of information online. So ever since then, I have been Googling, doing OSINT, whatever you want to call it on a variety of different topics. And then luckily enough, I got into military intelligence where this natural curiosity that I had, I could use that on my job.

And I spent 17 years in military intelligence, various deployments, mostly to Afghanistan. And after a while, I thought I'm just going to try it out in the private sector. And to make things short, the last three years, I was working for BMW in their executive protection team as the person responsible for digital personal security of the board members and also TSCM. So, technical surveillance countermeasures. So that's the short version.

Matthew Stibbe (06:20) And you've recently sort of started your own consulting business, PLOSINT, right? Can you tell us a little bit about that?

Matthias (06:28) Yes, it was not really planned. I had other plans in life and then I just realised that a lot of people were asking for intelligence training, for OSINT training. And I had a fairly large contract from the Australian police, not Australian, Austrian police, sorry, to train all their analysts in OSINT and online investigations. And that kind of got the PLOSINT business started.

So now I'm focusing on delivering high-quality training, mainly to law enforcement, but also given my background at BMW and executive protection, also setting something up to give close protection officers and executive protection teams a specialised OSINT training exactly for their needs.

Matthew Stibbe (07:16) Fantastic. It's funny you mentioned Usenet. I'd completely forgotten about it, but I remember in the early 90s using that. And it's interesting just to draw a sort of a line between that, which had many of the characteristics of social media today and social media. And the difference being the population of people who used Usenet, very small, mostly geeky, academic, techy people, and now everybody. But it does, it made me think about... William Gibson's comment that the future is already here, it's just unevenly distributed. Anyway, interesting little digression.

So, AI is clearly a thing that's happening to all of us everywhere, but in the world of OSINT, I feel from looking at some of the things you've been saying recently online that you're concerned about it maybe undermining people's core skills and their critical thinking skills. I wondered if you could talk a little bit about the dangers as you perceive it of AI.

Matthias (08:17) The main danger is it just makes things so much easier. So let's take the example of geolocating an image. I mean, in the past, you would sit down, you would run it through Google Lens or Reverse Image Search and if that didn't come back with an immediate result, you had to sit down and basically look into all the details of the image. What do you see there? Maybe there's a street sign. Where is the location of the sun? Are there any distinctive types of buildings that you can look for? And you had to put a lot of effort into that. And now you have AI tools that do that for you within seconds. So I think, and this is human nature, we tend to become lazy. So if we want to geolocate something, we're not going to sit down by ourselves and do that for one, two, three, four, five hours. We're just going to feed it to AI.

With a lot of these tools and platforms, they might immediately come back with a good result. And that's great. If it works, it's fine. Please use it. But if they don't come back with a good result, then, again, you have to do this yourself and invest the time. But as we are all 'lazy', we're just probably going to tend to use AI, use platforms, use tools and not bother any further if it doesn't find a result, you know, kind of the mind state of 'this tool is so amazing, so awesome. And if he can't find it or she, I'm not even going to try.' And I think that's kind of the wrong approach. And that is actually something that I am seeing that people are becoming overly dependent on certain platforms. It doesn't necessarily have to be AI. And while they are all good and they're all great, I think the best way for an analyst or an OSINTer to go forward is, even if you use platforms or tools, do a lot of manual work on the side to keep those skills because you don't want to lose them.

Matthew Stibbe (10:22) Is it like a pianist who needs to practice every day to be sharp? How do you keep those skills, those critical faculties working?

Matthias (10:32) It's a lot of practice and you have to have a lot of diverse settings and diverse cases that you work on. A couple of weeks ago or months, I wrote a blog kind of explaining this. So we commute to work with our car every single day. Some of us spend one or two hours one way in the car. So we're driving a lot and we're doing this for 20 years, right? Does that make us a good driver?

Matthew Stibbe (10:59) Hm. Yeah.

Matthias (11:01) I'd argue no, because you're basically you're not testing your limits, you're not testing the car, you're not testing yourself. You're getting into it, you're going to work, you're coming back and there's nothing special about it. So what is the difference between the daily commuter and a race car driver?

Matthew Stibbe (11:20) It's a question, I suppose, of the challenge and the response and the quick thinking.

Matthias (11:28) themselves in various scenarios on different tracks with different techniques. So they spend maybe the same amount of time as a daily commuter, but they train differently and they actually train. So taking this and putting this into the world of OSINT, let's say you have a person, an analyst sitting somewhere that every day does eight hours of OSINT work, but that OSINT work is just querying a database. That's it. All they do is just take some information, query it and get some information back. You're not going to get better doing that. But if you try a lot of different scenarios, a lot of different investigations where you constantly stumble upon roadblocks and you don't have an answer to that, you can challenge yourself and you can get better doing that. So it's not just practice or a lot of practice. It's also what you practice on.

So, for me, my wife hates this, but when I'm out and I see something I'm interested in, I start Googling and I'm not going to call it OSINT, but like we were at a restaurant, this is a funny story, a couple of years ago, near Rome, and the cook was telling me about his special forces background and he was in Afghanistan lots of times. And I was hearing this and some of the points in the story didn't make any sense.

Because Afghanistan, that's where I spent a lot of my life. I know what's going on there. And so I immediately started Googling and I found out that that was kind of his cover story for being in prison for 11 years because he was an enforcer of one of the local mafia families. So, my wife saw me doing this. She knew what I was up to. She kicked me in the shin and basically... don't start an argument with this guy. I think he's dangerous.

But that was just one situation out of daily life where you stumble upon something and then you just start getting into that research mode. And each time you do that, it's free training.

Matthew Stibbe (13:22) Hmm. So how can I put it if I can translate what you're saying? Indulge your curiosity and maybe occasionally wander off the beaten track.

Matthias (13:33) Yes. Yes. And just don't always stick to the things you know, try different things. Like for example, now if people are talking about AI, why don't you try to host your own AI on your own computer, just to see what it's capable of, just to see how it works, just to see how you can use that. Or if you're working in financial due diligence, there are lots of databases out there that you can query, but maybe every once in a while, just try something completely different and more of a technical approach to OSINT or a people-oriented search on OSINT, just try it out. And that does not make you an expert in people OSINT or technical OSINT, but it will broaden your mind and really help you out, especially the aspect of critical thinking and analysis techniques. Doing more will not make you a specialist in everything, but it will just broaden your general knowledge.

Matthew Stibbe (14:32) Is there a cookbook or a shopping list of things that people could go try that maybe they haven't thought of doing? How would you build your own roadmap for that exploration?

Matthias (14:44) To be honest, I don't. I kind of have an idea, I have a question that needs to be answered. And while I start doing my research, and the research is more or less very structured, then I will get to a point where I did not find what I wanted to find, or I come across a so-called roadblock, for example, a paywall or something like that. And then I have to start getting creative how to find information.

So, you know, transferring this to like people research, you're looking for a person and this person doesn't have online or... online presence at all. So you could stop there and say there are no social media accounts. Or you can move forward and say, let's try like the outside in technique, looking for known acquaintances or family or friends, and maybe they've posted something about this person. So you have to kind of get creative, figure out who is involved with that person and see if you find information about them on other people's profiles.

Matthew Stibbe (15:46) It sounds like it can be helpful sometimes to step away from the tools and the techniques and start going back to questions and objectives and then go, well, imaginatively, how could I solve this or answer this? What other options have I got? Often that I find in my work very helpful just to sort of dig back to what am I trying to achieve here rather than how do I do the thing... I've always done.

Matthias (16:09) There's a lot of theory on that, gap analysis, structured analysis techniques, and it all comes down to the same thing, but also stepping back, taking a deep breath, and then just figuring out what information do I have? What information do I not have at the moment? How did I try to get there? And just to basically doing a slight analysis on your approach itself is also very helpful. And one thing I've also found is if you don't know the answer to a question, maybe someone else does. So in certain cases, you can reach out to other people. Now, if this is an investigation in the public domain, you can just go ask other OSINT experts and, you know, not about your investigation, but on certain methods or techniques.

Or let's say you're working in law enforcement and you're the OSINT specialist and you just can't seem to get forward in your case. So why don't you ask someone that doesn't even work in OSINT, but is a very experienced investigator and say, hey, what's your take on this? What's your opinion? Do you have any ideas? So that's one piece of advice I give in my courses is no one will know everything. But if we kind of take the crowdsourced approach and just go actively reaching out to other people even if they're not OSINTers or even intelligence analysts, you might be surprised with the ideas that they come back with.

Matthew Stibbe (17:33) For sure. And, there's a flip side to AI, of course, because it's also generating all this content and this slop, some of it interesting, some mostly not. Does that create challenges for people working in OSINT? How do you evaluate your sources when the source might be just ChatGPT?

Matthias (17:54) So in any type of intelligence work, you have to always distinguish between the information and the source. And I think in the OSINT community, a lot of people do not do this. If you come from another intelligence background, HUMINT for example, or SIGINT, it is very vital to figure out who said what or who posted what or where did this information come from.

And once we have the information, of course, we have to verify it. We have to see, is it AI-generated? Is it maybe propaganda, fake news, whatever you want to call it. But this immediately leads back to the point... Who spread this information and how credible are they? Are they a reliable source or not? So, when I do my investigations, I always have, you know, one eye or one ear on that as well, not just finding something, but looking into the person, entity, organisation that actually posted that. Because it could be that I come across this entity multiple times later on. And if I have one time done my assessment on the source's reliability and credibility, that makes it easier for me further on.

So it's not just about finding a piece of information and then verifying that specific piece of information, but also looking into the entity that posted it online. And that very much translates to the Admiralty Code that is used in military intelligence. I mean, mainly this was used in HUMINT but also in SIGINT. So it's not just about what was said, but who said it.

Matthew Stibbe (19:39) And it's, most of our listeners I'm sure will be familiar with that, but this idea of assessing sort of credibility and reliability of a source, is that commonly used or commonly understood in OSINT?

Matthias (19:54) From my personal experience, no. That is something that is commonly used among government intelligence, military or intelligence agencies... they grow up with that to some extent within law enforcement. But a lot of people that do not have that background, they just go right at it and they're good OSINTers, and of course they try to verify the information, but they don't put a highlight on the source as well.

So that's something that they should try to learn, not just looking at the information, but also who said it, who posted it, who faked it with AI? Because like you said, we're getting more and more of this slop, more and more data that is out there. And then it will become really relevant to filter in the first place. If you know, okay, there's a site and 99% of the time, when I look at that, it's just junk that comes out of there. So I still might look at that site, but in my priority, it's been downranked to other, more respectable sites.

Matthew Stibbe (21:01) We're burning through this time and it's a fascinating conversation. I'd like to move on to a different topic, if I may. You've had some background in digital personal security and that's a little bit also in a different context, my interest and background. And when I was doing it 10 years ago, we were saying you need to have antivirus and firewalls and some fairly basic sort of IT stuff.

That's changed now, hasn't it? I mean, what do people need to be thinking about? I mean, OSINT professionals for sure, but actually people. What do they need to be thinking about to make sure their digital personal security is up to standard?

Matthias (21:39) So I like to call it digital hygiene. It's basically about what do you post or what do you share about yourself, your life online? And not just what you share, but maybe what other people post about you online. So let me give you an example. When I was at BMW, of course the job was to ensure the safety and security of the board members.

You know, they have a safe and secure environment if their family is also safe and secure. So you have to extend it to the family. And then one of the things is working at BMW car manufacturer, there's a lot of climate activism that does not like what they do. So of course we do not want to have any protests or any people visiting their private homes. So I can go to a board member and say, don't share your private address online.

That's very easy, that's simple. But you have to tell this to the family too. And then they'll be like, okay, we understood this, this is fine. But they don't know the possibilities of OSINT and geolocating. So maybe someone has a 12 year old or 15 year old or 17 year old kid on TikTok or Instagram that is uploading videos or photos that can be geolocated leading back to a private address.

Nowadays, it's becoming even more challenging because, as we discussed before, geolocating images is something that used to take hours or days and can now sometimes be done within seconds through an AI. So the bottom line is just be sure of what you are sharing online or people that are close to you are sharing online and, you know, try to be, you know, get a feeling for how can this impact my life, my personal security, my digital security? And the best example is always the kid oversharing things where you can actually geolocate that image.

Matthew Stibbe (23:41) That's... timely and valuable warning, but crikey, I hadn't even thought about the geolocation aspect of it. Okay, so, and I notice you've got a nice sort of digital background here, so I can't look out of your window and geolocate you. So last question, because we're almost out of time here, but for investigators and professionals who are looking to deepen their knowledge of OSINT or perhaps put the toe in the water for the first time.

Matthias (23:55) Yep.

Matthew Stibbe (24:10) What's the best way to do that? How do they start down that road?

Matthias (24:14) So I like to say OSINT to OSINT. First of all, you need the fundamentals, the basics of intelligence analysis, and there are many different courses out there that will provide that. There are some that are free, there are some that are paid, there are books out there, and that will give you the absolute basics. I'm not gonna get into that... but you know...

Basic intelligence analysis, there are a lot of people that can do that. The question is, how can you get better at your job? And, as I discussed before, it's all about practice. Not just to go to work and do your nine to five job and do the same thing in a repetitive way all day long, but maybe every once in a while, just sit down and build your own case.

Like you see a website where you want to go buy shoes or something like that and then just try to figure out who's behind the website. Is this a legit shop or is it a fake shop? Where is the company registered? And all of a sudden you're in an OSINT investigation where you can get into like a more technical domain-based OSINT research but at the same time also company research. So that's just one example. Constantly practice this. Now it doesn't have to be the level that I do that or else you get in trouble with your wife because if I start taking out my phone and doing this research every single day for one or two or three hours, I do get in trouble. But I'm pretty sure that each and every one of us can spare an additional hour or two every once in a while to do something like this.

And then if you get to the point where you do not know how to continue in your investigation, like I also said before, you can ask people. There is a very livid community on LinkedIn, for example. Used to be one on Twitter back then when it was good. That's been a bit complicated now, but just, you know, reach out to the broader community and learn from them, see what people are posting and just try it out. So it's practice, practice, practice, trying it out all the time and not just in your comfort zone, but doing things that are completely different.

Matthew Stibbe (26:22) And maybe Bluesky but LinkedIn, there's a community there that people can go and tap into. Fantastic. Well, Matthias, that's been a fascinating A1 interview. I really appreciate your time today. And that brings this episode to a close. And if you're listening to this and you'd like more OSINT insights, you'd like to learn about Blackdot or their product, Videris, please visit Blackdot Solutions. Thank you very much for listening and goodbye.