How to Fool The White House -- A conversation with James Linton (aka The Email Prankster)
Perry Carpenter: Hi, I'm Perry Carpenter, and you're listening to "8th Layer Insights." Here's a fundamental truth about anything related to technology, infrastructure or really anything that we create - if we make something, someone else will come along and find ways to misuse the thing that we create, or they'll find ways to use it in unexpected ways. I've talked about the law of unintended consequences before. It's something that we struggle with across lots of areas of life. And in the field of cybersecurity, one of the biggest areas where we see the law of unintended consequences at work is with our email. When you think about it, we've created an amazing infrastructure that connects people around the world. It helps scientists share research, families stay in touch and, in many ways, email is the backbone of how businesses communicate. But with all of that comes the unintended consequences. We face a constant tidal wave of spam and advertisements and newsletters and online harassment and, yeah, phishing. Phishing has become the attack vector of choice for cybercriminals because it works. There are inherent flaws in how our current email infrastructure was designed, and these flaws make it pretty easy to impersonate someone or hide something nefarious within a message, and it's easy to play with emotional triggers that will get people to act without thinking rationally.
Perry Carpenter: One person who knows quite a bit about this is James Linton, also known as the Email Prankster. On today's show, I'll be talking with James about his time exploiting some of these fundamental flaws. We'll get into all the whos, the whats, the whens, the whys, the hows and a lot more. Let's dive in.
(SOUNDBITE OF MONTAGE)
Stephen Colbert: We just learned a prankster tricked White House officials into replying to his emails.
Leo Laporte: There's a guy from the U.K., and he calls himself Email Prankster...
Jimmy Kimmel: An anonymous man who lives, I guess, in the U.K. He tweets under the name @Sinon_Reborn. He describes himself as an email prankster.
Leo Laporte: ...Who has had email conversations with Anthony Scaramucci before he got fired.
Unidentified Person #2: A prankster has tricked White House officials and others, including the former communications director, Anthony Scaramucci.
Leo Laporte: That wouldn't be a weird thing, except he was posing as Reince Priebus.
Unidentified Person #3: The self-described Email Prankster who has fooled a number of White House officials and bank executives, whose exploits we've told you about before, has now apparently fooled both Harvey Weinstein himself and his now former adviser, Lisa Bloom.
Leo Laporte: He has sent emails to Tom Bossert, Eric Trump. He has posed as Jared Kushner. The Homeland Security adviser said he thought it was - he was talking with Jared Kushner. It wasn't. It was this prankster. He gave him his personal email address saying, Jared, any time you need me, just email me at home. This is the guy in charge of the cyber - of our security.
Unidentified Person #4: Yeah.
James Linton: I once got head of Homeland Security to accept an invite to a party. I was Jared Kushner at the time. We haven't stayed in touch.
Perry Carpenter: On today's show - my discussion with James Linton. We'll talk about what led up to him deciding to take a virtual joyride, exploiting the fundamental flaws in how people interact with email - what he did, who he pranked, and what he's learned about human nature and himself. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights," Season 2, Episode 5. I'm Perry Carpenter. We'll be right back after this message.
Perry Carpenter: If you've been listening to the show for a while, you'll know that I usually like to dedicate each show to a specific theme and interview multiple experts to help flesh out the topic. But each season, I also want to make time to dedicate an episode or two for an in-depth discussion with just one person, and this is one of those times. My guest today is James Linton. But before we get into the interview, I need to help set the stage with a story - not one I want to tell, but one I kind of need to tell because it relates so much to the themes that come out in James' interview.
Perry Carpenter: So my teenage years were in the '80s and early '90s, back when most online activity was through dial-up modems, using individual services like AOL, CompuServe or bulletin board systems. And even back before caller ID was a thing on everybody's telephones. And every house had a big, thick phone book sitting right next to their telephone. As you can imagine, that made prank calling a pretty easy thing to get away with.
Perry Carpenter: And now, if you've ever seen me in real life, you'll know that I'm not the kind of person who spends a lot of time outdoors in the summer. I'm extremely fair complected. And I can get sunburned just by walking across a parking lot. So when you look at the ingredients that I just mentioned - the early age of online technologies, pre-caller ID with phones, a bored teenager in the summer who needs to stay indoors - and you might get an idea of where things could go. Luckily, I never got in big trouble for some of the things that I tried, and I never caused any kind of damage. But I did have that magical mixture of boredom and curiosity that all too often turns toxic.
Perry Carpenter: I remember one of the prank calls that I used to do was I would set up recordings of an office environment behind me, along with typing and phones ringing and the murmur of conversations. And then I'd open up that magic book - the phone book - that, of course, gave me a listing of people's names, their phone numbers and their home address. I'd pick a name and dial.
(SOUNDBITE OF TOUCH-TONE PHONE DIALING)
Unidentified Person #5: Hello?
Perry Carpenter: When somebody answered, I'd identify myself as an employee of the National Earthquake Research Center, which, to my knowledge, isn't a real thing. It just sounds like a real thing. Then using the phone book, I'd be able to ask for someone by name, and I'd have that person confirm that they lived at the address listed. And after they confirmed, I'd say, wow, I'm really glad that I managed to reach you because, you see, we've been monitoring a fault line that runs beneath your property, and our instruments indicate that a sizable earthquake is imminent within the next 24 hours. We recommend that you evacuate. Yeah. That always led to some interesting conversations.
Perry Carpenter: I also did similar things on old-school bulletin board systems, where I learned a few tricks that allowed me to send system messages where it looked like the admin or the BBS owner would open up a console within the system and begin directly communicating with the end user. Luckily, when the BBS owner found out about that, he didn't ban me or report me to anyone. Instead, he asked how I did it, and I showed him. And then he gave me some mentorship on other aspects of the board. So he kind of brought me under his wing a little bit and satisfied my curiosity that way. And I think a lot of us who love technology and were curious and grew up during that time did very similar things when that combination of curiosity and boredom hit.
Perry Carpenter: On today's show, you'll hear some echoes of that theme as I sit down with James Linton, who not too long ago, just back in 2017, gained international notoriety as The Email Prankster for a string of widely publicized activity targeting high-powered individuals, from bank officials to celebrities to political figures. James' story has a lot of nuance, and I don't want you to miss that, so I'm keeping editing to a minimum. Let's hear from James.
James Linton: So I have to say kind of, hi, I'm James Linton, that kind of thing.
Perry Carpenter: Yeah.
James Linton: Yeah.
Perry Carpenter: Yeah.
James Linton: Sorry. Hi, I'm James Linton. I am a social engineer, I guess, mainly, and I explore how tech interacts with humans.
Perry Carpenter: And then let's do one more, if you're comfortable with it, and have you say your name and maybe, you know, I'm the guy that socially engineered x. Pick your favorite thing out of that.
James Linton: Yeah, yeah. Sure. Hi, I'm James Linton. I used to be known as The Email Prankster in 2017. I once got the head of Homeland Security to accept an invite to a party. I was Jared Kushner at the time. We haven't stayed in touch. But yeah, since then I've been fascinated with infosec basically and went to work in threats. And now I'm working in awareness.
Perry Carpenter: Yeah, fantastic. That's - that I think is pretty good.
James Linton: Yeah. I always forget to give it some jazz hands. I'm very bad at kind of...
Perry Carpenter: Yeah. You got to be your own PR person a little bit. Why don't we get into it then? I'm going to ask you a strange question. If somebody were to come in and make a documentary or a movie about your life, what would that opening scene look like?
James Linton: Interesting. Now, would we start in the future - beyond now? I think in a weird way, with the benefit of hindsight, I think it would start at the end of - what? - sixth form in the U.K., as people are starting to move on to university. Although I didn't know it at the time, I was autistic. I really struggled to kind of disconnect from school life and having - you know, living in a village with my family and things like that. There was a sort of resistance to being able to move on and do the university thing, I guess. And I was really quite jealous of people that were going on. So I think that was quite a defining moment. I had aspirations before that that were all linked to going to university. And it was just watching those slip away a bit, I guess, but not really understanding why and not really being able to kind of course correct it, it seemed. I couldn't understand why it wasn't - I wasn't evolving at the same way as my peers, I guess.
James Linton: I was very into art. I always wanted to be a car designer when I was younger. That was - as a child. All my dad had to do was give me a ream of paper, and I'd be quiet for the next eight weeks. But I just used to draw cars endlessly. And it never wasn't going to happen that I would be a car designer. So I guess, before - as I was coming to the final years, towards the end of school, I was starting to discover graphic design. And I felt, I guess, that was less imposing. There wasn't as much maths and engineering involved in it. And I just gradually started lowering my sights as I started to hit resistance to making the leap, I guess, into young adulthood, as it was. And I went to a local college, and I stayed at home - stayed with a group of friends that hadn't gone on to university either. My expectation was to go on after that.
James Linton: But unfortunately, I was kind of in a bit of a bad way mental health-wise towards the end of my college time - actually came to quite an acute bout of psychosis, actually, which actually hospitalized me. So at that stage I was - I had nothing. I had no - I didn't have my career anymore. I didn't have a university to go to. And potentially, I was looking at never having my sanity back. And this was all pressure from not being able to understand or reconcile what was going on at the time. You know, I couldn't understand why what I wanted to happen, which I'd seen it happen to people in years above me - I couldn't understand why I couldn't replicate that. And I guess that was a struggle I had all the way up until I found out I was autistic, which was only two years ago. I'm - what? - 43 now, I think. So yeah, it's been a challenging period of my life from then until more recently. But yeah, there's always been a few hurdles to get over, shall we say.
Perry Carpenter: Yeah.
James Linton: But I wouldn't - you know, I've got no regrets, to be perfectly honest. I think I've had an interesting life, if nothing else.
Perry Carpenter: James' late-in-life diagnosis for autism really resonates with me because I was also diagnosed with autism in my early 40s. I had always known that the way I had interacted with the world and processed social situations was slightly different. And I had seen many different depictions of autism in books and on TV and in movies. But it only hit home with me that I may actually be autistic when I was reading a book called "The Journal of Best Practices." It's a marriage and relationship book written by an autistic man that was trying to uncover the secrets of the way that relationships work, and specifically his relationship with his wife. And as he would explain his mindset and give examples of how he thought about and approached situations, I kept thinking, that's just like me. And that realization led me to find a qualified diagnostician. And then long story short, I ended up with a diagnostic confirmation that I'm autistic.
Perry Carpenter: There are certainly a lot of myths and misconceptions and misinformation and even more when it comes to neurodiversity. And today's show is not the venue to discuss those. But if you want to learn more about my personal journey with autism, I'll put a link in the show notes to a talk that I gave at DEF CON a few years ago, as well as at least a podcast or two where I've discussed it. OK, let's get back to James.
James Linton: But I wouldn't - you know, I've got no regrets, to be perfectly honest. I think I've had an interesting life, if nothing else.
Perry Carpenter: You definitely have had an interesting life. I want to ask one other question. So if you were just diagnosed two years ago and had all of that intervening time, what fell into place, or what was your reaction whenever you finally got the diagnosis? What led up to you getting it? And then what was your reaction when you heard the news?
James Linton: What kind of led up to it was I really - maybe six, seven years ago, when I met my current girlfriend, then I really tried to bring to a close my fluctuating mental health. I'd had various diagnoses and things like that. I had a very good doctor. But it was actually a point where I switched to a different doctor. He was more into doing the kind of DSM-5 kind of questions and stuff like that, and he actually snuck in a page which was on autism. And I was speaking to him. And he goes, a lot of this does point towards you being autistic. And it was crazy in a way because I had speculated so many times because when I was given a diagnosis that wasn't correct, I'd feel settled for a day or two, but then I'd just kind of know that it didn't fit.
James Linton: And that kind of - it feeling such a personal and such a unique illness that only I could see was, you know, really quite isolating, I guess, in some ways. So to find out that, actually, no, you are autistic; it's not this one-off thing that's just concocted in your head just for you, you know. And that brought a load of relief. All the things that I've been trying to change in my life I realize were probably fairly hard-set. They were things that I may never be very good at. So I started to go easier on myself, I guess, and not think, oh, you know, why couldn't I walk in front of everyone and take the top of a champagne bottle off with a sword and (laughter) all these kind of weird things that...
Perry Carpenter: Yeah.
James Linton: ...Growing up during the '80s, you know, all the action films and stuff. That was what I was kind of soaking up, I guess, and what I thought, you know, I could take parts of that and use it in my life. And I just found that certain things are really tricky, and I couldn't figure out why that was, I guess.
Perry Carpenter: Yeah. So it seems like you had heard of autism before and seen some examples of neurodivergence and potentially thought of yourself in that category. Is that - did I hear that right?
James Linton: Yeah, definitely. As soon as he mentioned it, me and my girlfriend looked at each other and it seemed so obvious all of a sudden. And I was hopeful that finally that the search and the wondering was over. And then little things would pop in my head like, hang on a minute, you've owned three Golf GTIs in a row, which were the same model but obviously one - slightly new ones. You're not exactly really straying with variety there, are you, James? And all these little events in my life, and suddenly I could view them more compassionately on why I struggled in that situation. You know, if I was in a really busy room at Christmas and I went off and had sort of a lie down, I was drained, and that makes sense now and I can manage that. But yeah, it didn't change my life. It just gave me some idea of the places where I should focus and of areas where I needed to look after myself a bit more.
Perry Carpenter: Yeah. And so this diagnosis came after the Email Prankster...
James Linton: Yeah.
Perry Carpenter: ...Part of your life. Did some puzzle pieces come together then?
James Linton: I guess I've always had a very obsessive nature towards things that I really got a lot of enjoyment from. And definitely the pranks I was doing became a bit of an obsession. I mean, nobody's beaten it since or even attempted it because it would be also madness to try and trick that many people one after the other in such a short period. Well, I kind of think it was - at the time, my personal circumstances put pressure on me, and that, in a way, I think was a bit of escapism, a bit of a cry for help. And also it was good for me because it felt good to be good at something. People were sitting up and taking notice.
Perry Carpenter: Yeah. So walk me up to the time that you wrote the first email. What was that initial spark that made you say, I really want to see if I can get away with this? And then how did you put it together?
James Linton: I did a kind of proof of concept at first, and this was at work. This was me pretending, essentially, to be my CEO and to give account handlers at work - a few got a secret mission, a few were told they were going to represent the company at the inter-company games, there'd be a swimming contest and stuff. That one really backfired on me, and this is - do not pretend to be somebody when you're in the same building as them. This prank had kind of - had said, you know, congratulations, we're going to send you off to - I think it was in the Middle East somewhere to do this inter-company games. And he was a fairly new starter, but I did have a stooge that was kind of on the chat and she was going, ha, ha, yeah, he's fallen for it. So I was basking in my glory at being such an amazing social engineer. I didn't even know what social engineer was back then. I just thought I'd been a wise-a**, I guess.
James Linton: And then I turn in my chair, obviously smiling away, and I saw him walking towards my CEO and my insides tried to become my outside. It was a hugely stressful moment. It was kind of a mixture of adrenaline. I think the body was just trying to pass out so it could be carried out in the situation. But he went walking right up to my CEO and I was being hugely interested but trying not to show that I was hugely interested. I could see my CEO looking up from his desk kind of very quizzically. Obviously, you would be if somebody was coming to, as I found out, to thank him for the opportunity. Luckily, I kind of managed to bluff it as he was walking off from the CEO afterwards completely dumbfounded. I heard the CEO say, send me a copy of it, and I kind of jumped in at that point and said, oh, I'll send it over to you because I knew if he forwarded it to the CEO, he'd find out I'd actually created an email address in his name. It wasn't just some prank that didn't have some infrastructure. I'd actually gone to the trouble of making this Gmail account.
James Linton: So that was the genesis. That was where I realized the kind of power you could have with it and how much trust people had. And after that particular point - I'd done other things at work as well, but after that, I thought, you know, this is getting a bit too much of a white-knuckle ride. Let's call it a day. Cue two months later, I had a bit of a falling out with my High Street bank. We went through the various ways that we could both put our case forward and, you know, the bank won. And, you know, I couldn't argue with that. All ways to question that were - had reached an end. And then I was just watching Netflix on my bed one day, and I saw it's the AGM of this particular bank.
Perry Carpenter: AGM stands for annual general meeting. It's really just the annual shareholders meeting. Shareholders with voting rights come to vote on issues like who gets appointed to the board or different directions that the company or the bank will take, executive compensation, dividend payments, all of those kind of things.
James Linton: And it'd been a bit of a tough AGM. And I only kind of glanced through the story. I could see that the chairman was there, and he'd said some words, and, you know, it sounded like it was a bit of a tense time. And I don't know the exact moment I decided to do it, but all of a sudden, it seemed like the best idea in the world to pretend to be the chairman and to have maybe a bit of a laugh with the CEO, to trick him. And this was 8 o'clock in the evening. So I'm there trying to kind of imagine what the scenario would be if I was the CEO of a bank. And this is where I'm stretching a bit because I've - you know, I'm not a CEO. I've never worked in a bank. I've never had an AGM. I kind of was conjuring up these very caricature-ish images of them both sat there with these - their whiskey glasses in, you know, a very darkened club or something or have they just gone their separate ways? I wasn't to know. I thought no harm in sending an email. Surely, nobody's been arrested for kind of just sending a fake email. So I thought, well, what would a chairman say?
James Linton: And a chairman was chosen on purpose because obviously I'd chosen the CEO at work because of the dynamics there. You know, I got to - not abuse, but I got to borrow a CEO's power over the people who he's contacting, that kind of dynamic. So if you're contacting a CEO, I struggled to think how I could do it. And I thought, well, if I go for a chairman, that probably means I can get away with language that's a bit more effusive and doesn't have to be any - you know, I can maybe speak in riddles. I was kind of going off bits of films I'd seen, (laughter) all this other stuff. Obviously, this was early days. So I hadn't even had a chance to kind of try out different tactics, I guess, and different ways of trying to encourage trust. But I quickly decided the premise of what I wanted to say was, tough day but I'm by your side type thing. I thought, that's a chairman-y thing to say.
Perry Carpenter: Yeah.
James Linton: So I Googled Latin phrases, quickly looked down them to see which one I could pick for a subject line. Because I thought a bit of Latin - that's probably going to add a bit of credence to it. And I picked out a detail from the news story, which was somebody who'd heckled the CEO at the actual event. I thought, well, that's a kind of hyper-personalized bit of information. So I just dropped in the name and made a reference to how brusque he was, and then hit send and then sat back. And by now, my girlfriend had noticed that I was up to no good.
Perry Carpenter: (Laughter).
James Linton: Her radar was on, I guess. And she's like, what are you up to? (Laughter) I'm sure she said, your heart rate's gone right up. And I just said I was just doing something. You know, nothing to worry about. I'll explain after. And she was fine with that. And I put my phone down. And then I saw that - the screen light up. And this was quite quick. This was less than two minutes, I would say. So I could kind of guess that it lighting up was associated with me just sending out that email. I thought, oh, it might be a bounce-back. Because this is the first time I'd ever tried to contact the CEO of a bank. I didn't know if they - you know, what systems they had. My kind of view on security at the time was minimal. It was less than average, I would say. So I just presumed that banks would have things that stopped this. I didn't know what they would be, but I just presumed they would be there.
James Linton: But I read the reply, and I had to take an instant judgment. I thought, no, he's got no benefit of saying this to me if he doesn't believe it's me. He just would have not replied or he would have said maybe something not so nice. And that was the exciting bit then. That was the kind of thinking by the seat of your pants and trying to realize that I've got that bit of trust and knowing that I wanted to take it in a bit of a weird direction because that would make me happy. Because, you know, if I just asked him to print something out, to print a number 54, you know, that's not really going to be enough for me. I sort of wanted him to accept that I was saying some slightly weird things or sending him poems which have acrostics down the side and stuff like that. And it was successful, I guess. And I don't think he knew until the next day when I emailed him as myself, and I made a reference to old Slowhand is back, I think, because he'd referenced Eric Clapton to the chairman.
James Linton: So, yeah, it was a bit of a spur-of-the-moment thing, I guess, but I did have some history on how to, you know, quickly set up a Gmail account and guess CEOs' email addresses and stuff like that. And then I wanted to share it, I guess. I wanted to - more people to say that I was really good at it, I guess (laughter). So...
Perry Carpenter: So what was his response?
James Linton: There was no response. He responded to the Financial Times's reporter, though (laughter). This is - because the next day, I set up a Twitter account - I wasn't even on Twitter at the time - as the Email Prankster. I didn't use my actual name. And I uploaded the screengrabs, and I sat back at work and, you know, I was all excited. But absolutely nothing. I didn't use a hashtag. I had no followers. I didn't really understand that you couldn't just release something, and then it would get some cadence behind it. So I thought, I'm going to give this a bit of a push.
James Linton: So I noticed a few reporters had their DMs open, so I dropped a few people screengrabs. And the guy from the Financial Times was like, is this real? And I just said, yeah. Here's the logins for the account. You can have a look. And before I knew it, that was published. And then lots of other publications started picking up on it. And I thought, you know, this is probably the most exciting thing that ever happened to me in recent time. And I guess I got very protective of that and thought, you know, how can I find the cover for doing more of this (laughter)? How can I kind of justify it? And I thought, well, you know, I need a theme, maybe. I've done one bank. Maybe I'll try another. And so then I went on to the Bank of England, and that was successful. I thought, you know, I've got to think a bit bigger now. Let's try some banks in America. I tried a few celebrities. And then I guess the culmination of that was the White House, which definitely got me noticed at work for all the wrong reasons. My computer did get sent off for forensic testing. I was sent home and temporarily suspended. I think they just worried that - you know, oh, God. If he's done this, then what else has he been downloading onto his computer?
Perry Carpenter: Right. Yeah.
James Linton: And malware and all this stuff. And, obviously, I got a clean bill of health because I wouldn't even know how to do that if I could. But I did accidentally send an email from my work account to the White House at one stage. So I guess, you know, classic insider threat - you know, somebody has a bit of a change in their life and becomes a little bit wayward with what they're sending out.
James Linton: When I was suspended, I actually drove home with the biggest smile on my face ever because I felt trapped by a job I loved but began to hate, and I knew that that bridge was burned. So in a way, that was also more of a - you know, if I was going for more of a "Thelma & Louise" start to my film - you know, they drove off a cliff, didn't they? You know, it would just be me driving off from there. And in the end, I just - you know, I resigned. Afterwards, I could see - because obviously, I was too obsessed with what I was doing - I could see why, for a company, it would be tricky. You know, if somebody is doing this stuff that is getting that much attention, it can be very polarizing with potential clients, I guess. So I fully understood that - why they got a bit worried.
Perry Carpenter: Yeah, I think that makes sense. Why don't we go back real quick? I want to have you flesh out the White House story. What led up to that? Who did you impersonate? Who did you send things to? What were the responses and so on?
James Linton: I sensed that my time was starting to be up. I'd done quite a few banks in America, and the headlines now were like, hacker is targeting CEOs of the world's biggest banks. People were getting too curious about who I was as a real person. Obviously, people around me knew that, but it hadn't actually made it out into the media yet. And they got very curious - certain publications, very curious indeed.
James Linton: So I thought, well, you know, everything that I've done - it had to be just a little bit trickier, a little bit harder than the sort of prank that I did before. I liked to try something new, try to make it more complex because it was all done on my phone - well, 99% of it, at least. None of it was sort of done on a laptop in a basement anywhere. Sometimes I was, you know, holding shopping outside the changing room, you know, while my girlfriend was trying on clothes. And I was, you know, emailing back to someone because a lot of my later pranks were based in America. So, you know, I had to make adjustments for that.
James Linton: And, yeah, I kind of thought, you know, you got to go big or go home. What would be the - and it was a very kind of James Bond look or outlook that I took on how I picked my - not victim but collaborators. You know, I even tried, like, Fort Knox and places like that. I got no reply. They must have pretty good sec, to be honest. But, yeah, I thought, you know, let's try the White House. And I actually - I was looking through some of my screengrabs the other day, and I noticed that I got a bounce back from, like, email@example.com or whatever. So I had obviously been clutching at straws at the beginning. And I kind of look back on that now (laughter) not embarrassed, but, you know, it shows the naivete I had.
James Linton: I was trying to figure out what the email would be. And occasionally, if I couldn't quite get a handle on it, I would then use Google - never any kind of invasive stuff. It was all just open-source things that anyone could get hold of. And it turned out the domain name for the White House was pretty well-published. Some roles are fairly well-shielded, but there will always be somebody there in PR or media that - you know, their addresses may be on a .PDF somewhere.
James Linton: I managed to figure out what I thought the domain was. And the president and the vice president have slightly different ones, two different offices. And I Googled who was in the administration. I knew that Trump was in power. You know, I thought, I need a bit of a cyber slant to this. I didn't hold out much chance of getting Trump's email address. There was just so many different connotations. I just gave up there. I feel like it's easier to go for somebody who's going to be a bit more of a known regular email user. And second one down was the home secure - no. Home...
Perry Carpenter: Homeland Security.
James Linton: Homeland - yes.
Perry Carpenter: Yeah.
James Linton: Oh, my God. Sorry, Tom. Tom Bossert, if you're listening - yeah, head of Homeland Security and on the Atlantic Council. And he's been in Bush's sort of things as well. So he was kind of in charge of cyber and in charge of steering safety for America. And this was a kind of thing for me that - this would be quite interesting because nobody will know more about threats than Tom. You know, can I trick him? Could he be tricked? - type of thing. And I knew that I had been able to do it with other people. I wasn't obviously asking for any login details and stuff like that, but I did think it was a kind of interesting case study to see how anyone can be kind of diffused from taking on a wary outlook to an email. So I thought, right. I'm going to be Jared Kushner. He just seemed like an interesting character (laughter).
Perry Carpenter: We'll be right back after the break.
Perry Carpenter: Welcome back.
James Linton: So I thought, right, I'm going to be Jared Kushner. He just seemed like an interesting character (laughter). There was no more reason than that. And then I put Tom Bossert's name and Jared's name into a Google news search. And kind of the first article that came up - and in a way, this was reverse - this was using the same tactic that I used with the bank to kind of look at the most - latest news article just to find this little hook, this little thing that ties the two people together. Because I found out time and time again that it's almost like a skeleton key when you can use something like that. It makes it seem such a hyper-personal email that it doesn't have any resemblance to - especially if you're not asking for anything straight out of the box.
Perry Carpenter: Yeah.
James Linton: It doesn't resemble a threat. So that always, for me, is kind of a bit of a golden touch. So I just thought, right, they've both been to Iraq. And I thought, how can I kind of work this back? I'm going to invite him to a party because I don't want to, you know, do anything that got, (laughter) you know, Homeland Security coming after me. So I thought, right, I'll invite him to a party and, you know, stick with my MO, which I had done so many times. And being in Iraq, I thought, actually, I can phrase it as the food at the party will be as good as that which we ate in Iraq. I didn't specifically say they ate together because I didn't know that they ate under the same roof or at the same table. But I knew that if they were out there, they would have had to have eaten food.
Perry Carpenter: OK. I don't want you to miss this. What James stumbled upon here is the power of both specificity and ambiguity. And he wove them together masterfully. He made the reference that they were both in Iraq. That's specificity. And then he referred to the food. And he said that the food at this upcoming party will be at least as good as what they had in Iraq. Now, James doesn't know if the food that they had in Iraq was good or bad. If the food was bad, then somebody reading the email would say, oh, this is a joke. And that would create a bonding experience between the two because it was so bad, and we like to revel with each other at how bad things are. And if the food was good, well, then it's a promise of something good to come.
James Linton: So that kind of rang true, I think. And then Tom replied. And he was up for the - (laughter) he was up for coming to the party and even sent me his personal email address if I, you know, wanted to get in touch with him again. I did actually send him an email when I did my first lot of awareness content. I was just kind of showing him, like, good things do come out of kind of slightly weird situations. I've not heard back yet...
Perry Carpenter: (Laughter).
James Linton: ...So yeah. And then Tom was the kind of - I guess he was the kind of fairy on top of the tree. But the Anthony Scaramucci one was probably the more technically tricky, I guess. And just more fun because he was angry (laughter). And Jake Tapper on CNN was like, that guy was, like, really angry. You made him really angry. And it hadn't actually occurred to me at the time. And I was actually in a bit of a bad mood when I was - (laughter). It was like method acting, but the method was me.
Perry Carpenter: Yeah.
James Linton: I was in a bit of a bad mood when I was writing the email. So I was actually quite tough. And I did find that you could be quite bold sometimes and quite gutsy. And people would sort of respond to it, I guess. It was an interesting part where Anthony - I kind of pushed him. And then he reached out to Jon Huntsman Jr., another email address. And that was me as well. I contacted him just to have some redundancy. I contacted him as Jon Huntsman Jr. as well. So I pushed him as one character. And he'd reached out - you know, same phone, but it was a different mail app - to Jon Huntsman, asking if he was around, can I have a chat? And it was that - that was the key point where I thought, hold on a minute. If, you know, somebody with a ton of money and a bank of people in a nation state somewhere is doing this, this would be scary because I'm experimenting here on my phone, watching Netflix. And I've got this administration member believing I'm two different people. So yeah, that was a real kind of dawning moment. And that was kind of the beginning of the end because my real identity got out. And it just didn't work anymore.
Perry Carpenter: Oh. Yeah. What was the pretext with Scaramucci?
James Linton: I was Reince Priebus. There's been a bit of a nickel between them. I mean, he came back at me saying to quote a fellow and things like this. And it got really confusing because it was another friend of Anthony's that - because I'd only used that email address with Anthony. And somebody else that was - I think he was some sort of publicist. He emailed me, thinking that I was Reince Priebus as well. And I was like, oh, my God. How is this happening? How has he got this, because I didn't know who he was? And then in the end, Jake Tapper ended up on there. And he's like - you know, he's - it got very confusing, anyway. And...
Perry Carpenter: Those emails were being forwarded around quite a bit then.
James Linton: Yeah, yeah. I think that's exactly what happened. I was trying to get him to say stuff on Twitter and things like that. I mean, I could get people to post GIFs and stuff. One of Donald Trump's lawyers, Michael Cohen, he posted a GIF, which was sent to him as Eric. And yeah, it was all kind of proof-of-concepts to see if it would work rather than it being, you know, horrendous (ph). To be honest, that was 2017. I would be really scared to do anything like that nowadays because things just seem to have changed. One small ripple in a pond online nowadays can have really dramatic consequences. I think that much has changed.
Perry Carpenter: To your knowledge and understanding, did anything that you did at that time break the law?
James Linton: Yeah. I mean, I had Ty Cobb, who was the White House counsel - he said it was a federal offense, I think, to impersonate an administration member or something like that. But I didn't care. To be honest, I was at that point in my life. And in a way, it was the uncashable check because I knew that they weren't really going to want to have me in a courtroom being questioned about what I'd said and the crazy things that people had taken as true. So in a way, I knew I'd built in that little bit of insurance. And never once did any law enforcement officer or anyone like that ever contact me. And I managed to get my U.S. visa afterwards as well - working visa. So they didn't put me on any kind of lists or anything.
James Linton: And the interesting thing with the White House was I did the first kind of batch of pranks, and then I went back and did some more display name deceptions about 35 days later, I think it was, just to see if it was still possible to do it. And I actually used my emailprankster.co.uk domain name, which changed the actual display name, but the domain was my Email Prankster one. And I still managed to chat to Sarah Sanders and a few of them. So that was 34 days later. And I don't know if this is the case of anyone that's been tricked over email and, you know, they just want to forget about it rather than learn from it.
Perry Carpenter: It's important to stop here and reinforce a key truth that James hit on. It worked in his favor for this instance and was relatively harmless, but shame and fear and embarrassment can often be the enemies of good security. We need to find ways to encourage people to report when they've accidentally clicked on something or when they've accidentally done something wrong. James was counting on human nature being what it is - that we don't want to admit when we've been scammed, that we're ashamed of that or we're embarrassed by it.
Perry Carpenter: But as a society and in your organization and mine, we need to find ways to flip the script on that. We need to put processes and standards in place that encourage a culture of proactive reporting. And that means that we need to be intentional. We have to be encouraging. We need to support people who come forward, and we need to applaud those with the strength to do so.
James Linton: I kind of got the feeling that if they made a fuss about it, that would be a loss of face for them, rather than being - addressing any real issue. So I was a bit worried by that, I guess - especially, you know, they've got alien technology. Certainly that's stopping some emails.
Perry Carpenter: With the display name stuff, I'm wondering how many of the responses you were getting were coming from a mobile phone as opposed to a laptop or something where you see the display name and then you might also be seeing the email next to it, but on a mobile, that's almost always just hidden.
James Linton: Yeah, completely. And I would purposely try and coincide a lot with times when I thought people would be out and about. And I think this is why...
Perry Carpenter: Yeah.
James Linton: ...Lawyers were always so easy to get ahold of - 'cause they were always going from one place to another. They were always on the phone. They just have to read stuff and then forward it on. And that caused problems. It caused problems for one lawyer when he didn't clear out his autofill on whichever he was using - Outlook, say - and ended up forwarding after - I tricked him into forwarding a Senate document meant for Jared Kushner. He sent it to me.
Perry Carpenter: Whoops.
James Linton: To be fair, a lot of the email stuff, as I've learned more about email security and stuff like that, I've been able to go back with completely different ways of looking at what I did and trying to see what I can bring from it into things that I do now, I guess.
Perry Carpenter: I want to ask one question. You may not have an answer for this, or you may not want to share it. But what is one story around this time that you wish you could forget?
James Linton: Oh. I think - I actually think the Harvey Weinstein one was a step too far, I think.
Perry Carpenter: Give some context there. What was the prank?
James Linton: It was when he initially was facing some charges, I think. And he's so completely lawyered up. I mean, it was the very early stages. And the feeling on Twitter and places like that - because I spent a lot of time on Twitter after. That was where I kind of grew my initial following. So I was kind of hard-wired into the news and, you know, the kind of emotions on there. And it seemed like he was going to be able to get away with stuff because he was rich. And I guess it was a bit of a social justice warrior that got under my skin. And I thought, you know, let's try and - I don't even think I thought it through that well. I contacted two lawyers of his as him. I contacted him. And to me, that's just - that was edging into guerrilla journalism that was touching on stuff that wasn't part of the script. I guess, in a way, I was still, you know, experimenting with, could the email pranks continue in any way, shape or form? Because, you know, it empowered me. I didn't want to let it go. I'd enjoyed doing it. I wish I could have done one a year and then vanished and kept it super mysterious for, like, 50 years. But that's just not me.
Perry Carpenter: What was the thing that made you decide to pack it up and say, I'm just not going to do this anymore?
James Linton: It was realizing that me and what I can or what I'm willing to - the consequences that I'm willing to accept are not those that my family or, you know, people around me and care for me are willing to accept. My mom wasn't the biggest fan, and I did feel a bit hard done by because, like, you know, I kind of didn't care. I just didn't care at all. I never lost a minute sleep, and I never saw any bad things coming from it, I guess. Whereas, you know, it was potentially going to start hurting family members. And some of the media was staking out my ex-girlfriend's house, and it was all getting a bit too real because my real identity was being mixed into it. I mean, obviously, the Email Prankster was James Linton - that is a given, but, you know, it was nice to be able to hide behind that.
Perry Carpenter: Yeah.
James Linton: And yeah, in a way - and I think the thing that dawned on me once I'd worked in infosec for a little while - I was fairly ego driven back then. And then in infosec, you kind of learn that your ego sort of has to take a complete backseat. It doesn't matter what political persuasion you are or things like that. You know, security should be a universal thing that, you know, you just - you're trying to make it more secure against people that are trying to rip off people you love, people you know, people you don't know. It's as binary as that. You are either doing that or you're not. So, yeah, it was a bit of a growing up moment, I guess. And I'm really glad it stopped when it did because it is quite - I couldn't do it now without - I wouldn't have the - my Fitbit would break.
Perry Carpenter: What's the biggest lesson that you learned about yourself or about human nature in general?
James Linton: I guess in a way - I always thought that I kind of finished at my boundary walls. Once I kind of disconnected from advertising, it had no glamour to me at all. I saw so many more valuable things I could do. And moving into infosec, I could genuinely make somebody a bit safer. I could genuinely do that. I could do it to two, three, four, five or however many people. And that was quite a strange feeling, really. And it was like I had to question if I was this person that wanted to do this stuff, you know. And I think a bit of that is this kind of masking that obviously autistic people can do where I wasn't sure if I was sort of kidding myself that I was, you know, enjoying being a bit more kind of philanthropic or doing this thing that benefited other people. But I think with growing up and all the other stuff, then it did. It just - it became something that felt good to do, I guess. And that was a new feeling for me at the time.
Perry Carpenter: Tell everybody a little bit about what you're doing now since you're kind of taking all the lessons from that time period and then flipping them over to teach people how to better secure themselves and think different about the interactions that they're in and all that.
James Linton: Yeah. Well, so the prank's finished. I kind of was super lucky. I managed to get in at a kind of Silicon Valley-based email security company working on a pretty cool project where they were social engineering BEC actors...
Perry Carpenter: Quick acronym check here - BEC stands for business email compromise. It's a type of phishing attack where the scammer uses email to impersonate someone in authority within an organization, like a CEO or CFO. And then under that guise, they send requests to other people within the organization asking them to do things like initiate money transfers or buy gift cards or send confidential data or intellectual property and more. Business email compromise is now responsible for billions of dollars of loss each year.
James Linton: ...And, you know, getting information from them, basically. And there was a semi-automated system that they were expanding and growing. And we were able to collect intelligence and capture mailboxes and go through those. And I was even sending stuff to the Secret Service. I mean, how cool is that? It was like something that I may have done as a prank I was actually doing for my job. That was a bit of a pinch-me moment. And then suddenly, the pandemic came around. I was made redundant. And then I was on the outside of the industry again not having a clue. You know, I'd not looked around. I'd not looked at - I looked at a few job listings when I was first made redundant, and they were scary as anything. It was like nope, can't do that, can't do that, can't do that. And I had to be honest with myself. I was like, you know, I'm fed up with always having to kind of try and force myself to learn an entire thing. And I thought, no, I'm actually going to be easy on myself here. I've got this little prank side of things. I've got the knowledge of the BEC stuff because, you know, I've been exchanging emails with thousands of scammers - literally thousands, as well. If I can't come up with some sort of awareness thing after that, there must be something wrong. And I kind of - I did see it as a step down. I saw awareness as this sort of little dumpy thing sat at the side. I'm sorry. I'm sorry, Perry.
Perry Carpenter: No (laughter). No problem.
James Linton: I was like - I just did not get it. I thought, you know, threats is, you know, all leather jackets and aviators, and awareness is, I don't know, kind of, whatever - patches on the elbows and stuff. But once I started digging into it a bit, I was like, hold on a minute. It's been amazing how much some very simple premises have been. Because I wanted to get into psychology when I was - again, that was one of the things that I wanted to do when I couldn't traverse into university. So I was - all of a sudden, I was able to combine my design, advertising, graphics and visual storytelling with my actual stories and bringing in elements of what I've actually seen with my own eyes. And it felt good that I could say something to somebody and know it is true. You can not believe me, but I know it's true. And that became a real exciting thing to explore, I guess. And awareness has been one of the most amazing surprises in many respects. The number of parts to what seems very simple is just - I don't know. I think it's going to keep me busy until, you know, they carry me off, basically. But, yeah, I felt it's hugely interesting, that, as you yourself know.
Perry Carpenter: Well, I hope that you enjoyed that interview with James Linton. I've gotten to know James pretty well over the past several months, and I'm constantly impressed by his desire to use his experiences from his past to move forward and to promote positive change. I think that we'd be wrong to dismiss everything that James did and just say, oh, those were pranks, because what he really did is he found ways to quickly win trust or provoke reactions from some of the most powerful people in the world. And he did all that using basic email addresses that he could quickly spin up. These weren't lookalike domains or hacked email accounts or anything technically sophisticated. In many cases, the domains he was sending from should have been a clear giveaway that the email wasn't legitimate. This all came down to display name deception and just a little bit of research to help gain credibility. And as you heard him say, he did this while watching Netflix with his girlfriend on the couch or laying on his bed or standing outside of dressing rooms, really anywhere he could, from his phone. There was no heavy infrastructure here. There was no technologically sophisticated hacking. This was just an email address and a mind. And I also think that one of the main reasons that people fell for his pranks was because they were viewing and interacting with these emails using mobile phones, which usually only show the display name, not the full email address. And so the very tools that these powerful people relied on failed them. For me, as I think about this, it's hard to imagine what could have happened if James wasn't just trying to have fun with some simple pranks. I think someone with malicious intent might have been able to achieve some pretty chilling results.
Perry Carpenter: And with that, thank you so much for listening and thank you to my guest, James Linton. I've loaded up the show notes with more information about James, as well as all the relevant links and references for the information we covered today, so be sure to check those out. If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, there are two big ways that you can do so, and both are super important. First, if you haven't yet, go ahead and take just a couple seconds to give us five stars and to leave a short review on Apple Podcasts, Spotify or any other podcast platform that allows you to do so. That helps others who stumble upon the show have the confidence that this show is worth their most valuable resource - their time. The second big way you can help is by telling someone else about the show. Word-of-mouth referrals are priceless. They are really the lifeblood of helping people find good podcasts. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. And if you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode.
Perry Carpenter: This show was written, recorded, sound-designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter signing off.