Dave shares a story of deception right out of Hollywood.
Joe proposes changing the financial incentives for scammers.
A porn-shaming catch of the day courtesy of Johannes Ullrich.
An interview with atomic physicist and close-up magician Adam West.
Adam West: [00:00:00] Certainly, when it comes to magic tricks and, certainly, when it comes to being scammed, a healthy dose of skepticism is very important.
Dave Bittner: [00:00:09] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:29] Hi, Dave.
Dave Bittner: [00:00:30] We've got some interesting stories to share. And later in the show, we're going to welcome Adam West. He is a physicist at the University of California, Los Angeles, and he has also worked as a professional close-up magician.
Joe Carrigan: [00:00:42] Oh.
Dave Bittner: [00:00:43] Yeah. It's a fun interview. But before we jump into all of that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:53] So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective.
Dave Bittner: [00:01:16] And we're back. Joe, my story this week is a story of international deceit and intrigue. It is good enough to be a Hollywood story. In fact, it is right out of Hollywood.
Joe Carrigan: [00:01:28] Is it?
Dave Bittner: [00:01:28] It comes to us from The Hollywood Reporter. It was written by Scott Johnson. And the title of the article is "Hunting the Con Queen of Hollywood: Who's the Crazy Evil Genius Behind a Global Racket?" Now, this is kind of fascinating. We have a woman impersonating some of the most powerful women in Hollywood, people like Kathleen Kennedy - she's the head of Lucasfilm...
Joe Carrigan: [00:01:49] OK.
Dave Bittner: [00:01:49] ...Amy Pascal - she used to be co-chair at Sony Pictures - Sherry Lansing - she was the former CEO of Paramount...
Joe Carrigan: [00:01:56] Right.
Dave Bittner: [00:01:56] ...And a whole bunch of other women as well - so these high-powered women. Now, imagine that you are a freelance photographer, and you're working in Hollywood trying to make your way, working your way up.
Joe Carrigan: [00:02:06] Right.
Dave Bittner: [00:02:06] You're young, but you have experience. And you get an email from Amy Pascal, as we said earlier, former co-chair of Sony Pictures - or at least you think it's from her.
Joe Carrigan: [00:02:16] I've hit the big time.
Dave Bittner: [00:02:17] Well, and this email says, I've seen your work. I love your work. I want to work together. I'm working on some projects. Can we connect on the phone? How would you reply to that?
Joe Carrigan: [00:02:28] Yes, absolutely, we can connect on the phone.
Dave Bittner: [00:02:30] Right. And so this person who, for the purposes of the article didn't want his name used because he's...
Joe Carrigan: [00:02:34] Sure.
Dave Bittner: [00:02:35] ...Actually fearing for his safety.
Joe Carrigan: [00:02:36] Really?
Dave Bittner: [00:02:37] Yeah. So they speak on the phone. And this woman claiming to be Amy Pascal is very flattering to him. She's saying she knows his work. She talks about the people who he's worked with. She seems to know lots of personal things about the people he's worked with, you know, a little, oh, you know, that person's nitpicky about this. So clearly she's done her homework.
Joe Carrigan: [00:02:57] Right. She has a lot of background information.
Dave Bittner: [00:02:59] Right. And she says together they are going to work, and they're going to put together some storyboards for a pitch for a big Hollywood project, and all that needs to happen is he needs to meet her out in Jakarta. She sends over a contract. Everything seems on the up and up. She'll arrange for hotels and things. He'll pay an advance for his airfare, and he'll front the costs for things like drivers and translators and, you know, expenses on the trip, and she'll reimburse him for all of that kind of stuff. And none of that is out of the ordinary for a professional photographer.
Joe Carrigan: [00:03:34] So he has to go to Indonesia.
Dave Bittner: [00:03:36] That's right and meet her there and take photos for this project that she claims that is going to happen. So he does. Six months later and $65,000 later, it turns out that this was a scam. The woman who he'd spoken to - he didn't actually ever meet her, but he spoke to her several times a day for many weeks on end. It wasn't actually Pascal, but it was an impostor...
Joe Carrigan: [00:03:59] Right.
Dave Bittner: [00:03:59] ...Who was doing an impersonation of her, who basically took the photographer for a ride. She would call him and say, I need you to meet this person. I need you to give him this amount of money for the expenses for this, that and the other thing. There was a money man in Indonesia who would meet him, you know, someone who would drive up on a moped to collect the funds and drive away. And over the course of time, this impostor was able to string this guy along for...
Joe Carrigan: [00:04:26] For $65,000.
Dave Bittner: [00:04:27] Sixty-five thousand dollars. And he's not the only one. There are - this story outlines several other scams that this woman is pulling. And it seems as though she's working with a team and really using some social engineering techniques here. They do their homework. They know all about their victims' personal lives. They can be bossy. They can be authoritative. Evidently, this woman is quite good at impersonations, you know, doing different types of accents, does her homework on the people she's impersonating.
Joe Carrigan: [00:04:54] I wonder if she is an actor.
Dave Bittner: [00:04:57] Well, it seems likely.
Joe Carrigan: [00:04:58] Yeah.
Dave Bittner: [00:04:58] Yeah. She's also very flirtatious. She tries to be very flattering and romantically suggestive to the people that she's scamming along. So it uses a lot of different buttons.
Joe Carrigan: [00:05:09] Yeah, a lot of different tactics here.
Dave Bittner: [00:05:10] That's right. They still have not caught anyone related to this. The FBI has been notified. They're working on it. They say that dozens of people have been scammed over the past couple of years with this scamming group. And it's really kind of fascinating - quite bold.
Joe Carrigan: [00:05:24] Indeed. I was wondering, where is the payoff here? Because if I talk someone into going to a different country, then they're paying the airline to get there and the hotel to stay there. But where does the payoff go? And then you say that this guy is passing money on to obviously the people that are her hookups up there, part of her organization, that are taking the money. And that's where the profit is, right there.
Dave Bittner: [00:05:45] Yep, passing on cash.
Joe Carrigan: [00:05:47] Yep.
Dave Bittner: [00:05:47] But, again, you know, we talk about - when you read this story, the red flags start going off in your mind - right? - and mine as well. But you can imagine, if you're in the midst of it and you have someone stringing you along...
Joe Carrigan: [00:05:58] The red flags in my mind don't actually start going off until she asks me to give cash to some guy on a moped.
Dave Bittner: [00:06:04] Right.
Joe Carrigan: [00:06:04] You know, if I was in this position, I could easily see myself buying a plane ticket and going to Jakarta and then getting into it when she says now - OK, now I need you to give money to a guy on a moped or, you know, somebody else who's going to come out for the expenses for this. That's where the first red flag in this comes from for me.
Dave Bittner: [00:06:19] Right. It's sort of that sunk cost thing, right?
Joe Carrigan: [00:06:21] Right, the sunk cost fallacy, right.
Dave Bittner: [00:06:21] Because if you've already - if you've already paid for a plane ticket, you're already doing work over there, in your mind you're so far along in this process - right? - that you can see - I suspect that makes it easier for you to be strung along with the other parts of the scam.
Joe Carrigan: [00:06:37] I agree. And I think this is a brilliant scam. She is targeting people who have the resources to get over there. I mean, she's targeting people who are well-known in their - in their field, I guess. It's unfortunate. I hope the FBI catches this woman.
Dave Bittner: [00:06:49] If you go to check out this story, again, it's in The Hollywood Reporter. They actually have some audio recordings of her.
Joe Carrigan: [00:06:55] Really?
Dave Bittner: [00:06:55] So they have her voice, yeah, yeah.
Joe Carrigan: [00:06:58] Awesome.
Dave Bittner: [00:06:58] Joe, what do you have for us this week?
Joe Carrigan: [00:07:00] So I don't have a story this week, Dave, but I do want to float an idea.
Dave Bittner: [00:07:03] All right.
Joe Carrigan: [00:07:03] And it's an idea for the greater good, Dave.
Dave Bittner: [00:07:05] OK. I'm with you.
Joe Carrigan: [00:07:06] OK. I've said before that hacking has a very strong economic component, right?
Dave Bittner: [00:07:11] OK.
Joe Carrigan: [00:07:11] That when you're hacking for money, when you're doing something for money, the cost is important.
Dave Bittner: [00:07:15] Right.
Joe Carrigan: [00:07:15] It's my conjecture that one of the major contributing factors to the increase in social engineering that we're seeing is that the technology's getting better. And therefore, the people are becoming the easier and cheaper targets. What if there was a way to change that?
Dave Bittner: [00:07:28] All right.
Joe Carrigan: [00:07:30] What if we started an effort or some kind of project where people who feel up to this task can join together and start wasting the time of these scammers?
Dave Bittner: [00:07:40] Go on.
Joe Carrigan: [00:07:41] I think that if we can waste enough of their time, that it might be possible to change the value proposition of scamming people.
Dave Bittner: [00:07:49] OK.
Joe Carrigan: [00:07:49] Because most of these are a number game, right? I'm going to call a hundred people, and 99 percent of them are going to hang up on me...
Dave Bittner: [00:07:56] Right.
Joe Carrigan: [00:07:56] ...Right, when I start. But what if 5 percent of them start wasting my time? Let's look at the hypothetical before. Let's say that 99 percent of the people hang up. One percent of the people I actually talk to, and actually they become a prospect that I can then start scamming.
Dave Bittner: [00:08:13] Right.
Joe Carrigan: [00:08:14] But what if I took that hundred people and said five of those people are going to actually start wasting my time to the tune of at least 15 minutes, maybe even hours, depending on how much time these people have available? So if I'm a scammer and I'm making phone calls, and I'm looking for that one person that's going to say yes, I have to go through a hundred people to find the one person that says yes.
Dave Bittner: [00:08:34] Right.
Joe Carrigan: [00:08:34] Right. So going through those hundred people generally takes me very little time. It's very quick. I start my scam. They go nope, and they hang up. And that's actually beneficial to me as a scammer for me to have that happen because I know, well, that wasn't somebody who could fall for it.
Dave Bittner: [00:08:48] Right.
Joe Carrigan: [00:08:48] But if I started getting five or 10 people who start saying, oh, yeah, and they start making me spend time chasing a lead that I'm not going to get, they have just greatly changed how much time I have to spend to get to that one person that says yes.
Dave Bittner: [00:09:05] Right. Sure. So what do you propose?
Joe Carrigan: [00:09:07] So I'm just proposing that here's a hypothetical idea. I don't know what the organization would look like. I don't know how it would operate. I don't even know if it needs to be an organization - just maybe just something that people just start doing as a hobby. But I'd like to have a way to publicize this. I guess maybe I could hear from ideas from listeners, right?
Dave Bittner: [00:09:25] They are out there.
Joe Carrigan: [00:09:26] They are out there.
Dave Bittner: [00:09:26] I see the download numbers. They are listening.
Joe Carrigan: [00:09:28] How do we start an organization where we start wasting scammers' times and that's the goal of the organization? That when you get one of those phone calls from a neighbor number - right? - do you answer it? Normally, I don't answer it. But what if I answered it and started just wasting somebody's time on the other end of the phone?
Dave Bittner: [00:09:44] What if you could forward it to a place where people were standing by to do nothing but waste other people's time?
Dave Bittner: [00:09:51] Right?
Joe Carrigan: [00:09:53] That's a great idea.
Joe Carrigan: [00:09:56] I think so.
Dave Bittner: [00:09:57] Call comes in, you forward it to, you know, 1-800-WASTE-ME, right?
Joe Carrigan: [00:10:01] Right.
Dave Bittner: [00:10:02] (Laughter) Or whatever.
Joe Carrigan: [00:10:02] So here's what we need. We need a pool of volunteers that are willing - that are just standing by to answer the phones, almost like "The Jerry Lewis Telethon," right?
Dave Bittner: [00:10:09] Yeah, for the common good.
Joe Carrigan: [00:10:09] Volunteers are standing by.
Dave Bittner: [00:10:10] Yeah.
Joe Carrigan: [00:10:10] That's a great idea because now what happens is that greatly changes the probability that somebody gets their time wasted.
Dave Bittner: [00:10:18] Well, let me take it even to the next level.
Joe Carrigan: [00:10:20] All right.
Dave Bittner: [00:10:20] What if we could solve this using some - wait for it - artificial intelligence?
Joe Carrigan: [00:10:24] Ooh.
Dave Bittner: [00:10:25] (Laughter) What if we get those smart people from Google on the phone?
Joe Carrigan: [00:10:29] Right.
Dave Bittner: [00:10:29] You know, they're the ones who have these systems that are trying to make appointments at the hairdressers.
Joe Carrigan: [00:10:33] Right, yeah.
Dave Bittner: [00:10:34] Right. What if you could just forward something to them and it automatically knows how to respond? And all it does is...
Joe Carrigan: [00:10:41] Waste the time...
Dave Bittner: [00:10:42] ...Just string them along. You know, no matter what you say, it says, wow, I'm really interested in that. Please, tell me more.
Joe Carrigan: [00:10:49] Right (laughter) that's a great idea.
Dave Bittner: [00:10:50] Right, right, it's like, oh, hold on. Let me go get my credit card. I'll be right back.
Joe Carrigan: [00:10:55] Right.
Dave Bittner: [00:10:56] I think this is a solvable problem. And if everyone had - knew what this number was - you made a common number. When these scams came in, you could just forward the call to that, say, oh, hold on one second. I really want to talk to you. And then you forward it...
Joe Carrigan: [00:11:07] Right.
Dave Bittner: [00:11:07] ...And then the call picks up and it says, OK, I'm back. Now, what were you saying? And away we go.
Joe Carrigan: [00:11:12] Right.
Dave Bittner: [00:11:12] Million-dollar idea, Joe.
Joe Carrigan: [00:11:14] Yes. I think it is a million-dollar idea. The only problem is it doesn't have any profit model. It doesn't have a business model. So I don't know that it's a million-dollar idea, but I think it's a great idea. I think it would be a great public good. I hope the folks at Google are listening to this.
Dave Bittner: [00:11:27] But to have a national resource for this - boy, that would be something.
Joe Carrigan: [00:11:31] Yeah, that would be awesome.
Dave Bittner: [00:11:32] All right, Joe, it's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:40] We've got a story this week from friend of the show Johannes Ullrich. He is from the SANS Institute, and he's a host of the ISC Internet "StormCast" podcast. He's also a regular guest over on The CyberWire, one of our partners. He sent me a note that said, I got a story that may be of interest to your new social engineering podcast. I just received one of these extortion emails that claims they have a video of me visiting porn websites. To make the threat more plausible, they include a username and password of mine that leaked in one of the large password list dumps.
Dave Bittner: [00:12:11] So the username/password is real. It's old, right? So he sent a screenshot, so I'm going to read that email they sent him now. (Reading) I do know password123 is your password. You don't know me, and you are most likely wondering why you are getting this email, right? Well, I actually set up a malware on the adult videos - pornographic material - website, and there's more. You visited this site to have fun. You know what I mean. While you were watching videos, your browser initiated functioning as RDP - remote desktop - that has a keylogger which provided me access to your display and also cam. After that, my software program collected your complete contacts from your messenger, social networks as well as email. What exactly did I do? I made a double-screen video. First part displays the video you were watching. You have nice tastes, LMAO. And second part displays the recording of your cam. What should you do? Well, in my opinion, $2,900 is a fair price tag for our little secret. You will make the payment through bitcoin. If you do not know this, search how to buy bitcoin in Google. Then it includes a bitcoin address there.
Dave Bittner: [00:13:26] And it says, note - you now have one day in order to make the payment. I have a unique pixel within this email. And at this moment, I know that you have read this message. If I do not get the bitcoins, I will definitely send out your video to all of your contacts, including members of your family, co-workers and so on. Nonetheless, if I do get paid, I'll destroy the video immediately. If you want evidence, reply with yes, and I will certainly send your video to your 10 friends. This is the non-negotiable offer, and so don't waste my time and yours by replying to this email. Joe, what do you think?
Joe Carrigan: [00:13:59] I'd reply yes.
Joe Carrigan: [00:14:03] This is terrifying.
Dave Bittner: [00:14:06] Well, you know, it's a lot going on here. And as we say, these are numbers games.
Joe Carrigan: [00:14:10] Right. Exactly. They're sending it out. I think what's interesting is that Johannes said they've done some work on - or done some research on the bitcoin address. And people are making payments to this thing.
Dave Bittner: [00:14:20] Oh, sure. Yeah. So - but let's unpack it here. The first thing they start with is your password. So they've connected your password with your email address...
Joe Carrigan: [00:14:29] Right.
Dave Bittner: [00:14:29] ...From one of the big password leaks.
Joe Carrigan: [00:14:31] Right.
Dave Bittner: [00:14:31] So the first thing you see is a password that you have used in the past.
Joe Carrigan: [00:14:35] Yes.
Dave Bittner: [00:14:35] So that is disarming. These people are not fooling around. They have a password, and it's my password.
Joe Carrigan: [00:14:39] Yep.
Dave Bittner: [00:14:40] And then they say, hey, have you been watching adult videos? So again, here's the numbers game. What percentage of people are they going to send - if you're someone who never watches any adult videos, well, you're just going to throw this away. And you're going to say haha...
Joe Carrigan: [00:14:51] Correct.
Dave Bittner: [00:14:51] ...You know, go pound sand.
Joe Carrigan: [00:14:53] Yep.
Dave Bittner: [00:14:53] But if you happen to be someone who enjoys an adult video from time to time, you may keep on reading.
Joe Carrigan: [00:14:59] Yes, they may have got you.
Dave Bittner: [00:15:01] They may have your attention. And so at that point, I guess it's a risk-reward kind of thing if you're someone who has the means with which to pay the $2,900. And then of course, the thing is that this could be the starting volley from these bad guys.
Joe Carrigan: [00:15:14] Sure.
Dave Bittner: [00:15:15] Once you pay that, they could come back to you for more.
Joe Carrigan: [00:15:18] Let's assume that everything they say is true.
Dave Bittner: [00:15:20] OK.
Joe Carrigan: [00:15:21] Let's - it's like the David Letterman situation. You remember when somebody tried to blackmail him?
Dave Bittner: [00:15:24] Yeah.
Joe Carrigan: [00:15:24] David Letterman handled that exactly the way it needed to be handled, right? He came out with everything. And he said this woman tried to blackmail me. And law enforcement got involved, and they prosecuted the woman...
Dave Bittner: [00:15:35] Right.
Joe Carrigan: [00:15:36] ...Who was trying to blackmail him. That's really the only possible alternative for how to handle these kind of things because even if he does have a video like the one he describes here - I'm not going to repeat what he says. But (laughter)...
Dave Bittner: [00:15:46] Yeah.
Joe Carrigan: [00:15:47] ...Even if he does have that video, you sending him $2,900 in bitcoin does not guarantee that he deletes it.
Dave Bittner: [00:15:53] Right.
Joe Carrigan: [00:15:53] In fact, what it might be is a signal to him - oh, this guy has at least $2,900. Let me go ahead and tell him, no, I've decided that wasn't enough. You're going to need to give me more.
Dave Bittner: [00:16:04] Right.
Joe Carrigan: [00:16:05] That will probably be the next step if you respond to this email by sending $2,900 to that bitcoin address.
Dave Bittner: [00:16:11] Well - and let's be perfectly clear here - the overwhelming odds are that there's no video.
Joe Carrigan: [00:16:15] Right. Yeah, right.
Dave Bittner: [00:16:16] This is just someone aligning your password and your email address and pressing all of these buttons, the potential for embarrassment...
Joe Carrigan: [00:16:23] Correct.
Dave Bittner: [00:16:24] ...And again, running the numbers and hoping enough people get scared enough that they'll send the payment. All right. Well, again, thanks to Johannes Ullrich for sending this in to us. It's a good one. And that is our Catch of the Day. Coming up next, we've got my interview with Adam West. But first, a message from our sponsors at KnowBe4.
Dave Bittner: [00:16:48] Now let's return to our sponsor's question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5 percent failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:48] And we are back. Joe, I recently spoke with Adam West. He is a physicist at the University of California, Los Angeles. He has a postdoc in atomic physics. He's a smart guy.
Joe Carrigan: [00:18:00] Yep.
Dave Bittner: [00:18:00] He's also a professional close-up magician. So here's my conversation with Adam West.
Adam West: [00:18:06] So a close-up magician does magic which is for small groups of people and happens kind of right in front of your face. So you know, very often, a close-up magician will perform tricks using small objects, like cards or coins or pen and paper. And they would do it to maybe three or four people. And the people involved in the magic, the people watching the magic, will actually see it right in front of them and very often will actually take part in the magic. So they might hold something or choose something. And I think that makes it a lot more effective than stage magic, where there is a real barrier between the audience and the performer.
Dave Bittner: [00:18:42] Yeah, I remember talking to a friend who'd recently seen a close-up magic show while she was on vacation. And she came back, and we were talking about it. And she said, there's just no way that the magician could have done this. I've thought about every possible way that they could have done this, and there's just no way that it could happen. And I looked at her, and I sort of smiled. And I said, well, can we agree at the outset that it wasn't actually magic? And she sort of paused for a second and went, you're right. You're right. You're right. It wasn't actually magic. You know? Like (laughter)...
Adam West: [00:19:07] Right. And I think that's kind of an interesting point because, you know, in our heart of hearts, we all know that it's a trick. And there has to be a logical explanation. And you know, if we kind of sit soberly for a long enough time, we realize that. But it's really the suspension of disbelief which characterizes magic in some way. A lot of professional magicians, you know, they espouse the goal of creating this moment of astonishment, this real moment where you let go of your preconceived notions about what is possible. And achieving that effect on a person is quite often the best way to present magic.
Dave Bittner: [00:19:42] Can you take us through some of the common techniques here? We talk about social engineering here and people using these sorts of things for bad purposes. And of course, you use them to delight people and entertain them. What are some of the common techniques that magicians use that sort of parallel to social engineering techniques?
Adam West: [00:20:00] One of them is social cueing. This is something which works very well on adults and very poorly on children. And as adults, we have these preconceived notions about what is socially acceptable, socially expected. As an example of this, if I was to have a conversation with you and be looking at you in the eyes, it's kind of natural for you, for a period of time, to kind of meet my gaze and look back at me. And this is a, you know, exceptionally simple but also exceptionally effective technique for misdirecting people. If there is a mechanical move that I have to do during a magic trick, I will often try and meet the gaze of someone so that they're not looking in the places I don't want them to look.
Adam West: [00:20:38] Another example of this is also taking someone's focus away by talking to them. So - of course, when you're having a conversation with someone, it is polite in normal circumstances to continue the conversation. And an exceptionally effective technique to misdirect people is to talk to them. So very often, magicians will, for example, ask someone a question. And at the moment where they engage in that question and formulate an answer, your attention is elsewhere. It's on the question, you know? It might be a very simple question like, are you left-handed or right-handed? But for that brief moment when you're asked the question, their attention is just, you know, temporarily moved elsewhere. And very often, the question will be completely unimportant. It's - you know, it doesn't matter whether you're left-handed or right-handed, but it's just an opportunity for me to relax your attention slightly.
Dave Bittner: [00:21:27] So what would your advice be to people who are trying to better protect themselves against these sort of social engineering attacks? Knowing what you do with the experience you have, do you have any tips for people to protect themselves?
Adam West: [00:21:40] I think one thing which a magician can use to their advantage to make something deceptive is kind of framing, is context. And I think that's an important point to consider for magicians when they perform, which is do I want to frame this as something which is, for example, I'm going to fool you, and there's nothing you can do about it? That kind of, you know, immediately sets up a very kind of combative kind of scenario and one where people are less likely to be conducive to, you know, whatever you want them to do, whether to be misdirected or to have their attention in a particular place.
Adam West: [00:22:13] In the same way, for scams, you know, the way that they're framed, the context, is extremely important. We know the kind of archetype and example of an email scam is, you know, somebody coming to you for your help. You know, I've just inherited this money, and I'm going to be taxed on it. So I need to give it to someone so that that money can be used well. And that kind of framing, that kind of context, puts you in a frame of mind where you are more conducive to help this person and more conducive to be scammed of course.
Dave Bittner: [00:22:43] So you work professionally as a physicist. And I suppose being a magician has shifted to becoming more of a hobby for you today. I'm curious. When you are at work and you are with your friends and your colleagues who are other physicists, how are they as an audience? Are they harder to fool than average people?
Adam West: [00:22:59] I think so - definitely so. In my experience, people - scientists and physicists, people I kind of work with every day, are very difficult to fool when it comes to magic. And I think there are a couple of reasons for that. The first of those is that physicists really have a strongly held worldview. They have a strongly held set of core beliefs. So for example, if I was to levitate a lady stage, for example, everyone knows that, you know, that is impossible. I can't actually levitate someone. But for a physicist, this is something, you know, with their understanding of the world and with their understanding of physical law, they hold a lot more strongly.
Adam West: [00:23:34] And I think it also makes it more difficult to fool them because they know about more kinds of things. Like, somebody might explain it away saying - oh, it's magnets or it's an invisible wire. But the physicists might know - OK, no, it isn't magnets because I know that a magnet can't be that strong in any reasonable scenario. And as such, they're less likely to be kind of duped in that way. And I think that's a really important point, which is, as I said previously, in our heart of hearts, we all know that levitation is not possible. But for a physicist, for whatever reason, it seems more difficult to get them to suspend disbelief because of the fact that they think about the world in a way which is so often circumscribed by their understanding of physics.
Adam West: [00:24:13] And I think there is a second reason for why physicists are difficult to fool. And that is because of the way they're kind of trained to interact. When I'm explaining something to a fellow physicist, for example, the way that they understand the concept is sometimes quite different to how other people might. It's usually by way of trying to find a flaw in my reasoning. So they might not inherently distrust what I'm saying, but the way that they go about enhancing their own understanding is to try and pick flaws, to promote an argument basically. This is, you know, not necessarily meant to be argumentative, per se, but is a tool for dialogue and a tool for understanding. And I think that transfers well into them not being fooled very well. You know, they're kind of geared towards looking at a similar view and, as a default, trying to understand it and trying to pick holes in why it is the way it is.
Dave Bittner: [00:25:03] Yeah. As a social group, I suppose skepticism is a virtue.
Adam West: [00:25:07] Exactly. Exactly. And now, I mean, everything is to an extent. I mean, you don't want to be skeptical of everything.
Dave Bittner: [00:25:13] Right.
Adam West: [00:25:13] But certainly when it comes to magic tricks and certainly when it comes to you being scammed, a healthy dose of skepticism is very important. And I found it difficult to fool physicists. And you know, there are some techniques which can help you do that. One of them I've already mentioned, which is kind of context, you know? If I present a magic trick to a physicist as a magic trick, then, you know, they know, they're kind of immediately in the mode of, OK, this is a puzzle. How do I solve it? But if I present it as, oh, hey, this is this really neat thing, like, I have learned about this. Isn't it weird that this happens? And they're like, oh, you're going to show me something which is genuine, and that makes them more susceptible to being fooled by it.
Adam West: [00:25:52] Another kind of extreme example of this is a sucker trick. So there are lots of tricks that I have which are exceptionally effective for physicists because they don't know when the trick is. So I might present something initially which looks very, very simple. For example, I say to you - OK, touch one of these cards, and look at it, and remember what it is. And then I find out what the card is. And that's all mildly impressive. But then their attention is relaxed, and the real conclusion is that I've actually turned all of their cards into blank cards, for example. Those kinds of tricks are the ones that are very effective against this kind of person.
Dave Bittner: [00:26:26] All right. So that was Adam West. Interesting guy, huh?
Joe Carrigan: [00:26:30] Yeah. You know, I never understood why people don't like magic tricks...
Dave Bittner: [00:26:34] Yeah.
Joe Carrigan: [00:26:35] ...Especially close-up magic tricks. And he touches on this. Some people just don't like it. You know, you say, I've got a card trick. And they're like, nope. And...
Dave Bittner: [00:26:40] Yeah.
Joe Carrigan: [00:26:41] I never understood that. I definitely fall into the group of people that is - I want to figure this out.
Dave Bittner: [00:26:45] Me, too.
Joe Carrigan: [00:26:46] I like the social cueing that he talks about. You know, I'm going to look at you in the eyes, and that's going to make you look at me in the eyes. And while you're looking me in the eyes, I'm changing the orientation of the cards...
Dave Bittner: [00:26:57] Yeah.
Joe Carrigan: [00:26:57] ...Or moving a coin somewhere. That's pretty cool.
Dave Bittner: [00:26:59] And fascinating that he said that doesn't work as well on children.
Joe Carrigan: [00:27:03] That - because they haven't picked up the social cues.
Dave Bittner: [00:27:05] Yeah.
Joe Carrigan: [00:27:06] I had a friend who used to do - he doesn't do this anymore, but he used to do child parties, right? And he would show me the tricks he was doing for it. And he had a clown outfit and everything. And the tricks he was showing me were remarkably simple tricks. And you know, he said, you can't get kids to do things that you can get adults to do.
Joe Carrigan: [00:27:24] They have to be the tricks that are - that have the gimmicks that are - actually, if you look at something he had - one of the things that he had was a coloring book where he'd flip through the coloring book, and there was no colors in the book. And then he'd say, well, take your colors off of your shirts and throw them at me, you know. And the kids would, you know, like, pantomime grabbing the colors off their shirts. And then he flipped through the coloring book the same way, but he'd do it from the bottom corner. And there would be colors in the coloring book.
Dave Bittner: [00:27:51] I see. Yeah.
Joe Carrigan: [00:27:51] So - but that kind of thing works with kids and amazes them. But if an adult saw that, you'd be like, well, you flipped it from two different corners. You know...
Dave Bittner: [00:27:58] Right.
Joe Carrigan: [00:27:59] ...You're a little bit more observant.
Dave Bittner: [00:28:00] Interesting how fooling physicists is different than fooling mere mortals like you and me.
Joe Carrigan: [00:28:05] Yes, that's right.
Dave Bittner: [00:28:05] Right.
Joe Carrigan: [00:28:07] He says, look at this interesting thing I've found. And they're like, oh, what did you find, you know? So he found a way to get into the mind of a physicist to make them more receptive to a trick, which I think is brilliant.
Dave Bittner: [00:28:17] Yeah, he knows the patterns. He knows the way they think.
Joe Carrigan: [00:28:19] That's right. I like one of the things he said. My takeaway from this is the reason these things work is because of something you don't think about. That is endemic into all of these scams that we're talking about in this podcast. It's working because you're not thinking about something. There's something you're missing, and you don't even know that you're missing it. But you're missing it.
Dave Bittner: [00:28:38] And it might be through a misdirection. It might be through...
Joe Carrigan: [00:28:39] It might be through...
Dave Bittner: [00:28:40] Yeah, yeah.
Joe Carrigan: [00:28:41] Exactly, yep.
Dave Bittner: [00:28:41] That's interesting. Yeah. All right. Well, Adam West, we really appreciate him joining us. Rumor has it that he can be found at the snooker tables in the Green Room billiards parlor on San Fernando Road in Los Angeles when he's not in his lab. So if you catch him there at a happy hour, remember there's nothing up his sleeve.
Dave Bittner: [00:29:00] And that's our show. We want to thank you all for listening, and we also want to thank our sponsors at KnowBe4, the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest.
Dave Bittner: [00:29:17] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:29:35] Our coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:43] And I'm Joe Carrigan.
Dave Bittner: [00:29:44] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.