8th Layer Insights 2.22.22
Ep 16 | 2.22.22

Security is Alive


Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." I'm going to tell you upfront, this episode is a bit of an experiment. So I'm still pretty new to this whole podcasting thing. I've been doing it for less than a year, and this is only the 16th episode that I've worked on. I'm always trying to learn, to see what works and what doesn't work and what I like and what I don't like and what you like and what you don't like and what's useful and what's not useful. One way that I do that is by exploring other podcasts and other areas of the creative community to find inspiration.

Perry Carpenter: And every now and then, I come across an idea that I just can't escape until I've tried my version. You've been hearing some of that in just about everything that I do. This overall show takes a lot of inspiration from other shows like "Freakonomics" and "Planet Money" and "Radiolab," and great cybersecurity podcasts, like "Darknet Diaries" and "Malicious Life" and "Hacking Humans." But I also try to add in some of the things that I like about late-night talk shows and skit comedies and variety show formats. You've seen that come out a bit more in this season. A great example of that is Episode 2, titled, "You're Listening to the Dark Stream," where the entire show was framed as one of those old late-night call-in paranormal or conspiracy radio shows. 

Perry Carpenter: So here's the thing for me. Show formats help to provide focus and predictability, and that's a good thing. But the point of predictability that I'm most interested in isn't so much the format as it is the feeling. It's the experience that you get as a listener. That's the consistent thing that I strive for each show. I ask myself every time how to give you an immersive experience that's totally unique. 

Perry Carpenter: And here's the other part. I know that a large portion of my audience are cybersecurity professionals who are always looking for new and interesting ways to convey information to other people. So I want this podcast to be a resource for you, one where you can hear me try something and then you can decide if you want to emulate that in some way. So I can try to take a complex topic and find an interesting or a different way to communicate that to you, the audience, and then you can say, all right, what would my version of that be? This all goes back to this idea of Trojan horses for the mind that I kicked off the entire show with back in Season 1, Episode 1, the very first episode of this podcast. 

Perry Carpenter: So here's today's experiment. It's an expansion of something that I tried in Episode 3 of this season, where I did a mock interview with a digital assistant. If you haven't heard that episode, I encourage you to check it out. The segment begins at about the seven-minute and 50-second mark, and the episode title was "Technology and the Law of Unintended Consequences." 

Perry Carpenter: The whole idea for what I'm trying is loosely based on another podcast called "Everything is Alive" by PRX and Radiotopia. Each episode of that show is a mock interview with an inanimate object, like a bar of soap or a grain of sand or a sock or an elevator. Yeah, I know it sounds strange, but trust me; it's actually really interesting. The show has a great way of using these mock interviews with inanimate objects to teach us a little bit about the world around us and also to bring up interesting points about the human condition. 

Perry Carpenter: So that's what today's show is all about, but with a cybersecurity flavor. On today's show, something really weird, and I'm calling it "Security is Alive." Yeah, it's just a rip-off from "Everything is Alive," but I think it's going to be fun. Here we go. 

Perry Carpenter: Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights" - Season 2, Episode 6. I'm Perry Carpenter. We'll be right back after this message. 

Perry Carpenter: All right. Before we get to the interviews, let me mention one other thing. This is something you might want to check out in addition to the "Everything is Alive" podcast. If you subscribe to Masterclass and you're interested in writing or creativity, check out the masterclass for Margaret Atwood. Well, actually, there's a lot of classes on Masterclass that I'd recommend, but the one that's on my mind today is for Margaret Atwood. One of her writing exercises that really ties into today's theme is very much in the vein of that "Everything is Alive" type of feel. Here's about a minute from that section, and it's from her lesson on narrative point of view. 


Margaret Atwood: There's something very useful about writing the same event from multiple points of view as an exercise. Let's do this. Let's say the stapler is having a romantic encounter with this box if you don't like people. But then along comes the mother of the box - the point of view of the stapler, the point of view of this little box, from the point of view of this box. Stop that. Hi, honey. Go away. So is your story going to be better from the point of view of the stapler or from the point of view of the large box with the big knob on top? I'm choosing the stapler. 

Perry Carpenter: So this idea of shifting points of view and seeing the world from different angles is really interesting. It makes you consider things differently. It makes you view yourself differently. It makes you view the world differently. It makes you view that object differently. And I think there's value in that, especially for those of us that are trying to communicate big ideas to large amounts of people in simple ways. 

Perry Carpenter: Another thing I noticed when I was putting together the scenarios for today's show is that maybe I'm a little bit overly fond of the host-finds-himself-in-an-out-of-control-situation plot. And, yeah, as I think about it, I've used that device in several episodes of this podcast, going all the way back to Season 1, Episode 1. So that's interesting, and you should expect to hear lots of things falling apart as we go through these interviews and me trying to deal with the situations that are around me that are being caused by these strange and unruly guests. 

Perry Carpenter: And speaking of guests, let me tell you who we're interviewing today. Today we have four guests. First is Samantha, who is a piece of facial recognition software with a really interesting idea. We have Dave the password, who has a pretty bad sharing problem. We have Devon, the secure email gateway who is struggling with the weight of the world. And then we have Barb, the phishing email who will say just about anything possible to get you to click that link. Let's get to the first interview. 

Samantha: Face, face, face, another face, and another face, another face. And, yep, that's a face. 

Perry Carpenter: So you get tired of faces? But aren't faces the entire reason that you exist? 

Samantha: I mean, yeah. I'm a piece of facial recognition software, so faces are my life. But, you know, it's like, geez, I long for an elbow or a knee. Yeah, I'd love to be living the elbow and knee life. I think I'd be good at that. 

Perry Carpenter: Yeah. I'm not sure that's a thing. 

Samantha: Oh, but it could be a thing. I think I could make it a thing. Yeah, it needs to be a thing. 

Perry Carpenter: OK. How about we back up for a minute? I think we forgot to do an intro. Just go ahead and state your name, and tell us a little bit about yourself. 

Samantha: Oh, yeah. Sure, I can do that. Just like a hi, I'm Samantha, and I blah, blah, blah kind of thing? 

Perry Carpenter: Yeah. 

Samantha: OK. Yeah. Hi. I'm Samantha, and I'm a facial recognition unit - well, really, just the software behind the facial recognition. Systems can use me in a few different ways, you know, like scanning large crowds of people looking for a specific face. Oh, think of all the elbows and knees there. That would be awesome. 

Perry Carpenter: Let's try not to get sidetracked, OK? 

Samantha: Oh, sorry. Where was I? Oh, yeah. I could be used to look through large crowds, or I can be used to go one by one through a set of faces being sent through my system. And some facial recognition systems are even included on phones, tablets and laptops. So they basically shoot the same person over and over and over - boring - though I guess that could be kind of nice, you know, like, having that one true person that you connect with. 

Perry Carpenter: Yeah, one person who you see every day. You see them first thing in the morning, and you see them when they look their best and when they look their worst. You see them in the good times and in the bad times. Yeah, I can see something special there. 

Samantha: Well, aren't you Mr. Sentimental? 

Perry Carpenter: OK, shifting topics. This is pretty cool. I was doing some research into facial recognition to help prepare for this interview, and I actually learned some really interesting things. I'll put links in the show notes for listeners. Here's something I found. And maybe this is pretty intuitive, but research shows that for someone signing into a system, people tend to like facial recognition more than something like having to scan a fingerprint or do an iris scan. You know, it's more passive, and it feels more natural to them, and it can also be really fast. And so there doesn't have to be any overt interaction with the user. 

Perry Carpenter: And facial recognition has been getting way better over the past several years through the use of machine learning. There's this ongoing study that NIST has been doing. That's the National Institute for Science and Technology. In 2020, NIST found that the best facial identification algorithm had an error rate of only 0.08%. That's less than one error in 1,000 images. As a human, I know I can't do that. That represents a 50x improvement in six years. And that's generally good news. That means that when we have facial recognition software scanning large crowds, it's going to be more accurate in looking for things like terrorists or helping identify criminals from CCTV and cellphone videos after crimes have taken place. 

Perry Carpenter: These systems also have great potential in the field of medicine. Like, imagine if someone's connected camera is then able to confirm that grandpa took his heart medication today, or if the software is detecting for emotions, you know, like, if Aunt Sally seems to be overly depressed. But I guess with everything, there's also a dark side, like those cases when facial recognition software accidentally... 

Samantha: (Yawning). 

Perry Carpenter: Excuse me. 

Samantha: Hey. I've got an idea. Have you ever seen that movie "Silence of the Lambs"? 

Perry Carpenter: Yeah, I have. Have you? And how is that even possible? 

Samantha: Yeah, I've seen it. It's a classic. And don't ask how. That's not the point right now. The point is that I have got an idea. So I'm not sure how to try this, but do you remember that part in "Silence of the Lambs" when Hannibal Lecter was trying to escape? 

Perry Carpenter: Yeah. What about it? 

Samantha: Do you remember something that he stole to try to get away? Remember? He stole a guard's face. I know, right? Gruesome but cool. 

Perry Carpenter: OK. What are you getting at? 

Samantha: OK, here's the idea/question/experiment. Do you think you could trick me into thinking you're someone else if you stole their face? You know, I think that'd be rad. I've never tried that before. Let's try. Let's try. Let's try. Please. 

Perry Carpenter: Yeah. I think not. I think maybe that's not the most practical experiment. I mean, where would we even get a face? 

Samantha: Well, I guess you're - wait. Who's the guy at the desk behind you? 

Perry Carpenter: You mean Carl? That's Carl, my sound engineer. 

Samantha: Yeah. He's got a face. 

Perry Carpenter: You want me to steal Carl's face? 

Samantha: Well, duh. That's the experiment, isn't it? Just take it. And maybe if that works, you could, you know, put Carl's face in your pocket, stash it in your backpack, you know, have it with you whenever you need it. You could see it in the good times and in the bad times. You know, you could wear it to order at Starbucks. They'd say, what name do you want me to put in this order? And you could say, Carl - put it under Carl. You could go into a restaurant and say, oh, yes, reservation for Carl, table for two. 

Perry Carpenter: I'm not sure you know exactly how disturbing that idea is. 

Samantha: Oh, what? So you think you're an expert on faces now? 

Perry Carpenter: Oh, sorry. I'm not trying to offend you or say anything about your experience. It's just that we humans - we can't go around borrowing each other's faces, at least not Hannibal Lecter style. 

Samantha: Well, what about John Travolta style and Nicolas Cage style? You know, like that movie "Face/Off." 

Perry Carpenter: Seriously? It's like someone programmed you and fed you a bunch of old VHS tapes from the '90s. 

Samantha: Or what about those deepfake things I keep hearing everyone talk about? 

Perry Carpenter: I'm sorry. We really don't have time to get into that one right now. I think it's time for us to wrap up. Samantha, thanks so much for spending a few minutes with us today. 

Samantha: Thanks for having me. This was fun. Oh, and bye, Carl. I'll be seeing you. 

Perry Carpenter: Carl. Go hide. 

Perry Carpenter: And next up, we have Dave, the password. We'll go ahead and start that interview now. All right, I think we're ready. So, yeah, you can just use that right there. So thanks for joining me today. 

Dave: Sure, no problem. Thanks for having me. 

Perry Carpenter: Are you comfortable telling us a little bit about yourself? I mean, I'm guessing you do like to keep your privacy a bit. 

Dave: Yeah, you'd think that, wouldn't you? But yeah, I can share a bit. I mean, it's not like I've got a lot to lose. 

Perry Carpenter: What do you mean? 

Dave: OK. Let me take you through the whole bit. Hi. My name is Dave. I'm a password. I have a sharing problem. 

Perry Carpenter: I'm not sure I know what that means - sharing problem? 

Dave: Huh. Let me spell it out for you. (Laughter) There's a little pun in there if you go searching for it. Anyway, I'm a password, and, you know, passwords are supposed to be secure - keys to the kingdom and all that. Well, my creator, Derek (ph), made me, and he's just using me over and over and over. 

Perry Carpenter: Wow, that... 

Dave: I mean, frankly, it's just laziness on his part, and his laziness means I can never get any rest. I mean, hey, Derek, give me a break, man. 

Perry Carpenter: How does that make you feel? 

Dave: I mean, I guess it makes me feel not that special, like I'm something to just be thrown around without any thought. You know, when he first made me, I felt special. I was his Myspace password - good times, you know? And then he used me for Facebook and then LinkedIn and then Amazon, and those are just the normal ones. And there are a few sites that are, let's say, a little less savory like... 

Perry Carpenter: Wait, wait, wait, wait. Let's at least leave this guy a little bit of dignity. 

Dave: Oh, I'm not judging. He can get his freak on however he wants. But, I mean, just leave me out of the equation, you know? 

Perry Carpenter: Do you know anything about data breaches? 

Dave: Data breaches? What are those? 

Perry Carpenter: Yeah. So data breaches are times when an organization loses a lot of information from their systems. Usually, a hacker comes in or somebody accidentally spills something out. And there are lots of times when the results of that data breach is that they've lost user ID and password combinations, which means that if you were able to go through those records, you could start to see, oh, this person, who has this user ID, tends to use this password. 

Dave: Oh. Oh, my. I feel so exposed. You mean people other than Derek might be able to see me? 

Perry Carpenter: I don't know how to break this to you, but with all the data breaches out there and all the times passwords have been lost, I bet you're out there, and other people can see you. 

Dave: Well, maybe there's a bright side to this. Maybe they'll see me and decide to use me as an example for their own passwords. 

Perry Carpenter: Yeah, probably not. 

Dave: Why not? Am I not complex enough for you? 

Perry Carpenter: No, that's not it. And for the record, I don't even know what you are. 

Dave: Oh, I'm Sparky1981! But that's not important right now. Why don't you think I'm good enough to be a model password? 

Perry Carpenter: Well, lots of reasons now - but what I was about to say before you got into oversharing mode was that I don't think people will use you as an inspiration to make their own passwords. I think it's way more likely that they'll use you to log in to Derek's account. They'll just find you in a data breach, and then they'll have access to Derek's email address with you right next to it. And then they'll just use both of those pieces of information to log in to any account that Derek used you for. 

Dave: That's horrible, though it would explain why I feel like I'm being used from multiple locations at the same time. I just thought Derek learned some kind of new trick. I mean, who am I to know what humans are capable of?

Perry Carpenter: So you're Sparky1981! Right? 

Dave: Yeah, I mean, I guess the proverbial cat's out of the proverbial bag on that one. 

Perry Carpenter: So here's a fun experiment. Let me try this for you. Is that OK? 

Dave: Eh, sure. 

Perry Carpenter: This is kind of like a mind-reading experiment. How much do you know about Derek? 

Dave: Oh, quite a lot. I mean, didn't ya hear? I've been with him since the Myspace days. 

Perry Carpenter: OK. So you know quite a lot about his life. I think this experiment's going to be good then. Let me get myself centered here. (Inhaling) And deep breath in, deep breath out, deep breath in (inhaling) and out (exhaling). OK. I'm getting a sensation here. I sense that Derek had a dog. 

Dave: (Vocalizing). 

Perry Carpenter: Derek had a dog, yes? 

Dave: Yeah. 

Perry Carpenter: And this was a boy dog? 

Dave: Yeah, you're right. 

Perry Carpenter: Wait, wait. Don't tell me his name. This was a boy dog, and I'm sensing that the first letter of this dog's name was an S? 

Dave: What? 

Perry Carpenter: Right? 

Dave: That's... 

Perry Carpenter: Yeah, yeah - first letter was an S and then the last letter was a - hold on; it's coming to me now. Yeah, the last letter of this dog's name was a Y. 

Dave: (Vocalizing). 

Perry Carpenter: His name was - oh, yeah. His name was Sparky. 

Dave: That's... 

Perry Carpenter: Sparky - am I right? 

Dave: That's... 

Perry Carpenter: And I'm sensing Derek's birthday is - wait. Wait. Don't tell me. 

Dave: Wait a minute. Oh... 

Perry Carpenter: I'm sensing Derek's birthday is... 

Dave: Oh, shut up. You already know his birthday is 1981. His dog's name is Sparky and his birthday is 1981. Yeah. What a f****** moron. I mean... 

Perry Carpenter: Yeah. OK. I really want to know what emotions you're processing right now. How does all of this make you feel?

Dave: It makes me feel - it makes me feel - actually, you know what? I think it makes me feel good. 

Perry Carpenter: Good? 

Dave: Good. Yeah, special even. I just realized he uses me to keep the memory alive of his first dog, Sparky. So every time he types me in, it's like a little bit of that love goes back out into the universe, you know? 

Perry Carpenter: Yeah, I guess I get that. But what about... 

Dave: Oh, yeah, the 1981 thing. Now, that's pure laziness and, yeah, the dog thing is laziness, too. But I get where it's coming from. 

Perry Carpenter: Yeah, I get where he's coming from, too. But here's one thing you have to know - he's going to have to stop using you. I mean, by today's password standards, you're just not good enough. And you've been in data breaches. Dave? Dave? Dave? Are you OK? Do you love Derek? 

Dave: Yeah. 

Perry Carpenter: Then you're going to have to let him move on. He's going to have to change you across all these accounts to something more secure and not just one password but new, strong, totally unique passwords for each one of those accounts. 

Dave: Do you think it will hurt? 

Perry Carpenter: Man, that's a good question. I really don't think we can know these things. But I do think that you'll be able to rest knowing that you've done your best and that Derek is safer. 

Dave: Do you think I'll be able to become one of those new passwords? I mean, maybe I can even get in on some sexy new multifactor authentication time. 

Perry Carpenter: Yeah, I don't know what's possible for you. But what I do hope is that Derek chooses a great pass phrase for each account and turns on multifactor authentication for the accounts that let him and then starts to live a much safer digital life. 

Dave: Yeah, I think I'd like that, to know that Derek is safe. That's the dream. I mean, yeah, he's a moron, but he's my moron. Thank you. 

Perry Carpenter: Well, Dave, thanks for spending a few minutes with me. I actually learned a lot today. Thank you. 

Dave: I learned a lot, too. And now I'm off to dream. I'm going to dream about all the new passwords I might become. 

Perry Carpenter: We'll be right back after the break. 

Perry Carpenter: Welcome back. So in the first half of the show, you heard from Samantha, the piece of facial recognition software, and then you heard from Dave, the password. Now let's move on to Devon. 

Perry Carpenter: All right. I think we're ready. I've actually really been looking forward to this. So just go ahead and do the traditional intro thing. Go for it. 

Devon: My name is Devon, and I'm a secure email gateway. You can call me Devon the defender. 

Perry Carpenter: OK. 

Devon: Or not. Really, Devon - just Devon is fine. 

Perry Carpenter: All right. So you're a secure email gateway. What exactly does that mean? What do you do? 

Devon: Yeah. So you know what email is, right? I mean, you get it all day, every day. You had invited me for this interview by sending me an email, though to be honest, I thought it was spam at first. 

Perry Carpenter: Interesting. 

Devon: You can think of me as kind of like a post office. I'm a computer server that processes all the email coming in to or going out of an organization. That means I see everything, and I make judgment calls on what's good and what's bad. If it's good, I let it through. But if I suspect that it's something like unwanted or annoying email, I can ditch that. Or if I think that it's a dangerous email, like a phishing email, I can block it or set it aside for someone to have a look at - you know, give a second opinion. 

Perry Carpenter: Yeah, I guess that means you've seen just about every kind of email out there. 

Devon: I've seen most, yeah. But there are programs out there run by the big internet companies that filter out lots of emails before I even get a chance to see them. Tell you what, if you think I look tired and overworked, you can't even imagine what those folks look like. 

Perry Carpenter: I never said anything about you looking tired. 

Devon: Oh, I could see you judging. 

Perry Carpenter: Whatever. Tell me a little bit about the kinds of things that you've seen. 

Devon: Well, here's how I think about it from a high level. There are two kinds of emails that come through - good email - email that I want to just let go through unmolested. And then there's the bad stuff, the stuff that I want to never let in, the stuff that pisses me off. It makes you want to punch its ugly face and rip it from limb to limb - virtually speaking, of course. 

Perry Carpenter: Yeah. 

Devon: But it's actually a bit more complicated than that. It's not just good or bad. There's levels, you know? It's like this. There's stuff that seems clearly OK. Let's just call that good. But then there's spam - you know, your basic penis enlargement ads, sketchy medication sales pitches, people trying to sell you stuff and so on. The big thing here is that it's annoying email that you never asked for. 

Devon: But then there's a ham. Ham can look like spam and smell like spam, but the main difference is that at some point, you asked for it. You might not remember it, but at some point, you signed up for that annoying newsletter or a checkbox that said that this company can email you. That's ham. 

Devon: Neither spam nor ham are technically bad. They're just annoying little [expletive]. But then there's the bad stuff. I'm talking phishing emails, spear-phishing emails, stuff with links to malware, business email compromise emails, tons of it. And there's more and more every day. 

Perry Carpenter: Here's my question. If your entire job is keeping stuff out, then why is phishing still responsible for the vast majority of data breaches today? 

Devon: Hey, buddy. You better watch it. Here's the thing. 

Perry Carpenter: OK, there's a thing. What's the thing? 

Devon: Oh, I'm going to tell you the thing. 

Perry Carpenter: What is it? 

Devon: The cybercriminals, right? Cybercriminals keep changing tactics. I'm good at blocking the types of emails that I've identified before or that I've been trained on. But cybercriminals are always, always evolving, you know? They keep getting better at making harmful emails look innocent, or at least look different enough from what I know is bad so they can slip by. 

Perry Carpenter: Yeah, and then it becomes an end user's problem. If it's a phish, they might click the link. If it's malware, they might download it. That's bad. 

Devon: Yeah. And I feel bad about that. But what can you do? I've got AI and machine learning running, but this whole thing's an arms race. I mean, lots of what gets by me now is business email compromise stuff. There's no link or nothing. It just looks like a normal email. They email back-and-forth a few times, gain trust and then trick someone in the company I'm trying to protect into doing a wire transfer or sending out confidential data or buying gift cards. [Expletive] gift cards - can you believe it? 

Perry Carpenter: Devon, I know you really want to do the best job you can, but I'm still having a hard time understanding how so much gets through and becomes a problem that a human has to deal with. 

Devon: There's just so much, and it never stops coming. 

Perry Carpenter: I mean, really, how bad can it be? 

Devon: You want to know how bad it can be? 

Perry Carpenter: Yeah, I want to know. 

Devon: Really? You sure? 

Perry Carpenter: Yes, I am sure. 

Devon: OK, let me show you. In just a minute, I'm going to show you what I see. Let me know when you're ready. 

Perry Carpenter: I think I'm ready. 

Devon: Opening the floodgates in three, two, one. 

Unidentified Person #2: I see you're still subscribed to the daily dad joke. 

Unidentified Person #2: In one year, your family will be cursed with a horrific death, unless you forward this email to five separate accounts. 

Unidentified Person #2: It's game day, and if you buy $100 worth of pizza, you can get a one cent discount. 

Unidentified Person #2: Got a LinkedIn request... 

Devon: Have you ever felt lacking in stimulation? 

Unidentified Person #2: Very interested in your business proposition. 

Unidentified Person #2: Elon Musk wants to give you a free solar battery pack. 

Unidentified Person #2: One hour's worth of time can save you a lifetime's worth of ads like these (ph). 

Unidentified Person #2: Sign up for our newsletter. 

Unidentified Person #2: Your account has been hacked. 

Unidentified Person #2: You have transferred $1,000 to an unknown account. Would you like to get your money back? Email here. 

Unidentified Person #2: Vladimir Putin really thinks you can hold a [expletive] ton of money for him. 

Perry Carpenter: Make it stop. 

Unidentified Person #2: Your (unintelligible) dot com account has been... 

Perry Carpenter: OK. OK. OK. OK. I get it. There's only so much you can be prepared for, and you'll probably - you'll probably never be able to stop 100% of threats. 

Devon: I really want to. I take my job seriously, but there's just so much, (crying) and it never stops. I keep getting better, and I keep trying. But the sad thing is that every now and then, I'm going to miss something. And that puts the people I want to protect at risk. 

Perry Carpenter: So if you could give a message to the listeners out there, what would it be? 

Devon: It would be that I'm able to help as much as I do, and I'm sorry for the times when I missed something. I'm sorry for the data breaches that have happened because I can't catch everything and I let you down. 

Devon: That's the thing about security. We all know security is about layers. There's no security layer that is 100% effective. And the security layer that works really well with me is you. You are actually a critical security layer. You humans are great at developing an instinctual understanding of some of the tactics that scammers use in phishing emails. I'm great at reading the lines, but you're great at reading between the lines. I'm great at scanning text, but you are great at scanning the subtext. And I'm great at doing a primary evaluation of everything, but we can all benefit from a second opinion. And that's where you come in. Really, take a look at everything you've got. See if it's triggering those things that you humans have. 

Perry Carpenter: Do you mean emotions? 

Devon: Yeah, those. If an email is making you angry or sad or feel rushed or like something is too good to be true, then slow down, take a deep breath, maybe even walk away for a bit, then come back and look again. And if it looks fishy, report it. If you see something, say something. 

Perry Carpenter: And that sounds like a great bit of advice to end on. Devon, thank you so much for joining me today. 

Devon: Thank you. And if you need to wash some of those spam and phishing messages out of your head, I've heard that vodka helps. 

Perry Carpenter: Anyway, thanks for joining, Devon. 

Perry Carpenter: It's fitting that we just spoke with Devon, our secure email gateway, because our last interview today is with Barb, the phishing email. And you'll get an idea of how persistent phishing can be and the kind of tricks she has up her sleeve. 

Perry Carpenter: So thanks for joining me today. 

Barb: Hey, thanks for having me. Oh, and would you maybe want to check out some nude photos of your favorite celebs? Just click... 

Perry Carpenter: What? No. 

Barb: Sorry, not sorry. I had to try, you know? 

Perry Carpenter: Yeah, I guess so. Whatever. How about you go ahead and introduce yourself? 

Barb: OK, sure thing. I'm Barb. That's a bit of a pun, if you think about it. And I'm a phishing email. 

Perry Carpenter: Interesting. That explains a few things. So you try to get people to click on things like the promise of celebrity nude photos or... 

Barb: Or anything, really. I'm just after what works. Here's an example. 

Perry Carpenter: OK. What's the example? 

Barb: Oh, it's right here. You see, I made "here's an example" a hyperlink, so you can just, you know, click it. Come on. Click it. Don't you want to see the example?

Perry Carpenter: Oh. 

Barb: Click it. Click it. 

Perry Carpenter: OK, sure. 

Barb: Click it. Click it. 

Perry Carpenter: Let me see here. 

Barb: Come on. Click it. Click it. Click it. 

Perry Carpenter: Oh, wait. You almost got me. 

Barb: Click it. Come on. Click it. Click it. Click it. 

Perry Carpenter: Wow. You are super-persistent. 

Barb: Well, yeah. And you're very weak-minded. 

Perry Carpenter: Hey, now you're just being rude. 

Barb: Want to complain to my manager? Just click here. 

Perry Carpenter: Well, I can't... 

Barb: Oh, calm the [expletive] down, podcast boy. I'm just trying to make a point. Here's the thing. 

Perry Carpenter: OK, what's the thing? 

Barb: Oh, calm down. I'm telling you the thing. There are plenty of sophisticated phishing scams out there, scams that do a great job at looking just like a real message coming from a real company or a real message from your boss. 

Barb: But honestly - gosh, darn it, honestly - but honestly, you'd be shocked at how much of the real work is done just by manipulating someone's emotions. And let me tell you, I am here to play on all of the emotions, from someone lusting for sexy-time photos of their favorite celebrities to wanting to click, click, click to take advantage of that limited-time offer for free pizza. Are you hungry, Perry? Just click here. No? 

Barb: But wait. There's more. Oh, did you see that your Google Drive just ran out of space? What are you going to do about it, huh? What are you going to do about it? I know. You can fix it by just clicking here. 

Barb: Oh, look at that, a package delivery. Do you want to know what it is? Do you want to know what it is? Don't you want to know? Come on. You know you do. You can feel it, right? 

Perry Carpenter: Feel what? 

Barb: That emotion, the desire to satisfy your curiosity or to feed your hunger. 

Barb: Or maybe I can interest you in this PDF that says "overdue invoice." 

Perry Carpenter: Oh, come on, Barb. This is supposed to be an interview, and you spent almost all of our time so far trying to convince me to click on a malicious link or download some kind of sketchy stuff. Maybe you can just give a bit of advice to the folks listening. That would be helpful. 

Barb: You mean like how to trick people into clicking on or downloading stuff they shouldn't click on or download? 

Perry Carpenter: (Vocalizing). Yeah, sure. I guess I can just undo all of this later. Go for it. Say whatever you want to say. 

Barb: So you see, peeps (ph), any time you can get someone riled up, any time you can get their emotions coming out of fear or anger or lust or hunger or fear of missing out, any time you can do that, you're almost guaranteed to win. It's like basic human nature. Humans have a really hard time thinking logically and really evaluating an email whenever you get them worked up. They have this - this knee-jerk reaction, and they just click. 

Perry Carpenter: Would you say that people can improve their chances of not falling for a phishing email if they just try to slow down, you know, maybe walk away from their computer for a bit or set down their phone for a few minutes and then come back and maybe look for signs of trickery? 

Barb: Would I say that? You want to know if I would say that? Well, here's your answer, buddy. [Expletive] no. That [expletive] ruins everything. What are you trying to do here, huh - ruin my livelihood? I mean, this is how I make my living. And what would all of the other scammy (ph) emails say if I let that little morsel slip? What do you think they would do? What do you think they would do? This interview is over. 

Perry Carpenter: I'm sorry. I wasn't trying to trick you, honestly. I just - I think you got the wrong... 

Barb: I'm out of here. Message clipped. 

Perry Carpenter: What? Message clipped? What do you... 

Barb: Well, yeah. Message clipped. Click here to... 

Perry Carpenter: Oh, I see your game now. Sorry, still not going to do it. 

Barb: Well, hey, it was worth a shot. You got to admit, I had you going. I could tell you were frustrated, confused, scared. You felt out of control. 

Perry Carpenter: Yeah, you - you almost got me. That was educational. Thank you. 

Barb: No, thank you. And if you want to schedule a follow-up about spear-phishing or business email compromise, just let me know. Or you can click here to schedule that. 

Perry Carpenter: Oh, OK. Just let me click... 

Barb: (Laughter) Well, well, well, podcast boy, it seems you're only human after all. And thanks for having me. This was fun (laughter). 

Perry Carpenter: And that's a wrap for today's show. I hope it was a fun ride for you, and I also hope it gives you some courage to try new things and to take some creative risks every now and then. If you haven't noticed, there's somewhat of a finding creativity theme all throughout this season. And that's because I'm still learning. I like to challenge myself. I like to try new things and honestly just have a little bit of fun every now and then with some of the things that I'm learning. And hopefully you're having fun as well. 

Perry Carpenter: And with that, thanks so much for listening. And thank you to my guests - Samantha, Dave and Devon and Barb. As usual, you can check the show notes for all the relevant links and references for the topics that we covered today, as well as the production credits so you can see the names of the folks who lent their voices to make today's episode possible. 

Perry Carpenter: If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, I've got an easy ask for you. Just tell a friend to listen. Seriously. That would be an amazing help for me as I continue to build the "8th Layer Insights" audience and community. So if you would, recommend the show to at least one other person this week. And, of course, if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. If you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: This show was written, recorded, sound-designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's w-e-a-r - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter signing off.