Podcasts
8th Layer Insights
Ep 12
8th Layer Insights 12.28.21
Ep 12 | 12.28.21

You're Listening to "The Dark Stream"

Show Notes
Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." Just a quick note for anyone new to the show and maybe if you've even been with me since the beginning - this episode is going to be a bit different. It's going to have a different format, a different tone, theme and maybe even a bit more. So let me explain.

Perry Carpenter: The usual format of the show is to take a full episode and explore a single topic. And that episode usually features between three and four different experts to help in that exploration. But here's what you may not realize as you listen to those episodes. You might hear a guest talk for maybe 10 to 15 minutes in total. That's the time that they get. But here's the thing - that 10 to 15 minutes is usually just a selected portion of a larger discussion that generally lasts upwards of an hour. And what that means is that there's tons of great stories or interesting little bits that you never have a chance to hear. They get left on the proverbial cutting room floor. 

Perry Carpenter: So I've been thinking for a while about some interesting ways to bring some of those stories and clips to you, and I finally came up with something that I wanted to try. So today's episode is clips from the vault, and I'm presenting it in what I hope is a fun and entertaining format. And I'll tell you more about that after this. 

Perry Carpenter: Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights," Season 2, Episode 2. I'm Perry Carpenter. 

Perry Carpenter: Welcome back. All right. So as I mentioned in the intro section, today's episode is a bit different. What I wanted to do is find a number of stories that previous guests have told that have never made it onto the show before but which are really fun. And I needed a way to get those clips into an episode that didn't force me into a certain theme or narrative. So what I came up with may be a little bit unorthodox. It's definitely an experiment, but hopefully a lot of fun. 

Perry Carpenter: So here's the premise. I grew up in the '80s and '90s, and one of the things that would always come on the radio really late at night when I was driving around were these weird, just kind of outlandish radio shows about the paranormal or conspiracy theories or urban legends or a while variety of things. And people would call-in and interact with the host. And some of those calls could be pretty normal conversations.  And some of them were really, really strange and entertaining. They were just outlandish in a lot of ways, but also a lot of fun to listen to, and so that's the way that I packaged today's episode. 

Perry Carpenter: I would like to thank all of our guests for putting up with what I'm about to do with their previous interviews. And also, to spice things up just a little bit more, I did bring in some actors to cover a few parts, so be on the listen for those as well. I hope that you enjoy it. And if you do, please let me know because this could be something that I revisit every now and then as a way to bring in some of those really interesting stories that my guests tell but, for some reason, don't fit in another episode. So thank you, and I hope that you enjoy this journey into The Dark Stream. 

STATION ANNOUNCER: You're listening to K2FA Radio. 

STATION ANNOUNCER: And now, from the darkest corners of the internet to the hypnotic blinking lights in the data collection facilities of the National Security Agency, Facebook and Chipotle, you're listening to The Dark Stream with Alex Mycroft .

Alex Mycroft: And welcome, dear listeners. Welcome to The Dark Stream. This is the show where we seek truth, where we open the lines to those around the world with interesting - how should we say - stories, experiences that blur the lines between the human condition and this thing that we call cybersecurity. So are you ready to explore the darkest orifices of the interweb and shine a light? The phone lines are open, and the world is listening, so that means it's time to hear from our first caller. Marvin,who do we have to start? 

Marvin: First up, we got Rachel, Rachel on line one. 

Alex Mycroft: All right. Send her through. 

Rachel Tobac: My name is Rachel Tobac. 

Alex Mycroft: Hi, Rachel. Tell us a little bit about yourself 

Rachel Tobac: I'm a hacker. I'm also the CEO of Socialproof Security. We help people understand how we would hack them so that they can patch their human vulnerabilities. 

Alex Mycroft: OK, Rachel, I want to go back to that word hacker. What do you mean by that? I can't see you right now, but when you use that word, what I do imagine is your eyes peering out from beneath the cowl of a dark hoodie, which begs the question, aren't hackers bad people with questionable hygiene sitting in dark rooms wearing hoodies and crafting the latest ransomware strain? 

Rachel Tobac: The way that I typically describe myself is a hacker, and the way that I think about hackers are the hackers are the helpers and the people who are trying to harm people, those are the criminals. So I would say anytime you're talking about somebody who is attempting to keep a platform safer by discussing vulnerabilities, hacking and disclosing that safely, those are the hackers. And the people who are trying to extort folks, steal money, harm people, manipulate, those would be the criminals. 

Alex Mycroft: Explain to us a little bit more about that. What does that actually mean? 

Rachel Tobac: When I'm hacking, I use a lot of the same methods that a criminal might use, but I always have consent before I go ahead and do that, and I don't harm people within those attacks. So a criminal might use a pretext or who they're pretending to be that is scary to somebody, makes them think that they're going to lose access to their income or their health care or something really frightening. I do not use those types of pretexts. I'm able to solicit whatever I need and gain access however I need without ever, ever having to scare people. So that's another difference between me as a hacker and what I interpret as a criminal. 

Alex Mycroft: OK, Rachel, share some of your methodology with our listeners. I want to get an idea of how scared we should be of you and what exactly you do. I mean, you're still attacking people. So how do you do that? 

Rachel Tobac: Yes. So before I go ahead and attack my target, I do what's called open-source intelligence. And I tend to start with things like social media, low-hanging fruit. Who are their service providers? Who do they trust with their data? Things like their address, their phone number, date of birth, last four digits of Social Security number - these are the things that I need to attempt to solicit out to attempt to use them for my highest value target, whatever that is. 

Alex Mycroft: OK. Tell us a little bit about how you've used this kind of technique in the past. 

Rachel Tobac: So Donie O'Sullivan, a correspondent with CNN, approached me at DEFCON and he said, hey, I want you to hack me. And I said, yeah, sure. I mean, I can do that. What do you want me to do? Do you want me to steal all your packages, kick you out of your house, turn off your lights? I mean, what do you want? 

Alex Mycroft: You're such a pleasant person to be around. 

Rachel Tobac: (Laughter) What do you want, right? So I'm helping him decide, like, what the scope is for this project. And he was like, you can do anything, but you can't affect my health care and you can't affect my place of residence. So I said, all right, that sounds like a really reasonable scope. So I got to work doing OSINT - open-source intelligence - looking on Twitter, Instagram, Facebook, anything that I could find using special search operators. So, you know, like Google dorking, using special search operators on Google, you can do that on social media as well, as you know, and got to work doing that. And I uncovered a lot of different service providers and who I might want to target while pretending to be him, which is the goal for me, wrote out a bunch of scripts, got them approved by him. Are you OK with me making these calls? Because I have to warn you, Donie, some of the things that I do today might be irreversible. And he said, he said, that's OK. I give you consent to do them. I understand it might be irreversible. And I said, I think I'll be able to get all your points back. I don't know about the middle seat on the airlines. I don't know if they're going to let you change that again. And he said, all right, it's worth the risk. Turns out I did - I was able to get his points back, and it also turns out that the seat was irreversible. So he did have to take a flight in a middle seat for five hours. 

Alex Mycroft: Don't you feel just a bit bad about giving somebody the curse of the middle seat? I mean, that is truly evil. 

Rachel Tobac: (Laughter) He was really annoyed. But, hey, you know, it added a little bit of flair to the piece, so that's OK. I just feel bad for Donie. 

Alex Mycroft: OK, Rachel, what is the central truth that you want people to come away with after hearing a story like this? 

Rachel Tobac: The cool thing about working with Donie and doing that CNN piece is it took all the stuff that I typically do that's behind NDA that I can never talk about ever again and it publicized it. So I was able to talk about all the learnings, how I hacked Donie, the exact methods that I used, and I was able to showcase the path that attackers take to gain access and do account takeover, which resulted in a lot of companies reaching out and saying, hey, I'm a hotel chain. What have you? We think that thing that you did to Donie you could probably do to us. What do we need to change? You know, you mentioned these three things that we should do. What should we do first? And it really started an actionable conversation with a lot of the companies that we trust with our data. And that was the goal. Take everything from behind the NDA and make it so I can actually talk about account takeover. 

Alex Mycroft: And what are those three things that you talked about? 

Rachel Tobac: Yes. So I help companies understand in terms of action items, like, what do we do about you taking over our accounts? No. 1, be politely paranoid and you have to build that into your systems. So if somebody calls you up, first and foremost, do not use their phone number, the caller ID that you receive, to authenticate a person. You'd be surprised how many companies still do that. You know, I would call an airline, they would say, hey Donie, how can I help you? Just because I was spoofing Donie O'Sullivan's phone phone number. So that was the first thing is making sure you're politely paranoid with phone number and authentication. 

Rachel Tobac: No. 2, making sure we build in almost like a real-world two-factor in the way that we communicate with customers and make that seamless. So just like I mentioned to you when I said, absolutely, we can help you with that for your reservation on the 19th; we sent a code to your email address or to the phone that you're currently calling us from; go ahead and read that out for us and then we'll get started - something as simple as that can really prevent spoofing. Or you can give the customer a call back because that alleviates the spoofing issues, too. 

Rachel Tobac: And then from there, helping people understand the human-based processes that could still attempt to trip them up - so, you know, these processes, these protocols, we need additional technical tools to back them up because not every single attack is going to happen over the phone exactly like you saw with Donie. We need multifactor authentication on their systems so that if I credential harvest phish these customer support agents, I'm not able to log in, et cetera, et cetera. So building in technical tools to back them up. 

Alex Mycroft: Now, you mentioned things that would change your voice and emulate somebody else's phone number. How easy and accessible are tools like that to use? I mean, some people may think that it's only super secret spy agencies that can get a hold of that technology. 

Rachel Tobac: It takes me 10 seconds to set up, and it's $1 - so very, very accessible. Yeah. It's very accessible. And people also build their own tools. So we're just not at a place yet where we can trust the caller ID. And I believe that even if we continue to make changes, like with STIR/SHAKEN that we're seeing in the telecom world right now, I still don't believe that we're going to be able to stop all attackers from spoofing. So I would say, don't trust your caller ID. It's an indicator, but it is not a trust factor. 

Alex Mycroft: OK, quote, unquote, "Rachel." I am looking at my caller ID right now, and it says Rachel Tobac. That's just a little bit too convenient, don't you think? You call me posing as Rachel Tobac, talking about faking out a CNN reporter. I think that this is a test of me and my listeners, and I am going to drop you like a hot rock. Now - Marvin, send through our next caller. Who do we have? 

Marvin: Next on deck is Jim, line 15. 

Alex Mycroft: Jim. Hi, Jim. 

Jim: Hi. 

Alex Mycroft: Do you like Jim, or do you prefer the more formal James? 

Jim: No, Jim is good. 

Alex Mycroft: OK, Jimbo, what's on your... 

Jim: Just Jim. 

Alex Mycroft: What's on your mind, Jim? 

Jim: Yeah. I wanted to know what you know about the Polybius project from back in the 1980s. 

Alex Mycroft: Yeah, you're referring to, of course, what most people believe is really just an urban legend about this government experiment involving a secret video game. 

Jim: Yeah, that's it. How they - they just dropped these experimental games in random arcades in Portland. 

Alex Mycroft: Right, right, right - to conduct psychological experiments. So far, so true. Go on. This is ancient history. Why the call? 

Jim: Well - well, remember how those people reported men in black showing up at the machines to pull the data and run analytics on it? 

Alex Mycroft: Yeah, yeah, of course. These men in black are clearly agents from a secret sector of our government assigned to do all sorts of harm to us. But what's your point, sir? 

Jim: Yeah, yeah. I'm getting to the point. 

Alex Mycroft: Oh, please do, sir. 

Jim: OK. Yeah. OK. Oh, God, I got to get a drink. 

Alex Mycroft: Are you safe, sir? 

Jim: Yeah, no, I'm OK. I'm good. So the other night, I was at my local bar, you know... 

Alex Mycroft: Go on. 

Jim: ...Having some hot wings and chillin'. And I overheard this guy, this guy named Carl (ph). 

Alex Mycroft: Never trust a Carl. 

Jim: Well, I wasn't trying to eavesdrop. But I heard this guy, Carl, at the table just behind me talking about the Polybius and how it wasn't a government psychological experiment at all. 

Alex Mycroft: Go on. 

Jim: Yeah, not a psychological experiment at all. But these things basically had many mainframes in their chassis. 

Alex Mycroft: And all that processing power was for... 

Jim: Bitcoin mining. 

Alex Mycroft: But bitcoin wasn't invented until 2009. 

Jim: And the game was so addictive because it was actually pulling psychic energy - you know, the souls of these kids. It was pulling the souls of these kids. 

Alex Mycroft: And... 

Jim: And storing them in the blockchain. 

Alex Mycroft: Again, Jim, bitcoin and this blockchain technology - this didn't exist until decades later. What sort of evidence is there to support this? 

Jim: Well, it exists. 

Alex Mycroft: You're saying the evidence exists. 

Jim: I mean, one day nobody has heard about bitcoin, blockchains and that doggy coin. And one day, they don't exist. And then poof. 

Alex Mycroft: And then poof into existence? 

Jim: Yeah, poof. All of a sudden, everyone knows about them. The only logical explanation is that all of these new technologies, these new currencies are fueled by that origin point of each of these - the souls of the innocent stolen all those years ago. 

Alex Mycroft: Interesting theory that your friend Carl... 

Jim: Oh, he's not my friend - just a guy I overheard talking about it. 

Alex Mycroft: And thanks for the call, Jim. We're going to have to move on. Interesting theory that this Carl has, ladies and gentlemen. We'll have to look into it. Let's go to a break. 

Alex Mycroft [reading advertisement copy]: Dark Streamers — Have I got a deal for you. If you’ve been wondering what to get for that special loved one on your list who’s notoriously hard to buy for… well, you can stop the search right now. I’ve got the perfect gift. It’s gift of knowledge, wisdom, and skepticism. Yes — that’s right — teach your loved one about the dangers lurking online, in their inbox, and even invading their favorite messaging app. Yeah. You can tell them about the danger, show them how to spot the red flags, and then… teach them to slow the f*** down. They’ll thank you for it. This message was brought to you by this station, and the foundation for a safer Internet. Thank you.

Alex Mycroft: And we're back. Marvin, who do we have next? 

Marvin: Next up is Maxie Reynolds on line eight. 

Alex Mycroft: OK, we've got Maxie. 

Marvin: Oh, and stand by for some background. I just found something interesting. 

Alex Mycroft: OK, line eight, put her through. Hello, Maxie. 

Maxie Reynolds: My name is Maxie Reynolds. 

Alex Mycroft: My producer, Marvin, just sent me a note that says, you've written a book, the title of which is "Art of Attack: Attacker Mindset for Security Professionals." So, Maxie, you specialize in attacking organizations. 

Maxie Reynolds: Yeah. 

Alex Mycroft: OK. I'm wondering, then, if you can help me with something. I recently got a terrible case of food poisoning from a late-night indulgence in gas station chili dogs. I'd like to take vengeance on the chef. Can you show me maybe how I can case the joint? 

Maxie Reynolds: That's a very interesting question because it feels like you're inside of my head. 

Alex Mycroft: Maybe we can treat it like one of those bank heist movies. Do you know where we might be able to get some documentation on the building and how we could break in? 

Maxie Reynolds: So blueprints are often available online, especially older ones. 

Alex Mycroft: Yeah, this place is ancient. So maybe you can give us some advice related to how you do physical pin testing that would help me understand how we can get into this place and help our listeners understand what physical pin testing is all about and some of the things to consider. 

Maxie Reynolds: There are jobs where the actual physical architecture needs tested. You need to know how much damage you can do to a building. Some clients won't let you - will not let you lock-pick because as you lock-pick, you're damaging a lock. And some people don't care. Some people don't care if you cut a hole in their window to get in. And often you can see correlation between what they are protecting and what they will allow you to do. So the higher the stakes, sometimes the more allowance you're given. So, hey, if you can get in through the chimney, go in through the chimney, whereas other clients who just want their defenses tested and for no asset-centric reason - so it's not because they are protecting one item, one asset, one, you know - or some IP in there. They just want to have an understanding of their threat landscape. They will say to you, hey, no, like, just come in through the door; exits, entrances are allowed to you. Please don't use the windows. Please don't use underground tunnels. 

Alex Mycroft: Underground tunnels. Color me intrigued. Can you tell me a little bit more? Because that sounds like it's a plausible way in. 

Maxie Reynolds: So Los Angeles is an interesting city, and it's interesting to think of it through the lens of attacker mindset because it's heavily policed from the air because it's so flat and so huge. There are intricate tunnels throughout the whole of Los Angeles. And if you have an understanding of them, you could - I'm not saying I will, but you could essentially get down there, take, like, quad bike and make your way towards the bank that you wanted to rob and drill up through it. 

Alex Mycroft: To be clear, I never said anything about robbing a bank, but that would keep me stocked in chili dogs. So tell me more. 

Maxie Reynolds: If you wanted to, they're unpoliced. They're unknown to most people, but they exist. 

Alex Mycroft: Maxie, I got to tell you, I love the idea about these tunnels, but I'm not big on the idea of walking long distances. What do you say about the idea of me getting a couple Segways to take down into those tunnels? 

Maxie Reynolds: (Laughter) Segways - that would be epic. I would deserve sort of notoriety if I robbed a bank on a Segway (laughter). That would be amazing. 

Alex Mycroft: So Segways it is. I'll have somebody set that up. We're going to have to move on to another caller in just a minute. But before we do so, I've got a note here that says your book was optioned by Netflix to turn into a movie. So here's my question to you - if someone were to make a movie out of your life, what would the opening scene be? 

Maxie Reynolds: I think I would - to start a movie off, I would pick the time I was arrested for being a Russian spy. Obviously, that's not true. It would be a good opening to a movie because hacking is very of the now. We're watching it on TV, whereas, you know, we couldn't really pull people in with just looking at screens before whereas now hacking is very sexy, so to speak. So a movie where I am seen turning off a city's water supply, which was an idiot move, but it happened. I turned off a whole city's water supply by accident. I worked with these people who were just brilliant pen testers and, like, their fingers moved quicker than my eyes could take in. They let me - I don't know why - they let me pen test - network pen test a city, like, the government, a small city government in Australia. And I turned off the whole city's water for a short, short time. And then we were on premises doing this, and I got arrested or detained by them. 

Maxie Reynolds: And then they were calling the Australian police. And I was, like, saying, well, if you let me go home and get my passport, I can sort of prove this. And they were like, why would we let you go home? It's, like - I don't know. And then at some point in there, which it would be maybe some comic relief, I asked for a glass of water 'cause I was getting - my throat was getting drier and drier as the interview went on. So - and yeah, so I was going to go to Australian prison. So that lasted a couple of hours, actually. And then, eventually, I was let go 'cause they got in touch with my employer at the time who was not that impressed with my work for the day. 

Alex Mycroft: So I've been hearing you talk for a while, and nothing that I hear from your voice sounds Russian to me. Where did they come up with that theory? 

Maxie Reynolds: That's a great question (laughter). So I think for two reasons - one, if you squint your eyes and moved very far away from me, I look a little Russian. And also, I had tried to make my IP look as if it wasn't internal to Australia, which, by the way, I was not supposed to do. But Scope was alien to me at that point in time. I worked for this large company, and I just thought, it'll be fine. The company knows, and the government, like... 

Alex Mycroft: And so these government agents were then listening to your accent and believing that it was fake the entire time. 

Maxie Reynolds: Yeah, they were like, you can drop the accent. And I was thinking, I wish I could drop this accent. That'd be great. But - like, more than 10% of the world would understand me. But yeah, it was a very, very interesting time. 

Alex Mycroft: All right, Maxie, thank you so much. We're going to have to let you go. We've got a ton of other people waiting on the line to speak to us tonight. But first, we need to go to a break. 

STATION ANNOUNCER: The Dark Stream will return after these messages. 

Perry Carpenter: We'll be right back after the break. 

STATION ANNOUNCER: Watch out, you've stepped back into The Dark Stream. 

Alex Mycroft: Welcome back to The Dark Stream. Let's get straight back to the phones. Marvin, who do we have? 

Marvin: OK, Alex. Next up, we've got Janice. And a quick word of warning - she sounds a bit, let's just say, agitated. 

Alex Mycroft: OK, send her through. Welcome, Janice. 

Janice: Hello. 

Alex Mycroft: Hi, Janice. 

Janice: Hello. 

Alex Mycroft: Hello. 

Janice: Hello. 

Alex Mycroft: Line three, hello. 

Janice: Am I on the air? 

Alex Mycroft: Yeah, you're on, Janice. 

Janice: Oh, so I'm on now. 

Alex Mycroft: Yes. Hello, caller. What brings you to our fine corner of radioland tonight? 

Janice: I'm so glad I made it on. You know, I've been calling every night for the past three weeks, and this is the first time I've made it through. You're very popular. 

Alex Mycroft: Well, thank you, Janice. I am but a humble servant of the cosmos. 

Janice: But anyways, I didn't call to blow smoke up your a**. 

Alex Mycroft: Well, Janice, I can tell you that my nether cheeks are fine and smoke-free in any regard. Smooth as a baby's... 

Janice: Shut up, Alex. I'm here to expose the truth. 

Alex Mycroft: And what truth is that? This entire show is about seeking the truth. 

Janice: The truth that you, sir, are a fraud. 

Alex Mycroft: What, ma'am, are you talking about? 

Janice: I mean, parading around with that pompous name, Alex Mycroft. 

Alex Mycroft: That is my name, and I'll... 

Janice: Who do you think you are, Sherlock's brother? Are you a big man with a big brain on a big mission? Or are you compensating... 

Alex Mycroft: Hey. 

Janice: ...For something? 

Alex Mycroft: Alex Mycroft is my real name. 

Janice: So fake. 

Alex Mycroft: Not fake. 

Janice: Zip it, radioman. You know, you always say the truth is out there, hidden deep in the nether orifices of the interweb. So do your own research. Well, guess what, mister? I did my own research, and Alex Mycroft isn't your name. 

Alex Mycroft: Hey. 

Janice: Up until three years ago, you were flipping burgers at the Mr. Greasy off of Ninth and Carolina. 

Alex Mycroft: Not true. 

Janice: And your name is... 

Alex Mycroft: No. 

Janice: Oh, I'm going to say it. 

Alex Mycroft: Don't say it. 

Janice: Going to say it. 

Alex Mycroft: Don't say it. 

Janice: The truth deserves to be free. Alex Mycroft's real name is... 

Marvin: Sorry about that one, Alex. Not sure how they got through. 

Alex Mycroft: That's OK, Marvin. I'm just a bit rattled. But who do we have next? 

Marvin: We've got Chris - Chris Hadnagy. 

Alex Mycroft: Looks like we've got Chris. OK, Chris. Tell us a little bit about yourself. 

Chris Hadnagy: Oh, boy, I don't know. I'm Chris Hadnagy. I do know that part. Let's see. I'm the CEO of Social-Engineer, LLC, as well as Innocent Lives Foundation. 

Alex Mycroft: Oh, interesting. And how do you like to be referred to? 

Chris Hadnagy: To refer to me? Chief human hacker - that's my title. 

Alex Mycroft: Really? That sounds messy. I wouldn't think that the CEO would be involved in the dirty work that much. 

Chris Hadnagy: (Laughter). 

Alex Mycroft: So, Chris, with a company name like Social-Engineer, I'm guessing you're an expert on human nature in some kind of way. Can you give our listeners an example of how you've made that work for you in real life? What does this look like? 

Chris Hadnagy: Yeah. So I'll give you one that is in my - it's in my new book. But to me, this was one of the pivotal moments for me where I realized that you can use SE outside of security. 

Alex Mycroft: And by SE, you mean social engineering. 

Chris Hadnagy: So my family and I, my wife, my daughter and I - we were in London. And we were in the U.K., of course, pre-COVID times. And we were there to help some friends that were going through a hard time. And we went over, did a little holiday, but then we had some time with them. So we arrive at LHR, Heathrow Airport, to fly home. And I have this luggage cart, what they call a trolley, and it's filled with luggage. And I'm wheeling it up to the counter at the Virgin Atlantic, you know, economy. That's where - that's how we could fly. And I hit this little bump on the tile, and all of my bags spill over. 

Alex Mycroft: I once had the same thing happen walking through the Mall of America with a wheelbarrow full of yak manure, but that's a story for another night. 

Chris Hadnagy: Everybody turns. And I'm one of those guys that, like - when I get embarrassed, instead of just, like, not saying anything, I usually call it out. So, like, dumb American had an accident on the M5. And that's one of the highways in the U.K., right? So everybody laughs. But one of the ladies behind the counter looked directly at me and laughed. And I said to my wife, let's go to her counter because she's in a good mood. Now, I wasn't thinking of SE at the time. I was just like, I want to get a nice person. Usually people behind counters at airlines are stressed and frustrated. And she looked very refreshed, like maybe she had just started her shift. 

Chris Hadnagy: So we go up to the counter, and this is not planned. My wife just starts complimenting her on her makeup. If you ever flown Virgin Atlantic, they have these beautiful colors - purples and pinks and blues. And she has a scarf on, and she had matched her makeup to the scarf. And my wife is big into makeup, so she's complimenting this woman. Oh, my gosh, it must have taken you hours to do that. That's so beautiful. That scarf is so wonderful. And this woman's smile is so big that her face is almost cracking open, right? 

Chris Hadnagy: Like, and now I'm seeing this, and I'm thinking, oh, wait. Like, I start thinking like a social engineer. I'm like, maybe we can utilize this. Now I've started thinking. Now, I got to be ethical - right? - because this happened for, like, five minutes. My wife was complimenting. I'm not even getting anywhere with our luggage. They're just talking about makeup. I can almost see the oxytocin, like, dripping from this woman's nose, you know? That's how much it's flowing. 

Alex Mycroft: Are you sure that this woman wasn't sick? Maybe that was a flu or a heavy cold. 

Chris Hadnagy: I lean in, and I put my arm around my wife. And I - and this was the ethical part. I say, we probably can't afford it because we're all the way in economy. But I'm wondering, is there any path for us to get upgrades? Like, I've never even flown first class. But, like, is there any path to even go up to premium economy? And she doesn't even look at me. She looks straight at my wife. She goes, let me see what I can do. She types, types, types, types, types, types. Now, I'm expecting her to come back with a price, right? I did not expect this to happen. 

Chris Hadnagy: She hits a button. She prints out three tickets. She goes, this is for you. And there's three first-class tickets on Virgin Atlantic. And she goes, and you have passes to the lounge. So you have three hours before the flight. Go. And I was like, oh, man. We can't - I don't even know the price. We can't probably afford that. Like, what is the cost? She goes - she looks not even at me again, directly to my wife. And she goes, this is for you. I want you guys to have a good trip home. And she hands it to us. 

Chris Hadnagy: So now we thank her, right? Now we're walking away, and my wife was like, holy mackerel. That was amazing. What happened? And I'm, like, scientifically analyzing all of the things, right? And I sat - we went through the gate. We went to the lounge. I sat down with a piece of paper, and I wrote it all down. And I said to my wife - I said, we need to try this again. We tried it six more times, and it worked four out of six. Now, the key for us is that, because my wife is integral in this process and because she cannot lie - she is such a horrible liar that she has to have a real reason to validate the person. And the two times it didn't work, we really had an angry person behind the counter that just was angry in the face and looked disheveled. And my wife couldn't muster up the compliment. 

Alex Mycroft: Oh, interesting. Maybe your wife could leverage that by complimenting the grumpiness. 

Chris Hadnagy: Yeah, yeah. But when she could, it worked four out of six times that we got either - we got very cheap upgrades, or we got free upgrades by using the same exact process. And the key for me in the ethics was giving them the choice. So instead of locking (ph), what I could have done with that woman is I could have said, look. We've had such a long trip. And we were here for a funeral, and we're all so tired. Can you please help us with an upgrade? And that guilt may have caused her to not want to upset her new best friend, my wife, right? 

Chris Hadnagy: But by saying, look; can you just tell me what the price is; we probably can't afford it, she now had an out. She could have said, oh, yeah, these are $11,000 tickets, you know? And I would've went, ooh, sorry, no. We can't afford that. And she would have had an easy out. But by giving her that out, she gets to make the choice. Do I want to help them or not? And that experience said, wait. These skills that I have from work could be used in unbelievable everyday ways. And I started to just write down these things, these stories, all these - I would try them at restaurants, at car rentals, at different places, and I would write it down. And that became the book. That became "Human Hacking." 

Alex Mycroft: OK, Chris. Thanks so much for sharing that story. We're going to move on to our next caller now. Marv, who do we have? 

Marvin: Next up, Dan on line four. He seems a bit tired, so take it easy on him, Alex. 

Alex Mycroft: OK. Put him through. Dan, are you there? Hello? 

Dan: Oh, yeah, sorry. I was just playing with my new kitten. 

Alex Mycroft: You have a new kitten. What is this new feline infant's name? 

Dan: Her name is Log4j. Yeah, she's a newborn. 

Alex Mycroft: Log4j. That's such a strange name. Where did that come from? 

Dan: Well, I've named her after the latest vulnerability that I've been having to respond to. In fact, I've named all my pets after big vulnerabilities or incidents. You see; I'm a cat dad, and seeing my little cute cat and kittens, babies, scurry and prance around the house reminds me what life is all about, you know? 

Alex Mycroft: Sounds like a cute, albeit chaotic, scene you have going on there, but I'm not sure I get it. Can you elaborate some? 

Dan: Oh, yeah, man. When I look at little Equifax over there, I'm reminded of how powerful people will pass the buck and blame the little guy. When I watch little SolarWinds prance and play, I think about how much faith we put into the supply chain and how we don't really know what threats might lay in wait. And when I watch Heartbleed, Spectre and Meltdown all cuddled up in their little cat beds, I remember the value of something as simple as a good night's sleep. 

Alex Mycroft: Yeah. Sleep is good. 

Dan: And with little Log4j... 

Alex Mycroft: Yeah. 

Dan: Have you ever been woken up by a kitten deciding that it's time to play? Let me tell you, it [expletive] hurts. I mean, those claws, they're like little needles, sharp fish hooks piercing your skin, embedding themselves in the soles of your feet or the sensitive, flabby parts of your... 

Alex Mycroft: OK, OK, I get it. 

Dan: Ouch. Ow. 

Alex Mycroft: Dan, are you OK? Dan? Are you OK? 

Dan: Oh, God. Stop it. Hey. 

Alex Mycroft: Are you OK, sir? 

Dan: It hurts. Alex, it hurts. 

Alex Mycroft: Are you OK, sir? 

Dan: (Crying). 

Alex Mycroft: Dan, I think we're going to have to let you go now. 

Dan: Pain, suffering. 

Alex Mycroft: Ladies and gentlemen, sadly, Dan never had the chance to tell us what he was actually calling about, but I do hope that he'll remember to treat those wounds with some good antibiotic cream. Our thoughts are with you, Dan. 

Alex Mycroft: And that brings us to the end of tonight's installment of "The Dark Stream." We'll see you tomorrow night, same time, same place. And remember, stay safe out there. 

STATION ANNOUNCER: You've been listening to "The Dark Stream." 

Marvin: And we're out. Great show, Alex. 

Perry Carpenter: And this is regular old Perry Carpenter again. I hope that you enjoyed this episode. It was a lot of fun to put together. And this is the part of the show where I would usually summarize some of the main points that we covered and add some additional closing thoughts. I'm not going to do that today, but what I do want to offer is some encouragement and support for all the folks that are out there working to remediate the Log4j vulnerability in their organizations, along with the many, many other critical situations that you've worked in the past and no doubt will be called upon to work in the future. Thank you so much. Many of you have been working around the clock and giving up time with your families while dealing with this latest example of how quickly an issue can go from being unknown and lying dormant to being discovered to being actively discussed to being widely exploited and becoming a crisis situation. And then you're brought in to deal with the fallout, and it's this situation in the middle of a holiday season at the nearly two-year mark of a global pandemic. That's a lot to deal with physically and emotionally. And I just want to say a sincere thank you. Thank you for all that you're doing, all your training, all your hard work, all your sacrifice and all that you will continue to do. You are needed. Thank you so much. 

Perry Carpenter: And with that, thank you so much for listening, and thank you to my guests, Rachel Tobac, Maxie Reynolds and Chris Hadnagy. As I mentioned earlier, these interview segments were unused clips from guests who had appeared on previous episodes. If you want to check out those episodes, head over to Episode 4, which is "Deceptionology 101" and that has interviews with Rachel and Chris. And then go over to Episode 6, "Embrace an Attacker Mindset to Improve Security" for Maxie's interview. If you've been enjoying "8th Layer Insights" and you want to know how to make the show successful, there are two big ways that you can do that, and both are super important. First, if you haven't yet, go ahead and take just a couple seconds to give us five stars and leave a short review on Apple Podcasts, Spotify or any other podcast platform that allows you to do so. That helps others who stumble upon the show have the confidence that this show is worth their most valuable resource - their time. 

Perry Carpenter: The second big way that you can help is by telling someone about the show. Word-of-mouth referrals are priceless. They are really the lifeblood of helping people find good podcasts. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. And if you want to connect with me, feel free to do so. You can reach out to me on LinkedIn, Twitter, Instagram or Clubhouse. I would love to connect with you. 

Perry Carpenter: The show was written, recorded, sound designed and edited by me, Perry Carpenter, and today's show also featured the voice talents of Rich Daigle (aka Mouth Almighty) and Sarah McQuiggan. Episode artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcus Moscat. Until next time, I'm Perry Carpenter signing off.

8th Layer Insights
Podcast Info
HOST(S):
Perry Carpenter
Perry Carpenter currently serves as Chief Evangelist and Strategy Officer for KnowBe4, the world's most popular security awareness and simulated phishing platform. He's an award-winning author, security researcher, and behavior science enthusiast. Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner, in addition to covering areas of IAM strategy, CISO Program Management mentoring, and Technology Service Provider success strategies.
Schedule: Tuesdays (biweekly)
Creator: Perry Carpenter
ADVERTISEMENT
KnowBe4
KnowBe4

What really makes a “strong” password? And why are your end-users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods? Password complexity, length, and rotation requirements are the bane of your end-user experience and literally the cause of thousands of data breaches. But it doesn't have to be that way! Join Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, for a live webinar to find out what your password policy should be and learn about the common mistakes organizations make when creating password policy. Register today.